
frequent freezing, requiring restart, and problem with Windows Installer


27 replies to this topic

#1 AliasJaneDoe

AliasJaneDoe

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:35 AM

Posted 21 September 2009 - 08:33 PM

My computer is freezing often, sometimes right after booting up or resuming from standby, but also randomly. Usually the mouse pointer still moves, but nothing else responds, not even ctrl-alt-del, and I'm forced to reboot.

Also, I needed to update Windows Installer, and this gives me an error about "access is denied" when I try running the update (the last two versions both did this). Running as admin in safe mode still gave this message. I was told it's likely a registry problem or malware by friends, but they didn't know how to fix it.

I'm using Windows XP Home, SP2.





Log removed per users request.

Edited by kahdah, 20 November 2009 - 07:32 AM.




#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:35 AM

Posted 08 October 2009 - 07:24 AM

Hello AliasJaneDoe

Welcome to BleepingComputer :(
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 AliasJaneDoe

AliasJaneDoe

Posted 07 November 2009 - 12:01 PM

Hello. Sorry it took me so long to reply. I had it set to notify me by e-mail of replies and it never did. Thanks so much if you're still willing to help me.

Here are the things you asked me to do, but the last scan gave me an unknown error of some kind. I was able to save the log, but then my computer froze and I had to restart.



Removed logs

Edited by kahdah, 20 November 2009 - 07:33 AM.


#4 AliasJaneDoe

AliasJaneDoe

Posted 07 November 2009 - 12:03 PM

It's still saying my Results.log is too long to post, so I'm attaching it.

#5 kahdah

kahdah


Posted 07 November 2009 - 12:08 PM

Hi yes you are infected but you have an illegal version of Windows.
Because of this you need to get a legal copy and I cannot help you.

Plus given some of the errors in the event log you need to do a reinstall anyway to fix the issues.

#6 AliasJaneDoe

AliasJaneDoe

Posted 08 November 2009 - 06:13 PM

Hi yes you are infected but you have an illegal version of Windows.
Because of this you need to get a legal copy and I cannot help you.

Plus given some of the errors in the event log you need to do a reinstall anyway to fix the issues.



Are you sure?! I was told it was legal. I guess you can't trust people on craigslist. But again, are you sure? And I looked into this a bit, and there's something called the Microsoft Genuine Advantage program. You can buy a legal copy of windows and not need to reinstall. Would that work for me? Or is a full reinstall of windows my *only* option? Because I don't have another drive to copy all my data onto, and reinstalling windows will wipe everything, won't it?

#7 kahdah

kahdah


Posted 09 November 2009 - 07:21 AM

Are you sure?! I was told it was legal. I guess you can't trust people on craigslist. But again, are you sure? And I looked into this a bit, and there's something called the Microsoft Genuine Advantage program. You can buy a legal copy of windows and not need to reinstall. Would that work for me? Or is a full reinstall of windows my *only* option? Because I don't have another drive to copy all my data onto, and reinstalling windows will wipe everything, won't it?

Yes it is illegal I can tell by this file here:
[2008/08/18 18:34:48 | 00,005,376 | R--- | C] () -- C:\WINDOWS\System32\antiwpa.dll
This file is placed on the system to bypass the Windows Genuine Validation.
Your best bet would be to call Microsoft. They would sell you a legitimate license key or check the validity of the one you have.
If they do that then come back here and we will finish the cleanup.
They can do this without a reinstall but because of some of the issues in the event log like this one:
This is why I recommend a reinstall.
[ Application Events ]
Error - 9/16/2009 1:36:15 AM | Computer Name = IRULAN-1130 | Source = Userenv | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with 
the default profile for the system. DETAIL - Access is denied. 

Error - 9/16/2009 1:38:31 AM | Computer Name = IRULAN-1130 | Source = Userenv | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with 
the default profile for the system. DETAIL - Access is denied. 

Error - 9/16/2009 1:38:31 AM | Computer Name = IRULAN-1130 | Source = Userenv | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with 
the default profile for the system. DETAIL - Access is denied. 

Error - 9/16/2009 2:01:38 AM | Computer Name = IRULAN-1130 | Source = Userenv | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with 
the default profile for the system. DETAIL - Access is denied. 

Error - 9/16/2009 2:01:38 AM | Computer Name = IRULAN-1130 | Source = Userenv | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with 
the default profile for the system. DETAIL - Access is denied.

And then there is this:

Error - 9/16/2009 4:20:12 AM | Computer Name = IRULAN-1130 | Source = Windows Product Activation | ID = 1009
Description = You have not activated Windows within the grace period. To activate
Windows, contact a customer service representative by telephone.


Edited by kahdah, 09 November 2009 - 07:21 AM.


#8 AliasJaneDoe

AliasJaneDoe

Posted 09 November 2009 - 10:05 PM

I'm going to call Microsoft tomorrow.

About the message, "Windows cannot load the user's profile but has logged you on with the default profile for the system," does it matter that I'm the only user on the computer? Wouldn't my profile be the default?

Is there any type of repair that can be done to a current install that might fix things? If a full reinstall is the only solution, then I need to go shop for a hard drive to move my data onto. Would my virus or whatever get copied to the new drive and reinfect me when I move my files back?

#9 kahdah

kahdah


Posted 10 November 2009 - 07:14 AM

Yes once you activate Windows you can try to create a different user account then transfer all of your documents to it and it should be fine.
But first I would like to remove the malware once Windows gets activated.

#10 AliasJaneDoe

AliasJaneDoe

Posted 13 November 2009 - 09:43 PM

Okay, I should be all nice and legal now, and my disc is in the mail in case I do need to do a complete reinstall. So, what's next?

#11 kahdah

kahdah


Posted 14 November 2009 - 06:51 AM

Ok let's see an updated log please.
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


#12 AliasJaneDoe

AliasJaneDoe

Posted 14 November 2009 - 08:08 PM

Removed log.

Edited by kahdah, 20 November 2009 - 07:34 AM.


#13 kahdah

kahdah


Posted 15 November 2009 - 12:36 PM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2008/08/18 18:34:48 | 00,005,376 | R--- | C] () -- C:\WINDOWS\System32\antiwpa.dll
    O4 - HKLM..\Run: [InvisibleBrowsing] File not found
    O4 - HKLM..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe File not found
    O4 - HKLM..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe File not found
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    SRV - (WUSB54Gv42SVC) -- File not found
    SRV - (MSIServer) -- File not found
    SRV - (Avg7UpdSvc) -- File not found
    SRV - (Avg7Alrt) -- File not found
    SRV - (AntiVirService) -- File not found
    SRV - (AntiVirScheduler) -- File not found
    SRV - (Adobe Version Cue CS3) -- File not found
    SRV - (aawservice) -- File not found
    
    
    :Commands
    [purity]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
================================Malwarebytes' Anti-Malware=================================
Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
================================Online scan=================================
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


#14 AliasJaneDoe

AliasJaneDoe

Posted 15 November 2009 - 05:04 PM

I did what you said with OTL, and it froze with the message "range check error." I restarted my computer, but my net connection had been somehow disabled and I couldn't fix it. I had to do a system restore to get it back. In your code that I pasted, there was the line "SRV - (WUSB54Gv42SVC) -- File not found" and I think "WUSB54Gv42SVC" is quite possibly my internet (I'm through a router). Did you disable it on purpose? How should I proceed from here? Continue to the next step, or repeat the OTL with different settings?

This is the log it gave me:


Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_150.dat not found!

Registry entries deleted on Reboot...

#15 kahdah

kahdah


Posted 16 November 2009 - 09:30 PM

Do you still use a Linksys wireless USB adapter?
The system said that the file was no longer present on the system.
Therefore that is called an orphaned registry entry and a service that is set to boot with the system for nothing.
The ones below it are all legitimate too but they are also orphans.

Please continue on with the next steps.
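Added example, not part of the original thread and not OTL's own code: a small parser that applies the "orphaned entry" idea from post #15 to the OTL lines quoted in post #13, separating entries whose target file or CLSID is missing from entries that still resolve. The `ExampleSvc` line and the `BUILTIN_SERVICES` list are constructed assumptions for illustration.

```python
import re

# Lines from the OTL fix script in post #13, plus one constructed healthy entry (ExampleSvc).
SAMPLE = r"""
O4 - HKLM..\Run: [InvisibleBrowsing] File not found
O4 - HKLM..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe File not found
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
SRV - (WUSB54Gv42SVC) -- File not found
SRV - (MSIServer) -- File not found
SRV - (aawservice) -- File not found
SRV - (ExampleSvc) -- C:\Example\svc.exe
"""

# One pattern per OTL line type that appears in the thread.
PATTERNS = [
    ("service", re.compile(r"^SRV - \((?P<name>[^)]*)\) -- (?P<rest>.*)$")),
    ("run key", re.compile(r"^O4 - \S+?\\Run: \[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$")),
    ("BHO", re.compile(r"^O2 - BHO: \([^)]*\) - (?P<name>\{[0-9A-Fa-f-]+\}) - (?P<rest>.*)$")),
]
# Trailing markers OTL prints when the registry entry points at nothing.
MISSING = ("File not found", "No CLSID value found.")

# Assumption: illustrative list of services that ship with Windows.
# MSIServer is the Windows Installer service.
BUILTIN_SERVICES = {"msiserver"}

def parse_line(line):
    """Return a dict describing one OTL entry, or None for unrecognised lines."""
    line = line.strip()
    for kind, rx in PATTERNS:
        m = rx.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        marker = next((s for s in MISSING if rest.endswith(s)), None)
        target = rest[: -len(marker)].strip() if marker else rest
        return {
            "kind": kind,
            "name": m.group("name"),
            "target": target or None,  # last known path, if OTL printed one
            "orphan": marker is not None,
            "builtin": kind == "service" and m.group("name").lower() in BUILTIN_SERVICES,
        }
    return None

def triage(text):
    """Split parsed entries into (all entries, orphaned entries)."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return entries, [e for e in entries if e["orphan"]]

if __name__ == "__main__":
    for e in triage(SAMPLE)[1]:
        note = "  <- ships with Windows, review before deleting" if e["builtin"] else ""
        print(f'{e["kind"]:8} {e["name"]:40} last target: {e["target"]}{note}')
```
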



