malware has removed the desktop icons

[fmy321]

Hello,

I need help with an infection on my Windows XP computer. Upon boot up the desktop appears for a few seconds, then all the icons disappear and I can no longer navigate. When I booted up in safe mode, windows loaded, then immediately went to shut down and rebooted itself. I've tried safe mode a few times now and it always shuts down and reboots. I cannot seem to access anything on that computer right now.

Can anyone help with this?

Thanks,

fmy

 

[OCD]

Hi fmy321,

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

• I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for the issues on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.
• Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear"

Important: All tools MUST be run from the Desktop.

=========================

Last Known Good Configuration

How to start your computer by using the Last Known Good Configuration feature
(read through the steps before starting)

• Remove all floppy disks and CDs from your computer and then restart your computer.

• Restart your computer.
• When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
• Select the option for Last Known Good Configuration using the arrow keys.
• Then press enter on your keyboard.

=========================

If the computer boots normally now please run the following scans and post the corresponding logs. If not, report back with how the computer is acting.

=========================

aswMBR

Download aswMBR.exe and save it to your desktop.

• • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
• When asked if you want to download Avast's virus definitions please select Yes.
• Click Scan
• Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
• You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

=========================
OTL

Download OTL to your desktop.

• Make sure all other windows are closed and to let it run uninterrupted.
  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Under Custom Scan paste this in
  
  %USERPROFILE%\..|smtmp;true;true;true /FP
  %temp%\smtmp\*.* /s >
  /md5start
  iexplore.*
  explorer.*
  winlogon.*
  dll
  zx.dll
  hlp.dat
  consrv.dll
  services.*
  /md5stop
  netsvcs
  drivers32
  %SYSTEMDRIVE%\*.*
  %systemroot%\Fonts\*.com
  %systemroot%\Fonts\*.dll
  %systemroot%\Fonts\*.ini
  %systemroot%\Fonts\*.ini2
  %systemroot%\Fonts\*.exe
  %systemroot%\system32\spool\prtprocs\w32x86\*.*
  %systemroot%\REPAIR\*.bak1
  %systemroot%\REPAIR\*.ini
  %systemroot%\system32\*.jpg
  %systemroot%\*.jpg
  %systemroot%\*.png
  %systemroot%\*.scr
  %systemroot%\*._sy
  %APPDATA%\Adobe\Update\*.*
  %ALLUSERSPROFILE%\Favorites\*.*
  %APPDATA%\Microsoft\*.*
  %PROGRAMFILES%\*.*
  %APPDATA%\Update\*.*
  %systemroot%\*. /mp /s
  dir "%systemdrive%\*" /S /A:L /C
  CREATERESTOREPOINT
  %systemroot%\System32\config\*.sav
  %PROGRAMFILES%\bak. /s
  %systemroot%\system32\bak. /s
  %ALLUSERSPROFILE%\Start Menu\*.lnk /x
  %systemroot%\system32\config\systemprofile\*.dat /x
  %systemroot%\*.config
  %systemroot%\system32\*.db
  %PROGRAMFILES%\Internet Explorer\*.dat
  %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
  %USERPROFILE%\Desktop\*.exe
  %PROGRAMFILES%\Common Files\*.*
  %systemroot%\*.src
  %systemroot%\install\*.*
  %systemroot%\system32\DLL\*.*
  %systemroot%\system32\HelpFiles\*.*
  %systemroot%\system32\rundll\*.*
  %systemroot%\winn32\*.*
  %systemroot%\Java\*.*
  %systemroot%\system32\test\*.*
  %systemroot%\system32\Rundll32\*.*
  %systemroot%\AppPatch\Custom\*.*
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  BASESERVICES
  DRIVES
  CREATERESTOREPOINT
  
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.

=========================

In your next post please provide the following:

• aswMBR.txt
• attach MBR.zip
• OTL.txt
• Extras.txt

 

[fmy321]

Hi OCD,

It's great that you will be able to help me. Thank you.

I restarted the machine in "Last Known Good Configuration" mode as you suggested. This is what happened:

computer starts to load Windows
desktop appears, including all the icons
after approximately 10 seconds all icons disappear, my desktop background is still there but there is no access to the start button
the mouse still controls the cursor but there is nothing to do, still no access to start button even through the keyboard
I've waited up to five minutes....nothing happens and I have to perform a hard shutdown

Thanks again for the help,
fmy321

 

[OCD]

Hi fmy321,

Let's try this and see if we can access the Task Bar and Start Menu.

Press and hold the "Ctrl" key simultaneously with the "Esc" key to access the Windows Start Menu.
OR
If your computer has a Windows key, see if that works.

=========================

If you are able to access the Start Menu with the above steps do the following next, if not report back.

=========================

• In the Run box type "taskmgr.exe" (without quotes) this should open the Task Manager
• Next choose File > New Task (run) > enter "explorer.exe" (without quotes)
• Select OK

=========================

Reboot

=========================

If the computer reboots and the Desktop Icons, Start Menu & Task Bar are visible, then continue. If not report back.

=========================

System File Checker

• Click Start, in the run box:
• Type: sfc /scannow (There's a space between sfc and /scannow.)

• Type: exit to close the command prompt window
• Include the findings in your next reply

In your next post please provide the following:

• Update status

 

[fmy321]

Hi OCD,

I tried both of your suggestions: the windows key and ctrl + esc keys simultaneously. Neither brings up the task bar or start menu.
fmy321

 

[OCD]

Hi fmy321,

Boot your computer and tap the F8 key repeatedly to access the Advanced Boot Options menu.

What are the options available in the Advanced Boot menu?

Do you have Windows XP Disks?

 

[fmy321]

OCD,

My options are:
last known good configuration
directory services restore mode
debugging mode
disable automatic restart on system failure
start windows normally
reboot
return to OS choices menu
safe mode
safe mode with networking
safe mode with command prompt

Unfortunately, I do not have XP disks


fmy321

 

[OCD]

Hi fmy321,

• Boot once again to the Advance Boot Options menu.
• This time select Safe Mode with Command Prompt
• Once the Command Prompt windows appears type: sfc /scannow (There's a space between sfc and /scannow.)
• Then press Enter.
• After the scan has finished, reboot the computer into Normal Mode

=========================

In your next post please provide the following:

• Report back the results of the System File Checker

 

[fmy321]

Hi OCD,

I started the computer in safe mode with command prompt. The computer goes into safe mode (black screen with “safe mode” in all four corners). After a couple seconds, Windows starts to load. It then immediately shuts down the computer, then reboots.

Note: my screensaver still starts up if there is no activity for a few minutes.

I restarted the computer in Normal Mode. While the icons were still on the desktop, I quickly clicked the start button, clicked run and typed in cmd. The command prompt window appeared (this took a couple attempts to do it quickly enough). I typed in your suggested command: sfc /scannow. The Windows File Protection box popped up and the scan started. The scan took 30 – 40 minutes to complete. During the scan I repeatedly got a couple messages. Either:

“Files that are required for Windows to run properly must be copied to the DLL cache. Insert your Windows XP Professional Service Pack 3 cd now”

Or

“Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original version of these files. Insert your Windows XP Professional Service Pack 2 cd now”

Since I don’t have the disks, I had to cancel out each time one of these messages appeared (a total of 15 times during the scan).

Once the scan was finished, I closed out the command prompt window, shut down the computer and restarted in Normal Mode. The machine booted up, the desktop and icons showed up and the icons disappeared within 10 seconds or so. Same as before.

Hope this isn’t too much info. I didn’t know what you needed.

fmy321

 

[OCD]

Hi fmy321,

Hope this isn’t too much info. I didn’t know what you needed.

The more detailed the explaination the better, thanks. Let's try a slightly different approach:

• Boot once again to the Advance Boot Options menu.
• This time select Safe Mode with Command Prompt
• Once the Command Prompt windows appears type: chkdsk /f [COLOR="#FF00000"]C[/COLOR]: [color="#FF00000"] (Replace if C is not your hard drive with the appropriate drive letter)[/color] - [There is a space between chkdsk and /f C:]
• Then press Enter.
• After the scan has finished, reboot the computer into Normal Mode

=========================

In your next post please provide the following:

• chkdsk update

 

[fmy321]

Hi OCD,

Tried your suggestion. Unfortunately, when I start up in safe mode with command prompt I get to the safe mode screen, then windows starts to load and then reboots the computer. I never get a command prompt.

I tried it the way I mentioned in my last post…quickly click the start button and run cmd in the ten seconds or so before my icons and task bar disappear. I got to the command prompt this way and tried to run chkdsk but got the message:

“Cannot lock current drive. Volume is in use by another process.”

It asked if I wanted to run chkdsk on start up, so I said yes. Doing this I was able to run chkdsk. It completed all three stages then put up some statistics on the screen. However, it rebooted so fast I was not able to read any of the stats. It rebooted into Normal Mode, leaving me with the same problem.

Also, I’ve found a friend who has a disk I can borrow if you think it will help. I believe it is labeled as a “reinstall disk, Windows XP Professional SP 2”. We did not buy our computers at the same time but both are Dell computers running XP Professional. Didn’t know if this could help or just make things worse.

fmy321

 

[OCD]

Hi fmy321,

A reinstall might be the best option. It seems your current version of Windows has become corrupt. Unfortunately, with a reinstall you will lose all your currently installed programs and data.

If this is the route you would like to take let me know when you have the disks and we will go from there.

 

[fmy321]

Hi OCD,

I would prefer to solve the problem without reinstalling windows, if that is possible. Is there anything else we can try?

If we cannot solve the issue, my two options for xp disks are:

A Dell disk labeled "Recovery disk, XP Professional SP 2"

or

A Microsoft disk labeled "Microsoft XP Professional, Version 2002"

Is there anything we can try before re-installing?

fmy321

 

[OCD]

Hi fmy321,

Is there anything we can try before re-installing?

You stated it you leave the computer for awhile your screensaver will kick in.

Boot up in Normal Mode and once the Start button and Task Bar disappear try hitting the F11 key. If it resolves the problem skip the next set of instructions.

I usually don't just give links to other websites that have directions for steps to try but in this instance I am. Please go here and work through the suggested solutions and see if any of these remedy the situation. Report back with your results.

 

[fmy321]

Hi OCD,

The F11 key did not do anything.

I tried the website you suggested. None of the suggestions worked. I was able to open the task manager. When I typed in "explorer.exe" I noticed that in the task manager, under the Image Name column, "explorer.exe" appeared for a few seconds. It disappeared and "rundll32.exe" appeared for a few seconds, then disappeared. Nothing else happened and I never did get a task bar.

fmy321

 

[OCD]

Hi fmy321,

I'm still trying to figure out a way around this issue, but we may still need to end up re-installing the OS.

Can you give me the Make, Model of the computer?

 

[fmy321]

It's a Dell Dimension E310

 

[OCD]

Hi fmy321,

Unfortunately, I'm not coming up with much. Let's give System File Checker again and when prompted for a CD use the Microsoft XP Professional, Version 2002

• Boot once again to the Advance Boot Options menu.
• This time select Safe Mode with Command Prompt
• Once the Command Prompt windows appears type: sfc /scannow (There's a space between sfc and /scannow.)
• Then press Enter.
• After the scan has finished, reboot the computer into Normal Mode

=========================

In your next post please provide the following:

• Report back with the results.

 

[fmy321]

Hi OCD,

Since I can’t boot in Safe Mode with Command Prompt I accessed the command prompt by running cmd from the Task Manager. Don’t know if this is a problem (since I’m not in safe mode) but thought I should tell you how I got to the command prompt.

Once there, I ran System File Checker and used the Windows XP Professional cd. Unfortunately, it just kept telling me that I had the wrong disk. It needs XP Professional SP 2 and SP 3 disks. Once finished with the file checker I rebooted in Normal Mode, but continue to have the same problem.

fmy321

 

[OCD]

Hi fmy321,

Let's see if we can get to System Restore and roll back to a date prior to the problem.

• Once again access the Command Prompt.
• In the Command Prompt window type %systemroot%\system32\restore\rstrui.exe and press Enter.
• Follow the instructions to perform the System Restore

Post back the results.