I have a question concerning ShowDeskFix

[atittaya23]

Just a question, I'm studying about fighting malware right now, I love to look around for frsh HJT log to practice by myself. And today i come across these entries
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

And I wonder what is ShowDeskFix? As I try to google around and check in many forums. and all I can find is, some experts adviced the user to have HJT fix it, and some forums just ignore it. But no information about it what so ever??? I check them with hijackthis and here is the result;

O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') Unknown application.

O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') Unknown application.

O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') Unknown application.

O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') Nasty (2.99 / 5.00)

Still, confuse, what is it? And should it be fixed by HJT or should it be left alone?

[Broni]

I can't find any source of that entry, either, but since this command silently (/s) unregisters (/u) vital Windows dll (shell32.dll), I'd definitely consider it as nasty.

[evilfantasy]

Tough call without seeing some other virus scans. I like Bronis diagnosis. Looks bad. I did find this though.

Could it be some rouge desktop hijacker?

To restore the show desktop icon:

    run:
    regsvr32 /s /n /i:U shell32

http://www.msfn.org/board/lofiversion/index.php/t91884.html

[Broni]

To restore the show desktop icon:

    run:
    regsvr32 /s /n /i:U shell32

Interesting...
Since that command is set to run every time, computer starts, it may actually keep restoring desktop icons to some "bad" state, preferred by some malware
...but, as you said:

Tough call without seeing some other virus scans.

[atittaya23]

Thank you for your answer. I just google ShowDeskFix, and come up with many problem helper forum that include this entry in HJT. As it original, I seem to forget which and where I saw it first   
But what if I will not look at the word "[ShowDeskFix]" but look at command line "RunOnce" instead, will it mean that it is safe to have HJT fix it? Sorry for asking too many questions? 

[evilfantasy]

I see you asked at BC also. Maybe they can shed some light on it.

Until then. Understanding and Interpreting HijackThis

[Broni]

I think, it's perfectly fine to fix it through HJT.
Remember, HJT always creates backup, but I don't think, it'll be necessary to use it in this case.
I'm pretty sure, I recall these entries in someone else HJT log, and deleting them caused no harm.