Wallpaper is blue, icons and docs are gone.
Solved/Closed
dev4321
-
Feb 17, 2012 at 04:32 PM
21 responses
Anonymous User
Feb 17, 2012 at 08:08 PM
You have been infected by a recovery rogue. Boot into your infected account.
Click on Start, go to RUN and type
%temp% and click OK.
If you find a folder called smtmp, copy it to a safe location.
If you do not find it, check here:
C:/windows/temp
If you still do not find it, leave it.
Step 1:
Click on Start, go to RUN and type
cmd and click OK.
Now copy these commands and run them:
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
Restart your PC and boot into the infected account.
Now you should be able to right-click and see your desktop icons.
STEP 2:
Download UNHIDE
https://download.bleepingcomputer.com/grinler/unhide.exe
Run this fix; you should get back your missing files.
STEP 3:
Download
https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/
Install, update and run a full scan.
Post the clean log.
Download
https://support.kaspersky.com/downloads/utils/tdsskiller.exe
Launch it. Click on change parameters - Select TDLFS file system.
Click on "Scan". Please post the LOG report (the log file should be in your C drive).
Let me know how it went.
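An added example, not part of the original reply: a cmd batch script that reports whether the two policy values deleted in Step 1 are actually set, and copies any smtmp folder (with hidden files and attributes) before cleanup tools run. The backup location and the `user-temp` / `windows-temp` labels are assumptions.

```batch
@echo off
rem Added example, not from the thread: read-only policy check plus smtmp backup.
rem BACKUP is a constructed location (assumption); point it at a drive with free space.
setlocal
set "BACKUP=%USERPROFILE%\smtmp-backup"
set "POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"

echo == Policy values that Step 1 deletes ==
call :check "%POL%\System" DisableTaskMgr
call :check "%POL%\Explorer" NoDesktop

echo == smtmp folder, checked in both locations named in the reply ==
set "FOUND="
call :backup "%TEMP%\smtmp" user-temp
call :backup "%SystemRoot%\Temp\smtmp" windows-temp
if not defined FOUND echo   smtmp not found in either Temp folder.
endlocal
goto :eof

:check
rem reg query sets a non-zero errorlevel when the value does not exist.
reg query "%~1" /v %2 >nul 2>&1
if errorlevel 1 (
    echo   %2 is not set under %~1
) else (
    echo   %2 IS SET under %~1:
    reg query "%~1" /v %2
)
goto :eof

:backup
rem %1 = folder to look for, %2 = subfolder name under BACKUP (hypothetical labels).
if not exist "%~1\" goto :eof
set "FOUND=1"
echo   Found %~1
rem /E subfolders, /H hidden and system files, /K keep attributes, /I target is a folder.
xcopy "%~1" "%BACKUP%\%2\" /E /H /K /I /Y >nul
if errorlevel 1 (
    echo   Copy FAILED, do not run cleanup tools yet.
) else (
    echo   Copied to %BACKUP%\%2
)
goto :eof
```

Running it before the `reg delete` commands shows which of the two restrictions is really present, so a "value not found" error from Step 1 is not mistaken for a failed fix.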
kuttusram
Feb 17, 2012 at 09:39 PM
This issue is related to a spyware called System Check.
Please select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
After this please press the Apply button and then OK.
Press the Alt+Ctrl+Delete keys on the keyboard. Now you will get a new window called Task Manager. Now hold the Ctrl key on the keyboard and click on File, New Task in the Task Manager. Now you will get a new black window.
Inside that black window type CD/ and hit Enter.
Now type ATTRIB -H -R -S /S /D and hit Enter.
Click on Start, go to RUN and type
%temp% and click OK.
If you find a folder called smtmp, copy it to a safe location.
Associated System Restore Files:
%LocalAppData%\<random>
%LocalAppData%\<random>.exe
%LocalAppData%\~<random>
%LocalAppData%\~<random>
%StartMenu%\Programs\System Restore\
%StartMenu%\Programs\System Restore\System Restore.lnk
%StartMenu%\Programs\System Restore\Uninstall System Restore.lnk
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4
%UserProfile%\Desktop\System Restore.lnk
Don't delete the folder
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4
These are the shortcuts in your Start menu.
If you delete these folders you will lose all of the shortcuts in the Start menu. First take a backup of this folder:
%Temp%\smtmp\
https://www.bleepingcomputer.com/virus-removal/remove-system-check
MCSA, MCSE,MCP,MCTS & Exchange.
sundar7701. Okay, when you say "copy the tools from a clean PC to infected PC" Do you mean download all the links on a clean PC and add them to a USB and add it to the infected PC? Sorry if it's a stupid question, new with all this technical computing.
Anonymous User
Feb 18, 2012 at 04:57 PM
Yes, you're right.
Do not hesitate to ask questions. I'm here to help you.
Okay thanks. Currently on the clean PC, my McAfee picked up the first link "UNHIDE" as a dangerous site, so I'm a little scared of using it.
And do I need to really download the anti malware software since I already did a full scan on my infected PC with my mcafee and it said there's nothing on it. I'll post the clean log of it.
And may I ask what will the "tdsskiller" actually do?
Anonymous User
Feb 19, 2012 at 08:11 AM
Please run the tools. McAfee cannot remove all the infections.
TDSSkiller is used to remove the rootkit.
Ignore warnings and download UNHIDE now. The site is working now.
Sorry for the late response, but before I do all this may I ask what exactly is in the folder "smtmp" because I can't seem to find it and you say copy it to a safe location, so it must be somewhat important.
kuttusram
Feb 22, 2012 at 02:15 PM
If your computer is infected with this spyware called System Check, what it will do is remove all of the shortcuts in the Start menu. It will delete all the shortcuts in the Start menu and move them to the folder smtmp. So if we delete the folder smtmp we will not be able to add them back to the Start menu. Another thing this spyware does is hide all the files and folders on our computer. As I told you in my first reply, just ATTRIB -H -R -S /S /D will show you all of your files and folders again.
kuttusram, thanks for the advice. I researched this spyware and yes, it looks like it causes most of the problems my PC has, but I didn't get fake messages displaying that I should buy a "product". So I don't think I have this spyware.
kuttusram
Feb 22, 2012 at 03:25 PM
It is not necessary that you got pop-ups all the time. But all other symptoms on your computer seem to be similar to this same spyware, System Check. Like you lost all the desktop icons and you lost all the Start Menu items, etc. Anyway, if it is not the same one, it is nice to hear.
As sundar7701 told you, we are waiting for your logs. There may be one more infection associated with it. Mainly you have to check for an infection called Trojan.Zeroaccess.
To check its presence you have to do one thing.
In Windows XP
---------------
Click on the Start menu and press Run.
Inside the Run window type CMD and press OK.
In the black Command Window type
NETSH WINSOCK RESET and hit Enter.
If you get the message
"Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." then you are safe.
kuttusram, I checked for its presence and the message came up, meaning I don't have Trojan.Zeroaccess?
And sundar7701, do I get you the logs by using the Malwarebytes' Anti-Malware?
kuttusram
Feb 25, 2012 at 07:25 PM
If you got the message "Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." that means you don't have Trojan.Zeroaccess and it's safe to go.
kuttusram
Feb 26, 2012 at 05:58 AM
Means your computer is 100% safe and secure. :)
Anonymous User
Feb 26, 2012 at 07:59 PM
And sundar7701, do I get you the logs by using the Malwarebytes' Anti-Malware?
Hi
Looks like you're not interested in running scans. It's more than a week and still you're posting scans. If you're not interested in scanning your PC for infections, I would recommend you to back up your data and reinstall your operating system.
kuttusram - Feb 26, 2012 10:58am GMT
Means your computer is 100% safe and secure. :)
Hi
Please do not guess anything. His computer is infected by the System Check rogue and you say that his computer is secure !!!!!!!!
Are you trying to say that his computer is free from the zero access rootkit?
Common most of times system check rogue is accompanied by MAXSS rootkit and not the zero access rootkit. Running a command and saying that the PC is clean is an immature way of handling things.
kuttusram
Feb 26, 2012 at 08:38 PM
Hi sundar7701,
\\globalroot\system32\ winsock.dll
\\globalroot\system32\ mzx++
in MSINFO32
Of these two, which one are you referring to as the MAXSS rootkit? In both of these infections we will not be able to reset the WINSOCK. According to Symantec it is the Trojan.ZeroAccess rootkit.
Anonymous User
Feb 26, 2012 at 08:44 PM
\\globalroot\system32\ winsock.dll
\\globalroot\system32\ mzx++
Have you seen this on any zero access rootkit????
On any zero access infected PC, when you open msinfo32, you will find this:
\\globalroot\system32\ mswsock.dll
\\globalroot\system32\ max++ (this is a symptom of the oldest version of the zero access rootkit)
I would suggest you study the basic differences between MAXSS (tdl4 rootkits) and zero access.
kuttusram
Feb 26, 2012 at 08:51 PM
I am dealing with 10-15 Zero Access cases in a single day. I am working with one of the antivirus companies' virus removal teams.
If you get a chance, please try NETSH WINSOCK RESET in a Zero Access case. It will not work; that one is 101% sure. Check and confirm it.
I am telling this from our experience.
Anonymous User
Feb 26, 2012 at 08:56 PM
Please read my previous reply AGAIN.
Did I ever say that NETSH WINSOCK RESET will work on a ZERO ACCESS ROOTKIT infected PC??
You may work on zero access rootkit infected PCs but that doesn't mean that you know about rootkits and their symptoms (you did not even remember what you saw in MSINFO32).
I'm not discouraging you, but I advise you to learn a lot about these rootkits; advising people by asking them to type netsh winsock reset and saying that the PC is clean is complete nonsense. We are not looking at the zero access rootkit alone.
kuttusram
Feb 26, 2012 at 08:58 PM
I got you sundar7701.
dev4321 we are still waiting for your log file. :)
Anonymous User
Feb 26, 2012 at 09:03 PM
You're welcome, kuttusram, and I appreciate your interest in learning.
Feb 18, 2012 at 01:51 PM
And I can't download anything, I have low disk space and like I said before I can't delete anything since everything in my documents folder is gone. Help please!
Feb 18, 2012 at 02:50 PM
Ignore low disk space warning
Feb 18, 2012 at 02:51 PM
REPLY TO THE TOPIC option to reply me
do not click on ADD COMMENT