
"Detected SPYware! System error #384"?

Discussion in 'Virus & Other Malware Removal' started by rewy, Jul 28, 2004.

Thread Status:
Not open for further replies.
  1. rewy

    rewy Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    11
    I followed the tips in this thread to get rid of the same bug; however, I would appreciate it if someone could look through this log file to see if there is anything else that I need to delete. I followed the instructions for "dmc2005's" fix, but it appears that program didn't fix everything. So, thanks in advance.


    Logfile of HijackThis v1.98.0
    Scan saved at 8:14:24 PM, on 7/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\addins\xmldrv.exe
    C:\WINDOWS\System32\bcqkgs.exe
    C:\windows\system32\cmss.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\WUAUMQR.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Documents and Settings\Owner\Application Data\eber.exe
    C:\WINDOWS\System32\xuavctp.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\YifU.exe
    C:\WINDOWS\System32\YifU.exe
    C:\WINDOWS\System32\dgsatcha.exe
    C:\WINDOWS\System32\dmdgr.exe
    c:\documents and settings\owner\local settings\temp\2oOkhVN.exe
    C:\Program Files\RemoveSpy (Russ)\HighjackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
    R3 - Default URLSearchHook is missing
    O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {55508B8C-E42B-4A41-BAAA-6002DFC7B70E} - C:\WINDOWS\System32\ndpc.dll
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\Owner\LOCALS~1\Temp\vrdlmx.dat
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\e659biyu6nbf3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Cja1K.exe
    O4 - HKLM\..\Run: [xmldrv] C:\WINDOWS\addins\xmldrv.exe
    O4 - HKLM\..\Run: [System32] C:\WINDOWS\system.exe
    O4 - HKLM\..\Run: [htwoskdeonfq] C:\WINDOWS\System32\bcqkgs.exe
    O4 - HKLM\..\Run: [cmssSystemProcess] c:\windows\system32\cmss.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [2oOkhVN] c:\documents and settings\owner\local settings\temp\2oOkhVN.exe
    O4 - HKLM\..\Run: [u38Q36j] dgsatcha.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - HKCU\..\Run: [f0r4RWHnO] dmdgr.exe
    O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
    O4 - HKCU\..\Run: [Mmqizdhg] C:\WINDOWS\System32\xuavctp.exe
    O4 - HKCU\..\Run: [xxyy] C:\WINDOWS\System32\xxyy\okjkafnb.exe
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
    O4 - Global Startup: dcom.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
    O9 - Extra button: Microsoft® VBScript® Console - {15C8018A-9AAD-43F2-9797-F5FEC727F57F} - (no file)
    O9 - Extra 'Tools' menuitem: VBScript Terminal - {15C8018A-9AAD-43F2-9797-F5FEC727F57F} - (no file)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft® VBScript® Terminal - {15C8018A-9AAD-43F2-9797-F5FEC727F57F} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
    O9 - Extra 'Tools' menuitem: VBScript Terminal - {15C8018A-9AAD-43F2-9797-F5FEC727F57F} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
    O18 - Filter: text/html - {8F26567F-658E-438C-BA79-FC2ACFE13588} - C:\WINDOWS\System32\ndpc.dll
    O18 - Filter: text/plain - {8F26567F-658E-438C-BA79-FC2ACFE13588} - C:\WINDOWS\System32\ndpc.dll
    O21 - SSODL: System - {6FF5F0AC-CB79-4098-927A-408DD454D149} - C:\WINDOWS\system32\system32.dll (file missing)
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It gets too confusing trying to address two different people's problems in the same thread and you may get overlooked.

    Please continue in this thread.
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Please do this:

    Click here to download FindNFix.

    Extract it (it should autoextract to C:\FindnFix when you double click it)

    Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste log.txt back here in your next reply.
     
  4. rewy

    rewy Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    11
    Below is the Find N Fix log file for the affected machine. Again, any help is appreciated in advance.



    »»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q818529-Q330994-Q824145-Q837009-Q832894-Q823353-Q831167
    The type of the file system is NTFS.
    C: is not dirty.

    Thu 29 Jul 04 21:19:25
    9:19pm up 0 days, 1:04

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided should help narrow down the list, and hopefully
    pinpoint the culprit.
    Along with that,registry scan logged at the end should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
    »»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/29)»»»»»»»»»»»»»»»»

    »»»*»»»*Use at your own risk!»»»*»»»*

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...

    C:\WINDOWS\System32\MSII.DLL +++ File read error
    \\?\C:\WINDOWS\System32\MSII.DLL +++ File read error

    »»»»» (*2*) »»»»»........
    MSII.DLL Can't Open!

    »»»»» (*3*) »»»»»........

    C:\WINDOWS\SYSTEM32\
    bridge.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K
    d2kpax.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K
    jac.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K
    msii.dll Sat Jun 19 2004 7:31:58a A...R 57,344 56.00 K
    msxslab.dll Wed Jul 28 2004 8:47:52p ..SHR 0 0.00 K
    system32.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K

    6 items found: 6 files (5 H/S), 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    unknown/hidden files...

    C:\WINDOWS\SYSTEM32\
    bridge.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K
    d2kpax.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K
    jac.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K
    mslib32.dll Thu Jul 22 2004 10:20:56p A.S.. 24,576 24.00 K
    mssdk32.dll Thu Jul 22 2004 10:24:00p A.S.. 136 0.13 K
    msxslab.dll Wed Jul 28 2004 8:47:52p ..SHR 0 0.00 K
    system32.dll Wed Jul 28 2004 8:47:54p ..SHR 0 0.00 K

    7 items found: 7 files, 0 directories.
    Total of file sizes: 24,712 bytes 24.13 K

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\BRIDGE.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\D2KPAX.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\JAC.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSII.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSLIB32.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSSDK32.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSXSLAB.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\SYSTEM32.DLL
    SNiF 1.34 statistics

    Matching files : 8 Amount in bytes : 82056
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(*5*)»»»»»
    ¯ Access denied ® ..................... MSII.DLL .....57344 19.06.2004

    »»»»»(*6*)»»»»»
    fgrep: can't open input C:\WINDOWS\SYSTEM32\MSII.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    C:\WINDOWS\SYSTEM32\
    msii.dll Sat Jun 19 2004 7:31:58a A...R 57,344 56.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 57,344 bytes 56.00 K

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\MSII.DLL
    SNiF 1.34 statistics

    Matching files : 1 Amount in bytes : 57344
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group YOUR-ZE8CXVR8TT\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.


    »»»»»»Backups created...»»»»»»
    9:21pm up 0 days, 1:07
    Thu 29 Jul 04 21:21:49

    A C:\FindNFix\keyback.hiv
    --a-- - - - - - 8,192 07-29-2004 keyback.hiv
    A C:\FindNFix\keys1\winkey.reg
    --a-- - - - - - 287 07-29-2004 winkey.reg
    *Temp backups...
    .
    ..
    keyback2.hi_
    winkey2.re_


    C:\FINDNFIX\
    JUNKXXX Thu Jul 29 2004 9:19:20p .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: nc}e vk : f AppInit_DLLs G
    00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ m s i i . d l l
    000011D0: h vk UDeviceNotSelectedTimeout 1 5
    00001210: P 9 0 vk ' zGDIProcessHandle
    00001250:Quota" vk x Spooler2 y e s _ h
    00001290: ( X vk 5swapdisk vk
    000012D0: . TransmissionRetryTimeout h ( X
    00001310: vk ' 0 USERProcessHandleQuota0 @KGT^W DAP^

    ---------- WIN.TXT
    fùAppInit_DLLs֍æGÀÿÿÿC
    --------------
    --------------
    $01180: AppInit_DLLs
    $011EF: UDeviceNotSelectedTimeout
    $0123F: zGDIProcessHandleQuota
    $012D8: TransmissionRetryTimeout
    $01328: USERProcessHandleQuota0
    $016DB: WXXPXIAFWESSYX
    $017B7: EPAFUV_WBAAFK
    $01895: YSPTAFUVGAVV
    --------------
    --------------
    C:\WINDOWS\System32\msii.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\msii.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 6d 00 73 00 69 00 69 00 | m.3.2.\.m.s.i.i.
    0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
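
    The log above shows a regedit-style export reporting an empty `AppInit_DLLs` while the raw read of the same value returns 58 bytes. The following is an added example, not part of the thread or of FindNFix: it parses the two excerpts copied from the log, decodes the hex dump as a UTF-16LE string, and flags the mismatch. The function names are my own.

```python
import re

# Two excerpts copied from the FindNFix log in the post above.
REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
'''

RAW_READ = r'''The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

[AppInitDLLs]
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 6d 00 73 00 69 00 69 00 | m.3.2.\.m.s.i.i.
0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
'''

STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
DUMP_LINE = re.compile(r'^[ \t]*[0-9a-fA-F]{4}[ \t]+((?:[0-9a-fA-F]{2}[ \t]+)+)\|')


def parse_reg_strings(export):
    """Return {name: value} for the string values of a REGEDIT4 export."""
    values = {}
    for line in export.splitlines():
        m = STRING_VALUE.match(line.strip())
        if m:
            # .reg files escape backslashes and quotes with a backslash.
            values[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return values


def parse_hex_dump(text):
    """Collect the data bytes from 'offset  hex bytes | ascii' dump lines."""
    data = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1))
    return bytes(data)


def decode_reg_sz(raw):
    """Decode REG_SZ data (UTF-16LE) and drop one terminating NUL if present."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be an even number of bytes")
    text = raw.decode('utf-16-le')
    return text[:-1] if text.endswith('\x00') else text


def reported_size(text):
    """Byte count the tool itself printed for the value, or None."""
    m = re.search(r'reports as (\d+) bytes', text)
    return int(m.group(1)) if m else None


def compare(export, raw_read):
    """Compare what the export shows with what the raw read returned."""
    exported = parse_reg_strings(export).get('AppInit_DLLs')
    raw = parse_hex_dump(raw_read)
    actual = decode_reg_sz(raw)
    return {
        'exported': exported,
        'actual': actual,
        'size_matches': len(raw) == reported_size(raw_read),
        'mismatch': exported != actual,
    }


if __name__ == '__main__':
    for key, value in compare(REG_EXPORT, RAW_READ).items():
        print(f'{key}: {value!r}')
```
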
    
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Be sure to follow the next set of steps carefully, in the exact order specified.

    Get ready to restart:
    First double-click on the FIX.bat file in the C:\FINDnFIX\Keys1 folder.
    Wait for the popup -Alert to restart your computer in 15 seconds.

    After the computer restarts and you are back in Windows, navigate to C:\Windows\System32 folder:
    Locate and select the MSII.DLL file (as it will be visible)
    And use the folder's top menu and go to Edit >
    Move to Folder...
    Select the C:\FINDnFIX\junkxxx as destination and move
    the MSII.DLL there.
    -----------------------------------------------------------------------------------------------------------

    Now look in the C:\FINDnFIX folder and locate the RESTORE.bat file. Doubleclick it to run it.

    Wait for it to run and it will produce a 'log1.txt' file! Copy that log and paste it here!

    -----------------------------------------------------------------------------------------------------------

    *Note:
    Do not change/move around or
    tamper with any of the file(s) folder(s) and path
    included in the 'FINDnFIX' folder.
     
  6. rewy

    rewy Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    11
    I followed the directions above through until the restart. Following the restart the computer would offer the options of restarting normally in windows, safe mode, safe mode with networking, safe mode with prompt or restart to last good configuration. Regardless of the response, the machine automatically restarts itself continuously. Before, at least, my brother could use the rest of the computer applications other than IE, but now we can't even get it to run.

    Any help is greatly appreciated as soon as possible.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't know what happened unless you somehow picked the wrong file to move. I have had users perform these same steps hundreds of times and never seen this happen.

    Did you try to boot to "Last known good configuration"?
     
  8. rewy

    rewy Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    11
    Actually I never had the chance to move the specified file. My problem came up between the lines of "Wait for the popup - Alert to restart your computer in 15 seconds." and "After the computer restarts and you're back in Windows ... " in the instructions listed in your post above. Everything was proceeding in order until that point in the process.

    I have tried to scrape together information from other posts throughout this site, but am still unsure of how to proceed.
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Did you try "Last known good configuration"?
     
  10. rewy

    rewy Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    11
    None of the options worked, including the "Last known good configuration".

    Also, the reboot into safe mode via F8, as suggested in the Operating System Forum, still resulted in the continuous restart (even all the options there).

    Is there some type of system restore function that can be run from the Windows disk?

    I'm sorry about this enigma, and it looks like you've had a busy day, but I appreciate your input.

    Russ
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    If you have your XP disk you could do a repair install.

    Does it just keep rebooting back to the boot menu? Please describe exactly what it does.
     
  12. rewy

    rewy Thread Starter

    Joined:
    Sep 8, 2003
    Messages:
    11
    Yes, it keeps rebooting back to the boot menu. After Fix n Find restarted the computer, the boot menu came up offering the options of restarting in safe mode, safe mode with networking, safe mode with command prompt, last known good configuration or the normal Windows startup. The normal Windows start was the highlighted "default" choice. Next to that option was a countdown clock starting at 25 or 30 seconds. This menu screen used slightly different language from the menu I've seen after restarting a computer while tapping the F8 key. It apologized for the inconvenience and said that the computer may have experienced a hardware or software problem.

    The first time it restarted via Fix n Find, I simply let the clock run down, it started up with the blue and white HP screen then at the time the desktop should show up it rebooted back to the boot menu. I let it do this again, then the third time I hit enter after a few seconds of the countdown. I then began to scroll up to restart in safe mode (didn't work), then in last known good configuration (didn't work), then safe mode with networking (didn't work), then in safe mode with command prompt (didn't work), then last known good configuration again (didn't work).

    I then turned off the computer via the power button. After awhile I turned on the computer and tapped the F8 key during startup. I tried all options there and the problem continued in the exact same manner. With each failed attempt, the machine behaved exactly the same as far as the processes it went through to restart.

    I have printed "Microsoft Knowledge Base Article - 315341" in an effort to see if that helps in the event I need to perform an in-place reinstall of XP.
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Any progress here?
     

Short URL to this thread: https://techguy.org/255617
