Have run DDS and GMER and attached their log files.
Also have attached Malwarebytes log.
Attached: DDS, GMER and Malwarebytes logs
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Amma at 7:54:25 on 2011-10-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2741 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://earthlink.net/
mURLSearchHooks: H - No File
BHO: {1287f980-811b-4586-8c1d-9232882ab87a} - c:\documents and settings\amma\local settings\application data\TCPIPPTR.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {768D3083-662C-8A9A-84E3-D01E65AC7474} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MouseVerifierTray] rundll32.exe "c:\documents and settings\all users\application data\MouseVerifierTray.dll",DllRegisterServer
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [E07.exe] c:\program files\internet explorer\63a9\E07.exe
mRun: [POhWwySvraH.exe] c:\documents and settings\all users\application data\POhWwySvraH.exe
dPolicies-explorer: NoDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{C66DC4B8-0A26-4F32-9CF3-589E64888949} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{EDD6C37A-E3B4-49B0-BC8E-2D50DD42CCBF} : DhcpNameServer = 10.0.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\msimsg32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2010-1-6 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2010-1-6 41760]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
S1 MpKsl568e6c61;MpKsl568e6c61;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{980e9fc5-f80e-404a-9b55-38853fdaa8bc}\MpKsl568e6c61.sys [2011-10-13 28752]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-1-6 112512]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2010-1-6 141376]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2010-1-6 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2010-1-6 235840]
.
=============== Created Last 30 ================
.
2011-10-14 02:55:12 469504 ---ha-w- c:\documents and settings\all users\application data\POhWwySvraH.exe
2011-10-14 01:15:33 28752 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{980e9fc5-f80e-404a-9b55-38853fdaa8bc}\MpKsld0d087cf.sys
2011-10-14 01:15:31 -------- d--h--w- c:\documents and settings\amma\application data\jfRZ9hYXwU
2011-10-14 01:15:31 -------- d--h--w- c:\documents and settings\amma\application data\bEL8gTZqjCkVzt
2011-10-14 01:10:59 -------- d--h--w- c:\documents and settings\amma\application data\TucS2ibD3n5Q
2011-10-14 01:10:57 -------- d--h--w- c:\documents and settings\amma\application data\rrzONyxA0v2b3m5
2011-10-13 03:12:25 -------- d-----w- c:\program files\B924E
2011-10-13 03:12:14 -------- d--h--w- c:\documents and settings\amma\application data\9F6B9
2011-10-13 03:11:58 -------- d--h--w- c:\documents and settings\amma\application data\wFF44amH6s
2011-10-13 03:11:58 -------- d--h--w- c:\documents and settings\amma\application data\vBBBtzPP0cA1vDo
2011-10-13 03:11:55 -------- d--h--w- c:\documents and settings\amma\application data\mrzzONNyxAuv2oF
2011-10-13 03:11:54 -------- d--h--w- c:\documents and settings\amma\application data\mYYYXwjUVelOtz0
2011-10-13 00:17:18 7269712 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{980e9fc5-f80e-404a-9b55-38853fdaa8bc}\mpengine.dll
2011-10-12 21:46:33 100352 ---ha-w- c:\documents and settings\all users\application data\MouseVerifierTray.dll
2011-10-12 00:28:12 -------- d--h--w- c:\documents and settings\amma\application data\Auslogics
2011-10-12 00:27:31 -------- d-----w- c:\program files\Auslogics
2011-10-11 23:06:25 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-10-11 22:57:47 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-11 22:15:54 -------- d--h--w- c:\documents and settings\amma\application data\Malwarebytes
2011-10-11 22:15:50 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-11 22:15:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-11 22:15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-11 22:11:03 -------- d-----w- c:\documents and settings\amma\local settings\application data\WMTools Downloaded Files
2011-10-11 21:17:58 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:25:11 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-29 00:09:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 7:54:53.18 ===============
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-14 08:55:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925041 rev.0004
Running: gmer.exe; Driver: C:\DOCUME~1\Amma\LOCALS~1\Temp\fftyapog.sys
---- Kernel code sections - GMER 1.0.15 ----
? C:\DOCUME~1\Amma\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB23464$\3956060260 0 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\bckfg.tmp 803 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\cfg.ini 231 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\L 0 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\L\rohepcid 62976 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\U 0 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB23464$\3956060260\U\80000032.@ 71168 bytes
File C:\WINDOWS\$NtUninstallKB23464$\482679882 0 bytes
---- EOF - GMER 1.0.15 ----
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7931
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
10/13/2011 8:03:30 PM
mbam-log-2011-10-13 (20-03-30).txt
Scan type: Full scan (C:\|)
Objects scanned: 231671
Time elapsed: 16 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 7
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Policies Update (Trojan.SHarpro.PGen) -> Value: Policies Update -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rH66sWWK7fL9gXj8234A (Trojan.FakeAlert.CLGen) -> Value: rH66sWWK7fL9gXj8234A -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qGGG5sQJ7dEKgRq (Trojan.Agent) -> Value: qGGG5sQJ7dEKgRq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mQJ6dEK8gZhXkVl8234A (Trojan.FakeAlert.CLGen) -> Value: mQJ6dEK8gZhXkVl8234A -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TA0uvS2ib3m58234A (Trojan.FakeAlert.CLGen) -> Value: TA0uvS2ib3m58234A -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Amma\application data\Sun\Java\deployment\cache\6.0\18\7e769d12-6878e27b (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\beep.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\beep.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\11.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\12.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\1453E8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\2143E8.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\C.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\p5tm1qbi6dss92.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\cdrom.sys (Trojan.Patched) -> Quarantined and deleted successfully.
Thanks,
Chris
Attached File(s):
- dds.txt (10.01K)
- GMER.log (1.89K)
- mbam-log-2011-10-13 (20-03-30).txt (3.16K)
This post has been edited by ckamila: 14 October 2011 - 01:11 PM
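Triage of the DDS "Pseudo HJT Report" lines above, as an added example that is not part of the original post and is not code from the DDS tool: a Python script that scans the uRun/mRun/BHO/dPolicies/AppInit_DLLs lines of a DDS log and flags the entries a malware-removal helper would look at first (executables launched from Application Data or Temp, randomized file names, a hex-named subdirectory in the path, rundll32 ...,DllRegisterServer used as a loader, a populated AppInit_DLLs value, the NoDesktop/DisableTaskMgr policies, and a BHO registered without a display name). The heuristics, thresholds, the SUSPECT_DIRS list and the meaning given to the DDS prefixes are this example's own assumptions; the sample input is constructed from lines of the log above, benign and suspicious mixed; the output is a prompt for human review, not a verdict.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of the original post and not code from the DDS tool.
All heuristics, thresholds and directory lists are this example's own
assumptions: findings are prompts for human review, not verdicts.
"""
import re
from collections import Counter
from math import log2
from typing import Optional

# DDS prefixes handled here (u = HKCU, m = HKLM, d = default-user hive,
# as this example understands the DDS convention).
PREFIX_NOTE = {
    "uRun": "HKCU Run key",
    "mRun": "HKLM Run key",
    "dPolicies-explorer": "default-user Explorer policy",
    "dPolicies-system": "default-user System policy",
    "AppInit_DLLs": "DLL injected into every process that loads user32",
    "BHO": "Internet Explorer browser helper object",
}
# Directories from which legitimate auto-start code rarely launches (assumption).
SUSPECT_DIRS = ("\\application data\\", "\\temp\\")

PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|sys|tmp))"?', re.I)
HEX_DIR_RE = re.compile(r"[0-9a-f]{4,}")
POLICY_RE = re.compile(r"(disabletaskmgr|nodesktop)\s*=\s*1")

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random strings score higher than real words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())

def looks_random(filename: str) -> bool:
    """Mixed-case, vowel-poor, high-entropy stem such as POhWwySvraH (thresholds assumed)."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    mixed = any(c.islower() for c in stem) and any(c.isupper() for c in stem)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return mixed and vowel_ratio < 0.25 and shannon_entropy(stem) > 3.0

def assess(line: str) -> Optional[dict]:
    """Return a finding for one DDS line, or None when nothing stands out."""
    m = re.match(r"([A-Za-z_\-]+):\s*(.*)", line)
    if not m or m.group(1) not in PREFIX_NOTE:
        return None
    kind, entry = m.group(1), m.group(2).strip()
    lower = entry.lower()
    reasons = []
    for path in PATH_RE.findall(entry):
        comps = path.split("\\")
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append("launches from a data/temp directory: " + path)
        if looks_random(comps[-1]):
            reasons.append("randomized file name: " + comps[-1])
        if any(HEX_DIR_RE.fullmatch(c.lower()) for c in comps[1:-1]):
            reasons.append("hex-named directory in path: " + path)
    if "rundll32" in lower and "dllregisterserver" in lower:
        reasons.append("rundll32 ...,DllRegisterServer used as a loader")
    if kind == "AppInit_DLLs" and entry:
        reasons.append("AppInit_DLLs is populated")
    if kind.startswith("dPolicies") and POLICY_RE.search(lower):
        reasons.append("policy locks the user out: " + entry.split("=")[0].strip())
    if kind == "BHO" and entry.startswith("{") and "no file" not in lower:
        reasons.append("BHO registered without a display name")
    if not reasons:
        return None
    return {"kind": kind, "note": PREFIX_NOTE[kind], "entry": entry, "reasons": reasons}

def triage(log_text: str) -> list:
    """Run assess() over every line of a DDS log and keep the findings."""
    return [f for f in map(assess, log_text.splitlines()) if f]

def report(findings: list) -> str:
    """Human-readable summary: one header per finding, one bullet per reason."""
    out = []
    for f in findings:
        out.append(f"[{f['kind']}: {f['note']}] {f['entry']}")
        out.extend("    - " + r for r in f["reasons"])
    return "\n".join(out)

# Constructed sample: lines copied from the DDS log in the post, benign and not.
SAMPLE_DDS = r"""
BHO: {1287f980-811b-4586-8c1d-9232882ab87a} - c:\documents and settings\amma\local settings\application data\TCPIPPTR.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MouseVerifierTray] rundll32.exe "c:\documents and settings\all users\application data\MouseVerifierTray.dll",DllRegisterServer
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [E07.exe] c:\program files\internet explorer\63a9\E07.exe
mRun: [POhWwySvraH.exe] c:\documents and settings\all users\application data\POhWwySvraH.exe
dPolicies-explorer: NoDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\windows\system32\msimsg32.dll
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_DDS)))
```

On the sample above the script leaves ctfmon.exe, msseces.exe and the Adobe BHO alone and raises the other seven lines, each with the reason it tripped; the name-entropy and directory checks are deliberately loose, so anything it raises still needs a human to confirm against the file on disk before it is removed.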