# Hijack This Log -- Help please



## Jameseee (Jul 17, 2005)

Spybot reports BookedSpace (7 instances) and Pacimedia.  After restart, they are back.

Ad-Aware found a lot of Vx2 and ImlServer IEPlugins.  VX2Finder no longer finds any Vx2.

There is an entry in the log (20 ... sbmsg.dll) that comes back instantly.  I currently have only a desktop picture -- no Start Menu; no icons.  Task Manager will open and I can run some programs that way (iexplore, etc.), but explorer.exe won't run.  It says it cannot find it.  It says that even if I browse for it and locate it myself.  File size and date are identical to other computers, so ...

Anyway, log follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:05:19 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\sbmsg.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Is there any hope?

Thanks for your help.

James


----------



## Byteman (Jul 17, 2005)

Looks like this is your bad boy:
O20 - Winlogon Notify: URL - C:\WINNT\system32\sbmsg.dll

Make sure your machine is set to view all folders/files... (see step 2 in sticky)
Download the VX2 plugin for Ad-AwareSE and install it.

Have HJT remove the O20 entry mentioned above, then click the "Misc Tools section" button and then the "Delete File on Reboot" button. Browse to the file
C:\WINNT\system32\sbmsg.dll
Then reboot to Safe Mode, (Pressing the F8 key repeatedly when first booting up), navigate to the file and verify it's gone, (if still there, then shift+delete it).

Then run a full system scan, (not the smartscan) with Ad-AwareSE again, and post back & let us know your status.


----------



## Jameseee (Jul 17, 2005)

Byteman,

Thanks for the help.  

First, I don't know how to change my view to view all files/folders because I cannot open explorer.exe.  I have no desktop icons or Start Menu; just a picture on the desktop.

From the Task Manager; Run option, I can see that the file is still there.  From a Command Prompt, I can see that it is a System File and Read-Only.  I can remove the attributes, but cannot delete the file because the Process is running and Killbox cannot stop it.  Even in Safe Mode, the Process is running.  Also, I have no desktop icons or Start Menu in Safe Mode either regardless of whether I log on as myself or as Administrator.

The VX2 plugin reports "System Clean" but the Ad-Aware scan reports 30 VX2 objects.

I did manage to get Roxio to run so that I now have a backup disk of the data, so I'm in much less of a panic than I was yesterday.

Any other ideas?

Thanks again.

James


----------



## Buzz1927 (Jul 18, 2005)

Hi James.
Byteman asked me to take a look at your log. I think you may have a new variant of this infection. Download L2Mfix and install it. Open the program and double-click "l2mfix.bat". Select option 1, this will scan the computer and make a logfile. Post the bottom part of the log (it should be a list of files) in your next reply. Save the log, we might need it later.


----------



## Jameseee (Jul 18, 2005)

Thanks Buzz,

Here is the information from l2mfix.

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 5452-387C

 Directory of C:\WINNT\System32

07/18/2005  07:15 AM           417,792 crosys.dll
07/17/2005  07:41 AM           417,792 wtploc.dll
07/17/2005  07:24 AM           417,792 kudic.dll
07/16/2005  06:51 PM           417,792 mrxml2r.dll
07/16/2005  06:44 PM           417,792 mir2c.dll
07/16/2005  06:29 PM            82,432 dees.exe
07/16/2005  06:29 PM           417,792 GXCollection.dll
07/16/2005  06:24 PM           417,792 mkcndmgr.dll
07/16/2005  06:19 PM           417,792 nbmarta.dll
07/16/2005  05:30 PM    <DIR>          dllcache
07/16/2005  01:43 PM           417,792 iaq.dll
07/16/2005  11:53 AM           417,792 mfl_mtf.dll
07/16/2005  11:05 AM           417,792 sbmsg.dll
07/16/2005  09:09 AM           417,792 smcpack.dll
07/16/2005  09:07 AM           417,792 IO41_QC.dll
06/26/2005  03:06 PM           417,792 ibitpki.dll
06/23/2005  11:09 AM           417,792 guard.tmp
06/21/2005  08:49 PM           417,792 kadhu.dll
09/04/2002  11:30 AM    <DIR>          Microsoft
              17 File(s)      6,767,104 bytes
               2 Dir(s)  20,066,299,904 bytes free

While this was scanning, I received the following message twice:

C:\WINNT\AUTOEXEC.NT.  The system file is not suitable for running MS-DOS and Microsoft Windows applications.  Choose 'Close' to terminate the application.

Options were Close and Ignore.  After "Ignore" twice, it completed.

Later.

James
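The two findings the helpers key on in this thread, the O20 Winlogon Notify DLL Byteman points at and the run of identically sized DLLs in the l2mfix listing above, can be pulled out of the raw text mechanically. The following Python is an added example, not code from HijackThis, L2Mfix or anyone in this thread; the sample log excerpts are constructed from lines posted above, and the three-file cluster threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed excerpt of a HijackThis log (three lines copied from the thread).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: URL - C:\WINNT\system32\sbmsg.dll
"""

# Constructed excerpt of the l2mfix "dir" listing of C:\WINNT\System32.
DIR_SAMPLE = r"""
07/18/2005  07:15 AM           417,792 crosys.dll
07/16/2005  06:29 PM            82,432 dees.exe
07/16/2005  11:05 AM           417,792 sbmsg.dll
07/16/2005  05:30 PM    <DIR>          dllcache
06/23/2005  11:09 AM           417,792 guard.tmp
09/04/2002  11:30 AM    <DIR>          Microsoft
"""

HJT_LINE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<rest>.*)$")
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+\d{2}:\d{2} [AP]M\s+(?P<size>[\d,]+)\s+(?P<name>\S.*)$"
)


def parse_hjt(text):
    """Return (section, remainder) for each HJT result line; headers and blanks are skipped."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("rest")))
    return out


def winlogon_notify_dlls(entries):
    """An O20 line names a DLL that winlogon.exe loads at every logon, before the
    shell starts; that is why the file is in use even in Safe Mode. Return its path."""
    return [rest.rsplit(" - ", 1)[1].strip()
            for sec, rest in entries
            if sec == "O20" and rest.startswith("Winlogon Notify:")]


def parse_dir_listing(text):
    """Return {name: size in bytes} for the file lines of a DOS 'dir' listing."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:  # <DIR> rows do not match the numeric size group and are dropped
            files[m.group("name")] = int(m.group("size").replace(",", ""))
    return files


def same_size_clusters(files, min_count=3):
    """Group files by exact size; a run of same-size, random-named DLLs is the
    telltale in this listing. min_count=3 is an assumed threshold."""
    by_size = defaultdict(list)
    for name, size in files.items():
        by_size[size].append(name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_count}


def triage(hjt_text, dir_text, min_count=3):
    """Basenames of Winlogon Notify DLLs that also sit in a same-size cluster."""
    notify = {p.rsplit("\\", 1)[-1].lower() for p in winlogon_notify_dlls(parse_hjt(hjt_text))}
    clustered = {n.lower()
                 for names in same_size_clusters(parse_dir_listing(dir_text), min_count).values()
                 for n in names}
    return sorted(notify & clustered)


if __name__ == "__main__":
    print("Winlogon Notify DLLs:", winlogon_notify_dlls(parse_hjt(HJT_SAMPLE)))
    print("same-size clusters:", same_size_clusters(parse_dir_listing(DIR_SAMPLE)))
    print("flagged:", triage(HJT_SAMPLE, DIR_SAMPLE))
```

Run against the full listing posted above, the 417,792-byte cluster would contain all sixteen DLLs that second.bat later backs up and deletes.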


----------



## Buzz1927 (Jul 18, 2005)

Hi James.
Run l2mfix again. When you run l2mfix.bat, select option 2 to run the fix. Hit any key to reboot, when it reboots wait for a notepad log to appear. Let me know how you get on.


----------



## Jameseee (Jul 18, 2005)

OK.  Ran l2mfix.bat Option 2 and rebooted.

No notepad appeared as nothing appears on the desktop.

I believe the following may be the log you are looking for:

L2Mfix 1.03a

Running From:
C:\l2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        	BUILTIN\Users
(ID-IO) ALLOW  Read        	BUILTIN\Users
(ID-NI) ALLOW  Full access 	BUILTIN\Administrators
(ID-IO) ALLOW  Full access 	BUILTIN\Administrators
(ID-NI) ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access 	CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------   	BUILTIN\Administrators
(NI)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        	BUILTIN\Users
(ID-IO) ALLOW  Read        	BUILTIN\Users
(ID-NI) ALLOW  Full access 	BUILTIN\Administrators
(ID-IO) ALLOW  Full access 	BUILTIN\Administrators
(ID-NI) ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access 	CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Thanks.

Later.

James


----------



## Buzz1927 (Jul 18, 2005)

Ok, open the l2mfix folder. Find the file called "second.bat" and run that.


----------



## Jameseee (Jul 18, 2005)

OK.  Here is the resulting log file.

Running From:
C:\l2mfix\l2mfix

killing explorer and rundll32.exe 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed 

Second Pass Scanning 

Second pass Completed!
Backing Up: C:\WINNT\system32\crosys.dll
        1 file(s) copied.
...

[Part of log removed due to space limits]

...

deleting: C:\WINNT\system32\guard.tmp  
Successfully Deleted: C:\WINNT\system32\guard.tmp


Zipping up files for submission:
  adding: crosys.dll (188 bytes security) (deflated 48%)
  adding: GXCollection.dll (188 bytes security) (deflated 48%)
  adding: iaq.dll (188 bytes security) (deflated 48%)
  adding: ibitpki.dll (188 bytes security) (deflated 48%)
  adding: IO41_QC.dll (188 bytes security) (deflated 48%)
  adding: kadhu.dll (188 bytes security) (deflated 48%)
  adding: kudic.dll (188 bytes security) (deflated 48%)
  adding: mfl_mtf.dll (188 bytes security) (deflated 48%)
  adding: mir2c.dll (188 bytes security) (deflated 48%)
  adding: mkcndmgr.dll (188 bytes security) (deflated 48%)
  adding: mrxml2r.dll (188 bytes security) (deflated 48%)
  adding: nbmarta.dll (188 bytes security) (deflated 48%)
  adding: sbmsg.dll (188 bytes security) (deflated 48%)
  adding: smcpack.dll (188 bytes security) (deflated 48%)
  adding: wtploc.dll (188 bytes security) (deflated 48%)
  adding: guard.tmp (188 bytes security) (deflated 48%)
  adding: clear.reg (188 bytes security) (deflated 37%)
  adding: echo.reg (188 bytes security) (deflated 12%)
  adding: direct.txt (188 bytes security) (deflated 22%)
  adding: lo2.txt (188 bytes security) (deflated 87%)
  adding: readme.txt (188 bytes security) (deflated 49%)
  adding: report.txt (188 bytes security) (deflated 61%)
  adding: test.txt (188 bytes security) (deflated 88%)
  adding: test2.txt (188 bytes security) (deflated 17%)
  adding: test3.txt (188 bytes security) (deflated 17%)
  adding: test5.txt (188 bytes security) (deflated 17%)
  adding: xfind.txt (188 bytes security) (deflated 84%)
  adding: backregs/46C71DDC-8117-4D25-BD30-A2DB126E6569.reg (188 bytes security) (deflated 70%)
  adding: backregs/7ED75993-9504-4EB8-8571-897750CA5AAB.reg (188 bytes security) (deflated 70%)
  adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions: 


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        	BUILTIN\Users
(ID-IO) ALLOW  Read        	BUILTIN\Users
(ID-NI) ALLOW  Full access 	BUILTIN\Administrators
(ID-IO) ALLOW  Full access 	BUILTIN\Administrators
(ID-NI) ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access 	NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access 	CREATOR OWNER


Restoring Sedebugprivilege:

 Granting SeDebugPrivilege to Administrators   ... successful

deleting local copy: crosys.dll   
deleting local copy: crosys.dll   
deleting local copy: GXCollection.dll   
deleting local copy: GXCollection.dll   
deleting local copy: iaq.dll   
deleting local copy: iaq.dll   
deleting local copy: ibitpki.dll   
deleting local copy: ibitpki.dll   
deleting local copy: IO41_QC.dll   
deleting local copy: IO41_QC.dll   
deleting local copy: kadhu.dll   
deleting local copy: kadhu.dll   
deleting local copy: kudic.dll   
deleting local copy: kudic.dll   
deleting local copy: mfl_mtf.dll   
deleting local copy: mfl_mtf.dll   
deleting local copy: mir2c.dll   
deleting local copy: mir2c.dll   
deleting local copy: mkcndmgr.dll   
deleting local copy: mkcndmgr.dll   
deleting local copy: mrxml2r.dll   
deleting local copy: mrxml2r.dll   
deleting local copy: nbmarta.dll   
deleting local copy: nbmarta.dll   
deleting local copy: sbmsg.dll   
deleting local copy: sbmsg.dll   
deleting local copy: smcpack.dll   
deleting local copy: smcpack.dll   
deleting local copy: wtploc.dll   
deleting local copy: wtploc.dll   
deleting local copy: guard.tmp   
deleting local copy: guard.tmp   

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found: 
****************************************************************************
C:\WINNT\system32\crosys.dll 
C:\WINNT\system32\crosys.dll 
C:\WINNT\system32\GXCollection.dll 
C:\WINNT\system32\GXCollection.dll 
C:\WINNT\system32\iaq.dll 
C:\WINNT\system32\iaq.dll 
C:\WINNT\system32\ibitpki.dll 
C:\WINNT\system32\ibitpki.dll 
C:\WINNT\system32\IO41_QC.dll 
C:\WINNT\system32\IO41_QC.dll 
C:\WINNT\system32\kadhu.dll 
C:\WINNT\system32\kadhu.dll 
C:\WINNT\system32\kudic.dll 
C:\WINNT\system32\kudic.dll 
C:\WINNT\system32\mfl_mtf.dll 
C:\WINNT\system32\mfl_mtf.dll 
C:\WINNT\system32\mir2c.dll 
C:\WINNT\system32\mir2c.dll 
C:\WINNT\system32\mkcndmgr.dll 
C:\WINNT\system32\mkcndmgr.dll 
C:\WINNT\system32\mrxml2r.dll 
C:\WINNT\system32\mrxml2r.dll 
C:\WINNT\system32\nbmarta.dll 
C:\WINNT\system32\nbmarta.dll 
C:\WINNT\system32\sbmsg.dll 
C:\WINNT\system32\sbmsg.dll 
C:\WINNT\system32\smcpack.dll 
C:\WINNT\system32\smcpack.dll 
C:\WINNT\system32\wtploc.dll 
C:\WINNT\system32\wtploc.dll 
C:\WINNT\system32\guard.tmp 
C:\WINNT\system32\guard.tmp 

Registry Entries that were Deleted: 
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{46C71DDC-8117-4D25-BD30-A2DB126E6569}"=-
"{7ED75993-9504-4EB8-8571-897750CA5AAB}"=-
[-HKEY_CLASSES_ROOT\CLSID\{46C71DDC-8117-4D25-BD30-A2DB126E6569}]
[-HKEY_CLASSES_ROOT\CLSID\{7ED75993-9504-4EB8-8571-897750CA5AAB}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
****************************************************************************


I have not rebooted yet because I wanted to make sure there wasn't something else you wanted me to do first.

Thanks.

James


----------



## Buzz1927 (Jul 18, 2005)

That looks like it got it, go ahead and reboot and post back if everything's ok.


----------



## Jameseee (Jul 18, 2005)

Still no desktop icons or start menu.  Task Manager shows 5 instances of svchost (2 SYSTEM, 2 NETWORK SERVICE, 1 SYSTEM).  This might be normal for this computer; I don't know.

Hijack This log looks good.

Should I try a System Restore or will that be inviting the problem back in?

Please advise.

Thanks for the help.

Later.

James


----------



## Jameseee (Jul 18, 2005)

Sorry, that should have read (2 SYSTEM, 2 NETWORK SERVICE, 1 LOCAL SERVICE)


----------



## Byteman (Jul 18, 2005)

Never do a system restore after being infected. System restore saves registry entries and files in system folders and will potentially put the infection back on the machine. (That's why I have people disable it, first thing in the sticky.) If you disabled it, it erases all previous restore points. So once you clean again, then you can enable it.


----------



## Jameseee (Jul 18, 2005)

OK.  That's what I thought, but it never hurts to ask.

Unfortunately, without a desktop or start menu, I didn't know how to disable it.  So, it is still enabled.


----------



## Buzz1927 (Jul 18, 2005)

Hi James.
Open the l2mfix folder. At the top should be a folder called "regfixes", open it and double-click on "winlogondefaults.reg". Reboot and see if the desktop's back.


----------



## Jameseee (Jul 18, 2005)

Nope.  No change.

Later.

James


----------



## Buzz1927 (Jul 18, 2005)

Hi James.
Download the XP Fix. Install it and reboot. Can I see a new HijackThis log as well, please?


----------



## Jameseee (Jul 19, 2005)

No change after XP Fix.  Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 8:34:44 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

I don't mind continuing, but I'm sure you have others to help and this may be one to wipe and reload.  I just don't want to abuse a great resource.  Don't hesitate to make that call, if you think it's necessary.

Thanks.

Later.

James


----------



## Byteman (Jul 19, 2005)

Jameseee,
I was asked to interject. See the link below, it may be able to get you back on track. Let us know.   

http://support.microsoft.com/default.aspx?scid=kb;en-us;318027


----------



## Jameseee (Jul 19, 2005)

Thanks guys.

Unfortunately, even after an "in-place upgrade" of Windows XP, I had no desktop or Start Menu.  And, at that point, it took 2.5 minutes after pressing Ctrl-Shift-Esc for the Task Manager to appear and another 3 minutes for Hijack This to load.  It was just getting too messy, so I wiped it.

It was a valiant effort, but ...

Later.

James


----------



## Byteman (Jul 19, 2005)

Sorry to hear it; however, there are times when a system needs a good format & restore. I assume you backed up any data you needed to be saved? If so, I would run a virus scan on it first thing.


----------

