Solved

Missing Short Cuts d/t Malware

Posted on 2011-10-30
Last Modified: 2012-05-12
I am working on a PC with Windows XP Pro; it had some kind of malware that made the start menu items hidden, as well as the desktop and All Programs items. I have dealt with this before. From safe mode with networking I have run (in this order): R-Kill, Malwarebytes, Unhide.exe, the registry fix to reassociate .exe files, ComboFix.exe, BitDefender Online Scan. Malwarebytes I ran a couple of times to totally clean all objects. You guys had previously answered the question of how to fix all the empty folders in "All Programs" (i.e. all the folders under All Programs show as empty after one folder deep; example: Start - All Programs - Microsoft Office - empty). Previously I was told to go here: WinXP C Drive -> Docs and Settings -> User Account -> Application Data -> Local Settings -> Application Data -> temp -> smtmp.
This time I don't see a Local Settings folder under App Data. I have searched for "smtmp" under the Users folder and found nothing (yes, I'm searching hidden files too). So is this a new variation of the same old malware, and are the files simply held somewhere else? How to get these back is the real question.
Question by:Rebol
8 Comments
 
LVL 8

Expert Comment

by:Thethical
ID: 37053527
Did you unhide the OS protected files? Once cleaned, did you run a System Restore?
 

Author Comment

by:Rebol
ID: 37053548
No, those files should stay hidden. And no, if I ran System Restore then it would undo several of the changes made, specifically the reassociation made for the .exe files. I did run the Unhide app, which unhides the appropriate files, but it will not replace the files that were moved by the malware, i.e. the shortcuts to the apps.
 
LVL 38

Expert Comment

by:younghv
ID: 37053769
All of the top-line scanner tools are designed to run in "Normal Mode" - not "Safe Mode".

They need to be run in Normal Mode because that is when the rogue processes are running and because the creators develop them to run that way.
These EE Articles cover the basics of troubleshooting and repair of current malware variants:
Stop-the-Bleeding-First-Aid-for-Malware
Rogue-Killer-What-a-great-name

Take a look at this EE Article by 'rpggamergirl' that seems to address the symptoms you're describing:
Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files:

For a general discussion of current malware fighting techniques, have a read of this collaborative effort:
Malware Fighting – Best Practices

Author Comment

by:Rebol
ID: 37054228
From personal experience and from what I've read, it is best to at least start by running the scanners from safe mode with networking. One reason is exactly what you stated: the malware/virus is running in regular mode, and much of the malware/viruses out there attack the "anti" programs, rendering them useless or preventing them from updating properly (hence the "safe mode with networking"). I have seen this with even the "top-line" scanners (SEP, Norton, Malwarebytes, BitDefender, McAfee, ComboFix, even R-Kill). R-Kill even tells you to rename it to an innocuous name prior to copying it to an infected PC so the running bad processes won't attack it. Best to get in the first strike and attack when most of them are not running. I always follow up my clean-up procedure with running scans again in regular mode, but that is usually just a formality. I read through these articles, but I don't see any mention of what to do if the directory "smtmp" doesn't exist, except when someone had cleared the temps, which I have not. I tried running restoresm.bat but that didn't seem to change anything, so I just don't know where to find these shortcuts. Or will I have to manually rebuild the file structure in the menus?
 
LVL 38

Expert Comment

by:younghv
ID: 37054385

I wish you well in resolving this.

/unsubscribe
 

Accepted Solution

by:Rebol (earned 0 total points)
ID: 37054631
Thanks anyway buddy, I got a new tool out of it (restoresm.bat), which didn't work here but may on future occasions, so thanks for that.
 
LVL 8

Expert Comment

by:Thethical
ID: 37058662
The purpose of unhiding the OS protected files is to search for other files or folders that the Windows search cannot find. Once the protected files are unhidden, check the temp folder for any suspicious files to delete, and then rehide them.
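The original question (search every profile for a hidden "smtmp" folder and put the moved shortcuts back) and the comment above (look in Temp with hidden/system files visible, since the Windows search skips them) call for the same small recovery script. The following is an added example written for this thread, not restoresm.bat or any tool from the original posts. It walks a profile tree without skipping hidden entries, reports every smtmp directory it finds, and copies the stashed shortcuts back without overwriting anything already restored. Two things are assumptions, not facts from the page: the SMTMP_MAP table (which smtmp subfolder corresponds to which Start Menu, Quick Launch or Desktop location) mirrors what restoresm.bat-style scripts use and should be checked against your own findings, and the sample profile tree in build_demo_tree is constructed data so the script can be dry-run offline before touching a real machine.

```python
"""Locate and restore Start Menu / Desktop shortcuts that a fake-AV infection
moved into a hidden 'smtmp' folder under a user's Temp directory.

Added example for this thread, not a tool from the original posts. The
subfolder mapping below is an assumption to be verified on the infected PC."""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed mapping of smtmp subfolders to their original locations, relative to
# the profile root (C:\Documents and Settings on XP). Adjust if your variant
# differs: inspect each smtmp subfolder before trusting this table.
SMTMP_MAP = {
    "1": Path("All Users") / "Start Menu",
    "2": Path("{user}") / "Application Data" / "Microsoft"
         / "Internet Explorer" / "Quick Launch",
    "4": Path("All Users") / "Desktop",
}


def find_smtmp_dirs(profile_root):
    """Return every directory named 'smtmp' anywhere under profile_root.
    os.walk does not skip hidden or system entries, so this finds folders
    that the Explorer search dialog would leave out."""
    hits = []
    for dirpath, dirnames, _ in os.walk(profile_root):
        for d in dirnames:
            if d.lower() == "smtmp":
                hits.append(Path(dirpath) / d)
    return sorted(hits)


def restore_shortcuts(smtmp_dir, profile_root, user, dry_run=True):
    """Copy the contents of each mapped smtmp subfolder back to its original
    location. Returns the (src, dst) pairs that were (or, in dry-run mode,
    would be) copied. Existing destination files are never overwritten, so a
    partially rebuilt menu is not clobbered by a second run."""
    actions = []
    for sub, rel in SMTMP_MAP.items():
        src_root = Path(smtmp_dir) / sub
        if not src_root.is_dir():
            continue
        dst_root = Path(profile_root) / str(rel).format(user=user)
        for dirpath, _, filenames in os.walk(src_root):
            for name in filenames:
                src = Path(dirpath) / name
                dst = dst_root / src.relative_to(src_root)
                if dst.exists():
                    continue
                actions.append((src, dst))
                if not dry_run:
                    dst.parent.mkdir(parents=True, exist_ok=True)
                    shutil.copy2(src, dst)
    return actions


def build_demo_tree(base):
    """Construct a fake XP profile tree (constructed sample data, not a real
    infection) with two shortcuts stashed in smtmp; return the profile root."""
    profiles = Path(base) / "Documents and Settings"
    smtmp = profiles / "Rebol" / "Local Settings" / "Temp" / "smtmp"
    office = smtmp / "1" / "Programs" / "Microsoft Office"
    office.mkdir(parents=True)
    (office / "Word.lnk").write_text("constructed placeholder shortcut")
    (smtmp / "4").mkdir(parents=True)
    (smtmp / "4" / "Firefox.lnk").write_text("constructed placeholder shortcut")
    return profiles


def run_demo():
    """Build the sample tree in a temp dir, restore it for real, and report
    plain values: smtmp dirs found, restored names, whether all destinations
    exist, and how many copies a second (idempotent) pass would make."""
    with tempfile.TemporaryDirectory() as tmp:
        profiles = build_demo_tree(tmp)
        found = find_smtmp_dirs(profiles)
        actions = []
        for d in found:
            actions += restore_shortcuts(d, profiles, user="Rebol", dry_run=False)
        all_exist = all(dst.exists() for _, dst in actions)
        second_pass = sum(
            len(restore_shortcuts(d, profiles, user="Rebol")) for d in found)
        return (len(found), sorted(dst.name for _, dst in actions),
                all_exist, second_pass)


if __name__ == "__main__":
    count, names, ok, again = run_demo()
    print(f"smtmp folders found: {count}; restored: {names}; "
          f"all present: {ok}; second pass would copy: {again}")
```

On a real machine, point find_smtmp_dirs at C:\Documents and Settings (or C:\Users on later versions), read the list it prints, and call restore_shortcuts with dry_run=True first to review the planned copies before running it for real. If no smtmp directory turns up in any profile's Temp, the script has answered the question negatively and the menu structure will have to be rebuilt by hand.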
 

Author Closing Comment

by:Rebol
ID: 37166515
.