
Windows Recovery Trojan / Virus



Gedc
12-06-2011, 09:09 AM
Got this yesterday. It wasn't nice! Indicates your machine is about to go through meltdown, hides all your icons, moves your profiles and then says to download some paid-for software etc. etc. After a couple of hours' work using Malwarebytes and unhide.exe, most of my machine appears back to normal.

The issues I still face

1. When I click the start menu, the large box above "All Programs" is completely empty.

2. When I click through on "All Programs" it has the titles of the various programs installed on the machine, but when I go to access them I see (empty) appear under the title.

3. I found a post on another forum on this trojan indicating some items had been moved - see below. I've also found the folders marked 1, 2 and 4, which indeed have the data, but I'm not sure where to recopy the data back to in order to fix the machine.

Would appreciate if someone could point me to the correct location for copying these back.

Post from other forum below.

Try navigating to the following path: (make sure you have the hidden files and folders visible)

C:\Documents and Settings\your user name goes here\Local Settings\Temp\smtmp

Inside the smtmp folder you will see three folders named 1, 2, 4

1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts

Simply copy the shortcuts back to the original path.
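A script form of the "copy the shortcuts back" step, added here as an example rather than code from the thread. The meaning of folders 1, 2 and 4 follows the quoted post; the destination paths are assumptions for an XP-style profile and must be checked on the affected machine, so the script only lists what it would copy unless -Apply is given.

```powershell
# Added example, not from the thread. Restores shortcuts that the rogue moved
# into %TEMP%\smtmp. Folder meanings follow the quoted post (1 = Start Menu
# programs, 2 = Quick Launch, 4 = All Users Desktop); the destination paths
# below are ASSUMED and should be verified before running with -Apply.
param([switch]$Apply)

$smtmp = Join-Path $env:TEMP 'smtmp'
$map = @{
    '1' = Join-Path $env:USERPROFILE     'Start Menu\Programs'                     # assumed
    '2' = Join-Path $env:APPDATA         'Microsoft\Internet Explorer\Quick Launch' # assumed
    '4' = Join-Path $env:ALLUSERSPROFILE 'Desktop'                                 # assumed
}

if (-not (Test-Path -LiteralPath $smtmp)) { Write-Host "No $smtmp folder found"; exit 1 }

foreach ($key in ($map.Keys | Sort-Object)) {
    $src  = Join-Path $smtmp $key
    $dest = $map[$key]
    if (-not (Test-Path -LiteralPath $src)) { Write-Host "${key}: nothing to restore"; continue }

    # The rogue also marks the real folders Hidden/System; clear that so Explorer
    # shows the restored shortcuts (the same thing unhide.exe does in bulk).
    if ($Apply -and (Test-Path -LiteralPath $dest)) {
        try { (Get-Item -LiteralPath $dest -Force).Attributes = 'Directory' }
        catch { Write-Warning "${dest}: cannot reset attributes ($_)" }
    }

    # Copy each shortcut, keeping the subfolder layout; anything already back in
    # place is skipped, so running the script twice is harmless.
    Get-ChildItem -LiteralPath $src -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel    = $_.FullName.Substring($src.Length).TrimStart('\')
            $target = Join-Path $dest $rel
            if (Test-Path -LiteralPath $target) { return }
            if (-not $Apply) { Write-Host "would copy $rel -> $dest"; return }
            try {
                New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target -ErrorAction Stop
            } catch {
                # "Access denied" here means the destination folder's permissions were
                # changed as well and need fixing before the copy can be retried.
                Write-Warning "${target}: $($_.Exception.Message)"
            }
        }
}
```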

Speedy Gonzales
12-06-2011, 09:14 AM
Follow this

http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Run rkill first

http://download.bleepingcomputer.com/grinler/rkill.exe

It's fake/rogue software.

Gedc
12-06-2011, 10:03 AM
Hi Speedy

Did all that yesterday mate. Still got the issue of it moving start menu profiles or shortcuts to those temporary file locations. Where would I copy them back to, as most of the programs on the start menu say (empty) when I go to open them?

Cheers

Ged

wainuitech
12-06-2011, 11:24 AM
Done several PCs over the last week or two, exact same thing. Sometimes it was simply easier to save all the data and reinstall Windows from fresh. (Repair install doesn't work either.)

Sometimes you can move the files back to the location C:\Documents and Settings\User name\Start Menu

Sometimes it works other times it still doesn't.

Gedc
12-06-2011, 01:56 PM
Hi..

Tried to open that location and it came back with "is not accessible" "access denied".

Maybe a fresh install is an answer!

mzee
12-06-2011, 02:37 PM
I have had this several times. If you keep an image of the "C" partition on an external drive you would be able to restore the whole system in the time it takes to have a coffee! Hard drives are very cheap and there are a lot of paid and free imaging programs. I use Acronis. Have a small "C" partition, about 30GB, for quick backups.

Keep your data on another partition and your image will not have to be right up to date to avoid losing data. To do this, make a folder "data" on another partition, then right-click on "my documents", select properties, select move, select the folder "data". You will be asked if you wish to transfer the contents: "yes".

To the operator nothing has been changed and "my documents" continues to be used; the data is transferred automatically.

Using the above method you only have to make an image after installing major software or updates. Make sure that it is working OK and do a Crap Clean and virus scan beforehand.