Interesting Problem! [RESOLVED]


  • This topic is locked

#31
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download Aimfix and run it. See if it fixes anything.

Then do this:

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

regedit /e c:\1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
regedit /e c:\2.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
copy c:\1.txt+c:\2.txt c:\3.txt
del c:\1.txt
del c:\2.txt
notepad c:\3.txt
del c:\3.txt
del delete.bat
exit


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it to run it.
  • 0

#32
firstwok

    Member

  • Topic Starter
  • 21 posts
Here is the hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 11:44:44 AM, on 10/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\Profiles\Ron Wang's\Desktop\HijackThis.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#33
firstwok

    Member

  • Topic Starter
  • 21 posts
Here is something from the "delete.bat".

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000


Also, AIMFix didn't find anything to fix.
  • 0

#34
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hmm..nothing else from that delete.bat file run? There should be another set of lines for HKEY_CURRENT_USER...maybe that's the problem...
  • 0
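
An added example, not part of any post in this thread: a Python check over the delete.bat export that compares each ProtocolDefaults value with the zone named in the "should be" text of the O15 lines in post #32, and reports a hive whose section is absent from the export, which is the situation post #34 asks about. The function names are hypothetical, and the sample is constructed from the HKLM section quoted in post #33.

```python
import re

ZONES = {0: "My Computer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Expected zones, taken from the "should be" text of the O15 lines in post #32.
EXPECTED = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3}
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
SUBKEY = (r"software\microsoft\windows\currentversion"
          r"\internet settings\zonemap\protocoldefaults")

def decode_export(raw):
    """regedit 5.00 exports are UTF-16LE with a BOM; fall back to UTF-8."""
    enc = "utf-16-le" if raw.startswith(b"\xff\xfe") else "utf-8"
    # Files joined with copy a+b carry one BOM per original file; drop them all.
    return raw.decode(enc, errors="replace").replace("\ufeff", "")

def parse_protocol_defaults(text):
    """Return {hive: {protocol: zone}} for each ProtocolDefaults section found."""
    found, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            match = hive in HIVES and rest.lower() == SUBKEY
            current = found.setdefault(hive, {}) if match else None
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return found

def audit(raw):
    """List every hive missing from the export and every protocol in the wrong zone."""
    found, findings = parse_protocol_defaults(decode_export(raw)), []
    for hive in HIVES:
        if hive not in found:
            findings.append(f"{hive}: no ProtocolDefaults section in export")
            continue
        for proto, want in EXPECTED.items():
            got = found[hive].get(proto)
            if got != want:
                have = "missing" if got is None else ZONES.get(got, f"zone {got}")
                findings.append(f"{hive}: '{proto}' is {have}, should be {ZONES[want]}")
    return findings

# Constructed sample: the HKLM section from post #33, encoded the way regedit /e writes it.
KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
VALUES = ('@=""\r\n"http"=dword:00000003\r\n"https"=dword:00000003\r\n"ftp"=dword:00000003\r\n'
          '"file"=dword:00000003\r\n"@ivt"=dword:00000001\r\n"shell"=dword:00000000\r\n')
HEADER = "Windows Registry Editor Version 5.00\r\n\r\n"
SAMPLE = b"\xff\xfe" + f"{HEADER}[HKEY_LOCAL_MACHINE\\{KEY}]\r\n{VALUES}".encode("utf-16-le")
```

Run `audit()` on the bytes of c:\3.txt before the batch file deletes it; an empty list means both hives were exported and every protocol listed in the O15 lines sits in its expected zone.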

#35
firstwok

    Member

  • Topic Starter
  • 21 posts
May somebody please reply?
  • 0

#36
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
What's the problem still? Blue background? I asked you earlier if you can run the smitfraud.reg file on those accounts? So, can you run that .reg file without any problems? See if you can change the background after a restart.
  • 0

#37
firstwok

    Member

  • Topic Starter
  • 21 posts
I can't run smitfraud.reg on one account. In Display Properties when I choose appearance I am unable to change Windows and Buttons, Color Scheme and Font Size. Windows and Buttons are stuck on Windows Classic style. The background is still blue, I can't choose a screensaver and I can't change the theme. One account's background is ok I think.

Edited by firstwok, 13 October 2005 - 08:10 PM.

  • 0

#38
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, are the other accounts ok though?

We'll chuck this account then and create a new one for it. Create a new account (Start->Control Panel->User Accounts and click Create a new account)...give it a name and give it administrator access. Now I want you to open up c:\documents and settings\ and open up your old username account (with the blue background problem). Copy all the files/folders there except for the two ntuser files. Leave those behind! (very important) Paste the copied files/folders to your new account folder. Overwrite what's there.

Now login to that new account and see if you have any problems. Run some programs and test out everything that you would normally do on your old account to make sure everything is working properly. If all is well, go back to Control Panel->User Account and delete the old username. Then go to c:\documents and settings\ and delete the old username folder.

Any problems now?
  • 0

#39
firstwok

    Member

  • Topic Starter
  • 21 posts
Looks like most of the problems are gone, except that I can't change Windows and Buttons in Appearance in the Display Properties. Thanks for your help on this problem.
  • 0

#40
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try creating that new account and moving all those folders over (it should move all your current files over as well). If you have any problems with this, feel free to ask for help in the Windows forum.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
