How To Remove Windows Recovery Virus / Malware

Windows Recovery is a fake scanning tool, usually downloaded onto the system by accident and without the user's knowledge. Once installed it produces a number of warnings claiming the system is infected. These warnings are fake and should be ignored. The program reports various security flaws, runs "scans" that tell the user they are infected with a serious Trojan, pretends to attempt removal, and then shows an error message saying the infection can only be removed by purchasing its software. This is a scam; never buy it. If the user tries to close the program, it keeps running in the background, consuming system resources and slowing the PC down. Windows Recovery also changes Internet settings, causing browser redirects, and disables some Windows utilities.

Manual Removal of Windows Recovery: First, restart into Windows Safe Mode. To do this, shut down the PC, then turn it back on and press the F8 key until a menu appears offering to start Windows in Safe Mode. If you don't get this menu, F8 was usually not pressed in time; if the Windows startup screen appears and shows Windows loading, it was pressed too late and you will have to restart and try again. Once in Safe Mode, delete the following files that the malware writes to the computer:

Windows Vista & 7:

  • %AllUsersProfile%\~<random>
  • %AllUsersProfile%\~<random>r
  • %AllUsersProfile%\<random>.dll
  • %AllUsersProfile%\<random>.exe
  • %AllUsersProfile%\<random>
  • %AllUsersProfile%\<random>.exe
  • %UserProfile%\Desktop\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk

Windows XP:

  • %AllUsersProfile%\Application Data\~<random>
  • %AllUsersProfile%\Application Data\~<random>r
  • %AllUsersProfile%\Application Data\<random>.dll
  • %AllUsersProfile%\Application Data\<random>.exe
  • %AllUsersProfile%\Application Data\<random>
  • %AllUsersProfile%\Application Data\<random>.exe
  • %UserProfile%\Desktop\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk

Windows Recovery Registry Entries that should be removed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random>.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random>”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = ‘0’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ‘0’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ‘1’
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “Hidden” = ‘0’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden” = ‘0’
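The registry checks above can be done from a prompt instead of by hand in regedit. The PowerShell script below is an added example, not part of the original article or of any vendor tool: it walks the registry values listed above, reports any that still carry the scareware's setting, and with -Repair undoes them (deleting a policy value, which returns Windows to its default, or setting the value back to the assumed default shown per entry). It also lists the most recently modified files in the %AllUsersProfile% locations named above and any Run entry pointing there, which it only reports so the operator can delete by hand. The restore values, the "any value is suspicious" rule for LowRiskFileTypes, and the Run-key heuristic are this example's assumptions, not statements from the article.

```powershell
# Added example (not from the original article): audit the registry values and
# file locations listed for the "Windows Recovery" scareware and optionally undo
# the registry changes. Run from an elevated PowerShell prompt; Safe Mode is fine
# on Vista/7. Without -Repair the script only reports.
param([switch]$Repair)

# Values the article says the scareware sets. Restore = $null means "delete the
# value" (Windows default applies); other Restore values are assumed defaults.
# Bad = '*' means any value present counts as an indicator (assumption).
$indicators = @(
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name='CertificateRevocation'; Bad=0;    Restore=1 },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name='WarnonBadCertRecving';  Bad=0;    Restore=1 },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name='NoChangingWallPaper';   Bad=1;    Restore=$null },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';  Name='LowRiskFileTypes';      Bad='*';  Restore=$null },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name='SaveZoneInformation';   Bad=1;    Restore=$null },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';        Bad=1;    Restore=$null },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';        Bad=1;    Restore=$null },
  @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Download';                    Name='CheckExeSignatures';    Bad='no'; Restore='yes' },
  @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Main';                        Name='Use FormSuggest';       Bad='yes'; Restore=$null },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name='Hidden';                Bad=0;    Restore=1 },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name='ShowSuperHidden';       Bad=0;    Restore=1 }
)

# Returns the current value when it matches the scareware setting, otherwise $null.
function Test-Indicator($i) {
  if (-not (Test-Path $i.Path)) { return $null }
  $prop = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
  if ($null -eq $prop) { return $null }
  $current = $prop.($i.Name)
  if ("$($i.Bad)" -eq '*' -or "$current" -eq "$($i.Bad)") { return $current }
  return $null
}

$found = 0
foreach ($i in $indicators) {
  $value = Test-Indicator $i
  if ($null -eq $value) { continue }
  $found++
  Write-Output ("INDICATOR  {0}\{1} = '{2}'" -f $i.Path, $i.Name, $value)
  if ($Repair) {
    if ($null -eq $i.Restore) {
      Remove-ItemProperty -Path $i.Path -Name $i.Name
      Write-Output "           removed value (Windows default applies)"
    } else {
      Set-ItemProperty -Path $i.Path -Name $i.Name -Value $i.Restore
      Write-Output ("           reset to '{0}'" -f $i.Restore)
    }
  }
}

# Run entries whose command lives under %AllUsersProfile% (where the article
# says the <random>.exe is dropped). Report only; delete by hand after review.
$profileRoot = $env:ALLUSERSPROFILE
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
  $run = Get-ItemProperty -Path $runKey
  foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }           # skip PSPath, PSParentPath, ...
    if ("$($p.Value)" -like "*$profileRoot*") {
      $found++
      Write-Output ("RUN ENTRY  {0} -> {1}" -f $p.Name, $p.Value)
    }
  }
}

# Most recently modified loose files in the locations the article lists:
# the profile root on Vista/7, Application Data on XP.
$dirs = @($profileRoot, (Join-Path $profileRoot 'Application Data')) | Where-Object { Test-Path $_ }
foreach ($d in $dirs) {
  Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Name -like '~*' -or @('.exe', '.dll', '') -contains $_.Extension) } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 10 |
    ForEach-Object { Write-Output ("FILE       {0}  modified {1}" -f $_.FullName, $_.LastWriteTime) }
}

Write-Output ("{0} registry indicator(s) found; review the FILE lines against the infection time." -f $found)
```

Run it once without -Repair to see what is present, delete the files it lists that match the infection time, then run it again with -Repair. Hidden and ShowSuperHidden are set to 1 rather than deleted so that the hidden files the comments below describe become visible in Explorer during cleanup.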

Please Contact Us Here for more information on Windows Recovery Malware/Scareware
Need help removing Windows Recovery Malware/Scareware or other PC problems? E-Mail Us Here


4 Responses to How To Remove Windows Recovery Virus / Malware

  • Phil Klein says:

    Can you tell me how to get to these file locations so I can delete them?

  • Jamie says:

    I am trying to clear this virus off of my computer, too. When I go to the C drive in safe mode, I get a blank screen. What am I doing wrong? Thanks!

  • stracat says:

    I had to do this this morning on my laptop. I am reciting this somewhat from memory, so I can’t give you exact syntax, but hopefully this will shed a little more light on what needs to be done.

    In XP anyway, to find the “%allusersprofile” folder, look under “Documents and Settings” on your c: drive. It should contain a folder called “All Users”.

    When I opened that folder, I also had a blank screen and could not see the “Application Data” folder specified in the article. The files had been marked as hidden.

    If you have this problem, you can change the “All Users” folder properties to reveal the hidden “Application Data” folder. With the “All Users” folder open, follow its menu to “Tools” “Folder options” “View” and check the “Show hidden files and folders” radio button and apply the settings.

    You should then see and be able to open the “Application Data” folder. From its view menu, choose the detailed view and then click on the Date modified tab until the most recent files pop to the top of the list.

    The most recent files will probably correspond to the time your machine was infected and will be the files shown in the article above:

    %AllUsersProfile%\Application Data\~<random>
    %AllUsersProfile%\Application Data\~<random>r
    %AllUsersProfile%\Application Data\<random>.dll
    %AllUsersProfile%\Application Data\<random>.exe
    %AllUsersProfile%\Application Data\<random>

    The <random> portion will be specific to your computer’s infection, but these files are pretty easy to spot when grouped together this way. Delete them as you would any other file or folder.

    To access the registry entries in the article, open the “run” window on your start menu and enter “regedit”.

    This opens an explorer-type application that lets you navigate the registry. Use the tree on the left to follow the paths supplied in the article, and when you see each bad entry, right-click and “delete” it. When finished with all your changes, simply exit “regedit” and things should run much better.

    This cleaned up my system enough that I could run my usual anti-spyware applications. Run as many as you have to clean up any stray problems.

    Hope this helps.
