The Windows Recovery Virus Returns

Over the past few weeks we have been receiving comments from technicians and private subscribers who have used Reimage to resolve the Windows Recovery Virus.

This virus has been around for a while but has recently resurfaced. The Windows Recovery Virus is a harmful malware that disguises itself as a certified Microsoft optimization program, initiating a scan of the user’s hard-drive, with or without permission. Once this has happened, we must assume that the virus has infiltrated the system, effectively hijacking it by modifying the system settings. It then proceeds to disable any anti-virus and firewall applications. In many cases, the virus prevents any installed programs from running, rendering the PC virtually unusable. To add insult to injury, the virus repeatedly prompts the user to purchase the Windows Recovery registration key, in order to repair the unstable system.

The Windows OS affected by the Windows Recovery Virus are Win 2000, Win XP, Vista, Win 7.

Solutions include removing it manually, or as one technician put it “…Much rather spend 20 minutes with a cup of tea and a biscuit, and one eye on (Reimage)…”

We are always grateful for the emails, responses and updates, from all of our subscribers, especially those recounting personal experiences when using Reimage to repair their PC; as these help us to make our product work better for you.

As you have no doubt guessed, Reimage is an effective solution to this problematic virus. Not only will Reimage restore all system settings to their default Microsoft settings, but it will do so without harming your user data, nor requiring you to back-up your system in order to begin the repair process. Regardless, we do however maintain that you should always keep a back-up copy of all your important data.

In addition, Reimage will replace any Windows OS files that were erased, damaged, or compromised by the virus with authorized Microsoft parts.

To remove this virus manually you can try the instructions found on Microsoft Answers.

The following instructions are recommended for advanced users only. If for any reason, you are uncertain of how to perform any of the tasks listed below, we strongly advise that you do not continue.
To remove this virus manually, complete the following set of tasks. Do not forget to create a backup before getting started to the manual removal guide.

1) Stop Process:
Open the Windows Task Manager and click the Processes tab. In the list of active tasks, locate and select the process [random].exe. Click the End Process button. The process will now stop.

2) Delete Registry Values:
Launch the Registry Editor by going to Start>Run. Type regedit and click OK.
The Registry Editor is divided into two panes. The left pane is for navigating to a specific registry key, and the right pane displays the values of the selected key.
To delete a value, right-click the value (in the right pane) and select Delete.
Delete the following registry entries:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “[random].exe”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “[random]”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAttachments “SaveZoneInformation” = ’1′
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDownload “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “WarnonBadCertRecving” = ’0′
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem “DisableTaskMgr” = ’1′

3) Unregister DLL Files:
Launch the Command Prompt window by going to Start>Run. Type cmd and click OK.
In the Command Prompt window, navigate to a folder containing the file [random].dll.
Within the directory, type regsvr32 /u [dll_name] and press Enter.
A message should appear to confirm the un-registration process.

4) Delete Files:
Windows Vista & 7:

%AllUsersProfile%~<random>
%AllUsersProfile%~<random>r
%AllUsersProfile%<random>.dll
%AllUsersProfile%<random>.exe
%AllUsersProfile%<random>
%AllUsersProfile%<random>.exe
%UserProfile%DesktopWindows Recovery.lnk
%UserProfile%Start MenuProgramsWindows Recovery
%UserProfile%Start MenuProgramsWindows RecoveryUninstall Windows Recovery.lnk
%UserProfile%Start MenuProgramsWindows RecoveryWindows Recovery.lnk

Windows XP:

%AllUsersProfile%Application Data~<random>
%AllUsersProfile%Application Data~<random>r
%AllUsersProfile%Application Data<random>.dll
%AllUsersProfile%Application Data<random>.exe
%AllUsersProfile%Application Data<random>
%AllUsersProfile%Application Data<random>.exe
%UserProfile%DesktopWindows Recovery.lnk
%UserProfile%Start MenuProgramsWindows Recovery
%UserProfile%Start MenuProgramsWindows RecoveryUninstall Windows Recovery.lnk
%UserProfile%Start MenuProgramsWindows RecoveryWindows Recovery.lnk

5) Restart your system.