
Got rid of "Windows Recovery" but can't get the desktop icons,


  • This topic is locked

#1
qwerty321

qwerty321

    Member

  • Member
  • PipPip
  • 48 posts
Hello

I got affected by "Windows Recovery" malware. After hours, I believe I got rid of it using Spyhunter 4.1.11.0. The symptoms or the pop-ups no longer appear. I have conducted several checks using Spyhunter, which says my system is clean at the moment! I also tried "Reimage" which says there is no malicious software in my computer.

However,
1. I'm unable to see any desktop items, shortcuts, etc.
2. I'm unable to right click on the desktop
3. Desktop is plain black
4. The items in the taskbar are missing.
5. The folder names of programs do appear in the "Start -> All Programs" , however "(empty)" is mentioned when I click the name of the programs.
6. The programs can be used by going to the actual folder, i.e. "C:Program Files/itunes.exe". The files in My Documents function perfectly!

Things I tried
1. At first "Administrators Documents" and "Shared Documents" were hidden. I unticked the Hidden option and applied changes to Folders, Sub-folders and files.
2. I did the same to the items in C:Program Files
3. Downloaded unhide.exe and tried to enter the command mentioned in one of the forums, but I am unable to type anything although I had my antivirus and anti-spyware switched off
4. Went to command prompt and entered command "attrib -h /s /d" as mentioned in one of the pages.

My System is Windows XP, Version 2002, Service Pack 3

Please bear with me. I'm not good at using command prompts
  • 0



#2
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi, qwerty321! Welcome to GeeksToGo! My nick name is Render and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

If you cannot run the following tools from your desktop, please press CTRL+SHIFT+ESC keys on your keyboard. Task Manager should open. Click on New Task... button and then Browse to navigate to downloaded tool. Select it and click on Open button and then OK button to run it.

Please follow the steps below:

Step 1

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Step 2

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.

  • Click the Scan button to start scan.

  • On completion of the scan click Save log, save it to your desktop and post in your next reply.

Step 3

OTL Custom Scan

  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %USERPROFILE%\..|smtmp;true;true;true /FP
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Click the Posted Image button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

When you have completed the above, please post back the following in the order asked for:
  • contents of the RKreport.txt
  • aswMBR log
  • OTL scan log
  • Extras log

  • 0

#3
qwerty321

Hello Render!! Sorry for the late reply. I was unwell so was not able to reply!

Contents of the RKreport.txt

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date : 06/14/2011 00:05:07

Bad processes: 0

Registry Entries: 10
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
[BLACKLIST] HKLM\[...]\Root : LEGACY_SSHNAS () -> FOUND
[SUSP PATH] {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job : c:\windows\snarab.exe -> FOUND
[SUSP PATH] {22116563-108C-42c0-A7CE-60161B75E508}.job : c:\docume~1\admini~1\locals~1\temp\stf.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[HJ] HKCU\[...]\ActiveDesktop : NoChangingWallPaper (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:

[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt

Edited by qwerty321, 13 June 2011 - 01:48 PM.

  • 0

#4
qwerty321

aswMBR log

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-06-14 00:05:52
-----------------------------
00:05:52.046 OS Version: Windows 5.1.2600 Service Pack 3
00:05:52.046 Number of processors: 2 586 0xF0D
00:05:52.046 ComputerName: PCXP UserName:
00:05:52.796 Initialize success
00:06:07.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
00:06:07.265 Disk 0 Vendor: FUJITSU_ 891F Size: 152627MB BusType: 3
00:06:07.265 Disk 0 MBR read successfully
00:06:07.265 Disk 0 MBR scan
00:06:07.265 Disk 0 Windows XP default MBR code
00:06:07.281 Disk 0 scanning sectors +312560640
00:06:07.312 Disk 0 scanning C:\WINDOWS\system32\drivers
00:06:21.921 Service scanning
00:06:23.000 Disk 0 trace - called modules:
00:06:23.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8a67c1e8]<<
00:06:23.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a56c840]
00:06:23.015 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> [0x8a56c020]
00:06:23.015 5 PCTCore.sys[b9c97099] -> nt!IofCallDriver -> \Device\00000084[0x8a519a28]
00:06:23.015 7 ACPI.sys[b9e7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x89fe0030]
00:06:23.031 \Driver\iaStor[0x8a576958] -> IRP_MJ_CREATE -> 0x8a67c1e8
00:06:23.031 Scan finished successfully
00:06:48.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\babu\MBR.dat"
00:06:48.375 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\babu\aswMBR.txt"
  • 0

#5
qwerty321

But I ran into a problem while running OTL Custom Scan

I restarted my computers and killed the processes of all the programs.
I then conducted the OTL Custom Scan following all the steps you mentioned!
However, the computer stops responding when it reaches "Scanning Firefox setting..."
I left the computer that way for an hour and a half although you had said "The scan wont take long."
I repeated the entire process twice!! But the result was the same :)
Did I miss anything?? Or did I do something wrong??

Please help me out!! And thanks a ton for the prompt reply!!
Cheers
  • 0

#6
Render

Hi,

Well... Your computer is infected and that is why OTL is having some problems doing the scan.

Do the following:

Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Then try to run OTL scan from my previous post once again.
  • 0

#7
qwerty321

RKreport.txt


Well, I ran roguekiller.exe again and typed 2. It gave back my wallpaper, but the icons on the desktop were still missing! Running the OTL at the moment but it has stopped again at "Scanning firefox settings..."

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Remove -- Date : 06/14/2011 02:28:35

Bad processes: 0

Registry Entries: 10
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> DELETED
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> DELETED
[BLACKLIST] HKLM\[...]\Root : LEGACY_SSHNAS () -> DELETED
[SUSP PATH] {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job : c:\windows\snarab.exe -> DELETED
[SUSP PATH] {22116563-108C-42c0-A7CE-60161B75E508}.job : c:\docume~1\admini~1\locals~1\temp\stf.exe -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> DELETED
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> DELETED
[HJ] HKCU\[...]\ActiveDesktop : NoChangingWallPaper (1) -> REPLACED (0)
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:

[...]


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
  • 0
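
The two RogueKiller reports posted above differ only in mode and per-entry status, so they can be compared mechanically. The following is an added example, not part of the thread and not RogueKiller's own code: it parses the registry lines of a Scan report and a Remove report and lists findings the Remove run did not mark DELETED or REPLACED. The function names and the line grammar are assumptions inferred from the lines quoted in posts #3 and #7.

```python
import re

# Registry lines copied from the two RKreport.txt logs posted in this thread
# (a subset, to keep the example short).
SCAN = r"""Mode: Scan -- Date : 06/14/2011 00:05:07
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> FOUND
[SUSP PATH] {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job : c:\windows\snarab.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[HJ] HKCU\[...]\ActiveDesktop : NoChangingWallPaper (1) -> FOUND"""
REMOVE = r"""Mode: Remove -- Date : 06/14/2011 02:28:35
[BLACKLIST] HKLM\[...]\services : SSHNAS (%SystemRoot%\system32\svchost.exe -k netsvcs) -> DELETED
[SUSP PATH] {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job : c:\windows\snarab.exe -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> DELETED
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> DELETED
[HJ] HKCU\[...]\ActiveDesktop : NoChangingWallPaper (1) -> REPLACED (0)"""

# Assumed grammar: "[TAG] location : item -> STATUS (optional new value)"
ENTRY = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<loc>.+?)\s+:\s+(?P<item>.+?)"
                   r"\s+->\s+(?P<status>[A-Z]+)(?:\s+\((?P<new>.*)\))?$")
FIXED = {"DELETED", "REPLACED"}

def parse_report(text):
    """Return (mode, {(tag, location, item): status}) for one report."""
    mode, entries = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Mode:"):
            mode = line.split()[1]
        elif (m := ENTRY.match(line)):
            entries[(m["tag"], m["loc"], m["item"])] = m["status"]
    return mode, entries

def unresolved(scan_text, remove_text):
    """Scan-mode findings that the Remove-mode report did not mark as fixed."""
    scan_mode, found = parse_report(scan_text)
    remove_mode, after = parse_report(remove_text)
    if (scan_mode, remove_mode) != ("Scan", "Remove"):
        raise ValueError("expected a Scan report followed by a Remove report")
    return sorted(k for k in found if after.get(k) not in FIXED)

def by_tag(text, tag):
    """Item names reported under one tag, e.g. the HJPOL policy values."""
    return sorted(item for (t, _, item) in parse_report(text)[1] if t == tag)

if __name__ == "__main__":
    print("policy values flagged:", by_tag(SCAN, "HJPOL"))
    print("still unresolved:", unresolved(SCAN, REMOVE))
```

An empty result only means the tool reported every flagged entry as handled; post #7 still describes missing desktop icons after the Remove run, so the report comparison is a check on the tool's output, not on the system's state.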

#8
Render

So I would like you, if you agree, to temporarily uninstall Firefox and all of Firefox's add-ons. Is this OK with you?
  • 0

#9
qwerty321

Sure!! I prefer the laptop to Firefox!! But I should save the bookmarks first!! But I am on my way out and will be back only after about 2 days I guess!! Don't waste your precious time on me for a day at least :)!! I'll uninstall Firefox and the add-ons and do the OTL test and paste the results!! OK?
Thanks for the help!!
Cheers
  • 0

#10
Render

Hi,

No hurry. Please don't uninstall Firefox yet. I will make some coffee and think about it one more time. Please let me know when you will be back.:)
  • 0



#11
qwerty321

P.S.

I have got my desktop icons back too along with the wallpaper!! But it's acting a bit strange!! When I click the "Show desktop" button in the "Quick Launch" next to the Start Menu, all the icons vanish! But the next time I click the show desktop button, the desktop icons come back!!
  • 0

#12
qwerty321

Ok I won't uninstall Firefox until I come back!! Actually I'll be going after 4 hours :unsure: But I won't have any prolonged time to work on the problem until then :)

Enjoy the coffee :yes:
  • 0

#13
Render

Yes. It is typical for that kind of infection. When you return, please try this instead:

OTL Custom Scan

  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    %USERPROFILE%\..|smtmp;true;true;true /FP

  • Click the Posted Image button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open OTL.Txt in Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file and post it with your next reply.

  • 0

#14
qwerty321

Hey Render,

Just followed the above mentioned step. However, the result was the same! Got stuck at "Scanning Firefox Settings" :unsure: Maybe I should uninstall it and run OTL :yes:

I am going away for about two days. I will uninstall firefox and run OTL when I come back. Please mention if you come up with another step. I will try that before I uninstall firefox when I come back!!


Thanks for the help!
Cheers :)
  • 0

#15
Render

Please try this:

Run OTL.exe and click on Quick scan. When finished, post the OTL and Extras logs if the scan is successful.
  • 0





