Windows Recovery Malware

At London Data we have noticed a surge in drive-by downloads of so-called antivirus solutions for Windows 7, Vista and XP. These come in many guises, but the most common appears as a pop-up when you visit a website and then ‘scans’ your PC for malicious software. At this point, if you are vigilant and quick, you can get out of the process by simply clicking the close button on the window – no harm, no foul. However, if you are unfortunate enough to let the scan complete and then attempt to remove the ‘malicious’ items it reports (which are in fact nothing more than made-up names), the rogue software installs itself on your system and all but cripples your computer.

Symptoms vary from preventing any application from running and warning you again and again that your system is infected, to setting all your files to ‘hidden’ so it appears that the non-existent plethora of malware this utility claims to have detected has deleted everything. Whatever it does, its main goal is to panic you into buying the software and therefore handing over your credit or debit card details. Not good news. Even worse, these little nasties seem very adept at bypassing even the most capable virus protection suites: because they do not self-propagate in the way expected of modern malware, they slip through the net of most zero-day threat detection algorithms. Sneaky.

However, these can be removed with a little patience and a lot of cunning, using nothing more than the tools that ship as standard with Microsoft Windows XP, Vista and 7. You may have noticed your operating system installing something called the Malicious Software Removal Tool once a month, and, believe it or not, Microsoft really seems to have hit the nail on the head with this one. Invoked by running the rather comforting ‘mrt’ command from a command prompt, it scans your system much like a normal AV product but, like Mr. T, seems to do so with much more aggression and success.

In short, if you are hit with one of these viruses, the first thing I would recommend trying is a quick boot into Safe Mode: clear your Startup group and add a shortcut to mrt.exe to that folder. Reboot into normal mode and Mr. T will run before the malware, allowing you to get in there and clean it out before it starts denying you access to your programs. If you still find you are stuck, drop us a line at support@london-data.co.uk and one of our experts will be glad to help.
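The Startup-group step above, scripted as an added example (not part of the original post): it assumes Windows PowerShell is available (standard on Windows 7; an optional install on XP and Vista), that you are running it from an elevated prompt in Safe Mode, and that Windows Update has placed the Malicious Software Removal Tool at its usual path of %SystemRoot%\System32\MRT.exe. Existing Startup items are moved to a backup folder rather than deleted, so legitimate entries can be restored once the machine is clean.

```powershell
# Added example: clear both Startup groups and add an MRT.exe shortcut so the
# Malicious Software Removal Tool runs at the next normal-mode logon, ahead of
# anything the rogue 'antivirus' launches from those folders.
$ErrorActionPreference = 'Stop'

$userStartup   = [Environment]::GetFolderPath('Startup')        # per-user Startup group
$commonStartup = [Environment]::GetFolderPath('CommonStartup')  # all-users Startup group (needs admin)
$mrt    = Join-Path $env:SystemRoot 'System32\MRT.exe'          # assumed MRT location (Windows Update default)
$backup = Join-Path $env:USERPROFILE ('StartupBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

if (-not (Test-Path $mrt)) {
    throw "MRT.exe not found at $mrt - run Windows Update to install the Malicious Software Removal Tool first."
}

# Move every Startup item out of the way, keeping per-user and all-users items apart
# and listing each one so a dropped rogue-AV entry can be identified afterwards.
foreach ($group in @{ user = $userStartup; common = $commonStartup }.GetEnumerator()) {
    $dest = Join-Path $backup $group.Key
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Get-ChildItem -Path $group.Value -Force |
        Where-Object { $_.Name -ne 'desktop.ini' } |          # folder metadata, not a startup entry
        ForEach-Object {
            Write-Host ("Moving startup item: {0}" -f $_.FullName)
            Move-Item -Path $_.FullName -Destination $dest
        }
}

# Create the MRT shortcut in the per-user Startup group. MRT needs administrative
# rights, so on Vista/7 expect a UAC prompt at logon before the scan starts.
$shell = New-Object -ComObject WScript.Shell
$link  = $shell.CreateShortcut((Join-Path $userStartup 'Run MRT.lnk'))
$link.TargetPath       = $mrt
$link.WorkingDirectory = Split-Path $mrt
$link.Description      = 'Run the Malicious Software Removal Tool at logon'
$link.Save()

Write-Host "Startup items backed up to $backup; MRT shortcut created in $userStartup. Reboot into normal mode."
```

Once MRT has finished and the system is clean, move the backed-up items back into their folders and delete the MRT shortcut so the scan does not run at every logon.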

Matthew Manning

Maintenance & Projects

part of the family since 2009