Desktop icons gone

Thread starter: Sirius
Not mine, hers. I'm not sure why. She has Free AVG... I guess it's not the best. And with AVG she did not have a good firewall.



"PA Bear [MS MVP]" wrote in message news:eNVfoYV$KHA.1448@TK2MSFTNGP06.phx.gbl...
> Why didn't your AV app catch it?
>
> Sirius wrote:
>> It found o.dat that was missed by mbam and dr. web.
>>
>> "PA Bear [MS MVP]" wrote in message news:e0kVhDQ$KHA.980@TK2MSFTNGP04.phx.gbl...
>>> QED: Why did it find anything?
>>>
>>> Sirius wrote:
>>>> Thank you, Jose. I did a scan in safe mode with Dr Web CureIt and quarantined everything it found.
>>>>
>>>> I was able to run a safe mode scan with mbam older version. I can not get the new version of mbam to work. Keep getting the "mbam error expanding variables 0 9". Every scan takes a very long time because there is a lot.
>>>>
>>>> Now I am doing Avast boot time scanner. I'll post back with what you suggested when finished.
>>>>
>>>> Thanks again.
>>>>
>>>> "Jose" wrote in message news:e9433a4b-574a-4d1e-8d9f-acd9b94118e2@o12g2000vba.googlegroups.com...
>>>> On May 26, 12:12 pm, "Sirius" wrote:
>>>>> It's happening in safe mode also.
>>>>> Is there a way to manually extract a copy of the registry from a restore point?
>>>>>
>>>>> "Db" wrote in message news:C1615B6A-FD0F-408B-ACAE-77D6C8439838@microsoft.com...
>>>>>> sometimes when the desktop fails to load, it is a sign of a problem with the registry hive.
>>>>>>
>>>>>> you might try opening the task manager and killing all instances of explorer.exe, then launch a new instance of explorer.exe
>>>>>>
>>>>>> however, given that you are also unable to amend the startups in msconfig, the issues above may be indicative of a serious problem with the registry hive
>>>>>>
>>>>>> the registry hive, like any file on the disk, can become un-indexed by the mft.
>>>>>>
>>>>>> there is also a possibility that a program has locked up the registry to keep it from being modified.
>>>>>>
>>>>>> the above can be caused by malware or some anti viral program that was intentionally installed.
>>>>>>
>>>>>> because there are several methods to address the issue or issues above, my first suggestion is to simply boot into safe mode.
>>>>>>
>>>>>> in there you can see if performance is better than in normal mode.
>>>>>>
>>>>>> in there you can use system restore and see if there is a functional point to execute.
>>>>>>
>>>>>> in there you can amend the startups and services via msconfig; disabling all startups and non microsoft services.
>>>>>>
>>>>>> --
>>>>>> DatabaseBen, Retired Professional
>>>>>>
>>>>>> This NNTP newsgroup is evolving to: http://answers.microsoft.com/en-us/default.aspx
>>>>>>
>>>>>> "Sirius" wrote in message news:e3sPxWN$KHA.5916@TK2MSFTNGP04.phx.gbl...
>>>>>>> Hello People
>>>>>>>
>>>>>>> This is my friend's computer - again. It seems she really got it messed up.
>>>>>>>
>>>>>>> Also some programs missing from the start menu also, like system restore. I was able to access system restore from the help and support, went back about a month, but the icons did not come back. Some minor spyware and adware infections were found.
>>>>>>>
>>>>>>> Also, in msconfig I can't turn off some startup items. After I uncheck them they keep coming back. They are:
>>>>>>>
>>>>>>> ntuser.dat, ntuser.dat.LOG, ntuser.ini, and ~ (tilde file).
>>>>>>>
>>>>>>> Is there any way to get back her icons - I'm not even sure what she had exactly -? Or are they gone forever?
>>>>>>>
>>>>>>> Thank you.
>>>>
>>>> If I were you, I would stop "trying" things. You can try things all day long and it doesn't seem to be working very well.
>>>>
>>>> Did booting in Safe Mode help you at all? Describe what you learned from that exercise and what you will do next.
>>>>
>>>> You need to have some known starting point so get there and then work on the issues. Nothing you describe sounds too terrible, but some of the ideas to get your system working are way overboard - but, you can do what you want of course.
>>>>
>>>> You should stop messing with msconfig, turning things off and on, don't worry about extracting just registry files from a restore point, etc. If SR is missing or broken, no problem - we can fix it later but first you need to get stabilized.
>>>>
>>>> If your system boots and can get on the Internet, you don't need to slave it in another machine - fix it where it is.
>>>>
>>>> To eliminate questions and guessing, please provide additional information about your system.
>>>>
>>>> Click Start, Run and in the box enter:
>>>>
>>>> msinfo32
>>>>
>>>> Click OK, and when the System Summary info appears, click Edit, Select All, Copy and then paste the information back here.
>>>>
>>>> There will be some personal information (like System Name and User Name), and whatever appears to be private information to you, just delete it from the pasted information.
>>>>
>>>> Perform some scans for malicious software, then fix any remaining issues:
>>>>
>>>> Download, install, update and do a full scan with these free malware detection programs:
>>>>
>>>> Malwarebytes (MBAM): http://malwarebytes.org/
>>>> SUPERAntiSpyware (SAS): http://www.superantispyware.com/
>>>>
>>>> They can be uninstalled later if desired.

 
Thank you, Jose.

I sincerely hope there is nothing seriously wrong with this system.

My friend had only AVG on it for protection. It did not protect her well, obviously.

Dr Web is a portable scanner which I ran from a flash drive.

I did a scan with mbam older version but the definitions were not up to date. The update was trying to install the new version. The definition was from 6-09.

Doing a clean start with the help of msconfig is what I meant, hoping that would make mbam work. Then I discovered that some checkmarks kept coming back in the startup tab, namely:

ntuser.dat, ntuser.dat.LOG, ntuser.ini, and ~ (tilde file).

Which I found very strange; I've never seen it before on another PC's startup.

I've decided to run a health test on the hardware next. If the hard drive is dying, that could cause data corruptions.


"Jose" wrote in message news:b163d9f1-e69b-4ef6-adb5-52bd23ef641f@o4g2000vbo.googlegroups.com...
On May 26, 1:02 pm, "Sirius" wrote:
> Thank you, Jose. I did a scan in safe mode with Dr Web CureIt and quarantined everything it found.
>
> I was able to run a safe mode scan with mbam older version. I can not get the new version of mbam to work. Keep getting the "mbam error expanding variables 0 9". Every scan takes a very long time because there is a lot.
>
> Now I am doing Avast boot time scanner. I'll post back with what you suggested when finished.
>
> Thanks again.


MBAM does not recommend running in Safe Mode.

There was some issue on certain systems (especially with other scanning tools installed) reporting the error like you describe with MBAM 1.46.

It does not indicate a seriously compromised system. It indicates a system that had had a bunch of other stuff run on it that can't tell a legitimate file from a bad file (Avast!, Dr. Web CureIt!) and then the system had been tampered with by the user (self-inflicted wounds).

If you have MBAM 1.46:

Uninstall MBAM from Add/Remove Programs

Reboot

Download and run mbam-clean.exe from here:

http://www.malwarebytes.org/mbam-clean.exe

Reboot again.

Go back to malwarebytes.org and download version 1.45.

Install and do a full scan with MBAM 1.45

Sadly, I don't know what you mean about "doing things" to files in your msconfig....

Your msinfo32 information looks fine to me.
 
Tried it, did not help. Thank you.

"George" wrote in message news:O9P76rZ$KHA.4308@TK2MSFTNGP04.phx.gbl...
> Have you tried UNCHECKING it, rebooting, then CHECKING it and rebooting again? May not do anything but you won't lose anything by trying.
>
> "Sirius" wrote in message news:uQgw3ET$KHA.1068@TK2MSFTNGP05.phx.gbl...
>> Unfortunately, no. Not so simple. The checkmark is there but does not mean a thing....
>>
>> "George" wrote in message news:uWxm3kP$KHA.5044@TK2MSFTNGP04.phx.gbl...
>>> About the desktop, could it possibly be something simple like:
>>>
>>> Right click on desktop > Arrange Icons By > checkmark on Show Desktop Icons ?
>>>
>>> George
>>>

 
The hard drive is fine, passed all tests.





"Jose" wrote in message

news:b163d9f1-e69b-4ef6-adb5-52bd23ef641f@o4g2000vbo.googlegroups.com...

 
On May 27, 10:34 am, "Sirius" wrote:
> Thank you, Jose.
>
> I sincerely hope there is nothing seriously wrong with this system.
>
> My friend had only AVG on it for protection. It did not protect her well, obviously.
>
> Dr Web is a portable scanner which I ran from a flash drive.
>
> I did a scan with mbam older version but the definitions were not up to date. The update was trying to install the new version. The definition was from 6-09.
>
> Doing a clean start with the help of msconfig is what I meant, hoping that would make mbam work. Then I discovered that some checkmarks kept coming back in the startup tab, namely:
>
> ntuser.dat, ntuser.dat.LOG, ntuser.ini, and ~ (tilde file).
>
> Which I found very strange; I've never seen it before on another PC's startup.
>
> I've decided to run a health test on the hardware next. If the hard drive is dying, that could cause data corruptions.


You should not have entries like that in the msconfig Startup tab, so I don't get it at all, so let's see your startup information:

Download and install CCleaner from here and save the Startup information to a text file. Launch CCleaner, click Tools, Startup, Save to text file and save the startup information to your desktop (or someplace you can find it), open the file with a text editor, select all and paste the contents back here:

http://www.piriform.com/ccleaner

Uninstall CCleaner later if you don't like it (most people seem to like it for its other features).

Uninstall any old versions of MBAM, reboot, install the latest version of MBAM (no problem for me with 1.46), update and do a full scan.

If MBAM does not work, define what does not work means. It won't install, it won't launch, etc. We have our ways to make it talk....
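The Startup tab of msconfig that the thread keeps coming back to draws chiefly on the Run/RunOnce registry keys and the Startup folders. The PowerShell script below is an added example, not code from the thread or from any of its participants: it lists those locations and flags entries whose names are user-profile files rather than programs (ntuser.dat, ntuser.dat.LOG, ntuser.ini, "~"), which is what Sirius reports seeing. It also prints what the "Startup" and "Common Startup" shell-folder values resolve to, on the assumption (mine, not something the thread states) that a Startup folder value resolving to the profile root is one way such file names would end up in that tab.

```powershell
# Added example, not code from the thread. Enumerates the autostart locations
# that msconfig's Startup tab draws on (Run/RunOnce keys and the Startup
# folders) and flags entries that look like user-profile files rather than
# programs. Run from an ordinary PowerShell prompt as the affected user.

# Names the thread reports seeing in the Startup tab (compared case-insensitively).
$suspiciousNames = @('ntuser.dat', 'ntuser.dat.log', 'ntuser.ini', '~')

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds about the key itself; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

# 1. Registry autostart values: each value name maps to a command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $findings += [pscustomobject]@{
            Source  = $key
            Name    = $p.Name
            Target  = [string]$p.Value
            Suspect = ($suspiciousNames -contains $p.Name.ToLower())
        }
    }
}

# 2. Startup folders, resolved from the shell-folder registry values the shell
#    itself uses. Assumption (not stated in the thread): if one of these values
#    resolves to the profile root, the profile's own files (ntuser.dat etc.)
#    would be listed as startup items, so that condition is reported explicitly.
$shellFolders = @(
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Name = 'Startup' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Name = 'Common Startup' }
)
$profileRoot = ([string]$env:USERPROFILE).TrimEnd('\')

foreach ($sf in $shellFolders) {
    $valueName = $sf.Name
    $props = Get-ItemProperty -Path $sf.Key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $raw = $props.$valueName
    if (-not $raw) { continue }
    # Get-ItemProperty already expands REG_EXPAND_SZ values; expanding again is harmless.
    $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
    $pointsAtProfile = ($path.TrimEnd('\') -ieq $profileRoot)
    $flag = if ($pointsAtProfile) { '  <-- resolves to the profile root' } else { '' }
    Write-Host ("{0}\{1} -> {2}{3}" -f $sf.Key, $valueName, $path, $flag)

    # Everything in the folder is a startup item; profile files, or any folder
    # that is the profile root, are flagged.
    foreach ($item in @(Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{
            Source  = "Startup folder ($valueName)"
            Name    = $item.Name
            Target  = $item.FullName
            Suspect = ($suspiciousNames -contains $item.Name.ToLower()) -or $pointsAtProfile
        }
    }
}

# 3. Report: suspicious entries first, then everything else for comparison.
$findings |
    Sort-Object @{ Expression = 'Suspect'; Descending = $true }, Source, Name |
    Format-Table -AutoSize -Wrap

$bad = @($findings | Where-Object { $_.Suspect })
if ($bad.Count -gt 0) {
    Write-Host ("`n{0} autostart entries carry profile-file names rather than programs." -f $bad.Count)
} else {
    Write-Host "`nNo profile-file names found among the autostart entries."
}
```

The table it prints is the same information Jose asks for from CCleaner's Startup listing, with the odd entries sorted to the top; the shell-folder lines above the table show where those entries come from.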
 
I don't see a "save to text file" in CCleaner for the startup, only for the installed programs.

I do like CCleaner myself. I agree, those entries should not be there.

I have error messages when I try to start mbam: "mbam error expanding variables 0 9".

Hard drive passed the hardware test. Are you around this holiday weekend?

Thank you.



"Jose" wrote in message news:514c0132-499a-4358-8d2f-b51e63e10156@d12g2000vbr.googlegroups.com...

On May 27, 10:34 am, "Sirius" wrote:

> Thank you, Jose.

>

> I sincerely hope there is nothing seriously wrong with this system.

>

> My friend had only AVG on it for protection. It did not protect her well,

> obviously.

>

> Dr Web is a portable scanner which I ran from a flash drive.

>

> I did a scan with mbam older version but the definitions were not up to

> date. The update was trying to install the new version.

> The definition was from 6-09.

>

> I was doing a clean start with the help of msconfig is what I meant,

> hoping that would make mbam work.

> Then I discovered that some checkmarks kept coming back in the startup

> tab,

> namely:

>

> ntuser.dat, ntuser.dat.LOG, ntuser.ini, and ~ (tilde file).

>

> Which I found very strange, never seen it before on other pc startup.

>

> I've decided to run a health test on the hardware next. If the hard drive

> is

> dying, that could cause data corruptions.

>

> "Jose" wrote in message

>

> news:b163d9f1-e69b-4ef6-adb5-52bd23ef641f@o4g2000vbo.googlegroups.com...

> On May 26, 1:02 pm, "Sirius" wrote:

>

>

>

>

>

> > Thank you, Jose. I did a scan in safe mode with DR Web Cure it an

> > quarantined everything it found.


>

> > I was able to run a safe mode scan with mbam older version.

> > I can not get the new verison of mbam to work.

> > Keep getting the "mbam error expanding variables 0 9".

> > Every scan takes a very long time because there is a lot.


>

> > Now I am doing Avast boot time scanner. I'll post back with what you

> > suggested when finished.


>

> > Thanks again.


>

> > "Jose" wrote in message


>

> >news:e9433a4b-574a-4d1e-8d9f-acd9b94118e2@o12g2000vba.googlegroups.com...

> > On May 26, 12:12 pm, "Sirius" wrote:


>

> > > It's happening in safe mode also.

> > > Is there a way to manually extract a copy of the registry from a

> > > restore

> > > point?


>

> > > "Db" wrote in message


>

> > >news:C1615B6A-FD0F-408B-ACAE-77D6C8439838@microsoft.com...


>

> > > > sometimes when the desktop

> > > > fails to load,


>

> > > > it is a sign of a problem with

> > > > the registry hive.


>

> > > > you might try opening the

> > > > task manager and killing all

> > > > instances of explorer.exe


>

> > > > then launch a new instance

> > > > of explorer.exe


>

> > > > however, given that you are

> > > > also unable to amend the

> > > > startups in msconfig,


>

> > > > the issues above may be

> > > > indicative of a serious problem

> > > > with the registry hive


>

> > > > the registry hive, like any file

> > > > on the disk can become un-

> > > > indexed by the mft.


>

> > > > there is also a possibility that

> > > > a program has locked up the

> > > > registry to keep it from being

> > > > modified.


>

> > > > the above can be caused by

> > > > malware or some anti viral

> > > > program that was intentionally

> > > > installed.


>

> > > > because there are several

> > > > methods to address the issue

> > > > or issues above,


>

> > > > my first suggestion is to

> > > > simply boot into safe

> > > > mode.


>

> > > > in there you can see if

> > > > performance is better than

> > > > in normal mode.


>

> > > > in there you can use system

> > > > restore and see if there is a

> > > > functional point to execute.


>

> > > > in there you can amend the

> > > > startups and services via

> > > > msconfig;


>

> > > > disabling all startups and

> > > > non microsoft services.


>

> > > > --

> > > > --

> > > > db·´¯`·...¸>


>

> > > > DatabaseBen, Retired Professional


>

> > > > ~~~~~~~~~~~~~~~

> > > > This NNTP newsgroup is evolving to:


>

> > > >http://answers.microsoft.com/en-us/default.aspx


>

> > > > "Sirius" wrote in message

> > > >news:e3sPxWN$KHA.5916@TK2MSFTNGP04.phx.gbl...

> > > >> Hello People


>

> > > >> This is my friends computer - again. It seems she really got it

> > > >> messed

> > > >> up.


>

> > > >> Also some programs missing from the start menu also, like system

> > > >> restore.

> > > >> I was able to access system restore from the help and support, went

> > > >> back

> > > >> about a month, but the icons did not come back.

> > > >> Some minor spyware and adware infections were found.


>

> > > >> Also, in msconfig I can't turn off some startup items. After I

> > > >> uncheck

> > > >> them they keep coming back. They are:


>

> > > >> ntuser.dat, ntuser.dat.LOG, ntuser.ini, and ~ (tilde file).


>

> > > >> Is there any way to get back her icons - I'm not even sure what she






You should not have entries like that in the msconfig Startup

tab, so I don't get it at all, so let's see your startup information:



Download and install CCleaner from here and save the Startup information to

a text file. Launch CCleaner, click Tools, Startup, Save to text file

and save the startup information to your desktop (or someplace you can

find it), open the file with a text editor, select all and paste the

contents back here:



http://www.piriform.com/ccleaner



Uninstall CCleaner later if you don't like it (most people seem to

like it for its other features).



Uninstall any old versions of MBAM, reboot, install the latest

version of MBAM (no problem for me with 1.46), update and do a full

scan.



If MBAM does not work, define what does not work means. It won't

install, it won't launch, etc. We have our ways to make it talk....
 
Sirius wrote:

> I have error messages when I try to start mbam "mbam error expanding

> variables 0 9".




That is the result of the malware you have. You will continue to go

around in circles as long as you try to run MBAM while still in the

infected system. In another post you mentioned you would consider

slaving the drive to a working PC. That's your ticket. (Either that or

perform a Clean Install.)



Or just continue to spin your wheels...
 
On May 28, 12:37 pm, "Sirius" wrote:

> I don't see a "save to text file" in ccleaner for the startup, only for the

> installed programs.

>




Then you may have an old version of CCleaner - they added it recently

in 2.31.1153 (that was nice of them)



Get CCleaner here:



http://www.ccleaner.com/



If MBAM installs okay but will not launch, rename mbam.exe to jose.exe

and launch jose.exe (the malware will not be expecting that. Or maybe

it will by now...).



Your MBAM installation could also be afflicted - uninstall MBAM from

Add/Remove Programs, reboot and install it again and report the

results.



If you still have a problem, run SAS from the other link I provided.
 
Daave,



I respect everybody's suggestions. Some of them

will not work. If I slave the drive. Jose, for instance.



Thank you.



"Daave" wrote in message

news:OSI7goq$KHA.5536@TK2MSFTNGP02.phx.gbl...

> Sirius wrote:

>> I have error messages when I try to start mbam "mbam error expanding

>> variables 0 9".


>

> That is the result of the malware you have. You will continue to go around

> in circles as long as you try to run MBAM while still in the infected

> system. In another post you mentioned you would consider slaving the drive

> to a working PC. That's your ticket. (Either that or perform a Clean

> Install.)

>

> Or just continue to spin your wheels...

>
 
Jose, here it is:



Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

Yes HKCU:Run swg "C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

No HKCU:Run ctfmon C:\WINDOWS\system32\ctfmon.exe

No HKCU:Run DesktopWeather "C:\Program Files\The Weather Channel

FW\Desktop\DesktopWeather.exe"

No HKCU:Run notifyapp C:\Documents and Settings\Owner\Application

Data\Jenkat\Jenkat Games Arcade\notifyapp.exe

No HKCU:Run NBJ "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

No HKCU:Run smileycons C:\Program Files\Smileycons\smileycons.exe

No HKCU:Run SUPERAntiSpyware C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

No HKCU:Run GoogleToolbarNotifier "C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

No HKCU:Run wweb32

Yes HKLM:Run MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

/auto

Yes HKLM:Run avast5 C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

No HKLM:Run AdobeARM "C:\Program Files\Common

Files\Adobe\ARM\1.0\AdobeARM.exe"

No HKLM:Run Reader_sl "C:\Program Files\Adobe\Reader

9.0\Reader\Reader_sl.exe"

No HKLM:Run avgtray C:\PROGRA~1\AVG\AVG9\avgtray.exe

No HKLM:Run CarbonitePreinstaller "C:\Program

Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst

/reshowat=1800

No HKLM:Run brctrcen C:\Program Files\Brother\ControlCenter2\brctrcen.exe

/autorun

No HKLM:Run CorelIOMonitor C:\Program Files\Corel\Corel Paint Shop Pro Photo

X2\CorelIOMonitor.exe

No HKLM:Run CTHELPER CTHELPER.EXE

No HKLM:Run GWInkMonitor "C:\Program Files\Gateway\Gateway Ink

Monitor\GWInkMonitor.exe"

No HKLM:Run InCD C:\Program Files\Ahead\InCD\InCD.exe

No HKLM:Run IndexSearch C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

No HKLM:Run NeroCheck C:\WINDOWS\system32\NeroCheck.exe

No HKLM:Run NvCpl RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

No HKLM:Run NvMcTray RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

No HKLM:Run nwiz nwiz.exe /install

No HKLM:Run pptd40nt C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

No HKLM:Run QTTask "C:\Program Files\QuickTime\QTTask.exe" -atboottime

No HKLM:Run RealPlay C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER

No HKLM:Run BrStDvPt C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe

No HKLM:Run SSBkgdupdate "C:\Program Files\Common Files\Scansoft

Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

No HKLM:Run jusched "C:\Program Files\Common Files\Java\Java

Update\jusched.exe"

No Startup Common ntuser.dat \ntuser.dat

No Startup Common ntuser.dat.LOG \ntuser.dat.LOG

No Startup Common ntuser.ini \ntuser.ini

No Startup Common ~ \~







"Jose" wrote in message

news:5185d1a0-6324-4f90-85cc-54d09eabcd1e@m33g2000vbi.googlegroups.com...

On May 28, 12:37 pm, "Sirius" wrote:

> I don't see a "save to text file" in ccleaner for the startup, only for

> the

> installed programs.

>




Then you may have an old version of CCleaner - they added it recently

in 2.31.1153 (that was nice of them)



Get CCleaner here:



http://www.ccleaner.com/



If MBAM installs okay but will not launch, rename mbam.exe to jose.exe

and launch jose.exe (the malware will not be expecting that. Or maybe

it will by now...).



Your MBAM installation could also be afflicted - uninstall MBAM from

Add/Remove Programs, reboot and install it again and report the

results.



If you still have a problem, run SAS from the other link I provided.
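A small checker for the startup list pasted above, written for this thread rather than taken from CCleaner or anyone posting in it. It assumes the export's field layout as it appears in the paste (enabled flag, location, name, command line) with the wrapped lines rejoined, and flags the patterns the replies point at: Startup-folder entries that are not launchable files, Run entries with no command line, and one target registered under several names.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines from the list posted in the
# thread, with the newsreader's line wrapping undone.
SAMPLE = r"""
Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
No HKCU:Run ctfmon C:\WINDOWS\system32\ctfmon.exe
No HKCU:Run wweb32
Yes HKLM:Run avast5 C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
No HKLM:Run NvCpl RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
No Startup Common ntuser.dat \ntuser.dat
No Startup Common ~ \~
"""

# Assumed field layout: <Yes|No> <location> <name> [<command line>]
ENTRY = re.compile(r"^(Yes|No)\s+(HK(?:CU|LM):\w+|Startup \w+)\s+(\S+)(?:\s+(.*))?$")
# File types that belong in a Startup folder; anything else is worth a look.
LAUNCHABLE = {".exe", ".lnk", ".bat", ".cmd", ".com", ".pif", ".scr"}

def parse_entry(line):
    """Return one startup entry as a dict, or None for lines that do not fit."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    enabled, where, name, cmd = m.groups()
    return {"enabled": enabled == "Yes", "where": where, "name": name, "cmd": cmd or ""}

def executable_of(cmd):
    """First token of the command line, honoring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def audit(text):
    """Return (name, reason) pairs for entries that deserve a closer look."""
    findings = []
    by_target = defaultdict(list)
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if not e["cmd"]:
            findings.append((e["name"], "no command line: nothing to launch, or a hidden path"))
            continue
        exe = executable_of(e["cmd"])
        fname = exe.rsplit("\\", 1)[-1]
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if e["where"].startswith("Startup") and ext not in LAUNCHABLE:
            findings.append((e["name"], f"non-launchable file in the {e['where']} folder"))
        if e["where"].endswith(":Run"):
            by_target[exe.lower()].append(e["name"])
    # Same executable under two Run names is a review hint, not a verdict.
    for target, names in by_target.items():
        if len(names) > 1:
            findings.append((", ".join(names), f"same target under several names: {target}"))
    return findings
```

Running audit(SAMPLE) flags wweb32, the four non-executable files in the Common Startup folder, and the doubled ctfmon entry, while avast5 and the NVIDIA rundll32 entries pass.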
 
I'm not sure I follow, Sirius.



Slaving the drive is probably the only way to properly scan for malware

at this point (especially if you want to use MBAM). If you are unable to

slave the drive and if none of the other suggestions work, I think you

need to copy the data and perform a Clean Install.



If you are able to figure out another way, that's cool. But from what

I've seen in this thread, your PC is probably too compromised. And

although a Clean Install can take some time to do, it would have been a

lot quicker than the alternatives!



You could also try booting off one of the rescue CDs mentioned here:



http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/



Good luck.





Sirius wrote:

> Daave,

>

> I respect everybody's suggestions. Some of them

> will not work. If I slave the drive. Jose, for instance.

>

> Thank you.

>

> "Daave" wrote in message

> news:OSI7goq$KHA.5536@TK2MSFTNGP02.phx.gbl...

>> Sirius wrote:

>>> I have error messages when I try to start mbam "mbam error expanding

>>> variables 0 9".


>>

>> That is the result of the malware you have. You will continue to go

>> around in circles as long as you try to run MBAM while still in

>> the infected system. In another post you mentioned you would

>> consider slaving the drive to a working PC. That's your ticket.

>> (Either that or perform a Clean Install.)

>>

>> Or just continue to spin your wheels...
 
This thread got pretty complicated.



Jose wanted me to post an msinfo32, then print the startup items

from ccleaner latest version from the sick computer itself.



I did a scan with SUPERAntiSpyware, nothing.



Trendmicro sysclean, nothing found. Also their rubotted and rootkit

buster, nothing found.



My friend is out of town for the weekend and I don't have the installation

disks to do a clean install. Until then, I don't mind learning

and trying new things.









"Daave" wrote in message

news:eED%23Npt$KHA.348@TK2MSFTNGP06.phx.gbl...

> I'm not sure I follow, Sirius.

>

> Slaving the drive is probably the only way to properly scan for malware at

> this point (especially if you want to use MBAM). If you are unable to

> slave the drive and if none of the other suggestions work, I think you

> need to copy the data and perform a Clean Install.

>

> If you are able to figure out another way, that's cool. But from what I've

> seen in this thread, your PC is probably too compromised. And although a

> Clean Install can take some time to do, it would have been a lot quicker

> than the alternatives!

>

> You could also try booting off one of the rescue CDs mentioned here:

>

> http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

>

> Good luck.

>

>

> Sirius wrote:

>> Daave,

>>

>> I respect everybody's suggestions. Some of them

>> will not work. If I slave the drive. Jose, for instance.

>>

>> Thank you.

>>

>> "Daave" wrote in message

>> news:OSI7goq$KHA.5536@TK2MSFTNGP02.phx.gbl...

>>> Sirius wrote:

>>>> I have error messages when I try to start mbam "mbam error expanding

>>>> variables 0 9".

>>>

>>> That is the result of the malware you have. You will continue to go

>>> around in circles as long as you try to run MBAM while still in

>>> the infected system. In another post you mentioned you would

>>> consider slaving the drive to a working PC. That's your ticket.

>>> (Either that or perform a Clean Install.)

>>>

>>> Or just continue to spin your wheels...


>

>
 
Jose, did you see this?



"Sirius" wrote in message

news:ulcbf4s$KHA.3880@TK2MSFTNGP04.phx.gbl...

> Jose, here it is:

>

> Yes HKCU:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

> Yes HKCU:Run swg "C:\Program

> Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

> No HKCU:Run ctfmon C:\WINDOWS\system32\ctfmon.exe

> No HKCU:Run DesktopWeather "C:\Program Files\The Weather Channel

> FW\Desktop\DesktopWeather.exe"

> No HKCU:Run notifyapp C:\Documents and Settings\Owner\Application

> Data\Jenkat\Jenkat Games Arcade\notifyapp.exe

> No HKCU:Run NBJ "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

> No HKCU:Run smileycons C:\Program Files\Smileycons\smileycons.exe

> No HKCU:Run SUPERAntiSpyware C:\Program

> Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

> No HKCU:Run GoogleToolbarNotifier "C:\Program

> Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

> No HKCU:Run wweb32

> Yes HKLM:Run MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

> /auto

> Yes HKLM:Run avast5 C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

> No HKLM:Run AdobeARM "C:\Program Files\Common

> Files\Adobe\ARM\1.0\AdobeARM.exe"

> No HKLM:Run Reader_sl "C:\Program Files\Adobe\Reader

> 9.0\Reader\Reader_sl.exe"

> No HKLM:Run avgtray C:\PROGRA~1\AVG\AVG9\avgtray.exe

> No HKLM:Run CarbonitePreinstaller "C:\Program

> Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst

> /reshowat=1800

> No HKLM:Run brctrcen C:\Program Files\Brother\ControlCenter2\brctrcen.exe

> /autorun

> No HKLM:Run CorelIOMonitor C:\Program Files\Corel\Corel Paint Shop Pro

> Photo X2\CorelIOMonitor.exe

> No HKLM:Run CTHELPER CTHELPER.EXE

> No HKLM:Run GWInkMonitor "C:\Program Files\Gateway\Gateway Ink

> Monitor\GWInkMonitor.exe"

> No HKLM:Run InCD C:\Program Files\Ahead\InCD\InCD.exe

> No HKLM:Run IndexSearch C:\Program

> Files\ScanSoft\PaperPort\IndexSearch.exe

> No HKLM:Run NeroCheck C:\WINDOWS\system32\NeroCheck.exe

> No HKLM:Run NvCpl RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

> No HKLM:Run NvMcTray RUNDLL32.EXE

> C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

> No HKLM:Run nwiz nwiz.exe /install

> No HKLM:Run pptd40nt C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

> No HKLM:Run QTTask "C:\Program Files\QuickTime\QTTask.exe" -atboottime

> No HKLM:Run RealPlay C:\Program Files\Real\RealPlayer\RealPlay.exe

> SYSTEMBOOTHIDEPLAYER

> No HKLM:Run BrStDvPt C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe

> No HKLM:Run SSBkgdupdate "C:\Program Files\Common Files\Scansoft

> Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

> No HKLM:Run jusched "C:\Program Files\Common Files\Java\Java

> Update\jusched.exe"

> No Startup Common ntuser.dat \ntuser.dat

> No Startup Common ntuser.dat.LOG \ntuser.dat.LOG

> No Startup Common ntuser.ini \ntuser.ini

> No Startup Common ~ \~

>

>

>

> "Jose" wrote in message

> news:5185d1a0-6324-4f90-85cc-54d09eabcd1e@m33g2000vbi.googlegroups.com...

> On May 28, 12:37 pm, "Sirius" wrote:

>> I don't see a "save to text file" in ccleaner for the startup, only for

>> the

>> installed programs.

>>


>

> Then you may have an old version of CCleaner - they added it recently

> in 2.31.1153 (that was nice of them)

>

> Get CCleaner here:

>

> http://www.ccleaner.com/

>

> If MBAM installs okay but will not launch, rename mbam.exe to jose.exe

> and launch jose.exe (the malware will not be expecting that. Or maybe

> it will by now...).

>

> Your MBAM installation could also be afflicted - uninstall MBAM from

> Add/Remove Programs, reboot and install it again and report the

> results.

>

> If you still have a problem, run SAS from the other link I provided.

>

>
 