Solved

security center issue

Posted on 2008-06-13
Last Modified: 2011-10-19
Upon booting up, get the error message userinit failed to load..... Have no task bar or Start menu. Also Windows Security Center gives the error message "rundll32.exe application error".
Question by:DRAHannah
20 Comments
 
LVL 1

Expert Comment

by:Sureshbharathy
Click Start, click Run, type eventvwr.msc in the Open box, and then press Enter.
Click the Application category.

Look for recent errors > double-click on them > another window will open > on the right side use the double notepad icon to copy the error, then paste it here.
0
 

Author Comment

by:DRAHannah
Event Type:      Warning
Event Source:      WinDefend
Event Category:      None
Event ID:      3004
Date:            14/06/2008
Time:            10:42:05 AM
User:            N/A
Computer:      DEANO
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
       Scan ID: {C56E8616-B8C2-4611-8D2C-04ED1CB08230}
       User: DEANO\Default
       Name: Unknown
       ID:
       Severity: Not Yet Classified
       Category: Not Yet Classified
       Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{047B6F67-A3D4-4245-BE45-F409B0B76F09};regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{047B6F67-A3D4-4245-BE45-F409B0B76F09};regkey:HKLM\SOFTWARE\CLASSES\CLSID\{047B6F67-A3D4-4245-BE45-F409B0B76F09};bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{047B6F67-A3D4-4245-BE45-F409B0B76F09};file:C:\WINDOWS\system32\bpevupov.dll
       Alert Type: Unclassified software
       Detection Type:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:DRAHannah
Here is an entry from the Event Viewer......... Also there is a virus trojan preventing me from turning automatic updates on; it has disabled the automatic services update tab..... In the window I have noted this (path to executable)
C:\WINDOWS\system32\svchost.exe -k netsvcs
0
 
LVL 32

Expert Comment

by:r-k
(1) Download Autoruns from: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then copy and paste it here.

0
 

Author Comment

by:DRAHannah
OK, here is the Autoruns text file.... Also Windows OneCare is frequently finding this trojan when I use the internet
0
 

Author Comment

by:DRAHannah
the trojan is
AutoRunsDrahannah.txt
0
 

Author Comment

by:DRAHannah
win32/boaxxe.b
0
 
LVL 32

Expert Comment

by:r-k
OK, The following are the Autoruns entries that are causing your problems:

+ {047B6F67-A3D4-4245-BE45-F409B0B76F09}                  c:\windows\system32\bpevupov.dll
+ {752F6141-87AF-4A97-B34B-22475F519348}                  File not found: C:\WINDOWS\system32\iifddcYR.dll

+ C:\WINDOWS\system32\iifddcYR                  File not found: C:\WINDOWS\system32\iifddcYR

Run Autoruns again as before and un-check these three entries. Then exit Autoruns and restart your computer. Run Autoruns again as before and make sure these entries are still un-checked. If they are then hopefully the symptoms will be cleared up. Do post back in any case.
0
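Added example (not part of the original thread, and not r-k's stated method): a Python script that cross-references the `Path Found` value of the WinDefend event 3004 posted earlier with the Autoruns lines quoted in the comment above, flagging entries the event names or whose image Autoruns reports as "File not found". The two flagging rules and the `ExampleUpdater` line are assumptions made for the illustration.

```python
import re
# "Path Found" value copied from the WinDefend event 3004 quoted in this thread.
PATH_FOUND = (
    r"clsid:HKLM\SOFTWARE\CLASSES\CLSID\{047B6F67-A3D4-4245-BE45-F409B0B76F09};"
    r"regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{047B6F67-A3D4-4245-BE45-F409B0B76F09};"
    r"regkey:HKLM\SOFTWARE\CLASSES\CLSID\{047B6F67-A3D4-4245-BE45-F409B0B76F09};"
    r"bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{047B6F67-A3D4-4245-BE45-F409B0B76F09};"
    r"file:C:\WINDOWS\system32\bpevupov.dll"
)
# Autoruns lines as quoted in the thread; the last line is constructed (benign).
AUTORUNS = r"""
+ {047B6F67-A3D4-4245-BE45-F409B0B76F09}                  c:\windows\system32\bpevupov.dll
+ {752F6141-87AF-4A97-B34B-22475F519348}                  File not found: C:\WINDOWS\system32\iifddcYR.dll
+ C:\WINDOWS\system32\iifddcYR                  File not found: C:\WINDOWS\system32\iifddcYR
+ ExampleUpdater                  c:\program files\example\updater.exe
"""
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_path_found(value):
    """Split a Defender 'Path Found' value into (kind, location) pairs."""
    pairs = (part.strip().partition(":") for part in value.split(";"))
    return [(kind.lower(), loc) for kind, _, loc in pairs if kind and loc]

def defender_indicators(value):
    """Collect the lower-cased CLSIDs and file paths named in the event."""
    guids, files = set(), set()
    for kind, loc in parse_path_found(value):
        guids.update(g.lower() for g in GUID.findall(loc))
        if kind == "file":
            files.add(loc.lower())
    return guids, files

def triage_autoruns(text, guids, files):
    """Return (entry, image, reasons) for each Autoruns line worth reviewing."""
    flagged = []
    for m in re.finditer(r"^[ \t]*\+[ \t]+(.+?)[ \t]{2,}(.+?)[ \t]*$", text, re.M):
        entry, image = m.group(1), m.group(2)
        reasons = []
        if entry.lower() in guids or image.lower() in files:
            reasons.append("named in Defender event")
        if image.lower().startswith("file not found"):
            reasons.append("image missing on disk")
        if reasons:
            flagged.append((entry, image, reasons))
    return flagged

if __name__ == "__main__":
    for entry, image, reasons in triage_autoruns(AUTORUNS, *defender_indicators(PATH_FOUND)):
        print(f"{entry}  ->  {image}  [{', '.join(reasons)}]")
```

An entry that Autoruns lists as "File not found" is a dangling autostart reference, not proof of infection on its own; it is worth reviewing alongside the entries the Defender event names.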
 

Author Comment

by:DRAHannah
Thanks very much. I have unchecked these and they have stayed unchecked. The trojan hasn't popped back up again YET tonight! Do we delete these unchecked files or do we leave them there??
drahannah-AutoRuns2.txt
0
 
LVL 32

Accepted Solution

by:
r-k earned 250 total points
Glad to hear that. If things stay OK I recommend deleting those files (some may be missing already). It's not essential.
0

 

Author Closing Comment

by:DRAHannah
Awesome, thanks for the fix......
0
 
LVL 32

Expert Comment

by:r-k
Thanks and good luck :)
0
 

Author Comment

by:DRAHannah
Spoke too soon; it seems that I now have a JPEG virus? Trojan. Every JPEG I have won't open; I get "Windows can't access the specified file....you don't have the correct permissions"...etc. I have attached another Autoruns below. I noticed in the Properties tab that the folder has the read-only tab checked despite me unchecking and applying to the folder. Is this the W32/Perrun-A virus?
AutoRuns180608.txt
0
 
LVL 32

Expert Comment

by:r-k
I notice the following bad entries in the new log:

+ {047B6F67-A3D4-4245-BE45-F409B0B76F09}                  c:\windows\system32\bpevupov.dll
+ {752F6141-87AF-4A97-B34B-22475F519348}                  File not found: C:\WINDOWS\system32\iifddcYR.dll

I thought these are ones you disabled before. Can you run Autoruns again, disable them, then reboot and make sure they really stay disabled? Thanks.
0
 

Author Comment

by:DRAHannah
These 2 entries were unchecked......here is the next scan, thanks.
190608AutoRuns.txt
0
 
LVL 32

Expert Comment

by:r-k
That pesky dll is still there. Locate c:\windows\system32\bpevupov.dll with Windows Explorer, then try the following:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot (into normal mode)

After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone.

0
 

Author Comment

by:DRAHannah
Hey, I am running XP Pro but there is no Security tab; can I locate it and delete it; should I do it in safe mode?
0
 

Author Comment

by:DRAHannah
Sorry about the list....my 4GB flash drive has this worm:win32/hamweq!inf infecting the autorun.inf
Even though Windows Live Care picks it up, is it really gone when Windows Live Care "removes" it?
0
 
LVL 32

Expert Comment

by:r-k
"..Hey, I am running XP Pro but there is no Security tab; can I locate it and delete it; should I do it in safe mode?"

If you have XP Pro, then disable "Simple File Sharing" to get the Security tab back.

In Win Explorer (or My Computer), select Tools -> Folder Options.
Click on the View tab
Scroll down and un-check the "Use Simple File sharing.." checkbox.

After that you should be able to use my tip above on disabling the file by changing permissions.

Deleting the file will either not work because it is "in use", or it will come back even if you delete it.
0
 
LVL 32

Expert Comment

by:r-k
"..my 4gb flash drive has this worm:win32/hamweq!inf infecting the autorun.inf "

First, I would disable autoplay to prevent the USB drive infecting your computer in the future:

 http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/
 http://www.etalkindia.com/computer_it_tutorials_articles/tiphow_to_disable_usb_cd_dvd_autoplay_autorun_in_windows_xp-t2046.0.html

Next, scan your USB drive with your AV software and see if the virus is detected and cleaned up.
Even if it is, reboot and repeat the scan to be sure it is not detected again.

You may wish to post the question about the USB infection as a new question. That way more people will get to see it and you may get a better answer.

0
