
No icons, taskbar, start menu


15 replies to this topic

#1 possumbarnes
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 02 November 2009 - 04:51 PM

Please help because this is driving me nuts!!

Client brought me their PC. Boot it up and I get just the desktop wallpaper. Nothing else shows. No icons, task bar, or start menu. When I first started, CTRL-ALT-DEL wouldn't give me the task manager either. Using a very roundabout way, by going through safe mode with cmd prompt, I was able to run ComboFix and Malwarebytes Anti-malware and clean a lot of spyware off of it. After that, I can now access the task manager and run most any program. I've used the task manager to install and run other spyware and virus killers and am pretty sure that the computer is clean now. However, I can't get the desktop to work at all.

Using task manager, I can use regedit, msconfig, and others like that, but I cannot run CONTROL.EXE or EXPLORER.EXE. When I type either of those two commands into the New Task field, I get the following error:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

The one thing that I've noticed that may or may not be relevant: The windows files are installed under C:\WINNT, not under C:\WINDOWS.
C:\WINDOWS doesn't exist, but C:\windows (all lowercase letters) does exist and it has a single file in it. C:\windows\temp\GLF27.exe is the only folder and file I can find in that directory. As I said, this may or may not be relevant info.

I've tried various things: used a "Restore desktop icons and task bar" script from Kellys-corner-xp.com; checked various registry entries per Google searches; ran a program I found called "Re-enable properties" that is supposed to fix a no icons issue. Nothing has made a dent in this problem.

Anybody have any other ideas? I really don't want to reinstall Windows if I don't have to.

OS: Windows XP Home (no idea what SP though because I don't know how to get that info without going into My Computer properties).

Edited by possumbarnes, 02 November 2009 - 04:53 PM.



#2 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 02 November 2009 - 05:16 PM

Sounds like another rootkit infection
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 possumbarnes
  • Topic Starter
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 02 November 2009 - 06:01 PM

I think a rootkit may have caused this, but I think I've gotten rid of it. (I hope so anyway). MBAM and SAS scan completely clean, and ComboFix doesn't seem to find anything either. I think I'm left with the residual registry junk from that rootkit. Any ideas on how to get the desktop back?
What's more irrational--a guy who believes in a God he cannot see or a guy who is offended by a God he doesn't believe in?

#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,176 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 November 2009 - 06:12 PM

Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 possumbarnes
  • Topic Starter
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 02 November 2009 - 07:52 PM

sfc /scannow ran but didn't fix the problem. I hadn't tried that one yet so thanks. Any other ideas?

#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,176 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 November 2009 - 02:59 PM

This is the only other thing I can think of...
Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #195 and on the right side.
Click on "Restore Desktop Icons and Taskbar".
Run the application and reboot.

#7 joseibarra
  • Members
  • 1,180 posts
  • Gender:Male
  • Location:Downstairs

Posted 03 November 2009 - 04:19 PM

If Kelly's doesn't do it, please answer the following:

If Explorer will not run, how are you maneuvering around to determine that files/folders do/don't exist? How are you running the commands that do work?

When you get into Task Manager, try to Run these two separate commands (copy/paste them exactly):

Rundll32.exe shell32.dll,Control_RunDLL

Does Control Panel Open?

Rundll32.exe shell32.dll,Control_RunDLL desk.cpl

Does Display Properties open?

You did run sfc /scannow from start to finish and it did not ask any questions? Unfortunately, if it does find something to do and does it, there will not be a message on the screen, but it will be in the Event Log.

From Task Manager, Run this command to open the Event Viewer:

%SystemRoot%\system32\eventvwr.msc /s

If that doesn't work, just try entering:

eventvwr.msc

Look in the System log for any Events where the Source column says Windows File Protection. Are there any events from the date/time you ran sfc /scannow?

Edited by joseibarra, 03 November 2009 - 04:29 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#8 possumbarnes
  • Topic Starter
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 03 November 2009 - 07:08 PM

Boopme, I've already tried Kelly's #195. It didn't work.

Joseibarra, with the exception of "explorer.exe" and "control.exe", I can use the NEW TASK Browse button to browse to any program I want to run in order to start a new task. But, when I try to start explorer or control panel that way, I get that error mentioned above.
The first command did not open the Control Panel. It just gave me the error mentioned above.
The second command opened the Display Properties window. I didn't see anything out of the ordinary in the display properties window though.
The third command opened Event Viewer. There were 2 Windows File Protection entries at about that time: The first one was Windows File Protection file scan was started. The second was about 15 minutes later stating WFP file scan completed successfully.

Thanks for the help. I'm starting to think a full recovery is going to be needed to fix this though. What else can I try?

#9 AustrAlien
    Inquisitor
  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 03 November 2009 - 07:18 PM

What else can I try?

Have a look at the approach used in the following link, to get explorer.exe (copied/pasted and re-named as aaa.exe) to run.
http://forums.majorgeeks.com/showpost.php?...mp;postcount=64

BTW GLF27.exe is probably not something you would be wanting to leave on the system >>> malware ?

I am strongly inclined to think that you are likely to still have an active rootkit infection and suggest you investigate that thoroughly if you are intent on retaining this Windows installation and don't want to wipe the hard drive to clean-install Windows.
AustrAlien
Google is my friend. Make Google your friend too.


#10 joseibarra
  • Members
  • 1,180 posts
  • Gender:Male
  • Location:Downstairs

Posted 04 November 2009 - 08:41 AM

This whole WINNT thing indicates this may have once been a Windows 2000 system, so all my stuff is c:\windows and you will have to adjust accordingly. I forgot about that browsing thing :thumbsup:

From TM, Run notepad.exe and see if notepad opens. Close it.

Let's verify Windows File Protection is functioning by deleting some boring protected file:

Browse to your WINNT folder and (hopefully) locate the notepad.exe you just ran. Delete it. If WFP is okay, in a few seconds, notepad.exe should silently be replaced and there will be an event in the system log stating such and then running notepad.exe again should work okay again - even though you just deleted it. That means WFP is working. The event will be something like:

Description:
File replacement was attempted on the protected system file c:\windows\notepad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.


From your browsing, make a copy of explorer.exe and call it myexplorer.exe (or whatever you want with a .exe extension). Then run the copy of explorer.exe that has a different name. In TM, Run myexplorer.exe and see if the My Documents folder opens.

You won't get all your desktop stuff, but you will know if a copy of explorer.exe with a different name runs which means the malware doesn't like explorer.exe to be a running process, but doesn't know/care about myexplorer.exe, so your explorer.exe may be afflicted and needs replacing.

If all looks good, using TM, browse to and delete explorer.exe and WFP will replace it (we know WFP works if notepad.exe was replaced); look for the event in the event log like:

Description:
File replacement was attempted on the protected system file c:\windows\explorer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.

Then see if the explorer.exe replacement will run or if you get the same error.

Are you able to run your Internet browser from TM? Run iexplore.exe and see if IE opens and connects to the Internet. If yes, we can download some malicious software removal tools such as:

Download, install, update and do a full scan with these free malware detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

You would have to download them and then browse to the executables with TM, etc. but if you can get them to run, that would be good.

Edited by joseibarra, 04 November 2009 - 08:57 AM.



#11 possumbarnes
  • Topic Starter
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 04 November 2009 - 09:22 AM

Everything being in a WINNT folder has got me messed up too, but I think this computer has always been XP simply because the MS sticker with the key code on it is for XP Home. Of course, it could have been recovered with Win2000 at some point in the past and upgraded with XP. I don't know.

WFP is working. It replaced notepad.exe just as you described, however, when I try to copy or simply delete explorer.exe, I get an "Access is denied" pop up. I can't copy it or delete it.

As stated, I can use the TM browser to run any program except explorer.exe and control.exe. I can get online and download whatever I want. I had to boot into safe mode command prompt and run ComboFix from a flash drive. After that, I was able to get the Task Manager open. Once I had TM available, I scanned with MBAM and then SAS in safe mode. Both ran clean after full scans. I'll run them again just to make sure we're still clean.

I'm burning an Ubuntu 9.04 CD right now to try to copy and rename explorer.exe per the MajorGeeks link suggested a few posts ago.

Also, I'm going to download one of the alternatives to Windows Explorer just to make it easier to navigate. Also, do you think the program "Unlocker" will help me to unlock explorer.exe so it can be deleted?

#12 possumbarnes
  • Topic Starter
  • Members
  • 333 posts
  • Gender:Male
  • Location:Tennessee, USA

Posted 04 November 2009 - 09:56 AM

I ran a RootRepeal scan per instructions I found in the AII forum. Here is the log if anyone can decipher it. Does it indicate a rootkit infection? MBAM is doing a quick scan now to verify it's clean. UPDATE: MBAM and SAS both completed a quick scan in the last half hour or so and both found nothing at all.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/04 08:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xEFF9E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9DE9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xEF6B4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\DellDriverDownloadManager.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Interop.IWshRuntimeLibrary.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Interop.IWshRuntimeLibrary.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\stdole.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\stdole.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Xceed.Compression.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Xceed.Compression.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\LGVQQNOH.NGM\0741HMEO.9GW\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\WINNT\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Status: Locked to the Windows API!

Path: C:\WINNT\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Status: Locked to the Windows API!

Path: C:\WINNT\SoftwareDistribution\Download\73a765a7ebf2e1b5a6655f2bb798b30f\backup\sp1qfe\asms\60\msft\windows\common\common
Status: Locked to the Windows API!

==EOF==

Edited by possumbarnes, 04 November 2009 - 10:25 AM.

What's more irrational--a guy who believes in a God he cannot see or a guy who is offended by a God he doesn't believe in?

#13 possumbarnes

possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • OFFLINE
  • Gender:Male
  • Location:Tennessee, USA
  • Local time:04:29 AM

Posted 04 November 2009 - 10:49 AM

> Have a look at the approach used in the following link, to get explorer.exe (copied/pasted and re-named as aaa.exe) to run.
> http://forums.majorgeeks.com/showpost.php?...mp;postcount=64
>
> BTW, GLF27.exe is probably not something you would be wanting to leave on the system >>> malware?
>
> I am strongly inclined to think that you are likely to still have an active rootkit infection and suggest you investigate that thoroughly if you are intent on retaining this Windows installation and don't want to wipe the hard drive to clean-install Windows.


Burned a new Ubuntu CD and booted on it. I was able to copy and rename explorer.exe to aaa.exe as suggested in the link. Rebooted and used TM to run aaa.exe. Explorer opened right up. Now, I'm starting to think there's still an active rootkit on here.

Anybody got any other ideas?

#14 joseibarra

joseibarra

  • Members
  • 1,180 posts
  • OFFLINE
  • Gender:Male
  • Location:Downstairs
  • Local time:04:29 AM

Posted 04 November 2009 - 11:20 AM

That is progress (I hope).

I found that if explorer.exe is running (I assumed it was not), then you will not be able to delete it and would have to use TM to end the explorer.exe process, then delete it. WFP will replace it if you are running Windows. It sounds like you accomplished some of that with your Ubuntu CD, but you need explorer.exe running somehow (if possible).

For my system with XP installed in c:\windows, when WFP replaces a missing protected file (like explorer.exe or notepad.exe) it looks in:

c:\windows\system32\dllcache

for the replacement files to copy and copies it. This is how it works.

If you can navigate there somehow and kill/delete the "real" explorer.exe and copy in the one from dllcache - either by booting XP again, killing the explorer.exe process, then deleting it and letting WFP replace it (like it did with notepad.exe) etc. or from Ubuntu... The idea is to totally replace the explorer.exe that is now suspicious with another copy.

There are usually other copies of explorer.exe besides the one in c:\windows. On my system copies are in:

c:\windows\system32\dllcache (in here for sure)
c:\windows\servicepackfiles\i386
c:\windows\$ntservicepackuninstall$

Yes - you still have some problem, but maybe you can be moved into the Am I Infected forum by some nice BC moderator.

Since you can get on the Internet, you can download whatever they think is best.

I will not be able to help you with any Ubuntu commands.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#15 possumbarnes

possumbarnes
  • Topic Starter

  • Members
  • 333 posts
  • OFFLINE
  • Gender:Male
  • Location:Tennessee, USA
  • Local time:04:29 AM

Posted 04 November 2009 - 02:53 PM

BINGO!! That did it. I booted on the Ubuntu 9.04 CD, went to the WINNT folder and deleted "explorer.exe". Then, I went to the WINNT\dllcache folder and copied that "explorer.exe" file over to the WINNT folder. Rebooted and the desktop is back to normal now. Explorer.exe must have been corrupted by the rootkit.

Thanks for the valuable help, Jose. This problem is resolved.
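The replacement procedure worked out in the two posts above (compare the live explorer.exe against the copies WFP keeps, set the suspect one aside, copy the dllcache one in), written out as an added example for a Linux live CD such as the Ubuntu disc used here. This is not code from the thread or from any of its posters. It assumes the NTFS volume is already mounted read/write and that the Windows directory (here C:\WINNT) is passed as the first argument; the alternative copy locations are the ones Jose lists (system32\dllcache, ServicePackFiles\i386, $NtServicePackUninstall$), so adjust them to where the copies actually are on the machine (possumbarnes found his under WINNT\dllcache). File name case matters on an ntfs-3g mount, which a Windows user would not expect. The hash report is there because identical hashes across all copies only prove the copies match, not that they are clean; if the dllcache copy was touched as well, the only safe reference is a known-good copy from another install of the same service pack.

```shell
#!/bin/bash
# Added example, not from the original thread. Replace a suspect Windows
# Protected File (explorer.exe in this case) with the copy WFP keeps in
# dllcache, working from a Linux live CD with the NTFS volume mounted.
#
# Assumed (not stated on the page): $1 is the mounted Windows directory,
# e.g. /media/disk/WINNT, and the backup copies live at the paths below.
# ntfs-3g lookups are case-sensitive, so match the on-disk name case.

# SHA-256 of a file, or "missing" if it is not there. Uses shasum where
# coreutils sha256sum is not installed.
file_hash() {
    if [ ! -f "$1" ]; then
        echo "missing"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the hash of every known copy of a protected file so a tampered
# live copy (or a tampered dllcache copy) stands out. A set of matching
# hashes is not proof of a clean file, only of identical copies.
report_copies() {
    local winroot="$1" name="$2" p
    for p in "$name" "system32/dllcache/$name" \
             "ServicePackFiles/i386/$name" '$NtServicePackUninstall$'"/$name"; do
        printf '%-45s %s\n' "$p" "$(file_hash "$winroot/$p")"
    done
}

# Byte-for-byte comparison of two files (exit 0 when identical).
copies_identical() {
    cmp -s "$1" "$2"
}

# Move the live copy aside (kept as evidence, never deleted) and copy the
# dllcache version into place. Exit status: 0 restored, 1 no dllcache copy
# to restore from, 2 the live copy already matches dllcache (nothing done).
restore_from_dllcache() {
    local winroot="$1" name="$2"
    local live="$winroot/$name" cache="$winroot/system32/dllcache/$name"
    if [ ! -f "$cache" ]; then
        echo "no dllcache copy of $name under $winroot" >&2
        return 1
    fi
    if [ -f "$live" ] && copies_identical "$live" "$cache"; then
        echo "$name already matches the dllcache copy"
        return 2
    fi
    if [ -f "$live" ]; then
        mv "$live" "$live.suspect.$(date +%Y%m%d%H%M%S)"
    fi
    cp -p "$cache" "$live"
    echo "restored $live from dllcache"
}

# Usage from the live CD, after mounting the volume:
#   ./restore-wfp.sh /media/disk/WINNT explorer.exe
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    report_copies "$1" "$2"
    restore_from_dllcache "$1" "$2"
fi
```

Run the report first and keep the `.suspect.<timestamp>` file: if the machine really does have a kernel-mode rootkit, that binary is what a later analysis will want to look at, and deleting it from the live CD throws that evidence away.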



