Solved Problems removing Windows-recovery virus

Aaaaa....thanks for the tip :)
Nice job....

Did my 2 failed attempts to system restore hurt anything?
No. Windows won't make any changes if a system restore attempt is incomplete.
 
Question, is it safe to assume that even if I was able to get system restore to work that it wouldn't necessarily bring back the deleted shortcuts? Aren't things like deleted items or even newly saved items unaffected by restore? And is it safe to assume restore is not working because of the virus? I still see restore points on the calendar but it doesn't complete, unless it needs to be done in safe mode for some reason? Sorry for all the questions...
 
is it safe to assume that even if I was able to get system restore to work that it wouldn't necessarily bring back the deleted shortcuts?
True, because system restore deals only with Windows files and registry.

And is it safe to assume restore is not working because of the virus?
I don't think system restore doesn't work per se, because as you could see, it tried to do its job.
However, I'd assume that most restore POINTS are corrupted because of the infection.

We can easily check.
Complete all last steps.
That way, all restore points will be removed and a new one will be created.
When you're done with everything, try to restore your computer to this very fresh (today's) restore point.
See if it'll work.
 
Below is the OTL log you requested before. Looks like it had some issues with temp\_avast, not sure if that's a problem or not.

I've been searching about this virus that I got hit with and found that several people are having the same exact issues as me since last week. I want to wait to see what solution develops before deleting any restore points. So, if you can keep the topic open I will get back to it or perhaps you'll find a fix and get back to it. It seems the user "shell" of the whole start menu is corrupt and I'm confident someone will find a fix soon! I hope...

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\VIRUS Removal\VundoFix Backups\cehjl.ini.bad moved successfully.
C:\VIRUS Removal\VundoFix Backups\cehjl.ini2.bad moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: hairlogic.com Inc
->Temp folder emptied: 240462 bytes
->Temporary Internet Files folder emptied: 1938464 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 68360917 bytes
->Flash cache emptied: 2956 bytes

User: HAIRLO~1~COM

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Lori
->Temp folder emptied: 1522 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33023 bytes
Session Manager Temp folder emptied: 0 bytes
Session Manager Tmp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 67.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 0 bytes

User: hairlogic.com Inc
->Flash cache emptied: 0 bytes

User: HAIRLO~1~COM

User: LocalService

User: Lori
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05122011_190151

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
OTL stated that it'll remove the Avast entry on reboot.

As for your shortcuts I have some more info.
Not too good though.
Windows Recovery is a pretty new type of infection, so I found out about a working solution only very recently.
What happens is, WR moves all those shortcuts to the Windows temporary folder and they can be recovered from there.
However, since we ran TFC, all items in that folder are gone.
Your only solution at this point is to recreate those shortcuts manually.
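
The post above says Windows Recovery moves the shortcuts into the Windows temporary folder, where they stay recoverable until a temp cleaner empties it. As an added example (not part of the original thread and not one of the tools used in it), this PowerShell script copies every `.lnk` file found under the temp folders to a holding folder and lists each one's target before any cleanup is run; the search roots and the `$BackupDir` location are assumptions made for the example.

```powershell
# Added example: inventory shortcut (.lnk) files under the temp folders and
# copy them to a holding folder BEFORE a temp cleaner is run.
# $TempRoots and $BackupDir are assumptions chosen for this example.
param(
    [string[]]$TempRoots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')),
    [string]$BackupDir   = (Join-Path $env:SystemDrive 'ShortcutBackup')
)

$shell = New-Object -ComObject WScript.Shell
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$index = 0
$found = foreach ($root in $TempRoots) {
    $index++
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

    # -Force includes hidden files; errors on locked folders are skipped
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut on an existing .lnk opens it for reading
            $lnk = $shell.CreateShortcut($_.FullName)

            # Keep the relative folder layout, one subfolder per search root,
            # so each item can be matched back to its Start menu folder
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            $dest     = Join-Path (Join-Path $BackupDir "root$index") $relative
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $dest -Force

            New-Object PSObject -Property @{
                Shortcut     = $_.FullName
                Target       = $lnk.TargetPath
                TargetExists = [bool]($lnk.TargetPath -and
                                      (Test-Path -LiteralPath $lnk.TargetPath))
                BackupCopy   = $dest
            }
        }
}

$found | Sort-Object Shortcut |
    Format-Table Shortcut, Target, TargetExists, BackupCopy -AutoSize
"{0} shortcut(s) copied to {1}" -f @($found).Count, $BackupDir
```

The `Target` column also gives the path to type into the "Target" field when a shortcut has to be recreated by hand.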
 
Ugh! Seriously? :(
Stupid question, how do I re-create shortcuts back to the start menu program's list?
Also, what determines which shortcuts get onto the programs used most often list of the start menu? Some things are there but some aren't, like Firefox, which I've used repeatedly but still doesn't show up there, and I have to go launch it from the programs folder.
 
Recreating shortcuts is fairly easy, just time consuming.

Let's say, I go Start>All Programs and click on Opera.
In your case, it shows [empty] - a shortcut is gone.
All you have to do is to right click on Opera, click Properties:


Then in "Target" field, you enter a path to a file (in quotation marks), which opens Opera.
In this case opera.exe.
 
How about using a program to recover the deleted shortcuts? Do you recommend any? It's not a lot of data that could be corrupted, just shortcuts, so it may work?
 