Solved: Windows Recovery Virus - Win7

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

friday123

Thread Starter
Joined
Apr 10, 2011
Messages
14
I had the Windows Recovery virus - it was removed by malware. Yeah! Problem now is that my C: drive is not showing.
My hard drive is divided into 2 parts: C:/ (all programs run from) and D:/ (Save), where all files are saved. The C:/ drive is invisible. If I go to My Computer, C:/ is missing. D:/ is fine. If I click on Computer it shows me the C:/ hard drive and the amount of space used (everything looks fine).

All programs are missing from the startup file.
My background picture is gone. etc. etc.
I can access the programs if I open a corresponding file from the D:/ (Save) drive.

I have researched fixes but all of them are for when the virus is still on your computer.

I just want my computer back!:(

I have Windows 7

Any help would be great!
 
Joined
Jul 22, 2006
Messages
8,450
I just dealt with this beast and noticed that it had marked most files in Docs as "hidden."
Rt-click the files/folders and select "Properties."
If they are marked "Hidden", uncheck.
 

friday123

Thread Starter
Joined
Apr 10, 2011
Messages
14
The problem is that my work files are fine (d: drive) I can see them and access them with no problem.
All my programs are hidden on the c: drive. They are hidden and I can't see them/ get to them.

If I want to use a program that I haven't used before (no saved file)
I can't access it.
 
Joined
Jul 22, 2006
Messages
8,450
Rt-click the folder/properties and uncheck "Hidden" if checked.
 

friday123

Thread Starter
Joined
Apr 10, 2011
Messages
14
Okay - that option is available on the D: drive where all my saved files are.

When I rt click on C: I am allowed to access the properties but it just gives me the properties of the drive - General - Used disk space, Free space etc. (no option to unhide anything, Tools, Hardware, Sharing, Security, etc.)

That option is not available on my C: drive where all my programs are. Everything is invisible - "folder is empty". There are no folders at all. The whole drive appears to be missing. I can only see the drive and the "space used" if I click Computer - once I click on the C: the folder is totally empty.
 
Joined
Jul 22, 2006
Messages
8,450
Try Control Panel/Folder options.
I think it's under View (Show hidden files)
 

friday123

Thread Starter
Joined
Apr 10, 2011
Messages
14
Thank you!!!! It worked! Now I have another question for you, how do I get all the programs to show on the Start menu?
 
Joined
Jul 22, 2006
Messages
8,450
Find the folder called Program Menu (Start Menu?) and see if the files are hidden.
If not, you can re-create the shortcuts.
 

friday123

Thread Starter
Joined
Apr 10, 2011
Messages
14
I have another small problem. After a closer look at the c: drive items are still missing - for example I have ms office 2007 - under the office folder none of the programs are listed. I've checked the folder and they're not hidden. Any ideas?
 
Joined
Jul 22, 2006
Messages
8,450
Check the properties of higher level folders.
Use search to see if these programs still exist (I'm sure they do).
Search for "winword", for example, and see if it executes Word.
Are the programs in Program Files (x86)?
 

friday123

Thread Starter
Joined
Apr 10, 2011
Messages
14
I forgot one of the hidden folders - everything is great now.

Thank you very much for all your help and time.
I can now send the men with the little white jacket away!
 
Joined
Jul 22, 2006
Messages
8,450
Cool. Interesting that your symptom was similar to but not the same as on the other machine.
Use the thread tools to mark this "Solved" so others can find the solution.
 
Joined
Jun 2, 2011
Messages
1
I have the fix for this crap.. Took me about 2 hours to solve..

If you hit control Alt Delete to bring up the task manager and it is greyed out then go to start run, type regedit and browse to this..

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
• In the right-pane, delete the value named DisableTaskMgr
• Close Regedit.exe


First you need to go into msconfig and disable all the stuff in the startup that looks funny. Usually you will see something like.. asuhkj$okj.exe Disable all those in the startup.

Then go into your registry and change the keys below. This unhides any folders that were hidden.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

That brings back all your icons.. Change Values from 1 to 0. Then restart..

Next after the system is back up you will notice you have your icons back, but program files and system files are still gone. Don't worry.. You can now browse to folders now so go to Documents and settings, go to all users, go to application, then delete anything that references that stupid program there.

Next, Run the following programs in this order.. CCleaner, Mbam, then do one more restart. Then the following program fixes everything that the virus breaks. combofix. This is the thing that brings everything back. Make sure you follow the instructions to a T on this one. Combo fix will bring back and unhide all icons, and program files.

After this is done, you will need to reference the registry again and try and find all the crap that the stupid virus corrupted. Here is a complete list to check. Make sure everything is in order after running that. Hope this all helps. Below are the things that this nasty MF'r does to your computer.

Associated Windows Recovery Files:
Windows Vista & 7:

%AllUsersProfile%\~<random>
%AllUsersProfile%\~<random>r
%AllUsersProfile%\<random>.dll
%AllUsersProfile%\<random>.exe
%AllUsersProfile%\<random>
%AllUsersProfile%\<random>.exe
%UserProfile%\Desktop\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\
%UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk

Windows XP:

%AllUsersProfile%\Application Data\~<random>
%AllUsersProfile%\Application Data\~<random>r
%AllUsersProfile%\Application Data\<random>.dll
%AllUsersProfile%\Application Data\<random>.exe
%AllUsersProfile%\Application Data\<random>
%AllUsersProfile%\Application Data\<random>.exe
%UserProfile%\Desktop\Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\
%UserProfile%\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
%UserProfile%\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk

File Location Notes:
%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.
%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

Associated Windows Recovery Windows Registry Information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
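
An added example, not part of the original post: a small checker that reads the text of a `reg export` dump and reports values matching the registry list above, plus Run entries that launch an .exe directly from the All Users profile root. The function names, the subset of values checked and the sample dump are assumptions made for illustration.

```python
import re

CV = r"hkey_current_user\software\microsoft\windows\currentversion"
IE = r"hkey_current_user\software\microsoft\internet explorer"
# (key, value name) -> data, taken from the list in the post (lowercased).
LISTED = {
    (CV + r"\policies\system", "disabletaskmgr"): "1",
    (CV + r"\policies\activedesktop", "nochangingwallpaper"): "1",
    (CV + r"\internet settings", "certificaterevocation"): "0",
    (IE + r"\download", "checkexesignatures"): "no",
}
# Run data launching an .exe placed directly in the All Users profile root.
DROP_RE = re.compile(r'^"?[a-z]:\\(programdata|documents and settings'
                     r'\\all users\\application data)\\[^\\"]+\.exe', re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode(raw):
    """Turn .reg data (dword:XXXXXXXX or "escaped string") into plain text."""
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    if len(raw) > 1 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def scan(reg_text):
    """Return (key, name, data) for every value matching the post's list."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), decode(m.group(2))
        listed = LISTED.get((key, name.lower())) == data.lower()
        dropped = key == CV + r"\run" and DROP_RE.match(data)
        if listed or dropped:
            findings.append((key, name, data))
    return findings

# Constructed sample in `reg export` text form (real exports are UTF-16 files).
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qkzrtpwv"="C:\\ProgramData\\qkzrtpwv.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

To check a real dump, read the exported file with `encoding="utf-16"` and pass its text to `scan`.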
 

fairnooks

Banned
Joined
Oct 1, 2007
Messages
5,251
A nice preventative is to back up the registry maybe once a month and keep that ace card up your sleeve.
 