re: frozen start menu and icons
Thursday, October 27, 2005 at 9:50 am Windows XP Annoyances Discussion Forum
Posted by Darko
(13 messages posted)
Thanks for your instructions. I’ll post tomorrow what has happened and answer all
your questions. For now just a few:
Re your point 1) I am quite sure that “style2” is gone but I’ll check it again, of
course.
Re your point 2) I believe Q50502281.dll is already gone.
Re your point 6) The suspicious file Q3683875.dll cannot be deleted even in Safe
Mode. I’ll try it again. The problem is that there is always at least one of those
Q files in WINNT that cannot be deleted.
If I can remember, the WINNT directory includes folders such as cursors, drivers, registration,
system, system32, temp and so on. I will check the details and post tomorrow. I believe
all those are important folders and should not be deleted.
Re your point 12) Ad-Aware and Spybot S&D currently do not find any suspicious files
and I will run them again after I do steps 1-11 first.
Although you did not ask, I will try to post the HijackThis log tomorrow too. Thanks again.
On Thursday, October 27, 2005 at 8:46 am, jcw wrote:
>1) Returning to your paragraph 4 in your prior post, use regedit to see if you still
>have any "style2" registry key at:
> -- HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
> (where HKLM = HKEY_LOCAL_MACHINE)
> -- HKEY_CURRENT_USER\Software\Microsoft
> If you do, delete them. Don't reboot. Remain in safe mode.
>
>1A) If you haven't already done so, delete these registry keys using regedit:
> -- HKEY_CLASSES_ROOT\CLSID\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> -- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> (where HKLM = HKEY_LOCAL_MACHINE)
>
>2) You mentioned looking for all of the files I had listed except: Q50502281.dll
> If you didn't do so before, look for - and if found, delete - that file in the
>following 4 folders:
> --> Windows, Windows\system, Windows\system32, Program Files\Windows NT
> and also in the registry editor (regedit).
> In deleting that file from any of the above 4 folders, bypass the Recycle bin
>by holding down the keyboard Shift key while performing the deletion.
>
>3) If I didn't ask you to do this before, review the entire Program Files directory
>for any folders whose names are unfamiliar or suspicious to you.
>
>4) Open under Control Panel the Add or Remove Program applet to see if there are
>listed any programs that you don't recognize or appear suspicious.
>
>5) Type MSCONFIG in the Run box of the Start box and press Enter. Click on
>its Startup tab, and review the list of things checked that are supposed to start
>automatically when WXP starts. Anything there look unfamiliar and suspicious to you?
> -- Also look in Task Manager, on the Applications tab and the Processes tab,
>anything there look unfamiliar and suspicious to you?
>
>6) Try again to delete in safe mode this file (which I assume you uncovered as
>being suspicious) that you couldn't delete from the WINNT directory before:
>Q3683875.dll. Successful?
> I'm concerned that your WINNT directory has become a haven for the malicious
>files. You said you have that directory because you installed XP over W2k (not a
>good practice, btw). How big is that directory at this point? To the best of your
>knowledge, is it being used at all? Do you recognize everything in it, or
>conversely are there things in it that appear suspicious? I'd really like to delete
>the whole folder, and I would think you wouldn't need or miss it, but . . . . And
>if it's too big, it will be difficult to copy it to removable media. Let me know
>the answers to my questions before proceeding with the next steps.
> If you don't want to wait, then at least first review the contents of the WINNT
>directory for anything that looks suspicious to you, and delete suspicious items;
>if really in doubt, you could copy such items to a blank diskette first and then
>delete them. (Note: if you make such a copy, when you are sure you don't need to
>restore the copied items, delete them from the diskette and then do a long format
>of the diskette.)
>
>7) Open your hosts file with this command in the Run box on the Start menu (note
>the space before the first %):
> NOTEPAD %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS
> Hopefully all that you will see there are about 18 lines, each preceded by the
># sign, of introductory explanatory material from Microsoft, followed by this line:
> 127.0.0.1 local host
> If you find anything else there, let me know, e.g.:
>127.0.0.1 www.website-name.com
>0.0.0.0 www.website-name.com
>
>8) From a past remark, I assume you don't have a 3rd-party firewall. So make
>sure that the firewall built-in WXP is activated. Also make sure that the Internet
>Connection Firewall (ICF)/Internet Connections Sharing (ICS) service is started and
>has its Startup type set for automatic, and that the Network Location Awareness
>service is started and has its Startup type set for either manual or automatic
>(manual will suffice for this service, unless the computer is on a local network,
>which I assume it isn't).
> To access the WinXP services and their properties:
> Control Panel --> Administrative Tools --> Services
>Or you can type: SERVICES.MSC in the Run box on the Start menu and press Enter.
>
>9) Now reboot into safe mode with networking, and see if your system remains
>unfrozen. If yes, make sure that what I told you to check in steps 7 & 8 above
>remain true, and if so, then try connecting to the internet. The following steps
>assume you are OK at this point, but if instead your system is again frozen, then
>you'll need to reboot into safe mode with command prompt and retrace your previous
>steps to get unfrozen, and then reboot into safe mode with networking, and repeat
>the steps above until you again are at this point.
>
>10) Once on the net, go immediately to the Trend Micro on-line AV scanner and
>at least one of the other on-line AV scanners below, and run scans:
> -- http://housecall.trendmicro.com/
> -- http://www.pandasoftware.com/activescan/com/activescan_principal.htm
> -- http://us.mcafee.com/root/mfs/default.asp
> -- http://www.bitdefender.com/scan/licence.php#
> -- http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> In doing those scans, have them do full system scans (other than removable media
>drives, which should be empty of removable media).
>
>11) Download this tool: --> http://users.telenet.be/marcvn/tools/win32delfkil.exe
> and save it to your desktop. Disconnect from the net. Double-click (or single
>click - whatever you use to open or run a file) on the saved executable
>(win32delfkil.exe) to create a new folder (win32delfkil) on your desktop. Close
>all windows. Then open the win32delfkil folder and double-click on fix.bat. The
>computer should reboot automatically when done.
> This is the tool I mentioned to you before about having found on the net.
>
>12) Run Ad-Aware and Spybot S&D again.
> Run your on-board AV program, assuming it has up-to-date definitions.
>
>Let us know how you made out.
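
The hosts-file review described in step 7 of the quoted instructions can be done mechanically. The following Python code is an added example, not part of the original post or of jcw's instructions; the function name `audit_hosts` and the sample file contents are constructed for illustration. It reports every entry other than the default localhost mapping and says whether the name has been made unreachable or pointed at another machine.

```python
import ipaddress

# Names a stock hosts file is expected to map to a loopback address.
DEFAULT_NAMES = {"localhost"}


def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for every hosts entry
    that is not the default localhost mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, " ".join(names), "malformed"))
            continue
        if not names:
            findings.append((line_no, addr, "", "malformed"))
            continue
        for name in names:  # one line may map several names to one address
            name = name.lower()
            if ip.is_loopback and name in DEFAULT_NAMES:
                continue  # the expected default entry
            if ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"  # name made unreachable (127.0.0.1 / 0.0.0.0)
            else:
                verdict = "redirected"  # name pointed at some other machine
            findings.append((line_no, str(ip), name, verdict))
    return findings


# Constructed sample, not taken from the poster's machine.
SAMPLE = """\
# (introductory comment lines from Microsoft would appear here)
# each of them starts with the # sign
127.0.0.1       localhost
127.0.0.1 www.website-name.com
0.0.0.0 www.website-name.com   # appended entry
203.0.113.7 update.example.test
not-an-ip something.example.test
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

An empty result means the file contains only comments and the localhost line; on the machine itself, read the file at the path given in step 7 and pass its text to the function.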