
Error on desktop startup

July 23, 2010 2:39:44 AM

hi everyone,

I just finished wiping my family's computer of a virus (antivir solution pro) and other trojans etc. that were found on there when using the following:
-windows defender
-avg
-malwarebytes - antimalware

everything seems to be fine except after it boots and brings me to the desktop I get the following error message.

"Error loading C:\\WINDOWS\system32\msgciutr.dll The specific module could not be found"

I click ok and that's the end of it, no more threats found on any of the software. Does anyone know what this could mean or how it could be fixed?

it should also be noted that I used the following process to rid the computer of antivir solution pro.
link > http://www.geekpolice.net/malware-removal-guides-f12/re...

thanks for your help


July 23, 2010 3:15:22 AM

I've also noticed that when I connect it to the internet the router light goes crazy as though the computer is talking to the internet. when I open task manager there seems to be a large number of svchost.exe processes running, I know malware can disguise itself under that name but I don't have the knowledge to know which are real and which aren't.

would a print screen of the taskmanager be handy at all?
July 23, 2010 3:49:22 AM

tarshm said:
hi everyone,

I just finished wiping my family's computer of a virus (antivir solution pro) and other trojans etc. that were found on there when using the following:
-windows defender
-avg
-malwarebytes - antimalware

everything seems to be fine except after it boots and brings me to the desktop I get the following error message.

"Error loading C:\\WINDOWS\system32\msgciutr.dll The specific module could not be found"

I click ok and that's the end of it, no more threats found on any of the software. Does anyone know what this could mean or how it could be fixed?

it should also be noted that I used the following process to rid the computer of antivir solution pro.
link > http://www.geekpolice.net/malware-removal-guides-f12/re...

thanks for your help



What you are seeing is the Windows startup looking for that file. It is good that it doesn't find it:

See: http://www.prevx.com/filenames/910143624810701835-X1/MS...

The file name is still in your startup list, but is not present to be started, so a harmless error is showing.

I could drag you through the registry to knock it out, but that gets tiresome and not everybody is comfortable about going into the registry editor.

So, I'm advising to download "Autoruns" from Microsoft: (Free)

http://technet.microsoft.com/en-us/sysinternals/bb96390...

Run the program. Click the "Logon" tab and look for suspicious entries.
Under the Description bar, it will indicate the vendor or description of the programs.

Hackers usually don't go through all the trouble of "filling in the blanks" and they also may not know a word of English, or any other language other than their own, so look for just a bunch of keys for a filename (possibly), with no description and an executable that might say "file not found". You can block it (un-check it) from starting with Windows and see if that cures the error. If you un-check something that turns out to be useful, you can return and check the box enabling it again.

When you find the culprit, you can return to Autoruns, Right-click the entry and choose to delete that registry key. No more error at startup.
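The check described in the reply above (a Logon entry with no description whose file is not found), sketched as an added example that is not part of the original post. The entry list and the on-disk file list are constructed sample data, and the rundll32 form of the msgciutr entry is an assumption.

```python
import ntpath
import re

# Constructed sample of what Autoruns' Logon tab lists: (entry name,
# description, command line). Values are illustrative, not from the poster's
# machine; the rundll32 form of the msgciutr entry is an assumption.
SAMPLE_LOGON_ENTRIES = [
    ("AVG9_TRAY", "AVG Tray Monitor", r'"C:\Program Files\AVG\AVG9\avgtray.exe"'),
    ("msgciutr", "", r'rundll32.exe "C:\WINDOWS\system32\msgciutr.dll",Startup'),
    ("ogix", "", r"C:\Documents and Settings\Owner\Application Data\ogix.exe -s"),
    ("Windows Defender", "Windows Defender User Interface",
     r'"C:\Program Files\Windows Defender\MSASCui.exe" -hide'),
]

# Constructed stand-in for the disk after the scanners removed the malware.
SAMPLE_FILES_ON_DISK = [
    r"C:\Program Files\AVG\AVG9\avgtray.exe",
    r"C:\Program Files\Windows Defender\MSASCui.exe",
    r"C:\Documents and Settings\Owner\Application Data\ogix.exe",
]

# An unquoted path may contain spaces, so cut at the first known extension.
_PATH_END = re.compile(r'^(.*?\.(?:exe|dll|com|bat|cmd|scr))(?=[\s,"]|$)', re.I)


def split_first(cmd):
    """Split a command line into (first path or token, remainder)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    match = _PATH_END.match(cmd)
    if match:
        return match.group(1), cmd[match.end():].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def startup_target(cmd):
    """Return the file an entry really loads; for rundll32 that is the DLL."""
    first, rest = split_first(cmd)
    if ntpath.basename(first).lower() in ("rundll32", "rundll32.exe") and rest:
        first, _ = split_first(rest)
    return first


def triage(entries, files_on_disk):
    """Flag entries with a missing target or a blank description."""
    present = {ntpath.normcase(ntpath.normpath(p)) for p in files_on_disk}
    findings = []
    for name, description, cmd in entries:
        target = startup_target(cmd)
        reasons = []
        if ntpath.normcase(ntpath.normpath(target)) not in present:
            reasons.append("file not found")
        if not description.strip():
            reasons.append("no description")
        if reasons:
            findings.append((name, target, reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_LOGON_ENTRIES, SAMPLE_FILES_ON_DISK):
        print(f"{name}: {target} -> {', '.join(reasons)}")
```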

July 23, 2010 4:04:38 AM

thank you very much for your help, I'll have a crack at this then get back to you.
July 23, 2010 4:10:14 AM

ok I think I may have found 2 culprits however, if you don't mind I'll post an image of the "logon" tab as you seem to have vast amounts of experience with this stuff.
July 23, 2010 4:36:22 AM

I've also found a file called "ogix.exe" under doc and settings\owner\application data.

should I just flat out delete this?
July 23, 2010 5:06:39 AM

tarshm said:
I've also found a file called "ogix.exe" under doc and settings\owner\application data.

should I just flat out delete this?

Best reply I have ever seen.

Autoruns claims it ("ogix.exe") does not exist, but if it does exist, yes delete it.

See:
http://www.prevx.com/filenames/1586383143755153628-X1/O...

Your anti-virus programs found and removed the culprits, however, a registry entry pointing to them is not in itself a virus, so they stayed.

Here is a picture showing what to do. I included the windowssearch.exe to be unchecked because nobody uses it and it slows your system down. You can come back and re-check it if you ever want to.


July 23, 2010 5:11:13 AM

yep, the error message is gone and I've deleted the two suspicious files. I'll go on the internet with it and see what happens. Is there a possible way I can do a good clean of the system to get things out that I and the antivirus software can't see?

I can't do a fresh install unfortunately.

thanks a lot for your help
July 23, 2010 5:11:42 AM

oh and what did you mean by "best reply I've ever seen"?
July 23, 2010 5:18:12 AM

tarshm said:
oh and what did you mean by "best reply I've ever seen"?



You have no idea how many times a person comes here for help, only to change their story half-way through the repair suggested. Most people come here, ask for help and never come back to say it worked or not. It's almost like they expect live-chat or something.

You went so far as to provide a picture of what you see. That makes a huge difference.
:wahoo: 
July 23, 2010 5:29:11 AM

:) .. ok when I connect it to the internet via ethernet (only way) and monitor the connection it's constantly downloading and sending, also noted on the router light which is flickering nonstop. I don't think I've observed this before when the computer is idle either.

I've tried going to windows updater and it cannot connect to the server, but anything else is fine, and windows defender gives me a "code 0x80072efe" error when I try and update.

any suggestions
July 23, 2010 5:29:43 AM

tarshm said:
yep, the error message is gone and I've deleted the two suspicious files. I'll go on the internet with it and see what happens. Is there a possible way I can do a good clean of the system to get things out that I and the antivirus software can't see?

I can't do a fresh install unfortunately.

thanks a lot for your help


This is not easily done. If you have tons of money, you could buy various Anti-Virus packages, run them one at a time and see if different ones find things the others missed, if you know there is a problem to be found that is.

The better companies are searching for viruses 24/7 and do a pretty good job of updating their AV definitions so we can try to stay safe. The only major AV company I don't like is McAfee antivirus.
They never seem to be up to date and keep missing too much malware, some of it that has been around for months. I don't appreciate the hundreds of registry entries Symantec makes, so that leaves Kaspersky Lab as my best choice award. They don't miss things, they won't plug up your registry, it can be enabled/disabled easily... I've no complaints about them. To each his own.
July 23, 2010 5:36:11 AM

tarshm said:
:) .. ok when I connect it to the internet via ethernet (only way) and monitor the connection it's constantly downloading and sending, also noted on the router light which is flickering nonstop. I don't think I've observed this before when the computer is idle either.

I've tried going to windows updater and it cannot connect to the server, but anything else is fine, and windows defender gives me a "code 0x80072efe" error when I try and update.

any suggestions


The suggestion is to download the free 30 trial of Netpeeker.
It works. It will show every network connection in/out of the computer and tons more. Read all about it and download it here:

http://www.net-peeker.com/index.htm
July 23, 2010 5:37:33 AM

Just had a poke around in C\documents and settings\owner and there's 3 files there that were created a few minutes ago when I let it connect to the internet, they are:

-NTUSER \DAT FILE
-ntuser.dat \text doc
July 23, 2010 5:45:21 AM

tarshm said:
Just had a poke around in C\documents and settings\owner and there's 3 files there that were created a few minutes ago when I let it connect to the internet, they are:

-NTUSER \DAT FILE
-ntuser.dat \text doc

Normal, ignore
July 23, 2010 5:54:33 AM

appreciate the input aford10, I'll give that a go in a sec. Tigsounds, I'll have screenshots of netpeek up in a sec, there's one connection that is just going nuts on down/up loading.
July 23, 2010 6:01:39 AM

tarshm said:
appreciate the input aford10, I'll give that a go in a sec. Tigsounds, I'll have screenshots of netpeek up in a sec, there's one connection that is just going nuts on down/up loading.


One of the fun things about NetPeeker is that you can block it.
July 23, 2010 6:05:00 AM

Yeah I can see the block ability, just not sure what I'll be blocking that's all. You should consider that I live in rural Australia on a 512Kbps adsl connection. I would let it go and see what happens but when my young brother was on the computer he walked away and when he came back 30min later, that's when antivir had installed itself.

heres the screenshots.

http://i820.photobucket.com/albums/zz129/jstoc17/netppe...

http://i820.photobucket.com/albums/zz129/jstoc17/enlarg...
July 23, 2010 6:08:13 AM

I'm gathering by your guide (even though I have not put it into use) that you do not feel AVG free is substantial enough?
July 23, 2010 6:14:16 AM

tarshm said:
Yeah I can see the block ability, just not sure what I'll be blocking that's all. You should consider that I live in rural Australia on a 512Kbps adsl connection. I would let it go and see what happens but when my young brother was on the computer he walked away and when he came back 30min later, that's when antivir had installed itself.

heres the screenshots.

http://i820.photobucket.com/albums/zz129/jstoc17/netppe...

http://i820.photobucket.com/albums/zz129/jstoc17/enlarg...


That is your computer talking to your router. (192.168.0.1)
July 23, 2010 6:15:17 AM

Nope. I've seen AVG fail a number of times to block malware. The detection rate is low compared to comparable malware software. It's also a bit of a resource hog.
July 23, 2010 6:18:29 AM

oh lol, any chance you can explain why it's doing so? all my wireless devices only trigger the light flickering when I'm actively downloading and uploading, yet this continues when the PC is idled.

Nevertheless your wisdom continues to keep me in awe.
July 23, 2010 6:19:38 AM

tarshm said:
I'm gathering by your guide (even though I have not put it into use) that you do not feel AVG free is substantial enough?


There is some free stuff out there that works pretty good. I like the paid versions because they tend to include threats of any level. Free, you get what you paid for and they may not include lower-level menaces. Free usually doesn't include any support from vendor at all, paid, you can email or call them and they'll respond with help that works.
July 23, 2010 6:26:03 AM

tarshm said:
oh lol, any chance you can explain why it's doing so? all my wireless devices only trigger the light flickering when I'm actively downloading and uploading, yet this continues when the PC is idled.

Nevertheless your wisdom continues to keep me in awe.


You must be talking about aford10... :D 

Netpeeker will capture and log the exchange to/from your computer and the router... If you can understand cryptic binary exchanges, it could tell you exactly what they say to each other all day.
My computer used to have lively conversations with my router until I forced a static IP connection from the computer to the router. Now they rarely speak to each other anymore... almost sad.
July 23, 2010 6:28:51 AM

haha, I will try aford's guide tonight and post whatever happens tomorrow morning so about 16 hours or so. Out of the 3 suggested virus solutions you've offered in the guide which would I use in substitution of avg? keeping in mind I'll be using malwarebytes (free)
July 23, 2010 6:31:37 AM

P.S. I see in your screen-shot that your throttle is enabled... why?
July 23, 2010 6:34:12 AM

tarshm said:
haha, I will try aford's guide tonight and post whatever happens tomorrow morning so about 16 hours or so. Out of the 3 suggested virus solutions you've offered in the guide which would I use in substitution of avg? keeping in mind I'll be using malwarebytes (free)


I've used them all (as they say) and I like Kaspersky the best.
I also run Black Ice Firewall, even though it is now discontinued and considered obsolete.


July 23, 2010 6:35:36 AM

Not sure about the throttle???. I'm going offline for a while, just to get fresh air.

Appreciate the time mate :) 
July 23, 2010 6:37:27 AM

tarshm said:
Not sure about the throttle???. I'm going offline for a while, just to get fresh air.

Appreciate the time mate :) 

Breathe the good air down under.. the throttle is the second green light from the left, marked with just a "T". Disable it!

P.S. I run Netpeeker 3.10 myself.
July 23, 2010 11:30:18 PM

Ok so we established that the svchost.exe was talking to the router due to the IP address, which I see now is the router's static one.

I've observed it a little more this morning and have two screenshots, one of the "system" and the other of "services.exe". I'm not sure if I mentioned it but not only is the router port flickering so is the internet light (as though it's actively talking to someone out there on the internet).

System -> http://i820.photobucket.com/albums/zz129/jstoc17/System...

Service -> http://i820.photobucket.com/albums/zz129/jstoc17/Servic...

It's also come up with a few notifications of firewall blocking, not really sure about that but. The internet still baffles me with all its code, and IP etc.


Regarding Aford10's guide I did not use the "combofix.exe" program as when I closed avg and windows defender (even the resident shield through task manager) it kept telling me it was running and that I was putting my PC at risk if I attempted to use combofix. I cannot start it in safe mode either as hitting F8 only lets me choose the boot device. Everything else is saying it's clean though.

Also regarding Aford10's guide, currently I'm running AVG free and windows defender, as well as Malwarebytes free (so just for scans). Based on your suggested antivir solutions what would you recommend I do? I'm a little hazy on what exactly each suite does.

thanks so much for your help. :) 
July 23, 2010 11:36:26 PM

Also I noticed it's having a good conversation with the "internet assigned numbers authority", but I'm guessing that's a good thing ??
July 24, 2010 4:13:57 AM

What kind of PC is it? Some other common keystrokes to enter the safe mode menu are ESC, F1, F2, F9, F11, and delete.

There are often services running, even when the AV application is closed. You can run combofix even if another AV service is running. I normally get notified that Avast is still running. I would recommend running it. Malwarebytes can remove most any infection, but combofix is the only scanner I've seen that can catch infections that malwarebytes can't.

AVG is an ok AV. It's more of a resource hog, and also has lower detection rates than the other AVs recommended.
July 24, 2010 5:22:24 AM

tarshm said:
Also I noticed it's having a good conversation with the "internet assigned numbers authority", but I'm guessing that's a good thing ??


There's something fishy going on here.

Your computer shouldn't have any dealings with IANA.

Your screen-shot of "Services.exe" is very suspicious. I looked at my system and Netpeeker doesn't show it, and I checked my other 2 machines and none of them have "Services.exe" running in the network connections either. They are all Win XP SP2.

That thing had 32 outgoing connections within less than 2 minutes. There may have been many more as NetPeeker will erase them after a pre-determined time (that you can set).
If you want to see only the current, active connections, click the trash can at the bottom of NetPeeker.

"Services.exe" has been used as a virus name for years.

Your machine could be a spam-bot or worse.

Make sure the Netpeeker firewall is enabled (green light at top right that shows the letter "F").

Try right-clicking on the Services.exe entry in Netpeeker and select Kill Process.
If it can't be killed, select Block it !. A firewall rule making window will appear, all you need to do is click Save. There are criteria that can be filled in, but leaving them blank means any, such as: Local address, if left blank will mean any local address, remote address, blank=any remote address. The rule will block Services.exe from going on the network or internet.

Once the rule is made, you must interrupt the connection as most firewalls will not stop an in-progress connection.

Click: Start>settings>control panel>network connections>
Right-click on your network connection that has you connected to the internet.
Click Disable
After it has been disabled, click Enable.
This is a brute-force method of doing an Ipconfig /renew.
You should start getting firewall block alerts that Services.exe is trying to go on the Internet.

Click on the Services.exe in NetPeeker, and see the path to the file (program) in the right pane. Go there using Windows Explorer and read properties to that thing. It may say it's Microsoft, if so, check all entries to see if it appears to be genuine. A virus may be piggy-backing it.

Microsoft Services.exe is found in C:\Windows\system32 and C:\Windows ERDNT\cache and C:\Windows\system32\dll cache and has a file size of 106KB (108,132 Bytes)

You need a real anti-virus program.

So, try to kill services.exe, or block it. Let us all know the results.
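The location check from the reply above (a process named services.exe or svchost.exe should be running from the system32 folder), as an added example that is not part of the original post. It assumes a process listing exported in the CSV layout of `wmic process get ExecutablePath,Name,ProcessId /format:csv`; the listing itself, the host name and the path prefixes in it are constructed sample data.

```python
import csv
import io
import ntpath

# Process names the thread discusses as common disguises.
SYSTEM_NAMES = {"services.exe", "svchost.exe"}

# Constructed sample listing (not the poster's machine). It includes a
# mixed-case path, an NT-style \??\ prefix and a row with no path reported.
SAMPLE_PROCESS_CSV = r"""
Node,ExecutablePath,Name,ProcessId
OWNER-PC,,System,4
OWNER-PC,C:\WINDOWS\system32\services.exe,services.exe,648
OWNER-PC,\??\C:\WINDOWS\System32\svchost.exe,svchost.exe,820
OWNER-PC,C:\Documents and Settings\Owner\Application Data\svchost.exe,svchost.exe,1776
OWNER-PC,C:\WINDOWS\services.exe,services.exe,1904
OWNER-PC,,svchost.exe,2012
"""


def normalize(path, system_root=r"C:\WINDOWS"):
    """Lower-case a Windows path and resolve NT-style prefixes."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = system_root + path[len("\\systemroot"):]
    return ntpath.normcase(ntpath.normpath(path))


def find_impostors(csv_text, system_root=r"C:\WINDOWS"):
    """Return (pid, name, reason) for system-named processes outside system32."""
    expected_dir = normalize(ntpath.join(system_root, "system32"))
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = row["Name"].strip().lower()
        if name not in SYSTEM_NAMES:
            continue
        pid = int(row["ProcessId"])
        raw = row["ExecutablePath"].strip()
        if not raw:
            # No path in the listing: cannot be judged from this data alone.
            findings.append((pid, name, "path not reported, check manually"))
        elif ntpath.dirname(normalize(raw, system_root)) != expected_dir:
            findings.append((pid, name, "unexpected location: " + raw))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_impostors(SAMPLE_PROCESS_CSV):
        print(f"PID {pid} {name}: {reason}")
```

A clean result only rules out the crude disguise of a copy stored elsewhere: later in this thread the poster found services.exe in c:\windows\system32 only.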

July 24, 2010 5:43:26 AM

Just in case you missed it..

NetPeeker will do a "WhoIs" on any connection, active or not. You can see where the connection destination is by right-clicking on a connection and selecting "Who is it?"

I looked up some of the connections you show in the picture of your Services.exe, and it is making connections all over the world. Just a bit suspicious.
July 25, 2010 2:41:47 AM

Tigsounds > it's quite odd, the services.exe connection is not even there anymore, and the router is back to its old idle state. I will endeavour to follow your guide if it re-emerges though. I'll definitely monitor it as much as possible this week and update you.

aford > it's a ye old P4 so it's definitely in its old age, when I get some time I'll try your suggestions.

with regards to the AV programs could you possibly make a specific suggestion as to what would be beneficial in place of avg and windows defender
July 25, 2010 3:23:30 AM

My top AV suggestions would be Avast 5.0 or Microsoft Security Essentials.
July 25, 2010 3:54:00 AM

ok cheers, as I've said before I'm not too savvy with the antivirus side of things so what will I need to be fully protected?. just either of those two, both in conjunction?, turn off microsoft defender?
July 25, 2010 3:58:01 AM

I wouldn't run them together. Pick one or the other. They both offer real time updates, and internet security. You could leave defender on. Another good software is Winpatrol. It'll notify you if something tries to modify your system.
http://www.winpatrol.com/
July 25, 2010 4:13:16 AM

ok if there's really no difference I'll just use whatever, I'm guessing winpatrol is a side software program for the reason you described?. Any chance out of avast and windows sec. that you know which is least resource hungry, being a P4 I don't want to give it any more loading than what it needs.
July 25, 2010 5:31:11 AM

Both are similar. After using both, I don't notice either as being more resource hungry than the other. You should try both and see which you like better.

Yes, winpatrol is used in conjunction. If something slips by the antivirus software, winpatrol will notify you when malware tries to alter your system.
July 25, 2010 10:03:14 PM

tigsounds said:
There's something fishy going on here.

Your computer shouldn't have any dealings with IANA.

Your screen-shot of "Services.exe" is very suspicious. I looked at my system and Netpeeker doesn't show it, and I checked my other 2 machines and none of them have "Services.exe" running in the network connections either. They are all Win XP SP2.

That thing had 32 outgoing connections within less than 2 minutes. There may have been many more as NetPeeker will erase them after a pre-determined time (that you can set).
If you want to see only the current, active connections, click the trash can at the bottom of NetPeeker.

"Services.exe" has been used as a virus name for years.

Your machine could be a spam-bot or worse.

Make sure the Netpeeker firewall is enabled (green light at top right that shows the letter "F").

Try right-clicking on the Services.exe entry in Netpeeker and select Kill Process.
If it can't be killed, select Block it !. A firewall rule making window will appear, all you need to do is click Save. There are criteria that can be filled in, but leaving them blank means any, such as: Local address, if left blank will mean any local address, remote address, blank=any remote address. The rule will block Services.exe from going on the network or internet.

Once the rule is made, you must interrupt the connection as most firewalls will not stop an in-progress connection.

Click: Start>settings>control panel>network connections>
Right-click on your network connection that has you connected to the internet.
Click Disable
After it has been disabled, click Enable.
This is a brute-force method of doing an Ipconfig /renew.
You should start getting firewall block alerts that Services.exe is trying to go on the Internet.

Click on the Services.exe in NetPeeker, and see the path to the file (program) in the right pane. Go there using Windows Explorer and read properties to that thing. It may say it's Microsoft, if so, check all entries to see if it appears to be genuine. A virus may be piggy-backing it.

Microsoft Services.exe is found in C:\Windows\system32 and C:\Windows ERDNT\cache and C:\Windows\system32\dll cache and has a file size of 106KB (108,132 Bytes)

You need a real anti-virus program.

So, try to kill services.exe, or block it. Let us all know the results.


ok I blocked it (as I can't kill it), did the reset of network connections. now microsoft wants to validate my windows xp.... I just said later. when I searched for the services.exe I found it in the

-c:\windows\system32 only (attached screen shot)
-c:\windows\Erdent only has a HIV-backup folder in it and I'm not sure about the third one.
July 25, 2010 11:34:07 PM

tarshm said:
ok I blocked it (as I can't kill it), did the reset of network connections. now microsoft wants to validate my windows xp.... I just said later. when I searched for the services.exe I found it in the

-c:\windows\system32 only (attached screen shot)
-c:\windows\Erdent only has a HIV-backup folder in it and I'm not sure about the third one.


Kaspersky
July 26, 2010 3:23:13 AM

haha.. it'll fix all my problems?, even the bad feeling I have inside when I think about letting windows attempt to validate itself?
July 31, 2010 5:33:09 AM

Thought I'd just let anyone reading this know that I ended up doing a fresh install of XP on the computer (got new CD drive), and am now running microsoft security essentials on all my computers. I find it to be great and haven't had any issues since.

Big thanks to you guys who helped me through all this, and although there was obviously something deep within it, and I did a whole wipe the knowledge is much appreciated.

thanks
July 31, 2010 5:55:35 AM

Thanks for the update,
Happy to help.