From: buttcrack of the midwest Insane since: Oct 2000
posted 10-08-2007 02:46
The situation:
AVG (updated today) ran this morning, found a Trojan installer and deleted it, but didn't finish the scan. When it tries to finish the scan, it gets to a temporary internet folder and freezes at a file called 5.jpg.
I ran Adaware (updated today), which didn't seem to notice this file, and Spybot, which freezes at the same point.
When you navigate to the folder containing said file and try to open it, "explorer has generated errors and will shut down..." Reboot in safe mode, same result. Run a search for the file (Start>>Search) and it generates errors and shuts down.
I've deleted cookies and temporary internet files (although these folders seem to have been skipped). If you try to delete the entire folder, it warns you that it's a system file and asks if you're sure, then generates errors and shuts down.
I'm running Win2000 Pro SP2 on its own partition.
Question :
Is there a way to get rid of this piece of Sh*t without a format ?
It's not uncommon to find crap in the temp internet folder...usually it's harmless.
If you want to delete the folder shut down explorer.exe from the process tab (alt ctrl delete).
Next go to the command prompt, navigate to the folder and delete it.
restart explorer or reboot
Ok, this is what i would try.
1. Ctrl Alt Del, Windows Task Manager, Processes, explorer.exe, end process
2. From Task Manager, File New Task, type CMD to get to the command prompt
3. A CMD window will open (it might be hidden behind the task manager)
4. You should be at the documents and settings prompt - type CD Local settings
5. type CD temporary internet files - here you can delete the suspected trojan
or go up one level and remove the folder.
6. from Task Manager, File New Task, type explorer to restart explorer or reboot.
Not sure if that helps?
edit: note - you can access the CMD prompt from the Run command, but for files that resist deletion you need to shut down explorer first, hence the steps above. Good luck.
Bob:
Do a test run without closing explorer. Select RUN from the win 2000 start menu and type CMD.
You should see something like the pic below. From there type CD local settings (not case sensitive). My user name is set to "Y" - yours will be different obviously.
edit: rereading your post, I doubt deleting any files in the temp internet folder will fix the problem. It seems the system is compromised - I would try to find another spyware remover (even an online scan) or download a trial version of Norton AV or whatever and see if you can clean the trojan out. Do you know the name of the trojan? If so, there might be free cleaners out there.
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-08-2007 19:37
'Documents' is not recognised as an internal or external command, operable program or batch file.
I searched for removers, and tried Spyware Terminator and SpyHunter (which claims to be a Trojan/spyware/malware remover) and got no results.
No. I don't know what it is called, only that the scans all freeze at the file called 5.jpg.
Which version of windows are you running? That will make a difference in the way the cd command works for folders with spaces in them.
Also, can you give us the exact path to the file 5.jpg? For example, it might be in the path
code:
C:\Documents and Settings\DocileBob\Local Settings\Temporary Internet Files\5.jpg
If that is where it is type
code:
cd \Documents and Settings\DocileBob\Local Settings\Temporary Internet Files
Then type 'dir 5.jpg'
If you can do that you should be able to remove the file with 'del 5.jpg'.
However, I suspect that 5.jpg is not the file causing the problem. If it is the last file you see listed when you are doing the virus scan, it is probably the next file in the list that is causing the problem.
You might try reading this thread. They mention a program called Move On Boot that you might try to see if you can delete all the files in the folder when you boot.
You also might want to download HiJack This and run it to see if it shows any nasties on your system. I'm not really good at reading the output from HiJack This, but I'll try to help if I can and I seem to remember there are others here who are very good with it. There is an option in HiJack this to delete a file at the next reboot so you might not need the link to Move on Boot.
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-08-2007 23:40
SleepingWolf: I typed it like your example..
<edit> The selection in red was all that was there when the prompt opened.</edit>
hyperbole: The system is Win 2K Pro SP2. I have a log file from HiJackThis...see below.
I forgot to mention in the original post I also ran chkdsk, and it stopped at the same file.
Right click>>Explore also shuts down Explorer. Selecting the folder to delete it also shuts down explorer.
Logfile of HijackThis v1.99.1
Scan saved at 4:36:41 PM, on 10/8/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Bob:
I apologize, I should have asked you to screenshot a DIR (Directory listing) from the c prompt.
Please try doing this one level at a time.
1. From the c prompt, type DIR
c:\> DIR
This will list all the files and folders at the root of your C drive/partition.
2. Now Look for something that looks like "Documents and Settings"
if you find it, type: c:\> CD Documents and Settings
this will list more files and folders...use CD (change directory) to navigate, step by step, to the internet temp folder
if instead of documents and settings, you see Documen~, then type Documen~ instead of the longer string.
the steps should be, if you are user God:
c:\> CD Documents and Settings
c:\> DIR
c:\> CD God
c:\> DIR
c:\> CD Local Settings
c:\> DIR
c:\> CD Temporary Internet Files
the DIR is not required, just there to make sure your folders don't have funky names. if the names are truncated to 8 characters, use the 8 character name instead..AFAIK win 2000 supports long file names.
hope that works.
as for the hijack log file - you are running an incredibly high number of processes at startup - not a good thing. you will need to scroll yourself through the list to see any item you don't recognize as having installed.
once you do, google the item name to see if it is a trojan. the problem with hijack this is that trojans don't identify themselves as "i'm a trojan.exe"
i looked at the log and nothing looks fishy - but a good trojan buries itself very deep.
The folder is probably hidden by default - you can make it visible from CMD but it will be easier to do from Folder View Options Show hidden files.....
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-09-2007 00:58
Already done. Image is still uploading at time of posting.
It does sound like a lot of processes, but my CPU usage usually runs between 2 and 7% (unless an app is demanding a big pull). Is that out of the ordinary?
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-09-2007 03:15
OK. When I get all the way to the offending folder and try to get a DIR, the Command Prompt closes.
When I go through it all again and, from a DIR in the Content.IE5 folder, try to delete the entire offending folder, the Command Prompt closes.
I'm starting to wonder if you have a bad sector on your disk.
Another option I would try if it were my hard drive is to download and burn a Linux Live CD and see if I could locate the problem from within Linux. The Live CD will boot to Linux from the CD without installing it to your hard drive, and will give you a way to look at the disk without starting Windows.
As you can tell, I'm starting to run out of ideas and hope that one of the other tech-people here will jump in with an idea.
Place the CD in the drive, with the boot order set to check the CD before your hard disk.
let the livecd boot up - if you get a boot: prompt, just hit ENTER
mount the relevant partition (probably something like ntfs-3g /dev/hda /mnt/windows, IIRC - there are little help prompts to hold your hand, and you can always man ntfs-3g)
go to the relevant directory (cd /mnt/windows/, then it should be sort of obvious where you are)
rm -ir fileOrDirectoryYouDontWant
cd && umount /mnt/windows
reboot, and remove CD so it will boot into Windows
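The live-CD steps above, written out as a small POSIX shell script. This is an added example, not code from the thread: it mounts the Windows partition with ntfs-3g and then deletes the stubborn folder, but only after resolving the target's physical path and checking that it really sits under the mount point, so a stray `..` or a junction/symlink cannot make `rm -r` wander onto the live CD's own filesystem. The device name /dev/sda1, the mount point /mnt/windows and the user name Bob are assumptions; check `fdisk -l` for the NTFS partition on your machine.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: the Windows
# partition is /dev/sda1 and is mounted at /mnt/windows; adjust both.
set -u

# Mount the NTFS partition read-write with ntfs-3g (run from the live CD).
# ntfs-3g refuses a partition whose Windows is hibernated; do not force it.
mount_windows() {
    dev=$1; mnt=$2
    mkdir -p "$mnt"
    ntfs-3g "$dev" "$mnt"
}

# Physical path of a directory (follows symlinks; works without realpath).
physical_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# purge_under_mount MOUNT RELATIVE_PATH
# Recursively deletes MOUNT/RELATIVE_PATH, but only when the resolved target
# lies strictly inside MOUNT. Returns 1 and deletes nothing otherwise, e.g.
# for "../something" or a link pointing outside the Windows partition.
purge_under_mount() {
    mnt=$(physical_dir "$1") || return 1
    target="$1/$2"
    [ -e "$target" ] || { echo "no such path: $target" >&2; return 1; }
    if [ -d "$target" ]; then
        resolved=$(physical_dir "$target") || return 1
    else
        parent=$(physical_dir "$(dirname "$target")") || return 1
        resolved="$parent/$(basename "$target")"
    fi
    case "$resolved" in
        "$mnt"/*) ;;
        *) echo "refusing: $resolved is outside $mnt" >&2; return 1 ;;
    esac
    rm -rf -- "$resolved"
}

# Usage from the live CD (paths are assumptions; quote them, they contain spaces):
#   mount_windows /dev/sda1 /mnt/windows
#   purge_under_mount /mnt/windows \
#     "Documents and Settings/Bob/Local Settings/Temporary Internet Files/Content.IE5"
#   cd / && umount /mnt/windows
```

Deleting Content.IE5 as a whole, rather than hunting for 5.jpg, sidesteps the question of which entry in the listing is actually the one that crashes the Windows tools; Internet Explorer recreates the cache folder on its next start. Note that `rm -rf` still fails on a genuinely unreadable sector (you get an I/O error instead of a crash), which is itself a useful diagnostic.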
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-09-2007 18:23
I did get chkdsk to run and it says the disk is OK.
What would happen if I deleted the folder that contains the infected folder ? There is a .dat file in there, would it let me rebuild these folders if I can copy the .dat file, and delete the container ? They are system files, but not ones used to run the OS.
What would happen if I deleted the folder that contains the infected folder ?
Which folder are you thinking of removing? If it is a folder under Temporary Internet Files, it will do no harm at all to delete it. If you're thinking of deleting Temporary Internet Files, I don't think it will hurt anything to delete it. However, if you run Internet Explorer and it doesn't automatically recreate it, you may need to create it by hand.
Other than that there should be no side effects of deleting it.
<after thought>
Of course, deleting all of Temporary Internet Files will remove all your cookies. It will also remove any cached files used by Firefox and Internet Explorer, but this latter is not a real issue.
</after thought>
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-09-2007 19:55
The folder that contains the problem child is called Content.IE5. It contains 5 temp folders named only by alphanumeric strings and a .dat file.
I saved the .dat file, and tried to delete the Content.IE5 folder...
It won't let me do that, either.
<afterthought> I see in my future.....A Clean Install...</afterthought>
Try deleting it with the HiJack This delete on re-boot capability. If that doesn't work look at the link I made above to Move on Boot and see if it will delete it for you.
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-10-2007 01:32
The only thing on the HiJack list are processes and apps.
When I select either of the folders mentioned above, it shuts down Move On Boot. It doesn't even get to the next screen where it asks me what I want to do with them.
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-10-2007 18:03
OK. DL'd SystemRescueCD, burned it, and it doesn't give me the option to boot from CD. When I try to access the CD directly, it says that it's corrupt or unreadable.
I believe I mentioned in the first post that I rebooted in safe mode and got the same results.
You're right. You did. I thought that meant you had tried to use Windows Explorer to delete it in Safe Mode. I was wondering in my latest post if you had tried to use HiJack This or Move On Boot in Safe Mode. However, now that I think about it, if you can't access the file from Windows Explorer in Safe Mode, you would probably get the same result from the other two programs in Safe Mode.
quote: docilebob said:
OK. DL'd SystemRescueCD, burned it, and it doesn't give me the option to boot from CD. When I try to access the CD directly, it says that it's corrupt or unreadable.
You may need to change the settings in your BIOS so that it will look at the CD-ROM drive to see if there is bootable media there before it boots from the hard drive. It seems to me that most computers these days are set up to look at the hard drive first, and oftentimes they are not set up to look at anything else.
Anyway, when you first turn on the computer, look for a message telling you to press Escape, or Delete, or F1 to enter the BIOS setup. Press that key, then change the settings so that the machine will look at the CD-ROM first, before looking at the hard drive for a boot sector.
If you're going to re-install the operating system, you'll need to have the BIOS set to look at the CD-ROM drive first anyway. You can always go back later and re-set it to look at the hard drive first if you want.
If the CD is a Live CD format, Windows won't recognize the file system on the CD and will tell you it's corrupted. That probably doesn't mean anything.
From: buttcrack of the midwest Insane since: Oct 2000
posted 10-10-2007 23:19
It always spins the CD drive up first, if there's a disc in it. It will boot from a Windows CD.
OK, thanks to all for your help. I knew if we got some of these big brains working, at the very least some interesting information would surface. I've learned a lot in the last few days.
I'm off to back some stuff up and do a format, then ~arrrrggg~ reinstall software for a few days.
So you put the livecd in, then rebooted your computer, and it doesn't boot off the livecd?
Just get to your BIOS menu and change boot priority order like the man said. The key's 'F8' on a fair amount of boxes. Just tap 'F8' frequently when the box is rebooting. If that doesn't work, just run your fingers over all the F#/function keys (or the entire keyboard), it's bound to be one of them.
Having read all of that, I would elect the following action; if you haven't got Recovery Console installed, install it now, then boot into it and run a disk check scan:
CHKDSK /P
I have found this often turfs out problems with the file system that are not flagged under Safe Mode (or any other mode scan).
Yeah, as Petskull said, it probably would be better to back up everything you can and then do a clean install.
After you do the clean install, and before you start to copy anything from your backups, use a virus checker to scan the backups to see if anything is infected. Don't copy any infected files back onto the machine.