How do you deal with the Windows Recovery malware?

How SHOULD you deal with Windows Recovery? I'll get to that in a moment. But first, there are several important steps you should NOT take in dealing with this type of infection:

  • Don't run Disk Cleanup, CCleaner, or any utility program that deletes Temp files
  • Don't run ComboFix
  • Don't buy any program that claims to remove this infection

So, did any of these DON'Ts surprise you? Do you ever think about what NOT to do when attacking a virus or other malware infection? Most of the time our tendency is to jump into action and start "fixing." Sometimes it's just as important to know what NOT TO DO as it is to know what TO DO.

We now return to our regularly scheduled programming...

The rogue security program known as Windows Recovery has become one of the most widespread examples of this threat category in recent history. It is also more difficult to remove than most programs of this type. There are many variations on the actual name used for it, but the symptoms are virtually identical in all variants.

The first symptom is a large pop-up, usually at Windows startup time. Unlike many programs in this category, it does not warn the user of a virus infection; instead, it claims to have found errors on the hard drive, saying "Error fix is required." At that point, of course, it asks the user for a credit card to download a program that will allegedly fix the errors on the hard drive.

The window contains no "Ignore" or "Cancel" option, and clicking the red X in the top right corner of the window will not close it. There is also no entry in the Taskbar, so closing the window from there is not an option either.

The program usually disables Task Manager, removing another possible way of closing this window. If the user ignores the pop-up and attempts to run their usual programs, that's when they encounter the more ominous symptoms of this malware.

At that point it appears that all programs have been lost from the hard drive, and all icons may have disappeared from the desktop. The user may not be able to see any of their data files, either. That's when panic sets in.
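A defender-side triage script for the symptoms just described, added here as an example; it is not part of the original post or of the training course's tools. It assumes, as is typical for this rogue family although the post does not say so, that Task Manager is disabled through the DisableTaskMgr policy value, that the "missing" programs and data are files with the Hidden attribute set, and that Start Menu shortcuts may have been moved into the user's Temp folder.

```powershell
# Added triage example (not from the original post). Assumptions, labelled here:
#  - Task Manager is disabled via the DisableTaskMgr policy value (HKCU).
#  - The "lost" programs and data are user files with the Hidden attribute set.
#  - Start Menu shortcuts may have been moved into %TEMP%, which is why
#    Temp-cleaning utilities must not be run first (see the DON'Ts above).
# Run in an elevated PowerShell prompt as the affected user. -Restore only
# clears the Hidden attribute on non-System files; nothing is ever deleted.
param(
    [switch]$Restore
)

$report = [ordered]@{}

# 1. Is Task Manager disabled by policy for the current user?
$polKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$taskMgr = (Get-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
$report['TaskManagerDisabledByPolicy'] = ($taskMgr -eq 1)

# 2. Hidden, non-System files in user-visible locations (legitimate system
#    files carry Hidden+System; the rogue sets only Hidden on user files).
$locations = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('Programs')   # Start Menu\Programs shortcuts
)
$suspicious = foreach ($dir in $locations) {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                           -not ($_.Attributes -band [IO.FileAttributes]::System) }
    }
}
$report['HiddenUserFiles'] = @($suspicious).Count

# 3. Shortcuts stashed under the Temp folder (the reason Temp must be preserved).
$tempLnk = Get-ChildItem -Path $env:TEMP -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue
$report['ShortcutsInTemp'] = @($tempLnk).Count

[pscustomobject]$report | Format-List

if ($Restore) {
    foreach ($f in $suspicious) {
        # Only Hidden files reach this loop, so XOR clears the flag without touching others.
        $f.Attributes = $f.Attributes -bxor [IO.FileAttributes]::Hidden
    }
    Write-Host "Cleared Hidden attribute on $(@($suspicious).Count) file(s)."
}
```

Run it without -Restore first to confirm the counts match the symptoms before changing any attributes; a non-zero ShortcutsInTemp count is the concrete reason the Temp-deleting tools in the DON'Ts list would make recovery harder.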

As with most widespread malware, a search for "Windows Recovery virus" in your favorite search engine will return many links with supposed cures for this infection. These links range from completely worthless, to incomplete or outdated, to a few that actually offer a complete and accurate, if time-consuming, solution.

Using the techniques taught in the Virus Remediation Training course and some of the tools provided with the course, this infection can be stopped in less than 5 minutes. Complete removal of the malware and restoration of all files and shortcuts can usually be accomplished in less than 15 minutes.

But, it could get worse...

On some systems infected by this malware, a Rootkit is also installed. These infections typically are not detected by anti-malware programs, even otherwise good ones such as VIPRE and MalwareBytes. Removing these rootkits can present a challenge for the most seasoned veterans of malware repair.

Most of the common rootkits since early 2010 fall into the category of TDL3 Rootkits, also known as TDSS Rootkits. Another name they have been given is Alureon. And recently TDL4 Rootkits have begun to appear in the wild. In any case, it is easy to identify such an infection based on its symptoms.

The average user will notice no obvious symptoms of a TDL3 rootkit infection. But once you know the characteristics of these infections, you can easily confirm the presence of such a rootkit.

  • Results of a Google search are redirected to unrelated sites
  • Trying to run Windows Updates manually fails, with an error code ending in ...0eff
  • Trying to install Service Pack 3 on a Windows XP system fails with a "system file in use" error

The Virus Remediation Training includes detailed procedures and tools for removing rootkit infections, as well as traditional viruses, spyware, and rogue security programs such as Windows Recovery.