Only background is displayed

Hi,

I was trying to clean up an xp-pro from some malware, and virus, I think I deleted something I shouldn't have ...
When booting it gets to the background image of the user, but it won't display anything else, no icons, no start bar, nothing, the ctrl+alt+del does work, on the main user just a couple of processes show, while as admin and another user there are several processes showing, I can shut down from there.

I tried last good, but no luck.

What could I have done?

Thank you
keneso Asked:
 
willcomp Commented:
If it's what I think it is, a repair install won't help and neither will Recovery Console.

Like orangutang, I believe it's malware and I've seen it several times. The fastest and best solution for me has been to install and run Webroot SpySweeper using Task Manager in Normal mode. SmitFraudFix and VundoFix will sometimes do the job and you should try them first. SmitfraudFix will tell you if the Rustock B rootkit is present. If so, it must be removed.

http://www.bleepingcomputer.com/files/smitfraudfix.php
http://malwaremedic.proboards99.com/index.cgi?board=rootkitdetection&action=display&thread=1174283355&page=1 
 
Alan Huseyin Kayahan Commented:
Hi keneso,

How about safe mode? Does it work? If yes, try sfc /scannow in Run. Safe mode with command prompt would be enough also.

Regards,

MrHusy
 
orangutang Commented:
Also, if it works in safe mode, VundoFix (http://www.atribune.org/content/view/24/2/) usually seems to work.
 
captain Commented:
Hi

Failing that, boot from the XP CD, go into recovery mode and run it from there; try MrHusy's suggestion first though.

All the best
 
keneso (Author) Commented:
>>How about safe-mode ? Does it work?

Sorry, forgot to mention it, it won't load, it gets to the black screen with the info about the system on top, but won't get to the big grey window that tells you again you are entering safe mode.
 
orangutang Commented:
Hmm, maybe try pressing Ctrl+Alt+Delete while logged in normally, open the "File" menu, click "New Task (Run...)" and open VundoFix using that method. You should be able to open any program using that method, including Internet Explorer and anything else.
 
pardizzone Commented:
When it's just sitting at the background or the black screen in Safe Mode, bring up the Task Manager via Ctrl/Alt/Del and choose File/New Task (Run). Type explorer.exe and click OK. That should give you a desktop. I would do another spyware scan. I had a machine do the same thing last week and it was cleared by running a scan again. I would run HiJackThis and see what's starting up at boot.
 
Alan Huseyin Kayahan Commented:
In such cases, doing a repair on the current installation (boot from the OS CD, go on as if you were installing a new OS, your current installation will be detected in the checking for previous installations phase, then choose repair). Not a cool solution maybe, but believe me it is the fastest way.

Regards
 
keneso (Author) Commented:
>>I would run HiJackThis and see whats starting up at boot.

http:Q_22704777.html
 
keneso (Author) Commented:
I ran the suggested apps, neither smitfraud, and vundofix, I also ran SDfix from willcomp's second link, it did report a spyware, but I am not sure if it did anything, as the dos window closed at the end of the scan w/o any news.

I don't know if thanks to that, or just one of the weird stuff happening, I got to run hijackthis, which found some stuff, mainly a couple, I clicked to fix them, and at reboot also the background image disappeared, leaving a blue screen.
 
keneso (Author) Commented:
Right before the problem, I had put the hdd on another box to try running unlocker as suggested in http:Q_22704777.html and tried to delete this
"c:\windows\system32\netmgsno.exe"
which was referenced by a suspect file, I had tried deleting it, but no luck, as the system wouldn't let me access hijackthis, and unlocker, but as secondary hdd on another box, I was able to at least rename the netmgsno, though not deleting it, I deleted another file (dll) in the system32 which I don't recall the name (the only one I didn't take note), something like qpkrg (not sure), anyway it had same reference of the netmgsno.

Before that I had deleted a few stuff with killbox, I can post the list.

Hijackthis found this as well, and though I checked to fix it, it is still there.
O4 - HKLM\..\Run: [netmgsno] "c:\windows\system32\netmgsno.exe"

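The symptom in the post above, an O4 entry that was ticked for fixing but is listed again in the next scan, can be confirmed by comparing two HijackThis logs. This is an added example, not part of the original thread; the sample logs are constructed, and the second entry (`updchk`) and its path are hypothetical.

```python
import re

# Matches registry autorun lines as HijackThis prints them, e.g.
#   O4 - HKLM\..\Run: [netmgsno] "c:\windows\system32\netmgsno.exe"
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$'
)

def parse_autoruns(log_text):
    """Return {(hive, key, name): command} for every O4 registry Run entry."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            ident = (m["hive"], m["key"], m["name"].lower())
            entries[ident] = m["cmd"].strip().strip('"').lower()
    return entries

def surviving_entries(before_log, after_log, fixed_names):
    """Entries that were ticked for fixing but are still present afterwards."""
    before, after = parse_autoruns(before_log), parse_autoruns(after_log)
    wanted = {n.lower() for n in fixed_names}
    return sorted(
        (ident, after[ident]) for ident in before
        if ident[2] in wanted and ident in after
    )

# Constructed sample logs; only the netmgsno line is taken from the thread.
BEFORE = r'''
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [netmgsno] "c:\windows\system32\netmgsno.exe"
O4 - HKCU\..\Run: [updchk] C:\Temp\updchk.exe /s
'''
AFTER = r'''
O4 - HKLM\..\Run: [netmgsno] "c:\windows\system32\netmgsno.exe"
'''

if __name__ == "__main__":
    hits = surviving_entries(BEFORE, AFTER, ["netmgsno", "updchk"])
    for (hive, key, name), cmd in hits:
        print(f"still present after fix: {hive}\\{key} [{name}] -> {cmd}")
```

An entry that survives the fix was either never removed or was written back, so the file it points to is the next thing to examine.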
 
keneso (Author) Commented:
I just ran in safe mode panda online scanner, and it found "again" 2 viruses, 5 adware, and 1 rootkit, I think it cleaned 2 viruses, one of them being the netmgsno.

What is puzzling me is that navigating to some of the paths, the folders are empty, where are they then?
 
rpggamergirl Commented:
Hi,
A lot of nasties can block security sites and programs including Hijackthis etc, and does other things as well.

I've looked in your other thread, and the log there is heavily infected, have you deleted those files including netmgsno.exe?

Can you run another Kaspersky scan and give us a fresh log please?

OR, if not Kaspersky scan, then run combofix and show us the log.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


@ willcomp:
Thanks for the heads up.
 
-Mystique- Commented:
You may be best to do a fresh reinstall of windows.  I once ran into something very nasty, with files that wouldn't delete like your example, and this malware had a twist I've never seen before, nor found any information about, this one deleted antivirus, antispyware, antimalware application files.  If you reinstalled the antimalware prog, the exe would be deleted as soon as you reinstalled it.  Online scans would give errors and weren't able to scan the pc.  

I'd never seen anything like this before, it was also a browser hijacker that even got past the Spybot Tea Timer when the malware first downloaded itself (and deleted Tea Timer as well as all my other antimalware application exe files). Tea Timer has effectively caught 99 percent of malware trying to sneak in, until this one came along.

The only way I was able to get rid of it was to reformat and do a fresh reinstall of C drive.  
 
keneso (Author) Commented:
Ok, the background is back, after the combofix, but that netmgsno, is still there, though before the combofix I had run also mcafee's online, and it told me had deleted the netmgsno ...
After the combofix I reinstalled the unlocker, and this time worked, but that too won't delete the netmgsno, though it would rename it, when selecting delete, it says it can't, and asks to do it on reboot, but it fails at it.

BTW
For the ones who don't know, this was related to this other question
http:Q_22704777.html

I am going to close this, as combofix did address the issue.

I will open a new question on netmgsno, and you are very welcome.

Thank you all.
 
rpggamergirl Commented:
keneso,
I wanted to see the combofix log to check what other bad files may be there besides netmgsno.exe
We can get rid of it, there are other tools we can use to delete hard to delete files.

Thank you for the points, very generous of you and I really appreciate it.
Would you be able to post the combofix log and a hijackthis log still?
either here or in your new question.

Thanks!

P.S. willcomp brought me to this question, if you'd like to give him some of the points, I can re-open this question, just let me know, thanks.
 
rpggamergirl Commented:
I mean, I would like to share some of the points to willcomp, instead of taking it all myself.
 
willcomp Commented:
That's OK. It's not necessary, but I appreciate the gesture. Main point was to resolve problem and I didn't know what specific critter was to blame. And wanted to prevent unnecessary, fruitless actions such as repair install.
 
keneso (Author) Commented:
Thank you again.
Question has a verified solution.