I have a question concerning ShowDeskFix?

Just a question, I'm studying about fighting malware right now, and I love to look around for fresh HJT logs to practice by myself. And today I came across these entries:
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

And I wonder, what is ShowDeskFix? I tried to Google around and checked many forums, and all I can find is that some experts advised the user to have HJT fix it, and some forums just ignore it. But there is no information about it whatsoever. I checked them with HijackThis and here is the result:

O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') Unknown application.

O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') Unknown application.

O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') Unknown application.

O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') Nasty (2.99 / 5.00)


Still confused, what is it? And should it be fixed by HJT or should it be left alone?

I can't find any source of that entry, either, but since this command silently (/s) unregisters (/u) vital Windows dll (shell32.dll), I'd definitely consider it as nasty.

Tough call without seeing some other virus scans. I like Broni's diagnosis. Looks bad. I did find this though.

Could it be some rogue desktop hijacker?

Quote

To restore the show desktop icon:

    run:
    regsvr32 /s /n /i:U shell32

http://www.msfn.org/board/lofiversion/index.php/t91884.html

Quote
To restore the show desktop icon:

    run:
    regsvr32 /s /n /i:U shell32

Interesting...
Since that command is set to run every time the computer starts, it may actually keep restoring desktop icons to some "bad" state, preferred by some malware.
...but, as you said:
Quote
Tough call without seeing some other virus scans.

Thank you for your answer. I just googled ShowDeskFix and came up with many problem-helper forums that include this entry in HJT. As for the original, I seem to have forgotten which and where I saw it first.
But what if I do not look at the word "[ShowDeskFix]" but look at the command line "RunOnce" instead, will it mean that it is safe to have HJT fix it? Sorry for asking too many questions.

I see you asked at BC also. Maybe they can shed some light on it.

Until then: Understanding and Interpreting HijackThis

I think it's perfectly fine to fix it through HJT.
Remember, HJT always creates a backup, but I don't think it'll be necessary to use it in this case.
I'm pretty sure I recall these entries in someone else's HJT log, and deleting them caused no harm.
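
As an added example (not code from any poster in this thread or from HijackThis), this Python script parses the four O4 lines quoted at the top of the thread and decodes the regsvr32 switches as regsvr32's own usage text defines them: /s is silent, /n skips DllRegisterServer, /i:<string> calls DllInstall with that string, and /u is a separate unregister switch. `SAMPLE_LOG`, `O4_RE`, `parse_o4` and `decode_regsvr32` are names made up for this illustration, and the regex covers only the per-user (HKUS) form of an O4 line seen here.

```python
import re

# Constructed sample: the four O4 lines quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
"""

# Assumption: only the HKUS form "HKUS\<hive>\..\<key>: [name] cmd (User '...')".
O4_RE = re.compile(r"^O4 - HKUS\\(?P<hive>[^\\]+)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+?) \(User '(?P<user>[^']+)'\)$")

def decode_regsvr32(cmd):
    """Map regsvr32 switches to the DLL entry points they select."""
    tokens = cmd.split()
    if not tokens or tokens[0].lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    flags = {"silent": False, "unregister": False, "skip_register": False,
             "dllinstall_arg": None, "targets": []}
    for tok in tokens[1:]:
        low = tok.lower()
        if low == "/s":
            flags["silent"] = True           # no message boxes
        elif low == "/u":
            flags["unregister"] = True       # DllUnregisterServer
        elif low == "/n":
            flags["skip_register"] = True    # do not call DllRegisterServer
        elif low == "/i" or low.startswith("/i:"):
            flags["dllinstall_arg"] = tok[3:]  # DllInstall, optional string
        else:
            flags["targets"].append(tok)     # the DLL(s) acted on
    return flags

def parse_o4(log):
    """Return one dict per HKUS O4 line, with the command decoded."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["regsvr32"] = decode_regsvr32(entry["cmd"])
            entries.append(entry)
    return entries

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(e["hive"], e["key"], e["name"], e["regsvr32"])
```
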