9 Replies Latest reply on Sep 13, 2011 7:01 AM by exbrit

    Failure to stop Windows Recovery Virus

      Dear all

       

      Last week one of our PCs was attacked by the Windows Recovery virus.

       

      I was viewing what seemed like an innocuous web site and left my desk which was when the virus seemingly downloaded from the web site onto the PC. When I returned, I was greeted by a 'black screen' asking me to either restart Windows in Safe Mode or the last saved settings.

       

      To cut a long story short, I took out the hard drive (thinking it was a hardware fault) and put it into another computer. It was only after a while that I saw that it was in fact a Windows Recovery virus. It had installed a program asking me to scan and check my PC, had 'hidden' most of my startup and other items and was clearly some kind of Trojan. I had to use another anti-virus program to remove it and all seems OK with the PC now.

       

      My question is why McAfee didn't detect or block this virus from downloading to my PC? We currently run 4 installations of McAfee and I want to be aware of what I can do to prevent this from happening again.

       

      Hope somebody can shed some light on what went wrong.

       

      Many thanks

       

      Message was edited by: markinvention on 12/09/11 07:57:44 CDT
        • 1. Re: Failure to stop Windows Recovery Virus
          exbrit

          You posted under Home Products so have moved this to Malware Discussion > Home User Assistance.  If you are using Enterprise let me know and I will move it again.

           

          There are many fake anti-malware programs that fool just about any antivirus software, believe me.  Hence the need sometimes to use 3rd party tools.

           

          Windows Recovery is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer. Windows Recovery is installed via Trojans that display false error messages and security warnings on the infected computer. These messages will state that there is something wrong with your computer's hard drive and then suggest that you download and install a program that can fix the problem. When you click on one of these alerts, Windows Recovery will automatically be downloaded and installed onto your computer.

           

          Once installed, Windows Recovery will be configured to start automatically when you login to Windows. Once started, it will display numerous error messages when you attempt to launch programs or delete files. Windows Recovery will then prompt you to scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program. When you use the so-called defragment tool it will state that it needs to run in Safe Mode and then show a fake Safe Mode background that pretends to defrag your computer. As this program is a scam do not be scared into purchasing the program when you see its alerts.

           

          There is an excellent removal guide here:  http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery  Scroll down the page, as the first links you see are advertising that supports that website.

           

          McAfee has some tools that may prove useful in these cases, Fake Alert Stinger being one, and there are some 3rd party ones mentioned here: https://community.mcafee.com/docs/DOC-2168

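The reply above describes the persistence behaviour (an entry that starts the program at every logon). The script below is an added example for this thread, not code from McAfee, BleepingComputer or the original poster: it lists the common Windows autostart locations and flags entries whose executable is unsigned or lives under a user-writable folder, which is where this class of fake AV is normally dropped. It assumes Windows PowerShell 5.1 run from an elevated prompt on the affected machine; the key paths and the Winlogon defaults are standard Windows values, and the "suspect" heuristic is the author's own.

```powershell
# Added example (not from the original thread): list the Windows autostart
# locations that a fake-AV program such as Windows Recovery uses to launch at
# logon, and flag entries that point at unsigned binaries or into user-writable
# folders. Assumes Windows PowerShell 5.1, run elevated so the HKLM keys and
# the all-users Startup folder are readable.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Winlogon values that malware sometimes prepends itself to. The stock defaults
# are listed so that any deviation is reported.
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonDefaults = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

function Get-ExecutablePath([string]$commandLine) {
    # Extract the program from a command line such as
    #   "C:\Users\mark\AppData\Roaming\abcd.exe" /s
    # An unquoted path containing spaces falls through and is returned whole.
    if ($commandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($commandLine -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $commandLine.Trim()
}

function New-AutostartRecord([string]$source, [string]$name, [string]$commandLine) {
    $exe = Get-ExecutablePath $commandLine
    $status = 'FileMissing'
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $status = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
    }
    # Heuristic (author's assumption): fake AV is normally dropped under the user
    # profile or ProgramData and is not Authenticode-signed by a trusted publisher.
    $inUserWritable = $exe -match '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
    [pscustomobject]@{
        Source    = $source
        Name      = $name
        Command   = $commandLine
        Signature = $status
        Suspect   = ($inUserWritable -or $status -ne 'Valid')
    }
}

$records = [System.Collections.Generic.List[object]]::new()

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
        $records.Add((New-AutostartRecord $key $prop.Name ([string]$prop.Value)))
    }
}

# Per-user and all-users Startup folders: anything in here runs at logon too.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $path -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $records.Add((New-AutostartRecord $path $_.Name $_.FullName)) }
}

# Winlogon Shell/Userinit should match the defaults exactly (comparison is
# case-insensitive, as PowerShell's -ne is by default).
$winlogon = Get-ItemProperty -Path $winlogonKey
foreach ($valueName in $winlogonDefaults.Keys) {
    $actual = [string]$winlogon.$valueName
    if ($actual -ne $winlogonDefaults[$valueName]) {
        $records.Add([pscustomobject]@{
            Source = $winlogonKey; Name = $valueName; Command = $actual
            Signature = 'n/a'; Suspect = $true
        })
    }
}

$records | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell window and read the `Suspect = True` rows first; a random-looking name pointing into `AppData\Roaming` or `ProgramData` with `Signature = NotSigned` is the typical fake-AV autostart. The script only reports, so nothing is deleted by mistake; remove an entry only after confirming what the file is. It covers the locations named in the reply above, not every autostart mechanism Windows has (services, scheduled tasks, shell extensions), so treat it as a first check rather than a full audit.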
          • 2. Re: Failure to stop Windows Recovery Virus

            Many thanks - as part of our approach to getting rid of the virus we downloaded the programs shown, including MalwareBytes.

             

            I think what I would like to understand is if my current installation of McAfee should have alerted me to a download and blocked it before it had a chance to get into my PC. I was under the impression that if anything tried to download to my PC McAfee would have at least blocked it initially and asked me to confirm the download. I could have seen this was trying to slip under the radar and stopped it at source.

             

            Would the third party tools you mention run OK with McAfee and what would these things do which my current installation doesn't?

             

            Thanks again for your help.

            • 3. Re: Failure to stop Windows Recovery Virus
              exbrit

              The free version of Malwarebytes is the best to use with existing antivirus applications.  The Stinger tools are meant as supplementary tools anyway.  Whilst you can update Malwarebytes free manually, the Stinger tools need to be freshly downloaded each time they are used because they don't have a built-in updater.

               

              McAfee has two ways of warning: SiteAdvisor browser protection, assuming it's installed and assuming the website has been red-flagged, which may not be the case.

              Plus VirusScan detecting the malware, which in the case of these fake 'products' usually fails, as would Norton etc. etc.   They work in a different way, and in order for regular antivirus applications to detect them their heuristic detection would have to be set so high that practically anything would be labelled as possible malware.    Malwarebytes, Fake-Alert Stinger et alia all work differently and are not much good at fighting the millions of regular attacks out in the field that the normal virus scanners detect.

              • 4. Re: Failure to stop Windows Recovery Virus

                Thanks again - I know you can't comment specifically on Malwarebytes, but would a program such as this guard against attacks from things like Windows Recovery, because they work in a different way compared to McAfee, Norton etc?

                 

                It's surprising, given that a lot of these viruses are transmitted in this way, that the mainstream virus software industry is unable to stop the attacks at source, and operates once the virus has been downloaded to the host PC. I was hoping that anything which tries to 'download' to my PC would be queried by an antivirus package - or at least before it tries to 'install' on my hard disc.

                 

                Obviously, having been bitten once I'm trying to ensure I have the best combination of products in operation.

                 

                Thanks again.

                 

                Message was edited by: markinvention on 13/09/11 02:30:39 CDT
                • 5. Re: Failure to stop Windows Recovery Virus
                  exbrit

                  I don't think anything is around that would warn you against these fake anti-malware entries.  They mostly rely on someone clicking on something to activate them.   Malwarebytes is a scanner, not a real-time protector.   Your best defence is to always keep Windows totally up to date, including optional updates and especially updates for Internet Explorer even if you don't use it.   Also keep Windows Defender active...it updates automatically if switched on.   Last of all, just be very careful what you click on, download or file share.   Use good spam filters on your mail and use SiteAdvisor in your browsers and perhaps other similar extensions such as WOT etc. to give first warnings and a second opinion about websites.

                   

                  Message was edited by: Ex_Brit on 13/09/11 3:42:17 EDT AM
                  • 6. Re: Failure to stop Windows Recovery Virus

                    Very useful advice.

                     

                    I want to retain McAfee as our main antivirus program - we have a number of computers running it - and I want to ensure there are no clashes between McAfee and Malwarebytes. We have enabled the 'Protection' and web site blocking module of Malwarebytes and just want to be sure this won't clash. Can you tell me if this would be OK with McAfee and any other known issues with running the two programs together? I have turned off the 'start with Windows' option on MB.

                     

                    Many thanks

                    • 7. Re: Failure to stop Windows Recovery Virus
                      SamSwift

                      Hi Mark,

                       

                      Moving this to Top Threats as it's Fake AV related. There are some blogs in this section which might be of interest to you as well.

                       

                      Which McAfee product(s) have you purchased/installed?

                       

                      If you have two on-access scanners running on a machine it can cause instability issues as the two scanners can end up fighting over the same file - that's the main 'gotcha' I can think of.

                       

                      HTH

                       

                      Sam

                      • 8. Re: Failure to stop Windows Recovery Virus

                        Thanks Sam

                         

                        We've got Anti Virus Plus with real-time scanning and firewall 'on'.

                         

                        In Malwarebytes I've got 'start file execution blocking when protection module starts' and 'start malicious web site blocking when module starts'.

                         

                        Would you suggest I turn this off or can it run happily with McAfee?

                         

                        Regards

                         

                        Mark

                        • 9. Re: Failure to stop Windows Recovery Virus
                          exbrit

                          Then this isn't the free version of Malwarebytes? I only recommend the free version.  I wouldn't run active protection on it too as that could feasibly clash with McAfee.

                           

                          I guess you will just have to try it and see what transpires.

                           

                          You could ask that question also in their forums:  http://forums.malwarebytes.org//

                           

                          Message was edited by: Ex_Brit on 13/09/11 8:01:29 EDT AM