Question

Windows XP - Desktop and Start Menu are Missing - Malware?

Asked by: kpratola

This looks like a pretty bad issue. First the customer told me that all his desktop icons disappeared. I thought maybe he accidentally hid them. He also says that when he goes to Google and searches for something, when he clicks on the search results, he is directed somewhere else. Ok, so it sounds like his browser is being hijacked. But this I didn't expect. Look at the screen shot below when I remoted into his PC. No icons, no start button. Customer has XP Home Edition. Right-clicking on the desktop does absolutely nothing. I can bring up the task manager and select New Task, but I cannot run explorer.exe. I just get a permissions error. I was able to install Malwarebytes, but after scanning for 8 seconds, the program just closes. Now I am trying an online scan to see if that works. I can't access My Computer at all. I really can't even run most programs. After Malwarebytes closes, I cannot open it again. Not even by typing the exact path in the New Task window. I can open IE, but it won't let me access his hard drive or anything. I just keep getting an error about permissions. Obviously not all his permissions are gone since I am able to install software. But his PC is definitely in bad shape. Unfortunately he lives in CA, and I live in NJ, so I have to do this all remotely.

Any ideas, or a decent program I can run to get this shit off his PC?


Asked On: 2009-08-05 at 19:45:15, ID 24630152
Tags: Windows XP, Virus, Malware
Topics: Windows XP Operating System, Anti-Virus, HijackThis Software
Participating Experts: 5
Points: 0
Comments: 22


Answers

 

by: dstewartjr, posted on 2009-08-05 at 19:54:50, ID: 25029762

Start a new task of regedit and browse to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-hand pane look at "Shell" and modify it if it is different from "Explorer.exe" (no quotes).

Close regedit and start a new task for explorer.exe.

 

by: dstewartjr, posted on 2009-08-05 at 19:57:14, ID: 25029770

just to clarify, it should read explorer.exe

 

by: kpratola, posted on 2009-08-05 at 20:00:27, ID: 25029788

I'll check that out tomorrow, but I have a feeling that it is a bigger issue than that. Many applications won't open that are named correctly. So I don't think this possible malware just simply renamed explorer.exe. Otherwise I would think that programs such as Malwarebyte's should run, but they don't and give me the same exact error.

 

by: dstewartjr, posted on 2009-08-05 at 20:16:52, ID: 25029883

yup, this may be a start to at least get you to the desktop.

 

by: Diesel79, posted on 2009-08-05 at 20:41:49, ID: 25029976

MalwareBytes is great stuff but like most AV/Spyware scanners works much better in safe mode. I realize that you are doing this remotely but you will probably need to go hands on.

 

by: bpanowtv, posted on 2009-08-05 at 21:05:12, ID: 25030054

You may try the following:
1. Map to the client's C: drive.
2. Enable viewing hidden files in Explorer.
3. Have a look at your client's C:\, C:\Windows, C:\Windows\system32, C:\Windows\system, C:\Windows\system32\drivers\etc, C:\Program Files, etc.
4. Check for any files or folders modified on recent dates.
5. Check for any strange file names.
6. If you find strange files or folders in the above directories, I think most likely this PC is being hijacked or infected.

The best solution is to take out the hard disk and do an antivirus scan on another healthy PC. But if you need to work remotely, I would suggest you do the following:
1. Map the client's C: drive.
2. Use your own antivirus program to scan it and see if it can be healed.

Good luck!

 

by: rpggamergirl, posted on 2009-08-05 at 21:40:12, ID: 25030154

Most of the time you need to rename the tools before saving them to the desktop or before they come in contact with the infected PC, so the nasties can't block them from executing.

First we need you to check on this one.
Since MalwareBytes is already installed, locate the Malwarebytes executable, mbam.exe, rename it to "winlogon.exe" (don't rename it to any other name) and run it.

Let us know if it runs completely.


If you can access the registry, also check for this key and if explorer.exe is listed as a subkey, delete it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

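The two registry checks in this thread (dstewartjr's Winlogon Shell value and the Image File Execution Options subkey above) can be done against an exported copy of the keys instead of by eye, which also leaves a record of what was found. The script below is an added example, not part of any answer in this thread: it parses the text that `reg export` writes and flags a Shell value that is anything other than Explorer.exe and any IFEO subkey carrying a Debugger value. The embedded sample export is constructed for the example; every path and value string in it is made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what `reg export` of the two keys could look like on a
# machine where the shell and the scanner have been tampered with. Every path
# and value string here is made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\sample_unknown.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\sample_unknown.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\sample_unknown.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"GlobalFlag"=dword:00000000
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# "name"=value or @=value; the name may contain escaped quotes.
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that `reg export` writes for string and
    dword values: [key] headers followed by "name"=value lines.
    Returns {key path: {value name: raw value text}}; default values use '@'."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(3)
    return keys


def decode_sz(raw: str) -> str:
    r"""Turn a quoted REG_SZ literal ("C:\\dir") into its real text (C:\dir).
    Non-string values (dword:..., hex:...) are returned unchanged."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def find_key(keys: Dict[str, Dict[str, str]], path: str) -> Dict[str, str]:
    """Key paths are case-insensitive in the registry; match them that way."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}


def value_ci(values: Dict[str, str], name: str) -> Optional[str]:
    """Value names are case-insensitive too."""
    for n, v in values.items():
        if n.lower() == name.lower():
            return v
    return None


def check_shell(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """dstewartjr's check: Winlogon\\Shell must be exactly Explorer.exe.
    A missing value is treated as the default (Explorer.exe)."""
    raw = value_ci(find_key(keys, WINLOGON), "Shell")
    shell = decode_sz(raw) if raw is not None else "Explorer.exe"
    if shell.strip().lower() != "explorer.exe":
        return [f"Winlogon\\Shell is {shell!r}; expected 'Explorer.exe'"]
    return []


def check_ifeo(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """rpggamergirl's check: an IFEO\\<image> subkey with a Debugger value
    makes Windows start the named program whenever <image> is launched."""
    findings = []
    prefix = IFEO.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:  # deeper subkeys (e.g. PerfOptions) are not image entries
            continue
        dbg = value_ci(values, "Debugger")
        if dbg is not None:
            findings.append(f"IFEO\\{image} has Debugger = {decode_sz(dbg)!r}")
    return findings


def audit(reg_text: str) -> List[str]:
    keys = parse_reg_export(reg_text)
    return check_shell(keys) + check_ifeo(keys)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

On the affected machine the two keys would be exported with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and likewise for the Image File Execution Options key) and the files fed to `audit()`. A Debugger value is legitimate on a program a developer is debugging, so the hits that matter here are the ones on explorer.exe and on the scanner's own image name; the advice above to delete the explorer.exe subkey applies only when one is actually present.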
 

by: rpggamergirl, posted on 2009-08-05 at 21:47:12, ID: 25030191

To also check for Virut, download and run ComboFix; if Virut is present you'll be alerted by the tool.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Rename ComboFix before it comes in contact with the PC.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


If needed, here's the ComboFix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

by: kpratola, posted on 2009-08-06 at 04:34:06, ID: 25032076

I will attempt renaming Malwarebyte's today and start with that. I can't get into explorer at all, so I hope I can at least get into the command prompt to rename the exe file.

I'll also check out the registry, if it allows me too. I have a few things to try at least, and I should be able to walk him through using safe mode. Hopefully.

Then I will give ComboFix a shot.

 

by: kpratola, posted on 2009-08-06 at 09:06:42, ID: 25035041

So far nothing is working.

1. New Task, appwiz.cpl - Removed what I could, didn't help.

2. New Task, CMD - Couldn't rename, but sent customer a copy of one I renamed and was able to run Malwarebytes'. Program closed after 6 seconds and could no longer be run.
   a. C:\Program Files\Malwarebytes Anti-Malware
      i. Rename mbam.exe to winlogon.exe
      ii. Winlogon.exe

3. New Task, regedit - Didn't exist.
   a. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
      i. If explorer.exe is listed as a sub key, delete it

4. New Task, regedit - Made no difference. Get the same error.
   a. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      i. Change value of shell from explorer.exe to view.exe
      ii. New Task, explorer

5. New Task, CMD - Did nothing.
   a. netsh winsock reset

6. New Task, msconfig - Couldn't modify anything in here. Permissions error.

7. Send customer cf.exe (ComboFix) - Just like Malwarebytes', it starts to run and then just closes.
   a. Close all windows and kill anti-virus and firewall processes
   b. http://www.bleepingcomputer.com/combofix/how-to-use-combofix

8. New Task, c:\windows\system32\restore\rstrui.exe - The restore goes through, but then it boots back into Windows and everything is the same and it states the restore failed.

I rebooted the customer's computer into Safe Mode and was able to login as the administrator. Didn't make any difference. Everything was still missing and couldn't access the same files.

This just doesn't look good. It seems like after running certain files, they close and the permissions get changed and they can't be run again. I haven't seen anything like this.

Any other suggestions before I have him bring his computer somewhere to have Windows reinstalled?

 

by: dstewartjr, posted on 2009-08-06 at 09:14:31, ID: 25035144

"i. Change value of shell from explorer.exe to view.exe"

Sorry, I should have worded that differently. I just wanted you to ensure that the value was "Explorer.exe".


 

by: kpratola, posted on 2009-08-06 at 09:26:09, ID: 25035268

Yes, it was already explorer.exe. I renamed it back.

 

by: Diesel79, posted on 2009-08-06 at 09:27:20, ID: 25035285

The best thing to do would be to remove the OS from the equation entirely. Most antivirus vendors (ESET, Symantec etc.) will provide options for running their AV from a preboot environment. This will probably end up being your best option given the issues you are having. You may even try downloading a trial version of ESET NOD32 Version 4 because I know that you can create a preboot using that. You may also be able to make a disk using BartPE.

 

by: kpratola, posted on 2009-08-06 at 11:53:40, ID: 25036790

I am trying Eset Nod32 Version 4 now. Hopefully it will work. It appears that I am dealing with a rootkit.

 

by: rpggamergirl, posted on 2009-08-06 at 16:45:31, ID: 25039041

If the problem still persists:
Try this: download Process Explorer and rename it to "winlogon.exe" or "svchost.exe" (not any other name).
http://live.sysinternals.com/procexp.exe

Rename the file to winlogon.exe or svchost.exe and run it.
Then look for any randomly numbered executables, e.g. 3425631.exe; highlight any random.exe, right-click and select "Kill Process".

Once the process is killed, you can then run MalwareBytes or ComboFix.



If the above won't work:
Download RootRepeal.zip (you will need to rename RootRepeal to winlogon.exe) and unzip it to your Desktop.
Use "Terminate Process and Delete File", which should do exactly that. Then, click Scan again. If the process isn't gone, or re-spawns on reboot, use "Force-Kill Process and Wipe File" to make sure it's gone. Other anti-malware should be able to take care of the rest then.



Download RootRepeal.zip and unzip it to your Desktop.
http://rootrepeal.googlepages.com/RootRepeal.zip

   * Double click RootRepeal.exe to start the program
   * Click on the Report tab at the bottom of the program window
   * Click the Scan button
   * In the Select Scan dialog, check:

         o Drivers
         o Files
         o Processes
         o SSDT
         o Stealth Objects
         o Hidden Services

   * Click the OK button
   * In the next dialog, select all drives showing
   * Click OK to start the scan

         Note: The scan can take some time. DO NOT run any other programs while the scan is running

   * When the scan is complete, the Save Report button will become available
   * Click this and save the report to your Desktop as RootRepeal.txt
   * Go to File, then Exit to close the program

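The Process Explorer step above (spot and kill any randomly numbered executable before re-running the scanners) can be turned into a mechanical pass over the process list, which is less error-prone over a remote session. This is an added example and not part of rpggamergirl's answer or of the Sysinternals tool: it takes a list of process name, PID and image path, as Process Explorer's Path column shows them, and flags image names that are only digits and processes wearing a core system name that are not running from system32. The list is constructed; the PIDs and paths are made up, and 3425631.exe is the name the answer uses as its example. The "five or more digits" rule for a random name is my assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Proc:
    name: str   # image name as Process Explorer lists it
    pid: int
    path: str   # full image path; empty for kernel pseudo-processes


# Constructed process list: PIDs and paths are made up for the example, and
# 3425631.exe is the random-number name the answer above uses.
SAMPLE_PROCS = [
    Proc("System", 4, ""),
    Proc("smss.exe", 540, r"C:\WINDOWS\system32\smss.exe"),
    Proc("winlogon.exe", 620, r"C:\WINDOWS\system32\winlogon.exe"),
    Proc("svchost.exe", 1020, r"C:\WINDOWS\system32\svchost.exe"),
    Proc("explorer.exe", 1412, r"C:\WINDOWS\explorer.exe"),
    Proc("svchost.exe", 1876, r"C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe"),
    Proc("3425631.exe", 1904, r"C:\WINDOWS\system32\3425631.exe"),
    Proc("winlogon.exe", 2210, r"C:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe"),
]

SYSTEM_DIR = r"c:\windows\system32"
# Core names that legitimately live only in system32 on XP.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Assumption for this example: a bare run of five or more digits counts as a random name.
RANDOM_NAME = re.compile(r"^\d{5,}\.exe$", re.IGNORECASE)


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process worth a second look."""
    findings: List[Tuple[int, str]] = []
    for p in procs:
        name = p.name.lower()
        path = p.path.lower()
        if RANDOM_NAME.match(name):
            findings.append((p.pid, f"{p.name} has a random numeric image name ({p.path or 'no path'})"))
        # Kernel pseudo-processes have no path and are skipped by the second rule.
        if name in SYSTEM_NAMES and path and not path.startswith(SYSTEM_DIR + "\\"):
            findings.append((p.pid, f"{p.name} is running from {p.path}, not from {SYSTEM_DIR}"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PROCS):
        print(f"PID {pid}: {reason}")
```

The second rule will also flag the scanner you renamed to winlogon.exe, as the last sample entry shows; that hit is expected and is told apart by its path. A system name running from a Temp or user-profile directory, by contrast, is exactly the kind of process the answer says to kill before re-running MalwareBytes or ComboFix.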

 

by: kpratola, posted on 2009-08-06 at 16:59:23, ID: 25039095

I ended up using Sophos Anti-Rootkit which appeared to eliminate most of the infected files. Now I am able to run Malwarebytes' without it closing. Hopefully it will be clean after this, but I will most likely need to repair or replace explorer.exe and other files. Maybe I will get lucky and the system restore will now work if that wasn't infected too.

Is there any easy way of repairing explorer.exe and other windows files? I was just going to try making a new copy of explorer.exe, but I think quite a few files ended up being deleted because of the infection.

 

by: rpggamergirl, posted on 2009-08-06 at 18:07:41, ID: 25039306

Well, that's good. Check to see if ComboFix is able to run now; it may find a clean copy of explorer.exe and other system files (in the system) and will replace them, if there is a clean copy.

We might also see other bad files on the log that are still lurking there.

 

by: rpggamergirl, posted on 2009-08-06 at 18:09:43, ID: 25039313

Or if you still have the Windows CD, you can try running the sfc /scannow and system files that are corrupted will be replaced.

 

by: kpratola, posted on 2009-08-06 at 18:09:50, ID: 25039314

Great, I will give that a shot.

 

by: kpratola, posted on 2009-08-06 at 18:18:10, ID: 25039347

I was looking into the sfc command, but unfortunately the customer doesn't have the original disks which were probably a Dell restore disk anyway.

 

by: pln1146, posted on 2009-08-06 at 22:31:15, ID: 25040146

Task Manager can recover explorer if you are able to open it.  Press Ctrl-Alt-Del to open Windows Security Dialog.  Select Task Manager.  In the Task Manager window, go to File then New Task (Run).  Type explorer and click OK.  

 

by: kpratola, posted on 2009-08-07 at 10:39:13, ID: 25045191

Resolved

1. Used Sophos Anti-Rootkit to remove a good amount of malware.

2. After running Sophos, I was now able to successfully run Malwarebytes'.

3. Explorer.exe was still completely damaged, so I copied it from C:\WINDOWS\ServicePackFiles\i386 into C:\WINDOWS. Finally got the desktop back.

4. Finished cleaning up everything and made sure Windows was running properly.
