Virus erased all my start menu and programs how can I restore it?

The malware does not delete the shortcuts, instead it hides all the icons and moves the icons into a temp folder under the user that got the virus. You can repair the virus issue by unhiding the files and restoring the shortcuts and icons to the correct location followed by running malware scanner (virus and spyware scanner) to remove the virus.

Before you start removing this virus, you should kill any possible background process by downloading and running rkill. Rkill will look like a command prompt box, allow it to kill all background processes before proceeding with unhiding and virus removals.

You can unhide your files by downloading and running unhider by Bleeping Computer. Unhiding the files may take a few moments please allow up to 10 minutes for unhider to unhide all of your files

After you have cleared all background processes and unhidden your files please proceed to restoring your shortcuts from the locations below to the respected locations.

The location of lost shortcuts / icons are:
Windows XP – “C:/Documents and Settings/%username%/Local Settings/Temp/SMTMP”
Windows Vista/7 – “C:/Users/%username%/AppData/Local/Temp/SMTMP”

Inside that folder there are 3 folders named 1, 2 and 4.
Folder “1″ has all the Program icons.
Folder “2″ has all the Quick Launch Icons.
Folder “4″ has all the Desktop icons.

Restore the content in folder 1 to: 
Windows XP: C:/Documents and Settings/All Users/Start Menu
Windows Vista and Windows 7: C:/ProgramData/Microsoft/Windows/Start Menu

Restore the content in folder 2 to:
Windows XP: C:/Documents and Settings/Application Data/Microsoft/Internet Explorer/Quick Launch
Windows Vista and Windows 7: C:/Users/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch

Restore the content of folder 4 to:
Windows XP: C:/Documents and Settings/All Users/Desktop
Windows Vista and Windows 7: C:/Users/Public/Desktop

TIP:
When restoring Program Icons try and restore them to “C:Documents and SettingsAll UsersStart MenuPrograms” so it can repair the start menu for all users

Warning:
Please note that ComboFix, Disk Cleanup, CCleaner, or any application that deletes temporary files will delete the SMTMP folder and you will be stuck manually rebuilding the start menu. So please try this method first and it will save you A LOT of time

After restoring all icons and shortcuts, you may now proceed with running a malware scanner and registry cleaners such as TDSSKiller, Malwarebytes, Combofix, Spybot and CCleaner. Please ensure you download these scanners from a reputable sourced, preferably the developer’s websites.

If this answer helped please vote and comment.

62 Comments

  1. You should run rkill first and then unhide.exe, malwarebytes. I had this issue yesterday and was able to get the start menu back doing the following. Then I ran combofix after all was done.

    Reply
  2. Thanks Vincent. Wish I knew this yesterday….I ended up rebuilding/repairing the menu.

    Reply
  3. Awesome!! Just cleaned up a pc from an unknown malware threat but could not figure out how or where the hidden Quick Launch icons had gone to. I could see that the Quick Launch toolbar was still physically present on the Taskbar and was check in the properties page of the Taskbar too. Very simple fix but I don’t think I would have figured it out without this post. Thanks a bunch!

    Reply
    • I am glad to hear this has worked. I know for myself it was a pain to find the solution.

      Reply
  4. Thanks guys for sharing with the group. It’s helped a lot already. I used this the other day too.

    Reply
  5. Hey Guys, thanks for the help. I had the folders listed above (1,2,and 4)in C:Documents and Settings%username%Local SettingsTempSMTMP. Turns out that all I had to do was select the “Documents and Settings” folder, right click, choose “Properties”, and un-hide all of the folders, subfolders and files. My program returned to the start menu, and all my shortcuts in IE returned. My desktop is still blank, and will not let me copy anything to it, though. Anyone have any ideas about that? I got the “Windows XP Restore” virus, that looks just like the one pictured here: [Link removed for security purposes]. Thanks.

    Reply
  6. This was extremely helpful as I located the programs. However, how do I restore them?

    Reply
  7. You dont, all is lost. Also, I thought your last movie was terrible

    Reply
  8. all is not lost…
    use a file called unhide.exe
    run the file, wait a few minutes, and your files should be restored

    Reply
  9. You can restore the files by dragging them to their proper locations.

    Folder “1? has all the Program icons.
    Press the start button then right click on All Programs or Programs and select Explore and drag all the folders and files from Folder 1 into that folder

    Folder “2? has all the Quick Launch Icons.
    Drag all the icons here onto your quick launch bar

    Folder “4? has all the Desktop icons.
    Drag all the icons here onto your desktop

    That will restore all your icons, program files and quick launch. Please note that you need to run unhider.exe to unhide all the programs. You can download the file from here directly: http://vincentwong.info/downloads/unhider.exe

    Note when running unhider: it will not look like it is doing anything, however it is scanning your computer for all hidden files and unhiding the non system essential hidden files. It may take up to 15 minutes.

    Reply
    • I’m having these same exact issues due to a virus. I found folders 1 and 4. If I click on start button then right click on All Programs or Programs, I don’t get an Explore option. I can chose only Open or Properties. What other way can I restore my program icons to the start menu?

      Also, my desktop icons are now showing but they have a transparent look to them. Any idea why that would be?

      Reply
      • right click and click properties and unhide

        Reply
  10. so what if there is nothing in my users folder! I know, this is fudged up…

    Reply
    • If you do not see anything in the users folder, try to look in the all users or administrator folder. There normally is more than 1 user and it could have placed it under another users account.

      If you still cannot find anything then there is a good chance it was deleted by a cleaner such as CCleaner or Combofix. If that is the case then you can try a system restore to before the scan and hopefully it will restore the icons to the users folder and you can restore them before running your scans again.

      Reply
  11. WOW!!!!!!! Thank goodness I found this website! After two days of doing things, this is what restored all that my daughter had lost…thank you!!!

    Reply
  12. Vincent… How do you restore them??

    Reply
  13. I tried the link above http://vincentwong.info/downloads/unhider.exe but it said not found? could you tell me how to run unhide.exe? Thanx! I lost everything in my start menu, run, search documents… everything! Greg

    Reply
  14. I reuploaded unhider. The link should work now. To use unhider run the fieele and wait 5-10 mins. It will not look like it is doing anything but it will unhide most of yloour files. Be sure to recover the files from the folder I named in the original response.

    Reply
    • Amazing!!! Thank you Thank You Thank You!!!! Worked like a charm………..I did have to do a RESTART though and I don’t think that was mentioned.

      Reply
  15. Hey pretty cool, I ran the new link, got a little scared I came back it said computer was locked and wanted my password, I have no idea what it is, I forced shut down the computer rebooted back up and everything is back in the menu!? wow.. Thanx! Greg

    Reply
  16. Thank you for this. It has helped tremenously. I’m still not sure how to restore the icons to my desktop…but the other things worked great. Thank you again.

    Reply
    • if you are using Windows Xp press Start > Run > and enter: C:Documents and Settings%username%Local SettingsTempSMTMP
      if you are using Windows Vista or 7 press start > Run > and enter: C:Users%username%AppDataLocalTempSMTMP

      Look for folders 1, 2, and 4.
      Folder “1? has all the Program icons.
      Folder “2? has all the Quick Launch Icons.
      Folder “4? has all the Desktop icons.

      Drag the items from the folders to where they belong and your icons will be restored. let me know if you have any further questions

      Reply
      • Where do they belong (copied into) for Win 7?
        There is not a Documents and settings . . . area in Win 7

        Reply
        • Please read the original post again, You are looking at the Windows XP path

          Reply
      • I cant thank you enough!!! this helped me get back all my pictures!! THANK YOU!:) i just have a problem getting back my desktop icons i did want you said about folder 4 but my seems to be empty and i dont know how to get them back? plz help me

        Reply
  17. Useful information. Fortunate me I found your site unintentionally, and I’m shocked why this accident didn’t happened earlier! I bookmarked it.

    Reply
  18. I copied down the thing for windows xp double checked and it says it cannot find it and its telling me to chexk if the adress is right? I have 2 antivirus and antimalware softwares(iolo system shield and acronis) i scanned my computer using both and it quarantined deleted all corupted files. It says there is no more virus or anything. Did my antivirus software delete all my files?

    Reply
    • Ashley,

      If you do not see the files in the folders listed above that could mean your antivirus/malware may have deleted them. Have you run unhider yet? the files may still be hidden and unhider may be able to recover it. Also if all else fails try to restore using system restore to when the computer was infected, recover your shortcuts and then rescan for malware.

      Reply
      • How would i run unhider? My internets gone and all files are unnaccessible. The screensaver for the computer still has my pictures so im pretty sure my files are still intact. How would i run system restore? Sorry its just that this has to be my fifth virus on 4 computers in the last year

        Reply
  19. Thanks for the walk through. Got my customer’s machine right as rain in no time.

    Reply
  20. Thanks, you saved me a lot of time !

    Apparently I got this virus through malicious code injection with Firefox 3.6.18 and PDF reader…All icons destroyed, and this damn virus asking me for permissions to make change on my system disk, while spitting random fake system errors. Thanks to W7 UAC as well ;-)

    Reply
    • Not a problem, glad this helped. The information you provided will actually help a lot of others find out where this virus comes from.

      Reply
  21. what will i do if in the temp folder i cannot find the SMTMP or SNTMP folder?is there any other way to restore the SMTMP folder?please reply coz im really worried now..thanks

    Reply
    • If you cannot find the SMTMP or SNTMP folder in the temp folder, that means the folder may have been erased by a antimalware software or cleaner. The only way to recover all shortcuts at that point is via a system restore if possible.

      Reply
  22. It worked like a charm. Thank you!!!!!

    Reply
  23. I Have Windows Vista….. I turned on computer yesterday and I now have a black screen, lost all my desktop icons as well as my start up icons. I tried doing a system restore and it will not let me. What do I need to do next. Thanks

    Reply
  24. I like your style. I wanted to let you know there is a problem viewing site in Internet Explorer, you probably should fix this. I was forced to use Moxilla Firefox in order to properly read your article.

    Reply
  25. I have tried for two days trying to restore my files and find that exact folder but nothing would work. Thank you so much for that link. It worked perfect. Thanks again!!

    Reply
  26. No one seemed to answer thsi question and im so close to finnishing this problem.. (I’m having these same exact issues due to a virus. I found folders 1 and 4. If I click on start button then right click on All Programs or Programs, I don’t get an Explore option. I can chose only Open or Properties. What other way can I restore my program icons to the start menu?

    Also, my desktop icons are now showing but they have a transparent look to them. Any idea why that would be?) Questioned by Eileen

    Reply
  27. I have XP home ed and was able to remove trojan but the ‘start button’ gives me nothing no programs and a small window with a favorite link and there are no desktop icons. I can get on line and use my browser. I have background program icons. Is there somway that I can start a system restore?

    Reply
  28. what happens if you’ve accidently deleted those files and emptied ur recyle bin?!??!! :|

    Reply
  29. I’m in the same position as ashtyn89. I don’t get the Explore option when I click on the start menu. How else can I restore my program icons to the start menu?

    Would hugely appreciate any help

    Reply
  30. I haven’t read through all the posts but enough to see that I didn’t know about the menu’s getting moved to temp file locations, thanks!. Here’s how I dealt with the virus and maybe it will be useful to someone else.

    READ The Next Couple of Paragraphs before doing anything.

    I took the infected hard drive and installed it in a second computer running antivirus software. Since the infected drive isn’t being booted on this prevents any processes in the infected drive from running, or files from being in use.

    If you add in a slave hard drive you need to make sure the boot order is set so it still boots to your original hard drive. Typically this is done by checking the settings in the BIOS. If you don’t know how to do this, don’t use this procedure or get help from somebody who does. You do not want to have the system try to boot from the infected drive. The best case is it just wouldn’t work, i.e. it would blue screen when trying to start, the worst case is you could end up with two infected computers.

    After adding the infected drive as a slave hard drive in a second system..
    Scan for virus’s with “your” antivirus software.
    Install Malwarebytes, shutdown “your” antivirus and scan again with Malwarebytes.
    Install the “Kaspersky Virus Removal Tool” 1st one on the list at….
    http://www.kaspersky.com/virus-removal-tools
    In my case for the computers I’ve worked on Kaspersky found a root kit that the other virus removal tools (I used) missed.
    Turn “your” antivirus software back on.
    Both malwarebytes and the free Kaspersky tool are one shot items, they don’t stay running when finished.

    Between the various tools there should be an instance or more of infected files found in the system restore files which are inside of c:System Volume Information”. If you added this drive as a slave to another computer, of course the drive letter will be something other than C:. This is important to note as you may need the restore points later and you don’t want to restore infected files.

    If you haven’t backed up your documents from the infected PC, this might not be a bad time to do that, i.e. Thumb Drive, writable DVD / CD, or USB External drive, ect. You can unhide some files at this time if you choose just by using the standard file explorer. Pick a file folder on the slave drive, right click for properties, un-click the box that says “hidden” and click on the “OK” box. You can see the hiden files with the drive as a slave drive but if they are in a hidden state when the drive is moved back to the original computer, they will not be visible, overall, that will be fixed in the next couple of steps.

    Download Unhide.exe from..
    http://www.bleepingcomputer.com/download/anti-virus/unhide
    The virus I dealt with hides all virtually all the files. So while the drive is still resident in another computer copy unhide.exe over to the formerly infected hard drive. Make a new folder on the slave drive as you don’t want to place the file inside of a hidden folder.

    Move the drive back to the original computer and boot it.
    Run unhide.exe to make the hidden files visible again. The problem now is most all the menus are empty so..you can use the methods described above and restore the menus from the temp files but I also found that some shortcuts had been effected, i.e. I could get to System Restore but I could not alter the system restore setting for a drive, as in turn off restore or alter the amount of space used for restore points, clicking on the settings shortcut took me to System Poperties. The virus doesn’t want to allow Restore to be turned off since it infected it the restore files, but as they are now disinfected, the restore points should be usable and that’s what I did. I restored from a recent, but prior to the infection, restore point and all the empty sub menus and shortcuts were fixed.

    Reply
  31. Thanks for the tips, very very helpful. The virus gave me another headache that I haven’t yet solved. I am on Windows 7. When I click the Start “Orb” I no longer see a list of recently used programs, and I don’t see the Shortcuts to Documents, Control Panel, etc. The only things I see are “Computer” and “All Programs”.

    Tips? Ideas?

    Reply
  32. We absolutely love your blog and find nearly all of your post’s to be what precisely I’m looking for. Do you offer guest writers to write content available for you? I wouldn’t mind publishing a post or elaborating on a number of the subjects you write concerning here. Again, awesome weblog!

    Reply
  33. I ran unhide.exe and it brought back my documents and pictures. However, my programs are still hidden. And, my desktop screensaver and tray are a different color from the real desktop screen appearance. I put in c:Users%username%AppDataLocalTempSMTMP and it said that it is not found. I ran Malwarebytes and Avast. I cleaned the viruses that it picked up. I ran a pre-boot scan and it showed nothing. When I pull up All Programs from the Start Button on Windows 7, and click on the programs, it will drop down with empty. Is there anything I can do here?

    Reply
    • Breezman,

      What happened is your shortcuts (start menu -> all program files) were moved to the SMTMP folder. However if you ran some scans which may have removed the temporary folders during the scan you will have lost the files. I believe you are using windows 7 so just put a start -> run -> C:Users%username%AppDataLocalTemp and see if you can still see a SMTMP folder. If you do not then that means it is lost. If you do see the folder please follow the guide above on how to restore the shortcuts. If you would like remote support, one of my colleagues offers remote troubleshooting just submit a service request at http://www.NYPCTech.net

      Best of luck,
      Vincent W.

      Reply
  34. My gosh! Thanks SO Much all my programs are restored but do you know how to put icons back onto the start menu if you email me just title it Help For Start Menu Virus . Then I will send you a photo of what I mean. This will be really helpful! Thanks SO Much I owe you so much!

    Reply
  35. I was skeptical at first, but this worked like a charm! I can hardly believe it! I was so worried that all of the pictures of my 5 month old son were gone forever! THANK YOU!

    Reply
  36. So what do you do if you go to windows 7 so just put a start -> run -> C:Users%username%AppDataLocalTemp and the files are NOT there? How can I get everything back to the way it was? Thanks for everything.

    Reply
  37. Hi Vincent and all friends i use windows xp and i search all the username folder but it shoundn’t found the SMTMP folder then please tell me the way to get back these folder and how to restore the computer thanks………

    Reply
  38. It looks like I’m getting closer to realizing my entire drive is gone. I ran CCleaner before I got help for clearing the virus on my laptop. I’ve already run the unhide utility provided by Webroot. When I try to do a System Restore it says that there are no restore points. I had both a C: and D:, where C: holds program files and 85 or so gigs of space. D: held everything else and approx. 400 gigs of space, it held items such as some program files (so I wouldn’t run out of the remaining space on C:, pictures, music, documents, everything). Have I lost everything completely?

    Reply
  39. Oops – I forgot to mention that I still have a C:, but D: is gone.

    Reply
  40. Thank you for getting my start menu and quick launch bar back. The odd thing was that I did not have to copy the icons. As soon as unhide finished running they just appeared. It took a long time for the program to clean everything up, but was worth it.

    Reply
  41. it worked fine for me. thanks a lot. i had already run TDSSKiller and Malwarebytes and had overgone some recoveries because i had the file recovery virus but all seems to be ok now. thanks again!

    Reply
  42. The path to the SMTMP folder was a little different for me.
    Documents and SettingsusernameLocal settingsTempsmtmp
    Also the Local Settings folder is hidden so you need to change folder options to view hidden files.

    I only had folder 1 and 2. I copied and pasted the contents into the locations suggested and got all my menu shortcuts back.

    Thanks for the tip!

    Reply
  43. when i deleted the file the virus was in it deleted almost everything now when i click on a icon i haft go to the internet from a list with all the programs and when i get on the web its just a blank page this makes it hard to look up something and when i try to use anything that requires a flash player or download its like i didint download it and i tried downloading it again and runing it but it says application not found how do i fix this it is so annoying!!!

    Reply
    • Michael, everything should have been completed with the applications I provided. There should be no file that you would have needed to delete and flash should not have been affected. My recommendation at this point is to perform a system restore to a few days before your computer was infected and follow the directions above to ensure your computer is virus free. If that still does not work, I would recommend taking the computer out to the professionals to look into it, or you can visit http://www.NYPCTech.net (one of our preferred vendors) and schedule a remote support session with one of their technicians.

      Reply
  44. Gettin the same thing as Michael. Some web pages are just blank, and flash player doesn’t work anymore and and that application cannot found, and it can’t be downloaded again. Also tried deleting previous download to re-download without success, gives same as before with message of application cannot be found. Need flash player for half of everything viewed on the net. Please advise as to what can be done to fix this problem if you can.

    Reply
  45. Thanks for the information.
    This virus hit last year and I had trouble repairing several computers.

    Your information is the best I have seen.

    Keep up the good work.

    Reply
  46. vincentwong.info is very interesting. This site helped me get rid of the virus!

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>