All .exe files damaged - no desktop


18 replies to this topic

#1 syncro

syncro

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:05 AM

Posted 02 November 2009 - 12:46 PM

Hi,

I had the Security Tool virus 2 days ago. All sorts of pop-ups came up. I thought it had been removed with mbam. But the next morning I switched on the laptop and all exe files were damaged. I tried to restart again and now there is no task bar, no icons and no desktop.

The only thing I can use is Ctrl+Alt+Del for Task Manager. I have rescued the data that I need except some very important emails. I need to access Outlook Express to get the emails back. I cannot access any hidden files.

I have been reading for over 1 day now and tried all suggestions.

I cannot load safety mode (F8). I cannot boot from disk on start up.

I can use mbam and it keeps finding about 11 issues. I remove them and restart but the problem persists.

I hope I can save the laptop.

Please help if you are able.

Many thanks

I am running Windows XP.

The errors given by mbam include:

Trojan.Cutwail
Trojan.Agent
Malware.Trace

Edited by syncro, 02 November 2009 - 12:49 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:05 AM

Posted 02 November 2009 - 12:56 PM

Hello and welcome. You may need to run this from a USB or by burning it to a CD, or by copying it into the Task Manager folder.
Run this, do not reboot, then rerun MBAM. Reboot after MBAM.

Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer; you will need to run the application again.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.


If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 syncro

syncro
  • Topic Starter


Posted 02 November 2009 - 01:21 PM

Thanks for your fast reply - much appreciated.

I did as you asked.

The black box came up.

I then ran mbam -



Malwarebytes' Anti-Malware 1.41
Database version: 3056
Windows 5.1.2600 Service Pack 3

03/11/2009 02:14:03
mbam-log-2009-11-03 (02-13-37).txt

Scan type: Quick Scan
Objects scanned: 101490
Time elapsed: 11 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\4F.tmp (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\4F.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\.\4F.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\48.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Thomas Crawford\Local Settings\Temporary Internet Files\Content.IE5\8DGBWRIE\lo[1].txt (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Thomas Crawford\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.
C:\Documents and Settings\Thomas Crawford\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Thomas Crawford\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.



This is the log before I removed all the files - the virus won't show the log after removing everything!

It brings up a screen saying access is denied.

Thanks again - please advise me further.

#4 boopme

Posted 02 November 2009 - 02:17 PM

Ok, we'll work thru it.
Next run ATF and SAS. If safe mode is prohibited, run in normal, but let me know.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.



Please ask any needed questions, post logs and let us know how the PC is running now.

#5 syncro

Posted 02 November 2009 - 02:49 PM

Thanks again,

I can't save anything to desktop as it doesn't exist at the moment.

Can I just save to c:// drive?

#6 syncro

Posted 02 November 2009 - 02:56 PM

Safe mode does not work at all. It just gives me the blue screen of death and then reboots?

#7 syncro

Posted 02 November 2009 - 03:26 PM

It will not allow me to open ATF Cleaner.

The message says: windows cannot access the specified device, path or folder. you may not have the appropriate permissions to access them.

This is the issue I have with programs. The virus will not allow them to be opened.

Hope you can help. Should I run the other programs as you suggested?

Thanks

#8 boopme

Posted 02 November 2009 - 03:35 PM

Rats!! Yes, run them if you can, even from normal for now.
safe mode with command prompt

Can you get in to safe mode with command prompt?
If you can, type C:\windows\system32\restore\rstrui.exe into the command prompt and press return. This should allow you to run system restore to an earlier date.


Two things to try to get a desktop. Also yes you can install them there if that works for you.

Open Task Manager (Ctrl + Alt + Del) and go to File >> New Task (Run...) >> type explorer.exe >> Enter


Then, do a search for your explorer.exe via your search function..

You may find the copy of explorer.exe via either of below locations..

C:\WINDOWS\ServicePackFiles\i386\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe

Just choose either one of them and copy/paste it to C:\WINDOWS folder..



Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.

Edited by boopme, 02 November 2009 - 03:36 PM.


#9 syncro

Posted 02 November 2009 - 06:43 PM

I ran SUPERAntiSpyware and it found 36 problems (trojans) - I quarantined them but the start up is still the same - no change. This happens when I remove viruses with mbam also. The virus seems to regenerate itself on startup. I can't access safe mode either.

The computer won't let me run explorer.exe.

mbam won't let me update (the virus won't allow it).

I can't use Notepad, so SUPERAntiSpyware will not open a log file?

As you can see - there are so many problems to get round?

#10 syncro

Posted 02 November 2009 - 06:48 PM

I found explorer.exe at C:\WINDOWS\ServicePackFiles\i386\explorer.exe

I can copy it but I'm not allowed to paste. I get the following message:

cannot copy explorer: access is denied

make sure that the disk is not full or write-protected and that the file is not currently in use

Any ideas? The desktop, taskbar and right click functions are still missing.

The only way I can access anything is via Task Manager.

Thanks for your help

#11 boopme

Posted 03 November 2009 - 02:39 PM

Hi, did SAS at least find and remove things other than cookies?
Reboot. Run RKill again, then rerun MBAM (MalwareBytes) like this (updating if you can):

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

#12 syncro

Posted 03 November 2009 - 04:18 PM

Yes, it removed numerous trojans,

but the start up is still the same - no desktop, no taskbar etc.

#13 syncro

Posted 03 November 2009 - 04:41 PM

Here is the mbam log - thankfully I was able to update before running the scan. A bit of good news:

Malwarebytes' Anti-Malware 1.41
Database version: 3095
Windows 5.1.2600 Service Pack 3

04/11/2009 05:39:27
mbam-log-2009-11-04 (05-38-54).txt

Scan type: Quick Scan
Objects scanned: 101754
Time elapsed: 11 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Thomas Crawford\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.
C:\Documents and Settings\Thomas Crawford\reader_s.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Thomas Crawford\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Thomas Crawford\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

I removed all the items and rebooted.

thanks
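
Added example (not part of the original thread): a small Python parser that compares the two MBAM 1.41 logs posted in #3 and #13 and lists which detections are still present in the second scan. The log excerpts are copied from those posts; the function names and the line-format regex are assumptions made for this illustration.

```python
import ntpath
import re

# One MBAM 1.41 result line: "<file or registry value> (<detection>) -> <action>."
# (format inferred from the logs in this thread; an assumption, not a vendor spec)
RESULT = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_detections(log_text):
    """Return {normalised item: detection name} for each result line."""
    found = {}
    for line in log_text.splitlines():
        m = RESULT.match(line.strip())
        if m is None:
            continue  # section headers, counters, "(No malicious items detected)"
        # ntpath works on any OS; normpath folds "system32\.\4F.tmp" into one entry
        found[ntpath.normpath(m.group("item")).lower()] = m.group("name")
    return found


def compare_scans(earlier, later):
    """Classify detections as persistent, cleared, or new between two scans."""
    a, b = parse_detections(earlier), parse_detections(later)
    return {
        "persistent": sorted(a.keys() & b.keys()),
        "cleared": sorted(a.keys() - b.keys()),
        "new": sorted(b.keys() - a.keys()),
    }


# Excerpt of the log in post #3
SCAN_1 = r"""
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> No action taken.
Files Infected:
C:\WINDOWS\system32\4F.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\.\4F.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.
"""

# Excerpt of the log in post #13, taken after the earlier removals and reboots
SCAN_2 = r"""
Files Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\restorer32_a.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Thomas Crawford\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""

if __name__ == "__main__":
    for kind, items in compare_scans(SCAN_1, SCAN_2).items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Entries listed under "persistent" were detected in both scans even though the found items were removed in between, which is the pattern described in post #9.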

#14 boopme

Posted 03 November 2009 - 05:07 PM

Try this on the desktop issue.
No Task Bar or Icons

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #195 and on the right side.
Click on "Restore Desktop Icons and Taskbar".
Run the application and reboot.

#15 syncro

Posted 03 November 2009 - 05:14 PM

Sorry, that virus(es) won't let the executable file run.

Pop-up window says "application not found".



