
Possible Virus? XP theme has been deleted

Discussion in 'Virus & Other Malware Removal' started by punku10, Jan 27, 2005.

Thread Status:
Not open for further replies.
  1. punku10

    punku10 Thread Starter

    Joined:
    Aug 19, 2004
    Messages:
    97
    I have a student where I work who has this problem.

    The theme is not deleted because all the files are still in

    C:\windows\resources

    The XP theme on his computer has been disabled. His Start menu and everything has been reset to classic view, and you can't select Windows XP in any of the menus to change it...

    Also his network card has been disabled, and when I go to open up the Device Manager nothing comes up no matter how long I let it sit there.

    If anyone can help I'd really appreciate it!!!!
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    You want to post a Hijackthis log I assume, and you can easily do this by using a floppy disk provided both computers have that type of drive (3.5 floppy drive, or A:\)

    Download Hijackthis.exe to a floppy disk---the link is down at the end of my reply.

    Put the disk into the bad computer's floppy drive, after the pc is started up.

    You do not need Internet access on that pc to do this.

    Open Windows Explorer and hit C: drive so the folders etc show over on the right side.

    At the top, select File > New Folder and rename the new folder to HJT. Then hit drive A: to see the hijackthis.exe file, select Edit > Copy, click on the new HJT folder on drive C: that you made, and select Edit > Paste; hijackthis.exe should now be copied to the C:\HJT folder so you can run it on the bad pc.

    When you have hijackthis.exe in the HJT folder:

    Start hijackthis.exe by double clicking it from the HJT folder and use the Scan button, it will scan and when done the Save Log button will show. Save the log as hijackthis.txt and copy and paste it back to the floppy disk.

    Take the floppy disk to a good computer you access TSG with, come back to this thread, and copy and paste the log to a Reply to this thread.

    http://tools.radiosplace.com/HijackThis.exe

    NOTE: We are used to helping with pc's that do not have good Internet access. You can work this way, but there will of course be a lot of going back and forth to post new logs and do the fixes... but after a few, there should be an improvement.
     
  3. punku10

    punku10 Thread Starter

    Joined:
    Aug 19, 2004
    Messages:
    97
    Logfile of HijackThis v1.99.0
    Scan saved at 12:26:32 PM, on 1/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\fol188\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: GuruNet - {E8893D9E-169E-4a05-B0B6-FC5809D1AA77} - C:\PROGRA~1\GuruNet\Toolbar\GuruNetToolbarU.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104890687437
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRBC
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRBC
     
  4. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Well, I do not see anything on your log. I have PM'd another member to take a look and see what they can advise you on.
     
  5. punku10

    punku10 Thread Starter

    Joined:
    Aug 19, 2004
    Messages:
    97
    Thanks for the fast help..

    Yeah, I know there couldn't be that much stuff on it; I just reinstalled Windows on it yesterday. It only took this kid one day to mess it up this bad, lol :confused:
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    This is not a "security" issue, but an Administrative rights issue. I'll leave the call to you. Someone has probably installed a restriction either through the group policy editor or through the registry directly.

    This restriction forces users to use the classic Windows start menu, instead of the new format introduced with Windows XP.

    The location is here:

    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Name: NoSimpleStartMenu
    Type: REG_DWORD (DWORD Value)
    Value: (1 = force classic menu, 0 = default)

    There may be something similar for network cards, possibly this:

    Enabling this option disables access to the Network Control Panel icon.

    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
    Name: NoNetSetup
    Type: REG_DWORD (DWORD Value)
    Value: (0 = disabled, 1 = enabled)

    Frankly, it sounds like this is not or was not his computer prior to the reinstall. These restrictions would not necessarily be removed by an "overinstall" -- I'm not really sure about that.
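An added example (not code from the thread or from any of its posters) that audits the two policy values named in the post above, NoSimpleStartMenu under ...\Policies\Explorer and NoNetSetup under ...\Policies\Network, in both the per-user and per-machine hives, and only resets a value on explicit request. It assumes a PowerShell prompt on the affected machine, run as an administrator if the HKLM value needs changing; the registry paths and value names are exactly those quoted in the post.

```powershell
# Added example, not from the thread: audit the two policy restrictions described above.
# Registry paths and value names are the ones quoted in the post; nothing else is assumed.

$restrictions = @(
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoSimpleStartMenu'; Effect = 'forces the classic Start menu' },
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Network'
       Name   = 'NoNetSetup';        Effect = 'hides the Network control panel' }
)

function Get-PolicyRestriction {
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($r in $restrictions) {
            $key   = "${hive}:\$($r.SubKey)"
            $value = $null
            if (Test-Path $key) {
                # A missing value is the Windows default, not an error, so suppress the failure.
                $item = Get-ItemProperty -Path $key -Name $r.Name -ErrorAction SilentlyContinue
                if ($item) { $value = $item.($r.Name) }
            }
            # New-Object PSObject (rather than [pscustomobject]) keeps this usable on PowerShell 2.0.
            New-Object PSObject -Property @{
                Hive     = $hive
                Key      = $key
                Name     = $r.Name
                Value    = $value            # $null = not set, i.e. default behaviour
                Enforced = ($value -eq 1)    # 1 is the "on" value quoted in the post
                Effect   = $r.Effect
            }
        }
    }
}

$findings = Get-PolicyRestriction
$findings | Format-Table Hive, Name, Value, Enforced, Effect -AutoSize

# Remediation is deliberate rather than automatic: clear only a value you have confirmed is
# unwanted. Writing 0 (the default in the post) has the same effect as deleting the value;
# Explorer re-reads the key at the next logon.
function Clear-PolicyRestriction {
    param($Finding)
    if (-not $Finding.Enforced) { return }
    Set-ItemProperty -Path $Finding.Key -Name $Finding.Name -Value 0 -Type DWord
    "Reset $($Finding.Name) in $($Finding.Hive) to 0 (takes effect at next logon)"
}

# Typical use after reading the table:
# $findings | Where-Object { $_.Enforced } | ForEach-Object { Clear-PolicyRestriction $_ }
```

One check worth doing before resetting anything: the O17 lines in the HijackThis log show the machine belongs to a domain (CRBC). If a value reappears after the next logon, a Group Policy object is writing it back on policy refresh, and gpresult will show which one; fixing it at the source beats repeatedly editing the registry.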
     
  7. punku10

    punku10 Thread Starter

    Joined:
    Aug 19, 2004
    Messages:
    97
    I found out that all of the administrative services have been disabled.

    Is there any way to restart all of them at once? There are many of them, and so far restarting each one individually is taking forever.
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm not sure what you are saying here. All Microsoft services couldn't be disabled or the system would be inoperable. Possibly the system is in a "clean boot" configuration which disables all NON Microsoft services. This is done through Msconfig.

    You wouldn't want to enable every non starting service, that is not only a performance downer but a security risk as well.

    If you have administrative rights you can selectively enable desirable services using:

    services.msc

    or going to the Services profile in Administrative Tools.

    If other methods have been used to prevent enabling of services, I'm not going to want to get further into this, since there is no valid reason why this should be the case in a personal system.
     
  9. punku10

    punku10 Thread Starter

    Joined:
    Aug 19, 2004
    Messages:
    97
    In the Services profile under Admin Tools almost every single service was disabled.

    I have no idea how or why this could happen either?
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It could very well happen if the computer was an office or public one and these policies were instituted to prevent tampering.

    Otherwise, I don't know either. Keep in mind that following a reinstall, you MUST enable a firewall even before a connection is established, and only then can you safely install the necessary security patches.

    Fail to do that and you will be reinfected with msblaster/lsass infections that will be shutting things down in minutes. I see no evidence of that though, yet. Some people try to fix these things by disabling the rpc service. Do that, and you won't be able to do anything with service properties until you use some complex method of re-enabling it.
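An added example (not code from the thread or from its posters) for the two posts above on disabled services: it lists every service whose start mode is Disabled, flags the RPC service that the post warns must not be turned off, and re-enables only an explicit allowlist rather than every non-starting service. It uses WMI's Win32_Service class so it runs on the PowerShell versions an XP-era machine can have. The service names in the sample call are assumed for illustration; the right list is whatever this particular machine needs.

```powershell
# Added example, not from the thread: audit disabled services and re-enable a chosen few.
# Uses Get-WmiObject Win32_Service because Get-Service only gained StartType in PowerShell 5.

$neverDisable = @('RpcSs')   # Remote Procedure Call (RPC): services.msc and WMI both depend on it

function Get-DisabledService {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Disabled' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name     = $_.Name
                Display  = $_.DisplayName
                Path     = $_.PathName
                State    = $_.State
                Critical = ($neverDisable -contains $_.Name)
            }
        }
}

$disabled = @(Get-DisabledService)
$disabled | Sort-Object Critical -Descending | Format-Table Name, Display, State, Critical -AutoSize
"{0} disabled service(s), {1} of them critical" -f $disabled.Count,
    @($disabled | Where-Object { $_.Critical }).Count

# Sets the start mode back to Automatic and starts the service, for the named services only.
# This is the selective approach the post recommends: enabling everything is both a
# performance and a security problem.
function Enable-ServiceAllowlist {
    param([string[]] $Names)
    foreach ($n in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$n'"
        if (-not $svc) { Write-Warning "no such service: $n"; continue }
        $rc = $svc.ChangeStartMode('Automatic').ReturnValue   # 0 = success
        if ($rc -ne 0) { Write-Warning "ChangeStartMode failed for $n (code $rc)"; continue }
        $rc = $svc.StartService().ReturnValue                 # 0 = started, 10 = already running
        if ($rc -ne 0 -and $rc -ne 10) { Write-Warning "StartService failed for $n (code $rc)"; continue }
        "enabled and started $n"
    }
}

# Sample call with assumed names (DHCP client, DNS cache, Automatic Updates, Windows Firewall):
# Enable-ServiceAllowlist -Names 'Dhcp', 'Dnscache', 'wuauserv', 'SharedAccess'
```

If RpcSs itself has been disabled, this script cannot help: WMI and the Services console both stop working, which is the "complex method" situation the post describes. The only route back is to set the Start value under HKLM\SYSTEM\CurrentControlSet\Services\RpcSs to 2 (Automatic) directly in the registry, from another boot environment if the installed system will not load the console, and then reboot.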
     
Short URL to this thread: https://techguy.org/323974
