
HP Laptop, Cannot Activate, UAC is broken


  • This topic is locked
11 replies to this topic

#1 CoastalData


Posted 18 February 2017 - 12:11 PM

Hello,

 

I have a laptop running Windows 7 Home Premium. When it boots up, it says that activation has expired, as if the user maybe never clicked activate? Or it may have been tampered with by a virus.

 

If you run any program under a normal boot, you get some form of permission denied, no matter what, and there are never any UAC prompts, only errors that preclude them.

 

In safe mode, most programs run, but still cannot load control panel applet to change UAC settings, nor to create a new user.

 

In particular, I found that in safe mode, I was able to run the TeamViewer QuickSupport version, which is portable; then, after that, I was able to remotely upgrade that to the full version of TeamViewer, and it did successfully pop up for UAC.

 

Ultimately, I would like to upgrade this laptop to Windows 10, if possible, even if it meant changing editions of windows before the upgrade.

 

I've attached FRST.txt and Addition.txt, can you help?

 

Thanks in advance!

 

--Jon



Edited by Chris Cosgrove, 18 February 2017 - 05:17 PM.
Moved from BSODs to 'Virus, trojan etc. logs'



 


#2 Jo*


Posted 21 February 2017 - 08:58 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on the downloaded file. OK the self-extracting prompt.
  • MBAR will start. On the introduction screen, click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 CoastalData


Posted 21 February 2017 - 09:19 AM

Hi Jo! Thanks for your help!

 

Here are the results of Security Check; Malwarebytes is running now.

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Google Chrome (56.0.2924.87) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
 m Desktop AntiMalwarePack BleepingComputer\SecurityCheck.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 
 
--Jon
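
One way a helper could triage the Security Check report posted above, added here as an example; it is not part of the original thread or of Security Check itself. The section parsing and the heuristics in `findings` are assumptions of this example, and the sample is the log from post #3 with its backtick rules written as `~`.

```python
import re

# Log copied from post #3; backticks are written as ~ here and restored below.
SAMPLE_LOG = """\
 Results of screen317's Security Check version 1.014 --- 12/23/15
 Windows 7 Service Pack 1 x64 (UAC is enabled)
~~~~~~~~~~~~~~Antivirus/Firewall Check:~~~~~~~~~~~~~~
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!
 WMI entry may not exist for antivirus; attempting automatic update.
~~~~~~~~~Anti-malware/Other Utilities Check:~~~~~~~~~
 Google Chrome (56.0.2924.87)
 Google Chrome (SetupMetrics...)
~~~~~~~~Process Check: objlist.exe by Laurent~~~~~~~~
 m Desktop AntiMalwarePack BleepingComputer\\SecurityCheck.exe
~~~~~~~~~~~~~~~~~System Health check~~~~~~~~~~~~~~~~~
 Total Fragmentation on Drive C:
~~~~~~~~~~~~~~~~~~~~End of Log~~~~~~~~~~~~~~~~~~~~~~
""".replace("~", "`")

# A section header is a title wrapped in runs of backticks.
HEADER = re.compile(r"^`+(?P<title>[^`]+?):?`+\s*$")

def parse_sections(log):
    """Split the log into {title: [lines]}; text before the first header is 'Header'."""
    sections, current = {"Header": []}, "Header"
    for raw in log.splitlines():
        m = HEADER.match(raw)
        if m:
            current = m.group("title").strip()
            sections.setdefault(current, [])
        elif raw.strip():
            sections[current].append(raw.strip())
    return sections

def findings(sections):
    """Return triage notes for the report (heuristics assumed by this example)."""
    notes = []
    av = sections.get("Antivirus/Firewall Check", [])
    if any("Security Center service is not running" in l for l in av):
        notes.append("Security Center service stopped: AV/firewall status is unreliable")
    if any("WMI entry may not exist for antivirus" in l for l in av):
        notes.append("no antivirus registered in WMI")
    for line in sections.get("System Health check", []):
        if line.startswith("Total Fragmentation") and not line.partition(":")[2].strip():
            notes.append("fragmentation value missing from the health check")
    if "End of Log" not in sections:
        notes.append("log truncated: no 'End of Log' marker")
    return notes
```
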


#4 CoastalData


Posted 21 February 2017 - 10:03 AM

Okay, Malwarebytes completed, and said it found nothing...

 

I then ran AdwCleaner, and it also found nothing, which I thought was suspicious, so I checked the C drive, and voila! AdwCleaner had already been run, looks like the same day I got the computer. I checked with the owner, and she confirmed that her son had tried a few things unsuccessfully to get it working. Yay.

 

Because AdwCleaner did not generate an R0 file this time, I'm including c0 and s0 files.

 

 




#5 Jo*


Posted 21 February 2017 - 10:13 AM

Ok, please run the pc in normal mode...

Download ComboFix from the following location:
Link

* IMPORTANT- Save ComboFix.exe to your Desktop
 

***


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link:
How to Disable your Security Programs


***


Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Enable your antivirus!
 

***


Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Cheers,
Jo


#6 CoastalData


Posted 21 February 2017 - 11:59 AM

Okay, on booting up, the first prompt I get is Windows Activation; it says "The activation period has expired." It offers "Activate Now" and "Ask Me Later".

 

At the bottom, it has 0xc004f009.

 

Next, it automatically loads Windows Media player to Recorded TV.

 

When I try to run combofix it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".

 

Run as Administrator produces the same results.

 

Suggestions?

 

--Jon



#7 Jo*


Posted 21 February 2017 - 12:11 PM


Did you buy this pc lately or do you repair it for someone else?

---

Your logs show:
 

==================== Restore Points =========================

10-01-2017 10:27:28 Windows Update
02-02-2017 15:46:59 Scheduled Checkpoint
03-02-2017 10:39:54 Removed IDT Audio
03-02-2017 15:33:48 Restore Operation
15-02-2017 14:16:06 Scheduled Checkpoint



Now we try a System Restore:

Start the Windows (Vista, 7 or 8 or 10) System Restore and try to run System Restore from there.

Select: 02-02-2017 15:46:59 Scheduled Checkpoint

Edited by Jo*, 21 February 2017 - 12:17 PM.

Cheers,
Jo


#8 Jo*


Posted 25 February 2017 - 02:01 AM


Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.

Cheers,
Jo


#9 CoastalData


Posted 25 February 2017 - 02:57 PM

My apologies, I had some office emergencies this week, which prevented me from working on this.

 

This is actually a vendor's laptop. I had her bring it to me because she's been having a hard time getting her work done, but more importantly, she had reported to me that she thinks that a virus has infected this and possibly other computers of hers as well.

 

She's actually reported to me that she thinks she has an active virus that is jumping from computer to computer at her office -- I'm doubtful of that, but we may want to look for any traces of something that might be able to do that.

 

Either way, we exchange USB devices that have large art pieces and such, so I am concerned about any of that getting into my office's computers and/or network as a result of exchanging devices and files.

 

Anyhow: Looks like system restore either failed or succeeded, hard to tell which... When I came back to it, the power light was still on, but the screen was black, no flashing cursor, no hdd activity light, nothing. I tried to wake it up with control key, mouse movements, and then finally with a single press of the power button, nothing. After a few minutes of waiting, I held the power button until it was forced off. On bootup, it shows message about finishing up windows updates. I think this checkpoint was for updates, so that makes sense. It comes up, and the first thing that comes up in windows is the windows activation warning, that says "you may be a victim of counterfeit software" message. Next, on top of that loads "Winzip Driver Updater". On top of that loads what I would call "Windows Media Center". Not sure exactly what they call it in Win 7, but it comes up full screen, blocking out all of the other messages on the desktop.



#10 Jo*


Posted 26 February 2017 - 06:30 AM

Ultimately, I would like to upgrade this laptop to Windows 10, if possible, even if it meant changing editions of windows before the upgrade.

Does the owner of the pc have backups of important files (documents, emails, pictures...)?
If not, a backup should be done before the next steps.

If restore does not work then a repair install of Windows or a clean install of Windows should be the best option.

Then you could scan the pc for malware before updating to Win 10.

Edited by Jo*, 26 February 2017 - 06:32 AM.

Cheers,
Jo


#11 Jo*


Posted 01 March 2017 - 04:53 AM

Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.

Cheers,
Jo


#12 Jo*


Posted 07 March 2017 - 03:51 AM

Due to the lack of feedback, this topic is now closed.

Cheers,
Jo




