Vista changes theme upon booting up

Status
Not open for further replies.

mretzloff

This morning I booted my Vista PC up and it changed the theme to classic. It also disabled network access, the security center, etc. Is this a problem with Vista or is this a virus? Please let me know. Thank you.
 
This sounds like a serious infection, particularly given that your security and network access are disabled.

Go to our Virus and Malware forum and read the sticky Updated 8 Steps. Follow the advice given step by step. When you finish those steps, post at that forum along with the required 3 logs.

Good luck.
 
Please follow the steps on the link Matthew left for you. When finished, paste the logs into your next reply. We will review them and see if malware is present.

A note: if you've done the scans previously, please note that we have updated the Preliminary Virus and Malware Removal thread and the steps are a bit different. We even left out a step so you only have 7!

Edit: Thanks Matthew!
 
I'd like you to do the following:

1. Right click on the Taskbar> Properties> Start tab> Uncheck Classic and Check Start> Apply> Reboot. Let me know if that stays after the reboot.

2. Go to the Control Panel> Add/Remove Programs> be sure 'show updates' is checked> find the last update and let me know the date.

3. Check the GMER log again- this is not all of it- only one section. I'd like to see the full log.

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  4. If Combofix asks you to install Recovery Console, please allow it.
  5. If Combofix asks you to update the program, always allow.
  6. Close any open browsers and double click on combofix.exe & follow the prompts to run.
     - NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
     - Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

Leave the answers to questions and combofix report on next reply.
 

Thank you very much for your reply.

1. The Start Menu was already selected. The Classic was not.

2. I cannot access the Control Panel, as well as everything else. I get a message saying "Illegal operation attempted on a registry key that has been marked for deletion".

I did, however, manage to access the Control Panel after booting into Safe Mode. I clicked on "Programs and Features" (the standard Add/Remove was not there) and then clicked on "View installed updates". It said there are no updates installed.

3. I scanned again with GMER. I have this log: View attachment GMER Log.log

If this is still not the full log, please let me know what I am doing wrong.

4. Here is the ComboFix report: View attachment Combo Fix Log.txt


Out of curiosity, is SUPERAntiSpyware no longer any good? I saw that it has been removed from the 8 steps thread. What about CCleaner? I am just curious.

Thank you again for your help.
 
My apology! Somehow your reply didn't make it to my feedback. By the way, you don't need to quote my replies. I meant to ask you- did you try rebooting again after the change?

Another function you should go through is the Error Checking. Error-checking is known as Check Disk (chkdsk). Sometimes that will handle a 'glitch'. Do you run this when you run the maintenance? If you have not, please run it now. Be sure all active windows are closed. This can take a while if you don't do it regularly. Let it finish; it will reboot when through.

You can run this from a Command Prompt which requires Administrative privileges:
  • Click on Start> All Programs> Accessories> Command Prompt
  • Right-click over the Command Prompt menu item.
  • Choose Run as Administrator from the context menu for Command Prompt.
    - Note that the title bar says Administrator: Command Prompt
  • At the admin prompt, type chkdsk /f (Note the space between the k and the slash. It needs to be there)
    - The /f parameter will fix problems. If you get a prompt that the drive is in use and offering to schedule Check Disk for the next boot, you can say yes and reboot the computer to start.

After the Error Checking has completed:
I know you want to magically find what caused the change. But we're going to have to dig harder. There are a couple of entries to check here. Since this is already on your system, please disable ALL of your security before you run it. None was disabled in the first run and that can interfere with the scan.

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\users\Retzloff\AppData\Local\temp

Folder::

DirLook:
C:\kxlcikow.sys

Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Then : Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Leave the new Combofix report and Eset log in your next reply.
 
Where is the rest of the Combofix report? It's missing about half of it. You can note that the last line starts off but doesn't finish and the rest of the report is missing:

2010-02-04 22:2..............the output stops here..............

I rechecked GMER and it's okay as is. But I need the rest of the information from Combofix.
=====================================
You started this thread 5 days ago- that would be on or about 4/21. I see this on 4/21:
2010-04-21 18:44:04 222497358 ----a-w- c:\windows\MEMORY.DMP

Time and date wise, this happened right before the GMER install. You need some help debugging a MEMORY.DMP file. I don't do that.
====================================
Check for the full Combofix log please- I can't do anything else. It isn't likely that you suddenly got malware overnight while the system was off-or was it? Did any auto-update come in overnight?
================================
Before I forget again:
Out of curiosity, is SUPERAntiSpyware no longer any good? I saw that it has been removed from the 8 steps thread. What about CCleaner? I am just curious.

SAS doesn't usually give any 'new' information other than Tracking Cookies. Technically speaking, those aren't an issue. As for CCleaner, we felt that TFC did a good job of removing the temporary internet files without the danger of removing too much, as CCleaner can do at times. But this is only in our preliminary scan; you can use those programs when you want.
===========================
Did you run the Error Check? And when did you lose internet access?
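The helper's reasoning above is a timeline check: find which files appeared around the day the symptoms started (here, the MEMORY.DMP entry on 4/21). The script below, which is an added example and not from this thread or from ComboFix, does that mechanically over lines in the `date time size attrs path` shape of the quoted log line; that line shape is an assumption taken from the single line shown, and the sample lines are constructed, not copied from the user's report.

```python
import re
from datetime import datetime, timedelta

# Assumed line format, taken from the one log line quoted in the thread:
#   YYYY-MM-DD HH:MM:SS <size> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)\s*$"
)

# Constructed sample lines in that format (not the real report). The last
# line mimics the truncated line the helper complains about.
SAMPLE_LOG = """\
2010-04-15 09:12:30 1024 ----a-w- c:\\windows\\system32\\drivers\\etc\\hosts
2010-04-21 18:44:04 222497358 ----a-w- c:\\windows\\MEMORY.DMP
2010-04-21 18:51:10 4096 ----a-w- c:\\kxlcikow.sys
2010-04-22 08:00:00 512 ----a-w- c:\\users\\someone\\AppData\\Local\\temp\\x.tmp
2010-02-04 22:2
"""


def parse_entries(text):
    """Return (timestamp, size, attrs, path) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the cut-off line at the end of a truncated report
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return entries


def entries_around(text, incident, before_hours=24, after_hours=24):
    """Entries created within a window around the reported incident time.

    `incident` is given as 'YYYY-MM-DD HH:MM:SS' so the caller needs no datetime import.
    """
    when = datetime.strptime(incident, "%Y-%m-%d %H:%M:%S")
    lo = when - timedelta(hours=before_hours)
    hi = when + timedelta(hours=after_hours)
    return [e for e in parse_entries(text) if lo <= e[0] <= hi]


def root_level_files(entries):
    """Paths sitting directly under a drive root, the kind of entry a DirLook:: line targets."""
    return [p for (_, _, _, p) in entries if re.match(r"^[a-z]:\\[^\\]+$", p, re.I)]
```

Feeding the real C:\ComboFix.txt in and choosing the incident time from the user's own account would list the candidates worth a DirLook:: entry or an online scan, rather than eyeballing the whole report.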
 