Black desktop, visible task bar.. empty programs

[CBecker]

I'm not sure what to call what is going on, other than frustrating. We have a rebuilt computer, that has XP installed. When I start the computer, it will boot normally, but once it gets to the desktop, it's just black, with the taskbar visible. There are no programs showing. I can not right click on the desktop, to access anything. A few programs will prompt to start. (windows live messenger and a registry cleaner) Avast has request to to a bootscan, which I have allowed, several times. It repairs nothing. Can someone please help? I have photos on this machine, that I do not have backed up anywhere, and I know they are still there as when the virus protcetor is scanning, you can see it in the photos files. Please help... thanks.

[essexboy]

What was the initial symptom before this occured ?

Can you start taskmanager by using control+alt+delete

Can you burn a cd on another computer ?

[CBecker]

I'm not aware of any problem before this. My son turned the computer on, Saturday, and this was what we were met with. I can not access anything on the computer, other than what I stated. I can, start the computer in safe mode, via command prompt... but other than that... nada.

[essexboy]

Can you get to safe mode with networking to download and run an analysis programme ?

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs

[CBecker]

I guess I should havve been more specific... when I start the computer in safe mode, it all looks the same.... I can't access anything, no  matter...I can get to command prompt and enter commands there, but unsure as to what, if anything, I should do.

[CBecker]

this information may be useful.... Avast scanned it, and returned this informaiton....
File type: MBR:\\.\physical drive0
Rootkit: hidden boot sector

[essexboy]

OK I can fix that - Can you burn a cd using another computer ?  First I will clear the malware and then fix the MBR

OK next we will work outside of windows then Please print these instruction out so that you know what you are doing

• Download OTLPENet.exe to your desktop
  
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD
  
• Reboot your system using the boot CD you just created.Note : If you do not know how to set your computer to boot from CD follow the steps here
  
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :)
• Your system should now display a Reatogo desktop.Note : as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  
• OTL should now start
• Drag and drop this attached scan.txt into the Custom scans and fixes box, or double click the scan box
  
• Press Run Scan to start the scan.
  
• When finished, the file will be saved  in drive C:\OTL.txt
  
• Copy this file to your USB drive if you do not have internet connection on this system
• Right click the file and select send to : select the USB drive. 
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[CBecker]

ok... let me get started.... I will let you know what happens. thank you.

[essexboy]

Once you get to the reatogo desktop you will notice a MBRfix icon - we will use that later 

[karmana]

Essexboy,

You might want to also take a look at Grinler of Bleepingcomputer.com's home-made program unhide.exe.  It has been used in similar circumstances either before or after cleanup, when everything, including the Start menu programs, have been hidden.

Just Google search for those terms- you'll find it.

~Kar

[essexboy]

I do not think that unhide is needed here yet - the first thing to do is determine what the actual problem is.  The harddrive malware is fairly evident once you have it - but you are still able to run other programmes