Problems Installing SP2

AndyManchesta

Hi again

I received an email from someone who was infected with a
trojan startpage variant (svcnt.exe, shdocsv.dll). We
managed to clean everything up easily enough using HijackThis
and the cmd screen, but I noticed he didn't have Service
Pack 2 installed. I advised him that now things are clean it
would be good to upgrade to SP2, but he said he keeps
having repeated problems with this.

His log is now clean except for CDILLA, but he has
installed this and uses the program, plus it's also got a
file in his drivers folder, so I'm not sure if this is
affecting him downloading SP2.

I've not seen this problem upgrading before, but I told him
I'd post it on here to try to get some feedback.

This is the reply he sent:

----------------------------------------------------------

I have tried to update my computer several times to
Service Pack 2. I first tried updating "live" online. I
then tried downloading the software from Microsoft.com
and tried installing it offline. I then had Microsoft
send me the software upgrade on CD and tried installing it
from the CD. In each case the installation begins, but
then freezes when it gets to the updating of the
registry. I think my next step might be to reformat my
hard drive and reinstall the operating system
from scratch. Any thoughts on the subject?

----------------------------------------------------------

I'd like to think there is an alternative to reinstalling
his OS, as his Hijack Log is now clear, but I've not come
across this before, so thought I'm best posting his
comments to see if anyone knows what might be causing
this?

Thanks Andy
 
Bill Sanderson

It has been a good long time since I did any troubleshooting of SP2
issues--I don't think I ever ran into any myself directly.

One of the public XP groups would be the best bet--probably "general"--I
suspect.

Has he also done clean scans with a competent antivirus?

I believe there's a log file on the SP2 install attempts which somebody who
is familiar with it might make sense out of--but I don't even have the name
handy--I believe I blew mine away when my disk space hit zero a few times
: )
 
AndyManchesta

Thanks Bill

Sorry, I thought I posted this in 'Online Community'. I
just realised when looking for it that it's posted here. I
only received the email late last night (UK time), so
thought I'd post on here before I went off.

I believe he has at least run Trend's HouseCall, but I will
have to confirm this with him. I'm the same, I've never had
this problem when installing SP2, so I wasn't sure of the
solution.

I will try to find out where the error log is produced and
see if he can post the contents on here, maybe the general
newsgroup as you suggest. Apart from CDilla, which I think
is unrelated, I cannot see any problem with the HijackThis
log he sent besides the Trojan entries, which were
deleted. Maybe something has corrupted his install in
some way, so I'll see if he can run the System File Checker
(SFC /SCANNOW) then try upgrading to SP2.

It would be a shame if he had to reinstall, but it's hard
to know what's causing it at this stage.

Thanks for the advice, Bill. I will repost or ask him to
post here if he can locate the error log.

Regards

Andy
 
Tom Emmelot

Hello Andy,

see lots of trouble with other software and CDILLA, so the
install of SP2 also?

Regards >*< TOM >*<

AndyManchesta wrote:
 
AndyManc

Hi Tom

Sorry, I didn't fully understand the question. If you think
CDilla may be connected to his problems then I will try to
find a bit more out about CDilla. I pointed out to him he
had CDilla, but I also said I didn't see it as much of a
threat if he had downloaded this himself and uses the
program.

I've never come across CDilla myself, so I didn't want to
say if it's malicious or genuine, but could see it was
running as a service and also had a file in the drivers
folder. My focus was just on the Trojan, which had files in
a few areas.

I really do not know anything about CDilla except Spybot
has a default setting to ignore it, but I will check up on
that and see if it is a threat.

These were the 2 entries:

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE

I will check on CDilla. As you know, I've got a bit of time
off now after the accident I had at work, at least for the
next week anyway, so I've got spare time to mess around on
the PC, which is a nice change ;)

I'll repost if I get any news on the cause of this
problem upgrading to SP2.

Thanks Tom

Regards Andy
 
AndyManchesta

I think there are still issues on this PC because I got a
reply saying the scans from Trend Micro are cancelling
before they finish. Maybe CDilla isn't helping, but I'm not
sure if this is the only problem, but it's not clear by
reviewing the Hijack Logs what this might be. I've replied
with some links from MS and the address to ask MS for
assistance, plus have posted Trend's damage clean up tool
and various online scanners, plus other suggestions about
running the System File Checker, so I'm sure now it's
looking like malware-related problems it shouldn't take
too long to clean, and then hopefully he can upgrade to
SP2.

Thanks Tom & Bill for the suggestions. I've told the user
I've posted his problem on here, so hopefully if it's not
cleared up he will post a reply to make it clear what
steps he has taken, to make finding the solution easier.


The links I posted were these:

To request help from MS about install problems:

https://support.microsoft.com/oas/default.aspx?med=chat&prid=8101&trl=so&enty=pidless&gprid=273354&enval=8101&ln=en-gb&x=7&y=10&as=1

Info Topics regarding SP2 :

http://support.microsoft.com/kb/885523

http://support.microsoft.com/kb/837783/

http://support.microsoft.com/kb/885626



Regards

Andy
 
Bill Sanderson

The log for the service pack install will have a name that relates it to the
service pack--and it will be very long.

I'd recommend just posting the last (some reasonable number) lines.
 
Bill Sanderson

Good links.

I think this customer is probably a candidate for direct help from the free
PSS support line.

SP2 is a security patch in my view, anyway--and he's had virus and spyware
issues--so he may want to go that route--if anyone can help him get SP2 on
there in the least-cost way, they should be able to.

US and Canada: 1-866-pcsafety

Rest of the world: Call the local Microsoft office, subsidiary, or paid
support phone number, and ask for the free support for virus or security
patch issues.
 
AndyManc

Thank you, Bill

He is in the US. I forgot all about this number, so I
appreciate you posting this. I will have to save it so I
remember for next time. I will forward your posts to him,
if that's OK, just in case he doesn't visit this newsgroup, as
I'm sure they will help him.

Regards

Andy
 
Steve Moss

While PSS will hopefully be able to sort your customer out, if he has a
registry issue (it sounds feasible, in which case it may be difficult
to troubleshoot) then it may well be worth while him running a registry
clean and optimisation before trying once more to install SP2. There
are a number of tools available for this purpose, but Registry Mechanic
5.0 comes to mind - you will find this at www.pctools.com.
 
OldBoy

AndyManc said:
Hi Tom

Sorry, I didn't fully understand the question. If you think
CDilla may be connected to his problems then I will try to
find a bit more out about CDilla. I pointed out to him he
had CDilla, but I also said I didn't see it as much of a
threat if he had downloaded this himself and uses the
program.

I've never come across CDilla myself, so I didn't want to
say if it's malicious or genuine, but could see it was
running as a service and also had a file in the drivers
folder. My focus was just on the Trojan, which had files in
a few areas.

I really do not know anything about CDilla except Spybot
has a default setting to ignore it, but I will check up on
that and see if it is a threat.

These were the 2 entries:

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE

I will check on CDilla. As you know, I've got a bit of time
off now after the accident I had at work, at least for the
next week anyway, so I've got spare time to mess around on
the PC, which is a nice change ;)

I'll repost if I get any news on the cause of this
problem upgrading to SP2.

As I recall (vaguely!) CDilla uses some 16-bit executable.
Why not simply remove or uninstall CDilla and install SP2?
....
I just found this: http://www.pinwire.com/article67.html

Jan
 
AndyManchesta

Thanks Jan

I've already said the same as you to him after receiving
Tom's reply: if after trying other online scanners the
problem is still there, then remove CDilla, and if he wants
to use it then reinstall it again after he upgrades.

This is why I posted it, as I've never used CDilla, so was
hoping people like yourself would have better experience
with it, as I didn't want to leave the user (Paul) with
problems. I've sent him the posts off here so he can get
shared views on what's causing him problems, and hopefully
when he gets time he will be able to find the solution
easily enough.


Regards Andy
 
AndyManc

Thanks Steve ,

I will forward all these posts to his email in case he
doesn't make it to the newsgroups to read them. It's hard to
help sometimes through emails and to know what's causing
the problem, so I thought posting it on here would be the
best move, as I know there are a lot of experienced helpers
on here, and I'm sure with all these views he should be
able to clear the fault.

Thanks for posting Steve


Regards

Andy
 
Ron Chamberlin

Andy,
I would also go to the MS Site, and grab the TVMedia cleaner and the July
Malicious Software Detection Tool.


Ron Chamberlin
MS-MVP
 
Bill Sanderson

I opened my mouth too quickly in a chat today and learned something about
the Malicious Software Removal tool.

This was the monthly security chat, and there was a gentleman hogging the
bandwidth, so to speak. He asked about whether the Malicious Software Tool's
cumulative nature was going to lead it into conflict with Microsoft
Antivirus (that's the name they used.)

I replied that the MSRT wasn't cumulative.

Matt Braverman replied that it IS cumulative.

I didn't know that!

I had thought that this tool was a bit like Stinger--targeted each month
toward a small number of hot bugs. In fact, it keeps covering more bugs.
And it includes one complete family of rootkits, and parts of another (which
isn't listed in the support pages because not all variants are removed.)

So--this tool is more useful than I had realized as a toolkit item.

 
AndyManchesta

Thanks Ron

Sorry, I've just noticed you added a reply to this. There
isn't anything obvious in the Hijack Log and I did check
each entry 1 by 1 to be sure. There were a few suspect files,
but these were related to the trojan, and I gave
instructions on how to remove them all using the cmd
screen, first by taking away any hidden or read-only
status, then deleting the files. He replied that it worked
great and he now has his homepage back, but I've not
contacted him since. I've forwarded all the views from here
to him and said if he has any issues or problems then
contact me again anytime.

I will send your comments to him because this is another
possible solution if he does have something hiding on his
system. There was tons of stuff on this PC which I could
see using the Hijack Log he sent, so it's possible there is
an entry that is using a genuine filename but is there for
malicious reasons.

I've not had an updated Hijack Log from him since offering
my removal advice and sending these views from here, so I'm
hoping he found a solution. I know some people would write
back if things were solved, but there again some people,
once a solution is found, then forget to reply and carry
on until they have more problems.

I've obviously helped this guy before with malware issues,
because after he removed the entries I told him were
connected to the trojan he said I'd done it again and
solved his problem, but exactly when this was I cannot be
sure. Then the SP2 issue came up, so I wanted to try to find
him a solution, which I'm hoping has been done with all
these views.

I will forward your comments to his email, then assume
this is fixed until I hear otherwise. Thanks for adding
your opinion, Ron. It's great to know I can receive support
through this site, and hopefully I won't have to post
topics too often on here, but again it's great to know the
help is there if it's needed.

Thanks To Everyone who has offered their views on this

Best Wishes

Andy
 
Guest

Sir, even though you cleaned the spyware, it could have
caused problems already. Some system files may have been
modified or deleted. Try viewing the system error log, or you
can try installing in safe mode.
 
