
Windows XP/Vista Recovery rogue - Desktop icons missing - Empty program files

Awarded Editor's Choice
Most PC repair technicians (if not all) start their cleanup process by emptying the temp folders before running any removal tools. It makes sense: temp folders are common places for malware installers to lurk, and removing the junk also cuts down the removal tools' scanning time. Knowing this, malware writers created rogues that move the user's files into that very directory.

So now we have rogue software that moves the user's files into the %temp%\smtmp folder.
If you are infected with this malware, you must NOT empty your temp folders or run CCleaner or any other temp file cleaner until the rogue has been fully removed and everything is back to normal.

So far, the Windows Recovery and Windows Restore rogues are the known culprits, but other variants could do the same thing.
These rogues hide files and move desktop shortcuts and Start Menu program shortcuts into %temp%\smtmp, where they create four subdirectories:

%Temp%\smtmp\1\ => Allusers Start Menu
%Temp%\smtmp\2\ => Allusers Quick Launch
%Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => AllUsers Desktop

If you did not empty your temp folder, you can simply retrieve those files from there, or use restoresm.zip, which restores all the missing shortcuts.
Extract the archive, open the restoresm folder and double-click restoresm.bat to run it.
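If you would rather see exactly what a restore does before trusting a downloaded batch file, the following PowerShell script is an added example (not the article's restoresm.bat, and not from any of the tools mentioned here). It copies the contents of the four smtmp subfolders back to the locations listed above. The All Users Start Menu and Desktop paths come from the WScript.Shell special folders, which resolve correctly on XP, Vista and 7; the Quick Launch and User Pinned\TaskBar paths for subfolders 2 and 3 are assumed from the standard per-user layout under %APPDATA%.

```powershell
# Added example, not the article's restoresm.bat: copy the shortcuts the rogue
# moved into %TEMP%\smtmp\1..4 back to the folders the article lists.
# Destinations for subfolders 2 and 3 are assumed from the standard per-user
# Quick Launch layout (%APPDATA%\Microsoft\Internet Explorer\Quick Launch).
$smtmp = Join-Path $env:TEMP 'smtmp'
if (-not (Test-Path $smtmp)) {
    Write-Warning "$smtmp does not exist; nothing to restore (was the temp folder cleaned?)"
    return
}

$wsh = New-Object -ComObject WScript.Shell
$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'

# smtmp subfolder -> original location, as listed in the article
$map = @{
    '1' = $wsh.SpecialFolders.Item('AllUsersStartMenu')
    '2' = $quickLaunch
    '3' = Join-Path $quickLaunch 'User Pinned\TaskBar'
    '4' = $wsh.SpecialFolders.Item('AllUsersDesktop')
}

foreach ($sub in '1', '2', '3', '4') {
    $src = Join-Path $smtmp $sub
    $dst = $map[$sub]
    if (-not (Test-Path $src)) {
        Write-Host "Skipping $src (not present)"
        continue
    }
    if (-not (Test-Path $dst)) {
        New-Item -ItemType Directory -Path $dst -Force | Out-Null
    }
    # Copy rather than move: smtmp stays intact until the rogue is fully removed,
    # so the restore can be repeated if a later cleanup step goes wrong.
    Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
    Write-Host "Restored $src -> $dst"
}
```

Run it from an elevated PowerShell prompt on Vista or 7, since the All Users folders need administrator rights to write to. Because the script copies instead of moving, the smtmp folder is left alone; delete it yourself only after the infection is gone and the shortcuts are confirmed to be back.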


The Cleanup:

Grinler at BleepingComputer wrote an excellent tutorial on removing this infection; check it out here: http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery
The tools mentioned below also work for most of this family of rogues, not just the ones that hide files.


Tools needed (if you cannot download the tools on the infected PC, use another PC to download them to a USB stick or burn them to a CD):
FixNCR.reg – executables are blocked by the rogue, so run this registry fix first so that programs will launch.
RKill – run this to kill the malware processes (to be sure, use the renamed RKill "iexplore.exe" or another renamed RKill).
RogueKiller – an alternative you can use to kill the malware processes before running MalwareBytes.
MalwareBytes – the scanner that actually removes the infection.
Unhide.exe – use this tool to clear the hidden attribute that the infection sets on files so they disappear from view. The drawback of running unhide.exe is that it unhides ALL files, including Windows system files that are hidden by default.
TDSSKiller – run this tool if Google searches are redirected, as this rogue is often bundled with TDSS rootkits.
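The Unhide.exe drawback above (it clears the hidden attribute on everything, including Windows files that are hidden by design) can be avoided with a narrower script. The following PowerShell is an added example, not the Unhide.exe tool: it only touches files under the user's profile and the Public folder, skips anything that also carries the System attribute, and skips the profile folders that are hidden by design (the AppData, Application Data and Local Settings trees, an assumption you can adjust). It runs in preview mode first so you can review the list before any attribute is changed.

```powershell
# Added example, not the Unhide.exe tool from the article: clear the Hidden
# attribute only where the rogue is likely to have set it, and leave OS-managed
# files (those that also carry the System attribute) with their defaults.
# Set $Preview to $false once the printed list looks right.
$Preview = $true

# Scope: the current profile and, on Vista/7, the Public profile ($env:PUBLIC
# does not exist on XP, so it is filtered out there).
$roots = @($env:USERPROFILE, $env:PUBLIC) | Where-Object { $_ -and (Test-Path $_) }

# Profile folders that are hidden by design; assumed safe to skip (adjust as needed).
$skip = '\\(AppData|Application Data|Local Settings)(\\|$)'

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
$count  = 0

foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $hidden) -ne 0) -and
            (($_.Attributes -band $system) -eq 0) -and
            ($_.FullName -notmatch $skip)
        } |
        ForEach-Object {
            $count++
            if ($Preview) {
                Write-Host "Would unhide: $($_.FullName)"
            } else {
                # Toggle only the Hidden bit; every other attribute is preserved.
                $_.Attributes = $_.Attributes -bxor $hidden
                Write-Host "Unhidden:     $($_.FullName)"
            }
        }
}

Write-Host "$count item(s) matched under: $($roots -join ', ')"
```

If the preview shows files you expect to stay hidden, add their folder to the $skip pattern rather than widening the scope; the point of the script is to undo what the rogue did without resetting attributes Windows itself relies on.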


NOTE: Do NOT reboot after running RKill or RogueKiller, otherwise the malware processes will start up again. Straight after killing the malware processes, immediately run MalwareBytes to remove the infection.


If file associations are broken after the infection has been removed, you can use these fixes:
Dougknox XP .exe file association fix.
Vista – File association fixes.
Windows 7 file association fixes


*** UPDATE ***

Instead of running all the above-mentioned tools (with the exception of MalwareBytes and TDSSKiller), you could also just run "TheKiller".

Download TheKiller by maliprog
http://maliprog.geekstogo.com/explorer.exe

Note that "TheKiller" is renamed to explorer.exe.
Double-click it (if running Vista or Windows 7, right-click it and select "Run as administrator").
Press OK when the program has finished.
Do not restart your system after this step. Then run the other tools such as MalwareBytes, TDSSKiller or ComboFix.

NOTE: If the malware blocks TheKiller from running, simply try to run it again.



So you used CCleaner and the %temp%\smtmp folder is gone, what now?
If the temp folder has been cleaned and the shortcuts are gone, all is not lost: you can recover the default shortcuts using Ramesh Srinivasan's fixes, or restore them all manually using Noviciate's repair.zip (scroll down to post #30).

* To Restore Accessories Program Files Menu
Download accrestore.zip, unzip it, double-click AccRestore.exe to run it and click the "Restore" button.

* To Restore Admin Tools Program Files Menu
Download admintools.zip, unzip it and double-click the "Restore Administrative Tools items" button.

* To Restore each program shortcut, Noviciate's repair.zip works. When run, the extracted repair.vbs produces the needed shortcut links, which you can then cut and paste into your Start Menu folder.

* In Windows 7 - How to restore missing startmenu default shortcuts
http://www.sevenforums.com/tutorials/135246-start-menu-all-programs-windows-7-restore-default-shortcuts.html

* In Vista - How to restore missing startmenu default shortcuts
http://www.vistax64.com/tutorials/159034-start-menu-restore-missing-default-shortcuts.html

For XP, tutorial images of the above are at the link below.
http://www.geekstogo.com/forum/topic/302235-all-icons-and-programs-gone/page__p__2022670#entry2022670


If you need assistance removing this infection, post a question in the Virus & Spyware zone or post a comment here and I will try to help if I can.

Hope you find this article helpful.