gerbil 216 Industrious Poster

If you saw chkdsk run without any action from you then it likely means the session manager [via autochk] detected a disk had not been shut down correctly.
Because you have not logged on yet [or seen the Welcome screen] the registry has not been updated yet to reflect a good logon, so you should try using your F8 key during startup to gain access to the Advanced Options screen -choose Last Known Good Configuration.

gerbil 216 Industrious Poster

Oh dear. All that for just $60... bargain. Quoting from the HDDRegenerator site:
"Bad sectors are a part of the disk surface which contains not readable.. information. As a result .. you may have difficulties to read and copy data from your disk, your operating system becomes unstable and finally your computer may unable to boot altogether. When a hard drive is damaged with bad sectors.... you risk losing information stored on it. The HDD Regenerator can repair damaged hard disks without affecting or changing existing data. As a result, previously unreadable and inaccessible information is restored."
I like that. If data is recoverable from bad sectors then Windows chkdsk program will restore it for no cost.
If bad sectors are not recoverable then HDD manufacturers have free utilities which evaluate sectors on a disk, recognize those which are bad and with truly irrecoverable data, and then give you the option of writing zeroes to those sectors - the drive firmware is then forced to return those sectors to usable status. These utilities will also recover readable data as per chkdsk. All free.
j2130, may I suggest that you try running chkdsk from a Windows Setup disk? Use Setup to start the Recovery Console; "chkdsk" is a command in there. Running "chkdsk /?" will give you a list of available parameters.

gerbil 216 Industrious Poster

Well, wireshark is a packet capture tool, and that's what it does. If you are trying to learn the gist of captures then one suggestion is to turn off all but one traffic source application. Next is to construct useful display filters so you see only the traffic you are interested in; once you have that set then to reduce the capture file size you can set a capture filter that accords with what you wish to display. eg... you could ignore a running bit torrent download and concentrate on email packets, say. Take note, too, of the colouring rules - they identify the type of packet.
Packets are not very human-friendly, in general.... you are seeing computer chit-chat.

gerbil 216 Industrious Poster

Wireshark. Every byte. Every connection. Every IP.

jingda commented: + +10
gerbil 216 Industrious Poster

MBAM will remove them both, completely. It's the best way, they both spread themselves widely thru your sys/registry; forget manual removal.
You loaded some doubtful app which had them as an accompaniment - you did not read the license conditions, if any.

gerbil 216 Industrious Poster

Depending on timings of your actions, using SR would have rolled back your drivers to what partially worked before, but did not again. Hmmm. What happens with Safe Mode?
A bit of info would be handy, your mb model and vid card model [ATI GFX doesn't really cut it].

gerbil 216 Industrious Poster

Totally unfamiliar with the Dell Diagnostic CD... I thought it would be a standalone, bootable thing, but it sounds as if it uses core parts of the OS on the machine it wishes to test? So it might be your HAL playing up? Here:
http://msdn.microsoft.com/en-us/library/ff554406(v=vs.85).aspx

gerbil 216 Industrious Poster

I think so... :(. But I am out of my depth here right now. CPU architecture falls WAY outside my interests; you have to draw a line somewhere. I use a proprietary system benchmarking software, but there is likely something to do the job at no cost. Gurgling gives me these of some interest:
http://www.softpedia.com/get/System/Benchmarks/CPUMark.shtml
or go wild here: http://majorgeeks.com/downloads4.html
Any chance of dropping your CPU into another sys?

gerbil 216 Industrious Poster

Interesting re Avast BS. You might play with it by leaving it on, and going into Expert Settings there and adding a trusted process for your game; leave it checking for low-level rootkits etc.

gerbil 216 Industrious Poster

The reference is probably to address line mapping, so expect trouble with memory sticks, you might hope, but more likely the cpu. If your BIOS allows it, use expanded bios reporting options so that it at least does a quick check of memory addressing. And try memtest86+ .... gurgle for that, the download choices are down the page a ways, and options are for all the usual bootable media. There are CPU tests out there.

gerbil 216 Industrious Poster

Avast has a gaming mode. Are you using that?
It's the job of an AV to examine every new or changed file that is loaded to mem, or downloaded...
As far as Avast and ZA conflicting, the linked post above is TEN years old!! One would hope that two majors would have sorted it out by now.

gerbil 216 Industrious Poster

It seems that your sound device is actually working, at least to the extent that the system can recognise it, and know that the driver is incorrect, or corrupt.
These chaps are good: http://members.driverguide.com/
Just paste into Search your C-Media AC97 Audio Device, or [better..] choose Sound Card and follow through. You might come to this page:
http://members.driverguide.com/driver/detail.php?driverid=136560
Grab that file [register, please.] and install it.

gerbil 216 Industrious Poster

Hi, gnuma...
"I went to Control Panel>System but I don't find an Advanced Tab. what didn't I do?"... Beats me. Does entering this into the Run box go there directly?:
control sysdm.cpl ,3
But anyway.... the following should work for you:

[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


So go back to where you got that file from, delete the second disk config line in the Notepad and go File, Save. And that is it.
The second disk configuration line with rdisk(1) in it refers to a second hard drive which you obviously don't have installed, so ntldr throws up that error message. In fact, rdisk(x) is the position of your disk on the mb adapter. With EIDE controllers and most setups, the primary boot drive is on the first adapter, so is rdisk(0).

gerbil 216 Industrious Poster

Could we have a look at this?
"Start Windows, then go CP > System > Advanced tab, Startup n Recovery Settings button. Click the Edit button. A notepad should pop with your boot.ini file. You can post it here for our guidance on editing it.
[Just occasionally, during installation Setup will leave an entry that controls its automatic restart during installation; it may be that..or a spurious entry with a misconfigured disk parameter, all fixable]"

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

Gee... I led you astray there. It's been a while since I did a boot log.... so I did one just to check. Here is the proper way... :( :
To do one, run procmon.exe; stop the logging via the magnifier button. In Options, check Enable Boot Logging, and restart your system.
Upon the restart, boot logging will halt the moment you run procmon.exe; then choose to Save the log somewhere [it will be 200MB more or less if you stop it quickly; the logging continues until you run procmon.exe].
Once Saved [and only when saved], the log will be presented in Process Monitor's window.
As far as setting a Duration filter goes, you may need to play a little bit with its time values. Using Duration is only a start - some processes continue without interrupting the startup. For example, winlogon.exe runs continuously once it starts, so will explorer.
Really, what you are looking for is large jumps in Relative Time, but I don't know how to filter for that... scrolling and eye-balling the column will always work.
You might also try disabling your AV and restarting.
Access denied... there will be a few relating mainly to Winmm access requests.
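
An added example, not part of the original post: one way to find the "large jumps in Relative Time" the post describes without scrolling, by saving the boot log from Process Monitor as CSV and measuring the gap between consecutive events. It assumes the Relative Time column is enabled and exported in hh:mm:ss.fffffff form; the function names and the sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample in the shape of a Process Monitor CSV export with the
# Relative Time column enabled. Not taken from a real machine.
SAMPLE_CSV = r'''"Relative Time","Process Name","PID","Operation","Path","Result"
"00:00:01.1000000","smss.exe","540","CreateFile","C:\WINDOWS\system32\autochk.exe","SUCCESS"
"00:00:01.1500000","winlogon.exe","612","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS"
"00:00:01.2000000","services.exe","656","ReadFile","C:\WINDOWS\system32\drivers\example.sys","SUCCESS"
"00:00:43.7000000","services.exe","656","ReadFile","C:\WINDOWS\system32\drivers\example.sys","SUCCESS"
"00:00:43.7500000","lsass.exe","668","RegQueryValue","HKLM\SECURITY\Policy","BUFFER OVERFLOW"
"00:00:46.0000000","explorer.exe","1480","CreateFile","C:\Documents and Settings","SUCCESS"
'''


def parse_relative_time(text):
    """Convert 'hh:mm:ss.fffffff' to seconds; return None if it does not parse."""
    try:
        hours, minutes, seconds = text.strip().split(":")
        return int(hours) * 3600 + int(minutes) * 60 + float(seconds)
    except (ValueError, AttributeError):
        return None


def load_events(handle):
    """Read the CSV and return (seconds, row) pairs in time order.

    Rows without a usable Relative Time value are skipped, so an export made
    without that column yields an empty list instead of a crash.
    """
    events = []
    for row in csv.DictReader(handle):
        seconds = parse_relative_time(row.get("Relative Time", ""))
        if seconds is not None:
            events.append((seconds, row))
    events.sort(key=lambda event: event[0])
    return events


def find_gaps(events, threshold=1.0, top=10):
    """Return the largest pauses between consecutive events, biggest first.

    Each result keeps the last event before the pause and the first one after
    it: whatever was in progress before the pause is where to start looking.
    """
    gaps = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        if t1 - t0 >= threshold:
            gaps.append({"gap": round(t1 - t0, 3), "at": t0,
                         "before": before, "after": after})
    gaps.sort(key=lambda gap: gap["gap"], reverse=True)
    return gaps[:top]


if __name__ == "__main__":
    for gap in find_gaps(load_events(io.StringIO(SAMPLE_CSV))):
        print("%8.3f s pause after %-14s %-12s %s" % (
            gap["gap"], gap["before"]["Process Name"],
            gap["before"]["Operation"], gap["before"]["Path"]))
```

To use it on a real log, replace the `io.StringIO(SAMPLE_CSV)` argument with an open file handle on the exported CSV.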

gerbil 216 Industrious Poster

Isn't this new "Google paradigm" sweet? You are now actually able to clock up some sleep, Jude.

gerbil 216 Industrious Poster

Hi, Jeannot. Buffer overflow results are normal; the query will be remade but with allowance for a longer data reply; there may be 100 or 200 of them. Another common result is Name not found - the software is written for many eventualities.
But Access denied? - I have not seen that in a Boot log. What processes were involved? [use filter: result excludes denied then exclude]

gerbil 216 Industrious Poster

Hello, jeannot, well, we can rule out malware [you scanned] and non-M$ services, and probably drivers. Hmm... did you check the Event viewer [via Admin tools]?
And did you run Memtest86+ [from http://www.memtest.org/ ]? Halfway down that page you have a good choice of builds for floppy, cd or USB.
The only other thing I can suggest to nail this down is to get and run Process Monitor from http://technet.microsoft.com/en-au/sysinternals/bb896645 -put it somewhere for fast access, perhaps into a new folder on your desktop.
You need to boot log with it, so start it via procmon.exe and halt the logging immediately via the little magnifier glass; go Options > Enable Boot Logging.
Restart your sys; when you are able start Process Monitor, answer No to saving the log and immediately stop the logging.
Add the Duration column. You are looking for anything with a duration longer than oh... to start with... maybe 0.02 seconds. Easiest is to set a filter for that; use Duration Less than 0.02 then Exclude. Add and Apply that.
That filter should leave you with a few disk accesses, reads or writes. Too much info? Your sys is slow...Increase the filter time to 0.1 sec... there should be nothing. But something is dragging its feet, and this might bring it out. To modify a filter find it in the list, dclick it to put it in the edit line, vary it, Add and Apply.
Post …

gerbil 216 Industrious Poster

It sounds as if your mail server is not a good one; I guess it is not your ISP?
You should not be receiving timeouts if it is your ISP, if a third party mail server then who knows...? It may be busy, your connection slow, it may just not be very compatible with Outlook. Some webmailservers block mail clients unless you pay. Are you using a proxy client to interface Outlook with the mail server? You'll know what I mean if you are...
Anyway, if clearing your mail from the server helps for a while, then do it again but also delete the pop3uidl.dbx file from your mail store [Outlook will rebuild it when next you start it].
Your mail store is found by going to Tools > Options > Maintenance in Outlook.
I reckon it's a dodgy mail server...
While you are doing that, first in your mail store delete pop3 and smtp log folders if they exist, then open Outlook and in the Maintenance page check the Mail logging for Troubleshooting box. When you fail to receive an email check the last entry block in pop3.log - it will give you an idea of the problem. Below is the listing in my pop3 log for the successful reception by me of one short email [there are 112 emails awaiting deletion on my server, they will be deleted when I delete them from OE].

Outlook Express 6.00.2900.5931 (xpsp_sp3_gdr.100129-1321)
POP3 Log started …

gerbil 216 Industrious Poster

Jeannot, "the computer start fast but when the pc comes to the logon screen it stays for 2 minutes or more at : windows wordt gestart ( windows starting)." implies that your sys is having trouble either with services or drivers and hardware. It is at that point that ntoskrnl is loading services [drivers] from the list passed to it by ntldr [the default controlset], and seeing whether the hardware functions. So when you next start your sys check in device manager for any devices with a yellow "?" next to them. That will indicate either a bad driver or hardware item.
To find a sticky service is tougher. If you have tried your Restore Points and they do not help, then try the following:
Just to be safe, first start your sys in Safe Mode. Works? Right, run msconfig [from Safe Mode will do], and under Services tab check the Hide Microsoft Services box, then uncheck all that remain [except any for your keyboard], including your AV and firewall. Restart. Recheck the boxes if no change.
Under General tab select Diagnostic Services and restart [you will lose ALL restore points if you do this...]. No change? Set it back to Normal start.
Say how you get on...

gerbil 216 Industrious Poster

Yeah. OP is not giving much detail - we don't know if it is slow coming to logon screen, or after. Big difference regards third party apps.. most won't load until userinit.exe runs.
As far as boot scans by AVs, Avast can be set to do one, but it is obvious, with an info screen; it runs before winlogon.exe.

jingda commented: I agree +9
gerbil 216 Industrious Poster

At logon there won't be a whole lot of background pgms running, certainly no third party apps, and the internet connection quality will hardly be a bugbear then. Most malware won't have started at that time [cannot be ruled out, though]. Sure, 4 GB of mem is more than XP can recognise, but one bad bit is one too many. Bluescreens with W7, slow login with XP...

gerbil 216 Industrious Poster

I don't bother with oc, just read about it; that does seem like a large oc, though, from the standard 2.7GHz? Try backing that off [that's the first rule on a badly performing oc job, isn't it?]. Does it game ok? Check your memory with Memtest86+ [the bluescreens suggest a possible problem].
But sometimes installations just seem to go bad, little bits of sysfile corruption that slow things down. If just a few weeks into it, I'd consider a reinstallation. I know it's a pest, a time waster, but sometimes it works. A last resort, though.

skilly commented: I agree, undo the overclocking, if possible +3
gerbil 216 Industrious Poster

I have the latest version of CCleaner [as on the link caper posted, .1457]; it cleans at least as well as earlier versions, is free, is still configurable. Mine I configure to clean Java caches etc., and other temp files that I have moved.

gerbil 216 Industrious Poster

Your firewall, AV or cleaning softwares likely have tools inside their Options tab to do just that job for you.

gerbil 216 Industrious Poster

Safi, the default is the boot.ini of Setup, the one it makes for itself when it is organising its restart. That the default option fails with cd inserted means some of its files already copied are corrupt; don't run Setup from an existing Windows installation...
Anyway, to fix your boot.ini so that you start XP Pro normally just change it to this:

[Boot Loader]
Timeout=5
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Easiest way is CP > System > Advanced tab > Startup n Recovery Settings button, Edit.
The timeout of 5 secs is immaterial if there is only one option - you won't see the menu screen.
Oh, and delete that folder, C:\$WIN_NT$.~BT if it exists... it's the temp files for installation.
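
An added example, not part of the original posts: a small checker for the two boot.ini faults described in this post and in the earlier reply to gnuma, namely an entry whose rdisk(x) points at a disk that is not installed and a leftover entry from Setup. The function names and finding codes are hypothetical, both sample files are constructed, and the shape of the Setup entry (a path under C:\$WIN_NT$.~BT) is an assumption.

```python
import re

# multi(a)disk(b)rdisk(c)partition(d): group 3 is the zero-based disk position.
ARC_RE = re.compile(
    r"multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)", re.IGNORECASE)

# Constructed sample: the working file from the post plus a stray rdisk(1) line.
SAMPLE_STRAY_DISK = r'''[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
'''

# Constructed sample: Setup's restart entry left in place (assumed shape).
SAMPLE_SETUP_LEFTOVER = r'''[Boot Loader]
Timeout=5
Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
'''


def parse_boot_ini(text):
    """Return ([boot loader] settings, [operating systems] entries)."""
    section, settings, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()   # section names are not case-sensitive
            continue
        key, _, value = line.partition("=")
        if section == "boot loader":
            settings[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            entries.append((key.strip(), value.strip()))
    return settings, entries


def check_boot_ini(text, disks_present=1):
    """Return a list of (code, path) findings; an empty list means nothing was flagged."""
    settings, entries = parse_boot_ini(text)
    findings = []
    paths = [path for path, _ in entries]
    default = settings.get("default", "")
    if default.lower() not in [p.lower() for p in paths]:
        findings.append(("default-not-listed", default))
    seen = set()
    for path in paths + [default]:
        if not path or path.lower() in seen:
            continue
        seen.add(path.lower())
        if "$win_nt$.~bt" in path.lower():
            findings.append(("setup-leftover", path))
            continue
        match = ARC_RE.match(path)
        if match is None:
            findings.append(("not-arc-multi", path))   # other syntaxes are not checked here
        elif int(match.group(3)) >= disks_present:
            findings.append(("rdisk-missing", path))   # points at a disk that is not there
    return findings


if __name__ == "__main__":
    for name, text in (("stray disk", SAMPLE_STRAY_DISK),
                       ("setup leftover", SAMPLE_SETUP_LEFTOVER)):
        print(name, check_boot_ini(text, disks_present=1))
```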

gerbil 216 Industrious Poster

Er.. dodge AVG. Avast? Avira? Comodo? All available free, all good.

gerbil 216 Industrious Poster

I only know of the UAC from playing with others' Vista installations... it just doesn't LEARN. A decent firewall like that of Comodo has that capability if you use its settings and popups correctly, and then the UAC is not required. I note that the latest Avast AV has one [but it can learn]; the Comodo firewall is more comprehensive in its detections/actions - I like it.

gerbil 216 Industrious Poster

"The drive also does not hav any bad sectors ethier... This leads me to think that this computer itself is going bad...". Not necessarily. It is just that the FAT structure has been corrupted, there is no way to repair that. Even deleting all files won't fix the structure. A quick or full format will create a new FAT structure.
Note, RJ, that if the parking lot is NTFS, the attendant will hold small cars in his register and not put them in the lot.. :) Strong paper.
Back to FATs...
"You will notice the same if, when you format your drive you do not check the quick-format option. Instead of just rewriting the file allocation table, the format process must rewrite each sector on the drive." No, a full format does not do that, it rebuilds the FAT and boot sector data and performs a surface scan for bad sectors.
Further, I am quite sure that it is not possible for a user to do a lowlevel format... that is manufacturer base stuff to establish the track/sector layout pattern, other disk parameters, map bad sectors and write all that into the onboard drive controller so it can manage read/writes, do the actual data management.
Writing all zeroes or any other bit pattern to java's disk won't help, that is just a security measure, it is what so-called low-level format tools do [nor will it hurt]. After any sort of format the new FAT will …

gerbil 216 Industrious Poster

"I ran chkdsk and it found some .log files and other file that I don't use to have 'invalid allocation units' or 'invalid size' errors".
This is where you get to reformat that drive [partition]. These are irrecoverable errors in your MFT. Its structure has been compromised. Copy off what you wish/can, and reformat it.

gerbil 216 Industrious Poster

PP, I cannot comment on Comodo's worth... should be good.. I lost the address of a German ratings group whose work I valued, cannot seem to find them via searches. As far as reinstalling goes, well, I would have done it weeks back, it is just a night's work, it is what I said yest? I, too, am often uncomfortable with the time span of some solutions/quests, I wonder at the resilience of the OPs, but that's how it can be with solution sites, time zones, work commitments... As an OP I'd not last a week! But that is not to underestimate the value of these sites.. helpers often put in a lot more effort than someone could reasonably afford to pay for; the help, too, can be of higher quality.
Comodo doing the DNS lookup is just their way of safeguarding browsers from bad web addresses instead of using a referral service like that of others. Upon reflection, I don't know why I edited in that kh should use the DNS server supplied by her ISP.
I did have a somewhat similar issue with a friend's sys and Java several weeks ago; it would not update, the installer would run and halt with an error message; this continued even after uninstallation of the loaded Java, running JavaRa.... I eventually solved it by judicious key deletions [JavaRa leaves heaps], but did not identify the culprit; it was a key, or number of.
But anyway...

gerbil 216 Industrious Poster

Yes. kh, that is what I wanted to see, that key query result. I use Comodo, and I was puzzled as to why guard32.dll was not listed in your DDS log instead of a blank.
Thanks.

gerbil 216 Industrious Poster

I am not sure the \Windows key value name AppInit_DLLs should appear with no entry? I might expect this to be used by parts of some AV service or similar... I don't like the Null entry much; it is possible to give a key value name a null entry, and then assign a data to it. I know that if AppInit_DLLs is empty then DDS does not report it.
I have watched this struggle occasionally, from afar... I think the OP has chosen the right course, reinstall. Something is broken, and badly.
kw, maybe you could paste this into a cmd window, and post c:\showkey.txt ? Just my curiosity, really...
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v appinit_dlls > c:\showkey.txt

gerbil 216 Industrious Poster

:)

gerbil 216 Industrious Poster

And your DNS lookup is via Comodo, not your ISP. Gee, they are taking over your internet. You really should use the DNS servers given by your ISP.

gerbil 216 Industrious Poster

I'm hardly surprised at that.. :). This is a quick one: ==RKU from http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE -start it, select Report tab, Scan, and tick Drivers and Stealth Code. If the generated report contains anything please save it, and post it.

gerbil 216 Industrious Poster

Long thread. Did you ever run a rootkit scan [apart from that in Combofix], kh?

gerbil 216 Industrious Poster

Ouch. A hard lesson for one so young. Yes, people do need to be aware that on the net is forever. Comes down to misplaced trust.. for your young friend, in a stranger [and that is so often fraught], and a lack of regard for other people [I wish that was not a growing thing, but I fear it is; it's possible to understand why]. We take so much pleasure in someone else's misfortune... that is, after all, a solid basis for humour [did you never burst out laughing when a friend fell in a puddle?], as well as some other disturbing feeling... them, not us.
But anyway...

gerbil 216 Industrious Poster

Crikey, j, you'll make everyone paranoid. Well, not quite everyone, Facebook will go on...
And yes, the file will be in a "temp" store on his computer [as well as any place he saves it to], and will stay there until he cleans or it is cycled out with age... could be months. And even then it will remain on disk, not at all lost, until it is overwritten...
Baby, we must hear this file.... we just must.. :)

gerbil 216 Industrious Poster

You're welcome, Mazekx. I guess I could have added that you should update and do a final scan and removal with MBAM to see if any other malware files have been unhidden. And now update your Java.
Cheers.

gerbil 216 Industrious Poster

Hello, Mazekx, those two logs show clean [the rk warning is because of Safeboot, which is fine]. No new files were found for deletion. Are these two entries part of your corporate settings?
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2915997116-4131603029-1789207793-41665\Scripts\Logon\0\0]
"Script"=cambiar administrado por.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2915997116-4131603029-1789207793-41665\Scripts\Logon\1\0]
"Script"=SitiosdeConfianza.cmd

I suspect they are... so, go Start, Run and enter:
"%userprofile%\desktop\combofix.exe" /uninstall
-combofix will start, and remove combofix and its folders. And then you are good to go.

gerbil 216 Industrious Poster

ComboFix contains embedded files and processes which may be recognised by your antivirus as hacking tools or trojans; your AV may delete them without prompting and so cause unpredictable results like an incomplete scan or stalling. It presents a risk you may not accept; however I see your "I can't uninstall it because it is a corporate tool and I haven't right to uninstall it nor stop it" ... in that case, because Combofix will run in Safe Mode [WITH Networking], and McAfee will not then be active, then do that.

gerbil 216 Industrious Poster

That is a good start. Combofix has at least been initialised at some point.... please go Start > Run, and enter..
c:\combofix /uninstall

==Download a fresh copy to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or from: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : close other applications and save work, TURN OFF your Antivirus, Antispyware and Firewall for the duration of this scan.
- to run it dclick the Combofix.exe icon and follow the prompts to start it. If you do not have it installed already, Combofix will download and install the Recovery Console on your system.
A word of caution - do not touch your mouse/keyboard until the scan has completed [your computer will restart automatically] when a log, C:\Combofix.txt , will pop onto your desktop - post that log in your next reply.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

==Download and run this rootkit scanner from http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE
-Select Report tab > Scan, tick only Drivers and Stealth Code. If the report contains anything save the file and post it.
Please comment on how the system runs.

gerbil 216 Industrious Poster

Hello, Mazekx, yes, you do have a rootkit and associated infection.
TDSSKiller
==Download tdsskiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
Start TDSSKiller via this command, NOT the icon:
"%userprofile%\desktop\tdsskiller.exe" -l C:\tdssrpt.txt <==paste this into Start, Run...
- click Scan. If TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required]; press Continue also on Skip prompt. Do not delete or quarantine any files.
Post the log from C:\.

Because we are speaking different languages and because you have a corporate computer, there may be softwares that I am not familiar with... so please examine these files and folders - if they are NOT familiar to you then follow the instructions below:
c:\documents and settings\administrator\dati applicazioni\irsuty\tyodq.exe
c:\docume~1\admini~1\datiap~1\Vuynyf
c:\docume~1\admini~1\datiap~1\Irsuty
c:\windows\miatil.dll

If, as I suspect, they are unknown to you then:
==Please copy the text in the box to a Notepad [format/wordwrap unchecked] and save as fixkey.bat to your desktop; dclick it to run...

reg delete HKCU\software\microsoft\windows\currentversion\run /v Csuwileyocoz /f
reg delete HKCU\software\microsoft\windows\currentversion\run /v {063FE004-5120-2042-71E3-DC8952D33A7B} /f

Delete these folder/files:
c:\documents and settings\administrator\dati applicazioni\irsuty\tyodq.exe
c:\docume~1\admini~1\datiap~1\Vuynyf
c:\docume~1\admini~1\datiap~1\Irsuty
c:\windows\miatil.dll

Go to Control Panel, Add/Remove Pgms and remove all old versions of Java. [6.0.24 is current]. Wait until your system is clean before installing the latest …

gerbil 216 Industrious Poster

M$'s advice when experiencing faults in the FAT [file allocation table] is to reformat that volume.

gerbil 216 Industrious Poster

It is Explorer which is having trouble with file extensions. Explorer is a shell inside which you play. Task Manager is also a shell; like Explorer it uses the registry to find how to handle files, hence you cannot go File > NewTask, cmd.exe, but here the Ctrl key offers a special shortcut.
The cmd window is another shell, it has no such trouble with file extensions, it has no need to look up the key HKCR\.exe to find handlers. So...
Ctrl-Shift-Esc opens a TM window.
In TM, going File, then Ctrl-lclick NewTask opens a cmd window.
Inside that window you can run .exes.. eg regedit.

gerbil 216 Industrious Poster

"I imagine malware has altered file association entries in your registry, and the solution to that is here: http://www.dougknox.com/xp/file_assoc.htm "
It is Explorer which is having trouble with file extensions. Explorer is a shell inside which you play. The cmd window is another shell, it has no such trouble with file extensions.
Ctrl-Shift-Esc opens a TM window.
In TM, going File, then Ctrl-lclick NewTask opens a cmd window.
Inside that window you can run .exes.. eg regedit.

gerbil 216 Industrious Poster

" Obviously i have some sort of virus that caused all of this."
"I was able to boot from my xp disc and repair it. I am currently midway through the repairing...."
A decent rule for using an OS is to not try to install software while it is infected. The previous poster was short on detail, he wanted you to open the Recovery Console which is presented as an option around about where you elected to go with a Repair Installation. But this is not a problem chkdsk can fix.... I imagine malware has altered file association entries in your registry, and the solution to that is here: http://www.dougknox.com/xp/file_assoc.htm
Continuing with the Repair will blast your OS back to the stoneage, you lose all your settings, may need to reinstall software, you will need to dl and install ALL updates, Security and otherwise.
If indeed you do have malware then the problem will reoccur, a Repair will not interfere with it at all. Cancel out of the Repair and use the fixes in that link, then run MBAM:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found …

gerbil 216 Industrious Poster

I could have added... Sality incorporates a blocklist - any file or site mentioned in that list will not run or load. That would be why you experience problems with some sites. I don't know what is currently on that list but I would make a bet that the writers have included SalityKiller etc.
It is memory-resident, and so will choose whether to infect any executable that is run, or any html, and furthermore it writes into registry an entry that causes its driver to be loaded in safe mode.