Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Unable to access functional desktop

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Unable to access functional desktop

Unread postby perhansa » March 15th, 2009, 5:20 pm

This infection is on a 3 Ghz Win XP running SP3 with updates valid as of 3/1/09.


Initially I was unable to get spybot or any antispyware software to run. The system comes up to a blank desktop (no start button, no icons, no taskbar).
I have to bring up task manager to get a run command to initiate any program. After spybot has run I then initiate Explorer that executes numerous (15-20)
command windows. At that point the desktop appears with all functions available. However, I can't run Windows update, IE7 states that it is doing the
ActiveX check and then returns Error number: 0x8007000B. The reason that I am attaching the word documents is that they are screen shots of the Spybot main
screen showing the problems identified. However the situation is not resoved by having Spybot fix them. They still exist when I reboot. It seems that they
are loaded in wininit.ini. I have done a search search for all files containing uac*.* these seem to be the culprits identified by Spybot as components of
win32.TDSS.rtk. I also have been infected by win32.Agent.pz as identified by Spybot. I am going to go ahead and boot into a bart pe session and delete the
ime directory and then reboot and see what happens.
Any ideas that you can provide I would be most appreciative.



Logfile of HijackThis v1.97.7
Scan saved at 11:34:18 AM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\CD_DVD\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\CD_DVD\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe
E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
O:\Download\Web Tools\SpyWare Removal\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe Acrobat 7\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Program Files\CD_DVD\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\M$O2K3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4835282234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ED04504-AC75-4F5D-8E7A-4CA0966E95D1}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B50EFE1C-5452-46E4-B9E3-713D7DAE39D2}: NameServer = 192.168.2.1



StartupList report, 3/15/2009, 11:43:43 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16791)
* Using default options
==================================================

Running processes:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\CD_DVD\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\CD_DVD\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Program Files\Internet\Spybot - Search & Destroy\FRED.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe
E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\perhansa\Start Menu\Programs\Startup]
Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\sdra64.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
SoundMan = SOUNDMAN.EXE
AlcWzrd = ALCWZRD.EXE
Alcmtr = ALCMTR.EXE
Acrobat Assistant 7.0 = "E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe"
NeroFilterCheck = C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
RoboForm = "E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
AlcoholAutomount = "E:\Program Files\CD_DVD\Alcohol 120\axcmd.exe" /automount

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - E:\Program Files\Adobe Acrobat 7\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - E:\PROGRA~1\Internet\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
RoboForm - E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
(no name) - E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windows ... 4835282234

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10a.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/s ... wflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\TEMP\UACaf0c.tmp||C:\WINDOWS\system32\UACapynapxy.dll||C:\WINDOWS\system32\UACfoqpkcxe.dll||C:\WINDOWS\system32\UACfrmtyrxj.dll||C:\WINDOWS\system32\UACijnbevyk.dll_old||C:\WINDOWS\system32\UACijnbevyk.dll||C:\WINDOWS\system32\UACpbatnfvv.dll||C:\WINDOWS\system32\drivers\UACjrndddot.sys||C:\WINDOWS\system32\UACdstddekg.log_old||C:\WINDOWS\system32\UACdstddekg.log||C:\WINDOWS\system32\UACrypxmnlm.dat_old||C:\WINDOWS\system32\UACrypxmnlm.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,258 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


ACDSee 4.0
ACDSee 4.0 Service Release 1
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AI RoboForm (All Users)
Avery DesignPro
FairUse Wizard 2
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) Processor ID Utility
InterActual Player
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.6)
Nero 8
neroxml
NVIDIA Drivers
Realtek High Definition Audio Driver
RunAlyzer
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VCRedistSetup
VLC media player 0.9.4
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
WinZip
perhansa
Active Member
 
Posts: 1
Joined: March 15th, 2009, 2:06 pm
Top
Advertisement
Register to Remove

Re: Unable to access functional desktop

Unread postby NonSuch » April 7th, 2009, 1:44 am

We are sorry you have waited so long for a response. As you can see, we are quite busy as are all the other help forums. Also, it is possible that you received no response because there was no malware evident in your HijackThis log.

If you still require help, please start a new topic and post a fresh HijackThis log, along with a complete description of all symptoms you are currently experiencing that make you feel your system is infected with malware. Also, in the same post, please include an Uninstall List.

To create an Uninstall List, open HijackThis and, from the Main Menu > click on the "Open the Misc Tools section" button > click "Open Uninstall Manager" > click "Save List." Save the list to your Desktop or any convenient location. Next, copy the contents of the Uninstall List and paste it into the same post as your HijackThis log.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here, and be sure to include your Uninstall List: >Guideline for posting your HijackThis log<
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Top
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 580 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index