At startup error messages stop loading desktop

October 10, 2011 6:08:08 PM

Hello,
My computer was infected by the Kazy malware/virus, which was removed by the Radialpoint security system and then a few files by Malwarebytes' Anti-Malware. But a new problem arises when I start up Windows: the desktop doesn't load and tons of error messages pop up, all related to c:\dococument and setting\all users \application data \...........exe not found, or c:\local service \........ exe, or c:\win\xpsp2\system32\........exe, etc. I keep clicking OK and a new name arises. All those names are fake.

When I start Task Manager by pressing Ctrl+Alt+Delete and terminate explorer.exe, it stops; then, after starting explorer.exe again, the desktop appears and the computer works like normal. I have checked tasklist and tried to terminate the explorer.exe process with the taskkill command. It says explorer.exe (pid 1800) is a child of pid 1780. When I try to terminate pid 1780, it's not found. I have tried all known procedures to find pid 1780 but it's hidden. (I once logged in with "show hidden files" checked.) But nothing worked. I tried safe mode, safe mode with networking, etc., but got the same issue: error messages pop up, and when explorer.exe is terminated through Task Manager and started again, it works fine.

Also, I may add that explorer.exe is set to high priority while it is showing the error messages, but after terminating it and starting it again, it shows normal priority. That makes me think that it may be manipulated or compromised. I run the Radialpoint security services real-time antivirus supplied by my IP provider and also the Malwarebytes Anti-Malware software, but they didn't find any more threats. Is this issue going to grow into a more serious issue, or if I don't fix it, would it not cause any problems other than that I have to keep removing and bringing back explorer.exe all the time?
October 10, 2011 10:07:49 PM

To be blunt; Restore your OS.
October 11, 2011 7:25:40 AM

Thanks for the suggestion. But the restore is not possible as the Recovery Console wasn't installed. Here is a report by ComboFix:
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-11 00:15:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

ComboFix said the rootkit is infected.
Now what should I do?
Thanks
October 11, 2011 8:20:39 AM

What AV do you use? Go to their support forum & report your findings.

Since you used Malwarebytes also, their forums have excellent removal support: http://forums.malwarebytes.org/
Register and start a post in the removal forum and post your findings.
October 11, 2011 8:52:53 AM

Try sfc /scannow in cmd.

I seriously doubt it will do much.

Looks like a lot of damage there.

I will just retrieve all of the user files and reinstall Windows.
October 11, 2011 8:55:25 AM

Already suggested that - Glad you agree - Too much damage already.
October 11, 2011 9:02:11 AM

I know. It is hard to persuade people to reinstall the OS. Usually it takes two people or more for the persuasion to work.
October 11, 2011 4:05:30 PM

Thanks for the suggestion. I personally don't have a problem with reinstalling the OS, which I was really thinking of doing before getting on this forum, but my major issue is that I don't have reinstallation CDs (activation keys) for much of my other software. It's a real headache/pain. I have tons of software that I don't want to lose, hence all this attempt to salvage. I agree with both of you that it's better to reinstall, but I still want to give it a try to save the present installation. I will go to other forums as suggested by Ksiemb and see if it helps. Should I also get cdcleaner and run it? Luckily, the computer still works normally after the initial startup ritual of removing explorer.exe and starting it again. I have already started moving all favorite files to an external HD so that, in any case, I don't lose everything. (The moderator of this site has an article on how to remove malware, and I got ComboFix by reading it. It has a link for the cdcleaner software too.) Thanks again for reading my problem and for the help.

If AV is audio video, I have Zoom Player and vech web player beta, other than the usual Windows Media Player, RealPlayer, etc. Then I also have VLC player, which I hardly use. I think the trojan came through YouTube, because it suddenly started showing up when I clicked the link for YouTube from my email. But it doesn't matter much now, as the damage is already done and I have to salvage what I can.

Another question I have: if I don't get to fix it or don't reinstall the OS, is it risky to be on the net, as hackers can get to know where I go, etc.? Or does the startup issue have nothing to do with the trojan now? I am getting paranoid here now.
October 11, 2011 7:23:29 PM

My reference to AV pertained to Anti Virus, not Audio Video. You do have one, I assume. Ccleaner can't hurt, hell, you have been pretty well trashed already; it will get rid of junk files, and who knows, there may be something left over in your internet cache. And therein lies the problem: one never knows what remnants of an infection are not removed, ergo the reinstall is always the best solution. You may still be at risk, and I really suggest posting on the Malwarebytes forum, where a knowledgeable tech will have you run various scans like gmer, combofix, etc., to see if they catch anything that is left over. And get some disk imaging software ASAP and use it regularly since you have no way to re-install!
October 11, 2011 11:10:32 PM

Thanks a million for your help. The problem is resolved. I have downloaded Autoruns and deleted all file not found entries. After reboot the computer started without any problem. No more error messages, and the desktop loaded normally. Apparently the malware that had infected the system had the following entry:
cd6997 e g c:\win\xpsp2\3919014349:848717846.exe
The Autoruns program was advised by a Bleeping Computer moderator. Thanks for your advice to go on their forum for advice.
God bless
Regards
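
The check that resolved this thread, sketched in Python as an added example that is not part of any post above: it flags startup entries whose target file is missing or whose path uses NTFS `file:stream` (alternate data stream) syntax, as the path quoted in the last post does. The entry names, the registry location and the set of existing files are constructed for illustration; only that one path comes from the thread.

```python
import ntpath
import os
import re

RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample entries (location, name, command line). Only the last
# path comes from the post above; its entry name here is a placeholder.
SAMPLE_ENTRIES = [
    (RUN, "SecurityClient", r'"C:\Program Files\AV\client.exe" /tray'),
    (RUN, "updater", r"C:\Documents and Settings\All Users\Application Data\qx71.exe"),
    (RUN, "entry-from-post", r"c:\win\xpsp2\3919014349:848717846.exe"),
]
# Constructed stand-in for the disk: the only image that still exists.
PRESENT = {r"c:\program files\av\client.exe"}

EXT = re.compile(r"(.+?\.(?:exe|dll|com|bat|cmd|scr))(?:\s|$)", re.IGNORECASE)

def image_path(command):
    """Extract the executable path from a startup command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces: cut at the first executable extension.
    m = EXT.match(command)
    return m.group(1) if m else command

def has_stream(path):
    """True if the path names an NTFS alternate data stream (file:stream)."""
    _drive, rest = ntpath.splitdrive(path)      # drop the drive-letter colon
    return ":" in rest

def triage(entries, exists=os.path.exists):
    """Return (name, path, reasons) for every entry worth a manual look."""
    findings = []
    for _location, name, command in entries:
        path = image_path(command)
        reasons = []
        if has_stream(path):
            reasons.append("alternate data stream path")
        if not exists(path):
            reasons.append("file not found")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_ENTRIES, lambda p: p.lower() in PRESENT):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```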