something very wrong



#1
whyme

Desktop is still covered with a blue screen that displays the icons I have added since downloading some scanners and cleaning products suggested by this forum. Icons, for some reason, double on the desktop during installation. My normal operating programs are not showing on the desktop, as they should, but I can reach them through the Start menu. Interestingly, the right-click option does not work on the desktop and the date and time are one day behind. Here is the log. Please, please help.
Logfile of HijackThis v1.99.1
Scan saved at 11:43:55 AM, on 4/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\23c929be5c0510672389df589a274f77\update\update.exe
C:\WINDOWS\explorer.exe
C:\DOCUMENTS AND SETTINGS\JEFF\DESKTOP\HijackThis-3.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3CEB9-E8A8-47C5-A08B-FC74C2C80C58}: NameServer = 68.42.244.5,68.42.244.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3CEB9-E8A8-47C5-A08B-FC74C2C80C58}: NameServer = 68.42.244.5,68.42.244.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3CEB9-E8A8-47C5-A08B-FC74C2C80C58}: NameServer = 68.42.244.5,68.42.244.6
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

#2
Lightninghawk
Hi, I'm not sure who gave you suggestions before, but here's what you can do and it should at least solve your spyware problems.
I am assuming that you are running Windows XP.

1. While in normal mode ---
Click "Start" --> "Run" --> type "msconfig" --> check the box that says "Normal Startup (devices & drivers only)" --
--[this will allow nothing else to start-up when you boot your computer] -- --
--> Restart your computer in "safe mode"
[to do so press "F8" when your computer first turns on]
--> When in safe mode run your Hijackthis, Since the programs are no longer running it will be able to delete them...

You can select everything in the list if you like and click fix selected, or you can go through and select your choice. Either way it will get the job done without deleting needed files. HJT has a feature that searches out mistakes made by the user in the selection process. I discovered this by accident, but it is now how I use HJT.

Other Programs you should consider using are
-- Ad-aware SE www.lavasoft.com
-- Spybot - Search & Destroy
You already have AVG :tazz:

Also, after you fix selected on your log, rescan to see what is left and repost it.

When you complete these steps be sure to go and entirely delete the Webroot folder if it is still there.

C:\Program Files\Webroot

Hope that this was helpful. Let me know if there is anything else I can help you with.

#3
whyme
Thank you for helping me. I did what you instructed, and the screen remains blue, with only 'newly' added icons on display. Almost all scanning programs, including the antivirus, have now left the tray. Does that mean they are no longer operating? Here is the new log. Any suggestions on what could be wrong, and why my desktop is out of whack?

Logfile of HijackThis v1.99.1
Scan saved at 1:10:39 PM, on 4/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09f90ca71f121fc242fc1d513238d41e\update\update.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\DOCUMENTS AND SETTINGS\JEFF\DESKTOP\HijackThis-3.exe

O15 - Trusted IP range: 64.62.171.156
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
  • 0
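
An added example, not part of the original thread and not HijackThis's own code: a small Python parser that diffs two HijackThis scans, run here on lines excerpted from the logs in posts #1 and #3, to show which items the "fix selected" pass removed and which survived it. The function names are made up for this illustration.

```python
import re
from collections import Counter

# A HijackThis item line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ITEM = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_items(log_text):
    """Return the set of (section, detail) pairs found in one HijackThis log."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM.match(line.strip())
        if m:
            items.add((m.group(1), m.group(2).strip()))
    return items

def diff_scans(before, after):
    """Split items into those a fix pass removed, those that survived, and new ones."""
    a, b = parse_items(before), parse_items(after)
    return {"removed": sorted(a - b), "kept": sorted(a & b), "new": sorted(b - a)}

def per_section(entries):
    """Count entries per section code, e.g. {'O15': 1, 'O23': 1}."""
    return dict(Counter(section for section, _ in entries))

# Lines excerpted from the first scan (post #1) and the rescan (post #3).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""
AFTER = r"""Logfile of HijackThis v1.99.1
O15 - Trusted IP range: 64.62.171.156
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

if __name__ == "__main__":
    result = diff_scans(BEFORE, AFTER)
    for status in ("removed", "kept", "new"):
        print(status, per_section(result[status]))
        for section, detail in result[status]:
            print("   ", section, "-", detail)
```

On these excerpts the removed set includes the AVG7_CC Run entry and the Adobe Reader BHO alongside the O1 Hosts line, while the O15 trusted IP range and the O23 "file missing" service are still present in the rescan.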

#4
whyme

Forgot to mention, could not delete the Webroot spyware program. The error said access denied because part of the file is in use. Also, I do have those other products. Are they not operating?

#5
Lightninghawk
They are operating. Not currently but they are operational. When I had you change your startup it removed them from startup. That is why they do not show in your icon tray currently.

Why your screen is just solid blue I do not understand.
What OS does your system have?

Is it just the background that is blue?
Is there a possibility that your graphics card may be bad?

Also, when did this problem first occur?
Who helped you?
Was it in this forum? If so what is the forum link so that I can read it?

Please answer these questions.

If you use the fast reply option you can continue viewing the topic while you reply. This way you can revert back to this post to see the questions.

#6
whyme
I am using XP. I believe the graphics card is fine, because everything works.
The problem first appeared Thursday night. Thursday night I uploaded the Webroot spyware removal program and set Firefox to be my default browser. I logged back in after making these changes and still had a dialogue box appear that said "Is your computer infected with spyware?" with a yes or no option. Regardless of which option I would choose, the horeserver browser would eventually appear. Through my own investigation I may have discovered that I had the open32.exe problem and was attempting to fix it by deleting the file from the program list, but of course it did not work. While attempting to make corrections, the screen went red and displayed a spyware removal ad in the center. The red screen superimposed over my desktop, displaying only My Computer, My Documents, the Recycle Bin and My Network Places folder. After this happened I went to the Task Manager and looked at the processes. They were pulsating inside the Task Manager and so I began to remove processes that were added since my change to Firefox and adding the Webroot spy removal system. The red screen eventually went away, but instead of bringing up my original desktop, it turned to the blue color and showed only the same icons as I mentioned above. Friday at work I entered 'open32.exe' into a Google search and found this site. It took me right to a problem that sounded like mine, offered by someone named "Mort". I then registered and went through the five steps before posting my log. However, while downloading and installing these programs, I noticed that I got two icons for each new program on my 'new' desktop. I ran through the five steps yesterday as closely as possible, but had trouble finding the MSO Explot fix and so I have not done that. This morning I posted and finished the steps suggested to "Mort", by doing the HSFix.bat in safe mode, ran the CleanUp program as directed and I still have this darned blue screen.
While it is entirely possible that I did something to screw up the desktop, I am concerned about the duplicate icons when installing new programs. Of course I don't expect anyone to work a miracle, but I am hoping for one.

#7
Lightninghawk
Well, keep praying for a miracle. :tazz: It still might happen. If I were you I would definitely uninstall Webroot. Also, since you have been installing programs, you might want to send me a list of the programs on your Add/Remove Programs list. Not things like AVG, things that you know for a fact are supposed to be there, but things that look suspicious and are rarely used, or use extremely high or low amounts of space, on the right-hand side of the Add/Remove Programs dialogue box.
To get there:

Click "start" --> Control Panel --> Add/remove Programs.

I am at work so it may be a few minutes before I post again.

#8
whyme
I have removed the Webroot Spy Sweeper program. This is the only way I could think of to show you my program screen. Hope this helps. If there is a better way please let me know. I really appreciate your time.

Attached Files



#9
Lightninghawk
Good job. I didn't expect a print screen :tazz: Do me a favor though and scroll down it and make a couple more so I can see the whole list ;). Good thinking, and that "Cleanup" can go.

#10
whyme
CleanUp is gone!
Three sheets make the whole of what is on this page. The first of the second page is also the last of the first page. The third page has a program highlighted. This program is the last of the second page. Let me know if I can do more to help you help me.

Attached Files



#11
whyme
A bump for my convenience please.

#12
Lightninghawk
Spyware Doctor 3.2: I've never heard of it, so I'm not sure if it's any good. Everything else looks fine. Again, good job on thinking of that.

Back to your problem. :tazz:
Can you change the background of your computer or what? I mean, is the blue part just an unusual tint, or what?
Maybe something just changed your background... hard to do, but it's possible.

Sorry it took so long to reply, I work at a hospital lab so when it gets busy I can't touch a computer.

You did say that you ran Ad-Aware and Spybot in safe mode, right?

And are you familiar with regedit?

Edited by Lightninghawk, 02 April 2005 - 03:23 PM.


#13
whyme
First, don't worry about time, I am sure the people you are helping are in more dire need than I. Besides, it gave me time to clean up the manuals and papers of instruction piled too high, so now I can build a shrine in here to you when you help me fix this problem. Second, I did not run Ad-Aware or Spybot in safe mode, only in normal, so I will do that next. Peculiar, number 3. I went to the Control Panel to try and change my theme or desktop and it will not budge from the blue color. It does not accept the theme change or the background change. It does accept a color change, but the change merely outlines the icons, leaving the rest of the desktop in solid blue. Again, my major concern is that all the programs I use have icons on the desktop that are no longer available. Not that it has hampered my ability to use them, it just makes it seem that there is somebody on my computer, hiding my desktop from me. Did I mention the date in the tray is one day behind? You think that tells us anything? If possible, could you let me know right away if I should run those programs in safe mode or do you want me to wait for your further analysis?

#14
Lightninghawk
I think you should run them in safe mode. Also if this does not work you may want to consider a system restore. If you know how to work it then just take your computer back a day or two before everything happened... Only if running the programs in safe mode does not work.

I will return shortly. I'm getting off work now.

#15
whyme
I ran Search & Destroy and Ad-Aware in safe mode. Both came up clean. I have not heard of regedit. I am curious. I am concerned that if I do a system restore, the garbage that was on my computer before I ran all of these scans last night will return. All these scans found substantial junk and it now seems as if it is all cleared out. The computer is flying around now, so speed is not a factor. Incidentally, when I rebooted into normal mode, my background did change color, but it still will not let me into the Windows XP background. This makes me wonder if in my absent-minded haste to rid myself of the original red spyware ad that ate my desktop, I accidentally deleted a file that supported my desktop integrity. Any thoughts on the date change? This may sound stupid but I thought it might have suggested an intrusion by someone on the other side of the international date line, who is borrowing my resources (whatever that means). What do you suggest next?