
STOP Screen


6 replies to this topic

#1 Always_in_need


Posted 28 July 2005 - 01:38 PM

STOP: c000026c (Unable to Load Device Driver)
\??\C:\WINNT\system32\msudp4.sys device driver could not be loaded. Error Status was 0xc0000020.

That's the error message I get whenever I try to log on to Windows, but this occurs right before what should be the normal sign in screen. Now this screen is called the Stop Screen. I of course have never heard of a Stop screen, but I do know it's blue, and blue is not a great computer screen color. Now this occurred after my last restart, and I was using HijackThis to rid myself of clicksearch.com (home page evil) and of course I must've for some reason or another taken that system file out as well (note my problem with click search comes and goes while in safe mode). I am currently in safe mode and fear for the fact I will once again have to bring this computer in. If there is any other information you need to know just ask, I think I got it all.

This is my current hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 2:30:06 PM, on 28/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Matt's stuff\HijackThis.exe

O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{EE98C0C6-1035-4ADC-A4E9-9441A1D60283}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\system32\Services\{EE98C0C6-1035-4ADC-A4E9-9441A1D60283}\SECURITY.EXE
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O20 - Winlogon Notify: tcpG4T - C:\WINNT\SYSTEM32\tcpG4T.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

Edited by Always_in_need, 28 July 2005 - 02:27 PM.



#2 Always_in_need

Posted 28 July 2005 - 02:27 PM

*NOTE: msvdp4.sys is actually msudp4.sys.

#3 perculator


Posted 28 July 2005 - 06:13 PM

Hello,

Start your computer in Safe mode

Start hijack this and put a check at the following lines

O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe

O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{EE98C0C6-1035-4ADC-A4E9-9441A1D60283}\SVCHOST.EXE

O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\system32\Services\{EE98C0C6-1035-4ADC-A4E9-9441A1D60283}\SECURITY.EXE

O20 - Winlogon Notify: tcpG4T - C:\WINNT\SYSTEM32\tcpG4T.dll

now click Fix checked
and close hijack this

***
Now remove the following files

c:\winnt\system32\mdms.exe
C:\WINNT\SYSTEM32\tcpG4T.dll
C:\WINNT\system32\msudp4.sys

And remove the following folder

C:\WINNT\system32\Services


***
Restart your computer in normal mode.
Run hijack this and post a fresh log on this board

#4 Always_in_need


Posted 29 July 2005 - 01:19 PM

Thanks, but I tried everything you of course said, and every time I went to delete the three files, they always said "Access Denied. Source File In use". I've encountered this problem often in the past as well.

Services was successfully deleted, and msupd4.sys says specifically:

Cannot Deleted msupd4.sys: There has been a sharing violation. The source or destination file may be in use.

My new log

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mdms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Matt's stuff\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.com
O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O20 - Winlogon Notify: tcpG4T - C:\WINNT\SYSTEM32\tcpG4T.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

Edited by Always_in_need, 29 July 2005 - 01:26 PM.


#5 perculator


Posted 29 July 2005 - 06:22 PM

Hello,

Start hijack this and put a check at the following lines

O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe

O20 - Winlogon Notify: tcpG4T - C:\WINNT\SYSTEM32\tcpG4T.dll

Click Fix checked
And close hijack this



Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

c:\winnt\system32\mdms.exe
C:\WINNT\SYSTEM32\tcpG4T.dll
C:\WINNT\system32\msudp4.sys

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.


After the restart,

Run hijack this and post a fresh log together with your comment on how things are going now

#6 Always_in_need


Posted 31 July 2005 - 06:22 PM

PendingFileRenameOperations Registry Data has been Removed by External Process!

Uh, that shows up when I tried.

*Note: I made a mistake myself, it worked, at least I think it worked.

Well, I tried what you suggested, and everything looked like it worked, but I'm not sure if it only works on a normal reboot, because I still have the Stop screen problem, and the only way I can access anything is Safe mode with networking.

My current Hijack this Log

Logfile of HijackThis v1.99.1
Scan saved at 7:27:05 PM, on 31/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Matt's stuff\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nhq.ci.gc.ca
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

Edited by Always_in_need, 31 July 2005 - 06:37 PM.


#7 perculator


Posted 01 August 2005 - 02:59 PM

hello, pretty stubborn there



check the following line again in hijack this

O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)

click Fix checked
and close hijack this


No matter how you do it, get CleanUp! on your computer. I wish you luck.
Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system


Now keep your fingers crossed and do the following scan.
Panda virus check
Make sure you've got autoclean selected

and after that perform the following
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList into your post, together with a fresh HijackThis log


please tell me things are getting better
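
Added example, not part of the original thread or of HijackThis itself: a small Python comparison of two HijackThis logs that reports which entries were removed, which appeared, and which still point at a missing file, as happened with the O20 entry between the 28 July and 31 July logs. The sample lines are copied from those logs; the rule used to split an entry's identity from its target is an assumption based on the lines shown here.

```python
import re

# Entry lines start with a section code (R0, O4, O20, ...) followed by " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Assumed layout: identity ends at "] " (O4), " - " (O16/O20/O23) or " = " (R0/O17).
SPLIT = re.compile(r"(?<=\]) | - | = ")

# Sample input: entry lines copied from the 28 July and 31 July logs in this thread.
LOG_28_JULY = r"""
O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\system32\Services\{EE98C0C6-1035-4ADC-A4E9-9441A1D60283}\SVCHOST.EXE
O20 - Winlogon Notify: tcpG4T - C:\WINNT\SYSTEM32\tcpG4T.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
"""
LOG_31_JULY = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.com
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
"""

def parse(log):
    """Return {(section, identity): target} for every entry line in a log."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        parts = SPLIT.split(m.group(2), maxsplit=1)
        entries[(m.group(1), parts[0])] = parts[1] if len(parts) > 1 else ""
    return entries

def compare(before, after):
    """Classify entries by what happened to them between two logs."""
    old, new = parse(before), parse(after)
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        # Registry entry is still present although its file is gone.
        "orphaned": sorted(k for k in new if "(file missing)" in new[k]),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }

if __name__ == "__main__":
    for status, keys in compare(LOG_28_JULY, LOG_31_JULY).items():
        for section, identity in keys:
            print(f"{status:9} {section:4} {identity}")
```
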



