How do I remove the Windows Recovery Virus

Posted on 2011-05-06
Last Modified: 2013-12-09

My client's XP laptop is infected with the 'Windows Recovery' virus.

I cannot access Task Manager or any files on the C:\ drive, which contains important business data.

I researched the web and found:

One of the sites that seemed to make sense.

I tried executing rkill, and several renamed versions, and get sporadic results. It finds different files to terminate - none ending with the desired result. I cannot install Malwarebytes - no matter what I do.

I also saw - via the web - a mention of GridinSoft Trojan Killer. It scares me - I don't know who to trust. Everybody wants you to execute something from their web site that's going to solve all your problems.

I know this virus is hiding items and disabling everything of any value.

Any suggestions????

Question by:GeeMoon
    LVL 38

    Accepted Solution

    "Grinler" is one of the best anti-malware minds in the business.
    You can trust his advice.

    If none of the versions of "RKill" are working for you (there are 7 of them) try these two (same function, different programs):

    Download TheKiller to your Desktop

    Note that TheKiller is renamed as explorer.exe
    Run it by double click
    Press OK button after program finish
    Do not restart your system after this step, but immediately run the next scan: MalwareBytes

    Also read my EE Articles about this: (Stop-the-Bleeding-First-Aid-for-Malware) (Rogue-Killer-What-a-great-name) (Basic Malware Troubleshooting)

    Author Comment

    Thanks YoungHV for your quick response.

    Here's where I am at.

    I tried every rkill file from Grinler. No success
    It appears that I was able to run Spybot and remove some items - w/in Safe Mode
    I returned to the original profile and discovered I was able to access Task Manager.
    I saw a service - 17882916.exe - that I shut down. It removed the Windows Recovery window from the desktop - not much else. Still in bad shape.

    I accessed your suggested link to Rogue Killer - installed/executed - it appears to be successful. I was able to remove a file named mwstsmmruioi.exe
    I attempted to install Malwarebytes for the 100th time - no success
    I decided to try installing to an alternate directory - after reading access denied errors - Success.
    I was able to remove 14 infections.

    It appears that the pop-ups are gone, but I am still unable to view any program files from the Start menu or see any desktop icons. I can right-click Start - Explore and unhide directories to view. It is obvious that this virus was able to globally hide everything.

    Any suggestions on how to globally unhide all directories? Could I get into trouble if I unhide the parent directories one by one w/in C:\ ?
    LVL 38

    Expert Comment

    Yes, I will post a link to the Global Unhide.
    There is a good one from Kaspersky.
    You should also try the other Menu Items from Rogue Killer
    (3, 4, 5, 6)
    LVL 38

    Expert Comment

    Here is one to try, still looking for the other:

    Author Comment

    I finished the Rogue Killer options and the unhide.exe.

    Yes, it did unhide folders w/in the C:\ drive. Thank you.

    The desktop icons are still missing, along with the partial Start programs menus. The first layer appears without any executable programs. I bet permissions were messed with. I am wondering if I should try to restore to prior to the infections - now that they are no longer there to interfere.
    LVL 38

    Expert Comment

    Try this one:

    In Windows Explorer, navigate to your Desktop Folder
    Select all
    Right-click and choose 'Properties'
    De-Select 'Hidden'.
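The Desktop steps above can be applied to any folder the rogue hid. The script below is an added example, not code from the thread; it assumes PowerShell 2.0 or later is installed (an optional download on XP), that the malware only set the Hidden attribute as the thread describes, and that it is run after the malware itself has been removed. It generalises the expert's Desktop-only step to any folder (for example the per-profile Start Menu) and leaves items Windows hides on purpose alone.

```powershell
# Added example (not from the thread): clear the Hidden attribute that the
# rogue set on a folder tree, skipping files Windows hides by design.
# Assumes PowerShell 2.0+ and that only the Hidden attribute was abused.
param(
    [string]$Root = "$env:USERPROFILE\Desktop",  # e.g. "$env:USERPROFILE\Start Menu"
    [switch]$Apply                               # omit -Apply for a report-only dry run
)

# Hidden/system by design; unhiding these is not part of the repair.
$keepHidden = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.dat.log',
                'ntuser.ini', 'pagefile.sys', 'boot.ini', 'ntldr', 'ntdetect.com',
                'System Volume Information', 'RECYCLER', '$Recycle.Bin')

$hidden  = [int][IO.FileAttributes]::Hidden
$found   = 0
$changed = 0
$skipped = 0

# -Force is required so that hidden files and folders are enumerated at all.
Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ([int]$_.Attributes -band $hidden) -ne 0 } |
    ForEach-Object {
        if ($keepHidden -contains $_.Name) {
            $skipped++
            return                      # next item; leave by-design hidden entries as they are
        }
        $found++
        if ($Apply) {
            # Drop only the Hidden bit; keep ReadOnly, Archive, Directory, etc. intact.
            $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $hidden))
            $changed++
            Write-Output ("unhid   {0}" -f $_.FullName)
        } else {
            Write-Output ("hidden  {0}" -f $_.FullName)
        }
    }

Write-Output ("{0} hidden item(s) found under {1}, {2} unhidden, {3} by-design hidden item(s) skipped" -f `
    $found, $Root, $changed, $skipped)
```

Run it once without -Apply and read the list; anything in it that you did not create (unexpected .exe files, for instance) should be handed to the scanner rather than unhidden.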

    Author Closing Comment

    Thank you YoungHV for all your help.

    I tried all your suggestions. They allowed me to gain access to important data. This was the most important task to achieve. I was executing a cheesy MS backup to a flash drive. The backup file was there, but when I tried to restore, there was no data. Later on I realised that all the data was hidden - carrying the hidden attribute.

    Currently, the system is too far gone to repair. I am still having hiding issues, amongst others. I attempted to restore to past recovery backup dates - no success. I attempted to repair with the XP CD - no success. I decided enough is enough. I restored all the data to a separate PC, validated it with my client and wiped the original system.
