Remove Windows Recovery malware

Windows Recovery is a misleading program that pretends to be a legitimate and useful system repair software. It will detect hardware and registry errors, state that can improve the performance your computer. However, you should never believe in it! WindowsRecovery can not detect and fix any system problems. This parasite is created with one purpose, to steal your money.

Windows Recovery is distributed via trojans. On first start, this malware registers itself in the registry Windows, to run automatically. Further, the program starts the process of scanning a machine whose result is the discovery of the set of serious system problems, e.g “Data Safety Problem. System integrity is at risk.”, “Registry Error – Critical Error.”, “Ram Temperature is 83 C. Optimization is required for normal operation.”, etc. Then as the scan is complete, you get a prompt to purchase its full version and fix the system. Most important, don`t pay for the bogus software! You should ignore all that WindowsRecovery will show you.

Moreover, Windows Recovery will display a lot of fake alerts that warn about critical system errors, hardware failure, etc. Some of the alerts are:

Critical Error!
Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

What is more, Windows Recovery will block the action to launch any executables. Instead it will generate the fake warning box:

Windows detected a hard drive problem.
A hard drive error occurred while starting the application

Just the false scan results, all of these warning are a fake and should be ignored.

From the above, obviously, although all the actions taken by WindowsRecovery might look legitimate but, in reality, the program is totally scam. Don’t trust it! Need as quickly as possible to check your computer and remove all found components of this malware. Please follow the removal instructions below to remove Windows Recovery malware for free.

Automatic removal instructions for Windows Recovery malware in Safe mode

1. Reboot in Safe mode with networking
It is possible that WindowsRecovery malware will not allow you to run a malware removal software. If this is the case, then you will need to reboot your computer in Safe mode with networking.

1.1. Restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear.

1.2. Select “Safe mode with networking” and press Enter.

2. Remove Windows Recovery malware

2.1. Download Malwarebytes Anti-malware or SuperAntispyware and install it.

2.2. Perform a full scan. The scan may take some time to finish,so please be patient.

2.3. Remove what it found and reboot your computer.

Automatic removal instructions for Windows Recovery malware in Normal mode mode

1. Rename the main executable of Windows Recovery

1.1. For Windows XP/2000 users
Click Start, Run. Type in Open field the text below:

%AllUsersProfile%\Application Data

Press Enter. It will open a contents of C:\Documents and Settings\Users\Application Data folder.

1.1. For Windows Vista/7 users
Click Start, type in Search field the text below:


Press Enter. It will open a contents of C:\ProgramData folder.

1.2. Locate randomly named files (e.g. se6qSOdT83lVn.exe, BVKcPHxLQWl.exe) and rename them.

1.3. Reboot your computer.

2. Remove Windows Recovery malware

2.1. Download Malwarebytes Anti-malware or SuperAntispyware and install it.

2.2. Perform a full scan. The scan may take some time to finish,so please be patient.

2.3. Remove what it found and reboot your computer.

If you need a help with the instructions, ask a question in the Spyware removal forum.

Associated Windows Recovery files and registry keys:

%UserProfile%\Desktop\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\
%UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%AllUsersProfile%\[RANDOM CHARACTERS].exe
%AllUsersProfile%\[RANDOM CHARACTERS].dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | [RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | [RANDOM CHARACTERS].exe

You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

AddThis Social Bookmark Button

9 Responses to “Remove Windows Recovery malware”

  1. There were 4 steps I needed to go through to re-capture control of my computer: you are missing “unhider” and restore). Here is what I posted elsewhere (just trying to help people out):

    I spent 5 hours earlier today battling the new Windows Recovery malware and I want to share the solution. The worst part is that I am running the full McAfee Security Center and it DID NOT block this malware. It did try to remove a few of the files after they had been installed, but it wasn’t complete and I couldn’t correct the problem nor could I run Windows Restore. My computer was virtually useless and my files inaccessible.

    “Windows Recovery” first appears as a series of pop up warnings with messages like “Critical Error”, “the system has detected a problem with . . .”, “Hard drive failure”, and others. These are all scary warnings that look very real. Here’s a link to some examples of what it looks like when it takes over your computer:

    If you click on any of those windows — to close them, minimize or even move them — they install further malware on your computer and completely take it over.

    In my case, the malware eventually shut down and restarted my computer and virtually all my desktop icons disappeared. When I went to the start menu, all my programs had disappeared from the folders. When I tried Control-Alt-Delete — it told me I was not authorized to access the Windows Task Manager. Only 3 icons remained on my desktop: Internet Explorer , My Computer and (in my case) AOL. When I opened My Computer, all the icons and folders were grayed out and were listed as “read only” files.

    If this sounds like the problem you’re having, follow these simple steps which worked for me and you’ll save a lot of heartache:

    1) download the free Malwarebytes from;1 or directly here:

    2) allow it to update the definitions then run the scan

    3) after it finds the malware, instruct it to delete the malware files and restart your computer

    4) when you computer restarts don’t be dismayed to find that your files and desktop are still missing. That’s because this Windows Recovery malware “hides” your original files as part of its nastiness.

    5) now go and download Trojan-Killer’s free “unhider” here: or directly here:

    6) double-click the downloaded file to run it and wait as it “unhides” all your files and folders on your computer. It takes about 10 minutes to complete (with no progress indicator), but you’ll see your desktop icons slowly reappear, though your original desktop background image will probably still be missing and some files still may not be accessible.

    7) you’ve now removed the Windows Recovery malware and “unhided” the files, folders and links

    8) Now to need to Restore your system to a point prior to the malware attack. You will now see that most of your programs have been restored to your start menu. Follow this method to restore your system: on Windows XP (may be similar for Vista or 7?), click Start >> All Programs >> accessories >> System Tools >> System Restore. From there you can restore you computer to a time before the malware attack.

    9) Once System Restore completes, your computer will be restarted and will be restored to it’s prior operating norms. Note that it could take a long while for your computer to fully restart and there may be a window or two which will need your attention throughout the process. In my case, it took nearly 1/2 hour to fully restore my files and operating system to their prior format.

    I hope this brief tutorial helps you avoid the headaches I experienced and extra hours I spent earlier today.

    Good luck!

  2. Thanks so much for posting this- everything worked except unhider.exe I click to run the program and nothing happens, unless it’s running and I don’t realize it. Thanks again!

  3. I have followed the steps carefully and removed the malware – 32. Then I tried the “unhider” and ran into a problem with IE not responding. Needless to stay I did not get all of my program files back and some of the folders – especially administrative tools is empty, so cannot restore. Got any clues what to do next.

  4. lifesaver thanks man. very thorough and easy to follow. props.

  5. Exactly works as said. Many thanks John for posting to help others.

  6. Did work and got rid of the fake alert. Thanks.

  7. Acusmatico Says:

    Hello John and thank you very much for your suggests. I got this malware simply surfing the net. After the error message icons, Avast antivirus displayed that I got a virus. Sounds like a joke!!! I was scared to lose all my data so I immediately removed the hard disc from the pc and inserted it in another one to get data. Then I restarted with Linux Ubuntu and noticed that all data were still available. I followed the topic indications and your indications. After removing malware with Malwarebytes I started Unhider. It has been very useful; it got back most of the files from D:/ (the second partition that windows didn’t find). To read all files I selected all and changed properties of the folders and files: unhide and not read only. Anyway the problem for me was the desktop, still black and not restored. Access to task manager was forbidden. My friend suggested me to save desktop data and create a new account. I deleted the account and create a new one. I got new desktop and task manager. Unfortunately I had to restore all the link from the program files menu (start menu); they were deleted so I had to create them. System is stable but, such an effort to restore all. It took long time…
    Thanks man for your useful advices!!

  8. This virus backups all the link from the program files menu to %UserProfile%\local settings\temp\SMtmp folder.

  9. Nobody has mentioned the problem of all folders are now “READ ONLY” ….No matter how many times you un-click “read only”, it keeps coming back immediately after you’re done.

Leave a Reply