| Thread ID: 71512 | 2006-08-08 02:18:00 | Windows Crashes on Startup | drifterjoe (10935) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 476994 | 2006-08-08 08:21:00 | Boot into safe mode again, run HJT, tick these entries and tick Fix checked:
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll <- delete this file in safe mode.
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe <- I think this is some kind of malware. Delete this file in safe mode too.
Search for this file too: ssfhvdlo.exe. If it's still on your system, delete it in safe mode.
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
What version of CD Creator are u using?? Is it updated, coz V5 without updates isn't compatible with XP. Is the system crashing now? |
Speedy Gonzales (78) | ||
| 476995 | 2006-08-08 08:41:00 | ya deleted and no good, I found the ewido scan, finally got to the end of it to delete the files and gave me an error and had to shut it down, it did find like 400 something files, I'll have to try it again I guess, also I have no idea about the cd creator I don't think I ever used it, have no idea what it is, but I think I'm gonna call it a night, I'm gonna have to finish this tomorrow, thanks for your help and here's another log
Logfile of HijackThis v1.99.1
Scan saved at 3:44:43 AM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.181.44
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134601016\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - housecall60.trendmicro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - us-housecall.trendmicro-europe.com
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - autos.msn.com
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe |
drifterjoe (10935) | ||
| 476996 | 2006-08-08 08:46:00 | Hmmm these entries are still there
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe
Then get this (dl.filekicker.com) from here (www.simplysup.com), install it and click on scan. Then select the 3rd - 7th option under the utilities menu. |
Speedy Gonzales (78) | ||
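Added example, not part of the original thread and not HijackThis's own code: a small Python triage script that parses two HijackThis logs, marks the entry types the helpers singled out here (O20 Winlogon Notify DLLs and O23 services reported with "Unknown owner") as review candidates, and reports which of them survive into the later scan. The function names and the two heuristics are assumptions made for illustration; the sample lines are abridged from the logs posted in this thread.

```python
import re

# Constructed sample input: abridged from the two HijackThis logs posted in
# this thread (the 3:44 AM scan, then the 9:42 PM scan after the system restore).
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe
"""

# Entry lines start with a section code (R1, O4, O20, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O23 body: "Service: <name> - <owner> - <image path>". The path is anchored on
# a drive letter because paths themselves may contain " - ".
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review_reason(code, body):
    """Return why an entry deserves manual review, or None (heuristic only)."""
    if code == "O20" and body.startswith("Winlogon Notify:"):
        return "DLL loaded by winlogon.exe at every logon"
    if code == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group("owner") == "Unknown owner":
            return "service binary with no publisher information"
    return None


def persistent_findings(before_log, after_log):
    """Review candidates from the first scan that are still in the second."""
    # Compare case-insensitively: Windows paths differ in case between scans.
    after = {(code, body.lower()) for code, body in parse_entries(after_log)}
    findings = []
    for code, body in parse_entries(before_log):
        reason = review_reason(code, body)
        if reason and (code, body.lower()) in after:
            findings.append((code, body, reason))
    return findings


if __name__ == "__main__":
    for code, body, reason in persistent_findings(SCAN_BEFORE, SCAN_AFTER):
        print(f"STILL PRESENT {code}: {body}\n    reason: {reason}")
```

A match is only a prompt for manual review: legitimate services can also be listed with "Unknown owner".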
| 476997 | 2006-08-09 02:22:00 | ya! finally success, I was able to perform a system restore and now everything works... just want to give you one last hijackthis list to see if anything was restored onto it..
Logfile of HijackThis v1.99.1
Scan saved at 9:42:26 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.181.44
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [{D32470A1-B10C-4059-BA53-CF0486F68EBC}] RunDll32.exe C:\DOCUME~1\joe\LOCALS~1\Temp\3.1.60.2-EasyShrx.Dll,_UninstallPlatform@16 C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - housecall60.trendmicro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - download.ewido.net
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - us-housecall.trendmicro-europe.com
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - autos.msn.com
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe |
drifterjoe (10935) | ||
| 476998 | 2006-08-09 02:35:00 | Just a few more things to fix and then you're all done...
Make sure all windows and browsers are closed and open HijackThis.
Click on Open the Misc Tools Section
Click on Delete a File on Reboot
In the File Name field of the Enter File to be Deleted window, copy and paste the following:
C:\WINDOWS\SYSTEM32\wineij32.dll
C:\WINDOWS\taskms.exe
Press the Open button (You are notified that the file in question will be deleted on reboot).
Click Yes when asked whether you want to restart the computer.
Restart HijackThis, hit Do A System Scan Only and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O4 - Startup: PowerReg Scheduler V3.exe
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe
reboot
...........................
It is very important not only to keep Sun Java up to date but also to remove older versions which have security holes and can be exploited by malware such as Vundo.
Please follow the steps to remove older version Java components
1. Close any open programs you may have running, especially your web browser
2. Click Start > Control Panel
* Depending on your OS or configuration, you may have to click Start > Settings > Control Panel
3. Open Add or Remove Programs
* If you have Windows 98 or Windows 2000, open Add/Remove Programs
4. Click once on any item listing Java Runtime Environment in the name
* Not every version of Java will begin with "Java" so be sure to read each entry in the list
5. Click the Remove or Change/Remove button
6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java.
** If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the removals.
7. Next, navigate to and delete: C:\Program Files\Java <<<<<< this folder if found
8. Reboot your PC once all Java components have been removed.
9. Proceed with reinstalling Java by going to This site (www.java.com) and downloading the latest version (Version 5.0 Update 7) from the website. Save it, do not run it. When the download is complete, close the browser and install it. |
Pancake (6359) | ||
| 476999 | 2006-08-09 03:11:00 | :thumbs: Thank you's so much for helping me through this, just one last question, can you's recommend any good firewalls I could install? | drifterjoe (10935) | ||
| 477000 | 2006-08-09 03:54:00 | Ok. No problem......
Firewall info is on here.
If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure.
If you have not already done so, you might want to run Disk Cleanup and run it in each user's profile:
Run Disk Cleanup
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.
Now that you are clean, now is a good time to flush out your restored files.
To flush the XP System Restore Points: (Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig
Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.
Reboot.
Go back in and turn System Restore ON. A new Restore Point will be created.
How Do I Protect My Computer Against Future Malware Now I'm Clean.
NOTE: You may have already taken some of these steps.
Update your anti-virus software & Windows operating system on a daily or weekly basis.
Microsoft also distributes updates to its operating systems. These updates fix security holes or other problems that make a computer susceptible to security breaches.
How to update your Windows operating system (http://www.windowsupdate.com/)
Know What You're Installing
Check the source. To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection.
Use Custom Install. If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware).
Modify Security Settings (Internet Explorer 6)
To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so:
Open Internet Explorer.
Go to Tools > Internet Options.
On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected).
Under Security level for this zone, click Default Level.
Set the slider to High. Note: You may have to lower the security level to view certain Web sites.
Next, select the Trusted Sites icon.
Under Security level for this zone, click Default Level.
Set the slider to Medium.
Click Apply, then OK to save the changes.
Some Recommended Protection Programs
Each tool has its own strengths for identifying and removing specific types of malware. To thoroughly check your computer, it's recommended that you use more than one malware removal program. Don't forget to back up your data files before starting a scan!
Some available programs are:
Ad-Aware (http://www.lavasoft.com/)
SpyBot Search & Destroy (www.safer-networking.org)
Now that you are clean, to help protect your system I recommend that you get the following free programs:
SpywareBlaster (www.javacoolsoftware.com) to help prevent spyware from installing.
SpywareGuard (www.javacoolsoftware.com) to catch and block spyware.
IESpy-Ad (www.aumha.org) to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol (http://www.winpatrol.com/) to monitor any changes that programs make to the registry.
If you do not have a firewall, here is a free one for personal use:
ZoneAlarm (http://www.zonelabs.com/)
www.zonelabs.com
www.zonelabs.com
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: www.spywarewarrior.com
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: www.spywarewarrior.com
Here is a helpful article: "So how did I get infected in the first place?"
computercops.biz
www.pchelpforum.com
Let us know if we have not resolved your problem. Otherwise, you are good to go. Happy and Safe Surfing! |
Pancake (6359) | ||