two users D*** and A***, plus Administrator, default user is D***, who is a member of Administrators, Windows 2000 Pro machine.
He booted it and during boot, got a message along the likes of "you have an illegal copy of windows 2000, access is denied, you can access your files from the start button"
He thought this might be for real as he had heard about the recent "legality check" in a Win XP update, though I had never heard of one for Win2K
He hit cancel and the machine continued to boot.
But, he got the default desktop rather than his normal desktop - no wallpaper, none of his icons or shortcuts. The rest of the profile seemed ok - My Documents etc was still there.
When he tried to start Outlook, it acted like he was a new user, didn't find his folders and started asking for install disks.
I came over to investigate - found that he had another problem - when he booted, IE started automatically trying to load a page http://18.104.22.168...orts/blank.html (which is not found) and then something - presumably on that web page, tries to lower the security settings for zone "Internet", but is blocked by Norton.
Ran a full sweep with the local Norton AV and with the Panda remote sweep from PCPitStop.com - nothing. Nothing out of the ordinary in startup entries. A bunch of assorted semi-nasties found and removed using Spybot S&D, but still the initial web-page tries to load.
To the Outlook problem - attempted a re-install from the Office 2000 disk - that seemed to go ok, but instead of asking for install disks, Outlook now just comes up with a "Cannot Start Outlook" message box.
Reinstalled Office from Administrator - that seemed to go ok, and I could start Outlook, and even found his original email files under Documents & Settings for user D***. Logging back in as D*** - no dice - same "Cannot Start" message. Likewise under the A*** user.
Another odd thing - trying to find the Outlook files from user D*** - opening up My Computer gives an error message that your security settings prevent the use of Active X controls on this page and the page may not display correctly - this is true - no disks or anything shown. For some reason, if I am to believe the symbol in the corner, My Computer is in the "Restricted Sites" zone, as shown by the "No Entry" symbol. I could not find a means to change this.
D is a careful user, but judging by the assorted JPG & Zip files on the desktop of the A user, A (his grandson who stays at weekends) is possibly not so careful about accepting "pictures" from pop-up users on MSN messenger and visiting a number of adult websites.
I had to leave at this point, so next time I'll try HiJack This on it and maybe some rootkit detectors.
Any suggestions? I'm particularly curious about "My Computer" being in "Restricted Sites" and how to change this back - maybe a registry edit?
Edited by Ian W, 21 May 2006 - 03:19 PM.