Windows Recovery

Windows Recovery is not a real security program. It is a misleading piece of software that you need to eliminate. Follow the Windows Recovery removal steps to delete this virus.

Windows Recovery is a harmful hard drive optimization program that initiates a scan without the user's intervention. When this happens, it means that the Windows Recovery virus is already inside the computer and has modified system settings so that it runs on its own. The malware comes from the same group that developed Windows Safemode and System Diagnostic, so this variant is expected to be as risky as the older ones. Aside from disabling your anti-virus software, the Windows Recovery virus also prevents installed programs from running, so the computer is unusable during the infection. The malicious program repeatedly prompts you to purchase a Windows Recovery registration key to make the PC stable again.

Instead of spending money on this useless software, it is best to scan the computer with a real anti-malware program. If none is installed, download a copy from a known web site. You may also find on this page an effective Windows Recovery removal tool, which is available for free. Downloading, installing and updating it, then thoroughly scanning the computer, can help remove the Windows Recovery virus completely.

Most importantly, you must be able to tell fake security programs from legitimate ones. Fake programs are those that use deceptive tactics, as described above. Real ones offer a trial period and are useful for a limited time. When the trial period lapses, they prompt users to voluntarily obtain the full version; otherwise they will not work the same as before. Fake software akin to Windows Recovery, by contrast, punishes the user with annoying pop-up alerts and enforces the purchase of the licensed version.

Screenshot Image:

Windows Recovery Virus

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

How to Remove Windows Recovery

Systematic procedures to get rid of the threat are presented in this section. Make sure to scan the computer with the suggested tools and scanners.

Step 2 : Scan the computer with recommended removal tool

1. The first thing you should do is reboot the computer in Safe Mode with Networking to prevent Windows Recovery from loading at start-up.

NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.

Remove all media such as memory cards, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.

Start computer in Safe Mode using Windows 8 and Windows 10
a) Close any running programs on your computer.
b) Get ready to Start Windows. On your keyboard, Press and Hold Shift key and then, click on Restart button.
c) It will prompt you with options, please click on Troubleshoot icon.
d) Under Troubleshoot window, select Advanced Options.
e) On next window, click on Startup Settings icon.
f) Lastly, click on Restart button on subsequent window.
g) When Windows restarts, it presents startup options numbered 1 - 9. Select "Enable Safe Mode with Networking" or number 5.

Startup Options

h) Windows will now boot on Safe Mode with Networking. Proceed with virus scan as the next step.

2. Download the Removal Tool and save it on your Desktop or any location on your PC.

Download Tool

3. When finished downloading, locate and double-click on the file to install the application. Windows' User Account Control will prompt at this point, please click Yes to continue installing the program.

4. Follow the prompts and install with default configuration.

5. Click Finish after successful installation. Program will run automatically and you will be prompted to download software updates. Please download needed update.

6. When finished updating, the tool will run. Click on Scan tab from Top Menu of main screen. Then, choose Threat Scan (Recommended) to check your computer thoroughly.


7. Click on Start Scan to begin. Scanning may take a while. When done, this tool will display lists of identified threats.

MBAM Scan Finish

8. Make sure that all detected threats are checked, then click on Remove Selected. This will delete all files and registry entries that belong to Windows Recovery.

9. Finally, click Finish and restart your computer.

Note: If Windows Recovery prevents mbam-setup.exe from downloading, download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware.

Step 3 : Ensure that no more files of Windows Recovery are left inside the computer

1. Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.

NPE Download

2. After downloading, navigate its location and double-click on the NPE.exe file to launch the program.

3. Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept to proceed.

4. On NPE main window, click on Advanced Options. We will attempt to remove "Windows Recovery" by thoroughly scanning your current operating system.

Advance Scan

5. On next window, select System Scan and click on Scan now to perform standard scan on your computer.

Scan the System

6. NPE will proceed with the scan. It will search for Trojans, viruses, and malware like Windows Recovery. This may take some time, depending on the number of files currently stored on the computer.

7. When the scan is complete, all detected risks are listed. Click on Fix Now to remove Windows Recovery and other known threats. Then, restart Windows if necessary.

Step 4 : Remove the Rootkit Trojan that installs Windows Recovery

Rootkit Remover is a stand-alone utility developed by McAfee. It can be used to detect and remove the rootkit Trojan that is associated with Windows Recovery. This tool can detect rootkits that are part of the ZeroAccess, Necurs, and TDSS families.

1. Download Rootkit Remover and save it to your desktop or any accessible location. Click the button below to begin the download.

click to download

2. Locate the file rootkitremover.exe and double-click to run the program.

3. When User Account Control prompts if you want to allow the program to make changes on the computer, please click Yes.

Rootkit Remover Scan

4. Rootkit Remover instantly scans the computer and looks for the presence of Trojans, viruses, and rootkits related to Windows Recovery.

5. Once it finishes scanning the computer, the tool will require you to restart Windows.

Alternative Removal Procedures for Windows Recovery

Use Windows System Restore to return Windows to previous state

During an infection, Windows Recovery drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to its previous working state through System Restore.

To verify if System Restore is active on your computer, please follow the instructions below to access this feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Go to the Start Menu, then in the 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.


c) Windows will display list of saved restore points. Select the most recent one to restore Windows to previous working and clean state.
d) It may take some time to fully restore back-up files. Restart Windows when done.

Open System Restore on Windows 8 and Windows 10

a) For Windows 8 user, go to Start Search, while on Windows 10, use the Start Menu Search and type rstrui.
b) Click on the located program to open System Restore window.


c) Windows will display list of saved restore points if it is active. Select the most recent one to restore Windows to previous working and clean state.
d) It may take a while to fully restore back-up files. Restart Windows when done.

If previous restore point is saved, you may proceed with Windows System Restore.

Option 2 : Windows Recovery manual uninstall guide

IMPORTANT! Manual removal of Windows Recovery requires technical skills. Deleting system files and registry entries by mistake may leave the Windows system completely unusable. We advise you to perform a backup of the registry before proceeding with this guide.

1. Kill any running process that belongs to Windows Recovery.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for Windows Recovery files (refer to Technical Reference) and click End Process.

End Task

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section.
- Close registry editor. Changes made will be saved automatically.

Run Regedit

3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.
- Thoroughly scan the computer with your updated antivirus software.

4. Delete all files dropped by Windows Recovery.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

Associated Files and Folders:
File Location for Windows Versions:
  • %AllUsersProfile% for Vista/7 users is C:\ProgramData, while for Windows XP/2000 this is C:\Documents and Settings\All Users\
  • %UserProfile% for Vista/7 users is C:\Users\<Current User>, while for Windows XP/2000 this is C:\Documents and Settings\<Current User>.
Added Registry Entries:

Troubleshooting Guides

Did Windows Recovery block your Internet access?

It is usual for a rogue program to prevent the user from downloading removal tools from the Internet. It can deny the infected computer access to the Internet by making changes to the computer's proxy, DNS, and Hosts file. To solve the Internet connection problem, please see our guide on fixing a virus-blocked Internet access. Also, make sure that your Windows Hosts file is free from any malicious entries. View the steps for cleaning the Windows Hosts file.
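The Hosts file and proxy checks described above can be scripted from a PowerShell prompt. This is an added example, not part of the original guide or of any vendor tool: the function names `Get-HostsMapping` and `Get-UserProxySetting` and the sample Hosts content are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Lists every Hosts entry that is not the default localhost
# mapping, so each one can be reviewed, and reports the per-user proxy setting.

function Get-HostsMapping {
    param([string[]]$Line)
    $loopback = '127.0.0.1', '::1', '0.0.0.0'
    $n = 0
    foreach ($raw in $Line) {
        $n++
        # Everything after '#' is a comment in the Hosts file format.
        $text = ($raw -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }      # address with no name: ignore
        $address = $fields[0]
        # One line may map several names to the same address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -eq 'localhost' -and $address -in $loopback) { continue }
            if ($address -in $loopback) {
                $effect = 'Blocked: name resolves to this machine'
            } else {
                $effect = 'Redirected: name resolves to a fixed remote address'
            }
            [pscustomobject]@{
                Line     = $n
                Address  = $address
                HostName = $name
                Effect   = $effect
            }
        }
    }
}

function Get-UserProxySetting {
    # Per-user proxy values used by Internet Explorer and WinINet clients.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if (-not (Test-Path $key)) { return }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

# Constructed sample Hosts content (not taken from an infected machine).
$sample = @'
# Sample hosts file
127.0.0.1       localhost
::1             localhost

127.0.0.1       update.av-vendor.example     # security updates blackholed
203.0.113.10    www.search.example search.example
'@ -split '\r?\n'

'--- Sample file ---'
Get-HostsMapping -Line $sample | Format-Table -AutoSize

# The same check against the live system, when run on Windows.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if ($env:SystemRoot -and (Test-Path -LiteralPath $hostsPath)) {
    '--- This computer ---'
    Get-HostsMapping -Line (Get-Content -LiteralPath $hostsPath) | Format-Table -AutoSize
    Get-UserProxySetting | Format-List
}
```

An entry is not malicious just because it is listed; the output is the set of lines to review, and a proxy that is enabled without you having configured one deserves the same attention.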

Recover missing or hidden files and folders

To prevent manual execution of programs and files, Windows Recovery hides files and folders on the infected computer. Most victims think that the files and folders were deleted, but they were not. The malware simply changed their attributes to hide the data. Follow this guide to show all hidden files and folders if they remain hidden after activating Windows Recovery.

1. Open My Computer or Windows Explorer.
2. On top menu of upper left corner, click on Organize, then choose Folder and Search Options.

Show Folder and Search Options

3. Folder Options dialog box will appear. Select the View tab.
4. Under Advanced Settings, mark 'Show hidden files, folders and drives.'

Show hidden files and folders

5. Click OK to save the settings. You can now view the folders and files, though they are still marked as concealed because Windows Recovery set their attributes to hidden.
6. While still in Windows Explorer, click on the drive (C: or D:). In the right pane, mouse over the folder or file you want to unhide. To select all folders, you may use the keyboard shortcut Ctrl+A. Right-click, then select Properties.

7. On the Attributes area, remove the markings on Hidden. This will change the attributes of affected files and folders. Click Apply.

Hidden Files Attribute

8. If it prompts for confirmation, please select 'Apply changes to the selected items, subfolders and files'. Then, click OK to proceed.

Confirm Attributes
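The attribute change in steps 6 to 8 can also be applied to a whole folder tree from PowerShell. This is an added example, not part of the original guide: the function names `Get-HiddenUserItem` and `Clear-HiddenAttribute` and the demo folder are constructed for illustration, PowerShell 3.0 or later is assumed, and items that are both Hidden and System are deliberately skipped so that files Windows itself hides stay hidden.

```powershell
# Added example. Clears the Hidden attribute on files and folders under a
# root folder, leaving Hidden+System items (for example desktop.ini) alone.

function Get-HiddenUserItem {
    param([Parameter(Mandatory)][string]$Root)
    # -Force makes Get-ChildItem return hidden and system items as well.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            -not $_.Attributes.HasFlag([IO.FileAttributes]::System)
        }
}

function Clear-HiddenAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Root)
    $hiddenBit = [int][IO.FileAttributes]::Hidden
    foreach ($item in @(Get-HiddenUserItem -Root $Root)) {
        # -WhatIf turns this into a dry run that only reports what would change.
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
            # Remove only the Hidden bit; ReadOnly, Archive etc. are preserved.
            $item.Attributes =
                [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenBit))
            $item.FullName          # emit the path that was repaired
        }
    }
}

# --- Constructed demo: a throw-away folder hidden the way the guide describes ---
$demo   = Join-Path ([IO.Path]::GetTempPath()) ('unhide-demo-' + [guid]::NewGuid())
$docs   = Join-Path $demo 'Documents'
$report = Join-Path $docs 'report.txt'
$ini    = Join-Path $demo 'desktop.ini'

New-Item -ItemType Directory -Path $docs -Force | Out-Null
Set-Content -LiteralPath $report -Value 'sample document'
Set-Content -LiteralPath $ini    -Value '[.ShellClassInfo]'

[IO.File]::SetAttributes($report, [IO.FileAttributes]'Hidden')
[IO.File]::SetAttributes($docs,   [IO.FileAttributes]'Directory, Hidden')
[IO.File]::SetAttributes($ini,    [IO.FileAttributes]'Hidden, System')

# Dry run first, then the real change.
Clear-HiddenAttribute -Root $demo -WhatIf
$changed = @(Clear-HiddenAttribute -Root $demo)

"Unhidden: $($changed.Count) item(s)"
$changed

'Left hidden on purpose (Hidden + System):'
Get-ChildItem -LiteralPath $demo -Recurse -Force |
    Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
    ForEach-Object { $_.FullName }

Remove-Item -LiteralPath $demo -Recurse -Force

# On a cleaned machine, review first and then apply, for example:
#   Clear-HiddenAttribute -Root $env:USERPROFILE -WhatIf
#   Clear-HiddenAttribute -Root $env:USERPROFILE
```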

99 Responses

  1. freaknstyle says:

    Very Nice and very helpful.
    This is the best helping site out of which i have researched.
    Really appreciable.
    Keep it up.

  2. Shyam Kumar says:

    Which is best antivirus ?
    Free n Paid both.

  3. Shyam Kumar says:

    “mvneducation” at the rate of “yahoo” dot “in”

  4. SJS says:

    Used stopzilla, didn’t help. When I click on start, all programs still says it’s empty.

  5. Pete says:

    I got hit with this last night but, with the help found here, I was able to clean it up without much trouble. I’m a basic computer user with XP, SP3.

    Now, how do I restore the folders and files that this thing hid ? Start/All Programs now says it’s empty and all of the other files and folders are there, just hidden. It even hides file size, etc. in Install/Remove Programs.

    Any further help would be great but Thanks so much for this info !

  6. Vincent says:

    Got rid of windows recovery with anti mal ware, however missing all pictures and documents if anybody knows how to retrieve them back please let me know ASAP thanks Vince

  7. Finn MacLan says:

    Well, I can see quite a few that have been affected the same time as me. I too ran Stopzilla, and by also following the steps provided, it looks to have eliminated the nasty files.

    I share your pain, my documents look lost and once i have calm down, will try a restore from a portable hard-drive.

    One worry is the windows 7 themes is not working. Has anyone else got this issue? I wondered if the virus wiped the files. Downloading new themes has proven not to work. This makes me think the virus is still active?

  8. Vincent says:

    Virus is still there…. This has been the hardest virus I have dealt with.

  9. TT says:

    This virus was a pain in the @$$. Ran Malware Bytes, AVG, MS Sec. Essentials and Kaspersky and they all picked up remnants of this. I think it by-passed Security Essentials initially by changing Windows Genuine Validation (which turns off MS S.E.) and then it can run.

    It also hid all my files and made them read only. I decided it is best to reinstall the OS and restore files from back-up since it is hard to tell what other changes it has made which are not noticed now but might show up later.

  10. Sebastian says:

    I have removed virus now however all my files have gone. Is there a way to get all my documents, photos and videos back?

  11. Dave says:

    Your files are still there. just click on ” My Computer”
    Then go to “tools”, “folder options” then “view”

    Scroll down and uncheck “Dont show hidden files folders or drives”

    click “OK” and close My Computer. you should be able to see your files.

  12. chemi says:

    same problem here, no documents, windows themes seem to be vanished, any ideas where my documents went?

  13. Brian says:

    There is a tool called unhide.exe that should get all your files back so that you can access them.

  14. nikki m says:

    I’m still working through getting rid of this virus, but have managed to stop the process and download malwarebytes antimalware which is scanning right now. I couldn’t find any of the files to delete them…? But I was able to recover all of my pics and docs by clicking on start, then right click on each folder (pictures, documents, etc) and unchecking the hide box. that was all it took to bring those back. I’m still working on my desktop…

  15. Terry says:

    Very Helpful, “un-hiding” the files gave me confidence that all the data/programs are there and not lost forever.

  16. Jon says:

    Got hit by this last night – took me an hour and a half to get the better of it and still not won. Pesky thing disabled SEssentials which caught me off guard.

    If it helps those still fighting: I’m running XP. First thing I did was disconnect the internet, then boot to safe mode and run Windows Restore to restore the settings to a date about a week and a half previously (believe I went to Start->Run and just typed “Restore” to find the program). That stopped the program running on boot up, allowed Essentials to start and put my start menu back to normal.

    I then ran Essentials to find those Trojans.

    Expect there’s a lot of malware still hanging around the PC though and that it’s only a matter of time ’til it comes back so will be running anti-malware / other virus checkers tonight.

  17. warren says:

    Hi i got this windows recovery virus and it hid all my programs etc.
    i removed the virus with norton but my program and pictures was still hidden so i have made a program that unhides everything and lets you use and see everything its fantastic.
    If you want it email me: tombraiderwh1 @

  18. hazel says:

    It has disabled task manager so I cannot stop it activating on start up. Also Add/Remove Programs option is also disabled. XP system recovery option no longer works. Safe mode will not work fully. If I leave it running for a few minutes it blacks out the screen.

  19. edward says:

    download curr process,,,it is a third party software more advance than task manager,,if u want i’ll send you that application ms.hazel…im from dasma cavite,computer tech..willing to help you out..

  20. Hazel says:

    another victim here. i think i have disabled the virus but have lost icons on desktop, taskbar, program folder is empty etc. i can run tools/view/unhide etc but makes no difference, cannot get them back and cannot find explorer.exe, aLSO PULLS UP RANDOM WEB SITES ON A SEARCH.

    i have several VALID SYSTEM restore points, but when i try to use, it just starts and stops again. i run xp pro, s-essentials, firewall, avg, how did it get past these? i have not downloaded anything in weeks. only thing i can think is i have been looking at tornado coverage and may have responded to a flash request to look at some footage. doing this on another pc btw.

  21. nikki m says:

    I think I beat it. I used safe mode to stop the process in task manager then downloaded malwarebytes anti-malware. used that to delete the files, then downloaded and ran unhide.exe and got all of my files to show again. thanks to sites like this i saved myself probably $100. This happened to me last year and I had the geek squad fix – wish I would’ve known that I could have done it myself, without much skill in the pc fixing dept.

  22. Hazel says:

    seem to have removed it but not only lost desktop icons etc also lost internet access. any suggestions how I can get internet back to download unhide?

  23. Cedric says:

    Hi all,
    I got infected on vista last thursday evening 28/04.
    Everything on my desktop and start menu have disappeared, the computer is extremely slow and constantly working

    I can access internet with firefox but most google researches are redirected towards weird websites.
    The virus is sometimes playing music when WIFI is on.

    I have ran malwarebytes AntiMalware which found and deleted 9 infected elements – mainly trojans.

  24. David says:

    Hi – I got whacked on Sunday morning (5/1). Lucky I found this site. My computer normally is networked at work and I got hit while using it at home, so I couldn’t boot up in safe mode (administrator restrictions). I was able to download Malwarebytes and Unhide onto a flash drive – using another computer – and used the flash drive to launch them onto the computer that was infected. That is the only way I could clean it. Thanks!!

    It took a good long chunk of an otherwise very nice day, but I finally cleaned my machine. I still found that some registry entries on the Windows Recovery list hadn’t been deleted, so I did that before restarting my machine.

    Most files showed up again, but my startup menu didn’t return as before and my desktop formatting all went out the window (no pun intended), but all the core files are intact. What a massive pain, but thanks for the clear and helpful advice.

  25. Joe says:

    Hi All

    I have the same problem as you all however,…… mine is more like Hazels… the task manager will not work and says it has been disabled by the administrator? I can start the laptop in safe mode but when i click on control panel or my computer it just freezes

    Any suggestions on what i can do to sort this out, it appears to have wiped everything, i have lost friends and family in previous times and have all my pictures etc on here so this really is important to me

    Thank you

    Joe (Please post reply with my name at the front so i can see who is replying to me)

  26. Michael says:

    Got hit with Windows Recovery virus as well. Luckily I was able to remove it and recover most of my hidden files with unhide.exe. However, when I hit “start”, then look at my “programs” menu, all the programs list as being ’empty’. Whether it is itunes or Microsoft Office. everything is listed as ’empty’. These programs are still on the computer as I can open a document and ‘Word’ then opens, or itunes starts when I connect my phone. It seems the link from the “programs” menu to the exe. file is missing. I’m guessing it is due to registry issues? Any thoughts on how to reestablish those links?

  27. Samael says:

    This site is brilliant. I just used Tools/Folder Options/View in My Computer to unhide the files… it means I can finally do some late school work.

  28. Nopchai says:

    My computer infected with this virus. It disabled task manager. I couldn’t stop its processes. I tried to reinstall windows w/o format the hard drive. I shut the computer down. The last thing to do is clear all memory; disconnected all power sources ie, battery, unplugged. Then format the hard drive…Yes, the only choice you guy can do.

  29. Ruth says:

    I can’t open Task manager even in safe mode. What can I do?

  30. Mr.Manc says:

    It’s just taken me 2 days to put a dent in this horrible little thing. Have managed to partially fix the PC after running AVG, Microsoft Security Essentials and Malwarebytes several times each (Sec. Ess never picked anything up, it was MWBytes 3rd run that finally picked it up and did the job), but now suffering same issues as everyone else.

    Have un-hidden my folders but cannot right-click on the desktop or drag apps to it or create shortcuts to it. Also can’t change the desktop background from the blue screen. Not a big deal, i know, but it would suggest that something is still wrong…

    …Malwarebytes has just finished ANOTHER scan and found the cause (i assume): “PUM.Hijack.DisplayProperties – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper”

  31. Rick says:

    The first step did not work. When I press ctrl/alt/del i did not get the task manager (windows 7). Unable to get past the virus. ready to use a hammer!

  32. Rick says:

    From the Start menu I typed “task” and tried to start the task manager as well and I got a message saying the task manager had been disabled by the administrator. Now what?

  33. Nicole Sharpe says:

    Please do these changes in Safe Mode.

    Ruth: Go into Safe mode. Bring up CMD prompt. Type in MSCONFIG and you should be able to get into the Task Manager AND the registry files.

    Safe Mode.

    I had to use an external drive to get the stuff on my infected computer, but I still can’t launch Outlook,and my History for the internet is not visible and I am missing sqmapi.dll so I can’t download the SP1 for Windows 7.

    Give me 10 minutes with the butthole that did this…..

  34. John says:

    It was very helpful

  35. Ruth says:

    I opened in safe mode and did exactly as you said above but still could not get into task manager. Do you know another way around this virus? Thank you SO much for your help!

  36. Ray says:

    Michael said:
    Got hit with Windows Recovery virus as well. Luckily I was able to remove it and recover most of my hidden files with unhide.exe. However, when I hit “start”, then look at my “programs” menu, all the programs list as being ‘empty’. Whether it is itunes or Microsoft Office. everything is listed as ‘empty’. These programs are still on the computer as I can open a document and ‘Word’ then opens, or itunes starts when I connect my phone. It seems the link from the “programs” menu to the exe. file is missing. I’m guessing it is due to registry issues? Any thoughts on how to reestablish those links?

    Same thing here, Unhide worked for “some” stuff. but not all, and not with my start menu. Michael, did you ever get it figured out?

  37. Jason Spiro says:

    Hi Ray,

    Right-click the Start button.
    Click “Properties”.
    Enable “Store and display a list of recently opened programs” and “Store and display a list of recently opened documents”.

    This worked for me.

    All the best,
    –Jason Spiro
    IT consultant
    Toronto, Canada

  38. Sara says:

    We got hit with this 2 days ago. We got past the windows recovery screen and did the malware thing, it detected 9 trojan viruses, we can get on the internet but everything else i gone. The desktop icons are gone and wont let us put anything on there and when we go to the start options everything is empty. how do we get eveything back on the start menu and get our icons to be on the desktop. help please?

  39. amy says:

    i didnt lose anything but have to do a search for anything i need i have nothing in start-up menu or on my desktop but everyfile i search for i find however i cannot do a system restore to fix the problem anybody know what i can do because i can find my restore disk that came with my pc thanks

  40. David says:

    My wife got this virus/trojan, on her laptop. To all those who have defeated the virus, but who are missing start menu items and desktop icons, I found a great solution which amazingly restored everything. There is a free anti malware program named Combofix. This will clean all remaining traces of the malware and restore your icons and links. You need patience because it took 40 minutes on my wife’s laptop, but it was a relief to see the desktop icons reappear after 20 minutes.

  41. George G says:

    Hi Used Malwarebytes and Unhide…which restored all My Documents..but as with Ray, Left Hand side of Start Menu is empty and all programs show as empty…does anyone have a solution how to restore these Programs…I have copied all of My Documents to an external Hard Drive..should they now be ok to view….& thanks to all for their postings..together we’ll win!

  42. ctoguy says:

    You can get to System Restore with this $%^#$ thing.

    Do your start menu. In Run, type msconfig

    But unlike previous suggestions, dont go to the startup program list.
    Select the General Tab. There is a system restore button on there,
    and it is ACTIVE . I’m restoring mine by a few days presently.
    For reference, I am running a Windows XP system.

    How is this thing spreading? Email ? Click on link of a website?
    What triggers the Installation of it?

    The last thing i had done is do the Windows Automatic Update “Manual” review and run. You don’t think someone has hacked the Windows Update Service ? When I rebooted after the Windows update, all chaos
    broke loose ( same symptoms as everyone else is seeing ). I truly thought my hard drive was having an issue for the first 15 minutes or so – but when I saw Task Manager disabled – the light bulb went on.

    The System Restore just finished, and all my programs are listed again, desktop icons, files, … I suggest taking this route.

    Can you imagine if some %$^&$ $$%&*# hijacked Windows Update and System Restore on a system? Danger Will Robinson !

  43. George G says:

    A very “BIG” thank you to ctoguy for your posting…I am also on XP, have just done as you suggested and like yourself I am back up and running…did you also use a program to erase the virus… I used Malwarebytes and hope it has completely wiped it out…the virus attacked on Wednesday AM and I have NO idea what set it off…once again, many thanks

  44. Maverick87 says:

    This just hit our machine yesterday – we have the free K-9 protection and this is the first time it failed to snag this @#$%^&*! thing.

    I was only on ESPN and Grooveshark. I’m likely to suspect the latter had some bad link that wasn’t caught. Can’t even check history as I can’t get to any browser without the @#$%^&*! throwing up a fake block page.

    We have Malware Bytes available at work, so hopefully that will work.

    People that write this stuff should be dragged through the streets behind a car. Then hanged.

  45. Ray says:

    I thought id share how I got this one cleared up finally!
    1. Boot into Safe mode
    2. on another PC, download the iexplorer.exe, malwarebytes, and unhide to a flash drive. (All on the malwarebytes site)
    3. Run iexplorer.exe (this closed the virus)
    3. Install and updated and ran Malwarebytes
    4. Restart and then run unhide.exe
    – This unhid SOME but not all folders on my PC
    5. Finally do system restore to a date prior to getting hit with the virus, and that cleared up the rest of my folder issues.

    Hope this helps someone out there!

  46. Bev says:

    #43 ctoguy – YOU ARE A GENIUS!!
    Running Windows XP

    1) I did download Malwarebytes 1st and ran twice, and found viruses both times.

    2) I did the unhide, regedit, msconfig, all through start, run, etc… but don’t think I would have had to if I would have found ctoguy’s advice.

    3) My system is back just like it was after following the steps on how to do a system restore on Windows XP


  47. Bev says:

    One more note – while my computer is running fine, I’ve had iexplore open up on it’s own 3 times and starts running a commercial in the background. Have to go into taskmanager and terminate. So – guess it’s not completely fixed. Will have to do some searching to see what’s going on. Meanwhile, running two separate virus checker programs again. So far – nothing.

  48. Jeff says:

    I found a website to help with restoring the start menu / programs shortcuts

    It states” It occurred to me that if it was a scam to get you to buy software – it would potentially work – so all the “lost” data must be on the disc somewhere – probably in renamed files.

    So I did a full windows search of the c drive – including non-indexed, hidden and systems files for all the files created on the day that it happened and found the lost start menu files in:-

    c:\users\username\appdata\local\temp\smtmp the latter being a folder containing all the files and shortcuts – I then just copied these back to their proper locations ie the start menu items belong in c:\programdata\microsoft\windows\startmenu\progams and then copied/dragged the other shortcuts back to the desktop or taskbar….

    Maybe this will help other people though obviously the name smtmp might be a randomly produced one the methodology should still work.”

    I searched for smtmp and found all of the links and was able to restore them.

  49. Gelly56 says:

    Thanks CTOGuy. Had the nasty virus and spent way to long on getting this thing remove before I came to your posting. Your solution worked like a charm. Thanks again…

  50. Yeti says:

    I was hit by this thing. I’m not able to use my mouse or other key. What I can do to follow all the steps mentioned above?Thank you.

  51. Yeti says:

    I was hit by that thing, my mouse does not work so I’m unable to move around the screen. The right and left keys does not allow me to go to start, so What I can do to follow the above mentioned steps? Thank you.

  52. Bob F says:

    Same problems as all above, fake scan, disabled task manager, missing
    desktop (right clicking for desktop properties was also disabled) and start menu shortcuts. Also, to really make things tough, the virus also disabled the USB ports.

    Starting in safe mode was able to run spybot and malwarebytes via the run > command prompt. Ran both programs several times, it does take more than one pass with a reboot between each.
    That tamed the worst of it. Then unhid and got most of the desktop back.

    Now just recreating the shortcuts in start programs manually. Some of the .exe files are taking awhile to find.

    What gets me is this got past AVG and Spybot both fully updated with live scanning on. If ever there was a wake up call for backing up, this was it.

  53. Bob F says:

    Other – start > programs > accessories > system tools – is now empty.

    Anyone have an idea how to re-establish this link?

  54. Mark says:

    Do your start menu. In Run, type msconfig

    But unlike previous suggestions, don’t go to the startup program list. Select the General tab. There is a system restore button on there, and it is ACTIVE.

    I did the above as per ctoguy, worked like a charm, all empty folders were restored and desktop came back as it was. You need to do this even if you purge your system of the virus. This is a nasty one, I have not come across a virus that hides folders and icons, even in safe mode.

  55. Bob F says:

    Mark – what if you never created a date to restore from?

  56. Tym says:

    I am still having problems with this, but I think Ctoguy may be onto something. I went to run system restore in windows vista, but I did not have the button in the general tab. I got it to start up from the last tab, and when my restore points came up, I only had 2 options, both being windows updates. I just connected to the internet yesterday so this is the first time they ran, and that is when the chaos came onto my computer. I really think this has to do with the windows update service.

  57. michelle says:

    Can’t restart pc in safe mode. Can’t pull up msconfig with cmd prompt. Any solutions?

  58. Tatjana says:

    Hi all,

    I use Vista and had exactly the same problem with Windows Vista Recovery. Tried everything. Installed Malwarebytes, Spybot, nothing helped. Tried restoring, but didn’t work in normal mode.
    1. I booted the computer in Safe Mode
    2. Restored the computer to the day before
    3. Booted up in normal mode
    4. The Desktop and the start programmes came back, but all my pictures, music and document files were still gone
    5. Downloaded Unhide.exe and solved the problem.
    Now everything is back.

    Hope that will be of use to someone.

  59. Noel says:

    I was affected by this same tragic virus.. Went to a comp shop and was told it will take a day or two to fix. Want to smash my notebook. Luckily, browsed your site and did the MANUAL procedures, followed Dave #12 advice. Now I’m back to normal just now and I’m still running antivirus. Very helpful site indeed. Thanks to all.

  60. Brandon says:

    Here is the fix for: Missing desktop icons, start menu, etc.
    1st – Get rid of the malware virus itself.
    2nd – Google unhide.exe
    or download here:
    (Worked for me, running xp)
    Then Restart. You will be able to save all files, but you will either have to reinstall the programs or go to your folders and they will be located here: C:\Program Files and you will have to start them up that way. (If you don’t know how to do that just reinstall your programs.)
    3rd – You will still have a virus running on your processes named iexplore.exe. It’s very hard to get rid of. The following video will tell you what you need to get rid of this.
    After that you should be ready to go, and you should be running at 100%!

    Any Questions? I’ll be off and on for a few days.
    -Thanks Brandon.

  61. ben says:


    Supposedly safe mode has been working for some of you. Maybe I’ve got an evolved version of the virus. As soon as I turned off my computer to restart in safe mode, I got a black screen of death. White underscore, all buttons make a beeping sound. F8 and F12 do not do anything at startup. Safe mode: out of the question.

    DO NOT under any circumstances turn off your computer. Gmail important documents to yourself. Now I have to shell out money to an expert to see if he can get past the screen of death. I should have run malwarebytes or something instead of turning off my computer.


  62. sriley says:

    Thanks to ctoguy!!!! I did as he suggested and am back with a computer that looked like it did before this %^&&%$##@ thing got a hold on my laptop.

  63. judy says:

    hi fellow victims, thanks to all especially ctoguy. my laptop was restored to factory set with motherboard replacement in early May. i spent the day, May 24, using windows update and shizamm! got the virus and hard drive damage as a bonus. so glad i bought the extended warranty. company is taking it back for repairs/replacement. the external hard drive backup is a blessing. thanks everybody. misery loves company.

  64. Heather says:

    What can I do if I can’t even do a system restore? I can get to it but I have no previous days to restore to?

  65. matt says:

    Hi everyone got this virus today and after much frustration have got my computer back 100%
    I have windows 7 and lost all files/folders including everything in the start menu

    step1: find the program rkill- it ends the attack
    step2: download malwarebytes and run after rkill
    step3: use the unhide.exe program.. unfortunately this only seems to unhide some folders and files such as on the desktop
    step4: as i read in an earlier post someone mentioned combofix.. download this and run it will restore all of your startmenu items!

    hope this helps

  66. Lark says:

    HELP! I just removed this virus but have not been able to restore my desktop and also cannot put my computer into safemode or repair mode. I just want to restore my computer to factory settings again. I am currently running Windows 7 and have tried everything on this board to fix this. I ran unhide.exe as well as going to start menu, control panel etc and unchecked what was suggested. So what’s next? Why won’t my computer let me go into safe mode or repair mode? It will not let me get to the right area to restore factory settings. I already tried restoring from a previous date but I had no chosen date so that did me no good. I also tried creating a date and that did not work. Any suggestions?

  67. Lauren says:

    If your Start Menu is Empty, try the advice left from the McAfee forum by Jeff. I searched for “smtmp” in all files (include hidden files) and it came right up. I copied the data of each folder into the Start Menu folder (find it by right clicking on a folder in the start menu > Explore). Worked perfect. Thanks for posting this, as it was the last bit of the computer that was messed up by the virus! I was also able to find ways to fix my task manager, etc., by searching for individual problems in google. Hope that helped!

  68. scorpryter says:

    Got nailed by Windows 7 Recovery

    Was able to beat….I think

    View Hidden files in Control Panel
    Ran RKill
    Was able to download and run Malwarebytes
    Ran unhide.exe
    Finally saw a suggestion above to run ComboFix….it restored the menus, the associations and the desktop icons.

    Thanks all for the input….Malwarebytes is always great….
    Special kudos to Combofix for picking up the pieces….I’d recommend running it first just to see if it’s the magic bullet.

  69. Richard says:

    Okay, so I virus scanned and got rid of the virus, went through and eliminated the files and registry entries. I did the unhide to get the files showing again but now I still can’t get the desktop back. Also, System Restore isn’t working (have plenty of restore points, but won’t run!) Not even in safe mode. What now???

  70. jim says:

    Jason Spiro said:

    Hi Ray,

    Right-click the Start button.
    Click “Properties”.
    Enable “Store and display a list of recently opened programs” and “Store and display a list of recently opened documents”.

    This worked for me.

    All the best,
    –Jason Spiro
    IT consultant
    Toronto, Canada

    Nothing gay, but I want to give you the hugest hug. I’ve been working for hours trying to find a site to help me get my start menu back. Lo and behold, this worked. You are a king.

  71. Rich S says:

    With all of your help I got rid of the virus. One last thing. My Favorites in IE are still hidden and I cannot seem to unlock them. How can I unhide favorites? I am not a tech guy and the help on this site has allowed even me to get this operating again. Many thanks.

  72. Joe says:

    These instructions are flawed. First, Windows Recovery Rogue Malware disables task manager (see registry entries in the instructions where disable task mgr is listed) yet, one of the instructions is to press Ctrl + Alt + Del to execute task manager. If the disable taskmgr registry key is present no amount of pressing keys will allow you to access it. You must first use regedit to delete the key. It is best if you remove this malware via safe mode with networking then Google unhide.exe as described above.

  73. Dave says:

    Malwarebytes and superantispyware fixed this but the user files were hidden. This was actually on Windows 7. Using the Windows Explorer I was able to find Folder Options and set it to show hidden files. After that the missing user files showed up.

  74. Dave says:

    BTW you have to go into Safe Mode to run Malwarebytes. Once you run that you don’t have to be in safe mode for the rest.

  75. Nater says:

    With above advice I was able to get my computer back to normal with the exception of Internet explorer. Any searches I do still link me to bogus sites. Any ideas and thanks in advance for any help.

  76. iflyrjs says:

    This site is awesome
    CTOGUY was very helpful thanks!

    Had the same issues as everyone else and
    ran malwarebytes first, did a restore, then ran unhide.exe, but run it from bleeping computers website, there’s a link in some of the posts near the bottom.
    I went to some other site that I found a link to unhide.exe and they wanted me to purchase it after the scan. The one from bleeping computers website, after you save it to your desktop click on it twice,
    a dos window opens and it says to be patient, took about 5 mins.
    I did it the other way the first time by just clicking on RUN and it wouldn’t work.

    everything is back as it was before

  77. Amy says:

    I hope someone can help. This must be really embedded in my computer somewhere. I’ve followed most of the advice here but still have problems. The main one is it won’t let me run a restore! Not from anywhere…says there is a file stopping it from running. It wasn’t a needed file as it was from an old, outdated program so I just deleted it. Tried to run restore again but, no go. I still got the same message even though the file had been deleted. My AVG files are still missing and can’t be found. I’ll try the advice listed above regarding the Start Menu…haven’t had a chance yet but have been working on this now for almost two weeks. I’m afraid of using that computer for anything but it’s the only desktop in the house so I really need it clear. I think we’ve gotten rid of the virus itself but just can’t get the silly thing up and running again! Any suggestions regarding the AVG? I’ve thought of just re-installing it but I want to make sure the computer is completely functional before loading anything else onto it! I hope someone has a suggestion on that restore! Tried it in safe mode…regular mode…nothing works!!! VERY frustrated! Thanks for all the help so far!


  78. Matrox-NLE says:

    Question: do you delete the registry entries listed above, or do you confirm those are the settings and leave them be?

    I’ve run MalwareBytes, RKill, Spybot, and I unhid my files within Windows, but I know this frakker is still there. Any suggestions?

  79. Matrox-NLE says:

    Also, I sued StopZilla, which found a bunch of things, but then required I purchase the full version to get rid of it all. Is that just another scam, or should I do it?

  80. Matrox-NLE says:

    meant to say used, not sued. :)

  81. Bryan says:

    Got hit with the virus…did the following:

    1. Malware bytes in safemode to remove the files
    2. Combo fix to get the icons back
    3. unhide.exe to restore any remaining

    This combo seems to have gotten me close.

    – B

  82. Shel says:

    My computer has webroot antivirus and I was running a scan as I cleaned out the files manually. I noticed that for these three files in particular, webroot warned me that they were trying to access the system as I deleted them. It’s likely that this is how the rogue virus keeps recurring in some systems. Just an fyi.

    %AllUsersProfile%\Application Data\~[random]
    %AllUsersProfile%\Application Data\~[random]r
    %AllUsersProfile%\Application Data\[random]

  83. Arlene says:


    Got hit with the virus when I was applying for jobs online today =(
    Have no freakin idea how the virus got there….

    But anywho. I ran Malware like three times and it doesn’t detect anything. And I know the virus is still there, cause my computer is slow as hell. Currently running malware one more time and then I’m going to do system restore….

  84. Murray says:

    Got hit with this last night. Avira recognized the virus and when I clicked remove, all went black. Ran Avira from safe mode and found no virus. Ran online scan from Trend Micro. No virus found. Called Dell only to find out that my warranty covers hardware only. They did everything (exactly) as described here but for $250! If I would have found this site earlier, I might have been able to fix it myself.
    BTW-They sold me a one year software warranty (incl with the $250).
    They also pushed hard for me to buy McAfee (that they would install for an additional cost) and to buy Registry Mechanic ($99 for 3 yrs).
    A very costly experience!

  85. Haki says:

    Dave said:
    Your files are still there. just click on ” My Computer”
    Then go to “tools”, “folder options” then “view”

    Scroll down and uncheck “Don’t show hidden files folders or drives”

    click “OK” and close My Computer. you should be able to see your files.

    Dave you’re the man! Thank you, I hope this works for me at work cause I lost everything there too! Tried to restore to earlier point and I think I may have deleted some stuff. But thanks again.

  86. SAM says:

    I am following the steps for the registry editor but what do I do on the 5th and 6th step? And is this what the .exe could be: Fjava REG_SZ rundll32.exe “C:\Users\Sam\AppData\Local\oxomoheyev.dll”,Startup
    It looks unusual. So yeah, any advice? Just that the 5th and 6th steps don’t say anything to do, the others you modify the binary number.
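
The value quoted in comment 86 has a shape worth checking for in any Run key: `rundll32.exe` loading a DLL from a user-writable profile folder. The following is an added example, not part of the original comments or this site's instructions, that parses `reg query` text output and flags such autoruns; every sample entry except the `Fjava` one is constructed, and the list of user-writable path markers is an assumption.

```python
import ntpath
import re
from typing import NamedTuple

# Assumed markers for locations a standard user can write to; legitimate
# autoruns normally live under Program Files or the Windows directory.
USER_WRITABLE = ("\\appdata\\", "\\application data\\", "\\local settings\\",
                 "\\temp\\", "\\programdata\\",
                 "%appdata%", "%localappdata%", "%temp%", "%allusersprofile%")

# "    <name>    REG_SZ    <data>" as printed by `reg query <key>`.
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*\S)\s*$")
# Program part of a command line: quoted path, or unquoted up to an extension.
PROGRAM = re.compile(
    r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr)))(?=[\s,]|$)(.*)$', re.I)
# First rundll32 argument: the DLL, quoted or running up to ",EntryPoint".
DLL_ARG = re.compile(r'^\s*(?:"([^"]+)"|([^,]+))')


class Finding(NamedTuple):
    key: str
    name: str
    target: str          # file that actually gets loaded at logon
    via_rundll32: bool   # True when a DLL is loaded through rundll32.exe


def parse_run_values(text):
    """Yield (key, value_name, data) for string values in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key and m.group(2) in ("REG_SZ", "REG_EXPAND_SZ"):
            yield key, m.group(1), m.group(3)


def launch_target(data):
    """Return (path of the file that gets loaded, loaded_via_rundll32)."""
    m = PROGRAM.match(data)
    if not m:
        return data.strip().strip('"'), False
    program, rest = m.group(1) or m.group(2), m.group(3)
    if ntpath.basename(program).lower() == "rundll32.exe":
        dll = DLL_ARG.match(rest)
        if dll:  # the DLL is the real payload, rundll32 is only the loader
            return (dll.group(1) or dll.group(2)).strip(), True
    return program.strip(), False


def triage(text):
    """Return autorun entries whose target sits in a user-writable location."""
    findings = []
    for key, name, data in parse_run_values(text):
        target, via = launch_target(data)
        if any(marker in target.lower() for marker in USER_WRITABLE):
            findings.append(Finding(key, name, target, via))
    return findings


# Sample `reg query` output. The Fjava value is the one quoted in comment 86;
# the other three entries are constructed for this example.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Fjava    REG_SZ    rundll32.exe "C:\Users\Sam\AppData\Local\oxomoheyev.dll",Startup
    Sidebar    REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    AVG_TRAY    REG_SZ    "C:\Program Files\AVG\AVG10\avgtray.exe"
    xKqWpLmZ    REG_SZ    C:\ProgramData\xKqWpLmZ.exe
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        how = "DLL via rundll32" if f.via_rundll32 else "executable"
        print(f"{f.key}\\{f.name}: {how} -> {f.target}")
```

A flagged entry is a lead to verify (file signature, creation date, scanner verdict) before deleting the value, since some legitimate per-user software also starts from `AppData`.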

  87. SAM says:

    on this step for the regedit HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1?
    for me there is no active desktop folder thing in policies, only explorer and that has nothing in it. any ideas?

  88. Iain says:

    Hi I had the virus… Used unhide with malwarebytes and combo fix thought it was gone then today it came up again… Where is it hiding?

  89. Dave T says:

    My mom brought me her laptop (vista os) and it had this virus and at first had me as well thinking her hard drive took a dump cause she always sits it on her lap with a blanket so I wasn’t too surprised it possibly fried as the warnings were saying.

    After checking a bit further I noticed I could still work around through windows and thought it funny that the only files missing were anything under that current account… then when I saw the window insert your wind disc or purchase one here I knew it was a virus..

    long story short:
    1 booted into safe mode without networking
    2 did a chkdsk to scan for errors and didn’t find any
    3 while in safemode still, installed spybot search and destroy, then manually installed updates as well. Found windows recovery virus. quarantined.
    4 rebooted back into windows…still having pop-ups.
    5 found this web page and started reading (on my computer not her laptop)
    6 downloaded SuperAntiSpyware Portable Scanner, and Malwarebytes Anti-Malware. Burnt to disc to bring over to laptop
    7 booted infected laptop back into safemode.
    8 immediately went to msconfig and deleted a bunch of startup crap including the suggested “random characters.exe”
    9 Brought over from disc the SuperAntiSpyware Portable Scanner, and Malwarebytes Anti-Malware. Installed and ran. Found much more infections
    10 rebooted into windows… all but one pop-up remained and was some sort of ati catalyst video card recovery pop-up warning. ALSO noted that desktop, start menu, favorites, documents, everything from current user was gone/missing including the recycle bin. But windows was working, no hard drive issues or ram issues that the virus claimed as being real.
    11 Went to folder options and unchecked do not show hidden files. Some files came back but not all. The ones that did come back were half transparent showing they were still hidden when they shouldn’t be.
    12 right clicked on start menu to change attributes of those files so they now showed as normal folders and not hidden.
    13 Still many items missing. As suggested i looked in the c:\users\username\appdata\local\temp\smtmp and sure enough there were 3 folders containing program files and shortcuts that i just pasted back where they should be. But was still missing some items.
    14 Read more on this website here and decided to try combofix after a few in here said they had luck with it. Burnt to a disc and brought to infected pc in safemode to install.
    15 I did boot back into windows when I ran combofix. A FEW WORDS OF CAUTION IF YOU WISH TO TRY COMBOFIX. I would suggest to run it after you are certain you have cleaned the pc of the virus first as the first thing combofix does is create a restore point. Would be a shame if you encounter another problem later and use a restore point only to bring it back to the recovery virus if you didn’t get it cleaned first before running combofix.
    16 combo fix didn’t bring back any more icons or shortcuts but did eliminate that last ati pop-up…
    17 went to control panel, personalization,change desktop icons, selected recycle bin, apply, ok. recycle bin now back on desktop.
    18 laptop is working as it should but obviously missing some data especially photos…doing a search of the hard drive for .jpg files only turned up the sample images for desktop background images and one folder she had on the desktop that only got saved cause the virus itself moved it to that temp folder.. everything else on the entire hard drive was gone photo wise… and who knows what else..

    SOooooo thanks to this site and many other people I was able to save her from purchasing a new hard drive or memory since it said it had all fried and got to over 81C lol..saying she lost 40% of her hard drive, on and on.. Companies that inflict this kind of havoc to people should be dealt with harshly.

  90. Toni says:

    Thank you Jason Spiro. That was the last step in restoring my system back to normal!

  91. Dave T says:


    in my previous post, step #10 i meant to say all pop-ups WERE GONE but 1…

    This virus is spreading like wildfire, my eye doctor’s office said all their computers are infected as well, and just this morning I had another friend call me with the same infection. The first thing I find hard to believe is if a system administrator or IT person has a network of pc’s to maintain and do updates on… why on earth would they send an update out (with this potential virus) to the network without testing it on a separate machine “off the main grid” ???????

    I never install windows updates (if that’s in fact how it’s spreading) right away… I wait forever before updating cause it’s not uncommon for microshaft to release an update then remove it a few days later after everyone realizes there are problems with it.

  92. Julie says:

    Excellent! Very helpful! Managed to recover my files and get rid of the virus. THANK YOU!

  93. Sheila says:

    Thank you so much for explaining how to undo my recent viral (worm?) problem using “unhide”. It seemed to restore all those word files I thought were missing.

    Question: I have Windows 7 and do spybot anti-spyware & MS Security antivirus updates and scans almost every day. I don’t understand how I could have gotten the horrible virus, worm or whatever it was. I recently joined Facebook. Could it have been transmitted that way? In any case, thanks again for the antidote.

  94. Janelle says:

    I believe my virus came from an attempt to download a free plug in for photo shop…thanks to smart phones I was able to research how to fix the problem…utilizing this and my own quick thinking I hope to have fixed the issues….here are the steps I took…please tell me what else I can do to ensure no further issues arise with this virus.
    I utilized my COMODO time machine and rebooted from a snapshot taken 2 hours prior to the download….this got me up and running again.
    I then ran my Avira free antivirus which detected and quarantined wheeloffortune.exe…
    Simultaneously I downloaded and ran the malware bytes software recommended which found and deleted two os problems…at this point I was exhausted and I shut down my computer…
    Only thing I noticed being a continued issue is my internet explorer kept shutting down and windows said there was something suspicious detected…
    With these two scans completed, have I 100% resolved the issue or is there something else I should do?
    I did a search for some of the malicious names listed and haven’t found anything further….
    Thank you.

  95. newbie says:

    Sorry to ask but I don’t know where I can post my problem to any forum that might help me though, just considering if my problem can be solved here… why can’t my ms office or any other applications be launched after I use Kaspersky removal tool? It says it can’t be launched because out of memory? My Kaspersky antivirus did not work anymore, I can’t see the main window of Kaspersky.. anyone help?? Thanks a lot….

  96. Maldrid says:

    There is a possibility that the virus has infected your .exe files (word.exe, excel.exe etc…). Did Kaspersky remove any viruses from your PC?

  97. Ari Anggara says:

    System (C:)

    $Recycle.Bin (key + hidden)
    [Smad-Cage] (hidden)
    Config.Msi (hidden)
    Document and Settings (key + hidden)
    Recovery (hidden)
    system Volume Information (hidden)
    hiberfil.sys (1 Gb)
    pagefile.sys (2 Gb)
    Desktop.INI (hidden)

    System (D:)

    $RECYCLE.BIN (hidden)
    system Volume Information (hidden)
    MediaID.bin (vlc)
    @@@CDRW.TMP (hidden)
    Thumbs.db (hidden)

  98. Mike says:

    Thanks to Jeff for pointing out that c:\users\username\appdata\local\temp\smtmp contains the missing shortcuts.

  99. Doris says:

    This is a brand new computer, still under warranty. The only thing that came up was notepad. If there is a problem, I am sending this computer back. I didn’t understand the scan anyway. Thank you.
