Solved

No Desktop after virus and spyware removal

Posted on 2008-10-24
9
730 Views
Last Modified: 2013-11-22
Computer running XP Pro, SP3 with AVG Antivirus.  Client seeing popups indicative of Smitfraud and Winantiviruspro malware.  Ran Malwarebytes, Smitfraudfix, removed malware.  Rebooted and no desktop icons, taskbar or start button.  I can get these in Safe Mode and I can get to Task Manager and run Internet Explorer.  Trying to run Explorer.exe gets error message saying I do not have appropriate permissions to access the item.  Ran repair install of XP and everything was fine (desktop returned to normal), until I reinstalled SP3.  It then returned to the same behavior.  It displays a malware message before the Welcome screen.
0
Comment
Question by:jimblunt
9 Comments
 
LVL 2

Accepted Solution

by:
patmoli earned 500 total points
ID: 22798738
I also use Combofix for these types of problems.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22798964
0
 

Author Comment

by:jimblunt
ID: 22801005
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:54:13, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Charlie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O4 - HKLM\..\Run: [lphctkrj0e513] C:\WINDOWS\System32\lphctkrj0e513.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Argentum Backup] "C:\Program Files\Argentum Backup\ab.exe" /startup
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - HKCU\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://msm.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: ikcllotx - C:\WINDOWS\SYSTEM32\ikcllotx.dll
O20 - Winlogon Notify: jmfgpdso - C:\WINDOWS\SYSTEM32\jmfgpdso32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)

I analyzed it at Hijackthis.de and made the suggested changes.  Still no desktop.
0
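The log posted above already contains the indicators that decided this case: two Winlogon Notify DLLs with machine-looking names (ikcllotx.dll, jmfgpdso32.dll), an HKLM Run entry with a matching random name (lphctkrj0e513), and a service whose binary is an NTFS alternate data stream hidden behind svchost.exe (svchost.exe:ext.exe). As an added example for this thread, not HijackThis's code and not the poster's, the Python script below parses the O4 / O20 / O23 line formats HJT emits and flags exactly those structural signs; the Winlogon Notify allowlist and the vowel-ratio threshold are assumptions chosen for illustration, and the sample lines are copied from the log in the thread.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread (not HijackThis's code, not the poster's). It
parses the O4 / O20 / O23 line formats HJT emits and flags the structural red
flags a reviewer otherwise looks for by hand: an executable path that hides an
alternate data stream (ADS), Winlogon Notify DLLs that are not on a known-good
list, and auto-start names that look machine-generated.
"""
from __future__ import annotations

import re

# Constructed sample: entries copied verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [lphctkrj0e513] C:\WINDOWS\System32\lphctkrj0e513.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: ikcllotx - C:\WINDOWS\SYSTEM32\ikcllotx.dll
O20 - Winlogon Notify: jmfgpdso - C:\WINDOWS\SYSTEM32\jmfgpdso32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Winlogon Notify packages that ship with Windows XP (WGA notification and the
# Digital Identity Management Service). ASSUMPTION: illustrative, not exhaustive.
KNOWN_NOTIFY = {"wgalogon", "dimsntfy"}

# ".exe:name" or ".dll:name" inside a path is an NTFS alternate data stream:
# the service binary lives in a stream hidden behind a legitimate system file.
ADS_RE = re.compile(r"\.(?:exe|dll|sys):[\w.]+", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

VOWELS = set("aeiou")


def looks_generated(name: str) -> bool:
    """Heuristic for machine-generated names like ikcllotx or lphctkrj0e513.

    ASSUMPTION: 8+ characters with fewer than 30% vowels among the letters.
    Real Windows components can trip this (dimsntfy does), so pair it with an
    allowlist rather than acting on it alone.
    """
    letters = [c for c in name.lower() if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.3


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, line, reason) for every HJT line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        missing = line.endswith("(file missing)")

        # Checked first: an ADS in any executable path is a red flag on its own.
        if ADS_RE.search(line):
            findings.append(("high", line, "executable path carries an alternate data stream"))
            continue

        m = O4_RE.match(line)
        if m:
            if looks_generated(m["name"]):
                findings.append(("high", line, "autostart value name looks machine-generated"))
            continue

        m = O20_RE.match(line)
        if m:
            name = m["name"].lower()
            if name in KNOWN_NOTIFY:
                if missing:
                    findings.append(("low", line, "orphaned Winlogon Notify entry (file missing)"))
            elif looks_generated(name):
                findings.append(("high", line, "Winlogon Notify DLL not on allowlist, name looks machine-generated"))
            else:
                findings.append(("medium", line, "Winlogon Notify DLL not on allowlist"))
            continue

        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner" and not missing:
            findings.append(("medium", line, "service registered with unknown owner"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample it reports five findings: the random-named Run entry, the two random-named Notify DLLs and the ADS-backed service as high, and the orphaned dimsntfy entry as low. The ordering matters in practice: a Winlogon Notify DLL or an ADS-backed service is loaded before the desktop shell, which is consistent with a message appearing before the Welcome screen and with Explorer.exe being blocked, so an HJT fix that only deletes registry lines leaves the loaded component in place, which is why the thread moved on to ComboFix.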
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22801055
Hi,

Simply making fixes with HJT on this bad of an infection will not work. I second the opinion of patmoli and go with combofix here.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22801118
Yeah, you still seem infected. You could also try Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
0
 

Author Comment

by:jimblunt
ID: 22801200
Combofix seems to have repaired it.  Thanks!  Any ideas as to why this machine got so infected?  It had a current copy of AVG Antivirus 8.0 that was up to date.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22801217
There are a number of ways you could've been infected. You could have installed some kind of bogus software that installed them, there could've been some sort of browser exploit that was triggered when you went onto a website, etc. I would send one more updated HijackThis log just in case even though ComboFix usually gets everything. Also, use the "Attach File" option to send the log.
0
 

Author Comment

by:jimblunt
ID: 22801281
I may have spoken too soon.  Reinstalled the AVG, updated it and it has found two rootkits and another trojan.  Also, when I plugged in a USB stick, it asked what program I wanted to open the drive with.  The new HJT log is attached.
I am a vendor for AVG and this is the first time a client has reported a virus getting past it in over two years.  Hence, my concern about where he got this virus attack.
hijackthis.log
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22801396
Well, your log seems clean unless you have a rootkit. Even if you have some sort of rootkit, AVG might've detected some files that weren't running, so they were pretty harmless. If it asks what program you want to open, maybe run:
regsvr32 /i shell32.dll
You can still download other virus scanners and scan but the virus should be gone for the most part. You may have some leftovers but they should be pretty harmless since they're inactive.
0
