Weird issue with XP

+
0 Votes
Locked

coyboss
I have a Windows XP Pro SP2 machine that has begun to act strange.

All his short cuts on the desktop only open the printer dialogue box, none do what they are supposed to.
When you right click there is no option to open/ or open with, only options are to make short cut, delete,...

When you click start button,
run creates a short cut
Internet Explorer creates short cut
Search only creates short cut
My Computer works right
Control panel works right
My Documents works right.

None of his icons or start menu options will allow you to right click and open or open with.

Could there be some sort of virus or other malware that would cause this type of issue?

Am currently running scan with Norton Enterprise edition for viruses (updated 2/20/09)

Thanks in advance.

IKE
  • +
    0 Votes
    BFilmFan

    Delete the profile for that user and log back into the system.

    Is the issue resolved? If so, mark this answer as helpful so that other people can benefit from the answer.

    +
    0 Votes
    coyboss

    But do I save all his data and settings?

    Or completely delete it all??

    IKE

    +
    0 Votes

    No

    Wizard-09

    You DO NOT delete any data. You create a new profile 1st, like user1; if he works you then copy all the data to the new profile and rename the old profile to .old in case you missed any info. DO NOT delete the profile.

    +
    0 Votes
    coyboss

    I will try these tips and see if it helps.
    Should everything work out I will mark as solved!

    IKE

    +
    0 Votes
    coyboss

    New profile (user account) doesn't fix the issue.

    I still have the same issues with the new account.

    Anything else we can try?

    BTW Norton scan found no infections (at least according to it).

    I can't get on Web to even try an online scanner such as housecall.

    IKE

    +
    0 Votes
    coyboss

    Great ideas there BfilmFan,
    but I have 1 problem, it won't
    let me get on the web, so I can't
    go and download those programs.

    I will try running the rootkit revealer from a flash drive and see what happens.

    Let you know

    +
    0 Votes
    Slayer_

    Open up task manager, if you need to, use Control + Alt + Delete.
    Switch to Applications tab. Click new task. Type "Iexplore.exe".

    +
    0 Votes
    Jacky Howe

    that should indicate as to whether it is infected or not.

    +
    0 Votes
    coyboss

    Ok I did an upgrade from regular XP Pro SP2 to XP Pro SP3 from within Windows and it fixed the issue.

    It appears that something was corrupted in the registry and it caused the links in the profile(s) to not work correctly.

    Hope this can help someone else in the future.

    +
    0 Votes
    Wizard-09

    That when you rename the old profile you need to shut down and restart because some files may be in use and you will be unable to copy them so once you rename the profile clean do the system before trying to copy data.

    +
    0 Votes
    Slayer_

    I am unsure how to fix this however. Probably need to copy it from a machine that is working by reading the registry and remaking the keys manually.

    A reinstall of the system would be easier. (Install Windows over top of the old install, all files will remain, if you make a new user account with the same name as the old one, it will create a new profile folder with a slightly different name, you can just merge them to restore most of your settings. All drivers will remain installed and will be detected automatically when you load Windows for the first time. All applications will need to be reinstalled.)

    +
    0 Votes
    coyboss

    How about if I do an upgrade install from SP2 to SP3?

    I do have a XP Pro SP3 disk, I could just run it from within Windows and try to do that.

    Do you think this might fix it?

    Thanks in advance.
    IKE

    +
    0 Votes
    Slayer_

    But isn't that just the same as installing SP3?

    It's iffy as I have never tried that as a solution before.

    +
    0 Votes
    coyboss

    This is a FULL install CD with SP3 on it instead of SP2, so I would think Windows will see it as an upgrade and do the upgrade steps and hopefully fix the issues.

    Correct?

    +
    0 Votes
    willcomp

    I think sinisterslay may be correct about links.

    See #12 on this web page: http://www.kellys-korner-xp.com/xp_tweaks.htm

    +
    0 Votes
    coyboss

    After running Rootkit Revealer I ended up with about 58 registry entries that had the following issue:
    "Data Mismatch between Windows API and Raw Hive Data"

    I am thinking that this means Windows is corrupted, and I will need to re-install Windows.

    Let me know if I am wrong.

    IKE

    +
    0 Votes
    Dumphrey

    but it could be a sign of system corruption. Dig around on google about the particular entries.

    Have you run any registry cleaners lately?

    +
    0 Votes
    Jacky Howe

    Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers.

    Removing malware from System Restore points
    To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore. The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

    Default Start Menu XP
    If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

    Classic Start Menu XP
    If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

    Vista
    Start, right mouse click Computer and select Properties. Select Advanced System Properties, click continue and then System Protection. Untick the box next to Local Disk C: and click on Turn System Restore off.


    After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

    Click Start, Run type msconfig and press Enter.

    Now if you have the Configuration Utility open.
    Configure selective startup options
    In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
    Click to clear the Process SYSTEM.INI File check box.
    Click to clear the Process WIN.INI File check box.
    Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
    Click the Services tab.
    Click to select the Hide All Microsoft Services check box.
    Click Disable All, and then click OK.
    When you are prompted, save the settings and restart the PC.
    When the System is disinfected re-run the Configuration Utility and in the System Configuration Utility dialog box, click the General tab, and then click Normal Startup.

    Download Malwarebytes Anti-Malware, install it and update it.

    Click this link: malwarebytes (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    I would keep scanning with it until it is clean by closing out and rebooting and running it again.

    Just to be on the safe side when you finish do an online scan with Bitdefender. Or Google for an online scanner.

    Click this link: bitdefender (http://www.bitdefender.com/scan8/ie.html)

    If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM.

    From another PC download and install Spybot, update it and copy the installed folders to a USB stick.

    Restart the PC in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

    With the new strains of virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.

    Also run this Rootkit Revealer GMer

    Click this: gmer (http://www.gmer.net/index.php)

    FAQ

    Click this: link (http://www.gmer.net/faq.php)

    BleepingComputer
    Click this: bleepingcomputer (http://www.bleepingcomputer.com/malware-removal/)

    How to check the Host file

    Step 1: Click the Start button and select Run. Now type the following text in that Run box and press Enter:

    notepad c:\WINDOWS\system32\drivers\etc\hosts

    Step 2: You will see a new notepad window on your screen containing some information. You should have a single entry of 127.0.0.1 localhost. If there are any other entries in there it means that those sites are being blocked and it is probably due to an infection.

    If it is the DNS changer fixwareout will remove this.

    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    The DNSChanger trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different webservers. And some of the resolved names will not point to legitimate websites - they will point to fake websites that look like real ones, but are created to steal sensitive information (like credit card numbers, logins and passwords).

    VARIANT: Trojan.Win32.DNSChanger.al

    Update your Antivirus software.

    Keep us informed as to your progress if you require further assistance.

    If you think that any of the posts that have been made by all TR Members, have solved or contributed to solving the problem, please Mark them as Helpful so that others may benefit from the outcome.
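
The hosts-file check described in the post above can be scripted; this is an added example, not part of any post in the thread. It flags every mapping other than the expected localhost line and separates names sink-holed to the local machine ("blocked") from names pointed at another address ("redirected"). The sample file content, the `.example` host names and the function names are constructed for illustration; treating `::1 localhost` as expected is an assumption for Windows versions later than XP.

```python
import ipaddress
import sys

# Mappings considered normal. The post expects a single "127.0.0.1 localhost";
# "::1 localhost" is an added assumption for later Windows versions.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "127.0.0.1       update.av-vendor.example   # constructed entry",
    "203.0.113.7     bank.example www.bank.example",
    "0.0.0.0         scanner.example",
])


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or a lone token with no mapping
        ip, names = fields[0], fields[1:]
        for name in names:  # one line may map several names to one address
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return (line_no, hostname, ip, verdict) for every unexpected mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "invalid address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            verdict = "blocked"      # name resolves to the local machine
        else:
            verdict = "redirected"   # name resolves to a different server
        findings.append((line_no, name, ip, verdict))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file (for example a copy of
    # c:\WINDOWS\system32\drivers\etc\hosts); otherwise audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    for line_no, name, ip, verdict in audit_hosts(content):
        print(f"line {line_no}: {name} -> {ip} ({verdict})")
```
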
