
cak46
Everything posted by cak46
-
Sorry about the double....... I've found a potential winner, but I've never used the program the dude mentions. Here is the link: http://www.freetechsforum.com/forum/index.php?act=ST&f=4&t=647 About a third of the way down and a guy by the name of cbuck. Interesting proposition.
EDIT: You'll need to install XP support tools, here is how: http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_namp.asp Here is the first tool to use. It lists dependencies for a given service. http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_cnxc.asp Here is the SC program detail. http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_cnxc.asp I can't help you with this because I do not have an install disk for XP and have not run these programs. They look straightforward from the descriptions and cbuck's post. What do you think? If you give me a day or two, I should be able to better help with this process. Let me know. In essence, what you will be doing is looking at the dependencies for lsass.exe and starting the ones that are not running and viewing information on services running and/or stopped. Can't hurt to look, can it???? :)
-
What application is erroring out?
-
Sorry I've been away. Work's become a real hassle because I need to get a piece of proprietary software revamped in order to interface it with another piece of software by August 1st. What a job........ Glad I'm not programming it myself! I've rethought the advapi issue and realized I was way too punchy to be advising on it. The entries in your sec. log are correct and are most likely calling the advapi32.dll during boot to log on as a service. I'm going to have to look up some stuff......... Just tripped over this while looking for some other info. Look at sli at pyro.net's post. BTW: Try looking in c:\windows\system32 for these files first. If they are there then extract the files to a different temporary directory than he suggests since I assume you have updated your op sys. and compare the dates of the files. If they aren't there then we have found the missing object. If they are there and the dates are the same then go ahead and give this a try. Also, extract the missing ones if that's what you find when you look them up in the system32 directory. http://www.winxpforums.com/ftopic19583.html
-
Most likely those are the status messages. I would suspect your boot up is a bit slower with verbosity on as well. Good idea on checking your other machine for the file! Let me know how it goes. Back to work for a bit more...........
-
If you remember, a bit ago we set your machine to be a bit verbose on boot so we could possibly get better information from your logs. Let me see if I can find the post..... Here it is: If you selected bootlogging after hitting F8, then there should be a new log entry in the bootlog.txt for that boot. Try this to increase the amount of info put into your event logs and possibly the bootlog.txt file: Obtained from: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/Eventlog/W2KXP.NETenableverboseeventmessages.html
Use Registry Editor and change/add this DWORD value: go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system. See if this DWORD already exists and if not, add it by right mouse clicking on the system (folder shaped in left window) then select New DWORD then name it VerboseStatus. Next, double click on the new VerboseStatus entry and set it to 1. If it already existed, change the value to 1. Now, go ahead and check for this under the same key (system): An additional value called "DisableStatusMessages" forces status messages to be disabled, make sure this value does not exist or is set to "0". (DisableStatusMessages REG_DWORD 0x00000000 (0)) More instructions: http://www.techspot.com/vb/topic12413.html If you are uncomfortable with registry editing, use the alternate way in the first link to turn on verbose logging. Always remember, backup the registry prior to editing it! :)
Edit: For various reasons........ :)
************************
Just do the reverse of the above instructions and it should clear that up. You may want to wait until we get the error cleared up though..... No advapi.dll file? Maybe we found the object that can't be found, eh? Now the question is, what do we do about it? One of two things, I figure. Figure out which program is calling the advapi.dll file or find a copy of the legit. advapi and put it in the windows\system32 directory and see what happens. Have you heard from MS yet?
I'm swamped here tonight with take home work so will not be available much. Maybe set this aside till tomorrow? Might give MS a chance to respond, if you can let them know about the missing file as well. They have to have some type of answer or they are, as everyone suspects, useless. Sorry, been a killer day..........
-
Back again! HaHa My stupid. It's a logon process of sorts. It's called by a process thread and then shuts down after it is done, so you won't find it as a continuously running process. The file should be there somewhere and if it isn't, maybe the calling thread is causing the lsass object not found error? Just a thought! Good luck in your quest for the file!
-
I'm even more suspicious of the file now that it is not in the system32 directory. If you can't find it with TUT, try Start>Search> then advanced search and select Hidden files and folders then put in the filename. I must sign off as it is getting on near midnight here, and I don't want to miss the excitement that is my workplace in the 'morrow! :haha: Good evening!
-
You may not find it in the registry, if the information at the link I gave earlier is correct. It's called from within another process or script, not by a registry key.
-
go to My Computer then browse to c:\windows\system32. I think it may be listed in that folder.
-
You're confusing groups and user IDs. Administrator is a user ID only found when you boot in safe mode. Computer administrator is a group of which your user ID is a member. Groups allow a number of users to be assigned certain permissions to files, etc. so instead of assigning each user ID the permission, all you have to do is assign each member you want to have the permissions given to the group. You have a fiscal dept. of 80 staff. You want them all to have access to a financial program but do not want them to have access to the Administration directory. You would create a group named Fiscal, assign each member to this group, then give the group access to the fiscal program while disallowing access to the Administration directory. Now, 5 new staff members are brought on board to work in the fiscal dept. All you have to do is add them to the Fiscal group to give them access to the financial program and preclude access to the administration directory. This isn't exactly how it would happen but in essence it makes administration of servers and large numbers of users easier to manage. This help at all?
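The group model described in the post above, as an added example that is not from the post: a toy authorization store with users, groups and an ordered ACL per directory, evaluated Windows-style, where a user's effective rights are the union of the allows for the user and every group the user belongs to, minus any matching denies (in canonical ACL order explicit deny ACEs come before explicit allows, so a deny on any of the user's groups wins). The department, account names, group names, paths and the read/write/execute rights are made up for illustration.

```python
# Added example, not from the thread: group-based authorization with
# Windows-style ACL evaluation. All names, paths and rights are made up.
FULL = frozenset({"read", "write", "execute"})
RUN = frozenset({"read", "execute"})


class Authz:
    """Toy store of users, groups, and an ordered ACL for each resource."""

    def __init__(self):
        self.groups = {"Fiscal": set(), "Administrators": {"sysadmin"}}
        # ACEs are (kind, principal, rights); principal is a user or group name.
        self.acls = {
            r"C:\Apps\FinancePro": [("allow", "Fiscal", RUN),
                                    ("allow", "Administrators", FULL)],
            r"C:\Administration": [("deny", "Fiscal", FULL),
                                   ("allow", "Administrators", FULL)],
        }

    def add_to_group(self, group, *users):
        """The one administrative action: change membership, not per-user ACEs."""
        self.groups[group].update(users)

    def principals(self, user):
        """The user plus every group the user is a member of."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def effective_rights(self, user, path):
        """Union of allows across the user's principals minus any matching denies."""
        who = self.principals(user)
        allowed, denied = set(), set()
        for kind, principal, rights in self.acls.get(path, []):
            if principal in who:
                (allowed if kind == "allow" else denied).update(rights)
        return frozenset(allowed - denied)

    def can(self, user, path, right):
        return right in self.effective_rights(user, path)


def onboarding_demo():
    """Five new hires: one group change instead of an ACL edit per user per directory."""
    az = Authz()
    app, admin_dir = r"C:\Apps\FinancePro", r"C:\Administration"
    before = az.can("pat", app, "execute")                      # not in any group yet
    az.add_to_group("Fiscal", "pat", "kim", "lee", "sam", "ana")
    after = az.can("pat", app, "execute")                       # granted via Fiscal
    admin_blocked = az.can("pat", admin_dir, "read")            # denied via Fiscal
    # Caveat: the deny carried by Fiscal still wins even after pat is also
    # made an Administrator, because denies are evaluated before allows.
    az.add_to_group("Administrators", "pat")
    still_blocked = az.can("pat", admin_dir, "read")
    return before, after, admin_blocked, still_blocked


if __name__ == "__main__":
    print(onboarding_demo())
```

The last step is the practical caveat behind "deny" entries: a deny ACE on a group follows every member of that group into every other group they are later added to, so denies on broad groups are a common source of "but I'm an administrator" tickets.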
-
Smokin too much! :haha: No, not really. This API is over my head but it looks kinda suspicious. You should be ok with the anti spy/virus programs you're running and that you do have an admin password on board. Only thing I'm wondering is if there is a thread, whether viral or not, executing the logon process with this program, where is the thread coming from (what program) and what is it trying to execute (since there is an object not found error). This is "highly" theoretical and would take someone who knows much more than I about the specifics of this program (advapi) to figure it out. For that matter, it could be the pdengine calling something that it needs but can't find as well...... Legitimate call by the defragger but the object being called (trying to execute) is missing. I just do not know. If we can just get rid of the advapi without thrashing your op sys in the process, then it would be worth the try. Hence the note to MR. MS. Easiest way to do it would be with your process killer, then delete the corresponding file or using killbox and do both at the same time. I'd wait till MS responds, though........ The rule I live by is "First, do no harm". An old programmer taught me that about 10 years ago.
-
http://www.motobit.com/help/scptutl/cl51.htm Just found this.... might be the answer? Looks like a script object uses this program to impersonate your userid or logon another userid. Object not found could be a virus file that was removed? Just a guess......May explain the security entries in the sec. log.... again just a pure guess on my part but it makes sense to me.......... Yeah, that's pretty old. Kind of disturbing as to what the advapi program does, if the information at the above link is correct. (Administrator, with no password=free reign with this program) if I understand its usage correctly.
-
:haha: Probably something like... "Well, you can disable it but we can't guarantee, won't be responsible for, and would you sign this saying we aren't because we really aren't sure that it won't have a negative impact on some of the other running processes so if you could just digitally sign the attachment on this email and send it to us and the NSA, just for backup, in case our server goes down again because of another trojan horse in an attachment of one of our other customers email which we open and run on a regular basis, just to see what they will do." BTW: Advapi
-
Glad you got it resolved! Sounds like a new version of the old "is it plugged in?" issue that comes up at work on occasion.
-
That's about what I've run so far on the HP on the bench, not including virus specific removers:
Ewido
Spybot
Ad-Aware
TrojanHunter
Stinger
Hijackthis
AVG (unsuccessfully at the beginning)
avcleaner (AVG's answer to McAfee's Stinger)
Avast
F-bot (Another bot cleaner, can't remember the name)
Trendmicro sysclean
Killbox (process and program file killer)
MS Anti-spyware
MS Malicious program removal but can't find a damn thing to remove program
Process View (Process viewer and allows you to stop a process)
There are probably more but I can't name them right now. Good news is I'm on the last profile and only 1 search bar tried to vainly install itself. Never thought I'd say this, but SP2 is at least a good thing to protect IE settings and MS antispy to stop the reinstall and clean it out. I plan to do 1 more reboot/scan of each profile, then will declare victory after 3 or 4 weeks! Will search around some more and you may want to contact Mr. Microsoft to see what he has to say about it. NSA..... HMMMMMMM :haha:
Edit: More scans used:
TweakNow RegCleaner
A Squared
RootkitReveal
CWS Shredder
-
Sorry about the double post: Here are the entries from your app events log at 4:36:07:
7/19/2005 4:36:41 PM PDSched Information None 0 N/A Service started
7/19/2005 4:36:07 PM PDEngine Information None 0 N/A Service started
These are tied to your auto defrag program. Here are the entries in your security log:
7/19/2005 4:36:07 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE "Special privileges assigned to new logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: ) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege"
7/19/2005 4:36:07 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE "Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: ) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-0000-0000-0000-000000000000}"
7/19/2005 4:36:07 PM Security Success Audit Privilege Use 576 NT AUTHORITY\LOCAL SERVICE "Special privileges assigned to new logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: ) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege"
7/19/2005 4:36:07 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\LOCAL SERVICE "Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: () Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-0000-0000-0000-000000000000}"
And here are the system evts:
7/19/2005 4:36:07 PM Application Popup Information None 26 N/A Application popup: lsass.exe - System Error : Object Name not found.
I stripped out identifying features, for your computing safety. I do not know for sure if this file is legit or not. Entries on the MS website are lower case a while in your event logs it's upper case A, same as at Castlecops. I would suggest contacting the MS dude and seeing what he has to say about it.
I will do a more involved search and let you know what I find if you wish.
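The security-log entries quoted in the post above, read as an added example that is not part of the post: on Windows XP, event 528 with Logon Type 5 is a service logon, and "Advapi" in the Logon Process field is the name carried by logons made through the LogonUser API in advapi32.dll, so NETWORK SERVICE and LOCAL SERVICE logging on this way at boot, each paired with a 576 that lists the privileges the new logon received, is what the Service Control Manager starting services looks like. The script below parses a constructed tab-delimited export modelled on those lines (not the poster's real export; the Logon IDs, the HOMEPC\pat rows and the two-second correlation window are assumptions), tags each 528 as a service start or as some process logging on with credentials, pulls sensitive privileges out of 576 events, and lists everything recorded within two seconds of the lsass popup.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the XP Event Viewer tab-delimited text export
# quoted in the thread. Not the poster's real export: the Logon IDs and the
# HOMEPC\pat rows are made up so the classifier has something to flag.
SAMPLE_EVENTS = """\
7/19/2005 4:36:07 PM\tPDEngine\tInformation\tNone\t0\tN/A\tService started
7/19/2005 4:36:07 PM\tSecurity\tSuccess Audit\tPrivilege Use\t576\tNT AUTHORITY\\NETWORK SERVICE\tSpecial privileges assigned to new logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E4) Privileges: SeAuditPrivilege SeAssignPrimaryTokenPrivilege SeChangeNotifyPrivilege
7/19/2005 4:36:07 PM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tNT AUTHORITY\\NETWORK SERVICE\tSuccessful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-0000-0000-0000-000000000000}
7/19/2005 4:36:07 PM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tNT AUTHORITY\\LOCAL SERVICE\tSuccessful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-0000-0000-0000-000000000000}
7/19/2005 4:36:07 PM\tApplication Popup\tInformation\tNone\t26\tN/A\tApplication popup: lsass.exe - System Error : Object Name not found.
7/19/2005 4:41:12 PM\tSecurity\tSuccess Audit\tPrivilege Use\t576\tHOMEPC\\pat\tSpecial privileges assigned to new logon: User Name: pat Domain: HOMEPC Logon ID: (0x0,0x5A1F2) Privileges: SeDebugPrivilege SeChangeNotifyPrivilege
7/19/2005 4:41:12 PM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tHOMEPC\\pat\tSuccessful Logon: User Name: pat Domain: HOMEPC Logon ID: (0x0,0x5A1F2) Logon Type: 2 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: HOMEPC Logon GUID: {00000000-0000-0000-0000-000000000000}
"""

FIELDS = ("time", "source", "type", "category", "event_id", "user", "description")
# Labels used inside XP 528/576 descriptions; everything between two labels is a value.
LABELS = ("User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Logon GUID", "Privileges")
LABEL_RE = re.compile(r"\s*(" + "|".join(re.escape(l) for l in LABELS) + r"):\s*")
SERVICE_ACCOUNTS = {"SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE"}
# Privileges that deserve a second look when handed to an unexpected logon.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
                        "SeRestorePrivilege", "SeLoadDriverPrivilege",
                        "SeTakeOwnershipPrivilege"}


def parse_event(line):
    """One exported row -> dict; None for a row that is not seven tab-separated columns."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    ev = dict(zip(FIELDS, parts))
    ev["time"] = datetime.strptime(ev["time"], "%m/%d/%Y %I:%M:%S %p")
    ev["event_id"] = int(ev["event_id"])
    return ev


def parse_events(text):
    return [ev for ev in map(parse_event, text.splitlines()) if ev]


def description_fields(ev):
    """Split an XP 'Label: value Label: value' description into a dict."""
    parts = LABEL_RE.split(ev["description"])
    return dict(zip(parts[1::2], parts[2::2]))


def classify_logon(ev):
    """Verdict for a 528 Successful Logon; None for any other event."""
    if ev["event_id"] != 528:
        return None
    f = description_fields(ev)
    if f.get("Logon Process") != "Advapi":
        return "other-logon-process"
    # Logon Type 5 is a service logon; a built-in service account arriving this
    # way is the Service Control Manager starting a service.
    if f.get("Logon Type") == "5" and f.get("User Name") in SERVICE_ACCOUNTS:
        return "service-start"
    # Any other Advapi logon is some process calling LogonUser with credentials:
    # runas, a scheduled task, a script, or something less welcome. Find the caller.
    return "advapi-credential-logon"


def sensitive_privileges(ev):
    """Sensitive privileges granted by a 576 event; empty for other events."""
    if ev["event_id"] != 576:
        return set()
    return set(description_fields(ev).get("Privileges", "").split()) & SENSITIVE_PRIVILEGES


def find_popup(events):
    return next((e for e in events if "lsass.exe" in e["description"]), None)


def events_near(events, anchor, window=timedelta(seconds=2)):
    """Other events within +/- window of anchor (window is an assumed value)."""
    return [e for e in events if e is not anchor and abs(e["time"] - anchor["time"]) <= window]


def review(text):
    """Return (events, findings) for a pasted Event Viewer text export."""
    events = parse_events(text)
    findings = []
    for ev in events:
        stamp = ev["time"].strftime("%H:%M:%S")
        if classify_logon(ev) == "advapi-credential-logon":
            f = description_fields(ev)
            findings.append(f"{stamp} 528 Advapi logon type {f.get('Logon Type')} for "
                            f"{ev['user']}: not a service start, find the caller")
        privs = sensitive_privileges(ev)
        if privs:
            findings.append(f"{stamp} 576 {ev['user']} received {' '.join(sorted(privs))}")
    return events, findings


if __name__ == "__main__":
    evs, notes = review(SAMPLE_EVENTS)
    popup = find_popup(evs)
    print("within 2s of the lsass popup:",
          [(e["source"], e["event_id"], e["user"]) for e in events_near(evs, popup)])
    for note in notes:
        print(note)
```

Run as-is it prints the four events that share the popup's second (the PDEngine start and the two service logons with their 576s) and two findings for the made-up HOMEPC\pat rows; for a real case, export the Security, System and Application logs as tab-delimited text, concatenate them and pass the text to review(). With the Logon IDs intact in a real export, each 528 can be joined to its 576 by Logon ID rather than by timestamp.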
-
May have found something. Will need to do a bit more research, but here is where I am at: The lsass error occurs at 4:36:07pm in the app evt log. In the Security evt log, this program Advapi executes at the same time. Did a look up at Castlecops, please see link: http://castlecops.com/startuplist-146.html I have to look deeper to see if this file is at all legitimate but from my soft search, the answer is no: See google search: http://www.google.com/search?q=advapi&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official Don't do anything with it till I see if I can get a clear-cut answer on that file. Back to ya soon..... Edit: Here is an interesting search result! http://www.google.com/search?q=advapi+legitimate&hl=en&hs=BJj&lr=&client=firefox-a&rls=org.mozilla:en-US:official&start=0&sa=N
-
Yes, but its happening right after the event log starts, so it could be something going on prior to the event log starting. Gotta go. Will try to sort thru the logs tom. evening. Good Evening!! :)
-
No, it's under services in your control panel way down at the bottom of the list. Sticky spacebar? I don't remember this issue. Does it delete the lines or act like a backspace key?
-
You can disable the MS time service if you want, since it isn't running correctly anyway. What are the service control manager errors saying? I can barely read the timestamps but it looks awfully close to the same time as the lsass error. I see the applic. popups as well. I forget, you are running a router, right? Edit: My stupid, never mind about the router question...... BTW: that error does not look like your typical Microsoft error popup, to me anyway. Also, what are some of those informational SCM (Service Control Manager) events saying? There are a lot of them.........
-
Congrats on being almost famous! Look at me, I'm supposed to "Know(s) what's up" but your computer is putting me to shame :haha: :haha: Did you get my PM for the pic thing?
-
Yeah, Mondays can be difficult! Haven't tried SpywareBlaster yet but may give it a one shot if I can download the whole install to CD-ROM? I don't remember that particular error prior to the lsass popup. Sure, go ahead and send them along. If it's the error I think it is, it's not unusual... But we shall see......... The HP is not on the net and won't be again until I get a clear scan on each profile. I've made that mistake too many times. What I fear is there is a trojan or adware/malware that updated at the same time all of the tools updated, so it is not being found. Also, it has 4 profiles so each has to be cleaned individually. Just started another and have found abx trojan downloader along with surfsidekick (which I've found in all of them so far). I'm going to have to sign off soon, but send the info along. We'll see what's what and give 'em what for! :haha: Have a good eve! Just saw your note. Don't like the redirection either! Yup, this machine also had the 180solutions. I swear the HP has had it all..... Freeware really isn't free, is it? Thanks for the info about MS antispy...... gotta tout their site somehow 'cause they don't have enough, never enough, of the market yet! :haha: Picture this: Billy Gates back in the '70's! :haha:
-
If you are doing it, go thru Device Manager and update the driver manually by selecting floppy, or CD-ROM or the directory where the install files are. Been a while since I've done this, so I will need to look up specifics if you are unsure of how to do it this way. Be doin' better if this HP I'm working on would just give up and get clean. Had ICANNEWS on it, only way I found to get rid of it was to deny the computer (System account) permissions to the .dll file. Only then was I able to get rid of it.... I think. The file I was able to get rid of, mhaatext.dll, was actually protecting the running adware which consisted of three other dll's. Right now I'm scanning again with MS antispyware, the only scanner that found it. Just came up clean on that profile, now just started scanning another... Guess what, 2 adwares so far,,,,,,,,, BTW: Tired, but still kickin'. How about you?
-
No, it doesn't work that way. Thought that you would know that. Sorry about that..... :oops: I assumed and we all know what that does..... Do you have all of the drivers for your hardware devices? (vid card, monitor, sound card, etc.) If you haven't guessed I'm going to ask you to re-install the device drivers for all of the hardware you have the drivers for. What do you think?