C:\Windows\system32\%programfiles% directory gets recreated on reboot

Status
Not open for further replies.
Hi,

My son clicked on something vicious, and we have been inundated with trojans, spyware, you name it. I've followed the basic removal instructions, plus ran scans with super anti-spyware, drweb-cureit and a couple of other tools. Most of the tools found and cured several issues, but I am left with two problems:

1. Despite deleting it in safe mode, c:\windows\system32\%programfiles% directory regenerates when I reboot into normal mode, and I can't delete it. The error message says that "connection wizard is being used by another program or user" - connection wizard is a subdirectory under %programfiles%\Internet explorer. By the way, there are no files in any of the folders in the %programfiles% directory.

2. Internet Explorer was moved from the default directory to c:\windows\Internet Explorer. I tried uninstalling and reinstalling IE, but it stays in the same custom directory. This is a huge problem because we can't get Quick Books up and need to do billing for the month asap.

If anyone has suggestions, I'd be grateful!

Attached are HJT, AVG and Combofix logs.

Thanks in advance,

Amy
 
%PROGRAMFILES% should point to your default 'Program Files' directory. i.e. C:\Program Files usually.

I'm not sure if this will help, but you can try:
* Open 'Registry Editor' (you can select run and enter 'regedit').
* Navigate to 'Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion' on the left-hand side.
* On the right-hand side, there should be some items. These should be things like 'CommonFilesDir', 'DevicePath', etc.
* One of these items should be 'ProgramFilesDir'. Make sure that this points to your REAL Program Files folder - i.e. usually C:\Program Files
* If it does not exist, right-click on the left-hand side, select New > String Value. Call it ProgramFilesDir and enter the path to your Program Files folder.

Not guaranteeing this will work but it's the first thing I'd check.
 
Actually wii-ste, your post makes sense. But it also prompted me to think that this may be in "Environment Variables" in System (in Control Panel), selecting the "Advanced" tab too.

Please look at that area as well; you can edit directly from there as well.
I'm thinking it might say set %ProgramFiles%=%System%\ or something like that.
 
kimsland said:
Actually wii-ste, your post makes sense. But it also prompted me to think that this may be in "Environment Variables" in System (in Control Panel), selecting the "Advanced" tab too.

Please look at that area as well; you can edit directly from there as well.
I'm thinking it might say set %ProgramFiles%=%System%\ or something like that.

Hi kimsland, that was the first place I looked (I thought I remembered it there) but I can't find it now. I am however using Vista now, so perhaps it was there on XP.
 
Googled

Ok system variables in vista can be found by going to the control panel, hitting "system and maintenance" then clicking "system" and "advanced system settings" then on the system properties click the advanced tab and then the big button "environment variables" bottom left....

Now why didn't I think of that! (in Vista everything is big)
 
lol I know where to find them. But Vista has no ProgramFilesDir.

System Variables:
NUMBER_OF_PROCESSORS
OS
Path
PATHEXT
PROCESSOR_ARCHITECTURE
PROCESSOR_IDENTIFIER
PROCESSOR_LEVEL
PROCESSOR_REVISION
TEMP
TMP
USERNAME
windir

User Variables:
TEMP
TMP

EDIT: Have just looked on my Server 2003 machine - not in there either
 
kimsland said:
%ProgramFiles%

Whatever its called lol. It's not there - that is the full list on my Vista machine.

Anyway, it might have changed in Vista. I haven't got an XP machine to look on at the moment. If it is in there on XP, then that is one way to change it.
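An added check, not from anyone in this thread, that ties the two suggestions together: it reads the ProgramFilesDir registry value wii-ste pointed at, compares it with what the current session and the machine-scope Environment settings report, and looks for the literal "%programfiles%" folder the original poster described. It assumes an elevated PowerShell session on the affected machine; the warnings it prints are assumed wording.

```powershell
# Added diagnostic (not code from the thread): compare the registry value that
# defines the Program Files location with what the running session sees, and
# look for the literal "%programfiles%" folder reported under system32.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$reg = Get-ItemProperty -Path $key -Name 'ProgramFilesDir' -ErrorAction SilentlyContinue

if ($null -eq $reg) {
    Write-Warning "ProgramFilesDir is missing from $key"
} else {
    "Registry ProgramFilesDir       : $($reg.ProgramFilesDir)"
}
"Session %ProgramFiles%         : $env:ProgramFiles"

# Machine-scope Environment key. This is typically empty because Windows derives
# %ProgramFiles% from the registry value above, not from the Environment Variables
# dialog, which matches what kimsland saw in the Vista dialog.
$machineScope = [Environment]::GetEnvironmentVariable('ProgramFiles', 'Machine')
"Machine-scope ProgramFiles     : $machineScope"

if ($reg -and $reg.ProgramFilesDir -ne $env:ProgramFiles) {
    Write-Warning "Mismatch: registry says '$($reg.ProgramFilesDir)', session sees '$env:ProgramFiles'"
}

# A healthy value is a plain absolute path such as C:\Program Files. A value that
# still contains a '%' or points under the Windows directory is worth a closer look.
if ($reg -and ($reg.ProgramFilesDir -match '%' -or $reg.ProgramFilesDir -like "$env:windir\*")) {
    Write-Warning "ProgramFilesDir looks wrong: '$($reg.ProgramFilesDir)'"
}

# The folder from the original post, taken literally: a directory actually named
# "%programfiles%" under system32. -LiteralPath stops PowerShell from expanding anything.
$suspect = Join-Path $env:windir 'system32\%programfiles%'
if (Test-Path -LiteralPath $suspect) {
    Write-Warning "Literal directory exists: $suspect"
    # List what is inside, including hidden entries, so an open-handle error can be traced
    # to a specific subfolder (the poster saw 'connection wizard' held by another process).
    Get-ChildItem -LiteralPath $suspect -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime
} else {
    "No literal %programfiles% directory under $env:windir\system32"
}
```

If the folder reappears after every reboot, a process or service that runs at startup is recreating it; compare the listing above across reboots and check the startup entries in the HJT log against what the folder contains.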
 