My laptop running Windows XP Home was crashing all the time after installing flash media player. I tried using system restore but halfway through the laptop froze and tried to reboot. Now when I turn on the computer it comes to an error message on a blue screen:

STOP: c0000135 {unable to locate component}  
This application has failed to start because winsrv was not found.  
Re-installing the application may fix this problem.

I only received Easy Recovery CD's with the laptop and it wants to reformat my hard drive to fix it. I've important business files on the C: drive and can't afford to do this. I don’t know how to make a CD boot disk because my laptop only has a CD drive.

Help,

Chad Snow, Alexandra, VIC

If you downloaded Macromedia Flash Player from Macromedia’s website, it’s highly unlikely your problem has originated from there. I’d suspect that it’s merely a coincidence.

The Stop: error you’re experiencing is one which is most often related to one of a number of Spyware infestations, such as T.V. Media, Litmus Trojan, or similar. It’s quite probable that you’ve picked up an infestation from Web browsing or other internet-related activities, and possibly even tried manual deletion of files or run a Spyware removal tool which hasn’t been fully successful in removing the intruder. ‘winsrv’ is used by a number of quite nasty intruders, and the crash you’ve experienced while trying to use System Restore has obviously worsened the situation considerably.

AdAware should successfully remove T.V. Media, and manual removal instructions for Litmus Trojan can be found at ‘Dedicated 2-Spyware’ But those are only a couple of the possible intruders which could be causing the problem, so here is a list of general procedures to follow to clean up your system and get it going again. You’ll need to boot into ‘Safe Mode’ to get things working for starters. If your system is unable to do so, you’ll need to begin by attempting an ‘In-place upgrade’ of Windows, as mentioned below. You’ll also need some utility programs to use, so it’d be best to download them and copy them to CD first, on a working PC.

• AdAware
• Spybot Search & Destroy
• Trojan Remover
• Stinger
• Hijackthis

Optional:

• Spy Sweeper This is a commercial program rather than a free download. It’s very good, but as we always advise, you should not limit yourself to only one Spyware removal tool.

Ensure that you download the latest versions of the utility tools, rather than relying on older versions you may already have. These utilities should be continually updated! You may use a different tool for detecting and removing Trojans, and a different general purpose broad virus/Trojan tool as well, should you prefer another. I’ve used Trojan Remover and Stinger simply because those are the ones I personally prefer. Always use at least two Spyware removal tools.

When you’re ready, start the laptop and press <F8> before the Windows logo screen displays to access the option to boot into ‘Safe Mode’. Do so, uninstall any older versions of the programs you may have, then…..

• Install and run AdAware. Allow it to remove every instance of Spyware it finds. “Setting up and using AdAware”
• Reboot into ‘Safe Mode’ again and install and run Spybot. Allow it to remove every instance of Spyware it finds. “Using Spybot”
• Reboot and see if your system will boot into Windows normally. If not, reboot into ‘Safe Mode’ again and run Trojan Remover. Repeat the process using Stinger.

After you’ve used Stinger shut down the system completely rather than rebooting. Wait a minute and then power up again to see if the system boots into Windows normally. If not, there is only really one more procedure I can advise you to follow:

Perform an ‘In-Place Upgrade’ of Windows to repair the installation. Those people whose PC's come with a Windows XP installation CD can follow the procedure in “How to perform an In-Place Upgrade of Windows XP”. As your laptop is accompanied only by a ‘Recovery CD’ you will need to determine the correct procedure to follow. Read the product documentation thoroughly, and don’t hesitate to contact the Support Section of the laptop manufacturer’s website to request instructions for the procedure. There WILL BE A WAY to do it!

Note: If you are unable to successfully boot into ‘Safe mode’, you will need to attempt an In-place Upgrade as your first step to recovery of your system. If you have ‘File Encryption’ enabled on your data files and folders, you will need to disable the feature BEFORE you perform an ‘In-place upgrade’. “How to remove File Encryption in Windows XP”

The final tool I’d like to mention is HijackThis. Originally designed as a means of detecting and dealing with Browser hijacks, the tool is a very powerful one indeed, and should be used ONLY IN CONSULTATION WITH AN EXPERIENCED ANALYST. Only the most experienced and advanced PC users should attempt to use HijackThis to make changes to their system themselves. Beginners to Intermediate users should use it only to generate a logfile of
activity on their systems, and then follow expert advice to make necessary changes with it.

The tool will be rather useless if you cannot boot into Windows normally, because it relies on having all the ‘normal programs and processes loading at startup on your system, and that does not occur when you boot into Safe Mode. It can be very useful for persistent problems which defy the efforts of more ‘standard’ tools, and it can also be useful for cleaning up remaining traces of infestations which the more standard tools have failed to remove. Here’s what to do with it:

• Create a separate folder on your hard drive for HijackThis. Place it in the Root directory of the drive so you can easily locate it when necessary. (For example, start up Windows Explorer and open the C: drive. Create a new folder
• Unzip the download into the folder.
• Click on Start, Run and type msconfig then click OK
• On the Startup tab, ensure that ALL ENTRIES ARE TICKED. Reboot.
• Go to your HijackThis folder, run the program by double-clicking on it, and use it to ‘Scan’. When the scan is complete, copy/paste the log into a Notepad text file, for later use.
• Visit one of the many user forums found on the internet which encourage people to post HijackThis logs. There will be experienced people there who will advise you which entries to check for ‘Fixing’, and what steps to take for other reported problems which HijackThis cannot ‘fix’ itself. Remember, though, that the people contributing assistance on such Internet Forums are volunteers, and that there is no guarantee the person offering assistance is actually an ‘Expert’. Read the advice, have a look around the forum to check for comments which indicate that the person offering advice has actually been helpful to others, and then proceed to follow the advice once you’ve reassured yourself.

Suitable Internet Forums would include the ‘Security’ forum section at DaniWeb the ‘Malware removal’ section at Spyware Info forum and the ‘HijackThis’ forum section at ComputerCops Forum DO NOT SEND HIJACKTHIS LOGS TO HELPSTATION! We are not set up to examine them in detail. Use the program only as a last resort, when more ‘normal’ methods have failed. A guide to the various entries reported by the program can be found here and Advanced users might like to make use of it themselves, identifying entries and looking up removal methods for various items.

The tools and procedures described above should be enough to clean even the nastiest of spyware/malware intrusions. It may be enough to get your laptop working again and booting normally into Windows. If not, you could follow one of these alternatives to recover your important data files, prior to formatting and reinstalling:

• Remove the hard drive from the laptop, pop it into a USB external drive enclosure and copy the data files on it to a different PC. Save them to CD for later use.
• Take your laptop to a data recovery service to have the necessary data retrieved for you. This is a quite expensive course of action, and you’ll need to inform the service of just what it is you want recovered.

Those procedures should be enough to either get the system working again, or recover the important data. They are applicable more widely than simply for Chad’s particular problem, and suitable for use as a general strategy whenever the error message indicates a probable spyware related cause. They are NOT suitable for use where the error message indicates a probable hardware malfunction or hardware installation problem.

In closing, I’d also like to mention this:

Chad’s instance of this error message and problem occurred prior to the distribution of Windows XP Service Pack 2. Since the date of the Service Pack’s release, quite a few Windows XP users have experienced an installation failure for the Service Pack, and resultant system behaviour which is almost identical to that Chad has experienced, with the same error message. The behaviour most likely results from the presence of T.V. Media on the system.

To correct the problem in this circumstance, the procedures outlined in Knowledge Base Article 885523should be followed, and if people have problems successfully following the procedures, the various suggestions in this Anet Forum Discussion might be useful.

And one final point of interest:

Chad mentioned the matter of a bootable CD. If you head to www.bootdisk.com you’ll find all sorts of interesting things when you look around, including CD ‘.ISO’ images from which you can burn a bootable CD which will enable you to access files in NTFS drive partitions and on CD's. That capability could come in handy if you need to run a DOS utility and you only have a blank CD to put it on!

Further Reading for situations where the system will not start in either normal or Safe mode:

“How to configure System Failure and Recovery Options in Windows”

“How to start the System Restore tool at a Command Prompt in Windows XP”

Cheers,

Terry O'Shanassy