Solved

“ALL PROGRAMS” folder is empty after removing bogus AV program called "Windows Recovery"

Posted on 2011-05-10
Last Modified: 2013-11-22

I have a PC that is infected with a bogus antivirus program called "Windows Recovery".
- PC is running XP Pro SP3
- This program blocked all options to disable the software (Task Manager, MalwareBytes). Required booting the PC in safe mode to troubleshoot.
- From a "RUN" command, I typed "mbam.exe" to execute MalwareBytes. It failed to update; this required downloading the latest database from a known good PC and applying it to this infected PC. Ran a full scan. MalwareBytes removed all related entries. Rebooted.
- Upon reboot, the "All Programs" folder is empty and the screen is blank.
- Installed and ran "ComboFix". However, ComboFix would not update properly, but it did run, to no avail.
- Performed a "system restore" to an earlier known good date. Did not resolve the issue.
- Attempted to download a possible patch from Microsoft but it would execute.

I know there are several related issues on the web but not one that appears to be helpful. I’m trying to avoid a rebuild.

Question by:agieryic
19 Comments
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 300 total points
ID: 35730499
It's not empty - they're hidden.  Follow the directions on this page:
http://www.spywarevoid.com/remove-windows-recovery-windowsrecovery-removal-steps.html
LVL 1

Author Comment

by:agieryic
ID: 35730563
paulmacd: True, I failed to mention above that I did see the actual folders and files, but the menus were blank. I'll try your suggested link.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35730572
You may or may not choose to use their suggested removal software - that's up to you.  The bottom of the page has references to several file system locations and registry entries that can be edited by hand to remove the annoyance.
LVL 1

Author Comment

by:agieryic
ID: 35730837
paulmacd: I tried the suggestion but no luck.

ZombieAutopsy: your suggestion points to Vista systems. However, I tried unchecking the hidden options manually under the Start Menu. Rebooted the PC. I now have some of the All Programs entries, but the desktop still has no icons. When I go to the desktop folder, the shortcuts are there, but they won't appear on the desktop.

I'm going to try and perform an XP repair.
LVL 1

Author Comment

by:agieryic
ID: 35730862
paulmacd: MalwareBytes already cleaned out the entries mentioned at the bottom of that page.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35730865
You went through ALL the registry settings on that page?  There are at least two that deal with (un)hiding files on your computer (including items on your desktop/start menu)...
LVL 1

Author Comment

by:agieryic
ID: 35730944
I did. Most of the entries were there to remove. A few were not.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35730959
Odd - I've used that process several times and it's always worked for me.  Are you sure the malware isn't still running/installed somewhere?
LVL 30

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 300 total points
ID: 35731067
Read younghv's article on Rogueremover:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html

Run the scan (option 1).
I believe option 6 may solve your problem.
LVL 1

Author Comment

by:agieryic
ID: 35732358
The Windows XP Repair didn't help.

The RogueKiller run felt like option 6 worked, but it didn't.

Here's what I started doing:
- I created a new user profile and copied over all the original Favorites, Desktop items and My Documents. Favorites don't work. Even if I try to remove, add and remove the hidden attributes, it fails.

- Even though I lost no data, I keep finding more things that are hidden.
- It looks like I will need to back up all data and rebuild the PC.
LVL 38

Expert Comment

by:younghv
ID: 35733200
Thanks tz.

agieryic -
The detailed instructions from "Grinler" should help you.
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Note step number 17 to use "unhide.exe".

You can try just using that, but you may want to go through his entire checklist (from the start) - just to be sure you've got everything.
LVL 4

Expert Comment

by:JohnDecker
ID: 35753331
LVL 38

Expert Comment

by:younghv
ID: 35753380
agieryic -
I doubt that you are going to be able to fix this without following the detailed instructions from here:
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Note that there are three phases to fixing most of these variants.
1. Kill the rogue process (allows the scanner to fully function).
2. Run the scanner.
3. Run the unhide.exe (or other special tool) to fix the various other symptoms.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35753775
Worst case, you can open a command prompt and type:
C:
CD \Documents and Settings
ATTRIB -H /S /D

That will unhide everything that isn't a hidden system file for all the users on the computer.
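The ATTRIB command above, and step 3 ("run unhide.exe") of the three-phase process younghv describes, both do the same thing: clear the Hidden attribute that this rogue sets on the user's own files while leaving genuinely hidden system files alone. The PowerShell script below is an added example for this thread, not code from the thread or from any of the tools it links (unhide.exe, RogueKiller, RKill). It assumes PowerShell 2.0 or later running as an administrator, and it defaults to the Windows XP profile root named above; the -Root and -WhatIf parameters, the log file name and the counter output are this example's own choices. Unlike a bare ATTRIB run it previews with -WhatIf, logs every path it touches (useful evidence of how far the infection reached), and explicitly skips anything carrying the System attribute, so desktop.ini and similar files stay hidden.

```powershell
# Added example (not from the thread): clear the Hidden attribute on files and
# folders under a profile root, skipping anything that also carries the System
# attribute. Assumes administrator rights and PowerShell 2.0+ on Windows XP.
param(
    [string]$Root = 'C:\Documents and Settings',   # XP profile root (assumption)
    [switch]$WhatIf                                # preview only, change nothing
)

$log = Join-Path $env:TEMP 'unhide-log.txt'        # log location is an assumption
$unhidden = 0
$skippedSystem = 0

# -Force makes Get-ChildItem return hidden items; errors on locked/ACL-protected
# paths are suppressed so one bad folder does not abort the whole pass.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

foreach ($item in $items) {
    $attr     = $item.Attributes
    $isHidden = ($attr -band [IO.FileAttributes]::Hidden) -ne 0
    $isSystem = ($attr -band [IO.FileAttributes]::System) -ne 0

    if (-not $isHidden) { continue }

    if ($isSystem) {
        # Real hidden system files (desktop.ini, NTUSER.DAT, ...) are left alone,
        # matching ATTRIB's behaviour of not touching Hidden+System items.
        $skippedSystem++
        Add-Content -Path $log -Value "SKIP (system): $($item.FullName)"
        continue
    }

    if ($WhatIf) {
        Add-Content -Path $log -Value "WOULD UNHIDE: $($item.FullName)"
    } else {
        # Clear only the Hidden bit; every other attribute is preserved.
        $item.Attributes = $attr -bxor [IO.FileAttributes]::Hidden
        Add-Content -Path $log -Value "UNHID: $($item.FullName)"
    }
    $unhidden++
}

"Hidden items processed: $unhidden (WhatIf: $($WhatIf.IsPresent))"
"Hidden+System items skipped: $skippedSystem"
"Log written to: $log"
```

Run it first as `.\unhide-profile.ps1 -WhatIf` and read the log: if the preview lists thousands of entries under Start Menu, Desktop and Favorites, that is consistent with this rogue's behaviour, while a very short list suggests the attributes are not the reason the menus are empty and the infection is worth chasing further before treating symptoms, as the accepted solution below argues. If the execution policy blocks the script, run it with `powershell -ExecutionPolicy Bypass -File .\unhide-profile.ps1`.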
LVL 38

Accepted Solution

by:younghv
younghv earned 1400 total points
ID: 35754482
Based on the comments in the original post:
- "ALL PROGRAMS" folder is empty after removing bogus AV program called "Windows Recovery"
- From a "RUN" command, I typed "mbam.exe" to execute MalwareBytes. It failed to update.
- Upon reboot, the "All Programs" folder is empty and the screen is blank
- However ComboFix would not update properly but it did run to no avail
- attempted to download a possible patch from Microsoft but it would execute.
**************************

It is fairly certain that the infection has not been completely removed.
This is not a situation in which we should be treating "symptoms".

You should run the full set of removal instructions - posting ALL scanner logs for us to review.

If you wish, you may substitute "RogueKiller" for "RKill" (same basic function, but with additional options).

The detailed instructions from "Grinler" should help you.
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Additional details in a couple of my EE Articles:
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
LVL 1

Author Comment

by:agieryic
ID: 35764325
younghv:
You provided an incredible amount of great information and resolutions. I consider myself an expert at removing malware but not anywhere near your level.

It's amazing how one works with this every day as I do and never takes for granted that it's possible to fix every issue. When I get a call from a client who received an infection, mostly fake AV programs, I ask them never to reboot until I can either remotely log on or come onsite in person.  First thing I try is "Task Manager" to kill the bogus process and search some of the obvious folders. If I can't find anything manually, the adventure begins.  I use most of the tools and some of the processes you mentioned but not all - but now I know more from posts like yours.

In this scenario, trying to recover from the damage done by "Windows Recovery", I ran out of time. Since this particular PC's data was easy to recover, I had to back it up, reformat and rebuild the O/S and restore all its data.

Your suggestions are outstanding. I have documented them for use in my next similar scenario.

I have one question that I always wanted to post. "What would have actually happened if one did let the 'fake AV' program run its course and one would pay the fee for this bogus AV program?" Would the fake program actually reverse the damage done, at which time one could then try to remove the fake AV program? Of course, either way, the user could dispute the charge. I'm very curious.
LVL 38

Expert Comment

by:younghv
ID: 35764481
@agieryic,
Thank you for the comments.

My entire background for IT was with an organization (Semper Fi) that doesn't allow any attempts at repair.

Infected systems are immediately 're-imaged' (data back-up is the user's responsibility) and handed back to the user.

What I have learned here on EE over the past few years has been an eye-opener - to say the least.
My primary teacher here on EE has been rpggamergirl (http://www.experts-exchange.com/M_3598771.html) who understands this stuff down to the nano-level. Read some of her comments in malware questions and I'm sure you'll agree.

About your last question - this 'stuff' is called "Ransomware" or "Scamware" by a lot of people.

The only function is to get the user to give up their credit card information - where the least that will happen is a charge for the 25-30 bucks they're asking...but the charges could be much worse.

The malware is a scam as is the "repair". Nothing will happen after you pay, except that you will be out the money.

There are a couple of these variants that you have to let run in the background as you're doing the actual repair.

On the bright side, there are several "White Hats" out there creating the tools to fight this stuff - and since I rely on their work to run my current business (Computer Repair) I make it a point to donate to these guys every year.

One of these good guys is a member of EE (Tigzy) who wrote the program named "RogueKiller" (http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)).

I always encourage others to donate to these folks as a way of saying thank you for the work they're doing.

I hope this answered your last question.
LVL 1

Author Closing Comment

by:agieryic
ID: 35764881
Excellent and extremely helpful feedback. Thanks for all your help.