BleepingComputer.com: Empty folders after Windows Restore Virus

I think I have finally cleared my computer of the virus. I ran unhide.exe and got my desktop icons back. All my program folders are still empty however.

I saw in another thread about looking for a smtmp folder. I ran the system look but it came up empty

SystemLook 04.09.10 by jpshortstuff
Log created at 17:26 on 09/06/2011 by Dr Lee
Administrator - Elevation successful

Invalid Context: dir %Temp%\smtmp /s

-= EOF =-

I was looking around on "my computer" and noticed a bunch of wierd folders in my "windows" folder. They are named "$NtUninstallKB932823-v3$" but with different numbers. Inside them is a folder named "Spunist". There are also alot of files named "KB980436"....with different numbers of course. Does this have anything to do with the virus or is another????

Quote

Those are safe entries - your Windows updates.

Unfortunately, it looks like some of the programs you ran removed that crucial temporary folder.
You'll have to restore your items manually.

You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:

• Restore Accessories Program Files Menu with accrestore.zip for XP
  
  • Extract (unzip) the tool, double-click on it to run and ensure that the following check boxes are checked (as shown below):
  
  
  
  • Then click on the Restore button.

To manually recreate "All Programs" entries, follow these steps...

• Download App Paths
  
• Double click on AppPaths.exe to run the program.
  
• Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.

• Go Start>All Programs.
  
• Right click on Avast entry, click "Properties".

NOTE. Make sure, you right click on Avast program, NOT on Avast folder.

• You'll see this window:

Due to the damage caused by the infection, you'll find "Target" box empty.

• Go back to AppPaths window and find Avast entry.
  
• Right click on Avast line, click "Edit".
  
• A pop-up window will open:

• Highlight everything in "Path" box, right click on it, click "Copy"
  
• Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  
• IMPORTANT! Add quotation marks at the beginning of the path and at the end
  
• Click OK and you're done.

In case, program's link shows as (empty):

• Open Windows Explorer, navigate to Avast folder in Program Files
  
• Right click on Avast ".exe" file, click "Create shortcut":

• Copy that shortcut, go back to Start menu.
  
• Right click on avast!Free Antivirus, click "Paste".
  
• You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively....
...you paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast

The virus just got me. I posted the logs, etc in the spyware forum. No response yet. As far as the startup shortcuts go, I did a test. Went to Paint Shop Pro folder (I was in Safe Mode), right clicked on psp.exe and clicked "send to desktop", i.e., I created a shortcut. Then I copied the shortcut, right clicked on the empty psp folder in Start Menu and pasted it. Seemed to work just fine. Shouldn't be too much trouble to do for the programs I really use.

By the way, how did you get rid of the malware/virus.

This post has been edited by Quadrillion: 09 June 2011 - 08:08 PM

Quadrillion
It's not a proper way to post in someone else topic.
It can be done, the way you did it, but I can't say anything more since I have no idea how clean your computer is and your work may get easily wasted.

Broni, my computer isn't clean yet, but his is. My solution worked and I think was basically a shortcut to doing what was described by you in your earlier post. But, in the future, I'll refrain from offering from what I thought was a pretty harmless suggestions if that's bad form.

By no means, I had any intention to offend you.
I suppose, I misread your reply.
I apologize

Cool. I'm not a computer guru by any means, so you do have to keep an eye on me.

Hehe...no problem

What worked for me was to start up in safe mode with networking. I then ran RKill. Then a full scan of Malwarebytes. That seemed to do most of it. However, after rebooting, the Windows restore virus was gone but I had an error message about "catalyst Control Center not working" so I figured I was still infected. I then ran SuperAntispyware and it found an additional 2 items. Finally, I ran Unhide.exe to recover my desktop icons.

Thanks Broni for all your help

Broni,

One question..... Instead of going through the hassel of restoring all of my folders, could I run the restore for the system folders then just do a sytem restore to a date before I got the virus? Thanks!!!

Running system restore may bring the infection back.

Broni, are you saying that the virus might have planted something in a restore file that was created a week or more before the virus even entered the machine?

Depending on a kind of infection, all kinds of files can get infected, including various restore points.