Shortcut virus - Command Prompt

Hi everybody :slight_smile: :smiley: It’s been awhile xD ;D

You see, my USB drive had been infected by shortcut virus so I was trying to remove it with the Command Prompt so I typed this command:
attrib -r -h -s /d /s .
and then:
@echo off
cls
del /f /s /q /a *.lnk

but I by mistake forgot to replace the root directory (C: drive) with the USB flash drive letter, now my computer it’s all a mess :cry:
Years ago the analysts in this forum helped me a lot ;D. I was wondering if I can use the Farbar Recovery Scan Tool to solve this

I’ve attached the FRST file

Anybody help me please ;D
Thanks in advance :smiley:
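The cleanup the post describes, restricted so that it cannot run against C: (an added example, not part of the original post; the script and its parameter names are assumptions made for illustration). It checks that the drive letter is a removable volume, lists each shortcut with its target, and deletes only when `-Delete` is given.

```powershell
# Added example: guarded removal of .lnk files from a removable drive only.
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
    [switch]$Delete   # without this switch the script only lists what it would remove
)

# Refuse anything that is not a removable volume (DriveType 2 in Win32_LogicalDisk).
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${DriveLetter}:'"
if (-not $disk) { throw "Drive ${DriveLetter}: not found." }
if ("${DriveLetter}:" -ieq $env:SystemDrive) { throw "Refusing to run on the system drive." }
if ($disk.DriveType -ne 2) {
    throw "Drive ${DriveLetter}: is not removable (DriveType=$($disk.DriveType)); refusing to run."
}

$root = "${DriveLetter}:\"

# Collect shortcuts, including hidden/system ones (-Force), without touching them yet.
$links = @(Get-ChildItem -LiteralPath $root -Filter *.lnk -File -Recurse -Force -ErrorAction SilentlyContinue)

# Show where each shortcut points so the suspicious ones (e.g. cmd.exe targets) are visible.
$shell = New-Object -ComObject WScript.Shell
$links | ForEach-Object {
    $sc = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk for reading
    [pscustomobject]@{ Shortcut = $_.FullName; Target = $sc.TargetPath; Arguments = $sc.Arguments }
} | Format-Table -AutoSize -Wrap

if ($Delete) {
    # Same effect as "attrib -r -h -s /d /s" then "del /f /s /q /a *.lnk", limited to $root.
    $mask = -bnot [int][IO.FileAttributes]'ReadOnly, Hidden, System'
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        try { $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band $mask) } catch { }
    }
    $links | Remove-Item -Force -Confirm   # asks before each deletion
} else {
    Write-Host "Dry run: $($links.Count) shortcut(s) listed, nothing deleted. Re-run with -Delete."
}
```

USB hard disks can report as fixed disks (DriveType 3), in which case the guard refuses them too.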

Also scroll down to >> SPECIFIC INFECTIONS LOGS and follow MCshield instructions >> https://forum.avast.com/index.php?topic=194892.0

MCShield log must be copied and pasted here … NOT attached, or it will look like Chinese

Malware expert is notified. It may take hours before he is online

Okay thank you very much, just give me a moment
AllScans log, that’s right?

Well, something went wrong: the USB drive is not showing up in the AllScans.txt tab or the LastScan.txt tab, but in “My computer” the USB drive was there, and again all files were shortcuts having the destination folder as cmd (C:\Windows\System32); that’s why I opened the Command Prompt

Here is my MCShield LastScan log



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

22/03/2018 09:41:27 a. m. > Unidad C: - análisis comenzó (OS ~917 GB, NTFS HDD )...

=> El disco está limpio.

Latest AllScans log (AllScans list is too long) and all of them are from February :frowning:

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

11/02/2018 11:13:27 a. m. > Unidad C: - análisis comenzó (OS ~917 GB, NTFS HDD )...

=> El disco está limpio.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

11/02/2018 06:45:42 p. m. > Unidad C: - análisis comenzó (OS ~917 GB, NTFS HDD )...

=> El disco está limpio.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

12/02/2018 10:03:41 a. m. > Unidad C: - análisis comenzó (OS ~917 GB, NTFS HDD )...

=> El disco está limpio.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

12/02/2018 02:19:19 p. m. > Unidad C: - análisis comenzó (OS ~917 GB, NTFS HDD )...

=> El disco está limpio.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

14/02/2018 09:00:54 a. m. > Unidad C: - análisis comenzó (OS ~917 GB, NTFS HDD )...

=> El disco está limpio.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

16/02/2018 07:21:53 a. m. > Unidad C: - análisis comenzó (OS ~917 GB, NTFS HDD )...

=> El disco está limpio.

System is clean :slight_smile:

I don’t see malware in FRST logs. Can you explain “now my computer it’s all a mess”?

Hello ;D

What I did was delete all files with the .lnk extension in the root directory (C:) :'(. All shortcuts are gone; how can I undo these commands?

maybe with FRST? What about with this: LastRegBack…

Please don’t go messing about with FRST commands without instructions. You may end up doing more damage than good - especially when it comes to your Registry.

Edit: Is Windows pirated?

KMS-R@1n is commonly associated with pirated copies of Windows.

yes I understand now the risk of doing things without knowing :cry:
it was original, I don’t know why I used kms

(sorry for my bad english)

The only solution is to manually create shortcuts for the applications you are using or to reinstall them. There is no undo for those commands.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Okay, I’ll be more careful next time ;D :slight_smile:

Thank you very much, just one last question. I’d like to know, could you please explain it to me? The FRST log report includes the following: LastRegBack: 2018-03-22 03:50 (prior to that date I hadn’t done anything yet)

At first I thought this will work, but it’s not really the case.

FRST looks into the system and lists the last registry backup made by the system. The registry backup contains a backup of all the hives. It is different from the LKGC (Last Known Good Configuration) backup of the ControlSet.

There are a number of reasons why you might want to use this backup as a solution to a problem but a common one is where loss or corruption has occurred.

For example, when a program is installed, a new subkey containing settings like a program's location, its version, and how to start the program, are all added to the Windows Registry.

The program's location is exactly what the shortcut is pointing to. The registry itself wouldn’t store a reference to a reference to a program.
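One way to do the manual shortcut re-creation described in this thread, as an added example that is not from any poster: it reads executable paths from the registry's App Paths key (an assumed source; not every program registers there) and writes new .lnk files into a hypothetical `Recovered` Start Menu folder.

```powershell
# Added example: rebuild Start Menu shortcuts from the registry "App Paths" entries.
param([switch]$Create)   # without -Create the script only reports what it would make

$appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
# Hypothetical output folder, chosen for this example so rebuilt shortcuts stay separate.
$outDir   = Join-Path ([Environment]::GetFolderPath('Programs')) 'Recovered'
$shell    = New-Object -ComObject WScript.Shell

$candidates = foreach ($key in Get-ChildItem -Path $appPaths) {
    # The default value of each subkey holds the full path of the executable.
    $exe = $key.GetValue('')
    if (-not $exe) { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
    # Skip entries whose program is no longer on disk.
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    $name = [IO.Path]::GetFileNameWithoutExtension($key.PSChildName)
    [pscustomobject]@{ Name = $name; Target = $exe; Link = Join-Path $outDir "$name.lnk" }
}

# Only report shortcuts that do not already exist in the output folder.
$missing = @($candidates | Where-Object { -not (Test-Path -LiteralPath $_.Link) })
$missing | Format-Table Name, Target -AutoSize

if ($Create -and $missing.Count) {
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    foreach ($m in $missing) {
        $sc = $shell.CreateShortcut($m.Link)       # new .lnk at this path
        $sc.TargetPath       = $m.Target           # the program's location from the registry
        $sc.WorkingDirectory = Split-Path -Parent $m.Target
        $sc.Save()
    }
    Write-Host "Created $($missing.Count) shortcut(s) in $outDir"
}
```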

Hi Michael,

Thank you for your answer, I get it now ;D :slight_smile: :wink:

Regards