Windows Recovery
Windows Recovery is a rogue hard drive optimization program that starts a scan without any action from the user. When this happens, it can be assumed that the Windows Recovery virus has already penetrated the computer and modified system settings so that it runs automatically. It comes from the same group that developed Windows Safemode and System Diagnostic, so this variant was expected to be as dangerous as the earlier ones. Aside from disabling anti-virus applications, the Windows Recovery virus also prevents installed programs from executing, which renders the computer unusable. The malicious application repeatedly prompts the user to purchase a Windows Recovery registration key in order to make the PC stable again.
Instead of paying for this useless application, it is best to scan the computer with a legitimate anti-malware program. If none is present, download a copy from a legitimate web site. This effective Windows Recovery removal tool is available for free. Downloading, installing, updating and thoroughly scanning the computer with it can help remove the Windows Recovery virus completely.
Most importantly, learn to tell fake security programs from legitimate ones. Fake programs are those made to be sold and marketed in a deceptive manner, as described above. Real ones offer a trial period and are useful for that period of time. When the trial period lapses, a real program prompts users to voluntarily obtain the full version; otherwise it will not work the same as before. Fake software akin to Windows Recovery, by contrast, punishes the user with annoying pop-up alerts and forces the purchase of the licensed version.
Alias: WindowsRecovery
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Added Registry Entries:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run " "
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/ fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
Associated Files and Folders:
- %UserProfile%\Desktop\Windows Recovery.lnk
- %UserProfile%\Start Menu\Programs\Windows Recovery\
- %UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
- %UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
- %AllUsersProfile%\~[random]
- %AllUsersProfile%\~[random]r
- %AllUsersProfile%\[random].dll
- %AllUsersProfile%\[random].exe
- %AllUsersProfile%\[random]
- %AllUsersProfile%\[random].exe
File Location for Windows Versions:
- %AllUsersProfile% is C:\ProgramData on Windows Vista/7 and C:\Documents and Settings\All Users\ on Windows XP/2000.
- %UserProfile% is C:\Users\<Current User> on Windows Vista/7 and C:\Documents and Settings\<Current User> on Windows XP/2000.
How to Remove Windows Recovery
Manual Removal Procedure
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with "Windows Recovery". When Windows Task Manager opens, go to the Processes tab. Find and end this process:
(random characters).exe
2. Update your installed antivirus software. Connect to the Internet and download the most recent database. This is a one-click process from your AV program’s console.
3. Thoroughly scan the computer and remove any threats found by your antivirus program. If the delete option is not available, the next best choice is to quarantine the infected file. You also need to manually locate and delete the malicious files. See the files section above for items that are relevant to the Windows Recovery virus.
4. Next, remove the registry entries created by Windows Recovery. Refer to the registry section above to view the entries related to the rogue program.
5. Exit registry editor when you are done.
6. Get rid of the Windows Recovery start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. This launches the System Configuration Utility in a new window. Click on the Startup tab and uncheck the following item:
(random characters).exe
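One way to confirm step 4 after cleanup is to export the affected keys with reg export and check the dump for the values listed in the registry section. The script below is an added example, not part of the original article; its function names, the constructed sample export and the Run-entry heuristic (a program sitting directly in the All Users profile folder, as in the file list) are assumptions made for illustration.

```python
"""Check a `reg export` text dump for the registry values this page lists."""
import re

HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
IE = r"\Software\Microsoft\Internet Explorer"
CV = r"\Software\Microsoft\Windows\CurrentVersion"

# (key, value name, data listed on the page); None = flag the value if present.
# A match is a lead for manual review, not proof of infection.
INDICATORS = [
    (HKCU + IE + r"\Download", "CheckExeSignatures", "no"),
    (HKCU + IE + r"\Main", "Use FormSuggest", "yes"),
    (HKCU + CV + r"\Explorer\Advanced", "Hidden", "0"),
    (HKCU + CV + r"\Explorer\Advanced", "ShowSuperHidden", "0"),
    (HKCU + CV + r"\Internet Settings", "CertificateRevocation", "0"),
    (HKCU + CV + r"\Internet Settings", "WarnonBadCertRecving", "0"),
    (HKCU + CV + r"\Policies\ActiveDesktop", "NoChangingWallPaper", "1"),
    (HKCU + CV + r"\Policies\Associations", "LowRiskFileTypes", None),
    (HKCU + CV + r"\Policies\Attachments", "SaveZoneInformation", "1"),
    (HKCU + CV + r"\Policies\System", "DisableTaskMgr", "1"),
    (HKLM + CV + r"\Policies\System", "DisableTaskMgr", "1"),
]
RUN_KEY = HKCU + CV + r"\Run"
# All Users profile locations given on the page (Vista/7 and XP/2000).
ALL_USERS_DIRS = ("c:\\programdata\\", "c:\\documents and settings\\all users\\")

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg format. A real dump from `reg export` is UTF-16:
# read it with open(path, encoding="utf-16").read().
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qWxYzExample"="C:\\ProgramData\\qWxYzExample.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def decode(data):
    """Normalise value data: DWORDs to decimal text, strings unquoted."""
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return unescape(data[1:-1])
    return data  # hex(...) and other types are left as written

def parse_reg(text):
    """Return {lower-cased key path: {value name: decoded data}}."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = hive.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            current[unescape(m.group(1))] = decode(m.group(2))
    return hive

def lookup(hive, key, name):
    """Case-insensitive value lookup, as the registry itself behaves."""
    for n, data in hive.get(key.lower(), {}).items():
        if n.lower() == name.lower():
            return data
    return None

def audit(text):
    """List (key, name, data) for every page-listed value still set."""
    hive, findings = parse_reg(text), []
    for key, name, bad in INDICATORS:
        actual = lookup(hive, key, name)
        if actual is not None and (bad is None or actual.lower() == bad):
            findings.append((key, name, actual))
    return findings

def suspicious_run_entries(text):
    """Run values that start a program directly inside the All Users profile."""
    hits = []
    for name, data in parse_reg(text).get(RUN_KEY.lower(), {}).items():
        path = data.strip('"').lower()
        for base in ALL_USERS_DIRS:
            if path.startswith(base) and "\\" not in path[len(base):]:
                hits.append((name, data))
                break
    return hits

if __name__ == "__main__":
    for key, name, data in audit(SAMPLE_EXPORT):
        print("still set:", key, name, "=", data)
    for name, data in suspicious_run_entries(SAMPLE_EXPORT):
        print("review Run entry:", name, "->", data)
```

Values the script reports are the ones to remove or reset in the registry editor; Run entries it lists should be checked against the file list before deleting anything.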
Windows Recovery Virus Removal Tool
This automatic detection and cleaning tool is recommended for less technical users who are not comfortable with the manual removal. You need to download and install a tool to complete this process. The tool is free to download. We highly advise the use of this program to automatically delete all files and registry entries created by Windows Recovery. Remember that erasing system files required by the operating system may cause erratic behavior and may also lead to system malfunction. Proceed with the Windows Recovery automatic removal.
Use A Portable SuperAntiSpyware:
For complete removal of the virus, carry out a separate scan using a different security program. This may catch infected items that evaded your previous scan. Download and run SuperAntiSpyware Portable Scanner.
freaknstyle
Apr 14, 2011 @ 16:03:12
Very Nice and very helpful.
This is the best helping site out of which i have researched.
Really appreciable.
Keep it up.
Shyam Kumar
Apr 14, 2011 @ 16:06:42
Which is best antivirus ?
Free n Paid both.
Shyam Kumar
Apr 14, 2011 @ 16:10:40
“mvneducation” at the rate of “yahoo” dot “in”
SJS
Apr 23, 2011 @ 13:11:14
Used stopzilla, didn’t help. When I click on start, all programs still says it’s empty.
Pete
Apr 23, 2011 @ 20:58:18
I got hit with this last night but, with the help found here, I was able to clean it up without much trouble. I’m a basic computer user with XP, SP3.
Now, how do I restore the folders and files that this thing hid ? Start/All Programs now says it’s empty and all of the other files and folders are there, just hidden. It even hides file size, etc. in Install/Remove Programs.
Any further help would be great but Thanks so much for this info !
Vincent
Apr 24, 2011 @ 00:42:26
Got rid of windows recovery with anti mal ware, however missing all pictures and documents if anybody knows how to retrieve them back please let me know ASAP thanks Vince
Finn MacLan
Apr 24, 2011 @ 14:53:27
Well, I can see quite a few that have been affected the same time as me. I too ran Stopzilla, and by also following the steps provided, it looks to have eliminated the nasty files.
I share your pain, my documents look lost and once i have calmed down, will try a restore from a portable hard-drive.
One worry is the windows 7 themes is not working. Has anyone else got this issue? I wondered if the virus wiped the files. Downloading new themes has proven not to work. This makes me think the virus is still active?
Vincent
Apr 24, 2011 @ 20:08:55
Virus is still there…. This has been the hardest virus I have dealt with.
TT
Apr 25, 2011 @ 22:14:39
This virus was a pain in the @$$. Ran Malware Bytes, AVG, MS Sec. Essentials and Kaspersky and they all picked up remnants of this. I think it by-passed Security Essentials initially by changing Windows Genuine Validation (which turns off MS S.E.) and then it can run.
It also hid all my files and made them read only. I decided it is best to reinstall the OS and restore files from back-up since it is hard to tell what other changes it has made which are not noticed now but might show up later.
Sebastian
Apr 26, 2011 @ 11:40:52
I have removed virus now however all my files have gone. Is there a way to get all my documents, photos and videos back?
Dave
Apr 26, 2011 @ 19:56:31
Your files are still there. just click on ” My Computer”
Then go to “tools”, “folder options” then “view”
Scroll down and uncheck “Dont show hidden files folders or drives”
click “OK” and close My Computer. you should be able to see your files.
chemi
Apr 27, 2011 @ 01:30:18
same problem here, no documents, windows themes seem to be vanished, any ideas where my documents went?
Brian
Apr 27, 2011 @ 22:03:30
There is a tool called unhide.exe that should get all your files back so that you can access them.
nikki m
Apr 28, 2011 @ 01:07:44
I’m still working through getting rid of this virus, but have managed to stop the process and download malwarebytes antimalware which is scanning right now. I couldn’t find any of the files to delete them…? But I was able to recover all of my pics and docs by clicking on start, then right click on each folder (pictures, documents, etc) and unchecking the hide box. that was all it took to bring those back. I’m still working on my desktop…
Terry
Apr 28, 2011 @ 02:14:30
Very Helpful, “un-hiding” the files gave me confidence that all the data/programs are there and not lost forever.
Jon
Apr 28, 2011 @ 15:07:51
Got hit by this last night – took me an hour and a half to get the better of it and still not won. Pesky thing disabled SEssentials which caught me off guard.
If it helps those still fighting: I’m running XP. First thing I did was disconnect the internet, then boot to safe mode and run Windows Restore to restore the settings to a date about a week and a half previously (believe I went to Start->Run and just typed “Restore” to find the program). That stopped the program running on boot up, allowed Essentials to start and put my start menu back to normal.
I then ran Essentials to find those Trojans.
Expect there’s a lot of malware still hanging around the PC though and that it’s only a matter of time ’til it comes back so will be running anti-malware / other virus checkers tonight.
warren
Apr 28, 2011 @ 16:09:29
Hi i got this windows recovery virus and it hid all my programs etc.
i removed the virus with norton but my program and pictures was still hidden so i have made a program that unhides everything and lets you use and see everything its fantastic.
If you want it email me: tombraiderwh1 @ hotmail.com
hazel
Apr 30, 2011 @ 14:56:43
It has disabled task manager so I cannot stop it activating on start up. Also Add/Remove Programs option is also disabled. XP system recovery option no longer works. Safe mode will not work fully. If I leave it running for a few minutes it blacks out the screen.
edward
Apr 30, 2011 @ 17:11:22
download curr process,,,it is a third party software more advance than task manager,,if u want i’ll send you that application ms.hazel…im from dasma cavite,computer tech..willing to help you out..
Hazel
May 01, 2011 @ 12:45:22
another victim here. i think i have disabled the virus but have lost icons on desktop, taskbar, program folder is empty etc. i can run tools/view/unhide etc but makes no difference, cannot get them back and cannot find explorer.exe, aLSO PULLS UP RANDOM WEB SITES ON A SEARCH.
i have several VALID SYSTEM restore points, but when i try to use, it just starts and stops again. i run xp pro, s-essentials, firewall, avg, how did it get past these? i have not downloaded anything in weeks. only thing i can think is i have been looking at tornado coverage and may have responded to a flash request to look at some footage. doing this on another pc btw.
nikki m
May 01, 2011 @ 14:55:24
I think I beat it. I used safe mode to stop the process in task manager then downloaded malwarebytes anti-malware. used that to delete the files, then downloaded and ran unhide.exe and got all of my files to show again. thanks to sites like this i saved myself probably $100. This happened to me last year and I had the geek squad fix – wish I would’ve known that I could have done it myself, without much skill in the pc fixing dept.
Hazel
May 01, 2011 @ 18:15:22
seem to have removed it but not only lost desktop icons etc also lost internet access. any suggestions how I can get internet back to download unhide?
Cedric
May 01, 2011 @ 19:08:06
Hi all,
I got infected on vista last thursday evening 28/04.
Everything on my desktop and start menu have disappeared, the computer is extremely slow and constantly working
I can access internet with firefox but most google researches are redirected towards weird websites.
The virus is sometimes playing music when WIFI is on.
I have run malwarebytes AntiMalware which found and deleted 9 infected elements – mainly trojans.
David
May 02, 2011 @ 03:27:55
Hi – I got whacked on Sunday morning (5/1). Lucky I found this site. My computer normally is networked at work and I got hit while using it at home, so I couldn’t boot up in safe mode (administrator restrictions). I was able to download Malwarebytes and Unhide onto a flash drive – using another computer – and used the flash drive to launch them onto the computer that was infected. That is the only way I could clean it. Thanks!!
It took a good long chunk of an otherwise very nice day, but I finally cleaned my machine. I still found that some registry entries on the Windows Recovery list hadn’t been deleted, so I did that before restarting my machine.
Most files showed up again, but my startup menu didn’t return as before and my desktop formatting all went out the window (no pun intended), but all the core files are intact. What a massive pain, but thanks for the clear and helpful advice.
Joe
May 03, 2011 @ 09:37:55
Hi All
I have the same problem as you all however,…… mine is more like Hazel’s… the task manager will not work and says it has been disabled by the administrator? I can start the laptop in safe mode but when i click on control panel or my computer it just freezes
Any suggestions on what i can do to sort this out, it appears to have wiped everything, i have lost friends and family in previous times and have all my pictures etc on here so this really is important to me
Thank you
Joe (Please post reply with my name at the front so i can see who is replying to me)
Michael
May 03, 2011 @ 12:45:45
Got hit with Windows Recovery virus as well. Luckily I was able to remove it and recover most of my hidden files with unhide.exe. However, when I hit “start”, then look at my “programs” menu, all the programs list as being ‘empty’. Whether it is itunes or Microsoft Office. everything is listed as ‘empty’. These programs are still on the computer as I can open a document and ‘Word’ then opens, or itunes starts when I connect my phone. It seems the link from the “programs” menu to the exe. file is missing. I’m guessing it is due to registry issues? Any thoughts on how to reestablish those links?
Samael
May 03, 2011 @ 17:17:54
This site is brilliant. I just used Tools/Folder Options/View in My Computer to unhide the files… it means I can finally do some late school work.
Nopchai
May 05, 2011 @ 01:20:23
My computer infected with this virus. It disabled task manager. I couldn’t stop its processes. I tried to reinstall windows w/o format the hard drive. I shut the computer down. The last thing to do is clear all memory; disconnected all power sources ie, battery, unplugged. Then format the hard drive…Yes, the only choice you guy can do.
Ruth
May 06, 2011 @ 00:31:39
I can’t open Task manager even in safe mode. What can I do?
Mr.Manc
May 06, 2011 @ 11:59:44
It’s just taken me 2 days to put a dent in this horrible little thing. Have managed to partially fix the PC after running AVG, Microsoft Security Essentials and Malwarebytes several times each (Sec. Ess never picked anything up, it was MWBytes 3rd run that finally picked it up and did the job), but now suffering same issues as everyone else.
Have un-hidden my folders but cannot right-click on the desktop or drag apps to it or create shortcuts to it. Also can’t change the desktop background from the blue screen. Not a big deal, i know, but it would suggest that something is still wrong…
…Malwarebytes has just finished ANOTHER scan and found the cause (i assume): “PUM.Hijack.DisplayProperties – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper”
Rick
May 06, 2011 @ 23:00:50
The first step did not work. When I press ctrl/alt/del i did not get the task manager (windows 7). Unable to get past the virus. ready to use a hammer!
Rick
May 06, 2011 @ 23:05:57
From the Start menu I typed “task” and tried to start the task manager as well and I got a message saying the task manager had been disabled by the administrator. Now what?
Nicole Sharpe
May 07, 2011 @ 07:15:24
Please do these changes in Safe Mode.
Ruth: Go into Safe mode. Bring up CMD prompt. Type in MSCONFIG and you should be able to get into the Task Manager AND the registry files.
Safe Mode.
I had to use an external drive to get the stuff on my infected computer, but I still can’t launch Outlook,and my History for the internet is not visible and I am missing sqmapi.dll so I can’t download the SP1 for Windows 7.
Give me 10 minutes with the butthole that did this…..
John
May 08, 2011 @ 19:35:13
It was very helpful
Ruth
May 08, 2011 @ 23:25:28
I opened in safe mode and did exactly as you said above but still could not get into task manager. Do you know another way around this virus? Thank you SO much for your help!
Ray
May 10, 2011 @ 12:30:38
Michael said:
Got hit with Windows Recovery virus as well. Luckily I was able to remove it and recover most of my hidden files with unhide.exe. However, when I hit “start”, then look at my “programs” menu, all the programs list as being ‘empty’. Whether it is itunes or Microsoft Office. everything is listed as ‘empty’. These programs are still on the computer as I can open a document and ‘Word’ then opens, or itunes starts when I connect my phone. It seems the link from the “programs” menu to the exe. file is missing. I’m guessing it is due to registry issues? Any thoughts on how to reestablish those links?
Same thing here, Unhide worked for “some” stuff. but not all, and not with my start menu. Michael, did you ever get it figured out?
Jason Spiro
May 10, 2011 @ 22:53:36
Hi Ray,
Right-click the Start button.
Click “Properties”.
Enable “Store and display a list of recently opened programs” and “Store and display a list of recently opened documents”.
This worked for me.
All the best,
–Jason Spiro
IT consultant
Toronto, Canada
Sara
May 11, 2011 @ 01:33:23
We got hit with this 2 days ago. We got past the windows recovery screen and did the malware thing, it detected 9 trojan viruses, we can get on the internet but everything else is gone. The desktop icons are gone and won’t let us put anything on there and when we go to the start options everything is empty. how do we get everything back on the start menu and get our icons to be on the desktop. help please?
amy
May 11, 2011 @ 12:21:56
i didn’t lose anything but have to do a search for anything i need i have nothing in start-up menu or on my desktop but every file i search for i find however i cannot do a system restore to fix the problem anybody know what i can do because i can find my restore disk that came with my pc thanks
David
May 11, 2011 @ 20:40:25
My wife got this virus/trojan, on her laptop. To all those who have defeated the virus, but who are missing start menu items and desktop icons, I found a great solution which amazingly restored everything. There is a free anti malware program named Combofix. This will clean all remaining traces of the malware and restore your icons and links. You need patience because it took 40 minutes on my wife’s laptop, but it was a relief to see the desktop icons reappear after 20 minutes.
George G
May 11, 2011 @ 22:37:35
Hi Used Malwarebytes and Unhide…which restored all My Documents..but as with Ray, Left Hand side of Start Menu is empty and all programs show as empty…does anyone have a solution how to restore these Programs…I have copied all of My Documents to an external Hard Drive..should they now be ok to view….& thanks to all for their postings..together we’ll win!
ctoguy
May 12, 2011 @ 05:39:03
You can get to System Restore with this $%^#$ thing.
Do your start menu. In Run, type msconfig
But unlike previous suggestions, dont go to the startup program list.
Select the General Tab. There is a system restore button on there,
and it is ACTIVE . I’m restoring mine by a few days presently.
For reference, I am running a Windows XP system.
How is this thing spreading? Email ? Click on link of a website?
What triggers the Installation of it?
The last thing i had done is do the Windows Automatic Update “Manual” review and run. You don’t think someone has hacked the Windows Update Service ? When I rebooted after the Windows update, all chaos
broke loose ( same symptoms as everyone else is seeing ). I truly thought my hard drive was having an issue for the first 15 minutes or so – but when I saw Task Manager disabled – the light bulb went on.
The System Restore just finished, and all my programs are listed again, desktop icons, files, … I suggest taking this route.
Can you imagine if some %$^&$ $$%&*# hijacked Windows Update and System Restore on a system? Danger Will Robinson !
George G
May 12, 2011 @ 08:47:51
A very “BIG” thank you to ctoguy for your posting…I am also on XP, have just done as you suggested and like yourself I am back up and running…did you also use a program to erase the virus… I used Malwarebytes and hope it has completely wiped it out…the virus attacked on Wednesday AM and I have NO idea what set it off…once again, many thanks
Maverick87
May 12, 2011 @ 13:07:41
This just hit our machine yesterday – we have the free K-9 protection and this is the first time it failed to snag this @#$%^&*! thing.
I was only on ESPN and Grooveshark. I’m likely to suspect the latter had some bad link that wasn’t caught. Can’t even check history as I can’t get to any browser without the @#$%^&*! throwing up a fake block page.
We have Malware Bytes available at work, so hopefully that will work.
People that write this stuff should be dragged through the streets behind a car. Then hanged.
Ray
May 12, 2011 @ 17:02:25
I thought I’d share how I got this one cleared up finally!
1. Boot into Safe mode
2. on another PC, download the iexplorer.exe, malwarebytes, and unhide to a flash drive. (All on the malwarebytes site)
3. Run iexplorer.exe (this closed the virus)
3. Install and updated and ran Malwarebytes
4. Restart and then run unhide.exe
– This unhid SOME but not all folders on my PC
5. Finally do system restore to a date prior to getting hit with the virus, and that cleared up the rest of my folder issues.
Hope this helps someone out there!
Bev
May 16, 2011 @ 22:18:43
#43 ctoguy – YOU ARE A GENIUS!!
Running Windows XP
1) I did download Malwarebytes 1st and ran twice, and found viruses both times.
2) I did the unhide, regedit, msconfig, all through start, run, etc… but don’t think I would have had to if I would have found ctoguy’s advice.
3) My system is back just like it was after following the steps on how to do a system restore on Windows XP
THANK YOU!!
Bev
May 16, 2011 @ 23:31:54
One more note – while my computer is running fine, I’ve had iexplore open up on its own 3 times and starts running a commercial in the background. Have to go into taskmanager and terminate. So – guess it’s not completely fixed. Will have to do some searching to see what’s going on. Meanwhile, running two separate virus checker programs again. So far – nothing.
Jeff
May 17, 2011 @ 00:00:32
I found a website to help with restoring the start menu / programs shortcuts community.mcafee.com/message/188808
It states” It occurred to me that if it was a scam to get you to buy software – it would potentially work – so all the “lost” data must be on the disc somewhere – probably in renamed files.
So I did a full windows search of the c drive – including non-indexed, hidden and systems files for all the files created on the day that it happened and found the lost start menu files in:-
c:\users\username\appdata\local\temp\smtmp the latter being a folder containing all the files and shortcuts – I then just copied these back to their proper locations ie the start menu items belong in c:\programdata\microsoft\windows\startmenu\progams and then copied/dragged the other shortcuts back to the desktop or taskbar….
Maybe this will help other people though obviously the name smtmp might be a randomly produced one the methodology should still work.”
I searched for smtmp and found all of the links and was able to restore them.
Gelly56
May 17, 2011 @ 22:01:43
Thanks CTOGuy. Had the nasty virus and spent way too long on getting this thing removed before I came to your posting. Your solution worked like a charm. Thanks again…
Yeti
May 19, 2011 @ 03:07:12
I was hit by this thing. I’m not able to use my mouse or other key. What can I do to follow all the steps mentioned above? Thank you.
Yeti
May 19, 2011 @ 03:15:04
I was hit by that thing, my mouse does not work so I’m unable to move around the screen. The right and left keys do not allow me to go to start, so What can I do to follow the above mentioned steps? Thank you.
Bob F
May 20, 2011 @ 17:32:29
Same problems as all above, fake scan, disabled task manager, missing
desktop (right clicking for desktop properties was also disabled) and start menu shortcuts. Also, to really make things tough, the virus also disabled the USB ports.
Starting in safe mode was able to run spybot and malwarebytes via the run > command prompt. Ran both programs several times, it does take more than one pass with a reboot between each.
That tamed the worst of it. Then unhid and got most of the desktop back.
Now just recreating the shortcuts in start programs manually. Some of the .exe files are taking awhile to find.
What gets me is this got past AVG and Spybot both fully updated with live scanning on. If ever there was a wake up call for backing up, this was it.
Bob F
May 20, 2011 @ 17:40:26
Other – start > programs > accessories > system tools – is now empty.
Anyone have an idea how to re-establish this link?
Mark
May 20, 2011 @ 21:41:43
Do your start menu. In Run, type msconfig
But unlike previous suggestions, dont go to the startup program list.
Select the General Tab. There is a system restore button on there,
and it is ACTIVE .
I did the above as per ctoguy, worked like a charm, all empty folders were restored and desktop came back as it was. You need to do this even if you purge your system of the virus. This is a nasty one, i have not come across a virus that hides folders and icons, even in safe mode.
Bob F
May 20, 2011 @ 23:36:11
Mark – what if you never created a date to restore from?
Tym
May 21, 2011 @ 04:57:52
I am still having problems with this, but I think Ctoguy may be onto something. I went to run system restore in windows vista, but I did not have the button in the general tab. I got it to start up from the last tab, and when my restore points came up, I only had 2 options, both being windows updates. I just connected to the internet yesterday so this is the first time they ran, and that is when the chaos came onto my computer. I really think this has to do with the windows update service.
michelle
May 22, 2011 @ 02:33:34
Can’t restart pc in safe mode. Can’t pull up msconfig with cmd prompt. Any solutions?
Tatjana
May 22, 2011 @ 20:18:37
Hi all,
I use Vista and had exactly the same problem with Windows Vista Recovery. Tried everything. Installed Malwarebytes, Spybot, nothing helped. Tried restoring, but didn’t work in normal mode.
Finally:
1. I booted the computer in Safe Mode
2. Restored the computer to the day before
3. Booted up in normal mode
4. The Desktop and the start programmes came back, but all my pictures, music and document files were still gone
5. Downloaded Unhide.exe and solved the problem.
Now everything is back.
Hope that will be of use to someone.
Noel
May 23, 2011 @ 12:07:03
I was affected by this same tragic virus.. Went to a comp shop and was told it will take a day or two to fix. Want to smash my notebook. Luckily, browsed your site and did the MANUAL procedures, followed Dave #12 advice. Now I’m back to normal just now and I’m still running antivirus. Very helpful site indeed. Thanks to all.
Brandon
May 25, 2011 @ 06:02:29
Here is the fix for: Missing desktop icons, start menu, and etc.
1st – Get rid of mal-ware virus itself.
2nd – Google unhide.exe
or download here: download.bleepingcomputer.com/grinler/unhide.exe
(Worked for me, running xp)
Then Restart. You will be able to save all files, but you will either have to reinstall the programs or go to your folders and they will be located here: C:\Program Files and you will have to start them up that way. (If you don’t know how to do that just reinstall your programs.)
3rd – You will still have a virus running on your processes named iexplore.exe. It’s very hard to get rid of. The following video will tell you what you need to get rid of this: youtube.com/watch?v=TZ3mGMmu5sY
After that you should be ready to go, and you should be running at 100%!
Any Questions? Ill be off and on for a few days.
-Thanks Brandon.
ben
May 26, 2011 @ 01:52:40
DO NOT TRY TO USE SAFE MODE.
Supposedly safe mode has been working for some of you. Maybe I’ve got an evolved version of the virus. As soon as I turned off my computer to restart in safe mode, I got a black screen of death. White underscore, all buttons make a beeping sound. F8 and F12 do not do anything at startup. Safe mode: out of the question.
DO NOT under any circumstances turn off your computer. Gmail important documents to yourself. Now I have to shell out money to an expert to see if he can get past the screen of death. I should have run malwarebytes or something instead of turning off my computer.
DON’T TURN OFF YOUR COMPUTER.
sriley
May 26, 2011 @ 04:59:36
Thanks to ctoguy!!!! I did as he suggested and am back with a computer that looked like it did before this %^&&%$##@ thing got a hold on my laptop.
judy
May 26, 2011 @ 16:58:05
hi fellow victims, thanks to all especially ctoguy. my laptop was restored to factory set with motherboard replacement in early May. i spent the day, May 24, using windows update and shizamm! got the virus and hard drive damage as a bonus. so glad i bought the extended warranty. company is taking it back for repairs/replacement. the external hard drive backup is a blessing. thanks everybody. misery loves company.
Heather
May 26, 2011 @ 19:58:39
What can I do if I can’t even do a system restore? I can get to it but I have no previous days to restore to?
matt
May 28, 2011 @ 07:01:40
Hi everyone got this virus today and after much frustration have got my computer back 100%
I have windows 7 and lost all files/folders including everything in the start menu
step1: find the program rkill- it ends the attack
step2: download malwarebytes and run after rkill
step3: use the unhide.exe program.. unfortunately this only seems to unhide some folders and files such as on the desktop
step4: as i read in an earlier post someone mentioned combofix.. download this and run it will restore all of your startmenu items!
hope this helps
Lark
May 29, 2011 @ 09:55:44
HELP! I just removed this virus but have not been able to restore my desktop and also can not put my computer into safemode or repair mode. I just want to restore my computer to factory settings again. I am currently running Windows 7 and have tried everything on this board to fix this. I ran unhide.exe as well as going to start menu,control panel etc and unchecked what was suggested. So whats next? Why wont my computer let me go into safe mode or repair mode? It will not let me get to the right area to restore factory settings. I already tried restoring from a previous date but I had no chosen date so that did me no good. I also tried creating a date and that did not work. Any suggestions?
Lauren
May 29, 2011 @ 19:02:12
If your Start Menu is Empty, try the advice left from the McAfee forum by Jeff. I searched for “smtmp” in all files (include hidden files) and it came right up. I copied the data of each folder into the Start Menu folder (find it by right clicking on a folder in the start menu > Explore). Worked perfect. Thanks for posting this, as it was the last bit of the computer that was messed up by the virus! I was also able to find ways to fix my task manager, etc., by searching for individual problems in google. Hope that helped!
scorpryter
May 30, 2011 @ 04:19:43
Got nailed by Windows 7 Recovery
Was able to beat….I think
View Hidden files in Control Panel
Ran RKill
Was able to download and run Malwarebytes
Ran unhide.exe
Finally saw a suggestion above to run ComboFix….it restored the menus, the associations and the desktop icons.
Thanks all for the input….Malwarebytes is always great….
Special kudos to Combofix for picking up the pieces….I’d recommend running it first just to see if it’s the magic bullet.
Richard
May 30, 2011 @ 15:48:40
Okay, so I virus scanned and got rid of the virus, went through and eliminated the files and registry entries. I did the unhide to get the files showing again but now I still can’t get the desktop back. Also, System Restore isn’t working (have plenty of restore points, but won’t run!) Not even in safe mode. What now???
jim
May 30, 2011 @ 22:59:52
Jason Spiro said:
Hi Ray,
Right-click the Start button.
Click “Properties”.
Enable “Store and display a list of recently opened programs” and “Store and display a list of recently opened documents”.
This worked for me.
All the best,
–Jason Spiro
IT consultant
Toronto, Canada
——————-
nothing gay but i want to give you the hugest hug ever..man i been working for hours trying to find a site to help me get my start menu back. lo and behold this worked great..you are a king.
Rich S
May 31, 2011 @ 15:26:17
With all of your help I got rid of the virus. One last thing. My Favorites in IE are still hidden and I cannot seem to unlock them. How can I unhide favorites? I am not a tech guy and the help on this site has allowed even me to get this operating again. Many thanks.
Joe
May 31, 2011 @ 22:19:26
These instructions are flawed. First, Windows Recovery Rogue Malware disables task manager (see registry entries in the instructions where disable task mgr is listed) yet, one of the instructions is to press Ctrl + Alt + Del to execute task manager. If the disable taskmgr registry key is present no amount of pressing keys will allow you to access it. You must first use regedit to delete the key. It is best if you remove this malware via safe mode with networking then Google unhide.exe as described above.
Dave
May 31, 2011 @ 23:14:28
Malwarebytes and superantispyware fixed this but the user files were hidden. This was actually on Windows 7. Using the Windows Explorer I was able to find Folder Options and set it to show hidden files. After that the missing user files showed up.
Dave
May 31, 2011 @ 23:15:34
BTW you have to go into Safe Mode to run Malwarebytes. Once you run that you don’t have to be in safe mode for the rest.
Nater
Jun 02, 2011 @ 18:06:05
With above advice I was able to get my computer back to normal with the exception of Internet explorer. Any searches I do still link me to bogus sites. Any ideas and thanks in advance for any help.
iflyrjs
Jun 03, 2011 @ 13:53:55
This site is awesome
CTOGUY was very helpful thanks!
Had the same issues as everyone else and
ran malwarebytes first did a restore then ran unhide.exe but run it from bleeping computers website there’s a link in some of the posts near the bottom
I went to some other site that I found a link to unhide.exe and they wanted me to purchase it after the scan the one from bleeping computers website after you save it to your desktop click on it twice
a dos window opens and it says to be patient took about 5 mins.
I did it the other way the first time by just clicking on RUN and it wouldn’t work.
everything is back as it was before
Amy
Jun 04, 2011 @ 18:23:28
I hope someone can help. This must be really embedded in my computer somewhere. I’ve followed most of the advice here but still have problems. The main one is it won’t let me run a restore! Not from anywhere…says there is a file stopping it from running. It wasn’t a needed file as it was from an old, outdated program so I just deleted it. Tried to run restore again but, no go. I still got the same message even though the file had been deleted. My AVG files are still missing and can’t be found. I’ll try the advice listed above regarding the Start Menu…haven’t had a chance yet but have been working on this now for almost two weeks. I’m afraid of using that computer for anything but it’s the only desktop in the house so I really need it clear. I think we’ve gotten rid of the virus itself but just can’t get the silly thing up and running again! Any suggestions regarding the AVG? I’ve thought of just re-installing it but I want to make sure the computer is completely functional before loading anything else onto it! I hope someone has a suggestion on that restore! Tried it in safe mode…regular mode…nothing works!!! VERY frustrated! Thanks for all the help so far!
Amy
Matrox-NLE
Jun 04, 2011 @ 18:32:29
Question: do you delete the registry entries listed above, or do you confirm those are the settings and leave them be?
I’ve run MalwareBytes, RKill, Spybot, and I unhid my files within Windows, but I know this frakker is still there. Any suggestions?
Matrox-NLE
Jun 04, 2011 @ 18:33:36
Also, I sued StopZilla, which found a bunch of things, but then required I purchase the full version to get rid of it all. Is that just another scam, or should I do it?
Matrox-NLE
Jun 04, 2011 @ 18:34:10
meant to say used, not sued. :)
Bryan
Jun 04, 2011 @ 21:37:15
Got hit with the virus…did the following:
1. Malware bytes in safemode to remove the files
2. Combo fix to get the icons back
3. unhide.exe to restore any remaining
This combo seems to have gotten me close.
- B
Shel
Jun 05, 2011 @ 04:01:13
My computer has webroot antivirus and I was running a scan as I cleaned out the files manually. I noticed that for these three files in particular, webroot warned me that they were trying to access the system as I deleted them. It’s likely that this is how the rogue virus keeps recurring in some systems. Just an fyi.
%AllUsersProfile%\Application Data\~[random]
%AllUsersProfile%\Application Data\~[random]r
%AllUsersProfile%\Application Data\[random]
Arlene
Jun 05, 2011 @ 06:45:13
Hi.
Got hit with the virus when I was applying for jobs online today =(
Have no freakin idea how the virus got there….
But anywho. I ran Malware like three times and it doesn’t detect anything. And I know the virus is still there, cause my computer is slow as hell. Currently running malware one more time and then I’m going to do system restore….
Murray
Jun 05, 2011 @ 14:15:58
Got hit with this last night. Avira recognized the virus and when I clicked remove, all went black. Ran Avira from safe mode and found no virus. Ran online scan from Trend Micro. No virus found. Called Dell only to find out that my warranty covers hardware only. They did everything (exactly) as described here but for $250! If I would have found this site earlier, I might have been able to fix it myself.
BTW-They sold me a one year software warranty (incl with the $250).
They also pushed hard for me to buy McAfee (that they would install for an additional cost) and to buy Registry Mechanic ($99 for 3 yrs).
A very costly experience!
Haki
Jun 08, 2011 @ 03:04:51
Dave said:
Your files are still there. just click on ” My Computer”
Then go to “tools”, “folder options” then “view”
Scroll down and uncheck “Dont show hidden files folders or drives”
click “OK” and close My Computer. you should be able to see your files.
Dave you’re the man! Thank you, I hope this works for me at work cause i lost everything there too! Tried to restore to earlier point and i think I may have deleted some stuff. But thanks again.
SAM
Jun 08, 2011 @ 07:38:20
i am following the steps for the registry editor but what do i do on the 5th and 6th step? and is this what the .exe could be Fjava REG_SZ rundll32.exe “C:\Users\Sam\AppData\Local\oxomoheyev.dll”,Startup
it looks unusual. so yeah any advice? just that the 5th and 6th steps dont say anything to do, the others you modify the binary number.
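The autostart value SAM quotes and the Task Manager policy Joe describes can both be picked out of saved `reg query` output. This is an added example, not part of any comment or of the removal instructions; the sample output is constructed apart from SAM's Fjava line, and the function names, the list of user-writable directories and the reason strings are assumptions.

```python
import re

# Constructed sample in the layout `reg query <key>` prints. Only the Fjava
# line comes from the comment above; every other value is made up.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Fjava    REG_SZ    rundll32.exe "C:\Users\Sam\AppData\Local\oxomoheyev.dll",Startup
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
    Sidebar    REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
'''

VALUE_RE = re.compile(r'^\s+(.+?)\s{2,}(REG_\w+)\s*(.*)$')
# Assumption: directories a standard user can write to, where legitimate
# autostart programs are rarely installed.
USER_WRITABLE = re.compile(r'\\(appdata|application data|programdata|temp)\\', re.I)
# Policy values worth flagging: (key suffix, value name) -> suspicious DWORD.
POLICIES = {('\\policies\\system', 'disabletaskmgr'): 1}


def parse(text):
    """Yield (key, name, type, data) tuples from `reg query` style output."""
    key = None
    for line in text.splitlines():
        if line.startswith('HKEY_'):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2), m.group(3).strip()


def triage(text):
    """Return (value name, reason) pairs that deserve a manual look."""
    findings = []
    for key, name, typ, data in parse(text):
        k = key.lower()
        if k.endswith(('\\run', '\\runonce')) and USER_WRITABLE.search(data):
            if data.lower().lstrip('"').startswith('rundll32'):
                findings.append((name, 'rundll32 loading a DLL from a user-writable path'))
            else:
                findings.append((name, 'autostart from a user-writable path'))
        elif typ == 'REG_DWORD' and POLICIES.get(
                (k[k.rfind('\\policies\\'):], name.lower())) == int(data, 16):
            findings.append((name, 'policy that blocks a recovery tool is set'))
    return findings


if __name__ == '__main__':
    for name, reason in triage(SAMPLE):
        print(f'{name}: {reason}')
```

A flagged Run value is only a lead: check the file it points to with an up-to-date scanner before deleting the value or the file.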
SAM
Jun 08, 2011 @ 07:43:16
on this step for the regedit HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1’
for me there is no active desktop folder thing in policies, only explorer and that has nothing in it. any ideas?
Iain
Jun 10, 2011 @ 04:13:32
Hi I had the virus… Used unhide with malwarebytes and combo fix thought it was gone then today it came up again… Where is it hiding?
Dave T
Jun 16, 2011 @ 00:03:29
My mom brought me her laptop (vista os) and it had this virus and at first had me as well thinking her hard drive took a dump cause she always sits it on her lap with a blanket so i wasn’t too surprised it possibly fried as the warnings were saying.
After checking a bit further I noticed i could still work around through windows and thought it funny that the only files missing were anything under that current account… then when i saw the window insert your wind disc or purchase one here i knew it was a virus..
long story short:
1 booted into safe mode without networking
2 did a chkdsk to scan for errors and didn’t find any
3 while in safemode still, installed spybot search and destroy, then manually installed updates as well.Found windows recovery virus. quarantined.
4 rebooted back into windows…still having pop-ups.
5 found this web page and started reading (on my computer not her laptop)
6 downloaded SuperAntiSpyware Portable Scanner, and Malwarebytes Anti-Malware. Burnt to disc to bring over to laptop
7 booted infected laptop back into safemode.
8 immediately went to msconfig and deleted a bunch of startup crap including the suggested “random characters.exe”
9 Brought over from disc the SuperAntiSpyware Portable Scanner, and Malwarebytes Anti-Malware. Installed and ran. Found much more infections
10 rebooted into windows… all but one pop-up remained and was some sort of ati catalyst video card recovery pop-up warning. ALSO noted that desktop, start menu, favorites, documents, everything from current user was gone/missing including the recycle bin. But windows was working, no hard drive issues or ram issues that the virus claimed as being real.
11 Went to folder options and unchecked do not show hidden files. Some files came back but not all. The ones that did come back were half transparent showing they were still hidden when they shouldn’t be.
12 right clicked on start menu to change attributes of those files so they now showed as normal folders and not hidden.
13 Still many items missing. As suggested i looked in the c:\users\username\appdata\local\temp\smtmp and sure enough there were 3 folders containing program files and shortcuts that i just pasted back where they should be. But was still missing some items.
14 Read more on this website here and decided to try combofix after a few in here said they had luck with it. Burnt to a disc and brought to infected pc in safemode to install.
15 i did boot back into windows when i ran combofix. A FEW WORDS OF CAUTION IF YOU WISH TO TRY COMBOFIX. I would suggest to run it after you are certain you have cleaned the pc of the virus first as the first thing combofix does is create a restore point. would be a shame if you encounter another problem later and use a restore point only to bring it back to the recovery virus if you didn’t get it cleaned first before running combofix.
16 combo fix didn’t bring back any more icons or shortcuts but did eliminate that last ati pop-up…
17 went to control panel, personalization,change desktop icons, selected recycle bin, apply, ok. recycle bin now back on desktop.
18 laptop is working as it should but obviously missing some data especially photos…doing a search of the hard drive for .jpg files only turned up the sample images for desktop background images and one folder she had on the desktop that only got saved cause the virus itself moved it to that temp folder.. everything else on the entire hard drive was gone photo wise… and who knows what else..
SOooooo thanks to this site and many other people I was able to save her from purchasing a new hard drive or memory since it said it had all fried and got to over 81C lol..saying she lost 40% of her hard drive, on and on.. Companies that inflict this kind of havoc to people should be dealt with harshly.
Toni
Jun 18, 2011 @ 00:51:18
Thank you Jason Spiro. That was the last step in restoring my system back to normal!
Dave T
Jun 18, 2011 @ 17:13:17
Update:
in my previous post, step #10 i meant to say all pop-ups WERE GONE but 1…
This virus is spreading like wildfire, my eye doctors office said all their computers are infected as well, and just this morning i had another friend call me with the same infection. The first thing i find hard to believe is if a system administrator or IT person has a network of pc’s to maintain and do updates on… why on earth would they send an update out (with this potential virus) to the network without testing it on a separate machine “off the main grid” ???????
I never install windows updates (if that’s in fact how its spreading) right away… i wait forever before updating cause its not uncommon for microshaft to release an update then remove it a few days later after everyone realizes there are problems with it.
Julie
Jun 20, 2011 @ 18:06:08
Excellent! Very helpful! Managed to recover my files and get rid of the virus. THANK YOU!
Sheila
Jul 15, 2011 @ 18:08:12
Thank you so much for explaining how to undo my recent viral (worm?) problem using “unhide”. It seemed to restore all those word files I thought were missing.
Question: I have Windows 7 and do spybot anti-spyware & MS Security antivirus updates and scans almost every day. I don’t understand how I could have gotten the horrible virus, worm or whatever it was. I recently joined Facebook. Could it have been transmitted that way? In any case, thanks again for the antidote.
Janelle
Sep 29, 2011 @ 17:28:03
I believe my virus came from an attempt to download a free plug in for photo shop…thanks to smart phones I was able to research how to fix the problem…utilizing this and my own quick thinking I hope to have fixed the issues….here are the steps I took…please tell me what else I can do to ensure no further issues arise with this virus.
I utilized my COMODO time machine and re booted from a snapshot taken 2 hours prior to the download….this got me up and running again.
I then ran my Avira free antivirus which detected and quarantined wheeloffortune.exe…
Simultaneously I downloaded and ran the malware bytes software recommended which found and deleted two os problems…at this point I was exhausted and I shut down my computer…
Only thing I noticed being a continued issue is my internet explorer kept shutting down and windows said there was something suspicious detected…
With these two scans completed, have i 100% resolved the issue or is there something else I should do?
I did a search for some of the malicious names listed and haven’t found anything further….
Thank you.
newbie
Nov 08, 2011 @ 07:03:08
sorry to ask but i don’t know where can i post my problem to any forum that might help me though, just considering if my problem can be solved here… why does my ms office or any other applications can’t be launched after i use Kaspersky removal tool? it says it can’t be launched because out of memory? my Kaspersky antivirus did not work anymore, i can’t see the main window of Kaspersky.. anyone help?? thanks a lot….
Maldrid
Nov 08, 2011 @ 12:24:26
There is a possibility that the virus has infected your .exe files (word.exe, excel.exe etc…). Did Kaspersky remove any viruses from your PC?
Ari Anggara
Nov 14, 2011 @ 07:24:56
System (C:)
$Recycle.Bin (key + hidden)
[Smad-Cage] (hidden)
Config.Msi (hidden)
Document and Settings (key + hidden)
Recovery (hidden)
system Volume Information (hidden)
hiberfil.sys (1 Gb)
pagefile.sys (2 Gb)
Desktop.INI (hidden)
System (D:)
$RECYCLE.BIN (hidden)
system Volume Information (hidden)
MediaID.bin (vlc)
@@@CDRW.TMP (hidden)
Thumbs.db (hidden)
Mike
Dec 02, 2011 @ 15:06:02
Thanks to Jeff for pointing out that c:\users\username\appdata\local\temp\smtmp
c:\users\username\appdata\local\temp\smtmp\1
c:\users\username\appdata\local\temp\smtmp\2
c:\users\username\appdata\local\temp\smtmp\4
contain the missing shortcuts.