I NEED HELP TO!!!

[binxgook]

Seems like Dareutwo isnt the only one having problems. I dont know what the fuck happened tp my pc but thier is definately something wrong. O.k. heres the deal I keep getting a message theat " SYSTEM IS SHUTTING DOWN" something to the effect of authurized by NT/AUTHO
and that WIN/32system/Sass.exe has encountered a fatal error no. 128.

My system shuts down and restarts again??? I have reformatted my harddrive (twice now) and nothing is working. I have run several spyware programs and removed a few thing here and thier but it has not helped.
If my screen saver pops on and I come back on to the computer it then freezes up.

Any ideas would be greatly appreciated as I have battling with this for about a week

Corection its lsass.exe

[Cleo]

Have you tried this www.apple.com

[binxgook]

Quote:

Originally Posted by Cleo

Have you tried this www.apple.com

Thanks Cleo

[plateman]

I havent ran into that did you try and google it and search microsoft's site.. I just ran Sass.exe and found stuff about it.. did you format the whole drive or just a partition?

[stuveltje]

ha i had that months ago, my only sulution was, whipe out all on my puter and reininstal all my shit, sorry cant help you here

[N J]

Use hijackthis.exe to find those programs

[Linkster]

I would get something like hijackthis and run it from a safe boot on the admin account and then on every other account you have on the computer - assuming its XP

Make sure you are disconnected from the net when you do it in safe mode and then post the report it generates - it will give an idea of which trojan/virus/hijacker you are dealing with and we can go from there

[binxgook]

Linkster this is what Hijackthis came up with:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\mcafee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[plateman]

I'll play a little without researching the entries - get rid of everything that says http://srch-us4.hpwis.com/

see if this is a legit program - Program Files\Zero Knowledge\Freedom\FreeBHOR.dll if not get rid of it, all entries to it

and anything your not sure of google it and see if its a legit program..

and you should be doing this in safe mode with sys restore off, so I would take out everthing with this http://srch-us4.hpwis.com/ reboot and run everything again and post another log and see if your ok - and also dont surf unless you download all the ms patches

[Linkster]

With that log - do what plateman suggested - run the hijackthis and check "fix" on all of those entries - then go get yourself a copy of the newest spysweeper and run a full sweep to get it out of your registry entries.
Once spysweeper has cleaned it all out - if you are an affiliate of ARS, you will have to go into your hosts file and delete the line entry for adultrevenueservice if you want to be able to see your ARS stats
Otherwise - you might also look at MS's new spy program as well but spysweeper will keep you clean from these types of infections.

The hpwis stuff is a hijack - the FreeBHOR is legitimate if you run the Freedom privacy suite - if not its also a hijack made to look like the protection suite

[N J]

Easy log analysers:

http://www.hijackthis.de/
http://hjt.networktechs.com/

or search google for hijackthis analyser for more.

[Useless]

Quote:

Originally Posted by N J

Easy log analysers:

http://www.hijackthis.de/
http://hjt.networktechs.com/

or search google for hijackthis analyser for more.

http://www.greenguysboard.com/board/...94&postcount=8

RIF

[N J]

Quote:

Originally Posted by Useless Warrior

http://www.greenguysboard.com/board/...94&postcount=8

RIF

HUH? what I posted was log analysers, so he could copy/paste his log into them and see what they mean - easier than waiting for Linkster

[Useless]

Quote:

Originally Posted by N J

HUH? what I posted was log analysers, so he could copy/paste his log into them and see what they mean - easier than waiting for Linkster

Oh, my bad. You have my sincerest apologies. I thought you were resuggesting hijackthis eventhough you were the first person to suggest using it. I'm glad I didn't respond with my normal "Read the fucking thread before you post". Then I'd look even dumber. (though I do have a lot of practice)

[N J]

hehe, no hard feelings

[ronnie]

I had the NT Auth thing before, while back. There was a pretty easy fix if I remember right, seems it was a MS patch. Google it, thats how I found the fix.

ronnie

[binxgook]

Thanks for the help guys

[binxgook]

Think I finally managed to get things fixed up right. It's taken about a week now but I think my pc is probably running better than it ever has. Thanks for the all the advice guys