Hijacked By Worm.win32.netbooster


19 replies to this topic

#1 polygrinder
  • Members
  • 12 posts

Posted 18 June 2008 - 12:05 PM

My computer is infected with something called Live AntiSpy 2.1; now my popups claim infection by Worm.Win32.Netbooster. When I boot I cannot access anything. If I press Ctrl+Alt+Delete, the Task Manager has been "disabled by the administrator." I can only boot into Safe Mode and have functionality.

My system runs WinXP Pro SP2.

I followed instructions from another thread and ran Malwarebytes' Anti-Malware. Here is my log.

What do I do from here to get rid of this problem?

Malwarebytes' Anti-Malware 1.17
Database version: 864

4:56:48 PM 6/17/2008
mbam-log-6-17-2008 (16-56-48).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 315857
Time elapsed: 2 hour(s), 30 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 5
Registry Keys Infected: 26
Registry Values Infected: 9
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 38

Memory Processes Infected:
E:\Documents and Settings\Administrator\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Unloaded process successfully.
E:\Documents and Settings\Administrator\Local Settings\Temp\csrssc.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
E:\WINDOWS\system32\ljJBrQkI.dll (Trojan.Vundo) -> Unloaded module successfully.
E:\WINDOWS\system32\urqNHYSK.dll (Trojan.Vundo) -> Unloaded module successfully.
E:\WINDOWS\system32\jfiehayd.dll (Trojan.Downloader) -> Unloaded module successfully.
E:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Unloaded module successfully.
E:\WINDOWS\system32\rqRLcCtT.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e29f1fbe-3c7f-421d-b3ca-8491c59c6d30} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e29f1fbe-3c7f-421d-b3ca-8491c59c6d30} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqnhysk (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{984c42ae-0b1d-4495-b16b-935da5671133} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\narqwe (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\narqwe (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\narqwe (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\narqwe (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d6931f4-6f48-424c-ad55-3d3aa5ea2bf8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d6931f4-6f48-424c-ad55-3d3aa5ea2bf8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrlcctt (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{62f7f0f9-ed6f-4a3a-b23c-849388a545a7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.bvpk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a82c43ce (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdgf894jrghoiiskd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\RamDrive (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1d6931f4-6f48-424c-ad55-3d3aa5ea2bf8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xkefqtgs (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: e:\windows\system32\ljjbrqki -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdtjy.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: e:\windows\system32\ljjbrqki -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
E:\WINDOWS\system32\763444 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
E:\WINDOWS\system32\kjorvsvf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\fvsvrojk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ljJBrQkI.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\IkQrBJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\IkQrBJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\mdmggqns.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\snqggmdm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\urqNHYSK.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\jfiehayd.dll (Trojan.Downloader) -> Delete on reboot.
E:\Documents and Settings\Administrator\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\kdtjy.exe (Rootkit.DNSChanger) -> Delete on reboot.
E:\Documents and Settings\Micheal\Local Settings\Temp\winlogan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\763444\763444.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\pxny.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SZWVMBM3\wmvcodec2.03[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\Documents and Settings\Micheal\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\Documents and Settings\Micheal\Local Settings\Temporary Internet Files\Content.IE5\B0C2MPTN\Antivirus2008PRO[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
E:\WINDOWS\epmq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\narqwe.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ntpl.bin (Trojan.Agent) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{D57DA168-446A-455C-BC02-9D8FB9D8F7C5}\RP43\A0005691.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{D57DA168-446A-455C-BC02-9D8FB9D8F7C5}\RP51\A0006289.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Delete on reboot.
E:\WINDOWS\system32\rqRLcCtT.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\fcccyXRk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\xkefqtgs.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\WINDOWS\pebgkxwq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\Documents and Settings\Micheal\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Di\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Di\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Di\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Micheal\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Di\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Micheal\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Di\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Micheal\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
E:\Documents and Settings\Di\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,908 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 18 June 2008 - 02:22 PM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
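The check quietman7 asks for here (are there entries the scanner deferred to the next reboot?) can be read straight out of the log posted in #1. The following Python script is an added example, not code from the thread, from Malwarebytes or from BleepingComputer: it parses the MBAM 1.x log layout seen above, assuming the entry shape `item (Detection.Name) -> [detail -> ...] action.`, lists everything still marked "Delete on reboot", and pulls out policy resets such as the NoFolderOptions `Bad: (1) Good: (0)` line so the reader can confirm after the reboot that they stayed fixed. The embedded sample log is constructed from a handful of entries of the same shape so the script runs offline; point `parse_mbam_log` at the text of a real `mbam-log-*.txt` to use it on a posted log.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM 1.x) scan logs.

Added example for this thread, not Malwarebytes' or the forum's code. The
entry shape "item (Detection.Name) -> [detail -> ...] action." is assumed
from the logs posted above; SAMPLE_LOG is constructed in that shape.
"""
import re
from collections import Counter

# Constructed sample: same layout as the first post's log, far fewer entries.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.17
Database version: 864

Memory Modules Infected:
E:\WINDOWS\system32\ljJBrQkI.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e29f1fbe-3c7f-421d-b3ca-8491c59c6d30} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\narqwe (Backdoor.Rustock) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: e:\windows\system32\ljjbrqki -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
E:\WINDOWS\system32\kdtjy.exe (Rootkit.DNSChanger) -> Delete on reboot.
E:\Documents and Settings\Micheal\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Memory Processes Infected:
(No malicious items detected)
"""

# A bare "... Infected:" line starts a section; the count lines near the top
# ("Registry Keys Infected: 26") end in a number and therefore do not match.
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>\w+\.\w+)\) -> (?P<rest>.+)\.$")
# Detail MBAM attaches to a policy value it reset, e.g. "Bad: (1) Good: (0)".
POLICY_RE = re.compile(r"^Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, detection, details, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # banner, counts, blank, "(No malicious items detected)"
        # Segments before the final action ("Data: ...", "Bad: (1) Good: (0)")
        # are kept as details; the last segment is what MBAM did.
        segments = entry.group("rest").split(" -> ")
        entries.append({"section": section, "item": entry.group("item"),
                        "detection": entry.group("detection"),
                        "details": segments[:-1], "action": segments[-1]})
    return entries


def reboot_pending(entries):
    """Items MBAM could not remove while in use; they stay until a restart,
    which is why reply #2 asks for a reboot and a fresh scan first."""
    return [e for e in entries if e["action"].lower().startswith("delete on reboot")]


def policy_tampering(entries):
    """(item, bad, good) for policy values the malware had flipped."""
    found = []
    for e in entries:
        for detail in e["details"]:
            m = POLICY_RE.match(detail)
            if m:
                found.append((e["item"], int(m.group("bad")), int(m.group("good"))))
    return found


def summarize(entries):
    pending = reboot_pending(entries)
    return {"total": len(entries),
            "families": dict(Counter(e["detection"] for e in entries)),
            "pending_reboot": [e["item"] for e in pending],
            "reboot_required": bool(pending),
            "policy_tampering": policy_tampering(entries)}


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} detections, reboot required: {report['reboot_required']}")
    for item in report["pending_reboot"]:
        print("  pending reboot:", item)
    for item, bad, good in report["policy_tampering"]:
        print(f"  policy reset: {item} ({bad} -> {good})")
```

On the full log in #1 the same parser reports sixteen "Delete on reboot" items across the registry, LSA Authentication Packages and file sections, which is exactly why a second scan before rebooting cannot come back clean.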

#3 polygrinder
  • Topic Starter
  • Members
  • 12 posts

Posted 19 June 2008 - 12:57 AM

Here is the Malwarebytes log.

Malwarebytes' Anti-Malware 1.17
Database version: 869

10:23:05 PM 6/18/2008
mbam-log-6-18-2008 (22-23-05).txt

Scan type: Quick Scan
Objects scanned: 48548
Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------------------------------------

Here is the SDFix report.


SDFix: Version 1.194
Run by Administrator on Thu 06/19/2008 at 00:10

Microsoft Windows XP [Version 5.1.2600]
Running From: E:\sdfix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

E:\WINDOWS\system32\scif\MSWINSCK.OCX - Deleted
E:\WINDOWS\Temp\removalfile.bat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 00:30:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories]
@=""

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\3dsmax7\\3dsmax.exe"="E:\\3dsmax7\\3dsmax.exe:*:Enabled:3ds max 7"
"E:\\Program Files\\backburner 2\\monitor.exe"="E:\\Program Files\\backburner 2\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"E:\\Program Files\\backburner 2\\manager.exe"="E:\\Program Files\\backburner 2\\manager.exe:*:Enabled:backburner 2.3 manager"
"E:\\Program Files\\backburner 2\\server.exe"="E:\\Program Files\\backburner 2\\server.exe:*:Enabled:backburner 2.3 server"
"E:\\Program Files\\Avant Browser\\avant.exe"="E:\\Program Files\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"E:\\Program Files\\eDonkey2000\\edonkey2000.exe"="E:\\Program Files\\eDonkey2000\\edonkey2000.exe:*:Enabled:edonkey2000"
"E:\\Documents and Settings\\Micheal\\Local Settings\\Temporary Internet Files\\Content.IE5\\OLIZOPY3\\wowclient-downloader[1].exe"="E:\\Documents and Settings\\Micheal\\Local Settings\\Temporary Internet Files\\Content.IE5\\OLIZOPY3\\wowclient-downloader[1].exe:*:Enabled:Blizzard Downloader"
"E:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"="E:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe:*:Enabled:Dreamweaver 8"
"E:\\Program Files\\BitTorrent\\bittorrent.exe"="E:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"E:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="E:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"E:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="E:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"E:\\Program Files\\Autodesk\\Backburner\\manager.exe"="E:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"E:\\Program Files\\Autodesk\\Backburner\\server.exe"="E:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"E:\\Program Files\\LimeWire\\LimeWire.exe"="E:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"E:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"="E:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe:*:Enabled:Maya"
"E:\\Program Files\\Autodesk\\Cleaner XL 1.5\\Cleaner XL.exe"="E:\\Program Files\\Autodesk\\Cleaner XL 1.5\\Cleaner XL.exe:*:Enabled:Cleaner XL"
"E:\\Program Files\\BitRoll\\BitRoll.exe"="E:\\Program Files\\BitRoll\\BitRoll.exe:*:Enabled:Torrent P2P application"
"E:\\Program Files\\uTorrent\\utorrent.exe"="E:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"E:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"="E:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"E:\\WINDOWS\\system32\\java.exe"="E:\\WINDOWS\\system32\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"E:\\Program Files\\discreet\\combustion 4\\combustion.exe"="E:\\Program Files\\discreet\\combustion 4\\combustion.exe:*:Enabled:combustion"
"E:\\Documents and Settings\\Micheal\\Desktop\\utorrent.exe"="E:\\Documents and Settings\\Micheal\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"E:\\Program Files\\Bonjour\\mDNSResponder.exe"="E:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\\Program Files\\Crazybump Beta Test_6-2\\CrazyBump.exe"="E:\\Program Files\\Crazybump Beta Test_6-2\\CrazyBump.exe:*:Enabled:CrazyBump"
"E:\\Program Files\\iView MediaPro3\\IVIEW_MP.exe"="E:\\Program Files\\iView MediaPro3\\IVIEW_MP.exe:*:Enabled:iView Multimedia"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 14 May 2006 104,448 A..H. --- "E:\documents\~WRL0002.tmp"
Sun 14 May 2006 104,448 A..H. --- "E:\documents\~WRL0004.tmp"
Mon 25 Sep 2006 34,304 A..H. --- "E:\documents\~WRL0056.tmp"
Tue 13 Dec 2005 43,520 A..H. --- "E:\documents\~WRL0096.tmp"
Sun 24 Sep 2006 23,552 A..H. --- "E:\documents\~WRL0237.tmp"
Tue 13 Dec 2005 41,472 A..H. --- "E:\documents\~WRL0334.tmp"
Tue 13 Dec 2005 43,520 A..H. --- "E:\documents\~WRL0675.tmp"
Thu 29 Dec 2005 25,600 A..H. --- "E:\documents\~WRL0749.tmp"
Thu 29 Dec 2005 22,528 A..H. --- "E:\documents\~WRL0969.tmp"
Sat 13 May 2006 102,912 A..H. --- "E:\documents\~WRL1052.tmp"
Tue 20 Dec 2005 33,792 A..H. --- "E:\documents\~WRL1111.tmp"
Tue 13 Dec 2005 33,280 A..H. --- "E:\documents\~WRL1421.tmp"
Tue 13 Dec 2005 46,592 A..H. --- "E:\documents\~WRL1628.tmp"
Tue 13 Dec 2005 40,448 A..H. --- "E:\documents\~WRL1867.tmp"
Thu 29 Jun 2006 26,112 A..H. --- "E:\documents\~WRL2138.tmp"
Tue 19 Sep 2006 32,768 A..H. --- "E:\documents\~WRL2201.tmp"
Thu 29 Dec 2005 24,064 A..H. --- "E:\documents\~WRL2338.tmp"
Mon 24 Oct 2005 21,504 A..H. --- "E:\documents\~WRL3295.tmp"
Mon 24 Oct 2005 21,504 A..H. --- "E:\documents\~WRL3373.tmp"
Sun 27 Nov 2005 20,992 A..H. --- "E:\documents\~WRL3453.tmp"
Sun 7 May 2006 102,912 A..H. --- "E:\documents\~WRL3564.tmp"
Tue 12 Oct 2004 24,576 A..H. --- "E:\documents\~WRL3715.tmp"
Fri 13 Jan 2006 22,016 A..H. --- "E:\documents\~WRL3840.tmp"
Sun 14 May 2006 104,448 A..H. --- "E:\documents\~WRL3948.tmp"
Thu 24 Nov 2005 19,968 A..H. --- "E:\documents\~WRL3972.tmp"
Mon 19 Feb 2007 31,232 ...H. --- "E:\Documents and Settings\~WRL0208.tmp"
Wed 7 Mar 2007 13,165,056 ...H. --- "E:\Documents and Settings\~WRL0646.tmp"
Sun 18 Feb 2007 27,648 ...H. --- "E:\Documents and Settings\~WRL0892.tmp"
Sun 18 Feb 2007 26,112 ...H. --- "E:\Documents and Settings\~WRL1078.tmp"
Mon 19 Feb 2007 30,720 ...H. --- "E:\Documents and Settings\~WRL1120.tmp"
Wed 7 Mar 2007 23,040 ...H. --- "E:\Documents and Settings\~WRL1149.tmp"
Wed 7 Mar 2007 24,576 ...H. --- "E:\Documents and Settings\~WRL1171.tmp"
Sun 18 Feb 2007 28,672 ...H. --- "E:\Documents and Settings\~WRL1214.tmp"
Wed 7 Mar 2007 24,576 ...H. --- "E:\Documents and Settings\~WRL1378.tmp"
Sun 18 Feb 2007 27,136 ...H. --- "E:\Documents and Settings\~WRL1482.tmp"
Sun 18 Feb 2007 28,160 ...H. --- "E:\Documents and Settings\~WRL1542.tmp"
Mon 19 Feb 2007 31,232 ...H. --- "E:\Documents and Settings\~WRL1636.tmp"
Wed 7 Mar 2007 1,613,312 ...H. --- "E:\Documents and Settings\~WRL1718.tmp"
Mon 19 Feb 2007 31,232 ...H. --- "E:\Documents and Settings\~WRL2142.tmp"
Wed 7 Mar 2007 1,606,144 ...H. --- "E:\Documents and Settings\~WRL2249.tmp"
Mon 19 Feb 2007 31,744 ...H. --- "E:\Documents and Settings\~WRL2393.tmp"
Sun 18 Feb 2007 30,208 ...H. --- "E:\Documents and Settings\~WRL2434.tmp"
Sun 18 Feb 2007 30,208 ...H. --- "E:\Documents and Settings\~WRL2652.tmp"
Sun 18 Feb 2007 26,112 ...H. --- "E:\Documents and Settings\~WRL2926.tmp"
Sun 18 Feb 2007 29,696 ...H. --- "E:\Documents and Settings\~WRL2958.tmp"
Wed 7 Mar 2007 31,744 ...H. --- "E:\Documents and Settings\~WRL3399.tmp"
Wed 7 Mar 2007 13,346,816 ...H. --- "E:\Documents and Settings\~WRL3492.tmp"
Wed 7 Mar 2007 16,755,712 ...H. --- "E:\Documents and Settings\~WRL3529.tmp"
Sun 18 Feb 2007 27,648 ...H. --- "E:\Documents and Settings\~WRL3687.tmp"
Wed 7 Mar 2007 1,606,144 ...H. --- "E:\Documents and Settings\~WRL4059.tmp"
Wed 23 Apr 2008 40,448 ...H. --- "E:\eudy media\~WRL1188.tmp"
Wed 14 Feb 2007 21,504 ...H. --- "E:\eudy media\~WRL1795.tmp"
Sun 11 Feb 2007 23,040 ...H. --- "E:\Foodland\~WRL0850.tmp"
Mon 12 Feb 2007 23,552 ...H. --- "E:\Foodland\~WRL1735.tmp"
Mon 5 Feb 2007 22,016 ...H. --- "E:\Foodland\~WRL2621.tmp"
Mon 12 Feb 2007 23,552 ...H. --- "E:\Foodland\~WRL3661.tmp"
Tue 26 Sep 2006 127,488 A..H. --- "E:\Luxury\~WRL2930.tmp"
Tue 20 Dec 2005 33,280 A..H. --- "E:\Mini dvd tape labels\~WRL0514.tmp"
Tue 20 Dec 2005 31,744 A..H. --- "E:\Mini dvd tape labels\~WRL0562.tmp"
Tue 20 Dec 2005 31,744 A..H. --- "E:\Mini dvd tape labels\~WRL0598.tmp"
Sun 18 Sep 2005 101,376 A..H. --- "E:\Word Docs\~WRL0157.tmp"
Wed 10 Jan 2007 8 ..SHR --- "E:\WINDOWS\system32\1E0B05A1E3.sys"
Wed 10 Jan 2007 4,704 A.SH. --- "E:\WINDOWS\system32\KGyGaAvL.sys"
Wed 3 Jan 2007 4,348 A.SH. --- "E:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Sun 25 May 2008 24,064 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL0257.tmp"
Sun 25 May 2008 25,088 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL0765.tmp"
Sun 25 May 2008 36,352 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL0840.tmp"
Mon 26 May 2008 40,960 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL1109.tmp"
Sun 25 May 2008 29,696 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL1503.tmp"
Mon 26 May 2008 37,888 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL1863.tmp"
Mon 26 May 2008 39,424 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL2720.tmp"
Sun 20 Apr 2008 25,600 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL2869.tmp"
Sun 25 May 2008 33,792 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL2898.tmp"
Tue 13 Feb 2007 21,504 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL2910.tmp"
Sun 25 May 2008 34,816 ...H. --- "E:\Documents and Settings\Micheal\My Documents\~WRL3243.tmp"
Fri 13 Jun 2008 27,532 ...H. --- "E:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe-CommandBars"
Sun 5 Aug 2001 738 ..SH. --- "E:\Program Files\Pixologic\ZBrush3\zmem02svr.dll"
Sat 11 Nov 2006 0 A.SH. --- "E:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Thu 11 Jan 2007 384,000 ...H. --- "E:\Documents and Settings\Micheal\My Documents\Environmental Design MAB4013\~WRL3753.tmp"
Tue 29 Jan 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT18.tmp"
Fri 25 Feb 2005 27,648 A..H. --- "E:\documents\AID Bachelors\Courses_MMA\Courses_MMA\3rdQuater\~WRL3769.tmp"
Fri 15 Sep 2006 26,624 A..H. --- "E:\documents\AID Bachelors\MAB3043_Materials___Lighting3zip\MAB3043_Materials___Lighting\MAB4013 Environmental Design\~WRL0003.tmp"
Fri 15 Sep 2006 46,592 A..H. --- "E:\documents\AID Bachelors\MAB3043_Materials___Lighting3zip\MAB3043_Materials___Lighting\MAB4013 Environmental Design\~WRL0124.tmp"
Fri 15 Sep 2006 28,672 A..H. --- "E:\documents\AID Bachelors\MAB3043_Materials___Lighting3zip\MAB3043_Materials___Lighting\MAB4013 Environmental Design\~WRL2850.tmp"
Fri 15 Sep 2006 28,160 A..H. --- "E:\documents\AID Bachelors\MAB3043_Materials___Lighting3zip\MAB3043_Materials___Lighting\MAB4013 Environmental Design\~WRL3661.tmp"
Sat 16 Dec 2006 48,128 ...H. --- "E:\Documents and Settings\Micheal\Application Data\Microsoft\Word\~WRL2400.tmp"

Finished!

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,908 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 19 June 2008 - 06:44 AM

Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Also let me know how your computer is running and if there are any more reports/signs of infection.

#5 polygrinder
  • Topic Starter
  • Members
  • 12 posts

Posted 19 June 2008 - 02:46 PM

quietman7,

Thanks for the help. Below is the SUPERAntiSpyware Scan Log. My system is much better. The only thing I am still having an issue with is my desktop. I cannot get my desktop image to show. The image shows during the boot process once Windows comes up, but then disappears once the system is fully booted. Basically my desktop is a white background with my shortcuts, folders and files on the desktop showing up with their text/names with a blue border around them. I have gone into Display Properties and tried to load a background but nothing works.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/19/2008 at 01:38 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 03:37:08

Memory items scanned : 170
Memory threats detected : 0
Registry items scanned : 7849
Registry threats detected : 0
File items scanned : 44740
File threats detected : 0

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 June 2008 - 06:34 AM

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:
  • Security Info
  • Warning Message
  • Security Desktop
  • Warning Homepage
  • Privacy Protection
  • Desktop Uninstall
If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.

#7 polygrinder
  • Topic Starter
  • Members
  • 12 posts

Posted 20 June 2008 - 09:20 AM

That was it. There was a "Privacy Protection" tab in there. I unchecked it and deleted it and now I am all back to normal. Thanks for your efforts.

#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 June 2008 - 09:27 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
    • Go to Start > Run and type: Cleanmgr
    • Click "Ok".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#9 polygrinder
  • Topic Starter
  • Members
  • 12 posts

Posted 20 June 2008 - 05:42 PM

Done. Thanks so much for your help.

#10 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 June 2008 - 08:23 PM

Hello I've also noticed ...
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Now do the New restore point again as in Post #8.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#11 polygrinder
  • Topic Starter
  • Members
  • 12 posts

Posted 20 June 2008 - 11:51 PM

Old Java removed. New Java installed. New Restore point created and old restore points deleted.

#12 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 June 2008 - 06:29 AM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
  • "Simple and easy ways to keep your computer safe".
  • "How did I get infected?, With steps so it does not happen again!".
  • "Best Practices - Internet Safety for 2008".
  • "Hardening Windows Security - Part 1 & Part 2".
  • "IE Recommended Minimal Security Settings".
  • "How to Set Security Options in the Firefox Browser".

#13 polygrinder
  • Topic Starter
  • Members
  • 12 posts

Posted 23 June 2008 - 04:12 PM

Now I have a new problem. Now my computer is going to the "blue screen of death". After I boot my computer the SUPERAntiSpyware software comes up and then the computer shuts down to the blue screen. What can I do?

I can boot into safe mode and the computer runs ok. Only when I boot into normal mode does it dump to the blue screen.

Edited by polygrinder, 23 June 2008 - 04:30 PM.


#14 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 June 2008 - 04:46 PM

The symptoms you describe could be malware related or they could be due to hardware or overheating problems caused by a failed processor fan, bad memory (RAM), failing power supply, underpowered power supply, CPU overheating, motherboard, video card, faulty drivers, BIOS and firmware problems, dirty hardware, etc. If the computer is overheating, it usually begins to shutdown/restart on a more regular basis.

In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast. You should be able to see the error by looking in the Event Log. Read "How To Use the Event Viewer Applet". You can then gather more information doing a search of the Event ID number.
Also see Memory Dumps in XP, Overview of memory dump file options for Windows 2000/XP/2003 and How to read small memory dump files in Windows 2000/XP/2003.

An alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD).

To change the recovery settings and Disable Automatic Rebooting, go to Start > Run and type: sysdm.cpl
Click Ok or just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is UNchecked.
  • Click "OK" and reboot for the changes to take effect.
Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information that will allow you to better trace your problem. You can use Google to search the error code or post it back here along with any files/drivers listed so we can help you investigate the cause.

#15 polygrinder
  • Topic Starter
  • Members
  • 12 posts

Posted 23 June 2008 - 05:33 PM

OK, here is the Error Log. I was doing a Windows online update when the first event happened.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 6/23/2008
Time: 16:29:15
User: N/A
Computer: EUDY1
Description:
The following boot-start or system-start driver(s) failed to load:
eeCtrl
Fips
intelppm
SASDIFSV
SASKUTIL
SCDEmu
SPBBCDrv
SRTSP
SRTSPX
SYMTDI

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 6/23/2008
Time: 16:28:19
User: NT AUTHORITY\SYSTEM
Computer: EUDY1
Description:
DCOM got error "This service cannot be started in Safe Mode "
attempting to start the service EventSystem with arguments "" in order to run
the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: Save Dump
Event Category: None
Event ID: 1001
Date: 6/23/2008
Time: 16:27:48
User: N/A
Computer: EUDY1
Description:
The computer has rebooted from a bugcheck. The bugcheck was:
0x1000008e (0xc0000005, 0x89939731, 0xb85d6c3c, 0x00000000). A dump was saved
in: E:\WINDOWS\Minidump\Mini062308-04.dmp.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 6/23/2008
Time: 16:18:02
User: N/A
Computer: EUDY1
Description:
Error code 1000008e, parameter1 c0000005, parameter2 89937731,
parameter3 b85dec3c, parameter4 00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:


Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 6/23/2008
Time: 16:18:21
User: N/A
Computer: EUDY1
Description:
Error code 1000008e, parameter1 c0000005, parameter2 89933731,
parameter3 b85d6c3c, parameter4 00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/23/2008
Time: 16:23:59
User: N/A
Computer: EUDY1
Description:
The Windows sharing object service failed to start due to the following
error:
The system cannot find the file specified.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 6/23/2008
Time: 16:08:56
User: N/A
Computer: EUDY1
Description:
Error code 1000008e, parameter1 c0000005, parameter2 89937731,
parameter3 b85dec3c, parameter4 00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:


Event Type: Information
Event Source: Save Dump
Event Category: None
Event ID: 1001
Date: 6/23/2008
Time: 16:14:30
User: N/A
Computer: EUDY1
Description:
The computer has rebooted from a bugcheck. The bugcheck was:
0x1000008e (0xc0000005, 0x89933731, 0xb85d6c3c, 0x00000000). A dump was saved
in: E:\WINDOWS\Minidump\Mini062308-03.dmp.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: SRTSP
Event Category: None
Event ID: 2003
Date: 6/23/2008
Time: 16:13:39
User: N/A
Computer: EUDY1
Description:
Symantec Antivirus minifilter successfully loaded.
Data:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/23/2008
Time: 16:16:34
User: N/A
Computer: EUDY1
Description:
The Windows sharing object service failed to start due to the following
error:
The system cannot find the file specified.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: Save Dump
Event Category: None
Event ID: 1001
Date: 6/23/2008
Time: 16:05:12
User: N/A
Computer: EUDY1
Description:
The computer has rebooted from a bugcheck. The bugcheck was:
0x1000008e (0xc0000005, 0x89937731, 0xb85dec3c, 0x00000000). A dump was saved
in: E:\WINDOWS\Minidump\Mini062308-02.dmp.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: SRTSP
Event Category: None
Event ID: 2003
Date: 6/23/2008
Time: 16:04:22
User: N/A
Computer: EUDY1
Description:
Symantec Antivirus minifilter successfully loaded.
Data:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/23/2008
Time: 16:07:47
User: N/A
Computer: EUDY1
Description:
The Windows sharing object service failed to start due to the following
error:
The system cannot find the file specified.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 6/23/2008
Time: 15:53:31
User: N/A
Computer: EUDY1
Description:
Error code 1000008e, parameter1 c0000005, parameter2 8992a731,
parameter3 f7946c3c, parameter4 00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 6/23/2008
Time: 16:00:11
User: N/A
Computer: EUDY1
Description:
The Windows sharing object service failed to start due to the following
error:
The system cannot find the file specified.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Windows Update Agent
Event Category: Software Sync
Event ID: 16
Date: 6/23/2008
Time: 00:57:04
User: N/A
Computer: EUDY1
Description:
Unable to Connect: Windows is unable to connect to the automatic
updates service and therefore cannot download and install updates according
to the set schedule. Windows will continue to try to establish a
connection.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
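A parser for the Event Viewer text export polygrinder pasted, added here as an illustration and not code from the thread: it pulls the STOP code and its first parameter out of the Save Dump (1001) and System Error (1003) entries and the driver list out of the 7026 entry, which is the correlation quietman7 suggests doing by hand. The sample log, the function names and the C: dump path are constructed; the bugcheck and NTSTATUS names are the standard Microsoft ones.

```python
import re
# Constructed sample in the Event Viewer "copy details" text format the poster pasted
# above; driver names and STOP values come from the thread, the dump path is a placeholder.
SAMPLE_LOG = """Event Type: Error
Event ID: 7026
Time: 16:29:15
Description:
The following boot-start or system-start driver(s) failed to load:
intelppm
SASDIFSV

For more information, see Help and Support Center at

Event Type: Information
Event ID: 1001
Time: 16:27:48
Description:
The computer has rebooted from a bugcheck. The bugcheck was:
0x1000008e (0xc0000005, 0x89939731, 0xb85d6c3c, 0x00000000). A dump was saved
in: C:\\WINDOWS\\Minidump\\Mini062308-04.dmp.

Event Type: Error
Event ID: 1003
Time: 16:18:02
Description:
Error code 1000008e, parameter1 c0000005, parameter2 89937731,
parameter3 b85dec3c, parameter4 00000000.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
"""

BUGCHECK_RE = re.compile(r"0x([0-9a-f]{8}) \(0x([0-9a-f]{8}), 0x([0-9a-f]{8}), "
                         r"0x([0-9a-f]{8}), 0x([0-9a-f]{8})\)", re.I)     # Save Dump (1001) form
ERRCODE_RE = re.compile(r"Error code ([0-9a-f]{8}), parameter1 ([0-9a-f]{8}), "
                        r"parameter2 ([0-9a-f]{8}),\s*parameter3 ([0-9a-f]{8}), "
                        r"parameter4 ([0-9a-f]{8})", re.I)                 # System Error (1003) form
KNOWN = {"1000008e": "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M",  # STOP 0x8E variant seen in Save Dump events
         "c0000005": "STATUS_ACCESS_VIOLATION"}              # parameter1 = the unhandled exception status

def parse_events(text):
    # One dict per event: the "Key: value" header lines plus the Description body.
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        header, _, body = chunk.partition("Description:\n")
        fields = dict(l.split(": ", 1) for l in header.splitlines() if ": " in l)
        # Drop the generic "For more information" trailer and any hex Data dump.
        fields["Description"] = re.split(r"\n\s*\nFor more information|\nData:", body)[0].strip()
        events.append(fields)
    return events

def summarize(events):
    # STOP codes with their parameter1 exception status, plus drivers that failed to load.
    crashes, failed_drivers = [], []
    for ev in events:
        desc = ev["Description"]
        if ev.get("Event ID") in ("1001", "1003"):
            m = BUGCHECK_RE.search(desc) or ERRCODE_RE.search(desc)
            if m:
                code, exc = m.group(1).lower(), m.group(2).lower()
                crashes.append({"time": ev.get("Time"), "code": code, "name": KNOWN.get(code, "unknown"),
                                "exception": KNOWN.get(exc, exc)})
        elif ev.get("Event ID") == "7026":  # every non-empty line after the sentence is a driver name
            failed_drivers += [l.strip() for l in desc.splitlines()[1:] if l.strip()]
    return {"crashes": crashes, "failed_drivers": failed_drivers}
```

Read the 7026 list with its timing in mind: the one in the log above sits next to a DCOM error that names Safe Mode, and a Safe Mode boot intentionally skips third-party boot-start drivers, so compare it against a 7026 entry from a normal boot before treating a listed driver as the culprit.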



