How to fix "Windows XP Recovery" Malware
We have been seeing a lot of infected computers this week that have variants of the Windows Recovery malware. The various antivirus programs out there don't seem to be catching it, and while antispyware programs such as Malwarebytes and Spybot will find and remove the malware, the infected computer is left with all files hidden on the desktop and the C:\ drive, as well as no shortcuts on the start menu. There is a bit of cleanup that needs to be done manually in order to restore the computer to its previous state, but fortunately it's relatively easy.
First off, we need to gain access to the internet in order to download the tools we need. Unfortunately, without your desktop shortcuts or the start menu this can appear difficult. The first thing to do is check the quick launch area next to the start button for a shortcut to your browser. If there isn't one there, go to "Start", then "Run", and type in "iexplore.exe". This should bring up Internet Explorer.
The next step is to kill the malware process. There is a utility called "RKILL" which you can download from http://www.bleepingcomputer.com/download/anti-virus/rkill . RKILL will stop the malware from running until the next time you reboot, and will allow you to download and run Malwarebytes.
After you have disabled the malware, it is time to remove it. Download, UPDATE, and run Malwarebytes from http://www.malwarebytes.org . Perform a quick scan, then remove the items it finds. A reboot will be required when it finishes.
After the reboot, you will find you still have no files or start menu shortcuts. Don't fear: the files are there, but they are hidden. The start menu shortcuts have been moved, but they can be copied back. The first thing you need to do is change your Windows Explorer view to show hidden and system files. You should now see your files again, but they are still hidden and will appear slightly greyed. You could try changing the attributes manually on all your files, but there is a utility called "unhide.exe" that will do this for you and makes the job much easier. Download and run Unhide.exe, but disregard the message at the end about re-running it without antivirus to bring back the shortcuts; that is the next step. Unhide.exe is available at: http://download.bleepingcomputer.com/grinler/unhide.exe
To fix the last piece of this puzzle, we need to get the start menu shortcuts back. Open Windows Explorer and look for the following folder: %userprofile%\local settings\temp\SMTMP You will notice there are a couple of folders in here. The folder named "1" corresponds to the start menu, "2" is the quick launch, and "4" appears to be the desktop. Quick launch and desktop shortcuts don't get affected though, so all we need is the "1" folder. For XP, copy the contents of "1" into C:\Documents and Settings\All Users\Start menu For Windows 7 machines, copy the contents of "1" into C:\ProgramData\Microsoft\Windows\Start Menu
Finally, check the desktop for an "XP Restore" shortcut and delete it. Also remove the "Windows XP Restore" folder and its 2 shortcuts from the start menu.
Now your computer should look like it did before it got infected. If you are unable to change your wallpaper or run Task Manager, download, install, update and run Spybot. This should reverse the local policies that were installed to block these items. You will also want to perform a full scan with Malwarebytes and your antivirus software at this point to catch anything else that may be lurking on your system.
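The manual cleanup steps above (unhide the files, copy the SMTMP\1 folder back into the All Users Start Menu, undo the Task Manager and wallpaper policies) scripted together as an added example; this is not the post's own code nor part of RKILL, Malwarebytes, Unhide.exe or Spybot. It assumes PowerShell 2.0 or later is installed, the XP paths the post gives (the Windows 7 Start Menu path is noted in a comment), and that the malware used the standard per-user DisableTaskMgr and NoChangingWallPaper policy values, which is an assumption on my part.

```powershell
# Added example, not the original post's code. Uses the XP paths from the post;
# on Windows 7 point $Target at C:\ProgramData\Microsoft\Windows\Start Menu.
$ErrorActionPreference = 'Stop'

# Clears the Hidden and System attributes the malware set on user files.
# Limited to user data folders so genuine OS files under C:\ are left alone.
function Restore-UserFiles {
    param([string[]]$Roots = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\My Documents",
                               'C:\Documents and Settings\All Users\Desktop'))
    $mask  = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
    $fixed = 0
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -ne 'desktop.ini' -and ([int]$_.Attributes -band $mask) } |
          ForEach-Object {
              $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $mask))
              $fixed++
          }
    }
    return $fixed
}

# Copies the stashed Start Menu (SMTMP\1) back to the All Users Start Menu.
function Restore-StartMenu {
    param([string]$Stash  = "$env:USERPROFILE\Local Settings\Temp\SMTMP\1",
          [string]$Target = 'C:\Documents and Settings\All Users\Start Menu')
    if (-not (Test-Path -LiteralPath $Stash)) { Write-Warning "No SMTMP stash at $Stash"; return 0 }
    $shortcuts = @(Get-ChildItem -LiteralPath $Stash -Recurse -Force | Where-Object { -not $_.PSIsContainer })
    Copy-Item -Path "$Stash\*" -Destination $Target -Recurse -Force
    return $shortcuts.Count
}

# Removes the per-user policy values that block Task Manager and wallpaper changes
# (assumed to be what the post means by "local policies"). Only deletes values that exist.
function Remove-MalwarePolicies {
    $policies = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
    )
    foreach ($p in $policies) {
        $item = if (Test-Path $p.Key) { Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue }
        if ($item) { Remove-ItemProperty -Path $p.Key -Name $p.Name; Write-Output "Removed policy $($p.Name)" }
    }
}

Write-Output ("Unhid {0} item(s)" -f (Restore-UserFiles))
Write-Output ("Restored {0} Start Menu shortcut(s)" -f (Restore-StartMenu))
Remove-MalwarePolicies
```

Run it from an elevated PowerShell after RKILL and Malwarebytes have done their part; a policy change may only take effect after logging off and back on.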

11 comment(s)
Comments
Anonymous
THANK YOU!!!
I am a busy mom of three. I lost all of my pictures to this horrible virus. I was able to follow your instructions and find my photos. I have limited computer experience, missing 8 keys on my keyboard and I don't even have a functional word processing program. You saved my family a lot of money with your easy to follow instructions. Thank you so much for taking the time to post this.
Veterinary technician
re:appreciation
I have been surfing online more than 3 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the net will be much more useful than ever before.
eavedrop44
It’s pretty worth enough for
It’s pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the net will be much more useful than ever before.gemini tiles
Anonymous
medical assistant schools
Thank you for an excellent publish along with a great blog too. Sometimes you can easily get off track so with lists such as this it's simpler to help keep on the right track and discover how to pay attention to one (or perhaps a couple of) things at that time.
techgeekdad
Needed to know how to restore shortcuts
I have already done battle with the Windows 7 variant of this virus and found that Windows 7 had a nice feature that allowed to you restore to previous versions of shortcuts.
XP doesn't have this same feature, and when a coworker's system got infected I already had in the back of my mind that I would have the issue of recovering the shortcuts. I'm glad I found your article because so far it's the only one out there on this virus that I've found that discusses how to restore the shortcuts.
I've gone ahead and written my own article on it at http://techgeekdad.com/2011/06/how-to-remove-windows-xp-recovery-virus/
I'm including a link back to your blog as the source of that part of my article. Also, if you read my article you'll see that the machine I was working on also got hit by the Google redirect virus as well. I don't know if you have an article related to that yet, and I'm not sure if the PC got infected with both viruses at the same time or if one helped add the other. Anyway, fighting the Google redirect virus was a lot of fun and I found tons of articles out there that talked about how to kill it, and most of them didn't work out, so I think the virus has gotten smarter. Fortunately I did find one solution that finally worked.
Conference Venues London
Windows XP
This is a fantastic website and I cannot recommend you guys enough. Full of useful resources and a great layout, very easy on the eyes. Please do keep up this great work.
Clare
Thank you!
Thank you so much for writing this article, Brian.
I picked up a "System Fix" malware on Friday and have spent 5 days trying to get it sorted.
Went through most of the malware / AV tools around and finally got rid of the programme, but was left unable to access any of my data.
Followed your suggestions (which worked on Vista) and I have my data back.
Woo hooo!!!!
Am now running a full back-up and sending gratitude to everyone who helped create the solutions to this one.
Wishing you sunshine and laughter,
Clare
best file recovery
Great report! I agree with
Great report! I agree with the author's opinion.
Info deletion scenario is generally a headache for the person.
To be able to resolve this challenge, the specialists have proposed a lot of data recovery solutions.
If there is a deletion of data condition, an end user should have a preliminary understanding of appropriate info restoration application.
Anonymous
thanks
Just wanted to say you rock! Many thanks.