Desktop icons and taskbar dont show up

I was infected with a scare-ware..I dont remember what it was called. I managed to get rid of that with spybot, but I am still experiencing some problems. For instance, when i boot up windows I dont have any desktop icons or the bar on the bottom with the start button.
Sometimes task manager doesn't work making it difficult to do anything at all. My internet cuts out entirely at times and I cant open any new connections but previously established connections remain open like ventrillo. I've used malwarebytes anti-malware, spybot search an destroy, and I also have avg installed.

Before much can be done about the malware removal, we need to establish how best you are able to use your computer at this stage.

Windows Advanced Options Menu
Getting into Windows Safe Mode
http://www.computerhope.com/issues/chsafe.htm

From the Windows Advanced Options Menu, please try the following ...
Choose "Last known good configuration that worked", and press <ENTER>. The computer will attempt to load Windows.
If Windows does not start normally, try the same thing again .... and continue trying for 10 times, before you rule that option out as a means of getting your OS running normally.
Why 10 times? Based on past experience, a successful result is sometimes achieved after several consecutive failed attempts.

You can log in to Windows normally, but you end up looking at your desktop wallpaper/background image (not a plain blue or black screen?), but without icons/taskbar/start button. Is this correct?

You implied that task manager works only sometimes (and I am guessing that you have been using Ctrl+Alt+Del): Does Ctrl+Shift+Esc bring up the Task Manger window reliably?

Please try the following ...
On the Applications tab of the Task Manager window, click on "New Task", and in the "Run" dialog box that opens type "explorer.exe" and press <ENTER>.
Does a Windows Explorer window open, and can you use it to browse all the files on your computer?
OR ... do you see a message?

What happens when you attempt to start the system in Safe Mode?
Are you offered the choice of logging in to either the Administrator account or your own account?
If you log into your own account can you then open Task Manager using Ctrl+Shift+Esc ?

Please try starting the system in Safe Mode, and logging into the Administator account and let me know if there is any difference.

What happens when you attempt to start the system in "Safe Mode with networking"?
On the Applications tab of the Task Manager window, click on "New Task", and in the "Run" dialog box that opens type "iexplore.exe" and press <ENTER>.
Does a Windows Internet Explorer window open, and can you use it to browse the net on-line? Do you have internet access then?
OR ... do you see a message?

After doing all of the above work, please re-start your system. Does your system start normally ... or is it still without icons/taskbar/start button?

Yes, I can log into windows normally, and originally it was just a plain blue screen. I think I removed most of the virus so now when I load windows it is my wallpaper, just without the icons/taskbar/startbutton. Ive tried both ctrl-alt-delete/ctrl-shift-escape sometimes neither work. They usually only seem to work if I do it right when windows boots up before everything has a chance to load. And then from there I would new task explorer.exe and the desktop/taskbar would come up. And yes I am able to browse and do everything normally.

Previously i wasn't able to boot windows in safe mode, it said something about spfd.exe or something, then the computer would just restart. I think I removed some of the viruses infecting my computer and now I am able to boot in safe mode/safe mode with networking.

And as far as the internet thing goes, I was getting periodic pop-up windows of 3 tabs of spam websites. I think I removed that with spybot, but earlier today my internet cut out completely. That has only happened once so it might have just been a fluke...but it did mess up the online homework I was doing for my college class.

Also when I boot up windows it shows the "user:____" "Password:___" type login screen like the old windows used to have. Not the Icons with Administrator and the various users. I saw some errors back when I had the virus something related to logonui.exe and userinit.exe or something like that.

It would seem that you are able to operate your Windows system normally ... or manage somehow ... with normal malware removal procedures.
XP or Vista ??? Service Pack level ?

How about posting the relevant logs relating to the removal of the malware ... MBAM, Spybot, AVG et al ....
That will give a helper something to start working with.

If you have Spybot's Tea Timer running, open the Spybot interface > Tools > Advanced Mode and turn Tea Timer OFF, before proceeding with any malware removal instructions.

xp, and I believe its sp 3? or maybe 2 idk. I tried doing a full system scan with avg and the next morning my computer was frozen up...I tired it again last night with MBAM and again it was frozen...and excuse me I don't use spybot I meant spyware doctor*

How about posting the relevant logs relating to the removal of the malware ... MBAM

I meant the already existing logs: To find the MBAM logs, use Windows Explorer to navigate to the following location ...

C:\Documents and Settings\(Your Profile Name)\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Are there any logs there? The file name format is like this ..... mbam-log-2009-01-19 (00-14-03).txt.
Check to see whether there are any logs identifying malware or indicating the removal of malware from your system.
If so, copy/paste in this thread. (File > Select All > Copy .... and paste the whole log).

Please try to update the MBAM definitions and run a Quick Scan (not a Full Scan). This should only take a few minutes to complete.
Does it complete successfully? If it does, please post the log.

Here is the very first scan I did with MBAM

Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 5.1.2600 Service Pack 3

11/9/2009 6:13:01 PM
mbam-log-2009-11-09 (18-13-01).txt

Scan type: Quick Scan
Objects scanned: 116894
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 9
Registry Data Items Infected: 4
Folders Infected: 4
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\rdolib.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\queryservice (Adware.OneStep) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\QueryService (Adware.OneStep) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\QueryService Service (Adware.OneStep) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ter8m (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: omonvc.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\rdolib.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\rdolib.dll -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.SearchPage) -> Bad: (http://join.clonecashsystem.com/track/NjU1ODMuMjYuMzEuMzUuMC4wLjAuMC4w) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\QueryService (Adware.OneStep) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\QueryService (Adware.OneStep) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WSDDSys (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\omonvc.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\7.tmp (Worm.PALEVO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Worm.PALEVO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mscert.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rdolib.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\C.tmp (Worm.PALEVO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT7.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\QUE760.tmp\upgrade.exe (Adware.Queryservice) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\VRT734.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\VRT739.tmp (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\d.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\h.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\queryservice-QryservSC1.exe (Adware.Queryservice) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\747.tmp (Worm.PALEVO) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W5UFG1IR\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\isvchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\QueryService\queryservice.dll (Adware.OneStep) -> Quarantined and deleted successfully.
C:\Program Files\QueryService\queryservice.exe (Adware.OneStep) -> Quarantined and deleted successfully.
C:\Program Files\QueryService\uninstall.exe (Adware.OneStep) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\QueryService\queryservice125.exe (Adware.OneStep) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WSDDSys\wsd.cfg (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully.
C:\Clone Cash System.url (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Favorites\Clone Cash System.url (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew\Local Settings\Temp\WeFiSetup_5_501_12.exe (Trojan.Dropper) -> Quarantined and deleted successfully.






Doing another quick scan now. I will update when its done.


Edit: Here it is.


Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 5.1.2600 Service Pack 3

11/16/2009 6:28:31 PM
mbam-log-2009-11-16 (18-28-28).txt

Scan type: Quick Scan
Objects scanned: 114472
Time elapsed: 13 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\FT1H2CLP\abb[1].txt (Trojan.Cutwail) -> No action taken.
C:\Documents and Settings\Andrew\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.

Sorry that I don't have any fancy pre-prepared "canned speeches" to post of my own .... but I would like you to run ATF Cleaner and then SUPERAntiSpyware followed by MBAM.

Please follow the instructions in post #2 by boopme
http://www.bleepingcomputer.com/forums/ind...t&p=1496246

... from "Next run ATF and SAS:", part way down post #2 ...

I noticed that your MBAM database was outdated when you last ran the scan: Please ensure that you do update with the latest definitions before running the scan.

Please post the logs from SAS and MBAM.

Sorry I've been really busy lately and just been using my infected computer. It was manageable but now I found out I have malware.virut again after I scanned with spyware doctor. I click fixed check and now Im getting "Files that are required to run windows properly have been replaced by unrecognized versions. To maintain system stability, windows must restore the original versions of these files. Insert your windows XP pro cd-rom now" and my taskbar just disappeared again....When I control-alt-delete and try new task "explorer" it says "windows cannot find explorer. make sure u type the name correctly, and then try again..etc" So my computer is still definitely infected, I will try to do your steps when I get home from college If I am able to.

Halp! Im afraid to restart my computer because I don't think I will be able to do anything.

now I found out I have malware.virut

Virut: Things are looking decidedly tricky.
Virut may best be considered fatal for your current system. You should take the necessary steps to retrieve copies of your personal files from the current system. It is important that you save only your personal files, and no other ... especially no programs or other executable files. Probably the best method to use is to boot from a bootable LiveCD (such as a Linux version or UBCD4Win for example) and save your files to an external USB hard drive or flashdrive or DVD disk. The media on which you have saved your files should then be thoroughly scanned and cleaned from a well-protected system.

Virut and other File infectors - Throwing in the Towel? .... miekiemoes
http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

After you have saved your files to a remote medium, then you need to consider the future of your current system.
One option: Wipe your hard drive clean with something like dban or "active@ killdisk" and do a "clean install" of your operating system.
The other option will be time consuming and not necessarily successful, nor can it be guaranteed that your machine will ever be reliably secure.

I strongly suggest that you do not connect this machine to the internet. I also suggest that you take steps to safe-guard your personal information by changing all passwords. If you have conducted any financial affairs on this computer, it may be prudent to advise the financial institutions that your personal security may have been compromised.

Yeah, I really don't want to format(for many reasons), so what is the other option?

Yeah, I really don't want to format(for many reasons), so what is the other option?

We attempt to fix your computer in this forum area .... preferably after you have retrieved copies of your personal files. Malware removal is a risky business and there is no guarantee of a happy ending.

If we cannot do so here, then the next step would be for you to post in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

..... the first step being to read and follow the instructions here ...
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

That forum area is particularly busy, and there will be some time to wait before receiving any response at all ....... probably around a week, possibly even 2 weeks. Then the "fix" may take some time too.

If you are curious about what may be involved, you may visit the forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
and read some of the threads.
Please do NOT attempt to use any of the tools or instructions that you do read about in that forum area.

Are you still able to use MBAM?
Before starting MBAM, disable any other real-time protection that may be running (your antivirus, Spyware Doctor etc)
Please start MBAM (at this time, do not choose to update which would require connection to the net).
Then run a Quick scan and post the contents of the log.
Choose NOT to fix anything at this time.

When you have posted the log from the first scan, please run a Full scan of the whole computer. When it has finished, please post the contents of the log. Choose NOT to fix anything, and close MBAM.

Let's have a look at what is found now, and see what we may be able to do.

Have you shut down/re-started the computer ? I can understand you being nervous about doing that, and at this time perhaps it may be best to leave it running until we decide on the next step.

Edit: I realised that you could have difficulty posting the log .... sorry. However, I expect that you will not be able to run MBAM at all. Please try to run MBAM and choose to SAVE the log, and without posting the log, let me know how things are going at your end.

I was able to download dds to my computer but when I try to run it I get C:\windows\system32\find.exe is not a valid win32 application.

and yes I can run mbam with the new task feature...no infections found on the quick scan

Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 5.1.2600 Service Pack 3

11/22/2009 1:24:23 PM
mbam-log-2009-11-22 (13-24-23).txt

Scan type: Quick Scan
Objects scanned: 115288
Time elapsed: 10 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And no I haven't shut down restarted this computer since then, this is the only computer I have with internet access and I have online college assignments due practically on a daily basis.

Edit: also I don't know how I could back up my folders/files to a disk or whatever if I cant use explorer?

I was referred from http://www.bleepingcomputer.com/forums/t/271696/desktop-icons-and-taskbar-dont-show-up/
I was able to download dds to my computer but when I try to run it I get C:\windows\system32\find.exe is not a valid win32 application.
I got rootappeal to run but it kept freezing when it was scanning my avg vault.

I am unable to get my desktop/taskbar to show up, and unable to start explorer.exe


Edit: this was supposed to be in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal to our Am I infected? What do I do? forum.
but I was not able to produce any logs so it was moved here =/