Cannot Create Process Alert

About every 10 - 15 mins I get a small square pop up that says "Cannot Create Process" Is this something to be concerned about or is it just extremely annoying. I run VISTA.

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:

• Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  
• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  
• If you have already asked for help somewhere, please post the link to the topic you were helped.
  
• We try our best to reply quickly, but for any reason we do not reply in two days, do one of two things:
  
  Reply to this topic with the word BUMP, or
  see this topic.
  
  
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

---

We need to do some diagnostics to get started.

1. Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  
• It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  
• Please post its log in your next reply.
  
• After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

2. Download MBRCheck to your desktop.

• Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  
• It will show a black screen with some data on it.
  
• A report called MBRcheckxxxx.txt will be on your desktop
  
• Open this report and post its content in your next reply.

3. Please download Cheetah-Anti-Rogue by me, and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  
• Double-click on Cheetah-Anti-Rogue.cmd to start.
  
• It will finish quickly and launch a log.
  
• Post the contents of it in your next reply.

4. In your next reply, please post the following logs for my review:

• MBRCheck log (2)
• Cheetah log (3)

Thanks!

sorry i did not get an email alerting me of your response. i will try this now. :smile2:

ok

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Deb on 07/29/2010 at 14:55:57.


Processes terminated by Rkill or while it was running:


C:\Users\Deb\Desktop\rkill.com


Rkill completed on 07/29/2010 at 14:56:03.


MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0

\\.\D: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 Unknown MBR code





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Cheetah-Anti-Rogue v1.5.1
by DragonMaster Jay

Microsoft Windows [Version 6.0.6002]
Date: 07/29/2010 - Time: 14:59:21 - Arch.: x86


-- Malware removal tools check --
Trend Micro HijackThis 2.0.3
Malwarebytes' Anti-Malware


-- Known infection --



Extra message: Detection only.


EOF

Run MBRCheck.exe

• Run MBRCheck.exe
  
• Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
• Please push the 'Y' key and then press Enter
  
• When program ask you Enter your choice: enter 2 and press the Enter key
  
• Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  
• Enter 0 and press the Enter key.
  
• The program will show Available MBR codes:, followed by a list of operating systems. Please enter the number for Windows Vista, and then press Enter.
  
• When asked Do you want to fix the MBR code? type in YES and press enter
  
• Restart your PC.

Once done, please post a new MBRCheck log.

Via my iPOD: did what you said. After restarting now I can't get my computer to load. I get a black screen that says I need a disk or something then tells me to press enter to continue startup and I get another black screen. They shift between each other. What happened. This is the 2nd time one of the techs here have changed my system where I can't log on. What can I do if I cNt get past the black screens to fix anything?

Seems like the MBR fix failed with MBRCheck.

If the MBR is damaged, the BIOS cannot locate and start the operating system. When your BIOS begins its check, but detects a damaged MBR or boot sector, you may see a message such as Invalid partition table, Error loading operating system, or Missing operating system. However, a simple fix of the MBR from a recovery mode will do the trick on getting the operating system started again.

With that said, do you have your Vista disc?

No. We are getting ready to move & everything is packed. I've never had to have any of my software available to fix these little glit he's in the past so I did not leave it out. Is there anything I can do without the disk to get my system to boot?

Since your OS cannot boot at all, the disc is definitely needed.

So basically you're saying, you've screwed up my computer & there's nothing I can do because I don't have a disk available to me that I've NEVER had to have accesible before. Aren't you guys supposed to make sure that the things you have us download are operational and bug free? Now I have a system that is in worse shape than it was before I came here. The whole purpose of this site is to help people with PC problems, not make them worse and then all we get is a "whoops, sorry."

Allow me to explain more.

The master boot record is a section of computer code that the BIOS loads and executes to start the boot process. When this code executes it transfers a control to the boot program stored on the boot (active) partition to load the operating system.

In other words, this code is important for your computer to boot, and not normally locked or protected. This makes it possible for malware writers (the bad guys) to write over that code, and put their own code in there. Although the computer would still boot, it would also load that code the malware author inserted in.

However, there are certain devices that may protect the MBR, and if the MBR gets damaged, the devices can cut access to the MBR, making it hard to re-write it.

When the fix for MBRCheck executed, it was blocked from fully re-writing the MBR code, causing the computer to no longer boot.

What we need is a recovery disc to help get it to boot.

What I was saying, is that the safest way to re-write the MBR is to use the Vista disc. However, this does not make it impossible for it to boot up again without the Vista disc.

Now, what we need to do is a little workaround, aka the hard way...in order to get the MBR re-written safely.

We can use this: The Ultimate Boot CD, which is a Windows Recovery Environment made to run special utilities and fix the Operating System...

Download the program to burn it, and read the instructions here: http://www.isoimageburner.com/

Download the ISO file for UBCD from here: http://ubcd.mirror.fusa.be/ubcd502.iso

The ISO for UBCD will be burnt using the ISO Image Burner.

Let me know when you have the CD ready, so we may continue fixing your computer.

Sounds like a great idea but you forgot something....I can't get into my system TO download anything, because of the fix tool you told me to use. How do you suggest we "workaround THIS the hard way."

You will need to somehow do it on another computer, or else we cannot move from this point.

Here's the problem with that. The reason my computer crashed is because of something I downloaded from this site that you recommended in the first place. Now you want me to use someone "elses" computer to download something from this site that you are recommending once again...can I use yours?

Hello DebC,

Malware writers make their infections destructive, especially during the removal process. And it is beyond our control that this kind of things to happen from time to time.

Unfortunately, you were infected with a certain type of malware that puts your computer it is now in the process of attempting to remove the malware.

The malware was in fact the trigger for the problem you're experiencing now, not the tool we used. It was the tool or there would be no other option.

We can try to use your recovery partition. What is the brand of computer you're using?

I run Vista but have no access to my disk as we are preparing to move. It was suggested that I download some things here to make a disk but I can't get into my system.

Ok, what is the brand of your computer? We can try to use your recovery partition.

HP G60-441 US Notebook PC.

On the black screen that I get it does say, "If you do not have this disk (the Windows Installation Disk), contact your system administrator or computer manufacturer for assistance.

File: \Windows\system32\winload.exe
Status: OxcOOOOOOe
Info: The selected entry could not be loaded because the application is missing or corrupt.

Hello,

1. Power on the computer
2. Press F10 repeatedly when you see the HP or Compaq logo.
2. When the recovery screen appears, press Next and then Yes to perform a non-destructive recovery.
3. To perform a destructive recovery, click Advanced and then Yes. (data will be wiped out)
4. After the recovery is finished, the laptop will reboot.

Hey Dr. Thanks for trying to help me. I did as you said, & after pressing F10 all I got was a two tone blue screen with an option to "Exit Save Changes. [Yes]. [No]. At the top of the screen, reading left to right says: Main - Security - Diagnostic - System Configuration - Exit. Rev. 3.5

What does this mean. There was no NEXT option. Thank you.

Hello,

Does the blue screen come with an error code? It usually looks like 0x000008E.

What happens if you try to access the recovery partition again?

I tried it again and it does the same thing. Doesn't seem to have an error code that I can tell on the blue screen. On the black screen under Status, it says 0xc000000e. Does that help? I wish there was a way for me to take a screen shit of the Blue Screen so you could see what it says.

Hello,

This infection has really screwed up the system. It can't even boot into the recovery partition. I'm afraid the recovery disc is the last option.

You're running Vista 32 bit right? You may order one from HP here and also keep it for future use:

https://warp2.external.hp.com/driver/dr_country_select.asp?Product=515690-002&lang=en&cc=us

Doc, sometimes the Recovery Partition cannot be access if the MBR is damaged.

Remember, the MBR is the table which gives instruction to the hard disk on where each partition is. If the MBR is corrupted, then the partition is probably not accessible.