Windows XP Recovery

Windows XP Recovery virus will pretend a legal hard drive tool to attract users and convince them to pay for the licensed version. You must not buy this rogue software.

Windows XP Recovery is a misleading program. Fake security web sites spread this malware and promote it as valid system optimization software. Another approach to circulate the malware is through fake Adobe Flash player update. In certainty, Windows XP Recovery is a virus that penetrates a computer then installs itself to provide false findings. It tries to misinform computer users and urgently recommend acquiring licensed version of the program. If loaded, this fake optimization product launches a performance scan and announced several hard disk drive errors, junk files and folders, registry errors and outdated drives. These alerts seem to make look valid findings but since it came from unknown, we presume them as fake. Identified problems do not really exist on the system.

To persuade computer users into buying the paid version of Windows XP Recovery, the rogue program floods the computer with too much alerts coming from Windows taskbar. Any attempt to fix these errors will refer user to payment web site where credit card account will be processed online. Since Windows XP Recovery belongs to a rogue category, expect that even the paid version will not help fix performance and stability problems. As mentioned, there are no errors needed to be fixed. Most of all, bear in mind that rogue software were developed only to steal money from innocent victims.

Screenshot Image:

Fake Antivirus

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Technical Details and Additional Information:

103 Responses

  1. Frank says:

    When you try to open Task Manager, the following error may occur:

    Task Manager has been disabled by your administrator

    This error is caused if the DisableTaskMgr restriction is enabled. To enable Task Manager, try one of these methods:

    IMPORTANT: If this restriction was enabled in your system without you doing anything or without your knowledge, then it’s highly likely that a Virus has blocked the usage of Task Manager in your system by enabling the DisableTaskMgr policy via the registry. I strongly suggest that you perform a thorough checkup of your system immediately. Steps listed in the Resolution section of this article helps you unblock the Task Manager, but that does not remove the Virus (if any) from your system.

    Click Start,Run- or hold the windows key and press the “R” key. and type in this command exactly as given below: (better – Copy and paste)
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f


    •Click Start, Run and type Regedit.exe
    •Navigate to the following branch:
    HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System

    •In the right-pane, delete the value named DisableTaskMgr
    •Close Regedit.exe

  2. Bev says:

    You can get to System Restore with this $%^#$ thing.

    Do your start menu. In Run, type msconfig

    But unlike previous suggestions, dont go to the startup program list.
    Select the General Tab. There is a system restore button on there,
    and it is ACTIVE . I’m restoring mine by a few days presently.
    For reference, I am running a Windows XP system.

  3. Andrea says:

    ok… so I am positive that my good computer is infected with this stupid virus but I can’t open the task manager it won’t let me.. any help? It is on XP if that helps.

  4. Hanz says:

    To enable disabled TASK MANAGER, click start, run, then type gpedit.msc (group policy management console) go to administrative template, system, ctrl alt del option, double click remove task manager, select disable.

  5. Andrea says:

    thank you for your help. I got rid of the stupid bugger! I used system restore after putting the computer into safe mode.

  6. Stephanie says:

    Today I did a restore to 2 weeks ago. Thought it was gone. But upon reboot I got a warning from Avast that explorer tried to open a website at without my prompting and when I go to Task Manager iexplorer.exe is running and using a ton of memory. Anyone else have this happening? My virus scans are picking up nothing.

  7. Hanz says:

    Download HIJackthis.this program examines vulnerable or suspect parts of your system, such as browser helper objects and certain types of Registry keys. Pressing the Scan button generates a log of dozens of items, most of which are just customizations. Don’t check off an item and hit the Fix Checked button unless you’re sure it’s malware. Clicking Info on Selected Item tells you why the entry was flagged as suspicious, but not whethere it’s actually malware.

  8. Hanz says:

    Download HIJackthis.this program examines vulnerable or suspect parts of your system, such as browser helper objects and certain types of Registry keys. Pressing the Scan button generates a log of dozens of items, most of which are just customizations. Don’t check off an item and hit the Fix Checked button unless you’re sure it’s malware. Clicking Info on Selected Item tells you why the entry was flagged as suspicious, but not whethere it’s actually malware.To find that out, search the Web for that item’s name.

  9. Steve H. says:

    I’ve run into this rouge utility twice in the last week through my computer business. I’ve been able to get rid of it with a combination of Malwarebytes, Spybot S&D or Super Anti Spyware, and a good antivirus program. I like Avast for free antivirus. The problem is once you’ve removed the rouge, you’re still left with the problem of all your files and folders being hidden & a damaged start menu. You can manually un-hide them folder by folder, but you’re start menu will never be the same. Namely, the program list. All your program links are just gone. Even creating a new user account doesn’t help with this issue. If you can live with this or if you can rebuild your program list link by link you can overcome this problem. At this point until someone comes along with a removal tool for these next gen rouges, I’m recommending a reinstall of Windows, drivers, programs, data, etc. The time it takes to run all the scans necessary to remove the infection & combat the ill effects it has on your OS, you can backup your data & eithere run a recovery disc, recovery partition, or reinstall Windows from your installer disc. It sucks to have to do this & it may be more effort than most people want to put into their systems, but it seems like this malware leaves your computer in a bad way. (display properties highjack, desktop icons highjack, taskmanager highjack, start menu highjack, hides all your folders & files, changes your home page, & changes your proxy settings) I have yet to try running a system restore mostly because in my experience, system restore doesn’t reverse the effects of most infections. Since there’s very little protection against these types of infections and most antivirus programs will let these rouges slip through, I’d advise people to use safe web browsing habbits at all times. Being smart on the internet is the first step in avoiding these types of infections. Good luck to all!

  10. Amyn says:

    I have this virus and have been able to remove it. Unfortunately, It left all my folders and files Hidden (start Menu, Programs, everything in the C: Drive).

    Is there a fix to this? I found one previously but am unable to locate it now.

    I am however able to go to Tools> Folder Options> Show Hidden Files and Folders and it shows everything. But they are still technically hidden and there is nothing in my start menu, desktop or under all programs.

    – Thank You

  11. Stephanie says:


    I have the exact same problem.. however the bug is still on my machine. It is attached to iexplorer.exe… you may want to check your task manager to be sure ixplorer.exe is not running in the background on your machine as well. FYI – I’ve tried 4 different malware and spyware cleaners, on top of my anti-virus, so far without luck. Boo

  12. Dan says:

    Amun I have the same exact problem. I think I got rid of it by following a video on YouTube but now all my folders are ghost like as if I am showing all hidden folders still. If I turn off show hidden folders most of them go away. Has anyone found out how to restore this? By the way I am trying to do a system restore and my computer just won’t do it. Help!!!!!!

  13. Computertechguy says:

    Ok here is what I do first. I restart computer in safe mode which many of you say you cann’t get to the task manager. This will take care of that. After in there do a msconfig and stop the process in the startup tab. I only leave 3 things checked they are ” igfxtray, hkcmd and your anti-virus “. Restart the computer. I load the spyware and virus removel software from a sd card that has a lock on it, so virus will not come back to me. I use an adapter as a USB. I load them right from the sd card to the C: drive on the bad computer. I run malwarebytes first, then superantispyware, then run ccleaner, then I run combofix. After that runs completely I use smart defrag software and then load a good anti-virus.

  14. Kobe says:

    Thanks for all the help guys, I have managed to remove the virus (I think).

    However, as Steve H has previously stated, the virus has left our desktop and start menu completely empty and all our files hidden. I know we can unhide our files by using unhide.exe, but is there anyway at all to recover the desktop and start menu, or is that gone forever?

  15. Kobe says:

    OMG thanks heaps Computertechguy!!

    I ran combofix and it seems to have fixed everything! All my desktop icons and start menu is back! Although there are slight differences, everything seems to be working now. Just gonna do a reboot and hope everything’s in order.

    thanks again!

  16. graz says:

    Got it just a couple of hours ago.
    Boring stuff!
    Just a little help for the desktop icons – try: set HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer/NoDesktop
    to a value of 0 and restart
    In my case at least part of the icons that where originally on the
    desktop reappeared.
    For the menubar – nope
    Ditto for the files/folders (done it manually, just removed the hidden attribute – folders and subfolders)
    good luck

  17. Patman says:

    Thanks to all posters, especially ComputerGuy. Wife picked this up this morning while browsing… MalwareBytes alone did not do enough, had to do all four recommended by ComputerGuy and also ran “unhide.exe” per which did appear to leave appropriately-hidden system files still hidden. The desktop will take a little re-arranging, but for the most part, we got everything back. wants you to run RKill.exe, but I got good results just booting in safe mode with networking, loading the anti-malware products from a thumb drive. Once I ran MalwareBytes, I could reboot into regular mode and run the rest. I also uninstalled and reinstalled Firefox (wife’s browser-of-choice) before re-browsing, just in case.

  18. Maya says:

    How to restore Hidden files

    I have changed the registry keys indicated in related post 1. “Windows recovery”. The link:

    After that, I could see all my files again, they were still marked as hidden but after I have changed the hidden attribute in the properties of the folders. Now the effects of the virus seem to have disappeared.

    The registry values I have changed are the following, as the virus left them. I exchanged ‘1’ for ‘0’ and ‘yes’ for ‘no’.

    Windows Recovery Registry Entries:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\Advanced “Hidden” = ‘0?
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\Advanced “ShowSuperHidden” = 0?
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run “.exe”
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run “”
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Internet Settings “CertificateRevocation” = ‘0?
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Internet Settings “WarnonBadCertRecving” = ‘0?
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1?
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/ fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Attachments “SaveZoneInformation” = ‘1?
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\System “DisableTaskMgr” = ‘1?
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\policies\system “DisableTaskMgr” = ‘1?

    I hope this can help you to solve your problems.

  19. John J says:

    After reading comments from Bev & Andrea I too used System Restore. Only needed to go back a couple of days. I then searched for some of the files associated with this impostor and they were gone. So I guess it is possible that somewhere on the drive something is lingering that may bring it back, but right now everything is good.

  20. Bob says:

    Unfortunatley; I also was infected with this virus. I followed the 20 step guideline on and was able to get rid of it and restore my invisible desktop icons and files/folders. However; my start and program menu are still not correct. It shows the programs but the short cuts are missing. I have read all the entries above, and Kobe said running combofix corrected this problem, for the most part. Andrea said using system restore, corrected this problem. I just want to confirm that I am interpretting this correctly. You had success fixing the issue of missing short cuts in the start/program menu with these methodologies? (I am double checking because all other sites I have looked at are unable to fix this problem. Some say unfixable, reinstall of all software and short cuts is required.) If one or the other of these solutions worked, you made my day.

  21. Jeremy says:

    Computertechguy’s solution works! I just used all 6 programs and I’m up and running. Thank you so much!

  22. CheezHead says:

    I also have had this on a couple of PCs. Another tech worked on the first one and I had no luck repairing it, saved the customer’s data and did a reload. This last machine I immediately ran ComboFix and after it was done everything was back, including start menu items. Your results may vary. Just doing a MBAM scan now and everything looks clean.

  23. Bob says:

    Jeremy and Cheezhead, thanks so much for verifying information. Computertechguy, thanks for providing a guide to solve this problem.

  24. Ed says:

    Got this virus on my desktop yesterday morning……started windows in safe mode and ran malwarebytes (during which the multiple error windows that the virus generates were still coming up on the screen) but was pulled away before I could fix the errors that malware had detected. When I got back to it, my computer was in some kind of cycle where it goes from the opening Dell screen to the starting windows xp screen to a black screen giving me different options of how to start windows (safe mode, safe mode with networking, normal, etc.); no matter which of these options I choose it loops back around and does this 3-step process continually.

    I have finally figured out how to get the computer to boot from the cd drive with the original xp disc inserted, but I’m not sure how to continue or if this is even the best method to move forward without erasing anything I had prior to yesterday morning.

    Any ideas?

  25. tadd says:

    Thanks to all that posted their solutions.

    1. run spybot search and destroy

    2. regedit and find nodesktop and delete that registry entry to bring back the desktop

    3. fold attributes update it to show hidden files

    4. reboot

    I haven’t been able to get the start, programs to show the programs yet.

    note: I used lavasoft adaware, however search and destroy found more issues so am keeping search and destroy and have uninstalled adaware.

  26. tadd says:

    combofix worked and brought back my start, programs

    Thank you! Life is good again.

  27. CaseyFolds says:

    Worked exactly like they said it would. I had a customer with a pc that was part of a local area network that had certain permissions set for the user and administrator that made it more difficult than a home pc fix but I eventually got it THANK YOU!!!

  28. calub says:

    is this a new variant my programs are there but if i go to accessories then system tools nothing also all program are there and in tact but no exe on startup menu other than malwarebytes that i installed

  29. calub says:

    also on previous version i found on some machines an infection in volsnap.sys that malwarebyte would remove but only on another machine word to the wise if you remove volsnap.sys you have to replace the file or pc will blue screen

  30. Rob says:

    Thank you Computertechguy and all who posted! Between this site and Bleeping Computers I was able to remove this nastyass virus from my wife’s computer.

    My question: where would she have picked this up? Would like to keep from repeating this adventure in restoration.

    Thanks again!

  31. Kevin says:

    Just so you know, your first step, “1. Press Ctrl+Alt+Del on keyboard to stop process associated to “Windows XP Recovery”. When Windows Task Manager opens, go to Processes Tab and find and end the following process:
    (random characters).exe” kind of disrupts your fix. Task Manager, by default, is dsabled by this process. You need to try again.

  32. Charlotte says:

    I’ve followed all the directions and I have gotten rid of the virus and got my files, desktop and programs back. But now IE keeps redirecting me when I try to do a search. Help?

  33. Bob says:

    Charlotte, I had similar problem with redirections. Go to Step 5 explains that this virus is sometimes bundled with a redirector virus. If you run tdsskiller, it stops the problem. Atleast, it fixed the problem I was having.

    FYI to all, I ran computertechguy’s recommendation for superantispyware yesterday, after already running malwarebytes several days earlier, and found two more trojans. So running both programs, back to back, does make a difference.

    Rob, I don’t know where I read this but supposedly there is a vulnerability within Adobe updates, and that is one of the ways it comes in. In my case, I believe this is how I got it. I was asked and agreed to update flash player. Shortly after, my troubles started. Could have been something else I suppose but I don’t visit risky sites, am very careful and run current antivirus. So was very surprised, like everyone, to get this thing.

  34. James says:

    Thanks all for the great posts. Working my way through the directions I was able to get rid of the virus, bring back my desktop, bring back my start menu, and get rid of the ghosting of files. But my LAN DSL internet connection no longer works. The DSL works on my other computer. I checked my IP settings which were OK. The driver for my network adapter is OK. I even tried the command line IP reset from other web posts. Still nothing.
    I get the message “little or no connectivity”. Any help on this?

  35. Gelio says:

    The removal directions here are quite lacking. The XP Recovery hides all of your folders, documents, shortucts, etc. I was able to recover everything, and remove the spyware. I found an activation key for it, and activated it. Use teh emaila ddress of and teh key code of 8475082234984902023718742058948 to activate the application. It will stop pestering you with pop-ups at this point, and will restore all hidden files/programs/folders, etc. After aftivation, you can then remove it byinstalling malwarebytes and superantispware. Also, download unhide.exe, as there may still be some hidenn folders/files, adn this will unhide tehm all. You will also need to edit your registry as applications probably will no longer launch. You will need to edit HKEY_CLASSES_ROOT\exefile\shell\open\command and there should be one value listed named default, and the value should be “%1” %* (quote percent one quote space percent asterisk). Navigate to HKEY_CLASSES_ROOT\.exe. In the right pane, set default to exefile. The Content Type value should be application/x-msdownload

  36. Bob says:

    I have followed all the advise and recommendations posted. I still am unable to get the start and program menu fixed. The items are all there, just missing all the short cuts. I tried system resore and combofix, they didn’t correct it. Does anyone have any recommendations?

  37. Gelio says:

    To everyone who is missing their start and program files. They are hidden under a temp folder. Look under your profile, then local or local settings (depending on if you are running XP/Vista/Win 7), then you should see a folder named smtmp. Inside this folder will be other folders with a number, these will contain your start, program items, quick launch items. etc. You just copy them tot eh corect location and you are set.

  38. Area Man says:

    Computertechguy….. you mention “After that runs completely I use smart defrag software and then load a good anti-virus.” What in your opinion is the best anti-virus? I have used McAfee Total protection (2010 now) and I don’t think it caught this virus”

  39. Gelio says:

    @Areaman – A Good free one is Microsoft Security Essentials, it is the best of all the free ones. Of the paid ones, you still cannot beat Symantec Anti-Virus or if you want a full fledged suite, then Symantec Internet Security Suite is among the best, and so is ESET

  40. Bob says:

    Area Man- I use Mcafee as well. In my case, the first symptoms of this virus was the Mcafee software, also total protection, hanging up when it tried to update itself. Mcafee does not prevent it from coming in. I read there is a vulnerability in the Adobe update process, and this is how it is being spread.

  41. KIm Hartshorn says:

    questions about suspect registry data that i have found:

    in HKCU…./policies/system there is a setting called “disableregistrytools”

    in in HKCU…./policies/explorer there are settings for
    (will deleting nodesktop get my desktop back?

    in HKCU…./policies/attachments
    there is a setting for savezoneinformation

    in HKCU…./policies/activedesktop
    there is a setting for nochangingwallpaper (maybe this will fix my display panel?)

    So far I have found the suggested download fixes to be of limited use, I wish I had not installed AVG as that might be a contributing factor to the downloads not helping. I was able to remove most of the problem manually once I set unhide on the invisible files and could see where I was going once again and allow search to work. There are still lingering problems with my programs in startup menu, my blank desktop and my inability to run system restore…hoping that deleting these registry files will fix those issues. Just as a point of reference, how dangerous is deleting a registry file that is not identified as (default)?

    thanks all…the hints on getting task manager running again were very helpful.

  42. KIm Hartshorn says:

    as an addendum to my previous message, my compute is up and running thanks to the hints about disabling the program from startup in msconfig, most of my success in getting rid of the files was done in safe mode

  43. KIm Hartshorn says:

    I also found the same (random letters) string in the
    in HKCU…./currentversion/run/

    can I safely delete this also?

  44. Nicky says:

    Hi, I just discover this problem with my pc and able get into taskmanager after several shutting down of pc. I try finding that (random characters).exe in task manager process but it’s not there. Is there another name it could be under? Also, all my documents, all programs, etc are eithere missing or hidden. Please help me get rid of this annoying virus!

  45. tskaggs85 says:

    Hello, I booted up in safe mode and ran a system restore. worked like a charm.


  46. KIm Hartshorn says:

    my random charachters were yiMjvSkpKyOa.exe I don’t know how truly random they were…also some files were disguised with numbers although search still found them under the random character name

    my system restore has been disabled since the beginning and I haven’t yet gotten it working again, although I have successfully gotten my desktop icons back.

  47. KIm Hartshorn says:

    One more thing, I believe the more unsuccessful attempts you make to disable this thing allows it to expand its reach…or maybe it expands on each reboot…i think i may not have tried system restore quickly enough

  48. Matt Sanchez says:

    Thanks guys, i used all the added comments and it helped for me, but I have no start menu options,
    Which I was expected from your comments.

  49. David says:

    Just got the virus, have the icons back in my start menu but my desktop is all blue and when i right click nothing happens. Help please!

  50. Michael says:

    Removing this is all well and good (I spent 3 hours restoring my system and still don’t have everything back), but what I would like is to hear that the originators of this program have been caught and punished.
    Preferably the way that Russian spammer was punished (may God have mercy on his soul).

  51. Mike says:

    Here’s what I did.

    Boot into safe mode w/ networking
    download and run malwarebytes in full mode
    that seemed to get rid of the infection. But still a blank desktop.

    run malwarebytes again (to be sure)

    to recover the desktop, go to My Computer
    Tools, Folder Options, View, Show hidden files and folders

    That restored the icons on the desktop

    still no background, so reset it in the usual way (right-click on desktop, properties, desktop, choose the background you want)

    Still missing most items in start menu
    tried running System Restore, but for some reason it’s not working right on this computer

    then tried running combo fix.
    still missing start menu items

    finally navigated to My Computer, Documents and Settings, right-click on [the username you’re logged on as], uncheck the hidden box, apply changes to this folder, subfolder and files

    And that worked!

    You should also do the same to the All Users folder and whatever other users are set up on your computer.

    Hope this helps.

    – mike

  52. Jean-Francois Burguet says:

    A big thank you to “Computertechguy” ! I had the same situation and his advises worked perfectly for me:

    1) unblock task manager to kill the malware process
    2) safe mode then msconfig and stop the process in the startup tab.
    3) malwarebytes + superantispyware + ccleaner + combofix + smart defrag + a good anti-virus (in that order).

    This goodwill international collaboration is amazing. Just imagine if we could do this at the political and economic levels too…


    JFB – Milan (ITALY)

  53. Abi says:

    I got this today – no idea where from, I wasn’t on any websites I shouldn’t have been and hadn’t opened any dodgy looking emails…took me 3 hours to fix it.
    I had got quite far through it’s program, even so far as the buy the upgrade page, but fortunately had the forthought to ask my boyfriend what he thought before paying for anything!
    It’s a very clever virus and it took me about 3 hours to get rid of it, though my pc still isn’t right…I did a combination of the advice offered here (deleting files and stopping it’s processes). I restarted in safe mode eventually, and tried to restore to a couple of days ago, but the restore didn’t work, I think it might have deleted it?
    I can’t change my desktop at all, only the colour of the screen, and I can’t view my quick launch on the task bar. All are minor issues, but I think the best thing to do will be to wipe the pc completely and start over.
    Oh, and I also deleted all my browsing history and changed all my passwords…it had also deleted Firefox and internet explorer, but not Chrome which I thought was interesting.
    Anyway, thanks everyone for the advice and help – couldn’t have done it without you!

  54. Carol says:

    I have had tons of virus’s on my computer however, this one was the worst! It locked up all of my files and programs and hid all of my folders. I noticed that I could not use my memory stick but I could use my D drive. I have malwarebytes on my stick so I went over to staples and had it burned to a disk. I was able to run Malwarebytes but I had to run it several times to remove the virus. It showed 8 infections and they were not easy to remove but eventually I got it all. I could access my system restore but could not run it (I couldn’t get passed the restore date screen). I highly recommend Malwarebytes!

  55. Kim Hartshorn says:

    I’ve fixed everything except: all programs, recently used programs in left hand window of startup menu, and I still cannot get actual windows restore to turn on.


  56. Dom says:

    after doing as mentioned here,my quick launch bar is now totaly empty,and im still missing some shortcuts on desktop…any ideas?

  57. Ale says:

    Works very well for me to start in safe mode, run msconfig, unmark almost all and reboot. As Computertechguy said.

  58. Andrea Gracia says:

    Just got this virus, I knew it was a virus the moment it popped up so I immediately followed Frank’s tip to open the task manager…

    Click Start, Run and type Regedit.exe
    Navigate to the following branch:
    HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System
    In the right-pane, delete the value named DisableTaskMgr
    Close Regedit.exe

    And then end the following process:(random characters).exe

    That will stop the annoying (and false) “critical error” prompts…at least for a while. I ran MBAM and it quickly deleted the virus (about a 15 minute scan). I’m now running a second scan with SuperAntiSpyware just to be safe. I’ll have to unhide everything which will be a pain but at least it’s clean.

    By the way, to view your hidden files, just open my computer from the start menu > tools > folder options > view > and check show hidden files and folders. To unhide the folders, right click > properties > and un-check hidden. I’m sure there’s a way to unhide everything, I think I’ve heard of a program called unhide.exe but I’m going to continue with my second scan before I move on to that step.

    Oh, and you may want to change your desktop back as it’s going to make it all black.

    Thanks for the help!

  59. Denise says:

    Just wanted to say after 2 days of trying to fix this bloody problem (crying and everything), thanks to Computertechguy it is done! I can’t thank you enough as I desperately needed some files for a court case and thought they were lost forever, so thank you, thank you.

    Just to let anyone else know in case it happens to them – my files didn’t show up straight away, so I went into, Start – Search, then went into tools and checked show hidden files -all my desktop icons appeared(although ghost like) and I can access my files!!!!!

    I think I will no longer be using this PC and will be sticking to my Mac in future – no viruses in 8 years :)

  60. tj says:

    I ran into this on a family members computer. It had deleted all icons in the start menu and I could not access task manager. Luckily I had created a Second adminstrator account. It still had functioning icons which made life easier. I restore the system then ran a ComboFix i found on another site. I had to then reinstall the antivirus software because it wouldn’t enable. I also updated Java which is how I believe the system was infected.

  61. Diane says:

    Thank you one and all. This virus has had me pulling my hair out all day! Hopefully now the process of getting back to something resembling normallity. Luckily only use asus for internet use so the fact I have lost files won’t be a problem.

  62. William says:

    For those who have battled far enough to get your computer up and running but are still having trouble with missing programs in the start menu; as my last ditch effort to fix this, I went into my C drive and highlighted all file folders, right clicked, went to properties and unchecked hidden. I am not sure if some of the files need to be hidden, but having my start menu working is more important to me.

    Hopefully that will help some of you out there. I do thank eveyone else for helping me through this.


  63. Lorri says:

    I had this stupid virus on my work computer. Our IT person was able to fix the problem. However, I noticed that there were a few odd files on my thumb drive and my external hard drive. I wasn’t sure what they were, and in a panic, deleted them. Can this virus jump to an external device?

  64. Asim says:

    My PC is attacked by the stupid virus. I have almost removed the virus but still I can’t find any icon at my Desktop. In my program meny I can’t find all programs. Your help is required to restore it completly.


  65. Jason says:

    I was able to remove by using mscconfig to stop the program, regedit to enable task manager, then Spybot SD and the malwarebytes tool. Also ran the TDSS kit, and avg antivirus. Unhid everything, and also had to rebuilt the start menu from backups as suggested in prior comments. Thanks all for posting your suggestions.

  66. pm says:

    This worked for me:
    – boot up in safe mode (f8) and – check creation date of %User Temp%\smtmp\ folder (this is infection date) see http : //
    – do system restore to a date prior to infection
    – boot again into safe mode
    – open windows explorer and search for all files (include hidden) modified (and hence created) on this date
    – delete all files (not folders) created (not modified) on this date – this is a pain as you cannot search on creation date. Hopefully you’ll catch all the trojan files and cached browser files which may contain dodgy items.
    – boot normally
    – delete the all browser history etc and delete all dodgy websites from your bookmarks!

  67. Glenn Meyer says:

    Thanks for nothing. This so-called level 2 virus wiped out my registry. I now have no programs and no folders visible on the desktop or in the start menu. Your instructions on how to handle the virus are completely inadequate.

  68. KIm Hartshorn says:

    using regedit.exe go to HKCU….software/microsoft/windows/currentversion/policies/explorer

    you will find a setting called nodesktop…delete it. That should restore your desktop icons. I have had less luck restoring my full start menu. I have been compensating by putting shortcuts of the programs I am using in the startup file. However I can’t find the windows accessory programs.

    I also deleted the settings nowallpaper that was under
    and that restored control of the background screen using display control panel

  69. KIm Hartshorn says:

    edit to previous post

    no wallpaper was found in:

  70. devpareek says:

    i hv this virus on my laptop. i can see all the menu items but it does not let me open any .exe file incl internet explorer etc or mbam . any suggestions?

  71. Greg says:

    I am having trouble accessing the internet and it particular getting my wireless modem to activate. I used the start menu to do this in the past and now can’t do it. Any suggestions. It also says my HELP and SUPPORT is not active.

  72. Stephen says:

    Well done Bev! I followed your instructions in comment 2 and it worked a treat!.
    Here’s what I did:
    Start the PC in ‘Safe Mode’ (press and hold F8 while the PC is starting up) and access ‘System Restore’ as instucted by Bev. System Restore got everything back – although some icons on the desktop are a little faint. I’ll work on that.

  73. BrianB says:

    This is particularly ‘pesky’ virus !!! It had like others, above, had ‘planted’ itself (from nowhere) on my computer in a seemingly continuous loop. However, I found that malwarebytes was accessible through right click in the folder structure I had left. So I managed to delete the virus through that route.
    My tip is, then, to put as much as is thought appropriate into the right click menu when the option is given.
    I also run Rocketdock and the virus did not affect the shortcuts from this, although the Windows start menu structure was 100% destroyed as was the Quick Launch menu. Thus I was able to access some programmes, in particular the internet, from which I found this site.
    My second tip is, then, to have a secondary launch programme installed.
    I subsequently ran ‘Unhide’ and although the start menu structure is not fully rebuilt (the desktop icons are) all folders/sub folders/files are visible from explorer. So it will be a slow rebuild when I need to access specific programmes.
    Thank-you to those who have posted previously on this site.

  74. Jayster says:

    To get the programs back from the start menu, I simply clicked start, RIGHT clicked on Programs”, selected “Open all Users”. This displays the “Programs” folder. Right clicked on that, selected properties, and removed the check mark for “hidden”. Now all the programs are back under “All Programs” when I click the start button. This is for WinXP

  75. Steve says:

    I picked up this virus two days ago and it is driving me crazy. Right now, I am in some intermediate stage of removing it. It will let me run only some exe files. The first thing I did was a system restore and that stopped the crazy pop-ups. Then I ran MBAM and SuperAnitSpyware and that removed some more files, but not all of it. I ran unhide.exe (from and that made all of my files visible. I can only somewhat use the internet. I get redirected when clicking on a search engine link. I think the missing link is to run TDSSkiller, but my system won’t let me run it. Any suggestions?

  76. JR says:

    Hello everyone.
    I got infected by this virus but I am having very big troubles killing it completely.
    I ran malewarebytes, spybot, super antispyware, TDSSKiller. I managed to restore my desktop and all that but I still have the caracteristic blue flash on windows start and my UC is driven to 100% by the process , plus HiJackthis is crashing during the scan (no response) and I am having souds issues and my internet connection is weaker.
    I am running out of ideas, would be great if someone could help just a bit more.

  77. Robey says:

    Hi all,
    Has anyone encountered any more evidence that this may have come from an Adobe update? I am working with a user who says that the thing she did just before this issue manifested was an update to Flash player.

  78. Beverly says:

    This is a big THANKS to Gelio, on May 27, 2011,he/she gave the email addres and the activation code to use, I just used it and my netbook is back up running…I think everyone who r having problems should use this method..Thanks again Gelio….be bless

  79. Theresa says:

    I too have this virus and am trying to rid my PC of it. The only step I’ve been able to do is re-enabling the task manager. I don’t think I can run a virus scan – I can’t get to the internet to download anything (everything is missing) and I think my McAfee is out of date and was not working properly (dumb, I know). How can I get this thing off my PC if I can’t get to the ‘net to download/install anything? Thank you!

  80. Jimmy B says:

    When my laptop acquired this virus, everything disappeared from my screen. Nothing worked except Start for shutting down and run for accessing the Configuration System. No anti-virus, no system restore, no Internet access, no safe run, no task manager, nada – nothing. I just shut down and took the machine to a reputable computer shop. Was told the virus can hang out on the machine for aver a week before activating, so no way to really track. The virus appears to latch onto an email attachment or a URL that appears valid. Oh, yeah, all documents, folders, and files were hidden – even those on my attached external hard drive – but recovered nicely. Because my computer was so disabled, I could not follow some of the good suggestions posted here.

    Well $80.00 later my machine is home and I need to reload taskbars, toolbars, etc.

  81. Tommy Mack says:

    I just read thru these comments and then successfully purged this rascal from a friend’s Xp PC. This virus is profile dependant, so if you have other user accounts on the infected PC, it does not launch on those. I found you dont really need any anti-virus scanning/cleaning program to fix this. Nor should you have to hack the registry or spend time unhiding file attributes. Save yourself all that time and effort. The virus basically turns a lot of key file attributes to Hidden and installs 2 regenerative processes and various registry keys to launch and keep relaunching its bogus Critical Error message to entice you to buy its fake cleaner/fixer. All you should need to do is boot to Safe Mode (Hit F8 just after POST) and then Start, RUN, and enter MSConfig. On the General tab, click on the Launch System Restore tab. This is the same Restore process that the virus hides in the \Windows\System32\Restore folder. It cannot be accessed or successfully launched from there or from Accessories/System Tools in an infected PC. But it does run from the MSConfig General tab. Proceed thru the prompts, picking a restore point a day before you first got infected. It should run to completion and reboot to a restored uninfected PC. A fine little digital version of Back to the Future.

  82. Mike says:

    Can someone please privately message me? I’ve tried everything here…auto removal and manual removal. I’ve followed the steps above and I still do not have any files in my start menu folders. My email is: mike.hingle @

    Many Thanks,


  83. Rahul says:

    Hello. This is first time i am logging on this website. I want to thank everyone who posted useful information on this blog.
    I had same windows recovery virus and had lots of trouble to get it out. But with the information posted here and installing Malwarebytes i managed to clean it off. I also managed to get back my files and folders including my quick start menu. Special thanks to Mr. Mike for this useful information. Many thanks.

  84. mnsore says:


  85. Gene04 says:

    I had this terrible virus with all of the above symptoms. I recovered basically by going back to a several- days- ago restore point,running a registry cleaner program and performing a full Mc Afee scan. I managed to unhide my files and folders by following some of the postings…BUT…. my Internet Explorer “Favorites” are still hidden. How do I unhide them???

  86. Rene says:

    One tip to aid in removal is to rename your malwarebytes because the virus will block startup of the program. I renamed it virus.exe and I was able to start the program. Everything is still gone on my computer, but computer guy will be here this morning!

  87. john says:

    this is one mean ugly virus – people who do this sort of thing should be terminated.
    After hours, I too have recovered – except the quick link and taskbar is still messed up. Also IE not working reliably as when I go to certain sites I seem to be redirected to some other site not related whatsoever (but I’m not getting hurt – see below)

    I have now backed up Outlook and OneNote and some other data files and hopefully I will be able to go back to a clean state using a Pandora image. I am runnin XP – the windows restore points would not work – because one of my drives was not set for restoring – or something – goes through the whole thing and then after reboot – pops up a message about restore not successful.

    I have malware and it did not detect it. Ditto for security essentials – you just can’t rely on these programs – since these bugs are introduced by sites that have been hijacked and when you go visit them – you end up clicking on a link and you’re off to see the wizard.

    The only protection (using IE) is to turn on security to HIGH!!! and always browse that way – then scripts won’t be able to run and do their nasty deeds. Eventually you slip and open yourself to attack. The only way around that is to individually add each site to your trusted zone. Then you switch to medium security and before you know it you are googling for something (mortgage calculator) – and end up in some strange site and it’s all over.

    This even hijacked an external usb drive and turned it into hidden. It takes minutes for a recursive attrib – command to clear things up – so I just don’t know when or how this program did this without me noticing. I just remember the hard drive failure restore fake pop up and I immediately shut the system down and rebooted in safe mode.

    let’s see if this goes thru..

  88. TK says:

    Is there a list of the payload actions taken by this infecting agent somewhere that I can cross-check for restoring my system ?

    Was largely able to recover from this infection using instructions found at counterpart forums at teesupport and bleepingcomputer.
    They describe both how to manually disable and precisely remove the infection and then reverse the damages the infection made, which is useful because I suspect virus scans/removal do little about the last part.
    There were a few changes to my system presumably made by the infection that are not mentioned, however.

    Which brings me to one of my few remaining problems — no access to the internet.
    Can connect to other computers on my network (filesharing, router login, etc.), but not to the internet itself, be it for web, ftp, Email, etc.
    Beyond the lists of things to restore from the links above, I found that the DNS address numbers had been removed and restored them. I’ve gone through all the settings I can find and internet access remains locked out. If there’s another malicious or misset registry key somewhere, I wouldn’t know what it is, so I’m wondering, is there a list of the actions taken by this infecting agent that I can cross-check ?

    Have run “unhide.exe”.

    I did find an infection of TDSS rootkit and removed it with the Kaspersky utility. Notably, perhaps because I haven’t run virus scans yet, the TDSS rootkit returned and was found and “removed” by the Kaspersky utility a second time.

    Have not been able to run virus scans yet because I can’t install the software without internet access (why can’t they put the whole thing in the downloaded installer ??).

    Everyone missing Start Menu, Desktop and QuickLaunch items can find them in the folder:
    C:\Documents And Settings\[User Account]\Local Settings\Temp\smtmp
    The infection moved those items there and left empty copies of any folders behind.

  89. ErebusAres says:

    After Killing The Virus (Using Task Manager)
    Create A New Notepad, and save it as: Fixer.bat
    (Creating a Batch File)
    Then Right-Click, And Select Edit.

    Paste This Inside, and it will do the work for you.

    –Note–: This Hasn’t Been Fully Tested Yet.
    –Note–: All “Coding” Done By (Me) ErebusAres
    –Note–: If This Causes Your Computer To Mess Up In Any Way, You Chose To Run It, And I Take No Responsibility.

    ::Start After This::
    @echo off
    title Windows XP Recovery Fixer v5 – BY: ErebusAres
    echo Fixing: C Drive
    attrib /d -h c:\windows
    attrib /d -h “c:\Documents and settings”
    attrib /d -h “c:\Program Files”
    attrib /d /s -h “c:\Program Files\*”
    attrib /d -h c:\download
    attrib /d /s -h c:\download\*
    echo Fixing: Windows
    attrib /d /s -h c:\windows\*
    attrib /d /s -h c:\windows\system32\*
    echo Fixing: Documents And Settings
    attrib /d /s -h “c:\Documents and settings\*”
    attrib /d -h “c:\Documents and settings\%username%”
    attrib /d /s -h “c:\Documents and settings\%username%\*”
    attrib /d /s -h “c:\Documents and settings\all users”
    attrib /d /s +h “c:\Documents and settings\Default User”
    attrib /d /s +h “c:\Documents and settings\LocalService”
    attrib /d /s +h “c:\Documents and settings\NetworkService”
    echo Fixing: All Users
    attrib /d /s -h “c:\Documents and settings\all users\*”
    attrib /d +h “c:\Documents and settings\all users\Application Data”
    attrib /d /s +h “c:\Documents and settings\all users\DRM”
    attrib /d /s +h “c:\Documents and settings\all users\Templates”
    echo Fixing: Application Data
    attrib /d /s -h “c:\Documents and settings\all users\Application Data\*”
    attrib /d /s -h %appdata%\*
    attrib /d /s -h “%temp%\application data\*”
    echo Fixing: Start Menu
    attrib /d -h “c:\Documents and settings\all users\Start Menu”
    attrib /d /s -h “c:\Documents and settings\all users\Start Menu\*”
    attrib /d /s -h “c:\Documents and settings\all users\Start Menu\Programs\*”
    echo Removing Unwanted Windows Recovery Files
    echo y|del “c:\documents and settings\all users\application data\*.*”
    echo y|del %appdata%\*.*
    echo y|del %temp%\dfrgr
    echo y|del %temp%\dfrg
    echo y|del %tempdir%\dfrgr
    echo y|del %tempdir%\dfrg
    echo y|del “%desktop%\windows*.lnk”
    echo y|del “%programs%\windows*recovery\”
    echo y|del “%programs%\windows xp recovery\”
    echo y|rmdir “%programs%\windows xp recovery”
    echo y|del “%userprofile%\start menu\programs\windows recovery\*”
    echo y|rmdir “%userprofile%\start menu\programs\windows recovery”
    echo y|del %userprofile%\desktop\windows*.lnk
    echo Deleting Registry Entries
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings” /v “CertificateRevocation” /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings” /v “WarnonBadCertRecving” /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop” /v “NoChangingWallPaper” /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations” /v LowRiskFileTypes /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments” /v SaveZoneInformation /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v DisableTaskMgr /f
    reg del “HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System” /v DisableTaskMgr /f
    reg del “HKCU\Software\Microsoft\Internet Explorer\Download” /v CheckExeSignatures /f
    reg del “HKCU\Software\Microsoft\Internet Explorer\Main” /v “Use FormSuggest” /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v “Hidden” /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced” /v “ShowSuperHidden” /f
    reg del “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer” /v “NoDesktop” /f

    ::End Here::

  90. JP says:

    Has anyone else tried the email and activation code process recommended by Gelio and Beverly? I don’t understand the concept of using an email address and an activation code.

  91. Jeff says:

    Thanks to all of the comments! Nasty bugger virus! Started up in safe mode, Ran system restore, virus scan, blocked and right clicked the shadowed desktop items and unchecked hidden attributes, ran another virus scan. All seems good.

  92. txbullgod says:

    Robey, I got this after updating Adobe flash player. Cripple my computer in less than two hours. still trying to fix everything. Mcafee ran full scan, didnt find anything, malwarebytes is only success so far.

  93. Diana says:

    Been fighting this for weeks. After following all the above advice, was successful – or so I thought. After last reboot, got desktop pic but nothing else.

    Back to the beginning . . .

  94. TXBullgod says:

    Update: think I got it wiped out. Found this on Yahoo to get the start menu links back. Thanks to the person who posted it over there. If it was covered here, this will just be a repeat, if not, hope it helps you all get it squared away:

    “Best Answer – Chosen by Voters
    After running the unhide tool you may still be missing most of your start menu shortcuts… They can be found in a folder named smtmp inside:

    (XP)- C:\Documents and Settings\Username\Local Settings\Temp
    (W7)- C:\Users\Username\AppData\Local\Temp

    You might see a few numbered folders inside smtmp. One is for the items in All Users\Start Menu folder, one is quick launch items and one is the desktop item

    You should see shortcut icons inside them. You should see a long list of folders in one of the three numbered folders. This would be your start menu. Just copy and paste that long list of folders to the right location

    I have had this problem In my case there were three numbered folders inside C:\Documents and Settings\Username\Local Settings\Temp\smtmp folder. The folders were numbered 1, 2 and 4.

    Inside the 1 folder was a folder named “Programs.” This folder should be copied / pasted to (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs but it is safe to overwrite it since Windows will replace the sub folders without creating duplicates.

    Inside the 2 folder (for me) were the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch.

    Inside the 4 folder were the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.”

  95. Danny says:

    I just wanted to Thank all the terrific people who have helped those of us impacted by this horrible nightmare virus. Like many others, I used the Bleeping Computers website to fix my PC and it worked like a charm. Congrats to those folks and the people at Malwarebytes for being on top of this. My stupid RPS antivirus saw nothing.

    And and a big Thanks to Gelio, who I believe was the first person to discover and post, that the start menu items could be found and restored from the SMTMP folder, found in the Local or Local settings folder. Now, someone mentioned the possibility that it may be accessed through the Adobe Update page. I do indeed remember seeing that pop up around the time I started receiving the first garbage messages about my hard drive etc.

    Now….to someone’s point about tracking down and prosecuting the criminals behind this……This is a major criminal act and I have no idea how many people have and will be impacted by these pigs who knew full well the horrible harm they were inflicting. There are probably thousands of people who have lost terribly important and irreplaceable files and data, most of whom are safe surfers and have expensive anti-virus software running on their systems. I also believe that the trauma caused to many of these people is as awful. I really hope someone in law enforcement initiates some sort of investigation…..

    Thanks again to all those who have helped !!

  96. Jamie says:

    Hi, I have gotten this life ruining virus or whatever it is and spent the past 2 days on my PC ignoring my kids and crying because I am an idiot and did not put our families pictures from the past few years on a CD or usb stick….I originally did a system restore, but my screen saver and a few things came back, but all my pics docs etc were gone!I finally after hours of research was able to unhide them…THANK GOD… I thought they were gone forever, I was about to be hospitalized for a anxiety attack, it was that serious. Anyway how do you make the unhidden photos look unhidden they are like faded or something? also I ran the malware and rootkill and tdd thing but I still think i have the Trojan how do I know? thanks to all who care :)

  97. Kim Hartshorn says:

    Currently you are only viewing files that are still hidden. In order to unhide them right click the highest level folder that is still hidden that contains the hidden folders and select properties. You can then uncheck the ‘hidden’ attribute at the bottom of the properties box. You will get a prompt that asks if you want to unhide everything within that folder and just answer yes.

  98. Kim Hartshorn says:

    unhide.exe in the dos commands did not work for me for some reason?

  99. JACKIE says:

    ANSWER FOR how do you make the unhidden photos look unhidden they are like faded or something?

  100. shadow says:

    Thanks a lot.

  101. jestonelso says:

    I got the bug! Some faker virus is ruining my life and my computer. Any new developments in getting rid of it, restoring my system back to the way I had it before 11-30-2011. Can’t see my Start programs and no matter what I do, what antiviral programs I run, it just keeps coming back and changing stuff after I reboot. Help!!!

  102. Raphael Santos says:

    Hey guys, for those which managed to removed the virus but are missing the start menu items, here is what I found out:

    right click on start menu -> properties -> start menu -> customize

    All default items are there, just change the tick from “Don’t display this item” to “Display as a link”

  103. Computer Repair Redding says:

    Great post! I have been looking for a source to remove this infection for days…Thanks for sharing!

Leave a Reply

Your email address will not be published. Required fields are marked *