TrojanC-05 Continual Crash Poweroff

There were 6 Microsoft Security Updates on March 15th. Should I uninstall those?
No, it is unlikely that these are related to your issues.

I'd like to attempt a startup repair. First you will need to create a system recovery disk.

Create System Recovery disk
  • Click on the Start button.
  • In the Search programs and files text box type recdisc and press Return.
  • The Create a System Repair Disk window should open.
  • Ensure your CD/DVD writer drive is selected and that there is a blank disk in the drive.
  • Click on the Create Disk button and allow the process to finish.


Startup Repair
  • Ensure the CD you just created is inserted and restart the computer.
  • If prompted, press any key to boot from the System recovery Disk.
  • Select your language preferences and click Next.
  • Click on Repair your computer.
  • Select your Operating System and click Next
  • Select Startup Repair from the list and click Next.

If this runs successfully please boot into normal mode and see if there are any improvements in stability.
 
The Create a System Repair Disk window should open ....BUT IT DID NOT. Nothing happened at all.
In the Windows\System32 folder there is a file called rescue.exe but when I click on it nothing happens. I looked at its properties and for users and admin it should be 'read and execute' and for a "trusted installer" there are full control permissions.

What to try?
 
What to try next

I've tried booting to safe mode directory services repair. Could do more in that mode but eventually it cut off also.
Tried to get the events log from Everest Ultimate Edition, though it was such a large file, it eventually got near the end and then hung. Copied it into word but couldn't save in safe mode.

Also tried to check system stability while in Everest Ultimate Edition but again the power cut off even while in several different safe boot modes.

Cannot get to the recdisc.exe or recover.exe by any means at least in safe mode. Still cannot boot normally without power cutting off.

When I google ISO I can see that I can download vista rescue but don't know if these are legitimate options. It appears that there are only privileges for a 'trusted installer' to use the recdisc.exe and recover.exe. Perhaps either because I'm in safe mode or I have to take the laptop back and pay them to recover for me????

Also I cannot uninstall firefox for some reason, although I was able to uninstall the Java6 update without a problem while in directory service repair mode. The OTL still hangs when it gets to 'scanning firefox settings.' so I thought perhaps if I uninstall firefox it would work, though can't uninstall it.

Any other ideas? Appreciate your assistance and I really don't want to have to take laptop in for reinstallation. New battery and charger haven't arrived yet as expected.
 
Hi ASB2012,

I want you to download Kaspersky's rescue disk and create a bootable USB drive with it.

This will allow us to scan the computer outside of the Operating System (and hopefully whatever is causing the shutdown).

Download the following files to your Desktop.
http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/rescue2usb.exe

  • Run the downloaded file rescue2usb.exe.
  • On the Kaspersky USB Rescue Disk Maker window, click Browse... and select the kav_rescue_10.iso file downloaded earlier.
  • Under the USB Medium section select your USB device from the drop-down menu.
  • Click START.
  • Wait until the process is complete.

Configure the computer to boot from USB
  • Turn off the Computer
  • Turn on the computer and repeatedly tap either the DEL or F2 keys to enter the BIOS.
  • If neither of these work you may try the following keys instead: F1, F8, F10, F11, F12.
  • Look for Boot options in the BIOS and make sure that Removable Devices is top of the list.
More information http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange_3.htm


Boot to KAS Rescue
  • Restart your computer (with the USB drive inserted). After reboot, a message will appear on the screen: Press any key to enter the menu. Press any key...
  • Select English as the Language using the keyboard.
  • Press the 1 key to accept the agreement.
  • Select Kaspersky Rescue Disk. Graphic Mode

Update Anti-Virus Database
  1. In the bottom left hand corner click on the blue Start button and select Kaspersky Rescue Disk from the open menu.
  2. Select the My Update Center tab.
  3. Select Start Update
  4. If the update fails it will be due to a connection problem, either you need to enter your wireless settings or you have DHCP turned off at the router. See here for info on solving this problem.

Start Scan
  • At the Kaspersky Rescue Disk window go to the Objects Scan tab.
  • Check all the checkboxes and select Start Objects Scan.
  • If anything is found choose Skip. We will deal with it later.
  • When the scan is finished click on the Report link at the top of the screen.
  • Click on Detailed report and click Save.
  • Save the report to your USB disk and post its contents in your next reply.
 
Okay

I'll try this.
When I attempted to update Kaspersky earlier, the PC again shut off on me.
I took a look at the system stability report from Everest Ultimate Edition, but I couldn't make heads or tails out of it. It doesn't seem to recognize any fans,
but My Device manager says that the ACPI Fan is working properly.

I received the new battery and charger which I will charge up tonight and see if it helps. It may be tomorrow before I can get back with you.
Thanks for your assistance.
 
Hi ASB2012,

If the PC shut off while you were running the Kaspersky Rescue Disk, then the problem is hardware related and not malware or software.

All of the scans I have run so far have not shown any infection. The PC shutting off while running KAS Rescue disk tells me that the fault is present when Windows is not running. Therefore the problem must be hardware related.

Everest not picking up your fans may just be that it does not recognise that particular fan. Device manager will only tell you that the driver for the fan controller is working properly. It does not know if the fan is spinning or not.

If you continue to have shut down problems after replacing the battery I would start monitoring the processor's temperature, as I have seen overheating cause this issue before.

There are many tools available for this. Below are some I have used before.
http://www.almico.com/speedfan.php
http://www.techpowerup.com/realtemp/

Unless you have any more questions this topic will be closed, as I do not believe the issue relates to malware.
 
Do Not Close Just Yet

The laptop shut down while running the Kaspersky Daily Update.
That was prior to getting your message about the rescue disc.

I plugged in an external USB and for some reason there was an error with that.
So now I'm checking it and it takes awhile as there's a lot on it.

I was able to save the Kasp Rescue ISO to an 8GB USB drive so I will try to run that tonight or tomorrow morning.

So, let me see what happens with the rescue and then we'll know whether to close out or not. Again, I have to ask why spybot identified the TrojanC-05 if there isn't one on my machine? It found the same on PC at my mother's house (she emails me a lot) and she had been having similar issues with hangups and non-working icons, etc...

So keep open please until I check back with you sometime tomorrow.
Thank You.
 
Hi ASB2012,

No problem, I had thought you were referring to updating within the rescue disk. I won't rule out a malware problem just yet.
Again, I have to ask why spybot identified the TrojanC-05 if there isn't one on my machine?
Is Spybot still detecting this trojan?

Let me know how you get on with the rescue disk and if the new battery made any difference.

diver79.
 
Today's items and OTL.txt reports

The new battery and adapter seemed to make some difference. I thought all was lovely, as the laptop stayed on after opening windows normally. So then I still could not run the OTL scan without getting stuck on firefox. Also I still could not uninstall firefox. So I went to the external drive and copied earlier versions of the firefox uninstall folder. Was then able to uninstall firefox and run the OTL.exe.
I've attached those two files.
I then tried the rescue you instructed when booting from USB. THEN the laptop cut off after only 3 minutes of the running scan. Tried again and same thing happened.
Then I went to run it in text mode rather than graphic mode. It has been running awhile and is at 41% scanning the C:/ drive. However, I don't know how to make it give a report even though I did read the command line syntax, I'm not a laptop programmer!
Please take a look at the attached OTL reports and let me know if there is anything obvious.
I will be back after the rescue finishes (or stops).
I also noticed that on the external drive there is a file named rescuecd.iso dated 7-16-11 which is just after I had the new hard drive installed. Is there anything I can do with this file? I also have a folder called Kaspersky Restore Utility dated 10-11-11. also a file called BOOKSECT.bak from 6-22-11.
Thank You!
View attachment 9333

View attachment 9334
 
Kaspersky rescue ?

The scan via text mode finished 100% scanning C:/ though then I didn't know how to get any report. When I tried typing in command line, it started before I finished typing, so ....
I rebooted windows normally and will try running spybot to see if the TrojanC-05 shows up again.
 
Hi ASB2012,

The files on the external drive all relate to the rescue CD.

Did the command line scan give you any on screen results, did it find anything?

Also, has there been any previous infections on this machine (other than what Spybot now detects)?

I want to have a look at the status of your hard disk.

Check Hard Disk For Errors
Open an Elevated Command Prompt

You will be switching between command prompt and browser windows.

  1. Press the Start button.
  2. In the Start Menu search box area type:
    cmd
  3. Right click on cmd.exe (at top of the menu)... click on Run As Administrator.
    A black screen will open. You should see the elevated command prompt open to C:\Windows\System32
    Leave it open...
  4. Go back to your browser.

    On the Browser screen
  5. Copy the following command line (including the quotes):
    chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
  6. Go back to the open (black screen) command prompt.

    At the Command Prompt window.
  7. Right click on the window title "Administrator Command Prompt" area. A menu will appear.
  8. Select Edit... then choose Paste. You should see the chkdsk command string you copied, in the black window.
  9. Press Enter ... Chkdsk will now start checking your hard drive. DO NOT CLOSE the Command Prompt window!
    The Chkdsk process can take a while, depending on the size of your hard drive.
    A file named checkhd.txt will appear on your desktop while Chkdsk is running.
  10. When your hard drive light stop flashing constantly... Open the checkhd.txt file.
    You should see totals of bytes on the drive, bytes in files...etc. If you do not see these totals, Chkdsk is still running, close the file, wait a little longer.
  11. Please post the contents of the checkhd.txt file, in your next reply.
 
Did anything show up on the OTL files I had attached earlier?
I haven't had any other problems with this laptop since I had the harddrive replaced. I believe the original harddrive was hacked and copied on 5-25-11 and so I shutdown the laptop until I took it in and had the harddrive totally replaced in June 2011. Have not had any issues since then ... not until around March 12 as I said at beginning of this entire post when I updated firefox, windows, etc., and spybot found the TrojanC-05.
I was able to run spybot last night and it did not find anything this time.

Is there something in the string you posted that is wrong and making that not run? An extra space or something?

Followed your instructions. However, when I cut & pasted that command line into the black box and hit 'enter' all I got was a blinking cursor. Nothing else would happen. Tried several times.

So then I typed CHKDSK after the C:\Windows\System32> prompt and the chkdsk started running and placed the checkhd.txt on the desktop. However, this file didn't contain all that was listed in the black box so I copied and pasted that in a file called CHKDSK.txt and have attached both. The CHKDSK said that there were issues and I needed to run CHKDSK with /F but could only schedule that to run at restart, which I did.
Restarted laptop and this program ran but then disappeared before I could read anything and I didn't know how to get a report before the laptop started up.

View attachment 9339

View attachment 9340
 
Hi ASB2012,

There are a few items that need removing from the OTL log but I do not think they would cause the issue you are having.
The chkdsk scan does not show a significant problem with the Hard drive. The error it finds is a known issue with Windows Vista. See here for more info.

I will run a fix with OTL to get rid of some files and then I want you to upload a file for analysis.

Create a System Restore Point
  • Right-click on the Computer icon and select Properties.
  • In the left pane under Tasks ... click on System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  • Select the System Protection tab ...then choose Create.
  • In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  • Click OK ...then close the System Restore dialog.
Please leave the System Restore function "turned on" until we are finished and I give you the 'all clean' sign.
If you have successfully created a System Restore Point...we can proceed.


Run OTL Script
We need to run an OTL Fix
  • Right-click OTL.exe and select Run as Administrator.
  • Copy and Paste the following code into the custom fix textbox. Do not include the word Code
    Code:
    :processes
    killallprocesses
    :otl
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2724386
    IE - HKCU\..\URLSearchHook: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - No CLSID value found
    IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2724386
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - No CLSID value found.
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
    :commands
    [CREATERESTOREPOINT]
    [REBOOT]
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Online Antivirus file scan
Upload file(s) to VirusTotal (VT) for an online scan. Click here.
  • Click on the Browse button or the white box beside it. A File Upload prompt will open.
  • Copy and paste the following file and its path to upload:
    Code:
    c:\windows\system32\plasrv.exe
  • Press Open, then Send file. The file will be uploaded for testing.
  • If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
  • Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
  • Post the results in your next response.

Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti or VirScan (VS) with similar steps.

A result from either one of the above scanners would be sufficient.
 
OTL and Online Scan

When browsing for the plasrv.exe file I got the message that "File not found" but when I went to My Computer to the windows system 32 folder I could see it. In order to scan the plasrv.exe file I had to copy it to the desktop and put that location in the browse window of the online scan. It seems that the tech who reinstalled my operating system gave full permissions ONLY to "Trusted Installer" and that all others (System, Administrators, Users) only have permissions to "read" and "read and execute" on all these files that I need in order to do any type of restore, repair, etc. I've never had anyone do that to me before!

Attached are the log/txt files for your latest requests.

View attachment 9342

View attachment 9343

View attachment 9344
 
The C:\Windows\System32 and \SysWOW64 folders are full of files but is there any reason why the C:\Windows\System folder is empty?
Seemed Odd.

What would be the name of the file used to Repair at Startup? Perhaps there is one somewhere but I cannot locate because it is once again locked to all but a trusted installer.

Thanks
 
Hi ASB2012,

Has there been any change in the PC's behaviour since running the fix? You seem to be able to run some scans in normal mode now, is this correct?

The C:\Windows\System32 and \SysWOW64 folders are full of files but is there any reason why the C:\Windows\System folder is empty?
It is normal for C:\Windows\System to be empty, it is there so that older programs that reference this location can be redirected to the new C:\Windows\SYSWOW64 folder.
What would be the name of the file used to Repair at Startup?
recdisc.exe is the executable to launch the startup repair disk creator. Is this what you are referring to?


The permissions issue is suspicious alright, the following tool will look for files with modified permissions which may help.

Please download Junction.zip and save it to your desktop.

  • Right click Junction.zip and choose extract all...
  • When the Compressed Folders Extraction wizard opens, click Next
  • Click Browse
  • When the "select a destination" box opens, click My Computer > Local Disk (C) > Windows > OK
  • Back at the Extraction Wizard, click Next.
  • Untick "Show Extracted Files" and click Finish
  • Copy all text in the code box (below) to Notepad. Do not include the word Code:
    Code:
    @ECHO OFF
    cd c:\
    junction -s c:\>log.txt
    start log.txt
    del %0
  • Save it to your desktop as File name: junc.bat
  • Save as type: All Files.
    You should see junc.bat on your desktop.
  • Right click on junc.bat and select " Run as administrator " to execute it.
  • A black CMD window will flash, then disappear...this is normal.
  • A file should appear on your Desktop. Please post the contents of this file.
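As an added example, not the thread's own code and not the Junction tool diver79 links, here is a PowerShell audit of the permissions question ASB2012 keeps running into: it lists files under System32 whose owner is not TrustedInstaller, or where some other principal has been granted write-level rights, since both are departures from the Vista default the thread describes. It assumes an elevated PowerShell session; $Root and $Report are parameters of this script only.

```powershell
# Added example: audit $Root for ACL deviations from the Vista/7 default
# (TrustedInstaller owns the file; everyone else has Read & Execute only).
# Assumption: run from an elevated PowerShell prompt.
param(
    [string]$Root   = "$env:SystemRoot\System32",
    [string]$Report = "$env:USERPROFILE\Desktop\system32-acl-audit.csv"
)

$ti = 'NT SERVICE\TrustedInstaller'

# Rights that exceed Read & Execute on a file. Any Allow entry for a principal
# other than TrustedInstaller that carries one of these bits is reported.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

# FullControl is the highest specific-rights value; entries outside this range
# use generic rights (GENERIC_ALL etc.), which -band would miss, so flag those too.
$maxSpecific = [int][System.Security.AccessControl.FileSystemRights]::FullControl

$findings = foreach ($file in Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { continue }

    if ($acl.Owner -ne $ti) {
        [pscustomobject]@{ File = $file.FullName; Issue = 'Owner'; Principal = $acl.Owner; Rights = '' }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -eq $ti) { continue }

        $raw = [int]$ace.FileSystemRights
        if ($raw -lt 0 -or $raw -gt $maxSpecific) {
            [pscustomobject]@{ File = $file.FullName; Issue = 'GenericRights'; Principal = $ace.IdentityReference.Value; Rights = $raw }
        }
        elseif (($raw -band [int]$writeMask) -ne 0) {
            [pscustomobject]@{ File = $file.FullName; Issue = 'WriteAccess'; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights.ToString() }
        }
    }
}

$findings | Export-Csv -LiteralPath $Report -NoTypeInformation
'{0} finding(s) written to {1}' -f @($findings).Count, $Report
```

An empty report means System32 matches the default the thread describes (TrustedInstaller as owner, everyone else read-only), which is the expected, not the suspicious, state.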
 
Everything is SLOW

Will check back with you as soon as I get this one done.
I checked the Kaspersky log for March 12th and there were a TON of "allowed" banners regarding Facebook Add-ons and such although I don't even use facebook. This was about the time that Mozilla said I needed to update. I've deleted Firefox.
Thought things were better as the laptop at least stays on when starting windows normally.
However, yesterday and today, EVERYTHING is extremely slow again, especially IE (I'm running IE7 as I don't trust the new ones they keep coming up with) just as it was when all of this started in middle of march. Takes forever to open tabs in IE, or items on desktop, forever to close anything.

Also, I tried to run Kaspersky Back-Up and it stopped after 19.8GB (out of 76 or so) indicating "Write Error".

Will try and run this one you've indicated.

BTW, I checked Microsoft and many forums and read that many of the system files in Vista are given "trusted installer" permissions by default in order to keep users from messing them up. You have to jump through hoops in order to 'take ownership' of one of these files.

And yes, the restore.exe is what I want to get at but it has 'trusted installer' permissions. If I copy the file to desktop it shows 'full control' for system, administrator, etc, but when you click on it it still will not run.
 