| Thread ID: 95021 | 2008-11-21 03:17:00 | Crash after windows logon | dmurck02 (14343) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 721762 | 2008-11-21 03:17:00 | My computer will boot up but immediately after I log in it will start to load a little and then crash. It quickly goes to the blue screen of death and then reboots. I can't get recovery mode to work either. I was able to get into safe mode and run HJT. I did a few upgrades to my PC recently but I am not sure if this is software related. Any help you guys can give me would be appreciated. Thanks! Here is the log: Logfile of HijackThis v1.99.1 Scan saved at 8:14:49 PM, on 11/20/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\HijackThis 1.99.1\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [RestartNeroSetup] "C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\Nero Web\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 7" RUNSETUPXU="1" UPGRADE="1" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NI.GSCNS] "C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\winvsnet.tmp" O4 - HKLM\..\Run: [d4d5b660] rundll32.exe "C:\WINDOWS\system32\ocpbwaot.dll",b O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.antimalwareguard.com O15 - Trusted Zone: *.antispyexpert.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.gomyhit.com O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com O15 - Trusted Zone: *.storageguardsoft.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusremover2008.com O15 - Trusted Zone: *.virusschlacht.com O15 - Trusted Zone: *.amaena.com (HKLM) O15 - Trusted Zone: *.antimalwareguard.com (HKLM) O15 - Trusted Zone: *.antispyexpert.com (HKLM) O15 - Trusted Zone: *.avsystemcare.com (HKLM) O15 - Trusted Zone: *.gomyhit.com (HKLM) O15 - Trusted Zone: *.imageservr.com (HKLM) O15 - Trusted Zone: *.imagesrvr.com (HKLM) O15 - Trusted Zone: *.onerateld.com (HKLM) O15 - Trusted Zone: *.safetydownload.com (HKLM) O15 - Trusted Zone: *.spyguardpro.com (HKLM) O15 - Trusted Zone: *.storageguardsoft.com (HKLM) O15 - Trusted Zone: *.trustedantivirus.com (HKLM) O15 - Trusted Zone: *.virusremover2008.com (HKLM) O15 - Trusted Zone: *.virusschlacht.com (HKLM) O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - AppInit_DLLs: wbsys.dll pmnovo.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing) O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE O23 - Service: WMP300NSvc - Unknown owner - C:\Program Files\Linksys\WMP300N\WLService.exe" "WMP300N.exe (file missing) |
dmurck02 (14343) | ||
| 721763 | 2008-11-21 03:33:00 | Disable system restore (although you probably can't do this, since you did this in safe mode). Tick these, then tick Fix checked. Close browsers. Uninstall all versions of Java after; yours is out of date. Link below. O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [RestartNeroSetup] "C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\Nero Web\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 7" RUNSETUPXU="1" UPGRADE="1" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [NI.GSCNS] "C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\winvsnet.tmp" O4 - HKLM\..\Run: [d4d5b660] rundll32.exe "C:\WINDOWS\system32\ocpbwaot.dll",b (find this file after, then delete it) If you don't use Nero Home, tick this: O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE If you didn't add these, tick them: O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.antimalwareguard.com O15 - Trusted Zone: *.antispyexpert.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.gomyhit.com O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com O15 - Trusted Zone: *.spyguardpro.com O15 - Trusted Zone: *.storageguardsoft.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusremover2008.com O15 - Trusted Zone: *.virusschlacht.com O15 - Trusted Zone: *.amaena.com (HKLM) O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM) O15 - Trusted Zone: *.avsystemcare.com (HKLM) O15 - Trusted Zone: *.gomyhit.com (HKLM) O15 - Trusted Zone: *.imageservr.com (HKLM) O15 - Trusted Zone: *.imagesrvr.com (HKLM) O15 - Trusted Zone: *.onerateld.com (HKLM) O15 - Trusted Zone: *.safetydownload.com (HKLM) O15 - Trusted Zone: *.spyguardpro.com (HKLM) O15 - Trusted Zone: *.storageguardsoft.com (HKLM) O15 - Trusted Zone: *.trustedantivirus.com (HKLM) O15 - Trusted Zone: *.virusremover2008.com (HKLM) O15 - Trusted Zone: *.virusschlacht.com (HKLM) Then reboot, then get Malwarebytes below, update it, then scan. Then get Trojan Remover below and do the same. Then select all options under utilities. |
Speedy Gonzales (78) | ||
| 721764 | 2008-11-21 04:40:00 | "Disable system restore (although you probably can't do this, since you did this in safe mode)" Cause you can, doesn't matter how you booted. |
pctek (84) | ||
| 721765 | 2008-11-21 05:45:00 | All those "trusted zone" entries are malware/spyware domains! | bevy121 (117) | ||
| 721766 | 2008-11-21 11:22:00 | Read this to help with your auto-reboot problem: www.microsoft.com (so you can read what the BSOD screen says); do it from safe mode. Also, check your event viewer (in Start > Control Panel > Administrative Tools > (double click) Computer Management). Write the BSOD message down and post it here; it may be helpful (also any relevant events from the viewer at the time it crashes). |
feersumendjinn (64) | ||
| 721767 | 2008-11-23 01:20:00 | Hi everyone. Thank you for your help so far. I was able to use HJT and get rid of all the files that you suggested and the "trusted sites." I also disabled the auto recovery and the reboot after crash, so I was able to get the BSOD error. It reads: Stop: 0x0000008E (0xC0000005, 0xb6d43b75, 0xB5B617E8, 0x00000000). I will try to rerun HJT a little later and post the new results. |
dmurck02 (14343) | ||
| 721768 | 2008-12-25 18:14:00 | I had the same stop code: 0x0000008e (0xc0000005, 0x8e955b3a, 0x997826ec, 0x00000000). I suspected that it was a program that was started from the Run subkey defined in the registry. I exported the Run subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run.reg so I was able to recover all entries. Then I deleted all keys in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and rebooted Windows, and now I was able to log in without the stop code! After investigating all Run keys I found that the program CLIStart.exe was the one causing the stop code. I imported the run.reg and removed the key "StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe". Just to verify that it is CLIStart.exe that was causing the stop code, I launched CLIStart.exe and the stop code occurred immediately after. |
jravnsba (14344) | ||
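The triage rules the replies apply to the posted HijackThis log (O15 Trusted Zone domains the owner did not add, O4 autoruns launched from a Temp directory, the rundll32 entry with a hex-looking key name, and a populated AppInit_DLLs line) as a small Python checker over HJT-format lines. This is an added example, not code from the thread or from the HijackThis project; the sample lines are constructed from the log above and the heuristics are assumptions that still need a human to confirm each hit.

```python
import re

# Constructed sample in HijackThis v1.99 line format, modelled on the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NI.GSCNS] "C:\DOCUME~1\DAVIDM~1\LOCALS~1\Temp\winvsnet.tmp"
O4 - HKLM\..\Run: [d4d5b660] rundll32.exe "C:\WINDOWS\system32\ocpbwaot.dll",b
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O20 - AppInit_DLLs: wbsys.dll pmnovo.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HJT entry starts with a section tag such as O4, O15 or R1, then " - ".
HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")


def parse_line(line):
    """Split one HijackThis entry into (section, body); None for header or blank lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flag(line):
    """Return why an entry deserves a second look (the thread's triage rules), else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if section == "O15" and body.startswith("Trusted Zone:"):
        # IE applies its most permissive settings to the Trusted zone; the owner must recognise the domain.
        return "Trusted Zone domain: confirm you added it yourself"
    if section == "O4":
        if re.search(r"\\Temp\\", body, re.IGNORECASE):
            return "autorun launches from a Temp directory"
        # Assumed heuristic: an 8-hex-digit key name driving rundll32, as in the [d4d5b660] entry.
        if re.match(r"HK\w+\\\.\.\\Run: \[[0-9a-f]{8}\] rundll32\.exe", body, re.IGNORECASE):
            return "rundll32 autorun with a random hex key name"
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is populated: listed DLLs load into every process that uses user32.dll"
    return None


def triage(log_text):
    """Return [(section, line, reason)] for every flagged entry, in log order."""
    return [(parse_line(l)[0], l, flag(l)) for l in log_text.splitlines() if flag(l)]


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```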