A friend of mine dropped off her Compaq laptop the other day. Apparently it had been running slow, and a friend of hers came round and “did stuff” to “sort it”. Unfortunately it didn’t go to plan: instead of the system performance improving as a result, it deteriorated to the stage where XP would display a blank desktop on startup (no taskbar, start menu, desktop shortcuts or anything).
So this was the state it was in when I got it. Here’s what I did:
Step 1: Get access to Windows Explorer
Hit Ctrl-Alt-Delete (this only worked after leaving it alone for a couple of minutes after boot-up). Click “File > New Task (Run)” and type “explorer”. This brings up the Windows desktop furniture.
Step 2: Find out why it isn’t loading
I wondered what her friend had done. I looked at the most recently installed apps in Program Files; there was an app called “TuneUp Utilities 2009”. A likely suspect, I thought. In the wrong hands these tweak/tune-up utilities can do more harm than good. I loaded up the app and undid all the “fixes”.
Step 3: Check a little deeper
Restoring the TuneUp files didn’t solve the explorer.exe problem, so I figured that something else must be up with it. I suspected malware. I have rescued several Windows systems from malware (spyware, trojans etc.) before using a great bit of software called MalwareBytes AntiMalware. I couldn’t get the faulty system to read the installer from my USB drive, so I had to burn it onto CD. While I was doing that, I also stuck ‘FixShell’ on there (a Visual Basic script that restores explorer.exe as the XP shell).
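What a script like FixShell repairs is the Winlogon “Shell” value, which tells Windows what to start as the desktop; if something has replaced explorer.exe there, or chained another program after it, you get exactly the blank-desktop symptom described above. The script below is an added example written for this post, not the FixShell script itself. It reads the Shell value live through winreg when run on Windows (checking both the machine-wide HKLM key and the per-user HKCU key, since a per-user value takes precedence), or parses it out of a .reg export taken from the affected machine, and flags anything other than a lone explorer.exe. The sample export and the suspect.exe path in it are constructed.

```python
"""Check whether the Windows shell has been redirected away from explorer.exe.

Added example (not the FixShell script the post mentions). Inspects the Winlogon
'Shell' value, read live via winreg on Windows or parsed from a .reg export.
"""
import re
import sys

WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = "explorer.exe"

# Matches a '"Shell"="..."' line in a .reg export, keeping the escaped body.
_SHELL_LINE = re.compile(r'^"Shell"="((?:[^"\\]|\\.)*)"\s*$', re.IGNORECASE)

# Constructed sample export: HKLM is clean, HKCU has a second program chained on.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,C:\\Documents and Settings\\user\\suspect.exe"
'''


def _program_names(shell_value):
    """Split 'explorer.exe' or 'a.exe,b.exe' (paths allowed) into lowercase basenames."""
    names = []
    for part in shell_value.split(","):
        part = part.strip().strip('"')
        if not part:
            continue  # tolerate a trailing comma
        names.append(part.replace("/", "\\").split("\\")[-1].lower())
    return names


def classify_shell_value(shell_value):
    """Return (ok, reason) for a Winlogon Shell value."""
    if shell_value is None:
        return False, "Shell value missing"
    names = _program_names(shell_value)
    if names == [EXPECTED]:
        return True, "shell is explorer.exe"
    if not names:
        return False, "Shell value is empty"
    if names[0] == EXPECTED:
        return False, "extra program(s) chained after explorer.exe: " + ", ".join(names[1:])
    return False, "shell replaced by: " + ", ".join(names)


def shell_values_from_reg_export(text):
    """Parse a .reg export; return {key_path: shell_value} for Winlogon keys that set Shell."""
    found = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower().endswith(WINLOGON_SUBKEY.lower()):
            m = _SHELL_LINE.match(line)
            if m:
                # .reg files escape backslashes and quotes inside string values.
                found[current_key] = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return found


def read_live_shell_values():
    """On Windows, read Shell from the HKLM and HKCU Winlogon keys; return {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    results = {}
    for hive_name, hive in (("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE),
                            ("HKEY_CURRENT_USER", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
                results[hive_name + "\\" + WINLOGON_SUBKEY] = value
        except OSError:
            pass  # key or value absent in this hive
    return results


def report(shell_values):
    """Return one human-readable line per Shell value found."""
    lines = []
    for key_path, value in shell_values.items():
        ok, reason = classify_shell_value(value)
        lines.append(("OK    " if ok else "ALERT ") + f"{key_path}: Shell={value!r} ({reason})")
    return lines


if __name__ == "__main__":
    live = read_live_shell_values()
    source = live if live else shell_values_from_reg_export(SAMPLE_REG_EXPORT)
    for line in report(source):
        print(line)
```

Run it on the affected machine (from safe mode, where the post notes the desktop did load) to see the live values, or export the two Winlogon keys with regedit and feed the file to `shell_values_from_reg_export`. Anything reported as ALERT is what a shell-restore script will set back to explorer.exe.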
Step 4: Safe mode scanning
I restarted the PC and hit F8 repeatedly as the laptop started up, which brought up the XP menu with the option to load ‘safe mode’. I did this and logged in as Administrator (which for some reason had not appeared during normal startup). This time it loaded up with explorer.exe, no problem. I ran a MalwareBytes AntiMalware quick scan and it picked up 27 items. Some were trojans, some mentioned rootkits (eek), and there were other registry entries (including one disabling Security Centre). I opted to ‘fix’ them all and restarted again as prompted (some nasty bits of malware can only be deleted on boot). This still did not fix the issue. I ran another scan just in case. It found a few more bits. Restart.
Step 5. Manual(ish) restore of explorer.exe
… this is where it got quite interesting. After several unsuccessful attempts to restore command.exe, including creating a slipstreamed SP3 disc to run sfc /scannow, I finally installed Avast Antivirus Home Edition and did a boot-time scan (AVG8 was already installed but I removed it, finally realising it hadn’t done its job). Avast picked up lots of win32:JunkPoly infections. JunkPoly is Avast-speak for Virut.
Virut is bad.
Very bad.
Worse than bad – it’s terminal.
Format and reinstall is the only option. Backing up is risky.
So now I need to get the photos off, scan them thoroughly, format the hard drive and reinstall XP.
It probably came from a P2P service, somehow got past AVG8 (outdated virus definitions, probably), and started infecting the system with all kinds of malware.
Just downloading Ubuntu now – will attempt to back the data up tomorrow…
Sorry to hear you were infected with this. The JunkPoly infections found by Avast are a sure sign that the infection is deeply rooted into the computer. JunkPoly is another name for Virut. Also your suspicions of it coming from P2P are most likely accurate. This new variation is spreading via illegal download sites.
Good luck with the photos. I would suggest using Dr Web CureIt to scan them. That is one of the more powerful tools when it comes to Virut. While I’m very bad about backups, I do try to put all of my pictures and important documents on a flash drive “just in case”. Reformatting is one thing but losing family photos is a whole other heartache.
Hi Kevin,
Thanks for dropping by and offering condolences 😉
Yes – sadly it seems like some kind of universal law that you only think of backing up your data (especially photos) once it is seriously threatened. I learned this lesson once myself…
Hopefully I will be able to get a clean backup… I grabbed Dr Web last night after reading some learned people such as yourself rate it highly.
Now I need to get a blank & cheap Flash/HD to back the files up to…
I got the photos off onto a USB flash drive using an Ubuntu disc… all clean (scanned with Avast and Dr.Web CureIt – no results)…
It seemed to have mostly gone for .exe files. Hundreds of them…
Things had been going too well lately. Being between games, I was getting bored. So I downloaded the nastiest virus I could find, W32.Virut.CF. Fought this monster for two days. Threw everything I could find at it, Dr. Web, Malwarebytes, Ad-Aware, Symantec Endpoint Protection and Removal Tool, and AVG’s Remover. Also, keep an eye on your Hosts file and startup programs (msconfig). After all the collateral damage, Vista wouldn’t boot or repair from CD but a System Restore fixed that. Finally, you must repair all your .htm*, asp*, php, and pe files which have iframe lines added to them. I used UltraEdit’s “Replace In Files” command for this. I think I’ve finally got it licked but you never know… Best wishes!
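The comment above describes the part of the clean-up that is easy to miss: iframe lines added to web pages, which survive an antivirus pass because they are plain text. The scanner below is an added example, not part of the comment or of any tool it names. It lists every line containing an iframe in the web file types mentioned (.htm/.html, .asp/.aspx, .php) and can write a cleaned copy, but it only removes lines that consist of nothing but iframe elements and leaves everything else for manual review, since a site’s own embeds also use iframes. The sample page and the injected.example and video.example hosts in it are constructed.

```python
"""Find (and optionally strip) iframe lines injected into web files.

Added example written for this post. It reports every iframe it sees and only
removes whole-line iframes, writing a cleaned copy rather than editing in place.
"""
import os
import re

WEB_EXTENSIONS = (".htm", ".html", ".asp", ".aspx", ".php")

# A line made up solely of one or more <iframe ...></iframe> elements.
IFRAME_LINE_RE = re.compile(r"^\s*(?:<iframe\b[^>]*>\s*</iframe\s*>\s*)+$", re.IGNORECASE)

# Constructed sample: line 5 is an injected iframe, line 7 is the site's own embed.
SAMPLE_PAGE = """<html>
<head><title>Holiday photos</title></head>
<body>
<h1>Photos</h1>
<iframe src="http://injected.example/x" width="1" height="1"></iframe>
<p>See the <a href="album.htm">album</a>.</p>
<div class="video"><iframe src="https://video.example/embed/1"></iframe></div>
</body>
</html>
"""


def find_iframes(text):
    """Return [(line_number, line)] for every line containing an <iframe> tag."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if "<iframe" in line.lower()]


def strip_injected_iframe_lines(text):
    """Remove lines that are nothing but iframe elements; return (new_text, removed_count)."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        if IFRAME_LINE_RE.match(line):
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def scan_tree(root, extensions=WEB_EXTENSIONS):
    """Walk root; return {path: [(line_number, line), ...]} for files containing iframes."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip, the walk continues
            found = find_iframes(text)
            if found:
                hits[path] = found
    return hits


def write_cleaned_copy(path, suffix=".cleaned"):
    """Write path + suffix with whole-line iframes removed; return the number removed."""
    with open(path, encoding="utf-8", errors="replace") as f:
        cleaned, removed = strip_injected_iframe_lines(f.read())
    if removed:
        with open(path + suffix, "w", encoding="utf-8") as f:
            f.write(cleaned)
    return removed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Report mode over a real directory: nothing is modified.
        for path, found in scan_tree(sys.argv[1]).items():
            for n, line in found:
                print(f"{path}:{n}: {line.strip()}")
    else:
        for n, line in find_iframes(SAMPLE_PAGE):
            print(f"sample:{n}: {line.strip()}")
        _, removed = strip_injected_iframe_lines(SAMPLE_PAGE)
        print(f"removed {removed} whole-line iframe(s) from the sample")
```

Point `scan_tree` at the web root to get a list of every file and line to look at; on the sample, the injected line is removed while the embedded video inside the div is only reported, which is the distinction to keep in mind before doing a blanket “replace in files”.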
Cheers for the tips… I had a couple of goes at scanning and fixing using the Dr.Web LiveCD, but the laptop kept going into hibernation and not coming out! Plus most of the files gave back a “write error” rather than “cured” for over 70% of the files it did process before hanging…
Towel thrown in 😉 Waiting for the owner to post her OEM XP disc so I can format and start again with a clean platter…
Peaces