Windows Recovery Skinny!!

Maybe I am wrong about Restore Previous Versions. I will have to take a look at a Windows 7 Home machine.

Edit:
I stand corrected. I just looked at a Windows 7 Home Premium that I loaded from an OEM disk yesterday, and it does show the Previous Versions tab. Maybe this was added in an update or something, because I heard a while back, I think it was on Podnutz Pro, that Previous Versions was only available in the professional operating systems.

I guess this takes care of Windows 7 for this virus.
 
Had my first one of these come in Friday. I had worked on this machine before, so System Restore was enabled, which made it very easy.
Killed (I think it was) four processes, then ran MBAM, which got a bunch of stuff (trojan fake alerts, fake AV, rootkit). System Restore to a week earlier and everything was good in the hood. Quick and easy, but only because I had System Restore.

Before I ran System Restore I did run unhide.exe to see what it would do. It unhid the user folders and restored the desktop icons but not the wallpaper, and it didn't help the Start menu or All Programs.
 
Just to give you guys some more detail - the shortcuts are NOT deleted. This evil pile of junk makes a copy of the folder tree in a different location under the user's temp folder.

If you do this:

Code:
dir /s /b /a c:\*.lnk > c:\shortcuts.txt

You'll get output of all shortcuts on the drive, one full path per line (/b), hidden and system files included (/a), which matters because this thing hides what it moves. If you look at the paths you should find the original shortcuts - they should all be in there. The malware makes a numbered folder for each profile on the machine (e.g. C:\docs&settings\userA, userB, etc.) and it includes the All Users and Default User profiles as well, IIRC.

You can find the shortcuts this way and move them back, as long as you haven't run CCleaner or anything against the temp folders.
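As an added example (not code from any post in this thread), here is the same recovery written out in PowerShell so it can be repeated on every profile without hand-moving shortcuts: an inventory of every .lnk on the drive with a per-folder count so the stash stands out, a copy of the stash to a folder on the root that temp cleaners and scanners will not empty (the point made later in the thread about saving the icons before any removal attempt), and a restore that mirrors the stashed tree back under the profile it belongs to. It assumes, because the page does not say, that the numbered stash folder's subfolders mirror the profile root (e.g. "Start Menu\Programs\..."); the paths in the usage comments are placeholders you replace after reading the inventory. Run as Administrator; `-WhatIf` on the restore prints what would be copied without touching anything.

```powershell
# Added example for this thread, not code from any post above.
# Assumption (not given on the page): each numbered stash folder under the
# user's Temp directory mirrors the profile root, so a file at
# <stash>\Start Menu\Programs\X.lnk belongs at <profile>\Start Menu\Programs\X.lnk.
# Written against PowerShell 2.0 syntax so it runs on the XP/7 machines discussed.

function Get-LnkInventory {
    param(
        [string]$Root = 'C:\',
        [string]$OutFile = 'C:\shortcuts.txt'
    )
    # -Force includes Hidden/System files; the fake AV hides what it moves.
    $lnks = Get-ChildItem -Path $Root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    $lnks | ForEach-Object { $_.FullName } | Set-Content -Path $OutFile
    # Folders holding many shortcuts in an odd place (e.g. under Temp) are the stash.
    $lnks | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Backup-ShortcutStash {
    param(
        [Parameter(Mandatory=$true)][string]$StashRoot,
        [string]$BackupRoot = 'C:\ShortcutBackup'
    )
    # Copy rather than move, so the stash stays as evidence. Do this before any
    # scanner or temp cleaner runs, because those empty the Temp folder.
    if (-not (Test-Path -LiteralPath $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot | Out-Null
    }
    Copy-Item -LiteralPath $StashRoot -Destination $BackupRoot -Recurse -Force
}

function Restore-ShortcutTree {
    param(
        [Parameter(Mandatory=$true)][string]$StashRoot,    # numbered stash folder or its backup copy
        [Parameter(Mandatory=$true)][string]$ProfileRoot,  # profile the tree belongs to
        [switch]$WhatIf
    )
    $stash = (Get-Item -LiteralPath $StashRoot -Force).FullName.TrimEnd('\')
    $restored = 0
    $skipped = 0
    Get-ChildItem -Path $stash -Filter '*.lnk' -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Path relative to the stash, e.g. "Start Menu\Programs\Accessories\Calculator.lnk"
            $rel  = $_.FullName.Substring($stash.Length + 1)
            $dest = Join-Path $ProfileRoot $rel
            if (Test-Path -LiteralPath $dest) { $skipped++; return }   # never clobber a live shortcut
            if ($WhatIf) { Write-Host "WhatIf: $($_.FullName) -> $dest"; return }
            $destDir = Split-Path -Parent $dest
            if (-not (Test-Path -LiteralPath $destDir)) {
                New-Item -ItemType Directory -Path $destDir -Force | Out-Null
            }
            Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
            # Clear the Hidden/System bits the malware set so the shortcut shows again.
            $f = Get-Item -LiteralPath $dest -Force
            $f.Attributes = [IO.FileAttributes]::Archive
            $restored++
        }
    "Restored $restored shortcut(s), skipped $skipped already present."
}

# Usage (placeholder paths; take the real ones from Get-LnkInventory output):
# Get-LnkInventory
# Backup-ShortcutStash -StashRoot 'C:\Documents and Settings\userA\Local Settings\Temp\<stash>\1'
# Restore-ShortcutTree -StashRoot 'C:\ShortcutBackup\1' -ProfileRoot 'C:\Documents and Settings\userA' -WhatIf
# Restore-ShortcutTree -StashRoot 'C:\ShortcutBackup\1' -ProfileRoot 'C:\Documents and Settings\userA'
```

Run the inventory first and match each numbered stash folder to a profile by eye (the relative folder names inside it tell you which profile it mirrors) before pointing `Restore-ShortcutTree` at it; the skip-if-present rule means a second run is harmless, and the All Users and Default User profiles are restored the same way with their own profile root.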
 
Just to give you guys some more detail - the shortcuts are NOT deleted. This evil pile of junk makes a copy of the folder tree in a different location under the user's temp folder.

If you do this:

Code:
dir /s /b /a c:\*.lnk > c:\shortcuts.txt

You'll get output of all shortcuts on the drive, one full path per line (/b), hidden and system files included (/a), which matters because this thing hides what it moves. If you look at the paths you should find the original shortcuts - they should all be in there. The malware makes a numbered folder for each profile on the machine (e.g. C:\docs&settings\userA, userB, etc.) and it includes the All Users and Default User profiles as well, IIRC.

You can find the shortcuts this way and move them back, as long as you haven't run CCleaner or anything against the temp folders.


Awesome. Thanks for the tip!
 
Just to give you guys some more detail - the shortcuts are NOT deleted. This evil pile of junk makes a copy of the folder tree in a different location under the user's temp folder.

If you do this:

Code:
dir /s /b /a c:\*.lnk > c:\shortcuts.txt

You'll get output of all shortcuts on the drive, one full path per line (/b), hidden and system files included (/a), which matters because this thing hides what it moves. If you look at the paths you should find the original shortcuts - they should all be in there. The malware makes a numbered folder for each profile on the machine (e.g. C:\docs&settings\userA, userB, etc.) and it includes the All Users and Default User profiles as well, IIRC.

You can find the shortcuts this way and move them back, as long as you haven't run CCleaner or anything against the temp folders.

+rep

Thanks, I will reinfect my test system and check this out.

This would be much quicker than running System Restore.
 
This would be much quicker than running System Restore.

This puts a question in my mind. In a situation like this where System Restore is an option, wouldn't restoring the system to a point before the infection (before registry/file changes/damage) be better for the computer (and therefore the client) than patching/repairing?
 
This puts a question in my mind. In a situation like this where System Restore is an option, wouldn't restoring the system to a point before the infection (before registry/file changes/damage) be better for the computer (and therefore the client) than patching/repairing?

The virus infects the restore points.

After running system restore you still have to remove the rootkit.
 
The virus infects the restore points.

After running system restore you still have to remove the rootkit.

So here's a chicken vs. egg question:

Does the virus actually attack the system restore points, or do some of them get infected because they did a restore point of an infected system?

Rick
 
From what I've seen over the years, it appears that the malware is copied into the Restore Point, effectively "infecting" it. I'm not sure how viable the malware would be once included in the Restore Point but I always clean temp files first then remove the Restore Points before running any scans (unless I use a bootable CD or thumb drive).
 
On the one I did last week, after killing the processes MBAM removed a rootkit (plus a bunch of other stuff) before running System Restore. After the System Restore TDSSKiller came up clean, Hitman Pro got some adware, then SAS got one more trojan and some more adware. This one is coming back in this weekend for a memory upgrade (finally); I'll poke around and make sure I didn't miss anything, but it appeared clean.
 
I've had it up to HERE with this Windows Recovery virus today. Long story short, I had a customer come in with an XP Dell desktop with an easy scareware AV variant. I cleaned the whole PC, Combofix, the full meal deal, and it was running great. They take it home, open their email and do who knows what, and within 20 minutes of leaving my office they have reinfected it. They say it's the identical virus. So I'm second-guessing myself and I tell them I'll clean it for free just to be nice. They bring it in and it's the Windows Recovery virus... NOT what they had before. GRRRR! So I follow the step-by-step instructions here and it all seems to go well until I try to install a new version of McAfee for them (their request). The install keeps crashing when it gets to the actual installation process. It seems really strange and I'm thinking the machine might still be infected, but everything comes up clean. Everything.

I then realize that the Start Menu folders are mostly empty. Some of the things are there, but not most. All the MS folders are empty (MS Works, Games, Accessories, etc.), as well as 90% of the software apps they've installed. I go through every trick in the book I read here and other places to get those programs to show back up. Nothing. I checked All Users and they were missing there too, which (according to the guys on Bleeping Computer) is pretty bad. I tried all their tricks, still nothing. So after about 4 more (free) hours into this thing I say screw it and I call the customer, tell them the dilemma, and they say to nuke it if I need to because they have no docs or files on it. They use webmail, play solitaire and that's it.

This has been a pain in the rear, and I'm sure one of you guys with more knowledge could have gotten it figured out, but I was at my wits' end. I hate giving up and nuking and paving, but I've got so many hours in this thing and I'm coming up against a long weekend and they need it back tomorrow. I feel like a quitter, but I guess sometimes I've got to admit defeat and do what makes the most sense economically. :(
 
Just to give you guys some more detail - the shortcuts are NOT deleted. This evil pile of junk makes a copy of the folder tree in a different location under the user's temp folder.

If you do this:

Code:
dir /s /b /a c:\*.lnk > c:\shortcuts.txt

You'll get output of all shortcuts on the drive, one full path per line (/b), hidden and system files included (/a), which matters because this thing hides what it moves. If you look at the paths you should find the original shortcuts - they should all be in there. The malware makes a numbered folder for each profile on the machine (e.g. C:\docs&settings\userA, userB, etc.) and it includes the All Users and Default User profiles as well, IIRC.

You can find the shortcuts this way and move them back, as long as you haven't run CCleaner or anything against the temp folders.

Are you a wizard?

Great solution! +++
 
Just to give you guys some more detail - the shortcuts are NOT deleted. This evil pile of junk makes a copy of the folder tree in a different location under the user's temp folder.

If you do this:

Code:
dir /s /b /a c:\*.lnk > c:\shortcuts.txt

You'll get output of all shortcuts on the drive, one full path per line (/b), hidden and system files included (/a), which matters because this thing hides what it moves. If you look at the paths you should find the original shortcuts - they should all be in there. The malware makes a numbered folder for each profile on the machine (e.g. C:\docs&settings\userA, userB, etc.) and it includes the All Users and Default User profiles as well, IIRC.

You can find the shortcuts this way and move them back, as long as you haven't run CCleaner or anything against the temp folders.

Thank you much! I think your rep is going up just from this one post! Great way to start it off, and glad you found the site!
 
Yet another path to take care of this. If no attempt has been made to remove this fake program, simply activate/register the program with the code 8475082234984902023718742058948. It will then "recover"/unhide all files and make things normal again. Proceed with the usual removal after this. I believe this code will work with most variants. Have removed it successfully a couple of times with this method.
 
Yet another path to take care of this. If no attempt has been made to remove this fake program, simply activate/register the program with the code 8475082234984902023718742058948. It will then "recover"/unhide all files and make things normal again. Proceed with the usual removal after this. I believe this code will work with most variants. Have removed it successfully a couple of times with this method.

I want to know who was stupid enough to pay to get that code..........
 
Just did my first removal for a paying customer using the ideas from this thread -

thanks to everyone for that.

I used the Prevx free scanner to check for items left scattered behind and then manually removed them.

Does anyone use Prevx, and what are your thoughts?

John
 
From what I've seen over the years, it appears that the malware is copied into the Restore Point, effectively "infecting" it. I'm not sure how viable the malware would be once included in the Restore Point but I always clean temp files first then remove the Restore Points before running any scans (unless I use a bootable CD or thumb drive).

Before you delete the temp directory files, make sure you recover the moved shortcuts. If you don't, and you also remove the restore points, you will not be able to recover the Start Menu shortcuts.

I've had it up to HERE with this Windows Recovery virus today. Long story short, I had a customer come in with an XP Dell desktop with an easy scareware AV variant. I cleaned the whole PC, Combofix, the full meal deal, and it was running great. They take it home, open their email and do who knows what, and within 20 minutes of leaving my office they have reinfected it. They say it's the identical virus. So I'm second-guessing myself and I tell them I'll clean it for free just to be nice. They bring it in and it's the Windows Recovery virus... NOT what they had before. GRRRR! So I follow the step-by-step instructions here and it all seems to go well until I try to install a new version of McAfee for them (their request). The install keeps crashing when it gets to the actual installation process. It seems really strange and I'm thinking the machine might still be infected, but everything comes up clean. Everything.

I then realize that the Start Menu folders are mostly empty. Some of the things are there, but not most. All the MS folders are empty (MS Works, Games, Accessories, etc.), as well as 90% of the software apps they've installed. I go through every trick in the book I read here and other places to get those programs to show back up. Nothing. I checked All Users and they were missing there too, which (according to the guys on Bleeping Computer) is pretty bad. I tried all their tricks, still nothing. So after about 4 more (free) hours into this thing I say screw it and I call the customer, tell them the dilemma, and they say to nuke it if I need to because they have no docs or files on it. They use webmail, play solitaire and that's it.

This has been a pain in the rear, and I'm sure one of you guys with more knowledge could have gotten it figured out, but I was at my wits' end. I hate giving up and nuking and paving, but I've got so many hours in this thing and I'm coming up against a long weekend and they need it back tomorrow. I feel like a quitter, but I guess sometimes I've got to admit defeat and do what makes the most sense economically. :(

Sorry you had such a problem with this. I had to N&P my first one of these too, for the same reason you did. The next time you see this, just make sure to recover the Start Menu icons from the temp directory using the methods described in this thread. Make sure you do this before any scans; many scanners empty the temp folders. I would move the icons to a temp directory on the root before any removal attempts, just to save those icons.

Yet another path to take care of this. If no attempt has been made to remove this fake program, simply activate/register the program with the code 8475082234984902023718742058948. It will then "recover"/unhide all files and make things normal again. Proceed with the usual removal after this. I believe this code will work with most variants. Have removed it successfully a couple of times with this method.

Never thought about that angle. I will have to test the code on the test variant I have. I am sure the virus maker will change it soon, though. I am sure the people making these watch these forums, because whenever we find a way to fight their programs and talk about it here, they change.
 
Yet another path to take care of this. If no attempt has been made to remove this fake program, simply activate/register the program with the code 8475082234984902023718742058948. It will then "recover"/unhide all files and make things normal again. Proceed with the usual removal after this. I believe this code will work with most variants. Have removed it successfully a couple of times with this method.

This worked. Put in the activation code and a fake email address, activate it, then click on the Help and Support button and run Malwarebytes. What it didn't do was restore the program links in the Start menu, but that was easy enough to fix by right-clicking each program and restoring it to its previous version.

Best of luck
 
There has to be an easier solution to this problem. The system icons are easy; we are just going to have to compile them from different systems. However, the program icons are another matter. There has to be an easy way to rebuild the Start menu when something like this happens.

I wonder how this would work? http://www.vistastartmenu.com/ The XP machine I just worked on had corrupted restore points and no systmp folder.
 