.lnk / vbs infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ekibyogami, Jun 24, 2010.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Try the below patch, but first make sure that you have not been turning UAC back on. It needs to stay disabled while we are working on your PC and your logs show that it is enabled.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!




    Right click on the Start button and select Properties.
    • Make sure the Start Menu tab is selected and then click the Customize button
    • On the next form ( Custom Start Menu ) you should see Computer at the top.
    • Select Don't display this item.
    • Then click OK
    • Then click Apply
    Right now the Computer selection should not show at all when you left click on Start.

    Now repeat the above instructions but this time under the Computer item, select Display as a link. And click OK and then Apply.

    Now the Computer selection should be back on the Start Menu. Any change in the behavior?
     
  2. Ekibyogami

    Ekibyogami Private E-2

    I have left the UAC off the whole time, though I still get asked whether or not to let programs through even with that off.

    This fix now allows me to go back and forth between hidden and non-hidden.

    It also makes me have to press ctrl-alt-del before I can log onto my computer. (At the user screen)

    It did not allow me to change individual files to hidden or non-hidden though.

    As for the "Computer" shortcut, I still get the .vbs error. I assume it was just like all of those other folders where the original became hidden, a shortcut folder was made and needed the .vbs script to work. So for that shortcut, normally, is it in the registry to connect it to explorer.exe?

    Thank you again for yet another improvement.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the new MGlogs.zip file.

    Yes because it really is not disabled as I can see from your logs. ;)

    Great!

    Yes this is the preferred method anyway since it offers greater security especially the way malware is today. It is much more secure to make you have to select a user name and enter a password.

    No, that registry patch will not address this. You will have to fix that yourself from the command prompt like we did for the folders with the attrib -r -h command. And is it files that you have a problem with, or folders? Give some examples of which files or folders.

    Not sure how to fix this. It is not a shortcut like the others. Does this happen with other user accounts? If you do not have other user accounts, create one and see if it works okay or has similar problems. In the end, you may need to create a new user account to use for yourself since the malware may have just caused too much damage to recover from.
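    As an added example (not part of chaslang's reply or the MGtools package), a PowerShell script that audits the drive roots mentioned in the thread for the pattern described here: a folder or file that has been set Hidden, with a same-named .lnk beside it whose target is a script host running a .vbs. The drive letters and the -Fix switch are assumptions; run it from an elevated prompt. Without -Fix it only reports. One caveat on the attrib step: attrib refuses to drop Hidden from an item that also carries the System attribute, so the fix path clears -s along with -r and -h.

```powershell
<#
  Added example, not part of the thread or the MGtools package.
  Audits drive roots for the pattern described above: an item (folder or file)
  that has been set Hidden, with a same-named .lnk beside it whose target is a
  script host. Assumptions: the drive letters below (from the thread), and an
  elevated prompt. -Fix is opt-in; without it the script only reports.
#>
param(
    [string[]]$Roots = @('C:\', 'E:\', 'H:\'),
    [switch]$Fix
)

$shell = New-Object -ComObject WScript.Shell

function Get-LnkInfo([string]$LnkPath) {
    # WScript.Shell resolves what the shortcut really launches
    $sc = $shell.CreateShortcut($LnkPath)
    [pscustomobject]@{
        Lnk       = $LnkPath
        Target    = $sc.TargetPath
        Arguments = $sc.Arguments
    }
}

function Test-ScriptHostLnk($Info) {
    # The thread's shortcuts ran a .vbs; cover wscript/cscript and cmd wrappers
    $exe = [IO.Path]::GetFileName([string]$Info.Target)
    ($exe -match '^(wscript|cscript|cmd)\.exe$') -and
    ([string]$Info.Arguments -match '\.vbs')
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # The infection in the thread arrived via autorun.inf on removable media
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        Write-Warning "autorun.inf present: $autorun"
        Get-Content -LiteralPath $autorun |
            Select-String -Pattern 'open|shellexecute' |
            ForEach-Object { Write-Warning "  $($_.Line)" }
    }

    # -Force lists Hidden/System entries that a plain listing skips
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            $item = $_
            $lnk  = Join-Path $root ($item.Name + '.lnk')
            if (-not (Test-Path -LiteralPath $lnk)) { return }   # 'return' = next item in ForEach-Object

            $info = Get-LnkInfo $lnk
            $flag = if (Test-ScriptHostLnk $info) { 'SUSPICIOUS' } else { 'review' }
            '{0,-10} {1} -> {2} {3}' -f $flag, $lnk, $info.Target, $info.Arguments

            if ($Fix -and $flag -eq 'SUSPICIOUS') {
                # attrib will not drop Hidden from an item that is also System
                # unless -s is given too, so clear all three at once
                attrib -r -s -h $item.FullName
                Remove-Item -LiteralPath $lnk -Force
            }
        }
}
```

Run it once without -Fix and read the "SUSPICIOUS" lines before letting it clear attributes and delete shortcuts; legitimate junction-style entries such as the ones chaslang lists later in the thread (Application Data, Cookies, My Documents and so on) are Hidden but have no .lnk beside them and are left alone.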
     
  4. Ekibyogami

    Ekibyogami Private E-2

    Sadly enough, it was as simple as going back and just checking the box and un-checking the box and then pressing OK for the UAC.

    After the next start up, I did not have to press ctrl-alt-del. Does this matter?

    I am getting the folders taken care of. (Taking them out of hidden) Do you think that if I miss any folders that are not in the main areas that I am taking care of (ie. H drive, E drive and C drive), that it will make any difference considering all the shortcuts for programs still work?

    I accessed the Guest Account and the "Computer" shortcut error is also there.
     
  5. Ekibyogami

    Ekibyogami Private E-2

    For some reason I don't see the logs I attached in the last post so I am posting them here again just to make sure.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't use this account. In fact, make sure that you keep it disabled. Try booting in safe mode and use the Administrator account and see what happens. Also try creating a "NEW" user account with administrator privileges and see what happens with this new user account.


    I'm guessing that something under the below registry key may be changed that is causing this, but I'm not positive.

    HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}


    In fact please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg
      HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.
     
    Last edited: Sep 1, 2010
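    As an added example (not from the thread and not a SystemLook feature), the same CLSID key read with PowerShell from both hives that feed the HKEY_CLASSES_ROOT view. HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, and the per-user copy takes precedence, so a hijack of the Computer item can sit under the current user's hive and not show in the HKLM copy. The list of strings treated as suspicious is an assumption, chosen from what the thread describes (a .vbs launched through a script host).

```powershell
# Added example, not from the thread: dump the machine-wide, per-user and merged
# registrations of the Computer CLSID and flag values that reference a script host.
$clsid = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'
$paths = @(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid",   # wins over HKLM in the HKCR view
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"                      # the merged view SystemLook dumps
)
# Assumed indicator list: script hosts, .vbs/.js, cmd wrappers, user-writable paths
$badPattern = '(?i)wscript|cscript|\.vbs|\.js\b|cmd\.exe|\\temp\\|appdata'

function Get-ClsidValues([string]$KeyPath) {
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $keys = @(Get-Item -LiteralPath $KeyPath) +
            @(Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            # Keep %SystemRoot% unexpanded so the stored string is what you compare
            $val = [string]$k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Flag  = if ($val -match $badPattern) { 'SUSPICIOUS' } else { '' }
                Key   = $k.Name
                Name  = if ($name) { $name } else { '(Default)' }
                Value = $val
            }
        }
    }
}

foreach ($p in $paths) {
    Write-Host "== $p"
    if (-not (Test-Path -LiteralPath $p)) { Write-Host '   (not present)'; continue }
    Get-ClsidValues $p | Format-Table Flag, Key, Name, Value -AutoSize -Wrap
}
```

A clean machine normally has no per-user copy of this key at all, so anything printed under HKEY_CURRENT_USER deserves a look even when no value is flagged; compare the HKLM values against the same key on a known-good PC of the same Windows version rather than against a list from memory.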
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure why it keeps reverting back unless you are manually changing or running something that causes it to change to this way. The below registry value keeps being set back to a 1.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableCAD"=dword:00000001


    Only time will tell if you have a problem running or accessing something.;)



    Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\TEMP
    C:\Users\Aleigh\AppData\Local\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.
     
  8. Ekibyogami

    Ekibyogami Private E-2

    - While we are still going through this, I make only the changes in my computer that you tell me to. I figure that even if I felt like fiddling around, I prefer not taking any chances.

    - All files deleted in temp folders and Ccleaner was used. In Ccleaner though, not all the boxes were checked. The main ones were but ones like the Desktop Shortcuts and Start Menu Shortcuts were not checked. I checked those 2 though there were some others as well. Should I just check everything and run it one more time?

    - Guest account disabled. I tried creating the other account and going into safe mode, but there was no difference for the shortcut.

    - Here is the file asked for.

    - One other question for now. Since the initial virus I got came from when I opened a folder that was a shortcut file, should I not open any current folders that are marked as shortcuts just to be safe? I am not sure there are others left that are unhidden but I figured I should ask just in case.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below registry patch.

    Copy the bold text below to notepad. Save it as fixmc.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work. Now reboot your PC and see if there is any change.

    No!! It appeared when you inserted a USB memory stick which had an autorun.inf file that automatically ran and infected your PC.

    What folders are marked as shortcuts that you are worried about? Some normally show this way. Like the ones under C:\users\USERAccountName\ Application Data, Cookies, Local Settings, My Documents, NetHood, PrintHood, Recent, SendTo, StartMenu, and Templates. And there are others too like C:\Users Default User which you cannot access anyway just like the above other items.
     
  10. Ekibyogami

    Ekibyogami Private E-2

    The registry fix did not fully work, BUT it did solve the problem with the shortcut. :-D
    It mentioned that some keys were still in use. I did not need a reboot to have the fix start working already but I did anyways and it's still fine.

    I don't at the moment see any other folders outside of the ones you mentioned so until further notice, it feels like the virus is taken care of!

    As you mentioned about the autorun.inf file that created the virus, I had an SD card that I took out that was infected with the virus and I just now put it back in. I did not touch any folder in there to be safe and just deleted everything and formatted it. The Autorun.inf did not activate. I know that's what caused it as you said, but I think it still needed the activation of opening a folder that was infected and made into a shortcut.

    Either way, I am immensely thankful to both you Chaslang and Kestrel13!. So again, Thank You.

    Should I do any other logs or checks before we end this?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
