frozen start menu and icons
Showing all messages in thread #1130165809 Windows XP Annoyances Discussion Forum
The following are all of the messages in this thread (26 in all), shown in chronological order.
frozen start menu and icons
Monday, October 24, 2005 at 7:56 am Posted by Diane
(2 messages posted)
I hope someone can help me :(
I had been having problems with a stwoyle trojan - it kept coming up in my virus
scan pop up. I tried everything to get rid of it but it never left.
Now my computer is frozen - It boots up, I can log in to all accounts but when windows
xp (home) desktop comes up, I cannot click anything. The icons and start menu are
frozen. The only thing that seems to work is task manager, but I cannot browse
to find a program to start. This happens under all users and Safe mode does the
same thing. Is there any hope or do I need to reformat?
Thanks for your help!
re: frozen start menu and icons
Monday, October 24, 2005 at 9:45 am Posted by Darko
(13 messages posted)
I have the same problem and it all started yesterday. I spent several hours trying
to fix the problem but could not do a lot.
My Windows XP also starts and then there is no way I can start any programs (tried
to click on them, tried to use a keyboard, tried to browse in Windows Task Manager).
Safe Mode - the same problem. No program is accessible. I cannot even go to Control
Panel to try to fix the problem.
My plan is to copy some important files from C drive onto D drive by using Safe Mode
with Command Prompt option (DOS) and then format C drive. I do not know what else
to do.
Unfortunately I also could not open Internet Explorer to go to MicroTrend web site
(which is a good free on-line anti-virus scan) and eventually solve the problem there
(if this is indeed a virus problem). I have talked to some friends and they all
say it is probably a virus and the best option is to format C drive.
If someone knows better way to solve this problem, please, help. Thanks.
Darko
On Monday, October 24, 2005 at 7:56 am, Diane wrote:
>I hope someone can help me :(
>I had been having problems with a stwoyle trojan - it kept coming up in my virus
>scan pop up. I tried everything to get rid of it but it never left.
>
>Now my computer is frozen - It boots up, I can log in to all accounts but when windows
>xp (home) desktop comes up, I cannot click anything. The icons and start menu are
>frozen. The only thing that seems to work is task manager, but I cannot browse
>to find a program to start. This happens under all users and Safe mode does the
>same thing. Is there any hope or do I need to reformat?
>
>Thanks for your help!
re: frozen start menu and icons
Monday, October 24, 2005 at 12:53 pm Posted by jcw
(5124 messages posted)
1) If you boot into safe mode and open Task Manager, can you start Windows Explorer
by typing EXPLORER in the New Task... box under TM's File menu? If
yes, can you then do anything in Explorer, or is it frozen?
2) Are you able to boot into safe mode with command prompt? Does the command
prompt window open? Can you type a command in it which is then carried out? For
example, if you type at the command prompt: START TASKMGR.EXE and then
press Enter, does your Task Manager open?
re: frozen start menu and icons
Monday, October 24, 2005 at 1:32 pm Posted by Darko
(13 messages posted)
I spent several hours yesterday trying to fix the problem and I believe I tried to
open Task Manager in Safe Mode and it did not work. Task Manager did not allow me
to browse and, if I remember, typing the command did not help either.
I was able to boot in Safe Mode with Command Prompt and I can start some programs
from there but not, for example, Internet Explorer (which I needed to go to MicroTrend
web site and check on-line virus scan) and Anti-virus program. So, commands in DOS
(Safe Mode with Command Prompt) are working fine with some exceptions (anti-virus
program cannot be started from Safe Mode with Command Prompt and I also could not
start Internet Explorer).
Thanks for your reply.
On Monday, October 24, 2005 at 12:53 pm, jcw wrote:
>1) If you boot into safe mode and open Task Manager, can you start Windows Explorer
>by typing EXPLORER in the New Task... box under TM's File menu? If
>yes, can you then do anything in Explorer, or is it frozen?
>2) Are you able to boot into safe mode with command prompt? Does the command
>prompt window open? Can you type a command in it which is then carried out? For
>example, if you type at the command prompt: START TASKMGR.EXE and then
>press Enter, does your Task Manager open?
re: frozen start menu and icons
Monday, October 24, 2005 at 2:23 pm Posted by jcw
(5124 messages posted)
-- Why can't the AV app. be started from the CP? What happens? What on-board app.
are you using?
-- What makes you sure that you have the stwoyle trojan? Was it ID'ed as such
in your AV scan? Were any other viruses or malware ID'ed?
-- In the CP window, can you open regedit by typing REGEDIT at the
command prompt, and then can you move about in the registry editor and use its file
menu?
-- In the CP window, navigate to your Windows\system32 folder and using the
DIR /P/A command to view its contents, see if you have the file named
"winstyle2.dll".
-- In the CP window, navigate to the Program Files directory and review its contents
for a folder or file that looks suspicious or unfamiliar to you, e.g.: Program Files\daily
weather forecast\
re: frozen start menu and icons
Monday, October 24, 2005 at 2:48 pm Posted by Darko
(13 messages posted)
Hi JCW,
Diane mentioned stwoyle trojan. Her AV recognized that and she could not delete it
in the past.
I remember seeing (when in Safe Mode with Command Prompt) file Daily Weather Forecast
under Program Files. Based on your note I believe I should delete it right away.
I believe I saw the file winstyle2.dll when trying to end some process in Windows
Task Manager (or when using Command Prompt).
JCW, the problem that I have (and obviously Diane) is that no program can be started
either by clicking on it or using a keyboard. It is the same in Safe Mode. All icons
and programs are frozen. AV that I have (Zero Knowledge from Telus Internet Provider)
cannot be started. It launches but then it freezes. CPU usage at that time is at
100%. AV could not be started from CP because I got a message that the program could
not be launched from Safe Mode.
I might not be able to reply to your messages again today because I'll go home soon
(and my computer does not work properly). Thanks again for your reply.
On Monday, October 24, 2005 at 2:23 pm, jcw wrote:
>-- Why can't the AV app. be started from the CP? What happens? What on-board app.
>are you using?
> -- What makes you sure that you have the stwoyle trojan? Was it ID'ed as such
>in your AV scan? Were any other viruses or malware ID'ed?
> -- In the CP window, can you open regedit by typing REGEDIT at the
>command prompt, and then can you move about in the registry editor and use its file
>menu?
> -- In the CP window, navigate to your Windows\system32 folder and using the
>DIR /P/A command to view its contents, see if you have the file named
>"winstyle2.dll".
> -- In the CP window, navigate to the Program Files directory and review its contents
>for a folder or file that looks suspicious or unfamiliar to you, e.g.: Program Files\daily
>weather forecast\
re: frozen start menu and icons
Monday, October 24, 2005 at 3:32 pm Posted by jcw
(5124 messages posted)
If you have a folder under Program Files called "Daily Weather Forecast" which you
don't recognize, it is bad and should be deleted. Ditto for a file called winstyle2.dll
(most likely in: Windows\system32).
In your case, they'll need to be deleted using the command prompt window. I'll assume
you know how. You may need to make some changes in the registry first, however,
which is why I asked if you were able to open the registry editor via the CP window.
Post back tomorrow and let us know where you stand.
Btw, in the future, you should get and use an AV program that works in safe mode,
e.g. AVG, which as freeware is available at: » http://free.grisoft.com/doc/2/lng/us/tpl/v5
re: frozen start menu and icons
Monday, October 24, 2005 at 6:57 pm Posted by Darko
(13 messages posted)
Thanks to your advice re Daily Weather Forecast I was able to delete it through command
prompt. After that everything was easy. Windows XP is up and running now and I do
not have problems any more.
I run Ad-Aware SE (found several Alexa related files), Spybot and Anti-virus program
and it looks now that my computer is clean. Most likely Ad-Aware SE cleaned registry
too.
Again, thanks for your advices. You were very helpful.
Sincerely,
Darko
On Monday, October 24, 2005 at 3:32 pm, jcw wrote:
>If you have a folder under Program Files called "Daily Weather Forecast" which you
>don't recognize, it is bad and should be deleted. Ditto for a file called winstyle2.dll
>(most likely in: Windows\system32).
>In your case, they'll need to be deleted using the command prompt window. I'll assume
>you know how. You may need to make some changes in the registry first, however,
>which is why I asked if you were able to open the registry editor via the CP window.
> Post back tomorrow and let us know where you stand.
> Btw, in the future, you should get and use an AV program that works in safe mode,
>e.g. AVG, which as freeware is available at: » http://free.grisoft.com/doc/2/lng/us/tpl/v5
re: frozen start menu and icons
Monday, October 24, 2005 at 8:34 pm Posted by Diane
(2 messages posted)
I deleted the Daily Weather Forecast file using cp, but I don't see the winstyle2.dll
file. My start menu and icons are still frozen.
On Monday, October 24, 2005 at 3:32 pm, jcw wrote:
>If you have a folder under Program Files called "Daily Weather Forecast" which you
>don't recognize, it is bad and should be deleted. Ditto for a file called winstyle2.dll
>(most likely in: Windows\system32).
>In your case, they'll need to be deleted using the command prompt window. I'll assume
>you know how. You may need to make some changes in the registry first, however,
>which is why I asked if you were able to open the registry editor via the CP window.
> Post back tomorrow and let us know where you stand.
> Btw, in the future, you should get and use an AV program that works in safe mode,
>e.g. AVG, which as freeware is available at: » http://free.grisoft.com/doc/2/lng/us/tpl/v5
re: frozen start menu and icons
Tuesday, October 25, 2005 at 7:52 am Posted by Darko
(13 messages posted)
My problems unfortunately are not over. After yesterday’s successful try to unfreeze
icons and start menu the problems are back. My computer was working fine. After I
gained access to icons and start menu I ran Freedom Anti-virus (provided by Telus
internet provider) which did not find any viruses, I also ran Ad-Aware SE (which
found Alexa spyware and cleaned it) and Spybot (found two or three files and deleted
them).
Having a bad experience from the past when one Anti-virus (AV) was able to detect
a virus while two or three other AVs could not, I ran MicroTrend on-line virus scan.
MicroTrend found a TROJ_DLOADER.AHD (the file name is C:\WINNT\Q50502281_disk.dll).
When I tried to delete it I got a message "access denied".
My icons and start menu froze again and the only way I can access some programs is
through Command Prompt (CP). Now I am back at start point where I was two days ago.
This time there is no “Daily Weather Forecast” file under Program Files. The fact
is that I also did not have on my computer that file winstyle2.dll although I mentioned
yesterday that I thought I had it.
I can access Registry Editor (regedit function) through CP but then I cannot close
it, I have to restart computer. When I try to move any open windows on the screen
you get that paint like picture behind (looks like hundreds of that window behind
it).
When MicroTrend AV (on-line scan) found that file Q50502281_disk.dll as a Troj_Dloader.AHD
virus it offered a solution to delete it through the registry.
1. Go to Safe Mode
2. Right click on Start icon (which is frozen in my case so I could not do it), go
to search, type the name of the file, in look in drop-down menu select drive that
contains Windows, press enter, select file, delete the file (again, I could not access
this because my icons are frozen and I did not know the commands to delete it through
CP).
3. Go to Regedit and delete keys:
HKEY_CLASSES_ROOT_CLSID and delete 7A7E6D97-B492-4884-9ABB-C31281DCC4R (which I was
able to delete),
HKEY_LOCAL MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / EXPLORER
/ SHARED TASK SCHEDULE and delete 7A7E6D97-B492-4884-9ABB-C31281DCC4R = “z” (I was
able to delete 7A7E6D97-B492-4884-9ABB-C31281DCC4R but I could not see that “z”).
HKEY_LOCAL MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / WINLOGON
/ NOTIFY and delete “style32” which I could not do because I could not find that
WINLOGON / NOTIFY under HKEY_LOCAL MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT
VERSION.
HKEY_LOCAL MACHINE / SOFTWARE / MICROSOFT / WINDOWS / CURRENT VERSION / EXPLORER
/ BROWSER HELPER OBJECT and delete 7A7E6D97-B492-4884-9ABB-C31281DCC4R (which I
was able to delete).
I was able to run Ad-Aware SE through CP and it found 13 new critical objects (2
registry keys, 10 registry values and 1 file identified – all Alexa related). Ad-Aware
SE deleted all 13 objects but my problems continue.
In short, my icons and start menu are frozen again(even through Safe Mode), the only
access to some programs I have through CP.
I have Windows XP without SP/2, I do not have firewall, I have AV provided by Internet
provider and Ad-Aware SE and Spybot for spyware problems. Obviously what I have is
not enough for protection.
JCW, if you know how to solve this problem, please, help. This is very annoying problem.
I do not know if this time I can access Internet through CP (I believe I can’t because
I had the same problem two days ago). Could you, please, give me instructions how
to solve this problem through CP. Thanks again.
On Monday, October 24, 2005 at 8:34 pm, Diane wrote:
>I deleted the Daily Weather Forecast file using cp, but I don't see the winstyle2.dll
>file. My start menu and icons are still frozen.
re: frozen start menu and icons
Tuesday, October 25, 2005 at 9:34 am Posted by jcw
(5124 messages posted)
I assume that you have been following in this thread the posts by Darko and my replies
to them. Please continue to do so, as my future comments will be posted to Darko
but I will try to make them applicable to both of you.
-- Did you delete a file, or a folder, called "Daily Weather Forecast"? If you
have a folder with that or a similar name that you don't recognize, you need to delete
the entire folder (not just the file) using the RMDIR command. I'll
assume you are able to work in a CP environment and know how to check for syntax.
-- Are you able to use the CP window to open regedit and then work in the registry
editor? If yes, make the registry deletions described in Darko's 7:52 am post today
(10-25-05) and my reply to Darko today contemporaneously with this post.
On Monday, October 24, 2005 at 8:34 pm, Diane wrote:
>I deleted the Daily Weather Forecast file using cp, but I don't see the winstyle2.dll
>file. My start menu and icons are still frozen.
re: frozen start menu and icons
Tuesday, October 25, 2005 at 10:12 am Posted by jcw
(5124 messages posted)
This is difficult because of your having to work solely in the CP window, when we
really don't know all of the malicious files that need to be deleted. What we want
to try to do is to get you at least "unfrozen" so that you can reboot from the CP
window into safe mode and then use Windows to continue cleaning the system. Once
you think you may be "unfrozen", reboot from the CP environment into safe mode, not
normal mode, and then don't reboot again - keep the system on in safe mode only.
This could take a while. If you don't want to engage in this process, I don't know
of an alternative other than to use the CP window to copy to removable media the
data you don't want to lose, and then do a clean, fresh install of WinXP and then
your 3rd-party programs.
You said you don't have a firewall. You should not connect to the internet
without a firewall activated, at least the firewall built-in WinXP.
Did you delete a file, or a folder, called "Daily Weather Forecast"? If you
have a folder with that or a similar name that you don't recognize, you need to delete
the entire folder (not just the file) using the RMDIR command. Check
for proper syntax.
Can you find and delete in the CP window that file: C:\WINNT\Q50502281_disk.dll ?
Review the folders under Program Files and see if there are any there that you
don't recognize. But don't delete anything yet. Post back if anything looks suspicious.
You said you didn't delete because you couldn't find the “style32” registry entry
at the place you looked.
Look for it under: » HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
(HKLM = HKEY_LOCAL_MACHINE)
Search in regedit for the following and any variants thereof, and if found, delete
them (if unsure of whether to delete, post back with what you found):
-- Daily Weather Forecast
-- style32
-- winstyle2.dll
-- winstyle2
In the meantime, I'll see what I can find on that TROJ_DLOADER.AHD you mentioned.
If you do get your system unfrozen so that you can boot into safe mode and work
in WinXP there, do the following:
close any open applications (presumably none are then open);
for every user-account on the computer, delete the temp files (in: Documents
and Settings\{user name}\Local Settings\Temp), although you may retain any temp
files that a user intentionally placed there and that you recognize as safe;
for every user-account on the computer, delete or clear the temporary internet
files, history, and cookies, although you may retain those cookies that are needed
and that you recognize as safe;
for every user-account on the computer, reduce to 10 mb the space for temporary
internet files (Internet Options --> General --> Temporary Internet files - Settings);
once your system is clean, you may increase that space setting as desired;
delete the files in the Windows\Prefetch folder;
delete the temp files in the Windows\Temp folder, although you may retain any
temp files that a user intentionally placed there and that you recognize as safe;
empty the recycle bin; and
disable (turn off) your WinXP system restore feature (yes, doing this will remove
all restore points, but once your system is clean, you may re-enable the system restore
feature and set a new restore point, if desired).
To disable system restore: Control Panel --> System --> System Restore -->
check: Turn Off System Restore --> click Apply or OK --> answer Yes to any follow-up
confirmation.
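A way to do the registry search jcw describes above without clicking around in a regedit that may hang: export the hives from regedit to a .reg file, move it to a clean machine, and search the text. The script below is an added example, not a tool from this forum or from any poster. It looks for the strings jcw lists (plus the Style2 key and the CLSID Darko reports elsewhere in the thread, copied as transcribed) and separately lists every Winlogon\Notify subkey that is not on a stock Windows XP baseline, because Notify DLLs are loaded by winlogon.exe at logon and survive Safe Mode. The XP baseline set and the embedded sample export are assumptions constructed for the example.

```python
"""Offline triage of a regedit export for the registry indicators named in this thread.

Added example, not a tool from the forum or any poster. Assumes the hives were
exported from regedit (File > Export, "Windows Registry Editor Version 5.00" text
format) and copied to an analysis machine; the export embedded below is constructed.
"""
import re

# Strings jcw asked to search for in regedit, the Style2 key Darko found, and the
# CLSID exactly as Darko transcribed it from the Trend Micro instructions.
INDICATORS = [
    "Daily Weather Forecast",
    "style32",
    "winstyle2.dll",
    "winstyle2",
    "Style2",
    "7A7E6D97-B492-4884-9ABB-C31281DCC4R",
]

# Winlogon\Notify subkeys present on a stock Windows XP install. Anything else under
# Notify is loaded by winlogon.exe at logon and deserves a look. This baseline is an
# assumption made for the example, not something the thread states.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

NOTIFY_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\\]+)$",
    re.IGNORECASE,
)

# Constructed sample export: one legitimate Notify entry, one carrying the
# winstyle2.dll name from the thread, and the other locations the thread mentions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style32]
"DllName"="winstyle2.dll"
"Startup"="WLEventStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7A7E6D97-B492-4884-9ABB-C31281DCC4R}"="z"

[HKEY_CURRENT_USER\Software\Microsoft\Style2]
"x"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Daily Weather Forecast]
"DisplayName"="Daily Weather Forecast"
"""


def parse_reg_export(text):
    """Map each [key path] in a .reg export to the value lines beneath it."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def find_indicators(text, indicators=INDICATORS):
    """Case-insensitive search of key paths and value lines.

    Returns (key_path, matching_line, indicator) tuples; each line is reported
    once, for the first indicator in the list that matches it.
    """
    hits = []
    for key, values in parse_reg_export(text).items():
        for line in [key] + values:
            for ind in indicators:
                if ind.lower() in line.lower():
                    hits.append((key, line, ind))
                    break
    return hits


def unexpected_notify_entries(text, baseline=XP_NOTIFY_BASELINE):
    """Winlogon\\Notify subkeys outside the baseline, paired with their DllName value."""
    known = {b.lower() for b in baseline}
    found = []
    for key, values in parse_reg_export(text).items():
        m = NOTIFY_KEY_RE.match(key)
        if not m or m.group(1).lower() in known:
            continue
        dll = None
        for v in values:
            if v.lower().startswith('"dllname"='):
                dll = v.split("=", 1)[1].strip().strip('"')
        found.append((m.group(1), dll))
    return found


if __name__ == "__main__":
    for key, line, ind in find_indicators(SAMPLE_REG):
        print(f"[{ind}] {key} :: {line}")
    for name, dll in unexpected_notify_entries(SAMPLE_REG):
        print(f"non-baseline Winlogon\\Notify entry: {name} -> {dll}")
```

Read the output before deleting anything: the indicator search is a plain substring match, so a hit is a lead to review, and the Notify check reports only what is absent from the baseline, which is why the baseline itself needs to be right for the Windows build in question.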
re: frozen start menu and icons
Tuesday, October 25, 2005 at 10:30 am Posted by Darko
(13 messages posted)
Hi JCW,
I'll try to do everything as you said in your message posted at 10:12 am on October
25, 2005 when I come home today.
Answers to some of your questions:
Daily Weather Forecast folder is deleted through CP and is gone from my computer.
It is not currently under Program Files.
Yes, I can access that file C:\WINNT\Q50502281_disk.dll through CP but I can't delete
it. The access is denied.
I hope I will be able to unfreeze my icons and start menu today. I will post tomorrow
what happened.
JCW, do you know if there is any software (anti-virus scan and spyware) that I could
buy, run CD and try to fix everything that way? Thanks for all your help.
Darko
On Tuesday, October 25, 2005 at 10:12 am, jcw wrote:
>
>This is difficult because of your having to work solely in the CP window, when we
>really don't know all of the malicious files that need to be deleted. What we want
>to try to do is to get you at least "unfrozen" so that you can reboot from the CP
>window into safe mode and then use Windows to continue cleaning the system. Once
>you think you may be "unfrozen", reboot from the CP environment into safe mode, not
>normal mode, and then don't reboot again - keep the system on in safe mode only.
> This could take a while. If you don't want to engage in this process, I don't know
>of an alternative other than to use the CP window to copy to removable media the
>data you don't want to lose, and then do a clean, fresh install of WinXP and then
>your 3rd-party programs.
>
>You said you don't have a firewall. You should not connect to the internet
>without a firewall activated, at least the firewall built-in WinXP.
>
> Did you delete a file, or a folder, called "Daily Weather Forecast"? If you
>have a folder with that or a similar name that you don't recognize, you need to delete
>the entire folder (not just the file) using the RMDIR command. Check
>for proper syntax.
> Can you find and delete in the CP window that file: C:\WINNT\Q50502281_disk.dll ?
> Review the folders under Program Files and see if there are any there that you
>don't recognize. But don't delete anything yet. Post back if anything looks suspicious.
> You said you didn't delete because you couldn't find the “style32” registry entry
>at the place you looked.
> Look for it under: » HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
> (HKLM = HKEY_LOCAL_MACHINE)
> Search in regedit for the following and any variants thereof, and if found, delete
>them (if unsure of whether to delete, post back with what you found):
> -- Daily Weather Forecast
> -- style32
> -- winstyle2.dll
> -- winstyle2
> In the meantime, I'll see what I can find on that TROJ_DLOADER.AHD you mentioned.
> If you do get your system unfrozen so that you can boot into safe mode and work
>in WinXP there, do the following:
> close any open applications (presumably none are then open);
>for every user-account on the computer, delete the temp files (in: Documents
>and Settings\{user name}\Local Settings\Temp), although you may retain any temp
>files that a user intentionally placed there and that you recognize as safe;
>for every user-account on the computer, delete or clear the temporary internet
>files, history, and cookies, although you may retain those cookies that are needed
>and that you recognize as safe;
>for every user-account on the computer, reduce to 10 mb the space for temporary
>internet files (Internet Options --> General --> Temporary Internet files - Settings);
>once your system is clean, you may increase that space setting as desired;
>delete the files in the Windows\Prefetch folder;
>delete the temp files in the Windows\Temp folder, although you may retain any
>temp files that a user intentionally placed there and that you recognize as safe;
>empty the recycle bin; and
>disable (turn off) your WinXP system restore feature (yes, doing this will remove
>all restore points, but once your system is clean, you may re-enable the system restore
>feature and set a new restore point, if desired).
> To disable system restore: Control Panel --> System --> System Restore -->
> check: Turn Off System Restore --> click Apply or OK --> answer Yes to any follow-up
>confirmation.
re: frozen start menu and icons
Tuesday, October 25, 2005 at 11:19 am Posted by jcw
(5124 messages posted)
Further to my earlier post today at 10:12 am, and in reply to your 10:30 am post:
-- Where on your HD is that "C:\WINNT\Q50502281_disk.dll" ? Do you have a WINNT
directory? If so, what else is in it? You get the access denied message when you
try to delete it via the safe mode CP window?
-- Also check in your registry editor, and in the following folders, for the
files listed below or any variant thereof:
Folders: Windows, Windows\system, Windows\system32, Program Files\Windows NT
Files:
TROJ_DLOADER.AHD
TROJ_SMALL.ATP
Win32.DlStwoyle.G
Project1.dll
Q178937.DLL
Q50502281.dll
Q50502281_disk.dll
Win32/SillyDl.14336.Dll
Win32/SillyDL.69632!DLL
Stwoyle {any variant}
These file-names came from the Trend Micro website, and are to be viewed as bad
and to be deleted, but if in doubt, post back with what you find.
As to your last question, I believe that Symantec's Norton AV CD could be placed
in the CD drive and run to clean viruses (useful e.g. when boot sector was dirty and
Windows wouldn't boot). Don't know if it would work here - might. Don't know if
any other AV vendors' CDs would similarly work here - you would need to investigate.
If cost not a big factor and can't solve problem otherwise, may be another alternative
to the "copy data - clean reinstall WXP & programs" alternative if the CD were up-to-date
enough to detect and delete whatever malicious critter(s) you have. That's part
of the problem: we're not sure what all you have, because the freezing problem
you and Diane are having is the first I'm seeing as a result of the "Stwoyle" infection.
On the other hand, if such a CD could clean at least enough to "unlock" your system,
you would be able to pursue other cleaning procedures off and on line in a Windows
environment. Symantec discovered "Stwoyle" June 15, 2005; see:
--> http://securityresponse.symantec.com/avcenter/venc/data/trojan.stwoyle.html
so I am less than optimistic that a CD would yet be updated to include it.
I have come across a purported fix for "Stwoyle" available on the net. You would
need to download it from the net, copy it onto removable media (e.g. a diskette),
copy it onto your machine, and then run it. I was hoping that we could get your
system unfrozen first as it would be easier to do that in Windows, but your system
re-froze before I got back to you today. I can't vouch for this fix, as I've never
had to use it.
On Tuesday, October 25, 2005 at 10:30 am, Darko wrote:
>Hi JCW,
>
>I'll try to do everything as you said in your message posted at 10:12 am on October
>25, 2005 when I come home today.
>
>Answers to some of your questions:
>
>Daily Weather Forecast folder is deleted through CP and is gone from my computer.
>It is not currently under Program Files.
>
>Yes, I can access that file C:\WINNT\Q50502281_disk.dll through CP but I can't delete
>it. The access is denied.
>
>I hope I will be able to unfreeze my icons and start menu today. I will post tomorrow
>what happened.
>
>JWC, do you know if there is any software (anti-virus scan and spyware) that I could
>buy, run CD and try to fix everything that way? Thanks for all your help.
>
>Darko
>
>
>
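The file-name check jcw asks for above can be done from a saved listing rather than by eye in a Safe Mode command prompt. The script below is an added example, not a tool from this forum or from any poster: it parses the output of DIR (captured to a file and copied to an analysis machine), matches each entry against the names jcw copied from Trend Micro, and also generalises the Q-prefixed names in that list (Q followed by six to nine digits, an optional suffix, and a .dll, .exe or .log extension) and any "Stwoyle" variant. The generalised pattern and the embedded listing are assumptions constructed for the example.

```python
"""Flag suspicious file names in a saved DIR listing using the names from this thread.

Added example, not the forum's or any poster's tooling. Assumes the listing was
captured from the Safe Mode command prompt (for example DIR /A C:\WINNT > listing.txt)
and brought to an analysis machine; the listing embedded below is constructed.
"""
import re

# Names jcw copied from the Trend Micro write-up, verbatim as posted (some are
# detection names rather than file names, but they cost nothing to check).
KNOWN_BAD = {
    "TROJ_DLOADER.AHD", "TROJ_SMALL.ATP", "Win32.DlStwoyle.G", "Project1.dll",
    "Q178937.DLL", "Q50502281.dll", "Q50502281_disk.dll",
    "Win32/SillyDl.14336.Dll", "Win32/SillyDL.69632!DLL",
}
KNOWN_BAD_LOWER = {n.lower() for n in KNOWN_BAD}

# Generalisation of the Q-prefixed names above: Q, 6 to 9 digits, an optional
# suffix, and a .dll/.exe/.log extension. An assumption for this example; the
# pattern is loose, so review each match by hand.
Q_PATTERN = re.compile(r"^Q\d{6,9}(?:_\w+)?\.(?:dll|exe|log)$", re.IGNORECASE)
STWOYLE = re.compile(r"stwoyle", re.IGNORECASE)

# One DIR entry: date, time (12- or 24-hour), <DIR> or a comma-grouped size, name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}(?: [AP]M)?)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)

# Constructed listing: one ordinary file, two names from the thread, one name that
# only the generalised pattern catches, and two directories.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\WINNT

10/23/2005  09:12 PM    <DIR>          .
10/23/2005  09:12 PM    <DIR>          ..
08/04/2004  05:00 AM            69,120 notepad.exe
10/23/2005  09:15 PM            14,336 Q50502281_disk.dll
10/23/2005  09:15 PM            69,632 Q50502281.dll
10/23/2005  09:16 PM            20,480 Q3683875.dll
10/22/2005  11:40 AM    <DIR>          Prefetch
10/22/2005  11:41 AM    <DIR>          system32
               4 File(s)        173,568 bytes
               4 Dir(s)  10,000,000,000 bytes free
"""


def parse_dir_listing(text):
    """Return (name, is_dir, size_bytes) per entry; header, footer, . and .. are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue
        _date, _time, size, name = m.groups()
        if name in (".", ".."):
            continue
        is_dir = size == "<DIR>"
        entries.append((name, is_dir, 0 if is_dir else int(size.replace(",", ""))))
    return entries


def classify(name):
    """Reason a name is flagged, or None. Exact matches win over the looser patterns."""
    if name.lower() in KNOWN_BAD_LOWER:
        return "listed in thread"
    if Q_PATTERN.match(name):
        return "Q<digits> pattern"
    if STWOYLE.search(name):
        return "Stwoyle variant"
    return None


def flag_suspicious(text):
    """(name, reason) for every file entry in the listing that classify() flags."""
    flagged = []
    for name, is_dir, _size in parse_dir_listing(text):
        reason = None if is_dir else classify(name)
        if reason:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in flag_suspicious(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```

The exact-name set catches only what the vendor write-up already knew about; the pattern rule is there because the thread's own file names differ from that list by a few digits, and a practitioner reviewing a listing by hand would miss exactly that kind of variation.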
re: frozen start menu and icons
Tuesday, October 25, 2005 at 1:33 pm Posted by Darko
(13 messages posted)
Yes, I have a WINNT directory. I guess it is because I had originally Windows 2000
NT installed and then installed Windows XP over it.
Yes, I can access that virus file through CP but I can't delete it. Yesterday when
I was able to use Windows I tried to delete that file and the access was denied too.
Thanks JCW. I'll do my homework today and post the results tomorrow. I am not home
right now so I can't do anything at this moment. Thanks again.
Darko
On Tuesday, October 25, 2005 at 11:19 am, jcw wrote:
>Further to my earlier post today at 10:12 am, and in reply to your 10:30 am post:
> -- Where on your HD is that "C:\WINNT\Q50502281_disk.dll" ? Do you have a WINNT
>directory? If so, what else is in it? You get the access denied message when you
>try to delete it via the safe mode CP window?
> -- Also check in your registry editor, and in the following folders, for the
>files listed below or any variant thereof:
> Folders: Windows, Windows\system, Windows\system32, Program Files\Windows NT
> Files:
>TROJ_DLOADER.AHD
>TROJ_SMALL.ATP
>Win32.DlStwoyle.G
>Project1.dll
>Q178937.DLL
>Q50502281.dll
>Q50502281_disk.dll
>Win32/SillyDl.14336.Dll
>Win32/SillyDL.69632!DLL
>Stwoyle {any variant}
> These file-names came from the Trend Micro website, and are to be viewed as bad
>and to be deleted, but if in doubt, post back with what you find.
>As to your last question, I believe that Symantec's Norton AV CD could be placed
>in the CD drive and run to clean viruses (useful e.g. when boot sector was dirty and
>Windows wouldn't boot). Don't know if it would work here - might. Don't know if
>any other AV vendors' CDs would similarly work here - you would need to investigate.
> If cost not a big factor and can't solve problem otherwise, may be another alternative
>to the "copy data - clean reinstall WXP & programs" alternative if the CD were up-to-date
>enough to detect and delete whatever malicious critter(s) you have. That's part
>of the problem: we're not sure what all you have, because the freezing problem
>you and Diane are having is the first I'm seeing as a result of the "Stwoyle" infection.
> On the other hand, if such a CD could clean at least enough to "unlock" your system,
>you would be able to pursue other cleaning procedures off and on line in a Windows
>environment. Symantec discovered "Stwoyle" June 15, 2005; see:
> --> http://securityresponse.symantec.com/avcenter/venc/data/trojan.stwoyle.html
> so I am less than optimistic that a CD would yet be updated to include it.
>I have come across a purported fix for "Stwoyle" available on the net. You would
>need to download it from the net, copy it onto removable media (e.g. a diskette),
>copy it onto your machine, and then run it. I was hoping that we could get your
>system unfrozen first as it would be easier to do that in Windows, but your system
>re-froze before I got back to you today. I can't vouch for this fix, as I've never
>had to use it.
re: frozen start menu and icons
Wednesday, October 26, 2005 at 7:47 am Posted by Darko
(13 messages posted)
After a few hours of trying yesterday afternoon I was able to “unfreeze” my icons
and start menu.
1. Started Windows XP in normal mode, icons and start menu frozen.
2. Restarted computer in Safe Mode. The same problems with frozen icons and start
menu. Ctrl-Alt-Del to start Windows Task Manager. It opens but could not browse.
Had to restart computer because I could not close Windows Task Manager (computer
was “busy thinking” and when tried to move Task Manager I got that effect like numerous
Task Managers were open behind the front one).
3. Restarted computer in Safe Mode with Command Prompt (CP). Tried to run Spybot
– Search & Destroy, could not do it. Tried to run Ad-Aware SE personal and was able
to do it. Ad-Aware SE found 13 critical objects (2 registry keys, 10 registry values
and 1 file identified: tracking cookie, type IE cache entry, category data miner,
object @kazaa.cjt1.net/htm/500/0. Twelve registry entries were related to Alexa.
Ad-Aware deleted all 13 objects.
4. Found and deleted (run regedit through CP to open Registry):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\style2.
Also found and deleted HKEY_CURRENT_USER\Software\Microsoft\Style2.
5. Could not find any of those files that were recommended to be deleted: TROJ_DLOADER.AHD,
TROJ_SMALL.ATP, Win32.DlStwoyle.G, Project.dll, Q178937.DLL, Win32/SillyDl.14336.Dll,
Win32/SillyDl.69632!DLL or any other Stwoyle virus. The chance is that I could miss
some of those files on my computer. Of course, I already had virus Q50502281_disk.dll
which could not be accessed (deletion denied).
6. Rebooted computer in normal mode and immediately those 2 deleted files from #4
were back.
7. Went back to CP mode.
8. Deleted all files that start with Q and have 7, 8 or 9 digits after the Q (under
WINNT) with extensions .dll, .log and .exe. Tried to delete file Q50502281_disk.dll
(after I deleted all other files that start with Q) and surprisingly was able to
delete it this time. One file remains undeleted, Q3683875.dll, which, I suspect, is
another virus that could be triggered somehow (I have a feeling that those are triggered
when the AV recognizes them as viruses).
9. Ran start taskmgr.exe from CP successfully and was even able to browse. Once I
was able to browse and had access through some Windows screens I did the following:
deleted all files from C:\WINNT\Prefetch; deleted all Temp and Temporary Internet
Files; reduced the space for Temporary Internet Files to 10 MB (Internet Options-General-Temporary
Internet Files-Settings); emptied Recycle Bin; disabled WinXP system restore feature
(Control Panel-System-System Restore-check Turn off System Restore-click Apply and
OK-answered Yes to follow-up information).
10. Made copies of all important files from C drive to removable media in case
I have to format C drive.
11. Ran Ad-Aware SE and Spybot – Search & Destroy and those two programs did not
find anything (looks like the system is clean of spyware). Could not run my AV because
it can’t be launched in Safe Mode.
12. All this time my computer was disconnected from Internet and I am still not connected
hoping that I could get some additional information today how to finally solve this
problem.
JCW, I hope you can send me some info now how to pursue other cleaning procedures
off and on line (I believe I should have access now to Internet once I got my icons
“unfrozen” because I can access any other programs now) in Windows environment. I
did not go to Internet because I was afraid I might get all that was cleaned back.
I even did not want to shut down computer because I was also afraid that reboot could
ruin everything again. Thanks for all your help. It is greatly appreciated. I am
also trying to explain in details what I have done so far to unfreeze my computer
because, I believe, it will be useful to Diane and probably some other people who
might have the same problem.
On Tuesday, October 25, 2005 at 11:19 am, jcw wrote:
>Further to my earlier post today at 10:12 am, and in reply to your 10:30 am post:
> -- Where on your HD is that "C:\WINNT\Q50502281_disk.dll" ? Do you have a WINNT
>directory? If so, what else is in it? You get the access denied message when you
>try to delete it via the safe mode CP window?
> -- Also check in your registry editor, and in the following folders, for the
>files listed below or any variant thereof:
> Folders: Windows, Windows\system, Windows\system32, Program Files\Windows NT
> Files:
>TROJ_DLOADER.AHD
>TROJ_SMALL.ATP
>Win32.DlStwoyle.G
>Project1.dll
>Q178937.DLL
>Q50502281.dll
>Q50502281_disk.dll
>Win32/SillyDl.14336.Dll
>Win32/SillyDL.69632!DLL
>Stwoyle {any variant}
> These file-names came from the Trend Micro website, and are to be viewed as bad
>and to be deleted, but if in doubt, post back with what you find.
>As to your last question, I believe that Symantec's Norton AV CD could be placed
>in the CD drive and run to clean vires (useful e.g. when boot sector was dirty and
>Windows wouldn't boot). Don't know if it would work here - might. Don't know if
>any other AV vendors' CDs would similarly work here - you would need to investigate.
> If cost not a big factor and can't solve problem otherwise, may be another alternative
>to the "copy data - clean reinstall WXP & programs" alternative if the CD were up-to-date
>enough to detect and delete whatever malicious critter(s) you have. That's part
>of the problem: we're not sure what all you have, because the freezing problem
>you and Diane are having is the first I'm seeing as a result of the "Stwoyle" infection.
> On the other hand, if such a CD could clean at least enough to "unlock" your system,
>you would be able to pursue other cleaning procedures off and on line in a Windows
>environment. Symantec discovered "Stwoyle" June 15, 2005; see:
> --> http://securityresponse.symantec.com/avcenter/venc/data/trojan.stwoyle.html
> so I am less than optimistic that a CD would yet be updated to include it.
>I have come across a purported fix for "Stwoyle" available on the net. You would
>need to download it from the net, copy it onto removable media (e.g. a diskette),
>copy it onto your machine, and then run it. I was hoping that we could get your
>system unfrozen first as it would be easier to do that in Windows, but your system
>re-froze before I got back to you today. I can't vouch for this fix, as I've never
>had to use it.
[Reply or follow-up to this message]
|
re: frozen start menu and icons
Wednesday, October 26, 2005 at 11:34 am Posted by jcw
(5124 messages posted)
I've just had a chance to open your post. I want to review it at greater length
and look into a few things. Owing to time, I may not get back to you again today.
I hope that is not a problem, and you can leave your unit on over-night if need
be. -- Are you running in safe mode now? -- Am I correct that at this moment
your system is not frozen and you can operate in a WXP environment with mouse and
keyboard?
[Reply or follow-up to this message]
|
re: frozen start menu and icons
Wednesday, October 26, 2005 at 11:37 am Posted by Darko
(13 messages posted)
Yes, my computer is running in Safe Mode now and my icons are not frozen anymore
so I can operate by using Windows XP.
I've tried to find some information about TROJ_DLOADER.AHD on the Internet (from work)
but it looks like no one knows anything about it at this moment.
As I mentioned, after I deleted those files in WINNT that start with Q, I was able
to browse in Task Manager and open all programs with the exception of AV (Freedom,
from Zero Knowledge, provided by Telus, my Internet provider). I constantly get a message
that AV cannot run in Safe Mode, which was confirmed by a Telus CS rep when I phoned.
Thanks again for your efforts to find a solution for my problem.
On Wednesday, October 26, 2005 at 11:34 am, jcw wrote:
>I've just had a chance to open your post. I want to review it at greater length
>and look into a few things. Owing to time, I may not get back to you again today.
> I hope that is not a problem, and you can leave your unit on over-night if need
>be. -- Are you running in safe mode now? -- Am I correct that at this moment
>your system is not frozen and you can operate in a WXP environment with mouse and
>keyboard?
[Reply or follow-up to this message]
|
re: frozen start menu and icons
Wednesday, October 26, 2005 at 11:45 am Posted by jcw
(5124 messages posted)
Are you a Kazaa user? Do you have it on your computer? You're aware of its danger
of leading to infection?
[Reply or follow-up to this message]
|
re: frozen start menu and icons
Wednesday, October 26, 2005 at 1:14 pm Posted by Darko
(13 messages posted)
Kazaa is deleted from my computer. My son was using it for a short period of time
but I deleted yesterday everything that is related to Kazaa.
Darko
On Wednesday, October 26, 2005 at 11:45 am, jcw wrote:
>Are you a Kazaa user? Do you have it on your computer? You're aware of its danger
>of leading to infection?
[Reply or follow-up to this message]
|
re: frozen start menu and icons
Thursday, October 27, 2005 at 8:46 am Posted by jcw
(5124 messages posted)
1) Returning to your paragraph 4 in your prior post, use regedit to see if you still
have any "style2" registry key at:
-- HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
(where HKLM = HKEY_LOCAL_MACHINE)
-- HKEY_CURRENT_USER\Software\Microsoft
If you do, delete them. Don't reboot. Remain in safe mode.
1A) If you haven't already done so, delete these registry keys using regedit:
-- HKEY_CLASSES_ROOT\CLSID\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
-- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
(where HKLM = HKEY_LOCAL_MACHINE)
2) You mentioned looking for all of the files I had listed except: Q50502281.dll
If you didn't do so before, look for - and if found, delete - that file in the
following 4 folders:
--> Windows, Windows\system, Windows\system32, Program Files\Windows NT
and also in the registry editor (regedit).
In deleting that file from any of the above 4 folders, bypass the Recycle bin
by holding down the keyboard Shift key while performing the deletion.
3) If I didn't ask you to do this before, review the entire Program Files directory
for any folders whose names are unfamiliar or suspicious to you.
4) Open under Control Panel the Add or Remove Program applet to see if there are
listed any programs that you don't recognize or appear suspicious.
5) Type MSCONFIG in the Run box of the Start box and press Enter. Click on
its Startup tab, and review the list of things checked that are supposed to start
automatically when WXP starts. Anything there look unfamiliar and suspicious to you?
-- Also look in Task Manager, on the Applications tab and the Processes tab,
anything there look unfamiliar and suspicious to you?
6) Try again to delete in safe mode this file (which I assume you uncovered as
being suspicious) that you couldn't delete from the WINNT directory before: Q3683875.dll. Successful?
I'm concerned that your WINNT directory has become a haven for the malicious
files. You said you have that directory because you installed XP over W2k (not a good practice, btw).
How big is that directory at this point? To the best of your knowledge, is it being used at all?
Do you recognize everything in it, or conversely are there things in it that appear suspicious?
I'd really like to delete the whole folder, and I would think you wouldn't need or miss it,
but . . . . And if it's too big, it will be difficult to copy it to removable media.
Let me know the answers to my questions before proceeding with the next steps.
If you don't want to wait, then at least first review the contents of the WINNT directory
for anything that looks suspicious to you, and delete suspicious items; if really in doubt,
you could copy such items to a blank diskette first and then delete them. (Note: if you make
such a copy, when you are sure you don't need to restore the copied items, delete them from
the diskette and then do a long format of the diskette.)
7) Open your hosts file with this command in the Run box on the Start menu (note
the space before the first %): NOTEPAD %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS
Hopefully all that you will see there are about 18 lines, each preceded by the
# sign, of introductory explanatory material from Microsoft, followed by this line:
127.0.0.1 local host
If you find anything else there, let me know, e.g.:
127.0.0.1 www.website-name.com
0.0.0.0 www.website-name.com
8) From a past remark, I assume you don't have a 3rd-party firewall. So make
sure that the firewall built-in WXP is activated. Also make sure that the Internet
Connection Firewall (ICF)/Internet Connections Sharing (ICS) service is started and
has its Startup type set for automatic, and that the Network Location Awareness
service is started and has its Startup type set for either manual or automatic
(manual will suffice for this service, unless the computer is on a local network,
which I assume it isn't).
To access the WinXP services and their properties:
Control Panel --> Administrative Tools --> Services
Or you can type: SERVICES.MSC in the Run box on the Start menu and press Enter.
9) Now reboot into safe mode with networking, and see if your system remains
unfrozen. If yes, make sure that what I told you to check in steps 7 & 8 above
remain true, and if so, then try connecting to the internet. The following steps
assume you are OK at this point, but if instead your system is again frozen, then
you'll need to reboot into safe mode with command prompt and retrace your previous
steps to get unfrozen, and then reboot into safe mode with networking, and repeat
the steps above until you again are at this point.
10) Once on the net, go immediately to the Trend Micro on-line AV scanner and
at least one of the other on-line AV scanners below, and run scans:
-- http://housecall.trendmicro.com/
-- http://www.pandasoftware.com/activescan/com/activescan_principal.htm
-- http://us.mcafee.com/root/mfs/default.asp
-- http://www.bitdefender.com/scan/licence.php#
-- http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
In doing those scans, have them do full system scans (other than removable media
drives, which should be empty of removable media).
11) Download this tool: --> http://users.telenet.be/marcvn/tools/win32delfkil.exe
and save it to your desktop. Disconnect from the net. Double-click (or single
click - whatever you use to open or run a file) on the saved executable (win32delfkil.exe)
to create a new folder (win32delfkil) on your desktop. Close all windows. Then open
the win32delfkil folder and double-click on fix.bat. The computer should reboot
automatically when done.
This is the tool I mentioned to you before about having found on the net.
12) Run Ad-Aware and Spybot S&D again.
Run your on-board AV program, assuming it has up-to-date definitions.
Let us know how you made out.
[Reply or follow-up to this message]
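Step 7 above asks for a manual read of the hosts file, and the thread's later report shows why the check needs care: Microsoft's stock file contains commented example lines (the acme.com entries) that are harmless, while an uncommented line mapping a real domain to 127.0.0.1 or 0.0.0.0 silently blocks it (commonly AV vendor or update sites), and any other address redirects it. As an added example, not code from this thread or from any tool it names, the Python below parses a hosts file the way that review does: `#` comments are stripped, and every active mapping other than `127.0.0.1 localhost` is reported. The file contents in `SAMPLE_HOSTS` are constructed, and the `.test` hostnames are placeholders.

```python
"""Audit a Windows hosts file for active mappings beyond the stock localhost line."""
import os

# Constructed sample: the '#' header and the two acme.com lines mirror the
# commented material Microsoft ships; the last two lines are the kind of
# uncommented entries that should not be there (hostnames are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test
0.0.0.0         update.example.test
"""

# The only mapping a clean XP hosts file is expected to contain.
EXPECTED = {("127.0.0.1", "localhost")}

# Destinations that make a hosts entry a block rather than a redirect.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0"}


def hosts_path():
    """Path of the hosts file on the local Windows system (SYSTEMROOT is
    the WINDOWS or WINNT directory; the fallback is only a sensible default)."""
    root = os.environ.get("SYSTEMROOT", "C:" + os.sep + "WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every active (non-comment) mapping.

    A comment may follow a mapping on the same line, so the '#' split is done
    before the whitespace split; a line may map several names to one address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Return the active mappings that are not part of the expected baseline."""
    return [entry for entry in parse_hosts(text) if entry not in EXPECTED]


def describe(entry):
    """Human-readable verdict for one suspicious mapping."""
    ip, host = entry
    effect = "blocked" if ip in SINKHOLE_ADDRESSES else "redirected to " + ip
    return f"{host} is {effect}"


if __name__ == "__main__":
    # Audit the constructed sample; to audit the real file, read hosts_path()
    # instead (it is plain ASCII/ANSI text on XP).
    for entry in audit_hosts(SAMPLE_HOSTS):
        print("suspicious:", describe(entry))
```

On a real machine, pass the text of `hosts_path()` to `audit_hosts` instead of the sample; a clean XP file yields an empty list, and each reported entry is one the user should be able to account for before it is kept.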
|
re: frozen start menu and icons
Thursday, October 27, 2005 at 9:50 am Posted by Darko
(13 messages posted)
Thanks for your instructions. I’ll post tomorrow what has happened and answer all
your questions. For now just a few:
Re your point 1) I am quite sure that “style2” is gone but I’ll check it again, of
course.
Re your point 2) I believe Q50502281.dll is already gone.
Re your point 6) The suspicious file Q3683875.dll cannot be deleted even in Safe
Mode. I’ll try it again. The problem is that there is always at least one of those
Q files in WINNT that cannot be deleted.
If I remember correctly, the WINNT directory includes folders such as cursors, drivers, registration,
system, system32, temp and so on. I will check the details and post tomorrow. I believe
all those are important folders and should not be deleted.
Re your point 12) Ad-Aware and Spybot S&D currently do not find any suspicious files
and I will run them again after I do steps 1-11 first.
Although you did not ask, I will try to post a HijackThis log tomorrow too. Thanks again.
On Thursday, October 27, 2005 at 8:46 am, jcw wrote:
>1) Returning to your paragraph 4 in your prior post, use regedit to see if you still
>have any "style2" registry key at:
> -- HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
> (where HKLM = HKEY_LOCAL_MACHINE)
> -- HKEY_CURRENT_USER\Software\Microsoft
> If you do, delete them. Don't reboot. Remain in safe mode.
>
>1A) If you haven't already done so, delete these registry keys using regedit:
> -- HKEY_CLASSES_ROOT\CLSID\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> -- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
>Objects\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> (where HKLM = HKEY_LOCAL_MACHINE)
>
>2) You mentioned looking for all of the files I had listed except: Q50502281.dll
> If you didn't do so before, look for - and if found, delete - that file in the
>following 4 folders:
> --> Windows, Windows\system, Windows\system32, Program Files\Windows NT
> and also in the registry editor (regedit).
> In deleting that file from any of the above 4 folders, bypass the Recycle bin
>by holding down the
>
>keyboard Shift key while performing the deletion.
>
> 3) If I didn't ask you to do this before, review the entire Program Files directory
>for any folders whose
>
>names are unfamiliar or suspicious to you.
> 4) Open under Control Panel the Add or Remove Program applet to see if there are
>listed any programs
>
>that you don't recognize or appear suspicious.
> 5) Type MSCONFIG in the Run box of the Start box and press Enter.
> Click on
>
>its Startup tab, and review the list of things checked that are supposed to start
>automatically when WXP
>
>starts. Anything there look unfamiliar and suspicious to you?
> -- Also look in Task Manager, on the Applications tab and the Processes tab,
>anything there look unfamiliar and suspicious to you?
>
> 6) Try again to delete in safe mode this file (which I assume you uncovered as
>being suspicious) that
>
>you couldn't delete from the WINNT directory before: Q3683875.dll. Successful?
> I'm concerned that your WINNT directory has become a haven for the malicious
>files. You said you
>
>have that directory because you installed XP over W2k (not a good practice, btw).
> How big is that directory
>
>at this point? To the best of your knowledge, is it being used at all? Do you recognize
>everything in it, or
>
>conversely are there things in it that appear suspicious? I'd really like to delete
>the whole folder, and I would
>
>think you wouldn't need or miss it, but . . . . And if it's too big, it will be difficult
>to copy it to removable
>
>media. Let me know the answers to my questions before proceeding with the next steps.
> If you don't want
>
>to wait, then at least first review the contents of the WINNT directory for anything
>that looks suspicious to
>
>you, and delete suspicious items; if really in doubt, you could copy such items to
>a blank diskette first and
>
>then delete them. (Note: if you make such a copy, when you are sure you don't need
>to restore the copied
>
>items, delete them from the diskette and then do a long format of the diskette.)
>
>7) Open your hosts file with this command in the Run box on the Start menu (note
>the space before the
>
>first %): NOTEPAD %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS
> Hopefully all that you will see there are about 18 lines, each preceded by the
># sign, of introductory
>
>explanatory material from Microsoft, followed by this line:
> 127.0.0.1 local host
> If you find anything else there, let me know, e.g.:
>127.0.0.1 www.website-name.com
>0.0.0.0 www.website-name.com
>
>8) From a past remark, I assume you don't have a 3rd-party firewall. So make
>sure that the firewall
>
>built-in WXP is activated. Also make sure that the Internet Connection Firewall
>(ICF)/Internet Connections
>
>Sharing (ICS) service is started and has its Startup type set for automatic, and
>that the Network Location
>
>Awareness service is started and has its Startup type set for either manual or automatic
>(manual will suffice
>
>for this service, unless the computer is on a local network, which I assume it isn't).
> To access the WinXP services and their properties:
> Control Panel --> Administrative Tools --> Services
>Or you can type: SERVICES.MSC in the Run box on the Start menu and
>
>press Enter.
>
>9) Now reboot into safe mode with networking, and see if your system remains
>unfrozen. If
>
>yes, make sure that what I told you to check in steps 7 & 8 above remain true, and
>if so, then try
>
>connecting to the internet. The following steps assume you are OK at this point,
>but if instead your system
>
>is again frozen, then you'll need to reboot into safe mode with command prompt and
>retrace your previous
>
>steps to get unfrozen, and then reboot into safe mode with networking, and repeat
>the steps above until you
>again are at this point.
>
> 10) Once on the net, go immediately to the Trend Micro on-line AV scanner and
>at least one of the other
>
>on-line AV scanners below, and run scans:
> -- http://housecall.trendmicro.com/
> -- http://www.pandasoftware.com/activescan/com/activescan_principal.htm
> -- http://us.mcafee.com/root/mfs/default.asp
> -- http://www.bitdefender.com/scan/licence.php#
> -- http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> In doing those scans, have them do full system scans (other than removable media
>drives, which should be empty of removable media).
>
> 11) Download this tool: --> http://users.telenet.be/marcvn/tools/win32delfkil.exe
> and save it to your desktop. Disconnect from the net. Double-click (or single
>click - whatever you use
>
>to open or run a file) on the saved executable (win32delfkil.exe) to create a new
>folder (win32delfkil) on your
>
>desktop. Close all windows. Then open the win32delfkil folder and double-click on
>fix.bat. The computer
>
>should reboot automatically when done.
> This is the tool I mentioned to you before about having found on the net.
>
>12) Run Ad-Aware and Spybot S&D again.
> Run your on-board AV program, assuming it has up-to-date definitions.
>
>Let us know how you made out.
[Reply or follow-up to this message]
|
re: frozen start menu and icons
Thursday, October 27, 2005 at 10:31 am Posted by jcw
(5124 messages posted)
Don't run HjT until all other steps have been performed and we are persuaded that
you have a fairly clean and stable system. Frankly, I don't want to weed through
a log before that point, particularly with your WXP having been installed over W2k.
I was afraid that the WINNT directory would have all of the OS-type stuff you
mentioned, but I doubt that it is or should be important now given that you use WXP.
You don't have a dual boot system there, do you?
While I'm at it, if you are in doubt whether you removed all of Kazaa, you could
download and use Kazaa Be Gone which is available at: http://www.spywareinfo.com/~merijn/downloads.html
Note though the warning there expressed. I wouldn't do this until all the
other steps have been taken and your system otherwise appears clean.
Finally, while I'm here, I'd suggest that after your system is clean and stable,
when you have some time, you backup your data and 3rd party programming as needed,
and do a clean install of WinXP.
References:
-- http://support.microsoft.com/?kbid=316941
-- http://www.michaelstevenstech.com/cleanxpinstall.html
-- http://www.webtree.ca/windowsxp/clean_install.htm and the links at its end to Black Viper's guides
-- http://www.winsupersite.com/showcase/windowsxp_sg_clean.asp
On Thursday, October 27, 2005 at 9:50 am, Darko wrote:
>Thanks for your instructions. I’ll post tomorrow what has happened and answer all
>your questions. For now just a few:
>
>Re your point 1) I am quite sure that “style2” is gone but I’ll check it again, of
>course.
>
>Re your point 2) I believe Q50502281.dll is already gone.
>
>Re your point 6) The suspicious file Q3683875.dll cannot be deleted even in Safe
>Mode. I’ll try it again. The problem is that there is always at least one of those
>Q files in WINNT that cannot be deleted.
>
>If I can remember WINNT directory includes folders such cursors, drivers, registration,
>system, system32, temp and so on. I will check the details and post tomorrow. I believe
>all those are important folders and should not be deleted.
>
>Re your point 12) Ad-Aware and Spybot S&D currently do not find any suspicious files
>and I will run them again after I do steps 1-11 first.
>
>Although you did not ask I will try to post tomorrow HijackThis log too. Thanks again.
[Reply or follow-up to this message]
|
re: frozen start menu and icons
Friday, October 28, 2005 at 7:52 am Posted by Darko
(13 messages posted)
A reply to the message left by JCW on Thursday, October 27, 2005 at 8:46 am
1. Did not find “style2” registry key.
2. Did not find Q50502281.dll.
3. Found some unfamiliar files under Program Files: RXToolBar (deleted), PestPatrol
and MSSoap.
4. No suspicious programs found under Control Panel / Add/Remove Programs.
5. Startup has some unfamiliar entries:
- C:\Program Files\Daily Weather Forecast\weather.exe (but the file does not
exist now; it was deleted three days ago),
- C:\WINNT\Alexa.exe
- Incredimail_install [1]
6. Could not delete Q3683875.dll under WINNT. Access denied. Directory WINNT has
1.99 GB and includes folders such as: addins, backup, config, cursors, debug, fonts,
java, media and so on. I do not have a dual boot system. Suspicious files under WINNT
are: Crystal, Minidump, MUI, and Software Distribution.
7. Found line 127.0.0.1 local host and two examples above that line: 102.54.94.97
rhino.acme.com and 38.25.63.10 x.acme.com (Those two lines are above local host line
and are mentioned as examples).
8. Installed Zone Labs firewall.
9. Rebooted into Safe Mode with Networking, icons not frozen, able to go to Internet.
10. Ran MicroTrend on-line virus scan. The scan was very slow. Found one virus but
the connection was gone after 5 minutes of waiting for the results of the scan. I had
to restart the computer in Safe Mode with Networking. I know that the virus in question
was Q3683875.dll because I noticed during the scan that AV reported a virus while
scanning WINNT and files that start with Q.
Ran Panda on-line scan and it found 1 virus (Q3683875.dll) and disinfected it (but
when I went to check under WINNT the file was still there), 6 spyware (all under
WINNT: adsldpbc.dll, netdde.dll, smdat32m.sys, system32\grwinsthlp.exe, system32\prflbmsgp32.dll
and I did not write down the name of the sixth, but I deleted all of them),
18 dialers (Dialer:Dialer.dll in Temp folder – I deleted them all) and 6 suspicious
files. One of those suspicious files is: C:\Program Files\InfoUpdate\iu.exe
(the firewall was letting me know later on that this file was trying to access the internet).
11. Downloaded the tool you recommended, installed it and it worked. Q3683875.dll
was gone when the computer was rebooted automatically (normal mode). I ran Ad-Aware
SE (did not find anything) and Spybot Search & Destroy (did not find anything), Freedom
AV (provided by Telus Internet Provider) and again Panda On-line (which did not find
a virus but found two spyware – which I unfortunately did not write down at 1:30
AM) and some suspicious files. I will run a few on-line virus scans this afternoon
hoping that my problems are gone. The important news is that there are no Q files
under WINNT anymore; they are all gone.
Thanks for all your help. I hope that everything is going to be fine so I do not
have to bother you again. If you have any additional recommendations I’d appreciate
them. Thanks again. You’ve been a great help and without your instructions I would
have to reformat C drive.
Darko
On Thursday, October 27, 2005 at 8:46 am, jcw wrote:
>1) Returning to your paragraph 4 in your prior post, use regedit to see if you still
>have any "style2" registry key at:
> -- HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
> (where HKLM = HKEY_LOCAL_MACHINE)
> -- HKEY_CURRENT_USER\Software\Microsoft
> If you do, delete them. Don't reboot. Remain in safe mode.
>
>1A) If you haven't already done so, delete these registry keys using regedit:
> -- HKEY_CLASSES_ROOT\CLSID\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> -- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
>Objects\{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
> (where HKLM = HKEY_LOCAL_MACHINE)
>
>2) You mentioned looking for all of the files I had listed except: Q50502281.dll
> If you didn't do so before, look for - and if found, delete - that file in the
>following 4 folders:
> --> Windows, Windows\system, Windows\system32, Program Files\Windows NT
> and also in the registry editor (regedit).
> In deleting that file from any of the above 4 folders, bypass the Recycle bin
>by holding down the
>
>keyboard Shift key while performing the deletion.
>
> 3) If I didn't ask you to do this before, review the entire Program Files directory
>for any folders whose
>
>names are unfamiliar or suspicious to you.
> 4) Open under Control Panel the Add or Remove Program applet to see if there are
>listed any programs
>
>that you don't recognize or appear suspicious.
> 5) Type MSCONFIG in the Run box of the Start box and press Enter.
> Click on
>
>its Startup tab, and review the list of things checked that are supposed to start
>automatically when WXP
>
>starts. Anything there look unfamiliar and suspicious to you?
> -- Also look in Task Manager, on the Applications tab and the Processes tab,
>anything there look unfamiliar and suspicious to you?
>
> 6) Try again to delete in safe mode this file (which I assume you uncovered as
>being suspicious) that
>
>you couldn't delete from the WINNT directory before: Q3683875.dll. Successful?
> I'm concerned that your WINNT directory has become a haven for the malicious
>files. You said you
>
>have that directory because you installed XP over W2k (not a good practice, btw).
> How big is that directory
>
>at this point? To the best of your knowledge, is it being used at all? Do you recognize
>everything in it, or
>
>conversely are there things in it that appear suspicious? I'd really like to delete
>the whole folder, and I would
>
>think you wouldn't need or miss it, but . . . . And if it's too big, it will be difficult
>to copy it to removable
>
>media. Let me know the answers to my questions before proceeding with the next steps.
> If you don't want
>
>to wait, then at least first review the contents of the WINNT directory for anything
>that looks suspicious to
>
>you, and delete suspicious items; if really in doubt, you could copy such items to
>a blank diskette first and
>
>then delete them. (Note: if you make such a copy, when you are sure you don't need
>to restore the copied
>
>items, delete them from the diskette and then do a long format of the diskette.)
>
>7) Open your hosts file with this command in the Run box on the Start menu (note
>the space before the
>
>first %): NOTEPAD %SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS
> Hopefully all that you will see there are about 18 lines, each preceded by the
># sign, of introductory
>
>explanatory material from Microsoft, followed by this line:
> 127.0.0.1 local host
> If you find anything else there, let me know, e.g.:
>127.0.0.1 www.website-name.com
>0.0.0.0 www.website-name.com
>
>8) From a past remark, I assume you don't have a 3rd-party firewall. So make
>sure that the firewall
>
>built-in WXP is activated. Also make sure that the Internet Connection Firewall
>(ICF)/Internet Connections
>
>Sharing (ICS) service is started and has its Startup type set for automatic, and
>that the Network Location
>
>Awareness service is started and has its Startup type set for either manual or automatic
>(manual will suffice
>
>for this service, unless the computer is on a local network, which I assume it isn't).
> To access the WinXP services and their properties:
> Control Panel --> Administrative Tools --> Services
>Or you can type: SERVICES.MSC in the Run box on the Start menu and
>
>press Enter.
>
>9) Now reboot into safe mode with networking, and see if your system remains
>unfrozen. If
>
>yes, make sure that what I told you to check in steps 7 & 8 above remain true, and
>if so, then try
>
>connecting to the internet. The following steps assume you are OK at this point,
>but if instead your system
>
>is again frozen, then you'll need to reboot into safe mode with command prompt and
>retrace your previous
>
>steps to get unfrozen, and then reboot into safe mode with networking, and repeat
>the steps above until you
>again are at this point.
>
> 10) Once on the net, go immediately to the Trend Micro on-line AV scanner and
>at least one of the other
>
>on-line AV scanners below, and run scans:
> -- http://housecall.trendmicro.com/
> -- http://www.pandasoftware.com/activescan/com/activescan_principal.htm
> -- http://us.mcafee.com/root/mfs/default.asp
> -- http://www.bitdefender.com/scan/licence.php#
> -- http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> In doing those scans, have them do full system scans (other than removable media
>drives, which should be empty of removable media).
>
> 11) Download this tool: --> http://users.telenet.be/marcvn/tools/win32delfkil.exe
> and save it to your desktop. Disconnect from the net. Double-click (or single
>click - whatever you use
>
>to open or run a file) on the saved executable (win32delfkil.exe) to create a new
>folder (win32delfkil) on your
>
>desktop. Close all windows. Then open the win32delfkil folder and double-click on
>fix.bat. The computer
>
>should reboot automatically when done.
> This is the tool I mentioned to you before about having found on the net.
>
>12) Run Ad-Aware and Spybot S&D again.
> Run your on-board AV program, assuming it has up-to-date definitions.
>
>Let us know how you made out.
re: frozen start menu and icons
Friday, October 28, 2005 at 9:07 am Posted by jcw
(5124 messages posted)
As to your item 5 in your earlier post today:
-- uncheck those 3 items on the startup page of msconfig.
-- then open regedit and go to:
» HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg
» HKLM\Software\Microsoft\Shared Tools\MSConfig\startupfolder
and there delete the sub-keys for the same 3 items.
Close regedit, and those 3 items should be gone from the startup page of msconfig
on the next reboot.
Have you deleted the 2 reg keys I mentioned in step 1A of my post at 8:46 am on October
27, 2005? If hesitant to do so, back up those keys first by exporting them to a
convenient location. (No need to reply.)
I continue to feel that the WINNT directory should be unnecessary for your computer
to work properly and, given this last experience, is a good candidate for deletion,
as I had expressed in a prior post. If you could find a way to back it up, even
piecemeal on CDs, I'd be inclined to do so (unless you do a clean install, as I favor,
as you know). Btw, of the 4 files (folders?) that you listed as questionable
in your WINNT directory (Crystal, Minidump, MUI, and Software Distribution), Minidump
and MUI are OK.
Yes, the MicroTrend on-line AV system scan usually is slow.
No other recommendations except what I said in my post on Thursday, October 27,
2005 at 10:31 am.
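The msconfig clean-up jcw describes above (uncheck the items, then delete their sub-keys under the two MSConfig keys, exporting first if unsure) can be done from a Safe Mode with Command Prompt session with reg.exe, which ships with XP. The script below is an added example written for this thread; it is not jcw's code or anything from the forum. It assumes an administrator account, the three item names are placeholders (PLACEHOLDER_ITEM1 etc.) to be replaced with the sub-key names you see in regedit, and the "command" value it prints is the one XP's msconfig records for an unchecked item.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not from the forum post: back up XP's two MSConfig keys
rem (where msconfig parks items unchecked on its Startup tab), show what each
rem named sub-key pointed at, then delete the sub-keys so the items vanish from
rem msconfig on the next reboot. Replace the PLACEHOLDER_* names (assumed here)
rem with the actual sub-key names seen under startupreg / startupfolder.

set "BASE=HKLM\Software\Microsoft\Shared Tools\MSConfig"
set "BACKUP=%USERPROFILE%\Desktop\msconfig-backup"
if not exist "%BACKUP%" mkdir "%BACKUP%"

rem 1) Export both keys first. XP's reg.exe will not overwrite an existing
rem    file, so remove any old backup before exporting. Double-clicking the
rem    .reg file later restores everything exactly as it was.
for %%K in (startupreg startupfolder) do (
    if exist "%BACKUP%\%%K.reg" del "%BACKUP%\%%K.reg"
    reg export "%BASE%\%%K" "%BACKUP%\%%K.reg"
)

rem 2) For each named item, show the sub-key (its "command" value tells you
rem    which file it launched) and then delete it. A sub-key that does not
rem    exist is reported and skipped instead of stopping the script.
for %%I in ("PLACEHOLDER_ITEM1" "PLACEHOLDER_ITEM2" "PLACEHOLDER_ITEM3") do (
    for %%K in (startupreg startupfolder) do (
        reg query "%BASE%\%%K\%%~I" >nul 2>&1
        if !errorlevel! equ 0 (
            echo.
            echo == %%K\%%~I ==
            reg query "%BASE%\%%K\%%~I"
            reg delete "%BASE%\%%K\%%~I" /f
        ) else (
            echo %%K\%%~I: not present, skipping
        )
    )
)

rem 3) Sanity check: msconfig moves an unchecked item out of the Run keys, so
rem    if a value with the same name is still in Run, something (for instance
rem    malware that is still active) has re-created it and the clean-up is not
rem    finished. Nothing printed here means nothing was found.
echo.
echo == Run entries still present under the same names ==
for %%I in ("PLACEHOLDER_ITEM1" "PLACEHOLDER_ITEM2" "PLACEHOLDER_ITEM3") do (
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "%%~I" 2>nul
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "%%~I" 2>nul
)
endlocal
```

Save it as a .bat file, edit the three placeholder names, and run it from the Safe Mode with Command Prompt window. Keep the item names in double quotes as shown: entries under startupfolder are named after the shortcut's full path with ^ in place of each backslash, and an unquoted ^ would be eaten by cmd.exe as an escape character. The %%~I form strips the quotes again when the name is used.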
re: frozen start menu and icons
Sunday, October 30, 2005 at 4:13 pm Posted by Darko
(13 messages posted)
I just wanted to inform you that I do not have any problems with viruses and spyware
now. Thanks for all your help last week.
On Friday, October 28, 2005 at 9:07 am, jcw wrote:
>As to your item 5 in your earlier post today:
> -- uncheck those 3 items on the startup page of msconfig.
> -- then open regedit and go to:
> » HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg
>» HKLM\Software\Microsoft\Shared Tools\MSConfig\startupfolder
> and there delete the sub-keys for the same 3 items.
> Close regedit, and those 3 items should be gone from the startup page of msconfig
>on the next reboot.
>Have you deleted the 2 reg keys I mentioned in step 1A of my post at 8:46 am on October
>27, 2005? If hesitant to do so, back up those keys first by exporting them to a
>convenient location. (No need to reply.)
> I continue to feel that the WINNT directory should be unnecessary for your computer
>to work properly and, given this last experience, is a good candidate for deletion,
>as I had expressed in a prior post. If you could find a way to back it up, even
>piecemeal on CDs, I'd be inclined to do so (unless you do a clean install, as I favor,
>as you know). Btw, of the 4 files (folders?) that you listed as questionable
>in your WINNT directory (Crystal, Minidump, MUI, and Software Distribution), Minidump
>and MUI are OK.
> Yes, the MicroTrend on-line AV system scan usually is slow.
> No other recommendations except what I said in my post on Thursday, October 27,
>2005 at 10:31 am.