[dansersdeeds]

Today, 12:34 PM Post #1


New TEG Forum Member


Group: Members
Posts: 1
Joined: Today, 12:15 PM
Member No.: 21,496

I just started having this problem after my monitor freaked out on me day before yesterday. Now, everytime my PC is restarted, it shows this error window:
"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown initiated by NT Authority\System."
and also says below:
"Windows must now restart because the DCOM Server Process Launcher Service terminated unexpectedly."

Then the PC restarts itself and brings up same window.

I have AVG which has found nothing. I've done all kinds of checks, scans, etc. with Ad-Aware, Panda, SpyBot, etc. I've made a listing with HiJackThis but don't know exactly how to read it.
I did a recovery back to Wednesday which didn't fix it.
Is there anyone who really knows what's going on with this? What is causing this and my PC to keep reastarting. I've found the command that will stop the restarting..."shutdown -a". It works but this doesn't fix the DCOM problem.
I went in and found the DCOM in Admin. Tools. It was set to Automatic. I clicked on the Start...not knowing what it does.
Please, I'm looking/needing the correct answer to why this happened and how to fix this right. Thank you.

Here is my HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:13:08 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay12...es/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162315930953
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157504859171
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autode...l/SysVerChk.ocx
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect2.pb.com/dana-cached/setup/J...perSetupSP1.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[quietman7]

Download and scan with MS Malicious Software Removal Tool.
click on the link "Skip the details and download the tool"

Please download AVG Anti-Rootkit and save to your desktop

• Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
  
• Accept the license and follow the prompts to install.
  
• You will be asked to reboot to finish the installation so click "Finish".
  
• After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  
• You will see a window with four buttons at the bottom.
  
• Click "Search For Rootkits" and the scan will begin.
  
• You will see the progress bar moving from left to right. The scan will take some so be patient and let it finish.
  
• When the scan has finished, a small window will open so you can view the results.
  
• Right click and select "Save Result To File".
  
• By default the file will be saved with a .csv extension. (You can use notepad to open the .cvs file)
  
• Copy and paste the results in your next reply.
  
• If anything was found, click "Remove selected items"
  
• If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

Please download rootchk.exe and save to your desktop

• Temporarily disable any real-time monitoring programs <- click on this link for a list and see the Note below).
  
• Disconnect from the Internet.
  
• Double-click on rootchk.exe to run the program.
  
• A command prompt window will open as the scan begins and then close.
  
• When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
  
• Copy and paste the contents of the log into your next reply.

Note: To avoid false positives, it is important that you disable ZoneAlarm Pro firewall or any other security program that protects your registry (Teatimer, Adwatch, Prevx, etc) before running a rootchk scan.

Reports/logs to post in your next reply:
* AVG Anti-Rootkit log
* rootlog.txt
* A fresh HijackThis log

[dansersdeeds]

I appreciate you writing back. I did do the Malicious Software thing too. I forgot to list it. It found nothing, but I will do it again...as I"ve been fighting this all day. I actually went in, found the settings for the DCOM, as the one person suggested, and turned it off (telling it to do no action)...hoping it won't hurt anything for the time being. I am burned out for today, but will try to do the others you suggested. Thank you.

quietman, on Jun 2 2007, 04:54 PM, said:

Download and scan with MS Malicious Software Removal Tool.
click on the link "Skip the details and download the tool"

Please download AVG Anti-Rootkit and save to your desktop

• Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
  
• Accept the license and follow the prompts to install.
  
• You will be asked to reboot to finish the installation so click "Finish".
  
• After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  
• You will see a window with four buttons at the bottom.
  
• Click "Search For Rootkits" and the scan will begin.
  
• You will see the progress bar moving from left to right. The scan will take some so be patient and let it finish.
  
• When the scan has finished, a small window will open so you can view the results.
  
• Right click and select "Save Result To File".
  
• By default the file will be saved with a .csv extension. (You can use notepad to open the .cvs file)
  
• Copy and paste the results in your next reply.
  
• If anything was found, click "Remove selected items"
  
• If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

Please download rootchk.exe and save to your desktop

• Temporarily disable any real-time monitoring programs <- click on this link for a list and see the Note below).
  
• Disconnect from the Internet.
  
• Double-click on rootchk.exe to run the program.
  
• A command prompt window will open as the scan begins and then close.
  
• When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
  
• Copy and paste the contents of the log into your next reply.

Note: To avoid false positives, it is important that you disable ZoneAlarm Pro firewall or any other security program that protects your registry (Teatimer, Adwatch, Prevx, etc) before running a rootchk scan.

Reports/logs to post in your next reply:
* AVG Anti-Rootkit log
* rootlog.txt
* A fresh HijackThis log

[quietman7]

Ok. When doing a search on the net for your particular problem, you will find this is a common complaint with various causes and possible solutions. What works for one person may not work for another. However, Some rootkits have been found to be accompanied by BSOD's and various stop error/shutdown messages so we need to check for this before going further.

[dansersdeeds]

quietman, on Jun 3 2007, 10:34 AM, said:

Ok. When doing a search on the net for your particular problem, you will find this is a common complaint with various causes and possible solutions. What works for one person may not work for another. However, Some rootkits have been found to be accompanied by BSOD's and various stop error/shutdown messages so we need to check for this before going further.

Hello, yes, you are right with the searching part, on the Internet, it's been very frustrating and exhausting...being very concerned about finding the RIGHT fix...not causing more problems. At this point, I did find the suggestion of having it take no action. PC's behaving fairly normal, a little slow in clicking on some things. BUT, yes, what works for one may not work for another. I have seen this. I am not familiar with this rootkit. Will you, please, explain more about it? What is BSOD? I haven't heard that acronym before. Need to check for this? before we go further?

[YLstang]

Blue Screen of Death

[quietman7]

See Blue Screen Of Death (BSOD) for more info. Rootkits can cause BSODs/stop errors/shutdowns because Windows treats them as drivers.

The article "Rootkits and how to combat them" will give you some basic info on what they are.

[dansersdeeds]

quietman, on Jun 4 2007, 05:15 AM, said:

See Blue Screen Of Death (BSOD) for more info. Rootkits can cause BSODs/stop errors/shutdowns because Windows treats them as drivers.

The article "Rootkits and how to combat them" will give you some basic info on what they are.

I knew that, lol, DUH, sorry...hadn't seen it put that way. I have not been dealing with any BSOD.

[quietman7]

Since your dealing with the system is shutting down...shutdown initiated by NT Authority\System we need to see if a rootkit may be responsible. I have dealt with some rootkits (Rustock) that will cause this although it was related to services.exe and not Dcom. A rootkit may not be a factor in your case but we need to eliminate that as a possible cause.