applications crash with event id (1000)

Discussion in 'Operating Systems' started by Dean11, Jul 9, 2008.

  1. Dean11

    Dean11 New Member

    Messages:
    206
    hi, the past week i have had many games and other programs crash. I checked in event viewer and the programs all have the same error. here are the errors i am getting:

    event id (1000)

    Faulting application cnc3ep1.dat, version 1.0.2955.37387, faulting module msvcr80.dll, version 8.0.50727.762, fault address 0x0001507a.



    event id (1000)

    Faulting application iexplore.exe, version 7.0.5730.13, faulting module mshtml.dll, version 7.0.5730.13, fault address 0x000c3a5c.



    The description for Event ID ( 1000 ) in Source ( Microsoft Office 11 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: winword.exe, 11.0.5604.0, 3f314a2f, winword.exe, 11.0.5604.0, 3f314a2f, 0, 00071fc8.



    The description for Event ID ( 1000 ) in Source ( Windows Live Messenger ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: msnmsgr.exe, 8.5.1302.1018, 4717a53b, msncore.dll, 8.5.1302.1018, 4717a2fe, 0, 00025829.



    The description for Event ID ( 1000 ) in Source ( Age of Empires 3 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: age3x.exe, 5.106.906.424, age3x.exe, 5.106.906.424, 00196507


    Faulting application rometw.exe, version 1.0.0.0, faulting module rometw.exe, version 1.0.0.0, fault address 0x006e69a1.


    event id (1000)

    Faulting application first15.exe, version 6.0.21.0, faulting module first15.exe, version 6.0.21.0, fault address 0x00032299.



    i have tried updating drivers, searched the internet and microsoft site for event 1000 with no matching symptoms.
     
  2. hackapelite

    hackapelite VIP Member

    Messages:
    3,610
    What virus/spyware protection and firewall do you have? I think it could be something that you would rather not have on your computer... *I think*

    Someone should come around soon to post instructions for HijackThis & whatnot
     
  3. Dean11

    Dean11 New Member

    Messages:
    206
    I had Avira antivirus and AVG but removed Avira to see if it was causing the problems, but the errors kept occurring. Here is my HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 11:30:16 PM, on 9/07/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\Utility\Application\QMICM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Dean\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra BigPond Home Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\bpwbb2ad.dll
    O4 - HKLM\..\Run: [BigPondWirelessBroadbandCM] "C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" -tsr
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1204704746722
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204705239581
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     
  4. Dean11

    Dean11 New Member

    Messages:
    206
    could this be the problem?

    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)


    I did some research on the event 1000 error and it's related to user account access rights, but I'm the only user and have admin rights. So I'm thinking this could be the problem? Any ideas?
     
  5. G25r8cer

    G25r8cer Active Member

    Messages:
    6,261
    ^^ Yes that could be the problem. You can fix that entry as it is a "File missing".
     
  6. Dean11

    Dean11 New Member

    Messages:
    206
    yep that fixed it
     
  7. GameMaster

    GameMaster New Member

    Messages:
    3,953
    It's a remote Microsoft "rootkey". It only brings up errors. I will repeat only once more racer, no file or file missing doesn't mean it's not there and shouldn't be considered like "hey it's not there so just fix it". I'll kill you, seriously, if I see that sentence one more time :D Everyone would have learnt it so far.

    Explain it to me, you seem to know better, how come the fixing of this file helped if it doesn't exist? C'mon let me see your intelligence.
     
  8. Dean11

    Dean11 New Member

    Messages:
    206
    okay the error is back but i was playing games for ages after hijackthis 'fixed' the file. it seems after a restart it comes back. do you think i should repair windows or something?
     
  9. Hsv_Man

    Hsv_Man New Member

    Messages:
    912
    I am getting the exact same error as Dean even after a complete reformat of my drive. It is my opinion that an update Microsoft has released has made explorer.exe unstable. Whether this was on purpose or not I don't know; what I do know is that an explanation is needed and a fix desperately needs to be released. Could this be a ploy on Microsoft's behalf to get us out to buy Windows Vista?
     
  10. Ken0302010

    Ken0302010 New Member

    Messages:
    1
    What is HijackThis?

    I found this one at another site and I think it is useful for everyone here:

    What is HijackThis?

    HijackThis is a program originally developed by Merijn Bellekom, a Dutch student studying chemistry and computer science. One of Merijn's programs, HijackThis, is an essential utility to help find and remove spyware, viruses, worms, trojans and other pests.

    This is a basic guide to understanding the HijackThis logs, what specific sections mean and some tips on reading it yourself. Although it's best to have a knowledgeable person help you examine the HijackThis log and decide what to remove, it's helpful to have a basic understanding of what the different sections mean and how they work.

    In March 2007, Merijn sold HijackThis to TrendMicro because he didn't have the time and energy to update it and support it. Trend Micro has incorporated many of Merijn's changes, updates, and fixes and released a version 2 of HijackThis.

    Download HijackThis
    To Download the original Hijackthis, click on the following link.
    http://www.pchell.com/downloads/HijackThis.exe

    To Download the NEW HijackThis 2.0, click below
    http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

    New Features
    The newest feature of HijackThis 2.0 is a button called AnalyzeThis that will upload your HijackThis log to the TrendSecure website and compare it to other uploaded log files. You can see a sample screenshot by clicking here. Unfortunately I was hoping for more from this feature, although it does give you a rough estimate of the number of users that have a particular file in their logs as well. For the novice user, however, this doesn't explain WHAT the file does and if it's really a threat or not. A better online tool to analyze the HijackThis logs is found at http://www.hijackthis.de. There you can either cut and paste a copy of your HijackThis log or upload a log file from your computer to analyze. The information returned from the HijackThis.de site is much more helpful in determining good and bad items in the log. For a screenshot of the HijackThis.de analysis click here.
    There appear to be other minor modifications as well.
    Overview of items in the HijackThis logs

    Each line in a HijackThis log starts with a section name. (For technical information on this, click 'Info' in the main window and scroll down. Highlight a line and click 'More info on this item'.)

    R0, R1, R2, R3 - IE Start & Search page
    R0 - Changed registry value
    R1 - Created registry value
    R2 - Created registry key
    R3 - Created extra registry value where only one should be

    What it looks like:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
    R3 - Default URLSearchHook is missing

    What to do:
    If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. In cases like a hijacker you may want to leave them till later, but in general if you don't recognize it, fix it.
    For the R3 items, always fix them unless it mentions a program you recognize.
    ________________________________________
    F0, F1, F2, F3 - Autoloading programs
    F0 - Changed inifile value
    F1 - Created inifile value
    F2 - Changed inifile value, mapped to Registry
    F3 - Created inifile value, mapped to Registry

    What it looks like:
    F0 - system.ini: Shell=Explorer.exe Openme.exe
    F1 - win.ini: run=hpfsched

    What to do:
    The F0 items are always bad, so fix them.
    The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad.
    ________________________________________
    N1, N2, N3, N4 - Netscape/Mozilla Start & Search page
    N1 - Change in prefs.js of Netscape 4.x
    N2 - Change in prefs.js of Netscape 6
    N3 - Change in prefs.js of Netscape 7
    N4 - Change in prefs.js of Mozilla

    What it looks like:
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\o9t1tfl.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\o9t1tfl.slt\prefs.js)

    What to do:
    Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it.
    ________________________________________
    O1 - Hosts file redirection

    What it looks like:
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch

    What to do:
    This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.
    ________________________________________
    O2 - Browser Helper Objects

    What it looks like:
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

    What to do:
    If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe. Or upload your HijackThis log to the Online HijackThis Analyzer and see if it's safe.
    ________________________________________
    O3 - IE toolbars

    What it looks like:
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    What to do:
    If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
    If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data', it's definitely bad, and you should have HijackThis fix it. Or upload your HijackThis log to the Online HijackThis Analyzer and see if it's safe.
    ________________________________________
    O4 - Autoloading programs from Registry

    What it looks like:
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    What to do:
    Use PacMan's Startup List to find the entry and see if it's good or bad.
    ________________________________________
    O5 - IE Options not visible in Control Panel

    What it looks like:
    O5 - control.ini: inetcpl.cpl=no

    What to do:
    Unless you've knowingly hidden the icon from Control Panel, have HijackThis fix it.
    ________________________________________
    O6 - IE Options access restricted by Administrator

    What it looks like:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    What to do:
    Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix this.
    ________________________________________
    O7 - Regedit access restricted by Administrator

    What it looks like:
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    What to do:
    Always have HijackThis fix this.
    ________________________________________
    O8 - Extra items in IE right-click menu

    What it looks like:
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    What to do:
    If you don't recognize the name of the item in the right-click menu in IE, have HijackThis fix it.
    ________________________________________
    O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

    What it looks like:
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)

    What to do:
    If you don't recognize the name of the button or menuitem, have HijackThis fix it.
    ________________________________________
    O10 - Winsock hijackers

    What it looks like:
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
    O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll

    What to do:
    It's best to fix these using LSPFix from Cexx.org or WinsockXPFix
    ________________________________________
    O11 - Extra group in IE 'Advanced Options' window

    What it looks like:
    O11 - Options group: [CommonName] CommonName

    What to do:
    The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this.
    ________________________________________
    O12 - IE plugins

    What it looks like:
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\ppdf32.dll

    What to do:
    Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).
    ________________________________________
    O13 - IE DefaultPrefix hijack

    What it looks like:
    O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
    O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?

    What to do:
    These are always bad. Have HijackThis fix them.
    ________________________________________
    O14 - 'Reset Web Settings' hijack

    What it looks like:
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

    What to do:
    If the URL is not the provider of your computer or your ISP, have HijackThis fix it.
    ________________________________________
    O15 - Unwanted site in Trusted Zone

    What it looks like:
    O15 - Trusted Zone: http://www.badspyware.com

    What to do:
    Many different spyware and adware programs will add items to the Trusted Zone. In most cases, you'll want to remove these with HijackThis.
    ________________________________________
    O16 - ActiveX Objects (aka Downloaded Program Files)

    What it looks like:
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    What to do:
    If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.
    ________________________________________
    O17 - Lop.com domain hijacks

    What it looks like:
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
    What to do:
    If the domain is not from your ISP or company network, have HijackThis fix it. You may want to run the Lop.com uninstaller as well to clean up misc Lop problems.
    ________________________________________
    O18 - Extra protocols and protocol hijackers

    What it looks like:
    O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
    O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
    O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

    What to do:
    Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked by spyware. In the last case, have HijackThis fix it.
    ________________________________________
    O19 - User style sheet hijack

    What it looks like:
    O19 - User style sheet: c:\WINDOWS\Java\my.css

    What to do:
    In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log.
    ________________________________________
    O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
    What it looks like:
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
    O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll
    What to do:
    Although some of these files are legitimate, many are spyware/adware hijacks that need to be removed. You can research files in this list by visiting CastleCops 020 List or upload your log to the Hijackthis.de Online Analyzer
    ________________________________________
    O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
    What it looks like:
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINDOWS\lghngdne.dll
    What to do:
    Not all entries are bad, but you should check CastleCops 021 List and the Online Hijackthis Analyzer to verify before deleting an entry.
    ________________________________________
    O22 - SharedTaskScheduler autorun Registry key
    What it looks like:
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    What to do:
    Again, many of these entries are good. The old version of HijackThis 1.99 didn't check this section, while HijackThis version 2 does. SmitFraud attacks usually hide here. Check the CastleCops 022 List and Online HijackThis Analyzer if you are unsure before deleting.
    ________________________________________
    O23 - Enumeration of NT Services
    What it looks like:
    O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkkv32.exe
    What to do:
    These are services which are loaded by the Service Control Manager in Windows 2000, XP, and Vista. They are generally loaded at bootup, before a user logs in. Firewalls and other important programs load here, but rogue cleaning programs like AlfaCleaner may also load here. Check the CastleCops 023 List and Online HijackThis Analyzer if you are unsure before deleting.
    ________________________________________
    O24 - Enumeration of ActiveX Desktop Components
    What it looks like:
    What to do:
    ________________________________________
    If something in your log still puzzles you after this short tutorial, there is nothing stopping you from posting at many of the hijackthis related forums on the web.
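
As an added example (not part of the original posts and not HijackThis code), here is a small Python parser for the log format the guide above describes, run over lines excerpted from the log posted earlier in this thread. The flag names and the `describe`/`parse_log`/`triage` helpers are this example's own; a flag means "research this entry before touching it", in line with the guide's advice to check before deleting.

```python
import re

# Section meanings, taken from the headings of the guide quoted above (subset).
SECTION_GROUPS = {
    "R": "IE Start & Search page",
    "F": "Autoloading programs",
    "N": "Netscape/Mozilla Start & Search page",
    "O2": "Browser Helper Objects",
    "O4": "Autoloading programs from Registry",
    "O9": "Extra buttons on main IE toolbar / 'Tools' menu items",
    "O10": "Winsock hijackers",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Enumeration of NT Services",
}

# An entry line is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Lines excerpted from the log posted in this thread (header shortened).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


def describe(section):
    """Map a section code (e.g. 'R1', 'O20') to the guide's heading."""
    return (SECTION_GROUPS.get(section)
            or SECTION_GROUPS.get(section[0], "not covered in this subset"))


def parse_log(text):
    """Return one dict per entry line; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # "Logfile of ...", "Running processes:", paths, blanks
        section, body = m.groups()
        low = body.lower()
        flags = []
        # The registry entry points at a file HijackThis could not find.
        if "(file missing)" in low or "(no file)" in low:
            flags.append("dangling-reference")
        # A service whose binary carries no company name.
        if section == "O23" and "unknown owner" in low:
            flags.append("unknown-owner")
        # An LSP that HijackThis does not recognise.
        if section == "O10" and low.startswith("unknown file in winsock lsp"):
            flags.append("unknown-lsp")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "meaning": describe(section),
            "clsid": clsid.group(0) if clsid else None,
            "flags": flags,
            "body": body,
        })
    return entries


def triage(entries):
    """Entries worth researching, in log order."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f'{e["section"]:<4} {",".join(e["flags"]):<20} {e["meaning"]}')
        print(f'     {e["body"]}')
```

The CLSID extracted for O2, O3 and O9 entries is the value the guide says to look up in a BHO or toolbar list.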
     
