[Didylu]

Hello,
I read an article about adding a safe mode option to the boot menu in Windows XP. It had me go to system properties/advanced tab/ edit in startup and recovery. I tried to do what it said, all it did was get the window intaller requesting a disc I do not have for TrayApp. I can't cancel it and system restore can't fix it.
Here is what it says in the boot.ini.notepad now:

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=CK4V36 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition1(\WINDOWS="MicrosoftWindowsXP"/noexecute=optin/fastdetect/TUTag=CK4V36-BAK

Can someone please tell me how to stop the windows installer and make the TrayApp go away?
Any and all help will be very much appreciated.
Thank you,
Diane Mitchell

[Advertisements]

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=CK4V36 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition1(\WINDOWS="MicrosoftWindowsXP"/noexecute=optin/fastdetect/TUTag=CK4V36-BAK

(emphasis added)

Try this with proper spacing:

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=CK4V36 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MicrosoftWindowsXP" /noexecute=optin /fastdetect /TUTag=CK4V36-BAK

It looks like you are using an alternate kernel, so I have no idea how that's going to affect your safe mode, or if you need to specify the TUTag if you aren't loading the TUKernel.

EDIT: Correct me if I'm wrong, but the second entry isn't a safe mode entry, it's just without the alternate kernel. The proper entry for true Safe Mode is:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MicrosoftWindowsXP" /fastdetect /safeboot:network

The safeboot switch can be replaced with /safeboot:minimal for normal Safe Mode or safeboot:minimal(alternateshell) for Safe Mode with Command Prompt. I also took out the DEP switch (noexecute=optin) for Safe mode.

Edited by The Admiral, 22 September 2008 - 06:42 AM.

[The Admiral]

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=CK4V36 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition1(\WINDOWS="MicrosoftWindowsXP"/noexecute=optin/fastdetect/TUTag=CK4V36-BAK

(emphasis added)

Try this with proper spacing:

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=CK4V36 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MicrosoftWindowsXP" /noexecute=optin /fastdetect /TUTag=CK4V36-BAK

It looks like you are using an alternate kernel, so I have no idea how that's going to affect your safe mode, or if you need to specify the TUTag if you aren't loading the TUKernel.

EDIT: Correct me if I'm wrong, but the second entry isn't a safe mode entry, it's just without the alternate kernel. The proper entry for true Safe Mode is:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MicrosoftWindowsXP" /fastdetect /safeboot:network

The safeboot switch can be replaced with /safeboot:minimal for normal Safe Mode or safeboot:minimal(alternateshell) for Safe Mode with Command Prompt. I also took out the DEP switch (noexecute=optin) for Safe mode.

Edited by The Admiral, 22 September 2008 - 06:42 AM.

[Didylu]

Dear Admiral, Sir,
I really tried. I cut my code and copied and pasted yours so it would be exactly right with no typos. Unfortunately, this did not solve my problem. I restarted a couple of times to make sure. I tried to send you a screen shot of the TrayApp. This is what it says:

The feature you are trying to use is on a CD-ROM or other removable disc that is not available.
Insert the 'TrayApp' disc and click OK.

I have no such disc that I am aware of. If I click cancel:


! an installation package for the application TrayApp cannot be found. Try the installation again using a valid copy of the installation package 'TrayApp.msi'.

I was sure it would work. Do you have anymore ideas?
I appreciate your time and trouble.
Thank you so much,
Diane Mitchell

[The Admiral]

I'm sorry Didylu, but further research shows that TUKernel is not a kernel replacement you want, or are probably aware of. TUKernel is a pretty bad malware, judging by the fact that the third Google result is tukernel.exe - Dangerous.

Because I'm not malware staff, I will be unable to assist you further with this problem until we are able to resolve this TUKernel problem. Please follow the directions HERE, and if the problem isn't resolved, follow the directions in Step 5 of those directions to post a Hijack This! log so we can disinfect your system. Once we're all clear, return to this thread so we can continue adding Safe Mode to your boot menu.

[Didylu]

Thanks Admiral,
I will do as you suggest. You have been very helpful.
I'll let you know.
Didylu

[Didylu]

Dear Admiral,
I got a little confused and don't think I sent the hijack log. I sent them other stuff, but they said not to post more than once. I will give you the hijack log. If you can give it to them I would appreciate it. If you can't I will understand.
HIJACK LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:11 PM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\AOL\1221713528\ee\AOLSoftware.exe
C:\Program Files\AOL 9.1\waol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Secunia\PSI (RC3)\psi.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\st00000\mjsetup.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1221713528\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MagicSpeedBooster] C:\Program Files\Smart PC Solutions\Magic Speed\MagicSpeedBooster.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe (User 'Default user')
O4 - .DEFAULT Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User 'Default user')
O4 - Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1221596387383
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1221706103078
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9581 bytes

Thanks again. It's working fine. That thing just annoys me and seems to be interfering with other downloads.
Didylu

[The Admiral]

Actually, it would be better if you went into your post and edited it to include this log - it looks like you have the MBAM log, which is great. So at the bottom of your post, click the button, select Quick Edit, and just paste in this log. Don't create a new post though, you're right about that. I am worried about this, it doesn't look like anything nice you want on your system. Glancing over the log, there are some entries that jump out to me, but I am not qualified to give malware advice and need one of our experts to look at it. I'll be keeping an eye on your topic in the malware forum.

If it takes longer than three days for someone to look at your topic, please follow the instructions in this thread to post a new topic in the Waiting Room, where it will receive special attention.

Edited by The Admiral, 23 September 2008 - 09:40 PM.

[Didylu]

Thanks so much. You are great!
Diane

[Didylu]

Dear Admiral,
Great news! I found and used the Windows Installer and Clean up Utility. Within it I found TrayApps and deleted it. Before that Microsoft fixed my corrrupted Net Framework remotely. Now all is well. Thanks for your time and help.
Sincerely,
Diane
I am happy again!