Andreas Gieryic

asked on

“ALL PROGRAMS” folder is empty after removing bogus AV program called "Windows Recovery"

I have a PC that is infected with a bogus antivirus program called "Windows Recovery".
- PC is running XP Pro SP3
- This program blocked all options to disable the software (Task Manager, MalwareBytes). Required booting the PC in Safe Mode to troubleshoot.
- From a “RUN” command, I typed “mbam.exe” to execute MalwareBytes. It failed to update; required downloading the latest database from a known good PC and applying it to this infected PC. Ran a full scan. MalwareBytes removed all related entries. Rebooted.
- Upon reboot, the "All Programs" folder is empty and the screen is blank.
- Installed and ran "ComboFix". However, ComboFix would not update properly, but it did run, to no avail.
- Performed a “system restore” to an earlier known good date. Did not resolve the issue.
- Attempted to download a possible patch from Microsoft, but it would not execute.

I know there are several related issues on the web but not one that appears to be helpful. I’m trying to avoid a rebuild.

SOLUTION (Paul MacDonald)
This solution is only available to members.
ASKER (Andreas Gieryic):

paulmacd: true, I failed to mention above that I did see the actual folders and files, but the menus were blank. I'll try your suggested link.
You may or may not choose to use their suggested removal software - that's up to you. The bottom of the page has references to several file system locations and registry entries that can be edited by hand to remove the annoyance.
paulmacd: I tried the suggestion, but no luck.

ZombieAutopsy: your suggestion points to Vista systems. However, I tried unchecking the hidden options manually under the Start menu. Rebooted the PC. I now have some of the All Programs entries, but the desktop still has no icons. When I go to the icons folder, the shortcuts are there, but they won't appear on the desktop.

I'm going to try and perform an XP repair.
paulmacd: MalwareBytes already cleaned out the entries mentioned at the bottom.
You went through ALL the registry settings on that page? There are at least two that deal with (un)hiding files on your computer (including items on your desktop/start menu)...
I did. Most of the entries were there to remove. A few were not.
Odd - I've used that process several times and it's always worked for me. Are you sure the malware isn't still running/installed somewhere?
SOLUTION
This solution is only available to members.
The Windows XP Repair didn't help.

RogueRemover felt like option 6 worked, but it didn't work.

Here's what I started doing:
- I created a new user profile and copied over all the original Favorites, Desktop items and My Documents. Favorites don't work. Even if I try to remove, add and remove the hidden attributes, it fails.

- Even though I lost no data, I keep finding more things that are hidden.
- It looks like I will need to back up all data and rebuild the PC.
Thanks tz.

agieryic -
The detailed instructions from "Grinler" should help you.
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Note step number 17 to use "unhide.exe".

You can try just using that, but you may want to go through his entire checklist (from the start) - just to be sure you've got everything.
agieryic -
I doubt that you are going to be able to fix this without following the detailed instructions from here:
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Note that there are three phases to fixing most of these variants.
1. Kill the rogue process (allows the scanner to fully function).
2. Run the scanner.
3. Run the unhide.exe (or other special tool) to fix the various other symptoms.
Worst case, you can open a command prompt and type:
C:
CD \Documents and Settings
ATTRIB -H /S /D

That will unhide everything that isn't a hidden system file for all the users on the computer.
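As an added example (not part of the thread or of any tool mentioned in it), the following PowerShell script does the same job as the ATTRIB command above but more selectively: it walks the profile root, clears the Hidden attribute only on items that are not also marked System (so legitimate OS metadata such as desktop.ini and NTUSER.DAT is left untouched, which is also why plain ATTRIB -H skips them), logs every change, and supports a dry run. It then sets the two Explorer view values that control whether hidden and protected files are displayed at all. Assumptions: PowerShell 2.0 installed on the XP SP3 box, an administrator prompt, and the default XP profile root of C:\Documents and Settings; the parameter names are this example's own.

```powershell
# Added example, not from the original thread: selective equivalent of
#   C:  /  CD \Documents and Settings  /  ATTRIB -H /S /D
# Assumes PowerShell 2.0 on XP SP3 and an administrator prompt.
param(
    [string]$Root = 'C:\Documents and Settings',   # assumed XP profile root
    [switch]$WhatIf                                 # report only, change nothing
)

$hiddenBit = [int][IO.FileAttributes]::Hidden
$systemBit = [int][IO.FileAttributes]::System
$changed   = 0
$skipped   = 0

# -Force is required, otherwise Get-ChildItem does not return hidden items.
Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $attr = [int]$_.Attributes
        if (($attr -band $hiddenBit) -eq 0) { return }   # not hidden, nothing to do

        if (($attr -band $systemBit) -ne 0) {
            # Hidden+System is legitimate OS metadata (desktop.ini, NTUSER.DAT, ...);
            # leave it alone rather than blindly stripping the bit.
            $skipped++
            return
        }

        if ($WhatIf) {
            Write-Host "Would unhide: $($_.FullName)"
        } else {
            # Clear only the Hidden bit; keep ReadOnly/Archive/etc. as they were.
            $_.Attributes = [IO.FileAttributes]($attr -band (-bnot $hiddenBit))
            Write-Host "Unhid: $($_.FullName)"
        }
        $changed++
    }

Write-Host "Hidden items processed: $changed; Hidden+System items left alone: $skipped"

# Explorer view settings (per user, no reboot needed):
#   Hidden          = 1 -> show hidden files and folders (2 = do not show)
#   ShowSuperHidden = 1 -> show protected operating system files
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (-not $WhatIf) {
    Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
}
# Print the current values so the operator can confirm the change took.
Get-ItemProperty -Path $adv | Select-Object Hidden, ShowSuperHidden
```

Run it first with -WhatIf to see what would be unhidden; if the list contains things that should stay hidden, the rogue's attribute changes are not the only problem and the checklist above still needs to be followed from the start. Because the script runs as the logged-on user, the registry part only fixes that user's profile; repeat it for each affected account.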
ASKER CERTIFIED SOLUTION
This solution is only available to members.
younghv:
You provided an incredible amount of great information and resolutions. I consider myself an expert at removing malware but not anywhere near your level.

It’s amazing how one works with this every day, as I do, and never takes for granted that it’s possible to fix every issue. When I get a call from a client who received an infection, mostly fake AV programs, I ask them never to reboot until I can either remotely log on or come onsite in person. The first thing I try is “Task Manager” to kill the bogus process and search some of the obvious folders. If I can’t find anything manually, the adventure begins. I use most of the tools and some of the processes you mentioned, but not all – but now I know more from posts like yours.

In this scenario, trying to recover from the damage done by “Windows Recovery”, I ran out of time. Since this particular PC’s data was easy to recover, I had to back it up, reformat and rebuild the O/S, and restore all its data.

Your suggestions are outstanding. I have documented them for use in my next similar scenario.

I have one question that I always wanted to post: “What would have actually happened if one did let the “fake AV” program run its course and one paid the fee for this bogus AV program?” Would the fake program actually reverse the damage done, at which time one could then try to remove the fake AV program? Of course, either way, the user could dispute the charge. I’m very curious.

@agieryic,
Thank you for the comments.

My entire background for IT was with an organization (Semper Fi) that doesn't allow any attempts at repair.

Infected systems are immediately 're-imaged' (data back-up is the user's responsibility) and handed back to the user.

What I have learned here on EE over the past few years has been an eye-opener - to say the least.
My primary teacher here on EE has been rpggamergirl (https://www.experts-exchange.com/M_3598771.html) who understands this stuff down to the nano-level. Read some of her comments in malware questions and I'm sure you'll agree.

About your last question - this 'stuff' is called "Ransomware" or "Scamware" by a lot of people.

The only function is to get the user to give up their credit card information - where the least that will happen is a charge for the 25-30 bucks they're asking...but the charges could be much worse.

The malware is a scam as is the "repair". Nothing will happen after you pay, except that you will be out the money.

There are a couple of these variants that you have to let run in the background as you're doing the actual repair.

On the bright side, there are several "White Hats" out there creating the tools to fight this stuff - and since I rely on their work to run my current business (Computer Repair) I make it a point to donate to these guys every year.

One of these good guys is a member of EE (Tigzy) who wrote the program named "RogueKiller" (https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)).

I always encourage others to donate to these folks as a way of saying thank you for the work they're doing.

I hope this answered your last question.
Excellent and extremely helpful feedback. Thanks for all your help.