Empty folders after Windows Restore Virus


12 replies to this topic

#1 DrGunner

DrGunner

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 09 June 2011 - 07:30 PM

I think I have finally cleared my computer of the virus. I ran unhide.exe and got my desktop icons back. All my program folders are still empty however.

I saw in another thread about looking for a smtmp folder. I ran SystemLook but it came up empty.

SystemLook 04.09.10 by jpshortstuff
Log created at 17:26 on 09/06/2011 by Dr Lee
Administrator - Elevation successful

Invalid Context: dir %Temp%\smtmp /s

-= EOF =-

I was looking around on "my computer" and noticed a bunch of weird folders in my "windows" folder. They are named "$NtUninstallKB932823-v3$" but with different numbers. Inside them is a folder named "Spunist". There are also a lot of files named "KB980436"....with different numbers of course. Does this have anything to do with the virus or is it another one?


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:12:24 AM

Posted 09 June 2011 - 07:38 PM

Does this have anything to do with the virus or is it another one?

Those are safe entries - your Windows updates.

Unfortunately, it looks like some of the programs you ran removed that crucial temporary folder.
You'll have to restore your items manually.

You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:
Posted Image
  • Then click on the Restore button.


To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.
  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".

Posted Image
NOTE: Make sure you right click on the Avast program, NOT on the Avast folder.

  • You'll see this window:

Posted Image

Due to the damage caused by the infection, you'll find the "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open:

Posted Image

  • Highlight everything in "Path" box, right click on it, click "Copy"
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end
  • Click OK and you're done.

Posted Image


In case the program's link shows as (empty):

Posted Image

  • Open Windows Explorer, navigate to Avast folder in Program Files
  • Right click on Avast ".exe" file, click "Create shortcut":

Posted Image

  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively, you can paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif
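
The manual "Target" box repair described in post #2, scripted in PowerShell as an added example that is not part of the thread or of the AppPaths tool. It assumes PowerShell 2.0 or later and that the program's path is registered under the registry "App Paths" key (assumed here to be what the AppPaths tool displays); the function names and the commented sample link path are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Assumption: the program is registered under the registry "App Paths" key.
$appPathsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
$shell = New-Object -ComObject WScript.Shell

function Get-AppPathTable {
    # Map "program.exe" -> full path stored in each subkey's (Default) value.
    $table = @{}
    foreach ($key in Get-ChildItem $appPathsKey) {
        $exe = $key.GetValue('')
        if ($exe) { $table[$key.PSChildName] = $exe.Trim('"') }
    }
    return $table
}

function Get-EmptyShortcut {
    param([string]$StartMenu)
    # Shortcuts whose Target is blank, the damage described in the post.
    Get-ChildItem $StartMenu -Recurse -Filter *.lnk | Where-Object {
        -not $shell.CreateShortcut($_.FullName).TargetPath
    }
}

function Repair-Shortcut {
    param([string]$Link, [string]$ExeName, [switch]$Apply)
    $target = (Get-AppPathTable)[$ExeName]
    if (-not $target -or -not (Test-Path -LiteralPath $target)) {
        throw "No usable App Paths entry for $ExeName"
    }
    # On a recently infected machine, look at the binary's signature
    # before pointing a Start Menu entry at it.
    $sig = Get-AuthenticodeSignature -FilePath $target
    Write-Host "$target signature status: $($sig.Status)"
    if ($Apply) {
        $lnk = $shell.CreateShortcut($Link)
        $lnk.TargetPath = $target            # bare path, no surrounding quotes
        $lnk.WorkingDirectory = Split-Path $target
        $lnk.Save()
    }
}

# List damaged shortcuts in the all-users Start Menu, then repair one after review.
$menu = $shell.SpecialFolders.Item('AllUsersPrograms')
Get-EmptyShortcut $menu | Select-Object FullName
# Repair-Shortcut -Link 'C:\path\to\Example.lnk' -ExeName 'example.exe' -Apply
```

Without `-Apply` the function only reports the resolved path and its signature status, so each mapping can be reviewed before any shortcut is rewritten.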


 


#3 Quadrillion

Quadrillion

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 09 June 2011 - 08:08 PM

The virus just got me. I posted the logs, etc in the spyware forum. No response yet. As far as the startup shortcuts go, I did a test. Went to Paint Shop Pro folder (I was in Safe Mode), right clicked on psp.exe and clicked "send to desktop", i.e., I created a shortcut. Then I copied the shortcut, right clicked on the empty psp folder in Start Menu and pasted it. Seemed to work just fine. Shouldn't be too much trouble to do for the programs I really use.

By the way, how did you get rid of the malware/virus?

Edited by Quadrillion, 09 June 2011 - 08:08 PM.


#4 Broni

Posted 09 June 2011 - 08:17 PM

Quadrillion
It's not a proper way to post in someone else's topic.
It can be done, the way you did it, but I can't say anything more since I have no idea how clean your computer is and your work may get easily wasted.


#5 Quadrillion

Posted 09 June 2011 - 09:31 PM

Broni, my computer isn't clean yet, but his is. My solution worked and I think was basically a shortcut to doing what was described by you in your earlier post. But, in the future, I'll refrain from offering what I thought was a pretty harmless suggestion if that's bad form.

#6 Broni

Posted 09 June 2011 - 09:48 PM

By no means did I have any intention to offend you.
I suppose I misread your reply.
I apologize :)


#7 Quadrillion

Posted 09 June 2011 - 10:23 PM

Cool. I'm not a computer guru by any means, so you do have to keep an eye on me.

#8 Broni

Posted 09 June 2011 - 10:48 PM

Hehe...no problem :)


#9 DrGunner

Posted 10 June 2011 - 11:55 AM

What worked for me was to start up in safe mode with networking. I then ran RKill. Then a full scan of Malwarebytes. That seemed to do most of it. However, after rebooting, the Windows restore virus was gone but I had an error message about "catalyst Control Center not working" so I figured I was still infected. I then ran SuperAntispyware and it found an additional 2 items. Finally, I ran Unhide.exe to recover my desktop icons.

Thanks Broni for all your help

#10 DrGunner

Posted 10 June 2011 - 11:59 AM

Broni,

One question..... Instead of going through the hassle of restoring all of my folders, could I run the restore for the system folders then just do a system restore to a date before I got the virus? Thanks!!!

#11 Broni

Posted 10 June 2011 - 12:03 PM

Running system restore may bring the infection back.


#12 Quadrillion

Posted 10 June 2011 - 01:03 PM

Broni, are you saying that the virus might have planted something in a restore file that was created a week or more before the virus even entered the machine?

#13 Broni

Posted 10 June 2011 - 05:09 PM

Depending on the kind of infection, all kinds of files can get infected, including various restore points.
