TomW

I have an old Gateway Pentium 4 computer running XP SP3 that I use to send / receive email. In the last two weeks, I noticed the system would display a black screen when I started Internet Explorer 8 or Outlook Express 6. Rebooting helped sometimes. I researched the issue and found information that the user account might be corrupted so I tried using the Administrator account and also creating a new account, both of which worked initially but now I get the black screen in all user accounts but only when loading IE or OE. All other programs work normally. I suspected a hardware issue but if it is hardware, why would it only manifest in IE or OE? I also tried two system restores but the black screen behavior continues. I was using Avast when this behavior manifested irself. I am glad to follow the procedure here for requesting help but wanted to inquire first to get some feedback before requesting help. Thank you.

Installed 41 updates in Windows Update, rebooted, updated / ran Malwarebytes and got a "no malware found" dialog. My neighbor should be very pleased with our efforts to repair his computer. Thank you for helping and I hope this thread may be useful to someone else. (I was able to uninstall combofix with start/run/combofix /uninstall; how do I uninstall farbar, roguekiller, & wus_Fix.exe?)

Maniac- I appreciate your help and courtesy but must tell you I "violated the rules" when I did not hear from you yesterday. Specifically, I downloaded and tried to run Spybot but got an error saying "this application has failed to start because wtsapi32.dll was not found". So I retrieved a copy of wtsapi32.dll from c:\windows\servicepackfiles\i386 and put it in c:\windows\system32. Spybot then ran fine and found 82 "low threat" tracking items (which I did not delete). I then tried Chameleon and was suprised that it also ran and found 3 items which I did delete then rebooted and noticed the computer seemed "faster". I then tried Windows Update and was again surprised that Windows Update worked and presented 47 updates (which I have not yet done). So, if an apology is in order for what I did, then I apologize. Should we continue with our effots and run Repair_Windows.exe or just do the 47 Windows Updates and, if no further issues appear, consider the mission "accomplished"? Tom

Here are the two reports. RogueKiller V8.6.5 [Aug 5 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.adlice.com/forum/ Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://tigzyrk.blogspot.com/ Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : Dell [Admin rights] Mode : Scan -- Date : 08/17/2013 10:16:33 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 3 ¤¤¤ [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ ¤¤¤ External Hives: ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST340016A +++++ --- User --- [MBR] 5512ec6cd3addea38f44f1e4b3683781 [bSP] 6a485f659bdaa1fb04c52d495460461e : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38154 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[0]_S_08172013_101633.txt >> Farbar Service Scanner Version: 17-08-2013 Ran by Dell (administrator) on 17-08-2013 at 10:21:53 Running from "C:\Documents and Settings\Dell\Desktop" Microsoft Windows XP Home Edition Service Pack 3 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Google IP is accessible. Google.com is accessible. Yahoo.com is accessible. Windows Firewall: ============= Firewall Disabled Policy: ================== System Restore: ============ System Restore Disabled Policy: ======================== Security Center: ============ Windows Update: ============ Windows Autoupdate Disabled Policy: ============================ File Check: ======== C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit C:\WINDOWS\system32\netman.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\srsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit C:\WINDOWS\system32\wscsvc.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\wuauserv.dll => MD5 is legit C:\WINDOWS\system32\qmgr.dll => MD5 is legit C:\WINDOWS\system32\es.dll => MD5 is legit C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit C:\WINDOWS\system32\svchost.exe => MD5 is legit C:\WINDOWS\system32\rpcss.dll => MD5 is legit C:\WINDOWS\system32\services.exe => MD5 is legit Extra List: ======= Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x0700000005000000010000000200000003000000040000000600000007000000 IpSec Tag value is correct. **** End of log ****

Bleepingcomputer.com refers me to "the author's website" which is laden with adware. Is there another download link or should I try the link at MajorGeek?

I clicked the RogueKiller link in your post above and was taken to a French? website that referred me to an "english version" page which did offer to download RogueKiller but only if I accepted other ad-laden utilities in the download. Sorry, I do not want any more adware / malware. How about me downloading RogueKiller from http://www.majorgeeks.com/files/details/roguekiller.html?

I rebooted, went to Windows Update (still took 4 minutes for the Windows Update site to load), clicked the Express button, got the "files need to be registered" window, clicked "register", and got the "Registering 100%..." window which just stays on the screen.

My other neighbor brought me a Windows XP Home 2002 CD. I put it in the CD-Rom drive and ran SFC /scannow. SFC presented a dialog entitled "Windows File Protection" and said "Please wait while Windows verifies that all protected Windows files are intact and in their original versions." SFC completed (it was accessing the CD-Rom drive during the process) then I removed the Windows XP Home 2002 CD, rebooted, and went to the windows update site. After clicking the "custom" button, I got the "files need to be registered" window, clicked "register" and got another window saying "Registering: 100%...". The system seems to have stalled at the "Registering: 100%..." window (been at that window for about 10 minutes now). Should I close the browser and run WUS_Fix.exe again?

Certainly reinstalling will resolve the issue but my neighbor did not get the original Windows XP Home CD when he bought the computer so I do not have the Windows XP Home CD to use either with SFC or to reinstall the OS. Another of my neighbors has two Windows XP Home CDs from old computers - would one of them work to run SFC on this machine or must we have the Windows XP Home CD that came with this machine? Too many variables here.

Good suggestion as I had reached the point of running SFC before posting to this forum but did not pursue it because of (1) not having the Windows XP Installation CD, and (2) suspecting malware on the machine. Since I do not have the Windows XP Installation CD, it seems that copying the files from c:\windows\driver cache\i386 to a folder named c:\i386 then editing the registry to change SourcePath to c:\ before running SFC is the best alternative at this time. However, the present version of XP Home on the machine has SP3 and I am not sure if the files from c:\windows\driver cache\i386 are the original files or were they updated when service pack 3 was applied? Will SFC be looking for files in c:\i386 that are the "original install files" or will SFC be seeking files that have been updated by SP3? I have downloaded and extracted SP3 and it has an i386 folder. Should I use the i386 folder from the SP3 extraction to make the c:\i386 folder for SFC to find or use the files from c:\windows\driver cache\i386 to make the c:\i386 folder? Thank you.

I tried method 1 (Register the windows update files) as described in article 956703 then tried to access the windows update site. It took 4 minutes to access the windows update site then another 2 minutes to get to the "Files required are missing" screen. I then tried method 2 and got a popup for Microsoft Fixit which I tried to run and got a dialog that I needed .NET framework so I downloaded and installed Microsoft .NET framework 3.5 service pack 1 then ran Microsoft fixit for windows update and got a dialog that "we detected some problems with your system. However, we were unable to successfully apply all of the fixes." I tried to send the troubleshooter information to Microsoft four times but it failed. I then tried the windows update agent solution but it appears the computer already has the windows update agent installed as it can access the windows update site (but it takes 4 minutes to access the site). What is the next step? Thank you.

I downloaded wus_fix.exe to the desktop and ran it. A dos window opened then closed immediately. I rebooted the computer and tried to reach the windows update site. It took almost 4 minutes for the windows update site to appear onscreen after I clicked windows update on the tools menu in internet explorer. I clicked custom on the windows update page and it took two minutes for a page to appear saying "Files required to use Windows Update are no longer registered on your computer". I selected the "register or reinstall the files" option and got a page saying "the website has encountered a problem and cannot display the page you are trying to view".

I tried again to access windows update. The computer seems to "slow down" but does open the windows update site in about 4 to 5 minutes. I select the "custom" button and it takes about 3 to 4 minutes for the next window to open which says "Files required to use windows updates are no longer registered on installed on your computer. To continue, (1) register or reinstall the files, or (2) let me read more." I select (1), a window opens momentarily saying the files are being downloaded, then that window closes and another window opens saying "The website has encountered a problem and cannot display the page you are trying to view." Microsoft has a link on this page to a forum relating to windows update issues. I checked the forum and a user that is getting the "files required are no longer registered" error is told by a microsoft MVP that this is due to malware. Help please. Thank you.

I turned off system restore, waited about five minutes, then turned on system restore. What do you wish me to do to see "how things are"? Thank you. Tom

Though the second scan with the Eset Online Scanner appeared to have stalled, I followed your advice to "be patient" and the scan eventually completed after finding one threat (see the exported text file below): C:\System Volume Information\_restore{AF35803B-2934-4F02-B059-BB4DC83BB185}\RP1237\A0130851.exe a variant of Win32/Bundled.Toolbar.Ask.D application cleaned by deleting - quarantined What is the next step? Thank you. Tom