
"File Restore" - virus or a real hard drive problem?


16 replies to this topic

#1 Darel

  • Members
  • 74 posts

Posted 20 October 2012 - 08:11 PM

My wife's laptop - HP Pavilion dv7 running Windows 7 Home Premium SP1.

She was working on a paper online and got a popup that said "File restore in progress", opened up a window that started showing lots of very scary-looking red, yellow and green hard drive errors. All of her desktop icons were deleted except for the recycle bin and Google Chrome, which she's never used anyway. I have MBAM and SAS installed and the MBAM file was empty, and SAS locks up as soon as I try to open it.

I suspect a virus because the only option to close the "File Restore" program window is to click "Repair" on the dozens of bright red scary hard disk errors it gives you. You can't actually close it. When I did click "Repair" it popped up with a "purchase now" File Restore box. At this point I went into the task manager and forced it closed, which it still didn't do; I had to "end now".

I restarted the computer and the "File Restore" was the only thing that opened, all desktop icons are still gone except the two mentioned above, and the SAS update download window opened (although the program itself seems to be missing) but would not respond to anything, nor was the progress bar moving. This too had to be forced closed in the task manager.

I managed to re-download MBAM using Google Chrome (since IE is now gone). I have a full scan running on it right now.

Any thoughts / advice on both cleaning up her laptop AND possibly restoring everything that was on it before that seems to be missing? Please let me know if this is a virus for certain and I'll move it over to the proper forum. Just want to make sure this really isn't a bunch of real hard drive errors. I couldn't find anything on File Restore when I searched either the Virus forum or the entire BC site.

Thanks,
Darel



#2 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender: Male
  • Location: USA

Posted 20 October 2012 - 09:15 PM

Hi Darel,

It is indeed a virus. See here: http://www.bleepingcomputer.com/virus-removal/remove-file-restore

#3 Darel

  • Topic Starter
  • Members
  • 74 posts

Posted 20 October 2012 - 09:26 PM

Thanks!

#4 Darel

  • Topic Starter
  • Members
  • 74 posts

Posted 21 October 2012 - 09:27 AM

OK, still having a problem. I followed the instructions and got rid of the virus. I cannot seem to recover (unhide?) my desktop icons. I first used the unhider program in the instructions, then went and downloaded another I found on the internet, then I finally went through step by step and into the properties and "show all hidden", and ran the -H command prompt manually, and nothing seems to want to recover or unhide them. Any other ideas? Below is the logfile produced by Unhide.

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 10/21/2012 10:21:36 AM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 177905 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 122 files processed.

Processing the F:\ drive
Finished processing the F:\ drive. 34 files processed.

Processing the Q:\ drive
Finished processing the Q:\ drive. 0 files processed.

Restoring the Start Menu.
* 17 Shortcuts and Desktop items were restored.


Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 10/21/2012 10:26:00 AM
Execution time: 0 hours(s), 4 minute(s), and 24 seconds(s)

#5 Sarah_Anderson

  • Members
  • 37 posts

Posted 21 October 2012 - 11:01 AM

This particular rogue hides your files by adding the +h attribute to them. But some other rogues move your Start Menu/Desktop shortcuts to a different folder to hide them from you. Maybe this could be a new variant which moves your Start Menu/Desktop shortcuts to a different folder as well as hiding them?

This method will find all your Start Menu/Desktop shortcuts, whether they are hidden or moved. (It won't find them if the .lnk file extension had been renamed, but hopefully that's not the case.)

1. Download Everything-1.2.1.371.exe from HERE and install it. (During the installation, tick the box to allow the installer to create a Desktop shortcut to the program.)
2. Run Search Everything from the shortcut on your Desktop.
3. Type *.lnk into the search bar at the top of the program GUI.
4. You should now see all your shortcuts and where they are located.
5. Right click on any shortcut, select Properties, then click on the General tab. Under Attributes:, if the Hidden box is ticked, untick it, then click Apply, then click OK.

If you are unsure of anything, you can post a log for me to look at. To do this, click File, then click Export. Save the log to your Desktop and post it here if you want me to take a look at it.

Let me know how you get on. :)
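
The check described in the post above, scripted as an added example (it is not part of the original post, the Unhide tool, or Everything). It lists every .lnk file under a folder, reports which ones carry the Hidden (+h) attribute, and groups the rest by folder so relocated shortcuts stand out. The parameter names `$Root` and `$Unhide` and the "usual location" pattern (Desktop or Start Menu) are assumptions made for this example; the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: audit shortcut (.lnk) files for the two hiding techniques
# discussed in this thread: the Hidden attribute (+h) and relocation.
param(
    [string]$Root = $env:USERPROFILE,  # assumption: start with the affected user's profile
    [switch]$Unhide                    # when set, clear the Hidden attribute where found
)

$Hidden = [IO.FileAttributes]::Hidden
$System = [IO.FileAttributes]::System

# -Force makes Get-ChildItem return hidden and system items, which Explorer
# omits by default. Unreadable folders are skipped instead of aborting the scan.
$shortcuts = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' }

$report = foreach ($lnk in $shortcuts) {
    $isHidden = [bool]($lnk.Attributes -band $Hidden)
    $cleared  = $false

    if ($isHidden -and $Unhide) {
        try {
            # -bxor flips only the Hidden bit; the $isHidden guard ensures the
            # bit is being cleared, never set.
            $lnk.Attributes = $lnk.Attributes -bxor $Hidden
            $cleared = $true
        } catch {
            Write-Warning "Could not change attributes on $($lnk.FullName): $_"
        }
    }

    New-Object PSObject -Property @{
        Path          = $lnk.FullName
        Folder        = $lnk.DirectoryName
        WasHidden     = $isHidden
        Cleared       = $cleared
        IsSystem      = [bool]($lnk.Attributes -band $System)
        # Assumption: shortcuts normally live under a Desktop or Start Menu folder.
        UsualLocation = ($lnk.DirectoryName -match '\\(Desktop|Start Menu)(\\|$)')
    }
}

'--- Shortcuts carrying the Hidden attribute ---'
$report | Where-Object { $_.WasHidden } |
    Select-Object Path, IsSystem, Cleared | Format-Table -AutoSize

'--- Folders outside Desktop / Start Menu that hold shortcuts ---'
$report | Where-Object { -not $_.UsualLocation } |
    Group-Object Folder | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it without `-Unhide` first to get a read-only report. An empty first table together with a folder holding an unexpectedly large number of shortcuts in the second points to relocation rather than the +h attribute.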

#6 Darel

  • Topic Starter
  • Members
  • 74 posts

Posted 21 October 2012 - 01:00 PM

No dice. It seems like everything that was missing appeared on this list, but nothing I could find, not one single item on the list, was ticked "hidden". I tried toggling a few, "hidden" then back to not hidden, with no change.

Since this is my wife's computer, I'm not really sure what all she had saved on her desktop, but I have been specifically looking for an IE icon to come up and I'm not really seeing it, ever. A couple variants of Internet Explorer show up on this report, but again none are ticked "hidden".

Thank you very much for your help on this matter.

Log below:

C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.17514_none_5b56b853bd5adf50\Windows PowerShell Modules.lnk
C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.17514_none_5b56b853bd5adf50\Windows PowerShell.lnk
C:\Users\Public\Documents\YouCam\YouCam(Webcam).lnk
C:\ProgramData\Microsoft\Windows\GameExplorer\{530bf15f-039a-4796-9724-3503dfc6796a}\PlayTasks\0\Zuma Deluxe.lnk
C:\HP\HPQWare\dtshortcuts\ZH-HK\All\做買賣?去eBay!.lnk
C:\HP\HPQWare\StartMenuLink\ZH-HK\All\Online Services\做買賣?去eBay!.lnk
C:\HP\HPQWare\dtshortcuts\ZH_CN\喀嚓鱼照片.lnk
C:\HP\HPQWare\StartMenuLink\ZH_CN\Music and Media\喀嚓鱼照片.lnk

#7 thisisu

  • Malware Response Team

Posted 21 October 2012 - 01:09 PM

Another program capable of restoring the shortcuts is RogueKiller.

If you open the program, there is a Fix Shortcuts button.

#8 Darel

  • Topic Starter

Posted 21 October 2012 - 01:53 PM

No luck. RK report:

RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Kellie [Admin rights]
Mode : Shortcuts HJfix -- Date : 10/21/2012 14:52:26

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 2 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 145 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 49 / Fail 0
Backup: [FOUND] Success 0 / Fail 0 / Exists 17

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[Q:] \Device\SftVol -- 0x3 --> Restored

Finished : << RKreport[1].txt >>
RKreport[1].txt

#9 thisisu

  • Malware Response Team

Posted 21 October 2012 - 02:01 PM

Was a temporary file cleaner run after the infection occurred?

CCleaner, TFC?

#10 Darel

  • Topic Starter

Posted 21 October 2012 - 02:11 PM

No, all I've run is basically MBAM, SAS, and several programs designed to help unhide files. I also ran the RK for the report above.

#11 Sarah_Anderson


Posted 21 October 2012 - 02:22 PM

thisisu is a malware expert, and I am not. So I recommend that you follow his instructions from now on. :thumbup2:

But, just for your information, the Search Everything log shows that there are a load of shortcuts in the Recycle Bin. Were they deleted deliberately? If they were not deleted deliberately, you could try restoring a few and see what happens.

#12 Darel

  • Topic Starter

Posted 21 October 2012 - 02:26 PM

I don't think they were deleted deliberately...that certainly would be easy. Thanks!

#13 Darel

  • Topic Starter

Posted 21 October 2012 - 02:33 PM

There were a lot of deleted shortcuts, but none of them should have been shortcuts in the first place...hmmm...no reason to make a desktop shortcut to every single digital picture in the picture library.

Still not there, but I think getting closer.

#14 thisisu

  • Malware Response Team

Posted 21 October 2012 - 03:05 PM

Sorry to be the bearer of bad news but the shortcuts are gone :(

They are typically stored in a folder in %temp% called SMTMP.

Both Unhide and RogueKiller do not detect its presence.

You didn't try to run ComboFix, did you? Sometimes ComboFix will back up the SMTMP folder into its Quarantine folder (Qoobox).
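
An added triage check, not part of any post in this thread: the read-only PowerShell below looks for the SMTMP folder under %TEMP% that post #14 describes, then counts hidden items and .lnk files in the desktop, Start Menu and Quick Launch folders that appear in the logs above. Assumptions: it runs in the affected user's session (%TEMP% is per-user), desktop.ini is left out of the hidden count because Windows hides it by default, and the syntax stays within PowerShell 2.0 as shipped with Windows 7.

```powershell
# Added example (read-only). Folder name SMTMP and its %TEMP% location come from
# the thread; the list of folders to inspect is an assumption based on the logs.

$smtmp = Join-Path $env:TEMP 'smtmp'

if (Test-Path -LiteralPath $smtmp) {
    # -Force is required: the items may carry Hidden/System attributes
    $saved = @(Get-ChildItem -LiteralPath $smtmp -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    "SMTMP present: {0} file(s) under {1}" -f $saved.Count, $smtmp
    # Per-subfolder counts show which shortcut sets are still recoverable
    $saved | Group-Object DirectoryName |
        ForEach-Object { "  {0,5}  {1}" -f $_.Count, $_.Name }
} else {
    "SMTMP not found at $smtmp (never created, or already removed, e.g. by a temp cleaner)"
}

# Per-user and all-users shortcut locations seen in the logs on this page
$locations = @(
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:PUBLIC      'Desktop'),
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:APPDATA     'Microsoft\Internet Explorer\Quick Launch')
)

"{0,6} {1,6}  {2}" -f 'hidden', '.lnk', 'location'
foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) {
        "{0,6} {1,6}  {2} (missing)" -f '-', '-', $dir
        continue
    }
    $all = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue)
    # desktop.ini is hidden by default, so it is not evidence of tampering
    $hidden = @($all | Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and $_.Name -ne 'desktop.ini'
    })
    $links = @($all | Where-Object { $_.Extension -eq '.lnk' })
    "{0,6} {1,6}  {2}" -f $hidden.Count, $links.Count, $dir
}
```

A high hidden count alongside existing .lnk files points to shortcuts that were only hidden and can be unhidden; near-zero .lnk counts with no SMTMP folder match the situation described in post #14, where the shortcuts have to be recreated.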

#15 Darel

  • Topic Starter

Posted 21 October 2012 - 03:13 PM

Nope, I've been around here long enough to know not to run ComboFix without being told to do so by one of the experts!

Now, this may seem like a pretty basic computer question. Everything on the desktop IS just a shortcut, right? My missing desktop icons only mean that shortcuts were deleted, and not actual programs, correct?

If that's the case, this is no big deal. I can "clean up" my wife's desktop and make new shortcuts to what she actually uses.

I just want to make sure that what's hidden is just shortcuts, and down the road if it does appear that something is missing, I just need to look for it and un-hide it.

Thank you all for your help!

Darel



