Windows Recovery is a harmful hard drive optimization program that will initiate a scan even without user’s intervention. When this happens, it only means that Windows Recovery virus is already inside the computer. It was able to modify system settings that made it to run on its own. The malware came from the same group who developed Windows Safemode and System Diagnostic, it is expected that this variant will be as risky as the old ones. Aside from disabling your anti-virus software, Windows Recovery virus also prevent any installed programs from running. Computer is unusable during the infection. Repeatedly, the malicious program prompts to purchase the Windows Recovery registration key to be able to make the PC stable again.
Instead of buying and spending for this useless software, it is best to scan the computer with real anti-malware program. If none is present, download a copy from known web site. You may also find on this page an effective Windows Recovery removal tool. It is available for free. Download, install, update and thoroughly scanning the computer can help remove Windows Recovery virus completely.
Most importantly, you must be able to identify fake from legitimate security programs. Fake are those who use deceiving tactics, just as stated above. Real one’s offers a trial period and are useful for a limited period. If trial period lapses, it prompts users to voluntarily obtain the full version, otherwise it will not work same as before. While fake software akin to Windows Recovery will punished user with annoying pop-up alerts and purchasing of the licensed version is enforced.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
How to Remove Windows Recovery
Systematic procedures to get rid of the threat are presented on this section. Make sure to scan the computer with suggested tools and scanners.
Step 2 : Scan the computer with recommended removal tool
1. First thing you should do is reboot the computer in Safe Mode with Networking to avoid Windows Recovery from loading at start-up.
NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.
Remove all media such as floppy drive, cd, dvd, and USB devices. Then, restart the computer and please do the following:
Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.
Start computer in Safe Mode with Networking using Windows 8
a) Before Windows begins to load, press Shift and F8 on your keyboard.
b) On Recovery interface, click on 'See advanced repair options'.
c) Next, click on Troubleshoot option.
d) Then, select Advanced options from the list.
e) Lastly, please choose Windows Startup Settings and click on Restart. When Windows restarts, you will be send to a familiar Advanced Boot Options screen.
f) Select Safe Mode with Networking from the selections menu.
2. Download the Removal Tool and save it on your Desktop or any location on your PC.
3. When finished downloading, locate and double-click on the file to install the application. Windows' User Account Control will prompt at this point, please click Yes to continue installing the program.
4. Follow the prompts and install with default configuration.
5. Before the installation completes, check prompts that software will run and update on itself.
6. Click Finish. Program will run automatically and you will be prompted to update the program before doing a scan. Please download needed update.
7. When finished updating, the tool will run. Select Perform full scan on main screen to check your computer thoroughly.
8. Scanning may take a while. When done, click on Show Results.
9. Make sure that all detected threats are checked, click on Remove Selected. This will delete all files and registry entries that belongs to Windows Recovery.
10. Finally, restart your computer.
Note: If Windows Recovery prevents mbam-setup.exe from downloading. Download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware.
Step 3 : Ensure that no more files of Windows Recovery are left inside the computer
1. Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.
4. Once the file is downloaded, navigate its location and double-click on the icon (NPE.exe) to launch the program.
5. Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept.
6. On NPE main window, click on Advanced. We will attempt to remove Windows Recovery components without restarting the computer.
9. On next window, select System Scan and click on Scan now to perform standard scan on your computer.
10. NPE will proceed with the scan. It will search for Trojans, viruses, and malware like Windows Recovery. This may take some time, depending on the number of files currently stored on the computer.
11. When scan is complete. All detected risks are listed. Remove them and restart Windows if necessary.
Step 4 : Remove the Rootkit Trojan that installs Windows Recovery
Rootkit Remover is a stand-alone utility developed by McAfee. It can be used to detect and remove rootkit Trojan that is associated with Windows Recovery. This tool can detect rootkit that is part of ZeroAccess and TDSS family.
1. Download Rootkit Remover and save it to your desktop or any accessible location. Click the button below to begin download the tool.
2. Locate the file rootkitremover.exe and double-click to run the program.
3. When User Account Control prompts if you want to allow the program to make changes on the computer, please click Yes.
4. Rootkit Remover instantly scans the computer and look for presence of Trojans, viruses, and rootkit that is related to Windows Recovery .
5. Once it finishes scanning the computer, the tool will require you to restart Windows.
Alternative Removal Procedures for Windows Recovery
Option 1 : Use Windows System Restore to return Windows to previous state
During an infection, Windows Recovery drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to previous working state is through System Restore.
To verify if System Restore is active on your computer, please follow the instructions below to access this feature.
Access System Restore on Windows XP, Windows Vista, and Windows 7
a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.
Open System Restore on Windows 8
a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.
If previous restore point is saved, you may proceed with Windows System Restore. Click here to see the full procedure.
Option 2 : Windows Recovery manual uninstall guide
IMPORTANT! Manual removal of Windows Recovery requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.
1. Kill any running process that belongs to Windows Recovery.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for Windows Recovery files (refer to Technical Reference) and click End Process.
2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section.
- Close registry editor. Changes made will be saved automatically.
3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.
- Thoroughly scan the computer with your updated antivirus software.
4. Delete all files dropped by Windows Recovery.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.
File Location for Windows Versions:Added Registry Entries:
- %AllUserProfile% for Vista/7 user is C:\ProgramData while for Windows XP/2000 this is C:\Documents and Settings\All Users\
- %UserProfile% for Vista/7 user is C:\Users\<Current User> for Windows Vista/7, for Windows XP/2000 this is C:\Documents and Settings\<Current User>.
Did Windows Recovery blocks your Internet access?
It is usual that rogue program prevents user from downloading removal tools from the Internet. Thus, infected computer may be denied to access the Internet by making changes to computer's proxy, DNS, and Hosts file. To fix Internet connection problem, follow these steps:
1. Download the free program called MiniToolBox. Click the button below to begin. Save the file on your hard drive or preferably in your Desktop.
2. Close all running Internet browser and double-click on the file to run. It opens a window showing a list of features.
3. Make sure that you have a check mark on the following items : Flush DNS, Reset IE Proxy Settings, and Reset FF Proxy Settings.
4. Click on the GO button to start the process. The program automatically closes and displays a text file for your reference.
5. If the above solution does not work, you may try other method like fixing a virus-blocked Internet access. Also, make sure that your hosts file is free from any malicious entries. View steps in cleaning Windows host file.
Recover missing or hidden files and folders
To avoid manual execution of programs and files, Windows Recovery will hide files and folders on the infected computer. Most victims think that files and folders are deleted, but it is not. The malware simply changed the attributes to hide the data. Follow this guide to show all hidden files and folders if it remains hidden after activating Windows Recovery.
1. Open My Computer or Windows Explorer.
2. On top menu of upper left corner, click on Organize, then choose Folder and Search Options.
3. Folder Options dialog box will appear. Select the View tab.
4. On Advance Settings, mark 'Show hidden files, folders and drives.'
5. Click OK to save the settings. You can now view the folders and files, though, they are still concealed because Windows Recovery sets the attributes to hidden.
6. While still on Windows Explorer, click on the drive (C: or D:). On right pane, mouse over on the folder or file you wanted to unhide. To select all folder, you may use the keyboard shortcut Ctrl+A. Right-click, then select Properties .
7. On the Attributes area, remove the markings on Hidden. This will change the attributes of affected files and folders. Click Apply.
8. If it prompts for confirmation, please select 'Apply changes to the selected items, subfolders and files'. Then, click OK to proceed.