Maximum PC

All times are UTC - 8 hours




 Post subject: How to remove Windows Recovery (the easy way)
PostPosted: Fri May 20, 2011 9:00 pm 
Malware specialist

Joined: Sun Apr 03, 2005 12:49 pm
Posts: 11696
Location: Kansas City, KS
Many people seem to have been afflicted by this nasty malware. Essentially what it does is hide all of the files on your desktop and start menu to simulate disk corruption. For more detailed information read this article.

Steps to remove
  1. Open the rogue program and click on the Help and Support button (or wherever you enter the registration key; if you can't find it, look for something with the word "activate", then enter a fake e-mail and the code). Enter: 8475082234984902023718742058948. It is critical that you do this to make the malware easier to remove. It will automatically unhide all the files. If it asks to restart the computer, restart the computer.
  2. Try going to Add/Remove Programs and uninstall Windows Recovery (if listed). If not listed there, try clicking into your Start Menu and looking for the Windows Recovery folder. If there is an Uninstall Windows Recovery file there, try uninstalling. Regardless of what happens, continue on with the steps.
  3. Download the free version of Malwarebytes Anti-Malware.
  4. Install and update the program. Be sure to do this (the updating)!
  5. Run a Complete System Scan. Please note, this will take an hour or so, so you may want to go away for a while.
  6. Remove everything Malwarebytes finds. If there is anything still hidden, download Unhide.exe from Bleepingcomputer.com and run it. Your files should now be unhidden.
  7. To see if you are lucky/unlucky enough to have the rootkit that sometimes comes with this malware, run TDSSKiller.
    Note: I've seen several cases of this malware not removing well even after registering. If you are having problems with your files disappearing, DO NOT CLEAR YOUR TEMP FILES; instead, read the below comment on how to restore the files. If the link is removed at some point, the location is: %UserProfile%\AppData\Local\Temp\smtmp


If the program is already removed and you haven't cleared your temp files, you might try reading the following article. If that article doesn't help, try doing a System Restore to before the attack happened (after the system is clean, be sure to back up your files in case something bad happens, though).
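
A read-only PowerShell check for the two things the post above depends on: files on the Desktop and Start Menu that carry the Hidden attribute, and whether the smtmp folder under Temp (the one it says not to clear) is still present. This is an added example, not part of the original post; the function name and output fields are hypothetical.

```powershell
# Added example: read-only triage, nothing on disk is changed.
# Get-HiddenFileTriage and its output fields are hypothetical names.
# The smtmp location is the one quoted in the post.
function Get-HiddenFileTriage {
    param(
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('StartMenu')
        ),
        [string]$SmtmpPath = (Join-Path $env:USERPROFILE 'AppData\Local\Temp\smtmp')
    )

    $hidden = [int][IO.FileAttributes]::Hidden
    $system = [int][IO.FileAttributes]::System

    $perFolder = foreach ($folder in $Folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        # -Force is required; without it hidden items are not enumerated at all.
        $files = @(Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer })
        # Skip Hidden+System files: desktop.ini and similar are normally marked that way.
        $flagged = @($files | Where-Object {
            $attrs = [int]$_.Attributes
            (($attrs -band $hidden) -ne 0) -and (($attrs -band $system) -eq 0)
        })
        New-Object PSObject -Property @{
            Folder      = $folder
            TotalFiles  = $files.Count
            HiddenFiles = $flagged.Count
        }
    }

    # Count what is sitting in smtmp so it can be backed up before any temp cleanup.
    $smtmpPresent = Test-Path $SmtmpPath
    $smtmpCount = 0
    if ($smtmpPresent) {
        $smtmpCount = @(Get-ChildItem -Path $SmtmpPath -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }).Count
    }

    New-Object PSObject -Property @{
        SmtmpPresent   = $smtmpPresent
        SmtmpFileCount = $smtmpCount
        Folders        = $perFolder
    }
}

Get-HiddenFileTriage | Format-List
```

A non-zero HiddenFiles count after step 6 means files are still hidden; SmtmpPresent being True means the temp folder should be left alone until its contents are backed up.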


 Post subject: Re: How to remove Windows Recovery (the easy way)
PostPosted: Thu May 26, 2011 8:02 am 
Monkey Federation (Top 10)*

Joined: Thu Jun 24, 2004 1:22 pm
Posts: 27367
Location: In a cage, dumbass.
Hack, I love you. This thing is nasty. My employees catch it all the time.

When I've encountered it, it didn't let any application run (like a browser so I could download Malwarebytes). Does step one help this?


 Post subject: Re: How to remove Windows Recovery (the easy way)
PostPosted: Thu May 26, 2011 8:33 am 
Malware specialist

Joined: Sun Apr 03, 2005 12:49 pm
Posts: 11696
Location: Kansas City, KS
Spider Monkey wrote:
Hack, I love you. This thing is nasty. My employees catch it all the time.

When I've encountered it, it didn't let any application run (like a browser so I could download Malwarebytes). Does step one help this?


Yes.

Then everything should be easy to remove.

