gerbil 216 Industrious Poster

It seems as if you are missing a registry key which launches the explorer shell. You can paste the line below into the Start, Run window, or alternatively, into a cmd window, and press Enter - it will add/correct the respective entry in your registry. The change will be apparent at your next system startup.

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v Shell /t REG_SZ /d explorer.exe /f

gerbil 216 Industrious Poster

It would be handy if you could tell us the exact Stop Code shown in the blue screen message. To see that, it may be that you must disable automatic restarting after an error: when you start your system, press F8 a few times after hard disk detection - you should see the black Advanced Boot Options window; choose Disable automatic restart on system failure.
The next time it bluescreens you will be able to write down that code.

gerbil 216 Industrious Poster

Does the server have the printer driver software installed on it also?

gerbil 216 Industrious Poster

Had not heard back, so I thought I would drop this in. Should take care of the problem for you.
If you are using XP, then make this registry change on the computer {clean or infected one} that you will use to clean the thumb drives [UFDs]; just paste it into a cmd window:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t reg_dword /d 0xDF /f
[this changes value from default 0x91]; this will disable Autorun.inf activation for all but CD drives. The worm cannot then self-activate from the inserted UFD.
If you are using W7, then cancel any Autoplay window that pops. Autorun.inf files are ignored by default for drives other than CD type.
Finally, insert and delete unusual files from your UFDs.
Next, for XP or W7 on the infected computers, make this batch file: copy the following lines into a notepad; save as MyBatch.bat, all files, to your desktop:

@echo off
cd "%homepath%\desktop"
rem dump the Software branches of both hives so the entries can be inspected
reg query HKCU\SOFTWARE > rq.txt
reg query HKLM\SOFTWARE\Microsoft >> rq.txt
rem reg query returns errorlevel 1 when the value is absent, so delete only if it was found
reg query HKCU\SOFTWARE /v e_magic >> rq.txt
if not errorlevel 1 reg delete HKCU\SOFTWARE /v e_magic /f
reg query HKLM\SOFTWARE\Microsoft /v 0022ff03 >> rq.txt
if not errorlevel 1 reg delete HKLM\SOFTWARE\Microsoft /v 0022ff03 /f
start rq.txt
exit

...cos I'd like to see those entries. And that should stop it in its tracks.
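The 0x91 and 0xDF values above are a bitmask, one bit per drive type. As an added example (not code from gerbil's post or from Microsoft), this Python decoder uses the documented bit meanings, where each bit is 1 shifted by the GetDriveType() constant for that drive type and 0x80 is the catch-all for unknown types, to show exactly which drive types the XP default leaves open and which ones the recommended value closes:

```python
"""Decode Explorer's NoDriveTypeAutoRun policy mask.

Added example, not code from the original post. A set bit means AutoRun is
disabled for that drive type: bit value = 1 << DRIVE_x constant, plus 0x80 as
Microsoft's catch-all "unknown type" bit.
"""

DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",        # 1 << DRIVE_UNKNOWN (0)
    0x02: "DRIVE_NO_ROOT_DIR",    # 1 << DRIVE_NO_ROOT_DIR (1)
    0x04: "DRIVE_REMOVABLE",      # floppies, USB flash drives (UFDs)
    0x08: "DRIVE_FIXED",          # internal hard disks
    0x10: "DRIVE_REMOTE",         # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN_TYPE",   # catch-all for types not listed above
}

XP_DEFAULT = 0x91     # the value the post says XP ships with
ALL_BUT_CDROM = 0xDF  # the post's recommendation: keep CD/DVD AutoRun only
ALL_DRIVES = 0xFF     # what Microsoft's later AutoRun guidance (KB967715) recommends


def disabled_types(mask):
    """Drive types for which this mask blocks autorun.inf processing."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


def autorun_allowed(mask, drive_type):
    """True if an autorun.inf on a drive of this type would still be honoured."""
    bit = next(b for b, n in DRIVE_TYPE_BITS.items() if n == drive_type)
    return not (mask & bit)


def mask_disabling(*drive_types):
    """Build a policy value from the drive types that should have AutoRun off."""
    by_name = {n: b for b, n in DRIVE_TYPE_BITS.items()}
    mask = 0
    for name in drive_types:
        mask |= by_name[name]
    return mask


def newly_blocked(current, wanted):
    """Drive types that changing the policy from current to wanted closes."""
    return [n for n in disabled_types(wanted) if n not in disabled_types(current)]


def reg_add_line(mask):
    """The reg.exe command (machine-wide policy, as in the post) that sets the mask."""
    return ("reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer "
            "/v NoDriveTypeAutoRun /t REG_DWORD /d 0x%02X /f" % mask)


if __name__ == "__main__":
    for label, m in (("XP default", XP_DEFAULT), ("post's value", ALL_BUT_CDROM),
                     ("everything", ALL_DRIVES)):
        print("0x%02X (%s) blocks: %s" % (m, label, ", ".join(disabled_types(m))))
    print("USB flash drive still auto-runs under the XP default:",
          autorun_allowed(XP_DEFAULT, "DRIVE_REMOVABLE"))
    print("0x91 -> 0xDF newly blocks:", ", ".join(newly_blocked(XP_DEFAULT, ALL_BUT_CDROM)))
    print(reg_add_line(ALL_BUT_CDROM))
```

The decoder makes the risk in the default visible: 0x91 leaves removable and fixed drives open, which is exactly what a UFD worm needs. One caveat a practitioner should know: on XP this value alone was not reliably honoured until Microsoft's AutoRun update (KB967715) was installed, and that update's guidance recommends 0xFF rather than 0xDF unless you genuinely need CD/DVD AutoRun.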

gerbil 216 Industrious Poster

I'm going with a "broken" BIOS. USB [and PS2, if available] hardware support should just work in BIOS. Perhaps you need to flash.

gerbil 216 Industrious Poster

Because you're having fun playing with it, I'll keep it simple:
You should search $WEBHAX.NFC,crys - possibly a phone hack. Note spelling.
http://news.softpedia.com/news/Microsoft-Experts-Details-Clever-Propagation-Mechanism-of-Gamarue-Malware-333499.shtml
http://blogs.technet.com/b/mmpc/archive/2013/02/27/the-strange-case-of-gamarue-propagation.aspx
Just delete the files and reg entries, there are no protections. The second link gives you clues as to how.
TrustedInstaller.exe is used by the Windows Module Installer service in W7, for Windows Update and Automatic Updates. It resides in Windows\Servicing, not in a temp folder. But you can see that from the second link.

gerbil 216 Industrious Poster

Hello, John.
This error, "error was reported from the transport layer..." is likely something to do with the driver you just tried to install not being able to communicate correctly with the system; it could be incompatible with XP?... but that's all I am qualified to say in that regard. I suggest that you use Device Manager to roll back to the previous, native, Microsoft driver. If that fails then use Device Manager to uninstall the sil raid card driver; upon restart windows will automatically search for and install its native driver [in DevManager, dclick the sil raid card; on Driver tab use the desired button].
Then, as before, use msconfig to remove the sil controller hint at startup.
Finally, uninstall that package you installed as in "C:\program files, sata raids. there were 3 folders. I opened one "3132 sata rades" there was a install icon, I installed..."
That's interesting re the missing Msconfig subkey in registry. I suspect that is another, unrelated error, and I do not know how to resolve it. Just in case it's a navigation problem, run this in a cmd window.... either a txt file will pop on your desktop or an error msg of key not found in the cmd window [paste in the line]:
reg query "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig" >> msconf.txt && start msconf.txt
Post the notepad content.
The MS driver is obviously running your raid card adequately; you may not consider it worth your while persisting …

gerbil 216 Industrious Poster

Okay. If you want to clean up a bit and remove the entry from msconfig then what you do depends upon where the item was located in Msconfig. If it was, as you say, under the Startup tab then it's pretty simple:
1] if listed as a common startup/startup in msconfig then unchecking the item in Msconfig will have actually deleted it from the Startup folder in C:\Docs n Setts and stored it in registry...
2] if listed with a registry key in msconfig then unchecking the item in Msconfig will have actually moved it from that key [usually HKCU or HKLM...\Run] to another...
In both cases the entry will now be under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig in a subkey, startupfolder or startupreg.
Simply delete its subkey from startupfolder or its valuename from startupreg and it will disappear from msconfig.
What is the make of your current Raid card? I'm going to guess Silicon Image. The message "no sil controller found in the system. press the button to exit the application" is possibly coming from some part of the card application or firmware; the actual program or driver is not where it was - moved or deleted. The reg or msconfig entries give you the original pathname of the application. The card is using the native Windows Raid controller software now, and so is working.

gerbil 216 Industrious Poster

Can only guess, but possibly in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services or Control\CriticalDeviceDatabase keys you have a Silicon Images service trying to start. You could search those keys for the words SIL or SILICON.
Does the message appear if you start in Safe Mode?
You could use a Windows API scanner/monitor to output the name of the process putting up the text you mention in its codebox.

gerbil 216 Industrious Poster

By now you have likely read up on Sality and know that you have some hard choices and work ahead of you. Yes, it is curable, but while protected system executables will not be infected, many other system files may be. Certainly the executables of other softwares will be infected as you run them [the virus gets their pathnames from the MUICache as they run]. The problem is that they may be damaged by bad infectors and recovery will not be possible, the result being the occurrence of continual errors, slowdowns etc necessitating ongoing repair jobs. The recommendation is generally to run a curative from one of the major AV vendors, then save pure data files to another drive, watching for the appearance on that drive of any executable [.exe, .pif, .cmd] or autorun.inf file. Next you wipe and reinstall the OS and all your softwares from original sources, scan your data drive and reload your data.

gerbil 216 Industrious Poster

The tab key measures spaces along a line, from the beginning of the [any] line. Mine in notepad.exe is equivalent to 8 spaces; thus:
-a tab- 12345... the "1" would be one tab position along the line. In this browser, on this site, a tab is equivalent to 4 spaces, but the tab action is way ropey on this site.

gerbil 216 Industrious Poster

Is tcpip.sys always the driver mentioned in the stop msgs? You do mention that you are working on the internet when the error occurs...

gerbil 216 Industrious Poster

If it's a modern laptop there is no way he could forget the bios/system pw because if set he needed it every time he powered up.... anti theft. Lappie mobos have much more stringent bios security than desktops [I wonder why?...]. I understand that flashing desktop and very old lappie bioses will clear passwords, but not if it is stored off-chip in NVRAM. And you must have a bios that allows power-on flashing. Same goes with CMOS clearing. If I'm ever bedridden for weeks I might play with this.
Some interesting? stuff happening over at mydigitallife with bios recovery boot block flashing. Then there are EEPROM readers, but I note that a lot of bios chips are soldered these days and require a heat gun to remove - the chip can literally be toast. I don't want ever to have to solder a new one in place.

gerbil 216 Industrious Poster

The BIOS password? Before running cracks for that, just clear your CMOS memory on the mobo; that's where it is commonly stored.
But you might just have a mobo or laptop with the pw stored in non-volatile flash memory, or even on the hdd... search for your model.... in which case google for solutions.

gerbil 216 Industrious Poster

Get imgburn. It's free. Build a recovery set of files from your two discs, then use Imgburn to create an image [an .iso file] from them on your hdd [Create image file from files/folders]. Default settings should work; extract boot files from one of the recovery discs. Creating a bootable image is not straightforward, is not a one-click operation, but the Imgburn helpfiles should steer you through it. There is no need to burn a cd, so no cost as you learn.
Get Unetbootin. It's free. Use that to load the iso onto your UFD.

gerbil 216 Industrious Poster

Skip infection checks... no way is that 8400 GS a gaming card. It is not anywhere near the min requ for Proto2...
http://www.hwcompare.com/7109/geforce-8400-gs-512mb-vs-geforce-gt-430/
But you have it; if you set the lowest graphics res your monitor can stand [640x] then you might get a playable framerate.
Might. It was only ever an entry-level card, was not as good as the card it was meant to replace.
"I have a new Windows 7 Ultimate 32-bit PC". New? I just checked, that card was new in 2007. Okay, it is this century, but you did well to find one. There should be no stock anywhere.

gerbil 216 Industrious Poster

Must be a rainy Sunday, all over the world....

gerbil 216 Industrious Poster

"the highest users are "system" and "Service Host:local Service (Network Restricted)(7)" is what you see in TM. That's a restricted view. Download Process Explorer from http://technet.microsoft.com/en-us/sysinternals/bb795533, check in properties of that svchost which service is being run by it.

gerbil 216 Industrious Poster

You might run GMER, OTL to give us a lead, a chance. OldTimer Listit.
Luckily for you, it sounds like a dud malware. Then again, maybe only that bit is dud...

gerbil 216 Industrious Poster

You might copy and save the following as rq2.bat to your desktop, dclick the bat file to run it. Safe or normal mode...

rem SytNxobj is a value under the Run key, so it is deleted with /v, not as a subkey
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SytNxobj /f
del /f /q C:\Users\Chiz\AppData\Local\Temp\kerlamnc.exe
del /f /q C:\Users\Chiz\AppData\Local\kscbnlrs\sytnxobj.exe
rem the Start Menu path contains spaces, so it must be quoted
del /f /q "C:\Users\Chiz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sytnxobj.exe"
rem rd /s removes the folder itself; del would only empty it
rd /s /q C:\Users\Chiz\AppData\Local\kscbnlrs

Wise, though, because your language is not mine, to first check that you don't know any of those objects...

gerbil 216 Industrious Poster

If you want to burden your brain with knowledge and not dope and incense, then this covers the vagaries of installing with OEM discs: http://wiki.lunarsoft.net/wiki/Product_IDs#Windows_XP_complete_list_-_English_locale
And this, a grab from anandtech.com, tells how to modify XP discs to allow installation from the wrong medium version. eg retail to OEM, as here, or vv.:
"Full retail (FPP) media can easily be modified to accept OEM product keys, and vice versa. Copy the CD to your hard drive. Locate and open SETUPP.INI (i386 directory) in Notepad. There should be a line similar to:

Pid=76477000

Doesn't matter what the number actually is (it will be different for Home, Professional, and other packages per the Lunarsoft WIKI chart). Just change the last three digits, whatever they are, to "OEM" (without quotes). e.g. Pid=76477000 would become Pid=76477OEM to go to an OEM media. Change the last three digits to the number shown on the Lunarsoft WIKI page to go from OEM to that version of retail.

That should be all there is to it. Save and burn back to CD, and it should work with the appropriate product key."
I've not had to do this stuff, but both sites are reputable. And you are only risking a cd.
Damn hippies. Tsk....
:)
A bit more.... I've not used Macrium Reflect, I have Minitool Partition Wizard Home [free]; it's rather good and so I have no urge to check other softwares. You might at least glance at their …

gerbil 216 Industrious Poster

Most users never need to enter the registry, or make modifications specifically. Did the fix above solve the shutdown problem, or do you still need help with that?
Before you wipe and reformat, if that is what you wish to do, make sure that you have the Product Key - it is likely on a sticker on the side? of the tower. If not, use software to extract it eg Magical Jelly Bean [yeah, I know... damn hippies...], and record it for use with your new installation. Another is WinKeyFinder - google them.
With XP you will need a disc - XP cannot be downloaded as can Windows 7. Borrow one of the same type as your installation. For example, both those keyfinder tools will give your Product ID also; if it contains -OEM- then you have an OEM installation, for example, and will need an OEM disc.

gerbil 216 Industrious Poster

Press the Start button, choose Run, and paste into the Run box..
control sysdm.cpl,,3
Or go Control Panel, System, and choose Advanced tab.
There select Startup and Recovery Settings button, on that page deselect the Automatically restart checkbox. Your system should now shut down correctly.
Your problem likely arose because upon shutdown an error was being detected, and XP was set to restart upon an error [you do mention a dll error box flashing].
Age is no excuse. Be proud that you're tackling stuff.
I always make and update images, as RJ suggests. Fortnightly, roughly.

gerbil 216 Industrious Poster

Phew. Numbers.

gerbil 216 Industrious Poster

To enlarge...
The ATA-6 /Ultra DMA100 standard provides for a 48 bit LBA address space for sectors [Ultra DMA133 is just faster], so that is the current hardware limit, I believe. 2^48 * 512B sector size = 144 * 10^15, or 128 * 2^50. That is 128PB. 2^50 is a PiB.
NTFS itself uses 32 bit addressing internally, although it is capable of 64 bits; NTFS uses 4KB clusters as address blocks by default, so theoretically you have a partition size maximum of 16TB. 2^32 * 4096 = 17.6 * 10^12, or 16 * 2^40. 2^40 is a TiB.
But if you forgo file compression capability you can set a cluster size up to 64KB with the format command.... and the limit for NTFS is then 256TB. Who needs file compression on a volume like that?

gerbil 216 Industrious Poster

You're the chap who drives past, thinking there's a reasonably good chance of making it to the next petrol station....
Samsung may have a tool to "repair" bad sectors on their drives, but you are wise to back up all data beforehand. That takes another drive. SMART will likely by now have exhausted its reserve of sectors to use as replacements.
HDD Regen costs almost as much as a new drive....
Don't go for an air pilot's licence. You have quite the wrong attitude.

gerbil 216 Industrious Poster

Try starting it without RAM at all for a reference racket. It will beep.....

gerbil 216 Industrious Poster

Asus? Likely AMI BIOS, then. Here is a list of AMI beep codes: http://www.bioscentral.com/beepcodes/amibeep.htm
1L2S is a vid BIOS problem, 2S is RAM. Hmmm. I'm going to guess that you disturbed your RAM block; that could be reflected in the video problem [video uses some RAM]. Open up, reseat your RAM. Ground your mitts to the chassis first, won't you? [a quick rub of your fingers on metal frame will suffice].

gerbil 216 Industrious Poster

Boot into the one you want to keep. If the two Windows are in the one partition, eg. C: drive then there will be Windows and Windows(2)- identify the surplus windows [best if it is Windows(2) because that (2) will carry over into other stuff....] and delete its Windows folder. Transfer any documents you might wish to keep, [copy...]. Delete the folder doc n setts(2). Now go Start > Run, paste:
control sysdm.cpl,,3 -and press OK.
Select Settings in Startup and Recovery, press Edit for the startup options; in the notepad that pops delete the line that corresponds to the unwanted Windows, [check that Default entry matches the remaining Windows], Save it.

gerbil 216 Industrious Poster

If you don't think you need it then simply uninstall it. And miss out on a lot of those annoying video ads in your browser. Tsk. Life exists without FlashPlayer.

gerbil 216 Industrious Poster

luis, CP Add/Remove reads the registry key entries at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
If an application is listed there [a key entry] with a DisplayName value then it will appear in A/R Pgms. If the key contains a value Uninstallstring then the Uninstall tab will appear alongside in A/R Pgms. If the actual uninstaller is represented and working and has uninstall info available if required, then the app will uninstall.
Sounds like your Uninstall key is missing/damaged, else CP is damaged [appwiz.cpl]. Try running:
regsvr32 appwiz.cpl -in a cmd window.
If that does not work then M$ has a Fixit for CP. You would G this... xp control panel fixit add/remove and find this... http://support.microsoft.com/kb/266668

gerbil 216 Industrious Poster

For an infection such as you describe you could run these, in this order:

http://www.bleepingcomputer.com/forums/topic114351.html [combofix, just show the results you have already]
http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
http://oldtimer.geekstogo.com/OTL.exe
For OTL, press Scan All Users, Minimal Output, Standard Registry ALL, check both LOP and Purity boxes, leave other sections as they are.
Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

  • Press Run Scan.
    The scan will take maybe 5 minutes; 2 notepads will present [saved to the place from where you ran OTL.exe] - please post both.
    Post all results, please.
gerbil 216 Industrious Poster

Hospital reading for you... :)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Value Name: NoFileMru - prevents common dialogue boxes from showing recently used entries.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: NoRecentDocsMenu - this will remove My Recent Docs from Start Menu [there is a checkbox for it in Start, Properties, Customise, Advanced ...]
Value Name: ClearRecentDocsOnExit - empties the record of these objects upon logoff.
Value Name: NoRecentDocsHistory - this prevents complying applications from recording used objects, ie. it removes the Recent folder.
HKCU hive is for you; placing the above in HKLM hive instead would block for all users.
And so it goes. XP records a multitude of recent documents operations in registry [another is the Run box in Start: NoRunMRU], as well as searches. As far as I know, there is no blanket reg key which when used would control all of those records. You can prevent them/block them individually. Some applications do it also, and they too must be blocked individually. Windows also records in registry all programs, shortcuts and links that are used by users, and also certain system executables, when and how often. All, since installation.
Clearing tracks is a laborious job. You can find, I'm sure, web softwares that will do some or much of what you want.

gerbil 216 Industrious Poster

And then, of course, there are traps for the uninformed, or unwary, which come at a price. Diagnostics software usually check device manager and driver lists. You and Device Doctor will do that for free. Speed up the net? If such programs don't install proxies and use proxy servers to overcome slow net hops then I believe that all they can do is commence downloading stuff even before you decide [or if]. They certainly cannot fix your line problems or upgrade your ISP connection. Registry fixes? Yurk. Risky, and a waste of time.

gerbil 216 Industrious Poster

If you are using XP, then I would tell you to try re-registering shdocvw.dll, or maybe to dl a fresh copy from M$ updates and registering that. It appears in lots of KB$s. Do...
regsvr32 shdocvw.dll in a cmd window.
In W7 or Vista... I don't know, I don't have them. Search in system32, if it's there, then...

gerbil 216 Industrious Poster

MRU. Yeah. He's all about track hiding, like for when you use your mum's computer and she opens up Photoshop and sees in Open Recent an item "HotChickSex.jpg"....
Lots of apps record this info, pdf readers etc...., not just browsers. As an example, Foxit records in reg the last 50 documents opened - this is not for snoop value, but simply to enable restoring the document with the view settings you used with that particular item. Handy.
For many applications that adhere to M$ policy you can stop the practice by using a selection of the key values from the above OP post. You would put them in HKCU, not HKLM, else your savvy mum might sus interference. Why would you do it? Track hiding. Who wants to give up convenience?
As he posts, there is software that reads Registry to list all MRU entries... :)

gerbil 216 Industrious Poster

The Delete key will take you into the AMI BIOS. There, I think, under Advanced Options you should find your hard drive listed along with any others, eg. an inserted UFD key or drive. Switch the orders. Alternatively, press F8 key immediately after power on and you should be presented with a one-time boot order screen [you must have your external drive connected before powering on].
I have a feeling your hdd has a problem... "status: 0xc000000f info: the boot selection failed because a required device is inaccessible." -it could be that windows has spat a driver, in which case you need a repair cd, or that the hdd is corrupt or bad.... try to run chkdsk on it, or get a bootable UFD diagnostic software from the drive manufacturer.
Your 2GB of RAM.... it was either incompatible, or bad. Most RAM I have encountered is lifetime guaranteed. Return it.


gerbil 216 Industrious Poster

No butterfly sneezes there. But Hijackthis only does a simple scan compared to more modern types... eg OTL.

gerbil 216 Industrious Poster

Malwarebytes on-demand ANTISPYWARE scanner is still free - look for it on their site.
To remove AVG ANTIVIRUS go to their site and download their removal tool.
AVIRA or AVAST are possibly the best, free ANTIVIRUS products atm.

gerbil 216 Industrious Poster

Try piping the output of a tree command to a txt file. Your dbase may not be able to cope with the non-alphanumerics, though...
eg: tree G: /F > C:\filelist.txt

gerbil 216 Industrious Poster

Threw out McAfee and put on AVG.
Aw, heck. For a light and hardworking load use Avira, or Avast. Both free. Either outperforms the two you mention. And it's not only the opinion expressed in the report BigPaw recommended in his link above.
A lot of that committed memory you mention is going to be on your paging file. Mem mgmnt ensures only that needed absolutely, immediately or often is actually in RAM.

gerbil 216 Industrious Poster

My key shows an entry from my AV at AppInit_DLLS.. otherwise it's the same as M$'s default key.
Nothing showed in the Modify Binary data action? Then do as Jim suggested and get Autoruns, see what shows there.

gerbil 216 Industrious Poster

Mods, I have decided that if your code detection monster finds code in my innocuous posts then it is simplest to just code the whole damn thing. Looks bad, doesn't it?

gerbil 216 Industrious Poster

Couple of ways to do this...
Rclick the AppInit_DLLS Value name, choose Modify or Modify Binary Data, sweep your cursor across the data field to highlight and choose Delete.
Better still is to create this batch file and run it - it will expose hidden values in AppInit_DLLS data, and expose any hidden value names:
Save these two lines in a notepad as query.bat to your desktop, dclicking it will pop rq.txt.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" >rq.txt
start rq.txt

You should see this [default \Windows subkey]:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout    REG_SZ  15
    GDIProcessHandleQuota   REG_DWORD   0x2710
    Spooler REG_SZ  yes
    swapdisk    REG_SZ  
    TransmissionRetryTimeout    REG_SZ  90
    USERProcessHandleQuota  REG_DWORD   0x2710
    AppInit_DLLs    REG_SZ

Then you could delete that \Windows subkey and add it back with this reg file [attached] of the default Currentversion\Windows subkey. Save all the content via Notepad as Windowsdefault.reg [no .txt extension], then dclick the file to merge it; a msg about success should pop. If it does not, then rclick the file, choose Merge.
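Several of these posts come down to the same routine: dump a key with reg query, read the text, and remove what should not be there (a Run entry pointing into a temp folder, a non-empty AppInit_DLLs, a Winlogon Shell or Userinit that lists more than explorer.exe or userinit.exe). As an added example, not code from gerbil's posts, here is a Python script that parses that rq.txt style output offline and flags those three persistence points. The embedded sample is constructed: the sytnxobj and kerlamnc paths are the ones from the earlier cleanup post, while example_hook.dll is an invented name used only to show the AppInit_DLLs check firing.

```python
"""Parse reg.exe query output and flag common autostart tampering.

Added example, not from the original posts. Reads the text that
`reg query <key> > rq.txt` writes; the XP "REG.EXE VERSION 3.0" layout and
the Vista+ layout differ only in column spacing, which the regex tolerates.
"""
import re

# A key line starts in column 0 with a hive name; value lines are indented.
KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*?)\s*$")
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")

# Folders a legitimate autostart entry very rarely lives in (compared lower-cased).
USER_WRITABLE_DIRS = (
    "\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
    "\\local settings\\", "\\application data\\", "\\locals~1\\",
)


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg.exe output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!") or line.startswith("ERROR"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), (m.group("data") or "").strip())
    return keys


def userinit_extras(data):
    """Entries in a Winlogon Userinit list other than userinit.exe itself."""
    parts = [p.strip() for p in data.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def suspicious_autostarts(keys):
    """(reason, location, data) triples for the persistence points the posts clean up."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(("\\run", "\\runonce")):
            for name, (_type, data) in values.items():
                if any(d in data.lower() for d in USER_WRITABLE_DIRS):
                    findings.append(("run-entry-in-user-writable-dir", key + "\\" + name, data))
        elif k.endswith("\\currentversion\\windows"):
            data = values.get("AppInit_DLLs", ("", ""))[1]
            if data:  # default is empty; anything listed is loaded into every user32 process
                findings.append(("appinit_dlls-set", key + "\\AppInit_DLLs", data))
        elif k.endswith("\\winlogon"):
            shell = values.get("Shell", ("", ""))[1]
            if shell and shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell-changed", key + "\\Shell", shell))
            extras = userinit_extras(values.get("Userinit", ("", ""))[1])
            if extras:
                findings.append(("winlogon-userinit-extra", key + "\\Userinit", ", ".join(extras)))
    return findings


# Constructed sample in the XP rq.txt layout. The sytnxobj/kerlamnc paths come
# from the earlier post; example_hook.dll is an invented name for illustration.
SAMPLE_RQ = r"""! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SytNxobj    REG_SZ    C:\Users\Chiz\AppData\Local\kscbnlrs\sytnxobj.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\example_hook.dll
    Spooler    REG_SZ    yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\Chiz\LOCALS~1\Temp\kerlamnc.exe,
"""

if __name__ == "__main__":
    for reason, where, data in suspicious_autostarts(parse_reg_query(SAMPLE_RQ)):
        print("%-32s %s\n%34s-> %s" % (reason, where, "", data))
```

Run it against a real rq.txt by reading the file into parse_reg_query instead of SAMPLE_RQ. Working from reg query output rather than regedit's display is deliberate: reg.exe prints the whole REG_SZ data, which is why the post above uses it to expose data that the Modify dialog can hide, and the Userinit check tolerates the trailing comma the default value carries.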

gerbil 216 Industrious Poster

This link covers the simple removal process quite thoroughly:
http://malwaretips.com/Thread-How-to-remove-System-Progressive-Protection-virus

gerbil 216 Industrious Poster

Use regedit to open the registry to the HKLM/Software/Microsoft/Windows/CurrentVersion/Uninstall key, highlight it.
Under Edit tab, in Find type...
java
& ensure only the top 3 boxes are checked. Delete any entries found [the subkeys in {} ].
The pgm JavaRa should also do the job?

gerbil 216 Industrious Poster

Super, I just googled "common software manager" and found only two instances of that exact term [there must be more out there..?]. Both from memory were to do with voice recogn swares. But apart from that, basic methodology is to track what is running, and what it is a part of. You could use Process Explorer from MSinternals for that. Do a search in it [search tool] before the halt for "common software" as a start.

gerbil 216 Industrious Poster

Or I guess that doesn't matter. reset.log is just a file to write to.
I hate networking.. too complex.

gerbil 216 Industrious Poster

"netsh int ip reset reset.log"
should be... netsh int ip reset resetlog.txt