Re: Logon and logoff



Information sent.
Thanks,
Ken.

"nass" <nass@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:875BC88F-165D-4B3E-A89F-6C0FE684EBBE@xxxxxxxxxxxxxxxx


"Ken" wrote:

Ok, maybe no attachments? Then here's the event log info (four entries).
The "access denied" looks suspicious. That is part of the virus software, I
believe.


Event Type: Error
Event Source: WMPNetworkSvc
Event Category: None
Event ID: 14325
Date: 9/27/2008
Time: 1:13:17 PM
User: N/A
Computer: KGPLACE
Description:
Service 'WMPNetworkSvc' did not start correctly because QueryService
encountered error '0x80004002'. In Windows Media Player, turn off media
sharing, and then turn it back on.

When you try to use Windows Media Player 11 to play a digital rights
management (DRM)-protected media file, the media may not play

http://support.microsoft.com/kb/925705/en-us
<Q>
After enabling Media Sharing, if I open Media Player and select LIBRARY->
MEDIA SHARING, it displays a dialog box saying "Media sharing is currently
disabled, either because the sharing service is not running or your
firewall settings have changed. To restart sharing, you must first confirm
your sharing settings."

I have enabled all WMP sharing-related firewall rules, and when
investigating the service, I found what I explained above.
</Q>
Open a command run and type in
services.msc click [Ok] and see if the following services have been
started on your XP machine:
SSDP Discovery Service
Universal Plug and Play Device Host
Windows Media Player Network Sharing Service


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 9/27/2008
Time: 1:13:34 PM
User: NT AUTHORITY\SYSTEM
Computer: KGPLACE
Description:
DCOM got error "Access is denied. " attempting to start the service
PcScnSrv
with arguments "" in order to run the server:
{C820A3A7-4408-4509-A9D9-EE47C1FE1486}

Check PC-Cillin Spyware Control Service is Enabled or the application is
working okay.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FROM APPLICATION EVENT LOG:

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 28
Date: 9/27/2008
Time: 1:13:16 PM
User: N/A
Computer: KGPLACE
Description:
WinMgmt could not initialize the core parts. This could be due to a badly
installed version of WinMgmt, WinMgmt repository upgrade failure,
insufficient disk space or insufficient memory.

<Q>
Hello Bob,

Thank you for using newsgroup!

From your post, it appears that the WMI installation of this computer is
corrupt. Please try to reset the WMI installation using the following
procedure:

1. Stop the WINMGMT (Windows Management Instrumentation) service.
2. Move all the files under the WBEM Repository directory (located in the
\%Windir%\System32\WBEM directory) to a temp folder. In fact we can delete
the files here as well. Moving the files is just a backup for the files
here.
3. Restart the WINMGMT (Windows Management Instrumentation) service.
4. If the files in the WBEM Repository directory are not created by
restarting the WMI service, restart the computer and these files should be
created.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
</Q>
<Q>
Sorry Ken,

I deleted the wrong folder.
You clearly said \%Windir%\System32\WBEM, but I did \%Windir%\WBEM. I put
the files back and deleted the correct files this time.

To be clear, this is what I finally did.
1. net stop WINMGMT
2. Restored C:\WINDOWS\WBEM\msfeeds.mof
3. Restored C:\WINDOWS\WBEM\msfeedsbs.mof
4. Deleted C:\WINDOWS\system32\wbem\Repository\$WinMgmt.CFG
5. Deleted the five files in folder C:\WINDOWS\system32\wbem\Repository\FS
6. Register all DLLS in %SystemRoot%\System32\wbem by doing the following
from the cmd prompt:
a) cd C:\WINDOWS\system32\wbem
b) for /f %s in ('dir /b *.dll') do regsvr32 /s %s
7. Restarted system.

Result is I no longer get the WinMgmt Event ID: 28 error. THANKS!
</Q>

Event ID 28 - WMI Service Availability
http://technet2.microsoft.com/windowsserver2008/en/library/88d81dc6-93a0-417f-bbdc-369758ebd15f1033.mspx?mfr=true
http://www.eventid.net/display.asp?eventid=28&eventno=1320&source=WinMgmt&phase=1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Event Type: Error
Event Source: SecurityCenter
Event Category: None
Event ID: 1802
Date: 9/27/2008
Time: 1:13:16 PM
User: N/A
Computer: KGPLACE
Description:
The Windows Security Center Service was unable to establish event queries
with WMI to monitor third party AntiVirus and Firewall.

The error about MS Security Center not being able to track or recognize
your anti-virus, check that the Firewall service for TrendMicro
is Enabled Auto and working in the Services control panel.
~~~~~~~~~~~~~~~~~~~~~~~
Can you please run through these cleaning steps and if you wish send me
your Hijackthis log. I will be interested to see if your Audit is messed up
and if there is any kind of rootkit/Zlob infection!
Also can you tell us:
- How much Disk space on this machine
- How much RAM installed
- Do you have a Firewall and your AV subscription is current

How to Identify a Damaged User Profile and Create a New Profile:
http://support.microsoft.com/kb/811151

1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button
called [Clear History..] click on it to clear your History caches, then
click on [Delete Files..] to delete Internet Files created over the time,
click on [Delete Cookies...] to delete your cookies left by visiting
websites.

= Then try to Disable the Add-Ons on your Browser somehow installed on
your browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there
Disable the None/Not Verified Plug-ins/Add-ons (you need to Re-enable them
one-by-one later and see which is the culprit or you can send them here in
your next post) and click [OK] to confirm your Changes.
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Click on Advanced Tab and scroll down under the browsing option and
uncheck this box:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) and click Apply
then OK to close your IE Properties.
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
my address is : to_you_ross(at remove this and replace with the
obvious)yahoo.co.uk
( _ is underscore)
HTH.
nass
---
http://www.nasstec.co.uk





"nass" <nass@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:75E9815E-42A3-4B36-8BB6-330864E9BAB4@xxxxxxxxxxxxxxxx


"Ken" wrote:

Need some help, please.
After a windows update and reboot, I can log in but it quickly logs me
out -- no chance at all. I can start in SAFE mode and log in OK. Virus
software is up-to-date, and other scans do not help (but can only run
in safe mode).
Any ideas?
Ken

It looks to me like a hardware/software issue, try to start the machine
with the basic devices like Monitor, mouse, keyboard and disconnect any
extra External devices and see if that will help.

Do you get any error message?
Please send us your Error messages by following the steps below:
Open a Notepad, customize or minimize to the taskbar as you will need
it later for this step to copy the error message on it.
Open a run command and type in:
eventvwr.msc click [OK] you will get the Event viewer control Panel.
click on each of these:
Application
System
Security
Look in the right Pane/window for error message with red (X) or Yellow
exclamation mark /!\ , double click each one to get more info about the
causer.
On the Event error properties message you will see:
Up Arrow
Down arrow
Two pages
Click on the two pages to copy the error message then bring up the
Notepad you opened earlier and right click on the first line and select
Paste from the list, this will paste the error message on a Notepad.
Please don't duplicate the error message one of each kind will be
sufficient.
HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/kb/308427/en-us

Please we need just the error messages with Red (X) and don't repeat
the error, just one of each kind and post them back in your next post.

HTH,
nass
---
http://www.nasstec.co.uk
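
Added example (not part of the original thread): a small Python parser for the text Event Viewer produces when an entry is copied, as in the entries pasted above, that keeps one Error entry per source and event ID, as the post asks. The function names are hypothetical and the sample is constructed from fields shown in the thread.

```python
import re

# Field labels as they appear in entries copied out of Event Viewer.
FIELD_RE = re.compile(r"^(Event \w+|Date|Time|User|Computer):\s*(.*)$")

def parse_events(text):
    # Returns one dict per pasted entry; wrapped description lines are re-joined.
    events, current, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Event Type":        # a new entry starts here
            current, in_desc = {"Description": ""}, False
            events.append(current)
        if current is None:
            continue                                # text before the first entry
        if in_desc and line and set(line) != {"~"}:
            current["Description"] = (current["Description"] + " " + line).strip()
        elif in_desc:                               # blank line or ~~~ separator
            in_desc = False
        elif m:
            current[m.group(1)] = m.group(2)
        elif line == "Description:":
            in_desc = True
    return events

def one_of_each(events, wanted_type="Error"):
    # Keep the first entry per (source, event ID), in original order.
    seen = {}
    for ev in events:
        if ev.get("Event Type") == wanted_type:
            seen.setdefault((ev.get("Event Source"), ev.get("Event ID")), ev)
    return list(seen.values())

# Constructed sample (abbreviated; the last entry is a made-up repeat).
SAMPLE = """\
Event Type: Error
Event Source: WinMgmt
Event ID: 28
Description:
WinMgmt could not initialize the core parts. This could be due to a badly
installed version of WinMgmt.
~~~~~~~~~~~~
Event Type: Error
Event Source: DCOM
Event ID: 10005
Description:
DCOM got error "Access is denied. " attempting to start the service PcScnSrv
Event Type: Error
Event Source: WinMgmt
Event ID: 28"""
```

Calling one_of_each(parse_events(SAMPLE)) returns the WinMgmt 28 and DCOM 10005 entries once each.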





