
No desktop icons or taskbar - desktop.ini in Recent Documents [Solved]


#1 RiverMiss (Member)

I have been a computer professional for many years - since punch cards - ok... Anyway, I am careful, blah, blah, blah, but obviously not careful enough, so... humbling to say, my desktop PC got infected March 11, 2009. I have been looking at and carefully trying options to eradicate whatever has a hold of my machine. This PC has software that requires keys that cost $2000, so redoing it would be extremely costly. Anyway...

It is an XP Pro box - SP2 - I have had too many MS updates stop things from running. I was getting a new computer to take this one off of the internet for good, because of the software that I run on it, when this hit. The old day-late-and-dollar-short story. Anyway...

I had started getting a few stop errors and had been trying to get to the bottom of them. At the point that things went amok I was on the internet, on a site I pay for (an investing site), in a .pdf file in print preview, when I got a blue screen of death with a stop - 0X0000008E (0X0000005X, 0X805509E9, 0XA1AC6C08, 0X00000000).

When I rebooted I had a chkdsk set to run and it ran - it looked like just run-of-the-mill problems, but the results went by too quickly to really tell. On the restart from the chkdsk it ran a second chkdsk and then went to Windows. After logging in I only had wallpaper - no desktop icons or taskbar.

Using Task Manager I scanned with AVG but it detected nothing. I have tried many run-of-the-mill solutions that I read on different websites, such as typing explorer, replacing explorer, etc. Nothing has worked. I cannot run Internet Explorer or System Restore. I did notice the last time I was on the computer that the only thing in Recent Documents was the desktop.ini file. I find that rather odd.

I am retyping the contents, so I hope I get the spaces correct because my writing leaves a bit to be desired:

[ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-12692
IconFile=%SystemRoot%\System32\Shell32.dll
IconIndex=-21
InfoTip=@%SystemRoot%\system32\shell32.dll,-12691

I found a Microsoft article that might help and am including the link below:
http://support.microsoft.com/kb/330132

OK, if it was anyone else's computer I would not be so skittish. Your assistance and hand-holding will be greatly appreciated. I am not sure what should be in the desktop.ini file and did not find the Microsoft article clear enough to proceed. I do believe that malware is at hand and have a long list of things to try, but thought I would start here to get assistance with a game plan.

TYIA

Edited by RiverMiss, 23 April 2009 - 05:27 PM.

#2 RiverMiss (Topic Starter)

I have followed the steps and run into problems and could use some assistance.

I have run the Microsoft Malicious Software finder Quick Scan and it found nothing.

I ran Symantec's FixVundo.exe and it found nothing.

I installed Malwarebytes, but it would not run.
I am using Task Manager and have to browse down to mbam.exe, but I could not get the program to run.

I ran rooter.exe & the log follows:

Microsoft Windows XP Professional (5.1.2600) Service Pack 2

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:148930 Mo/Free:3478 Mo)
D:\ [Fixed] - NTFS - (Total:238472 Mo/Free:3011 Mo)
E:\ [Removable] (Total:1927 Mo/Free:1785 Mo)
R:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
S:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Sat 05/30/2009| 6:25

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\LEXBCES.EXE
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\LEXPPS.EXE
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\WINDOWS\system32\CTsvcCDA.exe
---------- C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
---------- C:\WINDOWS\system32\HPZipm12.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\MsPMSPSv.exe
---------- C:\PROGRA~1\AVG\AVG8\avgemc.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\Program Files\AVG\AVG8\avgcsrvx.exe
---------- C:\WINDOWS\system32\taskmgr.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sat 05/30/2009| 6:26

----------------------\\ Scan completed at 6:26

I ran OTList and received an error:
"Access violation @ address 00506627 in module 'OTListIt2.exe'. Read of address 00000000."
Below that, the scan stopped at the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder...
I tried to run it a few times with the same result.

I am appreciative of any assistance I can get with this problem.

Karen
#3 pauline addis (Visiting Consultant)

Hello Karen,

Welcome to Geeks to Go!
Sorry for the delay.

Please do as follows:
  • Download ComboFix by sUBs to your Desktop.

    Link 1
    Link 2

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click combofix.exe and follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (shown as an image in the original post). Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  • CF disconnects your machine from the Internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#4 RiverMiss (Topic Starter)

Hello Pauline,

I do not have the internet available from my XP machine. The malware has it disabled, so do I need different directions? And no, the Recovery Console is not currently installed on the infected machine.

I had to buy a new computer that I am now using to access the internet and get directions and files and do my work but I still need to get that computer functional again.

Thank you,

Karen

Edited by RiverMiss, 01 June 2009 - 08:30 AM.

#5 pauline addis (Visiting Consultant)

Hello Karen,

Please do as follows to install the Recovery Console manually with ComboFix:

  • Download ComboFix by sUBs to your Desktop.

    Link 1
    Link 2

  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Select the download that's appropriate for your Operating System


  • Download the file and save it as it is originally named, then transfer this file to the desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
#6 RiverMiss (Topic Starter)

Dear Pauline,

I do not have access to the desktop on this computer. I do not have a taskbar either. I only have wallpaper. I have to do everything using the Task Manager. Do you understand this? I am feeling a bit frustrated since all of the directions are requesting me to do things using things that are not available and that is the problem. Also, I do not have a taskbar way to stop AVG from running since I have no taskbar.

It has always been my understanding that you would not try to install the Recovery Console on a computer that is this messed up. We do not really know what is wrong with the computer and trying to install something like that could be a bad thing from my experience. When I tried to access the recovery console using my XP CD I got a message that it could not find the hard drive. That was a while ago and I could try again but it would be preferable to use the CD and not try to install the recovery console at this point using combofix.

It might make more sense to try to run combofix without the Recovery Console install. From the things that I have tried - I have not been able to get anything to run that requires an install. I can run files that run as .exe's but if they have to be installed & then run - no dice. So, does combofix install and then run?

Thanks

Karen

Edited by RiverMiss, 01 June 2009 - 10:15 AM.

#7 pauline addis (Visiting Consultant)

Sorry for that, Karen.


ComboFix doesn't need to be installed, so there is no problem running it.

Concerning the Recovery Console, it's your choice whether to install it or not, but it's much safer to have it, especially if you can't access it with your XP CD.
What are the make and model of your computer?


Let's try something different:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option Last known good configuration, then press Enter.
Did your desktop and taskbar come back? If yes, let's go to the ComboFix step.


If no change:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Do you have the desktop and the taskbar in Safe Mode? If yes, launch ComboFix from the desktop; if not, launch ComboFix through Task Manager (no need to disable AVG, as it is not launched in Safe Mode).

Edited by pauline addis, 01 June 2009 - 11:57 AM.

#8 RiverMiss (Topic Starter)

Hi Pauline,

I tried both of those and there is no difference. I have also made a new user and that did not change anything. I tried to restore to a previous restore point and could not.

For my info, please: does ComboFix install or just run?

Thanks,

Karen
#9 pauline addis (Visiting Consultant)

Hi Karen,

ComboFix just runs, so you can launch it from Task Manager.
It does not do any install; it just creates some folders.
#10 RiverMiss (Topic Starter)

Hi Pauline,

Please close this post for the time being.

Thank you.

Karen
#11 RiverMiss (Topic Starter)

Hi Pauline,

Here are my dds.scr scan logs:


==== Installed Programs ======================

WILLPower
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat Elements 6.0
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
Adobe Reader 7.0.8
Adobe Reader 7.0.9
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
Advanced Analyzer
AnswerWorks Runtime
Apple Software Update
ATI Control Panel
ATI Display Driver
AVG Free 8.0
Banctec Service Agreement
Broadcom Advanced Control Suite 2
Business Complete Care Services Agreement
Classic PhoneTools
Corel Applications
Creative MediaSource
Creative System Information
Creative Zen Nano Plus
DeductionPro 2003
DeductionPro 2004-05
DeductionPro 2005-06
DeductionPro 2006
DeductionPro 2007
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Networking Guide
Dell System Restore
DQ DSL Modem
Dr Watson for Microsoft Windows OneCare Live v1.1.1067.14
Dragon NaturallySpeaking 9
FileMaker Pro 5.0
Horizons - 1.00.05
Horizons - 1.00.09
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP LaserJet 3050/3052/3055/3390/3392 2.0
HP Software Update
hppFaxDrv3390
hppFaxUtility
hppFonts
hppIOFiles
hppLJ3390
hppManuals3390
hppscan3390
hppScanTo
hppSendFax
hppTooCool
hppToolBoxFX
hpzTLBXFX
Intel Application Accelerator
Intel® 537EP V9x DFV PCI Modem
Internet Explorer Default Page
iPod for Windows 2005-10-12
iTunes
Jasc Animation Shop 3
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 9
Java™ 6 Update 11
Lotus SmartSuite Release 9.5
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Classic Board Games
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 10
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Pro 10
Microsoft Digital Image Suite 10
Microsoft FrontPage Server Extensions 2002
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2005
Microsoft Office XP Professional with FrontPage
Microsoft PhotoDraw 2000 V2
Microsoft Plus! Digital Media Edition
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! for Windows XP
Microsoft Plus! Photo Story 2 LE
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Event Monitor
Modem Helper
Modem On Hold
MSN Money Investment Toolbox
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Musicmatch for Windows Media Player
MUSICMATCH® Jukebox
NumeroLogic - 1.00.02
Pagis Pro 3.0
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Perfect Attorney
PowerDVD 5.3
QFolder
Quicken 2006
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scan
ScanSoft OmniPage Pro 14.0
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Solitaire Master 4
Sonic Update Manager
Sony ACID Music Studio 6.0
Sony DVD Architect Studio 3.0a
Sony Preset Manager 2.0d
Sony Sound Forge Audio Studio 8.0a
Sony Vegas Movie Studio 6.0a
Sound Blaster
SoundMAX
TaxCut 2004
TaxCut Deluxe 2005
TaxCut Iowa 2007
TaxCut Premium + State 2007
TaxCut Premium 2006
TD AMERITRADE StrategyDesk 1.1
TD AMERITRADE StrategyDesk 1.2
TD AMERITRADE StrategyDesk 1.3
TD AMERITRADE StrategyDesk 2.0
TD AMERITRADE StrategyDesk 2.1
TD AMERITRADE StrategyDesk 2.2
TD AMERITRADE StrategyDesk 2.3
TD AMERITRADE StrategyDesk 2.4_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TD AMERITRADE StrategyDesk 3.0_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TD AMERITRADE StrategyDesk 3.1_4 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TextBridge Pro 9.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
WebEx
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Winning Times - 1.00.12
WinWay Resume Deluxe
Word Connect
WordPerfect Office 12
WriteExpress 3,001 Business & Sales Letters

==== End Of File ===========================



DDS (Ver_09-05-14.01) - NTFSx86
Run by Karen at 13:52:56.50 on Mon 06/01/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/mywaybiz
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [InstantAccess] c:\progra~1\scansoft\textbr~1.0\bin\INSTAN~1.EXE /h
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DSLAGENTEXE] dslagent.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTSysVol] c:\program files\creative\sound blaster\surround mixer\CTSysVol.exe /r
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRunServices: [RegisterDropHandler] c:\progra~1\scansoft\textbr~1.0\bin\REGIST~1.EXE
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156355073093
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tdameritradeevents.webex.com/client/T22L/event/ieatgpc.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-30 06:25 <DIR> --d----- C:\Rooter$
2009-05-30 06:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-30 06:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 06:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 06:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2004-12-01 15:57 3,259 a------- c:\program files\INSTALL.LOG

============= FINISH: 13:53:20.17 ===============

At first glance it looks like something has changed the http's to hxxp's.
Plus, from the previous scan, the lines
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
look a bit fishy.

So, have you dealt with similar issues before?

Do you want me to upload these files as well as post them?

Thank you.

Karen
#12 pauline addis (Visiting Consultant)

Hello Karen,

Please run ComboFix in Safe Mode. If your desktop doesn't come back, please download the 3 files I have attached to this post, and transfer them to the infected computer.

Run nodesktop.reg, and when asked to allow it to merge with your registry, click OK, then OK again when it is complete.

Now, reboot your computer and see if it has allowed you to get your icons and taskbar back.

If that fails, run xp_taskbar_desktop_fixall.vbs, then click Yes at the notice. Your desktop will disappear for a moment, then hopefully, return with all your icons.

Click OK to exit the script.

If that fails too, run FixShell.cmd. It will open an empty command prompt, then close.

Now, reboot your computer and see if it has allowed you to get your icons and taskbar back.

If still no luck, please insert your XP disk. Then, under task manager, click on New task, and in the Create a new task dialog box type sfc /scannow, and click Ok.

This command will start the Windows File Protection service so that it can scan your system's 'protected' files and verify them against the source to ensure that they haven't been corrupted. The tool will replace these files immediately upon finding them.

It can take some time, but it's important to let it run completely.

Now, reboot your computer and see if it has allowed you to get your icons and taskbar back.

If none of those steps correct the problem, we will have to do a repair of your system.

Tell me how it went, and please post the content of the ComboFix log (c:\combofix.txt).

Attached Files


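The three fix files in the post above are attachments whose contents are not reproduced on this page. As an added example, not any of those files and not code from the thread, the script below checks the registry values their names suggest they repair (an assumption on my part: the Winlogon Shell and Userinit values and the Explorer NoDesktop policy) against the Windows XP defaults. It parses a regedit export rather than reading the live registry so it can run offline; the export text and the path C:\WINDOWS\Temp\notshell.exe in it are constructed, and the "expected" Userinit value assumes %SystemRoot% is C:\WINDOWS.

```python
"""Check the registry values that decide whether Explorer, the desktop and
the taskbar appear at logon. Added example, not one of the fix files attached
to the post; the .reg text below is constructed and the expected values are
Windows XP defaults with %SystemRoot% assumed to be C:\\WINDOWS."""
import re

WINLOGON_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Windows XP defaults: the machine-wide shell and the logon helper that starts it.
EXPECTED_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # regedit exports write a backslash as \\ and a double quote as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse the subset of .reg syntax regedit exports use: [key] headers,
    "name"="string" and "name"=dword:hex. Returns {key: {name: value}}.
    Other data types and "name"=- (delete-value) lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def _lookup(mapping, wanted):
    """Registry key paths and value names are case-insensitive."""
    for k, v in mapping.items():
        if k.lower() == wanted.lower():
            return v
    return None


def check_shell_settings(keys):
    """Return findings (strings) for anything that would leave a user with
    wallpaper only; an empty list means these values look stock."""
    findings = []
    winlogon = _lookup(keys, WINLOGON_HKLM) or {}
    for name, want in EXPECTED_WINLOGON.items():
        got = _lookup(winlogon, name)
        if got is None:
            findings.append(f"HKLM Winlogon\\{name} is missing (expected {want!r})")
        elif str(got).lower() != want.lower():
            findings.append(f"HKLM Winlogon\\{name} = {got!r}, expected {want!r}")
    # A per-user Shell value silently overrides the machine-wide one.
    user_shell = _lookup(_lookup(keys, WINLOGON_HKCU) or {}, "Shell")
    if user_shell is not None:
        findings.append(f"HKCU Winlogon\\Shell = {user_shell!r} overrides explorer.exe for this user")
    if _lookup(_lookup(keys, EXPLORER_POLICY) or {}, "NoDesktop") == 1:
        findings.append("HKCU Policies\\Explorer\\NoDesktop = 1 hides every desktop icon")
    return findings


# Constructed export of a tampered machine (not taken from the thread).
TAMPERED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\Temp\\notshell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
'''

# What a corrective .reg merges: restore the defaults, delete the per-user
# Shell override ("Shell"=- deletes a value) and clear the policy.
REPAIR_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000000
'''

if __name__ == "__main__":
    for finding in check_shell_settings(parse_reg(TAMPERED_EXPORT)):
        print("FINDING:", finding)
    print("after repair:", check_shell_settings(parse_reg(REPAIR_REG)) or "clean")
```

On a real machine the export would come from regedit /e against those three keys; the point of comparing against fixed defaults rather than "whatever is there" is that a replaced Shell or Userinit value looks perfectly valid on its own, and only the comparison shows it is not what Windows shipped with.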

#13 pauline addis (Visiting Consultant)

Hi Karen,

The change from http to hxxp is made by DDS in the log, to avoid opening the links inadvertently if some are bad. It's ok.

The 2 processes from the rooter log are ok.


This is the only line I see which should be removed by combofix
c:\program files\INSTALL.LOG


Apart from that, your log is clean. So if there is something, it's hidden. Let's see what ComboFix brings back.


Also, some of your programs are outdated: Adobe Reader, Java and AVG. But we need you to recover your computer in a better working state and Internet to proceed.


Can you please attach the 2 DDS logs in your next reply. They are not complete there, and it's important that I can see all the info they give.


Thanks!
Pauline
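Karen asked about the \??\ prefix on csrss.exe and winlogon.exe in the rooter log, and the reply above says those two processes are fine. As an added example, not part of the thread and not code from rooter.exe, the script below writes out the normalisation a triager does in their head: it maps the NT-native path forms to Win32 paths and flags an image only when its location is actually unusual, holding the core Windows binaries to %SystemRoot%\system32. The process lines are copied from the rooter log above; the final C:\WINDOWS\svchost.exe line is constructed to show a hit, and C:\WINDOWS as %SystemRoot% is an assumption.

```python
"""Normalise image paths from a process listing such as the rooter.exe log and
flag images that are not where a stock Windows XP process should be.
Added example; not part of rooter.exe or of the thread."""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: %SystemRoot% on the machine in question

# Core Windows processes that are always loaded from %SystemRoot%\system32;
# the same file name anywhere else is a classic sign of masquerading.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Directories a normal service or application image is expected under.
EXPECTED_ROOTS = (r"C:\WINDOWS\system32", r"C:\Program Files", r"C:\PROGRA~1")

_LINE = re.compile(r"^(--Locked--|-{10})\s+(.*\S)\s*$")
_DRIVE = re.compile(r"^[A-Za-z]:\\")


def to_win32_path(native):
    r"""Translate NT-native path forms into Win32 paths.
    \??\C:\x is the object-manager alias for C:\x, and \SystemRoot\x is a
    symbolic link to %SystemRoot%\x; both are normal for processes that
    smss.exe starts before Win32 drive letters are in use. Returns None
    for entries that have no file path (the kernel pseudo-processes)."""
    if native.startswith("\\??\\"):
        return native[4:]
    if native.lower().startswith("\\systemroot\\"):
        return ntpath.join(SYSTEM_ROOT, native[len("\\SystemRoot\\"):])
    if _DRIVE.match(native):
        return native
    return None


def _under(path, root):
    """Case-insensitive 'path is inside root' test for Windows paths."""
    return ntpath.normcase(path).startswith(ntpath.normcase(root) + "\\")


def triage(log_lines):
    """Return (state, native_path, win32_path, verdict) for each process line."""
    rows = []
    for line in log_lines:
        m = _LINE.match(line)
        if m is None:
            continue
        state = "locked" if m.group(1) == "--Locked--" else "ok"
        native = m.group(2)
        win32 = to_win32_path(native)
        if win32 is None:
            verdict = "kernel"
        elif (ntpath.basename(win32).lower() in CORE_SYSTEM32
              and not _under(win32, ntpath.join(SYSTEM_ROOT, "system32"))):
            verdict = "review: core binary outside system32"
        elif any(_under(win32, root) for root in EXPECTED_ROOTS):
            verdict = "expected"
        else:
            verdict = "review: unusual location"
        rows.append((state, native, win32, verdict))
    return rows


# Lines copied from the rooter.exe log in the thread; the last line is
# constructed to show what a masquerading svchost.exe would look like.
SAMPLE_LOG = r"""
--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
---------- C:\Rooter$\RK.exe
---------- C:\WINDOWS\svchost.exe
""".strip().splitlines()

if __name__ == "__main__":
    for state, native, win32, verdict in triage(SAMPLE_LOG):
        print(f"{state:6} {verdict:38} {win32 or native}")
```

Note that the check is deliberately about location, not about the \??\ or \SystemRoot\ spelling: the two csrss.exe and winlogon.exe lines normalise to system32 and come out "expected", while C:\Rooter$\RK.exe is reported simply because nothing in the allow-list covers it (which is correct: it is the scanner itself, and a triager should know that rather than have the script assume it).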

#14 pauline addis (Visiting Consultant)

sorry, double post

Edited by pauline addis, 04 June 2009 - 02:06 AM.

#15 RiverMiss (Topic Starter)

Hi Pauline,

I am attaching the logs with this post. I won't get to run combofix until hopefully later today. My days never go as I plan unfortunately... :)

Thanks,

Karen

Attached Files

