Help removing Windows recovery trojan horse

Greenmachine

Windows recovery has somehow managed to install itself on my computer with the following issues.

On the administrative account issues are as follows
My computer folder empty
Folder are empty
No icons are displayed on the desktop
there are connection problems with the usb mouse i.e it keeps losing it's connection for it come back agian after 10-15 minutes.
It recognise that a flash drive has been installed but won't open it's contents.

On the Guest log on the followning occurs
The Internet work with limited function
Usb ports working
All programs folder empty
my documents empty
my pictures empty
my music empty
when i log onto the internet i ma brought to a page microsoft + security centre. Seem legit but I am not sure.

I have tried following the instruction on the bleeping computer fourum but to no avail.

downloaded rkill etc but the trojan is blocking it from running.
acually can't download anything on the admin log-on
only tries to run via the guest log on.
I tried downloaded it onto a memory stick on a different computer and then running it from there but it still won't run.

Kind of out of ideas at this stage so open to suggestions.

mp22

http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

gears

I think I have the same problem as the OP and have tried rkill and other things, I'm not an expert by any means so was wondering would system restore help at all

mp22

I don't think so,you really need to run through the steps in the guide,a handy way to get rkill is to download it on another pc,put it on a usb key.you just need to double click it when its on the infected pc.

gears

Thanks mp22, I did try that with rkill already and it didnt work the windows recovery window keeps popping up. I have managed to get the laptop up and running in safe mode and I'm transfering everything I need to a ext drive, should I try rkill in safe mode or would it work?

mp22

Yea, safe mode with networking is where all the steps should be undertaken

gears

Thanks again I'll give it another go

gears

It seems to have worked as the window doesn't come up any more but there's an icon on the desk top for windows xp restore and it's listed in the programs and one strange thing no windows office programs are listed. I can open word and excel files ok thought but I can't find outlook. Any ideas what I can do now?

mp22

At the bottom of the removal instructions page the is a link to unhide.exe have you run that program?

gears

I did ok and all files appeared but Outlook seems to still be hidden. Should I just run it again or should I try something else?

If I do need to run it again should it be in safe mode?

mp22

If it's outlook shortcut that's missing goto-start-all programs-find outlook right click on it a new menue appears select send to-show on desktop,that will get the shortcut back.

By the way what anti virus are you using?

gears

I'm afraid it's a little more hidden than that, in the "all programs" list Microsoft office is listed but when you click on it the label reads empty and the same goes for many more including itunes, Skype and loads more. I have gotten Outlook going again by typing outlook.exe into run but I can't do the same for Word or Excel but I have been able to use them by opening a file from my documents so they are there.

I'm using McAfee it's all up to date so it should work but....

mp22

Try this http://www.superantispyware.com/ get the free version install update run a scan (no need for safe mode)then run the unhide software again.

gears

I'll try that now. Thanks for the help.

gears

I ran that latest software and it did find a lot of problems which it dealt with and then I ran unhide but it still hasnt solved the problem. Sorry but do you have any more ideas to help with this.

Also I think I know when this virus attached itself, i did a Real Player update on tuesday and thinking back it might not have been a genuine update, if I did a system restore to a date previous to then would this help at all?

mp22

System restore cant do much harm at this stage,make sure you have everything that you cant afford to lose backed up.By the sound of things a reinstall of the os is probably going to be the only way to get the pc back in tip top condition.

gears

I was afraid a reinstall would be the only way to go. It's a laptop I've had for years (cant afford a new one) and as I work for myself theres lots on it that I'm afraid I'll loose even though can back it up I'm worried I'll miss something plus I've no idea how to go about a reinstall. Lots of googeling ahead I think.

mp22

Step one: drag and drop the contents of your c drive onto a external hard drive,ditto for any other drives on the laptop.

2)restart the pc go into the bios (the first screen you see says press esc,f2 or whatever to enter setup)make sure the first boot device is your cd/dvd drive.
3)insert xp disk in drive restart pc
4) when asked to press any key to boot from the cd DO SO
5)when you get to the what drive do you want to install windows to select the largest one and use the format the drive option.
6)install windows

gears

Ok, not too complicated but I don't have any discs for XP or Office, they probably came with the laptop but I have no idea where they are now. Is there anything I can do to get copies?

mp22

Try and borrow the disks.

bryaner

I got this bad boy today, got rid by starting in safe mode, system restore back 2 days and ran malwarebytes, the dirty fecker had me worried for a wee bit..