Windows XP restore Virus/Malware Start menu shortcuts
Recently we have been getting a few copies of the “Windows XP Restore” virus going around. This one is a nasty bit of kit. It changes all your files on C:\ to hidden and throws in a bunch of popup crap. I have been using Malwarebytes Anti-Malware to get rid of the bugger, but this virus leaves a parting gift of an hour’s worth of cleanup for the user profile. So far my process has been to rename the user’s profile folder under C:\Documents and Settings, from user to user.old. Then I log in as the user, which creates a new profile, and I migrate the data back over manually.
Another pain in the ass with this virus is the start menu shortcuts. Even after un-hiding the “All Users” start menu and the profile start menu, all the shortcuts were still missing, so I went on the hunt and found that the virus moves them to C:\Documents and Settings\user\Local Settings\Temp\smtmp\1. It also seems to move Quick Launch to C:\Documents and Settings\user\Local Settings\Temp\smtmp\2.
NOTE: Recover these files before you run your AV software, as AV products have started removing these files as part of the virus cleanup.
Hope this little bit of info helps!
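As an added example (not from the original post), here is a batch file that does the recovery described above on Windows XP with built-in tools only: it copies the whole smtmp folder to a backup location first (so nothing is lost if a cleaner deletes smtmp later), merges smtmp\1 back into the All Users Start Menu and smtmp\2 into the user’s Quick Launch folder, and clears the Hidden attribute on the restored shortcuts. The mapping of smtmp\1 to the All Users Start Menu (rather than the per-user one) and the backup path C:\smtmp_backup_<user> are assumptions; change DEST1 if the shortcuts belonged to the per-user Start Menu.

```batch
@echo off
rem Added example, not from the original post. Restores Start Menu and Quick
rem Launch shortcuts that the "Windows XP Restore" rogue moved into the
rem profile's Temp\smtmp folders. Run BEFORE any AV/cleanup tool, as the post
rem warns, because cleaners delete smtmp.  Usage: restore_shortcuts.cmd <username>
rem Assumptions (not stated in the post): smtmp\1 holds the All Users Start
rem Menu tree and smtmp\2 holds Quick Launch; adjust DEST1 if your shortcuts
rem belonged to the per-user Start Menu instead.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<username^>
    exit /b 1
)
set "PROFILE=C:\Documents and Settings\%~1"
set "SMTMP=%PROFILE%\Local Settings\Temp\smtmp"
set "DEST1=C:\Documents and Settings\All Users\Start Menu"
set "DEST2=%PROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch"
set "BACKUP=C:\smtmp_backup_%~1"

if not exist "%SMTMP%" (
    echo smtmp folder not found under "%PROFILE%" - a cleaner may already have removed it.
    exit /b 2
)

rem 1. Keep a copy of everything in smtmp first (hidden/system files included,
rem    attributes preserved, no prompts).
echo Backing up "%SMTMP%" to "%BACKUP%" ...
xcopy "%SMTMP%" "%BACKUP%\" /E /H /K /Y /I >nul
if errorlevel 1 (
    echo Backup failed or smtmp is empty, stopping.
    exit /b 3
)

rem 2. Copy the shortcut trees back into place; xcopy merges into the existing
rem    folders rather than replacing them.
if exist "%SMTMP%\1" xcopy "%SMTMP%\1" "%DEST1%\" /E /H /K /Y /I
if exist "%SMTMP%\2" xcopy "%SMTMP%\2" "%DEST2%\" /E /H /K /Y /I

rem 3. The restored .lnk files and folders may still carry the Hidden attribute
rem    the rogue set; clear it on the two restored trees only, then put the
rem    Hidden attribute back on desktop.ini, which is its normal state.
for %%D in ("%DEST1%" "%DEST2%") do (
    attrib -h "%%~D"
    attrib -h "%%~D\*" /s /d
    attrib +h "%%~D\desktop.ini" /s
)
echo Done. Check the Start menu; the backup in "%BACKUP%" can be deleted later.
endlocal
```

Run it from an administrator account (for example restore_shortcuts.cmd jsmith) before running any scanner, as the NOTE above says; the backup copy means the shortcuts survive even if the scanner removes smtmp afterwards.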
Thank you very much! My experience was *identical*. Only I couldn’t find the ‘All Users’ start menu shortcuts.. Your post saved me a lot of time (and annoyance)!
I just do not understand these virus writing idiots; So I spent an entire evening cleaning this mess up (on another person’s computer); for what? Who gains anything with this nonsense?
Anyway, big thanks for your detective work!
Richard
I am battling this right now. I was able to download SuperAntiSpyware which picked up a number of trojans. It wouldn’t let me download Malwarebytes (both were already installed, just can’t get to it). After rebooting even in safe mode, I still can’t access anything on my C drive to even get to these paths. I tried searching for files and programs - nothing. The only way I can get to the internet is to go to Control Panel - Security Center and then look for updates which get me to the net.
Any ideas on what to do if you can’t get to these shortcuts to find your programs?
This virus basically hides all files on your computer. If you change your Windows Explorer settings to show hidden files you should be able to access your files. To restore them without using MBAM or ComboFix you need to right click on the file/folder and uncheck hidden. Some files will not allow this change so a bulk change won’t work.
mbam will install in safe mode. i just did it like 20 min ago….lol
awesome thanks, that helped me a ton.
Nice write up. I’m dealing with the same virus, except I haven’t been able to find where it hid the start menu shortcuts. The folders you listed don’t exist on the PC I’m cleaning up.
I ran across that on a few PCs as well. Seems some AV programs remove those folders. If you do a quick Recuva scan of the user’s Local Settings directory the shortcuts will show up.
Brilliant, I found the same on a machine I was working on.
well spotted
I think the error came from Windows XP Restore, but of course it’s not the real one.
I’m dealing with this problem on my mother’s computer … what a nightmare! I restored the start menu program folders, but they’re all “Empty”! Any thoughts on how to restore the actual shortcuts?
The shortcuts are probably still hidden. You need to set your folder options to show hidden files/folders, then right click on all the application folders and click on Properties. Uncheck Hidden and press OK. There will be a dialog box that pops up; select to perform the action on all folders and subfolders.
Thanks!! I also found that it disabled right click on the desktop. Here is how to fix that
http://ag-technofreak.blogspot.com/2010/06/disable-right-click-functionality-on.html
It also locks the wallpaper. To change that just search for NoChangingWallpaper in the reg and give it a 0.
Neat tip! I have just been logging in as the local admin account then renaming their profile folder to username.old. then when I log on as the user again they get a nice clean new profile and I just have to migrate the data.
I have IObit security software, and last night a pop up said hey there is a new update, so I went to the update link and it said everything has changed to this and that I needed to download that. I chose not to. Now this morning when I turned it on, Windows pops up saying that my RAM is at a critical usage, and there is a problem with my hard drive, giving me 11 critical warnings and that I need to fix right now. Is that part of the virus?
That would be the virus yes.
The “Windows-XP-Restore” virus …
Don’t worry, don’t freak out, your computer and files are okay, but prepare to spend time cleaning up your computer. Don’t buy the program, it’s a scam. I just got rid of this virus myself. Don’t waste your time downloading antivirus programs, I did, and most of them didn’t find anything related to this virus. One even stated it found serious threats, but it turned out to find only cookies.
You are most likely seeing …
No desktop icons (need to delete registry “NoDesktop”)
Task Manager blocked (need to delete registry “DisableTaskMgr”)
Nothing on C: drive (need to remove the “Hidden” attributes)
The frightening thing was …
Internet Explorer was not running but every minute I would see the Windows pointer hour-glass flicker then iexplore task show up in Task Manager. I would end the task and a minute later, back again. I downloaded a program that shows network activity (cports.exe) and set it to a 1 second Auto Refresh. YIKES !!! Coming from a Process Name “unknown”, my computer was connecting to IP addresses, such as noname.inferno.name, and I had no idea what was being transmitted or received. (Maybe personal information, who knows !)
I spent 2 days cleaning things up, MANUALLY. Most of the time was from downloading and trying every program that claims to be “The Best”. Later on, I found a website that had pretty good directions:
http://deletemalware.blogspot.com/2011/06/remove-windows-xp-restore-uninstall.html
One thing I learned, if you try to run the tdsskiller.exe program, and it doesn’t start, chances are, it’s being blocked by the virus. I moved the program to a flash drive, renamed it to iexplore.exe and it started. It found the volsnap.sys file infected, fixed it and the problem was solved. You can verify by running the original tdsskiller.exe, it should no longer be blocked. Also, cports.exe was quiet, no internet connection activity.
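Added example (not part of the comment above or of any tool it mentions): a batch file that undoes the three policy values named in this thread, NoDesktop and DisableTaskMgr from the comment above and NoChangingWallpaper from an earlier comment, using reg.exe, which ships with XP. The key paths are the standard Windows policy locations for those value names; since the rogue may have written them under either hive, both HKCU and HKLM are checked, and each key is exported to C:\policy_backup (an assumed path) before it is changed so the edit can be reversed. Only values that actually exist are touched, which also makes the output a quick check of what the infection left behind.

```batch
@echo off
rem Added example, not from the original comment. Removes the policy values the
rem "Windows XP Restore" rogue sets to hide the desktop, block Task Manager and
rem lock the wallpaper (NoDesktop, DisableTaskMgr, NoChangingWallpaper). The key
rem paths are the standard policy locations for those values; the rogue may have
rem written them under HKCU, HKLM or both, so both hives are checked.
rem Each key is exported to %BAK% (assumed path) before it is changed.
setlocal
set "BAK=C:\policy_backup"
if not exist "%BAK%" mkdir "%BAK%"

set N=0
for %%H in (HKCU HKLM) do (
    call :fix %%H "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoDesktop delete
    call :fix %%H "Software\Microsoft\Windows\CurrentVersion\Policies\System" DisableTaskMgr delete
    call :fix %%H "Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" NoChangingWallpaper zero
)
echo Changed %N% value(s). Log off and on again for the desktop and Task Manager to come back.
endlocal
exit /b 0

rem :fix <hive> <subkey> <valuename> <delete|zero>
rem Only touches a value that actually exists, exporting its key first.
:fix
set "KEY=%~1\%~2"
reg query "%KEY%" /v %~3 >nul 2>&1 || exit /b 0
echo Found %~3 under %KEY%
set "BAKFILE=%BAK%\%~1_%~3.reg"
if exist "%BAKFILE%" del "%BAKFILE%"
reg export "%KEY%" "%BAKFILE%" >nul
if "%~4"=="delete" (
    rem NoDesktop / DisableTaskMgr: removing the value restores default behaviour.
    reg delete "%KEY%" /v %~3 /f >nul
) else (
    rem NoChangingWallpaper: the earlier comment says to set it to 0.
    reg add "%KEY%" /v %~3 /t REG_DWORD /d 0 /f >nul
)
set /a N+=1
exit /b 0
```

Run it as an administrator once the malware processes are no longer running (otherwise they can simply re-create the values); if Task Manager is still blocked afterwards, the value was most likely re-written and the machine is not yet clean.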
I agree that AV/malware removal programs do not remove all of the virus, but they do automate some of the removal process. And when you have 10 or more PCs infected, any help is great!
What a funky virus… they could have just as easily just deleted those shortcuts. Not really sure what they are thinking just moving them. thank you for your post, you saved my friend’s start menu.
They move them so that when you “buy” the program, it can put them all back into the right place 🙂
AWESOME!! I’ve been chasing this for a while now – sure saves from having to re-create those shortcuts.
Thank you
tdt
Thank you so much, this was a huge help! We thought it deleted the start menu, but after thinking about it for a while, I thought it might just move it, since giving these bastards your credit card will usually ‘clean’ the malware. This saves hours of time restoring the start menu, thanks again!
Well, I’ve finally decided to fix the laptop. It won’t let me finish installing the Malwarebytes program, and then randomly decides to shut, which creates a long hassle due to an issue I have with my video screen cable, which only sometimes will come on….
Had same virus on a client PC today. Was able to identify the main bad files by connecting from a remote machine while the infected machine was logged off (therefore not activating anything else). Used Start / run / \\machinename\c$. Searched all files dated today, found those with random names and removed.
Lots of hidden files, so I basically removed “hidden” from everything on the drive.
Logged into the machine remotely, and was then able to restore a restore point from a week ago using System Restore. After that, ran MalwareBytes to ensure everything’s clean, now working.
Note: when using remote desktop, make sure your clipboard is NOT shared so it can’t transfer any infections that may exist.
If you use the excellent shareware Total Commander file manager (only has a nag screen on startup) to change the attributes, you can recurse the sub-directories – don’t forget to re-hide the desktop.ini files otherwise the user will see a lot of unfamiliar menu/desktop items.
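Added example (not from the comment above): the same recursive attribute change done with the built-in attrib command instead of Total Commander, as a batch file. It clears Hidden on a whole tree (C:\ by default, or a folder given as the first argument), leaves hidden+system entries alone (attrib refuses to unhide them, and on a normal machine they are genuine OS files such as boot.ini, which is the “bulk change won’t work” case mentioned earlier in the thread), re-hides every desktop.ini afterwards as the comment advises, and writes a report to C:\unhide_report.txt (an assumed path) listing what it skipped and what is still hidden for manual follow-up.

```batch
@echo off
rem Added example, not from the original comment. Clears the Hidden attribute
rem the rogue set on a folder tree without a third-party file manager.
rem Edge cases handled: hidden+system entries are left alone (attrib will not
rem unhide them and they are normally real OS files), and desktop.ini files are
rem re-hidden afterwards so folder names/icons stay normal.
rem Usage: unhide_tree.cmd [root]   (default root is C:\)
setlocal
set "ROOT=%~1"
if "%ROOT%"=="" set "ROOT=C:\"
if not "%ROOT:~-1%"=="\" set "ROOT=%ROOT%\"
if not exist "%ROOT%" (
    echo "%ROOT%" does not exist.
    exit /b 1
)
set "REPORT=C:\unhide_report.txt"
echo Unhide run on %DATE% %TIME% for %ROOT% > "%REPORT%"

rem 1. Record what is hidden+system before touching anything; these are skipped.
echo --- hidden+system entries left untouched --- >> "%REPORT%"
dir "%ROOT%" /s /b /a:hs >> "%REPORT%" 2>nul

rem 2. Unhide folders (/d) and plain hidden files recursively (/s). System
rem    files answer "Not resetting system file" and keep their attributes.
attrib -h "%ROOT%*" /s /d

rem 3. Re-hide every desktop.ini so Start Menu / Desktop folders keep their
rem    localized names and icons, as the comment above recommends.
for /f "delims=" %%F in ('dir "%ROOT%desktop.ini" /s /b /a 2^>nul') do (
    attrib +h "%%F"
    echo re-hid %%F >> "%REPORT%"
)

rem 4. Anything still hidden that is NOT a system file means attrib could not
rem    reach it (file in use, access denied): list it for manual follow-up.
echo --- still hidden, not system (check manually) --- >> "%REPORT%"
for /f "delims=" %%F in ('dir "%ROOT%" /s /b /a:h-s 2^>nul') do (
    echo %%F | find /i "desktop.ini" >nul || echo %%F >> "%REPORT%"
)
echo Report written to "%REPORT%"
endlocal
```

Before running it against C:\, compare the “hidden+system” section of the report with a clean XP machine: that section should contain only the usual OS entries (boot.ini, pagefile.sys, System Volume Information and the like), and any unfamiliar hidden+system file there is worth submitting to a scanner rather than unhiding by hand.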
You are the best. Thanks a lot… would love to buy you a beer.
Thanks for this post, it was really helpful, cheers
I need help…I have gone through removed the virus and followed your steps and my start menu is not recovering. I can get the icons but when you expand to “all programs” those show “empty”. Any help or suggestions would be greatly appreciated.
This article helped me out, thanks!
what happens if you already ran a cleaner and lost the temp files 😦