
Completed Step 8, Help with Logs

  #1  
Old 11-16-2008
TechSpot Member
 
Member since: Nov 2008, 53 posts
Completed Step 8, Help with Logs

Here are the 3 logs. It is my girlfriend's computer and she has been having some problems with the computer. It at first was just extremely slow, I couldn't find anything really that was making it slow down. But then when she booted up she would have a web page show up as her desktop. However at first she would just need to set her image back as her desktop and it'd be back to normal until next boot. But now that same web page is locked as her desktop. Won't allow me to change it, and it's really slow. So before coming here I removed all programs on the computer to free up some space. I'm going to run a disk frag tonight. But after running the 8 steps you posted, the web page doesn't appear anymore. However it is still applied to be there, but rather than showing up it's just a white wallpaper. Still not able to change it. I can't post the link because I only have 2 posts, but it shows up as a jpg. However it's not a jpg, it is an actual web page with working links. So any help would be appreciated. Thank you for any help.
Attached Files
File Type: txt hijackthislog.txt (9.2 KB, 2 views)
File Type: txt mbam-log-2008-11-13 (21-21-50).txt (10.7 KB, 2 views)
File Type: txt superantilog.txt (3.0 KB, 2 views)
  #2  
Old 11-17-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
A belated welcome to TS.

First task - get rid of the pesky desktop.

MBAM & SAS have whacked down a lot of bad stuff.

Restart in safe mode, NO networking -

A normal desktop is expected {else skip to 'Try This'

Re-run MBAM (quick scan); Repeat until 0 infections or no further progress.
(Restart if log indicates reboot)

Re-run SAS.

Run HJT. Tick the following & Select Fix
Quote:
O24 - Desktop Component 0: (no name) - http://www.sciswa.org/images/card%20ball.jpg
O22 - SharedTaskScheduler: Windows Updater - {B29BE267-3A64-4F7E-8A57-75FB5E900509} - (no file)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr321.dll (file missing)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll (file missing)
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll (file missing)
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
Restart computer.

}Try This
:: here if pesky desktop is still displayed
Bring up Task Manager (ctrl-alt-del)

Select > File > new task > browse for HJT > run HJT & tick/Fix

If pesky desktop is always on-top, use keys alt-tab to select the HJT window.
It is not known if this can overcome that setting. Hold alt for each press of tab.

Restart computer - safe mode

Run MBAM & SAS & HJT

Post logs & relate progress.

Use normal mode anytime it appears the O24 condition has been suppressed.

Otherwise, try safe mode with networking.
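
The entries picked for fixing in the post above fall into a few recognisable groups. As an added example (not part of the original post and not HijackThis's own logic), this sketch sorts HijackThis-format lines into those groups; the sample reuses lines quoted in the thread plus one constructed clean O4 entry, and the three rules are assumptions drawn from what the helper flagged.

```python
import re
from collections import Counter

# Sample: lines quoted in the thread, plus one constructed clean entry (the last O4 line).
SAMPLE_LOG = r"""
O24 - Desktop Component 0: (no name) - http://www.sciswa.org/images/card%20ball.jpg
O22 - SharedTaskScheduler: Windows Updater - {B29BE267-3A64-4F7E-8A57-75FB5E900509} - (no file)
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
REMOTE = re.compile(r"https?://", re.IGNORECASE)


def triage(log_text):
    """Return (code, reason, body) for each entry that deserves manual review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, blank line or running-process listing
        code, body = m["code"], m["body"]
        if code == "O24" and REMOTE.search(body):
            # Active Desktop item whose source is a URL: the "web page as wallpaper" symptom
            findings.append((code, "desktop component loads remote content", body))
        elif code == "O6":
            findings.append((code, "policy restriction present", body))
        elif MISSING.search(body):
            # Leftover registration whose target file is already gone
            findings.append((code, "registry entry references a missing file", body))
    return findings


def summary(findings):
    """Count findings per reason."""
    return Counter(reason for _, reason, _ in findings)


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}: {body}")
```

A flagged line is a prompt for review, not proof of infection: legitimate software also leaves orphaned entries behind after an uninstall.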
  #3  
Old 11-18-2008
TechSpot Member
 
Member since: Nov 2008, 53 posts
Seems to be running a lot better after this whole 8 step process. In safe mode the background appeared black so I skipped to try this. Rebooted in safe and still was black but in the display settings I was now allowed to actually customize my settings compared to before they were locked, however it doesn't actually change anything. Booted back into normal to check it out in normal and to post the logs. Desktop still that white it changed to after completing the 8 steps, same as in safe though, I can change the settings but it alters nothing. Here are the logs. Thank you.
Attached Files
File Type: txt mbam-log-2008-11-17 (22-23-09).txt (834 Bytes, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 11-17-2008 - 22-57-25.log (1.3 KB, 4 views)
File Type: txt hijackthis2008-11-17.txt (6.7 KB, 2 views)
  #4  
Old 11-18-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
Curses. Make that double curses.

I wish I could put a name on this infection. I think this is an after effect.
I wish the policies here didn't restrict file types.

Missed this last time - BUT Wait! Desktop issue; not browser issue
Quote:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
I expected the subsequent MBAM scan would have reported this
Quote:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
My recall abilities are somewhat limited.
Resorted to gurgle 'antivirus 2008 desktop'
Quote:
YouTube offers several video choices for 'regedit' method
[edit] Submitters for the 2 clips viewed: cutiek8i; x3jonGx3; [/edit]
gpedit.msc method

I leave it to you to find a text version for 'regedit' method.
HJT > advanced menu > can bring back R1 changes similar to R1 quoted above. User choice.

Please post back to report your progress. When you share your success we all benefit.

Last edited by rf6647; 11-18-2008 at 07:00 AM.. Reason: name video clips
  #5  
Old 11-18-2008
TechSpot Member
 
Member since: Nov 2008, 53 posts
Alright so, no luck. Are you sure it's from that program? I actually have that on my laptop and have recently noticed it was bad news. So thanks for it in that case helps a lot, very easy fix. But however I did cutie's version of regedit and it accomplished nothing. Unless I have to reboot, it never said to reboot so I didn't. Now I didn't try the other version because the tab is there. After the first set of HJT fixes along with the deletions from the scans in the 8 steps I'm pretty sure you got the background. However it left something behind that allows me not to change anything. I'm going to upload a video to YouTube to show you what I got. Since the fixes I still can't click in the box full of desktop choices, but now I can at least change the color. Only other thing it allows me to do is click customize desktop. I just uploaded a short video just showing what's going on. It's probably just something short and easy.
  #6  
Old 11-18-2008
TechSpot Member
 
Member since: Nov 2008, 53 posts
YouTube video of locked desktop settings: http://www.youtube.com/watch?v=wikU3YtezHc
Sorry for double post, I meant to attach a text file seeing I wasn't allowed to post links yet, but for some reason it didn't attach. Here you go.
  #7  
Old 11-19-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
Amazing - how did you do that? I forget how to check the properties on the posted image.

Now for the problem - are you willing to experiment?

I vetted the company which led me back to cnet. That's good enough for me.

Software Title (free version) : RRT (Remove Restrictions Tool) - sergiwa.com

LINK REMOVED
LINK REMOVED
Screen shots using the software ....@ raymond.cc

LINK REMOVED - see modified link below. Retain this link showing desired path.
From the list -
39 – No Display >> So the user cannot access the Display control Panel to change the display settings

LINK REMOVED -
The hyperlink to obtain a feature list is "rrt" between the quoted text and the prominent graphic for 'CaSIR' application. Graphic is higher on the page.
Quote:
By using our free programs above, you probably have got rid of some common infectors like:
I think that this might work & correct the problem.

Please advise.

Last edited by rf6647; 11-21-2008 at 06:28 PM.. Reason: URL behavior; program update link bypasses cnet
  #8  
Old 11-20-2008
TechSpot Member
 
Member since: Nov 2008, 53 posts
What are you telling me to do? Are you saying RRT did it or to use RRT? Or are you saying to use CaSir? Not really sure what you're asking me to do. Not really sure what to do with RRT, at first I thought you meant use it, but then it seems like you think that is what was used to do this or something of that sort. Sorry about this.
  #9  
Old 11-20-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
I recommend that you obtain & use the software referred to as "RRT". Its description seems to indicate that it will restore the missing tabs for controlling the desktop display.

The hyperlink to D/L the software points to cnet (download dot com).

The redundant D/L gives a different entry point at cnet. You must navigate from there.

The publisher is in Libya. I finally found a copy of this product @cnet.

Cnet tests products they D/L. It is free of malware.

I was trying to describe landmarks on the page to find the tiny "rrt" link to the freeware descriptions. It would be easy to spot the large graphic for CaSIR - which is not free.

The freeware is available there, BUT that copy is not certified by cnet.

The first link to the feature list seems to function differently on a repeat visit. The alternate link forces you to navigate the site to get to the feature list.

Screen Shots of the application's menus can be found at the site owned by Raymond.cc

I cannot vouch that the software will correct your problem. I have not used it. Hence I call it an experiment. It took about 3 hours doing gurgle to find Raymond.cc & find a trustworthy cite.

In other posts I admit to laziness when it comes to typing these messages. I take shortcuts when I can.
  #10  
Old 11-20-2008
TechSpot Member
 
Member since: Nov 2008, 53 posts
Alright well I'm still not sure how to use this program. The only check boxes I can check are: Hidden Files/Folders, Hidden File Extensions, Firewall SharedAccess. I don't want to check that and click remove all, that doesn't really seem like what you want me to do. But that is the only thing I see available to me.
  #11  
Old 11-21-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
This is the preferred tool recommended @TS for general cleaning of registry hacks caused by malware.
Download RatsCheddar
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, Double click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer.

^^^^^^^^^^^^^
Bummer! I practiced on my computer.

All that was offered to me was "fire wall shared access"

I accepted changes. I never expected any findings.

However, there is no ability to view the Vault to obtain information about the change.

The screen shot depicts version 2 and indicates the freeware fixes limited to
Remove Restrictions Tool is able to re-enable:
- Registry Tools (regedit) - Ctrl+Alt+Del - Folder Options - Show Hidden Files

Version 4 is the current D/L. The stated restrictions mentioned the Vault Viewer & Realtime Monitoring. Who knows what other limitations?

Assuming no such limitation then this leads to the conclusion we need to look elsewhere.

ComboFix produces a log that looks at pieces of the registry. It is worth trying. Actually, the tool does a lot of cleaning & produces the log. The remaining challenge is to look past all the "pepper" in the log.
Instruction provided by Blind Dragon

[extra]
The referenced MSKB article gives permission to delete any occurrence of "NoDispAppearancePage". MSKB See Here . It gives a rationale for going beyond what was covered in the video clips. Your clip showed all tabs present. One of the cited clips showed the restoration of the tabs. There is a boat-load more of those video clips. There may be gold in there somewhere.

Last edited by rf6647; 11-22-2008 at 01:50 PM.. Reason: ratscheddar; extra mskb article
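
The last post points at "NoDispAppearancePage" as a policy value that malware leaves behind. As an added example (not from the thread or any tool it mentions), this sketch reads the text of a registry export and lists display-related policy values that are switched on, so they can be reviewed before anything is deleted. Only NoDispAppearancePage comes from the thread; the other value names are the related Windows display policies, included as an assumption about what to check, and the export text is constructed.

```python
import re

# Constructed sample in .reg export format (not taken from the thread's logs).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000001
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"WallpaperStyle"="2"
"""

# Only NoDispAppearancePage is named in the thread; the rest are assumed
# to be worth checking alongside it (standard Windows display policies).
DISPLAY_POLICIES = {
    "NoDispCPL": "Display control panel disabled",
    "NoDispBackgroundPage": "Desktop/Background tab hidden",
    "NoDispAppearancePage": "Appearance tab hidden",
    "NoDispScrSavPage": "Screen Saver tab hidden",
    "NoDispSettingsPage": "Settings tab hidden",
    "NoChangingWallPaper": "Wallpaper selection locked",
}
# Registry value names are case-insensitive, so match on lowercase.
LOOKUP = {name.lower(): (name, text) for name, text in DISPLAY_POLICIES.items()}

KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def active_restrictions(reg_text):
    """Return (key, value name, meaning) for display policies set to non-zero."""
    findings, key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if (m := KEY.match(line)):
            key = m["key"]  # remember which key the following values belong to
        elif (m := DWORD.match(line)) and "\\policies\\" in key.lower():
            hit = LOOKUP.get(m["name"].lower())
            if hit and int(m["hex"], 16) != 0:
                findings.append((key, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for key, name, meaning in active_restrictions(SAMPLE_REG):
        print(f"{name}: {meaning}\n    under {key}")
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file with `encoding="utf-16"` before passing its text to `active_restrictions`.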