BleepingComputer.com: Empty start menu, no desktop icons... Taking Next Step

Empty start menu, no desktop icons... Taking Next Step
Need Additional Help After Following Directives

#1 ridgador (Members)

Posted 26 October 2011 - 03:27 AM

On Aug 28, 2011, Angela12345 authored a post entitled "Empty start menu, windows explorer, no desktop icons, etc etc". Her symptoms mirrored mine. More specifically: all of the symptoms listed in the title of the post, but only the Delayed Write Failure message from her list of messages.

I followed the directives given by the moderator. First follow the steps outlined here: http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery ... did that. Ran rkill and TDSSKiller - stopped processes in background and found no root kits running (whew!) but was unable to install Malwarebytes. The next set of directions required a post back to the forum for specific and individualized help.

System is Windows XP Professional SP3. User opened a zipped file in an official-looking email from another employee. User was kicked out of Internet Explorer and the system began showing the symptoms detailed above. I picked the system up shortly thereafter and noted the next set of symptoms.

Task Manager was disabled - used registry key fix to manually re-enable. Saw nothing running in Processes that was traceable to a suspicious process (don't know what's running in the various "svchost.exe" processes however). Was able to recheck various items in Properties / Start Menu / Customize / Advanced menu of Taskbar and Start Menu Properties to regain My Computer, Control Panel, Printers and Faxes, Help and Support, and Run - the information here seems to be "real". However, My Documents, My Pictures, My Music, and All Programs all remain "empty".

Right click on desktop (Display Properties and creation of certain types of documents - Word, etc.) also now works.

Again, am at step for installing Malwarebytes. System will not complete install. Please advise.

#2 Orange Blossom (Moderator, Bloomington, IN)

Posted 26 October 2011 - 11:58 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom

#3 ridgador (Members)

Posted 28 October 2011 - 05:51 AM

User opened a zipped attachment from an "official" city site and lost all start menu items, desktop icons, and access to documents. RKill and customizing the Start Menu allowed me to regain the My Computer, Control Panel, Printers and Faxes, Help and Support, and Run items. All Programs and hard drive contents are still unavailable. Right-click and some icons have returned. "Access Denied" during Malwarebytes' installation.

RESULTS OF DDS (DDS.txt):

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Run by Madeline at 5:06:23 on 2011-10-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.685 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mExplorerRun: [2600] c:\docume~1\alluse~1\locals~1\temp\e646db51.com
StartupFolder: c:\documents and settings\madeline\start menu\programs\startup\FMAAR (Gabbi) logon.bat
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8E4ACF14-A8DD-466E-B686-67B51FACEC5E} : DhcpNameServer = 192.168.1.1
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = scecli
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\madeline\application data\mozilla\firefox\profiles\nu353y48.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://verizon.my.yahoo.com/
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: oldbar: {46868735-c3fa-47ce-8ce7-cce51a66aceb} - %profile%\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011-9-8 99896]
R2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2003-7-22 18848]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-31 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110831.002\naveng.sys [2011-8-31 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110831.002\navex15.sys [2011-8-31 1576312]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-8-24 41272]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2011-9-8 17408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2009-11-2 159616]
S4 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2009-11-2 5248]
.
=============== Created Last 30 ================
.
2011-10-24 18:36:51 409488 --sha-w- c:\documents and settings\all users\application data\mbcsRBXXadpy.exe
.
==================== Find3M ====================
.
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-05 19:27:39 75264 ---ha-w- c:\windows\system32\drivers\ipsec.sys
2011-09-05 19:27:39 64512 ---ha-w- c:\windows\system32\drivers\serial.sys
2011-09-02 21:19:02 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp
2011-09-02 19:23:09 4194304 ----a-w- c:\windows\system32\kpniocee.dll
2011-08-17 13:49:54 138496 ---ha-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 5:08:08.32 ===============


RESULTS OF GMER (ark.txt):

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-28 06:16:14
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340016A rev.3.10
Running: gmer.exe; Driver: C:\DOCUME~1\Madeline\LOCALS~1\Temp\pftdqpog.sys


---- System - GMER 1.0.15 ----

SSDT 86EE2470 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Madeline\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


PLEASE SEE ATTACHED ATTACH.ZIP FILE and Advise.

This post has been edited by Orange Blossom: 28 October 2011 - 11:00 AM
Reason for edit: Merged topics. ~ OB
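A small triage pass over the DDS log posted above, added here as an example and not part of the thread, of DDS, or of the Malware Response Team's procedure. It takes the Pseudo HJT Report and "Created Last 30" lines quoted from the log and flags the ones a responder would look at first: an autostart pointing into a temp directory, a batch file in the Startup folder, the policy that disables Task Manager, the non-default hosts-file entry, and a freshly created hidden+system executable under Application Data. The rule set and its wording are this example's own.

```python
import re

# Lines taken from the DDS log posted above (Pseudo HJT Report and
# "Created Last 30" sections). The triage rules below are an added
# example, not DDS functionality or the forum's own procedure.
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mExplorerRun: [2600] c:\docume~1\alluse~1\locals~1\temp\e646db51.com
StartupFolder: c:\documents and settings\madeline\start menu\programs\startup\FMAAR (Gabbi) logon.bat
mPolicies-system: DisableTaskMgr = 1 (0x1)
Hosts: 127.0.0.1 www.spywareinfo.com
2011-10-24 18:36:51 409488 --sha-w- c:\documents and settings\all users\application data\mbcsRBXXadpy.exe
"""

AUTOSTART_KEYS = ("uRun", "mRun", "uExplorerRun", "mExplorerRun", "StartupFolder")
# temp directories in 8.3 and long form, as DDS prints them
TEMP_DIR = re.compile(r"\\(locals~1|local settings)\\temp\\|\\windows\\temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|com|scr|pif)$", re.I)
# DDS "Created Last 30" line: timestamp, size, 8 attribute flags, path
CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+([-a-z]{8})\s+(.+)$", re.I)


def triage(text):
    """Return (line, reason) pairs for DDS lines a reviewer should check first."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon separates the DDS key
        if key in AUTOSTART_KEYS:
            if TEMP_DIR.search(value):
                findings.append((line, "autostart points at a temp directory"))
            elif SCRIPT_EXT.search(value.strip()):
                findings.append((line, "autostart runs a script or .com file"))
        elif key == "mPolicies-system" and re.search(r"DisableTaskMgr\s*=\s*1", value):
            findings.append((line, "policy disables Task Manager"))
        elif key == "Hosts":
            findings.append((line, "non-default hosts-file entry"))
        else:
            m = CREATED.match(line)
            if m:
                attrs, path = m.groups()
                # 's' and 'h' flags = system + hidden attributes on a new .exe
                if "s" in attrs and "h" in attrs and path.lower().endswith(".exe"):
                    findings.append((line, "recent hidden+system .exe in a data directory"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(DDS_SAMPLE):
        print(f"{reason}\n    {line}")
```

The untouched ctfmon.exe entry shows the rules are about where and how something starts, not about every Run key.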


#4 m0le (Malware Response Instructor, London, UK)

Posted 30 October 2011 - 08:11 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
If I have helped you fix your PC then please donate. Thanks

m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#5 ridgador (Members)

Posted 01 November 2011 - 12:52 PM

I'm sorry for the belated response. Had a bit of food poisoning on Friday evening (when I would have responded to this post) and have not been the same since.

I am very much interested in your response, but the customer for whom I was trying to clear this system is about to pick up the system and go elsewhere. Is it possible to send me the next step and then contact me directly at my registered address so that I may forward the information to the customer? I'm sure they either are already a member of Bleeping Computer or a follower and would join to continue working with you.

Thank you.

#6 m0le (Malware Response Instructor, London, UK)

Posted 01 November 2011 - 08:48 PM

This sounds like ZeroAccess - it has certainly disabled MBAM and hidden desktop icons which are two of the usual ways that it attacks.

The next step would be to look for specific files, one of which kills the usual removal tools we use, and to find that we need an OTL log:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

If your user decides to continue here then they need to start a new topic and PM me. I can close this one and pick up the new one - it's just less messy that way.

#7 ridgador (Members)

Posted 02 November 2011 - 03:28 PM

Thank you for your time, m0le. I will advise the user.

#8 m0le (Malware Response Instructor, London, UK)

Posted 02 November 2011 - 08:13 PM

No problem :)

#9 m0le (Malware Response Instructor, London, UK)

Posted 07 November 2011 - 07:35 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.