Smithfraud-C, PSguard and Bestweblinks question

Discussion in 'Malware Help (A Specialist Will Reply)' started by Capt'n Crash, Aug 17, 2005.

  1. Capt'n Crash

    Capt'n Crash Private E-2

    Thanks to the information I found on this site I was able to eradicate these nasty pests but I have one thing left to fix that is bugging me a little bit.

    Although my PC seems to be working fine now and no spyware or viruses are being detected when I boot up Windows 2000, I used to get a light blue background behind the splash screen - please wait...Windows is starting up...preparing network connections etc. Now the background is black (I assume this is a remnant from when the virus changed my desktop background to a black background with the red spyware warning message on it). The black background also persists when Windows is shutting down, when it used to be light blue before my system was compromised. After bootup the wallpaper I normally use is restored and displays properly.

    Can anyone tell me which registry setting controls the background screen color at startup and shutdown so I can reset it to its former light blue again?

    Thanks,
    Dave
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download SmitRem

    Then boot to safe mode and run smitRem.exe and follow the prompts.
    It will create a log at C:\smitfiles.txt - Please attach it to your next message.

    If that does not fix your Desktop, one of our registry patches will more than likely do it. But let's see what the above does first.
     
  3. Capt'n Crash

    Capt'n Crash Private E-2

    Hi Chaslang,

    Thank you for replying. I have attached the log which was generated at the time I was in the process of eradicating the virus.

    I was able to do a little research on the net while at work today and found a site which gave me the registry key that controls the boot screen background colour for all versions of Windows, which I will share:
    HKEY_USERS\.DEFAULT\Control Panel\Colors, where the virus set the value data to "0 0 0", which is black. I was able to reset the value to "58 110 165", which is the light blue I was after, by comparing it with my wife's machine's registry (also running Windows 2000). After a reboot I now get the light blue background at bootup and shutdown.

    If you would like, I can post my HJT log pre and post infection so you can verify that the log is now indeed clean. I am not sure at this point if any other registry settings have been altered which I am not aware of as yet.

    Thanks again for all of the help you are providing on this site. Judging by the number of posts since last evening, it's apparent that you all are very busy helping people combat these nasty bugs.

    Dave
     

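The registry value named in the post above is the one Smitfraud-class infections blank out to black, and the forum's own fix is a registry patch that writes the default back. The script below is an added example, not code from this thread or from MajorGeeks: it audits that value, flags the "0 0 0" tampering, and optionally restores the Windows 2000 default the poster found ("58 110 165"). It assumes the value name under the Colors key is "Background" (a standard Windows value, but not stated in the thread) and that the Windows 2000 default is the one to restore; other Windows versions use a different default, so pass your own with -Default.

```powershell
# Added example (not from the thread): audit and restore the logon/shutdown
# background colour that the Smitfraud infection in this thread set to black.
# Assumptions: the value name is "Background" under the Colors key, and
# "58 110 165" is the Windows 2000 default the poster restored. Run from an
# elevated PowerShell prompt; add -Restore to actually write the default back.

param(
    [switch]$Restore,
    [string]$Default = '58 110 165'   # Windows 2000 light blue; other versions differ
)

$keyPath   = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Colors'
$valueName = 'Background'             # assumed value name (standard Windows value)

# Read the current value; $null if the key or value is missing.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    Write-Warning "Value '$valueName' not found under $keyPath"
    return
}

# The value is a REG_SZ holding three decimal RGB components separated by spaces.
$parts = $current -split '\s+'
if ($parts.Count -ne 3 -or ($parts | Where-Object { $_ -notmatch '^\d{1,3}$' })) {
    Write-Warning "Unexpected format for $valueName`: '$current'"
}

Write-Host "Current $valueName`: '$current'"

if ($current -eq '0 0 0') {
    Write-Host "Background is black - consistent with the Smitfraud desktop hijack in this thread."
} elseif ($current -eq $Default) {
    Write-Host "Background already matches the expected default; nothing to do."
}

if ($Restore -and $current -ne $Default) {
    # Export the key first so the change can be reverted if the default is wrong.
    $backup = Join-Path $env:TEMP 'Colors-backup.reg'
    reg.exe export 'HKEY_USERS\.DEFAULT\Control Panel\Colors' $backup /y | Out-Null
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $Default
    Write-Host "Restored $valueName to '$Default' (backup written to $backup)."
}
```

Run it once without -Restore to see what the value currently holds; the backup export it writes before changing anything is the same kind of .reg file the forum's registry patches are built from, so the change can be undone with a double-click if the chosen default turns out not to match your machine. The logon-screen colour is read from HKEY_USERS\.DEFAULT rather than HKEY_CURRENT_USER, which is why fixing the desktop wallpaper alone (as the poster saw) leaves the black boot and shutdown screens in place.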
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have fixed many of these here on MG's. There are loads of threads with registry patches to fix the desktop issues. See msg # 23 in the thread below:

    http://forums.majorgeeks.com/showthread.php?p=609698&posted=1#post609698


    Are you having any additional problems from this infection? If so, standard cleaning procedures must be run first before we would get to a HijackThis log. I'll give you the full process below if you need it.


    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. Capt'n Crash

    Capt'n Crash Private E-2

    Hello again Chaslang,

    Yes, as I stated in my first post, your forum is a very excellent source of information for removing spyware which provided me with sufficient information through browsing tutorials/stickies/advice on similar HJT logs to eradicate this most invasive virus. I have all the latest Win2k updates, Ad-Aware pro along with SB S&D and Antivirus Personal Classic installed and this bug steamrolled right over them and infected my system.

    I have performed the recommended cleaning processes in the tutorials and done the recommended online scans using Trend Micro, which indicated the system is no longer compromised. I did not however install ewido as recommended in some of the posts or import any of the registry fixes you provided a link to. I also went into Control Panel and reset all my internet settings back to default (medium on the slider bars?) for each icon.

    I installed the latest version of HJT and fixed the suspect log entries in safe mode, ran SmitRem, antivirus, SB S&D and Ad-Aware in safe mode, rebooted, ran HJT, and I think the log looks pretty good now with all things Win2k/internet running smoothly as before.

    Attached is the HJT log file after performing the cleaning procedures recommended here.

    Let me know if you think my HJT log is clean.

    Thanks again,
    Dave
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME FIRST no longer has Trend Micro as the online scanner. You should always be referring to the one in the thread not something you may have saved. The READ ME does change frequently. The two online scanners are now BitDefender and RavAntivirus (which you have not run).

    That said, I see no visible signs of any problems. Are you having any?
     
  7. Capt'n Crash

    Capt'n Crash Private E-2

    Hi Chaslang,

    Thanks for the info regarding the READ ME FIRST update. RavAntivirus gives me an all clear, so I guess I'm good to go!
    Thanks again for helping me out and also for the favorable report on my HJT log. My system has been running well again with no problems that I can detect.

    Have a great weekend!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Enjoy your weekend too!
     
