
Unable to right click icons

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
On the other hand, maybe not..... on reset it returned to c:\desktop and further searching found a second entry under system, same branch as the last post that says common desktop -> c:\desktop. Curses.
 
Ok, I changed every last dang one to be just like the ones around them, for they ALL said C:\Desktop.

So for some it was %CURRENTUSER%\Desktop or whatever, and now they all match...

and.... IT'S ALL BACK! My beloved icons! It's restored! It's ALIVE!!!!!

mechBgon, you're da man. /bow/praise/pilepetalsatyourfeet
 
What I would do next, as a fact-finding step, is to go ahead and create that Limited-class account named "Visitors." See if its desktop behavior is normal.

If it is normal behavior on the new account, then you can create a new account for yourself too. Copy over your desktop icons and Favorites and whatnot, then delete your previous account out of C:\Docs & Settings. After that, you can re-name your new account to the name of your old account if you like.

 
Well, I had some help... Thanks.

I did just get a pesky error though:
Window is titled 16 bit Windows Subsystem
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

Close closes the error message, Ignore closes the error message...either way, nothing else happens. This happens any time I try to run something that is a little old, like an old game or program or whatever. Oddly angband seems to work but Capture the Flag doesn't, nor does the occasional autoplay.

It must be related...I guess I'll keep finding these from time to time as I try to put it through its paces for any remaining damage.
 
Doing a little Google for "AUTOEXEC.NT," it appears to have to do with an installer:

http://unodocs.nmsu.edu/RoboDocs/WebHelp/jinitiator/ji_05.htm

What concerns me is partly that something might be trying to install; it makes me think about the possibility of rogue services. If you post a HijackThis logfile, that would be interesting to see.

Also, at this point I'd right-click My Computer, choose Manage > Local Users & Groups > Users, right-click each Administrator-class user account, and give them strong passwords (Cooliwhip@AT would be good) to thwart exploitation of your system's Admin powers or administrative shares. This will let you get to the system's normally-invisible Administrator account if it has one, too.
 
After reading that doc you linked to, it seems it's important for ANY 16 bit program (hence the old ones) and that the installer program that most use just happens to be one of many 16 bit programs out there. So I checked, and sure enough, I don't have that file at ALL in the system. It may have had an error in it and one of the bazillion scans I did deleted it. I restored it from the repair directory as suggested. And it works. Here is, however, my Hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 1:57:14 PM, on 3/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe *Keyboard extra features
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe *Keyboard extra features
C:\Program Files\Logitech\MouseWare\system\em_exec.exe *My Mouser
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe *Keyboard extra features
C:\Program Files\Maxthon\Maxthon.exe *Browser
C:\Program Files\hijackthis\HijackThis.exe *Duh 🙂
C:\WINDOWS\System32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe *Keyboard
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe *mouse
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Shortcut to TeaTimer.lnk = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm *Flashget, nice threaded dl manager
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm *Flashget, nice threaded dl manager
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe *Flashget, nice threaded dl manager
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe *Flashget, nice threaded dl manager
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...l.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe *Keyboard

 
Cool 🙂 Dropping it into http://hijackthis.de analyzer, it looks ok, except that as it says, you're running an outdated Service Pack on there (SP1). SP2 would be a good idea. I'd download the whole SP2 installer and install it while the system's in Safe Mode so the antivirus software doesn't interfere with the installation. Another cool goodie is Microsoft Baseline Security Analyzer, for seeing deeper into your Microsoft patching than Windows Update and Office Update combined can do.

Once SP2 is installed, you can also fully enable Data Execution Prevention like this picture, to help add defense against some types of buffer-overflow attacks.
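
Added example, not part of the original posts: a small Python parser for the HijackThis log format posted above, which separates header fields, running processes and section entries, then lists the entries that start code at boot or logon (O4 autostarts and O23 services). The function names are hypothetical, the sample is an excerpt of the posted log, and stripping the trailing ` *comment` notes the poster typed in is a heuristic assumed here.

```python
import re

# Sections that start code at boot or logon (standard HijackThis meanings).
AUTOSTART = {"O4": "Run key or Startup folder", "O23": "Windows service"}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
NOTE = re.compile(r"\s+\*[^\\/:]*$")             # trailing " *comment" typed by the poster

def parse_log(text):
    """Return (header fields, running processes, [(code, detail), ...])."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = NOTE.sub("", raw.strip())
        match = ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        elif ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, processes, entries

def autostarts(entries):
    """Entries that launch code without user action: review these first."""
    return [(code, detail) for code, detail in entries if code in AUTOSTART]

# Excerpt of the log posted above, poster's annotations included.
SAMPLE = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe *Keyboard extra features

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe *mouse
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe *Keyboard
"""

header, processes, entries = parse_log(SAMPLE)
for code, detail in autostarts(entries):
    print(f"{code:>3}  {AUTOSTART[code]:<26} {detail}")
```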
 
I usually like to wait a while before putting in a new service pack, just to see how it turns out. I know that this one adds a ton of protection etc, but on the other hand, unless the culprit in question tries again (and he so won't, he feels rotten), then I should be fine. That said, I'm sure I will get it sooner rather than much later, but I like to let other people do Microsoft's beta testing on their service packs. 🙂
 
If you just set up a Visitor account and make it Limited-class, that's a biggie for keeping him safe. But like you say, he probably doesn't even want to chance it now 😱
 
second that good recommendation. limited account coupled with some proactive stuff, either javacool's spywareblaster or the microsoft antispyware goes a long way toward preventing this kind of infection.
 