A doozie of a problem!

[Ingenou]

Hi

I downloaded F-Secure and, once I had installed it & restarted the PC, the machine has locked on start up (it gets to the main desktop and allows me to click on 'Start' - which then freezes).

Is there anything I can do from DOS? (I don't even know how to start in DOS mode!).

My machine is as follows:

1.8GHz Pentium 4
Windows XP Home Edition
Nvidia GForce3 64Mb
256Mb Memory
60Gb HDD
DVD
CD-RW
1.44Mb Floppy
Realtek 6419 NIC


I'm on this forum via dial-up on an Athlon 1.1GHz, Windows ME, 128Mb etc etc

 

[mtbird]

Ingenou....
Try starting the computer in safe mode. As it starts to boot, press the F8 key. Choose safe mode from the menu.
If it will allow you in, then you have the choice of going to add/remove and uninstalling the program or going to start>run, type in msconfig. Click on the startup tab and uncheck anything associated with the program. Reboot and see if all is back to normal.

Hope this helps.

Debe

 

[Ingenou]

Hiya

Yes, thanks, I've got it working in safe mode.

Trouble is, when I try & restore the system to an earlier point, the PC restarts and then just freezes on wallpaper. If I hit Ctrl+Alt+Del to open Task Manager, it takes an age for that to open and, although I'm running a LOT of processes, there are no applications running.

This is getting very strange!

Any idea of what else I can do from 'Safe' mode?

Thank you again.

 

[mtbird]

I'm not quite sure what you have already done Did you uninstall the F-Secure or uncheck anything in msconfig ?? Are you saying that you tried a system restore in safe mode and it failed ?

 

[Ingenou]

Yes, I just started in safe mode, chose a 'system checkpoint' (last Thurs) to restore to and it didn't work. I'm quite baffled!

 

[Ingenou]

Or it would be more accurate to say that I don't know if it worked, as it will ONLY start in safe mode. Any other start up results in the same freezing on wallpaper. Aaaarrrgh!

 

[mtbird]

I would suggest to you again to go back in to safe mode and uninstall the program. Also go into msconfig and make sure there is nothing checked that is associated with that program. Reboot again and see if the problem is corrected.
If it is still causing problems, you could try the option of "last known good configuration" from the same menu that you choose safe mode. But try uninstalling first.


Debe

 

[Ingenou]

Thanks, I'll give that a go.

I have uninstalled (thru add/remove in control panel) the suspect application (F-Secure), but it made no difference. I'll ry that 'last known good config' you mentioned... if you don't hear from me for some time you'll know the PC is a pile of smouldering ashes! LOL

 

[Ingenou]

Hiya

Well, it worked! Thank you!!!

I found that I also still had components not completely uninstalled of an early ZoneAlarm that I thought I had got rid of.

Do you happen to know what 'csrss.exe' & 'smss.exe' are? They are sitting in 'processes' within Task Manager and I have no idea what they are. Virus?

Anyway, thank you very much for the advice, if I hadn't slopped coffee into my cell-phone and fried the circuitry, this would have been a great ending to the day.

Bye for now

Paul

 

[mtbird]

Excellent !!
Those files are legitimate system files....

csrss - csrss.exe - Process Information
Process File: csrss or csrss.exe
Process Name: Client/Server Runtime Server Subsystem
Description: The Windows Client Server Runtime Subsystem handles Windows and Graphics Functions for all Subsystems

smss - smss.exe - Process Information
Process File: smss or smss.exe
Process Name: Session Manager Subsystem
Description: The Session Manager Subsystem initializes system environment variables, MS-DOS devices names such as LPT1 and COM1, loads the kernel for the Win32 subsystem, and starts the Windows Logon Process

But they can also be associated with a virus......

http://securityresponse.symantec.com/avcenter/venc/data/w32.dalbug.worm.html

Are you running a good antivirus program ?? Just to be on the safe side, you can run an online scan to check your system.....

http://housecall.antivirus.com/


Debe

 

[Ingenou]

Hi

Thank you!!! You really know your stuff! Do you work for Microsoft, or something?

I was trying to install F-Secure, as that anti-virus product was tested as best in two publications, here in the uk. I was running Norton Anti-Virus, but that was voted 3rd and - according to 'Stop Sign' - I had 16 viruses that Norton hadn't picked up (despite running daily updates & weekly scans).

I'll try those links you gave.

Kind regards

Paul

 

[Ingenou]

I've also got a program called 'IBS' that I certainly didn't install purposely and another called 'exact update' - again, never heard of it.

Additionally, there is something called ;lsass.exe' and tow lots of 'svchost.exe' running in the Processes section of Task Manager.

Do you think I'm riddled with viruses? (Well, my pC, not me! LOL)

 

[Ingenou]

IBS is MASSIVE! 93.41Mb!! Ever heard of it?? I'm stumped.

 

[mtbird]

Good Morning Paul

The lsass.exe and svchost.exe are legitimate.....nothing to worry about. As for the IBS, I'm not familiar with it and can't get any clear information on it. Where is it located on your computer ? Can you right click on some of the files or file and click properties. Does it give you any information on the origin ?

Please run the scan from housecall for now. We want to be sure you are virus free. As far as a antivirus......I have run Norton for many years and it has protected me well. I don't know why you would have the problems you did, unless you didn't have the settings correct.
If you want to try installing F-secure again, I would suggest making sure that you have nothing running in the background while it is loading, firewalls, etc.

Now, go here....

http://www.lurkhere.com/~nicefiles/index.html

and download the Startuplist 1.51 program. It will create a text file that you can copy and paste into your reply for us to look at.
We can go from there

Debe

 

[Ingenou]

Well, here goes - it looks like pure gibberish to me!!



StartupList report, 1/28/2003, 3:34:11 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Local Settings\Temp\Temporary Directory 1 for startuplist151.zip\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Microsoft Works\WkDetect.exe
c:\progra~1\exact\exactupdate00067.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Documents and Settings\Local Settings\Temp\Temporary Directory 1 for startuplist151.zip\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXSUPMON = C:\WINDOWS\System32\LXSUPMON.EXE RUN
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
SmcService = C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
CORESYS = C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE
CoreSrv = "C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE "

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------


Enumerating Browser Helper Objects:

BabeIE - (no file) - {00000000-0000-0000-0000-000000000000}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Yahoo! Companion BHO - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll - {13F537F0-AF09-11d6-9029-0002B31F9E59}
(no name) - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6}
MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
eXact Browser Companion - c:\progra~1\exact\exacttoolbar00038.dll - {F9765480-72D1-11D4-A75A-004F49045A87}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Liquid Audio Auto Update Agent.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
WTR.job

--------------------------------------------------

Enumerating Download Program Files:

[{0C3F7D74-ADA5-4976-8908-A8189590DAFA}]
CODEBASE = http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB

[{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}]
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe

[{74D05D43-3236-11D4-BDCD-00C04F9A3B61}]
CODEBASE = http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab

[{7A32634B-029C-4836-A023-528983982A49}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297B}]
CODEBASE = http://www.exactsearchbar.com/mailcom/Download/Standalone/exactSetup.exe

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37576.1431712963

[{A17E30C4-A9BA-11D4-8673-60DB54C10000}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe

[{AE9DCB17-F804-11D2-A44A-0020182C1446}]
CODEBASE = file://D:\Resources\IntraLaunch.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{E6A3C1E2-F792-483E-9133-596215172BE9}]
CODEBASE = http://runonce.msn.com/setacceptlang.cab

--------------------------------------------------
End of report, 5,816 bytes
Report generated in 0.453 seconds