No Desktop after virus and spyware removal

Computer running XP Pro, SP3 with AVG Antivirus. Client seeing popups indicative of Smitfraud and Winantiviruspro malware. Ran Malwarebytes, Smitfraudfix, removed malware. Rebooted and no desktop icons, taskbar or start button. I can get these in Safe Mode and I can get to Task Manager and run Internet Explorer. Trying to run Explorer.exe gets error message saying I do not have appropriate permissions to access the item. Ran repair install of XP and everything was fine (desktop returned to normal), until I reinstalled SP3. It then returned to the same behavior. It displays a malware message before the Welcome screen.
jimblunt Asked:
 
patmoli Commented:
I also use Combofix for these types of problems.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
orangutang Commented:
0
 
jimblunt (Author) Commented:
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:54:13, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Charlie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O4 - HKLM\..\Run: [lphctkrj0e513] C:\WINDOWS\System32\lphctkrj0e513.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Argentum Backup] "C:\Program Files\Argentum Backup\ab.exe" /startup
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - HKCU\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://msm.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: ikcllotx - C:\WINDOWS\SYSTEM32\ikcllotx.dll
O20 - Winlogon Notify: jmfgpdso - C:\WINDOWS\SYSTEM32\jmfgpdso32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)

I analyzed it at Hijackthis.de and made the suggested changes. Still no desktop.
0
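As an added example (not from this thread, and not a HijackThis feature), a small Python triage pass over a few lines copied from the log above: it flags the NTFS alternate data stream in the ICF service path (`svchost.exe:ext.exe`), random-looking autostart names under O4/O20, and services with an unknown owner. The allowlist and the consonant-run heuristic are assumptions of mine, not HijackThis rules.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [lphctkrj0e513] C:\WINDOWS\System32\lphctkrj0e513.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ikcllotx - C:\WINDOWS\SYSTEM32\ikcllotx.dll
O20 - Winlogon Notify: jmfgpdso - C:\WINDOWS\SYSTEM32\jmfgpdso32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Assumed allowlist: well-known Windows binaries that would otherwise trip the heuristic.
KNOWN_GOOD = {"ctfmon", "svchost", "explorer"}

# First drive-letter path on the line, e.g. C:\WINDOWS\System32\foo.exe (unquoted, no spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")
# Assumed heuristic: four or more consonants in a row reads as machine-generated.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def looks_random(path: str) -> bool:
    """True when the file's base name has a long consonant run and is not allowlisted."""
    base = path.rsplit("\\", 1)[-1].split(".", 1)[0].lower().rstrip("0123456789")
    return base not in KNOWN_GOOD and bool(CONSONANT_RUN.search(base))


def triage(log: str) -> list:
    """Return (reason, line) pairs for log entries a reviewer should look at first."""
    findings = []
    for line in log.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(0)
        # A second ':' after the drive letter means an NTFS alternate data stream.
        if ":" in path[2:]:
            findings.append(("alternate data stream in path", line))
        elif line.startswith(("O4", "O20")) and looks_random(path):
            findings.append(("random-looking autostart name", line))
        if "Unknown owner" in line and "(file missing)" not in line:
            findings.append(("service with unknown owner", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:32} {line}")
```

The ADS check is the one worth keeping even without the name heuristic: a legitimate service path never carries a second colon after the drive letter.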
 
IndiGenus Commented:
Hi,

Simply making fixes with HJT on this bad of an infection will not work. I second the opinion of
patmoli and go with combofix here.
0
 
orangutang Commented:
Yeah, you still seem infected. You could also try Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
0
 
jimblunt (Author) Commented:
Combofix seems to have repaired it. Thanks! Any ideas as to why this machine got so infected? It had a current copy of AVG Antivirus 8.0 that was up to date.
0
 
orangutang Commented:
There's a number of ways you could've been infected. You could have installed some kind of bogus software that installed them, there could've been some sort of browser exploit that was triggered when you went onto a website, etc. I would send one more updated HijackThis log just in case even though ComboFix usually gets everything. Also, use the "Attach File" option to send the log.
0
 
jimblunt (Author) Commented:
I may have spoken too soon. Reinstalled the AVG, updated it and it has found two rootkits and another trojan. Also, when I plugged in a USB stick, it asked what program I wanted to open the drive with. The new HJT log is attached.
I am a vendor for AVG and this is the first time a client has reported a virus getting past it in over two years. Hence, my concern about where he got this virus attack.
hijackthis.log
0
 
orangutang Commented:
Well, your log seems clean unless you have a rootkit. Even if you have some sort of rootkit, AVG might've detected some files that weren't running, so they were pretty harmless. If it asks what program you want to open, maybe run:
regsvr32 /i shell32.dll
You can still download other virus scanners and scan but the virus should be gone for the most part. You may have some leftovers but they should be pretty harmless since they're inactive.
0