Jump to content


 

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows 7 recovery - all programs, folders, and desktop erased/missing

Started by blondeseries2 , May 26 2011 11:09 PM

  • Please log in to reply
9 replies to this topic

#1 blondeseries2

blondeseries2

    New Member

  • Members
  • Pip
  • 4 posts

Posted 26 May 2011 - 11:09 PM

I accidently downloaded False security spyware "Windows 7 Recovery". Immediately afterwards, all icons on the desktop disappeared, could not access any programs or files. Could not see transfered files/folders on the desktop. Ran rkill, then malwarebytes, then superantispyware free (in safe mode), then gmer. Many files were found, quarantined, and removed. However, still no files, programs on desktop or in start-up menu. In Firefox does not open pages to appropriate link. please help. thanks in advance.

Below are the available logs in order - Malwarebytes, Super antispyware free; the gmer log is incomplete, as it was too long to post the entire log when I tried, but the log appeared to have thousands of files listed, that appear to possibly be a bunch of normal files and programs.


thanks again


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6688

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/26/2011 8:15:01 PM
mbam-log-2011-05-26 (20-15-01).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|Q:\|)
Objects scanned: 282629
Time elapsed: 45 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gODYLqGmtHs (Trojan.FakeMS) -> Value: gODYLqGmtHs -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\godylqgmths.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\programdata\39116536.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\Krina\AppData\Local\Temp\adobe_flash_player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Krina\AppData\Local\Temp\ldrf9d5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Krina\AppData\Local\Temp\tmpF9C6.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\Krina\Desktop\virus cure\rkill.com (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.







SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/26/2011 at 09:23 PM

Application Version : 4.52.1000

Core Rules Database Version : 7151
Trace Rules Database Version: 4963

Scan type : Complete Scan
Total Scan Time : 00:52:13

Memory items scanned : 334
Memory threats detected : 0
Registry items scanned : 11881
Registry threats detected : 0
File items scanned : 134635
File threats detected : 116

Adware.Tracking Cookie
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\krina@msnportal.112.2o7[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\krina@atdmt[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\krina@insightexpressai[1].txt
a.ads2.msads.net [ C:\Users\Krina\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2Y8QRY2D ]
ia.media-imdb.com [ C:\Users\Krina\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2Y8QRY2D ]
media.mtvnservices.com [ C:\Users\Krina\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2Y8QRY2D ]
msnbcmedia.msn.com [ C:\Users\Krina\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2Y8QRY2D ]
s0.2mdn.net [ C:\Users\Krina\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2Y8QRY2D ]
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@2o7[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@a.intentmedia[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@a1.interclick[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ad.crwdcntrl[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ad.wsod[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ad.yieldmanager[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ad.yieldmanager[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adbrite[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adecn[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adinterax[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adinterax[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adinterax[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ads.pointroll[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ads.undertone[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adserver.adreactor[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adserver.adtechus[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@advertising[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@advertising[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@adxpose[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@apmebf[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@apmebf[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ar.atwola[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@atdmt[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@atdmt[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@beacon.dmsinsights[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@bizrate[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@casalemedia[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@clickfuse[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@collective-media[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@content.yieldmanager[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@content.yieldmanager[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@content.yieldmanager[5].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@data.coremetrics[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@dealtime[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@dmtracker[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@dmtracker[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@doubleclick[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@e-2dj6walisjcpwkp.stats.esomniture[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@e-2dj6wck4ugd5abq.stats.esomniture[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@e-2dj6wclycgazeaq.stats.esomniture[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@e-2dj6wfmysocjklo.stats.esomniture[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@fastclick[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@fastclick[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@imrworldwide[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@in.getclicky[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@insightexpressai[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@interclick[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@invitemedia[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@invitemedia[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@jobinterviewquestions[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@kontera[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@lfstmedia[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@limaconsulting.112.2o7[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@linksynergy.walmart[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[4].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[5].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[6].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[8].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@liveperson[9].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@lucidmedia[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@media.adfrontiers[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@media6degrees[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@mediabrandsww[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@mediaplex[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@mediaplex[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@mediaplex[4].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@mm.chitika[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@myaccount.mudomaha[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@overture[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@paypal.112.2o7[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@petfinder[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@pointroll[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@pro-market[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@pro-market[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@questionmarket[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@questionmarket[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@r1-ads.ace.advertising[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@rcci.122.2o7[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@realmedia[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@revsci[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ru4[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@ru4[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@samsclub.112.2o7[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@serving-sys[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@serving-sys[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@serving-sys[3].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@specificclick[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@specificclick[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@specificmedia[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@stampscom.112.2o7[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@stat.dealtime[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@stats.exph.net.re.getclicky[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@statse.webtrendslive[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@tacoda.at.atwola[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@tacoda.at.atwola[2].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@tacoda.at.atwola[4].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@trafficmp[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@traveladvertising[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@tribalfusion[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@user.lucidmedia[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@walmart.112.2o7[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@www.burstnet[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@yieldmanager[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@zedo[1].txt
C:\Users\Krina\AppData\Roaming\Microsoft\Windows\Cookies\Low\krina@zedo[2].txt





GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-26 22:37:18
Windows 6.1.7600
Running: c535mv8u.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f3953e5c87
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f3953e5c87 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File Q:\$RECYCLE.BIN 0 bytes
File Q:\$RECYCLE.BIN\S-1-5-21-2833784658-2284975252-4144577734-1000 0 bytes
File Q:\$RECYCLE.BIN\S-1-5-21-2833784658-2284975252-4144577734-1000\desktop.ini 129 bytes
File Q:\$RECYCLE.BIN\S-1-5-21-2833784658-2284975252-4144577734-500 0 bytes
File Q:\$RECYCLE.BIN\S-1-5-21-2833784658-2284975252-4144577734-500\desktop.ini 129 bytes
File Q:\drivers 0 bytes
File Q:\drivers\AHCI 0 bytes
File Q:\drivers\AHCI\data1.cab 2183918 bytes
File Q:\drivers\AHCI\data1.hdr 54802 bytes
File Q:\drivers\AHCI\data2.cab 7370673 bytes
File Q:\drivers\AHCI\ISSetup.dll 552214 bytes executable
File Q:\drivers\AHCI\layout.bin 473 bytes
File Q:\drivers\AHCI\setup.exe 455600 bytes
File Q:\drivers\AHCI\setup.ini 781 bytes

 

  • BC Ads
  • BleepingComputer.com

#2 Budapest

Budapest

    Bleepin' Cynic

  • Moderator
  • PipPipPipPipPipPip
  • 22,661 posts
  • Gender:Male

Posted 26 May 2011 - 11:12 PM

To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 blondeseries2

blondeseries2

    New Member

  • Members
  • Pip
  • 4 posts

Posted 27 May 2011 - 09:06 PM

Thank you for your help. The Files have reappeared on my desktop, however, I still cannot get them to reappear in my start menu. I have uninstalled and no longer have a antivirus/spyware to turn off as it instructs in the pop-up after the program finished running. Thanks again for your help.

#4 Budapest

Budapest

    Bleepin' Cynic

  • Moderator
  • PipPipPipPipPipPip
  • 22,661 posts
  • Gender:Male

Posted 28 May 2011 - 04:37 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
%Temp%\smtmp /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 Blaine B.

Blaine B.

    Member

  • Members
  • PipPip
  • 96 posts
  • Gender:Male
  • Location:Indiana

Posted 28 May 2011 - 04:57 PM

Sounds like something similar that happened to my system 2 days ago. I had a combination of the XP Security Center and some sort of Recovery virus invade my machine. It made my start menu ENTIRELY empty and also deleted about 2/3 of my desktop icons. Most of it was lost, luckily I had a backup of "c:\documents and settings" on an external harddrive so I got my icons and start menu list back.

On top of that, there were MANY files in c:\documents and settings which were also made HIDDEN by this invasion attempt. I was able to see that because I had Windows Explorer set to show hidden files and folders by default, in which case hidden files and folders will show up in with a bit of transparency to them compared to the rest of solid-colored icons, folders, and files.

#6 blondeseries2

blondeseries2

    New Member

  • Members
  • Pip
  • 4 posts

Posted 29 May 2011 - 09:34 PM

Thanks for the reply! Here is the result of the latest scan:

SystemLook 04.09.10 by jpshortstuff
Log created at 21:33 on 29/05/2011 by Krina
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

C:\Users\Krina\AppData\Local\Temp\smtmp - Parameters: "/s"

---Files---
None found.

C:\Users\Krina\AppData\Local\Temp\smtmp\1 d------ [00:58 26/05/2011]
desktop.ini --ahs-- 442 bytes [04:49 14/07/2009] [05:01 14/07/2009]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs d------ [00:58 26/05/2011]
desktop.ini --ahs-- 1748 bytes [04:54 14/07/2009] [00:47 07/04/2011]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Accessories d------ [00:58 26/05/2011]
Desktop.ini --ahs-- 1876 bytes [02:36 14/07/2009] [08:48 22/12/2010]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Accessories\Accessibility d------ [00:58 26/05/2011]
Desktop.ini --ahs-- 370 bytes [02:36 14/07/2009] [04:57 14/07/2009]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools d------ [00:58 26/05/2011]
Desktop.ini --ahs-- 1338 bytes [02:36 14/07/2009] [04:57 14/07/2009]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Accessories\Tablet PC d------ [00:58 26/05/2011]
Desktop.ini --ahs-- 343 bytes [07:23 29/07/2009] [08:35 22/12/2010]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell d------ [00:58 26/05/2011]
desktop.ini --ahs-- 216 bytes [04:57 14/07/2009] [04:57 14/07/2009]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools d------ [00:58 26/05/2011]
desktop.ini --ahs-- 1674 bytes [04:53 14/07/2009] [04:57 14/07/2009]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Games d------ [00:58 26/05/2011]
Desktop.ini --ahs-- 1128 bytes [05:32 14/07/2009] [08:35 22/12/2010]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Intel d------ [00:58 26/05/2011]
desktop.ini --ahs-- 195 bytes [08:42 22/12/2010] [08:42 22/12/2010]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Maintenance d------ [00:58 26/05/2011]
Desktop.ini --ahs-- 606 bytes [02:36 14/07/2009] [04:57 14/07/2009]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Startup d------ [00:58 26/05/2011]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]

C:\Users\Krina\AppData\Local\Temp\smtmp\1\Programs\Windows Live d------ [00:58 26/05/2011]
desktop.ini --ahs-- 95 bytes [02:49 05/04/2011] [00:47 07/04/2011]

C:\Users\Krina\AppData\Local\Temp\smtmp\3 d------ [00:58 26/05/2011]
desktop.ini --ahs-- 211 bytes [08:18 18/02/2011] [08:18 18/02/2011]

C:\Users\Krina\AppData\Local\Temp\smtmp\4 d------ [00:58 26/05/2011]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]

-= EOF =-

#7 Budapest

Budapest

    Bleepin' Cynic

  • Moderator
  • PipPipPipPipPipPip
  • 22,661 posts
  • Gender:Male

Posted 29 May 2011 - 10:15 PM

Copy all content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 blondeseries2

blondeseries2

    New Member

  • Members
  • Pip
  • 4 posts

Posted 01 June 2011 - 08:17 PM

For some reason, I don't appear to have "Start Menu" under C:\Program Data. Also, I noticed that if I tried to open any of the program folders in C:\Users\user_name\AppData\Local\Temp\smtmp\1 they didn't have any contents. Is that normal? What now?

#9 Blaine B.

Blaine B.

    Member

  • Members
  • PipPip
  • 96 posts
  • Gender:Male
  • Location:Indiana

Posted 01 June 2011 - 08:25 PM

Do you have Explorer set to show hidden files and folders?

Run TDSS Killer as well, that was the only scan utility that got my system back up to 100%, even after multiple scans using about everything else that you can imagine.

#10 Budapest

Budapest

    Bleepin' Cynic

  • Moderator
  • PipPipPipPipPipPip
  • 22,661 posts
  • Gender:Male

Posted 01 June 2011 - 08:49 PM

In Windows Explorer, go Tools > Folder Options > View tab and UN-check "Hide protected operating system files". Also select "Show hidden files and folders".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
Back to Am I infected? What do I do?


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Am I infected? What do I do?
  4. Privacy Policy
  5. Rules ·