Solution for missing start menu shortcuts

[Panama Red]

Some of you may have encountered malware lately that hides the files from view, removes the desktop background and/or removes all the shortcut icons from the start menu. Unhide.exe will expose the hidden files again and a registry change will give your desktop back. Now, I'm happy to say, I found the missing shortcuts. Several threads on the web have discussed this without resolution. Some even concluded that you have to create all the shortcuts yourself or do a repair install of XP. I stumbled upon the solution quite by accident. The Accessories>System Tools folder was empty (except for IE with no addons) so I tried a search, including hidden files, for Disk Cleanup. Low and behold, it was in a folder in Documents & Settings>User name>Local Settings>Temp>smtmp. Inside smtmp I found three numbered folders containing the missing shortcuts. Simply moved them to the User's Start Menu Folder and voila! - All is good again. I don't know if the same folder is used by each rogue malware so you may want to do a Search (include System and Hidden files) for Disk Cleanup or Disk Defragmenter. Then just browse to that file location and see what you find. This sure is easier than creating new shortcuts for each Program or doing a Repair Install!

Edit: As noted in a post I made below, the smtmp folder has a new hiding spot. I have a pc in for repair right now that doesn't have that folder in the Local Settings. Instead, it is in Windows/Temp.

[jdeb]

you sure do bring a lot of value to this forum Panama Red

[Panama Red]

Update: Folder 1 in the hidden tmp folder as noted above should be moved to your Start Menu folder under the user's name. Folder 2 contains the Quick Launch icons such as Show Desktop. Those icons will need to be moved to: C:/Documents and Settings/User name/Application data/Microsoft/Internet Explorer/Quick Launch. I believe Folder 4 is desktop icons but I'm not certain of that.

[Iman74]

Panama,
What about the desktop itself like the chose background for example?

[Panama Red]

Quote:

Originally Posted by Iman74 Panama, What about the desktop itself like the chose background for example?

Running unhide.exe has been clearing that one up. If not, it may take a registry change. Do a search in regedit for "No Desktop". If it shows up, change the number in the data area from 1 to 0 (or visa versa, I'm not positive).

[Iman74]

Yeah, my gut tells me it's the registry like you suggested "NoDesktop". So far haven't found it worked, but maybe next time I will search the registry instead of manually going there. Thanks for the input.


Going to Google unhide.exe but if you haven't already referenced it I would like to know more.

[glc]

Virus Cleaned - All files, folders HIDDEN SYSTEM - SOLVED!

[cvcman]

well im not real good with this stuff, I may have to pay someone to find it. Again I can open powerpoint items but cant find it...And most of the program files sem missing and the ones that are there say empty.....

[duenor]

Thank you for the very useful information. I too stumbled across what the virus had done - it was also by accident. The computer had a whole bunch of files in local settings/temp, so I went to delete them. Noticed some strange ones created recently. But your instructions made it much easier to repair.

Things to note.

Win Sec Essentials was used to perform initial scan/removal after pulling HDD and scanning from secure machine via external enclosure.
Malwarebytes was used to perform flash scan to remove 4 more infected items after HDD was reinstalled into user's laptop.
Malwarebytes was used on full scan to ensure that no particles remained.

Virus behavior notes:
1. The virus does not simply move all of your icons. It moves MOST of them but leaves many behind. When you do ProgramRed's trick (looking for folder "smtmp" in "local settings/temp", "1"=programs/startmenu, "2"=quicklaunch, "3" =desktop), you will get a lot of "file already here, overwrite?" prompts. DO NOT overwrite. say "no" to those and write down the names of those folders. you will have to manually go into the smtp version of that folder and move those icons over to the startmenu, quicklaunch, or desktop folders. I believe he does this expressly to prevent fixes to be easily implemented. took about 10 minutes for me to do.
2. the virus not only hides files, but also adds a read-only tag to them. attempting to use attrib will result in "access denied". Unhide.exe was successful in making things visible, but was less successful in making those folders virus-marked read-only visible. fortunately, only the root directory folders are this way affected. (the ones in c:\). simply highlight everything in your root directory in explorer (make sure "view hidden files and folders" is enabled), and uncheck hidden. I have left them read-only for now because I'm not certain if removing R or S properties from files that should have them will cause any problems.

thank you so much for the users of this forum, and for all of the time and effort put out there to combat this virus designed to rip off the vulnerable.

kevin

[Kilsally]

moving folders 1, 2 and 4 got me back my desktop icons and menu icons but not the actual program shortcuts in the start menu. When I press the start button, Sage Accounts and all the rest are listed but when you go to any of them the sub menu appears and says `empty`. Going to try windows repair install.

[vcvogel]

I moved the folders under the all users Start Menu Folder

[rwest]

Quote:

Originally Posted by glc Virus Cleaned - All files, folders HIDDEN SYSTEM - SOLVED!

GLC, maybe you or any mod can link the threads together? I was thinking of that thread when I saw your post. That things such a bugger, be nice to have all the solutuins in one place huh?

[glc]

There are too many posts in each one all spread out over different dates - if I merge them it will be VERY confusing.

[rjfvillarosa]

Quote:

Originally Posted by rwest GLC, maybe you or any mod can link the threads together? I was thinking of that thread when I saw your post. That things such a bugger, be nice to have all the solutuins in one place huh?

Quote:

Originally Posted by glc There are too many posts in each one all spread out over different dates - if I merge them it will be VERY confusing.

I will have a look at creating a "sticky" thread with a little introduction and links to both threads and any other relevant threads.

[glc]

I think that would be an excellent idea.

[daveyp225]

Hey all, been years since I logged in, but google brought me back

This thread helped a lot. Appreciate it. In Vista, the shortcuts are stored in:

Users\*user*\AppData\Local\Temp\smtmp

Thanks guys.
Dave

[EzyStvy]

The unhide.exe file helped me yesterday

[Panama Red]

Just discovered a new variation for hidding the Program Shortcuts. Instead of using the Temp file under Local Settings, the pc I have here right now has the smtmp file hidden in the Window/Temp folder. I'm going to edit my earlier entry to include this optional hiding spot. Must be the bad guys can read our "fix" threads too.

[fluffman86]

Just stumbled on this thread while trying to remove this virus at work. Unfortunately, one of the first things I do when combating a Fake AV is to boot the computer into TRK and remove any suspicious files in APPDATA, followed by doing a Windows Junk File cleaning that clears out Temp Files, Temporary Internet Files, etc. That totally blasted any backups of shortcuts the virus may have made.

[Nuclear Krusader]

Guess I should stop clearing out the contents of the temp folders when dealing with this infection.

[rbm328]

i too had the malware hit. i ran unhide and it brought my files back into view, but am still not finding my shortcut icons for the start menu. i ran a search for smtmp and disk cleanup, which turned up nothing. any ideas?

[Panama Red]

Did you look in the two folders I mentioned for the smtmp folder? One is in the Windows > Temp folder. The other, in XP, is in Docs & Settings > (your user name) > Local Settings > Temp folder. The Local Settings folder is a hidden folder so you'll have to use the Folder Options in the Control Panel to select Show Hidden Folders.

[Korov]

Hi, many thanks for the fantastic help here, I got rid of this virus and have managed to unhide all my files and get my start menu back.

However, I have not been able to get my desktop back - right clicking on it is still disabled. I could not find a registry key called 'Noviewcontextmenu' or anything similar, even after lots of searching Regedit.

My shortcuts are there when I explore to the Desktop folder, but the desktop itself is blank and can't be clicked on.

Does anyone have any ideas about this?

Thanks again for all the help on this site!

[Panama Red]

See posts 9 & 12 in this thread.

No icons - right-click does nothing.

[Korov]

Solved! Many thanks Panama Red.

[rbm328]

panama red- i had originally given my box to an IT friend, who cleaned the virus' AND (i found out last week) purged all the temp files, thats why i couldn't find the files you mentioned. i sent him this link so hopefully, in the future, he won't jump on the temp purge.

is there any way i can get my start menu links back besides reloading all the software?
thanks

[Panama Red]

Go to the Programs folder and look up the .exe file for each Program. Right click the .exe and send it to a folder on your Desktop temporarily. Once you have all the shortcuts created, move them to the Startup folder under All Users (for XP) or your user name if you're the only one on the pc. Recreating the Windows features shortcuts is similar, you just have to know where the .exe files are located. If you can get another pc with the same operating system, find the shortcuts you want to add in the other pc's start/all programs menu. Right click the shortcut and select Properties. The click the Show Target or Open location button. That will tell you where to look on your computer for the same Windows file locations. Use the same recreation method I outlined for the Programs.

[glc]

Minor clarification:

Quote:

Right click the .exe and send it to a folder on your Desktop temporarily.

Don't send the .exe, select "create shortcut" and send it. I recommend you uncheck "hide extensions for known file types" in your folder options, it makes it easier to find the correct file.

[Panama Red]

Quote:

Originally Posted by glc Minor clarification: Don't send the .exe, select "create shortcut" and send it. I recommend you uncheck "hide extensions for known file types" in your folder options, it makes it easier to find the correct file.

Right you are, G. I meant to send the shortcut to the desktop folder. Brain and fingers weren't working together! (again!!)

[Wildcat]

I have run into the hidden files rootkit a number of times at work and I finally got a procedure down that has the user back up and running in three steps which has taken me about 30 minutes to perform, on average. I added the fourth step for myself (and other geeks).

I do not do anything special prior to getting access to the infected PC (the user has probably already done enough ). So, the scene is I get a call for support and I walk up to the infected PC and perform the following steps:

1 - Run Kaspersky TDSSKiller and eliminate the rootkit that performed the dastardly deed (by hiding the files). Reboot after rootkit has been removed per TDSSKiller on-screen instructions.

2 - Run UnHide to correct the hidden file/folder attributes and return them to normal.

3 - After UnHide completes, I immediately perform a system restore to a day/time previous to the infection. Unless system restore is turned off, I have not had an issue where I wasn't able to restore to a recovery point earlier in the same day the infection struck. After the system reboots from the system restore, technically, the user is back up and operational with all their data visible and the Start Menu and Desktop icons restored and working.

**For those that go above and beyond** - I felt that I must add step 4 because there are those that I have witnessed in the past who would consider the above three steps sufficient to close the support ticket. However, the "Geeks" know that if you have any type of infection on a PC, there is ALWAYS potential for collateral damage and/or further cleanup that will help ensure the system is running at peak performance. Now for those who are under time constraints, then by all means, press on and let the user have their system back. But, if time permits (and since you already have access to/control of the system), perform step 4.

4 - Perform your normal/in-depth PC Health Checkup! I know that was vague, but this step is custom to the individual user. A short list of steps I take as part of my PC Health Checkup is as follows:

a - Run CCleaner to clean out all the temp files/folders it can and yes, I DO run the registry cleaning part of CCleaner. I have never had any kind of failure or problem after cleaning the registry with CCleaner.

b - Run MalwareBytes to check for and remove any other issues that may not have been discovered yet.

c - Run SuperAntiSpyware to check for and remove any other issues that may not have been discovered yet.

d - Run Microsoft's on-line Safety Scanner. This is an in-depth scan and takes quite a bit of time, depending on the number of files on the PC and the system hardware. But, it is another "screen" through which to strain for nasty files.

e - Ensure the AntiVirus or AntiMalware programs the users has installed are all up-to-date.

f - Run Microsoft Update to ensure all Critical, Recommended, and Optional updates are installed. Don't forget to run this several times until there are no more updates to be installed. This is crucial because there will almost always be updates to newly installed updates, especially if optional updates (i.e Microsoft .Net 4.0 Client install) are installed.

g - Run Secunia PSI (Personal Software Inspector). Update all out-of-date software and review any end-of-life programs that may require a paid upgrade. Secunia PSI has an option to run at start-up and you can even set it to monitor and automatically update installed third-party software (i.e. Adobe Flash Player, Apple Quicktime, etc.). Note: If this is an older system or it has 1GB of memory or less, I don't recommend having Secunia PSI run on start-up because it does impact performance on older systems or systems without enough memory.

h - Run Auslogics Registry Cleaner. It does the same as CCleaner's registry cleaner, but just more in-depth. It does not remove or clean-up temp files or folders.

I - Run Auslogics Registry Defrag. This is a trial install, but it suffices for a single use and then I uninstall it.

j - Run CCleaner one more time to clear out the temp files from all the updates that were installed in the steps above and to prepare for my final act.

k - Run Auslogics Disk Defrag Free. I enable some of the settings to ensure it runs in the most efficient manner possible. Note: I have seen fragmentation of hard drives be over 70%, which GREATLY impacts system performance! I configure the schedule on this to run when the PC is idle for 5 minutes. So, whenever the person goes away or makes a phone call and the system is idle for more than 5 minutes, it goes to work ensuring the disk fragmentation is kept as minimal as possible ensuring maximum hard drive read/write performance.

And that is that! That is pretty much the short-and-sweet of it. Like I said, steps 1-3 above have averaged about 30 minutes for my cases. Step 4 can take a day or two, depending on the number of files and system hardware.

Good luck and I hope this helps someone somewhere out there!

Respectfully,
Don