#1
I'm running Windows XP, and I've had this problem for some time. I have tried everything from reformatting to installing all of the new sound drivers. Nothing helps. When I play audio or anything Shockwave/Flash related, my computer either locks up or restarts (on its own), and when it boots back up again I get a Windows system error type message. It does this really often. It's become annoying. In my error log there are 2 things:
System Error
Error code 000000d1, parameter1 00000000, parameter2 000000ff, parameter3 00000000, parameter4 00000000.
Saturday, August 06, 2005
Service Control Manager
The IPSEC Services service terminated with the following error: The authentication service is unknown
I'm not sure if this is related to the problem or not, but if anyone has any idea whatsoever on what this may be or how to solve it, please let me know.

#2
Well you have a problem with audio so we need some more info.
Is this a system that has been running fine and then this developed? Did you add a new sound card? Had you changed something (settings, inside the computer case, new program install)?

#3
Sounds like you don't have the right driver installed or maybe not the newest driver...but it could be a defective card as well.

#4
The computer was working fine, and started having the problem.
There was a new sound card added, but the computer was working fine for the longest time with it. As for the settings, there was a new motherboard and a few other things, but it was all installed the same day, and like I said it was working for a long time, and then the problem just occurred unexpectedly. I did try installing new drivers etc. When the computer locks up instead of restarting, the processing light on the computer tower freezes also.

#5
That message is a hardware incompatibility message....and obviously it has to do with Flash applications as well.
One possibility is a virus, believe it or not...you need to do one of the better online virus scanners: housecall.trendmicro.com to rule that out. If you have onboard sound or another soundcard I would try putting it on and removing this one (what is this card creating the problem by the way?) Are you running Norton antivirus? There are frequent incompatibilities between Norton and various soundcards and other software...might try disabling it while running what crashes the PC...or any other antivirus for that matter. Flash activities can appear to be virus-like to incompetent antivirus software, and also bad spyware prevention software. When all else fails, I frequently will use Acronis or Ghost to make an image file, then begin uninstalling possible programs until I catch the conflict, then restore with the image file and remove the problem maker. Unfortunately XP restore just isn't that reliable to use in this way. Go back if it's still around and finally runs right in XP, could also be used the same way. One more thought would be to download and install jv16 Power Tools and check through the first screen for dangling remains from uninstalls. The driver from the original soundcard could also be creating this problem and when I uninstall something, I always double check with jv16 to see it all was taken out. (www.jv16.org)

#6
At the bottom of this page is HijackThis.
If you could run that and paste the log file here please. I want to see what's starting up with the computer. There may be some third party (not Microsoft) sound program making your life miserable.

#7
Running processes:
Last edited by JugHead; August 27th, 2005 at 09:55 PM.
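
A HijackThis log answers the "what's starting up with the computer" question through its O4 lines, and a forum paste often loses the line breaks. The following is an added example, not part of the original thread: it re-splits a flattened log and flags registry autoruns for review. The sample entries are constructed, and the two flags (`no_path`, `multi_key`) are this example's own review cues, not HijackThis output or a malware verdict.

```python
import re
from collections import defaultdict

# An entry starts with a section code (R0, F3, N3, O4, O23, ...) followed by " - ".
ENTRY_START = re.compile(r"(?<!\S)(?=(?:[RFN]\d|O\d{1,2}) - )")
# Registry autorun: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Program part of a command line: a quoted path, text up to the first
# .exe/.com/.bat/.scr (unquoted paths may contain spaces), else the first token.
PROGRAM = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|scr))(?=\s|$)|^(\S+)', re.I)

# Constructed sample, flattened onto one line the way a forum paste can be.
SAMPLE = (
    r'O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll '
    r'O4 - HKLM\..\Run: [ExamplePrinter] "C:\Program Files\Example Printer\mon.exe" /s '
    r'O4 - HKLM\..\Run: [updater] exupd32.exe '
    r'O4 - HKLM\..\Run: [Tools] C:\WINDOWS\System32\extool.exe '
    r'O4 - HKLM\..\RunServices: [Tools2] C:\WINDOWS\System32\extool.exe '
    r'O4 - HKCU\..\Run: [Mixer] Mixer.exe /startup'
)


def split_entries(text):
    """Split a log whose line breaks were lost back into one string per entry."""
    return [e.strip() for e in ENTRY_START.split(text) if e.strip()]


def program_of(command):
    """Return the program named by an autorun command line, without arguments."""
    return next(g for g in PROGRAM.match(command).groups() if g)


def triage(text):
    """Flag O4 registry autoruns that deserve a closer look.

    no_path:   the value names a program without a directory, so the log does
               not say which file on the search path actually runs.
    multi_key: the same program is registered under more than one autorun key.
    """
    no_path, keys_by_program = [], defaultdict(set)
    for entry in split_entries(text):
        m = O4_RUN.match(entry)
        if not m:
            continue  # other sections, and Startup-folder O4 lines
        hive, key, name, command = m.groups()
        program = program_of(command)
        keys_by_program[program.lower()].add(f"{hive}\\{key}")
        if "\\" not in program:
            no_path.append((hive, key, name, program))
    multi_key = {p: sorted(k) for p, k in keys_by_program.items() if len(k) > 1}
    return {"no_path": no_path, "multi_key": multi_key}


if __name__ == "__main__":
    for flag, rows in triage(SAMPLE).items():
        print(flag, rows)
```

A flagged entry is a prompt to locate the file and identify its vendor before disabling anything; legitimate drivers and mixers are often registered without a path as well.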

#8
You'll need to go here to Panda ActiveScan.
After filling out the info and the downloads complete, select Local Disks to scan. Save the log at the end please and post it here.

#9
Incident Status Location

#10
We need to boot to Safe Mode with Networking: press the F8 key at one-second intervals while the computer starts and select Safe Mode with Networking. We need to stay in safe mode; if you reboot normally, much of that junk will replicate itself.

Start
Run...
type msconfig
hit enter
Startup (tab)
uncheck everything in there
Apply
OK

Start
Run...
type regedit
hit enter
My Computer is highlighted
in the menu
Edit
Find...
search for wupd
delete when found, then press F3 to continue search
when done, My Computer is highlighted
search for startpage.na
delete when found, then press F3 to continue search
when done, on the left side of regedit go here
HKEY_CURRENT_USER
Software\Microsoft\Internet Explorer\main\CONC
delete that entire folder (CONC) from the left side
close regedit

Search (click once on Desktop and push F3 key) files and folders, then select C:
search for temp
you're looking for folders only; delete all the temp folders that show up.

Then with Windows Explorer (windows key + e) delete all of these files...
C:\Documents and Settings\Trucking\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav ainstaller.jar-3c936701-2990c660.zip
C:\Documents and Settings\All Users\Favorites\AdultGambling.url
C:\WINDOWS\rdt.ini
C:\WINDOWS\SYSTEM32\msexnpfi.exe
C:\WINDOWS\SYSTEM32\loadctr32.exe
C:\WINDOWS\SYSTEM32\msexnpbi.exe
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
D:\Temp\salm.exe
D:\Temp\salmhook.dll

Shut off Windows XP System Restore
Control Panel
System
System Restore (tab)
turn that off.

We have more to do, say when you're finished with all the above...
...I'll need the User Name you sign on to Windows XP with please. "TRUCKING"?
Last edited by Spider; August 27th, 2005 at 05:57 PM.

#11
Reminder, you'll need to stay in Safe Mode with Networking

#12
I have everything done. There wasn't a CONC folder, and there are files below that weren't there; they probably were removed earlier today when I used spydoctor. I do log on as Trucking.
C:\Documents and Settings\Trucking\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav ainstaller.jar-3c936701-2990c660.zip
C:\WINDOWS\rdt.ini
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
D:\Temp\salm.exe
D:\Temp\salmhook.dll

#13
Start
Run...
type cmd
hit enter
type cd\
hit enter
type cacls "c:\system volume information" /E /G Trucking:F
hit enter
(should report processed dir: c:\System Volume Information)
(leave that command prompt window open)

Open a Windows Explorer
in its menu...
Tools
Folder Options...
View (tab)
uncheck Hide protected operating system files (Recommended). It's going to ask "r u sure?" = yes
put a check on Show hidden files and folders
uncheck Hide file extensions for known file types
Apply
OK
two-click C:
two-click System Volume Information
Delete everything in there. Some *.log files won't delete, so go into the folders and delete all but the *.log file name if indicated.

When done, back to the command prompt we left open...
type cacls "c:\system volume information" /E /R Trucking
hit enter
(should report processed dir: c:\System Volume Information)
close Command Prompt
close Windows Explorer

Search C: for "temporary internet files" (with the quote marks)
delete contents of all found.
Empty Recycle Bin
Reboot to Safe Mode with Networking and go do another Panda Scan. Log from that scan here please.
Last edited by Spider; August 27th, 2005 at 09:38 PM.

#14
Also could you edit your HijackThis log up there and remove these numbers
*.*.*.* *.*.*.* When you do, I will *.*.*.* *.*.*.* mine too.
Last edited by Spider; August 27th, 2005 at 10:41 PM.

#15
I did the first part of what you told me, and when I type it and hit enter, I get a message saying
Cacls command can be run only on disk drives that use the NTFS file system.
Also, while I was at it I checked the System Volume Information and the folder is empty.
All times are GMT +1. The time now is 04:51 AM.








