Desktop Icons and Start Menu are Missing - Malware?

[eandc]

This looks like a pretty bad issue. First the customer told me that all his desktop icons disappeared. I thought maybe he accidentally hid them. He also says that when he goes to google and searches for something, when he clicks on the search results, he is directed somewhere else. Ok, so we know his browser is being hi-jacked. But this I didn't expect. Look at the screen shot below when I remoted into his PC. No icons, no start button. Customer has XP Home Edition. Right-clicking on the desktop does absolutely nothing. I can bring up the task manager and select New Task, but I cannot run explorer.exe. I just get a permissions error. I was able to install Malwarebyte's, but after scanning for 8 seconds, the program just closes. Now I am trying an online scan to see if that works. I can't access My Computer at all. I really can't even run most programs. After Malwarebyte's closes, I cannot open it again. Not even by typing the exact path in the New Task window. I can open IE, but it won't let me access his hard drive or anything. I just keep getting an error about permissions. Obviously not all his permissions are gone since I am able to install software. But his PC is definitely in bad shape. Unfortunately he lives in CA, and I live in NJ, so I have to do this all remotely.

Any ideas, or a decent program I can run to get this *** off his PC?

 

[number13]

try the simple things first, to do a restore to an earlier time, Start, All Programs, Accessories, System Tools, System Restore, and pick a time before this started, then if you are lucky and all is well, download NOD32( fully functional ffor 30 days), install and then buy it so you don't have to perform miracles long distance any more

 

[eandc]

try the simple things first, to do a restore to an earlier time, Start, All Programs, Accessories, System Tools, System Restore, and pick a time before this started, then if you are lucky and all is well, download NOD32( fully functional ffor 30 days), install and then buy it so you don't have to perform miracles long distance any more

I can't since the start menu is missing and I have no way of accessing an explorer window. Even in the task manager>new task, it won't allow me to open any folders.

I guess I can try executing it by typing in c:\windows\system32\restore\rstrui.exe and see if it will even launch. A lot of items won't launch though. Just get an error that the path is incorrect or you do not have permissions.

 

[number13]

what about safe mode and then hit your windows key on the KB, if that doesn't work, you have an option still, use the installation disk and do a repair

 

[eandc]

what about safe mode and then hit your windows key on the KB, if that doesn't work, you have an option still, use the installation disk and do a repair

Actually I was able to run system restore by typing in c:\windows\system32\restore\rstrui.exe. I did it in safe mode and without safe mode. It appears to go through, but doesn't rollback the machine at all. Still have the same problems.

 

[number13]

so the files are corrupted, wipe the drive a couple of times(write Zero's to the drive) and reinstall the OS, sorry nothing helped, but be sure that the infection is buried deep

 

[eandc]

Eh, I don't quit that easily. Right now I am running Eset Nod32 Version 4 and it seems to be going through and I should be able to scan the PC during the preboot. Hopefully it will work.

 

[number13]

good luck, nothing I like more than someone who doesn't give up easily, hope that you can save everything

 

[number13]

guess what, go to the control panel and select the Taskbar and Start menu item, and check the correct boxes

 

[eandc]

I can't access the control panel since it is part of explorer. It looks like I am dealing with a pretty good rootkit program. I am trying to get rid of it with Eset Nod32 Version 4.

 

[eandc]

Resolved

1. Used Sophos Anti-Rootkit to remove a good amount of malware.

2. After running Sophos, I was now able to successfully run Malwarebytes'.

3. Explorer.exe was still completely damaged, so I copied it from C:\WINDOWS\ServicePackFiles\i386 into C:\WINDOWS. Finally got the desktop back.

4. Finished cleaning up everything and made sure Windows was running properly.