Firefox won't run and Windows Updates won't install.


  • This topic is locked
26 replies to this topic

#16 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,207 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:37 AM

Posted 01 December 2009 - 04:29 AM

First of all, a question, is your copy of Windows XP legit?

If so, please try following the steps here

If you are not sure on how to do that or if you have any problems, let me know :(

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft




#17 leobacko

leobacko
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 01 December 2009 - 07:33 PM

Yes, my copy of Windows is Genuine.

I followed the steps. I ran the validation tool, which confirmed it's a genuine copy. Then rebooted and tried the updates and still failed.

Here is the validation log.

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-RVF66-GP7VM-8CFT3
Windows Product Key Hash: tJB30tZY737ZFJYewUg2SpzsCb0=
Windows Product ID: 76487-OEM-2211906-00825
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.med
ID: {0C16AEBF-6053-4272-831D-51A0D17808E0}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 108 Invalid VLK
Microsoft Office Professional Edition 2003 - 108 Invalid VLK
Microsoft Office Small Business Edition 2003 - 104 Unknown PID
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_B4D0AA8B-920-80070057

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1A93D:Dell Inc|1A93D:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A

#18 Elise

Posted 02 December 2009 - 09:04 AM

Re-run Dial-a-fix and click the Flush Software distribution button.

Please see if this changes anything.

regards, Elise



#19 leobacko

Posted 03 December 2009 - 12:45 PM

Tried that. No change.

I really think that it must be missing dlls or dlls that need to be registered, but I don't know enough about it. I found some more suggestions regarding the Update Error, some that suggest certain dlls to reregister. Didn't want to try it out until you ran out of ideas. I'll have to send you the links when I get back home. At work right now.

#20 Elise

Posted 03 December 2009 - 01:50 PM

Okay, you can post those links.

As for re-registering and checking the dlls, that's basically what Dial-a-fix does.

regards, Elise



#21 leobacko

Posted 05 December 2009 - 08:10 PM

Here are the links to the two suggestions I found for error 0x80070005:

http://www.p2plife.com/forums/Updates_fail...0005-t1819.html

http://www.vistaheads.com/forums/microsoft...0x80070005.html

Let me know if you think they are safe or helpful. Thanks.

#22 Elise

Posted 06 December 2009 - 06:27 AM

Basically, Dial-a-fix does what is described in the first link; of course, you can also try it manually.

The second link explains how to re-set registry permissions. You can try it, but since you edit certain registry entries, it would be wise to back up your registry first.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

regards, Elise



#23 leobacko

Posted 07 December 2009 - 10:25 PM

Well, tried both of those options and nothing worked. WTH is preventing these updates? Thanks for the help.

#24 Elise

Posted 08 December 2009 - 04:08 AM

Hello leobacko,

Although I don't see any malware left, let's double-check with another scan that this is not malware related somehow.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply, please include the following:
  • SUPERAntiSpyware scan log

regards, Elise



#25 leobacko

Posted 08 December 2009 - 09:43 PM

I'm not sure if this matters, but before starting all of this troubleshooting with you guys, I changed the password of the user I use to login. The password used to be "backo". I noticed that the things from the log are all backo@xxxx.

I don't know if I should be changing other things elsewhere?


Here is the latest log from SuperAntispyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/08/2009 at 07:44 PM

Application Version : 4.30.1004

Core Rules Database Version : 4349
Trace Rules Database Version: 2197

Scan type : Complete Scan
Total Scan Time : 01:06:47

Memory items scanned : 645
Memory threats detected : 0
Registry items scanned : 6145
Registry threats detected : 0
File items scanned : 76377
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Backo\Cookies\backo@hitbox[2].txt
C:\Documents and Settings\Backo\Cookies\backo@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\Backo\Cookies\backo@ehg-eset.hitbox[2].txt
C:\Documents and Settings\Backo\Cookies\backo@kontera[2].txt
C:\Documents and Settings\Backo\Cookies\backo@microsoftinternetexplorer.112.2o7[1].txt
C:\Documents and Settings\Backo\Cookies\backo@ads.sun[2].txt
C:\Documents and Settings\Backo\Cookies\backo@atdmt[2].txt
C:\Documents and Settings\Backo\Cookies\backo@collective-media[1].txt
C:\Documents and Settings\Backo\Cookies\backo@statcounter[1].txt
C:\Documents and Settings\Backo\Cookies\backo@ehg-corusentertainment.hitbox[1].txt
C:\Documents and Settings\Backo\Cookies\backo@apmebf[1].txt
C:\Documents and Settings\Backo\Cookies\backo@microsoftwindows.112.2o7[1].txt

#26 Elise

Posted 09 December 2009 - 03:45 PM

Hello leobacko,

The cookies SAS detects contain "backo" as being your username (which I also see in the logs you posted). Nothing wrong with that.

The update issue is not likely malware related. I would recommend that you post in the XP forum about this.

ALL CLEAN
--------------
Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a randomly named file) and RootRepeal.
Please read this advice in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise



#27 Elise

Posted 14 December 2009 - 03:46 PM

This topic is now closed.

regards, Elise

