1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Missing text on desktop and blank error messages

Discussion in 'Virus & Other Malware Removal' started by hammernb, Nov 23, 2010.

Thread Status:
Not open for further replies.
  1. hammernb

    hammernb Thread Starter

    Nov 23, 2010
    I have recently ran into a most interesting problem. I have missing text on my desktop, in folders, and in the Start Menu. I assumed that I had a virus of some kind so I used DBAN on my drive. I actually used it three times and then re-installed windows XP Pro SP3. However in the morning (after my computer does it's standard 3am full virus scan) I am having the same problem. It seems that the only way to correct the problem is to force shutdown my computer and reboot.

    Please note: That when I noticed this problem it was actually occurring on all 4 of my networked computers. After i noticed it happening on all 4 computers I shut them all down, changed my routers password, randomly picked one computer to DBAN 3x, and never allows the 3 infected computers to touch the network where the 1st computer was located. After DBAN had finished I re-installed the OS and got it back up and running. I did my standard antivirus (Avira, Lavasoft, Spybot, & Spyware Blaster) installs and set Avira to update everyday at 3pm and perform a full scan for viruses at 3am. The following morning after the computer was well since finished with the 3am scan i found that it was still doing the same exact thing with text missing under icons on the desktop and in folders and error messages were popping up with nothing in them.

    Also please note: All four computers have entirely different hardware, all four computers are running Windows XP (3 are running Pro and 1 is running Home), all four have Avira (Update at 3pm, full scan at 3am), Lavasoft, Spybot, & Spyware Blaster, all four have shared folders with one another, and the three infected computers have been turned off and unplugged since i started working on the randomly selected one to have it's drive wiped and re-installed with Windows XP.

    Following is my hijack this log for that computer after it had been rebuilt:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:19:05 AM, on 11/21/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\HFXP2\hfxp.exe
    C:\Program Files\AirVideoServer\AirVideoServer.exe
    C:\Documents and Settings\Bryon J. Hammer\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\NoSleepHDv2.0 (Fixed)\NoSleepHDv2.0.exe
    C:\Program Files\xSleep\xSleep.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Orb Networks\Orb\bin\Orb.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Bryon J. Hammer\My Documents\Downloads\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    O4 - HKLM\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe" --background
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [hfxp] C:\Program Files\HFXP2\hfxp.exe
    O4 - HKCU\..\Run: [AirVideoServer] C:\Program Files\AirVideoServer\AirVideoServer.exe
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Bryon J. Hammer\Application Data\Dropbox\bin\Dropbox.exe
    O4 - Startup: Shortcut to NoSleepHDv2.0.exe.lnk = C:\Program Files\NoSleepHDv2.0 (Fixed)\NoSleepHDv2.0.exe
    O4 - Startup: Shortcut to xSleep.exe.lnk = C:\Program Files\xSleep\xSleep.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1290189153078
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    End of file - 8882 bytes

    Any assistance is greatly needed and appreciated
  2. hammernb

    hammernb Thread Starter

    Nov 23, 2010
    before I used DBAN to wipe my drive I did get a positive virus scan for trojan.win32.generic!BT. I disabled System Restore before the wipe.
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Aug 27, 2003
    What file was detected as trojan.win32.generic!BT?

    The common denominator seems to be Avira. I think you're seeing the effects of a memory leak bug in Avira.

    I also see that you have Avira plus Microsoft Security Essentials and you shouldn't have two anti-virus programs as they will conflict with each other.

    I would recommend uninstalling Avira and see if the problem you're experiencing is solved as a first course of action.
  4. hammernb

    hammernb Thread Starter

    Nov 23, 2010
    The positive detection of the Trojan was an mp3 file that I had download from the net. I simply deleted it. And you suggestion about Avira was correct. I uninstalled Avira and Microsoft Security Essentials and installed AVG and have not had a single problem on my 4 computers or network since then. I can sure tell you that it looked like a Trojan but in fact is was a simple memory leak. I have been a proud user of Avira for over 10 years and this is the first time that I have had problems with it. Now I am a proud AVG user. I think the problem is now solved. I will post again is anything else happens. Thank you Cookiegal for you suggestion.
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Aug 27, 2003
    I'd just like to say that most, if not all, anti-virus manufacturers, both paid and free, have had major gaffes of some sort at one time or other, such as deleting vital system files (false positives) thus rendering customers' systems unbootable. Avira is working on a fix which should come sometime next week and I wouldn't hesitate to go back to it if you don't like AVG but of course, that's entirely up to you.

    But I'm glad that uninstalling it solved the problems you were having which indeed have many people thinking they are infected with malware. :)
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/964315