Repeated Desktop.ini pop-up on start-up


#1 croder (New Member, 3 posts)
Hi, folks. Am running XP Home, SP2 fully updated, with an admin account for offline and a restricted account for online. Keep getting a Notepad document pop-up on start-up for the Restricted account, showing I have a Desktop.ini problem tied to Article ID # 330132 at: http://support.micro...spx?scid=330132 (in which I get this message):

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-2197

Followed both versions of suggested resolutions for deleting the Desktop.ini file, and got nowhere. The Desktop.ini file containing -2197 did show up in a few of the files, AND on the start menu---and so I killed them (or so I thought). But the document still pops up every time I log in to the Restricted account, but *NOT* the admin account.

The weird part here is, I went through three tries at removal and then decided to just remove the Restricted account altogether, through the Control Panel. That part went fine. Then I created a new Restricted account (same name as before)---and it came back with every single one of my original settings for that original account. (That part seriously spooked me: I thought gone was gone.)

Any ideas here? Am I dealing with a rootkit down beneath the OS? If so, will I need a special tool for TRULY wiping the drive, for a totally fresh install? Or---can this be solved with less drastic means than a reinstall? I do have a copy of Rootkit Revealer but discovered it makes even less sense to me than a HijackThis log.
#2 EMCguy (Member, 729 posts)
Hi, croder, Welcome to Geeks to go. I'm fairly sure we can help you.

I suspect you have malware/worms/viruses/yuk!! There is definitely malware out there that produces your symptoms.

Go to this page at GTG http://www.geekstogo...?showtopic=2852

There we give you instructions for downloading and running Lavasoft Adaware, CWShredder, and Spybot.

Do those scans. Sometimes with Adaware and Spybot, the removal process may require that you scan and reboot with those several times before they come up clean. Believe it or not, I have heard of cases where people have had to run Adaware seven times before the scan finally came up clean. Sometimes you also need to run the scans in safe mode for them to be effective.

We also ask you to run a trojan scan and an online virus scan. Let those programs fix everything they find. And if you don't have a permanent antivirus running, install AVG as we recommend there.

If you are still having problems or the scans continue to show infections, then you need to download and run HijackThis. Don't fix anything with it yet; most of the stuff it shows is good. Save the log from the scan and post it as a new topic in our HJT forum here http://www.geekstogo...o-Here-f37.html. Describe the symptoms you're having, and tell them you've already done Adaware and Spybot.


Best Regards,

EMCguy
#3 dsenette (Administrator, MVP, 26,019 posts)

The weird part here is, I went through three tries at removal and then decided to just remove the Restricted account altogether, through the Control Panel. That part went fine. Then I created a new Restricted account (same name as before)---and it came back with every single one of my original settings for that original account. (That part seriously spooked me: I thought gone was gone.)


follow emcguy's instructions for the malware...but...just for your knowledge...XP always assumes that you just made a mistake...no matter how intentional your action...so it keeps the association to the SID of that user...just in case you accidentally deleted the user...so when you create a user with the same name....it's basically the same user
#4 croder (Topic Starter, New Member, 3 posts)
Thanks for your comments.

I've used AVG paid version for more than a year and do daily updates/scans. Spybot S&D was on my system but this evidently wiped it out. I reinstalled, updated, scanned, and nothing found---but that was on the admin side, because Restricted User won't let me download SS&D. I also got clear scans in admin for CoolWebShredder, and clean A/V scans at TrendMicro and Symantec, as well as Microsoft Malicious Software Tool. (Thought I'd mention that last one for the amusement factor.)

Whatever this is, it's also killed my access to Internet Explorer 6 for the admin account. Got that one back, but now can't access it on the Restricted side. This rogue Notepad document has reinstalled itself in the Accessories folder, as well as every time I reboot to the Restricted account, even after going through every folder I have in All Users, opening and studying each Desktop.ini file.

Will proceed to the HijackThis program, but I have a related question to dsenette, who said,

just for your knowledge...XP always assumes that you just made a mistake...no matter how intentional your action...so it keeps the association to the SID of that user...just in case you accidentally deleted the user...so when you create a user with the same name....it's basically the same user


Is there an easy way for me to identify which SID is in place for that user, and remove it? Thanks.

Also, to anyone: does HijackThis specifically examine the Favorites folder? This was the one Notepad document I'm now worried about reinstalling, if this mess does lead to a full disk wipe using DoD standards before reinstalling off the Win-XP CD.

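The folder-by-folder Desktop.ini inspection described above, automated as a read-only report. This is an added example, not code from the thread or from any tool it mentions; the profile tree it builds is constructed sample data, and the only thing it flags is the resource name quoted in post #1 and the Startup-folder location.

```python
# Added example (not from the thread): list every Desktop.ini below a folder and
# what its [.ShellClassInfo] section points at. It only reports, never deletes.
import configparser
import os
import tempfile

KB330132_VALUE = "@%SystemRoot%\\system32\\shell32.dll,-2197"  # value quoted in post #1

def read_shell_class_info(path):
    """Return the [.ShellClassInfo] section as a dict with lowercase keys ({} if absent)."""
    with open(path, "rb") as f:
        raw = f.read()
    # Explorer writes Desktop.ini as UTF-16 with a BOM; hand-made or older files are ANSI.
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("latin-1")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp[".ShellClassInfo"]) if cp.has_section(".ShellClassInfo") else {}

def scan_tree(root):
    """Return [(path, section, sorted flags)] for each Desktop.ini below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            info = read_shell_class_info(path)
            flags = []
            if info.get("localizedresourcename", "").lower() == KB330132_VALUE.lower():
                flags.append("kb330132-resource-name")
            # A Desktop.ini inside a Startup folder is the one Windows opens in Notepad at logon.
            if os.path.basename(dirpath).lower() == "startup":
                flags.append("in-startup-folder")
            findings.append((path, info, sorted(flags)))
    return findings

def build_sample_tree():  # constructed sample profile tree (not real data); returns its root
    root = tempfile.mkdtemp(prefix="desktopini_demo_")
    startup = os.path.join(root, "Start Menu", "Programs", "Startup")
    docs = os.path.join(root, "My Documents")
    os.makedirs(startup)
    os.makedirs(docs)
    with open(os.path.join(startup, "Desktop.ini"), "wb") as f:   # UTF-16 + BOM, as Explorer writes it
        f.write(("[.ShellClassInfo]\r\nLocalizedResourceName=%s\r\n" % KB330132_VALUE).encode("utf-16"))
    with open(os.path.join(docs, "desktop.ini"), "wb") as f:      # ordinary ANSI icon-only file
        f.write(b"[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\r\n")
    return root
```

Point scan_tree at a real profile root (for example the All Users folder) and print each tuple; a hit carrying both flags is the KB 330132 situation, while a file with no flags is an ordinary folder-customisation entry.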
#5 EMCguy (Member, 729 posts)
Hi croder

HijackThis focuses on how programs start up in Windows. In order for malware to do its dastardly deeds, it needs to start up somewhere somehow. If the malware is starting up somehow from the Favorites, then HJT would likely pick it up.

But standard practice in our malware forums is to use a number of other tools that supplement HJT, like panda active scan, which does a fine job of finding malware in the favorites. Once it is found, the malware staff can then help you remove it.

Formatting and reinstalling is a last-ditch effort that often doesn't work. Try the malware forum first.

Sometimes malware removal on multiple-user computers can be problematic. Be sure you tell your helper there that you have two users, and tell them where you are doing the scans from.

Good Luck & best regards

EMCguy
#6 croder (Topic Starter, New Member, 3 posts)
I do not intend to allow Microsoft's version of a disk wipe before reinstalling, and that's what this is beginning to look like I'll need. I'll be doing a DoD wipe of 35 overwrites, and THEN the CD reinstall.

Not having IE6 prevents me from access to several of the sites your forum says I need wares from. In any event, in Panda's case they market by doing a free scan which only removes a few of the problems and then want you to buy their **** to clean the rest. That's just plain shabby. The A/V from Ewido has been recently recommended to me, but the forum page strongly states I should not have two A/V at the same time. I paid for AVG. Am I to uninstall AVG to run Ewido, or is this like TrendMicro and Symantec's free scans from outside?

Sorry I'm sounding so grumpy here, but this is beginning to really grind at me. So much of this conflicts with my existing software, or is inaccessible to me, that I can't see how your malware folks will even talk to me unless and until I've gone through all the steps.
#7 makai (Portlock - Oahu; Member, 2,793 posts)
You needn't uninstall AVG to use Ewido. Ewido isn't so much an antivirus application so there will be no conflicts... at least I haven't had any on all three of my machines, and my work machines.

Somehow you must be able to get the required software and run them before posting to the Malware forum. If you don't, then the reply you get there will be for you to go and get the software first and then return after you've run through them. If you have to, download and transfer the required software by flash drive, floppy, zip or whatevers so you can run them on your machine. You don't have to run everything, just make an honest attempt. The malware people will more than gladly assist you if it turns out you absolutely cannot do this on your own.

Try to be patient. I know how it is when something is jacked! We'll do whatever it takes to help you.
#8 EMCguy (Member, 729 posts)

Not having IE6 prevents me from access to several of the sites your forum says I need wares from.

If you can't do those scans, then just post your HJT log to the malware forum and tell them you can't do those other scans. They run across that all the time.

In any event, in Panda's case they market by doing a free scan which only removes a few of the problems and then want you to buy their **** to clean the rest. That's just plain shabby.


Au contraire. Their scan is really cool, and it eliminates viruses and worms for free. The adware and spyware it will not remove for free, but they tell you where all the bad guys are, and our malware folks can help you remove it manually. The coolest thing about Panda is that they track the infections that they find, and publish a weekly report on the top infections.

The A/V from Ewido has been recently recommended to me, but the forum page strongly states I should not have two A/V at the same time. I paid for AVG. Am I to uninstall AVG to run Ewido, or is this like TrendMicro and Symantec's free scans from outside?


No, you do not have to uninstall AVG. Ewido is really an adware/spyware type scanner and doesn't conflict with resident AVs to my knowledge.

Sorry I'm sounding so grumpy here, but this is beginning to really grind at me. So much of this conflicts with my existing software, or is unaccessible to me, that I can't see how your malware folks will even talk to me unless and until I've gone through all the steps.


Malware makes everyone grumpy. The main reason we ask people to do those scans is because some infections are simple enough that the automated tools are all we need. If you're badly broke, you can't do them. If you can do HJT, that's all they need to get you started.

Talk to the malware folks. They've seen it many times before.

Good Luck & best regards

EMCguy
#9 dsenette (Administrator, MVP, 26,019 posts)
the malware forum is your best bet right now....they can remove a vast majority of the malware that you need removed....and if they can't get it all...they can get enough for you to be able to run the programs necessary to remove them...

also...a lot of the authors of the tools that they will have you use....spend a lot of time here....so they will know the manual removal instructions for any of the funky stuff....so don't worry about not being able to dl certain things....just be detailed in your post...they will help you out..