gerbil 216 Industrious Poster

Weird. Perhaps your AV/AM services decided to work. But usually they say they've killed something.
Those logs appear clean.

gerbil 216 Industrious Poster

PP, I don't think this shell extension is approved, actually...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5011B86C-7743-018B-900E-25D254391AE6}
Dunno why these escape MBAM...
uRun: [FEXeTWLLHYgf.exe] c:\documents and settings\all users\application data\FEXeTWLLHYgf.exe
uRun: [iVV8cvvMWNUBz] c:\documents and settings\all users\application data\iVV8cvvMWNUBz.exe
Some weirdness on the McENUI key...
mRun: [McENUI] ΒΈ????A??9]????
\McENUI.exe /hide
And these:
S1 auxipnzh;auxipnzh;\??\c:\windows\system32\drivers\auxipnzh.sys --> c:\windows\system32\drivers\auxipnzh.sys [?]
S1 edvfrcqi;edvfrcqi;\??\c:\windows\system32\drivers\edvfrcqi.sys --> c:\windows\system32\drivers\edvfrcqi.sys [?]
S1 plejjdlu;plejjdlu;\??\c:\windows\system32\drivers\plejjdlu.sys --> c:\windows\system32\drivers\plejjdlu.sys [?]
2011-01-05 22:08:08 53248 ----a-w- c:\windows\system32\drivers\sst1F4.sys
2011-01-05 22:08:08 0 ----a-w- c:\windows\system32\drivers\sst1F4.tmp
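The triage done by eye in the post above, as an added example that is not part of the original post. The two heuristics, and the reading of `[?]` as "file details unavailable", are assumptions; the sample holds lines quoted in the post plus two benign lines constructed for contrast.

```python
import re
from pathlib import PureWindowsPath

# Lines quoted in the post, plus two constructed benign lines (ctfmon, ExampleFilter).
SAMPLE_LOG = r"""
uRun: [FEXeTWLLHYgf.exe] c:\documents and settings\all users\application data\FEXeTWLLHYgf.exe
uRun: [iVV8cvvMWNUBz] c:\documents and settings\all users\application data\iVV8cvvMWNUBz.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S1 auxipnzh;auxipnzh;\??\c:\windows\system32\drivers\auxipnzh.sys --> c:\windows\system32\drivers\auxipnzh.sys [?]
S1 edvfrcqi;edvfrcqi;\??\c:\windows\system32\drivers\edvfrcqi.sys --> c:\windows\system32\drivers\edvfrcqi.sys [?]
R1 ExampleFilter;Example Filter Driver;c:\windows\system32\drivers\exfilter.sys [2010-03-01 41984]
"""

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);(?P<disp>[^;]+);(?P<rest>.+)$")
EXE_RE = re.compile(r'"?(.+?\.exe)\b', re.IGNORECASE)
SYS_RE = re.compile(r"[a-z]:\\[^\[\]>]*?\.sys", re.IGNORECASE)

# Assumption: vendors install into a subfolder, so an executable placed
# directly in one of these profile data folders is worth a second look.
DATA_ROOTS = {"application data", "roaming"}


def triage(log_text):
    """Return (kind, name, reason) for every log line that trips a heuristic."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        run = RUN_RE.match(line)
        if run:
            exe = EXE_RE.match(run["cmd"])
            if exe and PureWindowsPath(exe[1]).parent.name.lower() in DATA_ROOTS:
                findings.append(("autorun", run["name"],
                                 "executable sits directly in a profile data folder"))
            continue
        svc = SVC_RE.match(line)
        if svc:
            paths = SYS_RE.findall(svc["rest"])
            stem = PureWindowsPath(paths[-1]).stem.lower() if paths else ""
            # Service name, display name and file name all identical, and the
            # log could not report file details: no vendor naming at all.
            same = svc["svc"].lower() == svc["disp"].lower() == stem
            if same and svc["rest"].rstrip().endswith("[?]"):
                findings.append(("driver", svc["svc"],
                                 "service, display and file names identical; file details unavailable"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in triage(SAMPLE_LOG):
        print(f"{kind:8} {name:18} {reason}")
```

A hit is a prompt to inspect the file and its signer, not a verdict.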

gerbil 216 Industrious Poster

Do you use Windows Messenger, Betty? If not, remove it... go Control Panel > Add/Remove Pgms. In the LH panel click Add/Remove Windows Components; when that box loads scroll down to Windows Messenger and uncheck it, click Next..

gerbil 216 Industrious Poster

You mean, you click Export List, and then you cannot type a filename into the Filename box? [Save as Type should be Text... .txt]
That window, if in Desktop, should show contained folders such as My Computer, My Docs.. Can you save any other .txt file from Notepad to your desktop?

gerbil 216 Industrious Poster

Yes, usp10.dll is a protected file. Renaming it will generate another copy from cache. Or should... And then restart... see *.
Renaming... it's easy to lose track of renamed files, I put a couple of zeroes in front, then they go to the top of the list for easy deletion upon restart [* the sys may still be using it if it was already loaded, even though renamed, and so deletion will not be permitted]. So 00usp10.dll.old

gerbil 216 Industrious Poster

You are correct, caper... I use TV occasionally, it requires the target user to dl a component, they must give you their TV passkey, they can watch what you do, they have full termination control.
Easier, nicer, to knock on the door and have a pleasant, helpful, friendly chat.

gerbil 216 Industrious Poster

Asus sometimes place a Power Good led near Sata sockets. Just so people don't mistake the power status when they dive in to plug things.

gerbil 216 Industrious Poster

Team Viewer requires the full cooperation of the user of the computer being monitored. Hence Team in TeamViewer.
What you need to do what you are thinking of, ie.. snoop...is a network sniffer like Cain. Better still is to get to know your daughter, get more involved in her life. And do what caper advises. It can be a risky, slimy place for an impressionable child. She will move on from pictures of fairies and horses.

gerbil 216 Industrious Poster

Okay. Hope you didn't run the second phase of Setup in your lappy instead of in the tablet...

gerbil 216 Industrious Poster

Easily enough. Expand the section you wish to present...eg. Applications. Then go Action tab > Export List, and save on your desktop as some .txt file. Make sure in Notepad that Format > Wordwrap is unchecked, select and paste to your post in this forum.
If there is a particular line error you wish us to comment upon you might rclick it, go Properties, and post what it says there. Otherwise we must research the error codes from the log. To post the content of that Error Properties window lclick the little button with the 2 pages shown on it : this copies the window contents to your clipboard. Paste into your post.

gerbil 216 Industrious Poster

So... did you get it working, Rik?

gerbil 216 Industrious Poster

Hi. Restart your computer, press F8 several times while POST is running and before IDE/drives detection completes.
- On the Windows Advanced Options Menu,
*** select Last Known Good Configuration and press Enter. If Windows loads, all is well. If it does not load then restart it, and using F8 again..
*** select Safe Mode with Command Prompt and press Enter.
- If given the option select your Microsoft Windows XP and press Enter.
- Log in by using your account if an administrator, otherwise use the Administrator account and password. NOTE: The password is blank by default unless you set a password.
-press Yes to bypass System Restore.
=See if you can run chkdsk command successfully in Safe Mode:
chkdsk c: /f -it will ONLY run on reboot.

gerbil 216 Industrious Poster

Dates... dates... there is a reasonable chance that the OP is dead by now... :)

Happy, you jus gotta close off some of these ancient threads.. :)

gerbil 216 Industrious Poster

Cookies are benign; on their own they can do nothing, they record a few details only for the site mentioned in their name to shortcut procedures, direct preferences. It disappoints me that an AV scan even bothers to mention them. But, as Judy suggested, modify your browser settings to accept cookies only from the page visited. That way you won't get cookies from advertisements on the page unless you visit their sites.
A great and free cleaner is CCleaner.

Ancient Dragon commented: good advice +35
gerbil 216 Industrious Poster

Simple things first regarding the bad pool error. You might check your hard drive for errors [some software might be introducing an error because of minor corruption].... In the Start, Run window enter...
chkdsk /r
After that, stop and then uninstall your AV service [Avast], then reinstall it.

gerbil 216 Industrious Poster

Gee. You almost totally disguise your advertisement with the potted Microsoft OS history. Almost. I hope your students do not expect tutelage of a high standard of English expression.

gerbil 216 Industrious Poster

Or there is this, one I use, WinToFlash. If there is a simpler method, I have not bothered to look for it... Anyway, you seem to be sorted - this is for information only.
Use this software and your XP installation cd to make a bootable USB flashdrive XP installation... just dclick the wintoflash.exe for the wizard to start.

gerbil 216 Industrious Poster

I'm not surprised, Leonie. :) .... that scan only searches and lists vulnerable areas, by itself it makes no alterations. I need to see that logfile it produced - it likely will be in the folder in which you saved hijackthis.

gerbil 216 Industrious Poster

Leonie, so that we may see what we are dealing with, could you do this, please?
Hijackthis - download the executable file from: http://www.bleepingcomputer.com/files/hijackthis.php
- unzip if necessary; copy hijackthis.exe to a new FOLDER placed either alongside your program files or on your desktop.
Start Hijackthis via the desktop icon or by dclicking hijackthis.exe.
- CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
- click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Nice going, I try.
Cheers.

gerbil 216 Industrious Poster

Hi. Could I see the results of this scan, please; it should give a better idea of what is trying to start?
HiJackThis:
You have a choice of versions, installable program or stand-alone executable; in action they are fundamentally identical.

i] -download hijackthis: http://www.majorgeeks.com/download5554.html or http://www.filehippo.com/download_hijackthis/
-dclick that .msi file to install Hijackthis as a program. Else...
ii] - download the executable file from: http://www.bleepingcomputer.com/files/hijackthis.php
- unzip if necessary; copy hijackthis.exe to a new FOLDER placed either alongside your program files or on your desktop.
Start Hijackthis via the desktop icon or by dclicking hijackthis.exe.
- CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
- click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

"The idea I had was to remove the hdd, plug it up to my laptop (via a usb adapter), throw the windows cd contents onto it and install it."

Well, roughly that... what you should do is pull the hdd and plug it into another system using some adapter, as you suggest.
Format that hdd; let's say you give it a drive letter G:
Then with the installation cd inserted into that secondary sys [as, say, D:], use the cmd window to run winnt32.exe with the following switches:
d:\i386\winnt32 /syspart:g: /tempdrive:g: /makelocalsource /noreboot
When that phase completes the sys will pause; to ensure that your new system partition will be C: and not G: you must delete the MIGRATE.INF file in G:\$WIN_NT.~BT\
Reinstall the hdd back into the tablet and power up. Setup should continue. Or give an error... :)
[that cmd line runs the Setup phase that copies the temp files required to G:, marks it as Active, copies all other installation files over so the cd is not required again, and halts; if you then don't delete MIGRATE.INF your system partition would remain as G:, which you likely would not want].

gerbil 216 Industrious Poster

Perhaps one or more of those pgms has Startup entries remaining? You can delete them from C:\Docs and Setts\either You or All Users\Start Menu\Programs.

gerbil 216 Industrious Poster

Bobby, when you reloaded the system [re-installed Windows?] did you do a normal/full format of the system partition rather than a quick format? If not, you might try running chkdsk [rclick Local Disk C:, > Properties >Tools > Error Checking/Check now, check both boxes and Start it].

gerbil 216 Industrious Poster

From BIOS, you cannot restore Windows. Have you tried entering Safe Mode from the Advanced Options screen? Press F8 during boot when prompted.

gerbil 216 Industrious Poster

Gotcha, rch... you're using it as an on-demand scanner. I don't know the CA product now, so I don't know how that works... but as long as you don't have its services running, fine.
Interesting that installing new sware can damage that dll: there's a bug there somewhere.
That's another thing, ISPs and board manufs like to be a final solution for subscribers/buyers, and so a lot of them do offer a rebadged AV service from one of the majors. That is how I first came into contact with CA - a free offering with a mb.
Malware writers I think have to be very careful about not using a filename that is part of an AV service. One thing a good AV does is be very protective of itself; any unauthorized alteration and... WHINGE.

gerbil 216 Industrious Poster

HP n M$. The cold war never ended for those chaps.

gerbil 216 Industrious Poster

Perhaps not. But, UmxSbxExw.dll...
"User mode executive module helper DLL"
Publisher (Verified) CA
Entry path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name: UmxSbxExw.dll
Program path & name: "c:\windows\system32\umxsbxexw.dll"
Product Version info:- Host Intrusion Prevention System, File Version 6.0.2.87 Copyright (c) 2006 CA
Perhaps the OP uses another, rebranded version - eTrust, Tiny Software, or a different CA component. The web is full of problems with it that arise after the installation of some other software. I think the practical solution is to totally remove and then reinstall the AV service.
I'm not even gunna ask what a secondary AV service is.

gerbil 216 Industrious Poster

Neat stuff. And yes, you cannot expect any one AV service to be right up there with the latest, even if they do updates several times a day. Using a basket like hitman does is smart.

gerbil 216 Industrious Poster

"My client is wanting to install an application that strengthens her mind "
Nothing like investigating the possibilities and then fixing your own sys to do that.
I have Asus boards, they seem fairly accepting of RAM brands. This one is running some junk-brand [ok, rebranded] reasonably hi-spec set. The individual chips are well-known.
"The RAM on the system is DDR PC2700 and on the other side it says 64X64 PC3200 DDR. " What? Is that on the one stick? It has to be one or the other. The PC3200 spec is the error-free maximum speed they can get from the RAM. Try derating it via BIOS to a lower speed, see if it works then. If it does, the RAM is not up to its rated specification of 400MHz.

gerbil 216 Industrious Poster

Why not unhide the partition and run its installer, putting MC back on the sys?
A simple command line tool for such a task, and many more, is MBRWiz.exe.

gerbil 216 Industrious Poster

Naw. It's part of a Computer Associates firewall or AV service. Try uninstalling it, then reinstalling. Or just get a free AV/firewall package.

gerbil 216 Industrious Poster

Post the MBAM log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

When you are to dl the windows updates, instead of doing it automatically via the update service, go to the site and dl the related KBxxxx exes. That way you have all the updates available for slipstreaming if you so wish, no need to dl them again. Just an idea...
Shame about the ol installation.

gerbil 216 Industrious Poster

There is likely an error with the way that drive is associated with Windows. That information is held under this key in registry : HKLM/System/MountedDevices
Simply delete the whole MountedDevices key and restart; it will be recreated with new volume names for all currently connected drives; the errant msg should disappear.
Why not just edit your personal information? That way you won't be stalked by nerds....

gerbil 216 Industrious Poster

Tooth fairies don't do hdd miracles. Either a quick or full format will erase your file records from the MFT, a full format will also carry out what you already did, a scan for bad sectors.
It does not hurt to repeat chkdsk /r. Just in case. Use the RC on your installation cd to run chkdsk c: /r again.

gerbil 216 Industrious Poster

Glad to help.
Paste these two lines into the Start > Run box, pressing Enter after each, and agreeing to query in cmd window [press y].
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0
Most likely you were hit by some malware. It would pay to run this as a check:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].
Merry Christmas...

gerbil 216 Industrious Poster

You could restore these 2 entries from hijackthis backup. They are benign, and useful.
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
This one is a USB connection monitor. Up to you. It is not needed.
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe

gerbil 216 Industrious Poster

Uh-oh.... okay, in that advanced options screen near the foot is an option to stop auto-restart on error. Enable that, try to start in Normal mode, give the full details of that next blue screen.

gerbil 216 Industrious Poster

No problem, Trampaw. Hope you pull through. I won't ask about "some women".. :)
c:\windows\servicepackfiles\i386 -is explorer.exe there? It darn well should be in the SP3 unpack. If it is, drag it over to c:\windows.
Or... If it is not there, do you still have the SP3 exe, WindowsXP-KB936929-SP3-x86-ENU.exe ? If so, you can expand it from there...:
If that file is saved on your C: drive you could use this command, or modify the path to suit. Paste these into the Run window in Task Manager, and let them run:

"c:\WindowsXP-KB936929-SP3-x86-ENU.exe" /X:c:\SP3files
expand -r c:\SP3files\i386\explorer.ex_ c:\windows

Those two will unpack the windows SP3 downloaded exe to c:\sp3files, and then expand explorer into c:\windows, where it should be. Try then to run it via TM.
Take care to spot the spaces in those commands.. :)
- there is one after this: 86-ENU.exe"
-and one after this: \explorer.ex_ plus the 2 obvious ones near the front of the 2nd line.

gerbil 216 Industrious Poster

I think I understand that... you mean that when you switch on the PSU by its own switch [usually on the rear panel] the system turns on also. The system power switch on modern mbs is basically a transistor latch operated primarily by a switch impulse from the front panel button; it also has software-controlled inputs from the mb [normal & emergency shutdowns, BIOS controlled shutdown]. So it seems as if that transistor latch is damaged to the point of being always on. Pretty much, the CPU fan should also start at a low speed until control inputs tell it to throttle up, or whatever. Sorry, but I'm thinking major mb damage here to several component systems. Fan speed control is usually integrated with fan speed and temperature sensing plus voltage sensing into one IC. eg a Winbond monitoring IC. I don't know your mb, but that chip may also have power control built into it.
A spark in the PSU could be the result of a brief short-circuit in there and who knows what voltages it sent thru what wires?, or a component burning out under overload from a sudden failure in a supplied circuit eg the mb.
Best of luck. I could point out that most mb problems are not worth fixing unless under warranty.

gerbil 216 Industrious Poster

Can only guess.... if system lights show then go off I have to think that something pulls down the power supply sense circuit and it then switches off internally some supplies to the mb. The drain could be from anything... graphics card, RAM, CPU, drives. Try disconnecting all those: pull the graphics card [does your mb have onboard graphics?], unplug power from hdd, leave only one RAM module, and try again.
If you don't have integrated graphics in your mb, then pull the vid card and connect your hdd... listen for disk activity/watch the hdd led at boot for activity [you won't see anything onscreen].
If still nothing then I could suppose that your mb silently died.

gerbil 216 Industrious Poster

Quite often, malwares disable Task Manager via registry settings to prevent simple detection and termination of their own processes.
smsmcp gave you the steps to correct those registry settings, a detailed guide to writing new key values and data content.

If you have XP Pro, then click Start, click Run and type in gpedit.msc
In the Group Policy Editor that pops, expand:
User Configuration, Administrative Templates, System, Ctrl+Alt+Del Options.
Dclick Remove Task Manager to change its setting.

Else, if you have XP Home, or also, you can delete the key value instead of disabling it as smsmcp showed; I think deletion is better:
Paste or type this into the Start > Run box:
reg delete HKCU\software\microsoft\windows\currentversion\policies\system /v disabletaskmgr /f
And all should be fine.
You could also run this:
reg delete HKLM\software\microsoft\windows\currentversion\policies\system /v disabletaskmgr /f
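A check for the lockout values named in this post (DisableTaskMgr) and in the earlier DisableRegistryTools post, as an added example that is not part of the original posts. It reads text in the shape printed by `reg query` on the two Policies\System keys; the sample output is constructed, and the function names are this example's own.

```python
import re

# Constructed sample, shaped like the output of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
SAMPLE_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x1
"""

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
LOCKOUT_VALUES = {"disabletaskmgr": "DisableTaskMgr",
                  "disableregistrytools": "DisableRegistryTools"}
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(\S+)\s*$")


def find_lockouts(query_text):
    """Return (hive, value_name, data) for each lockout value that is switched on."""
    findings, hive = [], None
    for line in query_text.splitlines():
        if line.startswith("HKEY_"):
            root, _, subkey = line.strip().partition("\\")
            # Only the Policies\System key is of interest; ignore any other key.
            hive = HIVES.get(root) if subkey.lower() == POLICY_KEY.lower() else None
            continue
        m = VALUE_RE.match(line)
        if hive and m and m[1].lower() in LOCKOUT_VALUES:
            data = int(m[2], 0)            # accepts "0x1" as well as "1"
            if data != 0:                  # 0 or absent means the tool is allowed
                findings.append((hive, LOCKOUT_VALUES[m[1].lower()], data))
    return findings


def cleanup_commands(findings):
    """Build the 'reg delete' lines, in the form the post uses, for each finding."""
    return [rf"reg delete {hive}\{POLICY_KEY} /v {name} /f"
            for hive, name, _ in findings]


if __name__ == "__main__":
    hits = find_lockouts(SAMPLE_QUERY)
    for hive, name, data in hits:
        print(f"{hive}: {name} = {data} (tool is blocked)")
    print("\n".join(cleanup_commands(hits)))
```

A value that comes back after deletion means something is still rewriting it, which is the cue for the malware scan the posts recommend.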

gerbil 216 Industrious Poster

Very likely the message is the result of a malware process or startup item calling that dll.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

I must admit that I have not tried it, but it may be possible to run that SP3 installer over the top of your current installation without first reverting to SP2. Give it a try - at worst it can only deny. Ok, I hope.

gerbil 216 Industrious Poster

Trampaw [is that your grandkids name for you?] check if you have this folder:
c:\windows\$NtServicePackUninstall$ - you should, unless you deliberately deleted it, from when you did either an online update or ran the self installer for SP3. It contains all the files etc necessary to rollback to SP2, including an SP2 explorer.exe version. So rolling back to SP2 would then be an option [use the Control Panel|Add/Remove Pgms page for that], and then re-updating to SP3. I prefer to use the self-installer package for that : http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en
Uninstalling via Control Panel [start it with IE, dclick Add, Remove Pgms, click Windows XP Service Pack 3], and then reinstalling would probably be the easiest option to restore your sys.
And then run another virus, malware check.

gerbil 216 Industrious Poster

Either is worth trying... but if you are unseating then you may as well pull completely and try a restart. Follow the usual precautions you were informed of with the new modules.

gerbil 216 Industrious Poster

Ah. Possibly too few people do know of the commonality between IE and Explorer. You can use Explorer to go on the web, too, by entering a web address, but in a limited way because Explorer cannot handle hypertext. And you can not only find files from there, but run them if executable, or if you prefer, open them.
For the life of me I cannot remember the folder where a backup copy of Explorer.exe is kept if you have not done an SP upgrade but merely have an untouched installation. But as I said, obviously you do not have one.
Right, we need to know your XP Pro version... SP? Explorer is version specific... - and I will say this: upgrading from SP2 to SP3 will solve your problem if such is available as an option.