We have to admit that "System Recovery" is a very generic name and it looks more like a legit system utility than scareware. Conversation rate is typically around 2% for rogue anti-virus software, System Recovery might do even better because it looks like genuine Windows software. As you may have guessed, it's not a first-of-its kind scareware designed to steal money from inexperienced computer users. Just a few days ago, we wrote about Master Utilities which is pretty much the same rogue application and there are a many more similar malware in our database. So, if you are under System Recovery malware attack, please follow the removal instructions on this page: http://deletemalware.blogspot.com/2011/09/how-to-remove-master-utilities.html
Important!
- Do not delete files from Windows Temp folder
- Use TDSSKiller and Backdoor.Tidserv Removal Tool before scanning your computer with well-known and well-reviewed malware removal tool
- Do not purchase System Recovery
Fake System Recovery warning:
Associated System Recovery files and registry values:
Files:
Windows XP:
- %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
- %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
- %UsersProfile%\Desktop\System Recovery.lnk
- %UsersProfile%\Start Menu\Programs\System Recovery
- %UsersProfile%\Start Menu\Programs\System Recovery\System Recovery.lnk
- %UsersProfile%\Start Menu\Programs\System Recovery\Uninstall System Recovery.lnk
%UserProfile% refers to: C:\Documents and Settings\[User Name]
Windows Vista/7:
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
- %UsersProfile%\Desktop\System Recovery.lnk
- %UsersProfile%\Start Menu\Programs\System Recovery\
- %UsersProfile%\Start Menu\Programs\System Recovery\System Recovery.lnk
- %UsersProfile%\Start Menu\Programs\System Recovery\Uninstall System Recovery.lnk
%UserProfile% refers to: C:\Users\[User Name]
Registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
0 comments:
Post a Comment