Solved trojan.zlob activity~shell32.dll icons have gone.

I tried changing resolution and theme, I rebooted with the new theme. The only difference was that the Recycle Bin on the desktop adopted the new theme correctly but returned to the same state as before when I switched back.

Those registry values are coming out as hex again:

Is that because I have the editor set up wrong or something?

Thanks for sticking with this.

Paul

 

Thanks for that additional info. Gives me some more areas to check in your hive. What theme do you normally use?

The hex is correct for an export. It translates to this.

%SystemRoot%\System32\shell32.dll,3

If you look at the Default value for those keys in regedit, it should be displayed as such, and the type should be REG_EXPAND_SZ

I did notice a missing default key in your hive, and a couple that don't belong. Whether or not it's the cure I don't know, but lets replace it anyway. Create another reg fix with the following and merge it.

Code:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanc ed]

After merging it, make some changes in display settings, icon sizes, etc, then logoff/on.


I'm getting a late start tonight and have some catching up to do. Not sure I'll get anywhere with analysing the hive tonight. Hang in there ..... I'm not about to throw in the towel yet.

 

Hi Dave

I don't usually use any particular theme. I use a modified default XP theme with the Olive Green colour set and a fixed width font (Lucida Console). While we've been working on this I've tried all sorts of exotic stuff from the XP Plus! disc and the basic XP theme and Classic.

I've applied the new fix and fiddled around with resolution and icon sizes etc. I've done a couple of reboots but nothing has changed.

I appreciate you hanging in there. Everything else is running so well I'd like to get the icon thing sorted out and take an image of the current setup.

Paul

EDIT: Something I was thinking of last night. This all started with Trojan.zlob and Michael from Norton posted on the first page with a link to their fix which involves some registry editing. I haven't done any of that because Geri appeared to have got rid of the Trojan, perhaps you could take a look and see if it's relevant?

 

Hi Paul,

None of the recommendations from Symantec for zlob removal would have any effect toward the current problem. Though I know of none offhand, RE: zlob and any effect on icons, I will do some digging.

While researching your hive file, I noticed an extremely large number of values that represent customized folder views. Large enough to suggest you might have customized the view of almost every folder on the drive individually. It may be that clearing out these keys/values would help. They sometimes get corrupted, leaving incorrect 'other tasks' in folders, etc. It will however, set all folder views back to default. If you're game to try, read on.

First, lets make a backup. Highlight and copy the bolded command in the cdoe box below.

Code:

[B]regedit /e  "%systemdrive%\shellnoroam.reg" HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam[/B]

Click Start>Run and paste the command in the Run dialog, then hit Enter.
Navigate to your drive root (normally C:\) and verify the existence of the shellnoroam.reg file, and it's content.
Now, create the following reg file, save it and merge it.

Code:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags]

Reboot for changes to take effect.

Meanwhile, I am still studying your user hive ..... it's very tedious, and there's much to compare/decipher.

 

I guess that's possible. Although the install is only just over a year old I have a preference for list or detail view and have a habit of right clicking and choosing one or the other of those whenever the mood strikes.

I've applied the fix and now most views seem to be icons or tiles except where thumbnails are appropriate. There has been no change to the icon problem however.

I can't tell you how much I appreciate your efforts. I've never had a malware problem before (apart from an incident with the 'stoned' virus about 20 years ago) and I've certainly never had anything like this icon problem.

Thank you for your help and don't knock yourself out. I have the patience to wait for a result.

Paul

 

I'd like to get a look at some current values. Please copy the contents of the code box below and paste it into a command window. Post the log it produces.

Code:

@echo off
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID /s >clsid.txt
start notepad clsid.txt
exit
cls

Then, paste the following command in the Start>Run dialog and hit enter. (it varies a tad from previously)

regsvr32 /i shell32.dll

Reboot and give me a status. Still your account only affected?

 

OK, here's the new log:

I'll be back later with the results of the new regsvr32 command.

Paul

 

The command was successful opening a dialogue with "DllRegisterServer and DllInstall in shell32.dll succeeded." There is no noticeable effect on my account, I've changed resolution and theme.

With the Admin and my wife's account the story is different. One folder in the root directory of C: is now affected in each account. Here are screenshots of the admin account and my wife's account. The folder for UBCD4WIN is now showing the blank/placeholder icon while all other folders appear to be correct. I'm hoping that this is exactly as you expected and is leading to a solution.

Paul

 

Paul, we need one of those head bang icons. That was not the result I had hoped for, and the registry export looks fine (I think I sent the fix for those keys via email).

Lets try something different. Download iColorFolder 1.4.2 and the Skin Pack 1.2.1
Install iColorFolder (select a default skin), then the skin pack (install all available icon styles).
When complete, the iColorFolder GUI will open.
Select an icon style, check the box Use generic folder icon defined in skin, click Apply, then OK.
Check to see if the icons are applied to all folders.
You can restart the GUI from All Programs>iColorFolder>Skin Selector

 

Yaaaaahhhhooooo!

I didn't have to do anything. As soon as the iColorFolder Installation finished everything was fixed. Apart from the UBCD4WIN folder but I was able to change that using the customize tab in properties. I selected WindowsXP skin in the installer, it finished and everything popped into the right icon.

Thank you so much.

Is there anything else I should do before you call it resolved?

Paul

 

Well, I'm not celebrating just yet. I installed iColorFolder and tracked the changes to see if it modified some things in the user hive that I am missing while studying your hive, in hopes that it might lead to an actual fix. I still don't see it, but here's the real test. Uninstall iColorFolder and the skin pack (uninstallers available on the All Programs>iColorFolder list - do the skins first), reboot and see if you have the default folder icons back. If so, then the problem is really fixed, not just a workaround.

 

You can start celebrating

After uninstalling iColorFolder (which I'd never heard of and actually like) everything is looking fine.

I know you'd like to find out how it fixed it and I'm happy to help if you still have the stomach for it. One clue may be in the Most Frequently Used list. One of the registry fixes way back stopped it working and I reinstated it using the properties. Two items, photoshop and dosbox.conf, had the blank/placeholder icon in that list. .conf is assigned to notepad. When the iColorFolder install finished both icons were restored to normal.

So what do you want me to do? Or are you just happy to call it resolved?

Paul

 

WOOT!!

I'm just happy to hear that it's actually fixed! Just shows that there are still many aspects of the registry I don't fully understand, and gives me areas for study. I have the hive, the logs from installing/uninstalling iColorFolder (it is a cool app, heh? )... maybe I'll figure it out one day.

Your trust, patience and co-operation has been awesome. Thank you! Lets wait and see if Geri has anything to add before marking this topic resolved. In the meantime, go ahead and clean up all the clutter from our exports and such. Make sure you check your username folder ... most of the logs produced from a command window live there.

 

I'd like to thank both you and Geri for all the help you've given me with this. As well as fixing two tedious and annoying problems I've learned a lot from you, my computer is booting and running faster than I remember it ever doing and I've found a very special community here.

Thanks guys.

Paul

 

Oftentimes we learn together.

I'm happy I was able to help. You're very welcome, Paul.

 

Thanks Dave...You're the best !!

Hi Paul
OK, well that was a long haul.

After you have cleaned up everything from Dave I would suggest running ATF Cleaner.

Also run another Kaspersky scan to make sure everthing is still clean, post the log if anything is found.

Thanks
Geri

 

Worth the work though.

I've run ATF Cleaner and Kaspersky is just starting so I'll report back in about seven hours.

Thanks

Paul

 

I'm sorry this took so long, we've had a few power failures and Kaspersky was not completed. Here's the report, I think it's clear:

If you're going to mark this resolved, please correct my typo in the thread title it's been haunting me for weeks.

Paul

 

Hi
OK that looks good.

Please look at this link for some preventive recommendations, It could keep you from ending up back here to the Malware and Virus Removal Forums.
http://www.windowsbbs.com/showthread.php?t=67958

Surf Safely
Geri

 

Thank you Geri.

Paul