Missing desktops

A client called this morning with a bad PC. When I logged in as the user, a "File Restore" infection appeared on the screen. Yeah, an obvious false program.

Clicked the Start Button, and it’s completely empty. Awesome. Reboot, and get into safe mode. Same user id, and same symptoms. Loads of fun.

Copied the file unhide.exe from my laptop to a thumbdrive, popped it in on the infected computer, and managed to use the Search field to open Windows Explorer and get to the thumbdrive. Using unhide restored the Start Menu items (but the default info underneath was blank) and the desktop items.

A web search reveals that this particular infection moves the files to a folder in the c:\users\<user>\AppData\local\temp\smtmp directory: 1 for Start Menu items, 2 for Quick Launch toolbar items, and 4 for All users desktop and folder items. I copied the contents of the "1" directory to the user’s real Start menu location and got all the right links back.
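The same copy-back can be scripted. This is an added example, not part of the original post: the folder numbers 1, 2 and 4 come from the paragraph above, while the function name `Restore-SmtmpShortcuts` is hypothetical and the destination paths are assumptions (the usual per-user and Public locations on Windows 7).

```powershell
# Added example: copy shortcuts back out of the smtmp folder described in the post.
# Run as the affected user. Existing files at the destination are never overwritten.
function Restore-SmtmpShortcuts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Location named in the post: <user profile>\AppData\Local\Temp\smtmp
        [string]$SmtmpRoot = (Join-Path $env:LOCALAPPDATA 'Temp\smtmp')
    )

    # Subfolder number -> assumed restore location
    $map = @{
        '1' = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'
        '2' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
        '4' = Join-Path $env:PUBLIC  'Desktop'
    }

    if (-not (Test-Path -LiteralPath $SmtmpRoot)) {
        Write-Warning "No smtmp folder at $SmtmpRoot; nothing to restore."
        return
    }

    foreach ($number in ($map.Keys | Sort-Object)) {
        $source = Join-Path $SmtmpRoot $number
        if (-not (Test-Path -LiteralPath $source)) { continue }
        $sourceFull = (Get-Item -LiteralPath $source -Force).FullName

        # -Force so hidden items are listed too
        Get-ChildItem -LiteralPath $source -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $relative = $_.FullName.Substring($sourceFull.Length).TrimStart('\')
                $target   = Join-Path $map[$number] $relative
                if (Test-Path -LiteralPath $target) {
                    Write-Verbose "Already present, skipping: $target"
                    return   # acts as 'continue' inside ForEach-Object
                }
                if ($PSCmdlet.ShouldProcess($target, "Restore from $($_.FullName)")) {
                    $dir = Split-Path -Parent $target
                    New-Item -ItemType Directory -Path $dir -Force | Out-Null
                    Copy-Item -LiteralPath $_.FullName -Destination $target -Force
                }
            }
    }
}

# Dry run: lists what would be copied without changing anything.
Restore-SmtmpShortcuts -WhatIf
```

Drop `-WhatIf` once the listed targets look right; the originals stay in smtmp because the function copies rather than moves.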

Oddly, the "Documents", "Computer", "Help", and other links that usually appear on the right side of the Start menu were still gone. After a little more searching, I discovered that there might be a false registry entry. Searching the client’s registry didn’t show a false entry. So, another search said to try this:

Right click at Start button > Properties > Start Menu tab > Customize > see if "Display as a link" option is selected.

Turns out everything I was expecting to see was listed as "Do not display this item". So I made the suggested adjustments, and it’s back to normal.

Needless to say, this was not a nice infection (is there ever a nice one?), but fixing the problem didn’t require a full rebuild, as one site suggested. 🙂 Lots less time to repair than that.
