Malware - can't open some configuration dialogs/windows
June 27, 2011 8:16 AM

Windows XP. I can't get my Date/Time dialog to popup when clicking the clock, nor the video card/monitor properties to pop up (when right clicking desktop and choosing "properties"). I also have auto updates not being allowed to be turned on (or rather, the service is on, but in the control panel it says it can't be turned on). I think I got hit w/something a while back, but everything I've done to fix it isn't working.

I've used Malwarebytes and MSE. Both have gotten rid of infections, and I got most stuff working, but something is having these modules turned off. I ran "sfc /scannow" and that did prompt me for the disc for a few files, but in the end it didn't help. I went to see if a service is turned off. I finally got the auto-updates service on, but that doesn't help the control panel. I believe there's a few other control panel windows that I can't get open.

Am I going to have to do a reinstall from scratch? Is there anything else I can do? Is there ANY way to install the base system of Windows without overwriting all my user data? Is there any easy way to backup my data and programs (especially the programs - I don't want to have to reinstall all of them if I can avoid it).

The most minimally disruptive solution the better. Thanks!
posted by symbioid to Computers & Internet (28 answers total)
 
From a command prompt try loading the control panel applets directly:

c:\>dir %windir%\system32\*.cpl
c:\>control (name of cpl file you want to load...for example: timedate.cpl)
posted by samsara at 8:49 AM on June 27, 2011


Take the steps provided here to see if those registry keys are there, and remove them as the article states if they are.

If the above is the problem, and this doesn't fix Windows Update, let me know.
posted by deezil at 8:58 AM on June 27, 2011


Regarding your date/time, are you right-clicking the clock? When you right-click the clock, it should show you a list of taskbar and toolbar related options, and right underneath "toolbars" it should say "adjust date/time"... Are those options not showing up at all?
posted by amyms at 8:59 AM on June 27, 2011


I'm not at home now. If I right-click, the option shows up, but when I select it... nothing happens. I'll try the registry keys thingy. I have a feeling it's something like that. I'll also try the control panel from the command line. I'll have to do this tonight when I get home... Any other tips to try out before then I'd still appreciate.
posted by symbioid at 9:01 AM on June 27, 2011


Those keys weren't there, alas.

I was also able to start the panels by using the command line.

The following .cpls are able to work by clicking on them within the GUI from the "Control Panel" window:

admin tools
folder options
fonts
network connections
printers and faxes
scanners and cams
scheduled tasks
taskbar and start menu

Everything else can't open via clicking (including updates, security center, firewall, uninstall software, add/remove hardware)...

Any more info would be appreciated...
posted by symbioid at 3:53 PM on June 27, 2011


If you have made System Restore Points, or allowed the system to create them automatically, they might be your best friend in these circumstances, depending on the depth (number) of System Restore Points you have, and whether any of them were made with your system still in a known good state. By default, Windows XP makes SRPs before applying updates, so if you've limited the disk space for SRPs (forcing Windows to overwrite oldest SRPs), and have gone a long time automatically applying monthly updates, you may not be able to get back to a known good state, but if you can, this, and a subsequent forced update (to get all the later security fixes since that known good restore), is the quickest way back to sanity.
posted by paulsc at 4:52 PM on June 27, 2011


paulsc - I've never used those before... if I use one - will I lose everything else that I've done since then (i.e. my media, projects, etc...)? Or does it only restore other system settings? It makes me nervous. I may have to resort to either that or a full on reinstall, but I'm hoping that I can figure out just what the heck is going on. It seems like it's gotta be some sort of registry setting. Or something. *sigh*.
posted by symbioid at 5:09 PM on June 27, 2011


User data files like media should be unaffected by reverting to a previous restore point, since they typically don't call for updating the system Registry. But programs you've installed since that restore point may not work correctly, as you'll be restoring a previous, working version of your Registry, and programs generally do need to make new Registry keys to operate properly. However, you can just re-install such programs, and they'll work fine.
posted by paulsc at 5:21 PM on June 27, 2011


System restore would be a mostly safe thing to do if you have a previous state. You won't lose any documents but might have some software that'll need attention afterwards.

Otherwise I think we can still help fix this too. Since many of the .cpls seem to load via command line, this might be a registry or shell issue. Let's start with testing out the shell. In a command prompt, try the following.

To check whether the timedate.cpl can load:
rundll32 shell32.dll,Control_RunDLL timedate.cpl

To check if the file association is correct for .cpl files
start timedate.cpl

If the second test fails to load the applet, you may just need to re-associate the filetype.

Open Windows Explorer, go to View>FolderOptions, click the FileTypes tab, scroll to Control Panel Extension. Ensure that it is opening with RUNDLL32 and the open command is similar to:
c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL %1,%*

A few questions:

- Are you running or have you run a registry "tweaker" before this problem started?
- Can you think of any new software that may have affected the behavior of XP as being installed?
- Do you have any logs of what you might have been hit with previously?
- Are you seeing anything unusual in your Application and System event logs? (right-click My Computer/Manage)

Also, if all else fails, try Dial-A-Fix which is still very useful for Windows XP. When running this program, do the security template fix (under the hammer icon) to restore all your registry and file security descriptors to defaults.
posted by samsara at 6:19 PM on June 27, 2011


Hmm... Well I can load from the prompts with those commands, and the filetype association seems right. (though it's "%1",%* with the quotes -- maybe that's it? then again, why would some load and others not?) Apart from that, though, it matches what you have.

I'm trying dial-a-fix and it looks like what I need but it just seems stuck on clearing temp files, and if i cancel that and try to do the WU/WUAU instead, it's stuck on the EventLog Service.

Finally, I don't see the "security template" fix in the hammer menu, nor do I see an option that looks like it at all there, actually. :(

I'm just gonna let the dialafix keep running - I know sometimes things just go and go and eventually work (and I think the page even said some things do that. but not sure if the WU/AU is one of those).

As for tweakers? Yeah, I've used CCleaner, and haven't had a problem before. I'm 99.9% positive I got hit with a driveby and while I thought I cleaned it up w/MSE and MBAM, it made changes that haven't been detected and still are corrupting it somehow. I ran Super AntiSpyware and that caught some temp remnants of one or two. :(

My biggest problem is that I don't know when this specific incident really started. My life has been busy lately and I haven't paid a lot of attention. I thought I resolved the updates a while ago, but it looks like it's still not fully fixed - and I don't think I'd've known there was an issue until I clicked the clock and no applet came up.

Thanks for all the tips. I'll let you know if dialafix works or doesn't...
posted by symbioid at 9:36 PM on June 27, 2011


I think the "security template" fix is called Repair Permissions under that menu. Here is the help page on the topic with a standalone app that could be run in its place.
posted by samsara at 5:23 AM on June 28, 2011


I hope someone's still reading this.

I logged into safe mode w/admin account and ran dialafix. It didn't fix anything. I'll try running from my regular account as well (it kept stalling out on me when running from my regular account, hence the reboot into safe mode).

I can't remember if i tested beforehand or not, but I *can* click the control panel things from the admin account, so I don't know if it was fixed by dialafix or not.

OK, when I try to run repair permissions in my normal account it says cannot open the file secedit.chm. (2 popups give that warning, and after I close each it goes back to the "hammer" submenu options again).

In both admin and my account the run and run as user in the "tools options" .cpl associations are properly using the command (w/"%1" or whatever it is)

The commands in the registry for opening .cpl are correct and the HKLM\Software\Windows\Control Panel (I think that's the node) in my regular account do match the keys in the admin account. I don't know if there's another control panel setting somewhere, but that was the main branch in the registry that I saw with a list of the applets and other assorted info.
posted by symbioid at 7:07 PM on June 28, 2011


Oh oh - I remember - I did download the command line/console version of the permissions repair and it worked fine from the command line. (I wonder if that's related to the same way I can't run the .cpl from the GUI)... hrmm...
posted by symbioid at 7:14 PM on June 28, 2011


Can you open your security center with Start > Run > wscui.cpl ?
posted by amyms at 11:44 PM on June 28, 2011


That .chm error is interesting. Ok let's backtrack a little and get a clearer picture of how things are configured.

What do you see when looking under this registry key?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
(you can clear everything out under here if you'd like..in particular anything under \explorer if it exists)

Let's get a concise profile of what's going on. Download and run OTL which is a more comprehensive HijackThis (fill checkboxes for LOD and Parity checks and run a full scan). After reviewing the resulting log and XXXX'ing out anything that might be private, paste the results on Pastebin (recommending pastebin as you can delete it later since there's no delete button on MeFi).

In the meantime while the log is being reviewed, let's check for rootkits that Malwarebytes and MSE might have missed. Download and run GMER and TDSSKiller to check for common rootkits. I suspect you may have been hit with Smitfraud before so try this fix as well (create a restorepoint beforehand).

Also, as a last resort there's ComboFix. Definitely make sure to create a restore point before running and follow the directions closely. If you want, hold off on this one until the OTL logs have been looked at, but I'm listing it here just in case you want to try it as well...generally works great, but can bomb in certain scenarios.
posted by samsara at 6:12 AM on June 29, 2011


Oh also, if you run any fix or clear out any registry keys, reboot the PC and try opening control panel applets to see if any particular step helped.
posted by samsara at 6:13 AM on June 29, 2011


OK, weird - I ran OTL, and it popped up notepad, but the 2 notepad windows were empty. I rebooted, and now the 2 txt files are there, but now the OTL icon is missing from my desktop. Anyways, here's the files... OTL is WAAAAAAY too large for pastebin. (I did a full check after I saw nothing show up in the notepad window - maybe that's why?) Anyways, I'm chopping it into 6 parts. If you need something smaller so you don't have to comb through too much, LMK and I can rerun it and paste in the smaller data...


Extras
OTL 1
OTL 2
OTL 3
OTL 4
OTL 5
posted by symbioid at 5:21 PM on June 29, 2011


GMER ROOTKIT/MALWARE RESULTS
posted by symbioid at 11:15 PM on June 29, 2011


I had the following keys under the policies key (is that the right term?)

Attachments -> ScanWithAntiVirus
Explorer -> HonorAutoRunSetting
NonEnum -> 3 of those long hex keys surrounded by curlies
Ratings -> Blank
system ->
dontdisplaylastusername
legalnoticecaption
legalnoticetext
shutdownwithoutlogon
undockwithoutlogon

-------
Do I just delete the actual folder things on the left for each submenu/key whatever?
Or do I just delete the keys and data on the right hand for each of these?
posted by symbioid at 11:21 PM on June 29, 2011


Finally - SmitFraudFix Log

Also: I had TDSSKiller before, but downloaded from the page in case there's an update and nothing reported.

I may end up using ComboFix, but that's a drastic measure, right?

Anyways, hopefully these logs can help narrow down a potential solution... Thanks again for all the help...
posted by symbioid at 11:36 PM on June 29, 2011


amyms - yeah... all the control panel things work from the command line and some that didn't seem to work I now can get working from the command line at minimum (which is good, I got my firewall repaired and such)... now it's trying to figure out how to get things working by clicking on them!
posted by symbioid at 11:37 PM on June 29, 2011


From your logs, I don't believe you have anything bad still running on your PC (you can delete those now if you'd like)...so before Combo-fix, let's try these two options first:

- Replace your Shell Open registry keys.

It's likely the second link will work. What I think happened is your "Open" shell keys within the control panel were corrupted. Here are the values they should be:

HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0

- Requesting this Microsoft KB843551 hotfix might also solve the issue.
posted by samsara at 5:31 AM on June 30, 2011


*It's likely unhookexec.inf will work.* (sheesh some days I wish I had a dedicated proofreader..)
posted by samsara at 5:33 AM on June 30, 2011


Also if all else fails, including combofix, still look into reverting to a previous system state before the issue began... (start/programs/accessories/system tools/system restore). You won't lose any documents as it'll simply restore your system state (registry and dlls). You can also try another go at sfc /scannow just to make sure those corrupted files it detected before are fixed.

The only other places I can think of to look are environment variables and registry keys related to the control panel:

Environment Variables:
Open a CMD prompt and type:

echo %path%
This should echo the folders Windows searches in when running programs. Your system32 folder must be there for a lot of things to work correctly.

echo %systemroot%
This should return the location of your Windows folder. The control panel uses this path extensively (eg. %systemroot%\system32\intl.cpl)

Registry Keys:

HKEY_CU\Software\Microsoft\Windows\CurrentVersion\Policies (you can export this to a file, then delete everything including folders under this key)
HKEY_CU\Software\Policies\ (same as above)
HKEY_LM\Software\Microsoft\Windows\CurrentVersion\Policies (same as above)
HKEY_LM\Software\Policies\ (same as above)

HKEY_CR\cplfile\shell\cplopen\command (ensure this is correct...rundll32.exe ...etc)
HKEY_LM\Software\Classes\cplfile\shell\cplopen\command (ensure this is correct)
----
HKEY_LM\Software\Microsoft\Windows\CurrentVersion\Control Panel\ (double-check the items here to make sure they're pointing to the right locations...most will be found in Extended Properties)

I've uploaded a copy of my control panel .reg file to pastebin here. Be sure to export your Control Panel key first however just in case you need to restore. (in regedit, right click on the Control Panel key and select export..save as backup.reg. in pastebin, copy/paste the RAW data to a file called import.reg, save, and double-click import.reg to import it in)

Other than that, I'm just about to the end of ideas unfortunately. I think there's a "Open" shell extension hidden somewhere in the registry that's just for the Control Panel, but I'm not seeing anything online or in the registry itself about it. It's also possible that the malware you had did some destructive work where keys are missing or corrupted...you may want to consider a full on XP repair (boot off the install CD, skip the screen for the Recovery Console, Press F8 to agree, R to repair). A repair will keep your programs and documents intact, but will set your XP OS back to where you'll have to re-apply critical updates.

You can also install XP over top of your existing installation, or look into Windows 7 perhaps. Installing on a drive that already has Windows will move all the data into a folder called "Windows.old" This method would require reinstalling all the programs you had before however. If you find anything new, or if any of the suggestions above helped let me know.
posted by samsara at 6:24 AM on June 30, 2011
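Added example, not from the thread or from any of the posters: the checks samsara describes in the last two posts (the shell\open\command defaults listed from unhookexec.inf, the .cpl handler under cplfile\shell\cplopen\command, and the Policies keys) as a script that runs over a regedit export rather than the live registry, so it can be run offline against the backup.reg samsara suggests exporting before changing anything. The sample export embedded in it is constructed; the exefile hijack in it is the kind of change the inf file reverses. Assumptions: both forms of the rundll32 command seen in the thread (with or without a full path, with or without quotes around %1) are treated as acceptable, and the policy watchlist beyond DisableRegistryTools is a short illustrative list of well-known Explorer/System restriction value names, not something taken from the thread.

```python
# Offline check of a regedit export (.reg) for hijacked shell\open\command
# handlers and restrictive Policies values. Added example; sample is constructed.
import re

# Known-good defaults, taken from the unhookexec.inf values quoted in the thread.
# Comparison is case-insensitive.
EXPECTED_OPEN_COMMANDS = {
    r"hkey_local_machine\software\classes\%s\shell\open\command" % t: r'"%1" %*'
    for t in ("batfile", "comfile", "exefile", "piffile", "scrfile")
}
EXPECTED_OPEN_COMMANDS[
    r"hkey_local_machine\software\classes\regfile\shell\open\command"
] = r'regedit.exe "%1"'

# The .cpl handler. Both forms seen in the thread are accepted (assumption):
# rundll32.exe with or without a full path, %1 with or without quotes.
CPL_OPEN_KEYS = (
    r"hkey_classes_root\cplfile\shell\cplopen\command",
    r"hkey_local_machine\software\classes\cplfile\shell\cplopen\command",
)
CPL_OPEN_PATTERN = re.compile(
    r'^(?:.*\\)?rundll32\.exe\s+shell32\.dll,control_rundll\s+"?%1"?,%\*$',
    re.IGNORECASE,
)

# Policy values that disable registry or Control Panel UI when nonzero.
# Only DisableRegistryTools is named in the thread; the rest are well-known
# Explorer/System restriction names (assumption: illustrative, not exhaustive).
RESTRICTIVE_POLICIES = {
    "disableregistrytools", "disabletaskmgr", "nocontrolpanel",
    "norun", "nofolderoptions", "nodispcpl", "nosettaskbar",
}


def _unescape(s):
    # regedit writes \\ for a backslash and \" for a quote inside string values
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path_lower: {value_name_lower: value}}. String values are unescaped,
    dword values become ints, any other type is kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"').lower()
        if value.startswith('"') and value.endswith('"'):
            keys[current][name] = _unescape(value[1:-1])
        elif value.lower().startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        else:
            keys[current][name] = value
    return keys


def check_export(text):
    """Return a list of findings; an empty list means nothing suspicious among
    the keys present. Keys absent from the export are not judged."""
    keys = parse_reg(text)
    findings = []
    for key, expected in EXPECTED_OPEN_COMMANDS.items():
        if key in keys:
            actual = keys[key].get("@", "")
            if actual.lower() != expected.lower():
                findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    for key in CPL_OPEN_KEYS:
        if key in keys:
            actual = keys[key].get("@", "")
            if not CPL_OPEN_PATTERN.match(actual):
                findings.append(f"{key}: .cpl handler is not rundll32/Control_RunDLL: {actual!r}")
    for key, values in keys.items():
        if "\\policies" in key:
            for name, value in values.items():
                if name in RESTRICTIVE_POLICIES and isinstance(value, int) and value:
                    findings.append(f"{key}: {name}={value} (restriction active)")
    return findings


# Constructed sample: exefile handler hijacked by a dropped executable,
# .cpl handler intact, one benign and one restrictive policy value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\fake.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command]
@="C:\\WINDOWS\\system32\\rundll32.exe shell32.dll,Control_RunDLL \"%1\",%*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

if __name__ == "__main__":
    for finding in check_export(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Export the Classes and Policies keys from regedit (right-click the key, Export) and pass the file's text to check_export. It only judges keys that are in the export, so an empty result means those keys look like defaults, not that nothing else on the machine is wrong; that is why samsara's advice to reboot and retest after each change still applies.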


One more thing!!!

I was able to recreate the issue you were having exactly by fudging the %systemroot% variable. However if this was redefined it would cause XP to become very unstable.

But that made me think...The "Control Panel" key in the above post might be the culprit where they're pointing to something different than the values in the pastebin I posted. My current theory is, when you click Open in the control panel, it's trying to load something else other than the .cpl

Hope that helps!
posted by samsara at 6:40 AM on June 30, 2011


Awesome. I'll monkey around tonight, I hope that's it...
posted by symbioid at 7:27 AM on June 30, 2011


YES! It's working! :D

I downloaded the unhookexec.inf and at first it didn't seem to do it, then I attempted to install the MS hotfix, but it wouldn't install (since I have SP3, and it's an SP2), but then I went and tried the clock again and it worked, as well as the regular control panel!

Thanks very much!

And thanks to everyone else who tried to help out.
posted by symbioid at 6:32 PM on June 30, 2011


Whew, excellent!
posted by samsara at 5:25 AM on July 1, 2011

