Avast WEBforum
Other => General Topics => Topic started by: Busymama62 on March 24, 2014, 07:03:10 PM
-
I don't know if there could be a virus involved or not. The Avast Forum has helped us a number of times and here I am again...
This is our daughter's computer. It is a Compaq Presario CQ56 Windows 7 Home Premium. She knows it is on its last leg so to speak but wants to get the photos and other data off of the computer. Upon booting today when we tried to log on we get the following message... The user profile service failed the logon. User profile cannot be loaded. We went to Microsoft and followed the directions for booting in Safe mode and then going into user settings and then "Create another account". Except the problem is when we click create another account nothing happens.
Can anyone help us out? Thank you!
-
To back up the data you could use OTLPE on a CD and then use a USB to transfer data.
Please print these instructions out so that you know what you are doing.
• Download OTLPENet.exe (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
• Reboot your system using the boot CD you just created and an XP style desktop will be opened.
-
Thank you! Have the OTLPENet.exe downloading now and will burn to cd.
-
I have the CD ready. When she gets back she will get out the external hard drive which attaches by USB and we will give this a try.
Do I just right click and delete to remove from my computer?
Thanks!
-
Yes that will remove it from the desktop, if you like I can check out the system to see if there is an easy solution :)
-
Yes we will do that. The main thing she wants to do right now is get everything she can off the laptop and onto her external hard drive. Hopefully we will do that tomorrow. I had a class that I attend on Monday nights and had to leave and she didn't want to try things by herself. Once she has everything off that she wants off and we don't have to worry about losing things I will let you know and we can get the process started. Thanks a Bunch!!!
-
No problem let me know when you are ready, I will monitor this thread
-
Sorry for the delay. She and I both have been super busy and now a virus is making its round around the house. I must be doing something wrong, I have tried twice to reboot her laptop with the OTLPENet.exe cd in the cd drive and it is still booting in Windows 7 and is not accepting the password.
I must be doing something wrong.
Thanks for your help!
-
Do you have the computer set to boot from CD ?
Note: If you do not know how to set your computer to boot from CD, follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
-
Thank you! Upon trying this I got a Blue Screen stating the following... "A problem has been detected and windows has been shut down to prevent damage to your computer.
If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check for viruses on your computer. Remove any newly installed hard drive or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer."
Technical information:
*** STOP: 0x0000007B (0xF78DA528, 0xc0000034, 0x00000000, 0x00000000)
For now leaving the laptop running with this screen up.
Thanks!
-
That is indicating an inaccessible boot device. From safe mode can you access command prompt at all?
-
Let me try. First do I just push the power button to shut down and close the Blue Screen?
-
Yes shut down and see if you can access the command prompt on the safe mode menu
-
I chose Safe mode with command prompt and have the black Safe Mode screen a box at the top that says Administrator: cmd.exe and some writing in the box looks like pretty standard info at the top of the box, then says...
C:\Windows\system32>
-
Excellent, at the command prompt type the following:
chkdsk c: /r
Allow it to complete and try a reboot
-
This is the response it gave...
The type of the file system is NTFS.
Cannot lock the current drive.
Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? <Y/N>
-
Select yes and then reboot the computer
-
Thank you! Going to show more of my ignorance here, of course part of it is I don't want to mess up. I chose yes so now how do I restart from Command Prompt?
-
Once you have pressed yes then type exit
Once done reboot using the power key :)
-
Anything I should watch for while it does the disk ck or just let it do its thing? So far it is on stage 3 of 6 and I guess everything is showing ok right now.
-
Yes just let it do its thing, and let it reboot on completion. Let me know if it allows access, if not we will look at something else
-
Nope did not allow access. Still getting the message The User Profile Services service failed the logon. User profile cannot be loaded.
-
OK moving on..
At the command prompt type the following :
net user administrator /active:yes
Then try a reboot and you should be offered an additional Admin account.
Log in using that
Let me know if that works
-
I now have an administrator account. Now to just figure out how to access her photos and data in the original account. Thank you so much!
-
OK what you need to do now is create a normal administrator account (you are using the hidden system one at the moment)
Details here http://www.bleepingcomputer.com/tutorials/create-new-user-account-in-windows-vista-7/
Then once the new account has been created copy all the old user data to this one. http://support.microsoft.com/kb/811151
You may need to take ownership, if so let me know and I will give a reg tweak to enable that by a right click option
-
New Administrator account created. I have not been asked to set a password yet. As far as copying the data, when I go to User Accounts my only choices are Create a password for your account, Change your picture, Change your account name, Change your account type, Manage another account and Change User Account Control settings. On the left hand side of the window is Control Panel Home, Manage your credentials, Create a password reset disk, Link online IDs, Configure advanced user profile properties and Change my environment variables.
As the following instructions state to use the Advanced tab, I do not see an Advanced tab.
Create a new user profile on the domain computer
Log on as the Administrator or as a user with administrator credentials.
Click Start, and then click Control Panel.
Click User Accounts.
Click the Advanced tab, and then click Advanced.
In the left pane, click the Users folder.
On the Action menu, click New User.
Enter the appropriate user information, and then click Create.
As the following instructions state, there is not a Pick a task.
Create a new user profile on the workgroup computer
Log on as the Administrator or as a user with administrator credentials.
Click Start, and then click Control Panel.
Click User Accounts.
Under Pick a task, click Create a new account.
Type a name for the user information, and then click Next.
Click an account type, and then click Create Account.
Thank you!
-
Would the difference be that the operating system is Windows 7 not XP?
-
My apologies I am sure I got the windows 7 steps :-[
As you now have the new admin account
http://windows.microsoft.com/en-us/windows/fix-corrupted-user-profile#1TC=windows-7
-
Thank you! So far so good. I do have a question the instructions say
Select all of the files and folders in this folder, except the following files:
Ntuser.dat
Ntuser.dat.log
Ntuser.ini
I do not see those listed at all. Do I need to open each folder and move things individually or can I just highlight the 12 folders and transfer that way? The names of the folders are...AppData, Desktop, Downloads, Favorites, Links, My Documents, My Music, My Pictures, My Videos, Saved Games, Searches and Tracing.
-
Select them all and when it gets to these files :
Ntuser.dat
Ntuser.dat.log
Ntuser.ini
it will ask whether you want to overwrite, answer NO, as those files are the cause of the problem.
-
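Added example, not part of the original thread: the same profile copy done from an elevated PowerShell prompt with robocopy, which skips the three hive files by name instead of relying on an overwrite prompt (Explorer hides those files by default). C:\Users\Owner is the profile folder named later in the thread; NewUser, the log path and the -ListOnly switch are assumptions.

```powershell
# Added example, not from the thread. Copies a damaged profile's data into a
# new profile while leaving the new profile's registry hive files untouched.
# Assumptions: C:\Users\Owner is the old profile (the folder named in the
# thread); "NewUser" is a hypothetical name for the replacement account.
param(
    [string]$OldProfile = 'C:\Users\Owner',
    [string]$NewProfile = 'C:\Users\NewUser',
    [string]$LogFile    = "$env:TEMP\profile-copy.log",
    [switch]$ListOnly   # preview what would be copied without writing anything
)

# Refuse to run if either folder is missing, so a typo cannot create a stray tree.
foreach ($path in $OldProfile, $NewProfile) {
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        throw "Profile folder not found: $path"
    }
}

$robocopyArgs = @(
    $OldProfile, $NewProfile,
    '/E',            # all subfolders, including empty ones
    '/COPY:DAT',     # data, attributes, timestamps; ACLs are inherited from the new profile
    '/XJ',           # skip junctions such as "Application Data" to avoid recursive loops
    '/XF', 'ntuser.dat*', 'ntuser.ini',   # the hive, its log files, and the ini
    '/R:1', '/W:1',  # one retry, one second wait, so a locked file cannot stall the run
    '/NP',           # no per-file progress percentages in the log
    "/LOG:$LogFile", '/TEE'
)
if ($ListOnly) { $robocopyArgs += '/L' }   # /L lists files only, nothing is written

& robocopy.exe $robocopyArgs
$code = $LASTEXITCODE

# Robocopy exit codes are a bitmask: 8 means some copies failed, 16 is a fatal error.
if ($code -ge 8) {
    Write-Warning "Robocopy reported failed copies (exit code $code). Review $LogFile."
    exit $code
}
Write-Host "Copy finished (exit code $code). Log: $LogFile"
exit 0
```

Running it once with -ListOnly and reading the log shows exactly which files would be copied before anything is changed.
-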
Well, I did not get asked about either of those, the folders transferred but they are all empty. Her AVG automatically found some items that it supposedly removed. Would that have removed actual photos etc.?
-
No. Where were the photos stored, can she recollect?
-
I think I just found them!!!! I decided to click on Users then Owner which is her profile and I found photos!!! Going to ask her if this is all of them.
-
You may be able to keep the computer up and running, copy all the data to the new user profile (as well as backing it up). Then try it for a while and see if it works
-
In the process of transferring to the External Hard Drive. She has never done a back up!!!! Said she doesn't know what that means! We have all the photos and documents transferred. Transferring Videos now, then will check the folder for other items and transfer those as well. Once we get everything off of the laptop and on to the External Hard Drive, she says we can do whatever we need to do. I really want to uninstall McAfee and AVG and install Avast and Malwarebytes. Those are the programs I am familiar with and really love. Do I need to remove the old User profile that is no longer accessible? If so how do I do that? We are supposed to be having some major storms tonight and when they come in, we completely shut down our computers and unplug them. Better safe than sorry! Oh, by the way, my daughter said she wishes you were nearby instead of another country because she would give you a big hug. Our granddaughter is just 4 and there are many many many months of photos and videos you helped us to save.
Thank you very much!
-
Well now that I think I have all files transferred, I am unable to eject the External Hard Drive from the computer. She wanted me to eject it so as to not risk losing any of the data that was transferred. For the life of me I cannot figure out what program is open that is still using it. Any ideas?
-
Well now that I think I have all files transferred, I am unable to eject the External Hard Drive from the computer. She wanted me to eject it so as to not risk losing any of the data that was transferred. For the life of me I cannot figure out what program is open that is still using it. Any ideas?
You could simply power down the Computer in the normal way.
Once the computer has turned off, it will be safe to remove the External Drive. :)
-
That is what I was thinking about doing but wanted another opinion. Any chance some of the files are still transferring even though it looks like they are completed?
-
Avast Full Scan found two items and was not able to repair them so moved them both to chest. A boot time scan was needed to finish the clean up and some program would not let it do so. What I decided to do since I can't leave the laptop running all night because of the storms that are coming in. I have scheduled a Boot time scan the next time we boot.
The two items that were found were...
win32:Adware-AZL (ADW)
win32:Notre
Now I am wondering if I need to do a virus scan of her external hard drive.
Thanks again!
-
Once you are sure you have everything transferred then just delete the corrupt account http://windows.microsoft.com/en-gb/windows7/delete-a-user-account
One hug accepted :)
Powering down the computer will enable you to remove the external drive safely
For imaging the drives I use Macrium reflect and it works like a charm, I had to use it yesterday and I was back up and running in 15 minutes from start to finish http://www.macrium.com/reflectfree.aspx
I can look at the computer for you to determine what malware is present and remove it
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
-
I need to let her confirm that everything is on her External Hard Drive. Is it normal for an External Hard drive to make noise when transferring data? Or is that a sign of one that is so old it is about done all it will do? I have the system doing the Avast Boot Scan right now. It just got too late last night and then the storms moved in.
Showing my ignorance here, what does imaging the drives mean? Is it a form of backup? If so where is the data stored?
Yes we want you to look at the computer to determine what else might be there and what else we should do. I figure that after the Boot Scan is completed that I need to go ahead and update her Malwarebytes and run a scan. I discovered yesterday that she actually had Malwarebytes so either she or her ex-husband listened to me on that one.
Hopefully she can ck for the files today. She doesn't go in to work till this afternoon but is out running errands right now.
Thanks again!
-
A disc image is basically a copy of your entire disc drive that you save onto an external USB drive (or a very large USB flash drive)
Some backup programs only back up user files; boot information and files locked by the operating system, such as those in use at the time of the backup, may not be saved on some operating systems. A disk image contains all files, faithfully replicating all data
Then if all goes to hell in a handbasket you can restore the entire drive back to the state it was in when you imaged it
-
Wow! I like that! Will have to do that myself. Thanks!!!
Well, I thought they listened to me. When I opened Malwarebytes it was 805 days since the last update!!!! Did an update and the scan has been going for a little over 4 minutes and has already found 11 items!
My daughter says she may not have time today to ck to see if we got all the files she is wanting so will have to wait on her before removing the corrupt account. I am assuming we need to wait till we get that account removed to proceed with any of the other procedures.
Thanks again!
-
Nope we can continue even with it on there
-
The Malwarebytes is now finished. I am attaching the log files one before removal of 85 items and one after removal. It hits me now I probably should have done virus scans before transferring her files. Guess I need to hook her External Hard Drive and scan it with both Avast and Malwarebytes.
I have not done the Farbar Recovery Scan Tool yet. Will download after I send this message.
Well when attaching I notice I only have one log saved. I don't know what happened.
-
The Farbar has two results. Both are attached.
-
There appear to be the remnants of some bad infections there, so I would like to check out the MBR as well for an inactive TDSS
Download the attached Fixlist.txt to the same location as FRST
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Download the latest version of TDSSKiller from here (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
(https://dl.dropbox.com/u/73555776/tdss%20start.JPG)
- Then click on Change parameters.
(https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG)
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(https://dl.dropbox.com/u/73555776/tdss%20threat.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(https://dl.dropbox.com/u/73555776/tdss%20report.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please attach its contents on your next reply.
-
I think that was the wrong file. Well having trouble getting it to where I can attach it. working on it.
-
Trying this again!
-
There should be a fix.log with FRST could you attach that, as you attached my fixlist :)
Once the TDSSKiller has run could you let me know how the computer is behaving please
-
I am totally confused either it wasn't there a few minutes ago before the restart or I just totally missed it.
-
Not a problem :) It killed what I wanted
-
Part of my trouble is when downloading in Chrome it saves everything to a download folder. I don't know how to send to the desktop. Is running TDSSKiller from the downloads folder ok?
-
Yes it should run OK from there
I will be going off line shortly so I will (hopefully) finalise all this tomorrow
-
I realize that we are on different time zones. I think I will wait till tomorrow am here to run the TDSSKiller that way if I have questions or an issue you might be online. I do appreciate all of your help. Have a nice evening, night whatever the case may be.
-
I'm baack :)
-
Good Morning! Is Arnold Schwarzenegger at your house today?
I am fixing to run the TDSSKiller
-
Well, This is surprising 0 objects found.
-
Nope, it was just that I wanted a double check :)
OK the big question ... How is the beast behaving ?
-
Thanks! I would say the beast is misbehaving a little. It is running rather slow at times. I did just remove the remnants of a trial PC Tune Up product that kept popping up. I know that there are updates waiting to be downloaded and installed so that may or may not help. I also know that her ex-husband is a big "gamer" and I figure there are things on here from those games that can be removed but not sure how to figure that out. Also, I figure it probably needs a defrag.
What I can do to try and test it out is instead of doing my online stuff with my desk top today to use her laptop and I will tell her to do the same.
Using it is the only true way to test it out.
-
That's the way, I would reckon that there is also a lot of temporary junk on the system. I will clean that out with this small programme and then tidy away all the tools
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
THEN
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755).
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)
Keep safe :wave:
-
Will start this later this evening. Had to make a trip to the Chiropractor and now taking food to someone whose wife has been in the hospital for over a month. Thank you! Will update you later.
-
No problem, in your own time. I am in no rush :)
-
I know Essexboy is not online right now, but I am hoping that one of you are online. I started the TFC at 8:03 and it is still running and it is now 9:07. It says that it is Emptying RecycleBin. Do not interrupt. I have no doubt that this laptop is full of stuff needing to be removed and I am assuming I just let it keep on doing its thing.
I guess my question is does this scan take a long time from time to time?
Thanks!
-
I guess my question is does this scan take a long time from time to time?
It can, patience. :)
-
Dependent on how much junk there is it can take a while, also the boot may appear to stop for a while as it does the deep clean
-
Hmmmm, It is now 7:30 am, almost been 12 hours and it apparently is still Emptying RecycleBin. Maybe by the time we get back from Worship it will have progressed some.
To give you an idea of how much junk..... "Windows Temp folder emptied 1177188531 Bytes". I don't know if it will hurt anything to scroll up while it is doing the test and give you any more info or not.
Thanks!
-
Essex covered what I said.
-
Aye that is a while, stop TFC by closing it then reboot
-
I can't click to exit. the pointer is just spinning.
-
OK use the shutdown button
-
Forced the shut down and am now booted up again. Sorry for the delay, we had lunch with friends.
Do I go ahead and let windows update now or should I wait?
Thanks!
-
No problem :)
Yes complete the updates and then defrag the drive on completion. Let me know how the system is on completion
-
Will do those items and then the Delfix. Just remembered I haven't done it yet.
Thanks!!!
-
Do the delfix prior to defrag as that will remove all tools :)
-
ok. That makes sense. Thanks!
-
Downloading the CryptoPrevent now. The DeFrag took awhile so it probably really needed it.
Would it be a good idea to download the CryptoPrevent on our other systems also?
Will use the laptop for a few days and report in.
Thanks a bunch!!!
-
Well, I spoke too soon. I don't see a download link and I learned the hard way a long time ago not to click unless absolutely certain.
Thanks!
-
Well, I spoke too soon. I don't see a download link and I learned the hard way a long time ago not to click unless absolutely certain.
Thanks!
Prevent CryptoLocker from installing http://www.foolishit.com/vb6-projects/cryptoprevent/ (http://www.foolishit.com/vb6-projects/cryptoprevent/)
-
The download link is right at the bottom of the page, use the installer
-
Direct Download link for CryptoPrevent so you don't have to search...
http://www.foolishit.com/download/cryptoprevent/