139d2e78.exe again

Started by PeterJ, June 19, 2013, 02:39:33 PM


PeterJ

Bad news I'm afraid.

I deleted all recent tools and logs, did a disk clean, created a new restore point and deleted the old ones, and finally did a defrag. Then I followed the instructions on the Microsoft website, created a new account for myself and then tried

3.Locate the C:\Documents and Settings\Old_Username folder, where C is the drive on which Windows XP is installed, and Old_Username is the name of the profile you want to copy user data from.

...and the response was "C:\Documents and Settings\Pete is not accessible. Access denied"!
There seems, then, to be no way to get at the files in my old account (although 'Properties' says there are no files or folders in my profile anyway). Is this the end of the road?

Pete

Corrine

See if this helps:  "Access is Denied" error message when you try to open a folder.

An alternate option to try is a very nice recovery Linux LiveCD called Trinity Rescue Kit.  It can be used to retrieve files from dead/dying/infected computers, and to also do some virus scanning as well as removing passwords, etc.  You can get it from here:  Trinity Rescue Kit.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

PeterJ

Hi Corrine. I tried your 1st suggestion - and it worked!! I can now see my docs again. (Which is a big relief. I didn't tell you this before but I lost my backup copies when I was trying to create a boot disk a couple of days ago and inserted the wrong USB stick and wiped them! Doh.)

The situation now is that using my wife's account (called 'All of us' because the kids used to use it too) I can see in My Computer a folder called "All of us's Documents" and another called "Pete's Documents".

However when I try to access my account/profile called 'Pete' there's no change - I still get the "139d2e78.exe is not recognised..." message and can't get in. Can I delete that account now and create a new one for myself? Can I then transfer "Pete's Documents" into it?

Pete

Corrine

Yipes, Pete!  I can just about imagine what you yelled at the computer when you used the wrong USB stick. 

I thought you already created the new account for yourself?  It is from that new account that you want to follow the Microsoft instructions to copy the files and folders (except the 3 listed in the Microsoft instructions) from "Pete's Documents" over to your new account.  After you have completed that and are certain you have all the files copied over and a new backup to replace the backup you lost, then you can delete the old account.  I wouldn't advise deleting the old account before that.



PeterJ

Oops, I forgot to go back to 'How to copy data from a corrupted user profile to a new profile in Windows XP' after getting past the 'Access is denied' problem.

OK, I've now created a new User profile called 'Pete2'  but get stuck at "6.Locate the C:\Documents and Settings\New_Username folder, where C is the drive on which Windows XP is installed, and New_Username is the name of the user profile that you created in the "Create a New User Profile" section."

I can't see 'Pete2'  in Windows Explorer C:\Documents and Settings, even after restart. (But it does show as an option on the welcome screen on starting up.)

I can see the 'All of us' profile, and 'Pete' (my corrupt one ) and also  'All Users' and 'Default User' and 'TEMP.PETER'
(also NetworkService and LocalService).  Pete2 doesn't show up after a restart either.

One other thing - I can't see a file called  'ntuser.ini' in 'Pete'.   I see
ntuser (DAT file according to Properties)
ntuser (Configuration settings according to Properties)
ntuser.bak
ntuser.dat (text file)
ntuser.tmp


Corrine

When logged in as "All of us", did you show hidden folders?

Quote: In Windows Explorer, click Tools, click Folder Options, click the View tab, click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.



PeterJ

Yes, and I just tried it again but nothing's changed.

Pete

Corrine

Hi, Pete.

I'm not ignoring you -- I'm looking to find out what the problem is.  I'm also wondering where the "TEMP.PETER" came from.  If I don't find anything, you may need to try Trinity Rescue in order to see if it can find your files so you can back them up.



PeterJ

That's OK Corrine. I thought that might be the case.

There's been some progress in that I can now see Pete2 in C:\Documents and Settings   (Perhaps because on start up this time I actually logged into Pete2 for the first time?)

I have copied across all the files and folders from Pete according to the MS instructions.  However if I log in to Pete2 none of it seems to have much effect.   None of my personalised Desktop folders or IE Favourites for example.  And the My Documents folder only contains My Music and My Pictures folders and both are empty.

Oh, and TEMP.PETE is still showing in C:\Documents and Settings.

Looking on the bright side, I can access my personal docs now, which is very useful because I'm doing a job application and need to refer to my CV and previous applications I've written - something that was not possible a few days ago (since I wiped my backup :D )

I'm sorry this is turning into such a marathon. I'm so grateful for your patience and perseverance.

Pete



Corrine

Hi, Pete.

I've asked the team if anyone has any suggestions or sees something we are missing.



PeterJ

Hi Corrine.
Do you or any of your colleagues have any further suggestions?
Maybe I should try again to move my docs across to my new profile?

Pete

Corrine

Hi, Pete.  Yes, we've been having a discussion behind the scenes.

1.  A main concern is that you were not able to do a boot scan (e.g. Windows Defender Offline).  I take it you reviewed the Windows Defender Offline: frequently asked questions.  The reason I ask is because there is another boot scan option (Hitman Pro) which has also had some success but if you couldn't run either of the other two options, it seems a waste of time to put you through that exercise, unless you're willing to give it a go.

2.  We have seen where Emsisoft has been successful lately.  It can't hurt to give it a try:

Download and save the Emsisoft Anti-Malware setup program to your desktop from here:  http://www.emsisoft.com/en/software/antimalware/download/

Note:  This is a large file so please be patient.  After the download has been completed, please do the following:

  • Double-click on the EmsisoftAntiMalwareSetup.exe icon to start the program. If Windows Smart Screen issues an alert, please allow it to run anyway.
  • If there is an alert about safe mode, please click on the Yes button to continue.  Select the language you wish to use and press the OK button.
  • On the "Licensing" screen, select the "Freeware mode" link located below the "I have a license" box.
  • Make any selections you wish on the screen about Emsisoft's Anti-Malware network and click Next.
  • Be patient while the definitions are updated.
  • Click on the Clean computer now button.
  • When a screen is displayed asking what type of scan you would like to perform, select the Deep Scan option and then click on the Scan button.
  • Please be patient while Emsisoft Anti-Malware scans your computer as this will take some time.
  • When the scan has finished, click on the Quarantine Selected Objects button.
  • Restart your computer into the normal Windows mode.

3.  I also provided the option of the Trinity Rescue Kit which can be used to retrieve files from dead/dying/infected computers, and to also do some virus scanning as well as removing passwords, etc.  It is available from here:  Trinity Rescue Kit.

4.  Since you can now access your files, it was suggested that you simply copy them to a CD or large memory stick, then delete all accounts relating to Pete. Reboot, defrag and then create a new account. Once the new account is established, copy the files back off the CD/memory stick.  You could do that or simply try again to move your documents to your new profile.



PeterJ

Thanks Corrine.

I copied all the docs in C:\Documents and Settings\Pete to a USB stick, and from there into C:\Documents and Settings\Pete2.  Most went across OK this time, except for Nethood, Printhood, Privacie, Recent and Send to.  However, the great news is I do now have a new account that works!!

I then, for added reassurance, ran Emsisoft Anti-Malware with the following results. One of these items is described as a "Trojan Downloader". Maybe that's the one that's caused all the problems?

Pete

Emsisoft Anti-Malware - Version 7.0
quarantine log

Date   Source   Event   Behavior/Infection
02/07/2013 02:00:03   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 02:00:10   Value: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH -> LASTOPENFILEDIR   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 01:59:55   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1005\SOFTWARE\NOADWARE3   Moved to quarantine   Trace.Registry.NoAdware (A)
02/07/2013 02:00:10   Value: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH -> LASTOPENFILEDIR   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 02:00:03   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 01:59:55   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1005\SOFTWARE\NOADWARE3   Moved to quarantine   Trace.Registry.NoAdware (A)
02/07/2013 01:59:38   C:\Program Files\LimeWire\riding j sean.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:29   C:\Program Files\LimeWire\my boy lollipop.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:20   C:\Program Files\LimeWire\mrs robinson siomin garfunkel.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:12   C:\Program Files\LimeWire\eez wizz pulp.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:03   C:\Program Files\LimeWire\Bob Dylan - Romance In Durango.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:58:54   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\48\625f7870-72308af9   Moved to quarantine   Exploit.Java.CVE-2012-1723.M (B)
02/07/2013 01:58:46   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\60\13661cfc-717411a9   Moved to quarantine   Exploit.Java.CVE.H (B)
02/07/2013 01:58:38   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\61\2f7f79fd-2ec4292c   Moved to quarantine   Trojan.Downloader.Java.OpenConnection.AU (B)
02/07/2013 01:58:30   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\8\28b67fc8-180bfb0f   Moved to quarantine   Exploit.JPEJ (B)
02/07/2013 01:58:20   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\61\3b660cfd-3cb64e66   Moved to quarantine   Exploit.JPEJ (B)

Corrine

Hi, Pete. 

The "trojan downloader" Emsisoft found was in the recycle bin.  The other files that were quarantined were older files from what appears to be infected files your children downloaded using Limewire, which appears to have been removed from your computer since it hasn't shown up in the logs until now.  If I've missed it and it is still installed, I strongly advise removing it!

It appears as though you are good to go.  Good luck with the job application and don't forget to add a link to the Basing House blog to our thread in the Lounge!

Please refer to the Safe Computing Practices and other recommendations in this updated copy of "So how did I get infected in the first place?".


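The reading of the quarantine log given in the reply above (the downloader sat in the recycle bin, the other files in the LimeWire folder) can be reproduced by grouping the rows by where each item was found. This is an added example, not part of the original thread and not an Emsisoft tool; the function names are hypothetical, and it assumes the columns are separated by two or more spaces, as in the log as pasted.

```python
import re
from collections import defaultdict

# Rows copied from the quarantine log posted in this thread, including one
# of its repeated rows. Assumption: columns are separated by 2+ spaces.
SAMPLE_LOG = r"""
Date   Source   Event   Behavior/Infection
02/07/2013 02:00:03   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 02:00:03   Key: HKEY_USERS\S-1-5-21-1757981266-299502267-725345543-1003\SOFTWARE\IMESH   Moved to quarantine   Trace.Registry.IMesh (A)
02/07/2013 01:59:29   C:\Program Files\LimeWire\my boy lollipop.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:59:12   C:\Program Files\LimeWire\eez wizz pulp.mp3   Moved to quarantine   Trojan.Wimad.Gen.1 (B)
02/07/2013 01:58:54   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\48\625f7870-72308af9   Moved to quarantine   Exploit.Java.CVE-2012-1723.M (B)
02/07/2013 01:58:38   C:\RECYCLER\S-1-5-21-1757981266-299502267-725345543-1005\Dc20\Sun\Java\Deployment\cache\6.0\61\2f7f79fd-2ec4292c   Moved to quarantine   Trojan.Downloader.Java.OpenConnection.AU (B)
"""

TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")

def parse_rows(text):
    """Yield unique (source, detection) pairs; skip header, blanks, repeats."""
    seen = set()
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 4 or not TIMESTAMP.match(cols[0]):
            continue
        key = (cols[1], cols[3])
        if key not in seen:
            seen.add(key)
            yield key

def location(source):
    """Bucket a Source column value by where the item lived on disk."""
    s = source.upper()
    if s.startswith(("KEY:", "VALUE:")):
        return "registry trace"
    if re.match(r"^[A-Z]:\\RECYCLER\\", s):   # Windows XP recycle bin
        return "recycle bin"
    if "\\LIMEWIRE\\" in s:
        return "LimeWire folder"
    return "other"

def triage(text):
    """Return {location: {detection name: number of distinct items}}."""
    out = defaultdict(lambda: defaultdict(int))
    for source, detection in parse_rows(text):
        out[location(source)][detection] += 1
    return {loc: dict(found) for loc, found in out.items()}

if __name__ == "__main__":
    for loc, found in triage(SAMPLE_LOG).items():
        print(loc, found)
```
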

PeterJ

Thank you so much Corrine. I don't know what I'd have done without your excellent advice.

One thing I am determined to do after this experience is get a proper backup system in place. If you know of a good inexpensive or free one then please let me know.

Best wishes,

Pete  (one VERY satisfied customer!)