Please help get rid of smitfraud remnants

Are you able to delete the custom.theme file?


There may be more to it than just ownership. Please give me any and all error messages you get when you try to delete custom.theme

I have a FAT32 file system and can't test, but there could be special permissions set on custom theme.


Let's do something we were going to do and haven't yet.

Run filemon
Set the filter to
rundll32.exe

Open display properties. Try to change your desktop wallpaper.

Just let it go as usual.

Then save the log and look for access denied messages.

Or email it to me and I'll have a look.
 
Once I see those Access denied messages we can check the files and/or folders involved using a tool you already have called cacls.
 
Dear Mosaic,

No error messages when deleting custom theme.

I've emailed you two files. The first depicts the system in the state it was after I ran smitfraud.fix - if you remember it corrected the problem when run under WinXP normal mode - and the second file is after I rebooted - with the problem reoccurring.
 
Let's see if regmon gives us anything.

Make sure your display properties doesn't work.


Then set Regmon's filter to rundll32.exe

Open display properties and try to change the wallpaper.

Send me the regmon report please.

You never told me if you are able to change your screensaver or anything else. Is this more than just the wallpaper? This information is important.


When you ran Filemon, did you do it exactly the same as when the error was generated? Did you use the Scroll on the mouse? If not, can you do it that way please.


Also, use search and search for *.theme

Let me know what you find.
 
This has been a long topic. Please be careful to do everything and post all results here.

I'd like to see some registry keys too.

Download and save the zip. Extract the batch it contains (exportit.bat) and then double click on it. When it has finished and the command window closes, there will be a file named themes.txt.

Please upload themes.txt in your next reply here.
 
Hi again,

I am able to change screensaver.

I am unable to change wallpaper or theme.

I will do the tests later on and let you know asap.

thx
 
You sent me two copies of the filemon report by mistake. Can you please double check and send me the real Regmon report? Thanks.
 
I'm not seeing anything in the logs except maybe a possible language issue. And I can't test that here.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures SUCCESS "%USERPROFILE%\Ôá ÝããñáöÜ ìïõ\Ïé åéêüíåò ìïõ"

Does this folder exist?


"%USERPROFILE%\Ôá ÝããñáöÜ ìïõ\Ïé åéêüíåò ìïõ"



When Smitfraudfix runs, it sets your wallpaper to nothing.

Are you saying that then you can go in and change it to anything you like? But then after a restart, you can't?

I had thought you said that you just can't change it at all.

Can you clarify?

What language is your System set to please?

Can you send me a copy of your custom.theme file when you have the problem please?
 
System is in Greek. Yes, I mean that.

After Smitfraudfix runs I can go in and change it to anything I like. After restart, I cannot.
 
That would point to a restriction of some type. But I see nothing in your logs. Regmon shows us what keys are accessed. And it does show that Windows is looking for restrictions which it doesn't find.
This is baffling. And the logs you sent were logs from when you have the problem?

I'll have to give this more thought.
 
We never really did get to the bottom of the regsvr32 themeui.dll problem.


You have tried several things which have fixed the changing wallpaper problem. Then after a reboot it's back. Everything would affect the registry. But Regmon isn't showing us any problems when we monitor. There's only so much Smitfraud does. And removing registry restrictions is the big thing which would affect this problem. But how yours is behaving is strange. With these restrictions in place, the area which shows you the choices would be dimmed and yours is not.


Can you run smitfraudfix again please? As soon as it has finished running, go to Start > Run

Type
regsvr32 /i themeui.dll


Press enter

Does it succeed now?

After a restart, can you try it again?

regsvr32 /i themeui.dll


Do you now get an error?
 
Dear Mosaic,

After running Smitfraud fix I was able to change the wallpaper and successfully register themeui.dll.

After reboot I am unable to change the wallpaper or theme BUT I can successfully register themeui.dll. I no longer get any errors regarding this.

Any ideas?

Thx

Mills
 
Hi,

To tell you the truth, I'm baffled. I have scoured your Regmon and Filemon logs. There is no indication of any restrictions being in place at all. Otherwise I'd say the restrictions have been put back in place. But Regmon shows keys being queried for restrictions with none being found. Filemon shows no access denied on any of the files it accesses either.

Smitfraud and the fix only do so much.

At one point you used a script to disable Active Desktop and that worked for a while too.




Let's have another look at the registry.

Download Registry Search from this link:

http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

Unzip to a folder on the desktop and then run the exe.

For the search, enter

Policies


Press ok

This will take a bit to run. When finished, it will create a text file.

Post the results please.


Then do the same for Restrictions please.


Quick question. When you open display properties and click the desktop tab, is the list of files dimmed out instead of being white?


What does the themes page look like?
 
You use XP Pro, correct?

I do too. Although I have nothing showing in my registry regarding any wallpaper policy and can change mine at will, there's something here. A leftover.

The Policy editor shows a wallpaper policy in effect even though I removed the registry entries I had added earlier.

Can you find the hidden folder:

C:\WINDOWS\system32\GroupPolicy


Inside the Group Policy folder will be these subfolders:
Machine
User
Adm

Open each one and then look for a file named:
Registry.pol

Don't edit them. Please just open in notepad and then see what they say. Or make copies and send them to me.

Let me know which one is from each folder.

Mine has a policy or two still listed. No ill effects here but if you have anything in there, I'll have you open gpedit.msc and properly remove it later. Then we'll see if anything changes.

There are proper ways of doing things in Windows. Sometimes bypassing those can cause problems. It's worth a try.
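
Added example, not part of the thread: Registry.pol is a binary "PReg" file (an 8-byte header followed by UTF-16LE records of the form [key;value;type;size;data]), so a small read-only parser lists leftover policy entries more reliably than reading the file by eye. The function names and the sample bytes below are constructed for illustration; only the file format and the folder path come from real Windows behaviour and the post above.

```python
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"

def w(s):  # PReg text and delimiters are UTF-16LE
    return s.encode("utf-16-le")

def _wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2  # a missing terminator is caught by the next delimiter check
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(data):
    """Return [(key, value_name, type_name, value)] from Registry.pol bytes."""
    if data[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a PReg version 1 file")
    pos, out = 8, []
    while pos < len(data):  # each record is [key;value;type;size;data]
        fields = []
        for is_text, delim in ((1, "["), (1, ";"), (0, ";"), (0, ";")):
            if data[pos:pos + 2] != w(delim):
                raise ValueError(f"expected {delim!r} at offset {pos}")
            val, pos = (_wstr(data, pos + 2) if is_text else
                        (struct.unpack_from("<I", data, pos + 2)[0], pos + 6))
            fields.append(val)
        key, name, rtype, size = fields
        end = pos + 2 + size
        if data[pos:pos + 2] != w(";") or data[end:end + 2] != w("]"):
            raise ValueError("bad or truncated data field")
        raw, pos = data[pos + 2:end], end + 2
        value = (raw.decode("utf-16-le").rstrip("\0") if rtype in (1, 2) else
                 struct.unpack("<I", raw)[0] if (rtype, size) == (4, 4) else raw.hex())
        out.append((key, name, REG_TYPES.get(rtype, str(rtype)), value))
    return out

def wallpaper_policies(entries):  # entries whose value name mentions wallpaper
    return [e for e in entries if "wallpaper" in e[1].lower()]

def _rec(key, name, rtype, raw):  # builds one constructed record
    return (w(f"[{key}\0;{name}\0;") + struct.pack("<I", rtype) + w(";")
            + struct.pack("<I", len(raw)) + w(";") + raw + w("]"))

# Constructed sample, not taken from the thread's machine.
SAMPLE = (b"PReg" + struct.pack("<I", 1)
    + _rec(POL + r"\ActiveDesktop", "NoChangingWallPaper", 4, struct.pack("<I", 1))
    + _rec(POL + r"\Explorer", "NoDriveTypeAutoRun", 4, struct.pack("<I", 145))
    + _rec(POL + r"\System", "Wallpaper", 1, w("C:\\sample.bmp\0")))
```

To check a real machine, read a copy of the Registry.pol file from the User or Machine folder under C:\WINDOWS\system32\GroupPolicy in binary mode and pass the bytes to parse_pol; wallpaper_policies then narrows the list to the entries relevant to this thread.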
 