Unable to right click icons

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
So a bit of backstory. I normally run a very tight ship, virus and *ware free. However, today I come home from work to find my brother in law has used my computer. How do I know? Because he was staying there and Google was left open, search topic was something like: Halo 2 cracks...... you can see where this is going. After HiJackThis, Ad-aware, AVG, Housecall, ActiveScan, Spy-bot and hours of checking settings I am getting closer to my good old system... only a few things left.

The most annoying of which is that I can not rt. click on any icons on the desktop or in explorer. I can however rt. click on web sites, task bars, start menu icons, etc. And that is really stumping me. I must say though that part of my pure ownage today involved what I think was theme abuse or some such because not only was my desktop hijacked (and replaced with an empty one.... oh wait, that's still empty too), but the sounds were turned on... but I have no idea. Yeah, I forgot, I'm missing all my desktop icons.... except the 4 main ones. However, when I go to docs&settings etc. there they are, all 473 of my much beloved desktop icons. However, I can't rt. click on them.

I'll add as well that I tried gpedit.msc and I start getting a little unsure what I am doing when I get that deep, but it seemed like nothing was set. All the things were set as "not configured." Now I believe that's how it's supposed to be unless you want to specify a certain set up. But I didn't see anything around there that would be for disabling rt. mousing...

Oh, and I discovered that rt. mouse dragging an icon will pop up the correct options for move/copy/etc., but not just a rt. click. And also selecting an icon and hitting my keyboard's context menu also does nil.

Help. Me. Please?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
1) get free 30-day trial of Kaspersky Antivirus Personal 5 from http://www.kaspersky.com/trials

2) download the updates_x folder from Kaspersky's FTP site (this is the SuperSecure database, not generally recommended for daily use)

3) disconnect your network cable (or power down your wireless access point) and uninstall AVG

4) take a snack break :) hey, ya only live once... :D

5) install Kaspersky

6) on the Settings tab, set the real-time and on-demand scanners both to Maximum

7) on the Settings tab, click "Configure Updater" and set it to update from a local folder (the updates_x folder you downloaded), like shown here

8) now right-click the Kaspersky tray icon and have it actually do the update

9) Disable the Windows System Restore feature

10) reboot into Safe Mode (sounds like you know how to do this)

11) run an exhaustive scan using Kaspersky.



Reason I go into all of that is because there are some viruses that do disable your right-click capabilities (among other things) and I don't recall offhand which ones, it was a couple months ago that I read about one last :confused: Welcome to the Forums and I hope that's some help :)

It might also be good to grab the Microsoft AntiSpyware beta software, and to password-protect your own account on Windows and create a Limited account called "Visitors" that is not password-protected. A Limited account is a very strong boost to your other security measures, because it cannot alter the contents of the Windows directory, write to the important parts of the Registry, or install software (including spyware/adware). It puts exploits at a severe disadvantage.
 

daniel49

Diamond Member
Jan 8, 2005
4,814
0
71
wonders what would have happened if you just rewound the system to b.b.l. (before brother inlaw)?

also that is really annoying is he 12 or something?
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
No system restore action on that computer. All that has ever done for me is lag the thing and back up any viruses I may have. Anyway, he's not 12, but not that techy either, he should know better though....grrr.

Also, by owned, I mean I went from 0 to well over 100 hits with spy-bot, 60 with housecall, another 10+ with AVG etc.

I'm doing as suggested and running the Kaspareiadnksdfnsky virus scanner thingie in safe mode, offline. I think that's going to take a fortnight. It's sitting comfortably at 0% right now, but claimed to have found (but not yet repaired) a few things. So maybe there is some hope? I'm holding out until 1% for my sake of mind, then going to bed. Maybe it will be over 10% when I wake up....
 

Raincity

Diamond Member
Feb 17, 2000
4,477
12
81
The first scan with Kaspersky takes a while. While the first scan takes place Kaspersky tags all your files with an ADS string that is used to speed up future scans.
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
It finished the scan and there are 3 files that it says are infected but cannot delete. Nor can I manually delete them from safe mode/command prompt only. In spite of -r-a-s-h.

They are:
draw32.dll
vtd_16.exe
vdnt32.dll

all of them are in the /system32 folder.
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
Let me add as well that scanning the system32 directory after a restart (again in safe mode) with three scanners results in nothing. I think I may be clean now, but the damage is still there, I still can't get any context windows to show up on icons in explorer. My brother-inlaw feels so bad that I told him I fixed it already.... only now he's coming over today so I really hope I can get it fixed. Did I miss something in the gpedit.msc? It seems like it's something that would be there....
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Cooliwhip
It finished the scan and there are 3 files that it says are infected but cannot delete. Nor can I manually delete them from safe mode/command prompt only. In spite of -r-a-s-h.

They are:
draw32.dll
vtd_16.exe
vdnt32.dll

all of them are in the /system32 folder.
Interesting. Could you run HijackThis from here and post the log output in this thread? Also, it would be interesting to look at the Security, Permissions and Ownership of those files (disable Simple File Sharing in Control Panel > Folder Options to get at the NTFS goodies). I'm talking about like in this picture for example of resetting Ownership.

My thought is that either those files maybe have been registered as Services, or they have been specially set up on their security/permissions/ownership to deny you access.

HijackThis also has a Misc. tools > Delete a file on reboot function that makes Windows do the dirty work, that could be worth a shot too :)

 

compusaguy

Member
Mar 6, 2005
109
0
0
damn dude, your computer should be able to survive any web pages without being affected like this. Backup, reformat, and reinstall.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Cooliwhip
Let me add as well that scanning the system32 directory after a restart (again in safe mode) with three scanners results in nothing. I think I may be clean now, but the damage is still there, I still can't get any context windows to show up on icons in explorer. My brother-inlaw feels so bad that I told him I fixed it already.... only now he's coming over today so I really hope I can get it fixed. Did I miss something in the gpedit.msc? It seems like it's something that would be there....
It's probably a Registry setting (heck, you could try Control Panel > Mouse and see if you can reset the mouse to default behavior there). One other option is to run Windows Setup from CD, bypass the initial "Repair" option in favor of "Install," then let it examine your hard drive. It'll ask where to install Windows to, you aim it at the C: partition, and it spots the C:\WINDOWS directory and asks if you want that repaired? and you have it Repair.

Result: Windows gets reinstalled, your data and programs are still there, but you do need to reinstall all your Windows patches. Completion time, probably an hour to do the Repair-install and another hour to get it all topped off with your patches and stuff.

 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
I'll try a few of those things, the ownership and the hijack this bit, I've run hijack this on a scan while doing this and it looks pretty dang clean to me. I can still do that if you want. Anyway, while that goes on let me report as well that I did some more snooping around in the gpedit.msc, and did find a few things that describe EXACTLY what is wrong.... only they weren't set. I disabled the option, and it still doesn't work, but it makes me wonder if there is any way to override or set those options somewhere else? Here's a copy paste example found in:
User Configuration -> Administrative Templates -> Windows components -> Windows Explorer
Remove Windows Explorer's default context menus:

Removes shortcut menus from the desktop and Windows Explorer. Shortcut menus appear when you right-click an item.

If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in Windows Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus.

Doesn't that sound familiar? So I disabled it (disabled the removal then..right?) and no love, and how about this one:
User Configuration -> Administrative Templates -> Desktop
Hide and disable all items on the desktop:
Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, My Computer, and My Network Places.

Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent.


Again, rather familiar. Anyway, let me try the other recommended options....
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
You will love this. rt. click is disabled, so I select draw32.dll and go to file then properties.... nothing. Try a few more things. Nice, properties is disabled..... grrrr

I'm going to try to have hijack kill on restart and failing that a registry dive.
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
More info:
hijack this wasn't able to delete vtd_16.exe on restart that I can see (It's still there). I do notice however that it is now listed from safemode run of hijack this as a run on startup, killing that removes it from the list....but not from the system. And it shows up again after a restart.

So I tried to de-check it, then told it to delete after restart, and there it is, right in the system32 directory again.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
My interest in the HijackThis log was to see the Services list, see if there's any bogus ones in there. It does sound like you pretty much vaporized the malware, like you said. HJT also has that file-remover option if you wanted to try to get those last three files off of the system as a formality.

BTW if you'll be using the Kaspersky trialware for a while, you'll want to set the Configure Updater panel to update from Internet w/extended databases, so it's not still looking at your local updates_x folder for updates as the days go by.

Some of the Bropia worms (which spread via MSN Messenger) disable the right-click capability, as it turns out. Maybe your BIL got Messenger going and got an IM from an infected contact. Symantec has a Bropia-removal tool here that says it reverses the registry entries made by Bropia, so you might run that real quick if the mouse issue remains.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
BTW, you can use the keyboard shortcut ALT Enter to open the Properties panel of something after you select it, if that helps.
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
And now for the good news: draw.dll and vtd_16.exe are now gone and not listed in the hijackthis startup list. Apparently having it kill vtd_16.exe on restart doesn't work, but dechecking it, cleaning it, deleting it and then having it kill draw.dll on restart appears to have worked. Now for damage repair.

So I'm running the software now, there HAS to be some registry garbage left in there somewhere, because ALT-Enter doesn't work either... no properties for me. No rt. click, and on the original user profile I have, no desktop (although files are still there if I browse through to the desktop). All that is probably some sort of registry damage. I hope that Symantec thing works! Otherwise I'll just have to start diving I guess.... I'm just really averse to installing, reinstalling, installing over etc because I usually cause as many problems as I fix that way. And besides, I'm stubborn, and that makes me think the virus won....
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
And besides, I'm stubborn, and that makes me think the virus won
I know what you mean. But "Mutual Assured Destruction" is next-best :evil:
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Here's a virus description that fits your three stubborn files: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.c.html

It does register stuff as services. You might go in and look for the Registry entries detailed there.

Also note how it "Opens TCP port 16661 and various random ports." As a damage-containment measure against threats that do this type of thing (very common nowadays), consider locking down your router so it forbids TCP and UDP traffic on all ports that you don't actually NEED open, both inbound and outbound. Ports I can think of that you'd want left open:

20 and 21 for FTP
25 for SMTP email if you use it
53 for DNS
80 for standard Web
110 for POP3 email if you use it
443 for secure Web (HTTPS)
possibly 3389 if you use Remote Desktop Connection for anything

and then add any ports that your games might use. Blocking all the rest, on out to 65535, will keep a lot of the Backdoor-type stuff from doing its dirty work, and your router can't be subverted, unlike Windows.
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
Ok, the problem here is that maybe the other virus removal systems were TOO good. Because Symantec couldn't FIND that virus with the scanner you suggested I get, it didn't do the registry stuff either.... and so I have no fix there. I'll check the things you suggested in the registry, but none of that looks like it affects mouse use, desktop, properties, etc. So that may have come from some other source or virus. I don't suppose there is a rad registry checker that can look for anomalies like that? (That's right, I used the word Rad, and I'm proud of it)
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
Sub question: What is the likelihood of screwing up my computer even worse if I just say, backup the registry of this one, and install it on the broken one and have it overwrite away....
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
HOT DIGGITY DOG!
The post said that:
Value Name = NoViewContextMenu

Data = (0 = disabled, 1 = enabled)

and suggested I look in current user. Well, I looked in system instead because it was user-independent. And guess what it was set to?
Not 0, not 1....but 2. 2?!?! Set to 2?! What the heck is 2 doing there?! That's like an off on light switch that someone set to pulsate or something. Anyway, I set to 0 to disable the no view and I got CONTEXT MENUS!!!!! For all users!!!

There is only one thing left. I think whatever references are in the registry that point to the desktop got moved to who knows where, because doc&settings/username/desktop has all my icons, and they aren't there on my original desktop. There could be the no desktop display option in the registry as well turned on...not sure....
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
More info, I copied a folder onto that desktop to see what happens and... two showed up. So aside from getting 2 of them, I can put icons there, so it's not disabled that. However, when I tried to remove the copied folders, one deleted ok and the other said it couldn't. Trying to open said folder resulted in this error:
C:\desktop\*foldername*\ refers to a location that is unavailiable etc.

So desktop got pointed to a desktop folder on C root, that is empty. Should be easy to find that in the registry...
 

Cooliwhip

Junior Member
Mar 18, 2005
18
0
0
I searched in current user for c:\desktop and found a listing under:
Current user -> software -> microsoft -> windows -> explorer -> Shell folders

that says desktop and that location alongside things like mydocs etc. all pointing to the right spot, I'll change that and reset and I bet you I got my beloved icons back! :)
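
The two registry findings in the last few posts (a NoViewContextMenu value of 2, and a Desktop entry under Shell Folders pointing at C:\desktop) are the kind of leftover a scripted check over a regedit text export can flag. This is an added example, not part of the original thread; the sample export is constructed, and the full key paths under CurrentVersion, the NoDesktop value name and the profile root C:\Documents and Settings are assumptions.

```python
import re

# Constructed sample in regedit text-export format (not from the thread's machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="C:\\desktop"
"Personal"="C:\\Documents and Settings\\user\\My Documents"
'''

# Assumed key suffixes (lower-cased); matched in any hive, per-user or machine-wide.
POLICY_KEY = r"\microsoft\windows\currentversion\policies\explorer"
SHELL_KEY = r"\microsoft\windows\currentversion\explorer\shell folders"
RESTRICTIONS = {"NoViewContextMenu", "NoDesktop"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value in a regedit export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"]

def audit(text, profile_root=r"C:\Documents and Settings"):
    """Return (key, value_name, reason) for settings worth a manual look."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(POLICY_KEY) and name in RESTRICTIONS and data.startswith("dword:"):
            value = int(data[6:], 16)
            if value == 1:
                findings.append((key, name, "restriction enabled"))
            elif value != 0:  # neither documented state, like the 2 found in the thread
                findings.append((key, name, f"unexpected value {value}"))
        elif k.endswith(SHELL_KEY) and name == "Desktop" and data.startswith('"'):
            path = data.strip('"').replace("\\\\", "\\")  # .reg strings double backslashes
            if not path.lower().startswith(profile_root.lower() + "\\"):
                findings.append((key, name, f"points outside profile: {path}"))
    return findings
```
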