Some of the fake security software (rogue antivirus) malware in the wild has been moving the Start menu items to a temporary directory under the user profile. This has caused us at work some annoyance, since we remove all the temp files before starting a malware removal. So several times this week, we have had to rebuild several Start menus from scratch — which was not fun.

In Windows 7, the Start menu items are moved to the following folders (a fake-AV infection should be checked for these before the temp folder is cleaned out):

  • All Users Items = %userprofile%\AppData\Local\Temp\smtmp\1
  • Current User Items = %userprofile%\AppData\Local\Temp\smtmp\2
  • Desktop Items = %userprofile%\AppData\Local\Temp\smtmp\4

Desktop items can be moved or copied back with robocopy:

robocopy %userprofile%\AppData\Local\Temp\smtmp\4 %userprofile%\Desktop /move /a-:h

All Users items can be moved with (this one writes under C:\ProgramData, so run it from an elevated command prompt):

robocopy %userprofile%\AppData\Local\Temp\smtmp\1 "C:\ProgramData\Microsoft\Windows\Start Menu" /move /a-:h

Current User items:

robocopy %userprofile%\AppData\Local\Temp\smtmp\2 "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu" /move /a-:h

Of course, /e can be substituted for /move to copy the files back to the correct locations instead of moving them; /e also copies subfolders (including empty ones), so adding it alongside /move makes sure the whole Programs tree comes back rather than just the top-level shortcuts. I've been using /a-:h to remove the hidden attribute, since a few times the files have been hidden too. Robocopy exit codes below 8 are informational (files copied, extras, mismatches); 8 or above means something failed to copy and the folder is worth checking by hand.

I have not seen the Start menu get moved in Windows XP yet; however, the paths will be very similar:

  • All Users Items = %userprofile%\Local Settings\Temp\smtmp\1
  • Current User Items = %userprofile%\Local Settings\Temp\smtmp\2
  • Desktop Items = %userprofile%\Local Settings\Temp\smtmp\4
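The whole procedure above, as an added PowerShell script that is not part of the original post: it checks %TEMP%\smtmp\1, \2 and \4 before any temp cleanup, reports what is stashed there, and with -Restore moves the contents back using the same robocopy switches. %TEMP% resolves to the AppData\Local\Temp folder on Windows 7 and Local Settings\Temp on XP, so one script covers both lists. The Windows 7 destinations are the ones given in the post; the XP destinations (no %ProgramData% on XP), the script name, the -Restore switch and the elevation check are my own assumptions.

```powershell
<#
  Restore-StartMenu.ps1  (added example, not the original post's code)
  Run without switches to see what is sitting in %TEMP%\smtmp before you
  wipe the temp folder; run with -Restore (elevated) to move it back.
#>
[CmdletBinding()]
param(
    [switch]$Restore   # assumed switch name; without it nothing is changed
)

$smtmp = Join-Path $env:TEMP 'smtmp'

# Destination for each numbered folder. The Windows 7 paths are those in the
# post; the XP branch (no %ProgramData% on XP) is an assumption on my part.
if ($env:ProgramData) {
    $allUsers    = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    $currentUser = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu'
} else {
    $allUsers    = Join-Path $env:ALLUSERSPROFILE 'Start Menu'
    $currentUser = Join-Path $env:USERPROFILE     'Start Menu'
}
$targets = @{
    '1' = $allUsers                               # All Users items
    '2' = $currentUser                            # Current User items
    '4' = (Join-Path $env:USERPROFILE 'Desktop')  # Desktop items
}

if (-not (Test-Path -LiteralPath $smtmp)) {
    Write-Host "No $smtmp folder found; nothing has been stashed here."
    return
}

# The All Users Start Menu lives under ProgramData, so the restore needs admin.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Restore -and -not $isAdmin) {
    Write-Warning 'Not elevated: the All Users Start Menu under ProgramData will not be writable.'
}

foreach ($n in '1', '2', '4') {
    $src = Join-Path $smtmp $n
    if (-not (Test-Path -LiteralPath $src)) { continue }

    # -Force is needed because the malware usually sets the hidden attribute.
    $count = (Get-ChildItem -LiteralPath $src -Recurse -Force |
              Where-Object { -not $_.PSIsContainer } | Measure-Object).Count
    Write-Host ("smtmp\{0}: {1} file(s) -> {2}" -f $n, $count, $targets[$n])

    if ($Restore) {
        # /e     whole tree incl. empty subfolders (Programs\...)
        # /move  delete from the source after copying
        # /a-:h  clear the hidden attribute on the copied items
        # /r:1 /w:1  do not sit retrying on a locked file
        & robocopy.exe $src $targets[$n] /e /move /a-:h /r:1 /w:1 /np | Out-Null
        # Exit codes 0-7 are informational; 8 and above mean copy failures.
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "robocopy reported failures (exit $LASTEXITCODE) for smtmp\$n; check it by hand."
        }
    }
}

# Remove the stash folder only if the restore emptied it completely.
if ($Restore -and -not (Get-ChildItem -LiteralPath $smtmp -Recurse -Force)) {
    Remove-Item -LiteralPath $smtmp -Force
}
```

Drop the script into the removal toolkit and run it first thing; the report mode costs nothing and is what prevents the temp cleanup from eating the Start menu. A plain hashtable and an explicit '1','2','4' loop are used rather than [ordered] so the script still runs on the PowerShell 2.0 that Windows 7 ships with.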