taskbar disappearing

Discussion in 'Malware Help (A Specialist Will Reply)' started by romy, Feb 22, 2008.

  1. romy

    romy Private E-2

    I'm having a problem where the taskbar and desktop randomly disappear,
    and when I press Ctrl+Alt+Del and run explorer from there, they reappear... but explorer doesn't run from Task Manager, only from the desktop itself.
    I've also had some popups.
    I've cleaned my computer with Avast antivirus and Spybot,
    and deleted all the registry entries and cookies found via SpyHunter?


    Thanks!
     
  2. abri

    abri MajorGeek

    Hi romy,
    Welcome to the Malware Forum!


    Please run through the READ & RUN ME FIRST and attach the requested logs so we can look at them.

    abri
     
  3. romy

    romy Private E-2

    Here's my ComboFix log.
     

    Attached Files: log.txt (22.2 KB)
  4. romy

    romy Private E-2

    And here's the MGtools scan.
     
  5. romy

    romy Private E-2

    Any help?
     
  6. abri

    abri MajorGeek

    Hi romy,
    please don't bump. You have a badly infected computer and it takes time to work up a set of instructions. Also, when you bump your post, it puts it at the top of the list and we work the list from bottom to top.
    Thanks.
    abri
     
  7. abri

    abri MajorGeek

    Hi romy,

    You have a couple of different problems. We will first address one and then go back to pick up the other one. Please do the following:

    1) Go to add/remove programs and uninstall the below:

    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!), I would like you to run Disable/Remove Windows Messenger

    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    After you click Fix, just close HijackThis.


    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  8. romy

    romy Private E-2

    I couldn't find
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    Also, Avenger couldn't create a zip file,
    but here's the MGlogs.zip you requested.


    Actually, the computer was running pretty fine
    before you made me do this.
     
  9. abri

    abri MajorGeek

    This is not a problem.
    This doesn't need to be zipped. Just attach it as the .txt file that it is.
    And how is it running now?

    abri
     
  10. romy

    romy Private E-2

    Oh no, the computer is running fine now,
    but Avenger produced several errors and couldn't accomplish the task you requested.
     
  11. abri

    abri MajorGeek

    Hi romy,

    If Avenger didn't run and your most recent MGlogs were posted after running Avenger, then your computer is still infected.


    Please try and remove those files as follows:
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it:
    Code:
    File::
    C:\WINDOWS\system32\boa1.dat
    C:\WINDOWS\system32\cs.dat
    C:\WINDOWS\system32\ps1.dat
    C:\WINDOWS\system32\rc.dat
    C:\WINDOWS\system32\L357F.tmp
    C:\WINDOWS\system32\L59E0.tmp
    C:\WINDOWS\system32\L89E9.tmp
    C:\WINDOWS\system32\worsock.dll
    
    Folder::
    Enigma Software Group
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    abri
     
  12. romy

    romy Private E-2

    OK,
    while doing the ComboFix,
    towards the end, it produced a Windows "no disk" error,
    and when the log came up in Notepad, my taskbar and desktop were gone again
    (had to use Task Manager to get them visible again),
    but here are the requested logs.
     
  13. abri

    abri MajorGeek

    Hi romy,
    Please attach the logs.
    Thanks.
    abri
     
  14. romy

    romy Private E-2

    Sorry, I thought I did,
    but here.
     
  15. abri

    abri MajorGeek

    Hi romy,

    You're still getting some odd drivers.
    Please look at what's in the following txt file and let me know:

    C:\Documents and Settings\wsddhewd.txt


    Then rerun Combofix using the same instructions as in Post 11 only with the contents of this box:
    Code:
    Files::
    
    C:\WINDOWS\system32\drivers\vsbabfsi.sys
    C:\uyguxbpt.bat
    C:\yhpkihtq.bat
    After you do the above, please run CCleaner at the default setting with the Windows tab as the one on top.

    Run GetLogs.bat again (in the MGTools folder) and post the Combofix log and the MGlogs.zip (found directly under C).

    Thanks.
    abri
     
  16. romy

    romy Private E-2

    The text file contained this info:
    Files to delete:

    C:\WINDOWS\system32\boa1.dat
    C:\WINDOWS\system32\cs.dat
    C:\WINDOWS\system32\ps1.dat
    C:\WINDOWS\system32\rc.dat
    C:\WINDOWS\system32\L357F.tmp
    C:\WINDOWS\system32\L59E0.tmp
    C:\WINDOWS\system32\L89E9.tmp

    Folders to delete:

    C:\Program Files\Enigma Software Group

    While running ComboFix, towards the end, a Windows "no disk" error.

    Here are the logs you requested.
     
  17. abri

    abri MajorGeek

    Hi romy,

    C:\Documents and Settings\wsddhewd.txt contains the Avenger entries I asked you to delete in Post 7 where it didn't work. You can just delete that file.

    Please try posting the MGlogs.zip again so I can see how things look. It is sometimes a problem to attach things here, but several different things help including simply trying again. It also helps to upload them with a different browser or clear the cache of your browser.

    Is your computer working now or are you having the same problems you had initially?

    abri
     
  18. romy

    romy Private E-2

    Alright,
    here's the MGtools log.

    My computer has been working since the very first post you told me to do.
     
  19. abri

    abri MajorGeek

    Hi romy,
    Something seems to go wrong when you try attaching your logs. I would not mind checking them to see if there are any other drivers coming up that shouldn't be. See if you can still attach that last set.

    If everything is running okay, I would like for you to go through the final cleanup procedures which will remove our tools and logs from your system. I'll post them here, but if you want to wait to complete them until I can look at your last set of logs, please do.
    abri
     
  20. romy

    romy Private E-2

    Post 16 contains the logs.
    You didn't tell me to put any on after.
     
  21. abri

    abri MajorGeek

    Hi romy,

    Your logs in post 16 show that the files I asked you to delete using Combofix didn't delete. It looks from your Combofix log like you didn't make up the txt file and pull it across to the Combofix icon on the desktop. In order for this to work, Combofix must be installed on the desktop, you must make a notepad file as per the instructions which is stored on the desktop and then that notepad file will be dragged across the desktop on top of the Combofix icon. I will repeat the instructions in detail. Please see if it works this time.

    Please try and remove these files as follows:
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it:
    Code:
    Driver::
    vsbabfsi
    
    Files::
    C:\WINDOWS\system32\drivers\vsbabfsi.sys
    C:\uyguxbpt.bat
    C:\yhpkihtq.bat
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    abri
     
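The files abri keeps targeting in posts 11, 15 and 21 share a pattern: random-looking eight-letter names dropped as .bat files in the drive root, a driver with the same kind of name under system32\drivers, and .tmp files in system32. The following script is an added example (not from this thread or from any MajorGeeks tool) that applies those triage heuristics to a constructed list of paths taken from the thread, with two legitimate entries for contrast; the vowel-share threshold and the assumption that Windows lives in C:\WINDOWS are my own.

```python
import re
from typing import Dict, List

# Constructed sample input: paths abri asked to have removed, plus two
# legitimate entries (the Java updater and tcpip.sys) that must NOT be flagged.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drivers\vsbabfsi.sys",
    r"C:\uyguxbpt.bat",
    r"C:\yhpkihtq.bat",
    r"C:\WINDOWS\system32\L357F.tmp",
    r"C:\WINDOWS\system32\worsock.dll",
    r"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
]

RANDOM_NAME = re.compile(r"^[a-z]{7,9}$")  # 7-9 lowercase letters, nothing else
VOWELS = set("aeiou")
SYSTEM32 = r"c:\windows\system32"          # assumption: Windows installed in C:\WINDOWS


def looks_random(stem: str) -> bool:
    """Hypothetical heuristic: 7-9 lowercase letters with a low share of vowels."""
    if not RANDOM_NAME.match(stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.35


def split_path(path: str):
    """Split a Windows path into (lower-cased directory, stem, lower-cased extension)."""
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return directory.lower(), stem, ext.lower()


def triage(path: str) -> List[str]:
    """Return the reasons a path looks suspicious; an empty list means nothing odd."""
    directory, stem, ext = split_path(path)
    in_root = re.fullmatch(r"[a-z]:", directory) is not None
    in_system32 = directory.startswith(SYSTEM32)
    reasons = []
    if in_root and ext in {"bat", "cmd", "exe"}:
        reasons.append("script/executable in drive root")
    if in_system32 and ext == "tmp":
        reasons.append(".tmp file in system32")
    if looks_random(stem.lower()) and (in_root or in_system32):
        reasons.append("random-looking name in a system location")
    return reasons


def triage_all(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, dropping clean paths."""
    return {p: r for p in paths if (r := triage(p))}


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_PATHS).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Such a heuristic only raises candidates for a human to check against the logs, as abri does here; it is not a verdict.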
  22. romy

    romy Private E-2

    Here are the requested logs,

    and things are working fine.
     
  23. abri

    abri MajorGeek

    Hi romy,
    Things are not working right completely, because you still have several drivers that will lead to your problems coming back. I looked at your desktop entries and there is not one for CFScript.txt. This means you have not yet understood my instructions. So far what you are giving me for a Combofix log is simply produced by clicking on Combofix and running it. What I need for you to do is something different. I will walk you through it here:

    To begin with copy and paste the contents of the box below into a notepad file. To open notepad go to Start / Accessories and look down through that menu until you come to Notepad and click on it. This will open a blank screen.

    Then come back here to this post and copy everything in the box below by highlighting it and then right-clicking with your mouse and selecting copy. Then go back to the blank notepad window (which may be behind your browser so you will have to minimize your browser) and paste what you copied into the blank notepad window.

    After that go to the top of the Notepad file and click on File and then on Save. A window will open up where you can choose where to save the file. Look for the Desktop and click on that. Then give the file the name CFScript. If it is already marked to save as a txt file, you don't have to write in .txt after CFScript. It will do this automatically.

    Once you have saved this file onto the desktop, close all your windows so you can see your desktop and look for this file. It will be called CFScript.txt. Point at this with your mouse and click on it and holding down the left mouse key, drag it across your desktop until you come to the red disk with the white X in it with the name Combofix.exe underneath it. That's the Combofix icon. Simply pull the CFScript.txt on top of the Combofix icon and allow it to do whatever it does. It will produce a log when it's finished and if you've done this correctly, you will be able to see that the files we're trying to delete have been deleted.

    If you have questions about this please ask. Here is the box with the files that you need to copy. When you copy the contents, you have to copy the words Driver and the File as well:
     
  24. romy

    romy Private E-2

    Okay, I think I named the text file a different name last time,
    which is why you didn't find it.
     
  25. romy

    romy Private E-2

    Here,
    I hope it worked!

    BTW, the text file deletes itself
    after I drag it onto ComboFix.
     
  26. abri

    abri MajorGeek

    Hi romy,
    That worked!


    There are still a few more things to do.

    Please do the same thing with CFScript that I asked you to do by copying and pasting the contents of the box into Notepad and giving it the name CFScript and then dragging it onto the Combofix icon. This time, however, use the contents of this box:
    Code:
    File::
    C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
    C:\hp\KBD\bak\KBD.EXE
    C:\Program Files\AIM\bak\aim.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
    C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe
    C:\Program Files\iTunes\bak\iTunesHelper.exe
    C:\WINDOWS\CREATOR\bak\Remind_XP.exe
    C:\WINDOWS\ehome\bak\ehtray.exe
    C:\WINDOWS\SMINST\bak\RECGUARD.EXE
    C:\WINDOWS\system\bak\hpsysdrv.exe
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\Viewpoint
    C:\Program Files\Enigma Software Group
    When you finish, attach the Combofix log with your next post.
    Thanks.
    abri
     
  27. romy

    romy Private E-2

    Here it is.
     
  28. abri

    abri MajorGeek

    Hi romy,
    That was a lot! Things look much better now. How is your computer working? I will go ahead and post you the final cleanup instructions.
    abri
     
  29. romy

    romy Private E-2

    Thanks a whole bunch!
    I can always count on you guys for a brand new computer.


    Everything is working great.
    Thanks again!
     
  30. abri

    abri MajorGeek

    You're welcome!
    All the best to you and your computer.
     