
Thread: Blocked from running Spybot or any other malware remover

  1. #11 (Member)

    Bill,

    Okay, well here is the 2nd aswMBR log. Because I let it run a lot longer this time, I noticed there is a 5th error being reported now. The original log only showed 4 error lines in red. So I'm copying the log of the second scan below just in case:


    aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
    Run date: 2011-08-20 12:12:33
    -----------------------------
    12:12:33.015 OS Version: Windows 5.1.2600 Service Pack 3
    12:12:33.015 Number of processors: 1 586 0x209
    12:12:33.015 ComputerName: D139KB41 UserName:
    12:12:57.375 Initialize success
    12:13:30.765 AVAST engine defs: 11082000
    12:13:58.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    12:13:58.062 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
    12:14:00.093 Disk 0 MBR read successfully
    12:14:00.093 Disk 0 MBR scan
    12:14:00.250 Disk 0 Windows XP default MBR code
    12:14:00.296 Disk 0 scanning sectors +234372285
    12:14:00.390 Disk 0 scanning C:\WINDOWS\system32\drivers
    12:14:42.187 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
    12:14:55.015 Service scanning
    12:15:08.468 Modules scanning
    12:15:11.656 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
    12:15:16.546 Disk 0 trace - called modules:
    12:15:16.562 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5297c0]<<
    12:15:16.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a699ab8]
    12:15:16.937 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a4d5030]
    12:15:16.937 \Driver\00000711[0x8a5b68e8] -> IRP_MJ_CREATE -> 0x8a5297c0
    12:15:20.281 AVAST engine scan C:\WINDOWS
    12:15:51.140 AVAST engine scan C:\WINDOWS\system32
    12:20:40.171 AVAST engine scan C:\WINDOWS\system32\drivers
    12:20:56.921 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
    12:21:04.156 AVAST engine scan C:\Documents and Settings\David Batista
    16:19:41.163 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\MBR.dat"
    16:19:41.663 The log file has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\aswMBR2.txt"


    --Ryodin (aka David Batista)
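An added example, not part of the post and not aswMBR's own code: a small Python parser that pulls the red-flag lines out of an aswMBR log like the one above (infected files, suspicious modules, the UNKNOWN code address in the disk trace) and ties that unknown address back to the driver dispatch entry that points at it. The sample lines are copied from the log quoted above; the function and field names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the aswMBR output quoted in the post above.
SAMPLE_LOG = r"""
12:14:00.250 Disk 0 Windows XP default MBR code
12:14:42.187 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
12:15:11.656 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
12:15:16.562 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5297c0]<<
12:15:16.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a699ab8]
12:15:16.937 \Driver\00000711[0x8a5b68e8] -> IRP_MJ_CREATE -> 0x8a5297c0
16:19:41.163 Disk 0 MBR has been saved successfully to "C:\Logs\MBR.dat"
"""

@dataclass(frozen=True)
class Finding:
    time: str        # hh:mm:ss.mmm timestamp of the log line
    kind: str        # infected | suspicious | unknown_code | dispatch_hook
    detail: str      # file path, or the kernel address the line refers to
    extra: str = ""  # detection name, or the driver object and IRP major that owns the hook

_INFECTED = re.compile(r"^(\S+) File: (.+?) \*\*INFECTED\*\* (.+)$")
_SUSPICIOUS = re.compile(r"^(\S+) Module: (.+?) \*\*SUSPICIOUS\*\*\s*$")
_UNKNOWN = re.compile(r"^(\S+) .*>>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
_DISPATCH = re.compile(r"^(\S+) (\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (\S+) -> (0x[0-9a-fA-F]+)\s*$")

def parse_findings(log_text):
    """Return only the lines an analyst would act on, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := _INFECTED.match(line):
            findings.append(Finding(m[1], "infected", m[2], m[3]))
        elif m := _SUSPICIOUS.match(line):
            findings.append(Finding(m[1], "suspicious", m[2]))
        elif m := _UNKNOWN.match(line):
            findings.append(Finding(m[1], "unknown_code", m[2]))
        elif m := _DISPATCH.match(line):
            findings.append(Finding(m[1], "dispatch_hook", m[4], f"{m[2]} {m[3]}"))
    return findings

def hooked_unknown_addresses(findings):
    """Map each UNKNOWN address to the driver dispatch entry that targets it.
    In the quoted log, IRP_MJ_CREATE for \\Driver\\00000711 lands in unrecognised
    code at 0x8a5297c0: file-open requests on the disk are being routed through
    code the scanner cannot attribute to any module, which is what a disk hook
    looks like in this trace."""
    unknown = {f.detail for f in findings if f.kind == "unknown_code"}
    return {f.detail: f.extra for f in findings
            if f.kind == "dispatch_hook" and f.detail in unknown}
```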

  2. #12 (Senior Member)

    OK Ryodin,
    Let's try it this way please.

    Print out these instructions as we may need to close every window that is open later in the fix.
    It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

    Do not reboot your computer after running rkill as the malware programs will start again.

    Please download and run one of the following tools to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 3 different versions. If one of them won't run, then download and try to run another one.

    You only need to get one of them to run, not all of them.
    1. rkill.exe
    2. rkill.com
    3. rkill.scr
    Do not reboot your computer after running rkill as the malware programs will start again.
    Remember, RKill must be run each time your PC is booted until exe files will run without it.

    Next
    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

    • If an infected file is detected, the default action will be Cure, click on Continue.


    • If a suspicious file is detected, the default action will be Skip, click on Continue.

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file in your next post.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next post.


    Next
    If that works, then OTL again please.

    Logs to post:
    • TDSSKiller.txt
    • OTL.txt

  3. #13 (Member)

    Okay, I was able to download rkill.exe to the desktop of my infected PC. I then ran it and it seemed to have eliminated a piece of malware. I saved the log of that, and then moved on to the next step.

    Next I downloaded and extracted TDSSKiller to the infected PC; I was able to run that process as well. However, the program said it found no infections. None at all.

    So, at a loss for what to do next, I tried running OTL again. Now remember, I cannot run the OTL file I previously downloaded. It ran the first time, and then the window suddenly vanished and nothing happened.

    So, I had to download OTL anew. Mind you, the previous two downloads are still on my PC, but after failing twice they now refuse to open again or to be sent to the trash bin. This means that I cannot download OTL anew without first choosing a different location other than my desktop. If I don't, the download tries to replace the existing copy of the program and then fails to do so because of some kind of conflict.

    So, that all being said now, I went and downloaded a fresh copy of OTL and saved it to a new folder on my desktop. I opened OTL, and selected all the steps I'm supposed to select. I then copied and pasted the info you gave me under "Custom Scan", and hit the "Run Scan" button.

    Immediately the OTL window vanished, and I'm left staring at the screen now wondering what to do next. It's been 20 minutes now, and nothing has popped up. I know if I try to open OTL again, I will get that access denied message once more. So I won't do that.

    I'm writing this message from my Netbook now, because I don't want to touch the infected PC or reboot it until I hear back from you.

    Sorry this is being so difficult. If you would like me to paste copies of the rkill and tdsskiller logs, let me know.

    --Ryodin

  4. #14 (Member)

    Bill,

    I'm just going to go ahead and paste the rkill log in the interim, for whatever it's worth. Here it is:

    ========================================================
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 08/20/2011 at 17:09:00.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    \\.\globalroot\Device\svchost.exe\svchost.exe
    C:\Documents and Settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe


    Rkill completed on 08/20/2011 at 17:09:09.
    =======================================================



    The rkill program seemed to have killed something related to my Dropbox folder. I find this interesting because, come to think of it, my Dropbox folder has been acting screwy for a long while. Say, for the past 2 to 3 months or so. Since this folder connects to a cloud service, should I perhaps disengage from Dropbox and remove the folder?

    I have Dropbox on my Netbook as well, but have never experienced any problems with the Netbook. It could be that this is because my infected desktop PC is running on Windows XP, whereas my Netbook is running on Windows 7. Don't know if any of this matters, but figured I'd put it out there.

    Thanks again for all the wonderful help! I hope we can get to the bottom of this.

    --Ryodin

    P.S. -- I have not rebooted my PC yet since running rkill.

  5. #15 (Senior Member)

    I am not seeing anything wrong with Dropbox.exe. You can reboot your PC anytime you wish, just rerun rkill after booting.
    Back soon.

  6. #16 (Senior Member)

    Greetings Ryodin,
    This one is a bit stubborn. Let's go at it from this direction.

    ***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
    Download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

  7. #17 (Member)

    Bill,

    I was away from the PC for a bit, sorry about the delay. I'm writing this from my Netbook, which is not infected. Right now ComboFix is running on the infected machine. In the meantime I wanted you to know that I received a message from ComboFix saying that it detected an infection of "Rootkit.ZeroAccess." ComboFix then went on to call it a "particularly difficult infection."

    I was told to be patient and to let ComboFix run its course. Also, that if I should lose Internet access at any time, to wait for ComboFix to run completely and automatically reboot the machine. That should fix it. If not, to run ComboFix one more time.

    I checked, and sure enough I no longer had Internet access.

    ComboFix just finished its run and confirmed that I did indeed have a rootkit infection. It has now rebooted my PC and now I'm waiting. I'll post back in a little while when I can.

    --Ryodin

  8. #18 (Senior Member)

    No problem, post back when you can.

  9. #19 (Member)

    Okay, I'm starting to get worried now.

    My PC rebooted and immediately upon startup ComboFix continued running. It started listing each stage as it completed. Sometime around Stage 30, I received a pop-up window stating that "PEV.exe encountered a problem and needs to close."

    I have no idea what PEV.exe is, but I hope it doesn't cause a problem.

    ComboFix continued to run after this. It completed Stage 50, then it started deleting a bunch of files.

    However, now it seems to have stalled. ComboFix has been on the same line now for 35 minutes. Nothing's changed in all that time. Every now and then an hourglass shows up, then vanishes. And the cursor in the ComboFix window is still blinking.

    What should I do? None of my desktop icons are showing, and I can't access any other area of my PC. The only thing on the screen right now is this ComboFix window. I'm afraid if I shut the machine down in the middle of the process I won't be able to start it up again.

    Until I hear back from you, I'll let it continue to run.

    --Ryodin

  10. #20 (Senior Member)

    It is almost 11:00, so let it go tonight. Sometimes CF takes quite a while; I have seen over half an hour on a clean machine. If you are a night owl, stop it in 2 hrs. The fact that it completed stage 50 is good, and deleting files is also good. It found a nasty rootkit and is trying to deal with it now. Sometimes it will stall.
