explorer desktop nuked during cleanup (twice)

Discussion in 'Prevx Releases' started by spazdaddy, Nov 23, 2009.

Thread Status:
Not open for further replies.
  1. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    hi, i just started using the paid version of prevx 3.0.5.23 and i've run into a little problem. the install went without a hitch - i ran it as administrator with my firewall and its hips set in learning mode. it seems quite stable, fast and seems to get along with everybody just fine.
    during its initial scan there were a couple of detections which i suspected were fps and marked them as such. i later relented thinking "even if they are fps, whats the harm in letting prevx take care of them? - i wasn't using c4f anyway...it's kinda lame lol. so i removed the overrides and rescanned. prevx found them again (see below) and i told it to clean them.
    i followed the instructions and disconnected from the internet and disabled my av real time protection (guard, webguard, mailguard), my firewall and its hips were still in learning mode (although i set the firewall and hips to allow all activity from prevx anyway.) the cleanup finished, the prevx interface returned to its status screen and said System Status: Protected. so far, so good.
    everything settled down and just for general purposes i figured i'd reboot. it took an unusually long time for windows to shut down and after restarting and logging back in it took a very very long time at the welcome screen and once windows started, voila! no desktop, no taskbar, icons, context menus, nothing, just wallpaper and an explorer window. opened my task manager and everything was running except the executables for my tray applets obviously, dwm was even running.
    the obvious registry entry for the shell was still explorer.exe and nothing in system.ini, it all looked okay. tried rebooting a few more times and nada.
    not knowing what might have happened i had prevx undo the cleanup, tried rebooting again and nothing, just wallpaper and an explorer window.
    i finally did a safe mode restore to a point i made right after i installed prevx but right before the cleanup (just a precaution.) and everything is happy again.
    i went through this exact process twice (from prevx install to system restore) with the same results!
    i should note here, this system wasn't having any trouble, it's been running great, no unusual processes, resource amounts or network activity. i have pretty good internet hygiene, use a lot of passive protection as well as aggressive av/asw, hips and firewall settings and i don't use ie. i just wanted one more layer that was fast, lightweight and played nice with others, there's some real stinkers out there.
    as far as the detections go, i still feel they are fps. i've scanned these files with avira premium 9.0.0.452 (AHEAD set to high), iobit 360 (heuristics set to high), the cleaner and hitman pro and they see nothing, but just as a precaution i renamed them and locked them down, which by the way did not interfere with any subsequent reboots.

    My question here is this, what the heck is happening here? i don't see how one could have anything to do with the other unless this is one super slick little cootie that hijacks the user interface and has no other symptoms,
    or am i gonna be running my pc from a file and task manager every time i remove an infection?
    here's some logs of the cleanup:

    [22/11/2009 12:56] The file [c:\users\arp\documents\c4f\c4f vista p2p toolkit\binaries\wf_vb_chatfilepicture.exe] contains a threat of type [High Risk Cloaked Malware] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E
    [22/11/2009 12:56] The file [\??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dev\C4F Vista P2P Toolkit\Samples\PictureFileChat\(VB Winforms) ChatFilePicture Sample.lnk] contains a threat of type [Infected Entry: [wf_vb_chatfilepicture.exe]] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E
    [22/11/2009 14:56] The file [c:\users\arp\documents\c4f\c4f vista p2p toolkit\binaries\wf_vb_chatfilepicture.exe] contains a threat of type [High Risk Cloaked Malware] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E
    [22/11/2009 14:56] The file [\??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dev\C4F Vista P2P Toolkit\Samples\PictureFileChat\(VB Winforms) ChatFilePicture Sample.lnk] contains a threat of type [Infected Entry: [wf_vb_chatfilepicture.exe]] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E
    [22/11/2009 15:01] The file [c:\users\arp\documents\c4f\c4f vista p2p toolkit\samples\chatfilepicture\winforms\vb\bin\release\chatfilepicture.exe] contains a threat of type [High Risk Cloaked Malware] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E
    [22/11/2009 15:01] The file [c:\users\arp\documents\c4f\c4f vista p2p toolkit\samples\chatfilepicture\winforms\vb\obj\release\chatfilepicture.exe] contains a threat of type [High Risk Cloaked Malware] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E
    [22/11/2009 15:35] The file [c:\users\arp\documents\c4f\c4f vista p2p toolkit\binaries\wf_vb_chatfilepicture.exe] contains a threat of type [High Risk Cloaked Malware] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E
    [22/11/2009 15:35] The file [\??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dev\C4F Vista P2P Toolkit\Samples\PictureFileChat\(VB Winforms) ChatFilePicture Sample.lnk] contains a threat of type [Infected Entry: [wf_vb_chatfilepicture.exe]] - Identity: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E

    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Sun 2009-11-22 14:57:48 Pacific Standard Time. Number of Scans: 2. Last Scan Duration: 3 minutes 34 seconds.

    Previously Detected Files:
    c:\users\arp\documents\c4f\c4f vista p2p toolkit\binaries\wf_vb_chatfilepicture.exe [PX5: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E] Malware Group: High Risk Cloaked Malware


    Prevx v3.0.5.23 Cleanup Log for 22/11/2009 14:59
    (0) Remove File: \DosDevices\c:\users\arp\documents\c4f\c4f vista p2p toolkit\binaries\wf_vb_chatfilepicture.exe

    Cleanup Complete
    =====================================

    File replacement ended in an error.
    File replacement ended in an error.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Sun 2009-11-22 15:01:20 Pacific Standard Time. Number of Scans: 3. Last Scan Duration: 1 minute 32 seconds.

    Previously Detected Files:
    c:\users\arp\documents\c4f\c4f vista p2p toolkit\binaries\wf_vb_chatfilepicture.exe [PX5: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E] Malware Group: High Risk Cloaked Malware
    c:\users\arp\documents\c4f\c4f vista p2p toolkit\samples\chatfilepicture\winforms\vb\bin\release\chatfilepicture.exe [PX5: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E] Malware Group: High Risk Cloaked Malware
    c:\users\arp\documents\c4f\c4f vista p2p toolkit\samples\chatfilepicture\winforms\vb\obj\release\chatfilepicture.exe [PX5: 6F03943A006DB20D50EB0066A9E2CE00DD5FB34E] Malware Group: High Risk Cloaked Malware


    Prevx v3.0.5.23 Cleanup Log for 22/11/2009 15:01
    (0) Remove File: \DosDevices\c:\users\arp\documents\c4f\c4f vista p2p toolkit\samples\chatfilepicture\winforms\vb\bin\release\chatfilepicture.exe
    (1) Remove File: \DosDevices\c:\users\arp\documents\c4f\c4f vista p2p toolkit\samples\chatfilepicture\winforms\vb\obj\release\chatfilepicture.exe

    Cleanup Complete
    =====================================

    current configuration
    vista home premium sp1 32 bit - all updates

    prevx 3.0.5.23
    all protection enabled
    advanced heuristics; medium before age/popularity
    program age heuristics: low
    program popularity heuristics; low

    avira av premium 9.0.0.452
    antivir guard:
    macrovirus heuristic: on
    AHEAD: medium
    antivir webguard:
    macrovirus heuristic: on
    AHEAD: high
    antivir mailguard:
    macrovirus heuristic: on
    AHEAD: high

    outpost firewall 2009 (free)
    stealth mode
    policy: rules wizard
    background policy: block most
    entertainment policy: block most
    hosts protection: optimal (medium i guess)

    hosts file, activex killbits and browser web site blacklisting, java, javascript and plugin whitelisting.

    is this a known issue of any kind with prevx, am i doing something wrong or do i have a very light and stealthy bug on here that has no detectable symptoms? any advice would be greatly appreciated. o_O
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    it is a FP in the registry that is titled show desktop or something. It happened to me last week and thus my little anger burst of stupidity. I ended up doing a reformat. MBAM also detected it Sunday but I just left it alone. Sorry Joe for not reporting it.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Thank you for the extensive log and details. The two files Prevx cleaned are duplicates of each other and do appear to be FPs, but it "could" be possible that Explorer is being hung up from loading because of the start menu link pointing to the .exe file possibly not being removed.

    Prevx logs everything it changes and it looks like it didn't modify anything in the registry, but the "(VB Winforms) ChatFilePicture Sample.lnk" file is sticking out to me as a possible area of problems. Shell link (shortcut) resolution within Windows is a complex procedure and could potentially get hung up on a missing file.

    If you would be interested, could you write into report@prevxresearch.com or send me a PM with your email address if you'd like some remote assistance to try and correct the problem?

    Sorry for the inconvenience and I'm sure we'll get this resolved!
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    VCREDIST_X86.EXE is what killed my desktop on my daughters computer.
     
  5. mannagills

    mannagills Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    37
    Location:
    Michigan
    I had the same problem as spazdaddy following removal of a gnucash file (which I believe to be a false positive). I recovered in the same manner. It's a shame because I like Prevx other than this issue.
     
  6. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    yes, that shortcut does point to one of the problematic files. that being the case, it is odd that it wouldn't hang after i rename the executables with an unregistered extension, i think i used .wasteofdiskspace or something. but then again we are talking redmond so who knows? haha
    just as an experiment, i think i'll try killing those shortcuts, rescanning, and letting prevx clean them again just to see what happens. unless it's a startup item i don't recall ever having an invalid shortcut hang my system before, take the one that says problems and solutions for example, well i guess they're half right anyway XD. but there has gotta be some explanation. it's not the detections that worry me, it's wanting to know what is happening as i'm giving prevx considerable responsibility.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Indeed, and we have had a few reports of this issue as well, but nothing that has allowed us to narrow the problem down and actually find a result.

    Is there any chance that you have a multi-monitor setup? One of the more common causes we're seeing is that somehow the default monitor gets set to an unattached monitor, causing the exact symptoms you're describing.

    Also, when you first ran Prevx and went through cleanup, was that the first time that you had rebooted with Prevx installed? It could be possible that the issue isn't related to cleanup at all, rather, something to do with a clash between Prevx and another piece of software on your system.

    We're very keen on fixing this but not having much luck at the moment in tracking down the cause so any information/suggestions would be welcomed warmly :)
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you let me know what other security software you're using as well? We're trying to get a more clear picture of where the issue may lie so any information would be very helpful at this point :)
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Joe, wanted to also thank you for dealing with my support issue today too. The customer service shown by Prevx on an individual basis is one of a kind.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No problem, any time :)
     
  11. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    1. nope, single monitor only.
    2. the two scenarios went like this:
    1st time: install - scan/cleanup - reboot - uninstall - reboot - reboot to safe mode, restore to pre-install point.
    2nd time: install - reboot - scan/cleanup - reboot - undo cleanup - reboot - reboot to safe mode - restore to post install point.

    restoring to a pre cleanup restore point got my desktop back in both cases. undoing the cleanup did not help. i restored to both pre install and post install points, both worked. prevx seems happy now but i am a bit leery about any future cleanups so i need to figure this out.
    as far as software conflicts go i could run a hjt log if you want to see what's on board if that would help?
    -
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    if you can get to regedit


    Launch Regedit (See more details on starting regedit)
    Navigate to this key
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons
    Check that \HideDesktopIcons has two subfolders
    ClassicStartMenu (Controls non-Aero themes)
    NewStartPanel (Controls Aero Graphics)

    If a dword called {4336a54d-038b-4685-ab02-99bb52d3fb8b} exists in NewStartPanel, then simply change its value to hexadecimal 1. If there is no such dword, then this is how you create it.
    With NewStartPanel in the left pane, right-click in the right pane, select New, then DWORD 32-bit, name the value: {4336a54d-038b-4685-ab02-99bb52d3fb8b}.
    Note: you do need the {Curly Brackets}.
    To hide the Public folder on the desktop, set the dword value = 1.
    To display the folder set the dword = 0.
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
  14. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    this was the first place i looked actually and the shell was set to explorer like it should have been.

    i did not look here however. i'll remember that if it should happen again. thx
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks for these details - these instructions have just fixed another user's issue which was similar to spazdaddy's. I'm still not quite sure what would trigger these problems (we don't modify those keys, although we do make some preventative modifications into similar areas in case malware could have tampered with the visibility settings).

    spazdaddy - a HijackThis log would definitely be helpful to see if it could shed any light on an incompatibility causing this. If you could send the log to report@prevxresearch.com, we'll report back with what we find.

    Thanks! :)
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    UPDATE:

    Hello all,
    We've tracked down the reason and created a fix for this issue. Bizarre as it may be, the issue is solved by:

    Opening Regedit, browsing to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    double clicking the "Shell" value to open it, and just clicking "OK" without changing any data.

    As to why this happens, we're not sure but this will fix it if you're stuck in the black screen state.

    We've made a change to the cleanup engine to now avoid touching this area of the system, although it has been exactly this same way for more than 6 months :doubt: We are therefore suspecting this is a new issue, brought on by an update to the operating system.

    If anyone is still experiencing this problem and does not have System Restore enabled or is having trouble getting to the registry key, please let me know either via a reply or PM and we'll get your PC back up and running properly for you :)

    Sorry for the inconvenience but thank you all for your invaluable assistance!
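    The two registry areas this thread points at (trjam's HideDesktopIcons walk-through in post 12 and PrevxHelp's Winlogon Shell re-save above), as an added PowerShell check that is not Prevx's code or any poster's: it snapshots both so a cleanup's effect on them can be compared, and scripts the "open Shell, click OK" re-save. The key paths and the GUID value name are the ones quoted in the thread; the function names and the choice to flag anything other than the plain string explorer.exe are assumptions of this example.

```powershell
# Added example, not Prevx's code: snapshot the two registry areas this thread
# points at, so their state before and after a cleanup can be compared.
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$HideIconsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons'
$PublicFolderGuid = '{4336a54d-038b-4685-ab02-99bb52d3fb8b}'   # value name from trjam's post

function Get-ShellState {
    # Read Winlogon\Shell without expanding environment strings and describe it.
    $key   = Get-Item -Path $WinlogonKey
    $shell = $key.GetValue('Shell', $null, 'DoNotExpandEnvironmentNames')
    $kind  = if ($null -ne $shell) { $key.GetValueKind('Shell').ToString() } else { 'Missing' }
    # Shell accepts a comma-separated list; anything beyond plain explorer.exe is flagged
    # (assumption of this example: that is the state worth noticing before a cleanup).
    [pscustomobject]@{
        Shell     = $shell
        Kind      = $kind
        Entries   = if ($shell) { @($shell -split ',' | ForEach-Object { $_.Trim() }) } else { @() }
        IsDefault = ($shell -eq 'explorer.exe')
    }
}

function Get-HideDesktopIconsState {
    # Report both subkeys trjam lists and the Public-folder value in each (1 = hidden, 0 = shown).
    foreach ($panel in 'ClassicStartMenu', 'NewStartPanel') {
        $path   = Join-Path -Path $HideIconsKey -ChildPath $panel
        $hidden = $null
        if (Test-Path -Path $path) {
            $hidden = (Get-ItemProperty -Path $path -Name $PublicFolderGuid -ErrorAction SilentlyContinue).$PublicFolderGuid
        }
        [pscustomobject]@{ Panel = $panel; Present = (Test-Path -Path $path); PublicFolderHidden = $hidden }
    }
}

function Repair-ShellValue {
    # Scripted equivalent of PrevxHelp's fix (open Shell in regedit, click OK): rewrite the
    # value as a plain REG_SZ. Needs an elevated prompt; -WhatIf previews without writing.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Shell = 'explorer.exe')
    if ($PSCmdlet.ShouldProcess("$WinlogonKey\Shell", "rewrite as REG_SZ '$Shell'")) {
        Set-ItemProperty -Path $WinlogonKey -Name 'Shell' -Value $Shell -Type String
    }
}

# Usage: run once before a cleanup and once after, then compare the two outputs.
$state = Get-ShellState
$state | Format-List
Get-HideDesktopIconsState | Format-Table -AutoSize
if (-not $state.IsDefault) { Write-Warning "Shell is '$($state.Shell)', not plain explorer.exe" }
```

If the desktop is already gone, the script can be run from the Task Manager "New Task" prompt the original poster describes, and Repair-ShellValue -WhatIf shows what would be written before you commit to it.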
     
  17. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    yeah, no surprise redmond would be in the picture. today's string of updates hung their updater, i was at stage 3 30% for about 15 minutes before i had to force a power off so it could finish (not a recommended procedure.):eek:
    the stinkers tried to install that wpf plugin in firefox again too but i put a screeching halt to that nonsense.
    anyway, thats wonderful news. i'll keep the fix in mind and i eagerly await an update. that really is weird though, maybe part of their security through absurdity strategy:ninja:. unfortunately it seems to work better against software vendors than bad guys.
     
  18. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    PrevxHelp
    Thanks for the heads up on that 'fix'
    I updated today (Vista 32bit) & have had a minor issue.
    Did your 'force' enter (regedit) and fingers crossed:)

    Last time I remember this type of issue was on Environmental Variables, had to do a similar thing to 're-point' 'cos that's what it does.
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    so was I of any help? If so does that get me a license extension.;) Because the G in G-Data stands for growth and I am ready to cut this one off my back.;)
     
  20. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    has this issue been resolved yet? when will i be able to use the cleanup services in prevx (what my license fee is paying for) without getting my 'puter buggered up?
    my year is ticking away here and i would very much like a fully functional version of the program.
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, it is fully fixed and we have a fix and further information available on our blog: http://prevx.com/blog.asp
     
  22. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    yes, i do basically understand what's going on and why and i also know how to get the shell back now - no problemo. however, what i was actually wondering is when this won't be an issue for prevx anymore - this is what i meant by "fully functional". i get precious few detections on here, most have been from my web guards detecting site content or turned out to be fps. but on the off chance i do get a legitimate detection it would be nice to be able to kill the suspected baddie without going through all of that nonsense, that's kind of why i bought this software in the first place.
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We've released a fixed version, v3.0.5.28, which prevents the problem from occurring in the future. We also have an updated blog post if interested with a definite answer now to the cause/solution to the problem: http://www.prevx.com/blog/141/Windows-Black-Screen-Root-Cause.html
     
  24. spazdaddy

    spazdaddy Registered Member

    Joined:
    Nov 23, 2009
    Posts:
    18
    Location:
    tardopolis, oregon
    woo hoo!:argh: that's all i was looking for. from the 'date modified' it looks like prevx must've updated itself to 3.0.5.28 back on 11/28, my bad. the thing is so quiet and unobtrusive i had no idea - guess i shoulda looked eh?
    thank you, thank you, thank you for all your and everyone's help. i've always loved wsf, some of the best people and best help on the web.

    prevx and my system have been running great, rock solid and fast with no loss of functionality. i recently switched my firewall from outpost 2009 to online armor 4.0 and they get along famously. prevx, avira premium and online armor (with good practices of course) seems like quite the bad-ass security combo, i'd probably have to do something pretty stupid to get nailed.

    thanks for a great product and first class support!
     