Author Topic: Start menu fix after rogue antivirus  (Read 8752 times)


Offline viper33802

  • Newbie
  • *
  • Join Date: Dec 2011
  • Posts: 6
  • Karma: 0
    • View Profile
Start menu fix after rogue antivirus
« on: December 29, 2011, 10:35:48 AM »
Hello, I have been dealing with these rogue antiviruses for a while. I am sure everyone is familiar with them. They hide all files on the HDD and remove (actually move) all of the start menu shortcuts. The AIO utility already includes a feature to restore all the hidden non-system files. I think it would be a great add-on to also write a script to repair the start menu after this virus. I cannot find one anywhere.

Here is the info on where the viruses move the start menu shortcuts.
http://www.pchell.com/support/unhidefiles.shtml

Offline Shane

  • Top Geek, err uh Dog.
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9274
  • Location: USA
  • Karma: 135
  • "Knowledge should be shared not hidden."
    • View Profile
    • Tweaking.com
Re: Start menu fix after rogue antivirus
« Reply #1 on: December 29, 2011, 11:24:22 AM »
I clean this virus up a lot on my customers' machines.

It makes a folder in the temp dir called s something (I can't remember off the top of my head!), and in that folder are 3 more folders labeled 1, 2 and 3; sometimes there is a 4.

This is where your start menu shortcuts, quick launch and desktop items were moved to by the virus.

From there it is just a matter of copying them back. Just make sure not to clear your temp files before you do!

Making a fix for just copying those folders back wouldn't be too hard.

I will have to wait till I get another system with that infection so I can verify the folders :wink:

Shane
PLEASE EDIT YOUR TOPIC AND PUT (SOLVED) IF YOU ARE ALL FIXED.

(My weekends belong to my wife and kids, I will try my best to answer all posts daily during the work week)

(About Shane)
Site Owner, Top Admin, Lead Programmer, Wife & 5 kids, Needs a lot more coffee.

When people ask "Why fix what isn't broken?" I reply "To make it better."
"Only a life lived for others is a life worthwhile"
Honor & Respect is all that matters.

Owner & Programmer of: www.pcwintech.com & www.tweaking.com

Offline viper33802

Re: Start menu fix after rogue antivirus
« Reply #2 on: January 13, 2012, 08:34:34 AM »
I had three of these today at work. Just to follow up, were you going to write a script to automate the start menu cleanup? It would be great if you could. Thanks again.

Offline Shane

Re: Start menu fix after rogue antivirus
« Reply #3 on: January 13, 2012, 10:30:52 AM »
Do you remember if the folder in the temp dir was called smtemp?

I am waiting to get another machine infected with this so I can make the repair for it. :wink:

Shane

Offline viper33802

Re: Start menu fix after rogue antivirus
« Reply #4 on: January 14, 2012, 12:17:12 PM »
Close, the folder name is SMTMP.

Offline Shane

Re: Start menu fix after rogue antivirus
« Reply #5 on: January 14, 2012, 12:19:09 PM »
That's right, then under it, it had folders named 1, 2, 3 and I think 4.

I just need to know which folder was holding which icons and I can make a quick repair for it :-)

Shane

Offline viper33802

Re: Start menu fix after rogue antivirus
« Reply #6 on: January 16, 2012, 06:51:57 AM »
SMTMP folder
XP - C:\Documents and Settings\(Your Username)\Local Settings\Temp\SMTMP
Vista/7 - C:\Users\(Your Username)\AppData\Local\Temp\SMTMP

Folder 1 contains the All Users Start Menu shortcuts
XP - C:\Documents and Settings\All Users\Start Menu
Vista/7 - C:\Program Data\Microsoft\Windows\Start Menu

Folder 2 contains the Quick Launch shortcuts
XP - C:\Documents and Settings\(Your Username)\Application Data\Microsoft\Internet Explorer\Quick Launch
Vista/7 - C:\Users\(Your Username)\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Folder 3 contains Windows 7 Taskbar icons (not needed in Windows XP)
XP - N/A
Vista/7 - C:\Users\(Your Username)\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Folder 4 does have Desktop icons
XP - C:\Documents and Settings\All Users\Desktop
Vista/7 - C:\Users\Public\Public Desktop
« Last Edit: January 16, 2012, 06:55:27 AM by viper33802 »
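
The folder mapping in the post above, written out as a restore script. This is an added example, not part of the thread and not the code of the Tweaking.com repair; the function name `Restore-SmtmpShortcuts` is hypothetical, and it assumes an elevated PowerShell session running as the affected user. It asks the shell for the All Users locations instead of hard-coding the listed paths, and it reports a missing SMTMP folder instead of failing silently.

```powershell
# Added example: copy shortcuts back out of %TEMP%\SMTMP (function name is hypothetical).
# Folder numbers and destinations follow the mapping listed in the post above.
function Restore-SmtmpShortcuts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: run as the affected user, so %TEMP% and %APPDATA% are theirs.
        [string]$SmtmpPath = (Join-Path $env:TEMP 'SMTMP')
    )

    if (-not (Test-Path -LiteralPath $SmtmpPath -PathType Container)) {
        Write-Warning "No SMTMP folder at '$SmtmpPath'; temp files may already have been cleared."
        return
    }

    # Ask the shell for the real locations so one mapping covers XP and Vista/7.
    $shell = New-Object -ComObject WScript.Shell
    $quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    $targets = @{
        '1' = $shell.SpecialFolders.Item('AllUsersStartMenu')   # All Users Start Menu
        '2' = $quickLaunch                                      # Quick Launch
        '3' = (Join-Path $quickLaunch 'User Pinned\TaskBar')    # Windows 7 taskbar pins
        '4' = $shell.SpecialFolders.Item('AllUsersDesktop')     # All Users / Public desktop
    }

    foreach ($n in ($targets.Keys | Sort-Object)) {
        $src  = Join-Path $SmtmpPath $n
        $dest = $targets[$n]
        if (-not (Test-Path -LiteralPath $src -PathType Container)) { continue }  # e.g. no 3 on XP

        # -Force makes hidden items visible; the infection also hides files.
        $files = @(Get-ChildItem -LiteralPath $src -Recurse -Force |
                   Where-Object { -not $_.PSIsContainer })

        if ($PSCmdlet.ShouldProcess($dest, "Copy $($files.Count) file(s) from $src")) {
            if (-not (Test-Path -LiteralPath $dest)) {
                New-Item -ItemType Directory -Path $dest -Force | Out-Null
            }
            # Copy, never move or delete: SMTMP stays intact if a copy fails.
            Get-ChildItem -LiteralPath $src -Force |
                Copy-Item -Destination $dest -Recurse -Force
        }
        New-Object PSObject -Property @{ Folder = $n; Files = $files.Count; Destination = $dest }
    }
}

# Dry run first: lists what would be copied without touching anything.
Restore-SmtmpShortcuts -WhatIf
```

Run it before any temp-file cleanup, and drop `-WhatIf` once the listed destinations look right.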

Offline Shane

Re: Start menu fix after rogue antivirus
« Reply #7 on: January 16, 2012, 10:47:43 AM »
Perfect :-)

Let me see what I can throw together. :wink:

Shane

Offline Shane

Re: Start menu fix after rogue antivirus
« Reply #8 on: January 18, 2012, 04:48:27 PM »
Ok I got the new repair added to the windows repair.

I just need it tested first :-)

You up for trying it out for me with an infected system? It should copy all the folders and icons back correctly.

Once we confirm it works I will put out the new version and the standalone for the repair like the others as well :wink:

Shane
« Last Edit: January 18, 2012, 04:58:27 PM by Shane »

Offline viper33802

Re: Start menu fix after rogue antivirus
« Reply #9 on: January 19, 2012, 05:14:27 AM »
Thanks! Hopefully I will have one of those today when I get to work. I will let you know as soon as I have an opportunity to test it. I will post my results & the OSes I have tested on.

Thanks again
-Viper

Offline Shane

Re: Start menu fix after rogue antivirus
« Reply #10 on: January 19, 2012, 10:25:38 AM »
Great, let me know :-)

Shane

Offline Shane

Re: Start menu fix after rogue antivirus
« Reply #11 on: January 21, 2012, 04:40:39 PM »
I am hoping to put this update out on Sunday. Any luck with it?

Shane

Offline viper33802

Re: Start menu fix after rogue antivirus
« Reply #12 on: January 21, 2012, 04:51:25 PM »
Unfortunately I have not had any over the last two days... well, I take that back. On Friday, after I ran through my normal run of scanning with antiviruses while booting into a PE environment, I had an XP system with a nerved start menu and all hidden files. I ran both unhide non system files & the beta start menu fix. I noticed that start menu fix ran then unhide system files. Should the order of this matter? Anyway, after the reboot the start menu was still nerved. I then looked for the SMTMP folder and it was not there. Here are my thoughts:

1) the virus moved the items to a different folder which I could not find (which I doubt)
2) I deleted temp files and didn't remember it (who knows, it happens)
3) possibly your script tried to move them without success and deleted the original folders once it was done (does your script delete the original SMTMP folder after replacement?)

Offline Shane

Re: Start menu fix after rogue antivirus
« Reply #13 on: January 21, 2012, 05:51:35 PM »
The new repair doesn't remove anything. And I made sure to put it above the empty temp files one as well.

I tested it on XP. What Windows did you run it on?

I will make and move the start menu items on my win 7 like I did xp and see if it works :-)

Shane