Windows Recovery Series

By Domesticus in Rogue Anti-Spyware Program | 81 views

Windows Recovery Series Description

Windows Recovery Series is a bogus anti-spyware program created by online scammers. If you see frightening warnings that appear to come from Windows and claim that your identity or computer is at risk (for example, the ‘Warning! Identity theft attempt Detected’ message), they may actually be fake messages produced by an infection that is trying to peddle a rogue anti-spyware program such as Windows Recovery Series. Windows Recovery Series will not fix your computer or protect it from security or privacy risks because it is itself the security threat infecting your computer. Windows Recovery Series also appears under other names, such as Windows Antivirus Care, Windows Guard Solutions, Windows Safety Toolkit and Windows Safety Manager, but its malicious behavior is the same under every name.

When installed on a machine, most often through a Trojan, Windows Recovery Series starts its scam by running bogus system scans that produce fake virus reports. To keep you from uninstalling it, and with the help of the Trojan, it blocks you from using your web browser or executing security programs. The whole idea is to get you to purchase Windows Recovery Series: first it intimidates you with fake reports of viruses it supposedly detected, and then it lures you into buying a program that has no virus removal capabilities. Windows Recovery Series is a security risk that you should avoid, and if your computer is infected with it, you should remove its components immediately.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Recovery Series?

Windows Recovery Series Technical Report

We will update this section as new Windows Recovery Series details are reported by our customers and by our Threat Research Center.

Fake message for Windows Recovery Series:

The following fake error messages appear for Windows Recovery Series:

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Warning! Identity theft attempt Detected
Hidden connection IP: 58.82.12.124
Target: Your passwords for sites

Warning
Firewall has blocked a program from accessing the Internet.
Windows Media Player Resources
C:\Windows\system32\dllcache\wmploc.dll
C:\Windows\system32\dllcache\wmploc.dll is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.


Windows Recovery Series Removal Details

Windows Recovery Series typically runs the following processes in memory:

  • %AppData%\Inspector-[RANDOM].exe
  • %AppData%\Protector-[RANDOM].exe

Windows Recovery Series creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “rudbxijemb”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-2-17_2”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “ID” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe
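
The process names and registry entries listed above can be checked offline against a registry export (.reg text). The following Python script is an added example, not code from the original article or from ESG; the function names, the sample export and the reading of [RANDOM] as any backslash-free string are assumptions.

```python
import re
# Indicators copied from the registry list above, lower-cased for comparison.
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
IFEO_NAMES = {"_avp32.exe", "divx.exe", "tapinstall.exe", "zapsetup3001.exe",
              "mostat.exe", "ashdisp.exe", "_avpcc.exe", "platin.exe"}
CV = r"hkey_current_user\software\microsoft\windows\currentversion"
POL, SET = CV + r"\policies\system", CV + r"\settings"
VALUES = {(POL, "disabletaskmgr"), (POL, "disableregedit"), (POL, "disableregistrytools"),
          (SET, "uid"), (SET, "net"), (SET, "id"), (CV + r"\run", "inspector"),
          (CV + r"\internet settings", "warnonhttpstohttpredirect")}
# Assumption: [RANDOM] is any run of characters that contains no backslash.
DROPPED_EXE = re.compile(r"\\(?:inspector|protector)-[^\\]+\.exe", re.I)

def parse_reg(text):
    """Yield (key, value_name, raw_data) from .reg text; value_name is None for the key itself."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                yield key, m.group(1), m.group(2)

def triage(text):
    """Return (kind, detail) hits for the indicators listed on this page."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        parent, _, leaf = k.rpartition("\\")
        if name is None:
            if parent == IFEO and leaf in IFEO_NAMES:
                hits.append(("ifeo-key", leaf))
        elif (k, name.lower()) in VALUES:
            hits.append(("value", name))
        # .reg files double the backslashes inside string data; undo that before matching.
        if data and DROPPED_EXE.search(data.replace("\\\\", "\\")):
            hits.append(("dropped-exe", name))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\lab\\AppData\\Roaming\\Inspector-x1y.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
'''
```

regedit.exe writes Version 5.00 exports as UTF-16, so read the file with encoding="utf-16" before passing its text to triage(). A hit on a Policies or Internet Settings value alone is weak evidence, since administrators also set those values.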

This entry was last updated on 04/30/12 and posted on 04/29/12.