
"Windows cannot load the locally stored profile..."

  • 05-05-2010 4:53pm
    #1
    Registered Users, Registered Users 2 Posts: 1,501 ✭✭✭


    Hi,

    Got an HP Compaq 6820s (XP SP2) here and I'm either getting the above message at the login screen, or the laptop freezes, not allowing me to click on the user to log in with. I can log in with safe mode as an admin or into the desired profile.

    Unfortunately I don't really know what to do after that. Hoping someone has an idea of where to go from here. Thanks

    EDIT: Not even sure if this is the right forum, apologies if not

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:07:46, on 05/05/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.alot.com/?client_id=51B915A001CA50B40112DD2C&install_time=19-10-2009:05:04&src_id=11099&camp_id=350&tb_version=2.5.6.471
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=asst&client_id=51B915A001CA50B40112DD2C&src_id=11099&camp_id=350&tb_version=2.5.6.471
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.alot.com/web?q=&pr=auto&client_id=51B915A001CA50B40112DD2C&src_id=11099&camp_id=350&tb_version=2.5.6.471
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: WindowsKDD (winkdd) - Unknown owner - C:\WINDOWS\system32\winkdd.exe (file missing)

    --
    End of file - 7662 bytes
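
Added example, not part of the original post: a short Python triage pass over HijackThis v2 log lines like those above. It flags a UserInit value that launches anything besides the stock userinit.exe, browser add-on entries with no file behind them, and services whose binary is missing. The function names and the choice of checks are assumptions of this example; the sample lines are copied from the log in the post.

```python
import re

# Sample lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: WindowsKDD (winkdd) - Unknown owner - C:\WINDOWS\system32\winkdd.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A HijackThis v2 entry: section code (R0, F2, O23, ...), " - ", then the detail.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")


def userinit_extras(value):
    """Return UserInit programs other than <SystemRoot>\\system32\\userinit.exe."""
    programs = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in programs
            if not p.lower().endswith("\\system32\\userinit.exe")]


def triage(log_text):
    """Return (code, reason, detail) for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue  # header, process list, blank line
        code, body = match.groups()
        if code == "F2" and "userinit=" in body.lower():
            # Winlogon runs every comma-separated program in this value at logon.
            for prog in userinit_extras(body.split("=", 1)[1]):
                findings.append((code, "extra program in UserInit", prog))
        elif code in ("O2", "O3", "O9") and body.rstrip().endswith("(no file)"):
            findings.append((code, "browser add-on registered with no file", body))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service registered but binary missing", body))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}: {detail}")
```

A flagged entry is a prompt for manual review of that file or registry value, not a verdict on it.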


Comments

  • Registered Users, Registered Users 2 Posts: 1,704 ✭✭✭Doylers


    Throw in a recovery disk and see what happens. You're still on XP? Move up to Windows 7, visit >>> http://forums.mydigitallife.info/forums/16-Windows-7
    to see info about Windows 7.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Registered Users, Registered Users 2 Posts: 1,501 ✭✭✭gnolan


    ASJ112, thanks for the reply, but I have since solved the problem on techguy.org, cheers


  • Registered Users, Registered Users 2 Posts: 1,704 ✭✭✭Doylers


    You should thank him some more, his links all contained viruses, and not a common one; most anti-virus programmes wouldn't pick it up.


  • Registered Users, Registered Users 2 Posts: 1,501 ✭✭✭gnolan


    Doylers wrote: »
    You should thank him some more, his links all contained viruses, and not a common one; most anti-virus programmes wouldn't pick it up.

    What and who are you talking about?


  • Registered Users, Registered Users 2 Posts: 1,704 ✭✭✭Doylers


    ASJ112 posted a programme to help you fix your PC. I downloaded the file he linked because I had a feeling it was a virus and I was correct; he tried to get you to download one. I have a masters in computer forensics specialising in security. I know what I'm talking about.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Sadly you don't, Doylers.

    Would be nice if you did your research before making the claims you did. I've been helping out here and elsewhere removing malware for years, as I'm sure plenty of people will testify to.

    I reported both your posts insulting me, they are so off the mark. I suggest you read this

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    ComboFix is a malware removal tool, it is bigger than HijackThis (you probably don't know what this is either). It gets around a million downloads a month, and is the main tool used for removing malware in the community.


    If you look at any malware removal site, like techguy.org, you will see it being used in pretty much every post. I've said my bit. If you think what I posted was a virus then please report me as it's clearly against the rules.


  • Registered Users, Registered Users 2 Posts: 1,704 ✭✭✭Doylers


    ASJ112 wrote: »
    Sadly you don't, Doylers.

    Would be nice if you did your research before making the claims you did. I've been helping out here and elsewhere removing malware for years, as I'm sure plenty of people will testify to.

    I reported both your posts insulting me, they are so off the mark. I suggest you read this

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    ComboFix is a malware removal tool, it is bigger than HijackThis (you probably don't know what this is either). It gets around a million downloads a month, and is the main tool used for removing malware in the community.


    If you look at any malware removal site, like techguy.org, you will see it being used in pretty much every post. I've said my bit. If you think what I posted was a virus then please report me as it's clearly against the rules.

    My goal here is not to insult you or anyone, it's simply to present the facts I have found. I will post the result along with the hash values of the file to check authenticity. Regardless of its downloads per month the fact remains that it can do what it's designed to do which is fix a problem but also do malicious harm to a computer.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    but also do malicious harm to a computer.
    You shouldn't use such vague generic comments. Please tell me what harm it does to a computer. You don't know what you are talking about, and are only relying on false positives from shoddy anti-virus companies. You have no idea what combofix does and are only relying on what rubbish AV's say. If you study computer forensics then analyze the contents of the .exe file and report all the "damage" it does. Present some actual facts and details.
    My goal here is not to insult you or anyone, it's simply to present the facts
    You haven't presented any facts. All you have done is insult me and the developer of the tool, and every helper who uses it. Where are your facts? All I see is an uninformed opinion. For a tool that gets a million downloads per month, don't you think people would be complaining if it had a virus?


    Plenty of malware removal tools get flagged by anti-virus companies, especially from the average ones. To quote Quietman7, one of the admins at BC

    http://www.bleepingcomputer.com/forums/topic202133.html

    Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted program", or even "malware (virus/trojan)" when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes and malware strings it contains.

    Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. When flagged by an anti-virus, it's because the program includes some features or additional files that can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".


    If we were to follow your reasoning, then MalwareBytes is a virus, and not actually the most successful malware removal program out there at the moment. It has been flagged falsely as a virus by anti-virus programs before, clearly it's a mistake

    http://www.virustotal.com/analisis/a2afdc033da366ca6d82554c83b5778352718fb3aa54b10d4f7eaef0bbee4288-1268654863

    and

    File Download_mbam-setup.exe received on 04.20.2008 10:00:20 (CET)
    Antivirus Version Last Update Result
    DrWeb 4.44.0.09170 2008.04.19 Adware.Winfixer
    Kaspersky 7.0.0.125 2008.04.20 not-a-virus:Downloader.Win32.WinFixer.fs
    Norman 5.80.02 2008.04.18 W32/DLoader.GBVM
    TheHacker 6.2.92.285 2008.04.19 Aplicacion/Keylogger.a
    VirusBuster 4.3.26:9 2008.04.19 Adware.WinFixer.AH

    Additional information
    File size: 128368 bytes
    MD5...: 1a24617ee2180905b4d0daeb9b7d5135
    SHA1..: 3f31f250eb984e72c0895c73ce54562373e1a862
    SHA256: f4db5904e5948392adee9dd60db83c6b9ad4fa1d50da52ec59699b6ba8805882



    It's more embarrassing that you actually trust McAfee, which is easily the worst anti-virus program out there.


    I suggest you actually research things before you come in here making wild claims with no research or facts. I've been helping here for a long time.


    I just looked at the VirusTotal results again. Wow, you are actually going to trust such rubbish anti-virus programs as: Jiangmin, PCTools, and VBA32....

    Also, what is your point about the hash values? All you have done is list them.... Do you even know what you are supposed to do with hash values?


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Doylers, the tools that are used here are not viruses in themselves, but may be flagged as viruses because of information they need to have in order to be able to recognise viruses.

