
Desktop Icons and Start menu gone

Hello All,

I'm new here and was wondering if someone could help me with an issue I'm having with my computer.

First off, I'm infected with a virus that has taken away my desktop icons and start menu. I've tried to run explorer.exe via the task manager and I get a message saying, "Windows cannot access the specified path, device, or file." I'm not sure what else to do.

Also, every time I try to run superantispyware, or spybot it stops in the middle and disappears.

If someone knows of any possible solutions, I would greatly appreciate it if you let me know.

Thanks!

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
If someone knows of any possible solutions, I would greatly appreciate it if you let me know.


Hi Kenney,

If you are able, please follow step 8 in the linky below to run MBA-M and have it Remove what it finds. If it runs, post the log.
http://www.daniweb.com/forums/thread134865.html

Should that fail:

Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

Best Luck :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hello PhilliePhan,

Thanks so much for your help on this. It's been driving me batty for a couple of days now. My log is posted below. Please let me know if there's anything else needed. I was unable to run MBA-M....it just shuts down in the middle of the scan.
Thanks,
Kenney

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
Thanks so much for your help on this. It's been driving me batty for a couple of days now. My log is posted below. Please let me know if there's anything else needed. I was unable to run MBA-M....it just shuts down in the middle of the scan.


Well . .. That's odd. You posted the contents of the batch file rather than the log. How did you manage that? All you need to do is DoubleClick on RunThis.bat.....

Try running it again. If using Vista, try RightClicking and Run as Administrator....

PP:)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi PP,

Every time I click on runthat.bat I get that batch sequence. I open the file via WinRAR and there are other applications in the folder, i.e. fixit.reg, pv.exe, and swxcacls.exe. But as I said, when I click on runthat.bat I get the aforementioned batch sequence. When I click on the other apps, a black screen pops up and then quickly disappears.
Thanks in advance for your help...

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
But as I said when I click on runthat.bat I get the aforementioned batch sequence. When I click on the other apps, a black screen pops up and then quickly disappears.
Thanks in advance for your help...


Happy to try to help :)

-- That is odd.
Can you get a command prompt?
Start > Run > cmd Enter
or
Start > Run > command.com Enter?

If you can get a command prompt and the FindWPP folder is on your Desktop as it should be, do this:
At the command prompt, copy&paste or type "%userprofile%\desktop\FindWPP\RunThis.bat" and hit enter.
See if it runs that way.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Ok, I was able to get a cmd prompt via the task manager. I copied the text and it says it scanned my computer. Hopefully this is a useful log. Please see below. Thanks!


Microsoft Windows XP [Version 5.1.2600]
Tue 09/29/2009
09:01 PM

FindWPP is running from C:\Documents and Settings\Administrator

RUNNING PROCESSES


EXE KEY MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


CHECKING SELECT POLICIES KEYS

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000000
"NoMovingBands"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


LOOKING FOR REPLACED FILES

Looking for cngaudit.dll

Looking for eventlog.dll

Looking for imm32.dll

Looking for logevent.dll

Looking for netlogon.dll

Looking for ntelogon.dll

Looking for qmgr.dll

Looking for rasauto.dll

Looking for scecli.dll

Looking for sceclt.dll

Looking for sfcfiles.dll

LOOKING FOR SUSPICIOUS FILES


SEARCH AND DESTROY KNOWN FILES

Looking for windows Police Pro.exe

No matches found.
Looking for dddesot.dll

No matches found.
Looking for wisdstr.exe

No matches found.
Looking for desote.exe

No matches found.
Looking for svchasts.exe

No matches found.
Looking for ppp4.dat

No matches found.
Looking for sysnet.dat

No matches found.
Looking for bincd32.dat

No matches found.
Looking for ppp3.dat

No matches found.
Looking for desot.exe

No matches found.
Looking for wispex.html

No matches found.
Looking for qcfbc.wbg

No matches found.
Looking for svchast.exe

No matches found.
Looking for dbsinit.exe

No matches found.
Looking for braviax.exe

No matches found.
Looking for bennuar.old

No matches found.
Looking for ~.exe

No matches found.



EXE KEY STILL MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


SUSPECT REG KEYS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"

CHECKING MBAM

C:\PROGRA~1\MALWAR~1\
mbam.exe Thu Sep 10 2009 2:53:56p A.... 1,312,080 1.25 M

1 item found: 1 file, 0 directories.
Total of file sizes: 1,312,080 bytes 1.25 M
*******************************************************************************
File: C:\Program Files\malwarebytes' anti-malware\mbam.exe

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
\Everyone
Allowed Full Control

No Auditing set

Owner: Administrator (GPC1121-134CA48\Administrator)

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
Ok, I was able to get a cmd prompt via the task manager. I copied the text and it says it scanned my computer. Hopefully this is a useful log. Please see below. Thanks!


Well . . . I don't think everything was extracted properly to the FindWPP folder. Either that, or it ran from the zip. Either way, it didn't run properly . . . But, no worries. I still see enough.


Let's try this:

Please Download Win32kDiag from a linky below and save it to your Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

It should run - let me know if it doesn't.
Be sure to let it run until is says "Finished" before posting the log!

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi PP,

It finished running. It should be attached to this message. Please let me know what you think...

Thanks.

Attachments Win32kDiag.txt (105.69KB)
Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
It finished running. It should be attached to this message. Please let me know what you think...


OK - Now we are getting somewhere. First, please move Win32kDiag.exe to the Desktop.


Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know how that works and we'll go to the next step.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi PP,

I get an error message when trying to post the above statement in Avenger. It says invalid script. Script must begin with a command directive.

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 

Hi PP,

I get an error message when trying to post the above statement in Avenger. It says invalid script. Script must begin with a command directive.


You have to copy ALL the text in red . .. Including the part that says "Files to move" or you'll get that error.

Be sure to do everything carefully and exactly as I have spelled it out. That includes putting the downloaded files where I specify, etc... Otherwise, we'll just get bogged down.
Feel free to ask any questions or let me know if I need to clarify anything - A forum setting is not the easiest for malware removal....


Try again and let me know. I'll be back on in an hour or so - need to head out for a bit.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi PP,

Yeah, I'm sorry about that. I can be an idiot sometimes.
A log didn't pop up for Avenger after the computer rebooted though. My desktop just appeared as usual...nothing else happened.

Anyway, can we get back on this tomorrow? I've got a long day tomorrow. Once again thanks for your help. You're doing an excellent job helping a not so technical guy. Let me know of any other suggestions and I'll get on them first chance I get tomorrow.

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
Anyway, can we get back on this tomorrow? I've got a long day tomorrow. Once again thanks for your help. You're doing an excellent job helping a not so technical guy. Let me know of any other suggestions and I'll get on them first chance I get tomorrow.


I am generally around in the evening (EST). We can pick this up then.
You should probably keep this computer offline as much as possible until we finish. This baddie comes in varying degrees of difficulty and I'd hate to see it call for reinforcements.

-- I do want to see the Avenger log. Try looking at C:\avenger.txt and see if it is there.

-- Also, run that second step with win32kdiag.exe
exactly as I wrote it and post that log.

What we are attempting to do is to get your machine to a point where we can run some tools and have them complete their runs.....

Be back Wednesday evening.
PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi PP,

I hope you're having a wonderful Wednesday.

Ok, first off, I can't find the avenger log anywhere. I ran it yesterday and it rebooted my computer but a log didn't pop up and currently I don't see it.
Secondly, I tried running your second instruction. Each time I attempt it I get a message saying it is not recognized as an internal or external command, operable program or batch file.
FYI, because I don't have a start menu, I'm running it from the task manager feature, and just inputting what you have in the designated area.
Thanks.

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
I hope you're having a wonderful Wednesday.


It's a dank and dreary Wednesday in my neck of the woods...

We really need to get this step done before we can try any removal tools, so let's do this:

Please Download a fresh copy of Win32kDiag from a linky below and save it to your C:\Drive. (C:\Win32kDiag.exe)
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Then, try the following command and post me the log:
"C:\win32kdiag.exe" -f -r

And we'll go from there.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi PP,

Please see the attached log. Please let me know what you think.

Thanks.

Attachments Win32kDiag.txt (111.58KB)
Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
Please see the attached log. Please let me know what you think.


Well. . . . Part of what we were trying to do got done. Let's go ahead and try this next step:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me. Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

If it runs, post me the log.

Cheers :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Ok, I let Combofix run and everything was ok until I came back to my computer to find it idle and the screen saver on. Well, it completed all 50 stages and deleted some files, etc, but then it said something failed and it logged me off. So, basically I have no log to report right now. It seemed like it was real close to being finished.
Should I run it again?

It took a long time...so I'll just try to run it again tomorrow if you say it's ok. Let me know! Thanks!

Kenney
Junior Poster in Training
61 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
It took a long time...so I'll just try to run it again tomorrow if you say it's ok. Let me know! Thanks!


Look for the log at C:\Combofix.txt and post it if it exists.
-- Try doing a search of the machine for Combofix / Combo-fix / Qoobox and let me know if anything shows up.

If you can't find any of those, go ahead and try to run Combofix again. Do it in Safe Mode this time and see if it saves a log...
To boot to Safe Mode, tap F8 on reboot to get the Safe Boot options. Do not use MSConfig to boot to safe mode!

Best Luck :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 
