Made it to Step 8 - need expertise

Status
Not open for further replies.

RXILAND

After my son opened an attachment "is this a picture of you", my PC (Windows XP Home) began doing strange things:
- hourglass attached to mouse and wouldn't go away as though something unable to load in background (still doing this)
- system started to get very slow
- when I went to log into my account I would be booted out with the message "Page_fault_in_nonpaged_area" and would have to reboot

I have no clue what virus this is, although I did notice some file names during the scans such as zlob.downloader and virtumundo... I have attached the logs as per the removal instructions but have no clue what to do next.

- My updated McAfee scan also detected some "Cutwail" files, which are now quarantined.

I would sincerely appreciate any sound advice
 
From a malware point of view, your logs are clean. If McAfee has quarantined all processes for Cutwail, they are now out of your system and can be deleted.

I did notice some file names during the scans such as zlob.downloader and virtumundo.
Scan will show what process they are checking for, usually at lower left of screen. That does not mean that you have the infection. It's part of the program's database.

You are slow because you have too many programs and processes starting at boot. This makes the startup slower, and the surfing slower, because everything that starts on boot runs in the background. It will also make shutdown slower because each of those programs and processes has to close.

You have control over this by unchecking everything on the Startup menu except the antivirus program, firewall, and touchpad if on a laptop. Everything else can be started manually when needed:
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK all but the processes mentioned above> Apply> OK> Reboot

NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup to retain the changes.

To check for the source of the error:
Start> Run> cmd> type in eventvwr
Do this on each of the System and Application logs:
1. Click to open the log>
2. Look for the Error that corresponds to the time of the message>
3. Right-click on the Error> Properties>
4. Click on Copy button, top right, below the down arrow
5. Paste here (Ctrl V)
Please ignore Warnings. Don't paste the entire log.
 
System and Application logs

Bobbye;
I thank you for your response! I am posting the errors around the time of being booted out of my computer as suggested:

APPLICATION ERRORS
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/2/2008
Time: 4:08:59 PM
User: N/A
Computer: DF37SC61
Description:
Faulting application dlbtbmon.exe, version 1.0.5.0, faulting module hid.dll, version 5.1.2600.5512, fault address 0x00001ab4.

Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 64 6c 62 ure dlb
0018: 74 62 6d 6f 6e 2e 65 78 tbmon.ex
0020: 65 20 31 2e 30 2e 35 2e e 1.0.5.
0028: 30 20 69 6e 20 68 69 64 0 in hid
0030: 2e 64 6c 6c 20 35 2e 31 .dll 5.1
0038: 2e 32 36 30 30 2e 35 35 .2600.55
0040: 31 32 20 61 74 20 6f 66 12 at of
0048: 66 73 65 74 20 30 30 30 fset 000
0050: 30 31 61 62 34 0d 0a 01ab4..


Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11706
Date: 12/2/2008
Time: 4:18:11 PM
User: DF37SC61\Shonna
Computer: DF37SC61
Description:
Product: Microsoft Office 2000 SR-1 Standard -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Standard. The Windows installer cannot continue.

For more information, see Help and Support Center go.microsoft.com/fwlink/events
Data:
0000: 7b 30 30 30 32 30 34 30 {0002040
0008: 39 2d 37 38 45 31 2d 31 9-78E1-1
0010: 31 44 32 2d 42 36 30 46 1D2-B60F
0018: 2d 30 30 36 30 39 37 43 -006097C
0020: 39 39 38 45 37 7d 998E7}


Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 12/2/2008
Time: 8:09:29 PM
User: N/A
Computer: DF37SC61
Description:
Failed auto update retrieval of third-party root list sequence number from: download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved


For more information, see Help and Support Center go.microsoft.com/fwlink/events.asp

SYSTEM ERRORS:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/2/2008
Time: 8:09:39 PM
User: NT AUTHORITY\SYSTEM
Computer: DF37SC61
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 12/2/2008
Time: 8:10:26 PM
User: N/A
Computer: DF37SC61
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
A device attached to the system is not functioning.


Event Type: Error
Event Source: Dhcp
Event Category: None
Event ID: 1002
Date: 12/2/2008
Time: 8:18:32 PM
User: N/A
Computer: DF37SC61
Description:
The IP address lease 192.168.100.11 for the Network Card with network address 000F9F274409 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).


Naturally there are multiple errors from the 2nd onward but these are the repetitive errors.
Your knowledge is most sincerely appreciated!
Shonna
 
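For anyone who wants to work through pastes like the one above rather than read them by eye, here is an added example that is not from this thread or from any tool mentioned in it: a Python parser for the Event Viewer "Copy" layout that pulls out the header fields, joins the Description, and decodes the hex Data column, using the ASCII column to tell hex bytes apart from text like "12 at of". The sample records are constructed, cut down from the ones pasted above.

```python
import re

# Constructed sample in the XP Event Viewer "Copy" layout, cut down from this thread's records.
SAMPLE = """Event Type: Error
Event Source: Application Error
Event ID: 1000
Description:
Faulting application dlbtbmon.exe, version 1.0.5.0, faulting module hid.dll, version 5.1.2600.5512, fault address 0x00001ab4.
Data:
0040: 31 32 20 61 74 20 6f 66 12 at of
0048: 30 31 61 62 34 0d 0a 01ab4..

Event Type: Error
Event Source: Service Control Manager
Event ID: 7001
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
A device attached to the system is not functioning.
"""

def decode_dump_line(line):
    # Decode one "OFFS: xx .. ASCII" line; the ASCII column tells hex pairs from text like "12 at of".
    toks = line.split()[1:]                        # drop the offset column
    for n in range(min(8, len(toks)), 0, -1):      # longest consistent prefix wins
        if not all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in toks[:n]):
            continue
        raw = bytes.fromhex("".join(toks[:n]))
        shown = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
        if shown.split() == toks[n:]:
            return raw
    return b""

def parse_events(text):
    # Split a paste that begins with "Event Type:" into dicts holding the header
    # fields, the Description joined to one string and the Data dump as bytes.
    events, mode = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            events.append({"Description": "", "Data": b""})
            mode = "header"
        if line.strip() in ("Description:", "Data:"):
            mode = line.strip()[:-1]
        elif mode == "header" and ":" in line:
            key, val = line.split(":", 1)
            events[-1][key.strip()] = val.strip()
        elif mode == "Description" and line.strip():
            events[-1]["Description"] = (events[-1]["Description"] + " " + line.strip()).strip()
        elif mode == "Data" and re.match(r"[0-9a-fA-F]{4}:", line):
            events[-1]["Data"] += decode_dump_line(line)
    return events
```

Running `parse_events(SAMPLE)` gives two records; the first carries the decoded Data bytes, the second has its two Description lines joined into one string.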
Nice job. Here's the breakdown:
1. App Error: 1000> Faulting application dlbtbmon.exe, version 1.0.5.0, faulting module hid.dll Date: 12/2/2008 Time: 4:08:59 PM
dlbtbmon.exe is a process bundled with Dell AIO Printers and adds extra diagnostics functionality
hid.dll is a library file for the USB interface HID, which processes user interface devices.

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
Take the printer off of the Startup menu. That should stop this error:
Start> Run> msconfig> Selective Startup> Startup tab> UNCHECK all Dell printer related processes> Apply> OK
2. 11706, MsiInstaller> No valid source could be found for product Date: 12/2/2008 Time: 4:18:11 PM
Product: Microsoft Office 2000 SR-1 Standard -- Error 1706.

Logon as an Administrator, uninstall Office, and using the customized setup, reinstall the components required with the drop-down list set to "Run all from My Computer" rather than the default of "Run from My Computer". When installation is complete, go into every possible Office component from the Start button to ensure that it does not prompt for the Microsoft Office media.

If you do not wish to uninstall Microsoft Office then a partial fix is as follows. Logon to each user account that has this problem in turn, and run the registry fix from>>
Windows Installer starts unexpectedly in an Office 2000 program on Windows NT 4.0, Terminal Server Edition, or on Windows 2000 Server with Terminal Services enabled
http://support.microsoft.com/default.aspx?scid=kb;en-us;274473
3. Event 8, Source crypt32 Date: 12/2/2008 Time: 8:09:29 PM
Install Root Certificates Update (rootsupd.exe) from Microsoft.
This is an OPTIONAL update.
4. Event Source: DCOM Date: 12/2/2008 Time: 8:09:39 PM
Event Category: None
Event ID: 10005
No error - it doesn't start in Safe Mode along with other processes.
5. 7001, Service Control Manager, Date: 12/2/2008 Time: 8:10:26 PM
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
A device attached to the system is not functioning.
The service needs some hardware to be present in order to run

If NetBIOS over Transmission Control Protocol/Internet Protocol (TCP/IP) is disabled, this error will occur.
To correct the problem: Backup the Registry before the regedit,
1. Open Device Manager and check Show hidden devices on the View menu.
2. Double-click Non-Plug and Play Drivers and NetBIOS over Tcpip.
3. Select Use this device (enable).
4. Use Regedt32 to navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon.
5. Double-click DependOnService.
6. Click in the MULTI-STRING Editor to de-select the entries.
7. If LanmanServer is NOT listed, add LanmanServer as a new line.
8. Exit Regedt32.
9. Shutdown and Restart your computer.

http://windowsitpro.com/article/art...ent-7001-or-7003-in-the-system-event-log.html

See next post for last Event.
 
6. Event Source: DHCP, Event ID: 1002 Date: 12/2/2008 Time: 8:18:32 PM

The IP address lease 192.168.100.11 for the Network Card with network address 000F9F274409 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).

This usually resolves after DHCPNACK is sent and rec'd. If not, see below:

This behavior can occur because the DHCP server service is not bound to a statically-configured Transmission Control Protocol/Internet Protocol (TCP/IP) adapter, which is usually the internal adapter.

NOTE: If the network cable is not attached to the network, Windows will not allow any service to bind to TCP/IP.

To resolve this behavior, configure the bindings for the DHCP Server service:

1. Click Start, point to Programs, click Administrative Tools, and then click DHCP.
2. In the DHCP Console, right-click the server object, and then click Properties.
3. Click the Advanced tab, and then click Bindings.
4. Under Connections and Server Bindings, enable the user interface that is to be used to service DHCP client requests.
5. Click OK, click OK, and then close the DHCP Console.
6. Click Start, point to Programs, click Administrative Tools, and then click Services.
7. Locate and restart the DHCP server service.

http://support.microsoft.com/default.aspx?scid=kb;en-us;298490
 