Help various problems

Discussion in 'Software' started by Emma133, Apr 29, 2011.

  1. Emma133

    Emma133 Private E-2

    Hi I hope someone can help me. After being infected with various malware and help with clean up from the malware forum I have started to experience some problems. I cleaned up the pc and started to go through the list I was given and I got to stage 9 of "how to protect yourself from Malware" when I encountered a series of problems after a reboot.

    There was no desktop, no programs just a black screen with the tool bar across the bottom. I had an error message saying "host process for windows has stopped working." And another saying C:\Windows\System32\config\systemprofile\ desktop is not accessible.

    I tried to install live essentials 2011 updates, there was a problem with that so tried to reboot into safe mode. Couldn't do that, just a black screen. I shut down the computer and rebooted, got the desktop back, programs and internet access but got a message saying "IP Helper has stopped working". I now have a window with the host process for windows has stopped working again.

    Please help many thanks
     
  2. Caliban

    Caliban I don't need no steenkin' title!

    Greetings, Emma133.

    I glanced at your Malware Forum posts - I'll study them some more, but for now there are a couple of things I'd like you to try:

    1. Do you have a Windows Vista disk? If so, please run a System File Check if possible - if you are unfamiliar with this procedure, a quick tutorial is located here.

    2. Create a new Administrator Profile and try to log into Windows as that new profile, see if your symptoms change.

    Did the machine suddenly develop these symptoms, or did they exhibit immediately after some software or Windows Update installation?
     
  3. Emma133

    Emma133 Private E-2

    Hi Caliban thank you for taking the time to reply and look at my posts.

    The system did not come with a disk, but I am certain I was asked to make one when I first bought the computer I will have a good look for it.

    The account I use to log on is the administrator account.

    The system was fine after malware removal, and after installing the free av. I installed a free firewall and got to stage 9 of this page http://forums.majorgeeks.com/showthread.php?t=44525 when the pc did a reboot and then the problems started immediately.
     
  4. Emma133

    Emma133 Private E-2

    System file check log as requested.

    Message said windows resource protection found corrupt files but was unable to fix some of them.

    I did not need the disk to run this

    Many thanks
     
  5. Emma133

    Emma133 Private E-2

    Sorry I can't upload the file because it exceeds the limit
     
  6. satrow

    satrow Major Geek Extraordinaire

    Hi Emma, try copying the log to your Desktop and zipping it (right-click the log and select Send to > Compressed folder), you can then attach the zip file.
     
  7. Caliban

    Caliban I don't need no steenkin' title!

    Good morning.

    1. Please do as satrow suggests.

    2. I realize you have an Administrator account - what I'd like for you to try is to create a new, separate Administrator account with full privileges and log in with that account to see if your symptoms change.

    3. You do not need the Windows disk to run SFC, but the disk is needed to repair any corrupt files the scan finds (ergo, the "unable to fix" message). If you can locate your installation disk, try running the SFC scan again with the disk inserted into your optical drive.
     
  8. Emma133

    Emma133 Private E-2

    Hi many thanks for both replies and sorry for being so uncomputer savvy I'm not as clued up as I'd like!!!

    I had tried to winrar the file to upload but it didn't work. I have now attached the file, many thanks for the know how.

    I will go and try to create a new administrator account right now.

    The only discs I have are recovery discs 1, 2 and 3 which I was asked to make when I first purchased the computer.

    Many thanks

    Emma
     

    Attached Files:

    • CBS.zip (79.8 KB)
  9. Emma133

    Emma133 Private E-2

    Made new administrator account and logged on hung on a black screen, so have restarted and booted into safe mode.
     
  10. satrow

    satrow Major Geek Extraordinaire

    Mhm, I only see 2x "settings.ini" components Windows Sidebar being flagged up:
    Code:
    2011-04-30 07:32:49, Info                  CSI    000001ca [SR] Beginning Verify and Repair transaction
    2011-04-30 07:32:49, Info                  CSI    000001cc [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2011-04-30 07:32:49, Info                  CSI    000001ce [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
    2011-04-30 07:32:49, Info                  CSI    000001cf [SR] This component was referenced by [l:158{79}]"Package_16_for_KB948465~31bf3856ad364e35~x86~~6.0.1.18005.948465-49_neutral_GDR"
    2011-04-30 07:32:49, Info                  CSI    000001d1 [SR] Repair complete
    I think it's a common scenario and can safely be ignored, according to MSFT. I'd say that gives the Windows Protected files a clean bill of health. I'll have a think about this and hope Caliban has something up his sleeve ;)
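
An added example, not part of satrow's post or the original thread: a small Python parser that reduces the `[SR]` (System File Checker) entries of a CBS.log to one record per unrepaired file, which is the reading done by eye above. The sample log is constructed in the shape of the quoted excerpt, and the function and variable names are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the excerpt quoted above (attribute list shortened).
SAMPLE_LOG = '''\
2011-04-30 07:32:49, Info                  CSI    000001ca [SR] Beginning Verify and Repair transaction
2011-04-30 07:32:49, Info                  CSI    000001cc [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, hash mismatch
2011-04-30 07:32:49, Info                  CSI    000001ce [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, hash mismatch
2011-04-30 07:32:49, Info                  CSI    000001cf [SR] This component was referenced by [l:158{79}]"Package_16_for_KB948465~31bf3856ad364e35~x86~~6.0.1.18005.948465-49_neutral_GDR"
2011-04-30 07:32:49, Info                  CSI    000001d1 [SR] Repair complete
2011-04-30 07:32:50, Info                  CBS    Constructed non-SFC line that must be ignored
'''

# Timestamp, level, the CSI source tag, an 8-digit hex sequence number, then the [SR] message.
SR_LINE = re.compile(r'^\S+ \S+, \w+\s+CSI\s+[0-9a-f]{8} \[SR\] (.*)$')
CANNOT = re.compile(r'^Cannot repair member file \[l:\d+\{\d+\}\]"([^"]+)" of ([^,]+), Version = ([^,]+),')
REFERENCED = re.compile(r'^This component was referenced by \[l:\d+\{\d+\}\]"([^"]+)"')

def summarize_unrepaired(log_text):
    """Collapse SFC's repeated 'Cannot repair' lines into one record per file."""
    findings = OrderedDict()
    last_key = None
    for line in log_text.splitlines():
        m = SR_LINE.match(line.strip())
        if not m:
            continue  # not an SFC ([SR]) entry
        msg = m.group(1)
        hit = CANNOT.match(msg)
        if hit:
            last_key = hit.groups()  # (file, component, version)
            rec = findings.setdefault(
                last_key, {"count": 0, "reasons": set(), "referenced_by": set()})
            rec["count"] += 1
            rec["reasons"].add(msg.rsplit(", ", 1)[-1])  # trailing field, e.g. "hash mismatch"
            continue
        ref = REFERENCED.match(msg)
        if ref and last_key:
            # The owning package is logged right after the files it references.
            findings[last_key]["referenced_by"].add(ref.group(1))
    return findings

if __name__ == "__main__":
    for (name, component, version), rec in summarize_unrepaired(SAMPLE_LOG).items():
        print(name, component, version, rec["count"],
              sorted(rec["reasons"]), sorted(rec["referenced_by"]))
```

A result with a single key for `settings.ini` of Microsoft-Windows-Sidebar corresponds to the "only 2x settings.ini" observation above; any other file in the result is one that SFC could not restore and is worth a closer look after a malware cleanup.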
     
  11. satrow

    satrow Major Geek Extraordinaire

    Emma, could you drill down to C:\Windows\System32\config\systemprofile\ and right-click on ntuser.dat > Properties > and check that Read only is unchecked then go to the Security tab and make a screenshot of it to attach here, please? Check whether System and Administrators both have the same permissions ticked too?
     
  12. Emma133

    Emma133 Private E-2

    Thank you for taking the time to help me to solve this.

    The read only is unchecked. Snapshot is attached. System and admin have the same permissions.

    Thanks
     

  13. Caliban

    Caliban I don't need no steenkin' title!

    Good morning.

    Can't see your screenshot - don't know if it's the size, or if these old eyes are just not functioning properly. Just have to take your word for it. ;)

    Questions: from your Malware Forum procedure, you successfully installed the latest Java update and uninstalled any older versions. Were there any glitches during these actions?

    And, the next step (disabling Autoruns) involves installing a series of patches and registry edits listed here - were these completed successfully?
     
  14. Emma133

    Emma133 Private E-2

    Sorry about the size lol I don't know why it's so small I will try and make it bigger and reattach.

    Java was updated and I could not find any older versions to uninstall. No glitches during that.

    The disabling autoruns I went to the update for windows vista, and the site said Your system does not need this update so I did not complete that.

    Thank you for your time.
     

    Last edited: May 1, 2011
  15. satrow

    satrow Major Geek Extraordinaire

    Tips:
    Emma - select the area you want to save then right-click on it and select 'crop' then you should be able to save only the part that's needed.
    Caliban - I middle-click all attachments to open them in a background tab, if they're still too small, Ctrl++ usually fixes it.

    Oh yes, the attachment looks like the normal properties tab that I'd expect to see.
     
  16. Caliban

    Caliban I don't need no steenkin' title!

    Copy - I was just being lazy. ;)

    Emma, I'm still having trouble deciding which way to go with this thing. I'm reading that the machine was working well until you reached a point in the malware protection procedure. Is this correct? If so, is there any way you can pinpoint exactly when the first issue(s) presented?
     
  17. Emma133

    Emma133 Private E-2

    Ok I'm going to try and remember step by step what I did.

    I followed all the instructions for removal and reset the system restore. I then went on to the thread How to protect yourself from malware. I installed windows updates that were needed and installed Antivir Personal edition and did a reboot. I then installed comodo firewall but did not do a reboot. I downloaded and ran CCleaner, and then downloaded and ran Spyware blaster. I checked the settings for the Active X security settings and changed if needed (most if not all were set correctly). Java was already updated and I could not find any older versions to uninstall. I don't think I followed the disabling autoruns as the system said I did not need that update. However having just clicked it up again it has started to download and I get a KB950582 Setup Error - The version of windows you have installed does not match the update you are trying to install. After that I rebooted the system and then the problems started.

    Hope this is helpful

    Thanks

    Emma
     
  18. satrow

    satrow Major Geek Extraordinaire

    I'm wondering if this is indicative of anything:
    Did you only run the main tab of CCleaner on default settings? Did you also run the Registry section?
     
  19. Emma133

    Emma133 Private E-2

    I was given the option to reboot now or later for the firewall which I chose later - I know I should have rebooted straight away. The CCleaner I ran only the default settings and only the basic cleaner tab not the registry.
     
  20. satrow

    satrow Major Geek Extraordinaire

    Ok, provided any temp. setup files set to be loaded at boot by ComodoFW had a Modified date of less than 24 hours previously, running CCleaner shouldn't have caused any problems there.
     
  21. Caliban

    Caliban I don't need no steenkin' title!

    That, too, could be a source - we all know how these things can sometimes break a machine. You don't happen to have a System Restore point prior to the updates that you can roll back to, do you?

    Nothing to lose by running CCleaner's Registry cleaner at this point - possible that it could fix something we're missing. Doubtful, but it may be worth a shot.

    Is the machine working well other than the host process window?

    And, since you have your restoration disks, have you backed up/salvaged any important data that you wish to save? You can probably sense what I'm leading to with that angle.
     
  22. Emma133

    Emma133 Private E-2

    I have just tried a system restore. I chose the first available restore point which was directly after the malware clean up and before the malware prevention tasks. It has allowed me to log on in normal mode but said my administrator account was unavailable and has logged me on a temporary account. I haven't yet run the registry cleaner I am going to double check everything is backed up first tomorrow.

    It is hard to say whether all is working well as I can only usually log on in safe mode which is very slow and limited.

    Thank you for your help it is much appreciated.
     
  23. Caliban

    Caliban I don't need no steenkin' title!

    We keep going back to that admin account thingy - something funky is going on with that, I think.

    Unless someone (satrow, sach2, anyone) can come up with a better plan, I'm leaning towards uninstalling everything you installed during the malware prevention procedure. If the machine runs normally at that point, then you can slowly move forward with the process, try to find the culprit. If not, you may be looking at a Windows reinstall.
     
  24. satrow

    satrow Major Geek Extraordinaire

    I'm with Caliban on this; it's something that we'd probably both like to get our hands on - trying to troubleshoot something over a forum when there doesn't seem to be any reliable fix published anywhere, or a replication method so that we could find a method of reversing the effects, is just frustration all round.

    So, I vote to remove all recent installations too :) (or just check your backup data is safe then wipe/reinstall).



    <I wonder why development of UPHClean was halted? In earlier Windows versions, it was a useful tool for some profile problems.>
     
  25. Emma133

    Emma133 Private E-2

    Ok thank you very much for your help.

    I have switched on and logged on this morning - with my normal admin account and it has let me on with no error messages - seems a bit temperamental. I will make sure everything is backed up later and try to uninstall everything then reinstall.
     
  26. mcsmc

    mcsmc MajorGeek

    I've noticed you recommend a registry cleaner a few times already... I'd like to know your logic, as these things can only REMOVE registry entries (they can't correct wrong entries or add missing entries). I've never seen a reason to use a registry cleaner. The registry doesn't take much space on a hard drive, and "cleaning" it doesn't affect performance in the least.
     
  27. Caliban

    Caliban I don't need no steenkin' title!

    Just grasping at straws, I guess. ;)
     
