No start menu / desktop icons missing - W32/Autorun worm

2009-06-12 13:19 by Craig Atkins (1 comments)

Having seen 2 machines in 2 days with the same symptoms, it's safe to say that there is a bout of a virus - W32/Autorun - going about.

In both cases the customer had a virus alert from their antivirus product, cleaned the system and removed the threats, rebooted, and was then presented with a totally blank desktop - just their desktop picture showing.

Pressing Ctrl+Alt+Del will bring up Task Manager, and a look at the 'Processes' tab confirms that there is no explorer.exe running (explorer.exe is responsible for your desktop, taskbar, start menu and file browsing).

Trying to browse to c:\windows\explorer.exe and manually running it gives an error:
Windows cannot find 'C:\WINDOWS\explorer.exe'

The problem:

This virus drops a file (C:\Program Files\Microsoft Common\svchost.exe) and creates a registry key that points to this file. When the antivirus runs, it picks up the virus file and deletes it. However, it does not remove the registry entry, which still points to the now-missing file. This breaks Windows Explorer.

How does this virus get on the machine?

This virus appears to infect computers via PDF documents. Therefore, once you have re-instated your desktop you should visit Adobe.com (http://www.adobe.com) and download the latest version of Adobe Reader.

The solution:

Boot your machine to the blank desktop.

Press Ctrl, Alt & Del keys at the same time.
Windows Task Manager should load
Click the 'File' menu link
Click New Task (Run...)
In the box that appears, type: regedit
Press OK

Registry Editor should open
Navigate through the folders on the left as follows (double click them):
HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Image File Execution Options

You should now see a list of subfolders, underneath 'Image File Execution Options'
Single right click on the folder called explorer.exe and choose 'Delete' from the popup menu
Close the Registry Editor window (red cross at top right)

In the Windows Task Manager window, press the File menu
Click New Task (Run...)
Type: explorer into the box and press the OK button

Your desktop should re-load.

Scan your machine for malware and bugs using MalwareBytes (http://www.malwarebytes.com) to make sure all is clean.
Update Adobe Reader
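
The same check can be done over an exported copy of the Image File Execution Options key, to confirm which entries redirect a program and whether the file they point to still exists. This is an added example, not part of the original post: the function names and the sample export are constructed, and it assumes the redirect is stored in the subkey's "Debugger" value (the standard value name for this key; the post does not name it).

```python
import os
import re

# Registry key the article's fix navigates to in regedit.
IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

# Constructed sample in .reg text form (backslashes in values are doubled).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"="0x00000000"
"""

def find_ifeo_debuggers(reg_text):
    """Return (image, command) for each IFEO subkey with a Debugger value."""
    prefix = IFEO.lower() + "\\"
    findings, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Track only direct children of IFEO: one subkey per executable.
            child = key[len(prefix):] if key.lower().startswith(prefix) else ""
            image = child if child and "\\" not in child else None
            continue
        match = re.match(r'"debugger"="(.*)"$', line, re.IGNORECASE)
        if image and match:
            # Undo .reg escaping of backslashes and quotes inside the value.
            findings.append((image, re.sub(r"\\(.)", r"\1", match.group(1))))
    return findings

def dangling(findings, exists=os.path.isfile):
    """Keep redirects whose target file is gone (the state after AV cleanup)."""
    broken = []
    for image, command in findings:
        words = command.replace('"', "").split(" ")
        # Unquoted paths may contain spaces, so try each space-delimited prefix.
        prefixes = (" ".join(words[:n]) for n in range(1, len(words) + 1))
        if not any(exists(p) for p in prefixes):
            broken.append((image, command))
    return broken

if __name__ == "__main__":
    for image, command in dangling(find_ifeo_debuggers(SAMPLE_EXPORT)):
        print(f"{image}: Debugger -> {command} (target missing)")
```

On a real machine the text would come from a file written by reg export, which is UTF-16, so open it with encoding="utf-16". Bare program names that Windows resolves through the search path are also reported as missing, so review each hit before deleting a key.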

Comment by Charlotte computer repair | 2010-06-23

Thanks for putting this up. I had some other computers and didn't know how to avoid that virus. I had to get them repaired again and again. This is a very informational blog.