Strange dialog box (unknown characters) BEFORE Windows logon screen .. any help?

[Curtis Newton]

Not really sure what else to do. I have run Drweb AV, McAfee AV and
TrendMicro AV along with anti-spyware from ewido, spybot, xoftspy and
adware. The PC is clean and working good, except for one annoying
thing.

When the computer first boots up (before the screen that has the login
icons), a dialog box comes up and at the top of the box, it is some
type of foreign characters (I am assuming it is Chinese characters).
Inside the actual dialog box is one character (it looks like a small
box). The only option is to hit 'OK'. Once you hit 'OK', the computer
takes you to the login screen and from there the computer works great.

Upon reboot, it starts all over.

Here is a link to the picture:

http://img127.imageshack.us/img127/8854/odear5xe.jpg


Here is the Logfile of HijackThis v1.99.1
Scan saved at 4:05:28 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1156433473\ee\AOLSoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T
Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T
Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://register.hp.com/servlet/WebReg.serv...11AA&LF=red
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
- C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common
Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common
Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common
Files\AOL\1156433473\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program
Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program
Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan
Control) - http://download.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online -
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service
(LightScribeService) - Unknown owner - c:\Program Files\Common
Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network
Associates, Inc. - C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network
Associates, Inc. - C:\Program Files\Network
Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) -
Network Associates, Inc. - C:\Program Files\Network
Associates\VirusScan\VsTskMgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -
America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

[Robert Gault]

Not really sure what else to do. I have run Drweb AV, McAfee AV and
TrendMicro AV along with anti-spyware from ewido, spybot, xoftspy and
adware. The PC is clean and working good, except for one annoying
thing.
<snip>

Use the F8 key to halt the computer before the OS starts. Select boot
logging with confirmation of each step. Clearly something is loading
that is not working correctly. Prevent everything from loading except
system files. If that fixes the problem, it should not take very long to
find the specific software causing the "problem."

 

[WTC]

When the computer first boots up (before the screen that has the login
icons), a dialog box comes up and at the top of the box, it is some
type of foreign characters (I am assuming it is Chinese characters).
Inside the actual dialog box is one character (it looks like a small
box). The only option is to hit 'OK'. Once you hit 'OK', the computer
takes you to the login screen and from there the computer works great.

Upon reboot, it starts all over.

Here is a link to the picture:

http://img127.imageshack.us/img127/8854/odear5xe.jpg

Are you using Windows XP Pro??

If you are then go to: Control Panel > Administrative Tools > Local Security
Policy > Security Options. Now Double-click "Interactive logon: Message text
for users attempting to log on" and ensure there is nothing in the Text box
field. Do the same for "Interactive logon: "Message title for users
attempting to log on".

If you are using XP Home or Pro then edit the registry at this location:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
Delete "legalnoticecaption" and "legalnoticetext".

Restart computer and see if this box disappears.

 

[Curtis Newton]

When the computer first boots up (before the screen that has the login
icons), a dialog box comes up and at the top of the box, it is some
type of foreign characters (I am assuming it is Chinese characters).
Inside the actual dialog box is one character (it looks like a small
box). The only option is to hit 'OK'. Once you hit 'OK', the computer
takes you to the login screen and from there the computer works great.

Upon reboot, it starts all over.

Here is a link to the picture:

http://img127.imageshack.us/img127/8854/odear5xe.jpg

Are you using Windows XP Pro??

If you are then go to: Control Panel > Administrative Tools > Local Security
Policy > Security Options. Now Double-click "Interactive logon: Message text
for users attempting to log on" and ensure there is nothing in the Text box
field. Do the same for "Interactive logon: "Message title for users
attempting to log on".

If you are using XP Home or Pro then edit the registry at this location:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
Delete "legalnoticecaption" and "legalnoticetext".

Restart computer and see if this box disappears.

I will give that a shot, thanks for the reply.

 

[Curtis Newton]

When the computer first boots up (before the screen that has the login
icons), a dialog box comes up and at the top of the box, it is some
type of foreign characters (I am assuming it is Chinese characters).
Inside the actual dialog box is one character (it looks like a small
box). The only option is to hit 'OK'. Once you hit 'OK', the computer
takes you to the login screen and from there the computer works great.

Here is a link to the picture:

http://img127.imageshack.us/img127/8854/odear5xe.jpg

Are you using Windows XP Pro??

If you are using XP Home or Pro then edit the registry at this location:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
Delete "legalnoticecaption" and "legalnoticetext".

Restart computer and see if this box disappears.

XP Home and there wasn't either entry in the registry. Very strange I
am thinking.

I haven't tried to step through on the boot process ... if I were to
do a bootlog (is that still an option), will that show me any unusual
activity on bootup???

Thanks.

 

[WTC]

When the computer first boots up (before the screen that has the login
icons), a dialog box comes up and at the top of the box, it is some
type of foreign characters (I am assuming it is Chinese characters).
Inside the actual dialog box is one character (it looks like a small
box). The only option is to hit 'OK'. Once you hit 'OK', the computer
takes you to the login screen and from there the computer works great.

Here is a link to the picture:

http://img127.imageshack.us/img127/8854/odear5xe.jpg

Are you using Windows XP Pro??

If you are using XP Home or Pro then edit the registry at this location:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
Delete "legalnoticecaption" and "legalnoticetext".

Restart computer and see if this box disappears.

XP Home and there wasn't either entry in the registry. Very strange I
am thinking.

I haven't tried to step through on the boot process ... if I were to
do a bootlog (is that still an option), will that show me any unusual
activity on bootup???

Thanks.

Curtis, could you export this part of the registry and email to me?



[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]



Right-click "Winlogon" and select EXPORT. Name the file Winlogon.reg to your
Desktop. Then rename Winlogon.reg to Winlogon.TXT. Then email me the file.
Thanks.

 

[Curtis Newton]

XP Home and there wasn't either entry in the registry. Very strange I
am thinking.

I haven't tried to step through on the boot process ... if I were to
do a bootlog (is that still an option), will that show me any unusual
activity on bootup???

Thanks.

Curtis, could you export this part of the registry and email to me?



[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]



Right-click "Winlogon" and select EXPORT. Name the file Winlogon.reg to your
Desktop. Then rename Winlogon.reg to Winlogon.TXT. Then email me the file.
Thanks.

Sure will. I won't be able to get back to the computer until next
week, but I will do it then,

Thanks again for your assistance!

 

[Curtis Newton]

Curtis, could you export this part of the registry and email to me?



[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]



Right-click "Winlogon" and select EXPORT. Name the file Winlogon.reg to your
Desktop. Then rename Winlogon.reg to Winlogon.TXT. Then email me the file.
Thanks.

I emailed the file to you ... thanks again. Hopefully, you got it
okay.

 

[WTC]

Curtis, could you export this part of the registry and email to me?



[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]



Right-click "Winlogon" and select EXPORT. Name the file Winlogon.reg to
your
Desktop. Then rename Winlogon.reg to Winlogon.TXT. Then email me the file.
Thanks.

I emailed the file to you ... thanks again. Hopefully, you got it
okay.

Curtis, I do not see anything here that is causing the problem in the file
you sent me.

Could you please scan the registry for these two items (without the quotes)
and write down the locations to email me (if there is any values please let
me know as well).


"LegalNoticeCaption"
"LegalNoticeText"

To scan the registry, open the Edit menu and select Find.


Also download Autoruns from Sysinternal. Run the "autoruns.exe" file after
extracting from the ZIP file.

http://www.sysinternals.com/Utilities/Autoruns.html

If you could send the start up files for the Everything tab, it would be a
great help.

Here is how to do this:

1. Run autoruns.exe
2. Click on the Everything tab (may take some time to scan, once you see
"Ready" in the left bottom corner, then you are ready to save a file).
3. Under the FILE menu select "Save As..." to save the file to desktop. Call
this file "everything.txt".
4. Click on the Winlogon tab.
5. Maximize the Autoruns window.
6. Take a screen shot of the Autorun Window. (Use "ALT + Print Screen"
keyboard combination to capture a screen shot). Open up MS Paint and paste
the screen shot by selecting the Edit menu then selecting Paste.
7. Save the file to desktop.

So you should have 2 files to send now.

Also when you are in Autoruns, look around for anything that mentions "File
not found". If you find an entry then highlight and right-click to select
DELETE.