TrojanC-05 Continual Crash Poweroff

resdisk.exe

the file you mentioned, recdisk.exe yes I tried to get that one too. It also shows permissions for system, admin when copied to desktop but also it will not run when selected.
 
cannot access documents & settings

I was looking for a file and went to
Computer>C:
The documents & settings folder is now a 'shortcut' and when I try to select it it says "access denied"
I looked at properties and there are NO permissions listed at all. I tried to add full control for admin and again, "access denied"
It didn't used to be like this. I used to be able to select the Documents & Settings folder and see all files within.
 
Other files not accessible

In fact, now I see that I'm denied access to:
users>alicia
cookies
local settings
my documents
print hood
recent
send to
start menu
templates
and all these files show a 'shortcut' arrow whereas before it was a regular file icon. I used to be able to go to these files, to 'cookies' for example and delete all cookies. Now I'm denied access?

IDK what is going on with all of this?
 
Try running the junction batch file again. Leave the window open until it finishes scanning. It may take a while.
 
I think that the infection Spybot identified has removed your permissions to various files/folders. Junction will show us what files have been modified so we can fix them. Please do not alter any more files as it will interfere with Junctions findings.

If you cannot get Junction to produce a log, try using the instructions below.

Also, please do not attach the logs I request, paste them into the post.

  • Click Start > All Programs > Accessories > Run
  • Copy and paste the contents of the codebox below into the run box. (Do Not include Code:) Then click OK:
Code:
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt
  • A command window will open and the system will be scanned. (Click Agree to the prompt)
  • Please be patient & wait until a log file opens in notepad.
  • Copy and paste the contents of that file in your next reply.
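Added example (my own code, not the Sysinternals junction tool and not from the thread): a stand-alone Python scan that does what `junction -s` is being used for above, listing every reparse point (symlink, and on Windows junctions as well) beneath a root together with its target, so folders that unexpectedly show a shortcut arrow can be checked against where they point. It assumes only the standard library; `demo_scan()` builds a small constructed tree to show the output shape.

```python
"""List symlinks / junctions under a directory and where they point."""
import os
import stat
import sys
import tempfile

# Windows attribute bit set on junctions and other reparse points (WinAPI docs).
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path):
    """True for a symlink on any OS, or a junction/reparse point on Windows."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # attribute only exists on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def find_reparse_points(root):
    """Return sorted (path, target) pairs for every reparse point under root.

    Reparse-point directories are reported but never descended into, so a
    junction that points back up the tree cannot make the scan loop.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_reparse_point(full):
                try:
                    target = os.readlink(full)  # readlink handles junctions on Windows (3.8+)
                except OSError:
                    target = "<unreadable>"
                found.append((full, target))
        # prune so os.walk does not follow junctions (it only skips symlinks itself)
        dirnames[:] = [d for d in dirnames if not is_reparse_point(os.path.join(dirpath, d))]
    return sorted(found)


def demo_scan():
    """Constructed sample: one real folder plus a 'shortcut arrow' link to it."""
    root = tempfile.mkdtemp(prefix="reparse_demo_")
    real = os.path.join(root, "real")
    os.makedirs(os.path.join(real, "inner"))
    os.symlink(real, os.path.join(root, "link"))
    return [(os.path.relpath(p, root), os.path.basename(t)) for p, t in find_reparse_points(root)]


if __name__ == "__main__":
    for path, target in find_reparse_points(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path} -> {target}")
```

Run it as `python scan.py C:\` (or any root) to get the path-to-target list; the helper's purpose above is to compare that list against the targets the system folders are supposed to have.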
 
Tried again

Will paste into reply from now on. Sorry. Thought some of the logs were so long that I was supposed to attach.

Tried to do as suggested in your post above.
The black box flashed and went away.
There was nothing to "agree" to, just a "run" to select
There's no indication anything is happening. After pasting the string in the run box, and selected "OK" nothing happened
How do I know if the scan is actually running?
 
1050 new emails?

There really is something wrong here, not hardware.
I just hovered over the email icon and noted "you have 1050 new emails" What in the world?
 
Junction Won't Run

I've tried several times.
Black box flashes and goes away.
Cursor just stays at same spot on screen.
No file ever appears on desktop.
 
Windows Defender

I also noted that Windows Defender definition updates were revised/updated on March 12, 2012.
This was about on the day my problems started.
It runs in 'real time' and updates daily. I don't know if it is possible to 'rollback' the WD updates, but would this be something to consider?
 
Hi ASB2012,

You may have contracted the latest version of the TDL rootkit. This infection can only be properly detected by looking at your computer's disk configuration from an external bootable environment.

If this is the infection, we will be able to deal with the other issues once it has been removed.

  • Download and save a copy of the latest Puppy ISO file
  • Download and save a copy of Unetbootin for Windows.
  • Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
  • Launch Unetbootin ....
  • Ensure that Disk Image is selected.
  • Using the browse button ... browse to and select the Puppy ISO file.
  • Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive. (it must not under any circumstances be set to your main drive (C:\))
  • Click OK
  • Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

Next

  • Insert your USB into the computer and Boot into Puppy.
  • When fully booted you should see a Desktop similar to the one below.

Puppy53Desktop.jpg


Next

  • Click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them). In this example SDA is the hard drive and has 3 partitions, SDB is the USB drive that Puppy was loaded from.
Puppy53Drives.jpg


Next

  • Launch GParted Menu > System > GParted partition manager, when launched the following box will open ....
GParted1.jpg


  • Click to select All Drives then click Okay
  • GParted will scan the computer and then display a window similar to this ....

GParted2.jpg



.... and it is this window that I need you to take a screen shot of, so that I can see whether you have a TDL4 infection or not.

To take a screenshot in Puppy ....

With the GParted window open ...

  • Click menu > Graphic > mtPaint-snapshot screen capture
  • A small window will open ....
  • Click Capture Now
  • Click OK
  • The mtPaint program will open ....
  • Click File > Save
  • Double click on ../
  • Double click on mnt/
  • Double click on sdb1/
  • Set File Format to JPEG
  • Enter screenshot1 into the text box
  • Click OK

This will save a file screenshot1.jpeg into the USB drive.

Next

  • Click menu > shutdown > power off computer
  • If prompted to save the session click on No
  • Puppy will now close down.
  • Remove the USB drive and boot into normal Windows.
  • Insert the USB drive again and please post me the screenshot you took whilst in Puppy (you'll have to host it somewhere like Photobucket or Image Shack and post the link).
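Added example (my own code, not part of the thread and not the Puppy or GParted tools): the partition list GParted displays in the step above is derived from the disk's MBR partition table, and this reads one raw 512-byte sector, lists each entry, and reports any sector ranges no partition covers, which is the kind of layout detail a reviewer compares against what Windows itself reports. The 30 GiB disk and its two NTFS partitions are a constructed sample, not values from the thread.

```python
"""Parse an MBR partition table and report uncovered sector ranges."""
import struct
import sys

MBR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector):
    """Return a list of dicts for the non-empty entries in a 512-byte MBR."""
    if len(sector) != MBR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector (bad length or 0x55AA signature)")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3, skipped), type, CHS end (3, skipped), LBA start, sectors
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 and count == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start": start, "end": start + count - 1, "sectors": count})
    return entries


def unallocated(entries, total_sectors):
    """Return (first, last) sector ranges not covered by any entry, in disk order.

    The leading range normally holds the MBR and alignment padding; a trailing
    range is free space (or an area the table does not describe) at the disk end.
    """
    gaps, cursor = [], 0
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def _entry(status, ptype, start, count):
    # CHS fields set to 0xFEFFFF, the usual "use LBA" filler
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)


def build_sample_mbr():
    """Constructed sample: bootable 100 MB NTFS at LBA 2048, then a large NTFS volume."""
    table = _entry(0x80, 0x07, 2048, 204800) + _entry(0x00, 0x07, 206848, 62500000) + b"\x00" * 32
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:  # a raw disk image or (with rights) a block device
        parts = parse_mbr(f.read(MBR_SIZE))
    for p in parts:
        print(p)
```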
 
BOOTMGR is Missing

I followed instructions to the 't'
Changed Boot to USB
When inserted USB and attempted restart I received the message that

BOOTMGR is missing
Press CTRL ALT DEL to restart

When pressed CTRL ALT DEL nothing would happen.

Did it matter what type file the USB was formatted?
Should the empty USB drive be formatted using NTFS, FAT32 or just which?

Thanks
 
Hi,

Good work getting the screenshot! Unfortunately it did not reveal anything that would indicate an infection.

I still think that there are permission errors on the computer. I've tried running the Junction batch file on my computer and it works fine.

It takes a few minutes to produce the log. Can you follow the instructions again and see if you can get it to produce a log.

Junction instructions
 
Tried Junction.

When I paste the string in the box and hit 'enter' the black box immediately flashes and disappears.
The string you supplied which I pasted was

cmd /c junction -s c:\ >log.txt&log.txt&del log.txt

again, it flashes (so quick you cannot read anything on it) and disappears.
 
Can't get this to work

It tells me that there is already a file in the destination directory named eula.txt dated 7-28-2006 and asks if I want to

copy and replace (which is what I did before)
don't copy [no files changed. leave 3-26-12 file in destination folder???]
keep both files [new one will be eula(2).txt]
It also asks the same replace question for the file junction.exe dated 9-7-2010.

Should I hunt for these files and delete them and then download junction fresh?

And as instructed, these files go to Windows folder, and NOT any windows subfolder, is that correct?
 
Yes, delete all existing files and download a fresh copy of junction.
When you extract junction it should go to c:\windows.
 
Search for Eula Files

I did a search for eula.txt and came up with a LOT of them (just searched, didn't change or delete any of them). There are about 65 files assoc with 'eula', some of which are:

eula.txt (type: txt, Opens with Notepad)
C:\Program Files (x86)\MSECache\ExPdfXps\1033
Created: Friday, October 27, 2006, 6:31:08 PM
Modified: Friday, October 27, 2006, 6:31:08 PM
Accessed: Wednesday, March 21, 2012, 5:19:06 PM

Eula.txt
Text Document
Modified: 7/28/2006 9:32 AM
Location: (Archive Root Directory)
Method: Deflated
CRC-32: 46A7FB70
Size 7KB, Compressed 4KB

Eula.txt (Type txt, Opens with Notepad)
Location: C:\Windows
Created: Friday, July 28, 2006, 9:32:44 AM
Modified: Today, March 26, 2012, 44 minutes ago
Accessed: Friday, July 28, 2006, 9:32:44 AM
message says "this file came from another computer and might be
blocked to help protect this computer"

Eula.txt (0 bytes)
Origin: $RISQ38X.zip
Deleted: Today, March 26, 2012, 6:45:31 PM
IDK how this could be. the deleted time is 4 minutes ago and I didn't
delete anything.

Eula.txt (0 byte)
Origin: $RASFTQC.zip
Deleted: Today, March 26, 2012, 6:47:49 PM
IDK how this could be. the deleted time is 2 minutes ago and I didn't
delete anything.


There are a lot of other eula files under various names in the folder:
C:\Users\Alicia\New Folder\Phone SD\mediamove for Lexar Media.app\Contents\Resources\Java\resources\license

And also a lot of this type file:
FL_eula-exp_txt_amd64_[various 3 letter code] 3243236F.....
 