Windows XP/Vista Recovery rogue - Desktop icons missing - Empty program files

Most PC repair technicians (if not all) start their cleanup process by emptying the temp folders before running any removal tools. That makes sense: temp folders are common places for malware installers to lurk, and clearing out the junk also cuts down the removal tools' scanning time. Knowing this, malware writers created rogues that move the user's files into that very directory.

So now we have rogue software that moves the user's files to the %temp%\smtmp folder.
If you are infected with this malware, you must NOT empty your temp folders or run CCleaner or any other temp file cleaner until you have fully removed the rogue and everything is back to normal.

So far, the Windows Recovery and Windows Restore rogues are the culprits, but there could be other variants that do the same thing.
These rogues hide files and move the desktop shortcuts and the Programs start menu shortcuts into the %temp%\smtmp folder, where they create four subdirectories:

%Temp%\smtmp\1\ => Allusers Start Menu
%Temp%\smtmp\2\ => Allusers Quick Launch
%Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => AllUsers Desktop

If you did not empty your temp folder, you can simply retrieve those files from there, or use restoresm.zip, which restores all the missing shortcuts.
Extract the file, open the restoresm folder and double-click restoresm.bat to run it.
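The same restoration as a PowerShell script, added here as an example and not taken from restoresm.zip. It assumes the four-subfolder layout listed above, PowerShell 2.0 or later, and that it runs in the affected user's session; the All Users paths for Vista/7 and XP are assumed from their standard environment variables.

```powershell
# Added example, not the article's restoresm.bat: copy the shortcuts the rogue
# moved into %temp%\smtmp back to the locations listed above (the 1..4 layout).
# Run it in the affected user's session; -WhatIf previews the copies.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Smtmp = (Join-Path $env:TEMP 'smtmp')
)
# Vista/7 define %ProgramData% and %PUBLIC%; XP does not, so fall back to the
# All Users profile locations used there (assumed standard paths).
if ($env:ProgramData) {
    $allUsersStartMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    $allUsersDesktop   = Join-Path $env:PUBLIC 'Desktop'
} else {
    $allUsersStartMenu = Join-Path $env:ALLUSERSPROFILE 'Start Menu'
    $allUsersDesktop   = Join-Path $env:ALLUSERSPROFILE 'Desktop'
}
$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'

# smtmp subfolder number -> original location, as in the article's list.
$map = @{
    '1' = $allUsersStartMenu
    '2' = $quickLaunch
    '3' = (Join-Path $quickLaunch 'User Pinned\TaskBar')
    '4' = $allUsersDesktop
}

if (-not (Test-Path -LiteralPath $Smtmp)) {
    Write-Warning "$Smtmp not found; a temp cleaner may already have removed it."
    return
}
foreach ($key in '1', '2', '3', '4') {
    $src = Join-Path $Smtmp $key
    if (-not (Test-Path -LiteralPath $src)) { continue }
    $src  = (Get-Item -LiteralPath $src -Force).FullName   # same form as the child FullNames
    $dest = $map[$key]
    # Copy rather than move, so smtmp stays as a backup until you have confirmed
    # the shortcuts are back; delete it yourself afterwards.
    $files = Get-ChildItem -LiteralPath $src -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    foreach ($item in $files) {
        $relative = $item.FullName.Substring($src.Length).TrimStart('\')
        $target   = Join-Path $dest $relative
        if ($PSCmdlet.ShouldProcess($target, "Copy from $($item.FullName)")) {
            $parent = Split-Path -Path $target -Parent
            if (-not (Test-Path -LiteralPath $parent)) { New-Item -ItemType Directory -Path $parent -Force | Out-Null }
            Copy-Item -LiteralPath $item.FullName -Destination $target -Force
        }
    }
    Write-Host "smtmp\$key -> $dest"
}
```

Run it first with -WhatIf to see what would be copied where; subfolder 3 only applies on Windows 7, and it is skipped when absent.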


The Cleanup:

Grinler at BleepingComputer wrote an excellent tutorial for the removal of this infection; check it out here: http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery
The tools mentioned below also work for most of this family of rogues, not just for the ones that hide files.


Tools needed (if you are unable to download the tools, use another PC to download them onto a USB stick or burn them to a CD):
FixNCR.reg – executables are blocked by the infection, so run this registry fix first so that programs will launch.
RKill – run this to kill the malware processes (to be sure, use the renamed RKill "iexplore.exe" or another renamed copy of RKill).
RogueKiller – another alternative you can use to kill the malware processes before running MalwareBytes.
MalwareBytes – the scanner that removes the infection.
Unhide.exe – use this tool to clear the hidden attribute, as this infection hides files on your computer so they cannot be seen. The drawback of running unhide.exe is that it unhides ALL files, even Windows system files that are hidden by default.
TDSSKiller – run this tool if Google searches are redirected, as this rogue is often bundled with TDSS rootkits.
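A more targeted alternative to unhiding everything, added here as an example and not the Unhide.exe linked above: it clears the Hidden attribute only beneath the profile and Program Files trees and leaves items that also carry the System attribute alone, which is where Windows keeps its own default-hidden files. It assumes the rogue sets only the Hidden attribute and that the default roots are the standard ones; adjust the -Roots parameter for other locations.

```powershell
# Added example, not the Unhide.exe the article refers to: clear the Hidden
# attribute only beneath the given roots and skip anything that also carries the
# System attribute, so Windows' own default-hidden items (desktop.ini,
# NTUSER.DAT, ...) keep theirs. Assumes the rogue set Hidden only; -WhatIf previews.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # %PUBLIC% only exists on Vista/7, so empty entries are dropped.
    [string[]]$Roots = (@($env:USERPROFILE, $env:ALLUSERSPROFILE, $env:PUBLIC,
                          $env:ProgramFiles) | Where-Object { $_ })
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
$cleared = 0
$skippedSystem = 0

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force is required: without it Get-ChildItem returns no hidden items at all.
    $items = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        if (($item.Attributes -band $hidden) -eq 0) { continue }
        if (($item.Attributes -band $system) -ne 0) { $skippedSystem++; continue }
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
            try {
                # Hidden is known to be set here, so XOR clears exactly that bit.
                $item.Attributes = $item.Attributes -bxor $hidden
                $cleared++
            } catch {
                Write-Warning "Could not change $($item.FullName): $_"
            }
        }
    }
}

"Cleared Hidden on $cleared item(s); left $skippedSystem System+Hidden item(s) untouched."
```

If files remain hidden afterwards, the variant you have may set the System attribute as well, in which case a full unhide such as Unhide.exe is still the fallback.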


NOTE: Do NOT reboot after running RKill or RogueKiller, otherwise the malware processes will start up again. Straight after killing the malware processes, immediately run MalwareBytes to remove the infection.


If file associations are broken after the removal of the infection, you can use these fixes:
Dougknox XP .exe file association fix.
Vista – File association fixes.
Windows 7 file association fixes


*** UPDATE ***

Instead of running all of the above-mentioned tools (with the exception of MalwareBytes and TDSSKiller), you could also just run "TheKiller".

Download TheKiller by maliprog
http://maliprog.geekstogo.com/explorer.exe

Note that "TheKiller" is renamed to explorer.exe.
Double-click on it (if running Vista or Windows 7, right-click on it and select "Run as Administrator").
Press OK when the program has finished.
Do not restart your system after this step. Then run the other tools such as MalwareBytes, TDSSKiller or ComboFix.

NOTE: If the malware blocks TheKiller from running, try running it again.



So you used CCleaner and the %temp%\smtmp folder is gone. What now?
If the temp folder has been cleaned and the shortcuts are gone, all is not lost: you can recover the default shortcuts using Ramesh Srinivasan's fixes, or manually restore them all using Noviciate's repair.zip (scroll down to post #30).

* To restore the Accessories Program Files menu
Download accrestore.zip, unzip it, double-click AccRestore.exe to run it and click the "Restore" button.

* To restore the Admin Tools Program Files menu
Download admintools.zip, unzip it and double-click the "Restore Administrative Tools items" button.

* To restore each program shortcut, Noviciate's repair.zip works. When run, the extracted repair.vbs produces the needed shortcut links, which you can then cut and paste into your start menu folder.

* In Windows 7 - how to restore missing start menu default shortcuts
http://www.sevenforums.com/tutorials/135246-start-menu-all-programs-windows-7-restore-default-shortcuts.html

* In Vista - how to restore missing start menu default shortcuts
http://www.vistax64.com/tutorials/159034-start-menu-restore-missing-default-shortcuts.html

For XP tutorial images of the above, go to the link below.
http://www.geekstogo.com/forum/topic/302235-all-icons-and-programs-gone/page__p__2022670#entry2022670


If you need assistance removing this infection, post a question in the Virus & Spyware zone or post a comment here and I will try to help if I can.

Hope you find this article helpful.
32 Comments
 
LVL 38

Expert Comment

by:younghv
This is excellent work.
We must have 10-15 questions a day that this will help solve.
Very timely.
(Yes vote above)
0
 
LVL 47

Author Comment

by:rpggamergirl
Thanks for the Yes vote, :)
0
 
LVL 31

Expert Comment

by:James Murrell
Great, this will help me a lot with family computers
0
 

Expert Comment

by:Jsmply
RPG is always unbelievably helpful.  This is just another example of what an asset she is to EE!
0
 
LVL 47

Author Comment

by:rpggamergirl
cs97jjm3,
Thanks for the Yes vote and for your feedback.

Jsmply,
Thanks for voting Yes and for the kind words, much appreciated, :)
0
 

Expert Comment

by:Jsmply
You're very welcome.  I've said many times, being able to access your articles and contact you for tricky malware issues is worth the EE subscription/membership price alone.
0
 
LVL 47

Author Comment

by:rpggamergirl
Reading your comments really makes my day! thanks again.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
Great article rpggamergirl, however I have few question for you if you may answer them. I have seen few users complaining about the IE Favorites also gone after the infection. Is there any fix for it yet?

Further there was an instance where user has reported that using System Restore has fixed his issue with missing Start Menu shortcuts. Is this still a concrete solution to the problem?

Thanks .......!!!!!!!!

Again ......... great article....

You got my vote.

Sudeep
0
 
LVL 47

Author Comment

by:rpggamergirl
SSharma,

The unhide.exe should've taken care of the hidden favorites folder, if unhide.exe was already run and IE favorites are still showing empty then maybe the folder also has been moved. If the contents of the favorite folder exist yet not showing in IE then it's just the reg values that need to be restored to point back to that folder. I can post a reg file if needed.

"Further there was an instance where user has reported that using System Restore has fixed his issue with missing Start Menu shortcuts. Is this still a concrete solution to the problem?"

Definitely not to my knowledge... I have seen reports where System Restore failed in restoring the missing shortcuts... I participated on a thread where System Restore supposedly had restored them. But one success out of many failed attempts doesn't really mean much. That one time could've been just a fluke. Let me know if you see reports where System Restore was successful in restoring those shortcuts.

Thanks for your comment and the Yes vote.

0
 
LVL 30

Expert Comment

by:Sudeep Sharma
>>>>if unhide.exe was already run and IE favorites are still showing empty then maybe the folder also has been moved

Do we know if the Favorites have also been moved to %temp%/smtmp under some subfolder, just like the Allusers Start Menu and Allusers Desktop?

Thanks for answering
0
 
LVL 47

Author Comment

by:rpggamergirl
So far, I haven't heard of the favorites shortcuts being moved to temp\smtmp subfolder. Just the reg value pointing somewhere instead of the favorites folder. There was also a case of an smtmp folder created somewhere else C:\temp\smtmp
0
 
LVL 23

Expert Comment

by:Brian Gee
Excellent and very thorough. This is indeed an excellent article and resource, rpggamergirl.
0
 
LVL 1

Expert Comment

by:Tigzy
Hello

Notice that RogueKiller will remove the rogue's registry keys (mode 2) and restore the files from smtmp folder plus hidden files (mode 6)

This is important cause with one tool, you get back full access to your computer for safe cleaning with AM software (MBAM)
0
 
LVL 47

Author Comment

by:rpggamergirl
Thanks yobri, :)

Hi Tigzy,

Thanks for your input, much appreciated. Thanks again for the RogueKiller tool.
Does RogueKiller remove hidden flags on all files in the system even files with default hidden attributes like unhide.exe does?

It seems some variant of this rogue also modifies the value of "Favorites" in Current User.....\Shell folder so it no longer points to the favorites folder. I'm just wondering if RogueKiller takes care of that too since unhide.exe doesn't seem to do it.
Thanks!
0
 
LVL 1

Expert Comment

by:Tigzy
Does RogueKiller remove hidden flags on all files in the system even files with default hidden attributes like unhide.exe does?

Yes it does.
I speak sometimes with grinler via MBAM forums, so our tools take care about the same things basically.

Never heard about the favorites key...
However, the favorites folder (in the personal folder) is hidden by the rogue too, are you sure this is not the problem?
0
 
LVL 1

Expert Comment

by:Tigzy
I add we are not able to make the difference between the files hidden by the rogue and the ones previously hidden by the system. So all are treated equally.

If you want to hide some with the "system" attribute, the user can use my tool:
http://tigzy.geekstogo.com/Tools/forceHide.exe

0
 
LVL 47

Author Comment

by:rpggamergirl
Tigzy,

The tool sounds good but when I run it I get this "The application failed to initialize properly" error.
0
 
LVL 1

Expert Comment

by:Tigzy
I forgot to say you need to have the .net framework 3.5 at least. Usually users have it, but I understand It could not be the case on a vm :)
0
 
LVL 47

Author Comment

by:rpggamergirl
Hi Tigzy,

I downloaded .net framework 3.5.
Dropped folder into the Forcehide window and yes it will check and uncheck the hidden attribute of the folder but it doesn't actually hide it. I can still see it even though explorer.exe is set not to show hidden files and folders.
Did I do it correctly?
Thanks.
0
 
LVL 1

Expert Comment

by:Tigzy
Yes, that's all...
Is the display of hidden files activated?

May you try F5 on the desktop?
0
 
LVL 47

Author Comment

by:rpggamergirl
Hi Tigzy,

Sorry for much delayed reply.

"Is the display of hidden files activated?"

If you mean explorer is set to display hidden files and folders then yes it is. In the folder properties, the hidden attribute is also unchecked.

However, the Forcehide tool works on files; it's only on folders and sub-folders that it doesn't, even though it still checks or unchecks the system and hidden attributes. What I mean is, there's no effect on folders, only on files.
0
 
LVL 1

Expert Comment

by:Tigzy
Yes, if you select a folder, only the folder itself will be affected.
but I can improve my tool to affect subfolders and files recursively...
0
 
LVL 47

Author Comment

by:rpggamergirl
That would be great!
0
 
LVL 58

Expert Comment

by:tigermatt
Voted yes. Thanks, rpg!
0
 
LVL 47

Author Comment

by:rpggamergirl
Thanks Matt! :)
0
 
LVL 18

Expert Comment

by:Ravi Agrawal
Brilliant, as always. Cast my Yes vote.

Ravi.
0
 

Expert Comment

by:jburgess_isit
I did all of this, and my folders are still empty.  In all programs, the folders are there, but the contents inside of the folders are gone.  I did not delete any temp files.
0
 
LVL 38

Expert Comment

by:younghv
jburgess_isit,
Please post your comment back in your original question (http://www.experts-exchange.com/Q_27554941.html) and I will continue to try to help you.

I posted a reference to this article only about 8 minutes ago, but if you have already run all of the programs recommended, be sure to post all of the log files that were generated.
0
 
LVL 32

Expert Comment

by:willcomp
@rpg and tigzy -- enjoyed the discussion. Have been using RogueKiller since Vic recommended it some time back and much prefer it to RKill.

Yes vote for rpg.
0
 
LVL 47

Author Comment

by:rpggamergirl
jburgess_isit,

It's okay to post here since it is a relevant topic, and it keeps this thread active.
Even though you didn't delete your temp files yourself doesn't mean those smtmp folders weren't deleted. Most cleanup/virus scanners these days will empty the temp folders but only selected scanners are updated to check for smtmp folders.

So in your case those smtmp folders that stored the shortcuts were gone and recreating the shortcuts was needed.

At willcomp - RogueKiller is great, there's also another great tool, "TheKiller", which has features that RogueKiller doesn't have, :)
It's good to have selection of tools.

Thanks for the yes vote, :)
0
 
LVL 32

Expert Comment

by:willcomp
@rpg -- I've seen where you recommended TheKiller in other posts. Will download and give it a try. Thanks.
0
 
LVL 47

Author Comment

by:rpggamergirl
TheKiller is also a pre-cleanup tool like RogueKiller that stops malicious and non-essential running processes, and is perfect for rogues like this one that hide files and move shortcuts to the smtmp folder, among its other features.
0
