Windows 7 Recovery

May 15, 2011

Windows 7 Recovery is a fake utility program that uses a Trojan to spread itself. It can be installed on the computer without the user's consent. What sets this rogue apart is that it detects the victim's operating system and installs a version based on the identified OS. Other versions of this rogue are Windows XP Recovery and Windows Vista Recovery. Promoted as a system utility tool, Windows 7 Recovery advertises features such as hard drive and memory optimization. Though it may look like a legitimate program, its authors built it as a money-making scheme to scam computer users. Its promises to fix system errors and improve the operation of the PC are not kept even by the licensed version. Neither the trial nor the full version of this phony software can do what was promised when it was promoted.

If you spot Windows 7 Recovery on the computer, get a legitimate anti-malware program and install it as suggested. Then update its database so that recent malware and viruses will be identified. Run a complete scan and delete all threats the tool reveals. To completely remove Windows 7 Recovery, another full scan is advised while the computer is running in Safe Mode.

Type: Rogue
Sub-Type: FakeAV
OS Affected: Windows 7

What are the Symptoms of Windows 7 Recovery Infection?

Windows 7 Recovery Fake Scanner

It modifies the Windows Registry and adds the following entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “Hidden” = ‘0’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden” = ‘0’
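
To triage a machine offline, the fixed-value entries above can be checked against a registry export. The following is an added example, not part of the original article: it parses the text of a .reg export (decode the exported file as UTF-16 before passing it in) and reports values that match the list; the function names and the sample export are constructed for illustration, and the Run entries, whose names are random, are not matched.

```python
import re

# (key path, value name) -> data, lower-cased, as listed on the page.
CV = r"hkey_current_user\software\microsoft\windows\currentversion"
IE = r"hkey_current_user\software\microsoft\internet explorer"
LM = r"hkey_local_machine\software\microsoft\windows\currentversion"
INDICATORS = {
    (CV + r"\internet settings", "certificaterevocation"): "0",
    (CV + r"\internet settings", "warnonbadcertrecving"): "0",
    (CV + r"\policies\activedesktop", "nochangingwallpaper"): "1",
    (CV + r"\policies\attachments", "savezoneinformation"): "1",
    (CV + r"\policies\system", "disabletaskmgr"): "1",
    (LM + r"\policies\system", "disabletaskmgr"): "1",
    (IE + r"\download", "checkexesignatures"): "no",
    (CV + r"\explorer\advanced", "hidden"): "0",
    (CV + r"\explorer\advanced", "showsuperhidden"): "0",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, name, data) from .reg text; dwords become decimal strings."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                yield key, name, str(int(raw[6:], 16))
            else:
                yield key, name, raw.strip('"').replace("\\\\", "\\")

def audit(text):
    """Return the (key, name, data) triples that match the page's list."""
    return [(k, n, d) for k, n, d in parse_reg(text)
            if INDICATORS.get((k.lower(), n.lower())) == d.lower()]

# Constructed sample export (not taken from a real infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

A single match is weak evidence, since some of these values can be set by an administrator; several matches together are what point to this rogue.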

The threat will drop the following malicious files:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Uninstall Windows 7 Recovery.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Windows 7 Recovery.lnk
%UserProfile%\Desktop\Windows 7 Recovery.lnk
%AllUsersProfile%\~
%AllUsersProfile%\~r
%AllUsersProfile%\.dll
%AllUsersProfile%\[random].exe
%AllUsersProfile%\
%AllUsersProfile%\.exe
