From: ICU on
Jose <jose_ease(a)yahoo.com> wrote in
news:b17f1716-0272-41ca-a0b4-9c8c86d8b949(a)a32g2000yqm.googlegroups.com:

> On Oct 16, 1:47 pm, ICU <I...(a)Nowhere.com> wrote:
>> Jose <jose_e...(a)yahoo.com> wrote in
>> news:c92c7409-24bf-49c8-9e03-a5e066b8f604(a)m38g2000yqd.googlegroups.com:
>>
>> > On Oct 15, 5:49 pm, ICU <I...(a)Nowhere.com> wrote:
>> >> Thanks for the reply.
>>
>> >> Well I do have a virus program running and kept up to date and I
>> >> do keep WinXP up to date and yes the procedures sound long and
>> >> complex, unfortunately a local or independent computer repair shop
>> >> visit is just not in the cards for a number of reasons.
>> >> Thanks for the reply.
>>
>> >> ICU
>>
>> >> "PA Bear [MS MVP]" <PABear...(a)gmail.com> wrote in
>> >> news:eKMQNbcTKHA.5052(a)TK2MSFTNGP05.phx.gbl:
>>
>> >> > You are seeing the effects of a hijackware infection!
>>
>> >> > NB: If you had no anti-virus application installed or the
>> >> > subscription had expired *when the machine first got infected*
>> >> > and/or your subscription has since expired and/or the machine's
>> >> > not been kept fully-patched at Windows Update, don't waste your
>> >> > time with any of the below: Format & reinstall Windows. A
>> >> > Repair Install will NOT help!
>>
>> >> > 1. See if you can download/run the MSRT manually:
>> >> >http://www.microsoft.com/security/malwareremove/default.mspx
>>
>> >> > NB: Run the FULL scan, not the QUICK scan! You may need to
>> >> > download the MSRT on a non-infected machine, then transfer
>> >> > MRT.EXE to the infected machine and rename it to SCAN.EXE before
>> >> > running it.
>>
>> >> > 2a. WinXP => Run the Windows Live Safety Center's 'Protection'
>> >> > scan (only!) in Safe Mode with Networking, if need be:
>> >> >http://onecare.live.com/site/en-us/center/howsafe.htm
>>
>> >> > 2b. Vista or Win7=> Run this scan instead:
>> >> >http://onecare.live.com/site/en-us/center/whatsnew.htm
>>
>> >> > 3. Run a /thorough/ check for hijackware, including posting
>> >> > requested logs in an appropriate forum, not here.
>>
>> >> > Checking for/Help with Hijackware:
>> >> > • http://aumha.net/viewtopic.php?f=30&t=4075
>>
>> >> > • http://mvps.org/winhelp2002/unwanted.htm
>> >> > • http://inetexplorer.mvps.org/tshoot.html
>> >> > • http://www.mvps.org/sramesh2k/Malware_Defence.htm
>> >> > • http://www.elephantboycomputers.com/page2.html#Removing_Malware
>>
>> >> > **Chances are you will need to seek expert assistance in
>> >> >http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
>> >> >http://www.spywarewarrior.com/viewforum.php?f=5,
>> >> >http://www.dslreports.com/forum/cleanup,
>> >> >http://www.bluetack.co.uk/forums/index.php,
>> >> > http://aumha.net/viewforum.php?f=30 or other appropriate forums.**
>>
>> >> > If these procedures look too complex - and there is no shame in
>> >> > admitting this isn't your cup of tea - take the machine to a
>> >> > local, reputable and independent (i.e., not BigBoxStoreUSA)
>> >> > computer repair shop.
>>
>> > Reduce the chances of malicious software by running some scans.
>>
>> > Download, install, update and do a full scan with these free
>> > malware detection programs:
>>
>> > Malwarebytes (MBAM): http://malwarebytes.org/
>> > SUPERAntiSpyware (SAS): http://www.superantispyware.com/
>>
>> > These can be uninstalled later if desired.
>>
>> Thanks for the reply and the suggestions.
>> I've downloaded both and run them. Malware found the files I already
>> thought were the culprits, removed them, but I found them back
>> again, so I tried a scan again, found them again and removed them;
>> hopefully they are gone for good now but I somehow doubt it.
>>
>> ICU
>
> Are we supposed to guess what the culprit files are and what do you do
> between the time they are removed and the time they come back?
>
> If you remove the culprit files and visit a WWW site (or do something)
> that reinfects your machine, you should not go there, or expect to be
> infected when you do. I have heard there are some WWW sites that will
> infect your system with just a visit.
>

Nope, no guessing, just read the subject line for the culprit file.
No visiting Web sites to get reinfected; the file just reappears after a
reboot.
Thanks for the reply.

ICU

From: Jose on
On Oct 16, 3:30 pm, ICU <I...(a)Nowhere.com> wrote:
> Jose <jose_e...(a)yahoo.com> wrote in news:b17f1716-0272-41ca-a0b4-9c8c86d8b949(a)a32g2000yqm.googlegroups.com:
>
> > On Oct 16, 1:47 pm, ICU <I...(a)Nowhere.com> wrote:
> >> Jose <jose_e...(a)yahoo.com> wrote in
> >> news:c92c7409-24bf-49c8-9e03-a5e066b8f6...(a)m38g2000yqd.googlegroups.com:
>
> >> > On Oct 15, 5:49 pm, ICU <I...(a)Nowhere.com> wrote:
> >> >> Thanks for the reply.
>
> >> >> Well I do have a virus program running and kept up to date and I
> >> >> do keep WinXP up to date and yes the procedures sound long and
> >> >> complex, unfortunately a local or independent computer repair shop
> >> >> visit is just not in the cards for a number of reasons.
> >> >> Thanks for the reply.
>
> >> >> ICU
>
> >> >> "PA Bear [MS MVP]" <PABear...(a)gmail.com> wrote in
> >> >> news:eKMQNbcTKHA.5052(a)TK2MSFTNGP05.phx.gbl:
>
> >> >> > You are seeing the effects of a hijackware infection!
>
> >> >> > NB: If you had no anti-virus application installed or the
> >> >> > subscription had expired *when the machine first got infected*
> >> >> > and/or your subscription has since expired and/or the machine's
> >> >> > not been kept fully-patched at Windows Update, don't waste your
> >> >> > time with any of the below: Format & reinstall Windows.  A
> >> >> > Repair Install will NOT help!
>
> >> >> > 1. See if you can download/run the MSRT manually:
> >> >> >http://www.microsoft.com/security/malwareremove/default.mspx
>
> >> >> > NB: Run the FULL scan, not the QUICK scan!  You may need to
> >> >> > download the MSRT on a non-infected machine, then transfer
> >> >> > MRT.EXE to the infected machine and rename it to SCAN.EXE before
> >> >> > running it.
>
> >> >> > 2a. WinXP => Run the Windows Live Safety Center's 'Protection'
> >> >> > scan (only!) in Safe Mode with Networking, if need be:
> >> >> >http://onecare.live.com/site/en-us/center/howsafe.htm
>
> >> >> > 2b. Vista or Win7=> Run this scan instead:
> >> >> >http://onecare.live.com/site/en-us/center/whatsnew.htm
>
> >> >> > 3. Run a /thorough/ check for hijackware, including posting
> >> >> > requested logs in an appropriate forum, not here.
>
> >> >> > Checking for/Help with Hijackware:
> >> >> > • http://aumha.net/viewtopic.php?f=30&t=4075
>
> >> >> > • http://mvps.org/winhelp2002/unwanted.htm
> >> >> > • http://inetexplorer.mvps.org/tshoot.html
> >> >> > • http://www.mvps.org/sramesh2k/Malware_Defence.htm
> >> >> > • http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> >> >> > **Chances are you will need to seek expert assistance in
> >> >> >http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
> >> >> >http://www.spywarewarrior.com/viewforum.php?f=5,
> >> >> >http://www.dslreports.com/forum/cleanup,
> >> >> >http://www.bluetack.co.uk/forums/index.php,
> >> >> > http://aumha.net/viewforum.php?f=30 or other appropriate forums.**
>
> >> >> > If these procedures look too complex - and there is no shame in
> >> >> > admitting this isn't your cup of tea - take the machine to a
> >> >> > local, reputable and independent (i.e., not BigBoxStoreUSA)
> >> >> > computer repair shop.
>
> >> > Reduce the chances of malicious software by running some scans.
>
> >> > Download, install, update and do a full scan with these free
> >> > malware detection programs:
>
> >> > Malwarebytes (MBAM):  http://malwarebytes.org/
> >> > SUPERAntiSpyware (SAS):  http://www.superantispyware.com/
>
> >> > These can be uninstalled later if desired.
>
> >> Thanks for the reply and the suggestions.
> >> I've downloaded both and run them. Malware found the files I already
> >> thought were the culprits, removed them, but I found them back
> >> again, so I tried a scan again, found them again and removed them;
> >> hopefully they are gone for good now but I somehow doubt it.
>
> >> ICU
>
> > Are we supposed to guess what the culprit files are and what do you do
> > between the time they are removed and the time they come back?
>
> > If you remove the culprit files and visit a WWW site (or do something)
> > that reinfects your machine, you should not go there, or expect to be
> > infected when you do.  I have heard there are some WWW sites that will
> > infect your system with just a visit.
>
> Nope, no guessing, just read the subject line for the culprit file.
> No visiting Web sites to get reinfected; the file just reappears after a
> reboot.
> Thanks for the reply.
>
> ICU

I don't understand this "says something about" part:

It's just a flash on the screen that says something about HKLMU.exe
and that .DLL initialization failed.

What is the message, exactly?


The file is located in Windows\System32\Driver, no other file in this
folder, and I cannot get any identification on this file.

Are you saying the hklmu.exe is in the c:\windows\system32\drivers
folder? How did you discover that?


This file is also mentioned in the Prefetch folder as well.

Where/how is it "mentioned" in the prefetch folder? Are you saying
you have hklmu.exe in c:\windows\prefetch, or is it mentioned, and what
does "mentioned" mean? There should not be anything with a .exe
extension in the prefetch folder - there might be some .pf files.

Did you search your system for hklmu.exe and list the results?


Look in the Event Log for helpful messages and post them back here:

Here is a method to post the specific information about individual
events.

To see the Event Viewer logs, click Start, Settings, Control Panel,
Administrative Tools, Event Viewer.

A shortcut to Event Viewer is to click Start, Run and in the box
enter:

%SystemRoot%\system32\eventvwr.msc /s

Click OK to launch the Event Viewer.

The most interesting logs are usually the Application and System.
Some logs may be almost or completely empty.
Not every event is a problem; some are informational messages that
things are working okay.


Each event is sorted by Date and Time. Errors will have red Xs,
Warnings will have yellow !s, and Information messages have white i's.
Not every Error or Warning event means there is a serious issue.
Some are excusable at startup time when Windows is booting.

If you double click an event, it will open a Properties window with
more information. On the right are black up and down arrow buttons to
scroll through the open events. The third button, which looks like two
pages on top of each other, is used to copy the event details to your
Windows clipboard.

When you find an interesting event that occurred around the time of
your issue, click the third button under the up and down arrows to copy
the details, and then you can paste the detail text (right click, Paste,
or CTRL-V) back here for analysis.

To get a fresh start on any Event Viewer log, you can choose to clear
the log (backing up the log is offered), then reproduce your issue, then
look at just the events around the time of your issue.
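The three checks Jose asks for above (where the file really sits, what the Prefetch entry is, and which events were logged around the last shutdown) can be collected in one pass. This is an added example, not code from the thread; it assumes Windows PowerShell with the Get-EventLog cmdlet, run from an Administrator prompt on the affected machine, and uses the file name and paths reported in the thread.

```powershell
# Added triage script, not from the thread. Assumes Windows PowerShell (the
# Get-EventLog cmdlet: XP with PowerShell 2.0 through Windows PowerShell 5.1)
# run from an Administrator prompt. The file name hklmu.exe and the
# "system32\driver" (no trailing s) path are the ones reported in the thread.
$name = 'hklmu.exe'
$root = $env:SystemRoot

# 1. Where does the file actually live? Windows ships system32\drivers, not
#    system32\driver, so a lone executable in the latter is itself suspicious.
foreach ($dir in "$root\system32\driver", "$root\system32\drivers") {
    if (-not (Test-Path -LiteralPath $dir)) { "$dir does not exist"; continue }
    Get-ChildItem -LiteralPath $dir -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Size, timestamps and Authenticode status help identify an unknown binary
            $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            '{0}  {1} bytes  created {2}  modified {3}  signature={4}' -f `
                $_.FullName, $_.Length, $_.CreationTime, $_.LastWriteTime, $sig
        }
}

# 2. Prefetch keeps EXENAME-HASH.pf entries: a .pf file only records that the
#    program has been run; it is evidence of execution, not a second copy.
Get-ChildItem -LiteralPath "$root\Prefetch" -Filter ("{0}-*.pf" -f $name.ToUpper()) `
    -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime

# 3. Events around the last clean shutdown. Event 6006 from source EventLog is
#    written when the event log service stops, i.e. at shutdown.
$shutdown = Get-EventLog -LogName System -Newest 5000 |
    Where-Object { $_.Source -eq 'EventLog' -and $_.EventID -eq 6006 } |
    Select-Object -First 1
if ($shutdown) {
    $t = $shutdown.TimeGenerated
    "Last shutdown logged at $t; errors/warnings in the five minutes before it:"
    foreach ($log in 'System', 'Application') {
        Get-EventLog -LogName $log -After $t.AddMinutes(-5) -Before $t.AddMinutes(1) `
            -EntryType Error, Warning -ErrorAction SilentlyContinue |
            Select-Object TimeGenerated, EntryType, Source, EventID, Message
    }
}

# 4. Any recent event whose message names the file (wildcard match on the text).
foreach ($log in 'System', 'Application') {
    Get-EventLog -LogName $log -Newest 5000 -Message "*$name*" -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, Source, EventID, Message
}
```

Paste the output of steps 1 and 3 into the reply rather than a summary; the signature status and the event Source/ID are what let someone else identify the binary and the component that failed.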
From: ICU on
Jose <jose_ease(a)yahoo.com> wrote in
news:673ec00b-c449-4f1f-8045-b87110f02ca2(a)j19g2000yqk.googlegroups.com:

A whole lot edited here.
>
> I don't understand this "says something about" part:
>
> It's just a flash on the screen that says something about HKLMU.exe
> and that .DLL initialization failed.
>
> What is the message exactly.

It says "The Application failed to initialize because Windows is shutting
down"
This happens each time I shut down, except if I shut down without using any
program; then it just shuts down with no flash message.

>
>
> The file is located in Windows\System32\Driver, no other file in this
> folder and I can not get any identidication on this file.
>
> Are you saying the hklmu.exe is in the c:\windows\system32\drivers
> folder? How did you discover that?

No, I am saying Hklmu.exe is in the c:\windows\systems32\driver folder, no
"S"; the folder that is the Drivers folder is well populated.

>
> This file is also mentioned in the Prefetch foler as well.
>
> Where/how is it "mentioned" in the prefetch folder? Are you saying
> you have hklmu.exe in c\windows\prefetch or is it mentioned and what
> does mentioned mean? There should not be anything with a .exe
> extension in the prefetch folder - there might be some .pf files.

I used the word "mentioned" to indicate the file is listed in the
Prefetch as a .pf file

>
> Did you search your system for hklmu.exe and list the results.

That's how I found the file; I got the file name from the flash when I
shut down.
The rest of these suggestions I haven't followed up on yet, but will do
shortly.

Thanks for the reply.

ICU


>
>
> Look in the Event Log for helpful messages and post them back here:
>
> Here is a method to post the specific information about individual
> events.
>
> To see the Event Viewer logs, click Start, Settings, Control Panel,
> Administrative Tools, Event Viewer.
>
> A shortcut to Event Viewer is to click Start, Run and in the box
> enter:
>
> %SystemRoot%\system32\eventvwr.msc /s
>
> Click OK to launch the Event Viewer.
>
> The most interesting logs are usually the Application and System.
> Some logs may be almost or completely empty.
> Not every event is a problem; some are informational messages that
> things are working okay.
>
>
> Each event is sorted by Date and Time. Errors will have red Xs,
> Warnings will have yellow !s.
> Information messages have white i's. Not every Error or Warning event
> means there is a serious issue.
> Some are excusable at startup time when Windows is booting.
>
> If you double click an event, it will open a Properties window with
> more information. On the right are
> black up and down arrow buttons to scroll through the open events. The
> third button that looks like
> two pages on top of each other is used to copy the event details to
> your Windows clipboard.
>
> When you find an interesting event that occurred around the time of
> your issue, click the third button
> under the up and down arrows to copy the details and then you can
> paste the details (right click, Paste
> or CTRL-V) the detail text back here for analysis.
>
> To get a fresh start on any Event Viewer log, you can choose to clear
> the log (backing up the log is offered),
> then reproduce your issue, then look at just the events around the
> time of your issue.
>

From: Jose on
> Are you saying the hklmu.exe is in the c:\windows\system32\drivers
> folder? How did you discover that?


No, I am saying Hklmu.exe is in the c:\windows\systems32\driver folder,
no
"S"; the folder that is the Drivers folder is well populated.

Curious.

I have never seen

c:\windows\systems32\driver folder.

There should be:

c:\windows\system32\drivers

I do not think there should be a "systems32" anything and there should
be a "c:\windows\system32\drivers" folder with stuff in it, but no
"driver" folder.

You ran MBAM and SAS, as requested?

Yes - only .pf files should be in the prefetch folder.

Check/post the event log also for messages that are timestamped to
coincide with your last shutdown.

Please verify the spellings and paths and be sure there are no
typos (it happens), somebody else please verify me, and then we'll see
if we can get you fixed up.
From: Ken Blake, MVP on

Please ensure that the quoted text you are responding to has a > at
the beginning of every line. Your message without the >s is almost
impossible to understand, since I can't tell what you said and what
the person you were responding to said.



On Sat, 17 Oct 2009 14:11:33 -0700 (PDT), Jose <jose_ease(a)yahoo.com>
wrote:

> > Are you saying the hklmu.exe is in the c:\windows\system32\drivers
> > folder? How did you discover that?
>
>
> No, I am saying Hklmu.exe is in the c:\windows\systems32\driver folder,
> no
> "S"; the folder that is the Drivers folder is well populated.
>
> Curious.
>
> I have never seen
>
> c:\windows\systems32\driver folder.
>
> There should be:
>
> c:\windows\system32\drivers
>
> I do not think there should be a "systems32" anything and there should
> be a "c:\windows\system32\drivers" folder with stuff in it, but no
> "driver" folder.
>
> You ran MBAM and SAS, as requested?
>
> Yes - only .pf files should be in the prefetch folder.
>
> Check/post the event log also for messages that are timestamped to
> coincide with your last shutdown.
>
> Please verify the spellings and paths and be sure there are no
> typos (it happens), somebody else please verify me, and then we'll see
> if we can get you fixed up.

--
Ken Blake, Microsoft MVP (Windows Desktop Experience) since 2003
Please Reply to the Newsgroup