Solution for missing start menu shortcuts

[Panama Red]

Some of you may have encountered malware lately that hides the files from view, removes the desktop background and/or removes all the shortcut icons from the start menu. Unhide.exe will expose the hidden files again and a registry change will give your desktop back. Now, I'm happy to say, I found the missing shortcuts. Several threads on the web have discussed this without resolution. Some even concluded that you have to create all the shortcuts yourself or do a repair install of XP. I stumbled upon the solution quite by accident. The Accessories>System Tools folder was empty (except for IE with no addons) so I tried a search, including hidden files, for Disk Cleanup. Low and behold, it was in a folder in Documents & Settings>User name>Local Settings>Temp>smtmp. Inside smtmp I found three numbered folders containing the missing shortcuts. Simply moved them to the User's Start Menu Folder and voila! - All is good again. I don't know if the same folder is used by each rogue malware so you may want to do a Search (include System and Hidden files) for Disk Cleanup or Disk Defragmenter. Then just browse to that file location and see what you find. This sure is easier than creating new shortcuts for each Program or doing a Repair Install!

Edit: As noted in a post I made below, the smtmp folder has a new hiding spot. I have a pc in for repair right now that doesn't have that folder in the Local Settings. Instead, it is in Windows/Temp.

[jdeb]

you sure do bring a lot of value to this forum Panama Red

[Panama Red]

Update: Folder 1 in the hidden tmp folder as noted above should be moved to your Start Menu folder under the user's name. Folder 2 contains the Quick Launch icons such as Show Desktop. Those icons will need to be moved to: C:/Documents and Settings/User name/Application data/Microsoft/Internet Explorer/Quick Launch. I believe Folder 4 is desktop icons but I'm not certain of that.

[Iman74]

Panama,
What about the desktop itself like the chose background for example?

[Panama Red]

Quote:

Originally Posted by Iman74 Panama, What about the desktop itself like the chose background for example?

Running unhide.exe has been clearing that one up. If not, it may take a registry change. Do a search in regedit for "No Desktop". If it shows up, change the number in the data area from 1 to 0 (or visa versa, I'm not positive).

[Iman74]

Yeah, my gut tells me it's the registry like you suggested "NoDesktop". So far haven't found it worked, but maybe next time I will search the registry instead of manually going there. Thanks for the input.


Going to Google unhide.exe but if you haven't already referenced it I would like to know more.

[glc]

Virus Cleaned - All files, folders HIDDEN SYSTEM - SOLVED!

[cvcman]

well im not real good with this stuff, I may have to pay someone to find it. Again I can open powerpoint items but cant find it...And most of the program files sem missing and the ones that are there say empty.....

[duenor]

Thank you for the very useful information. I too stumbled across what the virus had done - it was also by accident. The computer had a whole bunch of files in local settings/temp, so I went to delete them. Noticed some strange ones created recently. But your instructions made it much easier to repair.

Things to note.

Win Sec Essentials was used to perform initial scan/removal after pulling HDD and scanning from secure machine via external enclosure.
Malwarebytes was used to perform flash scan to remove 4 more infected items after HDD was reinstalled into user's laptop.
Malwarebytes was used on full scan to ensure that no particles remained.

Virus behavior notes:
1. The virus does not simply move all of your icons. It moves MOST of them but leaves many behind. When you do ProgramRed's trick (looking for folder "smtmp" in "local settings/temp", "1"=programs/startmenu, "2"=quicklaunch, "3" =desktop), you will get a lot of "file already here, overwrite?" prompts. DO NOT overwrite. say "no" to those and write down the names of those folders. you will have to manually go into the smtp version of that folder and move those icons over to the startmenu, quicklaunch, or desktop folders. I believe he does this expressly to prevent fixes to be easily implemented. took about 10 minutes for me to do.
2. the virus not only hides files, but also adds a read-only tag to them. attempting to use attrib will result in "access denied". Unhide.exe was successful in making things visible, but was less successful in making those folders virus-marked read-only visible. fortunately, only the root directory folders are this way affected. (the ones in c:\). simply highlight everything in your root directory in explorer (make sure "view hidden files and folders" is enabled), and uncheck hidden. I have left them read-only for now because I'm not certain if removing R or S properties from files that should have them will cause any problems.

thank you so much for the users of this forum, and for all of the time and effort put out there to combat this virus designed to rip off the vulnerable.

kevin

[Kilsally]

moving folders 1, 2 and 4 got me back my desktop icons and menu icons but not the actual program shortcuts in the start menu. When I press the start button, Sage Accounts and all the rest are listed but when you go to any of them the sub menu appears and says `empty`. Going to try windows repair install.

[vcvogel]

I moved the folders under the all users Start Menu Folder

[rwest]

Quote:

Originally Posted by glc Virus Cleaned - All files, folders HIDDEN SYSTEM - SOLVED!

GLC, maybe you or any mod can link the threads together? I was thinking of that thread when I saw your post. That things such a bugger, be nice to have all the solutuins in one place huh?

[glc]

There are too many posts in each one all spread out over different dates - if I merge them it will be VERY confusing.

[rjfvillarosa]

Quote:

Originally Posted by rwest GLC, maybe you or any mod can link the threads together? I was thinking of that thread when I saw your post. That things such a bugger, be nice to have all the solutuins in one place huh?

Quote:

Originally Posted by glc There are too many posts in each one all spread out over different dates - if I merge them it will be VERY confusing.

I will have a look at creating a "sticky" thread with a little introduction and links to both threads and any other relevant threads.

[glc]

I think that would be an excellent idea.

[daveyp225]

Hey all, been years since I logged in, but google brought me back

This thread helped a lot. Appreciate it. In Vista, the shortcuts are stored in:

Users\*user*\AppData\Local\Temp\smtmp

Thanks guys.
Dave

[EzyStvy]

The unhide.exe file helped me yesterday

[Panama Red]

Just discovered a new variation for hidding the Program Shortcuts. Instead of using the Temp file under Local Settings, the pc I have here right now has the smtmp file hidden in the Window/Temp folder. I'm going to edit my earlier entry to include this optional hiding spot. Must be the bad guys can read our "fix" threads too.

[fluffman86]

Just stumbled on this thread while trying to remove this virus at work. Unfortunately, one of the first things I do when combating a Fake AV is to boot the computer into TRK and remove any suspicious files in APPDATA, followed by doing a Windows Junk File cleaning that clears out Temp Files, Temporary Internet Files, etc. That totally blasted any backups of shortcuts the virus may have made.

[Nuclear Krusader]

Guess I should stop clearing out the contents of the temp folders when dealing with this infection.

[rbm328]

i too had the malware hit. i ran unhide and it brought my files back into view, but am still not finding my shortcut icons for the start menu. i ran a search for smtmp and disk cleanup, which turned up nothing. any ideas?

[Panama Red]

Did you look in the two folders I mentioned for the smtmp folder? One is in the Windows > Temp folder. The other, in XP, is in Docs & Settings > (your user name) > Local Settings > Temp folder. The Local Settings folder is a hidden folder so you'll have to use the Folder Options in the Control Panel to select Show Hidden Folders.

[Korov]

Hi, many thanks for the fantastic help here, I got rid of this virus and have managed to unhide all my files and get my start menu back.

However, I have not been able to get my desktop back - right clicking on it is still disabled. I could not find a registry key called 'Noviewcontextmenu' or anything similar, even after lots of searching Regedit.

My shortcuts are there when I explore to the Desktop folder, but the desktop itself is blank and can't be clicked on.

Does anyone have any ideas about this?

Thanks again for all the help on this site!

[Panama Red]

See posts 9 & 12 in this thread.

No icons - right-click does nothing.

[Korov]

Solved! Many thanks Panama Red.

[rbm328]

panama red- i had originally given my box to an IT friend, who cleaned the virus' AND (i found out last week) purged all the temp files, thats why i couldn't find the files you mentioned. i sent him this link so hopefully, in the future, he won't jump on the temp purge.

is there any way i can get my start menu links back besides reloading all the software?
thanks

[Panama Red]

Go to the Programs folder and look up the .exe file for each Program. Right click the .exe and send it to a folder on your Desktop temporarily. Once you have all the shortcuts created, move them to the Startup folder under All Users (for XP) or your user name if you're the only one on the pc. Recreating the Windows features shortcuts is similar, you just have to know where the .exe files are located. If you can get another pc with the same operating system, find the shortcuts you want to add in the other pc's start/all programs menu. Right click the shortcut and select Properties. The click the Show Target or Open location button. That will tell you where to look on your computer for the same Windows file locations. Use the same recreation method I outlined for the Programs.

[glc]

Minor clarification:

Quote:

Right click the .exe and send it to a folder on your Desktop temporarily.

Don't send the .exe, select "create shortcut" and send it. I recommend you uncheck "hide extensions for known file types" in your folder options, it makes it easier to find the correct file.

[Panama Red]

Quote:

Originally Posted by glc Minor clarification: Don't send the .exe, select "create shortcut" and send it. I recommend you uncheck "hide extensions for known file types" in your folder options, it makes it easier to find the correct file.

Right you are, G. I meant to send the shortcut to the desktop folder. Brain and fingers weren't working together! (again!!)