# Task manager / desktop disabled



## nikkavy (Oct 6, 2008)

Hello,
I think I've been infected with something and hoping someone on this site might be able to help. I'm running win XP sp3 on a pretty standard PC.

My computer was running very slow and when I restart, I now find my taskbar / start menu is missing, along with all my desktop items. When I use ctrl-alt-del I get an error message "Task Manager has been disabled by your administrator"

I cannot run anything except from the command line window and I don't have hijackthis installed.

I started in safe mode, ran REGEDIT to remove the "disable taskbar" section, but each time I exit Registry Editor it resets, so that when I re-enter to check, the entry has returned and is set back to 1.

Any help would be appreciated!
thank you.
cassy


----------



## dvk01 (Dec 14, 2002)

Please download Malwarebytes' Anti-Malware to your desktop
from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded. 
Once the program has loaded, select Perform quick scan, then click Scan. 
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. 
Please include this log in your next reply.


----------



## nikkavy (Oct 6, 2008)

Hi, thank you so much for your speedy response!

I can't figure out a way to load the software you suggested onto my computer as it will pretty much only do 2 things:

1) load in safe mode with command prompt - I can use cmd to run regedit, etc. but I have no desktop / icons / system tray / taskbar or start menu key functions (screen background is just black with "safe mode" in 4 corners and a cmd window in center).

2) load normally, which just gives me the "desktop background" image with no icons / system tray / taskbar or start menu key functions.

Since this doesn't allow me to navigate anything or install anything, I had an idea to download the program to my laptop, which works fine, burn a cd and open it somehow thru the cmd window on the malfunctioning laptop, but I'm not sure of the commands and whether I can access any kind of autorun from the command window.

Any thoughts on this?
thanks!
cassy


----------



## dvk01 (Dec 14, 2002)

If it's that bad, I would suggest the safest solution is to format & reinstall.


----------



## nikkavy (Oct 6, 2008)

Actually, last night I discovered that I can get into Explorer although I still have no task manager / start button.
I was able to install Spybot S&D and HijackThis, although the program you were suggesting gave an error message on attempt to install (I can do it again and post the error message if that helps).
I am able to run both; would it help to post my HJT log or list the malware found by Spybot S&D?
thanks!
cassy


----------



## dvk01 (Dec 14, 2002)

If you can get into Explorer then post a HJT log & we can see from that and decide on the next step.

Post the error message MBAM gave.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,

Sorry for replying to this so late - I thought my post went thru last week but today I realized it didn't. So I'm reposting it; also my logs were too big for the site so I am adding them as attachments.

I actually tried a couple of other things (before I read your post) and it seems to be getting better.

I ran spybot, let it remove the items it found. But each time I restarted it found the same things so I removed spybot, installed Mbam, let it remove the items it found (it found a lot more and took a lot longer to scan). 

After running mbam in safe mode and restarting in safe mode I got ctrl-alt-del functionality back! 
Regedit no longer shows "tskmgr disable".
I removed mbam, reinstalled spybot, ran it again, it found "hitbox" and removed it.

Now both mbam and spybot claim they don't find any items.
When I run in safe mode, I have a taskbar / start menu and can see all my desktop items. I can use the start menu to navigate and start programs. However I have no network access.

When I start in normal mode I get only a desktop picture with no icons or start menu/taskbar. I still have ctrl-alt-del and can start the "explorer.exe" process to navigate my hard disk but have no internet access. I have to use ctrl-alt-del and explorer window to navigate everything - it shows everything on my desktop, etc. but the items don't actually appear on the desktop. Also everything runs extremely slow and explorer "hangs" for a while before opening a window. One time when I tried to shut down it said it could not shut down a process called "proxydesktop" but it doesn't show that message every time.

Thanks so much for your help, I'm posting my HJT and spybot logs from a scan I did this morning. Sorry they are so long but hopefully they are what you're expecting to see. I looked at your website and figured out you're in the UK so now I know when to look for your posts. BTW, the hedgehogs are adorable! Too bad I live in an apartment in Seattle, WA - wish I could adopt one or a few!
cassy


----------



## dvk01 (Dec 14, 2002)

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply


----------



## nikkavy (Oct 6, 2008)

hi derek

I went over the instructions for recovery console and started the install, but as soon as I ran the first command I got an error message saying Windows could not start setup because the version of Windows on my computer is newer than the one on the CD. I think this is because I'm running SP3.

Any suggestions on getting the recovery console running? The Internet connection is not working on my computer but I can use another one and burn a CD to get data onto my desktop if needed.
Thanks!
Cassy


----------



## dvk01 (Dec 14, 2002)

Forget recovery console for now & just run ComboFix.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,

When I restarted after attempting to do the recovery console my desktop reappeared briefly, but I still don't have internet connectivity.

I downloaded combofix on my other computer and copied it to the desktop.
When I run combofix (in safe mode) it opens a windows dialog that says "select a group to convert" (it looks similar to when you tell MS word you want to insert something from a file, where it shows the contents of a directory for you to pick the file from). The directory that it defaults to is "Windows" then that window closes. It's asking for a *.grp file.

I never saw any of the things bleepingcomputer said would come up when combofix was run.

I wanted to make sure there wasn't a problem with the ComboFix file so I downloaded, copied, and installed it again but had the same result.

Also when I try to start it in regular mode I get the same thing.


----------



## dvk01 (Dec 14, 2002)

Let's see if this will get internet back.

Download LSPfix here: http://www.cexx.org/lspfix.htm
Run the application. Just run it; you will see a list of files in the left hand pane and possibly some in the right hand pane. Do not change any of them, just tick the "I know what I'm doing" box & press Finish and the program will do anything necessary.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,
I ran lspfix, it says there are no problems. I tried running it anyway but it said it found nothing to fix.

Just to be clear, when I start in normal mode I am still missing taskbar and desktop. Sometimes when I try to shut down it says it's trying to close a program called proxydesktop. I am not sure what that is, could it be part of the problem?
cassy


----------



## dvk01 (Dec 14, 2002)

I have never seen that error with ComboFix.

I think that whatever has happened is going to be almost impossible to fix on a forum and it might be better to consider a format & reinstall.

Do you have your Windows disc?


----------



## nikkavy (Oct 6, 2008)

I do have my Windows disk and disks for all my software, but I really don't want to lose all my data, and while I have some backups they're not terribly recent.
If I do a format & reinstall, can I back up my data to my second disk (physically separate, but it is an internal drive) so that I can get my data back?

For example, my Outlook backup is too big to save to a cd or dvd so the only place I have to back it up is on my second disk, unless I buy an external drive which I could do but would really prefer not to.


Will the reinstall delete the data from my second disk?

Any more ideas why things seem to work almost normally when I run in safe mode but everything is hidden when I run in regular mode?
thanks!
cassy


----------



## dvk01 (Dec 14, 2002)

Yes, you can back up all data to a second hard disc.

It would be a good idea to do that anyway, just in case.

Let's just see if this shows us something first.

Download *RSIT* (random's system information tool) from here to your desktop, then click on the *RSIT.exe* to start the scan.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

*RSIT will also create a second log*, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can use separate posts here when replying and posting the log files if needed.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,
I copied rsit to my desktop and tried to run it but I keep getting a dialog box that says:
"AutoIt error"
Line -1
Error: Variable used without being declared.
OK
The only option is to click OK then nothing happens.
cassy


----------



## dvk01 (Dec 14, 2002)

I got that sometimes as well.

Just run it again & it normally works OK.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,
I tried running it a few times in normal mode and safe mode and every time it gets to "listing services and drivers" it gives the Line -1 error. It just stops at that point, if I click OK on the message the program stops.

There was a log file created in the directory you mentioned, I will post it in reply to this post.
cassy


----------



## dvk01 (Dec 14, 2002)

If both ComboFix & RSIT don't run, I think we are having big problems.

Let's see whether this one runs.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes* group click *Non-Microsoft*.
In the *Win32 Services* group click *Non-Microsoft*.
In the *Driver Services* group click *Non-Microsoft*.
In the *Registry* group click *ALL*.
In the *Files Created Within* group click *30 days*. Make sure *Non-Microsoft only* is *CHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only* is *CHECKED*.
In the *File String Search* group select *ALL*.
In the *Additional scans* section, please select *All* and then *unselect* Event Viewer. *Uncheck* *Non-Microsoft only*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Save that Notepad file.
Use the *Reply* button and *attach the Notepad file here*. I will review it when it comes in.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,
I tried to dl winpfind but couldn't get to the download site
I googled it and found a page on bleepingcomputer with posts saying this program has been retired by Oldtimer for some reason. I wasn't sure, though, what has replaced it.

Do you know if there is something else I should use, or perhaps have another link where I could download it?
cassy


----------



## dvk01 (Dec 14, 2002)

Sorry, I am having one of my bad days.

It has changed to OTScanIt.

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
Open the *OTScanIt* folder and double-click on *OTScanIt.exe* to start the program.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Save that Notepad file.
If the log is too large to post, use the *Reply* button, scroll down to the attachments section and attach the Notepad file here.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,
Thanks for getting back to me!
I ran the program, it only took a few minutes. I just used the default settings so please let me know if I should have chosen a more detailed scan.

thank you, I'm posting my log as an attachment because the system says it's too long 
cassy


----------



## dvk01 (Dec 14, 2002)

Start *OTScanIt*. Copy/Paste the information in the Code box below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {05A98586-F8C8-434A-8B4D-4AF4AF2920A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {6C19F73F-58DB-417D-967F-89636720F4B8} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\urqpnOGy.dll [Reg Error: Value  does not exist or could not be read.]
[Files/Folders - Created Within 30 days]
NY -> bvpelegp.ini -> %SystemRoot%\System32\bvpelegp.ini
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> qiidjftf.dll -> %SystemRoot%\System32\qiidjftf.dll
NY -> tdssserf1.dll -> %SystemRoot%\System32\tdssserf1.dll
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> bvpelegp.ini -> %SystemRoot%\System32\bvpelegp.ini
[Empty Temp Folders]
[ZipFiles]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new OTScanIt scan*.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
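The OTScanIt fix above removes a ShellExecuteHook entry, a Browser Helper Object and a few dropped files, and the first post in the thread describes the Task Manager policy value being set back to 1 after every edit. The PowerShell script below is an added example, not something from the thread or from OTScanIt/HijackThis: it reads those three persistence locations and reports each entry with the DLL it resolves to, whether that file exists on disk and whether it carries a valid Authenticode signature, so a responder can see what is being loaded into Explorer before deciding what to remove. It assumes a PowerShell with the registry provider on the affected machine; resolving a CLSID to its DLL through `InProcServer32` is standard COM registration, not something the thread spells out, and the script changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the persistence
# locations the OTScanIt fix touches, plus the Task Manager policy value from
# the first post. Nothing is deleted; every line of output is a report only.

function Resolve-ClsidServer {
    param([string]$Clsid)
    # A COM object's DLL is the (default) value of HKCR\CLSID\{guid}\InProcServer32.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (Test-Path $key) {
        $dll = (Get-ItemProperty -Path $key).'(default)'
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $null
}

function Get-EntryReport {
    param([string]$Source, [string]$Clsid)
    $dll = Resolve-ClsidServer $Clsid
    if (-not $dll) {
        # Same situation as the "Key does not exist" lines in the fix above:
        # the hook/BHO is registered but its COM class is gone or unreadable.
        return "$Source $Clsid -> (no InProcServer32 key; dangling registration)"
    }
    $present = Test-Path $dll
    $sig = 'n/a'
    if ($present) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }
    $state = if ($present) { 'present' } else { 'missing' }
    return "$Source $Clsid -> $dll [file: $state; signature: $sig]"
}

# 1. ShellExecuteHooks: each value name under this key is a CLSID that
#    Explorer loads into its own process on every ShellExecute call.
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    (Get-ItemProperty -Path $hooks).PSObject.Properties |
        Where-Object { $_.Name -like '{*}' } |
        ForEach-Object { Get-EntryReport 'ShellExecuteHook' $_.Name }
}

# 2. Browser Helper Objects: each subkey name is a CLSID loaded into
#    Internet Explorer (and, on XP, Windows Explorer) at start-up.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem -Path $bho | ForEach-Object { Get-EntryReport 'BHO' $_.PSChildName }
}

# 3. Task Manager policy: DisableTaskMgr = 1 in either hive produces the
#    "Task Manager has been disabled by your administrator" message.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        $v = (Get-ItemProperty -Path $pol).DisableTaskMgr
        if ($v) { "$hive DisableTaskMgr = $v (Task Manager blocked by policy)" }
    }
}
```

Run it from an elevated PowerShell prompt and compare the output against a known-good machine: an unsigned or missing DLL registered as a ShellExecuteHook or BHO, or a DisableTaskMgr value that returns after being cleared, are the conditions the thread is dealing with. Because the script only reads, it can be run repeatedly (for example before and after a fix, or after a reboot) to confirm whether a value is being re-set by something still running.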


----------



## dvk01 (Dec 14, 2002)

Then it looks like a rootkit is active, hiding things.

Download the GMER rootkit detector from http://gmer.net

Unzip it & double-click the gmer.exe file.

Select the Rootkit tab & press Scan.

When it has finished, press Copy & post back the log it makes.


----------



## nikkavy (Oct 6, 2008)

Hi Derek,

I ran OTscan but it got stuck, so I had to stop it.
When I started the program again it gave me the first log, then said it wasn't finished and needed to reboot, so I did that and ran it again which gave the second log.

Log 1:
&#65533;&#65533;[


----------



## nikkavy (Oct 6, 2008)

Derek,
It looks like the logs didn't post correctly so I'm attaching them here.
cassy


----------



## dvk01 (Dec 14, 2002)

OT logs look OK.

Let's see the log GMER made to see if the rootkit is still active.

How is the computer at the moment?


----------



## nikkavy (Oct 6, 2008)

Hi Derek,
I downloaded GMER and tried to run it. It just opened a cmd window then gave me what looks like an error message; it said:
"16 bit MS-DOS Subsystem"
C:\DOCUME~1\cvaughn\Desktop.... (the path to the gmer file I was trying to run)
The NTVDM CPU has encountered an illegal instruction.
CS:056d IP:010a OP:63 20 4f 53 20 Choose "Close" to terminate the application.

The first time I chose Close and it just closed. Second time I chose "ignore".



Then I got another box
"16 bit MS-Dos subsystem"
(path to the gmer file.exe)
The NTVDM CPU has encountered an illegal instruction.
CS:056d IP: 1109 OP:65 63 69 66 69 Choose "close" to terminate the application.
I chose ignore.

I got two more of these boxes, chose ignore for both of them, then the program just closed.

_______________

You asked me what problems or weird things are still going on, so here's the list:

I read on a forum that the proxy desktop thing was related to too many explorer processes running so I tried what seemed to work for other people. 

When my computer starts to the blank desktop, I go into the running processes window of Task Manager and stop all the explorer.exe processes, then start new task explorer.exe (this is in normal mode).

Then my desktop and start menu show up (with the little yellow !triangle! over my network connection that says Limited or no connectivity). When I go to Support on this it says the problem occurred because the network did not assign a network address to the computer.
Under Details it gives the connection details, which show my MAC address and confirm that there's no IP address or subnet mask for the MAC address. The DNS server shows up as 192.168.2.1. When I click Repair I get a message saying Windows could not finish repairing the problem because the following action cannot be completed: Renewing your IP address.
For assistance contact the person who manages your network.

Another strange thing is that I can't even log onto my router using firefox (usually I can log into the router when there's no internet). My laptop and my housemates laptop are still getting signal from the router just fine.

Also windows explorer is running extremely slow. When I click to explore my computer the flashlight shows up for maybe 6 minutes. My computer is not super fast but it's not normally that slow. It can find things in My documents just fine but when I want it to go to my computer to get the files off of the SD card reader (that's how I've been getting files on & off the desktop) it takes a very long time but does open eventually.

Strangely MS Outlook ran OK without checking messages - I was able to backup my whole file. But when I run itunes, it looks really strange on the screen. All the background is "transparent". I can see all the playlists but the chrome color of the gui background is completely missing. Also it takes a really long time to load.

Well I hope some of that info is helpful - I am really hoping I don't have to reinstall windows but I am backing things up to my second drive in case I have to..
cassy


----------



## dvk01 (Dec 14, 2002)

Ah, now we know the problem, stopping all the other tools running to do the fixes.

Go here and use the appropriate fix for your system
http://www.tech-forums.net/computer/topic/29806.html


----------



## nikkavy (Oct 6, 2008)

Hi Derek,
I followed the link you gave but I think they moved something, I am not sure if it's the right page.
I downloaded the file for XP Pro (xpprofiles.exe) from the page the link sent me to, copied it over to my desktop and ran the exe. It just said "3 files extracted" to folder c:\windows\system32, "overwrite files without prompting" was checked. It didn't do anything else that I can tell. I restarted my computer and everything is still the same.

Do I now need to run the other fixes - if so, in what order?
cassy


----------



## dvk01 (Dec 14, 2002)

Try GMER first, see if it runs & get a log from that.


----------



## nikkavy (Oct 6, 2008)

I get all the same error messages as before when I try to run GMER.
cassy


----------



## dvk01 (Dec 14, 2002)

That should have fixed the error that stops GMER running.

I don't see any solution to this one except format & reinstall.


----------

