Odd mention in regedit and msconfig - weird startup msg

[kam31uf]

Has anyone ever seen anything like this in a msconfig startup list before?

%systemroot%\system32\dumprep 0 -k

I've had some troubles and I have never seen anything like that ever listed there. I found it in the registry as well.

This leads me to the other part: When I start up I get a msg about the CD recording software and how windows has disabled the driver. Then I get a windows installer box popping up, then a norton 2005 window pops up saying it cant repait must install and reinstall. once I click ok to that the installer box disappears.

Next the explanation box opens for the cd recording software msg.

I installed adaptec easy cd creator, plextormgr 2000, etc. before finding out that the plextormgr 2000 part of the cd recording software bundle wasnt compatible. I have since been to their website and followed their directions to the T as to removing it.

ANy thoughts?

 

[cbmudd]

dumprep 0 -k is a microsoft error report thing. Go to this web site for msconfig things. It is very usefull.

http://www.sysinfo.org/startuplist.php

The cd recording software error is a service pack 2 issue.
Try reinstalling the latest version of the software. Go to the homepage of the software and look for service pack 2 fixes or updates.......

 

[kam31uf]

ok that dumprep thing is for a memory dump, I can disable it, what is it and do I need it?

 

[bcastner]

dumprep 0 -k is a microsoft error report thing. Go to this web site for msconfig things. It is very usefull."

Actually, the syntax should be:
dumprep 0 -u

What it looks like to me is that you have an infection with a variant of Sasser (as a guess, Sasser.E), but have the MS security patches to disable its full effects. The line you see in the RUN key of the registry is intended to hide the LSASS error box from appearing on the screen.

Do both the Trend Micro and Panda online scans:

http://www.mvps.org/sramesh2k/Scanners.htm

Finish by running HijackThis! 1.99 (in a new folder your create) and removing any remaining RUN key entries such as you reported above.

http://www.spywareinfo.com/~merijn/downloads.html

 

[kam31uf]

no its dumprep 0 -k
I went to the website CBMUDD mentioned, its actually

http://www.sysinfo.org/startuplist.html

and it lists the error I mentioned and the one you mentioned. But it doesnt mention anything about a variant of the Sasser worm.

 

[bcastner]

My point was that if[/] it was a legitimate dumprep instruction, it would not have "-k" as its directive, but "-u"

So clearly something introduced this without your consent.
The most likely case is an infection with a Sasser variant in which you have the MS security Hotfixes applied to render it relatively inactive.

I invite other opinions. But I frankly believe you have Sasser.E, and are Hotfixed.

Follow my advice above the clean your RUN keys.

 

[kam31uf]

Would this have been caught by a complete virus scan with Norton 2005?

 

[bcastner]

Not in my experience.

 

[kam31uf]

OK I will try these things tonight at home. Question though, not to sound impertinent, but what's the point of anti virus if it doesnt catch that stuff?

 

[bcastner]

It is only as good as the definition database. And please note that many Antivirus products make no claim about detecting and removing other non-viral malware.

This is a war. There are constant morphs of existing malwares, and constant introduction of new ones.

It is not coincidental that the level of these new malware introductions are co-ordinated with the new inaguaration of President Bush. The AV and Anti-spyware and Anti-trojan folks have been working overtime.

 

[linney]

Half the XP population would have the Dumprep 0 -k reference in MsConfig (including me) it is solely related to memory dump settings and I would suggest not a result of virus infection.

To be honest, I have not seen Dumprep 0 -u on any of my systems and guess that the -k or -u must relate to some computer settings.

The MsConfig entry can be unchecked or removed from the Registry quite safely but will return after the next system crash.

Bill might have us believe we are all infected with some virus but that would seem unlikely.

dumprep 0 -k or dumprep 0 -u

http://www.google.com/search?source...s+-+you+can+disable+these+by+-+right+clicking

Used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out.


kernelfaultcheck

Used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out.


So I would suggest that the -k refers to KernelFaultCheck and the -u refers to UserFaultCheck.


HOWEVER, kam31uf, the fact that your own virus software is playing up I fully agree with Bill that you should thoroughly check your machine out.

Removing adware & spyware
faq608-4650

 

[kam31uf]

I did just have a crash since installing a new HD and that makes more sense to me since I just got the computer working and didnt have that listed prior to the crash. I also havent been able to use the internet since it crashed, so that also makes more sense.

As for Anti virus I have an updated virus list from Nortona dn ran it last night, nothing found. I also keep the firewall up.

 

[linney]

If you are having multiple problems the Event Viewer is a good place to check.

Don't just rely on one virus scanners opinion either.

 

[kam31uf]

What is the Event Viewer? Im not having any problems really this just started becasue i wanted to know what that line was in the startup list.

 

[linney]

To get further information about any error look in your Event viewer.

Look in the System or Application folder. You can get to the Event Viewer via right click My Computer icon and select Manage.

Any errors logged in the Event Viewer can be expanded by double clicking on the error line.

Take any event error I.D. number and search for it on these sites.

http://www.eventid.net/events.asp

http://www.microsoft.com/technet/support/ee/search.aspx

Also check any "Information" line that mentions "savedump" and you should find reference to "recovered from a bug check". This is the Stop Error that caused your problem.

You can also turn off "automatically restart after an error" so it will just halt at the fault and display the full Stop Error and blue screen.

Right-click My Computer, and then click Properties .
On the Advanced tab, click Settings under Startup and Recovery .
Click to clear the Automatically restart check box under System failure , and then click OK . The error message on a blue screen should remain on the screen so you can record the error information.