# Restore Active Desktop freezes



## starry_mom (Dec 22, 2004)

I don't know much at all about computers, but this is bothering me. When our computer starts, the Restore Active Desktop comes up. If you click on it to restore, the computer freezes. If I try Control, Alt, Delete, it does nothing, I have to push the Reset button. My son recently installed Hijack This, and we also have Ad-aware and Spybot, which he runs daily because we are getting a lot of pop-ups and spyware on our computer. We have Windows ME, outside of that, I don't know too much more about it. My son hasn't done anything about this, so I am trying to see if anyone can give me any ideas I can give to him to fix this. Thanks, Starry_mom


----------



## Rollin' Rog (Dec 9, 2000)

First and foremost, disable that old buggy feature by right clicking on the Desktop. I think the context menu there is "Active desktop > "view as web page" (or visa/versa). Just remove the check for it.

Then post a HijackThis Scanlog here for review. Make sure you have the latest version, 1.99

Direct HijackThis download link: http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Make sure it is downloaded to and run from a permanent folder of its own, not a temp one or directly on the desktop


----------



## starry_mom (Dec 22, 2004)

Okay, here's the logfile.

Logfile of HijackThis v1.99.0
Scan saved at 9:45:43 PM, on 12/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HWTVAA.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cboss.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://www.cboss.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by cboss Community Network
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP\SETUP.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_3_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [okyjvltdqx] C:\WINDOWS\SYSTEM\HWTVAA.EXE
O4 - HKLM\..\Run: [webebot] c:\windows\system\webebot.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.scotlandonline.com/communicate/push.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://abc.go.com/primetime/movies/rosered/gargoyle/TulipPlayer2.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio4_0_2_10.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O21 - SSODL: URLREWIN - {CA2DB500-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\SYSTEM\netknl.dll


----------



## JSntgRvr (Jul 1, 2003)

Download and run the following programs:

CWShreder

http://www.majorgeeks.com/download4086.html

Adaware (Update this program's definitions on line prior to the Scan)

http://www.lavasoftusa.com/support/download/

Spybot (Update this program's definitions on line prior to the Scan)

http://spybot.eon.net.au/en/download/index.html

Delete all malware found, restart the computer, then run HJT again and post a new log.


----------



## Rollin' Rog (Dec 9, 2000)

Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View

Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.intermute.com/spysubtract/cwshredder_download.html

Then:

*1 >> Restart in Safe Mode:* http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

*2 >> In Safe Mode run the CoolWebShredder* and have it "fix" detected problems. *Then run HijackThis* and check and "fix" the following entries:

O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\ALL USERS\APPLICATION DATA\SETUP\SETUP.DLL

^^ the entire "setup" folder in this path is likely a part of the Hijack. Have a look to see what is there. It can probably be deleted.

http://computercops.biz/clsid-1379.html

O4 - HKLM\..\Run: [okyjvltdqx] C:\WINDOWS\SYSTEM\*HWTVAA.EXE*
O4 - HKLM\..\Run: [webebot] c:\windows\system\*webebot.exe*
O21 - SSODL: URLREWIN - {CA2DB500-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\SYSTEM\*netknl.dll*

^^ manually look for and delete the files if present

*3 >> Go to Start > Run* and enter *cmd* and a command shell will open. At the prompt carefully type and enter each line:

*Additional cleanup instructions:* Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

Go to Start > Run, enter *%temp%* and then click Edit > Select All. Right click on the selected files and folders and delete them

* >> Reboot*

I would also too recommend installng, UPDATING and running a full Ad-Aware SE scan. Include the VX2 plugin and post a new Scanlog when ready.

Ad-Aware Home Page

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe
The VX2 plugin will be available in the "add-ons" window once installed and is run from there.


----------



## starry_mom (Dec 22, 2004)

We do have CWShredder, Spybot, and AdAware, the latter of the two are run basically on a daily basis since we get so much spyware.

That %temp% command got rid of some 400 files (99 MB).

I still can't click on the "Restore active desktop" button and when I try to disable the option in the preferences menu the computer freezes, so that's not a remedy to the problem.

Here's the new logfile.

Logfile of HijackThis v1.99.0
Scan saved at 12:11:26 AM, on 12/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by cboss Community Network
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_3_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.scotlandonline.com/communicate/push.cab
O16 - DPF: {ED4E6F97-FA1A-4634-B550-AABFEB8DA009} (TulipPlayer Class) - http://abc.go.com/primetime/movies/rosered/gargoyle/TulipPlayer2.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio4_0_2_10.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab


----------



## wimpy (Dec 21, 2004)

starry_mom said:


> I don't know much at all about computers, but this is bothering me. When our computer starts, the Restore Active Desktop comes up. If you click on it to restore, the computer freezes. If I try Control, Alt, Delete, it does nothing, I have to push the Reset button. My son recently installed Hijack This, and we also have Ad-aware and Spybot, which he runs daily because we are getting a lot of pop-ups and spyware on our computer. We have Windows ME, outside of that, I don't know too much more about it. My son hasn't done anything about this, so I am trying to see if anyone can give me any ideas I can give to him to fix this. Thanks, Starry_mom


Frozen as you are ?
See my post on "freezes" describe it better.


----------



## JSntgRvr (Jul 1, 2003)

Have Hijackthis Fix the Following:

O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (file missing)

Start the Computer in Safe Mode. Search and delete the following files and folders:

Powereg
webshots.lnk
image.lnk
PowerReg Scheduler.exe
PowerReg SchedulerV2.exe
PowerReg Scheduler V2.exe
PowerReg Scheduler V3.exe
PowerReg.dat
powerreg schedulerv3.exe
powerreg scheduler.exe

There is more information here about PowerReg Adware:

http://www.securemost.com/articles/rm_powerreg_scheduler.htm

Once done, go to Start->Run, type Scanregw.exe, and click Ok. If asked to save the registry, select Yes. Restart the computer.

Keep us informed!


----------



## Rollin' Rog (Dec 9, 2000)

Try method 3 here for disabling Active Desktop:

http://support.microsoft.com/?kbid=190228

There are also some registry restrictions that could be added if you have problems with this.

If the above doesn't work, try to "clean boot" the system and see if you still encounter the problem. If not there is something else under startups that is causing an error.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q267288

I would also try moving off the desktop as many icons as possible as its possible something there is causing the startup error.


----------

