Do you know what Recovery (1-844-813-5673) is?
We want to inform you about a newly discovered malicious application called Recovery (1-844-813-5673). Our security experts have classified this program as malware and deemed it a fake security alert. Therefore, you must remove this application from your PC as soon as possible to get rid of the false alerts. These alerts are designed to promote 1-844-813-5673, a fake tech support number that will probably charge you premium rate or try to sell you a useless service or application. In short, this malware is all about making money for its developers.
Before we move on to its malicious features, we want to elaborate on its possible distribution methods. Our researchers have received unconfirmed information that Recovery (1-844-813-5673) could be distributed using malicious bundled software installers. These installers are most likely featured on lesser-known, shady software distributing websites. These sites bundle freeware and open-source software with borderline malware and full-fledged malware. Researchers say that the installers have been purposefully configured to install the additional software secretly, so that is how Recovery (1-844-813-5673) can end up on your computer.Recovery (1-844-813-5673) screenshot
Scroll down for full removal instructions
While installing, the installer creates three registry keys. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Divyesh is created to autostart this application once your computer boots up, and the Divyesh string should have value data of C:\Windows\Divyesh\Divyesh or C:\Windows\Divyesh\Divyesh\Divyesh.exe. The other registry keys that are HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIVYESH and HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIVYESH are less important as they are supposed to create a registry in Control Panel to uninstall it. However, the uninstaller does not work, so you have to delete the malicious files manually.
Its main executable called Divyesh.exe can be placed in %WINDIR%\Divyesh\Divyesh, but you can also find it in %TEMP% or the Downloads folder or even on the desktop. In any case, this application is set to run upon infection and launch its Graphical User Interface that looks like a Blue Screen of Death (BSoD) error screen. The fake error claims that “A component of the operating system has expired” and the culprit is designated as winload.efi which is located at windows\system32, but the hard disk on which it is on is not specified. This message suggests that you use recovery tools to fix this problem and if you do not have a disc or USB image of Windows, it suggests that you contact your PC administrator or Device manufacturer by calling 1-844-813-5673.
Now, from the look of things, this malware implies that your PC administrator (which is non-existent) and your Device’s manufacturer use the same phone number. Clearly, the fake alert was not thought through. Researchers say that if you use Windows 10, then you can close this fake alert by pressing Alt+Tab, while other versions of Windows require that you boot up your PC in Safe Mode. Note that Recovery (1-844-813-5673) was configured to kill Task Manager, so you need Safe Mode as it prevents this malware from launching altogether.
As you can see, Recovery (1-844-813-5673) was designed to lock your computer’s screen to prevent you from using it, and it disables Task Manager so that you could not kill Divyesh.exe. Its criminal developers want you to waste your time and money by calling a fake tech support number that will not help you at all. Therefore, we encourage you to take action against this application, particularly as it does not do any lasting damage to your computer and it is relatively easy to remove, just follow our guide presented below.
Boot up your PC in Safe Mode with Networking
- Restart the computer.
- Press and hold the F8 key as your computer restarts.
- On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
Windows 7 and Vista
- Click the Start button click the arrow next to the Shut Down button, and then click Restart.
- Press and hold the F8 key as your computer restarts.
- On the Advanced Boot Options screen, use the arrow keys to highlight the Safe Mode with Networking, and then press Enter.
Windows 8 and 8.1
- Press Win+C keys, and then click Settings.
- Click Power, hold down Shift on your keyboard and click Restart.
- Select Troubleshoot.
- Click Advanced options, and select Startup Settings.
- Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.
- Click the Start button and then the Power button.
- Hold down the Shift key and select Restart.
- In the resulting full-screen menu, select Troubleshoot.
- Select Advanced options and click Startup Settings.
- In the Startup Settings screen, press Restart.
- The PC will reboot and bring you to a Startup Settings screen.
- Select Enable Safe Mode with Networking.
Delete Recovery (1-844-813-5673)
- Press Win+E.
- In the address box, enter C:\Windows\Divyesh\Divyesh
- Find Divyesh.exe, right-click it and click Delete.
- Go to the Downloads folder and desktop and delete Divyesh.exe is found.
- Empty the Recycle Bin.
- Press Win+R.
- Enter regedit and click OK.
- Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Delete Divyesh.
- Then go to HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIVYESH and delete it.
- Finally, go to HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIVYESH and delete it.
In non-techie terms:
Our researchers have concluded that Recovery (1-844-813-5673) is nothing more than a malicious application whose only objective is to compel you to dial the featured tech support number to generate money from selling you useless services or charging you premium rate for the call. Therefore, we recommend that you remove this program from your PC as soon as possible. The guide above does not work, we recommend using SpyHunter as it will make light work of this malware.