Spybot (and others) won't load
Lytspeed
2008-05-23, 21:26
Gurus,
I've been fighting a spyware infection of some kind for the past couple of days, but I cannot run Spybot, HiJack This, or ComboFix on the machine. In addition, Symantec Antivirus has not updated since January. The machine is currently disconnected from the network, and even in Safe Mode, something prevents any of these programs from running.
Task Manager shows a brief bump in processing time for explorer.exe when I attempt to run Spybot, so I suspect that the infected DLL may be one of the many DLLs supporting that process. (Then again, this could just be explorer.exe's normal processing while it attempts to locate the file. Thoughts?)
In regard to Spybot specifically, whatever process monitors the program renames the SpybotSD.exe, SBupdate.exe, and TeaTimer.exe files to random filenames with the extension .SCR and then marks them as hidden. This happens no matter what folder I install to.
Following the suggestions in other messages, I have run the miniremoval_coolwebsearch_smartkiller.exe tool, and it finds no trace of CWS. I have also run the CWSshredder.exe app and the problem still persists. Unfortunately, since I can't run HiJack This, I can't provide a log.
I did run the Webroot Spysweeper evaluation program, which detected "trojan-relayer-highport." I removed that manually.
Any suggestions would be greatly appreciated.
Thanks,
Stace Johnson
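The symptom described above (the three Spybot executables renamed to random .SCR files and marked hidden, in whatever folder Spybot is installed to) is easy to check for mechanically. The following is an added example, not code from the thread or from the Spybot project. It treats "SpybotSD.exe", "SBupdate.exe" and "TeaTimer.exe" missing from the install folder while hidden .SCR files are present as the tell-tale sign; the install path and the sample directory listings are assumptions made up for the example.

```python
"""Check a Spybot install folder for the renamed-and-hidden symptom.

Added example; not from the forum thread. The core check works on a plain
list of (filename, is_hidden) tuples so it can be exercised offline;
scan_directory() builds that list from a real folder using the Windows
hidden attribute (falls back to the dot-file convention elsewhere).
"""
import os

# Executables the first post says were renamed to random .SCR names and hidden.
EXPECTED_EXES = {"spybotsd.exe", "sbupdate.exe", "teatimer.exe"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 FILE_ATTRIBUTE_HIDDEN bit in st_file_attributes


def check_spybot_dir(entries):
    """Evaluate a directory listing.

    entries: iterable of (filename, is_hidden) pairs.
    Returns a dict with the missing executables, the hidden .scr files found,
    and a boolean saying whether the rename-and-hide pattern is present.
    """
    names = {name.lower(): bool(hidden) for name, hidden in entries}
    missing = sorted(EXPECTED_EXES - set(names))
    # A screensaver file has no business in the Spybot folder; a hidden one is
    # exactly what the post describes, whatever random name it was given.
    hidden_scr = sorted(n for n, hidden in names.items()
                        if hidden and n.endswith(".scr"))
    return {
        "missing_executables": missing,
        "hidden_scr_files": hidden_scr,
        "renamed_symptom": bool(missing) and bool(hidden_scr),
    }


def scan_directory(path):
    """Build the (name, hidden) listing from a real folder and check it."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            if not entry.is_file():
                continue
            st = entry.stat()
            # st_file_attributes only exists on Windows; elsewhere use the
            # leading-dot convention so the function still runs for testing.
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")
            entries.append((entry.name, hidden))
    return check_spybot_dir(entries)


# Constructed sample listings (assumptions, not real captures).
CLEAN_LISTING = [
    ("SpybotSD.exe", False), ("SBupdate.exe", False),
    ("TeaTimer.exe", False), ("blindman.exe", False),
]
INFECTED_LISTING = [
    ("blindman.exe", False),
    ("k8d2xq.scr", True), ("p0qz7.scr", True), ("mm4a1b.scr", True),
]

if __name__ == "__main__":
    # Assumed default install path; adjust to the folder Spybot was installed to.
    for label, listing in (("clean", CLEAN_LISTING), ("infected", INFECTED_LISTING)):
        print(label, check_spybot_dir(listing))
    path = r"C:\Program Files\Spybot - Search & Destroy"
    if os.path.isdir(path):
        print(path, scan_directory(path))
```

Run it from the machine being cleaned (or point `scan_directory` at the folder Spybot was installed to); a result with `renamed_symptom` True reproduces the situation the post describes and is a quick way to confirm, after a cleanup attempt, whether the renaming process is still active.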
Hello,
In addition, Symantec Antivirus has not updated since January.
Ouch that's a long time to wait until this point. :p:
Is the network a home one or a business?
Regards. :)
Lytspeed
2008-05-24, 00:07
Hello all,
I've made some progress, and wanted to post back in hope that it will help someone else.
After renaming HiJackThis to "H.exe" I was able to run it and found a few entries that I was concerned about, namely braviax.exe and cru629.dat. I removed them using HJT and restarted in Safe Mode.
Unfortunately, both were still there, so I used HJT's "Remove File on Reboot" option to remove both files from C:\windows\system32\. Restarted in Safe Mode, but files were still in the HJT log. Thinking that Safe Mode may have prevented HJT's removal tool from running, I restarted in normal mode. Braviax was no longer in the log, but did still exist and could not be deleted because it was in use. Marked both files for deletion on reboot while in normal mode and logged in again as same user. This seemed to get rid of both files, but the Spybot renaming process was still alive.
Restarted in Safe Mode, found braviax.exe and cru629.dat in C:\Windows\System32\ in Safe Mode, but was able to delete them this time. braviax.exe and cru629.dat entries were back in the HJT log, so I deleted the entries after deleting the files. Restarted in Safe Mode, files are back and log entries are back. :thud:
Restarted in recovery console, deleted braviax and cru629 files, restarted in Safe Mode. The files are *still* there. :banghead:
Renamed ComboFix.exe to C.exe, tried running it. It said it had expired and deleted itself from the folder. Downloaded latest version of ComboFix, renamed and copied it to infected machine, ran it. It deleted a number of files (including braviax.exe and cru629.dat), restarted the machine, and generated a log. Braviax and cru629 nowhere to be found in C:\windows\system32\ or in HJT log. Mood: Cautiously Optimistic.
Restarted in Safe Mode, files still gone from C:\windows\system32\ and HJT log. Uninstalled Spybot, restarted *again* in Safe Mode to make sure files were still gone. Installed Spybot, it ran successfully, but on installation, something still renamed and hid the three principal files. Scan is running now, will post results.
Whew!
Stace
Lytspeed
2008-05-24, 00:09
Hello,
Ouch that's a long time to wait until this point. :p:
Is the network a home one or a business?
Regards. :)
Yes, this user's machine was not updating for a long period of time, unfortunately, but the spyware problem didn't become an inconvenience for him until this week.
This machine resides at a municipal government.
Thanks for the response.
Stace
Lytspeed
2008-05-24, 01:22
Scan is running now, will post results.
Stace
Spybot found only one problem when I ran it: Banker. It removed Banker, and now I have restarted the machine in Safe Mode with Networking and connected it to the network. I'll download the latest Spybot defs and re-run the scan now. (I was using an Include file that was about a week old, since the machine was not on the network.)
<pause>
Okay, machine is updated to the latest Spybot defs and is running another scan in safe mode. Hopefully this one will be clean and I can make some real progress toward getting this machine back to the user.
Stace
Hello,
Yes, this user's machine was not updating for a long period of time, unfortunately, but the spyware problem didn't become an inconvenience for him until this week.
This machine resides at a municipal government.
Hello Stace,
A machine that has access to the net with an out-of-date antivirus program is vulnerable to exploits.
Not sure what you mean by "the spyware problem didn't become an inconvenience for him until this week."
A government machine, well I would be concerned about what information on that system could have been compromised.
Regardless, running tools such as ComboFix before and without expert analysis is dangerous. More than one user has had to reinstall their operating system because they used tools willy-nilly. At the least, Windows could become unstable.
FYI:
Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)
Corporate/Business Licensing (http://forums.spybot.info/showthread.php?t=16402)
Best regards. :)
Lytspeed
2008-05-24, 02:41
A machine that has access to the net with an out-of-date antivirus program is vulnerable to exploits.
Well yes, that's clearly the case. If I had known about it before, I would have taken care of it immediately. Unfortunately, the user didn't tell me, and the antivirus server was not set up to notify me when clients were out of date. (It is now.)
Not sure what you mean by "the spyware problem didn't become an inconvenience for him until this week."
The user knew he had spyware problems, but they were not significant enough to slow his machine down or become annoying until this week.
A government machine, well I would be concerned about what information on that system could have been compromised.
Yes, that is a concern. Fortunately, this user does not have access to overly sensitive information. This is a good argument for getting enterprise spyware protection, though.
Regardless, running tools such as ComboFix before and without expert analysis is dangerous. More than one user has had to reinstall their operating system because they used tools willy-nilly. At the least, Windows could become unstable.
Thank you for your concern, and I understand why you are posting the criticism. But with all due respect, I'm not a neophyte. I have been troubleshooting spyware problems since they began, and have run tools like ComboFix successfully numerous times. I just thought that it would be good to get this information in a thread so it can benefit other users, since I couldn't find any information online detailing how to identify and remove this particular bug.
I'll update the thread when I continue this next week.
Thanks,
Stace
Hello,
I have been troubleshooting spyware problems since they began, and have run tools like ComboFix successfully numerous times. I just thought that it would be good to get this information in a thread so it can benefit other users, since I couldn't find any information online detailing how to identify and remove this particular bug.
I'll update the thread when I continue this next week.
This forum is for Spybot-S&D support, not for the discussion of unrelated tools and fixes, or for members to give malware removal advice to other members. We have a separate forum staffed by trained volunteers for that.
Our helpers in that forum are in constant touch with the developers of the free tools used in fixes; many developers do not wish for their tools to be used outside of such an environment.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
There is always risk involved in installing and removing any software. Even a fix that time has shown to be useful to thousands of users can present problems to a few, or be found to have a bug in development.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
If you wish to discuss or ask questions regarding Spybot-S&D, then please continue in this forum for the support of our product.
Otherwise please post for assistance in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)
Have a nice weekend. :)