Help With .lnk File Takeover (recommended I Come Here From Previous Thread)

previous thread: https://forums.majorgeeks.com/threads/help-with-malware-removal.319890/#post-2023997

situation: my computer got infected with a virus i'm calling "nrpro" it was a ransomware that would pop up a blue screen and inform me my computer was being taken over by a "randsom ware" and to call 1-800 number.
i've managed to remove the virus but it's effects seem to still be lingering,
what happened was when it was installed on my computer several of my desktop icons became hidden and it tried to replace the hidden icons with similiar icons, but failed..i assume?
what i saw happen in the span of no more then 60 seconds was about 10 of my desktop icons faded, then were duplicated and then the duplicated ones disappeared/were deleted.
since then any time i try to pin my internet browser (chrome) to the task bar i get an error message that the shortcut :exe.(something).bat" cannot be found, would you like to delete this shortcut.
i'm able to open chrome, but in task manager next to the open new window icon it's instead an icon for one of the icons that were hidden/faded out and i get the same error message concerning the shortcut.

doing some digging around i discovered the location of the .bat file to be %appdata\roaming\browsers, so i went there to try to manually delete it, but couldn't find the folder.
so i instead recreated the folder and the .bat file putting some jibberish in the file ("do nothing" ) and then proceeded to run a virus scan using malware bytes , (and other malware software like roguekiller and hitmanpro, but primarily malware bytes). the folder and .bat file were identified as a PUP at which point i quarantined and then prompted deleted them using malware bytes.

giving it about 2-3 minutes and then relaunching chrome the icon and the .bat file name changes to a different shortcut icon tha t was hidden and a different exe.bat file name

icons/file names in order so far

warthunder : exe.erolpxei.bat
cross out : exe.rehcnual.bat
blizzard.net : exe.rehcnual ten.elttab.bat
star wars the old republic : exe.rehcnual.bat

from what i can see it seems like all the .bat files are the backwards name of the respective hidden icon, and they do seem to match up.

i'm not really sure what i've done/been doing to recreate the icons/file names changing though, my best guess is that recreating the folder and .bat file manually, then removing them via malware bytes has something to do with it? but it's not repeatable 100% of the time and seems to be very hit and miss... for example it took 1 try to go from warthunder to cross out, but it took 5 tries to go from blizzard to S.W.T.O.R. and as of yet i'm on my 3rd try with star wars and no success?

it'd be nice if i could just find the root of what is doing this and nip it in the butt but i'm not sure where to look at this point or what to do beyond continually recreating the folder manually then deleting it via my virus scan

 

have you tried using this? https://www.majorgeeks.com/files/details/tweaking_com_windows_repair.html
i would just run the "all repairs preset" so nothing gets overlooked, and all of your programs and files should remain intact.
if you do run this program, it'll prompt you for a restart when it completes the repair.
may run for an hour or so before it finishes.

 

ok, finished all the proccessing and stuff, but saddly, still having the same problem

 

i checked my registry via reg edit and under my classic roots i found a folder in my lnk titled "{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}" not sure if this is normal or not, but i know from experience that most viruses or harmful files tend to hide in alpha-numerically named folders...... i don't know enough about registry keys to know if this is normal or how to check if it's normal or not though

 

It's HKEY_CLASSES_ROOT.
And that folder is normal - I have the same in Windows 7.

BTW Did you run Tweaking.com - Windows Repair in Safe Mode?

 

yes, no luck

 

at this point i feel like it's maybe a registry key or something but i'm not sure what/where.... i tried using a process monitoring software but i can't find where the file is being created and then deleted, i feel like if i could track down when it happens i could follow it to what's causing it =/

 

found a command line i think looks weird in the proccess monitor, states that chrome started and this is the command line:

"C:\Program Files (x86)\Google\Chrome\Application\chrome - Copy.exe" --type=renderer --field-trial-handle=1732,18390708005719091961,6704870259643188926,131072 --service-pipe-token=25185993058534583 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=25185993058534583 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1

not sure if this should all be here or not? =/

 

Look in Default Programs.
Is there anything out of the ordinary?

Look at Chrome's add-ons.
Anything you don't recognize?

 

nothing in chromes extensions that seems out of place,
and nothing in default programs =/

 

this proccess logger i found isn't really showing anything...or rather is showing TOO much, can anybody suggest an event viewer? trying to see what happens when i launch chrome to see why this .bat file is creating itself and then deleting

 

OMFG I FIXED IT!!!

went to regedit > Computer\HKEY_CLASSES_ROOT\ChromeHTML\shell\open\command the command line was :"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "0" -1% or something along those lines (i deleted the part after the .exe and forget exactly what it was but it was very close to "0" %-1% ) and it's working again now!

any insights on what happened or what is "0" -1" thing might have been? (i know it was 0 -1 with symbols around it i forget if they were " " or % or both =/ sorry. but yeah, it was a file extension that was buried deep in my registry files causing chrome to open another file or something ? (i'm assuming? )

 

Just to be sure, restart and run Chrome.

 

that's actually how i tested to make sure it was fixed before posting

 

Well done!