
computer shuts down



#1
gremlin

gremlin

    New Member

  • Member
  • Pip
  • 7 posts
Hope you guys can help because I am stumped!

My brother's computer will start up and then go into a warning that "Services.exe has terminated due to a Status Code 128" error from NT Authority and that it will shut down in 60 seconds.
He is on Windows 2000 Service pack 4. Pentium3 500MB

I can get in on Safe mode, but cannot connect to the internet. I downloaded to a USB SanDisk (from MY home) and have run Spybot, Ad-aware, Stinger, and CWShredder as well as his McAfee virus scan. One problem is that I cannot update the Spybot, etc. after they are loaded to his computer due to no internet. Just can't do it in 60 seconds on his dialup! I cleaned out quite a bit of trash, but still have not been able to overcome the shutdown.

I went to Microsoft for info and found a reg fix #318447 for Lanmanserver, but that did not solve the problem. There were no reg keys to correct.

The problem started after Windows 2000 service pack 4, and Ipod software was installed, then I connected to the internet the first time. I did try to remove Service pack 4 and Ipod software, but could not do so in Safe mode.

Be aware that I am doing this remotely and will have to take your advice over to his computer tomorrow and try the fix, then come home and reply to success or failure, so if you can give me several steps, it might shorten the process.

This is all the info I have at this point. What should I be looking for? I have the Hijack log as follows.


Thanks in advance for any assistance you can offer.

Gremlin


Logfile of HijackThis v1.99.0
Scan saved at 6:06:07 PM, on 1/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.att.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.att.net/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.att.net/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TEMP\TV MEDIA\TVMBHO.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Security Agent Manager] mssce.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpmf32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssce.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssce.exe
O4 - HKCU\..\RunServices: [Security Agent Manager] mssce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: v3cab - http://searchmiracle.com/cab/3.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - (no file)
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



Thanks again! I can usually handle most problems, but this has had me for a week!
  • 0



#2
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi Gremlin

Shutdowns of this nature can have a number of causes. The most common is any variant of the Blaster worm/virus but it's not the only one. If you have run Stinger, I would expect that it would have picked those viruses up when it scanned. Some spyware programs also cause this problem.

I presume that this log was done in Safe Mode because very few processes are running - for example a firewall and antivirus software are not running. There are certainly some problems in the log so we'll start with those and then see if we can get a HijackThis scan in normal mode which will give us some more information about running processes. There is evidence of a couple of well-known spyware programs. Stay in Safe Mode and do this much. I don't think this will catch everything though :tazz:

Open Hijack This and click on Do system scan. Check the following items. Close any open windows and click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TEMP\TV MEDIA\TVMBHO.DLL (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpmf32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: v3cab - http://searchmiracle.com/cab/3.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - (no file)


Open Windows Explorer > Tools > Folder Options > View, select:

Show hidden files and folders
Display the contents of system folders

Uncheck:
Hide extensions for known file types
Hide protected operating system files

Find and delete these files

C:\windows\system32\kalvpmf32.exe
c:\temp\salm.exe - this file is important but delete all files in the temp folder and sub-folders - you don't need to delete the folders. There should be no .exe files running out of the \temp folder
C:\WINDOWS\system32\maxspeed.exe

Use Windows Explorer to delete all the Temporary Internet Files including the files in the sub-folders.

Reboot into normal mode. To stop the computer shutting down in 60 seconds problem:

As soon as the Windows screen with the error message comes up:

Go to Start > Run and type this command in the run box.

shutdown -a

and click on OK.

You should now be able to work in normal mode, which will give you some more options for problem solving. Do another HijackThis log and post that.
  • 0

#3
gremlin

gremlin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry to take so long to get back on this. I had an urgent out-of-town business trip. Anyway, it looks like the fix is working. He has had no shutdown since I fixed the items you listed.
I was able to boot normally and access the internet to update the definitions for adaware, Spybot, etc and re-ran all programs. I cleaned anything suggested.
It still boots up fine.

I tried to run his virus protection (McAfee) and found it was disabled (cannot find file). I asked him to reload and update McAfee and then run and let me know if anything was found. He did not find anything in his virus scan. It should now be running at startup.

All seems to be working normally and to you Sir a very heartfelt thanks! You guys are WONDERFUL!

I will verify his antivirus is updated on a regular basis to avoid a repeat of this. Next step is to add a firewall.

I have posted the last HIJACK log for your review. This was done before McAfee was reinstalled. If there is anything that should still be cleared please let me know.

Logfile of HijackThis v1.99.0
Scan saved at 6:28:09 PM, on 1/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\mssce.exe
C:\Program Files\iPod\bin\iPodService.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.att.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.att.net/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.att.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Security Agent Manager] mssce.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssce.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssce.exe
O4 - HKCU\..\RunServices: [Security Agent Manager] mssce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  • 0

#4
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi gremlin

Now we can see a bit more of what is happening.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find this process in the list, select it and click on "Kill Process". Read the name very carefully as there may be some names that are similar but that are genuine files.

mssce.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and click on Fix checked.


O4 - HKLM\..\Run: [Security Agent Manager] mssce.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssce.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssce.exe
O4 - HKCU\..\RunServices: [Security Agent Manager] mssce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Open Windows Explorer and find this file

C:\WINDOWS\system32\mssce.exe - Delete file only. If you have a problem deleting it - reboot into Safe Mode for the deletion.

Reboot and do a fresh HijackThis log in Normal Mode.

Install some prevention for the future. Although this isn't your computer you should reinforce the need for basic internet security and safe surfing habits.

A firewall is essential if the computer is on the internet. These all have free versions.

Zone Alarm http://www.Zonelabs.com/
Sygate http://soho.sygate.c...ownload_buy.htm
Tiny Personal Firewall http://www.webmasterfree.com/tpfw.html
Kerio Personal Firewall http://www.kerio.com/kpf_download.html

Keep the firewall up to date and read alerts before clicking Yes.

Keep Windows and Internet Explorer fully up to date - use automatic updates if possible.

See if the user will consider using Firefox or Mozilla as a browser. They are free and more secure than internet explorer. Firefox is easy to use and doesn't take long to get used to. http://www.mozilla.org

Don't click on OK or yes on any advert on a webpage or in spam email.

Keep antivirus program up to date and do regular scans
Keep Adaware up to date and do regular scans
Keep Spybot Search and Destroy up to date and do regular scans

These are free and will help to keep quite a lot of spyware off any PC:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html
SpywareGuard http://www.javacools...sgdownload.html - gives real time monitoring of common spyware changes.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. The download is quite a long way down the page - but the page is worth reading for more information about spyware.
https://netfiles.uiu...ww/resource.htm
  • 0
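
The patterns visible in the entries selected for fixing in replies #2 and #4 (entries marked "(no file)" or "(file missing)", an autorun launched from a \temp folder, one autorun registered under several Run keys) and the before/after comparison of two logs can be scripted. This is an added example, not part of the original posts and not part of HijackThis. The function names and the three rules are assumptions made for illustration, and the sample lines are copied from the logs in this thread.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the first HijackThis log in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\services.exe
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINDOWS\TEMP\TV MEDIA\TVMBHO.DLL (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Security Agent Manager] mssce.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpmf32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssce.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssce.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""
# Constructed input: the same entries as they appear in the second log, after the first fix.
AFTER = r"""Logfile of HijackThis v1.99.0
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Security Agent Manager] mssce.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssce.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssce.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                 # e.g. "O4 - ..."
O4 = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")    # key: [name] command

def parse_entries(log_text):
    """Return (code, body) per scan entry; header and process lines are skipped."""
    hits = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]

def triage(log_text):
    """Flag entries for review. The rules narrow a log down; they do not replace
    a reviewer (kalvsys above matches none of them and is not flagged)."""
    findings, keys_by_autorun = [], defaultdict(set)
    for code, body in parse_entries(log_text):
        # Rule 1: registry entry whose target file no longer exists.
        if body.endswith(("(no file)", "(file missing)")):
            findings.append(("orphan", code, body))
        m = O4.match(body) if code == "O4" else None
        if not m:
            continue
        key, name, command = m.groups()
        # Rule 2: autorun command located in a temp directory.
        if re.search(r"\\te?mp\\", command, re.IGNORECASE):
            findings.append(("runs-from-temp", code, body))
        keys_by_autorun[(name, command)].add(key)
    # Rule 3: the same autorun registered under more than one Run key.
    for (name, command), keys in sorted(keys_by_autorun.items()):
        if len(keys) > 1:
            findings.append(("multi-key-autorun", "O4",
                             f"{name} -> {command} in {len(keys)} keys"))
    return findings

def removed_entries(before, after):
    """Entries present in the earlier log and gone from the later one."""
    kept = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in kept]
```

Calling `triage()` on each new log and `removed_entries()` on consecutive logs shows which fixes took effect and what still needs review.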

#5
gremlin

gremlin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
HI!
I finally was able to correct the last issues. He has reloaded the antivirus and hopefully updated to current protection. Here is the latest Hijack log. All seems to be running well!
Thanks for your help!

Gremlin

PS - have you seen Bob Livingston's windows secrets article re:Adware out today- Windows Secrets Newsletter
Issue 46 — 2005.01.27
very comprehensive and informative. It mirrors some of what this site is advocating, but it should be required reading for all computer users. You may want to take a look and possibly suggest a posting of it in the initial forum of what to do first.



Logfile of HijackThis v1.99.0
Scan saved at 6:41:05 PM, on 1/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Blake and Alex\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.att.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.att.net/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.att.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InstallNAIProduct] "D:\Vsp\setup.exe" /RUNKEY
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
  • 0

#6
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi Gremlin

That looks pretty good. If he installs enough basic protection and is careful while using the internet it should keep you out of trouble for a while :tazz:

There's a lot of good information in these two topics as well.

http://www.geekstogo..._Log-t2852.html

http://www.geekstogo...ources-t38.html
  • 0

#7
gremlin

gremlin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Many thanks for a job well done.
You will never know how much you've helped educate me on the spyware problem and its prevention.

Again Thank you!

Gremlin
  • 0

#8
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Glad it helped :tazz:
  • 0





