Spyware and HJT Scans Are Aborted

Hi,

You still have to update your vulnerable Adobe Reader to version 8.1.6. Please do so.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r



Clear your trash and junk folders in Mozilla email client. Also, check email messages in your inbox and delete suspicious looking ones.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Users\Henry\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\77c3a532-27c52790


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. How's the system running?
 
OK, I've updated Adobe Reader.

I'm attaching the Win32kDiag log and the Combo fix log.

My system is running pretty good overall. Since I got the infection, when I was using Internet Explorer, I would get spammy pop up ads from time to time, so I stopped using it. I haven't tried again since we've been working on this problem.

I still can't delete RootRepeal from my desktop. I have a feeling if I tried to run a full scan of Spybot, Anti-Malware Bytes, or HijackThis, I would have the same problem as before of the scan shutting down early. But I haven't tried it recently.

My printer isn't working properly. When I try to print a document, the print job shows up in the print manager but then is quickly deleted and nothing prints. I'm not sure if this problem is related to the infection, but it started happening at around the same time.
 
I still can't delete RootRepeal from my desktop. I have a feeling if I tried to run a full scan of Spybot, Anti-Malware Bytes, or HijackThis, I would have the same problem as before of the scan shutting down early. But I haven't tried it recently.
Download this and drag'n'drop RootRepeal exe file to it. See if you're able to delete the file after that.

My printer isn't working properly. When I try to print a document, the print job shows up in the print manager but then is quickly deleted and nothing prints. I'm not sure if this problem is related to the infection, but it started happening at around the same time.
Have you tried to remove the printer and add it back?
 
Things are going well. I was able to reinstall my printer and delete root repeal.

I reinstalled MBAM and was able to do a complete scan.

Do you think we have completely removed the infection?

I tried to reinstall Spybot S&D, however, and got a variety of errors. Should I uninstall it first? What settings should I choose during the uninstallation process?
 
Hi,

Uninstall Spybot by removing all of it. Then see how reinstall goes. We'll see further steps after that :)
 
During the SpybotSD installation process, I got a "read only" error about some element. I hit retry a few times and then clicked ignore.

The rest of the installation process seemed to go OK, but when I tried to run Spybot, I got the error: "unable to execute file SpypotSD."

Also, it said: "CreateProcess failed; code 5. Access is denied."

The Tea Timer seemed to reinstall OK, however.
 
Hi,

Uninstall Spybot and try to reinstall once more. This time note down the errors during the installation process (if any received).
 
I uninstalled Spybot, restarted my computer, and tried to install it again.

First, I got an inquiry about the Spybot folder already existing and if I'd like to install to it anyway. I clicked Yes.

During the installation process I got the error:

c:\Program Files\Spybot Search & Destroy\SpybotSD.exe
This existing file is marked as read only.
Click Retry to remove the read-only attribute and try again, Ignore to skip, or Abort to cancel installation.

I tried Retry a few times but I'd get the same error. So I did ignore. The program seemed to install OK, but when I try to run it, I get the error as written in my earlier post.
 
Hi,

Did the folder disappear when you uninstalled?


Please uninstall again. Then follow this set of instructions:

  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the OTM icon on your desktop.
  3. Paste the following code under the Paste Fix Here area. Do not include the word Code.
    Code:
    :Files
    c:\Program Files\Spybot Search & Destroy
  4. Push the large MoveIt button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the Results line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Is Spybot folder still there?
 
I uninstalled, restarted, and followed your instructions.

Attached is the log from OTM.

The Spybot folder is still there in c:\Program Files.

In the Spybot folder are the files:

SDWinSec.exe
TeaTimer.exe
advcheck.dll
 
Once I get Windows into safe mode, do you recommend that I simply drag the folder to the recycle bin? Then do I empty the bin?
 
Hi,

Navigate to Spybot folder, and right click it. Select Properties from the context menu.
Click the Security tab, click the Advanced button, and click the Owner tab.
In the Name list under "Change owner to," click Administrators. To take over ownership of everything within a folder, check the box that says Replace owner on subcontainers and objects.

See if you're able to delete Spybot folder after that.
 
Administrators already was listed as owner. I played around with these settings (switching owner to the current user and switching back) but I got the same error message. I still can't delete the folder.

Currently the owner is administrators again.
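
Added example, not part of any post in this thread: the thread has so far checked the read-only attribute and the folder owner by hand, and this PowerShell sketch reports both for every item in a folder tree, plus any Deny access entries, which can block deletion even when Administrators is the owner. The function name `Get-DeleteBlocker` and the temporary demo folder are assumptions made for illustration; the sample file is constructed.

```powershell
# Added example: list items in a folder tree that carry a read-only flag or a Deny ACL entry.
function Get-DeleteBlocker {
    param([Parameter(Mandatory)][string]$Path)

    # -Force includes hidden and system items; the root folder itself is checked too.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        # The read-only flag only matters for files; on folders Windows uses it for other purposes.
        $readOnly = (-not $item.PSIsContainer) -and
                    [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
        try {
            $acl   = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            $owner = $acl.Owner
            $deny  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        } catch {
            # Not being able to read the ACL at all is itself worth reporting.
            $owner = '(ACL not readable)'
            $deny  = @()
        }

        if ($readOnly -or $deny.Count -gt 0 -or $owner -eq '(ACL not readable)') {
            [pscustomobject]@{
                Path     = $item.FullName
                ReadOnly = $readOnly
                Owner    = $owner
                DenyFor  = ($deny | ForEach-Object {
                               "$($_.IdentityReference): $($_.FileSystemRights)"
                           }) -join '; '
            }
        }
    }
}

# Constructed sample: a temporary folder holding one read-only placeholder file.
$demo = Join-Path $env:TEMP 'delete-blocker-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'sample.exe'
Set-Content -LiteralPath $file -Value 'placeholder'
Set-ItemProperty -LiteralPath $file -Name IsReadOnly -Value $true

Get-DeleteBlocker -Path $demo | Format-List

# Clean up the constructed sample.
Set-ItemProperty -LiteralPath $file -Name IsReadOnly -Value $false
Remove-Item -LiteralPath $demo -Recurse -Force
```

It reports attributes and ACLs only; a file held open by a running process will not show up here.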
 
Hi,

Run ComboFix with this script (create it as earlier) in safe mode:
Code:
Folder::
c:\Program Files\Spybot Search & Destroy

Post back the results.
 