Windows Recovery Fake Analysis and Diagnostic Program.


Like rogue or fake anti-spyware (also known as scamware), this is a fake system analysis/diagnostic program that is installed through malware, infected adverts or websites. It configures itself to start automatically every time the computer starts up. It brings up a scanner saying you are having problems with your computer, such as hardware errors, and then asks you to purchase it to remove the problems. Whatever you do, don't purchase it: the program is the real infection and should be removed. The program also pops up various messages while it is running in the background. Some of the various messages are shown below:

On top of these error messages popping up and causing annoyance, the program also does more sinister things to make you believe what it is saying is true. It alters the attributes of your system files and even program files, adding the +H (hidden) attribute to make it look like they have been deleted. It also attempts to stop you running programs by throwing up error messages, reinforcing the belief that there are problems with your computer. The program may also change all your default file associations to stop you running programs.


To remove this piece of malware you need to follow these instructions:

Note: If at any point you have problems following the steps below, start the computer in Safe Mode by pressing F8 when the computer starts and selecting Safe Mode with Networking from the menu.

Firstly, you need to download and run Rkill. This will kill any rogue processes that are running on the computer. (Do not restart your computer afterwards, as this will allow any problematic programs to restart.) If you have problems running Rkill, please download a version from the same page with a different extension. Once you have run Rkill, download and install MalwareBytes. Update it to the latest definitions and run a full scan. This should remove the infection that is Windows Recovery.

Removing the +H attribute set by the rogue scamware.

If this infection has hidden all your program files, system files and icons, you will need to unhide them again by taking off the +H attribute. To do this for your whole disk, please do the following:


If you do not feel comfortable with the above method, you can download a program called Unhide from Bleeping Computer to do a similar job.
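One way to audit and clear the +H attribute from PowerShell is shown below. This is an added example, not the original page's own steps or any tool's code. The parameter names `$Root` and `$Apply` are assumptions made for the example. It skips anything that also carries the System attribute, on the assumption that the malware sets only +H, so protected operating system files that Windows itself marks hidden and system are left alone.

```powershell
# Added example (not from the original page). Save it as a .ps1 file and run it
# from an elevated PowerShell prompt after the malware itself has been removed.
param(
    [string]$Root = 'C:\',   # assumption: the affected volume
    [switch]$Apply           # without -Apply the script only reports
)

$hidden = [System.IO.FileAttributes]::Hidden
$system = [System.IO.FileAttributes]::System
$changed = 0

# -Force makes Get-ChildItem return hidden items; access-denied errors on
# protected folders are suppressed so the walk continues.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # Hidden but NOT System: the pattern described in the text (+H only).
        ($_.Attributes -band $hidden) -and -not ($_.Attributes -band $system)
    } |
    ForEach-Object {
        if ($Apply) {
            try {
                # The filter guarantees Hidden is set, so XOR clears just that bit
                # and leaves ReadOnly, Archive, etc. untouched.
                $_.Attributes = $_.Attributes -bxor $hidden
                $changed++
            } catch {
                Write-Warning "Could not update $($_.FullName): $($_.Exception.Message)"
            }
        } else {
            Write-Output "Would unhide: $($_.FullName)"
        }
    }

if ($Apply) {
    Write-Output "Cleared the Hidden attribute on $changed items under $Root"
}
```

Run it once without `-Apply` and review the list first: folders that Windows hides by default without the System attribute, such as AppData and ProgramData, will also be listed and would be unhidden.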

Note: If your computer is not allowing you to run executable files and is instead asking which program you wish to open them with, your .exe file association has been altered by the virus, causing it not to work. You will need to reset your default file associations (Windows 7).




Disclaimer: By using any of the software mentioned in this document you are adhering to their terms and conditions of use. I do not accept any responsibility for any loss, damage or disruption to your data or computer system that may occur while using the software mentioned in this document.
