Windows Recovery

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 130
First Seen: March 23, 2011
Last Seen: January 8, 2020
OS(es) Affected: Windows


Windows Recovery is the name of a fake disk defragmenting program that has infected a lot of PCs. As anyone who has battled this malware can tell you, it is difficult to remove completely, and having it on your computer is very disruptive. Please do not confuse Windows Recovery with the Windows Recovery Console, which is a legitimate Windows tool that does something completely different from what the phony Windows Recovery claims it can do. Most importantly, remember that Windows Recovery is not a real system optimization tool, and you should not pay for it under any circumstances.

Because Windows Recovery is just the latest version of a fake security program that has taken many different names, most of the symptoms it causes are typical and rather ordinary. Everything it does is meant to get you to buy a license for its nonexistent program, and it generally resorts to scare tactics. Every time you start Windows, Windows Recovery will show up first, with a phony user interface that uses a variety of Windows logos and mimics the style of real Windows programs. It will play some scan animations in the interface and tell you that it is scanning your computer for errors, which it is actually incapable of doing. When the scan animation has finished, it will tell you that it has found some very serious problems with your PC, and that it can only fix things if you go to the Windows Recovery payment site and pay the license fee. If you do pay for a license, you will not get one, because licenses don't exist; so paying is a bad idea.

Windows Recovery also causes frequent pop-up alerts. Generally, these alerts will not mention that they have been generated by Windows Recovery. Instead, they will say things like "Critical error!" or "Critical hard disk drive error!" followed by some rubbish about a problem with your computer's internal components. The alerts will tell you that your hard drive has bad sectors, that the drive is unreadable, that an error occurred because a file could not be saved to the hard drive, and even that there are problems with your RAM and that the system's internal temperature is dangerously high. Then, the alert window will recommend that you run a scan, or that you "fix errors," and sometimes Windows Recovery will even load a fake safe mode screen and play a progress animation. Generally, though, the alerts will try to direct you to the payment site, to buy a license for the "Advanced Module" that Windows Recovery says it needs in order to protect your computer. (Needless to say, there is no Advanced Module.)

In order to prevent you from removing its fake security software, and in order to convince you that it is real, Windows Recovery will make some really annoying changes to your computer. For example, it will prevent all other programs from running: when you try to start a program other than Windows Recovery or your web browser, you will get an error message that says that hard drive problems prevented the program from running. It may be possible to get another program to run after trying the same one a few times in a row, but there is never any guarantee that this will work.

Windows Recovery makes a number of changes to the Registry, including one that allows it to run every time your computer starts, and another that sets some folders' contents to hidden. So if Windows Recovery is on your computer, some important folders will appear to be empty, although they actually aren't. The folder most commonly targeted in this way is the System or System32 subfolder of Windows. Windows Recovery will even change your Internet settings, turning off some security features of Internet Explorer and causing your browser to take you to the payment page for Windows Recovery regardless of which site you were trying to visit.

So much for the usual symptoms caused by a fake security program. Windows Recovery also causes a few other problems that are relatively strange, because the other malware in its family does not seem to do these things. These problems become evident once you have made an attempt to remove Windows Recovery from your computer. Often, removing the fake security software itself is not enough, because Windows Recovery leaves behind a rootkit and some Registry changes which, for some reason, tend not to be repaired in the removal process. The rootkit that remains lodged in the system will continue to cause search engine redirects and script errors, with Internet Explorer script error pop-ups appearing even when you are not online, accompanied by audio from advertisements that you can't see. Also, the Registry changes that cause some files or folder contents to be hidden often have to be manually undone; otherwise, even after Windows Recovery is gone, these items will continue to be invisible.
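
An audit for the two leftovers described above (the autostart Registry entry and the hidden-attribute change), as an added PowerShell example that is not part of the original article. The Run key locations, the path heuristic and the function names are assumptions, since the article does not name the keys Windows Recovery modifies.

```powershell
# Assumption: the autostart entry sits in a standard Run key; the article names no key.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                # Heuristic (assumption): launchers in user-writable locations deserve review.
                Review  = $command -match '\\(AppData|ProgramData|Temp)\\'
            }
        }
    }
}

function Get-HiddenItem {
    param([Parameter(Mandatory)][string]$Path)
    # -Force enumerates hidden items; Hidden+System items (desktop.ini etc.) are skipped.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            -not ($_.Attributes -band [IO.FileAttributes]::System)
        } |
        Select-Object -Property FullName, Attributes, LastWriteTime
}

function Clear-HiddenAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$FullName)
    process {
        if ($PSCmdlet.ShouldProcess($FullName, 'Clear Hidden attribute')) {
            $item = Get-Item -LiteralPath $FullName -Force
            $mask = -bnot [int][IO.FileAttributes]::Hidden
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band $mask)
        }
    }
}

Get-AutostartEntry | Where-Object Review | Format-Table -AutoSize
Get-HiddenItem -Path "$env:SystemRoot\System32" | Clear-HiddenAttribute -WhatIf
```

With `-WhatIf` the last line only reports what would change; review the list before running it without that switch from an elevated session.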

Windows Recovery is part of a large family of rogue disk defragmenting programs, the FakeSysDef family, and all of its members are part of an online scam that originated in Russia. Windows Recovery showed up around the beginning of April 2011, but it is descended from malware that goes back at least to 2009. The other fake system optimization tools related to Windows Recovery are System Defragmenter, Ultra Defragger, HDD Control, Win HDD, Win Defrag, Win Defragmenter, Disk Doctor, Hard Drive Diagnostic, HDD Diagnostic, HDD Plus, HDD Repair, HDD Rescue, Smart HDD, Defragmenter, HDD Tools, Disk Repair, Windows Optimization Center, Scanner, HDD Low, Hdd Fix.

File System Details

Windows Recovery may create the following file(s):
#   File Name          MD5                               Detections
1.  alxjviag.exe       2815ade59dbcfacc7cfb9cf6703afbad  114
2.  IQoRoRfnYmWW.exe   690241d2868ca9d2b9b7358b15732a3f  3
3.  16113460.exe       d9f552ac44acfa8bb2e62ee506b79d1a  0