WindowsRecovery Malware

Discussions about anything Computer Hardware Related. Overclocking, underclocking and talk about the latest or even the oldest technology. PCA Reviews feedback
CrazyBones
Senior Member
Posts: 104
Joined: Fri Feb 24, 2006 3:15 pm


Post by CrazyBones »

So I got that WindowsRecovery malware on my Win 7 laptop. My files are hidden, but luckily I had the option to right click on the folders in My Computer and it gave me the option to scan with Malwarebytes Anti-Malware. However, when I'm scanning, the damn thing shuts down my computer a couple of minutes into it.

I tried booting my computer in safe mode but it even has its own fake safe mode screen! How do I get rid of this thing?
Sedit qui timuit ne non succederet.
CrazyBones
Senior Member
Posts: 104
Joined: Fri Feb 24, 2006 3:15 pm

Post by CrazyBones »

Ok, so I managed to scan my computer fully and I think I removed it. However, my desktop background is black, icons are missing, and it looks like almost all my files/programs are missing with the exception of a few such as Firefox and Windows Movie Maker (This was the case before I removed it).
Sedit qui timuit ne non succederet.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

I ran into this one last month. If System Restore is not corrupt, go back to the oldest restore point you can find to get well before the problem. It won't affect your data. It fixed the damaged system files and desktop for me.

Although in all honesty, this one is so nasty I don't think you can ever be sure there isn't a rootkit or boot sector virus still in there, maybe just acting as a keylogger. If it was me, I'd back up my data (and scan it for viruses from a clean PC) and then DBAN the whole drive and do a clean install.

For future peace of mind, invest in a big external HDD and some imaging software and image your boot partition regularly (it helps keep the images a manageable size if you keep your data and games on another partition). That way if something like this ever happens again, you can just restore the partition and MBR from the last good image.

That's what I do. I have Acronis image the boot partition once a week. I don't even bother having system restore enabled.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

b-man1
Posts: 5201
Joined: Wed Nov 22, 2000 10:23 am

Post by b-man1 »

I'm about to wipe a friend's PC due to this one... sucks.
GuardianAsher
Golden Member
Posts: 1102
Joined: Mon Aug 01, 2005 12:30 am
Location: Lubbock, TX

Post by GuardianAsher »

Okay, we've been tackling this one a good bit here lately. While FP is right in that the only true way to make sure you're clean is to do a complete reinstall, fear not, because you can defeat this.

We've been hitting it with a combination of TDSS Rootkit Killer, Combofix, Hitman Pro, Microsoft Security Essentials, Malwarebytes, and SuperAntiSpyware. We've had a great amount of success with this thus far. Yeah, it's a lot of work to put into it and a reinstall would probably be easier, but some of our clients aren't too keen on reinstalls, unfortunately.

Those programs above should be able to nuke nearly every infection on the PC without much issue. To take care of the hidden files, Grinler (BleepingComputer) created a small utility that unhides the hidden files and folders, but is designed (AFAIK) to not unhide files that are supposed to stay hidden. You can find that here:

http://www.technibble.com/forums/showthread.php?t=26127

Now for the last part, the All Programs menu. If you have Windows XP, you're pretty much on your own, unfortunately. Microsoft's TweakUI tool will help get your icons back in order (Use the Icon Repair option) and then you'll have to manually go into Program Files and create new shortcuts for the EXEs.

Vista and 7 users have it easy. If you navigate to %programdata%/Microsoft/Windows, right click on the Start Menu folder, and hit Restore Previous Versions, you can go back a few days to where the icons were still intact, and restore them from the Previous Versions.

Now I have to stress again, I completely agree with Flying Penguin. Back up, back up, back up, reinstall. It's the only 100% safe way to make sure your PC isn't rootkit'd or keylogger'd. But we've been using this method and it's given us great results.

Best of luck, and happy virus hunting!
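Editor's note: the post above describes unhiding the files the malware flagged as Hidden while leaving genuinely hidden system files alone. The script below is an added example of that rule (it is not Grinler's utility and not code from this thread). It walks a profile folder, reports every item that carries the Hidden attribute but not the System attribute, and only clears the Hidden bit when run with -Fix. The default root ($env:USERPROFILE), the report path, and the skip list of profile folders that are normally hidden (AppData and the ntuser.* files) are assumptions for the example.

```powershell
# Added example, not part of the original thread or of Grinler's unhide tool.
# Report (and with -Fix, clear) the Hidden attribute on items under $Root that are
# Hidden but NOT System. System-flagged items (desktop.ini, junction points, ...)
# are left untouched, which mirrors the "don't unhide what should stay hidden" rule.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: the affected user's profile
    [switch]$Fix                        # without -Fix the script only reports
)

$hiddenBit = [IO.FileAttributes]::Hidden
$systemBit = [IO.FileAttributes]::System
$reparseBit = [IO.FileAttributes]::ReparsePoint

# Assumed skip list: profile items that Windows itself keeps hidden (no System bit).
$keepHidden = @('AppData', 'ntuser.dat', 'ntuser.ini', 'ntuser.dat.log1', 'ntuser.dat.log2')

$report = Join-Path $env:TEMP 'unhide-report.txt'   # assumed report location
$changed = 0
$found = 0

Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band $hiddenBit) -and
        -not ($_.Attributes -band $systemBit) -and
        -not ($_.Attributes -band $reparseBit) -and
        ($keepHidden -notcontains $_.Name)
    } |
    ForEach-Object {
        $found++
        Add-Content -Path $report -Value $_.FullName
        if ($Fix) {
            # Clear only the Hidden bit; every other attribute stays as it was.
            $_.Attributes = $_.Attributes -band (-bnot $hiddenBit)
            $changed++
        }
    }

Write-Host "Hidden (non-System) items found: $found   (list written to $report)"
if ($Fix) {
    Write-Host "Hidden attribute cleared on $changed item(s)."
} else {
    Write-Host "Report-only run. Re-run with -Fix to clear the Hidden attribute."
}
```

Run it once without -Fix and read the report first; if the list is only your own documents and Start Menu shortcuts, run it again with -Fix. Anything the script skips can still be checked by hand with attrib in a command prompt.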
CrazyBones
Senior Member
Posts: 104
Joined: Fri Feb 24, 2006 3:15 pm

Post by CrazyBones »

Thanks for all the help guys. What's funny is that I got this garbage as soon as I started using Internet Explorer (I usually use Firefox).
Sedit qui timuit ne non succederet.