File recovery virus

  • This topic is locked
2 replies to this topic

#1 objex


  • Members
  • 1 posts
  • Local time:05:53 PM

Posted 11 October 2012 - 11:06 AM

I somehow got the file recovery virus. Not even sure how. I ran rkill which did not find anything. I renamed the .exe programs to 123.exe to stop the program from running and of course ran rkill and malwarebytes. They still say they find nothing. I performed attrib -h /s / which got me back all my hidden files. My start menu still did not have anything in terms of admin tools-control panel etc. I then looked at the properties and reselected see control panel as a menu and everything came back. I am not convinced that this virus has been removed. I also ran combofix and have a log for that which I will attach as well. According to the preparation guide I have 64bit and should not run the Gmer log so I have not. Please let me know if there is anything else you need me to do.


#2 thisisu


  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA
  • Local time:06:53 PM

Posted 13 October 2012 - 10:52 AM

Hello objex :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

Let's begin:
From Programs and Features (via Control Panel), please uninstall the below:
  • Java™ 6 Update 26


Please download RogueKiller to your desktop.
  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run. Right-click winlogon.exe and select "Run as administrator"
  • When it opens, press the Scan button
  • When the scan is finished, press the Delete button.
  • When deleting is finished, press the Fix Shortcuts button
  • Post the contents of the latest 2 RKReports in your next message.


Now download unhide.exe to your desktop.
  • Now run unhide.exe by right-mouse clicking it and selecting Run as administrator
  • Be patient as the tool runs.
  • Attach the unhide.txt file on your desktop.


Update Malwarebytes and post the contents of the latest log even if no threats are found.


Please download and run TDSSKiller
  • VERY IMPORTANT: In the event that threats are detected, allow TDSSKiller to perform the default action by simply pressing the Continue button.
  • Do NOT change the default action on your own unless instructed by a malware helper! Doing so may render your computer unbootable.
  • If threats were detected, TDSSKiller will require a reboot in order to attempt to clean the system.
  • After the scan is complete, you can find the TDSSKiller log at the root of your C: drive.
    • Example: C:\TDSSKiller.
  • Post the contents of this log in your next message.


Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Very important that you run the tool in this manner:
    Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.


Please download OTL.

  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Posted Image text-field.
    %windir%\system32\drivers\*.sys /lockedfiles
  • Now click the Posted Image button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review but attach Extras.txt

#3 thisisu


  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA
  • Local time:06:53 PM

Posted 15 October 2012 - 09:39 AM

Due to the lack of feedback, this topic will be closed.

If you need the topic re-opened, private message me or any moderator to re-open the thread.
