Start Menu Categories Empty after Windows Recovery Malware



#1 wolfchaseah


Posted 23 May 2011 - 12:33 PM

I am having the same problem as mentioned in another topic - got the Windows Recovery malware, ran MalwareBytes and removed the malware, used unhide.exe to show my files. My icons, start menu, and programs showed back up but all of the category files are empty (ex. Microsoft Office > Empty). I ran unhide.exe several times with my antivirus turned off and still cannot manage to get them back. I saw a post by another user with instructions on how to manually retrieve/unhide them but he was on Windows 7/Vista and I am operating on Windows XP and am not sure how to do the same process.


#2 cryptodan


Posted 09 June 2011 - 01:15 PM

Can you post the logs for Malwarebytes Anti-Malware, and also have you run any temp file cleaner programs?

#3 wolfchaseah


Posted 16 June 2011 - 10:43 AM

Below is the log for Malwarebytes and I do not believe I have run any temp file cleaners.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6610

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 3:00:11 PM
mbam-log-2011-05-18 (15-00-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 229700
Time elapsed: 41 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
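
For triage, a log in the layout posted above can be reduced to structured records that show which policy values the malware flipped. This is an added example, not part of the original thread and not Malwarebytes' own tooling; the function names and regular expressions are assumptions based only on the log layout visible in this post.

```python
import re

# Sample lines trimmed from the Malwarebytes 1.50 log posted above.
SAMPLE_LOG = r"""Registry Keys Infected: 1
Registry Data Items Infected: 4

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# A detail section header ends at the colon; the summary counters carry a number after it.
SECTION = re.compile(r"^(?P<name>[A-Z][A-Za-z ]+) Infected:\s*$")
# "<path> (<detection name>) -> [Bad: (x) Good: (y) -> ]<action>."
DETECTION = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits under."""
    section, findings = None, []
    for line in text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        hit = DETECTION.match(line) if section else None
        if hit:
            findings.append({"section": section, **hit.groupdict()})
    return findings

def policy_changes(findings):
    """(hive, value name, detection) for data items whose value was not the default."""
    out = []
    for f in findings:
        if f["section"] == "Registry Data Items" and f["bad"] != f["good"]:
            key, _, value = f["path"].rpartition("\\")
            out.append((key.split("\\", 1)[0], value, f["name"]))
    return out
```
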

#4 cryptodan


Posted 16 June 2011 - 11:08 AM

Note this program should only be used to restore files and programs that appear to have been removed by a certain family of Malicious Software known as Windows Recovery. Under no circumstances should this be used for any other purpose. It is not a program or file recovery program.

If you have been infected with a Windows Recovery Virus please download UnHide and let it do its thing.

However, if you have run any temporary file cleaner programs like CCleaner, Automatic Temp File cleaners, or others then this program will not work for you. This program takes what is copied from the respective directories by the malware and puts it back into its original place.

#5 wolfchaseah


Posted 18 July 2011 - 01:44 PM

Thank you, thank you, thank you! That restored everything. I ran unhide like three times after it first happened, but it just didn't work.



