[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


How do I remove the Windows Recovery Virus

Posted on 2011-05-06
Medium Priority
Last Modified: 2013-12-09

My clients XP Laptop is infected with the 'Windows Recovery' Virus.

I can not access Task Manager or any files on the C:\ drive - containing important business data.

I researched the web and found:


One of the sites that seemed to make sense.

I tryed executing rkill, and several renamed versions, and get sporadic results. It finds differnent files to derminate - none ending with the desired result. I can not install Malwarebytes - no matter what I do.

I also saw - via the web,  a mention for GridinSoft - Trojan Killer. It scares me - I don't know who to trust. Everybody wants you to execute something from there web site that's going to solve all your problems.

I know this virus is hiding items and disabling everything of any value.

Any suggestions????

Question by:GeeMoon
  • 4
  • 3
LVL 38

Accepted Solution

younghv earned 2000 total points
ID: 35707322
"Grinler" is one of the best anti-malware minds in the business.
You can trust his advice.


If none of the versions of "RKill" are working for you (there are 7 of them) try these two (same function, different programs):


Download TheKiller to your Desktop

Note that TheKiller is renamed as explorer.exe
Run it by double click
Press OK button after program finish
Do not restart your system after this step, but immediately run the next scan: MalwareBytes

Also read my EE Articles about this:

http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Author Comment

ID: 35709012
Thanks YoungHV for your quick response.

Here's where I am at.

I tried every rkill file from Grinler. No success
It appears that I was able to run Spybot and remove some items - w/in Safe Mode
I returned to the original profile and discovered I was able to access Task Manager.
I saw a service - 17882916.exe that I shut down - it removed the the Windows Recovery window from the destop - not much else. Still in bad shape.

I accessed your suggested link to Rogue Killer - Installed/executed - it appears to be successful.I was able to remove a file named mwstsmmruioi.exe
I attempted to install Malwarebytes for the 100th time - no success
I decided to try installing to an alternate directory - after reading access denied errors - Success.
I was able to remove 14 infections.

It appears that the pop ups are gone, but, I am still unable to view any progam files from the start menu or see any desktop icons. I can rht clk Start - Explore and unhide directories to view. It is obvious that this virus was able to globally hide everything.

Any suggestions on how to globally unhide all directories? Could I get into trouble if I unhide the parent directories one by one w/in C:\ ?
LVL 38

Expert Comment

ID: 35709070
Yes, I will post a link to the Global Unhide.
There is a good one from Kaspersky.
You should also try the other Menu Items from Rogue Killer
(3, 4, 5, 6)
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

LVL 38

Expert Comment

ID: 35709088
Here is one to try, still looking for the other:


Author Comment

ID: 35709850
I finished the Rogue Killer options and the unhide.exe.

Yes, it did unhide folders w/in the C:\ drive. Thank you.

The desktop icons still are missing along with the partial start programs menus. The first layer appears w/o any executable programs. I bet permission were messed with. I am wondering if I should try to restore prior to the infections - now that they are no longer there to interfere.
LVL 38

Expert Comment

ID: 35710235
Try this one:

In Windows Explorer, navigate to your Desktop Folder
Select all
Right-click on 'Properties"
De-Select 'Hidden'.

Author Closing Comment

ID: 35729672
Thank you YoungHV for all your help.

I tried all your suggestions. They allowed me to gain access to important data. This was the most important task to acheive. I was executing a cheesy MS backup to a flash drive. The backup file was there, but, when I tried to restore, there was no data. Later on I realised that all the data was hidden - carrying the hide attribute.

Currently, the system is too far gone to repair. I am still having hiding issues, amongst others. I attempted to restore to past recovery backup dates - no success. I attempted to repair with the XP CD - no success. I decided enough is enough. I restored all the data to a separate PC, valided it with my client and wiped the original system.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million…
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question