Desktop gone



maryd3954
2005-11-04, 08:19
After running Spybot, it found 3 "red" problems that it said I needed to remove. They were Windows Security Center firewall related. After removing them and shutting the computer down, we couldn't boot up again and get the desktop. We had lost Windows startup files that load the desktop. This has happened 3 times now. What's going on?
Spybot said that these files were threats. Please help. :(

David Arnatt
2005-11-04, 08:27
I have never seen problems like this running Spybot on any of the computers / laptops here.

Put in your XP CD and do a system restore, scan again but don't remove, and see if it finds the files again.

I am not sure if the program has a bug or if it was a one-off incident (someone from the Spybot team can help with that one).

Just do a system restore and check if it finds the files again, and post back with what they are.

maryd3954
2005-11-05, 06:00
I'm pasting the report that Spybot found. I think when I fix the 2 files that are 'FirewallDisableNotify', I lose my Windows startup, but I don't know. The AproposMedia and the IE plugin are new from today, so I don't think those were the real problem.
Thanks!



--- Search result list ---
AproposMedia: Program directory (Directory, nothing done)
C:\Documents and Settings\Larry and Mary\Local Settings\Application Data\..\Temp\AutoUpdate0\

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

IE Plugin: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp

PSGuard.msmsgs: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

LonnyRJones
2005-11-05, 16:21
Hi

PSGuard is tough to fix; I suggest posting in one (only one) of these forums:

You will need to go to a forum that specifically removes malware; we are not currently set up to do so.
A good place to start:
http://asap.maddoktor2.com/
Choose a site from the list on the left hand side of that page.
It is a long list so to shorten it in no particular order:
TomCoyote
MalWare Removal
Atribune.org
BleepingComputer
Spyware Warrior
Subratam.org
Once at the site read the procedure for posting a HJT log, start your own topic and an authorized helper will assist you as soon as possible.
Be sure to read the site's faqs for tips on prevention and tightening up your computer security.
Good luck.


Edit:
As we now have a Malware forum members should do the following if they wish to be guided through the removal of infections.

If you are not being helped at another site, please follow these instructions.
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)

Start a topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Someone will then take a look at the system and advise you as soon as available to do so.
tashi

split
2005-11-23, 15:30
To remove PSGuard, have a look over http:
URL removed, as this topic has been revived again, see: "BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)



PSGuard re-installs itself, so it has to be done in safe mode :(

A bit of further information.
I have seen an antivirus scan that picks up all the wininet.dlls dropped by P.S.Guard.

It won't get rid of P.S.Guard though.
It reads....

C:\Program Files\P.S.Guard\database.pkg
Some files of this archive could not be scanned because they are protected by a password. These files will be scanned by the real-time protection the first time the password is entered. If you want to scan them now, remove the password protection.

Files scanned: 62314
Total infected files: 76
Total disinfected files: 0
Total deleted files: 76
Total files unable to scan: 1


P.S.Guard appears password protected, so it won't be removed by a virus scan.

triangle
2006-03-25, 03:25
Greetings,

If you don't want to reinstall Windows I suppose you can restore the files, even if they were erased. Boot Disk CD image data tools set for data backup, restore and can help. One of its tools is Uneraser, a really powerful DOS data recovery utility. It should be able to restore vital files back so your problem is solved.

http://www.ntfs.com/boot-disk.htm

dat34
2006-09-26, 20:01
If you "fix" the entry for:

PSGuard.msmsgs: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe

you will lose your desktop. This is a false positive and should not be "fixed". You can correct this by replacing the Explorer.exe value in that key. I just had to do this on a Windows 2000 machine. After rebooting and logging in, I never got a desktop. The following should work in Windows 2000 and Windows XP:

After logging in, press "CTRL-ALT-DEL" to bring up Task Manager. Select "File", then "New Task (Run)". In the "Open:" box, type explorer.exe and hit OK if you want to browse to your Spybot S&D folder and launch the program to recover the key. If you are familiar with using Regedit, you can run Regedit from Task Manager and manually enter the value in the Shell key.
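
Added example, not part of the thread and not Spybot's own code: a small Python parser for the report format pasted above that lists entries under the Winlogon key, the one the last post ties to the lost desktop, so they can be reviewed by hand before anything is "fixed". The function names are hypothetical, and splitting the second line at `!=` into value path and listed data is an assumption about the report notation.

```python
import re

# Constructed sample: three entries in the format of the report pasted in the thread.
SAMPLE_REPORT = r"""--- Search result list ---
AproposMedia: Program directory (Directory, nothing done)
C:\Documents and Settings\Larry and Mary\Local Settings\Application Data\..\Temp\AutoUpdate0\

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

PSGuard.msmsgs: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe
"""

# First line of an entry: "<name>: <category> (<kind>, <action>)"
HEADER = re.compile(r"^(?P<name>[^:]+): (?P<category>.+) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$")
# Key that holds the Shell value discussed in the thread (compared case-insensitively).
WINLOGON_SUFFIX = r"\windows nt\currentversion\winlogon"

def parse_report(text):
    """Return one dict per entry: header fields plus target key/path, value name, listed data."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            current = None          # blank line or banner ends the current entry
            continue
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), target=None, value=None, listed=None)
            entries.append(current)
        elif current is not None and current["target"] is None:
            path, sep, listed = line.partition("!=")
            current["target"] = path
            if sep:                 # registry value: split key from value name
                key, _, value = path.rpartition("\\")
                current.update(target=key, value=value, listed=listed)
    return entries

def triage(text):
    """Entries that change a value directly under Winlogon: review by hand before fixing."""
    return [(e["name"], e["value"], e["listed"]) for e in parse_report(text)
            if e["kind"] == "Registry change"
            and (e["target"] or "").lower().endswith(WINLOGON_SUFFIX)]

if __name__ == "__main__":
    for name, value, listed in triage(SAMPLE_REPORT):
        print(f"review before fixing: {name} -> Winlogon\\{value} (listed: {listed})")
```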