Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

System Stopped (Desktop) [RESOLVED]


  • This topic is locked This topic is locked

#1
Lightbulb

Lightbulb

    Member

  • Member
  • PipPip
  • 31 posts
When I boot up, my background reads:

System stopped ... (other stuff) and basically states I have spyware running
I cannot change my wallpaper.

The problem came up when "Spy Sheriff" somehow got onto my computer. I already removed it but my desktop is still messed up.

Your help would be GREATLY apperciated.

Thanks,


Logfile of HijackThis v1.99.1
Scan saved at 10:59:53 PM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Documents and Settings\sean\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

Edited by Lightbulb, 11 June 2005 - 10:05 PM.

  • 0

Advertisements


#2
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
sorry, didnt mean to bump

Edited by Lightbulb, 11 June 2005 - 10:06 PM.

  • 0

#3
Koretek

Koretek

    Member

  • Member
  • PipPipPip
  • 340 posts
Hiya Lightbulb,
Are you still needing help there buddy?
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Lightbulb and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.


I will have a fix posted for you in a few minutes.



:tazz:


Excal
  • 0

#5
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Go to Start > Control Panel > Add or Remove Programs and remove the following:

SpySheriff

Exit Add or Remove Programs.

Delete the following, in bold, if found:

C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Close HiJackThis.

Copy everything inside the quote box below (starting with REGEDIT4). Paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixspy.reg on your desktop. *Make sure there is NO blank line above REGEDIT4

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-


Double-click fixspy.reg on your desktop. When asked if you want to merge with the registry click YES. After the merged successfully prompt, please reboot your computer.

You should be able to change your desktop back to normal now.

Please Post a new HiJackThis log.
  • 0

#6
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Ok i did what you said and it worked!! Thankyou soo much you guys are soo very helpful. Here is my Hijackthis logfile liked you asked for. Thanks again!


Logfile of HijackThis v1.99.1
Scan saved at 5:08:29 PM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Documents and Settings\sean\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
  • 0

#7
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Lightbulb,

Glad to see it worked :tazz:

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted

please run this online virus scan: ActiveScan - Save the results from the scan!

Please post an Active scan log and a fresh HiJackThis log. Let me know how your computer is running. NOTE It looks like you cut off a portion of your HiJackThis log when you last posted it, please ensure that you have the very top to the very bottom of the log included....thanks ;)
  • 0

#8
Koretek

Koretek

    Member

  • Member
  • PipPipPip
  • 340 posts
Hi Lightbulb,

Isnt that missing part of the scan? The HijackThis should also run from its own folder too and right now I am not sure just where it is did you make that folder or is that indeed a Temp Folder?

If you would like to post an entire scan we can check it out and help you much better Sean!
  • 0

#9
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Being helped in another thread now? alrighty then....lol


Excal
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP