
CD Rom won't start



#166
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts
I can't think of a reason for it only searching the Windows folder.

Go back to folder view and remove the tick from "Hidden files and folders"...apply the change and search the E: drive again for boot.ini. In discussing this with other techs, this suggestion has appeared to work.

When you took ownership of the files, did you select the option to include all subdirectories (folders)?
  • 0



#167
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
When you took ownership of the files what is this? i don't know what that means...sorry

ok, when you say 'remove the tick' what you mean is uncheck the 'hidden files to seen files'? so now you want them back to hidden, correct? or do you want them to be seen? i'm getting confused, because right now we click the View tab to make hidden files seen files (or whatever the proper language is).
  • 0

#168
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts
Yes, we want to hide them and then search for boot.ini again.

In this post I suggested that you take ownership of the files and provided a link to the Microsoft instructions for doing this. Did you ever actually take ownership?

Edited by wannabe1, 09 December 2006 - 06:47 PM.

  • 0

#169
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts
Sorry...forgot the link... :whistling:

This Post
  • 0

#170
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
uuummmmm...no

i just read the article now, don't yell at me!

i don't understand it, do i have to go into Safe Mode to do this and i don't understand Administrative stuff.

To take ownership of a file, follow these steps:
1. Right-click the file that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click Administrator, or click the Administrators group, and then click OK.

The administrator or the Administrators group now owns the file. To change the permissions on the files and folders under this folder, go to step 5.
5. Click Add.
6. In the Enter the object names to select (examples) list, type the user or group account that you want to give access to the file. For example, type Administrator.
7. Click OK.
8. In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
9. When you are finished assigning permissions, click OK.

i tried this on the Dede file and there is no tab called Security, there is only General, Sharing and Customize.
and is the Dede file the only one i need to 'take ownership' of, because since we can see hidden files, there is now a file called Default User...do i "need to take ownership" of that as well, or just the files that i am denied access to?

don't hate me, i still appreciate your help...........susan :whistling:
  • 0

#171
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
hi wannabe1,

i don't mean to sound ungrateful...but i'm quickly going downhill here (i'm getting sicker)...i think it might be the flu, not sure....

but if you could post instructions on how to do that 'take ownership' thing, i have to go lay down now (or i think i'll die) but i promise to come back after resting some and do whatever you tell me to do...

just can't even type right now...everything hurts. and i can't sit here anymore, i need my bed....

many many many thanks.

sickly sue
  • 0

#172
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts
Print the Microsoft instructions out as you will not have internet access while in Safe Mode.

You'll need to do this in safe mode to have the "Security" tab in the properties window. We can do this as many times as we need to, but let's start with the original target...the Dede folder. When you do this, there will be a checkbox in the dialog window to "Include all subdirectories"...be sure this is checked so that we get all the files.

To boot into Safe Mode, restart the machine and begin tapping on the F8 key. You will get a menu of advanced boot options. Use the arrow keys to select "Safe Mode" and press "Enter"...it will load some files and then take you to Safe Mode (click yes to the window telling you you're in Safe Mode). Sign in to the Administrator account...if you are asked for a password, just press "Enter".

Then take ownership of the files you want to recover following the Microsoft article. If we can recover the data, we can get a little tougher on the laptop drive and try to fire it up.

Not having ownership of those files was most likely the whole reason we couldn't recover them.
  • 0

#173
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
"if i am asked a password"...does this mean my daughter's password? because she gave it to me, so i do know it....or should i just press enter....just got up from resting for a min. and thought i'd ask before i do! i think it's just late and i ran around too much and now i'm paying for it...i just feel so bad (for me and you!)
thanks!

will copy the info, know how to use safe mode and knew i'd have to print instructions...will do later, i think..
  • 0

#174
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts
Just press "Enter" unless you have set an Admin password...you'd know if you have.

Did you have any luck finding the boot.ini file after hiding it again? You won't be able to see it, but search should find it.

Take your time, Susan. I'm here everyday...we can do just a little at a time and still get the job done. :whistling:
  • 0

#175
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
no...no file after i made them hidden...sorry

will do the safe mode "takeover" or whatever it's called in 'bout an hour...my son's been using the computer, so i'll go rest some more. i'll post whatever happens and hopefully be up early to follow further instructions...but Sundays are football days and i must watch my New England Patriots beat the Miami Dolphins!!!!!!!!!!!!!!!!

i'll post.

susan
  • 0



#176
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts
I'm starting to think that missing boot.ini file is the problem. Work at taking ownership of the files and then we'll see if we can put a boot.ini on there.

We may be able to start the laptop or at least get it to recognize the operating system once we do that.
  • 0

#177
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
I TOOK OWNERSHIP!!! i can now see all the Dede files, yea, hooray!

however, still no boot.ini

only boot.ini.backup (in blue font)

will wait for the next step...which i'm guessing is about the boot.ini....since you mentioned it in your reply. but i'm happy.

susan

ps....those microsoft help articles need to be rewritten 1) because their directions are wrong and 2) so normal non-computer geeks, like me can understand them.
  • 0

#178
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
don't know if this has anything to do with our problems, but just for the heck of it i ran the E drive thru my anti virus program and it found one:

E:\WINDOWS\system32\pjffbbb Win32/Startpage.FZ

when i looked it up on the anti virus page it gave me the following information:

Description

Startpage is a large family of trojans that are used to change a user's Internet Explorer homepage and default search page. Generally, these trojans accomplish this by making changes to the registry and the hosts file. These trojans have been seen in the wild and used by businesses with unethical marketing practices in order to increase the flow of traffic to their web sites.


Method of Infection
Win32.Startpage.FZ is dropped and launched by Win32.DlMersting variants as a randomly named .DLL into the %System% directory. Win32.Startpage.FZ may also drop a local copy of a custom 'Search Page' in the %Temp% directory named sp.html.

It installs itself as a Browser Helper Object by making the following additions to the registry. The filename and CLSID values are random and are used for example only.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}
HKCR\CLSID\{C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}\InProcServer32\(Default)="%System%\knfoba.dll"
HKCR\CLSID\{C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}\InProcServer32\ThreadingModel=Apartment

Win32.Startpage.FZ also installs itself as a permanent pluggable MIME filter; this allows it to display an alternative page of the writer's choice instead of the default 'about:blank' (which normally displays as an empty page):

HKCR\PROTOCOLS\Filter\text/html\CLSID={C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}
HKCR\PROTOCOLS\Filter\text/plain\CLSID={C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}



Payload

Modifies System Settings
Win32.Startpage.FZ makes the following registry modifications:

HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP="about:blank"
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page="about:blank"
HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL=1
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"

HKLM\Software\Microsoft\Internet Explorer\Main\HOMEOldSP="about:blank"
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page="about:blank"
HKLM\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL=1
HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"

One of the following registry modification styles is used (depending on which minor variant of Win32.Startpage.FZ is affecting the machine):

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar=file://%Temp%\sp.html
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page=file://%Temp%\sp.html
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant=file://%Temp%\sp.html

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar=file://%Temp%\sp.html
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page=file://%Temp%\sp.html
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant=file://%Temp%\sp.html

OR

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"

The encoded res:// protocol points to Win32.Startpage.FZ. The above example equates to res://C:\WINDOWS\System32\knfoba.dll/sp.html

Win32.Startpage also checks the 'hosts' file on a user's system to determine if specific domains have been redirected. The exact list varies between each variant, but has been known to include the following domain substrings:

If a redirection is found, it is simply removed by commenting out the appropriate line in the 'hosts' file. The read-only attribute is also set.

Depending on the variant, Win32.Startpage.FZ may also attempt to patch a system API call. By making use of its own simple disassembly engine, it writes directly into wininet.dll to patch the API InternetConnectA. It redirects this API to code within its own DLL.

Some variants may modify the following registry value:

HKCU\software\microsoft\Internet Explorer\Main\Search Bar = res://%Temp%\se.dll/sp.html

so that a search page "sp.html" is displayed in the Internet Explorer search bar.

Some Startpage.FZ variants may also drop the file "se.dll" into the user's %Temp% folder. This file is detected as Win32.Startpage.NS. Please see elsewhere in our encyclopedia for further information on this related trojan.

While CA Antivirus solutions will remove a Startpage infection, they will not restore a user's individual Internet Explorer settings to their pre-infection state (as Internet Explorer settings may vary from user to user).

Analysis by Scott Molenkamp and Paul Taylor


do i have to do anything to fix this...anti virus said it 'cleaned' the virus.

does this have anything to do with her laptop or why the System Config error came up in the first place? or does it even have anything to do with why we can't find the boot.ini????

leaving you with some work to do! see you in the morning, i hope, it's after $am already!

susan
  • 0
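Added example, not part of the original thread or of the anti-virus vendor's write-up: a small Python audit that reads registry lines in the `key\value=data` style quoted in the post above, decodes percent-encoded `res://` targets, flags Internet Explorer search and start-page values that point at a local `res://` or `file://` resource, and links the named DLL back to its COM registration. The sample lines are constructed from the example values in that write-up (which says the filename and CLSID are random); the function names are hypothetical.

```python
import re

# Constructed sample: lines in the "key\value=data" style of the write-up,
# using its example filename and CLSID (stated there to be random).
SAMPLE = r'''
HKCR\CLSID\{C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}\InProcServer32\(Default)="%System%\knfoba.dll"
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page="about:blank"
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page=file://%Temp%\sp.html
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"
'''

HIJACK_VALUES = {"start page", "search bar", "search page", "searchassistant"}
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_pct(s):
    """Decode %XX escapes that map to printable ASCII; %Temp%-style variables are left alone."""
    def repl(m):
        c = int(m.group(1), 16)
        return chr(c) if 0x20 <= c < 0x7F else m.group(0)
    return PCT.sub(repl, s)

def parse(line):
    """Split one line into (key path, value name, data) at the first '='."""
    path, _, data = line.partition("=")
    key, _, name = path.strip().rpartition("\\")
    return key, name, data.strip().strip('"')

def audit(text):
    rows = [parse(l) for l in text.splitlines() if "=" in l]
    # DLL basename -> CLSID for every in-process COM server (the BHO route)
    com_dlls = {d.rsplit("\\", 1)[-1].lower(): k.split("\\")[-2]
                for k, n, d in rows
                if k.lower().endswith("inprocserver32") and n == "(Default)"}
    findings = []
    for key, name, data in rows:
        if name.lower() not in HIJACK_VALUES or "internet explorer" not in key.lower():
            continue
        target = decode_pct(data)
        if target.lower().startswith(("res://", "file://")):
            m = re.search(r"([^\\/]+\.dll)", target, re.I)
            dll = m.group(1).lower() if m else None
            findings.append({"key": key, "value": name,
                             "target": target, "clsid": com_dlls.get(dll)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

A finding whose `clsid` is set means the same DLL is both the search-page target and a registered COM server, so both entries need attention during cleanup.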

#179
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts

I TOOK OWNERSHIP!!! i can now see all the Dede files, yea, hooray!

Great!!!!! Now either get her files moved to your HDD or put them on cd's so we know they are safe.

Download the attached file and save it to your desktop. Right click on it and choose "Extract All". Follow the Wizard and when you are given the opportunity to choose where to extract it to (one of the first few dialog windows), type E: and continue. Should it tell you the file already exists and do you want to replace it with this one, say "Yes".

Do you have the XP cd for your machine?

Once the laptop is running again, you should visit the Malware forum and have the experts there help you clean it up. What you have found so far may only be the tip of the iceberg, but that particular infection shouldn't have caused the boot failure...at least not by itself.

Attached Files


  • 0

#180
Susan9700

Susan9700

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 191 posts
ok, so i have some work ahead of me, which i can do while watching the football game. i also need to save her pictures too, not just her documents and i can see why she was overreacting...her whole portfolio is on this laptop.

don't know a thing about virus, i just let my anti virus program stop them, find them and clean/quarantine them. you think i'm bad here, wait till they see me in the malware forum!

plus i think we'll be fixing my computer after all this..a black screen came up last night, after i came out of Safe Mode and said something like 'there's something wrong with your hard drive, contact mfg. press enter to continue' and i did and i can get on, but i didn't have the note before.

will do on the zip file. working on 4 hrs sleep and still sick.

i'll post back later when all is done. you want me to copy all her files that she wants, in the event that we don't get this up and running/or lose data along the way, correct?

thank you.

susan
  • 0
