
Access to Control Panel denied

Discussion in 'Virus & Other Malware Removal' started by Sharcy, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    This may need to go under the Windows XP subforum, but it seems to have started out with adware problems. I had been infected with one of the CoolWebSearch variants recently, which kept changing my about:blank homepage. I managed to get rid of that with CWShredder.
    Now, however, I can't access any of my Control Panel features. I've run HT and Spybot, but don't see anything suspicious left. I've gone through the Registry manually, but again, nothing that looks out of the ordinary.

    Searching the Web for this problem, I only came across similar problems from people running Win98; they were told to reinstall rundll32.exe from their cab-files. However, I'm using XP and that solution doesn't work.

    Does anyone have an idea how to solve this?
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Please download Ad-Aware from the link below first
    http://www.lavasoftusa.com/software/adaware/ and update it before scanning.
    In settings under 'scanning,' have it set to
    'scan within archives,'
    'scan active processes,'
    'scan registry,'
    'deepscan registry,'
    'scan my IE Favourites for banned URL's,'
    'scan my host's file.'
    In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
    Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister
    objects prior to deletion' & 'let Windows remove files in use at next reboot.'
    Select 'activate in-depth scan' before starting the scan.
    When the scan is finished select 'next.'
    Remove what it finds by placing a check in the box to the left of the object. Reboot.
    -----------------------------------------------------------------------------------------------

    Create a folder on your hard drive somewhere like in "My Documents" and name it HijackThis.
    Download HijackThis to its own folder: http://www3.ns.sympatico.ca/c.bennett03/moboswindowclinic1.html
    Double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists
    will be harmless or even essential; don't fix anything yet.
     
  3. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    Removed a couple of registry entries with AdAware, but as I suspected that didn't solve the Control Panel problem after reboot. Oh, this problem also causes the Synaptics software on my laptop not to work, which means I can't use my touchpad or additional keys. Here is my current HT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:41:23, on 28-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\PIMEX\Pimex.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Servant Salamander\salamand.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\PocoMail3\Poco.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVComS.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: Pimex Reminder.lnk = C:\Program Files\PIMEX\Pimex.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/156e899fa5b5f40d5016/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37966.5444328704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    This needs to go. It was part of your download accelerator, so if you wish to continue using it, reinstall it.

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)


    Your Synaptics software is loaded and running, so give a System Restore a try before going any further.
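
The log above is read by eye in this thread (the orphaned O3 toolbar entry is picked out by hand). The following is an added example, mine and not code from the thread or from HijackThis, that does the same first pass mechanically over a few lines copied from the posted log: it flags O2/O3 registrations whose file is missing, O4 Run values that do not name an absolute path (a bare filename is resolved through the search path, which is easy to hijack) or that contain a doubled backslash, and O16 ActiveX downloads from hosts outside a short allow-list. The allow-list and the rules are assumptions for illustration, not HijackThis's own logic, and the sample lines are a constructed subset of the log posted above.

```python
"""HijackThis log triage (added example; not code from the thread or from HijackThis)."""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted in the thread above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/156e899fa5b5f40d5016/netzip/RdxIE601.cab
"""

# Assumption for this example: hosts whose ActiveX downloads are not reported.
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com")

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Command starts with a drive letter or an %ENV% variable, optionally quoted.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[^%]+%\\)')


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Rn/Fn/On - ...' entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def host_trusted(url):
    """True when the URL's host is an allow-listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return (section, reason, entry) for entries worth a second look."""
    findings = []
    for sec, body in parse_entries(log_text):
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((sec, "orphaned registration, file is missing", body))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m is None:  # Startup-folder entries and others are not checked here
                continue
            cmd = m.group("cmd")
            if not ABS_PATH_RE.match(cmd):
                findings.append((sec, "Run value without an absolute path", body))
            elif "\\\\" in cmd:
                findings.append((sec, "Run value with a doubled backslash in the path", body))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if url.startswith("http") and not host_trusted(url):
                findings.append((sec, "ActiveX control downloaded from a host outside the allow-list", body))
    return findings


if __name__ == "__main__":
    for sec, reason, entry in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {entry}")
```

On the sample this reports the "(no file)" toolbar, the two O4 entries with an unusual path, and the RealNetworks download; everything a finding names still has to be judged by hand, as in the thread (the doubled-backslash NeroCheck entry, for instance, is a common installer quirk rather than evidence of anything).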
     
  5. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    I deleted that line, but still no luck with all of the Control Panel features or the Synaptics software (even though it is loaded, I know). I'm running out of options here. It's not a rights issue; I'm administrator, and the problem also occurs under a different user. Apart from Control Panel, I get the same error when running cmd.exe from the Windows\system32 directory... but when I move it up one level, it works fine.

    Anybody?! :(
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
  7. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    It found nothing that could be causing this. A couple of Sober-infected files were found in my mail attachment folder (I use PocoMail), but those have never been executed. The only thing that raised an eyebrow was this line:

    C:\Program Files\Common Files\Webroot Shared\Internet.dll - Backdoor:Win32/Ferat.1_0 -> Suspicious

    By the way, system restore doesn't work either. No matter which point I select, I get a "Restore incomplete" error when I try.

    However, I have found something interesting in the System Event Viewer.

    On June 19, this entry:
    File replacement was attempted on the protected system file c:\windows\system32\cmd.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

    Then, on June 25, this:
    File replacement was attempted on the protected system file c:\windows\system32\shell32.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2800.1233.

    Both dates correspond with the dates that I subsequently lost control over first cmd and then Control Panel, and CWShredder did find some nasties on those dates. Could it be that in restoring those files after they were attacked, Windows has inadvertently locked me out of them? They don't seem to be altered. And if so, how do I gain permission again?
     
  8. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Well, I could zip up a couple of those and email them; then you could replace yours with those if you wish.
    make sure the cmd.exe file is 367 KB
    and the shell32.dll file is 7.96 MB in size
     
  9. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    But if I try copying them, won't XP overrule that again? They are protected files after all, right?
     
  10. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Well, first things first: are they the correct size, like I asked previously?
    Even if you tried copying a new version, it couldn't be any worse than things are now.
     
  11. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    Agreed...
    Well, the file sizes are not the same as you gave. But cmd.exe is 375,808 bytes, and that's the same size as when I extract it from the XP CD that came with my laptop (SP1, according to the release notes). File version is 5.1.2600.0.
    Shell32.dll is 8,240,640 bytes, file version 6.0.2800.1233, but when I extract it from the CD it's 8,336,384 bytes for file version 6.0.2800.1106. Strange.
    The versions in system32\dllcache, of course, correspond to the ones in system32.
     
  12. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    Just tried copying the cmd.exe to dllcache first and then to system32, but I still get the access denied error. I have the feeling it's not in the files themselves. Could it be blocked somewhere else? A registry setting maybe?
     
  13. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Follow this via regedit and see if anything exists in the right pane please.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\

    as well as this one, to see if there is anything concerning a policy on the Control Panel.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
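
To make the registry check requested in that post repeatable, and to cover the values that block cmd.exe and regedit as well as the Control Panel, here is an added example (mine, not code from the thread) in Python. It parses the text that regedit's File > Export or `reg export <key> <file>` writes for the Policies keys and reports the documented user-policy lockdown values: NoControlPanel, NoRun, DisallowRun and RestrictRun with their program-list subkeys, RestrictCpl and DisallowCpl, DisableRegistryTools, DisableTaskMgr, and DisableCMD (which lives under HKCU\Software\Policies\Microsoft\Windows\System rather than under CurrentVersion\Policies). The sample .reg text is constructed for the example; which of these values, if any, exist on the poster's machine is not known from the thread.

```python
"""Lockdown-policy scan over exported Policies keys (added example; not code from the thread)."""
import re

# Constructed sample in the format written by 'reg export' or regedit's File > Export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoControlPanel"=dword:00000001
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"""

# (key suffix, value name) -> effect. These are the standard user-policy value names;
# the scan only tells you whether one of them is set in the export you feed it.
RESTRICTIONS = {
    (r"Policies\Explorer", "NoControlPanel"): "Control Panel disabled",
    (r"Policies\Explorer", "NoRun"): "Start > Run removed",
    (r"Policies\Explorer", "NoFolderOptions"): "Folder Options removed",
    (r"Policies\Explorer", "DisallowRun"): "DisallowRun list active (programs named in the subkey)",
    (r"Policies\Explorer", "RestrictRun"): "only programs named in the RestrictRun subkey may run",
    (r"Policies\Explorer", "RestrictCpl"): "only Control Panel applets named in the subkey are shown",
    (r"Policies\Explorer", "DisallowCpl"): "Control Panel applets named in the subkey are hidden",
    (r"Policies\System", "DisableRegistryTools"): "regedit disabled",
    (r"Policies\System", "DisableTaskMgr"): "Task Manager disabled",
    (r"Policies\Microsoft\Windows\System", "DisableCMD"):
        "cmd.exe disabled (1 also blocks batch files, 2 blocks only the interactive prompt)",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}}. dword data becomes an int and quoted strings are
    unescaped; hex: data, its continuation lines and @= default values are left out or kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            keys[current][m.group("name")] = data
    return keys


def find_restrictions(text):
    """Return (key, value_name, data, meaning) for each non-zero lockdown value, plus every
    program named under a DisallowRun or RestrictRun subkey."""
    hits = []
    for key, values in parse_reg(text).items():
        lowered_key = key.lower()
        lookup = {n.lower(): d for n, d in values.items()}  # registry names are case-insensitive
        for (suffix, name), meaning in RESTRICTIONS.items():
            if lowered_key.endswith("\\" + suffix.lower()) and name.lower() in lookup:
                data = lookup[name.lower()]
                if data not in (0, "0", ""):
                    hits.append((key, name, data, meaning))
        if lowered_key.endswith((r"\policies\explorer\disallowrun", r"\policies\explorer\restrictrun")):
            listname = key.rsplit("\\", 1)[-1]
            for idx, prog in values.items():
                hits.append((key, idx, prog, "program listed under " + listname))
    return hits


if __name__ == "__main__":
    for key, name, data, meaning in find_restrictions(SAMPLE_REG):
        print(f"{key}\n    {name} = {data!r}: {meaning}")
```

On a real machine, export the three locations named in the thread plus HKCU\Software\Policies\Microsoft\Windows\System, and remember that regedit writes .reg files as UTF-16, so open them with `encoding="utf-16"` before passing the text in. A NonEnum key with CLSID values, as the poster found, is a stock part of the Policies tree and is not reported.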
     
  14. Sharcy

    Sharcy Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    20
    Not in those levels themselves, but there are subkeys. Under LM there's NonEnum, Ratings (empty) and System; under CU there's Explorer. All those, except Ratings, have keys with values.
     
  15. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    I guess next would be to check for missing and/or corrupted files, so insert the XP CD-ROM, then go to Start > Run and paste sfc /scannow

    When it finishes reboot.
     
Short URL to this thread: https://techguy.org/244038
