Windows Recovery Malware

  • Question

  • I have been an avid installer of Microsoft Security Essentials for about a year now. I have installed it on all five business computers, four at home, and any computer that I "fix". This afternoon the owner of the business I work at somehow obtained the "Windows Recovery" virus. I assumed that MSE was somehow turned off, but it was still there, working in the background. Since that particular virus hides TONS of folders (even after removal you have to "show hidden folders" to see them), I am going to try and restore to an earlier point in time.

    If something can be done to detect this particular virus that would be great. For now I have an unused Kaspersky license that I will be utilizing as soon as I return home on my personal computers. I like the way MSE integrates into the Windows environment and its light resource requirements, but I would rather have three times the resource use and protection than deal with even a minor virus. It's not one of the ones you just get rid of and everything is normal again. Microsoft has some of the most brilliant people on the planet - please help me keep my faith.

    Friday, March 25, 2011 9:38 PM

Answers

  • Found the source and even the best malware suite couldn't have stopped it. The owner got an email with a fake undeliverable notice from "UPS". It contained a compressed file that when opened left the door wide open. It would have never been opened and immediately deleted if it were someone a bit more savvy, but at least he knows a red flag in that particular form now. I will change and add user accounts to the business computers today to make sure that most work is done on regular user accounts with an admin user account in the background. 

    Thank You for your advice.

    Saturday, March 26, 2011 2:57 PM

All replies

  • To protect your Microsoft Windows against viruses, malware programs and spyware, you should:

    • Use an antivirus (like MSE)
    • Use a user without admin privileges. If you need admin privileges, you just need to use "Run as administrator". By proceeding like that, most viruses, spyware and malware programs will have no effect
    • Install the latest Microsoft security updates
    • Never open untrusted links
    • Use Internet Explorer as it is the most secure browser
    • ...

    So, you can see that your computer protection is not just an antivirus. You should do what I said. Personally, I am doing that on my PC and I don't have problems with such viruses.

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Friday, March 25, 2011 10:22 PM
  • REALLY? You ARE a genius.

    I have no control over what other people do at their stations after I do the necessary installs and maintenance.

    Friday, March 25, 2011 11:01 PM
  • You should teach them the best practices to avoid such problems.

    You can also prevent them from being a local admin on their computers. Just give them a guest account and if they need to install software then you should intervene and install it (if you are using AD, you can install MSI packages via group policies). Like that, viruses will not run using admin privileges and their impact will be reduced a lot.


    Friday, March 25, 2011 11:36 PM
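The two replies above both come down to one change: day-to-day work runs as a standard user, and a separate account holds local admin rights for installs and maintenance. The script below is an added example, the editor's rather than anything posted in the thread, that does exactly that on a workgroup Windows 7-era machine using the WinNT ADSI provider (available on PowerShell 2.0, so it does not need the `*-LocalUser` cmdlets that only arrived with PowerShell 5.1). The account names `owner` and `owner-admin` are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the thread: audit local Administrators, create a
# separate admin account for maintenance, and demote the everyday account.
# $DailyUser / $AdminUser are assumed names; run from an elevated prompt.
$DailyUser = 'owner'
$AdminUser = 'owner-admin'

$computer   = $env:COMPUTERNAME
$machine    = [ADSI]"WinNT://$computer"
$adminGroup = [ADSI]"WinNT://$computer/Administrators,group"
$usersGroup = [ADSI]"WinNT://$computer/Users,group"

function Get-GroupMemberNames {
    param($Group)
    # IADsGroup::Members returns COM objects; read each one's Name property
    @($Group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-GroupMember {
    param($Group, [string]$Name)
    # -contains compares case-insensitively, which matches Windows account names
    (@(Get-GroupMemberNames $Group) -contains $Name)
}

Write-Host "Administrators before:"
Get-GroupMemberNames $adminGroup | ForEach-Object { Write-Host "  $_" }

# 1. A separate admin account used only for installs and maintenance.
#    SetPassword needs the plain-text password, hence the plain Read-Host.
if (-not (Test-GroupMember $adminGroup $AdminUser)) {
    $password = Read-Host "Password for new account $AdminUser"
    $user = $machine.Create('User', $AdminUser)
    $user.SetPassword($password)
    $user.SetInfo()
    $adminGroup.Add("WinNT://$computer/$AdminUser,user")
    Write-Host "Created $AdminUser and added it to Administrators"
}

# 2. Demote the everyday account. Refuse if that would leave no local
#    administrator at all (the built-in Administrator is usually disabled).
$remaining = @(Get-GroupMemberNames $adminGroup) | Where-Object { $_ -ne $DailyUser }
if (@($remaining).Count -eq 0) {
    throw "Refusing to remove $DailyUser from Administrators: no other local admin exists"
}
if (Test-GroupMember $adminGroup $DailyUser) {
    $adminGroup.Remove("WinNT://$computer/$DailyUser,user")
    Write-Host "Removed $DailyUser from Administrators"
}
if (-not (Test-GroupMember $usersGroup $DailyUser)) {
    $usersGroup.Add("WinNT://$computer/$DailyUser,user")
}

Write-Host "Administrators after:"
Get-GroupMemberNames $adminGroup | ForEach-Object { Write-Host "  $_" }
```

To check the result, log on as the demoted account and run `whoami /groups`: the token should carry `Mandatory Label\Medium Mandatory Level` rather than `High`, and Administrators should no longer be listed. On Windows 10 and later the same steps are `New-LocalUser`, `Add-LocalGroupMember` and `Remove-LocalGroupMember`; in a domain, push the membership from Group Policy (Restricted Groups) instead of touching each machine.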
  • I NEVER open anything unless I know exactly what it is, and didn't open anything the past few days, anyway. However, a blog site I visited (I think it was that one... it was the only one, around that time, with which I've had no prior interaction) said it needed my permission to run FLASH. First I clicked "no", then I thought, shoot, it's just a video, I can always hit pause, and hit OK.

    Shortly after, I started getting the Windows Recovery messages.  I knew it was a trick, and did not follow their directions.  I finally found the newly installed program, its name was only a number.exe, and finally deleted it.  The "your computer is in trouble" messages stopped, and THEN the random audio-only started.  Nothing running that shows up.  I've been online since 1985 or so, and am not an idiot. 

    Point is, HOW DO I GET RID OF IT? It's obviously an old form of malware, judging by the posts dating back to 2007 from people who've gotten it. They were given really weird answers, like "your speakers are picking up radio stations". But I KNOW this is malware... it was too closely connected with the Windows Recovery incident.

    Please don't tell me how to prevent it... I need a list of steps to eradicate it.  And I'm not falling for the many web sites that purport to remove it while actually installing THEIR version of malware/adware. 

    Sorry if I seem bitter, I'm frustrated with others' useless "answers".  WhiskeyTango73, you seem to have a "handle" (pun intended) on it... what is your advice?

    Saturday, April 23, 2011 6:02 PM
  • I think I have just discovered a MAJOR clue about this. I mean, unless you already knew this much. I had noticed that the places it was playing the random clips from are being logged in my IE8's HISTORY. Then I found "another" script error message about one of those uninvited pages, and realized I'd seen several of those since the problem started. So, something connected to IE is running scripts. I have a screen capture of the most recent "Internet Explorer Script Error" message, in case someone can get any more clues from it. I'll keep saving future ones, too. My son suggested disabling ActiveX, or Java, or other scripts... hmmm... bet it's Flash. It started with a request supposedly from Flash.

    I'm SO used to IE, and have it set up exactly as I want it, that I'd hate to permanently switch to another browser.  Though the scripts (or whatever) are  running even when IE8 is not.  Still, I wonder if uninstalling it, or disabling a certain type of script, would end it?

    Picking up radio transmissions, indeed... I hope those other poor souls have gotten better answers by now...

    Back to my detective work...

    Saturday, April 23, 2011 6:24 PM
  • Well unfortunately the OP found the problem... I say "unfortunately" because I just got burned two days ago by this virus, and as with a prior user it was a simple window asking permission to run Flash (it wasn't the normal Windows permission - this was a web-based permission). Security Essentials did NOTHING - and it screwed up everything. Ended up having to format and re-install the O/S. It deleted my system restore files, ruined my mouse driver to the point where no mouse would work and reinstalling / fixing drivers did not help, the works.

    I, too, have been preaching Security Essentials for about 6 months.  No more.  Back to Kaspersky - I guarantee if I had Kaspersky running, there is no way I would have gotten this virus.

    Saturday, April 30, 2011 3:17 AM
  • Does anyone have any clue in how to get the programs menu/desktop icons to reappear? Or is formatting the only option? I've removed the malware.. but all my existing programs in the start menu don't appear.
    Tuesday, May 10, 2011 4:49 AM
  • Does anyone have any clue in how to get the programs menu/desktop icons to reappear? Or is formatting the only option? I've removed the malware.. but all my existing programs in the start menu don't appear.

    The malware simply makes your user profile folder hidden (and adds a registry key to not show hidden files and folder), so that it looks as if your documents and data have disappeared. All you need to do is untick the 'Hidden' checkbox in the properties of your user profile folder.

    It's not that difficult a virus to remove. I've dealt with it on a couple of customers' machines, and I've found that when I log in as the local administrator, the virus isn't active as it's only been set to run in the user account of the person that encountered it, despite the virus files being installed in the 'All Users\Application Data' folder. MalwareBytes will find and remove the files, although I'd suggest also checking for registry entries that have been changed/created within the affected user's profile.

    Friday, May 13, 2011 9:16 AM
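The reply above describes the mechanism behind the "everything disappeared" symptom: the profile folder gets the Hidden attribute, and Explorer is told not to display hidden items. The following is an added example from the editor, not code posted in the thread, that reverses both parts. It assumes it is run as the affected user (`$ProfilePath` defaults to that user's profile) and deliberately walks only the user-visible folders, because AppData, desktop.ini and NTUSER.DAT are hidden by design and should stay that way.

```powershell
# Added example, not from the thread: undo the rogue's hiding of the profile,
# Desktop and Start Menu, and restore Explorer's hidden-file settings.
# Assumes it runs as the affected user; $ProfilePath is an assumed parameter.
param([string]$ProfilePath = $env:USERPROFILE)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Explorer's "show hidden files" value: 1 = show, 2 = do not show.
# Setting it back to 1 (and showing protected OS files) lets you see the damage.
Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord
Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord

function Clear-HiddenAttribute {
    param([System.IO.FileSystemInfo]$Item)
    # Items carrying the System attribute (desktop.ini, NTUSER.DAT, junctions
    # such as "Application Data") are hidden by design: leave them alone.
    if (($Item.Attributes -band [IO.FileAttributes]::System) -ne 0) { return }
    if (($Item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
        $Item.Attributes = $Item.Attributes -bxor [IO.FileAttributes]::Hidden
        Write-Host "Unhid: $($Item.FullName)"
    }
}

# The profile folder itself (the symptom in the thread), but not all children:
# AppData is hidden by default and must stay hidden.
Clear-HiddenAttribute (Get-Item -LiteralPath $ProfilePath -Force)

# Folders whose contents the rogue blanks out; these are walked recursively.
$visibleRoots = @(
    (Join-Path $ProfilePath 'Desktop'),
    (Join-Path $ProfilePath 'Documents'),
    (Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:PUBLIC 'Desktop')
)

foreach ($root in $visibleRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Clear-HiddenAttribute (Get-Item -LiteralPath $root -Force)
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Clear-HiddenAttribute $_ }
}
```

Log off and back on (or restart explorer.exe) afterwards so Explorer re-reads the registry values. Run the malware removal first: if the rogue's process is still alive it re-applies the attributes as fast as you clear them.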
  • I just had a similar problem with "Windows 7 Recovery." Looks like for me, it also installed via fictional flash file. In my case, I'm not that familiar with Windows 7 and since it was installed already, assumed it was supposed to be there. It wanted a password, and a reboot. I didn't catch on until I noticed the improper grammar on the 3rd tab of the program. Anyway, this thing now messes up a bunch of your windows settings, in my case, it was 2 files, one was a 15 character long string of random characters, and the other what looked like a random number. They ran in services with the category of "Microsoft.... ODBC...." I don't have the exacts. The files were physically located in C:\Program Data\ (which was hidden). One file actively starts the other if it gets closed, and I had to eliminate them both from processes to get the constant fake errors to stop. Now the fun part. It hid everything on my desktop, including my wallpaper. It also hid everything in my start bar, and changed a bunch of further settings in the registry, including hiding a bunch of folders even on my external hard drive. I'm still sorting this mess out. AVG didn't detect it at all. Windows Defender did not detect it. MalwareBytes did. Here's the useful blog entry I came across to help me remove this thing- http://www.pchubs.com/blogs/windows-7-recovery-removal-process-remove-windows7recovery
    Saturday, May 21, 2011 1:23 PM
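Two of the replies above give a concrete profile of the rogue: randomly named executables dropped under ProgramData (the Windows 7 name for "All Users\Application Data"), started from the infected user's own account rather than machine-wide, one process restarting the other. The script below is an added triage example from the editor, not anything posted in the thread, that enumerates the Run/RunOnce autostart keys and running processes and flags entries whose image lives in a user-writable location or has a purely numeric or random-looking name. The list of suspect locations and the name heuristic are assumptions for illustration, not indicators published for this malware.

```powershell
# Added example, not from the thread: quick autorun/process triage for the
# pattern the posts describe. Suspect locations and the random-name regex
# are assumptions; run it as the affected user so HKCU is that user's hive.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Writable locations a standard user (and therefore user-level malware) can
# drop files into. Assumption for illustration.
$suspectRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ImagePath([string]$Command) {
    # Extract the executable from a Run value such as "C:\x\y.exe" /flag or C:\x\y.exe
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $Command.Trim()
}

function Test-SuspectPath([string]$Path) {
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $suspectRoots) {
        if ($p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    # A bare number, or a long mixed letter/digit string, as the file name
    $name = [IO.Path]::GetFileNameWithoutExtension($p)
    return ($name -match '^\d+$') -or ($name -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$')
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PSPath/PSParentPath/... properties the registry provider adds
    foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $image = Get-ImagePath ([string]$entry.Value)
        New-Object PSObject -Property @{
            Key     = $key
            Name    = $entry.Name
            Image   = $image
            Exists  = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($image))
            Suspect = Test-SuspectPath $image
        }
    }
}

Write-Host "Autostart entries (Suspect = writable location or random-looking name):"
$findings | Sort-Object Suspect -Descending | Format-Table Suspect, Exists, Name, Image -AutoSize

# Running processes whose image sits in the same writable locations. Access to
# some system processes is denied, so a failed Path lookup is treated as none.
Write-Host "Running processes from writable locations:"
Get-Process | Where-Object {
    $p = $null
    try { $p = $_.Path } catch { }
    $p -and (Test-SuspectPath $p)
} | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
```

Because the rogue registers itself per user, the HKCU keys only show it when you run this as the person who was infected; from the local administrator account (as the reply above notes) it is simply absent. Kill both flagged processes in one go with `Stop-Process -Id <id>,<id> -Force` before deleting the files, otherwise the survivor relaunches its partner.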