BleepingComputer.com: Cannot see start menu files - unhide.exe didn't work

Hello,

I have an infected machine that has had Malwarebytes, SuperAntiSpyware and Microsoft Security Essentials ran on it and at the end of this process I ran the icons were still missing under the start menu and displayed as empty. I then ran unhide.exe but the icons were still missing.

I was hoping you could help me out a bit, just let me know what log you need me to run first.

Thanks,

John

Can you post the resulting logs from Malwarebytes and Super Anti-Spyware?

Also did you run any registry or temp file cleaners?

Malwarebytes Log:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.27.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sony Laptop :: SONYLAPTOP-VAIO [administrator]

Protection: Enabled

1/27/2012 4:36:24 PM
mbam-log-2012-01-27 (16-36-24).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 331739
Time elapsed: 2 hour(s), 26 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Sony Laptop\AppData\Local\Temp\msimg32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Sony Laptop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\36afad31-5a154bb2 (Trojan.Downloader.lb) -> Delete on reboot.

(end)


I ran SuperAntiSpyware portable so no log file was saved.

I'm not sure if we ran a temp file or registry cleaner like CCleaner on it yet, if we have I have a back up of the original machine I can pushed back to it to start the process over if needed.

That would potentially reinfect you. Can you run SAS non-portable.

SAS No Portable Scan Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/01/2012 at 04:17 PM

Application Version : 5.0.1142

Core Rules Database Version : 8190
Trace Rules Database Version: 6002

Scan type : Complete Scan
Total Scan Time : 00:30:56

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 455
Memory threats detected : 0
Registry items scanned : 44364
Registry threats detected : 0
File items scanned : 56416
File threats detected : 0

Can you navigate to c:\Program Files and see if all your applications are there also c:\Users\yourusername and find your start menu and see if its populated?

This is what is in the start menu.

All the files are still in the program files and program files(x86)

Here is what mine looks like:



Have you reformatted?

No I haven't.

I am going to restore the backup because I believe someone ran CCleaner. I will just start the virus removal process over again. I will post in the next few hours to see if the files are back or not.

if the applications are in c:\program files then I would reinstall the applications.

What I did was restore the backup I took before doing a virus removal and ran unhide.exe and all the applications returned to the start menu.

Thanks, site is a bunch of help, don't know where I'd be without the help you guys provide.

So someone did run ccleaner or another temp file cleaner.