Blocked from running Spybot or any other malware remover

Status
Not open for further replies.
I don't know why I didn't get a notification of your reply until this morning. So, sorry for the delayed response.

I've tried several reboots, and have downloaded the updates both from the sys tray and the shutdown menu multiple times. And yet, when the machine reboots, the updates show up again. As I mentioned before, it seems to be stuck on downloading the August update of the Malicious Software Removal tool. When I go to the MS updates site, it lists the tool as being the only update I need to install, yet the file to download is listed as being "0 bytes" in size. According to that site, I've downloaded this update successfully every single day since the patch was released. Sometimes multiple times in one day.

Typically when I install the update, the status screen shows the file being downloaded and installed, followed by a message saying "installed successful." Then the install shield in my sys tray disappears, as well as the one in my shut-down menu. However, around 30 seconds later the shield icon reappears in both locations asking to download and install the exact same file again.

Something strange is going on here. Originally I thought some piece of malware was blocking the updates from installing, which is why I came here to this forum for help. But now I'm not so sure that this is the case. Not for this particular issue, at least.

--Ryodin
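The symptom Ryodin describes (the same MSRT package reported as installed every day, sometimes several times a day) is visible in the local Windows Update Agent history. This added PowerShell check is not from the thread; it groups successful installations by title and flags any title recorded more often than a chosen threshold. The `$Threshold` and `$Days` values are arbitrary choices.

```powershell
# Added example (not from the thread): flag updates whose installation has been
# recorded as successful repeatedly, which is the symptom described above.
# Uses the Windows Update Agent COM API (Microsoft.Update.Session).
param(
    [int]$Threshold = 3,   # flag a title installed at least this many times...
    [int]$Days      = 30   # ...within this many days (both values are arbitrary)
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
if ($count -eq 0) { Write-Host 'No update history recorded.'; return }

$since = (Get-Date).AddDays(-$Days)

# Operation 1 = Installation; ResultCode 2 = Succeeded, 3 = SucceededWithErrors.
$installs = $searcher.QueryHistory(0, $count) |
    Where-Object {
        $_.Operation -eq 1 -and
        ($_.ResultCode -eq 2 -or $_.ResultCode -eq 3) -and
        $_.Date -ge $since -and
        -not [string]::IsNullOrEmpty($_.Title)
    }

# A healthy machine installs each update once; repeats point at an update
# that never actually "sticks" (corrupt WU components, broken data store, etc.).
$repeats = $installs |
    Group-Object -Property Title |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object -Property Count -Descending

if (-not $repeats) {
    Write-Host "No update was installed $Threshold or more times in the last $Days days."
    return
}

foreach ($group in $repeats) {
    $dates = @($group.Group | Sort-Object Date |
               ForEach-Object { $_.Date.ToString('yyyy-MM-dd HH:mm') })
    Write-Host ("{0}x  {1}" -f $group.Count, $group.Name)
    Write-Host ("      first: {0}  last: {1}" -f $dates[0], $dates[-1])
}
```

Run it from an elevated PowerShell prompt; a title listed with a count in the double digits over a few weeks is the pattern the thread is chasing.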
 
Greetings Ryodin,

MS has a Windows Fixit Center here http://support.microsoft.com/fixit/ that has "Automatically diagnose and fix common problems with Windows Update". After the page opens, Step 1: click on Windows, then Step 3: scroll down to and click on "Automatically diagnose and fix common problems with Windows Update".
You use IE to download and run the tool. Follow the on-screen instructions. Let's see if that helps.
 
Okay, I will give this a try when I get home from work later today and reply here when I'm done.

Thanks a lot, redcar!

--Ryodin
 
Okay, I tried the solution you linked to and ran the tool successfully. According to that, the problem was detected and fixed. But of course, lo and behold, it was not. I'm still getting the same shield icon in both locations. I ran the installation in the hopes that this might be the last time, since the problem was supposed to be fixed... but no such luck. The icons appeared again regardless.

I then restarted my PC, went back to the Windows troubleshooting site, ran the tool again, and rebooted my PC one last time after it was done running. And still the problem persists.

I think I should just hide this particular update, except I don't know how to do so.

Anyway, here is a copy of the report that was generated when I ran the tool.

=========================================================

Windows Update Publisher details

Issues found
Windows Update components must be repaired
One or more Windows Update components are configured incorrectly Fixed
Repair Windows Update components Succeeded

Issues checked
Default Windows Update data locations have changed
The location where Windows Update stores data has changed and must be repaired Checked

Issues found Detection details

6 Windows Update components must be repaired Fixed

One or more Windows Update components are configured incorrectly
Repair Windows Update components Succeeded

Repairing Windows Update components frequently resolves common Windows Update errors


Issues checked Detection details

6 Default Windows Update data locations have changed Checked

The location where Windows Update stores data has changed and must be repaired
Repair default Windows Update locations Not Run

Change Windows Update locations to Windows default settings


Detection details

Collection information
Computer Name: D139KB41
Windows Version: 5.1
Architecture: x86
Time: 8/30/2011 6:53:53 PM

Publisher details

Windows Update
Resolve problems that prevent you from updating Windows.
Package Version: 4.0.2.20110411
Publisher: Microsoft Corporation

=========================================================


--Ryodin
 
Greetings Ryodin,

I am afraid that we have run to the end of our resources in the malware removal forum with your update problem, but your logs do look clean. When done here, you should post your problem here or here, as SaferNetworking does not have Windows OS support.

What about those files on your desktop that won't delete?
 
Thanks, redcar. I came to the same conclusion myself. I'll try the links you've provided.

As for the files, they are .exe files including a Spybot S&D program that cannot be deleted from the "Program Files" folder on my C: drive.

Here are the paths/locations for those files:

C:\Documents and Settings\David Batista\Desktop\msert.exe
C:\Documents and Settings\David Batista\Desktop\OTL.exe
C:\Documents and Settings\David Batista\Desktop\OTL2\OTL.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


--Ryodin
 
Greetings Ryodin,

Have you tried uninstalling Spybot S&D?

Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
Code:
:OTL
:Services
:Reg
:Files
C:\Documents and Settings\David Batista\Desktop\msert.exe
:Commands
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)


Here is a little program that can remove almost any other program.
http://www.revouninstaller.com/revo_uninst...e_download.html

We will get OTL when we clean up our tools.
 
Yes, I ran the uninstall for Spybot first, but it could not get rid of the folder in the "Program Files" folder on my C: drive. The uninstall only removed Spybot from my desktop and Start --> Programs menu. A manual delete of the folder on the C: drive results in an error message saying that either my disk is too full or I do not have access to the file in question. This, of course, makes it impossible for me to re-install Spybot since it needs to overwrite that file and the error prevents it from doing so.

As for your other suggestions, I'll try those when I get home from work tonight.

Thanks a lot!


--Ryodin
 
Okay, I ran OTL to remove that msert.exe file -- and it worked! Now if only I could use this to remove those corrupt OTL.exe files, too! :D

Here is the log:

==========================================================
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\David Batista\Desktop\msert.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: David Batista
->Temp folder emptied: 4808676 bytes
->Temporary Internet Files folder emptied: 148547900 bytes
->Java cache emptied: 118722743 bytes
->Flash cache emptied: 9290915 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111826 bytes
->Flash cache emptied: 4864 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 7379985 bytes
%systemroot%\System32\dllcache .tmp files removed: 474112 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 185364 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 276.00 mb


OTL by OldTimer - Version 3.2.26.7 log created on 08312011_184922

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6c.dat not found!

Registry entries deleted on Reboot...

==========================================================


I'll try using the program you linked to in order to remove the other files shortly.


--Ryodin
 
Okay, I downloaded Revo Uninstaller. Unfortunately, it does not list SpyBot under the list of installed programs on my machine. Yet the file is clearly there in my "Program Files" folder on the C: drive.


--Ryodin
 
Greetings Ryodin,
One more thing.

Boot to Safe Mode and delete them. If no joy:
How to set, view, change, or remove file and folder permissions in Windows XP
(Pro/Home)
http://support.microsoft.com/kb/308419

HOW TO: Take Ownership of a File or Folder in Windows XP (Pro/Home)
http://support.microsoft.com/default...b;en-us;308421

How to set, view, change, or remove special permissions for files and folders in Windows XP -
http://support.microsoft.com/default...b;en-us;308419

Let me know results please.
 
The reboot in Safe Mode didn't do the job. So I clicked on the first link and couldn't quite follow what the instructions were asking me to do. The Security Tab it speaks of doesn't appear in my folder properties, and I couldn't find the check box I need to uncheck to gain access to the tab.

The other two links didn't work for me. I think it has something to do with the ellipses in the URL.

All I want to do is get rid of the faulty OTL files from my desktop. I've already figured out a workaround for the Spybot problem by renaming the folder in my Program Files. After that, I was able to install a fresh copy of Spybot and run a scan last night.


--Ryodin
 
Greetings Ryodin,

Your Java appears to be down-level.
Navigate to Control Panel > Add/Remove Programs.
Highlight each Java item listed, then Remove or Uninstall.
Visit this site to download and install the latest Java.

Now to clean up our tools.
The following will implement some cleanup procedures as well as reset System Restore points:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall


Next
The following will remove OTL, exehelper, TDSSKiller, & GMER. Let me know about the problem folder after running the following.
Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL, as this step will require a reboot.
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Next
To remove Hijackthis do the following:
  • Click Start > Control Panel > Add or Remove Programs
  • Click on Hijackthis
  • Click on Remove
  • When done close all windows.
  • Navigate to C:\Program files\Trend Micro
  • Delete the Hijackthis folder.
  • Close all windows.

On your desktop find RKill.exe/com/scr, right click and click on delete.

On your desktop find aswMBR.exe, right click and click on delete. Do the same for aswMBR.txt

On your desktop find Maxlook.exe, right click and click on delete.

On your desktop find Dial-a-fix.exe, right click and click on delete.

You should keep Malwarebytes and ESET. Update and run them on a regular basis to keep your PC malware free.

At Last
From the look of your logs you are finally All Clean, and the machine seems to be performing as it should. You know how much work and effort you've had to put into getting it back into working order, so hopefully you can impress upon the others who use this machine to be more careful.

For the future safety of this machine and your data, try to ensure they sit down and read the following threads: (it won't take them very long)

Cracked/Illegal Software

Perils of P2P File Sharing

Think Prevention

If there aren't any more problems, we have some final housekeeping to tend to now.

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

* Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

* SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
o SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

* WOT (Web of Trust). As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
o Green to go
o Yellow for caution
o Red to stop
WOT has an addon available for both Firefox and IE.


* Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.

If the OTL2 folder won't remove, let me know; there may be one or two more tricks we can try.
If you have any more questions or issues, please let me know.
 
I was able to remove everything on your list except for that OTL.exe file which is in the OTL2 folder. I forgot to mention that I had yet another bad OTL.exe file in another folder: C:\Documents and Settings\David Batista\Desktop\Logs\OTL.exe

The faulty OTL.exe on my desktop, the newer "good" version of OTL, exehelper, TDSSKiller, and GMER were all removed, however.

So, as of now, the only files I cannot delete are the 2 OTLs and the Spybot.

I will look into all the suggested links and preventative programs tomorrow and over the weekend.

Thanks, redcar! And let me know what last remaining solutions I might have at my disposal for removing those files.

:thanks:


--Ryodin
 
One more thing. You asked me to keep Malwarebytes and ESET, but I don't believe I have these. Where can I get them?


--Ryodin
 
Greetings Ryodin,
Let's go after OTL2 first; if it works we will do the rest.
Press the WinKey + R to open a Run box, then copy/paste the following single-line command into the Run box and click OK:
cmd /c del /f /a /q "C:\Documents and Settings\David Batista\Desktop\OTL2\*.*" /s

Press the WinKey + R to open a Run box, then copy/paste the following single-line command into the Run box and click OK:
cmd /c rd /s /q "C:\Documents and Settings\David Batista\Desktop\OTL2"

Let me know if this works, if so we can do the others.

Next
Please download Malwarebytes' Anti-Malware from Here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes if there are any infections you will see a List of found threats.
  • Click Export to text file
  • Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
  • If no threats are found there will be no list, this is good, just tell me that no threats were found.

Logs to post:
  • mbam.txt
  • results of ESET scan
  • results of run command
 
Thank you, thank you, thank you! :D That seemed to do the trick! Both corrupted files of OTL are gone now. There are no more. The only suspect file left is the Spybot one.

I'll download and run Malwarebytes and Eset next, and paste the logs in a follow-up reply.

--Ryodin
 
Here is the log from the MBAM scan:

=========================================================
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7640

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/3/2011 1:24:21 AM
mbam-log-2011-09-03 (01-24-21).txt

Scan type: Quick scan
Objects scanned: 193765
Time elapsed: 11 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{B0E43034-50F5-1F84-8098-824B44F2DBC3} (Adware.Admedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
=========================================================


--Ryodin
 