[gerryf]

baffling...could you downlaod and attach a hijackthis log for me in your next post


Some rare trojans/worms will prevent you from loading safemode so they cannot be removed.

[Advertisements]

gerryf,
Will be able to do later today and report back about 6pm (EST).
Thanks for cont review..ZiaMan

[ZiaMan]

gerryf,
Will be able to do later today and report back about 6pm (EST).
Thanks for cont review..ZiaMan

[ZiaMan]

[size=7]gerrf,
Sorry for delay. Prior to HJT log, ran (under Temp op syst choice):
AD-aware-SE
CWShredder
Spybot S&D
Ewido
Trend Housecall
=============================

Logfile of HijackThis v1.99.1
Scan saved at 5:17:41 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\hp\KBD\kbd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis011106.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [KBD] C:\hp\KBD\kbd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} (PHSVPNPortal.VPNPortalCtl) - http://portal.partne...HSVPNPortal.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123626779531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123627393531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} (DDSC Class) - https://man.dph.stat...rces/msddsc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[gerryf]

Lot of stuff going on in there....

When you tap the f8 key, and see the boot menu (not the one with the three choices, but the one that lists safe mode, normal mode, safe mode with networking...etc

Have you tried

Enable VGA mode?

I don't see anything specific in the the log, though I do not care for the omnipass opxgina

There is nothing wrong with it, it's legitimate software used for password and biometrics detection...I just always get a little concerned about custom ginas since they are such a critical phase of the boot process. I would think that if it worked in normal mode, it would work in safe mode.

[ZiaMan]

Chose "Enable VGA Mode" . Then selected regular "W-XP Home Edition" - system scrolls the drivers , but then kicks back to rebooting with the Compaq logo screen.
If I choose "Enable VGA Mode" and then select Temp op system, system went to "Starting Windows" , definitely in a larger font than usual. Eventually went to listing only two users - Max and Logan . Did not list me as Owner (Administrator) , nor my wife (who doesn't have a password to start Windows).
Chose Logan , entered his password, and system eventually went into Desktop.

Should I check Omnipass opxgina in HTJ? I do not/will not use for biometrics.
And what do mean by "custom ginas"? Not familair with this. What is "ginas" cryptic for?

[gerryf]

gina = Graphical Identification and Authentication (GINA) DLL

It is used to obtain a user's account name and password. The default GINA.dlland is responsible for showing the the standard Windows logon dialog box.

Microsoft allows for non-standard or custom GINAs so people can use different user identification mechanisms. For example, I think your's might be used for a thumbprint recognition device?

It is not a huge deal...I wouldn't worry about it. The GINA wouldn't be called until later in the boot process anyway.

However, the vga mode working is interesting.

Have we disabled auto-reboot? I do not think we did, since it is normally not an issue in safemode.

Right click MY COMPUTER, choose PROPERTIES, choose ADVANCED, choose SETTINGS button in STARTUP AND RECOVERY section....is AUTOMATICALLY REBOOT CHECKED?

If so, uncheck it, and then reboot into safe mode...it should kick up a blue screen stop error. If it does, post back as much info as possible...if not, well, I've got some more ideas.

[ZiaMan]

Was checked, so unchecked.
Rebooted and chose Safe Mode.
Got blue screen with following info (summary):
A problem has been detected and W. has been shut down. to prevent damage
IRQL_NOT_LESS_OR_EQUAL
If this is first time seeing this stop error screen, then restart. If appear again, check that any new HW or SW is properly installed. If new installation, ask HW or SW manufacturer for updates.
If problem continues, disable or remove any newly installed HW or SW. Disable BIOS memory options such as Caching or shawdowing. If need to to use Safe Mode, use F8....blah, blah.
Technical Information

Edited by ZiaMan, 11 January 2006 - 11:19 PM.

[ZiaMan]

Sent off before finished previous reply.
To complete text of blue screen Technical Information:

"Technical Information
0x0000000A (0xF79A0354, 0x000000FF,0x00000001, 0x804E5619)"

Had to use power button to shut down and then restart.

[gerryf]

OK, we are getting somewhere. Now, given that vga mode worked, we can almost bet that this is a driver error.

Since it worked in vga mode, I am tending to video error (isn't this where we came in?)

The second parameter in this list is 0x000000FF and refers to the IRQL, which I am fairly certain is 15

start > run
devmgmt.msc
<enter>

Go to VIEW > RESOURCES by TYPE, choose IRL, and expand it...what is using IRQ 15?

In the meantime, download this:

http://www.drivercleaner.net/

Get the newest radeon drivers for your card here:

http://www.omegadrivers.net/

[gerryf]

Oh, and go here:
http://support.intel...b/CS-009247.htm

and download the chipset drivers for the intel 865 chipset (NOT THE GRAPHIC drivers)

[ZiaMan]

Will be able to get to late afternoon, early evening.
Want to do in corrct oder:

Do you want me to unistall the ATI card , then use the Driver Cleaner PE, then reinstall the ATI card, then add new drivers?
or do not unistall/reinstall ATI card at all, and just use the Driver Cleaner prior to updating the ATI driver?
or use Driver Cleaner after updating both ATI card and chipset drivers?
Thanks..ZiaMan

[gerryf]

Well, I was curious about the information on the IRQ, but this is what i want you to do.

Install driver cleaner pro (can't recall if it asks you to install for this user or every user...choose every user

then

Start > Control Panel > Add/remove.

Remove anything that says Intel Extreme Graphics, ATI RADEON.

Reboot into ENABLE VGA MODE

(note, your other log ins are there they are just not seeable because the resolution is 640 by 480.

Run driver cleaner and choose anything with ATI and Intell extreme, then clean

Reboot into NORMAL mode. Cancel any windows install wizard.

Run the intel chipset installation

Run the omega corner ati driver install routine.

Reboot into normal mode

Reboot into safe mode

Work?

[ZiaMan]

Phoned home, and got some help .

Re: IRQ 15 ==> (ISA) 15 - Secondary IDE Channel.

Will be able to do driver work early evening and then report back.
...Z

[ZiaMan]

Installed Driver Cleaner Pro.
Uninstalled all ATI's listed (several).
Tried to uninstall the "Intel Graphics" listed in Uninstall list but it remained. Note - it did not have any file size listed.
Went ahead and ran Driver Cleaner. Chose all ATI's and the Intel Graphic from list, and removed. Did not perform Cab Cleaner as suggested by Driver Cleaner site.
Rebooted. Installed I865 Chipstep Software Installation Utility 7.2.2.1006 and the ATI v2.6.87/Catalyst 5.12 drivers.
Rebooted into Normal "temp" mode.
Then did following:
1. Hit F8 at right time. Chose Safe Mode, got blue Safe Mode text bottom left, with list of op systems above. Chose W-XP HE (regular) . Got blue error screen "A problem has been deteced.....", with same Techincal Information as listed before.
Powered off PC , and then turned on .
2. Did not hit F8 this time. Waited and chose "Temp" op system.
Got "we aplogize ...." screen, with the multi-choice of start up modes.
Chose "Safe Mode".
Got the same blue screen as before " A problem has been detected...." with same Technical Information as before.
Powered off PC and then turned on.
3. Chose Temp at start up, let start.
Restarted, hit F8 at right time, chose Safe Mode, and then Temp op system. Got blue screen "A problem has been detected.....".
Had to power off to restart computer.
So same as before - Temp mode will start op system and get me to desktop. Safe Mode not working.

Question - since I now downloaded the Radeon Omega Drivers v2.6.87, Catalyst 5.12 offical drivers from the Omegadrivers.net site, I do not need to also reinstall the Catalyst CD that came with the card , correct?

Won't be able to get back on until Fri 01/13 . Maybe it will be lucky day!
...Z

[ZiaMan]

Another note - Tried but now cannot run Half-Life2 or old Halo. Simply will not start up. CD spins, but eventaully nothing starts up. Was working earlier this evening for sons prior to uninstall of ATI and Intel, and install of drives fom links given. Is this becasue have not reinstalled ATI Radeon 9600XT cd??
I now do get error message about DirctDraw not being enabled when trying to start games.
Should I reintall CD, and then go to Omega download site for drivers again?
"ATI Hydravision" under All Programs says [Empty} when I mouse-over "ATI Hydravision".