Hello All,

I'm new here and was wondering if someone could help me with an issue I'm having with my computer.

First off, I'm infected with a virus that has taken away my desktop icons and start menu. I've tried to run explorer.exe via the task manager and I get a message saying, "Windows cannot access the specified path, device, or file." I'm not sure what else to do.

Also, every time I try to run superantispyware, or spybot it stops in the middle and disappears.

If someone knows of any possible solutions, I would greatly appreciate it if you let me know.

Thanks!

Hi Kenney,

If you are able, please follow step 8 in the linky below to run MBA-M and have it Remove what it finds. If it runs, post the log.
http://www.daniweb.com/forums/thread134865.html

Should that fail:
Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

Best Luck :)
PP

Hello PhilliePhan,

Thanks so much for your help on this. It's been driving me batty for a couple of days now. My log is posted below. Please let me know if there's anything else needed. I was unable to run MBA-M....it just shuts down in the middle of the scan.
Thanks,
Kenney

Well . .. That's odd. You posted the contents of the batch file rather than the log. How did you manage that? All you need to do is DoubleClick on RunThis.bat.....

Try running it again. If using Vista, try RightClicking and Run as Administrator....

PP:)

Hi PP,

Every time I click on runthat.bat I get that batch sequence. I open the file via winrar and there are other applications in the folder, i.e. fixit.reg, pv.exe, and swxcacls.exe. But as I said, when I click on runthat.bat I get the aforementioned batch sequence. When I click on the other apps, a black screen pops up and then quickly disappears.
Thanks in advance for your help...

Happy to try to help :)

-- That is odd.
Can you get a command prompt?
Start > Run > cmd Enter
or
Start > Run > command.com Enter?

If you can get a command prompt and the FindWPP folder is on your Desktop as it should be, do this:
At the command prompt, copy&paste or type "%userprofile%\desktop\FindWPP\RunThis.bat" and hit enter.
See if it runs that way.

PP :)

Ok, I was able to get a cmd prompt via the task manager. I copied the text and it says it scanned my computer. Hopefully this is a useful log. Please see below. Thanks!

Microsoft Windows XP [Version 5.1.2600]
Tue 09/29/2009 
09:01 PM

FindWPP is running from C:\Documents and Settings\Administrator                                     

        RUNNING PROCESSES                           


        EXE KEY MODIFIED?                           


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


        CHECKING SELECT POLICIES KEYS                       


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000000
"NoMovingBands"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


        LOOKING FOR REPLACED FILES                      

Looking for cngaudit.dll                                    

Looking for eventlog.dll                                    

Looking for imm32.dll                                   

Looking for logevent.dll                                    

Looking for netlogon.dll                                    

Looking for ntelogon.dll                                    

Looking for qmgr.dll                                    

Looking for rasauto.dll                                 

Looking for scecli.dll                                  

Looking for sceclt.dll                                  

Looking for sfcfiles.dll                                    

        LOOKING FOR SUSPICIOUS FILES                        


        SEARCH AND DESTROY KNOWN FILES                      

Looking for windows Police Pro.exe                              

No matches found.
Looking for dddesot.dll                                 

No matches found.
Looking for wisdstr.exe                                     

No matches found.
Looking for desote.exe                                  

No matches found.
Looking for svchasts.exe                                    

No matches found.
Looking for ppp4.dat                                    

No matches found.
Looking for sysnet.dat                                  

No matches found.
Looking for bincd32.dat                                 

No matches found.
Looking for ppp3.dat                                    

No matches found.
Looking for desot.exe                                   

No matches found.
Looking for wispex.html                                 

No matches found.
Looking for qcfbc.wbg                                   

No matches found.
Looking for svchast.exe                                 

No matches found.
Looking for dbsinit.exe                                 

No matches found.
Looking for braviax.exe                                 

No matches found.
Looking for bennuar.old                                 

No matches found.
Looking for ~.exe                                       

No matches found.



        EXE KEY STILL MODIFIED?                                         


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


        SUSPECT REG KEYS                                            

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"

        CHECKING MBAM                                               

C:\PROGRA~1\MALWAR~1\
   mbam.exe       Thu Sep 10 2009   2:53:56p  A....      1,312,080     1.25 M

1 item found:  1 file, 0 directories.
   Total of file sizes:  1,312,080 bytes      1.25 M
*******************************************************************************
File: C:\Program Files\malwarebytes' anti-malware\mbam.exe

                    Permissions:
*******************************************************************************
                  Username
Type     Permissions               Inheritance
*******************************************************************************
                  \Everyone
Allowed  Full Control              

No Auditing set

Owner: Administrator (GPC1121-134CA48\Administrator)
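As an added illustration (not part of the thread or of the FindWPP tool), here is a small Python parser for the registry sections of a log like the one above: it checks whether the exefile open command is the Windows XP default and flags the Root\LEGACY_ entries whose service is named only by a GUID, which is what the SUSPECT REG KEYS section lists. The sample log is constructed from entries posted above; the list of Explorer policy names treated as UI-hiding is my own assumption.

```python
"""Read a FindWPP-style registry excerpt and report what matters in it.

Added example, not part of the forum thread or the FindWPP tool.
"""
import re

# Default .exe association on Windows XP: run the file, pass its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'
# Explorer policies that are normally zero; non-zero hides parts of the UI.
# Assumption for this example; NoDriveTypeAutoRun is left out because a
# non-zero bitmask there (0x91 on XP) is normal.
UI_POLICIES = {"NoActiveDesktop", "NoSetTaskbar", "NoSaveSettings", "ClassicShell"}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

# Constructed sample, built from the entries in the posted log.
SAMPLE_LOG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
'''


def parse_reg_dump(text):
    """Return {key_path: {value_name: value}} from .reg-style lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)          # REG_DWORD, hex in the file
            else:                                  # REG_SZ: drop quotes, unescape
                value = raw.strip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def analyze(keys):
    """Return findings as (severity, message) tuples."""
    findings = []
    exe = keys.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {})
    cmd = exe.get("(Default)")
    if cmd is None:
        findings.append(("info", "exefile command key not present in log"))
    elif cmd != DEFAULT_EXE_COMMAND:
        findings.append(("high", f"exefile association is not the default: {cmd}"))
    else:
        findings.append(("ok", "exefile association is the default"))
    for path, values in keys.items():
        if path.endswith(r"\Policies\Explorer"):
            for name, value in values.items():
                if name in UI_POLICIES and value:
                    findings.append(("medium", f"{name}={value} set under {path}"))
        if r"\Enum\Root\LEGACY_" in path:
            svc = values.get("Service")
            if isinstance(svc, str) and GUID_RE.match(svc):
                findings.append(("medium", f"service named only by a GUID: {svc}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(parse_reg_dump(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```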

Well . . . I don't think everything was extracted properly to the FindWPP folder. Either that, or it ran from the zip. Either way, it didn't run properly . . . But, no worries. I still see enough.


Let's try this:

Please Download Win32kDiag from a linky below and save it to your Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

It should run - let me know if it doesn't.
Be sure to let it run until is says "Finished" before posting the log!

PP :)

Hi PP,

It finished running. It should be attached to this message. Please let me know what you think...

Thanks.

OK - Now we are getting somewhere.

First, please move Win32kDiag.exe to the Desktop.


Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know how that works and we'll go to the next step.

PP :)

Hi PP,

I get an error message when trying to post the above statement in Avenger. It says invalid script. Script must begin with a command directive.

You have to copy ALL the text in red . .. Including the part that says "Files to move" or you'll get that error.

Be sure to do everything carefully and exactly as I have spelled it out. That includes putting the downloaded files where I specify, etc... Otherwise, we'll just get bogged down.
Feel free to ask any questions or let me know if I need to clarify anything - A forum setting is not the easiest for malware removal....


Try again and let me know. I'll be back on in an hour or so - need to head out for a bit.

PP :)

Hi PP,

Yeah, I'm sorry about that. I can be an idiot sometimes.
A log didn't pop up for Avenger after the computer rebooted though. My desktop just appeared as usual...nothing else happened.

Anyway, can we get back on this tomorrow? I've got a long day tomorrow. Once again thanks for your help. You're doing an excellent job helping a not so technical guy. Let me know of any other suggestions and I'll get on them first chance I get tomorrow.

I am generally around in the evening (EST). We can pick this up then.
You should probably keep this computer offline as much as possible until we finish. This baddie comes in varying degrees of difficulty and I'd hate to see it call for reinforcements.

-- I do want to see the Avenger log. Try looking at C:\avenger.txt and see if it is there.

-- Also, run that second step with win32kdiag.exe
exactly as I wrote it and post that log.

What we are attempting to do is to get your machine to a point where we can run some tools and have them complete their runs.....

Be back Wednesday evening.
PP :)

Hi PP,

I hope you're having a wonderful Wednesday.

Ok, first off, I can't find the avenger log anywhere. I ran it yesterday and it rebooted my computer but a log didn't pop up and currently I don't see it.
Secondly I tried running your second instruction. Each time I attempt it I get a message saying it is not recognized as an internal or external command operable program or batch file.
FYI, because I don't have a start menu, I'm running it from the task manager feature, and just inputting what you have in the designated area.
Thanks.

It's a dank and dreary Wednesday in my neck of the woods...

We really need to get this step done before we can try any removal tools, so let's do this:

Please Download a fresh copy of Win32kDiag from a linky below and save it to your C:\Drive. (C:\Win32kDiag.exe)
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Then, try the following command and post me the log:
"C:\win32kdiag.exe" -f -r

And we'll go from there.

PP :)

Hi PP,

Please see the attached log. Please let me know what you think.

Thanks.

Well. . . . Part of what we were trying to do got done. Let's go ahead and try this next step:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me. Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

If it runs, post me the log.

Cheers :)
PP

Ok, I let combo fix run and everything was ok until I came back to my computer to find it idle and the screen saver on. Well, it completed all 50 stages and deleted some files, etc, but then it said something failed and it logged me off. So, basically I have no log to report right now. It seemed like it was real close to being finished.
Should I run it again?

It took a long time...so I'll just try to run it again tomorrow if you say it's ok. Let me know! Thanks!

Look for the log at C:\Combofix.txt and post it if it exists.
-- Try doing a search of the machine for Combofix / Combo-fix / Qoobox and let me know if anything shows up.

If you can't find any of those, go ahead and try to run Combofix again. Do it in Safe Mode this time and see if it saves a log...
To boot to Safe Mode, tap F8 on reboot to get the Safe Boot options. Do not use MSConfig to boot to safe mode!

Best Luck :)
PP

Happy Thursday PP,

Ok, I was able to run combo-fix in safe mode, and it actually produced a log...so thankful!

Anyway please see the attached log and let me know what you think...

K

Agreed! So Happy It's Thursday! ;) That's my favorite . . . Right up there with TGIF!

Anyhoo, that log looks great! A ton of nasty crap was removed.
We still have a bunch to do, though.....

Let's do this next:
Update your MBAM and run the Quick Scan in Normal Windows boot and have it remove what it finds and then post the log for me.

PP :)

Hi PP,

Ooops, I'm sorry, I did the full system scan. And as you can tell, it took a long time. Anyway, the logs are attached. Two logs popped up and I didn't know which would be the most useful. Please let me know what you think.

Thanks.

K.

Hi Kenney,

Looking better.... Let's do this and see if we can get all the logs to show clean:

First:
REBOOT and Update MBAM and run one more Quick Scan and have it remove what it finds.

Then:
DELETE your current copy of Combofix and Download a fresh one to the Desktop. You don't need to rename it this time.
Run it in Normal Windows Boot and post me that log along with MBAM log and we'll see if we can't wrap this up.....

Be sure to do the MBAM first and then follow up with Combofix.

I'll be able to check in briefly Friday evening EST.

Cheers :)
PP

Happy Friday PP,

I was able to run a scan in malwarebytes.

I also was able to run a scan in combofix too.

Please let me know what you think.

Kenney

Hi Kenney,

TGIF :)

That looks good, although you didn't have MBAM remove the baddies it found.
-- Run the Quick Scan again and REMOVE all that it finds and post the log for me. There is a backdoor trojan detected that I want to make sure gets removed.

Everything else looks OK - How are things running now?

I will say that you have altogether too many anti-malware apps on the machine now. We can thin those down a bit.

After you run MBAM and remove those last remnants, please do this:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


Then
, please run HijackThis in Normal windows boot and post the scanlog for me along with that last MBAM Log.

Also, you can DELETE these:
C:\Win32kDiag.exe
C:\PKBTEMP


Also - I would like to check these:

C:\windows\install.dat
C:\logevent.dll

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items and Submit them for analysis. Let me know what you find. If even one scanner reports malware, let me know.

Post those results along with the two logs I requested and we'll see what remains to be done.

Cheers :)
PP

Hello PP,

I hope your Saturday is going well.

Ok, my computer seems to be running a lot better now. However, I still don't have any desktop icons present. Currently when I log on my background is the only thing present. I'm still having to navigate via the task manager. I tried typing in explorer.exe in the run field however I continue to get the same error message, can't find specified path, etc.

I ran the quick scan in malwarebytes and nothing was found (please see attached log). I also scanned the items below via the website you posted and they found nothing.

I can't find hijackthis on my computer, so I wasn't able to run a scan from there.

Overall it seems as though the computer is mostly clean. I just hope we can get the desktop icons and start menu back so I can stop using the task manager for everything. But overall everything you have done has worked. You've saved me a great deal of heart ache and trouble.

If you have any other things you would like for me to check, please let me know.

Thanks.
K

Hi Kenney,

I am going to be here infrequently over the weekend - so don't worry that I deserted you or anything like that..... :)

I think we can fix the Desktop & explorer issue with a little registry hacking, but I'd like you to do a few things first, just to be thorough and make sure all the proper files are present and intact after your malware battle:

1) Please run System File Checker and let me know the results. Here is an excellent linky on how to do that:
http://www.updatexp.com/scannow-sfc.html

2) Navigate to C:\Windows\explorer.exe and RENAME it to explorer.old
Now try to run that via task manager and see if it works.

3) Download Kenney.bat
-- DoubleClick on it to run it and post me the log (peek.txt) that pops up.


Let me know the results of the above and I'll try to check back as time permits.

Cheers :)
PP

Hi PP,

It's Sunday, which for me means football day.

Nevertheless, I had time to follow your instructions this morning.

I've attached the log, peek.txt. Please let me know what you think.

I also tried to rename the explorer.exe but was unsuccessful. I get a message saying, "Cannot rename explorer: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." Please let me know if you have any further suggestions.

I also ran the system file checker, and it progressed right through with no problem. So I'm guessing nothing was found during the scan.

Anyway, I'll be checking back periodically as time permits today.

Please let me know what you think.

Thanks.
Kenney

Well..... I did not see what I was looking for.

Let's try this:
Post me a log from SilentRunners. Instructions in linky below:
http://www.silentrunners.org/sr_scriptuse.html

My gut feeling is that this is probably something simple and I am missing it.....

PP :)