Windows Recovery is a harmful hard drive optimization program that will initiate a scan even without user’s intervention. When this happens, it only means that Windows Recovery virus is already inside the computer. It was able to modify system settings that made it to run on its own. The malware came from the same group who developed Windows Safemode and System Diagnostic, it is expected that this variant will be as risky as the old ones. Aside from disabling your anti-virus software, Windows Recovery virus also prevent any installed programs from running. Computer is unusable during the infection. Repeatedly, the malicious program prompts to purchase the Windows Recovery registration key to be able to make the PC stable again.
Instead of buying and spending for this useless software, it is best to scan the computer with real anti-malware program. If none is present, download a copy from known web site. You may also find on this page an effective Windows Recovery removal tool. It is available for free. Download, install, update and thoroughly scanning the computer can help remove Windows Recovery virus completely.
Most importantly, you must be able to identify fake from legitimate security programs. Fake are those who use deceiving tactics, just as stated above. Real one’s offers a trial period and are useful for a limited period. If trial period lapses, it prompts users to voluntarily obtain the full version, otherwise it will not work same as before. While fake software akin to Windows Recovery will punished user with annoying pop-up alerts and purchasing of the licensed version is enforced.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
How to Remove Windows Recovery
Systematic procedures to get rid of the threat are presented on this section. Make sure to scan the computer with suggested tools and scanners.
Step 2 : Scan the computer with recommended removal tool
1. First thing you should do is reboot the computer in Safe Mode with Networking to avoid Windows Recovery from loading at start-up.
NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.
Remove all media such as floppy drive, cd, dvd, and USB devices. Then, restart the computer and please do the following:
Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.
Start computer in Safe Mode using Windows 8 and Windows 10
a) Close any running programs on your computer.
b) Get ready to Start Windows. On your keyboard, Press and Hold Shift key and then, click on Restart button.
c) It will prompt you with options, please click on Troubleshoot icon.
d) Under Troubleshoot window, select Advanced Options.
e) On next window, click on Startup Settings icon.
f) Lastly, click on Restart button on subsequent window.
g) When Windows restarts, present startup options with numbers 1 - 9. Select "Enable Safe Mode with Networking" or number 5.
h) Windows will now boot on Safe Mode with Networking. Proceed with virus scan as the next step.
2. Download the Removal Tool and save it on your Desktop or any location on your PC.
3. When finished downloading, locate and double-click on the file to install the application. Windows' User Account Control will prompt at this point, please click Yes to continue installing the program.
4. Follow the prompts and install with default configuration.
5. Click Finish after successful installation. Program will run automatically and you will be prompted to download software updates. Please download needed update.
6. When finished updating, the tool will run. Click on Scan tab from Top Menu of main screen. Then, choose Threat Scan (Recommended) to check your computer thoroughly.
7. Click on Start Scan to begin. Scanning may take a while. When done, this tool will display lists of identified threats.
8. Make sure that all detected threats are checked, click on Remove Selected. This will delete all files and registry entries that belongs to Windows Recovery.
9. Finally, click Finish and restart your computer.
Note: If Windows Recovery prevents mbam-setup.exe from downloading. Download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware.
Step 3 : Ensure that no more files of Windows Recovery are left inside the computer
1. Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.
2. After downloading, navigate its location and double-click on the NPE.exefile to launch the program.
3. Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept to proceed.
4. On NPE main window, click on Advanced Options. We will attempt to remove "Windows Recovery" by thoroughly scanning your current operating system.
5. On next window, select System Scan and click on Scan now to perform standard scan on your computer.
6. NPE will proceed with the scan. It will search for Trojans, viruses, and malware like Windows Recovery. This may take some time, depending on the number of files currently stored on the computer.
7. When scan is complete. All detected risks are listed. Click on Fix Now to remove Windows Recovery and other known threats. Then, restart Windows if necessary.
Step 4 : Remove the Rootkit Trojan that installs Windows Recovery
Rootkit Remover is a stand-alone utility developed by McAfee. It can be used to detect and remove rootkit Trojan that is associated with Windows Recovery. This tool can detect rootkit that is part of ZeroAccess, Necurs, and TDSS family.
1. Download Rootkit Remover and save it to your desktop or any accessible location. Click the button below to begin the download.
2. Locate the file rootkitremover.exe and double-click to run the program.
3. When User Account Control prompts if you want to allow the program to make changes on the computer, please click Yes.
4. Rootkit Remover instantly scans the computer and look for presence of Trojans, viruses, and rootkit that is related to Windows Recovery .
5. Once it finishes scanning the computer, the tool will require you to restart Windows.
Alternative Removal Procedures for Windows Recovery
Use Windows System Restore to return Windows to previous state
During an infection, Windows Recovery drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to previous working state is through System Restore.
To verify if System Restore is active on your computer, please follow the instructions below to access this feature.
Access System Restore on Windows XP, Windows Vista, and Windows 7
a) Go to Start Menu, then under 'Run' or 'Search Program and Files field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.
c) Windows will display list of saved restore points. Select the most recent one to restore Windows to previous working and clean state.
d) It may take some time to fully restore back-up files. Restart Windows when done.
Open System Restore on Windows 8 and Windows 10
a) For Windows 8 user, go to Start Search, while on Windows 10, use the Start Menu Search and type rstrui.
b) Click on the located program to open System Restore window.
c) Windows will display list of saved restore points if it is active. Select the most recent one to restore Windows to previous working and clean state.
d) It may take a while to fully restore back-up files. Restart Windows when done.
If previous restore point is saved, you may proceed with Windows System Restore.
Option 2 : Windows Recovery manual uninstall guide
IMPORTANT! Manual removal of Windows Recovery requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.
1. Kill any running process that belongs to Windows Recovery.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for Windows Recovery files (refer to Technical Reference) and click End Process.
2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section.
- Close registry editor. Changes made will be saved automatically.
3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.
- Thoroughly scan the computer with your updated antivirus software.
4. Delete all files dropped by Windows Recovery.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.
File Location for Windows Versions:Added Registry Entries:
- %AllUserProfile% for Vista/7 user is C:\ProgramData while for Windows XP/2000 this is C:\Documents and Settings\All Users\
- %UserProfile% for Vista/7 user is C:\Users\<Current User> for Windows Vista/7, for Windows XP/2000 this is C:\Documents and Settings\<Current User>.
Did Windows Recovery blocks your Internet access?
It is usual that rogue program prevents user from downloading removal tools from the Internet. Thus, infected computer may be denied to access the Internet by making changes to computer's proxy, DNS, and Hosts file. To solve Internet connection problem, please see our guide in fixing a virus-blocked Internet access. Also, make sure that your Windows Host File is free from any malicious entries. View steps in cleaning Windows host file.
Recover missing or hidden files and folders
To avoid manual execution of programs and files, Windows Recovery will hide files and folders on the infected computer. Most victims think that files and folders are deleted, but it is not. The malware simply changed the attributes to hide the data. Follow this guide to show all hidden files and folders if it remains hidden after activating Windows Recovery.
1. Open My Computer or Windows Explorer.
2. On top menu of upper left corner, click on Organize, then choose Folder and Search Options.
3. Folder Options dialog box will appear. Select the View tab.
4. On Advance Settings, mark 'Show hidden files, folders and drives.'
5. Click OK to save the settings. You can now view the folders and files, though, they are still concealed because Windows Recovery sets the attributes to hidden.
6. While still on Windows Explorer, click on the drive (C: or D:). On right pane, mouse over on the folder or file you wanted to unhide. To select all folder, you may use the keyboard shortcut Ctrl+A. Right-click, then select Properties .
7. On the Attributes area, remove the markings on Hidden. This will change the attributes of affected files and folders. Click Apply.
8. If it prompts for confirmation, please select 'Apply changes to the selected items, subfolders and files'. Then, click OK to proceed.