Windows 7 Recovery (Spyware)

I recently encountered a spyware/virus infection on a Windows 7 PC that was quite interesting. It called itself Windows 7 Recovery. At first the spyware makes you think that your hard drive has failed and that your system has many errors. What actually happens to your desktop is the interesting part: the spyware sets the hidden attribute on all of your programs, desktop items and startup items, so the desktop and Start menu look empty. This gives you the impression that something is wrong with your hard drive and that you need to fix it. The fake Windows 7 Recovery then informs you that it can fix the issues for you if you purchase the software. That should be your first sign that it is not a legitimate piece of software: if you did not install it and it is asking you to buy it, stop immediately and contact your IT support. Also, do not worry about your files; they are still there, just hidden.

How to Fix:

I ran the Sysinternals tool Autoruns to find out exactly which programs were starting automatically and causing the problem. On the Logon tab, under the Run registry keys, I found three suspicious entries whose names consisted of randomly generated characters. I deleted all three executables as well as the registry values that launched them.

I also found a few other registry values that had been changed. Some of them block things such as changing the desktop background and opening Task Manager; others turn off Internet Explorer's certificate-revocation, bad-certificate and download-signature checks and hide hidden files in Explorer, which is why the hidden programs do not show up. If you find the entries below on your system, delete the Run entries and the Policies values. For the Internet Settings, Internet Explorer and Explorer\Advanced values, set them back to their normal settings instead of deleting them: CertificateRevocation and WarnonBadCertRecving to 1, CheckExeSignatures to yes, ShowSuperHidden to 0, and Hidden to 1 while you are still checking for hidden files (2 is the default that hides them again). Use FormSuggest controls AutoComplete for forms, so yes is a normal setting and can be left alone.

NOTE: If you do not know anything about the registry consult a technology professional.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random>.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random>”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “Hidden” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden” = ‘0’
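The clean-up above as one script, added here as an example; it is not part of the original post and was not written by the post's author. It lists the Run entries so the randomly named ones stand out (the same view Autoruns gives on its Logon tab), deletes the Run values you name, removes the Policies values, puts the Internet Explorer and Explorer settings back to their normal values, and clears the hidden attribute on desktop and Start menu items. Run it in an elevated PowerShell as the affected user, since HKCU: is the hive of whoever runs it. The directories it unhides, the -DeleteFiles behaviour and the parsing of the Run command line are my assumptions. The LowRiskFileTypes string as printed in the list above is the extension list with every byte XOR 1 ('/' for '.', ':' for ';'); it decodes to .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr, the types the policy marks as "low risk" so the Attachment Manager stops warning about them. The script prints both the raw and the decoded form before deleting the value, in case a live system stores it as plain text.

```powershell
<#
 Added example (not from the original post): clean-up for the "Windows 7
 Recovery" rogue. Run elevated, as the affected user. Uses only PowerShell
 2.0 syntax, the version shipped with Windows 7.
 Usage:  .\Clean-Win7Recovery.ps1 -RogueRunValues 'kQz8rWp3','kQz8rWp3.exe' -DeleteFiles
#>
param(
    [string[]]$RogueRunValues = @(),   # Run value names found in Autoruns' Logon tab
    [switch]$DeleteFiles               # also delete the executables those values launch
)
$ErrorActionPreference = 'Stop'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Step 1: list every Run entry (name, command line, key) for review.
function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Step 2: delete the rogue's Run values and, optionally, the files they launch.
function Remove-RogueRunEntries([string[]]$Names, [switch]$AlsoDeleteFiles) {
    foreach ($entry in Get-RunEntries) {
        if ($Names -notcontains $entry.Name) { continue }
        Write-Host "Removing $($entry.Key)\$($entry.Name) -> $($entry.Command)"
        Remove-ItemProperty -Path $entry.Key -Name $entry.Name
        # Assumption: the command is "C:\path\x.exe" or C:\path\x.exe [args].
        if ($AlsoDeleteFiles -and ($entry.Command -match '^"?([^"]+?\.exe)"?')) {
            $exe = $Matches[1]
            if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force }
        }
    }
}

# Step 3: policy values to delete, and settings to put back to normal.
$PolicyValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';  Name = 'LowRiskFileTypes' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name = 'SaveZoneInformation' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' }
)
$RestoreValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'CertificateRevocation'; Value = 1;     Type = 'DWord' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnonBadCertRecving'; Value = 1;     Type = 'DWord' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';               Name = 'CheckExeSignatures';   Value = 'yes'; Type = 'String' },
    # Hidden=1 shows hidden files so you can confirm nothing is still hidden; set it to 2 when done.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Value = 1;     Type = 'DWord' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Value = 0;     Type = 'DWord' }
)

# Undo the byte-wise XOR 1 seen in the LowRiskFileTypes string listed above.
function ConvertFrom-Xor1([string]$s) {
    $chars = foreach ($c in $s.ToCharArray()) { [char]([int]$c -bxor 1) }
    return -join $chars
}

function Test-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $false }
    return $null -ne (Get-ItemProperty -Path $Path).PSObject.Properties[$Name]
}

function Repair-RegistrySettings {
    foreach ($v in $PolicyValues) {
        if (-not (Test-RegValue $v.Path $v.Name)) { continue }
        if ($v.Name -eq 'LowRiskFileTypes') {
            $raw = (Get-ItemProperty -Path $v.Path).LowRiskFileTypes
            Write-Host "LowRiskFileTypes was: $raw  (XOR-1 decoded: $(ConvertFrom-Xor1 $raw))"
        }
        Remove-ItemProperty -Path $v.Path -Name $v.Name
        Write-Host "Deleted $($v.Path)\$($v.Name)"
    }
    foreach ($v in $RestoreValues) {
        if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
        Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value -Type $v.Type
    }
}

# Step 4: clear the Hidden attribute on the places the rogue hid (directory list
# is an assumption). -h without -s leaves system+hidden files such as desktop.ini alone.
function Restore-HiddenFiles {
    $dirs = @("$env:USERPROFILE\Desktop", "$env:APPDATA\Microsoft\Windows\Start Menu",
              "$env:PUBLIC\Desktop", "$env:ProgramData\Microsoft\Windows\Start Menu",
              $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($d in $dirs) { attrib -h "$d\*" /s /d }
}

Write-Host "Current Run entries (look for randomly named ones):"
Get-RunEntries | Format-Table Name, Command, Key -AutoSize
if ($RogueRunValues.Count -gt 0) { Remove-RogueRunEntries -Names $RogueRunValues -AlsoDeleteFiles:$DeleteFiles }
Repair-RegistrySettings
Restore-HiddenFiles
Write-Host "Done. Log off and back on so Explorer and Task Manager pick up the restored settings."
```

Run it once without -RogueRunValues to see the Run entries, then again with the names you identified. Removing the value under HKLM and the HKLM DisableTaskMgr policy is what needs the elevated prompt; everything else is in the current user's hive.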

Additional error messages that you may see:

“Hard Drive Failure The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system”

“System Error An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors”

“Critical Error Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can’t find hard disk space. Hard drive error”

“Fix Disk Windows 7 Recovery Diagnostics will scan the system to identify performance problems. Start or Cancel”

“Windows 7 Recovery Diagnostics Windows detected a hard disk error. A problem with the hard drive sectors has been detected. It is recommended to download the following certified <sic> software to fix the detected hard drive problems. Do you want to download recommended software?”

“Requested registry access is not allowed. Registry defragmentation required Read time of hard drive clusters less than 500 ms 32% of HDD space is unreadable Bad sectors on hard drive or damaged file allocation table GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash Drive C initializing error Ram Temperature is 83 C. Optimization is required for normal operation. Hard drive doesn’t respond to system commands Data Safety Problem. System integrity is at risk. Registry Error – Critical Error”

“Critical Error! Damaged hard drive clusters detected. Private data is at risk”

“Critical Error Hard Drive not found. Missing hard drive”

“Critical Error RAM memory usage is critically high. RAM memory failure”

“Critical Error Windows can’t find hard disk space. Hard drive error”

“Critical Error! Windows was unable to save all the data for the file System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware”

“Critical Error A critical error has occurred while indexing data stored on hard drive. System restart required”

“System Restore The system has been restored after a critical error. Data integrity and hard drive integrity verification required”

“Activation Reminder Windows 7 Recovery Activation Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features”

“Low Disk Space You are running very low disk space on Local Disk (C:)”

“Windows – No Disk Exception Processing Message 0x0000013”

  1. I am currently affected with this virus THANK YOU SO MUCH for doing this!!!!! Truly appreciated!!!! Please continue posting free genius!

  2. Thanks for this article. A friend thought his hard disk failed; I suspected malware but wasn’t sure specifically which steps to take.

    I found about two-thirds of the keys you found and some other ones that appeared to be related (keys put in local_machine instead of user, etc.)

    Microsoft Security Essentials cleaned up the trojan but kept catching more of it. For example, it tried to prevent me from un-hiding files, tried to stop me (I think) from using regedit, tried to close or redirect IE after I managed to get it open, etc.

    1. What I like to do in this situation is log in as another user. Then run Autoruns from that user account. After the initial scan, you will see a Users tab at the top in which you can change the user you are running Autoruns for. Generally on the second tab, which is “Logon,” you will see suspicious entries and it will tell you where they are. I always try removing the infection first before these other things.

