TechSpot

Wingding fonts and random reboots

By ericcothran
Oct 18, 2009
  1. All my system fonts are in wingding or something similar. Before I would get random reboots and blue screens Stop: c000021a {Fatal System Error} The Windows logon process system process terminated unexpectedly with the status of 0xc0000005 (0x00000000 0x00000000)
    the system has been shutdown. Any ideas from the logs?
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Re-Install your Windows disk in R for repair mode, not R for Repair Console, and you will likely clear up the problem
    Be sure to back up your data.
     
  3. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    will that fix the rebooting and blue screen error as well?
     
  4. raybay

    raybay TS Evangelist Posts: 7,241   +9

    It should. It may not. It is the first step, in my opinion, in returning the system to normal. Installing Windows in repair mode, repairs all the basic problems in windows. It does NOT do everything. For instance, it will wipe out any added service packs and Windows updates, but that is a good thing when your system is in need of rehabilitation.
    If it doesn't work, that tells you a lot, as well.
     
  5. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    ok, I'l try that soon as i get home from the hospital in the next few days. Any other tips strategies I can do after that? I got a day or 2 before I can get to it, so I'd like to have my gameplan layed out.
     
  6. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    HI ericcothran

    Before you do anything i'd strongly advise you first wait for the opinion from one of the malware experts.

    Raybay is not a malware expert. (nor am I, which is why i didn't try advising you in the first place)... but i will tell you I see what i believe are suspicous entries in your logfiles. So... best not to do anything yet.

    There's a shortage of malware helpers at the moment and since all advice here is done on a volunteer basis, responses tend to be slower on the weekends. But i'll try to steer someone your way to have a look.

    Just one example from your logs
    Code:
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vckwxkrh
    vckwxkrh is not a name of any valid program i know of.. but IMHO it's the type of name a malware infection would create!
     
  7. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    thanks, i'll keep an eye out.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Eric I have looked at the logs. You have malware and I will help you to clean up the system.

    You told us you cannot do anything for a couple of days, but you started 4 different thread, one asking why no one has helped you yet.

    When you get home from the hospital, please rescan with all three programs. Update Malwarebytes and Superantispyware first. Then ATTACH those 2 logs.

    Rescan with HijackThis and PASTE in the new log.

    All of this goes into this thread in your next reply. We will go from there. Do not bump a thread for attention. I have asked the moderator to remove the other threads.
     
  9. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    You'll keep an eye out??? Hey, that's my avatar! :rolleyes:
     
  10. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    I can't make out avast enough to run it cause of the fonts, here is what i have so far:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/19/2009 at 07:53 PM

    Application Version : 4.29.1004

    Core Rules Database Version : 4175
    Trace Rules Database Version: 2094

    Scan type : Quick Scan
    Total Scan Time : 00:20:06

    Memory items scanned : 425
    Memory threats detected : 0
    Registry items scanned : 413
    Registry threats detected : 0
    File items scanned : 5002
    File threats detected : 0


    Malwarebytes' Anti-Malware 1.41
    Database version: 2991
    Windows 5.1.2600 Service Pack 3

    10/19/2009 8:11:17 PM
    mbam-log-2009-10-19 (20-11-17).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 180049
    Time elapsed: 38 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:12:48 PM, on 10/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\explorer.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\ups.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is only a part of the HijackThis log. The remainder should start with the R0 or R1 entries
     
  12. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    Scan saved at 12:21:42 AM, on 10/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\ups.exe
    c:\windows\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: Shell=c:\windows\explorer.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {a58f570a-7866-e761-2cc7-c579e810c56c} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User 'Default user')
    O4 - Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232650802875
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5573 bytes
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks Eric. I've asked for a consult on one of the HJT entries- will be back.
     
  14. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    Last time I got on it mozzila would not even open, it would be an immediate crash. I also would like to apologize for the multiple threads, my wife has been diagnosed with breast cancer and she had surgery this past weekend, I've been on the edge here lately (a 2month old and 2year old don't make it better). I was sitting in the hospital and going crazy. I'll keep checking back for an update on directions and thanks for looking into it.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Eric, please accept my apology. Sometimes our own frustrations come out at the wrong time. I wish the best for your wife. My daughter went through that so I know the extra weight that the family members must carry. The two little ones will run you ragged but are probably enjoying having you to themselves.

    I'll be back later this afternoon for the logs and hopefully with answer to my consult.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, Eric, let's do this:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

    If you are unable to run the activeX Antivirus Scanners, lets try this Java based solution from Trend Micro.

    Attach Kaspersky log.

    Rescan with HijackThis and paste log in next reply.
     
  17. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    Kaspersky OnLine Scan wasn't available, but I did a full scan with housecall from Trend Micro and found nothing. My fonts are back to normal now, so thats good. Here is my latest HJT file let me know if anything suspect is still on it.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, looks good. you may never know where the Wingdings came from- sometime it only takes a rboot to solve the wacky ptoblerms. If you are not ahveing any other problems, you can remove the cleaning tools:

    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    If you are prompted to Reboot during the cleanup, select Yes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    Use a good, bi-directional firewall(one software firewall)
    Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar Get the free google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know. I wish the best for your wife.
     
  19. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    I think I know what did the fonts.i tried out ccleaner again and noticed alot of fonts i it to be cleaned, don'tknow why. I saved the registry files and restored them afterI noticed it did it again. So far I dont have anymore random reboots and those tools and you have been very helpful, I thank you. Also, we heard from my wife's Dr. and they believe they got al the cancer on her surgery so things are going our way for once. I'll probably just keep those programs and run them every so often, except for ccleaner, lol. Again thank you and God bless
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That is good news! I wish her good health in the future.

    You might want to remove the cleaning tools for now- the removal includes the logs they have made. Then occasionally, you could download an run one. If you keep the basic security> one antivirus, one firewall and two or more spyware/adware programs on the system, you shouldn't need the 'heavier' cleaning programs.

    By the way, I forgot to tell you to Empty the Recycle Bin
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...