
Tuesday, April 19, 2011

Windows Recovery, Windows Restore Malware Removal Instructions

Windows Recovery, Windows Restore, Windows SafeMode and Windows Fix Disk are different names for the same rogue application. It disguises itself as an official Windows function/utility and claims that your hard drive has serious problems. To make the claim convincing, the malware sets the "hidden" attribute on the files and folders in your directories: if you open the "My Documents" folder, for example, it appears empty, so you may believe that your hard drive is failing. It also displays an endless stream of fake alerts and pop-ups about hard drive failures, critical hard disk drive errors and other clearly non-existent problems. Windows Recovery, Windows Fix Disk and the other names of this malware have been covered in my previous posts and elsewhere; this post gives an alternative set of removal instructions that will hopefully help you remove such fake applications. Please follow the steps in the removal guide below.





Fake error warnings:
Task Manager has been disabled by your admininstrator.


Critical Error
Hard drive critical error. Run a system diagnostic utility to
check your hard disk drive for errors. Windows can't find hard
disk space. Hard drive error



Removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. attrib acts on the current directory and everything below it, so run it from the folder whose contents have gone missing (when opened from Run, the prompt starts in your user profile folder). Now you should see all your files and folders again. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon on your desktop. Right click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, the Application Data folder is hidden, and the malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the directory that matches your Windows version.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\18542698.exe

Example Windows Vista/7:
C:\ProgramData\18542698.exe

Basically, there will be a couple of ".exe" files named with a series of numbers or letters.



Rename those files to virus1.vir, virus2.vir etc. For example:



It should be: C:\Documents and Settings\All Users\Application Data\virus1.vir

Instead of: C:\Documents and Settings\All Users\Application Data\18542698.exe

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.



6. Download recommended anti-malware software and run a full system scan to remove this virus from your computer.

NOTE: don't forget to update the installed program before scanning.


Associated files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
  • %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Desktop\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
  • %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
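To turn the indicator lists above (the randomly named files dropped under the all-users profile that step 3 has you look for, and the registry values) into something checkable, here is an added Python example that is not part of the original post: suspect_files flags paths matching the dropped-file pattern, deobfuscate shows that the LowRiskFileTypes data as listed decodes under a per-character XOR 1 into a plain extension list (.zip;.rar;.nfo;.txt;.exe;.bat;... .wav;.scr;), and weakened_settings reports which of the listed values switch off a Windows download safeguard. The key and value names are the ones on this page; the sample file listing and registry dictionary are constructed.

```python
import re
# Added example, not from the post: triage helpers built from the indicators it lists.
# SAMPLE_FILES and SAMPLE_REG are constructed inputs, not data from a real machine.
# All-users profile roots where the rogue drops its files (Vista/7 and XP).
ROOTS = (r"c:\programdata", r"c:\documents and settings\all users\application data")
# "[SET OF RANDOM CHARACTERS]": optional "~", 6+ alphanumerics with at least one digit
# (so vendor folders such as "Microsoft" are not flagged), bare or with .exe/.dll/.lic.
RANDOM_NAME = re.compile(r"^~?(?=[0-9a-z]*\d)[0-9a-z]{6,}(?:\.exe|\.dll|\.lic)?$", re.I)

def suspect_files(paths):
    """Return paths that sit directly under an all-users root with a random-looking name."""
    hits = []
    for p in paths:
        low = p.lower()
        for root in ROOTS:
            if low.startswith(root + "\\"):
                leaf = low[len(root) + 1:]
                if "\\" not in leaf and RANDOM_NAME.match(leaf):
                    hits.append(p)
    return hits

def deobfuscate(value):
    """The LowRiskFileTypes data decodes with per-character XOR 1 ('/' -> '.', ':' -> ';')."""
    return "".join(chr(ord(c) ^ 1) for c in value)

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft"
# (key, value name) -> (test on the data, finding). Each value switches off a download
# safeguard, so the rogue's own files open and run without the usual prompts.
CHECKS = {
    (HKCU + r"\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"):
        (lambda d: d == "1", "zone (mark-of-the-web) information no longer saved on downloads"),
    (HKCU + r"\Internet Explorer\Download", "CheckExeSignatures"):
        (lambda d: d.lower() == "no", "IE no longer checks signatures on downloaded programs"),
    (HKCU + r"\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes"):
        (lambda d: ".exe;" in deobfuscate(d) or ".exe;" in d,   # obfuscated or plain form
         "executables listed as low-risk types: no 'Open File - Security Warning' prompt"),
}

def weakened_settings(registry):
    """registry: {(key, value name): data}. Returns [(value name, finding), ...]."""
    return [(name, why) for (key, name), (test, why) in CHECKS.items()
            if (key, name) in registry and test(registry[(key, name)])]

SAMPLE_FILES = [r"C:\ProgramData\18542698.exe", r"C:\ProgramData\~18542698",
                r"C:\ProgramData\18542698.lic", r"C:\ProgramData\Adobe\cache.dat",
                r"C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini"]
SAMPLE_REG = {(HKCU + r"\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"): "1",
              (HKCU + r"\Internet Explorer\Download", "CheckExeSignatures"): "no",
              (HKCU + r"\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes"):
              "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"}
```

On a real machine you would feed suspect_files a directory listing of the ProgramData or Application Data root and weakened_settings the values read from HKEY_CURRENT_USER; any finding from either is a reason to go back over steps 3 to 6 and to restore the registry values to their defaults.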

16 comments:

Anonymous said...

THANKKKKKKKKKKK YOU !!!

Anonymous said...

thanks

Anonymous said...

Except none of this restores your program links under All Program Files. The folders will be there, but they will be empty, and Quick Launch is gone as well. I have run unhide, malwarebytes, superantispyware, hijack this, spybot, ccleaner, tdsskiller, unhid hidden and os files, and nothing brings back program files and quick launch icons.

Anonymous said...

Yes, I did all this and still cannot access many of my previous programs. I also note that certain folders have a padlock and I cannot do anything with them. HELP!!!!

Ruth said...

I'm not sure what I am doing wrong. I can't get past step 1. When I enter the attrib etc. nothing happens. Please help!

Ruth

Anonymous said...

Can we delete the files we renamed "virus.vir" and such? I ask this because tdsskiller found nothing for me after I scanned.

Admin said...

Yes, you can.

olibear said...

the solution to this is to go to your computer, go to your hard drive (c:) and select the folders [c:\program files (x86)] and right click on them.. then properties>security (tab)..select the user names u want click on "to change permissions,click" [edit].. then on the new screen that pops up, select full control..do this for every person u want getting access to those files, grandma account, brother, admin ..what ever... also you might want to do this for c:\program files and to get all your programs back in the [start] bar go to c:\programdata and look for the folder named startup... do the same as described above.

Maria said...

On step two, I can't find the desktop icon. Where do I go or do? Thanks.

Anonymous said...

Hey there, this is a fantastic set of instructions. Do I delete the associated files and registry values? Thanks!

Anonymous said...

These sound like great instructions, but several of my folders including Documents & Settings is locked and I'm not able to bypass that by changing the settings or permissions. Now what do I do?

azc said...

This malware moves all shortcuts from the All Users profile Desktop, Start Menu and Quicklaunch folders.

I was able to find where it had moved them to by searching for calculator.lnk

It was somewhere in the Application Data folder. It had created subfolders called 1, 2, and 4 and each of those folders contained the shortcuts for one of the locations they had been moved from.

ITGuy said...

This worked and had something to add to it.
Olibear-
the solution to this is to go to your computer, go to your hard drive (c:) and select the folders [c:\program files (x86)] and right click on them.. then properties>security (tab)..select the user names u want click on "to change permissions,click" [edit].. then on the new screen that pops up, select full control..do this for every person u want getting access to those files, grandma account, brother, admin ..what ever... also you might want to do this for c:\program files and to get all your programs back in the [start] bar go to c:\programdata and look for the folder named startup... do the same as described above.

Me-
I had to take ownership of the folders and files to be able to give them full permissions and apply to all sub folders.

Then:
azc-

This malware moves all shortcuts from the All Users profile Desktop, Start Menu and Quicklaunch folders.

I was able to find where it had moved them to by searching for calculator.lnk

It was somewhere in the Application Data folder. It had created subfolders called 1, 2, and 4 and each of those folders contained the shortcuts for one of the locations they had been moved from.

This all together cleared it up. What a PIA malware. At least I know now since I clean up several of these a day sometimes. It's one thing to infect computers but this is just uncalled for by these jerks.

Anonymous said...

Holy cow, it worked! I've literally spent DAYS trying to get the programs back. Thank you thank you thank you!!!

Beth in AZ

Anonymous said...

It's not working. I've renamed the files as advised. Restarted computer and it's popped up again. I did the system scan anyways with malware bytes. And it's not getting rid of it... Please help this is my 4th full day battling it...

Anonymous said...

After I used Malware bytes to get rid of the malware, I had to set all my files to hidden, then set them immediately back to unhidden, and they all popped right back where they were supposed to be