We have been seeing alot of infected computers this week that have varients of the Windows Recovery Malware. The various antivirus progams out there dont seem to be catching it, and while antispyware programs such as malwarebytes and spybot will find and remove the malware, the infected computer is left with all files hidden on the desktop and C: drive, as well as no shortcuts on the start menu. There is a bit of cleanup that needs to be done manually in order to restore the computer back to its previous state, but fortunately its relatively easy.
First off, we are going to need to gain access to the internet in order to download the tools we need. Unfortunately without your desktop shortcuts or the start menu, this can appear difficult. The first thing is to check the quick launch area next to the start button for a shortcut to your browser. If there isnt one there, you will need to go to “Start” then “Run” and type in “iexplore.exe”. This should bring up internet explorer
Next step is to kill the malware process. There is a utility called “RKILL” which you can download from: http://www.bleepingcomputer.com/download/anti-virus/rkill RKILL will stop the malware from running untill next time you reboot and allow you download and run malwarebytes.
After you have disabled the malware, it is time to remove it. Download, UPDATE, and run malwarebytes from http://www.malwarebytes.org Perform a quick scan, then remove the items it finds. A reboot will be required when it finishes.
After the reboot, you will find you still have no files or start menu shortcuts. Dont fear, the files are there, but they are hidden. The start menu shortcuts have been moved but can be copied back. The first thing you will need to do is to change your windows explorer view to show hidden and system files. You should now see your files again, but they are still hidden and will appear slightly greyed. You could try changing the attributes manually on all your files, but there is a utility called “unhide.exe” that will do this for you and makes the job much easier. Download and run Unhide.exe, but disregard the message at the end about re-running it without antivirus to bring back the shortcuts. That is the next step. Unhide.exe is available at: http://download.bleepingcomputer.com/grinler/unhide.exe
To fix the last piece of this puzzle, we need to get the start menu shortcuts back. Open windows explorer and look for the following folder: %userprofile%local settingstempSMTMP You will notice there are a couple folders in here. The folder named “1” corresponds to the start menu. “2” is the quick launch, and “4” appears to be the desktop. Quick launch and desktop shortcuts dont get affected though so all we need is the “1” folder. For XP, copy the contents of “1” into C:Documents and SettingsAll UsersStart menu For Windows 7 machines copy the contents of “1” into C:ProgramDataMicrosoftWindowsStart Menu
Finally, check the desktop for a “XP Restore” shortcut and delete it. Also remove the “Windows xp restore” folder and 2 shortcuts from the start menu.
Now your computer should look like it did before it got infected. If you are unable to change your wallpaper or run task manager, download, install, update and run Spybot. This should reverse the local policies that were installed to block these items. You will also want to perform a full scan with malware bytes and your antivirus software at this point to catch anything else that may be lurking on your system.