
Thread: Desktop gone

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Location
    Boulder Creek, Ca
    Posts
    3

    Default Desktop gone

    After running spybot, it found 3 "red" problems that it said I needed to remove. They were Windows Security Center firewall related. After removing them and shutting the computer down, we couldn't boot up again and get the desktop. We had lost windows startup files that load the desktop. This has happened 3 times now. What's going on?
    Spybot said that these files were threats. Please help. :(

  2. #2
    Junior Member
    Join Date
    Nov 2005
    Location
    Perth, Western Australia
    Posts
    20

    Default

    I have never seen problems like this running Spybot on any of the computers / laptops here.

    Put in your XP CD and do a system restore, scan again but don't remove, and see if it finds the files again.

    I am not sure if the program has a bug or if it was a one-off incident (someone from the Spybot team can help with that one).

    Just do a system restore and check if it finds the files again and post back with what they are.

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Location
    Boulder Creek, Ca
    Posts
    3

    Default desktop gone

    I'm pasting the report that Spybot found. I think when I fix the 2 files that are 'FirewallDisableNotify', I lose my Windows startup, but I don't know. The AproposMedia and the IE plugin are new from today, so I don't think those were the real problem.
    Thanks!



    --- Search result list ---
    AproposMedia: Program directory (Directory, nothing done)
    C:\Documents and Settings\Larry and Mary\Local Settings\Application Data\..\Temp\AutoUpdate0\

    Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

    Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

    IE Plugin: User settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp

    PSGuard.msmsgs: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    PSGuard is tough to fix, I suggest posting in one (only one) of these forums:
    You will need to go to a forum that specifically removes malware; we are not currently set up to do so.
    A good place to start:
    http://asap.maddoktor2.com/
    Choose a site from the list on the left hand side of that page.
    It is a long list so to shorten it in no particular order:
    TomCoyote
    MalWare Removal
    Atribune.org
    BleepingComputer
    Spyware Warrior
    Subratam.org
    Once at the site read the procedure for posting a HJT log, start your own topic and an authorized helper will assist you as soon as possible.
    Be sure to read the site's faqs for tips on prevention and tightening up your computer security.
    Good luck.
    Edit:
    As we now have a Malware forum members should do the following if they wish to be guided through the removal of infections.

    If you are not being helped at another site, please follow these instructions.
    Before you post a log, and who will advise you.

    Start a topic here:
    Malware Forum

    Someone will then take a look at the system and advise you as soon as available to do so.
    tashi
    Last edited by tashi; 2006-03-25 at 04:14. Reason: Added information as topic was revived

  5. #5
    Junior Member
    Join Date
    Nov 2005
    Posts
    2

    Default PSGuard removal

    To remove PSGuard, have a look over http:
    URL removed, as this topic has been revived again, see: "BEFORE you POST" -Preliminary Steps



    PSGuard re-installs itself, so it has to be done in safe mode :(

    A bit of further information.
    I have seen an antivirus scan that picks up all the wininet.dlls dropped by P.S.Guard.

    It won't get rid of P.S.Guard though.
    It reads....

    C:\Program Files\P.S.Guard\database.pkg
    Some files of this archive could not be scanned because they are protected by a password. These files will be scanned by the real-time protection the first time the password is entered. If you want to scan them now, remove the password protection.

    Files scanned: 62314
    Total infected files: 76
    Total disinfected files: 0
    Total deleted files: 76
    Total files unable to scan: 1


    P.S.Guard appears password protected, so it won't be removed by a virus scan.
    Last edited by tashi; 2006-09-26 at 20:11. Reason: Removed url, added link

  6. #6
    Junior Member
    Join Date
    Mar 2006
    Posts
    1

    Default

    Greetings,

    If you don't want to reinstall windows I suppose you can restore the files, even if they were erased. Boot Disk CD image data tools set for data backup, restore and can help. One of its tools is Uneraser, a really powerful DOS data recovery utility. It should be able to restore vital files back so your problem is solved.

    http://www.ntfs.com/boot-disk.htm

  7. #7
    Junior Member
    Join Date
    Sep 2006
    Posts
    1

    Exclamation RE:desktop gone

    Quote: Originally Posted by maryd3954
    I'm pasting the report that Spybot found. I think when I fix the 2 files that are 'FirewallDisableNotify', I lose my Windows startup, but I don't know. The AproposMedia and the IE plugin are new from today, so I don't think those were the real problem.
    Thanks!



    --- Search result list ---
    AproposMedia: Program directory (Directory, nothing done)
    C:\Documents and Settings\Larry and Mary\Local Settings\Application Data\..\Temp\AutoUpdate0\

    Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

    Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

    IE Plugin: User settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp

    PSGuard.msmsgs: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    If you "fix" the entry for:

    PSGuard.msmsgs: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe

    you will lose your desktop. This is a false positive and should not be "fixed". You can correct this by replacing the Explorer.exe value in that key. I just had to do this on a Windows 2000 machine. After rebooting and logging in, I never got a desktop. The following should work in Windows 2000 and Windows XP:

    After logging in, press "CTL-ALT-DEL" to bring up task manager. Select "File", then "New Task (Run)". In the "Open:" box, type explorer.exe and hit OK if you want to browse to your Spybot S&D folder and launch the program to recover the key. If you are familiar with using Regedit, you can run Regedit from Task Manager and manually enter the value in the Shell key.
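
The report format pasted in this thread can be triaged before anything is "fixed". The following is an added example, not part of any post and not Spybot's own code: it parses the report entries and flags registry changes that touch the Winlogon `Shell` value, the one the last post ties to the missing desktop. The function names, the `LOGON_CRITICAL` set and the reading of the text after `!=` as comparison data are assumptions.

```python
import re

# Constructed sample: entries copied from the Spybot report quoted in the thread.
REPORT = r"""
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

IE Plugin: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp

PSGuard.msmsgs: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe
"""

# "<product>: <what> (<kind>, <status>)" header that precedes each target line.
HEADER = re.compile(r"^(?P<name>.+?): (?P<what>.+) \((?P<kind>[^,]+), (?P<status>[^)]+)\)$")

# Assumption: (subkey, value) pairs that decide what runs at logon; the thread
# names only Winlogon\Shell, so that is the only member here.
LOGON_CRITICAL = {(r"software\microsoft\windows nt\currentversion\winlogon", "shell")}


def parse_report(text):
    """Return one dict per report entry, splitting registry targets into parts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for header, target in zip(lines, lines[1:]):
        m = HEADER.match(header)
        if not m:
            continue  # target lines and banners are not headers
        entry = dict(m.groupdict(), target=target, logon_critical=False)
        if entry["kind"] == "Registry change":
            # Assumption: text after "!=" is the data the scanner compares against.
            path, _, compare_data = target.partition("!=")
            key, _, value = path.rpartition("\\")
            hive, _, subkey = key.partition("\\")
            entry.update(hive=hive, subkey=subkey, value=value, compare_data=compare_data)
            entry["logon_critical"] = (subkey.lower(), value.lower()) in LOGON_CRITICAL
        entries.append(entry)
    return entries


def needs_review(entries):
    """Names of entries to inspect by hand before letting a tool change them."""
    return [e["name"] for e in entries if e["logon_critical"]]


if __name__ == "__main__":
    for name in needs_review(parse_report(REPORT)):
        print("review before fixing:", name)
```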
