Windows Error Recovery
Windows Error Recovery is a new kind of fake hard drive defragmenter tool. To some who are unaware of rogue application, Windows Error Recovery virus seems to be respectable software. But their initial notion will change once this rogue program begins to operate on the computer. It does not only produce displeasure but also hampers Internet browsing. It intentionally redirect Internet search to unwelcome web sites. Knowing that Windows Error Recovery is a member of a huge group of counterfeit hard drive utility, never expect it to be a valuable program. Other members of this group include Data Recovery and System Recovery.
This bogus application can be loaded on computer without a notice. It is downloaded on your PC by Trojan through security holes and software flaw. Also, the Trojan is showing off with the advanced technology that able to obscure antivirus detection.
Once successfully breaks into system, Windows Error Recovery will arrange for automatic start-up. Then, after Windows login, it instantly initiate system diagnostic. It will provide numerous artificial findings as anticipated. These errors are a complete lies and are just instrument to oblige users for the procurement of Windows Error Recovery licensed version. At any condition, never trust Windows Error Recovery. Moreover, do not spend for this worthless software. Resort to effective and legitimate application to remove Windows Error Recovery virus from your PC. That is the best thing you can execute on situations like this.
Screen Shot Image:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Windows Error Recovery Removal Procedures
Windows Error Recovery REMOVAL TOOL:
Efficient and complete removal of Windows Error Recovery can be provided by Malwarebytes Anti-Malware. Please download, install and scan. If downloading is blocked by a virus, use a clean computer and save it to a Disc or USB drive and execute the removal on infected machine.
MANUAL REMOVAL:
1. Unload any running Windows Error Recovery process by pressing Ctrl+Alt+Del on your keyboard. This will open Task Manager. Look for the following process and click “End Process”:
[random characters].exe
2. If antivirus program Is installed, connect to Internet and update it to have the latest database and pattern files.
3. Thoroughly scan the computer and clean/delete all infected files. See lists of Windows Error Recovery associated files below.
4. Edit Windows registry and delete malicious entries as stated below.
- For Windows 2000/XP: Go to Start > Run, type “regedit” on dialog box then press Enter on keyboard.
- For Windows Vista/7: Go to Start > Search Program and Files, type “regedit” and press Enter.
5. Close registry editor, changes will be save automatically.
6. Remove Windows Error Recovery start-up entry by going to Start > Run, type msconfig on the “Open” dialog box. System Configuration Utility will open. Go to Startup tab and uncheck the following Startup item(s):
[random characters].exe
7. Click on Apply and reboot the computer for changes to take effect.
Technical Details and Additional Information:
Malicious Files Added by Windows Error Recovery
%StartMenu%\Programs\Windows Error Recovery\
%UserProfile%\Desktop\Windows Error Recovery.lnk
%LocalAppData%\[random characters]
%LocalAppData%\[random characters].exe
%LocalAppData%\~[random characters]
%LocalAppData%\~[random characters]
File Location for Windows Versions:
- %UserProfile% for Vista/7 user is C:\Users\<Current User> for Windows Vista/7, for Windows XP/2000 this is C:\Documents and Settings\<Current User>.
- %LocalAppData% for Vista/7 refers to C:\Users\<Current User>\AppData\Roaming, while for Windows XP/2000 user it is C:\Documents and Settings\<Current User>\Application Data.
- %StartMenu% on Vista/7 it refers to C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu while for Windows XP/2000 this is C:\Documents and Settings\<Current User>\Start Menu\.
Windows Error Recovery Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random characters].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random characters]”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = ’0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ’0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop “NoChangingWallPaper” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoDesktop” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ’1′
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ’1′
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “Hidden” = ’0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden” = ’0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU “MRUList”