Windows System Recovery


8 replies to this topic

#1 tonkinl


Posted 05 July 2011 - 04:04 AM

Hi there,

I've just been infected with Windows System Recovery. I realised something was up, as I'd been infected with Windows Vista Security not that long ago and didn't buy the program. I used this site previously and my computer was completely recovered, so I ran the same steps again, i.e. RKill and then Malwarebytes, and then panicked when, after running Malwarebytes for 2 hours, I restarted my computer to find all my files missing.

However, I came back to this site and found the specific info on this version of the virus and ran the various programs to unhide my programs, which were successful. However, I still can't get my Start menu and Desktop back to normal.

I've been reading the thread on Windows 7 Recovery and the really helpful posts by Broni, which did help me get my Quickstart Taskbar back, but I just can't seem to get the Desktop or Start menu back to normal. I've tried using the take ownership program, which has not worked. I have also tried the Command prompt stuff recommended in post #21, and some files appeared to be copied for the Desktop, but when I restarted the computer, they were still not there.

I'm running Windows Vista Home Premium. I was also running McAfee VirusPlus at the time of both infections, which was obviously completely useless. I've since removed it and at the moment am running Windows Security Essentials as a temp solution. As well as help with the Start menu and Desktop, I would really appreciate any other advice on protecting my computer.

Thanks in advance


#2 boopme

  • Global Moderator

Posted 05 July 2011 - 02:38 PM

Hello, please try this UnHide

Do not run a Registry or Temp file cleaner.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 tonkinl

  • Topic Starter


Posted 05 July 2011 - 05:52 PM

Hi there

Thanks for the reply, I had already run this and it brought back my files such as pictures and word files etc. I have run it again just to be sure and this time I get the following error dialogue box...

Windows Script Host

Can't find script engine "VBScript" for script "C:\Users\Lucy\AppData\Local\Temp\info.vbs".



NB: I tried to do a print screen to take a shot and it didn't seem to work.

Cheers
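What the "unhide" step actually does, shown as an added PowerShell example (this is not the UnHide tool boopme linked and not code from anyone in this thread): it clears the Hidden attribute that this family of rogue "security" programs sets on the user's own files and on both Start Menu folders, and writes a list of what it touched. The folder list and the log file name are assumptions; items that are also marked System (e.g. desktop.ini) are deliberately left alone.

```powershell
# Added example, not the UnHide tool from the thread. Clears the Hidden attribute
# on items under the user's own folders and the Start Menu folders.
# Run as the affected user; -DryRun only lists what would change.
param([switch]$DryRun)

$sf = [Environment+SpecialFolder]
$roots = @(
    [Environment]::GetFolderPath($sf::Desktop),
    [Environment]::GetFolderPath($sf::MyDocuments),
    [Environment]::GetFolderPath($sf::MyPictures),
    [Environment]::GetFolderPath($sf::MyMusic),
    [Environment]::GetFolderPath($sf::Favorites),
    [Environment]::GetFolderPath($sf::StartMenu),             # per-user Start Menu
    [Environment]::GetFolderPath($sf::CommonStartMenu),       # All Users Start Menu
    [Environment]::GetFolderPath($sf::CommonDesktopDirectory),
    (Join-Path $env:USERPROFILE 'Downloads')                  # assumed location
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

$hidden  = [IO.FileAttributes]::Hidden
$system  = [IO.FileAttributes]::System
$changed = @()

foreach ($root in $roots) {
    # -Force is required, otherwise Get-ChildItem silently skips hidden items.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Only items the rogue could have touched: Hidden but not System.
            # System+Hidden entries (desktop.ini, junction points) are left alone.
            ($_.Attributes -band $hidden) -and -not ($_.Attributes -band $system)
        } |
        ForEach-Object {
            $changed += $_.FullName
            if (-not $DryRun) {
                # Flip off only the Hidden bit; ReadOnly, Archive etc. stay as they are.
                $_.Attributes = $_.Attributes -bxor $hidden
            }
        }
}

# Write the list to the Desktop so it can be pasted into a reply.
$log = Join-Path ([Environment]::GetFolderPath($sf::Desktop)) 'unhide-log.txt'
$changed | Set-Content -LiteralPath $log
"{0} hidden item(s) {1}; list written to {2}" -f $changed.Count,
    $(if ($DryRun) { 'found' } else { 'unhidden' }), $log
```

Run it once with -DryRun first and read the list; anything under AppData is intentionally not included, because many items there are hidden by design.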

#4 boopme

  • Global Moderator

Posted 05 July 2011 - 07:50 PM

Download Win32kDiag.exe from any of the following links to your desktop:

http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Edited by boopme, 05 July 2011 - 07:52 PM.


#5 tonkinl

  • Topic Starter


Posted 06 July 2011 - 04:31 AM

I've run the program; it's finished, but nothing much seems to have happened?

#6 boopme

  • Global Moderator

Posted 06 July 2011 - 09:07 AM

I'm sorry, I erased the log section.

A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

#7 tonkinl

  • Topic Starter


Posted 06 July 2011 - 11:34 AM

Ah, no worries, here is the log...

Running from: C:\Users\Lucy\Desktop\Win32kDiag.exe
Log file at : C:\Users\Lucy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2011-07-06 08:54:20 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2011-07-06 08:54:12 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2011-07-06 08:54:12 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2011-07-06 08:54:12 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
[1] 2011-07-06 08:55:08 3368 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl ()

Finished!

#8 tonkinl

  • Topic Starter


Posted 17 July 2011 - 04:19 AM

Hello

It's been over a week now, and I've had no response after posting this log. Please can someone get back to me?

Cheers
lucy

#9 boopme

  • Global Moderator

Posted 17 July 2011 - 03:46 PM

Hi Lucy, sorry I did not get the notification. It appears you may have an MBR rootkit. This requires either a reformat and reinstall, or you need to move to the Malware Removal section.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.
