Solved

security center issue

Posted on 2008-06-13
Last Modified: 2011-10-19
Upon booting up I get the error message userinit failed to load..... I have no task bar or start menu. Also, Windows Security Center gives the error message "rundll32.exe application error".
Question by:DRAHannah
20 Comments
 
LVL 1

Expert Comment

by:Sureshbharathy
ID: 21783841
Click Start, click Run, type eventvwr.msc in the Open box, and then press Enter.
Click the Application category.

Look for recent errors > double-click on them > another window will open > on the right side use the double-notepad icon to copy the error, then paste it here.
0
 

Author Comment

by:DRAHannah
ID: 21783927
Event Type:      Warning
Event Source:      WinDefend
Event Category:      None
Event ID:      3004
Date:            14/06/2008
Time:            10:42:05 AM
User:            N/A
Computer:      DEANO
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
       Scan ID: {C56E8616-B8C2-4611-8D2C-04ED1CB08230}
       User: DEANO\Default
       Name: Unknown
       ID:
       Severity: Not Yet Classified
       Category: Not Yet Classified
       Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{047B6F67-A3D4-4245-BE45-F409B0B76F09};regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{047B6F67-A3D4-4245-BE45-F409B0B76F09};regkey:HKLM\SOFTWARE\CLASSES\CLSID\{047B6F67-A3D4-4245-BE45-F409B0B76F09};bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{047B6F67-A3D4-4245-BE45-F409B0B76F09};file:C:\WINDOWS\system32\bpevupov.dll
       Alert Type: Unclassified software
       Detection Type:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:DRAHannah
ID: 21783961
Here is an entry from the event viewer......... Also, there is a virus trojan preventing me from turning automatic updates on; it has disabled the automatic services update tab..... In the window I have noted this (path to executable):
C:\WINDOWS\system32\svchost.exe -k netsvcs
0
LVL 32

Expert Comment

by:r-k
ID: 21785482
(1) Download Autoruns from: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then copy and paste it here.

0
 

Author Comment

by:DRAHannah
ID: 21788559
OK, here is the Autoruns text file.... Also, Windows One Care is frequently finding this trojan when I use the internet.
0
 

Author Comment

by:DRAHannah
ID: 21788563
the trojan is
AutoRunsDrahannah.txt
0
 

Author Comment

by:DRAHannah
ID: 21788571
win32/boaxxe.b
0
 
LVL 32

Expert Comment

by:r-k
ID: 21788868
OK, The following are the Autoruns entries that are causing your problems:

+ {047B6F67-A3D4-4245-BE45-F409B0B76F09}                  c:\windows\system32\bpevupov.dll
+ {752F6141-87AF-4A97-B34B-22475F519348}                  File not found: C:\WINDOWS\system32\iifddcYR.dll

+ C:\WINDOWS\system32\iifddcYR                  File not found: C:\WINDOWS\system32\iifddcYR

Run Autoruns again as before and un-check these three entries. Then exit Autoruns and restart your computer. Run Autoruns again as before and make sure these entries are still un-checked. If they are then hopefully the symptoms will be cleared up. Do post back in any case.
0
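An added example, not part of r-k's post or of Autoruns itself: a Python script that splits the `Path Found` field of the WinDefend event posted earlier in this thread into its typed parts and checks the Autoruns lines quoted above against it. The `ExampleToolbar` line is constructed, and the function names are hypothetical.

```python
import re

G = "{047B6F67-A3D4-4245-BE45-F409B0B76F09}"
CLS = r"HKLM\SOFTWARE\CLASSES\CLSID" + "\\" + G
BHO = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer"
       r"\Browser Helper Objects" + "\\" + G)
# "Path Found" value as it appears in the WinDefend event 3004 in this thread.
PATH_FOUND = (f"clsid:{CLS};regkey:{BHO};regkey:{CLS};bho:{BHO};"
              + r"file:C:\WINDOWS\system32\bpevupov.dll")
# Autoruns lines as quoted in the thread; the ExampleToolbar line is constructed.
AUTORUNS = r"""
+ {047B6F67-A3D4-4245-BE45-F409B0B76F09}                  c:\windows\system32\bpevupov.dll
+ {752F6141-87AF-4A97-B34B-22475F519348}                  File not found: C:\WINDOWS\system32\iifddcYR.dll
+ C:\WINDOWS\system32\iifddcYR                  File not found: C:\WINDOWS\system32\iifddcYR
+ ExampleToolbar                  c:\program files\example\toolbar.dll
"""
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^\+\s+(.+?)\s{2,}(File not found:\s*)?(.+?)\s*$")

def parse_path_found(value):
    """Split the ';'-separated field into {kind: set of targets}."""
    out = {}
    for part in filter(None, value.split(";")):
        kind, _, target = part.partition(":")  # first colon only, e.g. file:C:...
        out.setdefault(kind.strip().lower(), set()).add(target.strip())
    return out

def parse_autoruns(text):
    """Return (name, image_path, missing) for each '+ name   path' line."""
    hits = filter(None, map(LINE_RE.match, text.splitlines()))
    return [(m.group(1), m.group(3), bool(m.group(2))) for m in hits]

def triage(path_found, autoruns_text):
    """List Autoruns entries Defender flagged or whose image is missing."""
    flagged = parse_path_found(path_found)
    guids = {g.upper() for ts in flagged.values() for t in ts for g in GUID_RE.findall(t)}
    files = {f.lower() for f in flagged.get("file", ())}
    report = []
    for name, image, missing in parse_autoruns(autoruns_text):
        checks = [(name.upper() in guids, "CLSID flagged by Defender"),
                  (image.lower() in files, "file flagged by Defender"),
                  (missing, "image missing on disk")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            report.append((name, image, reasons))
    return report

for row in triage(PATH_FOUND, AUTORUNS):
    print(row)
```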
 

Author Comment

by:DRAHannah
ID: 21792537
Thanks very much. I have unchecked these and they have stayed unchecked. The trojan hasn't popped back up again YET tonight! Do we delete these unchecked files or do we leave them there??
drahannah-AutoRuns2.txt
0
 
LVL 32

Accepted Solution

by:
r-k earned 250 total points
ID: 21793468
Glad to hear that. If things stay OK I recommend deleting those files (some may be missing already). It's not essential.
0
 

Author Closing Comment

by:DRAHannah
ID: 31467127
Awesome, thanks for the fix......
0
 
LVL 32

Expert Comment

by:r-k
ID: 21805250
Thanks and good luck :)
0
 

Author Comment

by:DRAHannah
ID: 21812605
Spoke too soon; it seems that I now have a JPEG virus? Trojan. Every JPEG I have won't open; I get "Windows can't access the specified file....you don't have the correct permissions"...etc. I have attached another Autoruns below. I noticed in the properties tab that the folder has the read only tab checked despite me unchecking and applying to the folder. Is this the W32/Perrun-A virus?
AutoRuns180608.txt
0
 
LVL 32

Expert Comment

by:r-k
ID: 21815145
I notice the following bad entries in the new log:

+ {047B6F67-A3D4-4245-BE45-F409B0B76F09}                  c:\windows\system32\bpevupov.dll
+ {752F6141-87AF-4A97-B34B-22475F519348}                  File not found: C:\WINDOWS\system32\iifddcYR.dll

I thought these are ones you disabled before. Can you run Autoruns again, disable them, then reboot and make sure they really stay disabled? Thanks.
0
 

Author Comment

by:DRAHannah
ID: 21817065
These 2 entries were unchecked...... here is the next scan, thanks.
190608AutoRuns.txt
0
 
LVL 32

Expert Comment

by:r-k
ID: 21819875
That pesky dll is still there. Locate c:\windows\system32\bpevupov.dll with Windows Explorer, then try the following:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot (into normal mode)

After reboot the file will be unable to run (because no one can access them any more). The symptoms should be gone.

0
 

Author Comment

by:DRAHannah
ID: 21820085
Hey, I am running XP Pro but there is no Security tab; can I locate it and delete it; should I do it in safe mode?
0
 

Author Comment

by:DRAHannah
ID: 21820112
Sorry about the list.... my 4gb flash drive has this worm: win32/hamweq!inf infecting the autorun.inf
Even though Windows Live Care picks it up, is it really gone when Windows Live Care "removes" it?
0
 
LVL 32

Expert Comment

by:r-k
ID: 21826510
"..Hey i am running XP pro but there is no security tab; can i locate it and delete it; should i do it in safe mode? "

If you have XP Pro, then disable "Simple File Sharing" to get the Security tab back.

In Win Explorer (or My Computer), select Tools -> Folder Options.
Click on the View tab
Scroll down and un-check the "Use Simple File sharing.." checkbox.

After that you should be able to use my tip above on disabling the file by changing permissions.

Deleting the file will either not work because it is "in use", or it will come back even if you delete it.
0
 
LVL 32

Expert Comment

by:r-k
ID: 21826596
"..my 4gb flash drive has this worm:win32/hamweq!inf infecting the autorun.inf "

First, I would disable autoplay to prevent the USB drive infecting your computer in the future:

 http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/
 http://www.etalkindia.com/computer_it_tutorials_articles/tiphow_to_disable_usb_cd_dvd_autoplay_autorun_in_windows_xp-t2046.0.html

Next, scan your USB drive with your AV software and see if the virus is detected and cleaned up.
Even if it is, reboot and repeat the scan to be sure it is not detected again.

You may wish to post the question about the USB infection as a new question. That way more people will get to see it and you may get a better answer.

0

Question has a verified solution.