Desktop disappears!

Discussion in 'Malware Help (A Specialist Will Reply)' started by lilblue82, Feb 17, 2008.

  1. lilblue82

    lilblue82 Private E-2

    I am not sure where to start. When I log into this computer it comes up fine. I can see the desktop and all of the icons. Then everything disappears after about 30 seconds. I can use an application if I clicked on it before everything disappeared. Even the start bar goes away. The only way I can access anything from there is to use the task manager to start a new task or log out and log back in. I have run the malware procedures from the Malware Removal Guide. I had previously run Trend Micro. This scan said I had a Trojan.Generic. I also get pop ups from registrydefender and dell of all places. I really need some help here. I am running out of options! Thanks so much.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You said you ran the procedures but you did not attach the logs from ComboFix and AVG Antispyware. It will be much easier to fix things if we can get ComboFix to run. Did you try to download and run it? It must be saved to your Desktop. Try using Safe Boot mode if necessary.


    See how much of the below you can do even if you have to run some steps in safe mode. As you will notice, these steps are going to require that ComboFix.exe be downloaded to your Desktop.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03
    ShopperReports <-- this is adware
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
    O2 - BHO: (no name) - {5E4105CA-4469-4DEA-A54E-3ECFCF42618D} - C:\WINDOWS\system32\jkhhi.dll (file missing)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcdbaw.dll
    O2 - BHO: (no name) - {755A1F8B-46E2-4B44-B626-59965C72D78F} - C:\WINDOWS\system32\awtqp.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [48610c7e] rundll32.exe "C:\WINDOWS\system32\__c007382.dat",b
    O4 - HKCU\..\Run: [A00F1A03253.exe] C:\DOCUME~1\STACYB~1\LOCALS~1\Temp\_A00F1A03253.exe
    O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
    O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
    O20 - Winlogon Notify: efcdbaw - C:\WINDOWS\SYSTEM32\efcdbaw.dll
    O20 - Winlogon Notify: __c0034D64 - C:\WINDOWS\system32\__c0034D64.dat
    O23 - Service: crd - Unknown owner - C:\DOCUME~1\STACYB~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    crd
    File::
    C:\xcrashdump.dat
    C:\WINDOWS\system32\awtqp.dll
    C:\WINDOWS\system32\browseui(3).dll
    C:\WINDOWS\system32\efcdbaw.dll
    C:\WINDOWS\system32\oleaut32(2)(2).dll
    C:\WINDOWS\system32\shlwapi(2).dll
    C:\WINDOWS\system32\shlwapi(5).dll
    C:\WINDOWS\system32\urlmon(2).dll
    C:\WINDOWS\system32\urlmon(5).dll
    C:\WINDOWS\system32\wininet(2).dll
    C:\WINDOWS\system32\wininet(5).dll
    C:\WINDOWS\system32\SET2B.tmp
    C:\WINDOWS\system32\SET2C.tmp
    C:\WINDOWS\system32\SET2D.tmp
    C:\WINDOWS\system32\SET2E.tmp
    C:\WINDOWS\system32\SET32.tmp
    C:\WINDOWS\system32\SET33.tmp
    C:\WINDOWS\system32\283700c__.ini
    C:\WINDOWS\system32\2E3C900c__.ini
    C:\WINDOWS\system32\E44DE00c__.ini
    C:\WINDOWS\system32\ihhkj.ini
    C:\WINDOWS\system32\ihhkj.ini2
    C:\WINDOWS\system32\pqtwa.ini
    C:\WINDOWS\system32\pqtwa.ini2
    C:\WINDOWS\system32\__c0034D64.dat
    C:\WINDOWS\system32\__c00E3D96.dat
    C:\WINDOWS\system32\__c007382.dat
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp\_A00F1A03253.exe
    
    Folder::
    C:\Program Files\ShoppingReport
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp\xx2
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp\xx3
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp\xx4
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp\xx5
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp\xx6
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp\IXP001.TMP
     
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "RealTray"=-
    "QuickTime Task"=-
    "48610c7e"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcdbaw]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0034D64]
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Stacy Byrd\Local Settings\Temp

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
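The HijackThis lines chaslang selects above share a few recurring traits: Winlogon Notify packages, a rundll32 entry loading a `.dat` file, executables launched from a user's Temp folder, orphaned entries whose file is already gone, and unnamed BHOs with short random-looking DLL names in system32. The following Python script is an added example, not part of this thread or of HijackThis, that parses HJT-style lines and scores them against exactly those traits so a helper can sort a long log before deciding what to fix. The sample lines are copied from the scan output quoted above; the regular expressions and the reason strings are the example's own assumptions, not HijackThis output.

```python
"""Triage helper for HijackThis-style scan lines (added example, not from the thread).

Each line is parsed into its section (O2, O4, O20, ...) and the file it points
at, then checked against heuristics that match the persistence patterns seen in
this thread.  A hit is a reason to look closer, not proof of infection.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # HJT section, e.g. "O4" or "O20"
    target: str    # file path the entry points at, or the raw body if none
    reasons: list  # human-readable indicators that fired (may be empty)


LINE_RE = re.compile(r"^(?P<kind>O\d+|R[01]) - (?P<body>.*)$")
# Windows path ending in an executable-ish extension; spaces allowed, quotes not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe|dat)\b', re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Five to eight lower-case letters directly under system32 (e.g. awtqp.dll).
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def triage_line(line):
    """Parse one HJT line; return a Finding, or None if the line is not an HJT entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    paths = PATH_RE.findall(body)
    target = paths[-1] if paths else body
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")
    if kind == "O20":
        reasons.append("Winlogon Notify package: loaded by winlogon.exe at logon")
    if "rundll32" in body.lower() and target.lower().endswith(".dat"):
        reasons.append("rundll32 loading a .dat file as a DLL")
    if TEMP_RE.search(target):
        reasons.append("runs from a Temp directory")
    if RANDOM_DLL_RE.search(target):
        reasons.append("short random-looking DLL name in system32")
    if kind == "O2" and "(no name)" in body:
        reasons.append("BHO with no name")
    if kind == "O4":
        nm = RUN_NAME_RE.search(body)
        if nm and HEX_NAME_RE.match(nm.group("name")):
            reasons.append("Run value named with eight random hex digits")
    return Finding(kind, target, reasons)


def triage(lines):
    """Return only the entries that tripped at least one heuristic, worst first."""
    findings = [f for f in map(triage_line, lines) if f and f.reasons]
    return sorted(findings, key=lambda f: -len(f.reasons))


# Constructed sample: lines taken from the HijackThis output quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
O2 - BHO: (no name) - {755A1F8B-46E2-4B44-B626-59965C72D78F} - C:\WINDOWS\system32\awtqp.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [48610c7e] rundll32.exe "C:\WINDOWS\system32\__c007382.dat",b
O4 - HKCU\..\Run: [A00F1A03253.exe] C:\DOCUME~1\STACYB~1\LOCALS~1\Temp\_A00F1A03253.exe
O20 - Winlogon Notify: efcdbaw - C:\WINDOWS\SYSTEM32\efcdbaw.dll
O23 - Service: crd - Unknown owner - C:\DOCUME~1\STACYB~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
""".strip()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:4} {f.target}")
        for r in f.reasons:
            print(f"       - {r}")
```

Note that the ShoppingReport BHO is not flagged: it has a proper name and lives under Program Files, so identifying it as adware still needs a human (or a signature), which is why the script only orders the list rather than deciding what to fix.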
  3. lilblue82

    lilblue82 Private E-2

    I have run through everything in your post. Things seem to be much better! Thanks. I would have never come up with something like that myself. Thanks again. I will check back to see if you find anything else wrong.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Did you run the below as requested last time? It does not look like it. Please run it now.
    Make sure you shut down as much of your Symantec Antivirus protection as possible before doing the below.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcdbaw.dll (file missing)
    O2 - BHO: (no name) - {A6E79D4B-E1D1-4ADA-9851-5CE4759F1A0D} - C:\WINDOWS\system32\awtqp.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"xe
    O20 - Winlogon Notify: efcdbaw - efcdbaw.dll (file missing)
    O20 - Winlogon Notify: __c0034D64 - C:\WINDOWS\system32\__c0034D64.dat (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
    C:\WINDOWS\system32\mshtmled(3).dll
    C:\Documents and Settings\Stacy Byrd\Local Settings\temp\JETE2AA.tmp
     
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcdbaw]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0034D64]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
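Both of chaslang's posts hand the user a CFScript made of `Driver::`, `File::`, `Folder::` and `Registry::` sections, where `[-KEY]` removes a whole registry key and `"name"=-` removes one value under the key named on the preceding line. Before dragging such a script onto ComboFix it is worth seeing, in one place, everything it will delete. The parser below is an added example written for this thread, not ComboFix's own code: it splits a script into its sections, decodes the registry directives, and lists which targets sit under a Temp folder. The sample script is assembled from lines in the two posts above; the function names and the summary keys are the example's own.

```python
"""Pre-flight reviewer for a ComboFix CFScript (added example, not from ComboFix).

Sections are introduced by a line ending in '::'.  Inside Registry:: the syntax
follows .reg conventions: '[KEY]' selects a key, '[-KEY]' deletes it, and
'"name"=-' under a selected key deletes that value.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_cfscript(text):
    """Return an ordered mapping {section name: [non-empty lines in that section]}."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Decode Registry:: lines into (action, key, value_name) tuples."""
    actions = []
    key = None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key")
            if m.group("delete"):
                actions.append(("delete_key", key, None))
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            # '=-' deletes the value; anything else is treated as a set (.reg convention).
            action = "delete_value" if m.group("value") == "-" else "set_value"
            actions.append((action, key, m.group("name")))
    return actions


def review(text):
    """Summarise what the script touches: per-section counts, registry actions, Temp paths."""
    sections = parse_cfscript(text)
    summary = {name: len(lines) for name, lines in sections.items()}
    summary["registry_actions"] = registry_actions(sections.get("Registry", []))
    paths = sections.get("File", []) + sections.get("Folder", [])
    summary["temp_paths"] = [p for p in paths if "\\temp\\" in p.lower()]
    return summary


# Constructed sample: entries drawn from the two CFScripts posted in this thread.
SAMPLE_CFSCRIPT = r"""
Driver::
crd
File::
C:\WINDOWS\system32\mshtmled(3).dll
C:\Documents and Settings\Stacy Byrd\Local Settings\temp\JETE2AA.tmp

Folder::
C:\Program Files\ShoppingReport

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"RealTray"=-
"48610c7e"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcdbaw]
"""


if __name__ == "__main__":
    for k, v in review(SAMPLE_CFSCRIPT).items():
        print(f"{k}: {v}")
```

The `ValueError` on a line outside any section catches the most common copy/paste mistake with these scripts (losing the first `File::` header), which would otherwise leave ComboFix with a list of paths it does not know what to do with.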
