Missing desktop icons (among other things)


  • This topic is locked
19 replies to this topic

#1 mgmtsys

Posted 31 October 2012 - 03:34 PM

The symptoms started with a warning about hard drive failure. I have run a variety of scans, including booting Kaspersky Rescue Disk from USB when no other scans would run. Kaspersky found rootkit Boot.SST.b and disinfected, ESET online scan will still not run, and MBAM finds no infections. Desktop items are in the folder but not displaying now, and the start menu is missing most items as well.

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 10:23:02 on 2012-10-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.27 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\coupon companion\coupon companion-bg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Coupon Companion: {11111111-1111-1111-1111-110011441193} - c:\program files\coupon companion\Coupon Companion.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265642904674
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{FE3FD3AA-8AA3-4071-950F-CDCBA7EDE885} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2012-10-31 15:03:50 -------- d-s---w- C:\ComboFix
2012-10-31 14:46:49 -------- d-----w- c:\program files\CCleaner
2012-10-31 14:39:54 -------- d-----w- c:\documents and settings\administrator\application data\GlarySoft
2012-10-31 14:39:53 -------- d-----w- c:\program files\Glary Utilities
2012-10-31 14:39:21 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google
2012-10-31 14:39:20 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Coupon Companion
2012-10-31 14:39:19 -------- d-----w- c:\program files\Coupon Companion
2012-10-31 14:24:43 -------- d-----w- c:\documents and settings\administrator\application data\ElevatedDiagnostics
2012-10-31 14:06:38 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
2012-10-31 14:03:19 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-10-31 14:03:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-10-31 14:03:11 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-31 14:03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-31 13:21:35 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-10-29 17:22:03 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-10-29 16:19:21 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-10-29 16:19:21 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NPE
.
==================== Find3M ====================
.
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29:19 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:06 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 10:23:49.70 ===============


#2 mgmtsys (Topic Starter)

Posted 31 October 2012 - 03:40 PM

One more symptom:

Some updates could not be installed. Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2656370)

Alert balloon keeps popping up saying updates are ready, but when I attempt to install, I receive this message.

#3 Oh My! (Malware Response Instructor)

Posted 02 November 2012 - 08:57 PM

Greetings mgmtsys and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the [image] button but use the [image] button instead.
  • In the upper right hand corner of the topic you will see the [image] button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My! (Malware Response Instructor)

Posted 02 November 2012 - 11:34 PM

Hi mgmtsys,

I notice you previously ran Combofix and I would like to review that log to see what was deleted. Also I have a couple other things I would like you to run for me.


===================================================


Windows Repair (All in One)

--------------------

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Download Windows Repair (All in One) and save it to your desktop
  • Double click the icon and select Run
  • Continually click Next, then Finish
  • Go to Step 4 and under "System Restore" click on the Create button.
  • Go to the Start Repairs tab and click the Start button.
  • Please ensure that ONLY the following items are checked (they're all checked by default):
    • Remove Policies Set By Infections
    • Repair Missing Start Menu Icons Removed By Infections
    • Repair Icons
    • Repair Windows Updates
  • Click on box next to the Restart System when Finished. Then click on Start
  • Your computer will reboot upon completion
  • Copy and paste the contents of the following log in your reply:

    C:\Tweaking.com_Windows_Repair_Logs\_Windows_Repair_Log.txt

===================================================


Obtaining Current ComboFix.txt

--------------------

Please copy and paste the contents of the following file in your reply.

C:\ComboFix.txt


===================================================


AdwCleaner by Xplode - Search for Adware

-------------------

  • Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Search
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================


screen317's Security Check

--------------------

  • Please download screen317's Security Check to your desktop
  • Double-click the [image] icon
  • Click OK
  • Select Run
  • Press any key to start the program
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Windows repair log
  • Combofix log
  • AdwCleaner log
  • Security check log

Gary

#5 mgmtsys (Topic Starter)

Posted 05 November 2012 - 03:39 PM

Hi Gary, my name is Tom. Thank you for helping me with this issue(s); I really appreciate it!

I did run Combofix, but the logfile in the root directory is gone now. Here are the contents of the logfile C:\Qoobox\Combofix2.txt:

ComboFix 12-10-30.03 - Administrator 10/30/2012 15:32:46.6.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.322 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-30 )))))))))))))))))))))))))))))))
.
.
2012-10-29 17:22 . 2012-10-30 08:26 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-10-29 16:19 . 2012-10-29 16:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2012-10-29 16:19 . 2012-10-29 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]
.
c:\documents and settings\barb.MSI\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-08-20 20:51 118784 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-08-20 20:55 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
2004-03-02 17:49 86016 ---ha-w- c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 19:03 36975 ---ha-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NetSvc"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\PVSW\\bin\\w3dbsmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\barb.MSI\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-30 15:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1275210071-1801674531-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,77,a5,f8,d3,94,25,47,af,ad,71,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,77,a5,f8,d3,94,25,47,af,ad,71,\
.
Completion time: 2012-10-30 15:49:13
ComboFix-quarantined-files.txt 2012-10-30 20:49
.
Pre-Run: 68,479,500,288 bytes free
Post-Run: 69,206,454,272 bytes free
.
- - End Of File - - FB13D1A45D93DA3989F166A6680D3C1D


Here are the other logs you requested:

C:\Tweaking.com_Windows_Repair_Logs\_Windows_Repair_Log.txt

Starting Repairs...
Start (11/5/2012 2:14:05 PM)

Remove Policies Set By Infections
Start (11/5/2012 2:14:05 PM)
Done (11/5/2012 2:14:08 PM)

Repair Missing Start Menu Icons Removed By Infections
Start (11/5/2012 2:14:08 PM)
Done (11/5/2012 2:14:16 PM)

Repair Icons
Start (11/5/2012 2:14:16 PM)
Could Not Find C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db.bak
Could Not Find C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
Done (11/5/2012 2:14:19 PM)

Repair Windows Updates
Start (11/5/2012 2:14:19 PM)
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

'bitsadmin.exe' is not recognized as an internal or external command,
operable program or batch file.
Done (11/5/2012 2:15:28 PM)

Cleaning up empty logs...

All Selected Repairs Done.
Done (11/5/2012 2:15:28 PM)
Total Repair Time: 00:01:23


...YOU MUST RESTART YOUR SYSTEM...

C:\AdwCleaner[R1].txt

# AdwCleaner v2.006 - Logfile created 11/05/2012 at 14:32:13
# Updated 30/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - BARBDESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\Crossrider
Key Found : HKCU\Software\InstalledBrowserExtensions
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO.1
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox.1

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1013 octets] - [05/11/2012 14:32:13]

########## EOF - C:\AdwCleaner[R1].txt - [1073 octets] ##########

screen317's Security Check

Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Please wait while WMIC is being installed.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#6 Oh My! (Malware Response Instructor)

Posted 05 November 2012 - 03:48 PM

Hi Tom,

Welcome and thank you for the information.

Can you tell me if your Start Menu items have reappeared? Also, when did you first notice your desktop icons missing?
Gary

#7 mgmtsys (Topic Starter)

Posted 05 November 2012 - 04:00 PM

Hi Gary, I was able to get the desktop icons back last week; several users' folders in C:\Documents and Settings were marked as 'hidden', so I changed the attributes of the folder, including subfolders and files to not hidden. The start menu items are still not back, however.

She first noticed the desktop icons missing after I ran Kaspersky from USB. Initially, she was not able to do anything. So I ran the scan and she logged back in--the desktop icons were missing.

Thank you for the very fast response!

Tom

#8 Oh My! (Malware Response Instructor)

Posted 05 November 2012 - 04:10 PM

Hi Tom,

Thank you for your quick response as well.

I just want to make sure we are clear because the description of what you are (not) seeing on your computer is different than what one of the reports would indicate.

Repair Missing Start Menu Icons Removed By Infections
Start (11/5/2012 2:14:08 PM)
Done (11/5/2012 2:14:16 PM)

Repair Icons
Start (11/5/2012 2:14:16 PM)
Could Not Find C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db.bak
Could Not Find C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
Done (11/5/2012 2:14:19 PM)

This seems to say your Start Menu items should be visible but not your desktop icons.
Gary

#9 mgmtsys (Topic Starter)

Posted 05 November 2012 - 04:18 PM

I see. Well I just ran those scans from the Administrator account; the missing icons are in the Barb account. Should I re-run the scan with that login?

#10 Oh My! (Malware Response Instructor)

Posted 05 November 2012 - 04:23 PM

Hi Tom,

Yes please.
Gary

#11 mgmtsys (Topic Starter)

Posted 06 November 2012 - 08:36 AM

Hi Gary, sorry it took so long. I ran out of time yesterday before I could run the scans. Here are the new logs:

Windows Repair Log:


Starting Repairs...
Start (11/5/2012 2:14:05 PM)

Remove Policies Set By Infections
Start (11/5/2012 2:14:05 PM)
Done (11/5/2012 2:14:08 PM)

Repair Missing Start Menu Icons Removed By Infections
Start (11/5/2012 2:14:08 PM)
Done (11/5/2012 2:14:16 PM)

Repair Icons
Start (11/5/2012 2:14:16 PM)
Could Not Find C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db.bak
Could Not Find C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
Done (11/5/2012 2:14:19 PM)

Repair Windows Updates
Start (11/5/2012 2:14:19 PM)
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

'bitsadmin.exe' is not recognized as an internal or external command,
operable program or batch file.
Done (11/5/2012 2:15:28 PM)

Cleaning up empty logs...

All Selected Repairs Done.
Done (11/5/2012 2:15:28 PM)
Total Repair Time: 00:01:23


...YOU MUST RESTART YOUR SYSTEM...
Starting Repairs...
Start (11/6/2012 7:25:38 AM)

Remove Policies Set By Infections
Start (11/6/2012 7:25:38 AM)
Done (11/6/2012 7:25:40 AM)

Repair Missing Start Menu Icons Removed By Infections
Start (11/6/2012 7:25:40 AM)
Done (11/6/2012 7:25:43 AM)

Repair Icons
Start (11/6/2012 7:25:43 AM)
Could Not Find C:\Documents and Settings\barb.MSI\Local Settings\Application Data\IconCache.db.bak
Could Not Find C:\Documents and Settings\barb.MSI\Local Settings\Application Data\IconCache.db
Done (11/6/2012 7:25:45 AM)

Repair Windows Updates
Start (11/6/2012 7:25:45 AM)
The BITS service is not started.

More help is available by typing NET HELPMSG 3521.

The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

'bitsadmin.exe' is not recognized as an internal or external command,
operable program or batch file.
Done (11/6/2012 7:26:47 AM)

Cleaning up empty logs...

All Selected Repairs Done.
Done (11/6/2012 7:26:47 AM)
Total Repair Time: 00:01:09


...YOU MUST RESTART YOUR SYSTEM...

AdwCleaner log:

# AdwCleaner v2.006 - Logfile created 11/06/2012 at 07:31:14
# Updated 30/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : barb - BARBDESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\barb.MSI\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO.1
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox.1

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1142 octets] - [05/11/2012 14:32:13]
AdwCleaner[R2].txt - [1036 octets] - [06/11/2012 07:31:14]

########## EOF - C:\AdwCleaner[R2].txt - [1096 octets] ##########

Security check log:

Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Please wait while WMIC compiles updated MOF files.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#12 Oh My! (Malware Response Instructor)

Posted 06 November 2012 - 10:32 AM

Hi Tom,

Looks like she is the administrator so we are getting the same results.

Please run this for me to see if we can bring those items back.


===================================================


Unhide

--------------------

  • Please download Unhide to your desktop
  • Double click the [image] icon
  • Once the program has completed a Windows alert will be displayed stating your files have been restored
  • Please reboot your computer
  • Please copy and paste the contents of the Unhide.txt document which will be created on your desktop

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Unhide.txt
  • Are your icons back?

Gary

#13 mgmtsys (Topic Starter)

Posted 06 November 2012 - 04:40 PM

Hi Gary, thanks again for your help. The icons and start menu are back!

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 11/06/2012 03:34:00 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive
Finished processing the C:\ drive. 65309 files processed.

The C:\DOCUME~1\barb.MSI\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowControlPanel was set to 0! It was set back to 1!
* Start_ShowMyComputer was set to 0! It was set back to 1!
* Start_ShowMyDocs was set to 0! It was set back to 1!
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowRun was set to 0! It was set back to 1!
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!

Restarting Explorer.exe in order to apply changes.

Program finished at: 11/06/2012 03:36:53 PM
Execution time: 0 hours(s), 2 minute(s), and 53 seconds(s)
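
The Unhide log above shows what this family of FakeHDD rogue actually does to a profile: it flips user files and folders to Hidden (the cause of the vanished desktop icons described in post #7), it may move Start Menu shortcuts into %TEMP%\smtmp (that folder was absent here), and it zeroes a set of Start_Show* values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. The PowerShell script below is an added example written for this page, not Unhide's own code, and it reverses those changes for the current user. It assumes PowerShell is installed on the XP machine (an optional download there) and that it runs as the affected user, since the Start_Show* values live under that user's HKCU. Two choices are this example's own: items that also carry the System attribute are left alone so legitimately hidden OS files such as desktop.ini stay hidden, and values under the Explorer/System policy keys are listed for review rather than deleted, because the DDS log in post #1 shows legitimate autorun policies (NoDriveTypeAutoRun) living in those same keys.

```powershell
# Added example for this thread (not Unhide's code): reverse the changes a
# FakeHDD rogue makes to one user's profile. Assumes PowerShell is installed
# on the XP machine (an optional download there) and that the script runs as
# the affected user, because the Start_Show* values live under that user's HKCU.
param([switch]$DryRun)   # -DryRun reports what would change without touching anything

# Start Menu visibility values the rogue zeroes. 1 = show; Start_ShowRecentDocs
# uses 2 (show as a menu), the same values Unhide restored in the log above.
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$startMenuDefaults = @{
    'Start_ShowControlPanel' = 1; 'Start_ShowMyComputer' = 1; 'Start_ShowMyDocs' = 1
    'Start_ShowMyMusic' = 1;      'Start_ShowMyPics' = 1;     'Start_ShowPrinters' = 1
    'Start_ShowRun' = 1;          'Start_ShowSearch' = 1;     'Start_ShowNetConn' = 1
    'Start_ShowNetPlaces' = 1;    'Start_ShowRecentDocs' = 2
    'Start_ShowSetProgramAccessAndDefaults' = 1
}

function Restore-StartMenuValues {
    if (-not (Test-Path $advancedKey)) { New-Item -Path $advancedKey -Force | Out-Null }
    foreach ($name in $startMenuDefaults.Keys) {
        $want = $startMenuDefaults[$name]
        $have = (Get-ItemProperty -Path $advancedKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($have -ne $want) {
            Write-Host "$name is '$have', setting it to $want"
            if (-not $DryRun) { Set-ItemProperty -Path $advancedKey -Name $name -Value $want -Type DWord }
        }
    }
}

# Clear Hidden on everything under $root except items that also carry System:
# legitimately hidden OS files (desktop.ini) are Hidden+System, while the rogue
# only sets Hidden. Skipping System items is this example's own rule. The
# function is pointed at Desktop and Start Menu folders rather than the whole
# profile, because "Application Data" and "Local Settings" are hidden by design.
function Clear-HiddenAttribute([string]$root) {
    if (-not (Test-Path $root)) { return }
    $count = 0
    foreach ($item in Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue) {
        $attr = $item.Attributes
        $hidden = ($attr -band [IO.FileAttributes]::Hidden) -ne 0
        $system = ($attr -band [IO.FileAttributes]::System) -ne 0
        if ($hidden -and -not $system) {
            if (-not $DryRun) { $item.Attributes = $attr -bxor [IO.FileAttributes]::Hidden }
            $count++
        }
    }
    Write-Host "$root : Hidden cleared on $count item(s)"
}

# The rogue can also drop restrictions under the Explorer/System policy keys.
# List them for review instead of deleting blindly: the DDS log in post #1
# shows legitimate autorun policies (NoDriveTypeAutoRun) living in the same keys.
function Show-PolicyValues {
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            Write-Host ('{0}\{1} = {2}' -f $key, $p.Name, $p.Value)
        }
    }
}

# Variants that move shortcuts rather than hide them stash them in %TEMP%\smtmp
# (the path Unhide checked above); report it if present so the copy-back can
# be done by hand after looking at what is in there.
function Test-SmtmpFolder {
    $smtmp = Join-Path $env:TEMP 'smtmp'
    if (Test-Path $smtmp) {
        Write-Host "Shortcut stash found at $smtmp :"
        Get-ChildItem -Path $smtmp -Recurse -Force | ForEach-Object { Write-Host "  $($_.FullName)" }
    } else {
        Write-Host "No $smtmp folder, so shortcuts were hidden in place, not moved."
    }
}

Restore-StartMenuValues
Clear-HiddenAttribute (Join-Path $env:USERPROFILE 'Desktop')
Clear-HiddenAttribute (Join-Path $env:USERPROFILE 'Start Menu')
Clear-HiddenAttribute (Join-Path $env:ALLUSERSPROFILE 'Start Menu')
Show-PolicyValues
Test-SmtmpFolder
Write-Host 'Log off and back on (or restart explorer.exe) for the Start Menu changes to apply.'
```

Run it once with -DryRun to see which registry values and which files it would touch, then again without the switch. As in this thread, the Start Menu changes only show up once Explorer reloads the per-user settings, so log off and on (or restart explorer.exe) before judging whether the icons are back.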

#14 Oh My! (Malware Response Instructor)

Posted 06 November 2012 - 05:40 PM

Hi Tom,

Great news!

I would like you to check the .NET Framework update again. Don't be surprised if it doesn't work properly. That particular Windows component can be problematic when it comes to updates.
Gary

#15 mgmtsys (Topic Starter)

Posted 07 November 2012 - 04:54 PM

Hi Gary, the .NET Framework update still is not working, but no big deal. I am finally able to run the ESET online scan, which I am about to do now just for giggles. Everything else seems to be working fine. Thanks again!



