Several things don't work in XP - strange

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by asmodee, Sep 18, 2007.

  1. asmodee

    asmodee Private E-2

    First of all, I am a computer technician and I remove malware and spyware for a living. I have been doing it professionally for more than 6 years and I am very good at it. If I can't fix it without wiping it down, nobody in my area can, so please know that I need a real expert here, not simple fixes. I have been Googling this for 2 days now.

    My problems are 3 fold. First, the Display tab is missing from the Display Properties window.

    Next, when I click on Start and All Programs, nothing happens, but ONLY if I have it set to "Start Menu". It works fine with "Classic Start Menu".

    Finally, when I click on Start and Run, it tells me that it cannot create a shortcut here and asks if I want to create one on the desktop. If I say yes it creates a shortcut to &Run on the desktop, which also does not work. Once again, this is ONLY if I have it set to "Start Menu" and again it works fine with "Classic Start Menu".

    The computer did have a minimal amount of spyware, a WhenU search bar, mostly. A few other things, but nothing I noted as being particularly alarming. I know the computer did have registry permissions issues, which is common with some spyware and which I fixed. I know this because before the fix, at every boot, I would have to unblock the Kodak software in the Windows firewall. After the fix I had to unblock it 1 time and it has not come up again. I have also run a registry patch I made myself to remove any permissions settings which has always worked before. DialAFix says it detected no policy settings. I have also used regsvr32 to unregister and re-register several DLL files, a patch usually reserved for fixing Logo Testing errors. I have also run sfc /scannow.

    I am at my wit's end here. My only thought is that there must be system files missing or corrupted, but SFC found none. Any suggestions at all? I really don't want to wipe it down if I don't have to. It makes me feel as if I've lost against the spyware, which hasn't happened in a LONG time!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am going to move this thread to the malware section and ask you to do the following:

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. asmodee

    asmodee Private E-2

    Thanks for your quick response, Tim. Unfortunately, it really doesn't help me much. I have already checked for spyware (AdAware, Spybot, Windows Defender) and viruses (AVG Antivirus). I have also dumped all the temp files, temporary internet files and prefetch directories manually and gone through HijackThis about a dozen times. I have repaired the registry permissions and removed all the policy restrictions (whether they were there or not). I have also gone through C:, Program Files, Windows, System and System32 with a fine-tooth comb, listing files by date of creation and checking the publisher for all the recent files (this mostly in Windows and System32). I have also run 3 rootkit detectors (RKDetector 0.62, BlackLight and IceSword 1.22). I have gone over every running file to see where it is running from to make sure nobody snuck in svchost.exe running from the Windows directory instead of System32 or something along those lines. If this system is not clean there is some new stealth thing out there that I haven't seen. I usually remove spyware files by hand before running the spyware removal tools just to make sure that I stay up on what they are doing. Whether it's a Windows error or a left over registry hack from spyware, the only thing left are the issues I mentioned.

    I have attached the logs from the 2 batch files mentioned in the link in your post. I look forward to tearing those files apart when I get time, hopefully some time in the next couple of weeks, to see what I can learn from them :)

    Thank you again. I do appreciate the help. Please don't read the above comments as me being 'snippy'. I sometimes seem to come off that way in typed responses (I tend to forget that the 'tone' in my head does not translate well to text), but I promise you that I am nothing but grateful for your help. If you insist, I will try to run all of those steps, but doing this for a living I really do not have that kind of time to have a single computer taking up my limited bench space. If I had to guess, I would say this is a registry issue and was really hoping to get a list of keys to check, though I still have to check the desktop.ini in several folders. Thanks again.
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm not seeing anything in the two logs....(though Windows Defender ought to go!).

    Have you tried this:
    Boot your system with the Windows XP Install CD, let the system boot into the Setup. Once in the Setup, choose to run the Recovery Console.

    You will now be presented with a screen similar to good old DOS.

    First, we will recover the System Hive.

    Now, type in the following commands with pressing Enter after each line.

    md tmp
    copy C:\windows\system32\config\system C:\windows\tmp\system.bak
    delete C:\windows\system32\config\system
    copy C:\windows\repair\system C:\windows\system32\config\system

    Be very careful when you are typing in these commands: one wrong move and you have broken Windows XP.

    Also, change the C in the commands to whatever your Windows XP drive letter is.

    Attempt to boot the system, if it doesn't boot, get back into the Recovery Console and do the following commands.

    md tmp
    copy C:\windows\system32\config\software C:\windows\tmp\software.bak
    delete C:\windows\system32\config\software
    copy C:\windows\repair\software C:\windows\system32\config\software
     
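A check worth running before the `delete` step in the procedure above: the hive you are about to copy in from C:\windows\repair is only useful if it is a real, intact primary hive, and the live hive you are about to discard tells you something if its sequence numbers disagree (a write was in flight and the .LOG was never replayed). The script below is an added example and not part of TimW's post or any MajorGeeks tool; it assumes the publicly documented regf base-block layout (signature at 0x00, primary/secondary sequence numbers at 0x04/0x08, version and file type from 0x14, hive-bins size at 0x28, XOR checksum over the first 0x1FC bytes stored at 0x1FC), and the sample hive it builds is constructed in code for offline demonstration, not read from a real system.

```python
"""Sanity-check a Windows registry hive (regf) base block before swapping it in."""
import struct
from dataclasses import dataclass

BASE_BLOCK_SIZE = 0x1000   # the regf base block occupies the first 4 KiB of the hive
CHECKSUM_OFFSET = 0x1FC    # XOR checksum covers the 127 dwords from 0x000 to 0x1FB
FILE_TYPE_PRIMARY = 0      # 0 = primary hive file, 1 = transaction log (.LOG)


@dataclass
class HiveHeader:
    primary_seq: int
    secondary_seq: int
    major: int
    minor: int
    file_type: int
    hbins_size: int
    stored_checksum: int
    computed_checksum: int


def regf_checksum(block: bytes) -> int:
    """XOR of the header dwords, with the two reserved results remapped as Windows does."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if acc == 0:
        return 1
    return acc


def parse_hive_header(block: bytes) -> HiveHeader:
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than a regf base block (%d bytes)" % BASE_BLOCK_SIZE)
    if block[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    primary_seq, secondary_seq = struct.unpack_from("<II", block, 0x04)
    major, minor, file_type = struct.unpack_from("<III", block, 0x14)
    (hbins_size,) = struct.unpack_from("<I", block, 0x28)
    (stored,) = struct.unpack_from("<I", block, CHECKSUM_OFFSET)
    return HiveHeader(primary_seq, secondary_seq, major, minor, file_type,
                      hbins_size, stored, regf_checksum(block))


def assess_hive(block: bytes) -> list:
    """Return the reasons NOT to copy this hive over a live one (empty list = looks sane)."""
    hdr = parse_hive_header(block)
    problems = []
    if hdr.stored_checksum != hdr.computed_checksum:
        problems.append("checksum-mismatch")   # header bytes damaged or truncated copy
    if hdr.primary_seq != hdr.secondary_seq:
        problems.append("dirty-hive")          # write in flight; .LOG never applied
    if hdr.file_type != FILE_TYPE_PRIMARY:
        problems.append("not-primary")         # this is a .LOG, not the hive itself
    if hdr.hbins_size == 0:
        problems.append("empty-hive")
    return problems


def check_hive_file(path: str) -> list:
    """Read only the base block from disk; the rest of the hive is not needed for this check."""
    with open(path, "rb") as fh:
        return assess_hive(fh.read(BASE_BLOCK_SIZE))


def build_sample_hive(primary_seq=5, secondary_seq=5, corrupt=False) -> bytes:
    """Constructed minimal base block for offline demonstration; not a real hive."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[0:4] = b"regf"
    struct.pack_into("<II", blk, 0x04, primary_seq, secondary_seq)
    struct.pack_into("<IIII", blk, 0x14, 1, 3, FILE_TYPE_PRIMARY, 1)  # major, minor, type, format
    struct.pack_into("<II", blk, 0x24, 0x20, 0x1000)  # root cell offset, hive-bins data size
    name = "SYSTEM".encode("utf-16-le")
    blk[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", blk, CHECKSUM_OFFSET, regf_checksum(bytes(blk)))
    if corrupt:
        blk[0x30] ^= 0xFF   # damage a header byte after the checksum was written
    return bytes(blk)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_hive_file(path) or "OK")
```

Run it from a second machine or a PE boot against both `repair\system` and `system32\config\system` (and the `software` pair) before deleting anything; a clean result on the repair copy still means you are rolling back to the hive as it was when Setup (or the last backup that refreshed the repair directory) wrote it, so installed software such as the ProE mentioned later in this thread may need reinstalling afterwards.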
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Secondly, check this:

     
  6. asmodee

    asmodee Private E-2

    Well Tim, it is obvious that you are truly a god among men when it comes to computers. This did not work for me, however, and I am out of time. People get twitchy when they can't get to Yahoo Games. I did a lot of work last night with Filemon and Regmon to try to track it down, but I think that would take me at least another day. I am not THAT familiar with the intricacies of the registry and a lot of what was coming up was from CLSIDs, which I have NO knowledge of at all. I am going to have to do a repair install and hope it doesn't break any software they need and can't get back. It makes me nervous since I saw that ProE is installed on this computer. That is a VERY expensive engineering software similar to AutoCAD, but supposedly with more kick or something. Not sure. I've used AutoCAD at previous employment (to draw electrical schematics. Can you tell the company was owned by a mechanical engineer?), but not ProE.

    I have done one last scan with Filemon and Regmon and attached the logs to this reply just because you strike me as the kind of guy who might want to see them. I started them, waited to make sure nothing unrelated popped up, then clicked the Start button. Being careful to make sure I did not 'mouse over' anything, I noted where they both stopped. Filemon ended the click on the Start button with line 14, Regmon with line 332. I then moved the mouse directly to Run and clicked as quickly as I could. The 'Create Shortcut' dialog popped up immediately and I stopped the recording as quickly as I could on both. I ran them simultaneously so that you could match the time line, but keep in mind that means that I did not get them both stopped immediately afterwards, so there is probably some extra stuff on the end from the mouse cursor passing over various area. I am now going to start the repair install, which I am quite sure will fix this problem. If it does not, I will let you know that I had to wipe it down.

    Thanks for trying, Tim. I hope some of the info I provided you may some day help someone. If it was my own system instead of someone else's we would keep at this. I love a challenge and I love to learn. That's why I'm in this business. Unfortunately, my customers just don't seem to understand geek honor very well. Thanks again, Tim. You've been awesome.
     
