Any ideas where I go from here? Do you know of any W2K fix-it forums?
I couldn't think of the word earlier, but in addition to registry settings and permissions, I think this may be a "policies" issue, wherein a policy setting is in effect which locks me out of altering the desktop and IE toolbar.
Thanks,
Milehighguy
Logfile of HijackThis v1.99.1
Scan saved at 4:03:41 PM, on 6/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Try posting your problem in the Windows 2000 Forum here on DELL
This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Instructions for - Spybot S & D and Ad-aware
Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Bertha2
711 Posts
0
June 3rd, 2005 08:00
Hey milehigh,
I'm sure I helped you out before??
Anyway, as you said you have tried fixing items in HJT (which is not what we advise), it's best if we do the following:
Run HJT, config, Backups, Check all items, Restore.
Now run HJT again and post the Log back here
Bertha2
milehighguy
28 Posts
0
June 3rd, 2005 16:00
Hello,
Unfortunately, I have no applicable backup. Although I've used this forum before, I didn't even know about the backups option on HJT until recently.
So I was hoping a return to the Microsoft defaults for desktop and IE toolbar permissions would restore functions ...
Milehighguy
Bertha2
711 Posts
0
June 3rd, 2005 18:00
Have you attempted to fix anything yourself though using HJT?
Bertha2
milehighguy
28 Posts
0
June 3rd, 2005 20:00
Hi,
Not so far as the desktop and IE issues are concerned, no. In fact, the computer scans clean. That's why I'm thinking this may be a permissions or desktop/wallpaper settings issue now - I've found many references to post-cleanup desktop wallpaper lockup in various malware forums.
It's as though my Windows 2000 system had switched over to a new desktop format or setting. When I right-click on the desktop, the menu begins with the "Active Desktop" drop-down menu which I don't recall seeing before (or maybe I always ignored it). In that menu, under "Customize Desktop/Display Properties/Web", I can in fact choose a desktop-sized image to become my desktop wallpaper, and it will do so. In other words, I seem to have switched to a whole new way of choosing wallpaper. But all choices under the Background tab are grayed out. I can't choose an image there, or tile or stretch etc.
Meanwhile, the same "Web" window has the choice "Show Web Content on my Active Desktop" chosen but grayed out (unalterable), and - oops - here's something I didn't notice before ... under Appearance, the Item "Desktop" is indicated to be ... the color black!
Maybe this is where the black desktop is coming from?
So I keep thinking I just need to recover the default Windows 2000 desktop/wallpaper/IEtoolbar settings or permissions or whatever. Perhaps this is a "policies" setting? That for some reason when I log on, I no longer have permission to alter these items? (Many companies want their cubicle computers' wallpaper to be the company logo, and they don't want employees changing it, so they lock them out of altering the wallpaper.)
Thanks,
Milehighguy
Bertha2
711 Posts
0
June 4th, 2005 20:00
Please post a new HJT Log
Bertha2
milehighguy
28 Posts
0
June 5th, 2005 01:00
Scan saved at 8:51:25 PM, on 6/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\11Wave\WaveBuddy WLAN Card & Adapter Utility\WlanMonitor.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} -
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Acrobat Assistant.lnk = Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Configuration & Monitor Utility.lnk = 11Wave\WaveBuddy WLAN Card & Adapter
O8 - Extra context menu item: Open Image in New Window - res://C:\Program
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{742D85CE-90EE-4A2B-B6E6-B62C03C94EB0}: NameServer =
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GoToMyPC - Unknown owner - \\Jesse\jesse\Program Files\Expertcity\GoToMyPC\g2svc.exe"
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. -
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
Bertha2
711 Posts
0
June 5th, 2005 17:00
Run Hijackthis and check the following:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
Now with all windows closed click "fix"
This is all I see wrong in your Log, post a new one back here
Bertha2
milehighguy
28 Posts
0
June 5th, 2005 21:00
Scan saved at 4:03:41 PM, on 6/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\11Wave\WaveBuddy WLAN Card & Adapter Utility\WlanMonitor.exe
C:\Program Files\DVD2SVCD\DVD2SVCD.exe
C:\Program Files\TMPGEnc-Cracked\TMPGEnc.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Acrobat Assistant.lnk = Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Configuration & Monitor Utility.lnk = 11Wave\WaveBuddy WLAN Card & Adapter Utility\WlanMonitor.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{742D85CE-90EE-4A2B-B6E6-B62C03C94EB0}: NameServer = 67.97.234.4,151.164.1.8
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GoToMyPC - Unknown owner - \\Jesse\jesse\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
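Added example, not part of the original posts: a small Python check that compares a HijackThis log taken before a fix with the one taken after it, to confirm that the entry selected for fixing is gone and nothing new appeared. The sample lines are a subset copied from the two logs in this thread; the function names are made up for this example, and entries are matched on their CLSID (or on the text before the first " - ") because the first paste has truncated paths.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # "O16 - DPF: ..." style lines
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample input: a subset of lines copied from the two logs in this thread.
BEFORE = r'''Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O23 - Service: GoToMyPC - Unknown owner - \\Jesse\jesse\Program Files\Expertcity\GoToMyPC\g2svc.exe"
'''
AFTER = r'''Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: GoToMyPC - Unknown owner - \\Jesse\jesse\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
'''

def parse_entries(log_text):
    """Map (section, identity) -> detail for each entry line; skip header and process list."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        guid = GUID.search(detail)
        # Identity survives a truncated path: CLSID if present, else the leading field.
        ident = guid.group(0).upper() if guid else detail.split(" - ")[0]
        entries[(section, ident)] = detail
    return entries

def diff_logs(before, after):
    """Return (removed, added) entry keys between two logs."""
    old, new = parse_entries(before), parse_entries(after)
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    return removed, added

def missing_files(log_text):
    """Entries HijackThis itself marked '(file missing)', i.e. stale references."""
    return sorted(k for k, d in parse_entries(log_text).items()
                  if d.endswith("(file missing)"))

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", removed)
    print("added:  ", added)
    print("stale:  ", missing_files(AFTER))
```

This compares which entries exist, not their values, so a changed O17 NameServer list would not show up here.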
Bertha2
711 Posts
0
June 6th, 2005 07:00
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Managing Windows Millennium System Restore
or
Windows XP System Restore Guide
re-enable system restore with instructions from tutorial above
Instructions for - Spybot S & D and Ad-aware
Follow this list and your potential for being infected again will reduce dramatically.
milehighguy
28 Posts
0
June 7th, 2005 03:00
http://www.microsoft.com/resources/documen...entry/93252.asp
and:
http://www.microsoft.com/resources/documen...entry/93214.asp
What I ended up doing was deleting the registry entries for:
HKCU/Software/Microsoft/Windows/Current Version/Policies/...
Active Desktop/NoChangingWallpaper ("If the value is 0 (or not in the registry) the policy is disabled or not configured. Options on the Background tab are enabled." Since the value was 0, yet options in the Background tab were NOT enabled - I opted to delete the entry altogether.
and
System/Wallpaper ("If this entry does not appear in the registry, no wallpaper is displayed by default, but users can select the wallpaper of their choice.")
Voila. Full control restored.
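Added example, not part of the original post: a Python scan of a registry export (.reg text) for the two per-user policy values named above, reporting whether each one is actually in force. It follows the documentation quoted in the post: `NoChangingWallPaper` only restricts when non-zero, while the `Wallpaper` policy entry counts as set whenever it is present. The export text and the bitmap path in it are constructed sample data, and `desktop_locks` is a name made up for this example.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
VALUE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample export (not taken from the poster's machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\black.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if key and m:
            yield key, m.group(1), m.group(2)

def desktop_locks(text):
    """Return (subkey, name, raw_data, enforced) for the wallpaper policy values."""
    findings = []
    prefix = POLICIES.lower() + "\\"
    for key, name, data in parse_reg(text):
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):].lower()
        if (sub, name.lower()) == ("activedesktop", "nochangingwallpaper"):
            # 0 or absent means the restriction is off; any other DWORD turns it on.
            enforced = data.lower().startswith("dword:") and int(data[6:], 16) != 0
        elif (sub, name.lower()) == ("system", "wallpaper"):
            # Presence alone sets the policy, whatever the path is.
            enforced = True
        else:
            continue
        findings.append((sub, name, data, enforced))
    return findings

if __name__ == "__main__":
    for sub, name, data, enforced in desktop_locks(SAMPLE):
        print(f"Policies\\{sub}\\{name} = {data} -> {'ENFORCED' if enforced else 'not enforced'}")
```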