Desktop disappears

Did you try running explorer.exe from Task Manager? If so, does it bring back your Desktop?

This may or may not be malware.

 

What version of Windows are you running?

Does your Desktop showup in safe boot mode?

Can you run iexplore.exe from Task Manager? iexplore.exe is Internet Explorer. If you can run iexplore.exe see if you can download and save the below to your C:\ folder

MGtools.exe

Let me know if you can do this. Also let me know what happens in safe boot mode.

 

Okay then in normal boot mode open Task Manager and run the C:\MGtools.exe program. A command prompt window should open and you will see information scrolling in it as it runs its scans. It will tell you when it is done. When it finishes, run iexplore.exe and come here and attach the C:\MGlogs.zip file that will be created if MGtools.exe runs properly.


See: HOW TO: Attach Items To Your Post

 

Looks like all copies of Windows Explorer on your hard disk are possibly infected.

Let's see if you can redownload and run the patch in the below Microsoft KB article:

http://www.microsoft.com/downloads/...B9-3088-4C39-AAFE-0707F2A0534B&displaylang=en

Save the file to your root folder and run it if possible. Then reboot and see if there is any change.

If the above does not help then do the below run iexplore.exe again. Open two sessions if you can so you can follow along with the instructions in one window and run the actual steps in the other.

From Task Manager run this C:\MGtools\analyse.exe This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF17824.exe /c C:\combo-fix\Combobatch.bat
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF17824.exe /c C:\combo-fix\Combobatch.bat
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"

After clicking Fix, exit HJT.

In the second iexplore.exe window, enter C:\ into the address bar and click Go. This should give you access to the C:\ root folder. Locate the below files and right click on them and select delete. If anything will not delete, note it it to tell me later, but continue on.

C:\0.com
C:\1.bat
C:\1aq1obb.bat
C:\2.cmd
C:\8386nac.com
C:\90imhpnc.exe
C:\930jn.bat
C:\9mf.exe
C:\dp.cmd
C:\h8i.com
C:\imt8.cmd
C:\ka1nk.bat
C:\lgnaqil.exe
C:\lgrncie.bat
C:\mka.bat
C:\ocbqsqj.bat
C:\p0sc9t.cmd
C:\p1t.bat
C:\qjatw9aj.exe
C:\qpe6.com
C:\sdc.bat
C:\uqb0julr.bat
C:\vt6e.cmd
C:\w2qagd.com
C:\x.bat
C:\yp.bat

Now enter C:\Windows into the address bar and click Go and delete the below files:
C:\WINDOWS\bbqexuaw.txt
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\mrofinu1001186.exe.tmp

Now enter C:\Windows\TEMP into the address bar and click Go and delete the below files:
C:\WINDOWS\TEMP\DIL1D.tmp
C:\WINDOWS\TEMP\DIL20.tmp
C:\WINDOWS\TEMP\DIL28.tmp
C:\WINDOWS\TEMP\DIL2A.tmp
C:\WINDOWS\TEMP\DIL2C.tmp
C:\WINDOWS\TEMP\DIL2E.tmp
C:\WINDOWS\TEMP\VRR1.tmp
C:\WINDOWS\TEMP\VRR14.tmp
C:\WINDOWS\TEMP\VRR15.tmp
C:\WINDOWS\TEMP\VRR16.tmp
C:\WINDOWS\TEMP\VRR19.tmp
C:\WINDOWS\TEMP\VRR1B.tmp
C:\WINDOWS\TEMP\VRR1C.tmp
C:\WINDOWS\TEMP\VRR1F.tmp
C:\WINDOWS\TEMP\VRR2.tmp
C:\WINDOWS\TEMP\VRR27.tmp
C:\WINDOWS\TEMP\VRR29.tmp
C:\WINDOWS\TEMP\VRR2B.tmp
C:\WINDOWS\TEMP\VRR2D.tmp
C:\WINDOWS\TEMP\VRR3.tmp
C:\WINDOWS\TEMP\VRR4.tmp
C:\WINDOWS\TEMP\VRR5.tmp
C:\WINDOWS\TEMP\VRR6.tmp

Now enter C:\Documents and Settings\Paulette Headley\Local Settings\temp into the address bar and click Go and delete the below files:
C:\Documents and Settings\Paulette Headley\Local Settings\temp\WT8.tmp
C:\Documents and Settings\Paulette Headley\Local Settings\temp\WT9.tmp

After attempting to delete all of the above files reboot and run C:\MGtools\GetLogs.bat either normally if possible, or from Task Manager or from iexplorer using the address bar trick I used above.

 

Okay I want to try a new version of MGtools built just for you. Download this View attachment MGtoolsDT.exe to your C:\ folder like you have down previously. Then from Task Manager run C:\MGtoolsDT.exe

Then attach the new C:\MGlogs.zip file before doing the below.

Now reboot your PC and see if there is any change. If you have a Desktop, please run SUPERAntiSpyware, Malwarebytes Anti-Malware, and ComboFix from the READ & RUN ME immediately and then attach their logs.

 

Okay but was there any change to your no Desktop problem?

 

I still see the below two problem files (which I tried to remove )

Code:

"C:\WINDOWS\"
mrofin~1.exe  Jul  6 2008       55808  "mrofinu1001186.exe"
mrofin~1.tmp  Jul  6 2008       55808  "mrofinu1001186.exe.tmp"

I did not expect that they would get removed with what I did but it was worth a try. Other files were removed though.

If still having the same problem, please try running that process again after booting your PC to Safe Mode with command prompt. If the command prompt opens properly, you can just type in the same you were running them from Task Manager. That is just type in C:\MGtoolsDT.exe. Also in this mode try running ComboFix which I see you saved to C:\. Just type C:\cf.exe

Attach the new MGlogs.zip file and attach the C:\combofix.txt log if it runs.

 

Okay now that I see all of your logs, I see the main reason for your problem with the Desktop and why my fixed worked. Every executable file for your Windows Operating System and possibly every executable file on your PC appears to be infected. This includes your useless antivirus program which may even be broken! Does it work right now?

You may be looking at a total clean reinstall after deleting partitions, recreating partions, and formatting. It appears that you may have a Virut (also called Virtob) or Parite infection or something similar that has injected itself into all of your EXE files. We can try to fix this, but odds are high that we may not be successful and also you may not be able to trust your PC even when it appears to be fixed since many infected files could be missed. Also the act of trying to remove the infection could potentially render your PC unbootable.

Do you have your Windows boot CD?

Do you have important data you need off this PC? I suggest backing it up while you still can but DO NOT back up any executable type files.

How would you like to proceed?

 

Not necessarily. You may need to reinstall drivers for various hardware you may have. Like drivers for graphics, sound,....etc cards. Thus you will need either a CD with these files or you will have to download them from the manufacturer of your PC or from the company that makes the cards. Then you will need to reinstall all of your other software that is not part of Windows. This includes protection software, MS Office....etc. You will then need to go online and get all updates for Windows and your other software just reinstalled.

It would be best to work this in the Software Forum as we really only have the time to work the malware side of things here. There are various websites that also have tips on doing this. Examples:

http://rcc.bgsu.edu/info/Windows_XP_Installation

http://www.petri.co.il/install_windows_xp_pro.htm

It is pretty straight forward. More issues arise from things like below which you find out after the reinstall

• Forgetting to backup anything you need.
• Backing up infected files by mistake
• Not having all the necessary drivers for your hardware
• realizing you have a lot of tweaking to do to get your setup back to the way you had it before.

See the below:

How to Protect yourself from malware!

I recommend that you use another PC and download the programs now and burn them to a CD so that you can install them on your PC after the reinstall and before reconnecting to the internet. It is best to have protection in place (even if not fully updated) before connecting.