Windows Recovery Fake Analysis and Diagnostic Program.
Like rogue or fake anti-spyware (also known as scamware), this is a fake system analysis/diagnostic program that is installed through malware, infected adverts or websites. It configures itself to start automatically every time the computer boots. It then brings up a "scanner" claiming you are having problems with your computer, such as hardware errors, and asks you to purchase it to fix them. Whatever you do, do not purchase it: the program itself is the real infection and should be removed. While it runs in the background it also pops up various messages. Some of them are shown below:
- Activation Reminder - Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features.
- Critical Error! - A critical error has occurred while indexing data stored on hard drive. System restart required.
- Critical Error! - Damaged hard drive clusters detected. Private data is at risk.
- Critical Error! - Hard Drive not found. Missing hard drive.
- Critical Error! - RAM memory usage is critically high. RAM memory failure.
- Critical Error! - Windows was unable to save all the data for the file \System32\<random Characters>. The data has been lost. This error may be caused by a failure of your computer hardware.
- Critical Error! - Windows can't find hard disk space. Hard drive error
- System Restore! - The system has been restored after a critical error. Data integrity and hard drive integrity verification required.
On top of these error messages popping up and causing annoyance, the program also does more sinister things to make you believe what it says is true. It alters the attributes of your system files and even your program files, adding the +H (hidden) attribute to them so that it looks as if they have been deleted. It also attempts to stop you running programs, throwing up error messages that reinforce the belief that something is wrong with your computer. It may also change your default file associations so that programs no longer run at all.
To remove this piece of malware, follow these instructions:
Note: If at any point you have problems following the steps below, start the computer in Safe Mode by pressing F8 as the computer starts and selecting Safe Mode with Networking from the menu.
Firstly, download and run Rkill. This will kill any rogue processes that are running on the computer. (Do not restart your computer afterwards, as that would allow the rogue program to start again.) If you have problems running Rkill, download a version from the same page that uses a different file extension. Once you have run Rkill, download and install MalwareBytes, update it to the latest definitions and run a full scan. This should remove the Windows Recovery infection.
Removing the +H attribute set by the rogue scamware.
If this infection has hidden your program files, system files and icons, you will need to unhide them again by removing the +H attribute. To do this for your whole disk, do the following:
- Click the Windows or Start button.
- In the Run/Search box type cmd and press Enter.
- A black window with white text will appear. Type the following into it:
- c: then press Enter (just in case you are not already on the correct drive).
- Then type cd \ and press Enter. This takes you to the root of C:. Then type the following:
- attrib -h /s /d
- This may take some time and you will see a lot of text scrolling up the screen. This is the command checking each file and folder for the hidden attribute and removing it where it is set.
- Once it has finished, reboot the computer and check whether your files have come back.
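A PowerShell equivalent of the attrib command above, added here as an example and not part of the original article: it finds every hidden item under a root, leaves items that also carry the System attribute alone (legitimate Windows files such as boot files, pagefile.sys and desktop.ini keep their hidden flag), clears Hidden from the rest and logs each path so you can see exactly what the rogue touched. The $Root parameter, the -Preview switch and the log location are assumptions; save it as a .ps1 file and run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article. Clears the Hidden attribute the
# rogue set on files and folders under $Root, but skips Hidden+System items so
# genuine Windows files stay hidden, and logs every path that was changed.
# Assumption: run from an elevated PowerShell prompt; $Root is the drive to repair.
param(
    [string]$Root = 'C:\',
    [switch]$Preview          # list what would change without touching anything
)

$logPath    = Join-Path $env:USERPROFILE 'unhide-log.txt'   # assumed log location
$hiddenFlag = [int][IO.FileAttributes]::Hidden
$systemFlag = [int][IO.FileAttributes]::System

# -Force is required; without it Get-ChildItem does not return hidden items at all.
$hiddenItems = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $attrs = [int]$_.Attributes
        (($attrs -band $hiddenFlag) -ne 0) -and (($attrs -band $systemFlag) -eq 0)
    }

$changed = 0
foreach ($item in $hiddenItems) {
    if ($Preview) {
        Write-Output "Would unhide: $($item.FullName)"
        continue
    }
    try {
        # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenFlag))
        Add-Content -Path $logPath -Value $item.FullName
        $changed++
    } catch {
        Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)"
    }
}

if (-not $Preview) {
    Write-Output "Cleared Hidden on $changed item(s); paths written to $logPath"
}
```

Run it once with -Preview to review the list before making any changes; the log it writes afterwards doubles as a record of which files the rogue had hidden.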
If you do not feel comfortable with the above method, you can download a program called Unhide from BleepingComputer to do a similar job.
Note: If your computer will not run executable files and instead asks which program you wish to open them with, the virus has altered your .exe file association so that it no longer works. You will need to reset your default file associations (Windows 7).