Home > Windows > Windows XP restore Virus/Malware Start menu shortcuts

Windows XP restore Virus/Malware Start menu shortcuts

Recently we have been getting a few copy’s of the “Windows XP Restore” virus going around.  This one is a nasty bit of kit.  It changes all your files on C:\ to hidden and throws in a bunch of popup crap.  I have been using malwarebytes anti-malware to get rid of the bugger but this virus leaves a parting gift of a hours worth of cleanup for the user profile.  So far my process has been to rename the users profile folder under c:\documents and settings.  I just rename the user folder to user.old.  Then I log in as the user which creates a new profile.  I then migrate the data back over manually.

Another pain in the ass with this virus is start menu shortcuts.  Even after un-hiding the “All Users” start menu and the profile start menu all the shortcuts were still missing,  So I went on the hunt and found that the virus moves them to C:\Documents and Settings\user\Local Settings\Temp\smtmp\1.  It also seems to have moved quick launch to C:\Documents and Settings\user\Local Settings\Temp\smtmp\2.

NOTE: Recover these files before you run your AV software as they have started removing the files as part of the virus.

Hope this little bit of info helps!

Advertisements
  1. Richard
    June 9, 2011 at 5:50 pm

    Thank you very much! My experience was *identical*. Only I couldn’t find the ‘All Users’ start menu shortcuts.. Your post saved me a lot of time (and annoyance)!

    I just do not understand these virus writing idiots; So I spent an entire evening cleaning this mess up (on another persons computer); for what? Who gains anything with these nonsense?

    Anyway, big thanks for your detective work!

    Richard

  2. Patricia
    June 11, 2011 at 2:15 pm

    I am battling this right now. I was able to download Superantispware which picked up a number of trojans. It wouldn’t let me download Malwarebytes (both were already installed, just can’t get to it). After rebooting even in safe mode, I still can’t access anything on my C drive to even get to these paths. I tried searching for files and programs -nothing. The only way I can get to the internet is to go to Control panel -Security Center and then look for updates which get me to the net.

    Any ideas on what to do if you can’t get to these shortcuts to find your programs?

    • anigan
      June 13, 2011 at 11:29 am

      This virus basically hides all files on your computer. If you change your windows explorer settings to show hidden files you should be able to access your files. to restore them not using MBAM or Combofix you need to right click on the file/folder and uncheck hidden. Some files will not allow this change so a bulk change wont work.

    • b/
      July 1, 2011 at 8:31 pm

      mbam will install in safe mode. i just did it like 20 min ago….lol

  3. craig luciano
    June 13, 2011 at 2:11 am

    awesome thanks, that helped me a ton.

  4. Tom Wilson
    June 13, 2011 at 3:52 pm

    Nice write up. I’m deaaling with the same virus, except it I haven’t been able to find where it hid the start menu shortcuts. The folders you listed don’t exist on the PC I’m cleaning up.

    • anigan
      June 13, 2011 at 3:57 pm

      I ran across that on a few PCs as well. Seems some AV programs remove those folders. if you do a quick recuva scan of the users local settings directory the shortcuts will show up.

  5. thankyou anigan
    June 14, 2011 at 10:52 am

    brillant, i found the same on a mcahine i was working on.

    well spotted

    i think there error came from windows xp restore, but of course its not the real one

  6. justin
    June 15, 2011 at 9:00 pm

    I’m dealing with this problem on my mother’s computer … what a nightmare! I restored the start menu program folders, but they’re all “Empty”! Any thoughts on how to restore the actual shortcuts?

    • anigan
      June 17, 2011 at 8:10 am

      The shortcuts are probally still hidden. you need to set your folder options to show hidden files/folders then right click on all the application folders and click on properties. uncheck hidden and press okay. There will be a dialog box that pops up. select to perform the action on all folders and subfolders.

  7. June 15, 2011 at 10:52 pm

    Thanks!! I also found that it disabled right click on the desktop. Here is how to fix that

    http://ag-technofreak.blogspot.com/2010/06/disable-right-click-functionality-on.html

    It also locks the wallpaper. To change that just search for NoChangingWallpaper in the reg and give it a 0.

    • anigan
      June 17, 2011 at 8:11 am

      Neat tip! I have just been logging in as the local admin account then renaming their profile folder to username.old. then when I log on as the user again they get a nice clean new profile and I just have to migrate the data.

  8. squeek
    June 17, 2011 at 9:34 am

    i have IObit security software, and last night a pop up said hey there is a new update, so i went to the update link adn it said everything has changed to this and that i needed to dl that. i chose not to. now this morning when i turned it on, windows pops up saying that my ram is at a critical usage, and there is a problem with my hard drive, giving me 11 critcal warnings and that i need to fix right now. is that part of the virus?

    • anigan
      June 17, 2011 at 9:39 am

      That would be the virus yes.

  9. Eddie
    June 18, 2011 at 12:11 am

    The “Windows-XP-Restore” virus …

    Don’t worry, don’t freak out, your computer and files are okay, but prepare
    to spend time cleaning up your computer. Don’t buy the program, it’s a scam.

    I just got rid of this virus myself. Don’t waste your time downloading antivirus
    programs, I did, and most of them didn’t find anything related to this virus.
    One even stated it found serious threats, but it turned out to find only cookies.

    You are most likely seeing …
    No desktop icons (need to delete registry “NoDesktop”)
    Task Manager blocked (need to delete registry “DisableTaskMgr”)
    Nothing on C: drive (need to remove the “Hidden” attributes)

    The frightening thing was …
    Internet Explorer was not running but every minute I would see the
    Windows pointer hour-glass flicker then iexplore task show up in
    Task Manager. I would end the task and a minute later, back again.

    I downloaded a program that shows network activity (cports.exe) and set it to a
    1 second Auto Refresh. YIKES !!! Coming from a Process Name “unknown”, my computer
    was connecting to IP addresses, such as noname.inferno.name, and I had no idea what was
    being transmitted or received. (Maybe personal information, who knows !)

    I spent 2 days cleaning things up, MANUALLY. Most of the time was from downloading
    and trying every program that claims to be “The Best”. Later on, I found a website
    that had pretty good directions:
    http://deletemalware.blogspot.com/2011/06/remove-windows-xp-restore-uninstall.html

    One thing I learned, if you try to run the tddskiller.exe program, and it doesn’t start,
    chances are, it’s being blocked by the virus. I moved the program to a flash drive, renamed
    it to iexplore.exe and it started.

    It found the volsnap.sys file infected, fixed it and the problem was solved.
    You can verify by running the original tddskiller.exe, it should no longer be blocked.
    Also, cports.exe was quiet, no internet connection activity.

    • anigan
      June 20, 2011 at 9:14 am

      I agree that AV/Malware removeal programs do not remove all of the virus, but they do automate some of the removal process. and when you ahve 10 or more PCs infected, any help is great!

  10. Glenn
    June 21, 2011 at 4:57 am

    What a funky virus… they could have just as easily just deleted those shortcuts. Not really sure what they are thinking just moving them. thank you for your post, you saved my friend’s start menu.

    • Deon
      July 24, 2011 at 9:57 pm

      They move them so that when you “buy” the program, it can put them all back into the right place 🙂

  11. tdt
    June 30, 2011 at 9:31 am

    AWESOME!! I been chasing this for awhile now – sure saves from having to re-create those shortcuts.
    Thank you
    tdt

  12. June 30, 2011 at 5:09 pm

    Thank you so much, this was a huge help! We thought it deleted the start menu, but after thinking about it for a while, I thought it might just move it, since giving these bastards your credit card will usually ‘clean’ the malware. This saves hours of time restoring the start menu, thanks again!

  13. squeek
    July 4, 2011 at 11:01 am

    well ive finally decided to fix the laptop, it wont let me finish installing the malwarebytes program, and then randomly decides to shut. which creats a long hassle do to i have an issue with my vid screen cable, and only sometimes will come on….

  14. JustAGuy
    September 16, 2011 at 6:54 pm

    Had same virus on a client PC today. Was able to identify the main bad files by connecting from a remote machine while the infected machine was logged off (therefore not activating anything else). Used Start / run / \\machinename\c$. Searched all files dated today, found those with random names and removed.

    Lots of hidden files, so I basically removed “hidden from everything on the drive.

    Log into machine remotely, and was then able to restore a restore point from a week ago using System Restore. After that, ran MalwareBytes to ensure everything’s clean, now working.

    Note: when using remote desktop, make sure your clipboard is NOT shared so it can’t transfer any infections that may exist.

  15. Tim A-C
    October 5, 2011 at 9:04 am

    If you use the excellent shareware Total Commander file manager (only has a nag screen on startup) to change the attributes, you can recurse the sub-directories – don’t forget to re-hide the desktop.ini files otherwise the user will see a lot of unfamiliar menu/desktop items.

  16. tek the tec
    October 27, 2011 at 1:58 am

    you are the best. Thanks alot… would love to buy you a beer

  17. simon
    November 20, 2011 at 8:46 am

    Thanks for this post, it was really helpful, cheers

  18. Valerie
    November 28, 2011 at 4:25 pm

    I need help…I have gone through removed the virus and followed your steps and my start menu is not recovering. I can get the icons but when you expand to “all programs” those show “empty”. Any help or suggestions would be greatly appreciated.

  19. Ed
    December 27, 2011 at 9:45 am

    This article helped me out, thanks!

  20. wayne
    January 22, 2012 at 6:19 pm

    what happens if you already ran a cleaner and lost the temp files 😦

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: