
Combofix indicates "ACCESS DENIED" to certain folders. Now what?


  • This topic is locked
5 replies to this topic

#1 Numenor


Posted 07 August 2013 - 05:30 PM

Ran Combofix recently and received several notifications that access was denied at several stages. Here are the details:
 
 /wow section - STAGE 8
Access is denied.

 /wow section - STAGE 25
Access is denied.

 /wow section - STAGE 50
Access is denied.
SED: can't read temp4601: No such file or directory
Access is denied.

 
Also, Combofix told me that the Netlogon.dll was infected. Here is the detail for that:
 
Infected copy of c:\windows\system32\netlogon.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\netlogon.dll

 
I am NOT a Combofix expert and seek an expert's opinion on what to do to correct the above denied entries. Help would be appreciated...
 
Numenor

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum, due to the inclusion of ComboFix issues in the topic. ~ Animal

 

~ Animal, please tell me which forum you moved my question to? I cannot seem to locate it. It would have been helpful if you simply stated which forum it was moved to... Thanks very much - Numenor


Edited by Numenor, 08 August 2013 - 01:14 PM.



 


#2 Numenor


Posted 14 August 2013 - 04:36 PM

Here is the additional information the administrator needed: (DDS and Attach logs).

 

I have the original Windows CD/DVD




#3 myrti


Posted 15 August 2013 - 06:33 AM

Hi,

Do you have the combofix log? It should be under C:\combofix.txt.

Why did you run ComboFix? Do you think you're infected?

regards
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 Numenor


Posted 15 August 2013 - 11:57 AM

Hi Myrti:

 

The combofix log is attached.

 

Occasionally, I have other users, unfortunately, using this computer. As a rule, I always run a malware and combofix check after another user has been on this computer.

 

As the log will show you, the netlogon.dll file was infected.

 

Other than that, I did not see anything else that seemed to be at odds in the combofix log, other than the fact that it reported the "ACCESS DENIED" entries at the various stages. In the past it has NEVER done that, so some changes have taken place!

 

I have not been able to locate any /WOW (Windows on Windows translator) folder as indicated in the message posted, even after I enable the viewing of system files.

 

I am concerned, that because the access is now denied to combofix, that there is still something lurking on this computer.

 

Any ideas now Myrti?

 

Thanks,

Numenor




#5 myrti


Posted 15 August 2013 - 12:07 PM

Hi,

 

/wow section is an internal message from combofix; it does not imply that CF is looking for a wow section or anything. It's due to a lack of permissions. This can come from running without elevated permissions but also, for example, from antivirus programs blocking the access for combofix. It's not too unusual and it doesn't imply something's wrong with your PC.

 

netlogon.dll was corrupted, but given that it is the only file, it's more likely this was caused by a forced shutdown than malware. To me these logs look clean. But the OS is somewhat disabled.

 

regards

myrti


Edited by myrti, 15 August 2013 - 12:07 PM.
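
The two points in the reply above (a missing elevated token as a cause of "Access is denied", and a single restored system file) can be checked directly. The following PowerShell is an added example, not part of the original thread and not ComboFix's own logic; the function names are hypothetical, and it assumes Windows Vista or later with PowerShell 4.0 or newer.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumes Windows Vista or later and PowerShell 4.0+ (for Get-FileHash).

function Test-IsElevated {
    # True only when the current token carries the Administrators role,
    # i.e. the console was started with "Run as administrator".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SystemFileTriage {
    param(
        # File ComboFix reported as restored; path as quoted in the thread.
        [string]$Path = "$env:SystemRoot\System32\netlogon.dll"
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Elevated        = Test-IsElevated
        Path            = $item.FullName
        FileVersion     = $item.VersionInfo.FileVersion
        LastWriteTime   = $item.LastWriteTime
        # On older PowerShell builds, catalog-signed system files can
        # show NotSigned here; treat sfc below as the authoritative check.
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$triage = Get-SystemFileTriage
$triage | Format-List

if ($triage.Elevated) {
    # Compares the file against the Windows component store; needs elevation.
    sfc.exe "/verifyfile=$($triage.Path)"
} else {
    Write-Warning 'Not elevated: tools that touch protected paths may report "Access is denied".'
}
```

Recording the SHA256 and last-write time before and after a repair gives a simple way to confirm whether the file changed again later.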



#6 myrti


Posted 09 April 2014 - 09:04 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
