Missing Startup & Taskbar

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kellyplus, Oct 26, 2005.

  1. kellyplus

    kellyplus Private E-2

    My Dell [Dimension 8400, Intel Pentium 4 540 (3.2GHz), 1 GB DDR2 SDRAM @ 532 MHz] is missing its start button and taskbar...probably the result of spyware.

    I have followed the steps outlined in the READ ME & RUN ME FIRST tutorial where possible, and completed a HJT scan (attached).

    Any suggestions will be appreciated.

    Kellyplus
     
  2. kellyplus

    kellyplus Private E-2

    Followup Information:
    DSL by Bellsouth, 2 computer local network with router.

    Unable to attach HJT log ("Document has no data").
    Desktop icons visible, but not movable.
    Cannot print or add printer. "The print spooler is not running".
    Cannot use IE to use any on-line scans (Can't even download MS updates "Setup could not verify the integrity of the file Update.inf...")
    Unable to disable System Restore: "

    Safe mode scans: Ccleaner found & cleaned multiple problems including TROJ_dloader.
    Ad-Aware SE & Spybot were clean, Ewido found and cleaned TrojDownloader.small.azk.

    Kellyplus
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis again and save a log. Does it show a log like you can see if you peek at other threads?

    If so try attaching the log again. If you are having problems attaching the log, post it inline and I will convert it for you.
     
  4. kellyplus

    kellyplus Private E-2

    Thanks for your response.

    The HJT log file is definitely there in C://Program Files/HijackThis/Hijackthis.log.
    It comes up on wordpad, and I can copy it, but I can neither paste it after copying it, nor upload it as a file attachment.

    (to attempt the paste, I highlighted the entire contents of the wordpad log, then copied it successfully, but when I returned to the message to paste it, the paste option did not recognize the copy.)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CTRL-C copies and CTRL-V should paste. Is this what you are doing? You must have a reply message opened in the editor in order to paste it in. So click Reply and then paste in the message.

    When you try Manage Attachments do you get an error message? If so, what is it?
    Or does it just sit there until it times out?

    Is there a line in the process list that contains cmd.exe on it?

    Like c:\windows\system32\cmd.exe or similar?
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    He can't reply, emailed me, here you go:


    I was able to answer chaslang's first response, but after that each time I've tried to post a reply, I get the message "Document contains no data," obviously a problem with my computer, not the website; although, I got the same result logging in on my wife's computer.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks MA! Looking at the log now!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's start by addressing something simple.

    You should not run multiple antivirus applications. This is mentioned in the READ & RUN ME step 3. You have both eScan and McAfee running. Pick the one you prefer and uninstall the other. Right now I would suggest you uninstall eScan because it seems to be broken anyway as the below O10 line from your HJT logs indicates.

    O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing

    The mwtsp.dll file is part of eScan. We need to fix this broken LSP chain.

    Download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the mwtsp.dll file (in the "Keep" section) to select it.

    Then, Select the >> button to move mwtsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c18.cab
    Do you recognize the IP Addresses in the below O17 lines? If not, fix them too.
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D170DF-A9DE-4553-8E13-11BC81DBAF9B}: NameServer = 85.255.113.139,85.255.112.22
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EA219350-B25F-4304-B0A7-CA6C15D25C3F}: NameServer = 85.255.113.139,85.255.112.22

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and see if you can post a new HJT log. If you cannot attach your log, tell me the exact steps that you are using and exactly what happens.

    And tell me how things are working.
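    The triage in this post (a broken LSP chain in O10, orphaned O2/O9 entries with "(no file)", an O16 ActiveX download, and O17 NameServer entries that may not belong to the ISP) can be done mechanically over a HijackThis log. The following is an added example, not part of the thread or of HijackThis itself; it parses the entry types shown above from a constructed sample log and flags the same things chaslang flags. The "trusted" DNS ranges are an assumption supplied by the caller (the thread never states what the ISP's resolvers are), so anything outside them is reported for the reader to confirm rather than auto-fixed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the entry types from the thread's log, plus one O17 line
# that points at a private (router) address so the "trusted" path is exercised.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D170DF-A9DE-4553-8E13-11BC81DBAF9B}: NameServer = 85.255.113.139,85.255.112.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA219350-B25F-4304-B0A7-CA6C15D25C3F}: NameServer = 192.168.1.1
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
NS_RE = re.compile(r"NameServer = ([\d., ]+)$")


def parse_hjt(text):
    """Return (entry_code, body) pairs for every HJT entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries, trusted_nets):
    """Flag entries a malware helper would look at first.

    trusted_nets: CIDR strings for nameservers that are known-good (assumed input,
    e.g. the home router and the ISP's published resolver ranges).
    Returns (code, reason, original_body) tuples. R0/R1 home-page lines are left to
    manual review, since only the user knows which start page they chose.
    """
    nets = [ip_network(n) for n in trusted_nets]
    findings = []
    for code, body in entries:
        if code == "O10" and "Broken" in body:
            findings.append((code, "broken LSP chain (repair with LSP-Fix)", body))
        elif code in ("O2", "O9") and body.endswith("(no file)"):
            findings.append((code, "orphaned entry (no file on disk)", body))
        elif code == "O16":
            findings.append((code, "ActiveX download (DPF) - verify the host is expected", body))
        elif code == "O17":
            m = NS_RE.search(body)
            if not m:
                continue
            for raw in m.group(1).split(","):
                ip = ip_address(raw.strip())
                if not any(ip in net for net in nets):
                    findings.append((code, f"nameserver {ip} outside trusted ranges", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_HJT_LOG), ["192.168.0.0/16"]):
        print(f"{code:4} {reason}\n     {body}")
```

The two 85.255.x.x resolvers come out as separate findings, while the 192.168.1.1 entry is silent because it falls inside the trusted range passed in; a user who does know their ISP's resolvers would add those ranges to the list.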
     
  9. kellyplus

    kellyplus Private E-2

    testing to see if I can reply to this post.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can!
     
  11. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    > > chaslang,
    > >
    > > Took the recommended actions of your last post to my thread as follows:
    > >
    > > -Removed eScan (Sorry, I didn't know it was in the same hierarchy as
    > > MaAfee.)
    > > -LSP-Fix did not show the mwtsp.dll file, I assume because eScan was
    > > already uninstalled.
    > > -Still cannot disable the System Restore, but proceeded anyway
    > > -Hidden file viewing is enabled
    > > -Ran HJT scan and removed the lines you listed, after closing everything
    > > down.
    > > (I did not remove the O17 lines, since I am concerned they might be
    > > related to Bellsouth DSL or maybe my router? Thought it better to be sure
    > > ...so should they go?)
    > > -Reset Web Settings as directed
    > > -Rebooted in normal mode, ran another HJT scan and, after opening a reply
    > > window, tried to attach the HJT log by clicking on the Manage Attachments
    > > button, browsing for the log file, locating it and selecting it, then
    > > making sure it was correctly listed, then clicked on the upload button and
    > > waiting 3-4 minutes before receiving the "Document contains no data"
    > > message.
    > >
    > > Before that, I got the same result and error message, when after writing
    > > essentially this same information in the reply window, I clicked on the
    > > Post Reply button. Ditto for preliminary viewing of the post.
    > >
    > > My computer is reasonably operational, except for not having the start
    > > button and taskbar. Also, Desktop icons are not movable, my printer
    > > access has disappeared and I cannot add a printer ("Printer Spool is not
    > > operating", on-line scans that require IE will not cooperate, even though
    > > IE will load and browse, (but I was already using Firefox, so no big loss,
    > > but it is symptomatic.) I have been able to use most of my applications,
    > > including the most important one to me, Autocad 2000.
    > >
    > > I believe that's it for now. Thanks for your help, as well as the Major's
    > > for passing on my response in a non-standard way.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why can't you enter your messages here like the one you typed below as a test?

    Try using a different browser like Mozilla FireFox in place of Internet Explorer. See if you can attach a log with it. If not, just post the log as inline text in your message.

    I'm not positive but I doubt those IP addresses are for your ISP.
     
  13. kellyplus

    kellyplus Private E-2

    I have removed them with no ill effects.

    I have tried posting replies many, many times on my machine, before and after the test. With that one exception, I have been timed out every time I have hit the Post Reply button...and I get the FireFox message: "The Document has no data." In Explorer, it's different words, but results are the same...unable to post.

    I tried using my wife's computer, which is networked via router to my machine, and I got the same result. Now I am using a local library computer, on which I will attempt to paste my HJT log, but it may or may not read my CD. Alas, it does not recognize that there is a CD in the drive. So I can only ask for your suggestions of what to do at this point. My computer is still in the same state as reported in my post via MA.

    Two issues stand out to me...

    1. I cannot disable System Restore.
    2. EWIDO keeps finding and removing TrojanDownloader.Small.azk found in C:\WINDOWS\SYSTEM32:hwaa.dll.

    I believe my HJT file is pretty much the same as before, without the O17 items. I did not see the dll file above listed in the log.

    I will eventually find a way to get the log to you.

    This is all I can do for now, so any suggestions you could offer with this limited info will be greatly appreciated. I can read the posts just fine, but my computer system simply will not let me Post any replies. MA has been very helpful in passing on my info to you, but I would rather not trouble him further, unless that's the only way.

    I hope this goes through, and await your response.

    Thanks,

    kellyplus
     
  14. kellyplus

    kellyplus Private E-2

    Forgot to mention that I redid the READ ME & RUN ME sequence again this afternoon. The Trojan is the only bad item turned up.

    kelly
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you have an ADS (Alternate Data Stream) infection that is attached to your system32 folder.

    Run HijackThis and click on the Open the Misc Tools section button. Then click Open ADS Spy... Uncheck the Quick Scan check box. Click on "Scan" and when it completes click on "Save log..." to save what it finds. Please post the resulting log here. I would bet you will see among the entries at least one line like below (ignore all others for now).

    C:\WINDOWS\SYSTEM32:hwaa.dll (4096 bytes)

    What you will have to do is click on the lines with the :hwaa.dll showing to get them checked (in the check box) and then click on "Remove selected". After doing that, see if Ewido is clean. I would then double check after reboot and see if Ewido is still clean.
     
    Last edited: Nov 1, 2005
  16. kellyplus

    kellyplus Private E-2

    ADS Spy log

    C:\WINDOWS\mtstack.INI : winzti (0 bytes)
    C:\WINDOWS\ODBCINST.INI : hjysqv (0 bytes)
    C:\WINDOWS\smscfg.ini : gpqzpz (11736 bytes)
    C:\WINDOWS\SYSTEM32 : hwaa.dll (4096 bytes)
    C:\WINDOWS\SYSTEM32 : hwaa.dll (4096 bytes)
    C:\WINDOWS\T30DebugLogFile.txt : rhbnrj (21932 bytes)

    Right you are. EWIDO is clean after reboot, except for some cookies. Still can't attach, but at least I can post replies.

    Thanks!

    What's next?

    kellyplus
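    The ADS Spy log above is a good illustration of how to read such a list: a stream named like an executable (`hwaa.dll`) attached to a directory (`SYSTEM32`) is the finding that matters, the zero-byte streams on INI files are noise, and the duplicated line is one stream reported twice. The following is an added example and not part of the thread or of HijackThis; it parses the log format shown above, collapses duplicates, and ranks each stream. The ranking rules (executable-looking stream name, stream on a directory, zero size, a short list of well-known benign stream names) are my own heuristics, not anything the tool does, and the `Zone.Identifier` line is a constructed benign entry added to the sample so the "benign" path is exercised.

```python
import re
from collections import OrderedDict

# Constructed sample: the entries from the thread's ADS Spy log (including the
# duplicate) plus one benign Zone.Identifier stream that Windows writes on downloads.
SAMPLE_ADS_LOG = r"""
C:\WINDOWS\mtstack.INI : winzti (0 bytes)
C:\WINDOWS\ODBCINST.INI : hjysqv (0 bytes)
C:\WINDOWS\smscfg.ini : gpqzpz (11736 bytes)
C:\WINDOWS\SYSTEM32 : hwaa.dll (4096 bytes)
C:\WINDOWS\SYSTEM32 : hwaa.dll (4096 bytes)
C:\WINDOWS\T30DebugLogFile.txt : rhbnrj (21932 bytes)
C:\Downloads\tool.zip : Zone.Identifier (26 bytes)
"""

ADS_RE = re.compile(r"^(?P<path>.+?) : (?P<stream>.+?) \((?P<size>\d+) bytes\)$")
EXEC_EXTS = (".dll", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")
KNOWN_BENIGN = {"zone.identifier", "summaryinformation", "documentsummaryinformation"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "benign": 4}


def parse_ads_log(text):
    """Return unique (host_path, stream_name, size_bytes) triples, in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            # Same path+stream reported twice collapses to one entry.
            seen[(m["path"], m["stream"])] = int(m["size"])
    return [(path, stream, size) for (path, stream), size in seen.items()]


def classify(path, stream, size):
    """Heuristic severity for one stream (assumed rules, see lead-in)."""
    name = stream.lower()
    if name in KNOWN_BENIGN:
        return "benign"
    if name.endswith(EXEC_EXTS):
        return "critical"          # executable content hidden in a stream
    host = path.rsplit("\\", 1)[-1]
    if "." not in host:
        return "high"              # stream hung off a directory rather than a file
    if size == 0:
        return "low"               # empty marker stream, usually leftover
    return "medium"                # unknown payload on a file, inspect by hand


def triage_ads(text):
    """Parse and sort streams so the ones worth removing first come first."""
    rows = [(p, s, sz, classify(p, s, sz)) for p, s, sz in parse_ads_log(text)]
    return sorted(rows, key=lambda r: SEVERITY_ORDER[r[3]])


if __name__ == "__main__":
    for path, stream, size, severity in triage_ads(SAMPLE_ADS_LOG):
        print(f"{severity:8} {path}:{stream} ({size} bytes)")
```

Run on the sample, the single `SYSTEM32:hwaa.dll` entry comes out first as critical, the two 11-20 KB streams on INI/TXT files land in the middle as "inspect by hand", and the zero-byte streams sort to the bottom, which matches the order in which chaslang asked for them to be dealt with.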
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What problems are you still having?

    Also explain why you cannot attach? Does it still just time out?

    Post a HijackThis log inline (just use copy and paste) with your next message if you cannot attach one.
     
  18. kellyplus

    kellyplus Private E-2

    Strangely enough, after my initial message, I was unable to Post Reply with either my CP or my wife's....This after verifying EWIDO was still clean, and re-running HJT ADS scan again, to be sure the Trojan had not returned. So I am back at the library, this time with a machine that will accept my CD with the HJT and ADS logs.

    Here they are:

    Edit by chaslang: Inline HJT log removed. Unnecessary because already attached.

    ADS log 11-2-05

    Some problems remaining:
    -Still no taskbar or startup
    -Can't print, nor add a printer ("Print Spooler not operating")
    -Can't drag/ move files, e.g., in Windows Explorer
    -Can't disable System Restore ("System Restore encountered an error in trying to enable/disable one or more drives. Please restart...and try again.")
    -IE must be corrupted, I can't download any Windows updates, nor the Windows Antispyware; online scans at the READ/RUN ME tutorial do not respond in IE. The Microsoft download site does not recognize my IE as a valid 5.0 or better, and I have XP-SP2, and IE properties shows a version 6.0.

    Looking forward to resolving these mysteries, especially the problems with Posting Replies from my computer.

    I just tried and was able to attach the HJT log and the first ADS log, BUT only after receiving a v-bulletin requiring another log-in to the website. I was never prompted for this before on my computer. Maybe this is part of my problem.

    Thanks,

    kellyplus
     

    Attached Files:

    Last edited by a moderator: Nov 2, 2005
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not login, you can read messages but you cannot reply or upload messages. That has probably been your problem all along. Always look in the top right corner and make sure it shows you logged in with your username. If you delete cookies, you will lose automatic login capabilities you may have saved. This can be avoided by choosing not to delete certain cookies. CCleaner has options for this (so do other similar programs).
     
  20. kellyplus

    kellyplus Private E-2

    I checked that at the time...I was already logged in or at least it showed so at the top of the page. Don't think this is the problem.

    I am now at my computer, editing a message I was able to post. Go figure. It will be interesting to see if I can send another one after this.

    kellyplus
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you boot in safe mode:
    - do you have a taskbar (what did you mean by no startup?)
    - can you drag/move files in Explorer

    You will not be able to download any Windows updates unless the PC has been authenticated with Microsoft, which it does not look like has ever been done. But if your IE version is not recognized as valid, that will be a problem too.

    Was this PC purchased with WinXP SP2 already on it or was it upgraded to SP2?
    Do you have a bootable WinXP SP2 CD?
     
  22. kellyplus

    kellyplus Private E-2

    Sure enough, I was unable to Post Reply. I'm trying again after a safe mode EWIDO scan which turned up only Cookies.

    No taskbar in any mode.
    Startup is better described as start button.
    Not in Explorer or anywhere else.
    My PC is a Dell with XP Pro SP2, purchased in January 2005 with all software factory loaded. I have what they call a Reinstallation Disk for XP Pro SP2. There were no instructions about authentication. Isn't IE an integral part of XP?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm talking about authenticating your PC's copy of Windows XP on Microsoft's Website. Without doing that, updates cannot be installed. The first time you go to MS update they should ask you to go thru that procedure (note: this is not a malware topic in itself). It requires that you review and accept a license agreement. And you have to accept a certificate from Microsoft to continue. Then you will eventually get to a screen that has a title like "Genuine Windows Validation". You must say yes and then they will confirm that your copy is a valid license product. Only after doing this can you get updates.

    However if your IE version is not being recognized by Microsoft Update, you are probably being blocked before ever getting to this point.

    What I would recommend is to try disabling your McAfee firewall (it could be causing a problem) and then go to Windows Update and see where you can get to.

    I have a feeling some of your default services may not be running. Download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Save it to a file named services.txt and upload it here as an attachment.
     
  24. kellyplus

    kellyplus Private E-2

    I'm not sure how to disable the firewall without the taskbar. By the way, will MS updates help to resolve the other issues I listed?
     
  25. kellyplus

    kellyplus Private E-2

    Here's the Services.txt file you asked for from GetServices. Looks like it will not be allowed to upload ("Sending Request to forums.majorgeeks.com...") It's way too big to paste, so will try again later.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it too large to upload as an attachment? They typically are not. Do you get any error message?

    Are you able to run Windows Explorer without any problem (other than what has been mentioned)?
    If so, download this registry patch to your Desktop or somewhere else you can find it.

    http://www.kellys-korner-xp.com/regs_edits/nodesktop.reg

    Then use Win Explorer to locate this nodesktop.reg file and double click on it. Say yes when it asks you about adding to the registry. Let me know if it brings back your Taskbar.

    Also tell me if you can do the below to bring up Task Manager

    Simultaneously hold down CTRL-SHIFT-ESC
     
  27. kellyplus

    kellyplus Private E-2

    No, it's not too large to attach, but remember, I can't always attach from my computer...it's very erratic, sometimes I can, but usually, I have to go to another computer to do it. I didn't paste it because it seemed too large to have in the body of a message...So, after another unsuccessful attempt this morning on my PC, I'm back at the library computer to be able to upload the Services.txt attachment.

    I didn't get an error message that I could discern.

    I successfully downloaded the registry patch and added it per instructions, but after rebooting, the taskbar (and start button) were still missing.

    I am able to bring up Task Manager w/ CTRL-SHIFT-ESC, same as with CTRL-ALT-DEL. In fact, I've used TM a lot the last 2-3 weeks since my problems began. For a while, it was the only way to access Win Explorer, fortunately now back on the desktop with the removal of the Trojan.Small.azk.

    I still don't know how to disable the McAfee Firewall without having the taskbar.

    Thanks,

    kellyplus
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are 2 registry keys that sometimes cause problems similar to what you are having. We are going to look for and delete these keys (if found).

    Press CTRL-ALT-DEL to bring up Task Manager. And click File, New Task (Run..) and enter regedit and click OK. This will run the registry editor. Now look for the below registry keys (navigate thru the registry). Make sure you only look for and delete the exact keys listed below.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe


    After deleting these keys (if found), let me know the results.

    If that does not help, open a command prompt window from Task Manager and then enter the below command and hit enter (you may be asked for your Windows CD):

    sfc /scannow

    Any help?
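    The two keys named in this post live under Image File Execution Options (IFEO). A subkey there named after an executable can carry a `Debugger` value, and Windows then launches whatever that value names in place of the real program, which is why a stray `explorer.exe` subkey can leave a machine with no taskbar or start button. Checking for this by hand in regedit works, but the check is easy to automate over a registry export (`regedit` File > Export, or `reg export`). The following is an added example, not part of the thread or any tool it mentions: it parses the `.reg` text format, restricted to the string and dword value forms used in the sample, and reports any IFEO subkey for the images the post lists. The sample export, the placeholder debugger path, and the idea of also watching the real Internet Explorer image name `iexplore.exe` (the post writes `iexplorer.exe`) are all mine.

```python
import re

# The IFEO parent key from the post; subkeys are named after image files.
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of a regedit export. The Debugger path is a placeholder, not a
# real file; the notepad.exe subkey shows a legitimate-looking entry that is ignored.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\EXAMPLE\\placeholder-hijacker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Map each [key] in a .reg export to a dict of its named values.

    String data is unquoted and un-escaped (.reg doubles backslashes); dword and
    other typed data is kept as the raw text after '='.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m["name"]] = data
    return keys


def audit_ifeo(text, watched=("explorer.exe", "iexplorer.exe", "iexplore.exe")):
    """Report IFEO subkeys for the watched images, with their Debugger value if any.

    The post's advice is to delete the subkey whether or not it carries a Debugger,
    so every matching subkey is returned; 'debugger' is None when the value is absent.
    """
    prefix = IFEO_PREFIX.lower() + "\\"
    watched_lc = {w.lower() for w in watched}
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if image.lower() in watched_lc:
            findings.append({"image": image,
                             "debugger": values.get("Debugger"),
                             "values": sorted(values)})
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG_EXPORT):
        print(f"IFEO subkey for {f['image']}: Debugger={f['debugger']!r}, values={f['values']}")
```

On the sample this reports both the `explorer.exe` subkey (with its Debugger path) and the `iexplorer.exe` subkey (no Debugger, but still present), and stays quiet about `notepad.exe`; on a clean machine like kellyplus's turned out to be, it returns an empty list.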
     
  29. kellyplus

    kellyplus Private E-2

    Neither of the listed registry keys was found.

    I ran scannow and waited while the scan completed. There was no indication of any kind of result, but when the normal command prompt appeared, I clicked to close the command window. Windows would not let me, and after waiting 10 minutes or so, I closed it anyway.

    I am now back at the library to respond to your message. I will wait here for a while in case you have any followup questions regarding my completing your directives.

    Thanks,

    kellyplus
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think at this point you may be looking at a Windows Repair install which is a topic truly better discussed in the software forum. However the below link may be helpful to you in doing this:

    http://www.webtree.ca/windowsxp/repair_xp.htm

    Find the link down the page that reads: How To Run a Repair Install

    Since your WinXP CD is SP2, you will not have to reinstall SP2 as is implied there. That was for people who already upgraded to SP2 from a system that was shipped with a lower SP rev level.
     
  31. kellyplus

    kellyplus Private E-2

    chaslang,


    I will give that a try. Do you want me to report back the outcome?

    In any event, thanks for your helpful suggestions and support.

    One last question: Did my most recent HJT log look ok?

    kellyplus
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes please report back. I will not be around starting tomorrow 11/04 until about 11/15, but if you have other questions, I'm sure one of the other Malware Fighters can help you.

    Your last HJT log from message # 18 was clean.
     
