re: frozen start menu and icons
Friday, October 28, 2005 at 7:52 am Windows XP Annoyances Discussion Forum
Posted by Darko
A reply to the message left by JCW on Thursday, October 27, 2005 at 8:46 am
1. Did not find “style2” registry key.
2. Did not find Q50502281.dll.
3. Found some unfamiliar files under Program Files: RXToolBar (deleted), PestPatrol and MSSoap.
4. No suspicious programs found under Control Panel / Add/Remove Programs.
5. Startup has some unfamiliar entries:
- C:\Program Files\Daily Weather Forecast\weather.exe (but the file does not exist now; it was deleted three days ago),
- C:\WINNT\Alexa.exe
- Incredimail_install [1]
6. Could not delete Q3683875.dll under WINNT. Access denied. Directory WINNT has 1.99 GB and includes folders such as: addins, backup, config, cursors, debug, fonts, java, media and so on. I do not have a dual boot system. Suspicious files under WINNT are: Crystal, Minidump, MUI, and Software Distribution.
7. Found the line 127.0.0.1 localhost and two examples above that line: 102.54.94.97 rhino.acme.com and 38.25.63.10 x.acme.com (those two lines are above the localhost line and are mentioned as examples).
8. Installed Zone Labs firewall.
9. Rebooted into Safe Mode with Networking; icons not frozen, able to go to the Internet.
10. Ran the Trend Micro on-line virus scan. The scan was very slow. It found one virus, but the connection was gone after 5 minutes of waiting for the results of the scan. I had to restart the computer in Safe Mode with Networking. I know that the virus in question was Q3683875.dll because I noticed during the scan that the AV reported a virus while scanning WINNT and files that start with Q.
Ran the Panda on-line scan and it found 1 virus (Q3683875.dll) and disinfected it (but when I went to check under WINNT the file was still there), 6 spyware (all under WINNT: adsldpbc.dll, netdde.dll, smdat32m.sys, system32\grwinsthlp.exe, system32\prflbmsgp32.dll; I did not write down the name of the sixth, but I deleted all of them), 18 dialers (Dialer:Dialer.dll in the Temp folder; I deleted them all) and 6 suspicious files. One of those suspicious files is C:\Program Files\InfoUpdate\iu.exe (the firewall was letting me know later on that this file was trying to access the internet).
11. Downloaded the tool you recommended, installed it and it worked. Q3683875.dll was gone when the computer was rebooted automatically (normal mode). I ran Ad-Aware SE (did not find anything), Spybot Search & Destroy (did not find anything), Freedom AV (provided by Telus Internet Provider) and again Panda On-line (which did not find a virus but found two spyware, which I unfortunately did not write down at 1:30 AM) and some suspicious files. I will run a few on-line virus scans this afternoon, hoping that my problems are gone. The important news is that there are no Q files under WINNT anymore; they are all gone.
Thanks for all your help. I hope that everything is going to be fine so I do not have to bother you again. If you have any additional recommendations I’d appreciate them. Thanks again. You’ve been a great help and without your instructions I would have had to reformat the C drive.
Darko
On Thursday, October 27, 2005 at 8:46 am, jcw wrote:
>1) Returning to your paragraph 4 in your prior post, use regedit to see if you still have any "style2" registry key at:
> -- HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
> (where HKLM = HKEY_LOCAL_MACHINE)
> -- HKEY_CURRENT_USER\Software\Microsoft
> If you do, delete them. Don't reboot. Remain in safe mode.
>
>1A) If you haven't already done so, delete these registry keys using regedit:
> -- HKEY_CLASSES_ROOT\CLSID\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> -- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> (where HKLM = HKEY_LOCAL_MACHINE)
>
>2) You mentioned looking for all of the files I had listed except: Q50502281.dll
> If you didn't do so before, look for - and if found, delete - that file in the following 4 folders:
> --> Windows, Windows\system, Windows\system32, Program Files\Windows NT
> and also in the registry editor (regedit).
> In deleting that file from any of the above 4 folders, bypass the Recycle bin by holding down the keyboard Shift key while performing the deletion.
>
>3) If I didn't ask you to do this before, review the entire Program Files directory for any folders whose names are unfamiliar or suspicious to you.
>
>4) Open under Control Panel the Add or Remove Programs applet to see if there are listed any programs that you don't recognize or that appear suspicious.
>
>5) Type MSCONFIG in the Run box of the Start menu and press Enter. Click on its Startup tab, and review the list of things checked that are supposed to start automatically when WXP starts. Anything there look unfamiliar and suspicious to you?
> -- Also look in Task Manager, on the Applications tab and the Processes tab: anything there look unfamiliar and suspicious to you?
>
>6) Try again to delete in safe mode this file (which I assume you uncovered as being suspicious) that you couldn't delete from the WINNT directory before: Q3683875.dll. Successful?
> I'm concerned that your WINNT directory has become a haven for the malicious files. You said you have that directory because you installed XP over W2k (not a good practice, btw). How big is that directory at this point? To the best of your knowledge, is it being used at all? Do you recognize everything in it, or conversely are there things in it that appear suspicious? I'd really like to delete the whole folder, and I would think you wouldn't need or miss it, but . . . . And if it's too big, it will be difficult to copy it to removable media. Let me know the answers to my questions before proceeding with the next steps. If you don't want to wait, then at least first review the contents of the WINNT directory for anything that looks suspicious to you, and delete suspicious items; if really in doubt, you could copy such items to a blank diskette first and then delete them. (Note: if you make such a copy, when you are sure you don't need to restore the copied items, delete them from the diskette and then do a long format of the diskette.)
>
>7) Open your hosts file with this command in the Run box on the Start menu (note the space before the first %): NOTEPAD %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS
> Hopefully all that you will see there are about 18 lines, each preceded by the # sign, of introductory explanatory material from Microsoft, followed by this line:
> 127.0.0.1 localhost
> If you find anything else there, let me know, e.g.:
> 127.0.0.1 www.website-name.com
> 0.0.0.0 www.website-name.com
>
>8) From a past remark, I assume you don't have a 3rd-party firewall. So make sure that the firewall built into WXP is activated. Also make sure that the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service is started and has its Startup type set to automatic, and that the Network Location Awareness service is started and has its Startup type set to either manual or automatic (manual will suffice for this service, unless the computer is on a local network, which I assume it isn't).
> To access the WinXP services and their properties:
> Control Panel --> Administrative Tools --> Services
> Or you can type SERVICES.MSC in the Run box on the Start menu and press Enter.
>
>9) Now reboot into safe mode with networking, and see if your system remains unfrozen. If yes, make sure that what I told you to check in steps 7 & 8 above remains true, and if so, then try connecting to the internet. The following steps assume you are OK at this point, but if instead your system is again frozen, then you'll need to reboot into safe mode with command prompt and retrace your previous steps to get unfrozen, and then reboot into safe mode with networking, and repeat the steps above until you again are at this point.
>
>10) Once on the net, go immediately to the Trend Micro on-line AV scanner and at least one of the other on-line AV scanners below, and run scans:
> -- http://housecall.trendmicro.com/
> -- http://www.pandasoftware.com/activescan/com/activescan_principal.htm
> -- http://us.mcafee.com/root/mfs/default.asp
> -- http://www.bitdefender.com/scan/licence.php#
> -- http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> In doing those scans, have them do full system scans (other than removable media drives, which should be empty of removable media).
>
>11) Download this tool: --> http://users.telenet.be/marcvn/tools/win32delfkil.exe and save it to your desktop. Disconnect from the net. Double-click (or single click - whatever you use to open or run a file) on the saved executable (win32delfkil.exe) to create a new folder (win32delfkil) on your desktop. Close all windows. Then open the win32delfkil folder and double-click on fix.bat. The computer should reboot automatically when done.
> This is the tool I mentioned to you before about having found on the net.
>
>12) Run Ad-Aware and Spybot S&D again.
> Run your on-board AV program, assuming it has up-to-date definitions.
>
>Let us know how you made out.
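An added example, not part of this thread or either poster's own code: a small Python audit of the check in jcw's step 7, which parses the hosts-file format (full-line and inline # comments, blank lines) and reports every mapping other than 127.0.0.1 localhost, so a hijacked line such as 127.0.0.1 www.website-name.com is flagged rather than eyeballed in Notepad. The sample content is constructed; the commented-out acme.com lines are the stock Windows examples Darko's item 7 mentions, and the parser treats them as comments, not entries.

```python
import ipaddress

# Constructed sample in the layout of the stock Windows hosts file: '#'
# comment lines (including the commented-out acme.com examples), the
# localhost line, then two lines of the kind jcw asks to be reported.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1       www.website-name.com
0.0.0.0         www.website-name.com   # trailing comment
"""

# The only mapping a clean XP hosts file is expected to contain.
EXPECTED = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines, full-line comments
    and anything after an inline '#'; lines without a valid IP are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Every mapping other than the expected localhost line, tagged as a
    'blackhole' (name sent to loopback/0.0.0.0, the classic way to block
    AV and update sites) or a 'redirect' (name sent to some other host)."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        kind = "blackhole" if ip in ("127.0.0.1", "0.0.0.0") else "redirect"
        findings.append((kind, ip, name))
    return findings
```

To audit a real machine, read the contents of %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS and pass the text to suspicious_entries(); an empty result means the file contains only the localhost line jcw expects.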