Possible Virus? XP theme has been deleted

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

punku10

Thread Starter
Joined
Aug 19, 2004
Messages
97
I have a student where I work who has this problem.

The theme is not deleted because all the files are still in

C:\windows\resources

The XP theme on his computer has been disabled. His Start menu and everything has been reset to classic view, and you can't select Windows XP in any of the menus to change it...

Also, his network card has been disabled, and when I go to open up the Device Manager nothing comes up, no matter how long I let it sit there..

If anyone can help I'd really appreciate it!!!!
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
You want to post a Hijackthis log I assume, and you can easily do this by using a floppy disk provided both computers have that type of drive (3.5 floppy drive, or A:\)

Download Hijackthis.exe to a floppy disk---the link is down at the end of my reply.

Put the disk into the bad computer's floppy drive, after the pc is started up.

You do not need Internet access on that pc to do this.

Open Windows Explorer and hit C: drive so the folders etc show over on the right side.

At the top, select File>New Folder, but rename the new folder to HJT, then, hit Drive A: to see the hijackthis.exe file, then EDIT> Copy, then click on the new HJT folder on drive C: that you made, EDIT> Paste and the hijackthis.exe file should be copied to C:\HJT folder so you can run it on the bad pc.

When you have hijackthis.exe in the HJT folder:

Start hijackthis.exe by double clicking it from the HJT folder and use the Scan button, it will scan and when done the Save Log button will show. Save the log as hijackthis.txt and copy and paste it back to the floppy disk.

Take the floppy disk to a good computer you access TSG with, come back to this thread, and copy and paste the log to a Reply to this thread.

http://tools.radiosplace.com/HijackThis.exe

NOTE: We are used to helping with PCs that do not have good Internet access. You can work this way, but there will of course be a lot of going back and forth to post new logs and do the fixes... but after a few, there should be an improvement.
 

punku10

Thread Starter
Joined
Aug 19, 2004
Messages
97
Logfile of HijackThis v1.99.0
Scan saved at 12:26:32 PM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\fol188\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: GuruNet - {E8893D9E-169E-4a05-B0B6-FC5809D1AA77} - C:\PROGRA~1\GuruNet\Toolbar\GuruNetToolbarU.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104890687437
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRBC
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRBC
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
Well, I do not see anything on your log. I have PM'd another member to take a look and see what they can advise you on.
 

punku10

Thread Starter
Joined
Aug 19, 2004
Messages
97
Thanks for the fast help..

Yeah, I know there couldn't be that much stuff on it; I just reinstalled Windows on it yesterday. It only took this kid one day to mess it up this bad, lol :confused:
 
Joined
Dec 9, 2000
Messages
45,855
This is not a "security" issue, but an Administrative rights issue. I'll leave the call to you. Someone has probably installed a restriction either through the group policy editor or through the registry directly.

This restriction forces users to use the classic Windows start menu, instead of the new format introduced with Windows XP.

The location is here:

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoSimpleStartMenu
Type: REG_DWORD (DWORD Value)
Value: (1 = force classic menu, 0 = default)

There may be something similar for network cards, possibly this:

Enabling this option disables access to the Network Control Panel icon.

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
Name: NoNetSetup
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

> Frankly, it sounds like this is not or was not his computer prior to the reinstall. These restrictions would not necessarily be removed by an "overinstall" -- I'm not really sure about that.
 

punku10

Thread Starter
Joined
Aug 19, 2004
Messages
97
I found out that all of the... administrative services have been disabled.

Is there any way to restart all of them at once? There are many of them, and so far restarting each one individually is taking forever.
 
Joined
Dec 9, 2000
Messages
45,855
I'm not sure what you are saying here. All Microsoft services couldn't be disabled or the system would be inoperable. Possibly the system is in a "clean boot" configuration which disables all NON Microsoft services. This is done through Msconfig.

You wouldn't want to enable every non-starting service; that is not only a performance downer but a security risk as well.

If you have administrative rights you can selectively enable desirable services using:

services.msc

or going to the Services profile in Administrative Tools.

If other methods have been used to prevent enabling of services, I'm not going to want to get further into this, since there is no valid reason why this should be the case in a personal system.
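As an added example (not from this thread or any poster), here is a report-only PowerShell audit that checks the two policy values named a few posts up (NoSimpleStartMenu and NoNetSetup, in both the user and machine hives) and lists every service whose start mode is Disabled, so an administrator can see what has been locked down before deciding what to re-enable. It assumes Windows PowerShell with the Registry provider and WMI available; it changes nothing.

```powershell
# Added example, not the thread's own text: audit Explorer/Network policy
# restrictions and report services set to Disabled. Read-only.

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoSimpleStartMenu' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoSimpleStartMenu' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network';  Name = 'NoNetSetup' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Network';  Name = 'NoNetSetup' }
)

# Returns the DWORD value, or $null when the key or value is absent
# (absent means the policy is not set from that hive).
function Get-PolicyRestriction {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

Write-Host "Policy restrictions (1 = enforced, 0 or absent = default behaviour):"
foreach ($c in $checks) {
    $v = Get-PolicyRestriction -Path $c.Path -Name $c.Name
    $state = if ($null -eq $v) { 'not set' } elseif ($v -eq 1) { 'ENFORCED' } else { "value $v" }
    Write-Host ("  {0}\{1} : {2}" -f $c.Path, $c.Name, $state)
}

# Services with StartMode = Disabled; compare against a known-good build of the
# same Windows version rather than enabling everything in this list.
Write-Host "`nServices with start mode Disabled:"
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartMode -eq 'Disabled' } |
    Sort-Object Name |
    Format-Table Name, DisplayName, State -AutoSize
```

Run it from an elevated prompt so the HKLM hive and the full service list are readable.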
 

punku10

Thread Starter
Joined
Aug 19, 2004
Messages
97
In the Services profile under Admin Tools, almost every single service was disabled.

I have no idea how or why this could happen either?
 
Joined
Dec 9, 2000
Messages
45,855
It could very well happen if the computer was an office or public one and these policies were instituted to prevent tampering.

Otherwise, I don't know either. Keep in mind that following a reinstall, you MUST enable a firewall even before a connection is established, and only then can you safely install the necessary security patches.

Fail to do that and you will be reinfected with msblaster/lsass infections that will be shutting things down in minutes. I see no evidence of that though, yet. Some people try to fix these things by disabling the rpc service. Do that, and you won't be able to do anything with service properties until you use some complex method of re-enabling it.
 