Sunday, 4 September 2011

How to Remove "System Recovery" (Uninstall Guide)

System Recovery scareware is typically introduced by deceptive security alerts targeting unsuspecting computer users. Is this software legitimate? NO. It's a fake system optimization program that reports non-existent hard drive errors, RAM failures and Windows registry issues to make you think that your computer is about to bite the dust unless you pay a fee on the spot. However, paying the fee only makes things worse.

We have to admit that "System Recovery" is a very generic name and it looks more like a legit system utility than scareware. Conversation rate is typically around 2% for rogue anti-virus software, System Recovery might do even better because it looks like genuine Windows software. As you may have guessed, it's not a first-of-its kind scareware designed to steal money from inexperienced computer users. Just a few days ago, we wrote about Master Utilities which is pretty much the same rogue application and there are a many more similar malware in our database. So, if you are under System Recovery malware attack, please follow the removal instructions on this page:

  • Do not delete files from Windows Temp folder
  • Use TDSSKiller and Backdoor.Tidserv Removal Tool before scanning your computer with well-known and well-reviewed malware removal tool
  • Do not purchase System Recovery
Additionally, you can activate the rogue program by entering this registration code 1203978628012489708290478989147 and any email as shown in the image below. Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

Fake System Recovery warning:

Associated System Recovery files and registry values:


Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Desktop\System Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\System Recovery
  • %UsersProfile%\Start Menu\Programs\System Recovery\System Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\System Recovery\Uninstall System Recovery.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Desktop\System Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\System Recovery\
  • %UsersProfile%\Start Menu\Programs\System Recovery\System Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\System Recovery\Uninstall System Recovery.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
Share this information with other people:

No comments:

Post a Comment