Please help get rid of smitfraud remnants

I'm hoping that File Protection will give you a new copy of themeui.dll from your service pack install files.

SFC is a good idea. Please go ahead on it. BUT it often doesn't do the trick. So we may still need to do some digging and replace some files manually.
 
Tomorrow, I'll do some more diagnostics and see what files are accessed when I use display properties.

I take it you still can't register themeui.dll?
 
It would be a good idea to create a new folder somewhere on your system drive, even the desktop, for reports and apps I'll be asking you to use and generate.

I know there's a newer utility to replace regmon and filemon, but for now, I want you to use them to generate shorter reports.

It's very important you follow the directions as given or the report will be many Megabytes long, and therefore unmanageable.

We'll be generating several reports in the next few days as we monitor activity. Some will be very large.

-------------------------------------

Let's start with themeui.dll
If you still can't register themeui.dll, let's see if you are getting any access denied messages in the registry. We'll use Regmon for that.

Run Regmon.
Go to the toolbar and click on Options. From the options menu, click on Filter/Highlight.

When the dialog appears, in the include box type this:

Regsvr32

Then press ok.

Minimize regmon.

Go to start > run

Type
regsvr32 /i themeui.dll

Press enter.

After you get whatever message regsvr32 gives you, restore regmon and go to the file menu, and then save as:

Themeui Regmon

Save as type:
Regmon Data log.

Zip that and upload it into your next post please.

--------------------------------------

Next, we'll use filemon in the same way.

Download Filemon here:
http://download.sysinternals.com/Files/Filemon.zip

Unzip it.

Run Filemon. And do exactly as you did with Regmon. Set the filter.
Minimize Filemon.

Run regsvr32 /i themeui.dll
Press enter.

Restore Filemon.

Save the log as Themeui Filemon

Save as Type: Filemon Data Log.

Zip and upload into the next post.

------------

These two logs are going to show if access is denied to files or registry keys. Plus, filemon will give us a list of files accessed during your registration of themeui.dll.

This is a start. Later we'll monitor opening display properties and an attempted wallpaper change. Those logs will be considerably larger.


I need to know if renaming themeui.dll was allowed.

Do you run on NTFS or FAT32 file system?

If not sure, open My Computer. Right click on the hard drive icon and click Properties.

When the properties sheet comes up, look at what is listed next to

File system:

Let me know.
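Once the two logs are saved, the column to read first is Result. As an added example (not from this thread and not a Sysinternals tool), here is a small Python parser that reads Regmon/Filemon lines in the layout the tools display (time, process:pid, operation, path, result, optional extra column) and reports every ACCESS DENIED entry per process and path. The column layout, the set of result strings and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Result strings as Regmon/Filemon print them in the Result column (assumed set).
RESULTS = ("ACCESS DENIED", "SUCCESS", "NOT FOUND", "NAME NOT FOUND",
           "PATH NOT FOUND", "BUFFER OVERFLOW", "SHARING VIOLATION")

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?"               # optional sequence number (saved logs)
    r"(?P<time>\d+\.\d+)\s+"               # seconds since capture started
    r"(?P<proc>\S+?):(?P<pid>\d+)\s+"      # process.exe:pid
    r"(?P<op>\S+)\s+"                      # QueryValue, OpenKey, OPEN, ...
    r"(?P<path>.+?)\s+"                    # key or file path; may contain spaces
    r"(?P<result>" + "|".join(re.escape(r) for r in RESULTS) + r")"
    r"(?:\s+(?P<other>.*))?$"              # optional trailing "Other" column
)

# Constructed sample: a registration attempt that is refused in the registry and a
# theme file that cannot be opened. PIDs, CLSID placeholder and paths are made up.
SAMPLE_LOG = """\
5.34800911 rundll32.exe:3160 QueryValue HKCU\\Control Panel\\Appearance\\DisplayThemesPage NOT FOUND
5.34812000 regsvr32.exe:2208 OpenKey HKCR\\CLSID\\{placeholder-clsid} ACCESS DENIED
5.34820000 regsvr32.exe:2208 SetValue HKCR\\CLSID\\{placeholder-clsid}\\InprocServer32\\(Default) ACCESS DENIED
5.34830000 rundll32.exe:3160 OPEN C:\\Documents and Settings\\adminX2\\Application Data\\Microsoft\\Windows\\Themes\\Custom.Theme ACCESS DENIED Options: Open Access: Read
5.34840000 rundll32.exe:3160 OPEN C:\\WINDOWS\\system32\\themeui.dll SUCCESS Options: Open Access: Read
"""

def parse_line(line):
    """Return a dict of columns for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def access_denied(log_text):
    """Map (process, path) -> list of operations that were refused with ACCESS DENIED."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "ACCESS DENIED":
            denied[(rec["proc"], rec["path"])].append(rec["op"])
    return dict(denied)

if __name__ == "__main__":
    # Print a short summary so the refused objects can be checked for ownership/ACLs.
    for (proc, path), ops in access_denied(SAMPLE_LOG).items():
        print(f"{proc}: {', '.join(ops)} denied on {path}")
```

Feed it the saved Regmon or Filemon text instead of SAMPLE_LOG to list the keys and files that need their permissions checked.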
 
Hi Mosaic,

and many thx for your help.



I am using NTFS.

Renaming themeui.dll was successful but when I copied a fresh themeui.dll I was trying to rename the one back to its original name while I was trying to delete the other. Impossible. I had to cut and paste one of the two onto desktop where it still is, since I am unable to delete it.
 
I ran regmon and used the filter for 'display'

This is what I received below, among other things

5.34800911 rundll32.exe:3160 QueryValue HKCU\Control Panel\Appearance\DisplayThemesPage NOT FOUND
 
Hi Millslord,

You're welcome.

Renaming themeui.dll was successful but when I copied a fresh themeui.dll I was trying to rename the one back to its original name while I was trying to delete the other. Impossible. I had to cut and paste one of the two onto desktop where it still is, since I am unable to delete it.

Don't leave a dll out on the desktop. Put it in a folder. DO that first and if successful, continue.


Check to see if you have themeui.dll in system32

Rename the copy of themeui.dll which is in system32.

Then wait a minute. Reopen the system32 folder and see if File protection has put a new copy of themeui.dll into system32.

This is a test of File protection.

Let me know.



I don't have that registry key or value either.


Please let's take this one step at a time. I realize that's hard, but otherwise this is going to become very confusing.


I don't want any logs yet. I want to see if file protection will replace themeui.dll

If it does, then try to register themeui.dll. If it won't register and you get an error, make a note of the error and then do the filemon and regmon routine again and post the new logs please.
 
Will you try something please? I want to have File Protection replace another file. This probably won't do it, but it is one we should replace anyway.

Go to start >Run and type

Resources
Press enter.

This should open your Windows\resources folder

Click on the Themes folder.
Inside the themes folder, click on the Luna Folder.

Now right click on this file:
luna.msstyles


Choose rename.

Rename the file as oldluna.msstyles

Close up the folder. File protection should replace it.

Give it about 30 seconds. Now go back and be sure that along with the renamed file, you now have luna.msstyles in the folder. If not, then name oldluna.msstyles back to luna.msstyles

Otherwise, if you do, then Double click on this new copy of luna.msstyles

This will open display properties.

Can you change the wallpaper?

Let me know step by step how things go. What succeeded and what failed.
 
I want you to follow these instructions I give you one post at a time please.


Another file, and this is a big one, is uxtheme.dll

Find it in the system32 folder.

Rename it as olduxtheme.dll


Close system32 and wait about 30 seconds.

Reopen system32 and look to see if File Protection has put in a new copy of uxtheme.dll

If so, great. If not, rename olduxtheme.dll back.


Sometimes when trying to rename back, you'll get an error that the file already exists. That just means that File protection has finally kicked in and replaced the file. Then just do nothing. Forget about the renaming back. Don't panic or try to move the file you renamed. You can delete it if you like.

Just be sure that you don't restart until you have these files in place.
Once you have them, restart the computer. See if any of this helps.


There are a few more files to try later. And of course, the registry which is very important.

When you reinstalled Service Pack 2, did you first uninstall it?

And have you visited Windows Update? If not, you should do that as soon as possible.
 
Hi Mosaic,

Sorry for the delay in responding. I was away from PC.

Renaming files didn't help. File Protection failed to kick in in all instances.

No, I did not uninstall SP2 prior to reinstallation.

Windows Update is always on auto.

Thx

Mills
 
Hi Millslord,

I believe you should uninstall the service pack and then reinstall it for maximum results.

Can you see what version those files are and then get copies from your SP2 CD or Service pack files if the versions are not earlier than these please?


I don't want to skip anything.



Mo
 
One more thing. Windows File Protection should have warned you that those files were missing when you renamed them and asked for your install CD.

Let's see if you are missing sfc_os.dll
Have a look in system32 for sfc_os.dll and sfcfiles.dll

Are they there?
 
I uninstalled SP2 and reinstalled it afresh. Ran Win Update too.

The files are the same version as the SP2 files. E.g. uxtheme.dll is 6.0.2900.2180.

Regards,

Mills
 
When I try changing a theme by scrolling the highlighted area using the wheel mouse button (I can't click on an option - the window just disappears) I get the following error message:

Could not load theme. Access denied.

File: C:\Documents and Settings\adminX2\Application Data\Microsoft\Window\Themes\Custom.Theme
 
That message is important. Because you have the NTFS file system, file ownership and security come into play.



Let's see if you can take ownership of this file:

C:\Documents and Settings\adminX2\Application Data\Microsoft\Window\Themes\Custom.Theme


Follow the directions here:

http://support.microsoft.com/kb/308421

See if that helps.
 
I followed the instructions in the MS KB below:

How to take ownership of a file
Note You must be logged on to the computer with an account that has administrative credentials.

To take ownership of a file, follow these steps: 1. Right-click the file that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click Administrator, or click the Administrators group, and then click OK.

The administrator or the Administrators group now owns the file. To change the permissions on the files and folders under this folder, go to step 5.
5. Click Add.
6. In the Enter the object names to select (examples) list, type the user or group account that you want to give access to the file. For example, type Administrator.
7. Click OK.
8. In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
9. When you are finished assigning permissions, click OK.


No security tab under custom.theme located in

C:\Documents and Settings\adminX2\Application Data\Microsoft\Windows\Themes\Custom.Theme
 
Did you read the entire article? For that security tab to show up on files and folders, you have to follow the rest of the directions.
 
Oh yes, I see what you mean. I've now read and followed the entire article and the other article therein.
I had and still have full control of the respective file. Problem situation remains.
 
That's crazy. I use the smitfraudfixutility under Windows normal mode and everything works fine. I restart the machine and problem reoccurs. :sad: :sick:
 