Friday, 13 May 2011

Remove Windows XP Recovery (Uninstall Guide)

Windows XP Recovery is a fake computer repair and optimization program that reports nonexistent security threats, registry errors and some other problems to make you think that there are serious issues with your computer. The rogue application displays critical error warnings and pop ups saying that certain applications are either corrupted or infected with viruses, spyware, etc. Windows XP Recovery offers to clean your computer and fix those nonexistent system/registry errors, for a fee. We have written a lot about the fake disk defragmenters in the past couple of weeks, e.g., Windows Recovery/Windows Restore. Windows XP Recovery is pretty much the same scareware with a new slightly modified graphical user interface. By the way, it may hide your files, icons and folders to scare you into believing that they are gone. Don't worry, your files are safe, you just can't see them. Thankfully, we've got the removal instructions to help you to remove Windows XP Recovery and restore you files. Please follow the steps in the removal guide below.



Fake error warnings:
Task Manager has been disabled by your admininstrator.

Critical Error
Damaged hard drive clusters detected. Private data is at risk.



Windows XP Recovery removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d or Attrib -h \\*.* /D /S and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon or your desktop. Right click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\18542698.exe

Example Windows Vista/7:
C:\ProgramData\18542698.exe

Basically, there will be a couple of ".exe" file named with a series of numbers or letters.



Rename those files to virus1.vir, virus2.vir etc. For example:



It should be: C:\Documents and Settings\All Users\Application Data\virus1.vir

Instead of: C:\Documents and Settings\All Users\Application Data\18542698.exe

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller and remove the rootkit.



6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.


Associated Windows XP Recovery files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
  • %UsersProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Desktop\Windows XP Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\Windows XP Recovery\
  • %UsersProfile%\Start Menu\Programs\Windows XP Recovery\WWindows XP Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Desktop\Windows XP Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\Windows XP Recovery\
  • %UsersProfile%\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
Share this information with other people:

No comments:

Post a Comment