Solved

No Desktop after virus and spyware removal

Posted on 2008-10-24
9
687 Views
Last Modified: 2013-11-22
Computer running XP Pro, SP3 with AVG Antivirus.  Client seeing popups indicative of Smitfraud and Winantiviruspro malware.  Ran Malwarebytes, Smitfraudfix, removed malware.  Rebooted and no desktop icons, taskbar or start button.  I can get these in Safe Mode and I can get to Task Manager and run Internet Explorer.  Trying to run Explorer.exe gets error message saying I do not have appropriate permissions to access the item.  Ran repair install of XP and everything was fine (desktop returned to normal), until I reinstalled SP3.  It then returned to the same behavior.  It displays a malware message before the Welcome screen.
0
Comment
Question by:jimblunt
9 Comments
 
LVL 2

Accepted Solution

by:
patmoli earned 500 total points
Comment Utility
I also use Combofix for these types of problems.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 22

Expert Comment

by:orangutang
Comment Utility
0
 

Author Comment

by:jimblunt
Comment Utility
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:54:13, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Charlie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O4 - HKLM\..\Run: [lphctkrj0e513] C:\WINDOWS\System32\lphctkrj0e513.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Argentum Backup] "C:\Program Files\Argentum Backup\ab.exe" /startup
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - HKCU\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://msm.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: ikcllotx - C:\WINDOWS\SYSTEM32\ikcllotx.dll
O20 - Winlogon Notify: jmfgpdso - C:\WINDOWS\SYSTEM32\jmfgpdso32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)

I analyzed it at Hijackthis.de and made the suggested changes.  Still no desktop.
0
 
LVL 20

Expert Comment

by:IndiGenus
Comment Utility
Hi,

Simply making fixes with HJT on this bad of an infection will not work. I second the opinion of
patmoli and go with combofix here.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 22

Expert Comment

by:orangutang
Comment Utility
Yeah, you still seem infected. You could also try Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
0
 

Author Comment

by:jimblunt
Comment Utility
Combofix seems to have repaired it.  Thanks!  Any ideas as to why this machine got so infected.  It had a current copy of AVG Antivirus 8.0 that was up to date.
0
 
LVL 22

Expert Comment

by:orangutang
Comment Utility
There's a number of ways you could've been infected. You could have installed some kind of bogus software that installed them, there could've been some sort of browser exploit that was triggered when you went onto a website, etc. I would send one more updated HijackThis log just in case even though ComboFix usually gets everything. Also, use the "Attach File" option to send the log.
0
 

Author Comment

by:jimblunt
Comment Utility
I may have spoken too soon.  Reinstalled the AVG, updated it and it has found two rootkits and another trojan.  Also, when I plugged in a USB stick, it asked what program I wanted to open the drive with.  The new HJT log is attached.
I am a vendor for AVG and this is the first time a client has reported a virus getting past it in over two years.  Hence, my concern about where he got this virus attack.
hijackthis.log
0
 
LVL 22

Expert Comment

by:orangutang
Comment Utility
Well, your log seems clean unless you have a rootkit. even if you have some sort of rootkit. AVG might've detected some files that weren't running so they were pretty harmless. If it asks what program you want to open, maybe run:
regsvr32 /i shell32.dll
You can still download other virus scanners and scan but the virus should be gone for the most part. You may have some leftovers but they should be pretty harmless since they're inactive.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This video discusses moving either the default database or any database to a new volume.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now