Windows restore virus upped the ante


16 replies to this topic

#1 andei2

  • Members
  • 11 posts

Posted 26 May 2011 - 06:29 PM

Today is May 26th and this virus is driving me nuts.
It has been removed by Combofix and Malwarebytes. I ran rkill to terminate processes before I tried to use both those tools.
I ran UNHIDE to recover the data on this machine.
I ran TDSSKILLER for any potential redirects.
I removed AVG, which was no easy feat even with their removal tool.
Then I used combofix… and malwarebytes.

Fine. All the items are back. But guess what?
They are back, but if I look in my start to program files list, ALL the items point to C:\Documentsandsettings\owner.. etc. etc., instead of to C:\programfiles. etc. etc.

In addition there is no place for me to change the path. Now what? Combofix was able to fix this on one computer, but not the one on my desktop today.

Help! How do I get my program files from start to point back to where they should be?
Attached File: screenshot of program files from start menu.JPG (120.69KB)



#2 andei2

Posted 26 May 2011 - 08:05 PM

Btw, I used tools I found here to get back my accessories to where they belong. But, when looking at the properties in any of the "invalid location" files, the properties box does not have all the tabs it should. Instead there are only 3 tabs: general, shared, and security.
So I cannot change the path using the properties box.

#3 Broni

  • BC Advisor
  • 42,740 posts

Posted 26 May 2011 - 10:06 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    %Temp%\smtmp /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#4 andei2

Posted 26 May 2011 - 10:57 PM

Thanks! I will do this as soon as I get back to my office in the morning.
I have to say that I have seen some unique twists while removing various viruses in the last decade, but this one was really UGHHHHHHHHH!
I hope people are available for help tomorrow.

#5 andei2

Posted 27 May 2011 - 02:36 PM

Ok, here are the findings. As I said I removed the virus and recovered the data. But getting my program files to point to the items is where I am locked up.


SystemLook 04.09.10 by jpshortstuff
Log created at 12:31 on 27/05/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "*Jucheck*"
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe --a---- 241777 bytes [02:05 02/09/2004] [02:05 02/09/2004] 260586772C36D427B364E0F8E9815450
C:\Program Files\Java\jre6\bin\jucheck.exe --a---- 382384 bytes [23:47 16/12/2008] [23:47 16/12/2008] DC1BEDE6C3735D5850A64B7656458BC7

-= EOF =-

#6 Broni

Posted 27 May 2011 - 07:02 PM

It doesn't look like you ran a script from my reply #3.
You ran some different script. We're not looking for "jucheck.exe".


 


#7 andei2

Posted 28 May 2011 - 03:46 PM

ok... here it is

SystemLook 04.09.10 by jpshortstuff
Log created at 13:45 on 28/05/2011 by Owner
Administrator - Elevation successful

========== dir ==========

C:\DOCUME~1\Owner\LOCALS~1\Temp\smtmp - Unable to find folder.

-= EOF =-

#8 Broni

Posted 28 May 2011 - 06:48 PM

Unfortunately, it looks like you ran some program, which removed temporary files.
Because of that, you'll have to restore all shortcuts manually....

You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:
Posted Image
  • Then click on the Restore button.


To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.
  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".

Posted Image
NOTE: Make sure you right click on the Avast program, NOT on the Avast folder.

  • You'll see this window:

Posted Image

Due to the damage caused by the infection, you'll find "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open:

Posted Image

  • Highlight everything in "Path" box, right click on it, click "Copy"
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end
  • Click OK and you're done.

Posted Image

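The manual procedure in post #8, scripted as an added example (it is not part of the thread and not the AppPaths tool's own code). It assumes PowerShell 2.0 or later is installed, that the Path values the tool shows come from the standard Windows App Paths registry key, and that a shortcut's name contains the executable's base name; it only reports unless run with `-Apply`.

```powershell
# Added example, not from the thread. Report-only unless -Apply is passed.
param([switch]$Apply)

# Assumption: the paths to restore are registered under the App Paths key.
$appPathsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

# Lookup table: executable base name (lower case) -> full path that exists on disk.
$known = @{}
Get-ChildItem $appPathsKey | ForEach-Object {
    $exe = [string](Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
    if ($exe) {
        $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $known[[IO.Path]::GetFileNameWithoutExtension($exe).ToLower()] = $exe
        }
    }
}

$shell = New-Object -ComObject WScript.Shell
$roots = 'AllUsersStartMenu', 'StartMenu' |
    ForEach-Object { $shell.SpecialFolders.Item($_) }

Get-ChildItem -Path $roots -Recurse -Filter *.lnk | ForEach-Object {
    $file = $_
    $lnk  = $shell.CreateShortcut($file.FullName)
    if ($lnk.TargetPath) { return }   # Target is intact, nothing to repair

    # Heuristic (assumption): the shortcut name contains the executable's base name.
    $name = $file.BaseName.ToLower()
    $key  = $known.Keys | Where-Object { $name.Contains($_) } |
        Sort-Object Length -Descending | Select-Object -First 1
    $path = if ($key) { $known[$key] } else { $null }
    # Signature status lets the operator vet the binary before linking to it.
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

    $applied = $false
    if ($Apply -and $path) {
        $lnk.TargetPath       = $path   # bare path; arguments are a separate property
        $lnk.WorkingDirectory = Split-Path -Parent $path
        $lnk.Save()
        $applied = $true
    }
    New-Object PSObject -Property @{
        Shortcut = $file.Name; Proposed = $path; Signature = $sig; Applied = $applied
    }
} | Format-Table Shortcut, Proposed, Signature, Applied -AutoSize
```

Shortcuts that point to shell objects rather than files also report an empty target, so review the report before running with `-Apply`. On a machine that was recently infected, check the Signature column and the proposed path before pointing a shortcut at the executable.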

 


#9 andei2

Posted 28 May 2011 - 09:12 PM

Yes, I have all those programs in my files. I was pretty sure I would have to recreate the path. BUT...
There is no shortcut key in the properties box as I mentioned in the follow up to my initial post.
I don't know how to get that back, and Microsoft has no answer on their site that I can find.

Do you know if there is a place in the registry where the shortcut tab can be added? Right now I only have 4 tabs (this is windows XP btw). The missing tab is "shortcut"

#10 Broni

Posted 28 May 2011 - 09:16 PM

Are you sure you're clicking on a program itself, not on a program's FOLDER?


 


#11 andei2

Posted 28 May 2011 - 09:39 PM

Let me log off my computer and get back on the bad one. But you are correct. I am able only to get into the folder since the program itself says empty, nothing opens there. be back in a few

#12 Broni

Posted 28 May 2011 - 09:44 PM

I surely can't reproduce your issue, but what options do you have when you right click on "Empty"?


 


#13 andei2

Posted 28 May 2011 - 09:51 PM

looking at my top slot I see Mozyhome > Empty
If I click on mozyhome I get no shortcut. If I click on empty it blinks and goes away.

#14 Broni

Posted 28 May 2011 - 09:59 PM

I'm afraid you'll have to reinstall those programs...


 


#15 andei2

Posted 28 May 2011 - 10:04 PM

Blech... yeah, that's the conclusion I came to as well.

I don't know why this one turned badly. The other 5 I had this week went fine. But this is an old computer that might have had other issues. *sigh*

I don't know where I will find matching programs. blast.


YAY!!! I found a work-around so I do not have to reinstall programs. See the result on page 2

Edited by andei2, 28 May 2011 - 11:26 PM.




