• Status: Solved

Missing Shortcuts Due to Malware

I am working on a PC with Windows XP Pro; it had some kind of malware that made the Start menu items hidden, as well as the desktop and All Programs items. I have dealt with this before. From Safe Mode with Networking I have run (in this order): RKill, Malwarebytes, Unhide.exe, the registry fix to reassociate .exe files, ComboFix.exe, and the BitDefender online scan. Malwarebytes I ran a couple of times to totally clean all objects. You guys had previously answered the question of how to fix all the empty folders in "All Programs" (i.e. all the folders under All Programs show as empty after one folder deep; example: Start -> All Programs -> Microsoft Office -> empty). Previously I was told to go here: WinXP C drive -> Docs and Settings -> User Account -> Application Data -> Local Settings -> Application Data -> temp -> smtmp.
This time I don't see a Local Settings folder under Application Data; I have searched for "smtmp" under the Users folder and found nothing (yes, I'm searching hidden files too). So is this a new variation of the same old malware, and are the files simply held somewhere else? How to get these back is the real question.
1 Solution
Thethical Commented:
Did you unhide the OS protected files? Once cleaned, did you run a System Restore?
Rebol (Author) Commented:
No, those files should stay hidden. And no, if I ran System Restore then it would undo several of the changes made, specifically the reassociation made for the .exe files. I did run the Unhide app, which unhides the appropriate files, but it will not replace the files that were moved by the malware, i.e. the shortcuts to the apps.
younghv Commented:
All of the top-line scanner tools are designed to run in "Normal Mode", not "Safe Mode".

They need to be run in Normal Mode because that is when the rogue processes are running, and because the creators develop them to run that way.
These EE Articles cover the basics of troubleshooting and repair of current malware variants:
Stop-the-Bleeding-First-Aid-for-Malware
Rogue-Killer-What-a-great-name

Take a look at this EE Article by 'rpggamergirl' that seems to address the symptoms you're describing:
Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files

For a general discussion of current malware fighting techniques, have a read of this collaborative effort:
Malware Fighting – Best Practices
Rebol (Author) Commented:
From personal experience and from what I've read, it is best to at least start by running the scanners from Safe Mode with Networking. One reason is exactly what you stated: the malware/virus is running in regular mode, and much of the malware out there attacks the "anti" programs, rendering them useless or preventing them from updating properly (hence "Safe Mode with Networking"). I have seen this with even the "top-line" scanners (SEP, Norton, Malwarebytes, BitDefender, McAfee, ComboFix, even RKill). RKill even tells you to rename it to an innocuous name prior to copying it to an infected PC so the running bad processes won't attack it. Best to get in the first strike and attack when most of them are not running. I always follow up my clean-up procedure by running scans again in regular mode, but that is usually just a formality. I read through these articles, but I don't see any mention of what to do if the directory "smtmp" doesn't exist, except when someone had cleared the temps, which I have not. I tried running restoresm.bat, but that didn't seem to change anything. So I just don't know where to find these shortcuts. Or will I have to manually rebuild the file structure in the menus?
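As an added example (not a tool from this thread, and not the restoresm.bat script mentioned above), a small Python script that walks a profile tree, including the hidden folders the XP Search UI skips by default, to locate any folder named "smtmp" and any .lnk files sitting outside the usual Start Menu, Desktop or Quick Launch folders, then copies them back into place without overwriting anything already there. The EXPECTED_HOMES list, the function names and the constructed sample profile layout are assumptions made for the example.

```python
import os
import shutil

# Folder names under which an XP profile's shortcuts normally live (constructed
# list for this example; compared case-insensitively, one path component each).
EXPECTED_HOMES = ("start menu", "desktop", "quick launch")

def find_stashed_shortcuts(profile_root):
    """Walk a profile tree, hidden folders included, and return (smtmp_dirs,
    stray_lnk): every folder named 'smtmp' plus every .lnk file lying outside
    the folders that shortcuts normally belong in."""
    smtmp_dirs, stray_lnk = [], []
    for dirpath, dirnames, filenames in os.walk(profile_root):
        rel = os.path.relpath(dirpath, profile_root)
        parts = {p.lower() for p in rel.split(os.sep)}
        smtmp_dirs += [os.path.join(dirpath, d) for d in dirnames if d.lower() == "smtmp"]
        if parts & set(EXPECTED_HOMES):
            continue  # shortcuts under these folders are where they should be
        stray_lnk += [os.path.join(dirpath, f) for f in filenames if f.lower().endswith(".lnk")]
    return sorted(smtmp_dirs), sorted(stray_lnk)

def restore_shortcuts(stash_dir, target_dir, dry_run=True):
    """Copy every .lnk under stash_dir back into target_dir, keeping the relative
    sub-folder layout (e.g. 'Microsoft Office/Word.lnk') and never overwriting a
    file already present. Returns the (source, destination) pairs copied, or in
    a dry run the pairs that would be copied."""
    copied = []
    for dirpath, _, filenames in os.walk(stash_dir):
        for f in filenames:
            if not f.lower().endswith(".lnk"):
                continue
            src = os.path.join(dirpath, f)
            dst = os.path.join(target_dir, os.path.relpath(src, stash_dir))
            if os.path.exists(dst):
                continue  # keep whatever the user has already rebuilt by hand
            copied.append((src, dst))
            if not dry_run:
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)
    return copied

def build_sample_profile(root):
    """Create a constructed XP-style profile in which one Start menu shortcut has
    been moved into a stash folder; returns the stash sub-folder to restore from."""
    stash = os.path.join(root, "Local Settings", "Temp", "smtmp", "1")
    os.makedirs(os.path.join(stash, "Microsoft Office"))
    os.makedirs(os.path.join(root, "Start Menu", "Programs", "Accessories"))
    open(os.path.join(stash, "Microsoft Office", "Word.lnk"), "w").close()
    open(os.path.join(root, "Start Menu", "Programs", "Accessories", "Notepad.lnk"), "w").close()
    return stash
```

Run find_stashed_shortcuts on the profile root first and review the listing; only then call restore_shortcuts with dry_run=False against the matching Start Menu\Programs folder.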
younghv Commented:

I wish you well in resolving this.

/unsubscribe
Rebol (Author) Commented:
Thanks anyway, buddy. I got a new tool out of it (restoresm.bat); it didn't work here, but it may on future occasions, so thanks for that.
Thethical Commented:
The purpose of unhiding the OS protected files is to search for other files or folders that the Windows search cannot find. Once the protected files are unhidden, check the temp folder for any suspicious files to delete, and then rehide them.
Question has a verified solution.