Windows Recovery Skinny!!

vdub12

OK this virus isn't so bad.

Just like many of the rogues, it looks worse than it is.

Here are my notes for removal.

First off, fire up Process Explorer and kill the random-named processes.

Run regedit, first make a backup of the registry, then delete these keys.

Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'

Now change the following keys to what I have listed here.

Code:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '1'

Next, enable hidden files as well as protected system files, go to the All Users folder under AppData, and remove the randomly named files.

Run the unhide.exe utility available here

Finally, restart the system. If after the restart you still don't have desktop icons, then you have a variant that includes a rootkit. For this, run ComboFix. ComboFix will repair the volsnap.sys file for you as well as kill some additional registry entries.

Reboot the system and re-enable the internet and email shortcuts in the Start Menu; they should still be disabled.

The final part of this removal, in my opinion, was the worst. The virus does delete files. It basically clears the All Users / Start Menu folder. Attached to this thread is a copy of the icons that I took from a clean XP Pro system. However, this will not help in Win 7, Vista, XP Home or other OS versions.

I think it might help if others post icons from All Users on other OSes, but I think the biggest problem is going to be getting customers' program icons back. I have not figured that part out yet. Does anyone know if these icons are in the restore data?

Anyway, this is what I have so far. The test system is running great, and other than the program icons it's flawless.
 


Good work :)

When I got this and the start menu/desktop icons weren't showing up, I ran system restore to the previous day. My infection probably wasn't 100% the same as the one you described here, because the restore worked right away.

My steps were pretty basic I would say. I like the automated approach.

1. Malwarebytes. Removed 164 infections
2. Ran unhide.exe. Didn't help one little bit though.
3. System Restore. Ran MWB again and all traces of the rogue were gone.
 

Personally I prefer manual removal. The steps I listed took a fraction of the time that scanners would take. I also like to understand the virus and get inside its head, so to speak. That way, when variants change I can keep up. Many of these rogues change to defeat scanners. Honestly, the only reason I even used ComboFix was because I was too lazy to replace the volsnap.sys file.

On a side note, all the registry changes can be automated, so with a little scripting this virus could be defeated with a single mouse click.
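As an added example of the scripted cleanup suggested above (added here, not the poster's own script), this PowerShell snippet exports the affected parent keys to backup .reg files, removes the values the first post says to delete, sets the three it says to change, and lists the current Run entries for manual review; the backup folder is an assumption, and it must run from an elevated prompt because of the HKLM value.

```powershell
# Added example, not from the thread: audit and revert the registry values
# listed in the first post. Run elevated. Backup folder is an assumption.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\reg-backup'   # assumption
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
# 1. Back up the parent keys first, as the first post recommends.
$parents = @('HKCU\Software\Microsoft\Windows\CurrentVersion',
             'HKCU\Software\Microsoft\Internet Explorer',
             'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies')
foreach ($p in $parents) {
    $file = Join-Path $backupDir (($p -replace '[\\:]', '_') + '.reg')
    reg export $p $file /y | Out-Null
}
# 2. Values the rogue sets. Good = $null means "delete the value";
#    anything else is the value the first post says to restore.
$cu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$fixups = @(
    @{ Key="$cu\Internet Settings";      Name='CertificateRevocation'; Good=$null },
    @{ Key="$cu\Internet Settings";      Name='WarnonBadCertRecving';  Good=$null },
    @{ Key="$cu\Policies\ActiveDesktop"; Name='NoChangingWallPaper';   Good=$null },
    @{ Key="$cu\Policies\Associations";  Name='LowRiskFileTypes';      Good=$null },
    @{ Key="$cu\Policies\Attachments";   Name='SaveZoneInformation';   Good=$null },
    @{ Key="$cu\Policies\System";        Name='DisableTaskMgr';        Good=$null },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr'; Good=$null },
    @{ Key="$cu\Explorer\Advanced";      Name='Hidden';                Good=1 },
    @{ Key="$cu\Explorer\Advanced";      Name='ShowSuperHidden';       Good=1 },
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='CheckExeSignatures'; Good='yes' }
)
foreach ($f in $fixups) {
    # GetValue handles any value name; it returns $null when the value is absent.
    $old = if (Test-Path $f.Key) { (Get-Item $f.Key).GetValue($f.Name) } else { $null }
    if ($null -eq $f.Good) {
        if ($null -ne $old) {
            Remove-ItemProperty -Path $f.Key -Name $f.Name
            Write-Output "removed  $($f.Key)\$($f.Name) (was '$old')"
        }
    } else {
        if (-not (Test-Path $f.Key)) { New-Item -Path $f.Key -Force | Out-Null }
        Set-ItemProperty -Path $f.Key -Name $f.Name -Value $f.Good
        Write-Output "set      $($f.Key)\$($f.Name): '$old' -> '$($f.Good)'"
    }
}
# 3. The rogue's Run entry has a blank or random name, so list the autostarts
#    for manual review instead of deleting anything automatically.
$run = Get-Item "$cu\Run"
foreach ($name in $run.Property) {
    Write-Output ("Run entry '{0}' -> {1}" -f $name, $run.GetValue($name))
}
```

The Run listing is deliberately read-only: compare each target path against the random-named files found under the All Users AppData folder before removing an entry.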
 
Another thing to add that I forgot about.

I am running the AVG Rescue CD just to verify that I have in fact cleaned this system up, and I found that it infects the Windows recovery directories.

This is another reason it's not a good idea to just run System Restore to try and fix this. I recommend deleting all restore points after removal. I normally do this anyway, but on the test system I didn't.
 
While I don't rely on it, there has been the odd time that a Restore has been the simplest option to get some of the symptoms out of your face. You still need to manually review, of course, but if it's a choice between 20 minutes killing off processes and then manually reviewing the autostarts to figure out what keeps starting that one persistent file OR 5 minutes doing an SR....
 
I just worked on one of these as well, tried several ways of removal, all left the system clean, but the Start Menu folders in All Programs were empty. This was after trying all of the above plus other techniques. I've seen other forums asking the same thing about the Start Menu folders in All Programs being empty, none with an answer beyond System Restore. I ended up just adding shortcuts to the software in the empty folders, since the software was really there. This computer had no restore points so we couldn't do that, and the customer did not want a reinstall. Worked fine in the end. This one was Windows 7, so I went to ProgramData\Microsoft\Windows\Start Menu and then pasted a shortcut to the executable of the missing software from the Program Files folder.
 

There has to be an easier solution to this problem. The system icons are easy; we are just going to have to compile them from different systems. However, the program icons are another matter. There has to be an easy way to rebuild the Start Menu when something like this happens.
 
For unhiding everything, I do this:

XP:
Code:
attrib -h c:\docume~1\*.* /s /d

Vista+
Code:
attrib -h c:\Users\*.* /s /d

This is nice because it doesn't remove the hidden attribute from system files, so all of the stuff that should stay hidden does. Obviously change the directories if needed, but those are the typical user directories.
 

This does not work for deleted files, though. The unhide.exe does a good job of only unhiding the correct files. The problem you might run into using attrib is that if you let this virus sit, it will hide everything. On my test system it hid the entire C: drive.

I wonder if we could use a simple portable data recovery program to undelete the start menu icons.

Does anyone have any suggestions?
 
Just to mention, there is definitely a variant that does not delete files. As previously mentioned in the other thread, the one I came up against simply required booting into Safe Mode, deleting the virus and running unhide. So no rootkit (I checked) and no deleted files.
 

This is true, but we deal in worst case and it's better to be prepared for it. No point in N&P if it's not necessary. I would rather find a solution than hope for an easy virus.
 
OK I figured out how to get all the original icons back.

I don't know why I didn't try this before.

Right before you run ComboFix, do a System Restore to the last checkpoint. Then run ComboFix, and once it's done everything should be fine. Keep in mind that with the shortcuts down you will have to manually run System Restore from the command prompt.

c:\windows\system\restore\rstrui.exe

Or you can run it from msconfig.

I know that there may be situations that are not perfect but with this situation I set a restore point right before I infected the system.

My test box is exactly like it was before it was infected.
 
Also keep in mind most malware infects/corrupts the System Restore Points, so they won't always be useful.

This is true, and this one does too. However, the infection in System Restore is the rootkit that ComboFix takes care of. That's why I say to run it right before ComboFix. The Windows Recovery virus does not infect the restore points.

By running ComboFix after System Restore you don't have to remove the rootkit twice like I did the first time.

I put my system through this infection 4 times last night and tried things in different orders, and this seemed like the best way. It would be nice if we had a utility that could extract specific files from the restore points. That way we could just take the Start Menu icons.
 
To get the Start Menu looking nice again in Windows 7, you can use a new, nicely implemented feature of System Restore: simply go to the Windows ProgramData directory (C:\ProgramData\Microsoft\Windows\), right-click on Start Menu, go to Restore Previous Versions, select a date before the infection, and voilà! This avoids doing an unnecessary System Restore!
 
This is something that I did not know, thanks for the tip!
 

This will only work in Professional and above. While Home and below support it, MS took the links away so people can't use it. There's a hack out there to make it work, from what I understand though.
 
Tested it today... the "Programs" portion of the Start Menu is fine...

It's just the pinned items list that disappears... but you can just right-click, Pin to Start Menu, bang, that's it.
 

Odd. I just did this on a Windows 7 Home Premium 64-Bit system.
 
Did this the other day for data recovery. They'd copied files to a disk, saw the Copy dialog running and, when done, deleted the originals. Turns out nothing copied after all ({shrug} I wasn't there). Tried a few basic recovery programs and they found nothing. Restore Previous Versions did the trick.
 