Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Remove Windows Recovery

  • Please log in to reply
1 reply to this topic

#1 teamvaal


  • Members
  • 2 posts
  • Local time:10:32 AM

Posted 29 May 2011 - 04:52 PM

Questions about http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery


Ive tried doing the process (however before I found/followed your process, I removed the infected hard drive and ran scans via usb to sata from a known safe computer using malwarebytes, superanti spyware and kaspersky). I am still booting up to a BSOD in safe or regular mode. I can fix this temporarily by using fdisk /mbr. After booting to dos and running that command I can then boot safely into windows. However upon boot up I get a Windows has found a new device, installs drivers and asks to reboot.

Ive run Rkill, Malwarebytes, TDSSKiller (Kasperskys rootkit exe), and unhide.exe. But upon reboot I get BSOD. I can then reboot again with my DOS utility CD and fdisk /mbr. At that point I can reboot again and get into windows. But still get the found new device, driver install. I think thats the problem, I read thats how rootkits work by installing themselves as device drivers...

Currently Im running my scans again in Safe mode, but I dont see this working as Ive already run scans on the infected drive connected via USB on a safe and secured PC.

So my questions:

1. The following are listed on the above referenced website. What the page doesnt say is how to correct these entries. Several of them still remain in my registry. Do I remove them? Or adjust them? For example the low risk file types entry exists on my infected PC. Do I delete the entry?
Associated Windows Recovery Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = 0'

2. Any other suggestions would be welcome (I have ghost images of the drive from about a month ago, also backup copies of the registry. Im resisting doing this because they are missing something important, a license I installed for important software I use.. It would be a pain in the rear to redo the license process). That said Im willing to be pretty agressive because worst case scenario I do have images and backups.

3. Im concerned about this virus infecting other computers on my home and work network. Especially the PCs I used to scan the infected drive via USB to SATA connector.

Edited by teamvaal, 29 May 2011 - 05:43 PM.

BC AdBot (Login to Remove)


#2 teamvaal

  • Topic Starter

  • Members
  • 2 posts
  • Local time:10:32 AM

Posted 30 May 2011 - 06:12 PM

Went ahead and restored from backup images. Just wanted to let you know before you got on the case : )

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users