Wallpaper is blue, icons and docs are gone. [Solved/Closed]

Report
-
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
-
Hello,
Yesterday as usual my computer was becoming slow, so I thought I'd just turn it on and off as I'd usually do. Now starting up again, just after typing my password for my user account, a message pops up. And I guess I mindlessly pressed x out of it. All I remember about the message is that it had a "time remaining" countdown and I think it said something bout "administration". Do you know what it could be about?

Now fully logged on I fine:

My Wallpaper gone and now my background is just blue.
Half of my downloaded programs and their icons gone including Internet Explorer.
My documents folder empty including music and pictures folders.
All of my google chrome memory is gone including favorites and websites.
And you know the white box that would appears when you right click, that box has become grey.
And the icons your suppose to have when you open the start-up menu are gone.
And lastly, For some reason my user account is the only one like this, I have checked.

I Have no idea where too begin and I would try system restore but the problem is that i have low disk space, and I would delete some documents but the folder is empty -_-


So you know I use Windows XP.
So could you please help.
Thank you.




21 replies


You have been infected by recovery rogue,Boot into your infected account

Click on Start,go to RUN and type


%temp% and click ok

If you find a folder called smtmp ,copy it to a safe location.

If you do not find it,check here

C:/windows/temp

If you still do not find it,leave it


Step 1:


Click on Start,go to RUN and type

cmd and click ok

Now copy these commands and run it

Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr

Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop

Restart your PC ,boot into infected account.

Now you should be able to right click and see your desktop icons.

STEP 2:

Download UNHIDE

https://download.bleepingcomputer.com/grinler/unhide.exe

Run this fix,you should get back your missing file

STEP 3:

Download

https://ccm.net/download/download-105-malwarebytes

Install,update and run a full scan

Post the clean log


Download

https://support.kaspersky.com/downloads/utils/tdsskiller.exe

Launch it.Click on change parameters-Select TDLFS file system

Click on "[b]Scan/b".Please post the LOG report(log file should be in your C drive)


Let me know how it went
2
Thank you

A few words of thanks would be greatly appreciated. Add comment

CCM 2796 users have said thank you to us this month

Thanks for responding quickly! Now, I can't find "smtmp" neither "C:/windows/temp" So what does that mean?

And I can't download anything, I have low disk space and like I said before I can't delete anything since everything in my documents folder is gone. Help please!
Anonymous User
I want you copy the tools from a clean PC to infected PC and follow the instructions

Ignore low disk space warning
Anonymous User
Next time click on

REPLY TO THE TOPIC option to reply me

do not click on ADD COMMENT
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
This issues is related with a spyware called

System Check.



Please select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
After this please press the Apply button and then the OK

Press on the key Alt+Crtl+Delete key on the keyboard. Now you will get a new window called Task Manager. Now hold the Ctrl key on the key board and click on File, New Task on the Task Manager. Now you will get a new black window.
Inside that black window type CD/ and hit on enter.
Now type ATTRIB -H -R -S /S /D and hit on enter.


Click on Start,go to RUN and type


%temp% and click ok

If you find a folder called smtmp ,copy it to a safe location.

Associated System Restore Files:


%LocalAppData%\<random>
%LocalAppData%\<random>.exe
%LocalAppData%\~<random>
%LocalAppData%\~<random>
%StartMenu%\Programs\System Restore\
%StartMenu%\Programs\System Restore\System Restore.lnk
%StartMenu%\Programs\System Restore\Uninstall System Restore.lnk
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4
%UserProfile%\Desktop\System Restore.lnk

Don't delete the folder
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4

These are the shortcuts in your start Menu.
If you delete these folders you will lose all of the shortcuts in the start menu. First take a back up of these folder

%Temp%\smtmp\



https://www.bleepingcomputer.com/virus-removal/remove-system-check
MCSA, MCSE,MCP,MCTS & Exchange.
Mark helpful posts & answers
sundar7701. Okay, when you say "copy the tools from a clean PC to infected PC" Do you mean download all the links on a clean PC and add them to a USB and add it to the infected PC? Sorry if it's a stupid question, new with all this technical computing.

Yes,you're right.

Do not hesitate to ask questions.I'm here to help you
Okay thanks. Currently on the clean PC, my mcafee picked up the first link "UNHIDE" as a dangerous site, so I'm a litttle scared of using it.

And do I need to really download the anti malware software since I already did a full scan on my infected PC with my mcafee and it said there's nothing on it. I'll post the clean log of it.

And may I ask what will the "tdsskiller" actually do?
Infact with the "UNHIDE" website it won't let me in. It's going so slow.

Please run the tools.Mcafee cannot remove all the infections.

TDSSkiller is used to remove the rootkit.

Ignore warnings and download UNHIDE now.The site is working now
Sorry for the late response, but before I do all this may I ask what exactly is in the folder "smtmp" because I can't seem to find it and you say copy it to a safe location, so it must be somewhat important.
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
If your computer is infected with this spyware called System Check what it will do it it will remove all of the Short cuts in the start Menu. It will delete all the Short cuts in the start Menu and move to the folder smtmp. So if we delete the folder smtmp we will not be able to add them back to the start menu. Another thing this spyware doing is Hide all the Files and Folders in our computer. As I told you in my first replay only one ATTRIB -H -R -S /S /D show you all of your files and folders back .

If you do not have SMTMP ignore it

Waiting for your logs
kuttusram, Thanks for the advice. I researched about this spyware and yes it looks like it causes most of the problems my PC has but I didn't get "fake messages displaying that I should by a "product". So I don't think I have this spyware.
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
It is not necessary that you got pop ups all the time. Bit all other symptoms on your computer sees to be similar to this same spyware System Check. Like you lost all the Desktop Icons and you lost all the Start Menu Items etc. Any way if it is not the same one it is nice to hear.

As sundar7701 told you we are waiting for your logs. There may be one more infection associated with it. Mainly you have to check a infection called Trojan.Zeroaccess.



To check it's presence you have to do one thing.

In Windows XP
---------------

Click on the start meanu and press on Run.
Inside the Run window type CMD and press on Okay.
In the black Command Window type
NETSH WINSOCK RESET and hit on enter.

If you get a message
"Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." then you are safe.
kuttusram, I checked for it's presence and the message came up, meaning I don't have Trojan.Zeroaccess.?

And sundar7701, do I get you the logs by using the Malwarebytes' Anti-Malware?
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
If you got the message "Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." that means you don't have Trojan.Zeroaccess and it's safe to go.
Safe to go?
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
Means your computer is 100% safe and secure. :)

And sundar7701, do I get you the logs by using the Malwarebytes' Anti-Malware?

Hi

Looks like you're not interested in running scans.Its more than a week and still you're posting scans.If you're not interested in scanning your PC for infections,i would recommend you to back up your data and reinstall your operating system


kuttusram - Feb 26, 2012 10:58am GMT
Means your computer is 100% safe and secure. :)



Hi

Please do not guess anything.His computer is infected by system check rogue and you say that his computer is secure !!!!!!!!

Are you trying to say that his computer is free from zero access rootkit?

Common most of times system check rogue is accompanied by MAXSS rootkit and not the zero access rootkit.Running a command a saying that PC is clean is immature way of handling things
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
Hi sundar7701 ,

\\globalroot\system32\ winsock.dll
\\globalroot\system32\ mzx++

in MSINFO32

in this two which one you are referring as MAXSS rootkit ? In both of this infection we will not be able to reset the WINSOCK. According to Symantec it is the Trojan.ZeroAccess root kit.


\\globalroot\system32\ winsock.dll
\\globalroot\system32\ mzx++


Have you seen this on any zero access rootkit????

On any zero access infected PC,when you open msinfo32,you will find this

\\globalroot\system32\ mswsock.dll
\\globalroot\system32\ <gras>max++
(this is symptom of oldest version of zero access rootkit)

I would suggest you to study about basic differenced between MAXSS(tdl4 rootkits) and zero access
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
I am dealing with 10-15 Zero Access cases in a Single day. I am working with one of the Antivirus Company's Virus Removal team.

If you get chance please try to NETSH WINSOCK RESET in a Zero Access case. It will not work that one is 101% Sure. Check and confirm it.
I am telling this from our experience.

Please read my previous reply AGAIN.

Did i ever say that NETSH WINSOCK RESET will work on ZERO ACCESS ROOTKIT infected PC??


You may work on zero access rootkit infected PC but that doesnt mean that you know about rootkits and its symptoms(you did not even remember what you saw in MSINFO32)

I'm not discouraging but advice you learn a lot on these rootkits and advicing people by asking them to type netsh winsock reset and saying that PC is clean is complete nonsense.We are not looking at zero access rootkit alone.
Posts
25
Registration date
Tuesday February 14, 2012
Status
Member
Last seen
March 9, 2012
4
I got you sundar7701.

dev4321 we are still waiting for your log file. :)

You're welcome kuttusram and i appreciate your interest in learning