Windows Recovery Virus Eliminated But Start Menu Icons Are Still Missing


  • This topic is locked
25 replies to this topic

#1 he's dead jim

he's dead jim

  • Members
  • 112 posts
  • OFFLINE
  •  
  • Local time:03:36 AM

Posted 11 May 2011 - 06:31 PM

so i used about 25 different programs, including combofix, and i can't find any more remnants of the virus. i used unhide and a program called usbshow, and all of my menus and programs are no longer hidden. the problem is only that the actual shortcut icons are still missing. before i spend another 3 hours making all new shortcuts, i wanted to see if anybody here knew anything that could help. if you need me to attach logs or reports i have no problem with that.

i searched over a dozen similar topics, and the ones that were successfully completed never said how they got the icons to show back up.

thanks a bunch..

:)


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,658 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:36 AM

Posted 11 May 2011 - 10:47 PM

Let's see if we can find your shortcuts...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :folder
    %Temp%\smtmp\4
    %Temp%\smtmp\2
    %Temp%\smtmp\1
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 he's dead jim

Posted 12 May 2011 - 04:41 PM

thanks much. here is the log file;



SystemLook 04.09.10 by jpshortstuff
Log created at 17:39 on 12/05/2011 by Michael
Administrator - Elevation successful

Invalid Context: folder

No Context: %Temp%\smtmp\4

No Context: %Temp%\smtmp\2

No Context: %Temp%\smtmp\1

-= EOF =-

#4 Broni

Posted 12 May 2011 - 04:48 PM

My apology. Wrong code.
It should read:

:dir
%Temp%\smtmp /s


#5 he's dead jim

Posted 12 May 2011 - 04:59 PM

no prob..

SystemLook 04.09.10 by jpshortstuff
Log created at 17:58 on 12/05/2011 by Michael
Administrator - Elevation successful

========== dir ==========

C:\DOCUME~1\Michael\LOCALS~1\Temp\smtmp - Unable to find folder.

-= EOF =-

#6 Broni

Posted 12 May 2011 - 05:05 PM

It looks like you ran some kind of temporary files cleaner and the folder is gone.
What did you run?


#7 he's dead jim

Posted 12 May 2011 - 05:13 PM

combofix
malwarebytes
superantispy
spybot
unhide
usbshow
ccleaner



ccleaner is a temporary files cleaner that runs on startup

#8 Broni

Posted 12 May 2011 - 05:27 PM

Yeah, CCleaner removed that folder since it was located in temporary directory.
As far as I know, CCleaner creates a backup.
I know, it backs up registry, but I'm not sure about folders/files.
Can you try to use that backup, so we can see what happens?


#9 Eyesee

Eyesee

    Bleepin Teck Shop


  • BC Advisor
  • 3,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:In the middle of Kansas
  • Local time:02:36 AM

Posted 12 May 2011 - 05:36 PM

I just dealt with Windows Recovery and the instructions in our guide here worked flawlessly.

CCleaner will warn you that it will "permanently delete files from your system".
If you ran that before unhide you may have to recreate your shortcuts.
Our guide makes no mention of running CCleaner as part of the cleanup process.
In the beginning there was the command line.
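
Added example, not part of any post in this thread: the folder the advisor wanted to inspect, `%Temp%\smtmp`, was deleted by a startup temp cleaner before it could be examined. This Python function copies that folder out of the temp directory before any cleaner runs; the function name and the `smtmp_backup` destination are assumptions for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path


def preserve_smtmp(temp_dir, backup_root):
    """Copy <temp_dir>/smtmp to <backup_root>/smtmp_backup before any cleanup.

    Returns the sorted relative paths of the .lnk files saved, or None when
    the folder is already gone (the "Unable to find folder" case above).
    """
    src = Path(temp_dir) / "smtmp"
    if not src.is_dir():
        return None
    dest = Path(backup_root) / "smtmp_backup"  # hypothetical backup location
    if dest.exists():
        # Never overwrite an earlier copy; it may be the only one left.
        raise FileExistsError(f"{dest} already exists")
    shutil.copytree(src, dest)
    return sorted(
        p.relative_to(dest).as_posix()
        for p in dest.rglob("*")
        if p.is_file() and p.suffix.lower() == ".lnk"
    )


if __name__ == "__main__":
    temp = os.environ.get("TEMP", tempfile.gettempdir())
    saved = preserve_smtmp(temp, Path.home())
    if saved is None:
        print("smtmp not found under", temp)
    else:
        print(f"saved {len(saved)} shortcut(s) to {Path.home() / 'smtmp_backup'}")
```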

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:36 AM

Posted 12 May 2011 - 07:29 PM

Hi he's dead jim,



We might try another approach. Please start your SystemLook on your desktop and copy the following contents of code box into the main textfield:

:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders /s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders /s

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 he's dead jim

Posted 12 May 2011 - 07:55 PM

for broni and eyesee using ccleaner was not part of the windows recovery removal, it was just set to run at startup on this particular system.

i do have a nice file and drive recovery program that i bought a few years back. if all else fails i may try that.


for sundavis - here is the log file and thanks to everyone for your help so far.


SystemLook 04.09.10 by jpshortstuff
Log created at 20:51 on 12/05/2011 by Michael
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Desktop"="%ALLUSERSPROFILE%\Desktop"
"Common Start Menu"="%ALLUSERSPROFILE%\Start Menu"
"Common Programs"="%ALLUSERSPROFILE%\Start Menu\Programs"
"Common Startup"="%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
"Common AppData"="%ALLUSERSPROFILE%\Application Data"
"Common Templates"="%ALLUSERSPROFILE%\Templates"
"Common Favorites"="%ALLUSERSPROFILE%\Favorites"
"Common Documents"="%ALLUSERSPROFILE%\Documents"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%USERPROFILE%\Application Data"
"Desktop"="%USERPROFILE%\Desktop"
"Favorites"="%USERPROFILE%\Favorites"
"NetHood"="%USERPROFILE%\NetHood"
"Personal"="%USERPROFILE%\My Documents"
"PrintHood"="%USERPROFILE%\PrintHood"
"Programs"="%USERPROFILE%\Start Menu\Programs"
"SendTo"="%USERPROFILE%\SendTo"
"Start Menu"="%USERPROFILE%\Start Menu"
"Startup"="%USERPROFILE%\Start Menu\Programs\Startup"
"Templates"="%USERPROFILE%\Templates"
"My Pictures"="%USERPROFILE%\My Documents\My Pictures"
"Local Settings"="%USERPROFILE%\Local Settings"
"Local AppData"="%USERPROFILE%\Local Settings\Application Data"
"Cache"="%USERPROFILE%\Local Settings\Temporary Internet Files"
"Cookies"="%USERPROFILE%\Cookies"
"History"="%USERPROFILE%\Local Settings\History"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\New]
(No values found)


-= EOF =-
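
Added example, not part of any post in this thread: a Python check over a SystemLook `:reg` log of the two `User Shell Folders` keys requested above. It flags values that do not start with the profile variable seen in the posted log (`%ALLUSERSPROFILE%` under HKLM, `%USERPROFILE%` under HKCU); that prefix rule and the sample log with one altered value are constructed assumptions.

```python
import re

# Constructed sample in the shape of the log above; the last value is
# deliberately altered so the check has something to report.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Desktop"="%ALLUSERSPROFILE%\Desktop"
"Common Programs"="%ALLUSERSPROFILE%\Start Menu\Programs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"="%USERPROFILE%\Desktop"
"Start Menu"="%USERPROFILE%\Start Menu"
"Programs"="D:\Elsewhere\Programs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\New]
(No values found)
'''

# Assumption: expected value prefix per hive, taken from the posted log.
EXPECTED_PREFIX = {
    "HKEY_LOCAL_MACHINE": "%ALLUSERSPROFILE%\\",
    "HKEY_CURRENT_USER": "%USERPROFILE%\\",
}
KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_log(text):
    """Return {full_key_path: {value_name: value_data}} from a :reg log."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1) + "\\" + m.group(2), {})
        elif current is not None and (m := VAL_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return keys


def find_redirected(keys):
    """List (hive, name, value) entries to review; a redirect can be legitimate."""
    findings = []
    for key, values in keys.items():
        hive = key.split("\\", 1)[0]
        prefix = EXPECTED_PREFIX.get(hive)
        if prefix and key.lower().endswith("\\user shell folders"):
            findings += [(hive, n, v) for n, v in values.items()
                         if not v.upper().startswith(prefix.upper())]
    return findings
```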

#12 clone of the mean

clone of the mean

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 12 May 2011 - 10:02 PM

Hi, new guy here. Mostly computer illiterate, but I'm trying. I'm dealing with the Windows Recovery issue as well. I have Avast and Super Anti Spyware. Neither detect this virus. I found STOPzilla and after 7% of the scan complete it's already found 35 issues!

My question for the moment is, will I be able to recover my stuff? I have an external hard drive, it's empty. My documents, pictures, music are empty, everything is gone. Hell, even my "favorites" list is gone!!! I can't even play friggin Solitaire. My screen is just black. Are these symptoms of the virus or is there a bigger issue? I've been thinking about a new computer, is this my opportunity?

Thanks for any replies....

#13 Broni

Posted 12 May 2011 - 10:04 PM

Follow this manual: http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery


#14 clone of the mean

Posted 12 May 2011 - 10:23 PM

whew, that's a bunch of info. I can read it but I don't understand a bit of it. PC's ought to be illegal for people like me. I'm gonna wait til next week when my kid is out of school so he can figure it out for me. Thanks for the reply, hopefully it works. I'll let you know!

#15 Broni

Posted 12 May 2011 - 11:16 PM

PC's ought to be illegal for people like me

Hahaha....
