PDA

View Full Version : Can't remove Old S&D files to reinstall Spybot



ARCHellraiser
2009-09-23, 14:21
Have been working with ken545 your Security Expert for the past week and we finally have my system working. The last step was to uninstall spybot and reinstall because very time i tried to start it I would get this Error:

"Windows Cannot Access the specified deice,path or file.
You may not have the appropriate permissions to access the item"

as instructed I uninstalled it and I always check to see if everything was removed and I found 3 files that i cannot remove..See attached screen shot.

He then advised me to post here.

Not very comfortable with S&D off line...:sad:
please advise.

Thanks
HR

flyngunr
2009-09-24, 07:40
I have the same problem. I just got infected with something that disabled my McAfee VS, Spybot S&D and Malwarebtes' Anti-Malware. It also disabled my internet connection in normal mode.
I'm normally pretty good at finding and fixing siple infections, but this one had me puzzled (I ended up paying McAfee techs $98 to fix it remotely).
Anyway, after disenfecting, I ununstalled Spybot and downloaded a fresh copy.
When I went to install, it wouldn't let me because of a file in the C:\Program Files\Spybot - Search & Destroy folder called C:windows\program files\spybot S&D.exe (or similar).
I tried to delete and shred the C:\Program Files\Spybot - Search & Destroy folder but it is marked as read only and would not let me delete it. I get the same message you are getting!
Anyone help?

spybotsandra
2009-09-24, 11:07
Hello,

Sounds like you are infected with a Rootkit.
For more informations please have a look at this link (http://forums.spybot.info/showthread.php?t=50194).

Best regards
Sandra
Team Spybot

ARCHellraiser
2009-09-24, 14:16
Morning Sandra,
YES I was infected with the "Rootkit" bug and it took over a week of work from
Your Teammate ken545 Spybot Security Expert to clean it up and has released me today to work with This team to get rid of these 3 files..

I have done all steps as listed they cannot be deleted or renamed.
I'v tried in both standard and safe mode and get the same Error.

"Windows Cannot Access the specified deice,path or file.
You may not have the appropriate permissions to access the item"

Ken545 has again instructed me to follow this team instructions on removing and reinstalling S&D.
Please advise Next step.

Thanks
HR

spybotsandra
2009-09-24, 14:22
Hello,

Did you have a look at your taskmanager if there is anything running from Spybot? If you see the SpybotSD.exe there you can kill the process.

Are you logged in as admin or only as user with admin rights?

Have you tried to delete the whole folder and not the single files?

Best regards
Sandra
Team Spybot

ARCHellraiser
2009-09-25, 03:21
Hello,

Did you have a look at your taskmanager if there is anything running from Spybot?
NO checked before and just checked again
If you see the SpybotSD.exe there you can kill the process.

Are you logged in as admin or only as user with admin rights?
as Admin

Have you tried to delete the whole folder and not the single files?
Yes and get the same error as above

Best regards
Sandra
Team Spybot

some other things you should know

* removed application S&D by control panel "add & remove Programs"
it said could not remove all files.

*Checked properties of each file have 'Read only" and "Hidden" checked and
Hidden is Grayed out. If I uncheck the "read only" box and hit apply i get this error.
"An Error occurred applying attributes to this file Access is Denied" same for the folder "Skybot -Search and Destroy

*verified folder options "show hidden files" is checked

The malware that had (been removed) infected my system Changed and locked these files so i cound not run this program..

* when you click on theSpybotSD.exe you get this error:
"Windows Cannot Access the specified deice,path or file.
You may not have the appropriate permissions to access the item"

So how do we fix what the nasty little Bug did..:flame:

spybotsandra
2009-09-25, 12:24
Hello,

I am sorry, but then I do not think that your system is clean.
Did you try to download a fresh installation of Spybot and copy it over the existing file?

Best regards
Sandra
Team Spybot

NatGarrison
2009-09-25, 17:10
I am having same problem with a clients computer. The properties box for the SpybotSD.exe file is different than normal application programs. Instead of the normal "General", "Version", "Compatibility", "Digital Signatures", and "Summary" tabs the dialogue box has "General", "Program", "Fonts", "Memory", "Screen", "Miscellaneous", "Compatibility", and "Security" tabs like the .pif shortcut files that are required to run DOS applications under Windows. I was able to successfully delete the old SpybotSD.exe file and the directory by using bootable CD-ROM disk. Before deleting the program and it's directory I couldn't re-load Spybot. After deleting, I was able to load a new copy, but it will not run with the: "Windows Cannot Access the specified deice, path or file.
You may not have the appropriate permissions to access the item" error message.

ARCHellraiser
2009-09-25, 19:08
I have forward this back to the Malware Removal Team that was working
with me this week, they are working on it.

epepep
2009-09-26, 02:26
When you go into the properties of "spybotsd.exe" the security group is fake: it is called "everyone". You have to remove that group, and find and add "Administrators", at which point you can change the access, and "spybotsd.exe" will run, FOR A LITTLE WHILE. Then it bombs out, and when you check the properties of "spybotsd.exe" the security group has been changed back to the fake"everyone".

If you boot into safe mode, you can go to c:\program files\spybot search & destroy using a DOS (Command) prompt, although this is HARD to do!

c:
cd\program files
cd spy [hit the tab key, then enter]

anyway, then you
attrib /? to see the command line options for the attribute command
attrib -r -a -s -h *.*

this will unhide the various files, confirm by
dir spy*.* /a

you can then
del spybotsd.exe

this will finally clear the "spybotsd.exe" file from the directory, at which point to can copy a new version.

UNFORTUNATELY, it runs at first, then bombs out, then -- you guessed it:
you return to "spybotsd.exe" and the security group is again the fake "everyone" !!

So there has to be a background program running that detects when something in Spybot is running and immediately kills it and sets up all the access permissions to the fake "everyone"

ARCHellraiser
2009-09-26, 20:36
HI !!

Just wanted to let you know that work with ken545 Spybot Security Expert we were able to safely Remove using Combfix
the 3 locked files.:yahoo:

Spybot installed and running fine

Thanks for your help..

HR

epepep
2009-09-29, 13:16
Spybot Teatimer.exe registry monitor would not run, just like everything else. The security settings (Vista) were set to the fake "everyone" again. I deleted "everyone" and added "Administrators" and started Teatimer.exe. I set it to "paranoid" mode. Sure enough, there was immediately a registry "hit" that was trying to change an obscure key. I denied. I reset Security on Spybotsd.exe in the same manner and then was able to open it. It finally ran! It spotted a "win32" trojan and some other stuff which I deleted. When I rebooted, Teatimer notified me of several new registry entries, which were Deletions of the changes by Spybot -- I denied them all. At this point Malwarebytes and AVG antivirus ran properly, after I unistalled them and rebooted and ran a Spybot scan first, right before the reinstall. As a safety measure, I unplugged my internet connection, except when the updates were downloading, then immediately unplugged and performed the scans.

This took me 4 days of tinkering -- the first virus / malware I've ever had since 1986 -- that wasn't caught immediately by the anti-virus program resident in memory.

dkperez
2009-09-30, 05:51
I"m not sure what to add here, except that I'm STILL having the same problem. I've now got FOUR Spybot installations, all with the directories renamed because I can't delete the files, and can't reinstall over the originals. The .exe are set RHSA and I can't delete them from XP Pro, Vista, or Safe Mode.

Has there been any progress finding a way to prevent whatever this is from clobbering Spybot and causing it to fail?

I've got a ComboFix log if that'll help.

So, where are things?

dkperez
2009-09-30, 06:13
Oh, and how do I control the teatimer settings? I'd like to set it to "paranoid" and see with it turns up......

drragostea
2009-10-01, 02:48
dkperez, you can always start by right clicking on the Teatimer icon in the Windows Taskbar.

dkperez
2009-10-02, 16:31
I don't have any teatimer icon in the taskbar. Or in the system tray. Nor do I have any process running in the task manager that is obviously a teatimer. I thought at installation I told the teatimer to run, but how do I determine if that's true?

Zenobia
2009-10-02, 23:07
You could open Spybot,click Mode->Advanced Mode->Tools->Resident.Is there a checkmark beside Resident "Teatimer"?

Were you able to clear the other problems you were having before,besides your current problem uninstalling Spybot? :)
http://forums.spybot.info/showthread.php?p=333235#post333235

dkperez
2009-10-04, 03:42
Nope..... Advanced mode and checking/unchecking the box did NOT start teatimer..... Nothing did.

I finally had to find the file in the directory and start it manually. I also noticed I'm not the first person to encounter this problem, where teatimer won't start even from advanced mode..... What's going on?

As far as the other problem.... It's fixed for the moment, but I had to use ComboFix to do it..... It still makes a total mess of Spybot and Hijack This. Neither works when the problem occurs, neither can be uninstalled and/or reinstalled, and so on....

Be nice to get a solution that'll keep whatever's out there from clobbering Spybot...

Zenobia
2009-10-04, 05:15
Where you are still having problems with Hijackthis and Spybot,I suggest asking for help in Malware Removal,just to doublecheck that the problems are all gone.

Please read this first:
http://forums.spybot.info/showthread.php?t=288

If the infection prevents HJT from running, please start a topic anyway and make note of the situation.

Malware Removal:
http://forums.spybot.info/forumdisplay.php?f=22

If you do post in malware removal,tell your helper about your problems removing SpybotSD.exe,etc.,because they'll be able to help you with that. :)

Zenobia
2009-10-04, 05:22
I see now you were able to get the Spybot files deleted:
http://forums.spybot.info/showthread.php?t=52236

Still,you might want to consider getting checked out,just to be sure. :)