
Something is wrong and I don't know what. Big time help wanted.


17 replies to this topic

#1 hamsterdoom

hamsterdoom

  • Members
  • 9 posts

Posted 30 June 2014 - 04:51 PM

Let me start off by saying thank you for taking the time to look into my issue. As a new member of Bleeping Computer's forums I am hopeful that I will find many individuals who are willing and able to aid me with my computer problems, and for those of you that are, I wish to express my sincerest gratitude.

Unfortunately, I don't speak computer very well. Put a block of code in front of me and I'll have no idea what to do with it. Heck, I barely have any idea what my computer specs are, let alone what to do with that information. It's all a very, very sad tale, I assure you.

Onto my issue:
Recently, just this last Saturday (Jun 28, 2014), my computer was operating just fine. I was able to watch some videos on Netflix, play some League of Legends, and signed on to Elder Scrolls Online for a minute. Nothing out of the ordinary. But the following day, Sunday (Jun 29, 2014), my computer loaded in a fashion most peculiar. Now I don't mean the boot up was wonky, but when I signed in to my profile I immediately noticed that something was wrong.
All of my desktop icons were either moved or gone and my wallpaper was reset back to the computer's default. I had had an issue like this in the past and a simple reboot of my system was enough to rectify the problem. This time, however, rebooting my computer three times yielded no results, and, much to my chagrin, I knew that to fix the problem I'd have to dig deeper. As I would come to find out, much, much deeper.
You'll probably think I'm a little on the soft-headed side when I tell you that I had no computer protection to speak of. I had AVG Free on my computer for a time, but that was well over 30 days expired. My MalwareBytes Anti-Malware had been out of date for 47 days. I was not doing much in the way of helping myself out when it came to security on my computer.
The first thing I did, though, when I knew there was trouble in River City was to update and run MalwareBytes. But during the update process I encountered an error (silly me, I didn't write down the error code). I re-installed MalwareBytes and it updated just fine. I went to run the program to start a scan but it stopped working only a few seconds in. A window popped up reading,
"MalwareBytes Anti-Malware has stopped working
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."
I felt a sudden surge of reassurance that everything would be okay.
After some snooping around on the web for help, I ran across a forum that mentioned something called Rkill. Running it sounded like a good idea, so I did just that, but, again, I ran into an error. "appdata doesn't exist! Rkill terminated!" and "There was a problem retrieving the necessary environment variable: appdata. Rkill has terminated!" was the only message I got. Eventually I installed my AVG 2014 (Yes, I had a valid key-code for AVG 2014 Anti-Virus, Security, and PC TuneUp lying around. No, I did not use it until just now. Yes, that's a dumb thing to do.) and was able to successfully run a scan on my computer, but the only "threat" it reported and removed was a tracking cookie. Now, I'm no computer expert, but I'm going to assume that my computer problems do not trace back to a single tracking cookie.

So I am now officially out of ideas. I just want to use my computer again. If anyone is willing to help me out, I would be super grateful. I'm sorry for the wall of text. Let me know what additional information you'll need to zero in on the problem.




#2 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,938 posts

Posted 30 June 2014 - 05:26 PM

Hi :welcome: to BC,
 
It seems your Hard Disk can have some errors. Do you have backup copies of your files?
 
Before executing the steps below, it's recommended to copy all your critical files to a Flash Drive, External Hard Drive, etc.

Let's run a Disk Check...

  • open the Command Prompt as Administrator (Tutorial)
  • type the command:
    chkdsk /r /x C:
    Note: When it asks if you want to check the volume next time the system restarts, answer Yes
  • restart the computer

Next,

  • download ListChkdskResult
  • execute the file and accept all the windows prompts to authorize the program to run
  • Notepad will open with a report showing the chkdsk result
  • please copy & paste the log to your reply

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 hamsterdoom

hamsterdoom
  • Topic Starter

  • Members
  • 9 posts

Posted 30 June 2014 - 05:44 PM

Thank you for your quick response, SleepyDude. I am currently backing up my files. I will provide an update once the process is completed.

Edit: Looks like the backup is going to take longer than anticipated. Should be finished in around 70~ hours. (-_-)
In the event the topic closes in the meantime, I will be sure to PM you to reactivate. Thanks again.


Edited by hamsterdoom, 30 June 2014 - 06:09 PM.


#4 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,938 posts

Posted 01 July 2014 - 03:40 AM

Hi,

 

Thank you for your quick response, SleepyDude. I am currently backing up my files. I will provide an update once the process is completed.

Edit: Looks like the backup is going to take longer than anticipated. Should be finished in around 70~ hours. (-_-)
In the event the topic closes in the meantime, I will be sure to PM you to reactivate. Thanks again.

 

Take your time. The topics outside the Malware Removal section are not closed.



 
 


#5 hamsterdoom

hamsterdoom
  • Topic Starter

  • Members
  • 9 posts

Posted 03 July 2014 - 10:54 PM

Whew! That was quite a wait. Really getting my Netflix mileage. lol
I have done as you suggested and backed up my computer as well as performed the disk check.

The information from the Notepad doc:

 

 

ListChkdskResult by SleepyDude v0.1.7 Beta | 21-09-2013
 
------< Log generate on 7/3/2014 8:49:21 PM >------
Category: 0
Computer Name: William-PC
Event Code: 1001
Record Number: 388192
Source Name: Microsoft-Windows-Wininit
Time Written: 07-04-2014 @ 03:42:26
Event Type: Information
User: 
Message: 
 
Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.
 
A disk check has been scheduled.
Windows will now check the disk.                         
  437824 file records processed.                                  
 
  2186 large file records processed.                            
 
  0 bad file records processed.                              
 
  0 EA records processed.                                    
 
  76 reparse records processed.                               
 
  547592 index entries processed.                                 
 
  0 unindexed files processed.                               
 
  437824 security descriptors processed.                          
 
Cleaning up 15488 unused index entries from index $SII of file 0x9.
Cleaning up 15488 unused index entries from index $SDH of file 0x9.
Cleaning up 15488 unused security descriptors.
CHKDSK is compacting the security descriptor stream...
  54885 data files processed.                                    
 
CHKDSK is verifying Usn Journal...
  37072496 USN bytes processed.                                     
 
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  437808 files processed.                                         
 
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  31521977 free clusters processed.                                 
 
Free space verification is complete.
Adding 64 bad clusters to the Bad Clusters File.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
 
 302083415 KB total disk space.
 175303676 KB in 225828 files.
    134788 KB in 54888 indexes.
       256 KB in bad sectors.
    557039 KB in use by the system.
     65536 KB occupied by the log file.
 126087656 KB available on disk.
 
      4096 bytes in each allocation unit.
  75520853 total allocation units on disk.
  31521914 allocation units available on disk.
 
Internal Info:
40 ae 06 00 95 48 04 00 e7 59 07 00 00 00 00 00  @....H...Y......
cc d9 00 00 4c 00 00 00 00 00 00 00 00 00 00 00  ....L...........
42 00 00 00 e2 73 97 77 b0 87 2f 00 b0 7f 2f 00  B....s.w../.../.
 
Windows has finished checking your disk.
Please wait while your computer restarts.
 
-----------------------------------------------------------------------

Not really sure what any of this means. Hope it gives you some clue as to what the problem might be. Cheers.


#6 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,938 posts

Posted 04 July 2014 - 04:34 AM

Hi,

 

Chkdsk corrected some things...

 

Any change on this?

 

 

All of my desktop icons were either moved or gone and my wallpaper was reset back to the computer's default.

 

Rerun Rkill and tell me if it continues to complain about appdata.



 
 


#7 hamsterdoom

hamsterdoom
  • Topic Starter

  • Members
  • 9 posts

Posted 04 July 2014 - 01:13 PM

My desktop has remained unchanged. The icons are still either gone or in their new positions, and my wallpaper is still the computer's default.

I also tried running Rkill again but I received the same error as before. "appdata doesn't exist! Rkill terminated!"



#8 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,938 posts

Posted 05 July 2014 - 10:23 AM

Hi,
 
Let's take a look into the system...

Download MiniToolBox and save the file to the Desktop.
Close the browser and run the tool, check the following options:

  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
  • List Devices (Only Problems)
  • List Minidump Files
  • List Restore Points

Click on Go.

Post the resulting log in your next reply.
 
 
Please download SystemLook from one of the links below according to your OS Architecture and save it to your Desktop.
SystemLook (32-bit)
SystemLook (64-bit)

  • Double-click SystemLook/SystemLook_x64 to run it.
  • Accept the prompt Allow the program to make changes to this computer (UAC prompt)
  • Copy the content of the following codebox and Paste into the main textfield:
    :dir
    %systemdrive%\users
    
    :filefind
    ntuser.dat
    
  • Click the Look button to start the scan.
  • The scan can take some time. When finished, a notepad window will open with the results. Please post this log in your next reply.

Note: The log can be found on your Desktop entitled SystemLook.txt



 
 


#9 hamsterdoom

hamsterdoom
  • Topic Starter

  • Members
  • 9 posts

Posted 06 July 2014 - 04:04 AM

I ran MiniToolBox and checked all the boxes you mentioned save one. For some reason 'List Restore Points' was not one of the available options. Ran MiniToolBox anyway and these were the results.

---

MiniToolBox by Farbar  Version: 25-06-2014
Ran by William (administrator) on 06-07-2014 at 01:08:17
Running from "C:\Windows\System32\config\systemprofile\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (07/05/2014 06:03:42 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid.  hr = 0x80070539.
 
 
Operation:
   OnIdentify event
   Gathering Writer Data
 
Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {332df1cb-e527-462f-9e9c-0f2901d5aa0e}
 
Error: (07/05/2014 03:48:09 PM) (Source: Perflib) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
 
Error: (07/05/2014 03:48:05 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
 
Error: (07/05/2014 03:41:08 PM) (Source: Application Error) (User: )
Description: Faulting application mbam.exe, version 1.0.0.532, time stamp 0x53518532, faulting module MSVCR100.dll, version 10.0.40219.325, time stamp 0x4df2be1e, exception code 0x40000015, fault offset 0x0008d6fd,
process id 0x90c, application start time 0xmbam.exe0.
 
Error: (07/05/2014 03:38:51 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/05/2014 03:38:17 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system. 
 
 DETAIL - Access is denied.
 
Error: (07/05/2014 03:27:19 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/05/2014 03:22:34 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 
 
 DETAIL - The system cannot find the file specified.
 
Error: (07/05/2014 03:22:01 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 
 
 DETAIL - The system cannot find the file specified.
 
Error: (07/05/2014 03:21:20 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 
 
 DETAIL - The system cannot find the file specified.
 
 
System errors:
=============
Error: (07/05/2014 03:29:02 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (07/05/2014 03:29:02 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (07/05/2014 03:28:12 PM) (Source: Service Control Manager) (User: )
Description: i8042prt
TfFsMon
TfSysMon
 
Error: (07/05/2014 03:16:09 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (07/05/2014 03:16:09 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (07/05/2014 03:14:57 PM) (Source: Service Control Manager) (User: )
Description: i8042prt
TfFsMon
TfSysMon
 
Error: (07/04/2014 06:16:23 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (07/04/2014 06:16:23 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (07/04/2014 06:15:17 PM) (Source: Service Control Manager) (User: )
Description: i8042prt
TfFsMon
TfSysMon
 
Error: (07/04/2014 10:03:03 AM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2014-07-05 15:28:12.516
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-05 15:14:57.223
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-04 18:15:15.538
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-04 10:02:23.072
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-03 21:02:45.830
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-03 21:02:45.182
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-03 21:02:44.548
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-03 21:02:43.836
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-03 20:43:57.094
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-03 00:30:58.432
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
 
========================= Devices: ================================
 
Name: Officejet 4500 G510n-z
Description: Officejet 4500 G510n-z
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Hewlett-Packard
Service: StillCam
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Officejet 4500 G510n-z
Description: Officejet 4500 G510n-z
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 47%
Total physical RAM: 3069.76 MB
Available physical RAM: 1604.1 MB
Total Pagefile: 6371.77 MB
Available Pagefile: 4687.98 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.03 MB
 
========================= Partitions: =====================================
 
1 Drive c: (OS) (Fixed) (Total:288.09 GB) (Free:105.95 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\WILLIAM-PC
 
Administrator            Guest                    Mcx1                     
UpdatusUser              William                  
 
========================= Minidump Files ==================================
 
C:\Windows\Minidump\Mini060714-01.dmp
 
**** End of log ****

---

Not sure if you needed to know or not, but I ran the SystemLook 32-bit. These were the results.

---

SystemLook 30.07.11 by jpshortstuff
Log created at 01:11 on 06/07/2014 by SYSTEM
Administrator - Elevation successful
 
========== dir ==========
 
C:\users - Parameters: "(none)"
 
---Files---
desktop.ini --ahs-- 174 bytes [12:50 02/11/2006] [02:43 21/01/2008]
 
---Folders---
All Users d--hs-- [13:02 02/11/2006]
Default dr-h--- [11:18 02/11/2006]
Default User d--hs-- [13:02 02/11/2006]
Mcx1 d------ [01:57 08/01/2011]
Public dr----- [11:18 02/11/2006]
TEMP d------ [01:53 29/06/2014]
UpdatusUser d------ [00:51 05/06/2012]
 
========== filefind ==========
 
Searching for "ntuser.dat"
C:\Users\Default\NTUSER.DAT --ahs-- 262144 bytes [10:22 02/11/2006] [21:53 22/03/2013] 0DE4E538FA693D2D3B8F123799B69D40
C:\Users\Mcx1\ntuser.dat --ahs-- 524288 bytes [01:57 08/01/2011] [22:39 05/07/2014] (Unable to calculate MD5)
C:\Users\TEMP\NTUSER.DAT --ahs-- 1835008 bytes [01:53 29/06/2014] [08:21 06/07/2014] (Unable to calculate MD5)
C:\Users\UpdatusUser\ntuser.dat --ahs-- 262144 bytes [00:51 05/06/2012] [22:39 05/07/2014] (Unable to calculate MD5)
C:\Windows\ServiceProfiles\LocalService\ntuser.dat --ahs-- 262144 bytes [12:47 02/11/2006] [22:36 05/07/2014] (Unable to calculate MD5)
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat --ahs-- 262144 bytes [12:47 02/11/2006] [22:36 05/07/2014] (Unable to calculate MD5)
C:\Windows\System32\config\systemprofile\ntuser.dat --a---- 262144 bytes [12:43 02/11/2006] [06:03 15/04/2014] C2413400376328ABC002BDD41B3C954F
C:\Windows\System32\config\systemprofile\Desktop\William\ntuser.dat --ahs-- 5505024 bytes [18:38 01/12/2009] [15:23 03/07/2014] 4001209326D868E64A42DFA164264243
 
-= EOF =-


#10 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,938 posts

Posted 06 July 2014 - 06:33 AM

Hi,
 

I ran MiniToolBox and checked all the boxes you mentioned save one. For some reason 'List Restore Points' was not one of the available options. Ran MiniToolBox anyway and these were the results.


It seems Farbar made some changes to the tool and removed the option to list the Restore Points.
 

---

Not sure if you needed to know or not, but I ran the SystemLook 32-bit. These were the results.

Ok, Thanks for the logs.

 

You have two user accounts, Mcx1 and William. Can you tell me which is the one you use and if the other one is working properly?

 



 
 


#11 hamsterdoom

hamsterdoom
  • Topic Starter

  • Members
  • 9 posts

Posted 06 July 2014 - 04:44 PM

I believe the User Mcx1 is a folder for Windows Media Center extensions. William is the User Profile that I use and the one I thought I was experiencing problems with. The reason I say it that way is because I can't seem to find my user profile.
(Computer\C:\Users) shows only Default (hidden), Mcx1, Public, TEMP, and UpdatusUser profiles. Manually searching for (C:\Users\William) results in an error. Which is odd because that's the Profile I sign in to when I boot my computer, and I know I've seen and accessed it plenty of times in the Users folder.

May be unrelated, but yesterday I encountered a problem when trying to log on to my profile. I received an error message that read, "The User Profile Service service failed the logon. User profile cannot be loaded." After which my computer aborted the logon attempt and placed me back at the User Selection screen. I rebooted my computer and was able to log on without incident.



#12 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,938 posts

Posted 06 July 2014 - 05:11 PM

Hi,

 

It seems somehow your profile is missing!

 

 

Error: (07/05/2014 03:38:17 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system. 
 
 DETAIL - Access is denied.
 
Error: (07/05/2014 03:22:34 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 
 
 DETAIL - The system cannot find the file specified.
 
Error: (07/05/2014 03:22:01 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 
 
 DETAIL - The system cannot find the file specified.

 

Most likely the system is using c:\users\temp now.

 

Try to search for some document, video, image, etc. you know that exists in your My Documents folder to see if you can find it somewhere.

 

Do you see any found.000, found.001, etc. folders at the root of the C:\ drive?


Edited by SleepyDude, 06 July 2014 - 05:12 PM.

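
The log reading done in the reply above can be scripted. This is an added example, not part of the thread: it pulls the profsvc errors out of MiniToolBox output and flags ntuser.dat hits in SystemLook output that sit outside a profile root or in the TEMP profile. The function names and the list of expected hive folders are assumptions of this example; the sample input is excerpted from the logs posted in this thread.

```python
import re
from datetime import datetime

# Excerpts from the MiniToolBox and SystemLook logs posted in this thread
# (the trailing MD5 column of the SystemLook lines is left out).
MINITOOLBOX_EXCERPT = r"""
Error: (07/05/2014 03:48:05 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (07/05/2014 03:38:17 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - Access is denied.

Error: (07/05/2014 03:22:34 PM) (Source: profsvc) (User: William-PC)
Description: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.

 DETAIL - The system cannot find the file specified.
"""
SYSTEMLOOK_EXCERPT = r"""
C:\Users\Default\NTUSER.DAT --ahs-- 262144 bytes [10:22 02/11/2006] [21:53 22/03/2013]
C:\Users\TEMP\NTUSER.DAT --ahs-- 1835008 bytes [01:53 29/06/2014] [08:21 06/07/2014]
C:\Windows\System32\config\systemprofile\ntuser.dat --a---- 262144 bytes [12:43 02/11/2006] [06:03 15/04/2014]
C:\Windows\System32\config\systemprofile\Desktop\William\ntuser.dat --ahs-- 5505024 bytes [18:38 01/12/2009] [15:23 03/07/2014]
"""

EVENT_RE = re.compile(r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]*)\) \(User: [^)]*\)$")
HIVE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) [-a-z]{7} (?P<size>\d+) bytes \[(?P<created>[^\]]+)\] \[[^\]]+\]")
# Assumption of this example: folders where an ntuser.dat hive normally sits
# on a system whose system drive is C:, as in the thread.
EXPECTED_PARENTS = [
    r"^c:\\users\\[^\\]+$",
    r"^c:\\windows\\serviceprofiles\\[^\\]+$",
    r"^c:\\windows\\system32\\config\\systemprofile$",
]
# Phrases from the two profsvc messages in the log, mapped to short labels.
KINDS = (("logged you on with the default profile", "fallback-profile-logon"),
         ("profile cannot be loaded", "logon-refused"))


def parse_events(text):
    """Split MiniToolBox 'Error:' entries into dicts, keeping Description and DETAIL."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = EVENT_RE.match(line)
        if m:
            events.append({"when": datetime.strptime(m["when"], "%m/%d/%Y %I:%M:%S %p"),
                           "source": m["source"], "description": "", "detail": ""})
        elif events and line.startswith("Description:"):
            events[-1]["description"] = line[len("Description:"):].strip()
        elif events and line.startswith("DETAIL -"):
            events[-1]["detail"] = line[len("DETAIL -"):].strip()
    return events


def profile_failures(events):
    """Return (time, kind, detail) for User Profile Service errors, oldest first."""
    rows = []
    for e in events:
        if e["source"].lower() == "profsvc":
            text = e["description"].lower()
            kind = next((k for needle, k in KINDS if needle in text), "other")
            rows.append((e["when"], kind, e["detail"]))
    return sorted(rows)


def triage_hives(text):
    """Flag ntuser.dat hits that sit outside a profile root or in the TEMP profile."""
    flagged = []
    for line in text.splitlines():
        m = HIVE_RE.match(line.strip())
        if not m:
            continue
        parent = m["path"].rpartition("\\")[0]
        notes = []
        if not any(re.match(p, parent.lower()) for p in EXPECTED_PARENTS):
            notes.append("hive outside a profile root")
        if parent.lower() == r"c:\users\temp":
            notes.append("TEMP profile folder present")
        if notes:
            created = datetime.strptime(m["created"], "%H:%M %d/%m/%Y")
            flagged.append({"parent": parent, "created": created, "size": int(m["size"]), "notes": notes})
    return flagged


if __name__ == "__main__":
    for when, kind, detail in profile_failures(parse_events(MINITOOLBOX_EXCERPT)):
        print(when, kind, detail)
    for hit in triage_hives(SYSTEMLOOK_EXCERPT):
        print(hit["created"], hit["parent"], hit["notes"])
```

On the thread's logs, the creation time of the TEMP profile (29/06/2014) falls on the Sunday the poster first saw the default desktop.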

 
 


#13 hamsterdoom

hamsterdoom
  • Topic Starter

  • Members
  • 9 posts

Posted 06 July 2014 - 08:22 PM

Huzzah! A small victory! (I think, lol)

Before this mess happened, I kept all of my files, folders, and otherwise in a very organized folder titled 'Master Folder' on my desktop for convenience and back-up purposes. The only other icons on my desktop were mostly game shortcuts with a sprinkling of browsers and essentials (eg. Recycle Bin, MalwareBytes, etc.), and a few frequently used Microsoft Word documents. After the Fall (the event, as I'm calling it now for dramatic purposes), I hurriedly located and pulled out my Master Folder to back it up. I immediately forgot the location I pulled the folder from. For no small amount of time now, I've been racking my brain trying to think of a single file I might have missed - anything I could use to bring me back to that location, and, as luck would have it, I finally did.

 

(C:\Windows\System32\config\systemprofile\Desktop\William)

Therein I managed to find a lot of my old stuff including my Desktop folder which had all of my old icons. I'm hoping that this is a big step in the right direction.

And, no, I'm afraid I couldn't find anything named found.000 or otherwise. Even after showing hidden files and un-hiding protected OS files.



#14 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,938 posts

Posted 07 July 2014 - 11:57 AM

Hi,

 

It seems your user profile got messed up big time. My suggestion is to create a new user and copy your data files from the C:\Windows\System32\config\systemprofile\Desktop\William folder.



 
 


#15 hamsterdoom

hamsterdoom
  • Topic Starter

  • Members
  • 9 posts

Posted 07 July 2014 - 02:28 PM

Would it be possible to simply place the William profile back into the (C:\Users) folder? Would that help at all or make the problem worse?

How does something like that even happen?

Also, how does the profile's disappearance cause MalwareBytes and Rkill to cease to function? Or is that unrelated?


Edited by hamsterdoom, 07 July 2014 - 02:29 PM.




