Solved

Only background is displayed

Posted on 2007-07-20
21
Medium Priority
347 Views
Last Modified: 2010-03-05
Hi,

I was trying to clean up an xp-pro from some malware, and virus, I think I deleted something I shouldn't have ...
When booting it gets to the background image of the user, but it won't display anything else, no icons, no start bar, nothing. The ctrl+alt+del does work; on the main user just a couple of processes show, while as admin and another user there are several processes showing. I can shut down from there.

I tried last good, but no luck.

What could I have done?

Thank you
Question by:keneso
20 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19533654
Hi keneso,

How about safe-mode? Does it work? If yes, try sfc /scannow in Run. Safe mode with command prompt would be enough also.

Regards,

MrHusy
0
 
LVL 22

Expert Comment

by:orangutang
ID: 19533674
Also, if it works in safe mode, VundoFix (http://www.atribune.org/content/view/24/2/) usually seems to work.
0
 
LVL 31

Expert Comment

by:captain
ID: 19533684
Hi

Failing that, boot from the XP CD, go into recovery mode and run it from there; try MrHusy's suggestion first though.

All the best
0
LVL 7

Author Comment

by:keneso
ID: 19533717
>>How about safe-mode ? Does it work?

Sorry, forgot to mention it, it won't load, it gets to the black screen with the info about the system on top, but won't get to the big grey window that tells you again you are entering safe mode.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 19534107
Hmm, maybe try pressing Ctrl+Alt+Delete while logged in normally, open the "File" menu, click "New Task (Run...)" and open VundoFix using that method. You should be able to open any program using that method, including Internet Explorer and anything else.
0
 
LVL 5

Expert Comment

by:pardizzone
ID: 19534114
When it's just sitting at the background or the black screen in Safe Mode, bring up the Task Manager via Ctrl/Alt/Del and choose File/New Task (Run). Type explorer.exe and click OK. That should give you a desktop. I would do another spyware scan. I had a machine do the same thing last week and it was cleared by running a scan again. I would run HiJackThis and see what's starting up at boot.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19534170
In such cases, doing a repair on current installation (Boot from OS CD, go on as you were installing a new OS, your current installation will be detected in checking for previous installations phase, then choose repair). Not a cool solution maybe, but believe me it is the fastest way.

Regards
0
 
LVL 32

Accepted Solution

by:
willcomp earned 1000 total points
ID: 19534516
If it's what I think it is, a repair install won't help and neither will Recovery Console.

Like orangutang, I believe it's malware and I've seen it several times. The fastest and best solution for me has been to install and run Webroot SpySweeper using Task Manager in Normal mode. SmitFraudFix and VundoFix will sometimes do the job and you should try them first. SmitfraudFix will tell you if the Rustock B rootkit is present. If so, it must be removed.

http://www.bleepingcomputer.com/files/smitfraudfix.php
http://malwaremedic.proboards99.com/index.cgi?board=rootkitdetection&action=display&thread=1174283355&page=1 
0
 
LVL 7

Author Comment

by:keneso
ID: 19537850
>>I would run HiJackThis and see whats starting up at boot.

http:Q_22704777.html
0
 
LVL 7

Author Comment

by:keneso
ID: 19538401
I ran the suggested apps, neither smitfraud, and vundofix, I also ran SDfix from willcomp's second link, it did report a spyware, but I am not sure if it did anything, as the dos window closed at the end of the scan w/o any news.

I don't know if thanks to that, or just one of the weird stuff happening, I got to run hijackthis, which found some stuff, mainly a couple, I clicked to fix them, and at reboot also the background image disappeared, leaving a blue screen.
0
 
LVL 7

Author Comment

by:keneso
ID: 19538906
Right before the problem, I had put the hdd on another box to try running unlocker as suggested in http:Q_22704777.html and tried to delete this
"c:\windows\system32\netmgsno.exe"
which was referenced by a suspect file, I had tried deleting it, but no luck, as the system wouldn't let me access hijackthis, and unlocker, but as secondary hdd on another box, I was able to at least rename the netmgsno, though not deleting it, I deleted another file (dll) in the system32 which I don't recall the name (the only one I didn't take note), something like qpkrg (not sure), anyway it had same reference of the netmgsno.

Before that I had deleted a few stuff with killbox, I can post the list.

Hijackthis found this as well, and though I checked to fix it, it is still there.
O4 - HKLM\..\Run: [netmgsno] "c:\windows\system32\netmgsno.exe"

0
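The O4 line quoted in the post above is a Run-key autostart that was still listed after a HijackThis fix. The sketch below, an added example that is not part of the thread or of HijackThis itself, parses registry-based O4 lines (HKLM/HKCU only) and compares a log taken before a fix with one taken after, listing which autostart values survived. The two sample logs are constructed; only the netmgsno line comes from the thread.

```python
import re

# HijackThis prints "\..\" in place of this registry path.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
O4_REGISTRY = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")

def parse_o4(line):
    """Parse one registry-based O4 autorun line; return None for other lines."""
    m = O4_REGISTRY.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    command = command.strip()
    if command.startswith('"'):        # quoted path, possibly followed by arguments
        exe = command[1:].split('"', 1)[0]
    else:                              # unquoted: cut after the first ".exe"
        cut = command.lower().find(".exe")
        exe = command[:cut + 4] if cut != -1 else command.split(" ", 1)[0]
    return {"key": "\\".join((hive, CURRENT_VERSION, key)),
            "name": name, "exe": exe.lower()}

def autoruns(log_text):
    """Map (key, value name) -> parsed entry for every O4 registry line in a log."""
    found = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            found[(entry["key"].lower(), entry["name"].lower())] = entry
    return found

def compare_logs(before, after):
    """Return (survived, removed) value names between two HijackThis logs."""
    b, a = autoruns(before), autoruns(after)
    survived = sorted(b[k]["name"] for k in b.keys() & a.keys())
    removed = sorted(b[k]["name"] for k in b.keys() - a.keys())
    return survived, removed

# Constructed sample logs; only the netmgsno line is taken from the thread.
BEFORE = r'''
O4 - HKLM\..\Run: [netmgsno] "c:\windows\system32\netmgsno.exe"
O4 - HKCU\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /startup
O4 - Startup: Example.lnk = C:\Program Files\Example\example.exe
'''
AFTER = r'''
O4 - HKLM\..\Run: [netmgsno] "c:\windows\system32\netmgsno.exe"
'''

if __name__ == "__main__":
    print(compare_logs(BEFORE, AFTER))
```

An entry that shows up in the "survived" list after being checked for fixing is worth treating as still active until the file it points to is confirmed gone.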
 
LVL 7

Author Comment

by:keneso
ID: 19539956
I just ran in safe mode panda online scanner, and it found "again" 2 viruses, 5 adware, and 1 rootkit, I think it cleaned 2 viruses, one of them being the netmgsno.

What is puzzling me is that navigating to some of the paths, the folders are empty, where are they then?
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 19542773
Hi,
A lot of nasties can block security sites and programs including Hijackthis etc, and do other things as well.

I've looked in your other thread, and the log there is heavily infected, have you deleted those files including netmgsno.exe?

Can you run another Kaspersky scan and give us a fresh log please?

OR, if not Kaspersky scan, then run combofix and show us the log.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


@ willcomp:
Thanks for the heads up.
0
 
LVL 8

Expert Comment

by:-Mystique-
ID: 19545030
You may be best to do a fresh reinstall of windows. I once ran into something very nasty, with files that wouldn't delete like your example, and this malware had a twist I've never seen before, nor found any information about, this one deleted antivirus, antispyware, antimalware application files. If you reinstalled the antimalware prog, the exe would be deleted as soon as you reinstalled it. Online scans would give errors and weren't able to scan the pc.

I'd never seen anything like this before, it was also a browser hijacker that even got past the spybot Tea Timer when the malware first downloaded itself (and deleted tea timer as well as all my other antimalware application exe files). Tea Timer has effectively caught 99 percent of malware trying to sneak in, until this one came along.

The only way I was able to get rid of it was to reformat and do a fresh reinstall of C drive.  
0
 
LVL 7

Author Comment

by:keneso
ID: 19548985
Ok, the background is back, after the combofix, but that netmgsno, is still there, though before the combofix I had run also mcafee's online, and it told me had deleted the netmgsno ...
After the combofix I reinstalled the unlocker, and this time worked, but that too won't delete the netmgsno, though it would rename it, when selecting delete, it says it can't, and asks to do it on reboot, but it fails at it.

BTW
For the ones who don't know, this was related to this other question
http:Q_22704777.html

I am going to close this, as combofix did address the issue.

I will open a new question on netmgsno, and you are very welcome.

Thank you all.
0
 
LVL 7

Author Comment

by:keneso
ID: 19549250
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19551773
keneso,
I wanted to see the combofix log to check what other bad files may be there besides netmgsno.exe
We can get rid of it, there are other tools we can use to delete hard to delete files.

Thank you for the points, very generous of you and I really appreciate it.
Would you be able to post the combofix log and a hijackthis log still?
either here or in your new question.

Thanks!

P.S. willcomp brought me to this question, if you'd like to give him some of the points, I can re-open this question, just let me know, thanks.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19551951
I mean, I would like to share some of the points to willcomp, instead of taking it all myself.
0
 
LVL 32

Expert Comment

by:willcomp
ID: 19552184
That's OK. It's not necessary, but I appreciate the gesture. Main point was to resolve problem and I didn't know what specific critter was to blame. And wanted to prevent unnecessary, fruitless actions such as repair install.
0
 
LVL 7

Author Comment

by:keneso
ID: 19619140
Thank you again.
0

Question has a verified solution.