Spread the love! TechSpot Tech Gift Shortlist 2017

Vista Recovery Console malware infection

By SecDumi ยท 12 replies
May 25, 2011
  1. ----------------------

    To any future readers, I did do all instructions as asked as everyone else seeking assistance should. But, since all experienced will be different and it is bad to delete anything without guidance or follow anyone else's instructions, I have deleted my logs as the information won't help anyone else but me.

    Original thread starts below:

    I got the Vista Recovery Console pop up last night. It told me things like I was out of memory and my ram was too hot, both lies, and how would it know the temperature? Ha. It also hid everything in my user folder, removed all desktop icons, emptied the quicklaunch menu and start menu. I could still get to all programs via the computer folder.

    I ran CCCleaner (which I had previously) to see what my startup programs were and the following stuck out:

    HKCU:Run yiMjvSkpKyOa C:\ProgramData\yiMjvSkpKyOa.exe

    I disabled the startup and deleted the file from a CMD prompt. I later found a shortcut named "Vista Recovery Console" on my desktop with that file listed on my desktop after I'd restored the icons and deleted what I found in MalwareBytes.

    First I tried to run a Windows Security Essentials scan, found nothing. Also tried AVG, fail. Finally downloaded MalwareBytes and found the following:

    Malwarebytes' Anti-Malware

    Database version: 6669

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    5/24/2011 10:50:49 PM
    mbam-log-2011-05-24 (22-50-49).txt

    Scan type: Quick scan
    Objects scanned: 172738
    Time elapsed: 5 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\43507448.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\Users\TheUser\AppData\Local\Temp\adobe_flash_player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\TheUser\AppData\Local\Temp\jar_cache2389963931054689550.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\TheUser\AppData\Local\Temp\ldr8d60.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

    I removed all of the files from malwarebytes as well as some unknown file types named 43507448, ~43507448 and ~43507448r from CMD prompt

    I also went into the CMD prompt and ran the attrib function unhide all files and folders. Being Vista, and not run as Adminstrator, I got a lot of "denied". That made it so I could see all my icons and everything in my user folder again. I had to start over for my quicklaunch icons, but that wasn't bad.

    Today, I found this forum and I ran the other scans required:

    GMER, I downloaded from the main, multiple times, while not connected to the internet and having the other antivirus turned off. I also only had notepad open (to see the instructions) and I keep getting a blank log. Recommendations to get that log?

    DDS logs previously attached for diagnosis
  2. Broni

    Broni Malware Annihilator Posts: 54,142   +378

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    You're running two AV programs, Microsoft Security Essentials and AVG.
    One of them has to go.
    If AVG, make sure to use AVG Remover to uninstall it: http://www.avg.com/us-en/utilities

    If you still have some items missing/hidden...
    Download and run UnHide


    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
  3. SecDumi

    SecDumi TS Rookie Topic Starter

    Ok, I installed AVG only to try to remove the virus, it is not there all the time.

    I could not get RootKitUnhooker to work from any of the 3 locations. I kept getting this error, and the program will not continue:

    Error loading driver, NTSTATUS code 0xC000036B

    removed aswMBR log as no longer needed
  4. Broni

    Broni Malware Annihilator Posts: 54,142   +378

    I'm sorry about RKUnhooker. My bad. It won't work on 64-bit system.

    It doesn't matter. It can't be present. Please, use AVG Remover to get rid of it.

    Do you still have hidden files issue?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.


    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.


    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. SecDumi

    SecDumi TS Rookie Topic Starter

    Broni, to start, thank you to much for your nice and fast assistance.

    Good to know about the 64-bit.
    AVG is uninstalled. I do not have any more files hidden that I know of.

    removed ComboFix log, no one else's log will be the same, does not need to stay
  6. Broni

    Broni Malware Annihilator Posts: 54,142   +378

    You're very welcome [​IMG]

    Combofix log looks good :)

    Any other current issues?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %PROGRAMFILES%\Common Files\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %USERPROFILE%\Favorites\*.url /x
    %ALLUSERSPROFILE%\*.dat /x
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %systemroot%\pchealth\helpctr\System\*.exe /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  7. SecDumi

    SecDumi TS Rookie Topic Starter

    I do not have any more issues that I know of, I just want to make sure there isn't anything else hidden in my system that doesn't belong. Looking at these results, I do see some things that I don't need anymore.... I may make sure it's clean, save what I want to keep and fresh install.

    OTL text removed, very detailed, no longer needed Every one, even with the same infection, will have different results.
  8. SecDumi

    SecDumi TS Rookie Topic Starter

    The second file didn't fit in the last post...


    Extras log file also removed
  9. Broni

    Broni Malware Annihilator Posts: 54,142   +378

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      O15 - HKU\S-1-5-21-3041301471-9082621-993238469-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      [2011/05/24 20:46:14 | 000,000,000 | ---D | C] -- C:\Users\TheUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery
      [2010/11/25 20:21:25 | 000,000,000 | ---D | M] -- C:\Users\TheUser\AppData\Roaming\AVG10
      @Alternate Data Stream - 64 bytes -> C:\Users\TheUser\Desktop\JM_30DAY_SHRED.avi:TOC.WMV
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  10. SecDumi

    SecDumi TS Rookie Topic Starter

    Ran Fix, rebooted, here is that log:
    All processes killed

    Directly below is one of the lines from the OTB log, but I may have found the folder later, will leave, but remove rest of log.
    Folder C:\Users\TheUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery\ not found.

    Removed checkup.txt, no longer needed


    Ran TFC, it deleted some temp files and rebooted.


    ESET did take forever, but did not find anything.
  11. Broni

    Broni Malware Annihilator Posts: 54,142   +378

    Update Internet Explorer to version 9.

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.


    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
  12. SecDumi

    SecDumi TS Rookie Topic Starter

    Here is the final log

    I do have to note, in removing some of the programs I installed during this check. I actually found a folder called "Windows Vista Recovery" in my Programs list in the Start Menu. It was created about the time I got my popup with the Trojan. Inside it had possible a program and an uninstall program (I didn't click on them to confirm, I just deleted the entire folder)

    Also to note, I don't use IE, so that's why it was never updated.

    Broni, Thank you again so much for your help, and for your extremely fast responses.
    Please don't take it personally if I come back in here and remove some of my log files. Not everyone needs to know what is installed on my computer!

    OTL log removed
  13. Broni

    Broni Malware Annihilator Posts: 54,142   +378

    You're very welcome :)

    Good move :)

    Even if you don't use IE, it's on your computer and thus it must be kept up to date.

    Good luck and stay safe :)
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...