One of our client’s users picked up this lovely nasty:
Note the lack of Task Manager button in the above or below screenshots.
- WindowsRecovery Malware
Now, we went to this site to download Malwarebytes (MB) and its definition updates:
Once we downloaded the two we dropped them onto a USB flash drive and plugged it into the infected machine.
When we managed to navigate to the USB flash drive, the MB installer was missing?!? We ended up needing to reveal hidden files in Windows Explorer, as WindowsRecovery had managed to set the hidden attribute on the MB install file!
Okay, we have MB and its update installed. We were able to use Start -> Run to launch the mbam.exe file (the infected machine runs Windows XP SP3), but it would not update.
Once we started the MB scan and it began to pick up the infected files the malware rebooted the machine.
When we slaved up the infected machine’s hardware Microsoft Security Essentials picked up one infected file while MB found a few more. We dropped the drive back into the machine and WindowsRecovery was still there. :(
Do a Bing search for Remove WindowsRecovery and the following happens:
If we can’t get the machine clean using the “traditional” product in Malwarebytes then it is looking like the only option for us is to wipe and reload. There is no way we are going to trust many if not all of the sites that are in the results above. Especially all of the ones offering a “free removal tool”.
If this is a sign of the way things are going with malware infections we are going to stop wasting both our client’s time and ours and advise that we would image the machine, wipe it, and then reload it.
Now, here we are a little later on and what do we find but:
After reading through the above instructions, we will still recommend a wipe and reload. Our policy is to make this recommendation whenever a Trojan or Rootkit are involved. Once a system is owned in this manner there is virtually no way to guarantee ownership after “cleaning”.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book