Windows XP Recovery is a fake computer optimization and hard disk drive defragmenter software. It blocks legitimate Windows applications, detects fake hard drive problems and displays various fake error messages that the computer’s hard drive is corrupt in order to frighten you into purchasing this useless application. Do not pay for the bogus software! Simply ignore all that it will display you and remove Windows XP Recovery from your computer as quickly as possible!
Windows XP Recovery is promoted and installed itself on your computer without your permission and knowledge through the use of trojans or other malicious software as you do not even notice that. Moreover, the authors of of the fake program may also distribute this malware on social networks (Twitter, My Space, Facebook, etc) and spam emails. Please be careful when opening attachments and downloading files or otherwise you can end up with a rogue program on your PC.
Once installed, Windows XP Recovery will be configured to run automatically when Windows starts. Next, the rogue does a fake scan of your computer then tells you it has found numerous critical errors, e.g. “Read time of hard drive clusters less than 500 ms”, “32% of HDD space is unreadable”, “Bad sectors on hard drive or damaged file allocation table”, etc. It will require you to pay for the fake software before it “repairs” your machine of the problems. Of course, all of these errors are a fake. So, you can safety ignore the false scan results.
In addition to the above-described, while Windows XP Recovery is running, it will block legitimate Windows applications on your computer and won’t let you download anything from the Internet. Last, but not least, the rogue will display numerous fake warnings and nag screens. Some of the warnings are:
System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.
Windows – No Disk
Exception Processing Message 0×0000013
Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.
Of course, all of these warnings are a fake. This is an attempt to make you think your computer in danger. Like false scan results you can safely ignore them.
What is more, Windows XP Recovery hides files and folders on your system drive (disk C by default).
To see all hidden files and folders you need to open Folder options (Windows Vista/7: Organize->”Folder and search options”->View tab; Windows 2000/XP: Tools->Folder Options->View tab). Select “Show hidden files and folders” option and click OK button.
As you can see, obviously, Windows XP Recovery is a scam, which created with only one purpose – to steal your money. Most important, don`t purchase the program! You need as quickly as possible to remove the malicious software. Follow the removal instructions below, which will remove Windows XP Recovery and any other infections you may have on your computer for free.
Automated Removal Instructions for Windows XP Recovery
Step 1. Reboot your computer in Safe mode with networking
It is possible that Windows XP Recovery will not allow you to start the Malwarebytes Anti-malware or another malware remover. Then you will need to reboot your computer in Safe mode with networking.
Restart your computer.
After hearing your computer beep once during startup, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
Instead of Windows loading as normal, Windows Advanced Options menu appears similar to the one below.
Windows Advanced Options menu
When the Windows Advanced Options menu appears, select Safe mode with networking and then press ENTER.
Step 2. Unhide hidden files
Windows XP Recovery hides the folders and files on your system drive (disk C by default). To unhide those files and folders you need to complete this step.
Click Start, Run. Type cmd and press Enter. Command console “black window” opens. Type attrib -h /s /d and press Enter. Close Command console.
Step 3. Remove TDSS trojan-rootkit
Windows XP Recovery may be bundled with TDSS trojan-rootkit, so you should run TDSSKiller to detect and remove this infection.
Download TDSSKiller from here and unzip to your desktop.
Open TDSSKiller folder. Right click to tdsskiller and select rename. Type a new name (123myapp, for example). Press Enter. Double click the TDSSKiller icon. You will see a screen similar to the one below.
TDSSKiller
Click Start Scan button to start scanning Windows registry for TDSS trojan. If it is found, then you will see window similar to the one below.
TDSSKiller – Scan results
Click Continue button to remove TDSS trojan.
Step 4. Remove Windows XP Recovery associated malware
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer for Windows XP Recovery associated malware. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove Windows XP Recovery. MalwareBytes Anti-malware will now remove all of associated Windows XP Recovery files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Windows XP Recovery removal notes
Note 1: if you can not download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won`t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Note 3: your current antispyware and antivirus software let the infection through ? Then you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Windows XP Recovery creates the following files and folders
%UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
%CommonAppData%\[RANDOM]
%CommonAppData%\~[RANDOM]
%UserProfile%\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
%UserProfile%\Desktop\Windows XP Recovery.lnk
%CommonAppData%\[RANDOM].exe
Note: %CommonAppData% is C:\Documents and Settings\All Users\Application Data (for Windows XP/2000) or C:\ProgramData (for Windows 7/Vista)
Windows XP Recovery creates the following registry keys and values
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\USE FORMSUGGEST = Yes
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CERTIFICATEREVOCATION = 0
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONBADCERTRECVING = 0
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONZONECROSSING = 0
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3\1601 = 0
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\STATE = 146944
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%CommonAppData%\[RANDOM].exe
You’ve saved my life!
Many thanks for the info, it does work!
Many thanks.
The process did help, but it did not completely remove all traces (a desktop icon remained shortcutting to a file in “documents and settings/all users/data application” folder, and so did a program entry in the program list). Still – the system did get back to life, which is a great relief.
the tdsskiller won’t open/run. i renamed it and everything. what am i doing incorrectly.
After those steps, I removed the virus but Ill my disc C has gone. I think I lost all my songs, works … any suggestions? I’m freaking out here …
Just what the doctor ordered. And I didn’t have to feed an online vultures to get it done. Thanks a ton.
Eduardo, Windows XP Recovery may hide the folders and files on your system drive. Try repeat the step 2.
thanks, it seemsto have worked.
I’m still missing programs though. But I can find them with the search option.
Thx for the post
My sisters laptop was infected with this malicious software.
I booted into safe mode, used my usb stick with malwarebytes and installed it.
Remove selected items and i placed new virus program on the pc.
Problem solved!
Thx
followed instructions with no success. First when attempted to run attrib -h /s /d each line began with the words “Not resetting system file then file name. Then TDSSKiller did not find the rootkit. Then Mbam would not install. Tried both fix 1 and 2 and still would not install. I had an old version of Malwarebytes’ anti-malware but could not uninstall – would get error message “cannot find ‘utCompiledCode’ record for this version of uninstaller”. last time (4 or 5 tries)I did regular reboot and discovered that the new version of AntiMalware showed to have been installed. Ran it and found 2717 objects. all but 3 were quaranteened by another program. The only one of note was “PUM Hijack.TaskManager in HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVerson\Policies\Systems\DisableTaskManager
Can someone give me further directions please. Thanks in advance.
ehw
Thank you very much for this – I have a few residual problems which I wonder if you can help on.
1. Although I have maanged to unhide my files, various programs are still hidden e.g the folder for Dr Speedtouch is shown as empty which is a pain if my internet connection drops and I need to manually reconnect.
2. Although I’ve manged to unhide my expansion drive F, everything on it is shown as “semi-greyed out” – I can open the files but they’re not clear as they used to be.
Any suggestions? I’ve tried all the fixes listed and I’ve tried opening in the last known good configuration but no luck.
I’ve run through the process twice, but still have no desktop. All files and programs are on the system, but the desktop just does not show it. I can get to them via Start>All Prgrams..
I’ve done the \attrib -h /s /d three times.
Anything else I can do? Thanks!!
Thanks very very much. Your advice is extremely helpful. I have had my notebook cured.
Wouldn’t download at first but then changed name of file and it worked first time, but no files or icons. If anybody knows how to retrieve them then please do share.. 🙂
Stop panicking! Just sussed it. Go into control panel, appearance and themes, Folder Options, click on view tab then activate the ‘show hidden files and folders’ radio button then apply. All mine were restored instantly.Good luck.
No, I did that last week, the program folders remain hidden.
For the greyed out files that shouldn’t be, right click on the file, click on properties, click the general tab, uncheck hidden at the bottom next to attributes
Is it possible this program disabled or remapped my arrow keys? I cannot select between safe mode starting options.
Thanks for such good site and information. I tried both the options but none of them worked. Maybe my version of XP virus was more strong. Hence i googled more and finally came across one page which helped me remove.
If neither of the method works – please download rkill (from other computer and get it via USB) and then proceed. Details below.
bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2011
after two days and several other websites that provided for the most part useless information the tips on this page helped me to finally regain control of my system and return things to normal. The only things other pages showed me to do was how to reenable taskmanager.
If you do not have a desktop, create a new profile. Go to your task manager (if possible) go to file, new task, run(obviously), c:\, that should bring up your c drive. Go to control panel, user accounts, new profile, and create a new profile.