Windows Vista Recovery Virus


4 replies to this topic

#1 penguincurious


Posted 31 May 2011 - 03:18 PM

Hi,

Another poor fool struck down with the Windows Vista Recovery virus!

I've tried following the guide at http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery but the virus won't allow me to run rkill at all. I've tried the renamed versions, but it seems to recognize it as rkill and deletes it. Additionally, whenever the mouse is over the desktop there is a constant busy icon preventing me from running anything there. Any help urgently requested!


Thanks!



#2 Goibniu


Posted 31 May 2011 - 05:04 PM

A few questions that might give us some more information:

What operating system are you running (XP, Vista, 7)? If Vista or 7, is it 32 or 64 bit? (Right-click on My Computer and left-click on Properties to find out.)

Did you try to run the programs in normal mode or safe mode? (F8 before Windows starts to boot)

Try downloading the programs recommended for cleanup, then booting to safe mode and try running them from there.

#3 penguincurious


Posted 31 May 2011 - 05:16 PM

I'm running Vista 32 (home edition).

Have tried the programs in normal, safe mode and safe mode with networking.

Just an update: I have managed to install Malwarebytes - the virus kept telling me it couldn't be installed, even running a dialog box saying 'rolling back to previous setup' then deleting the installer icon from the desktop. However, when I navigated to 'program files\malwarebytes' the program was there! I am now running Malwarebytes to see what it comes up with and will post an update once done.

This is a tricky little beggar!

#4 penguincurious


Posted 01 June 2011 - 05:03 AM

Ok, m-bam seems to have removed the virus, and unhide has restored the hidden files. Start Menu is displaying all the folders in the program list but each folder is empty. Unhide has removed the hidden files, but certain folders, for example C:\Program Data\Start Menu, are still hidden, and when I check permissions, there are 3: 'everyone', 'administrator' and 'all users'; these are all set to have no permissions. If I try to change this I'm told 'access is denied'. Any ideas?

#5 Goibniu


Posted 01 June 2011 - 11:37 AM

2 possible ways to fix this. One requires system restore to be on and have a restore point from before the infection. For the other you can't have emptied your temp files since the infection messed with your start menu.

There are 2 locations of start menu type of shortcuts:
Applications installed for all users: %Program Data%\Microsoft\Windows\Start Menu
Applications installed just for your user: %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs


1: In some cases the shortcuts are just moved to the temp folder.
%UserProfile%\AppData\Local\Temp\smtmp\1 – these were the missing %Program Data%\Microsoft\Windows\Start Menu items.
%UserProfile%\AppData\Local\Temp\smtmp\4 – these were the missing %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

You may also want to check out the 2 and 3 folders; I am not sure what links are in there but you may want them too.


2: Go to the various start menu locations. There should be the Programs folder. Right click and go to Properties. Go to the Previous Versions tab. Wait for previous versions to load in window. Click on a version before the virus. Open the folder to verify that the shortcuts are there, then click on Restore and most of the programs will be back in the Start Menu.


Let me know how this does. I think that the first one has the best chance of success but the other may work too.

Corrected for Windows 7 start menu and temp file paths. Accidentally put the XP ones in the first time.

Edited by Goibniu, 01 June 2011 - 11:43 AM.
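
The first method in post #5, as an added example that is not part of the original thread: a PowerShell function that lists what is in the smtmp folders and copies the contents of folders 1 and 4 back to the locations named in the post, without overwriting anything already there. It assumes PowerShell 2.0 or later is installed and that the all-users location sits under the `ProgramData` environment variable; the function name `Restore-SmtmpShortcuts` is hypothetical.

```powershell
# Added example (not from the thread). Folder mapping for 1 and 4 is taken
# from the post; 2 and 3 are only listed because their destination is unknown.
function Restore-SmtmpShortcuts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SmtmpRoot = (Join-Path $env:USERPROFILE 'AppData\Local\Temp\smtmp')
    )
    if (-not (Test-Path -LiteralPath $SmtmpRoot)) {
        Write-Warning "No smtmp folder at $SmtmpRoot; the temp files may have been emptied."
        return
    }
    $SmtmpRoot = (Resolve-Path -LiteralPath $SmtmpRoot).ProviderPath

    # Assumption: %ProgramData% and %APPDATA% resolve to the paths in the post.
    $map = @{
        '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
        '4' = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'
    }
    foreach ($name in '1', '2', '3', '4') {
        $src = Join-Path $SmtmpRoot $name
        if (-not (Test-Path -LiteralPath $src)) { continue }
        # -Force also returns hidden items; keep files only (PowerShell 2.0 syntax)
        $files = @(Get-ChildItem -LiteralPath $src -Recurse -Force |
                   Where-Object { -not $_.PSIsContainer })
        if (-not $map.ContainsKey($name)) {
            Write-Host "smtmp\$name : $($files.Count) file(s), listed only"
            $files | ForEach-Object { Write-Host "    $($_.FullName)" }
            continue
        }
        foreach ($f in $files) {
            $relative = $f.FullName.Substring($src.Length).TrimStart('\')
            $target = Join-Path $map[$name] $relative
            if (Test-Path -LiteralPath $target) { continue }   # never overwrite
            if ($PSCmdlet.ShouldProcess($target, "Copy from $($f.FullName)")) {
                $dir = Split-Path -Parent $target
                if (-not (Test-Path -LiteralPath $dir)) {
                    New-Item -ItemType Directory -Path $dir -Force | Out-Null
                }
                Copy-Item -LiteralPath $f.FullName -Destination $target
            }
        }
    }
}

# Preview only; rerun without -WhatIf to copy.
Restore-SmtmpShortcuts -WhatIf
```

Copying into the all-users Start Menu needs an elevated PowerShell prompt.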




