Spyware, Viruses, & Security forum

Question

Windows Recovery Virus

by PepeSlevin / April 29, 2011 1:30 AM PDT

Hi,
My Laptop has become infected by a Windows Recovery Rogue Virus/Trojan, despite having Norton and Stopzilla installed. The laptop is an old Acer Aspire 9500, running off Windows XP.

I am not a techy, so patience please. I have downloaded PC Tools Spyware Doctor / Antispyware Software and PC Tools Registry Mechanic at some cost as their advertisement stated it would resolve the issue. However the Laptop always crashes before it has had chance to complete the scan.

I have also tried downloading RKILL a number of times but never seems to complete the download, again the laptop freezes/crashes. It also appears that Stopzilla is blocking the download, but could be wrong.

I have all my pictures on the laptop and with no backup (stupid I know) and would be happy if I could get rid of this virus/Trojan.

Hope someone out there would be able to help me. Thanks in advance.


All Answers

Answer
Windows Recovery Virus
by tzmaddawg / April 29, 2011 1:48 AM PDT
In reply to: Windows Recovery Virus

Here is what I did that worked.
1. I started in Safe Mode with Networking, logged in as Administrator
2. I downloaded "Super Anti Spyware". However, if saved to the default C:\Programs... it will not run. So I saved it to "My Documents", installed and ran the software. It found and fixed many problems.
3. Ditto for MalwareBytes. It also found and fixed many problems.
4. I rebooted and logged in normally, but the virus was still running.
5. I repeated 1 through 4 and also acquired "Trojan Killer" through CNET. It fixed issues not found by the other programs.
6. I rebooted and logged in normally. The virus appeared to be gone or at least disabled.
7. Many of my program icons remained as hidden files so I did a "System Restore" from a date two weeks back.
8. I then ran "Super Anti Spyware," MalwareBytes, Trojan Killer, Spybot Search & Destroy, and MS Security Essentials. Each program found different problems. Over 500 different problems were found and fixed.
9. After all that the system appears to be virus free. Time will tell.

Good luck to all. This is a pesky virus.

Answer
Recovering from Windows Recovery
by Carol~ Moderator / April 29, 2011 2:04 AM PDT
In reply to: Windows Recovery Virus

Pepe..

I would recommend FIRST removing Stopzilla. It has less than a stellar reputation. Additionally, we shy away from recommending registry cleaners. They tend to create more problems than they fix.

Follow ALL the steps in the below guide. Take special note of the following.

Step #2 states:

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Step #3 makes mention of the Rkill tool. Go to the download link provided, and read all that the author says about his Rkill tool.

Step #17 states, "This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop." The step includes a tool to "unhide" your files.

Remove Windows Recovery (Uninstall Guide)

Let us know how you make out..
Carol

Recovering from Windows Recovery
by PepeSlevin / April 30, 2011 2:54 AM PDT

Hi Carol,
Thanks very much for your quick reply.

So what I did today was to buy a Samsung 1TB hdd. I was finally able to download RKILL from my daughter's laptop and onto the hdd. From the hdd I then ran RKILL, which ran first time and apparently removed something by the name of C:/windows/system32/grpconv.exe.

From there I went on to download the Malware scan as suggested; here is where my luck ran out. The download had just completed when the laptop froze. As far as I understand, the malware scan should be done without redrafting the PC once the RKILL has been done. Is this correct and would you suggest starting from zero. I'm also concerned that I will be charged for the malware if and when I can get to scan my laptop.

Once again many thanks for your help.

Pep

A different approach..
by Carol~ Moderator / May 2, 2011 1:07 AM PDT

Pep..

Try the following. Remove what presently exists of Malwarebytes Anti-Malware (MBAM). Then use XP's Disk Cleanup Tool. You're going to download MBAM again, along with SUPERAntiSpyware (SAS).

Using your daughter's laptop, download the below MBAM installer file, along with the update file below it. They are direct links. Prior to transferring them, rename the installer. For example, rename the installer (mbam-setup.exe) to pepe.exe. Copy the two to your laptop. Once pepe.exe is installed, run the update file. Do the same with SUPERAntiSpyware. If you have a problem with SAS, you may also have to rename the installer.

Malwarebytes' Anti-Malware (MBAM) Installer
http://www.besttechie.net/tools/mbam-setup.exe

MBAM Updater link
http://data.mbamupdates.com/tools/mbam-rules.exe

SUPERAntiSpyware
http://www.superantispyware.com/

SAS Updater link
http://www.superantispyware.com/definitions.html

Some malware will change your settings to use a proxy server. In order to check it, open IE and go to Tools>Internet Options>Connections Tab. Click on the LAN settings button. If there is a check mark next to "Use a proxy server for your LAN", uncheck it. Click OK. Then OK again.

You wrote, "As far as I understand, the malware scan should be done without redrafting the PC once the RKILL has been done. Is this correct and would you suggest starting from zero."

As soon as Rkill's "window" closes, run one of the scans without a reboot in between. Otherwise, Rkill needs to be run again. If by saying "redrafting", you mean rebooting the computer, you are correct. If after scanning with MBAM or SAS, either finds anything, you will then need to reboot in order to complete the disinfection process.

You wrote, "I'm also concerned that I will be charged for the malware if and when I can get to scan my laptop."

I'm not sure if you mean, you will be charged by "Windows Recovery", or for one of the tools to remove it. ALL of the tools I suggested are FREE. There is NO reason to pay for any software, in order to remove it. I noticed in your original post, you noted you installed programs (and paid for them) because they advertised they would remove it. Pep, there are countless "rip offs" ( to put it bluntly) which advertise they will remove it, when in fact they won't.

If you meant Windows Recovery would charge you, please see where it states in the removal guide "what the infection does". In short:

'.... Windows Recovery will then prompt you to scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program. When you use the so-called defragment tool it will state that it needs to run in Safe Mode and then show a fake Safe Mode background that pretends to defrag your computer. As this program is a scam do not be scared into purchasing the program when you see its alerts..'

If for some reason we're unable to help at this forum, there are specialized forums we can refer you to, which are solely dedicated to removing malware. The diagnostic and removal tools used are ALL FREE. As are their services. There should be no need to pay for anything, at any point in time.

If you run into any problems along the way, please let us know.

Carol
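Two of the symptoms discussed in this thread, the rogue program switching Internet Explorer to a proxy server (Carol's LAN settings check) and the infection marking the user's files as hidden (step #17 of the guide), can both be inspected from a script instead of by clicking through dialogs. The PowerShell below is an added example and is not from the thread, the removal guide, or any of the tools named here; the `-Fix`, `-Unhide` and `-Root` switches are names chosen for this example. It reads the per-user WinINET proxy values that the IE dialog edits and lists user files carrying the Hidden attribute, and only changes anything when the switches are given.

```powershell
# Added example: report (and optionally clear) the IE/WinINET proxy setting
# and report (and optionally remove) the Hidden attribute on user files.
# Switch names and the default scan root are assumptions for this example.
param(
    [switch]$Fix,                      # clear the proxy setting if one is enabled
    [switch]$Unhide,                   # strip the Hidden attribute from user files
    [string]$Root = $env:USERPROFILE   # assumption: scan the current user's profile
)

# This is the key behind Tools > Internet Options > Connections > LAN settings.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

# ProxyEnable = 1 means the "Use a proxy server for your LAN" box is ticked.
if ($settings.ProxyEnable -eq 1) {
    Write-Output "Proxy is ENABLED, traffic goes via: $($settings.ProxyServer)"
    if ($Fix) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Output "Proxy setting cleared (restart the browser to apply)."
    }
} else {
    Write-Output "No LAN proxy configured."
}

# -Force makes Get-ChildItem return hidden items, which it skips by default.
# Files that also carry the System attribute (desktop.ini, ntuser.dat, ...) are
# hidden by Windows itself, so they are left out of the report and of -Unhide.
$hidden = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System)
    })

Write-Output ("{0} hidden user file(s) under {1}" -f $hidden.Count, $Root)
$hidden | Select-Object -First 20 | ForEach-Object { Write-Output "  $($_.FullName)" }

if ($Unhide) {
    foreach ($f in $hidden) {
        # Clear only the Hidden bit; keep ReadOnly, Archive and the rest untouched.
        $f.Attributes = $f.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
    }
    Write-Output "Hidden attribute removed from $($hidden.Count) file(s)."
}
```

Run it once without switches to see what the machine looks like, and compare the proxy address and the hidden-file count against what you expect before running it again with `-Fix` or `-Unhide`. Like the thread's own advice, this only undoes two side effects of the infection; the scanners Carol lists are still what removes it.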
