Why have all my Documents and Desktop Icons gone away? (Infection)

A new family of infections is going around.  This infection comes in via an outdated Java plugin, infects the system, locks down the Task Manager, hides everything and displays a window with errors that are completely bogus yet scary.  Note that in order to restore some of your shortcuts, you must not empty your temporary files, so do not run CCleaner or any other temp file utility until you have all your shortcuts and icons back.

As a temporary workaround to view your files, press the Windows key + E to bring up Windows Explorer.  Depending on your version of Windows, you will now have to navigate to the folder and search options view.  In Windows 7 it is “Organize”, “Folder and search options”, “View”.  In the new window that has popped up, select the “View” tab.  Select “Show hidden files, folders and drives” and also uncheck “Hide protected operating system files”.

Now all your documents and desktop icons should be back, but look a little ghostly.  This is normal; it just means that the files are hidden.  The next step is to reboot into Safe Mode.  After that, we are looking for the infection that is locking down the computer and popping up in our face.  For Windows XP, go to “C:\Documents and Settings\username\Local Settings”, “C:\Documents and Settings\username”, or “C:\Documents and Settings\username\Application Data”, and for Windows 7/Vista, go to “C:\Users\username\AppData\Local”, and delete the garbage-named .exe file hiding there.  Note that it sometimes hides deep down in the Microsoft application data folder.  Another way to look for this infection is to clean up your startup applications, using Autoruns or MSCONFIG to find the name and path of the infection.  It should be pretty obvious, as the name will be completely random.

Now that we have cleaned up that part of the infection, we need to run Malwarebytes or some other trusted anti-malware/spyware program to remove any traces or ‘buddies’ it brought in.  If you absolutely cannot find the infection in the step above, this step should take care of it as long as you are in Safe Mode (being in Safe Mode stops the infection from starting with Windows).  If your computer must be rebooted to remove the infections found, let it reboot and then let Windows boot up normally.

Next we can run an app called “unhide.exe” (this will have to be downloaded from http://download.bleepingcomputer.com/grinler/unhide.exe ).  This will restore the correct hidden status to your files.  After this has run, you can hide hidden files and folders again.  Also, sometimes the Start Menu does not have “Computer”/“My Computer” and others on it.  The best way to bring these back is to right-click on an empty part of the start bar, select “Properties”, click the “Start Menu” tab, then the “Customize” tab.  Here you will have a list that will let you select what you wish to have displayed on the right-hand side of your Start Menu.  For Windows 7/Vista I recommend clicking the defaults button on the lower right.

Lastly we need to enable Task Manager.  To do this, go to “Start” -> “Run” and type “regedit”.

After clicking “OK” a window will pop up.  You need to navigate to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies”.  If Task Manager is disabled, there is a very good chance there is a value on the right-hand side that is disabling it.  Change that value from 1 to 0, save the change, and Task Manager should be back.
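
The manual checks above (the profile folders, the startup entries and the Task Manager policy) can be gathered in one read-only pass.  The PowerShell below is an added example, not part of the original article; it assumes it is run as the affected user and that the Task Manager setting in question is the standard DisableTaskMgr value under the Policies\System subkey.

```powershell
# Read-only triage of the locations named above; nothing is deleted or changed.
# Assumption: run as the affected user, because every location is per-user.

# Per-user folders from the article, resolved for XP, Vista and 7 alike.
$folders = @(
    $env:USERPROFILE,
    (Join-Path $env:USERPROFILE 'Local Settings'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData')
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# 1. Executables sitting directly in those folders, hidden ones included.
#    Installed software rarely puts an .exe here, so review every hit.
$exes = @(foreach ($f in $folders) {
    Get-ChildItem -Path $f -Filter *.exe -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
})
$exes | Select-Object FullName, CreationTime,
    @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Format-List | Out-Host

# 2. Startup entries (what Autoruns and MSCONFIG show) that launch from the profile.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$startup = @(foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if ($cmd.IndexOf($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            New-Object PSObject -Property @{ Key = $key; Name = $name; Command = $cmd }
        }
    }
})
$startup | Format-List | Out-Host

# 3. Task Manager policy. Assumption: the value the article refers to is the
#    standard DisableTaskMgr DWORD; 1 disables Task Manager, 0 or absent allows it.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).DisableTaskMgr
if ($val -eq 1) {
    'Task Manager is disabled by policy (DisableTaskMgr = 1)'
} else {
    'Task Manager is not disabled for this user'
}
```

An unsigned .exe with a random name and a recent creation time that also appears in the startup list is the file to remove in Safe Mode.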

The infection is now removed, and your computer should be back to how it was before the infection.  Call us or email us if you have any questions on this infection.

