Solved

No Desktop after virus and spyware removal

Posted on 2008-10-24
9
724 Views
Last Modified: 2013-11-22
Computer running XP Pro, SP3 with AVG Antivirus.  Client seeing popups indicative of Smitfraud and Winantiviruspro malware.  Ran Malwarebytes, Smitfraudfix, removed malware.  Rebooted and no desktop icons, taskbar or start button.  I can get these in Safe Mode and I can get to Task Manager and run Internet Explorer.  Trying to run Explorer.exe gets error message saying I do not have appropriate permissions to access the item.  Ran repair install of XP and everything was fine (desktop returned to normal), until I reinstalled SP3.  It then returned to the same behavior.  It displays a malware message before the Welcome screen.
0
Comment
Question by:jimblunt
9 Comments
 
LVL 2

Accepted Solution

by:
patmoli earned 500 total points
ID: 22798738
I also use Combofix for these types of problems.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22798964
0
 

Author Comment

by:jimblunt
ID: 22801005
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:54:13, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Charlie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O4 - HKLM\..\Run: [lphctkrj0e513] C:\WINDOWS\System32\lphctkrj0e513.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Argentum Backup] "C:\Program Files\Argentum Backup\ab.exe" /startup
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - HKCU\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://msm.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: ikcllotx - C:\WINDOWS\SYSTEM32\ikcllotx.dll
O20 - Winlogon Notify: jmfgpdso - C:\WINDOWS\SYSTEM32\jmfgpdso32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)

I analyzed it at Hijackthis.de and made the suggested changes.  Still no desktop.
0
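The posted log shows the three shapes an analyst looks for first in a HijackThis report: random-named binaries dropped into System32 (lphctkrj0e513.exe, ikcllotx.dll, jmfgpdso32.dll under O4/O20), a service pointed at an NTFS alternate data stream (svchost.exe:ext.exe under O23), and orphaned "(file missing)" references left behind by an earlier cleanup. The following is an added triage script, not part of the thread and not a HijackThis or Hijackthis.de feature; the SAMPLE_LOG is a constructed excerpt modelled on the log above, and the "random-looking name" heuristic is my own crude rule that a real triage would back with an allowlist.

```python
import re
from typing import List, Tuple

# Constructed sample: an excerpt modelled on the HijackThis log posted above
# (O2/O4/O20/O23 lines with the same shapes), used here as offline input.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O4 - HKLM\..\Run: [lphctkrj0e513] C:\WINDOWS\System32\lphctkrj0e513.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: ikcllotx - C:\WINDOWS\SYSTEM32\ikcllotx.dll
O20 - Winlogon Notify: jmfgpdso - C:\WINDOWS\SYSTEM32\jmfgpdso32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")               # "O4 - <payload>"
FILE_RE = re.compile(r"([\w~-]+)\.(exe|dll)\b", re.IGNORECASE)   # exe/dll names on the line
ADS_RE = re.compile(r"([\w~-]+\.exe:[^\\\s]+)", re.IGNORECASE)   # "svchost.exe:ext.exe"
VOWELS = set("aeiouy")

# Sections that load code at logon or boot: the usual persistence points
# in a Smitfraud-style infection.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O21", "O23"}


def looks_random(stem: str) -> bool:
    """Crude 'random-looking' test (assumption, not a HijackThis rule):
    8+ alphanumerics with digits mixed in, or very few vowels."""
    s = stem.lower()
    if len(s) < 8 or not s.isalnum():
        return False
    letters = [c for c in s if c.isalpha()]
    has_digit = any(c.isdigit() for c in s)
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return has_digit or vowel_ratio < 0.3


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, payload) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Flag autostart entries worth an analyst's attention.

    Returns (section, filename, reason) tuples; everything else is left alone."""
    findings = []
    for section, payload in parse_entries(log_text):
        if section not in AUTOSTART_SECTIONS:
            continue
        ads = ADS_RE.search(payload)
        if ads:
            # A service binary referenced through an NTFS alternate data stream
            # does not show up in a normal directory listing.
            findings.append((section, ads.group(1), "alternate data stream"))
            continue
        files = list(FILE_RE.finditer(payload))
        if not files:
            continue
        name, stem = files[-1].group(0), files[-1].group(1)
        if "(file missing)" in payload:
            # Orphaned registry reference: inert by itself, but the entry
            # should be removed so nothing can re-point it at a new dropper.
            findings.append((section, name, "dangling reference"))
        elif "system32" in payload.lower() and looks_random(stem):
            # Random-named binaries dropped straight into System32 are the
            # pattern in the posted log (lphctkrj0e513.exe, ikcllotx.dll).
            findings.append((section, name, "random-looking name in System32"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {name:<28} {reason}")
```

Run against the sample it reports the three random-named System32 files, the ADS-backed service and the two dangling references, and stays quiet on ctfmon.exe, WgaLogon.dll and the AVG service, which is the split an analyst would want before deciding what to fix; the name heuristic is deliberately scoped to System32 because legitimate vendor binaries elsewhere (avgwdsvc.exe) look just as "random".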
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22801055
Hi,

Simply making fixes with HJT on this bad of an infection will not work. I second the opinion of patmoli and go with combofix here.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22801118
Yeah, you still seem infected. You could also try Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
0
 

Author Comment

by:jimblunt
ID: 22801200
Combofix seems to have repaired it.  Thanks!  Any ideas as to why this machine got so infected?  It had a current copy of AVG Antivirus 8.0 that was up to date.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22801217
There's a number of ways you could've been infected. You could have installed some kind of bogus software that installed them, there could've been some sort of browser exploit that was triggered when you went onto a website, etc. I would send one more updated HijackThis log just in case even though ComboFix usually gets everything. Also, use the "Attach File" option to send the log.
0
 

Author Comment

by:jimblunt
ID: 22801281
I may have spoken too soon.  Reinstalled the AVG, updated it and it has found two rootkits and another trojan.  Also, when I plugged in a USB stick, it asked what program I wanted to open the drive with.  The new HJT log is attached.
I am a vendor for AVG and this is the first time a client has reported a virus getting past it in over two years.  Hence, my concern about where he got this virus attack.
hijackthis.log
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22801396
Well, your log seems clean unless you have a rootkit. Even if you have some sort of rootkit, AVG might've detected some files that weren't running so they were pretty harmless. If it asks what program you want to open, maybe run:
regsvr32 /i shell32.dll
You can still download other virus scanners and scan but the virus should be gone for the most part. You may have some leftovers but they should be pretty harmless since they're inactive.
0
