
Windows 7 Recovery virus, unable to restore start menu programs list


3 replies to this topic

#1 Eric Larsen


Posted 10 June 2011 - 08:46 AM

Hey all, this is my first post here, so please be gentle. :)

Problem summary:
A client of mine (I'm an IT summer temp in a production facility) recently contracted the Windows 7 Recovery virus and contacted me to fix it. Having encountered the XP version recently and resolved the issue, I was able to easily remove the virus and associated rootkit. The difference this time was that unhide.exe failed to restore the start>all programs menu shortcuts, although it did manage to restore the folder structure. I read through and followed the instructions of another thread here: http://www.bleepingcomputer.com/forums/topic399676.html which did not resolve the issue. The output given by SystemLook is as follows:

SystemLook 04.09.10 by jpshortstuff
Log created at 09:14 on 09/06/2011 by debra
Administrator - Elevation successful

========== dir ==========

C:\Users\debra\AppData\Local\Temp\smtmp - Parameters: "/s"

---Files---
None found.

C:\Users\debra\AppData\Local\Temp\smtmp\1 d------ [17:43 08/06/2011]
desktop.ini --ahs-- 442 bytes [04:49 14/07/2009] [05:01 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs d------ [17:43 08/06/2011]
desktop.ini --ahs-- 1130 bytes [04:54 14/07/2009] [14:23 31/05/2011]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Accessories d------ [17:43 08/06/2011]
Desktop.ini --ahs-- 1854 bytes [02:36 14/07/2009] [23:47 22/06/2010]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Accessories\Accessibility d------ [17:43 08/06/2011]
Desktop.ini --ahs-- 370 bytes [02:36 14/07/2009] [04:57 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools d------ [17:43 08/06/2011]
Desktop.ini --ahs-- 1338 bytes [02:36 14/07/2009] [04:57 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Accessories\Tablet PC d------ [17:43 08/06/2011]
Desktop.ini --ahs-- 343 bytes [07:45 14/07/2009] [23:47 22/06/2010]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell d------ [17:43 08/06/2011]
desktop.ini --ahs-- 216 bytes [04:57 14/07/2009] [04:57 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools d------ [17:43 08/06/2011]
desktop.ini --ahs-- 1958 bytes [04:53 14/07/2009] [23:47 22/06/2010]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Games d------ [17:43 08/06/2011]
desktop.ini --ahs-- 1128 bytes [05:32 14/07/2009] [20:56 20/09/2010]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Maintenance d------ [17:43 08/06/2011]
Desktop.ini --ahs-- 606 bytes [02:36 14/07/2009] [04:57 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Startup d------ [17:43 08/06/2011]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\3 d------ [17:43 08/06/2011]
desktop.ini --ahs-- 146 bytes [14:33 28/07/2010] [13:06 05/10/2010]

C:\Users\debra\AppData\Local\Temp\smtmp\4 d------ [17:43 08/06/2011]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]

-= EOF =-

I looked and, indeed, the only files located in ...\smtmp\[1,3,4]\... were .ini files. I had previously enabled viewing of hidden and system files in explorer. So, fresh out of ideas, I've come to you fine people for suggestions. It's a minor problem, but annoying and counter-productive nonetheless. I have logfiles from rkill, DDS, TDSSKiller, and MBAM if you'd like to see them.

Many thanks in advance for the help. :)
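
An added example, not part of the original post and not SystemLook's own code: a small Python parser for the "dir" listing layout pasted above, reporting whether the smtmp backup holds anything besides desktop.ini. The sample is a constructed, shortened excerpt in the same layout, and the regexes assume the attribute and size columns look exactly as they do in this log.

```python
import re
from collections import defaultdict

# Constructed sample: shortened excerpt in the layout of the log in the post.
SAMPLE = r"""
========== dir ==========

C:\Users\debra\AppData\Local\Temp\smtmp\1 d------ [17:43 08/06/2011]
desktop.ini --ahs-- 442 bytes [04:49 14/07/2009] [05:01 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools d------ [17:43 08/06/2011]
Desktop.ini --ahs-- 1338 bytes [02:36 14/07/2009] [04:57 14/07/2009]

C:\Users\debra\AppData\Local\Temp\smtmp\4 d------ [17:43 08/06/2011]
desktop.ini --ahs-- 174 bytes [04:54 14/07/2009] [04:54 14/07/2009]

-= EOF =-
"""

# Directory lines: "<path> d------ [time date]"; file lines: "<name> --ahs-- N bytes [..] [..]"
DIR_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) d[a-z-]{6} \[")
FILE_RE = re.compile(r"^(?P<name>.+?) -[a-z-]{6} (?P<size>\d+) bytes \[")

def parse_dir_section(log):
    """Return {directory: [(filename, size_bytes), ...]} from a SystemLook dir listing."""
    tree, current = defaultdict(list), None
    for line in log.splitlines():
        line = line.strip()
        if m := DIR_RE.match(line):
            current = m["path"]
            tree[current]  # register the directory even if it turns out to be empty
        elif current and (m := FILE_RE.match(line)):
            tree[current].append((m["name"], int(m["size"])))
    return dict(tree)

def recoverable_files(tree):
    """Everything in the backup other than desktop.ini, e.g. .lnk shortcuts."""
    return [f"{p}\\{n}" for p, fs in tree.items() for n, _ in fs
            if n.lower() != "desktop.ini"]

def numbered_folders(tree):
    """Numbered folders directly under smtmp that appear in the listing."""
    return sorted({m[1] for p in tree if (m := re.search(r"\\smtmp\\(\d+)(?:\\|$)", p))})

if __name__ == "__main__":
    t = parse_dir_section(SAMPLE)
    print(numbered_folders(t), recoverable_files(t) or "nothing to restore")
```
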



#2 Broni


Posted 10 June 2011 - 11:15 AM

Unfortunately, it looks like you'll have to restore everything manually.

You can restore the defaults for the Start Menu and Administrative Tools as follows:


To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.
  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".

NOTE: Make sure you right click on the Avast program, NOT on the Avast folder.

  • You'll see this window:


Due to the damage caused by the infection, you'll find "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open:


  • Highlight everything in "Path" box, right click on it, click "Copy"
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end
  • Click OK and you're done.



In case the program's link shows as (empty):

  • Open Windows Explorer, navigate to Avast folder in Program Files
  • Right click on Avast ".exe" file, click "Create shortcut":


  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively, you can paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 Eric Larsen


Posted 10 June 2011 - 11:51 AM

Then it is as I feared. Oh well, I'll just do it on my lunch break.

Thanks for the help. :)

#4 Broni


Posted 10 June 2011 - 12:00 PM

Sure thing :)



 




