
Windows XP Pro missing desktop icons / no System Restore


15 replies to this topic

#1 SJTeeJ

SJTeeJ

  • Members
  • 8 posts

Posted 21 April 2013 - 10:55 PM

After leaving my PC running for the last 2-3 days, my wife went to log me off (I have my own account, her own account, and a separate account for our 2 kids).  When she logged on into her account, there were no desktop icons visible.  I powered down the PC to log her off. I then powered up and logged into my account - same exact thing, no desktop icons.

 

I then rebooted into Safe Mode, and tried to effect a System Restore.  The PC indicated that there were NO restore points to restore to, which is a bunch of crap.  I tried running the latest version of Rogue Killer, which did find about 6 odd things (I can paste the text if needed).

 

Again, oddly..... I can see all my icons booting into safe mode.  I have a 5th Administrator account, and booted into that, and then logged out from that and into my normal personal account.  If I boot normally, I can't see any desktop icons.  And..... the PC won't let me do a System Restore. I also have the Malwarebytes Pro version, and it shows no problems in the log.

 

Now I'll say it.... HELP!  What the F happened to my PC without my knowing about it over the last 3 days?!???

 

Teejay1959


Edited by SJTeeJ, 21 April 2013 - 11:07 PM.



 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,534 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 April 2013 - 01:18 PM

Hello, please post your scan log.

Please run this Windows Repair Tool

  • Run Command Prompt as Administrator. To do that:
      • Go to Start and type cmd.exe in the Search box.
      • It gives you cmd.exe in the upper part. Right-click cmd.exe and select "Run As Administrator".
      • Copy the following command, right-click in the open Command Prompt window and select Paste, then press Enter: sfc /scannow

    This will check the integrity of system files and replace them if needed. Please wait until the scan is done.
  • Please download Windows Repair All in One zip file and unzip it.
      • Open the folder and run Repair_Windows.exe
      • Under "Start Repair" tab click "Start".
      • Click "No" to the prompt.
      • Select all the options.

Edited by boopme, 22 April 2013 - 01:23 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 SJTeeJ


Posted 22 April 2013 - 08:31 PM

Thanks for your assistance.  Mind you, the only way I can boot up and actually see my icons is to boot up in Safe Mode.  I also have McAfee SecurityCenter running on this PC.  However.... the Real-time Scanning in there is turned off and cannot be turned back on!

 

Below is the logfile of the run of RogueKiller:

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : Thomas [Admin rights]
Mode : Scan -- Date : 04/21/2013 20:58:57
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SacReminder (C:\Documents and Settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1868693687-618504908-1359493475-1005[...]\Run : SacReminder (C:\Documents and Settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe) [7] -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800JD-75JNC0 +++++
--- User ---
[MBR] 0abf0f451cab3d444cef17548ccc7615
[BSP] 61089aa54da192ccacc263ab131da6b3 : MBR Code unknown

Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 71868 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 147299985 | Size: 4361 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: MAXTOR STM3320620AS +++++
--- User ---
[MBR] 681f2504b75a080a6e90bd9956d39a28
[BSP] 53fb5e0eb74fec81c99059302b155bb3 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04212013_02d2058.txt >>
RKreport[1]_S_04212013_02d2058.txt

 

Doing exactly the steps you asked produces this message: C:\I386\CMD.EXE

This service cannot be started in Safe Mode

 

Typing CMD.EXE in the Start->Run box does produce a DOS window.

 

Copying and pasting the sfc /scannow  produces THIS message:
 

C:\sfc /scannow

Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.].

 

Now what do I do? Please advise!!


Edited by SJTeeJ, 22 April 2013 - 08:37 PM.


#4 boopme


Posted 22 April 2013 - 08:36 PM

Looks like there may be an MBR Rootkit in the way.
 
Let's check for and confirm the MBR (Master Boot Record) rootkit.

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#5 SJTeeJ


Posted 22 April 2013 - 08:45 PM

Sigh.  Doing what you told me produced an EMPTY log file.  Nothing in it.

 

What now?



#6 boopme


Posted 22 April 2013 - 08:51 PM

Try one more
Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the  save log button, save it to your desktop, then copy and paste it in your next reply.


#7 SJTeeJ


Posted 22 April 2013 - 08:53 PM

Oops.  I didn't quite copy that right.  NOW I have a log file, and here it is:

 

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75JNC0 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



#8 boopme


Posted 22 April 2013 - 09:07 PM

OK, yes, now do the ASW scan.

#9 boopme


Posted 22 April 2013 - 09:12 PM

Also, do you use BackupAgent?

#10 SJTeeJ


Posted 22 April 2013 - 09:26 PM

To my knowledge, I do NOT use BackupAgent.  I do use CCleaner (and try to keep it current), and do a registry backup every time I do a registry scan.  My wife informed me that she saw a notice on the screen from McAfee just prior to her logging me off that said something like "update completed; do you want to reboot now?"  I know in the past I have had problems with McAfee, having to use their own McAfee Removal Tool to actually kill all the damn tendrils that McAfee places in the OS.  Once I had done THAT, then the strange problems went away.  I don't know if that is the problem here, but I wouldn't be surprised if it was.  I am currently running the AV QuickScan and will post the log as soon as it finishes.



#11 SJTeeJ


Posted 22 April 2013 - 09:54 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-22 22:18:29
-----------------------------
22:18:29.656    OS Version: Windows 5.1.2600 Service Pack 3
22:18:29.656    Number of processors: 2 586 0x401
22:18:29.656    ComputerName: XXXXXXXX_PC  UserName: Thomas (sorry, I blanked this out. This doesn't need to be published)
22:18:30.609    Initialize success
22:18:57.531    AVAST engine defs: 13042202
22:19:12.625    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18
22:19:12.640    Disk 0 Vendor: WDC_WD800JD-75JNC0 06.01C06 Size: 76293MB BusType: 3
22:19:12.656    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-20
22:19:12.671    Disk 1 Vendor: MAXTOR_STM3320620AS 3.AAE Size: 305245MB BusType: 3
22:19:12.812    Disk 0 MBR read successfully
22:19:12.828    Disk 0 MBR scan
22:19:12.875    Disk 0 unknown MBR code
22:19:12.890    Disk 0 Partition 1 00     DE Dell Utility Dell 4.1       54 MB offset 63
22:19:12.906    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        71868 MB offset 112455
22:19:12.953    Disk 0 Partition 3 00     DB  CP/M / CTOS MSWIN4.1     4361 MB offset 147299985
22:19:13.000    Disk 0 scanning sectors +156232125
22:19:13.125    Disk 0 scanning C:\WINDOWS\system32\drivers
22:19:36.296    Service scanning
22:20:01.968    Modules scanning
22:20:19.093    Disk 0 trace - called modules:
22:20:19.125   
22:20:20.218    AVAST engine scan C:\WINDOWS
22:20:36.453    AVAST engine scan C:\WINDOWS\system32
22:27:28.296    AVAST engine scan C:\WINDOWS\system32\drivers
22:28:09.593    AVAST engine scan C:\Documents and Settings\Thomas
22:40:28.375    AVAST engine scan C:\Documents and Settings\All Users
22:48:44.156    Scan finished successfully
22:51:18.250    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Thomas\Desktop\MBR.dat"
22:51:18.281    The log file has been saved successfully to "C:\Documents and Settings\Thomas\Desktop\aswMBR.txt"

 

ASW scan now completed:



#12 boopme


Posted 22 April 2013 - 09:58 PM

OK, I believe it may be Clickfree backup.

OK, after that I want to run SFC. It's getting late for me so I may have to check back in the AM.

SFC


Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users: The command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'.


You will need your operating system CD handy.

Open Windows Task Manager by pressing CTRL+SHIFT+ESC

Then click File, then New Task (Run)

In the box that opens type sfc /scannow (there is a space between c and /)

Click OK
Let it run and insert the CD when asked.

#13 SJTeeJ


Posted 29 April 2013 - 07:29 PM

C:\I386\sfc /scannow

Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.].

 

This is the same result I got earlier.  What do I do now?

 

And, I have used ClickFree, but I haven't used it in probably over 1 year.



#14 boopme


Posted 29 April 2013 - 08:08 PM

This should be the resolution.

http://support.microsoft.com/?kbid=296241

#15 SJTeeJ


Posted 29 April 2013 - 08:29 PM

The VeriSign Certificate is present.  I can't restore it as it is already here!





