Author Topic: I cant apply the XP Theme :(  (Read 884 times)

Bond2k

« on: May 08, 2005, 06:53:11 PM »
I followed the instructions to delete the sex.exe VIRUS.

OK, this is the problem: I started the CleanUp software and I restarted my Windows XP.

But now my Windows XP only has the CLASSIC STYLE, not the Windows XP style (the green Start button and the BLUE BARS).

HOW CAN I REPAIR this? Please!! Some HELP! :blink:

Offline guestolo

« Reply #1 on: May 08, 2005, 06:58:37 PM »
Been seeing the hijacker remove this option in Display properties

Can you do the following for me
Register to the forum and supply a Hijackthis log

Could you also do the following

Can you download and UNZIP to desktop
Get2.zip so you now have Get2.bat on your desktop
Double click on Get2.bat, a text file called Export2.txt will be placed on your desktop
Can you copy and paste that info back here

Could you also
Download and unzip to desktop Export.zip so you now have Export.bat on the desktop
Double click on Export.bat and a new text file will appear on the desktop
Export.txt
Can you copy and paste that back here

Here's how to post a Hijackthis log
Click Here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Bond2k

« Reply #2 on: May 08, 2005, 10:46:40 PM »
Ok thx !

Here is IT

HIJACKTHIS :

Logfile of HijackThis v1.99.0
Scan saved at 22:37:48, on 08/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\ScreenPrint32 v3\ScreenPrint32.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\WINDOWS\System32\cmd32.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\gluher.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\memo\Datos de programa\ubss.exe
C:\WINDOWS\System32\fraser.exe
C:\WINDOWS\System32\w?auclt.exe
C:\Archivos de programa\CxtPls\CxtPls.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Archivos de programa\Grisoft\AVG Free\avgcc.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Archivos de programa\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6A51D558-89C5-4115-8256-683C8CF78279} - C:\WINDOWS\System32\mkhlf.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: (no name) - {CBD69F06-0FEB-0A37-95AD-273023112496} - C:\WINDOWS\System32\vztuj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Archivos de programa\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Corel Reminder] "C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [xhulxtf] c:\windows\system32\xhulxtf.exe
O4 - HKLM\..\Run: [2FrV3tU] gluher.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Lrat] C:\Documents and Settings\memo\Datos de programa\ubss.exe
O4 - HKCU\..\Run: [Jo09RjYsO] fraser.exe
O4 - HKCU\..\Run: [Cmaml] C:\WINDOWS\System32\w?auclt.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range:  (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x29.chm::/trs29.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/178e8eefbaff85...RdxIE601_es.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{308F1D95-9812-41F8-8E4D-B6AA088E7B5F}: NameServer = 200.33.148.196 200.33.148.202
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe


GET2 :

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b1
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000


EXPORT :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Temas"
"Group"="UIGroup"
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,6f,00,6f,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"Description"="Proporciona administración de temas de experiencia de usuario."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,68,00,73,00,76,00,63,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="ThemeServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Enum]
"0"="Root\\LEGACY_THEMES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


OK :D

Offline guestolo

« Reply #3 on: May 09, 2005, 12:41:31 AM »
Still some cleaning to do on your system

Download and Unzip to desktop iSearch.zip so you now have iSearch.reg on the desktop
We'll need this later

You may want to print this out or save these instructions to a Notepad file and save it to your desktop

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Archivos de programa\CxtPls\cxtpls.dll

O2 - BHO: (no name) - {6A51D558-89C5-4115-8256-683C8CF78279} - C:\WINDOWS\System32\mkhlf.dll (file missing)

O2 - BHO: (no name) - {CBD69F06-0FEB-0A37-95AD-273023112496} - C:\WINDOWS\System32\vztuj.dll

O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [xhulxtf] c:\windows\system32\xhulxtf.exe
O4 - HKLM\..\Run: [2FrV3tU] gluher.exe

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile

O4 - HKCU\..\Run: [Lrat] C:\Documents and Settings\memo\Datos de programa\ubss.exe
O4 - HKCU\..\Run: [Jo09RjYsO] fraser.exe
O4 - HKCU\..\Run: [Cmaml] C:\WINDOWS\System32\w?auclt.exe

O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x29.chm::/trs29.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c7.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/178e8eefbaff85...RdxIE601_es.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Using Windows Explorer >>Find and delete these files or folders if they exist
C:\WINDOWS\System32\cmd32.exe <-file, exact name
C:\WINDOWS\System32\vztuj.dll <-file
c:\windows\system32\xhulxtf.exe <-file
C:\WINDOWS\System32\fraser.exe <-file
C:\WINDOWS\System32\gluher.exe <-file
C:\Documents and Settings\memo\Datos de programa\ubss.exe <-file

C:\Archivos de programa\CxtPls <-folder
C:\WINDOWS\isrvs <-folder
C:\Program Files\AutoUpdate <-folder

Afterwards, Double click on iSearch.reg and allow to merge to the registry

Restart back to Normal mode

Download and save to Desktop
FixAprop.exe
by Symantec
Run the tool and let it scan your drive and let it fix whatever it finds
Restart your computer again when it's done

Back in Windows
Run another scan with Hijackthis and post a fresh log

Also, could you do the following
Download and Unzip to desktop Grab.zip so you now have Grab.bat on the desktop
Double click on Grab.bat and post the contents of the new text file Grab.txt

One last thing
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as find.bat
Save this file on the desktop
Double click on find.bat and post back the contents of the text file that opens
Code:
dir C:\WINDOWS\System32\w?auclt.exe /a h > files.txt
notepad files.txt

Also
Navigate to this folder
C:\WINDOWS\Resources\Themes
Open the Themes folder
Let me know if you see the following
Luna folder
Luna.theme
WindowsClassic.theme
« Last Edit: May 09, 2005, 12:43:14 AM by guestolo »



Offline Bond2k

« Reply #4 on: May 09, 2005, 03:28:06 PM »
OK, the FILES THAT you mentioned are there:

Luna folder
Luna.theme
WindowsClassic.theme

BUT I STILL CAN'T CHANGE THE THEME (is this over?) :huh:

HIJACKTHIS :

Logfile of HijackThis v1.99.0
Scan saved at 15:18:04, on 09/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\ScreenPrint32 v3\ScreenPrint32.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ScreenPrint32] C:\Archivos de programa\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Corel Reminder] "C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe


GRAB.BAT :

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"LoadedBefore"="1"
"LMVersion"="103"
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,74,00,68,00,65,00,6d,00,65,00,73,00,5c,00,4c,00,75,00,6e,00,61,00,5c,00,\
  4c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"LastUserLangID"="3082"
"ColorName"="NormalColor"
"SizeName"="NormalSize"



FIND.BAT :

El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: C8A2-B2C8

 Directorio de C:\WINDOWS\System32

09/09/2002  12:51           142.848 wuauclt.exe
02/05/2005  11:17           421.888 w?auclt.exe
               2 archivos        564.736 bytes

 Directorio de C:\Documents and Settings\memo\Desktop
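
An added example (not part of the thread and not HijackThis's own code): a Python sketch that compares the first scan with the follow-up scan and checks every entry from the fix list against both. The log excerpts are abridged from the logs posted above; the function names are illustrative.

```python
import re

# A HijackThis entry line is "<section code> - <text>", for example "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return the set of (code, body) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            # Collapse runs of whitespace: pasted logs differ in spacing
            # ("Trusted IP range:  (HKLM)" vs "Trusted IP range: (HKLM)").
            body = " ".join(match.group("body").split())
            entries.add((match.group("code"), body))
    return entries


def compare_scans(before_text, after_text, fix_text):
    """Diff two scans and check the fix list against both of them."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    to_fix = parse_entries(fix_text)
    return {
        "removed": sorted(before - after),           # gone after the cleanup
        "new": sorted(after - before),               # only in the second scan
        "still_present": sorted(to_fix & after),     # fix did not take
        "not_in_first_scan": sorted(to_fix - before),  # typo in the fix list?
    }


# Abridged from the first log in the thread (header and process lines are
# kept to show that the parser ignores them).
BEFORE_SCAN = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\gluher.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [2FrV3tU] gluher.exe
O4 - HKCU\..\Run: [Cmaml] C:\WINDOWS\System32\w?auclt.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range:  (HKLM)
"""

# Abridged from the follow-up log.
AFTER_SCAN = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# Abridged from the list of entries the helper asked to check.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [2FrV3tU] gluher.exe
O4 - HKCU\..\Run: [Cmaml] C:\WINDOWS\System32\w?auclt.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: (HKLM)
"""

if __name__ == "__main__":
    report = compare_scans(BEFORE_SCAN, AFTER_SCAN, FIX_LIST)
    for label, items in report.items():
        print(f"{label}: {len(items)}")
        for code, body in items:
            print(f"  {code} - {body}")
```

On these excerpts every fix-list entry is gone from the second scan, and the diff surfaces the R1 ProxyOverride entry that was not in the first log.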

Offline guestolo

« Reply #5 on: May 09, 2005, 03:36:01 PM »
We had to get rid of some bad files that were infecting you
Just want a little bit more info

Can you do the following please
Download Find1.zip and UNZIP it
Double click Find1.bat and copy and paste back the text file that opens


Could you also do a Search on your computer
You will have to use the Windows Search feature
Search for
luna.msstyles
If you find luna.msstyles can you let me know what location and the size of the file, thanks

Before performing a  search, ensure under Advanced options you have
the first 3 options checked



Offline Bond2k

« Reply #6 on: May 09, 2005, 05:39:20 PM »
Ok...

The file luna.msstyles is NOT HERE :(
I searched for it but I didn't find it

This is the other Info


Find.zip :

El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: C8A2-B2C8

 Directorio de C:\WINDOWS\Resources\Themes

22/04/2003  12:02    <DIR>          .
22/04/2003  12:02    <DIR>          ..
08/05/2005  18:10    <DIR>          Luna
24/08/2001  11:00             1.222 Luna.theme
24/08/2001  11:00             3.025 Windows Classic.theme
               2 archivos          4.247 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna

08/05/2005  18:10    <DIR>          .
08/05/2005  18:10    <DIR>          ..
22/04/2003  12:00    <DIR>          Shell
               0 archivos              0 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell

22/04/2003  12:00    <DIR>          .
22/04/2003  12:00    <DIR>          ..
22/04/2003  12:01    <DIR>          Homestead
22/04/2003  12:02    <DIR>          Metallic
22/04/2003  12:01    <DIR>          NormalColor
               0 archivos              0 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

22/04/2003  12:01    <DIR>          .
22/04/2003  12:01    <DIR>          ..
24/08/2001  11:00           362.496 shellstyle.dll
               1 archivos        362.496 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

22/04/2003  12:02    <DIR>          .
22/04/2003  12:02    <DIR>          ..
24/08/2001  11:00           362.496 shellstyle.dll
               1 archivos        362.496 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

22/04/2003  12:01    <DIR>          .
22/04/2003  12:01    <DIR>          ..
24/08/2001  11:00           361.472 shellstyle.dll
               1 archivos        361.472 bytes

     Total de archivos en la lista:
               5 archivos      1.090.711 bytes
              17 dirs  23.990.444.032 bytes libres
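
An added example (not part of the thread): a Python sketch that decodes the hex(2) "DllName" value from the Grab.bat registry export in Reply #4 and checks the resulting path against the directory listing above. The registry text and listing are abridged from the posts; the function names and the default C:\WINDOWS root are assumptions.

```python
import re

# "dir" prints one header per folder; the Spanish and English forms are accepted.
DIR_HEADER = re.compile(r"^\s*(?:Directorio de|Directory of) (?P<path>.+)$")
DIR_ENTRY = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?P<size><DIR>|[\d.,]+)\s+(?P<name>.+)$"
)


def decode_expand_sz(reg_text, value_name):
    """Decode one hex(2) (REG_EXPAND_SZ) value from a .reg export."""
    # A trailing backslash continues the value on the next line.
    joined = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", reg_text)
    pattern = rf'^"{re.escape(value_name)}"=hex\(2\):([0-9a-fA-F,]+)[ \t]*$'
    match = re.search(pattern, joined, re.MULTILINE)
    if match is None:
        raise KeyError(value_name)
    raw = bytes(int(tok, 16) for tok in match.group(1).split(",") if tok)
    # The data is UTF-16LE text with a terminating NUL.
    return raw.decode("utf-16-le").rstrip("\x00")


def files_in_listing(dir_text):
    """Return the lower-cased full paths of the files in 'dir /s' output."""
    files, current = set(), None
    for line in dir_text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group("path").strip()
            continue
        entry = DIR_ENTRY.match(line.strip())
        if entry and current and entry.group("size") != "<DIR>":
            files.add((current + "\\" + entry.group("name").strip()).lower())
    return files


def theme_file_status(reg_text, dir_text, system_root=r"C:\WINDOWS"):
    """Return (raw value, expanded path, whether the listing contains it)."""
    raw = decode_expand_sz(reg_text, "DllName")
    expanded = re.sub(r"%SystemRoot%", lambda _: system_root, raw,
                      flags=re.IGNORECASE)
    return raw, expanded, expanded.lower() in files_in_listing(dir_text)


# Abridged from the Grab.bat output in Reply #4.
GRAB_EXPORT = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,74,00,68,00,65,00,6d,00,65,00,73,00,5c,00,4c,00,75,00,6e,00,61,00,5c,00,\
  4c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"ColorName"="NormalColor"
"""

# Abridged from the directory listing in Reply #6.
DIR_LISTING = r"""
 Directorio de C:\WINDOWS\Resources\Themes

22/04/2003  12:02    <DIR>          .
08/05/2005  18:10    <DIR>          Luna
24/08/2001  11:00             1.222 Luna.theme
24/08/2001  11:00             3.025 Windows Classic.theme

 Directorio de C:\WINDOWS\Resources\Themes\Luna

08/05/2005  18:10    <DIR>          Shell
               0 archivos              0 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

24/08/2001  11:00           361.472 shellstyle.dll
"""

if __name__ == "__main__":
    raw, expanded, present = theme_file_status(GRAB_EXPORT, DIR_LISTING)
    print("DllName :", raw)
    print("Expanded:", expanded)
    print("Present in listing:", present)
```

The registry still points the theme manager at Luna.msstyles, while the listing shows the Luna folder holding only the Shell subfolder, which agrees with the search result reported in this post.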

Offline guestolo

« Reply #7 on: May 09, 2005, 09:56:43 PM »
Can I have you update your version of Hijackthis
You can download the latest version from my signature below
Save it to your
C:\My Downloads\
folder, allow it to overwrite the old version if prompted

Afterwards
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart the computer

Back in Windows, Create a fresh restore point
START>>Programs>>Accessories>>System Tools>>System Restore
Create a new restore point
Name it and click Create
When that's done

Download and UNZIP to desktop Repair.zip

Double click on Repair.reg and allow to merge to the registry

Download and Save to desktop
Restore Luna Theme--Resources.zip from Kellys-korner
UNZIP the contents to the
C:\Windows folder
Allow to overwrite if prompted

Post back a fresh Hijackthis log afterwards

Could you also double click on
Find1.bat and post back the contents of log that opens

Also double click on Export.bat and post back the contents of Export.txt
« Last Edit: May 09, 2005, 09:57:44 PM by guestolo »



Offline Bond2k

« Reply #8 on: May 09, 2005, 10:32:34 PM »
ok !! THAT'S IT !! THE THEME COMES TO LIFE AGAIN !!! THANK YOU VERY MUCH !!!!!!!!!!!!!! this FORUM is excellent !!!! I'm going to recommend it to MANY PEOPLE !!!!! I speak SPANISH but I understand ALL THAT YOU SAY !!

Ok, here is what you told me to post:

HIJACKTHIS :

Logfile of HijackThis v1.99.1
Scan saved at 22:24:02, on 09/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RunDll32.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\ScreenPrint32 v3\ScreenPrint32.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ScreenPrint32] C:\Archivos de programa\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Corel Reminder] "C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{308F1D95-9812-41F8-8E4D-B6AA088E7B5F}: NameServer = 200.33.148.196 200.33.148.202
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


FIND.BAT


 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: C8A2-B2C8

 Directorio de C:\WINDOWS\Resources\Themes

22/04/2003  12:02    <DIR>          .
22/04/2003  12:02    <DIR>          ..
08/05/2005  18:10    <DIR>          Luna
24/08/2001  11:00             1.222 Luna.theme
24/08/2001  11:00             3.025 Windows Classic.theme
               2 archivos          4.247 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna

08/05/2005  18:10    <DIR>          .
08/05/2005  18:10    <DIR>          ..
22/04/2003  12:00    <DIR>          Shell
               0 archivos              0 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell

22/04/2003  12:00    <DIR>          .
22/04/2003  12:00    <DIR>          ..
22/04/2003  12:01    <DIR>          Homestead
22/04/2003  12:02    <DIR>          Metallic
22/04/2003  12:01    <DIR>          NormalColor
               0 archivos              0 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

22/04/2003  12:01    <DIR>          .
22/04/2003  12:01    <DIR>          ..
24/08/2001  11:00           362.496 shellstyle.dll
               1 archivos        362.496 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

22/04/2003  12:02    <DIR>          .
22/04/2003  12:02    <DIR>          ..
24/08/2001  11:00           362.496 shellstyle.dll
               1 archivos        362.496 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

22/04/2003  12:01    <DIR>          .
22/04/2003  12:01    <DIR>          ..
24/08/2001  11:00           361.472 shellstyle.dll
               1 archivos        361.472 bytes

     Total de archivos en la lista:
               5 archivos      1.090.711 bytes
              17 dirs  23.894.749.184 bytes libres

EXPORT.BAT :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Temas"
"Group"="UIGroup"
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,04,00,19,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"Description"="Proporciona administración de temas de experiencia de usuario."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,68,00,73,00,76,00,63,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="ThemeServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Enum]
"0"="Root\\LEGACY_THEMES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


If there is something else PLEASE TELL ME ;) Thanx !!!!!!!

Offline guestolo

« Reply #9 on: May 09, 2005, 10:50:37 PM »
Still doesn't look right

Can you look for this file and delete it if found
It may not be there, but take a look

C:\Themes.txt <-this file

Then navigate to this directory
C:\WINDOWS\Resources\Themes\Luna
Open the Luna folder
Do you see a Shell folder (the Shell folder you should see)
but do you see a Luna.msstyles file?

Can you double click on Find1.bat again and post the log please

Also, when you navigate to this folder
C:\WINDOWS\Resources
how many Resources folders do you see?
How many Themes folders do you see?
I'm just checking
« Last Edit: May 09, 2005, 11:07:52 PM by guestolo »



Offline Bond2k

« Reply #10 on: May 10, 2005, 12:39:38 AM »
SORRY ! I SENT YOU BAD INFO , AFTER INSTALLING THE RESOURCE FOLDER I made a mistake and I didn't refresh the info in the Find1.bat TEXT FILE and the others.

Sorry, but I corrected that and all is OK. I am sending you the Find1.bat again.

And the files that you mentioned are there and they are OK !

Thanx !!!!

 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: C8A2-B2C8

 Directorio de C:\WINDOWS\Resources\Themes

09/05/2005  22:26    <DIR>          .
09/05/2005  22:26    <DIR>          ..
09/05/2005  22:26    <DIR>          Luna
23/08/2001  07:00             1.222 Luna.theme
23/08/2001  07:00             3.025 Windows Classic.theme
               2 archivos          4.247 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna

09/05/2005  22:26    <DIR>          .
09/05/2005  22:26    <DIR>          ..
24/08/2001  11:00         4.186.256 luna.msstyles
22/04/2003  12:00    <DIR>          Shell
               1 archivos      4.186.256 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell

22/04/2003  12:00    <DIR>          .
22/04/2003  12:00    <DIR>          ..
09/05/2005  22:26    <DIR>          Homestead
09/05/2005  22:26    <DIR>          Metallic
09/05/2005  22:26    <DIR>          NormalColor
               0 archivos              0 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

09/05/2005  22:26    <DIR>          .
09/05/2005  22:26    <DIR>          ..
24/08/2001  11:00           362.496 shellstyle.dll
               1 archivos        362.496 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

09/05/2005  22:26    <DIR>          .
09/05/2005  22:26    <DIR>          ..
24/08/2001  11:00           362.496 shellstyle.dll
               1 archivos        362.496 bytes

 Directorio de C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

09/05/2005  22:26    <DIR>          .
09/05/2005  22:26    <DIR>          ..
24/08/2001  11:00           361.472 shellstyle.dll
               1 archivos        361.472 bytes

     Total de archivos en la lista:
               6 archivos      5.276.967 bytes
              17 dirs  23.849.721.856 bytes libres

Offline guestolo

« Reply #11 on: May 10, 2005, 08:21:38 PM »
Sorry for the delay, is everything still OK??

Can you do the following please

Print this out or save to a Notepad file on the desktop

Restart the computer into safe mode

Remember I had you run Find.bat and this was the output
====================================
09/09/2002 12:51 142.848 wuauclt.exe <--good guy
02/05/2005 11:17 421.888 w?auclt.exe <-bad guy
====================================

Navigate to this folder
C:\WINDOWS\System32
Open the System32 folder

We're looking to delete the bad guy

They both MAY have the same name as wuauclt.exe, the ? mark will not show
and they will have different icons

You just want to delete the bad guy
Right click on the file and left click properties
The bad w?auclt.exe will have a date of 02/05/2005
and an approximate size of 408kb
Delete only that one

If you have trouble finding the bad guy
In the system32 folder, try clicking on VIEW in the top toolbar
then select Details>>
On the right arrange by size and look for the approximate file size

When you find the one with the approximate size and date, you probably found the bad guy
Send it to the recycle bin for now

Restart back to Normal mode and post one last hijackthis log
Also run Find.bat again and post a fresh log
« Last Edit: May 11, 2005, 12:15:07 AM by guestolo »

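The manual check in the reply above (two files that look like wuauclt.exe, one of them carrying a character that does not display) can also be run over a saved listing. This is an added example, not part of the thread or of Find.bat; the function names, the `KNOWN_NAMES` allow-list and the last three sample lines are assumptions made here, and it covers only same-length, single-character substitutions.

```python
import re

# The first two lines are the Find.bat output quoted in the post above;
# the last three are constructed neighbours added for this example.
SAMPLE_LISTING = """\
09/09/2002 12:51 142.848 wuauclt.exe
02/05/2005 11:17 421.888 w?auclt.exe
24/08/2001 11:00 13.312 svchost.exe
24/08/2001 11:00 502.272 winlogon.exe
22/04/2003 12:01 <DIR> drivers
"""

# Assumption: a short allow-list of names an impostor is likely to imitate.
KNOWN_NAMES = ("wuauclt.exe", "svchost.exe", "winlogon.exe")

# dd/mm/yyyy hh:mm size-with-dot-separators name (Spanish-locale `dir`).
DIR_LINE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+\d{2}:\d{2}\s+([\d.]+)\s+(.+?)\s*$")


def parse_listing(text):
    """Yield (date, size_in_bytes, name) for each file line; <DIR> lines are skipped."""
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            date, size, name = m.groups()
            yield date, int(size.replace(".", "")), name


def is_plain(text):
    """True when every character is printable ASCII and not the '?' placeholder."""
    return all(" " <= ch <= "~" and ch != "?" for ch in text)


def lookalike_of(name, known=KNOWN_NAMES):
    """Return the known name that `name` imitates, or None if it is not a lookalike."""
    if is_plain(name):
        return None  # exact ASCII names are ordinary files, not disguised ones
    for good in known:
        # Same length, and every position either matches or is an undisplayable char.
        if len(good) == len(name) and all(
            a == b or not is_plain(a) for a, b in zip(name.lower(), good)
        ):
            return good
    return None


def find_suspects(text):
    """List entries whose name imitates a known one, with date and size for triage."""
    return [
        {"name": name, "imitates": good, "date": date, "size": size}
        for date, size, name in parse_listing(text)
        if (good := lookalike_of(name)) is not None
    ]
```
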


Offline guestolo

« Reply #12 on: May 14, 2005, 02:43:17 AM »
As this problem appears resolved I'll lock this topic
Bond2k. If you need it reopened, please PM a Mod or the site Admin and supply a link to this thread
« Last Edit: May 14, 2005, 02:49:38 AM by guestolo »
