Solved: Can't get NOD32 antivirus, Malwarebytes to run

Eset Nod32 antivirus v.4.0
August 28, 2011 at 23:13:56
Specs: Windows XP service pack 3, AMD Athlon 64 3000+ 2GHz / 1GB
Hi, can someone please help me? A friend was using my computer to read e-mails; they couldn't remember the password for their account, so they downloaded a password program and ran it, and now my computer isn't working properly. My anti-virus (NOD32) and Malwarebytes won't work; I keep getting the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item". Also, in my Task Manager a new system process is there called 2957826186:1965536079.exe, and it won't let me end the process. I have also tried a System Restore; nothing works! I have the web address/link to the .exe file which my friend (came in, messed up my computer and went home!) used. Been trying to fix it for nearly 5 hours now, can someone please HELP! I am running out of ideas.


#1
August 29, 2011 at 04:00:39
Firstly, what did you learn about allowing others to download and execute binaries on your machine? :)

Secondly, you've either got a second (and possibly third, fourth etc.) infection that's protecting the first (Robin Hood and Friar Tuck - http://www.vintage-computer.com/vcf... ), or, more likely, you've been rootkit'd. Given the stats I see daily, it's likely to be a variant of TDL or TDSS.

I suggest you firstly download and run this:

http://www.gmer.net/
(Use the "Download EXE" button)

It will let you know what nefarious activity is occurring on your machine. Once it returns its results, post them back here for further assistance.


#2
August 29, 2011 at 08:34:43
Hi, I tried to use the tool at http://www.gmer.net/. What exactly do you do? Every time I have tried to scan, it runs for so long and then terminates itself!

#3
August 29, 2011 at 12:27:43
✔ Best Answer
nina-11,

It appears as if you are infected with a Rootkit. The file you reference is an ADS file (Alternate Data Stream), and it will stop most malware removal programs in their tracks.

Since GMER doesn't work, try the following tool; it will also give information on what is going on:

Please download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...


Save it to your Desktop

Double-click the dds file to run it

When done, DDS opens two logs:
-DDS.txt
-Attach.txt

Save both reports to your Desktop.

Since these reports are large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the DDS.txt, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link'.

Do the same uploading for the Attach.txt.

Please copy the 'Download link', for each report, and provide them in your reply.

Once the reports are available, we can determine what else needs to be done to get rid of this malware.

Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals
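As an added example (not from the thread or any of its participants), a defender-side PowerShell check for the kind of alternate data stream described above: it lists named streams on items under a directory and flags executable-looking stream names for review. It assumes Windows PowerShell 3.0 or later (for `Get-Item -Stream`), so it would not run on the XP machine in the thread as-is; the root path, the recursion switch and the extension heuristic are assumptions.

```powershell
# Added example, not code from the thread. Enumerates alternate data streams
# (ADS) under a directory. The thread's rootkit ran as a stream named
# 1965536079.exe attached to C:\WINDOWS\2957826186, so a stream whose name
# looks like an executable is the pattern worth reporting.
# Assumptions: PowerShell 3.0+; $Root defaults to the Windows directory.
param(
    [string]$Root = $env:SystemRoot,   # e.g. C:\WINDOWS
    [switch]$Recurse
)

function Get-SuspiciousStreams {
    param([string]$Path, [switch]$Recurse)

    # -Force includes hidden and system items; directories are listed too,
    # because a folder can carry a named stream just as a file can.
    $items = Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        # ':$DATA' is the ordinary file body; anything else is a named stream.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            # Heuristic (assumption): executable-looking stream names are suspicious.
            $isExe = $s.Stream -match '\.(exe|dll|sys)$'
            [pscustomobject]@{
                Host       = $item.FullName
                Stream     = $s.Stream
                Bytes      = $s.Length
                Suspicious = $isExe
                Note       = $(if ($s.Stream -eq 'Zone.Identifier') { 'browser download marker (normal)' }
                               elseif ($isExe) { 'executable-looking stream; review before acting' }
                               else { 'non-default stream' })
            }
        }
    }
}

# Report, most suspicious first. This only lists; it deletes nothing.
Get-SuspiciousStreams -Path $Root -Recurse:$Recurse |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```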



#4
August 29, 2011 at 16:56:54
Hi, thanks for your reply. Here are the two links you require: http://uploading.com/files/7f6bde93... and http://uploading.com/files/ba12acem... I hope they make more sense to you than they do to me! And once again, thank you for your help.

#5
August 29, 2011 at 21:05:49
nina-11,

Please do the following:

Step 1:

Please download DummyCreator.zip
http://download.bleepingcomputer.co...

- Right-click the zip file, and select: Extract all...
- Follow the prompts to extract
- Open the new folder that appears on the Desktop
- Double-click DummyCreator/DummyMaker to run the tool.
- Now, copy/paste the following text into the blank area:

C:\WINDOWS\2957826186

- Press the 'Create' button.
- Save the content of the 'Result.txt' to your Desktop, to post along with the report of the next tool.


Step 2:

Important: Restart the computer!


Step 3:

Please remove any previous download of TDSSKiller (if you have used it before) and download the latest version of TDSSKiller.zip:
http://support.kaspersky.com/downlo...

- Right-click and select: 'Extract all...'
- Follow the prompts to extract
- Open the new folder that appears on the Desktop
- Double-click TDSSKiller.exe to run the program
- Now click: 'Start Scan'
- When done, a list of detected objects with their description is produced.
- The tool automatically selects an action (Cure or Delete) for malicious objects.
- The tool prompts the user to select an action to apply to suspicious objects ('Skip', by default). Leave the option at 'Skip' as it is, and click 'Continue'.
- Let the tool reboot if needed, but post back if the tool needed a reboot!
- Click 'Continue'
- Click on 'Report', and a text file opens.

(A log is also produced at the root of the drive, which is typically C:\
For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt)

- Please post the TDSSKiller report in your reply.


You need to post:
- The Dummy Creator 'Result.txt'
- The 'TDSSKiller' report
- Whether a reboot was required by TDSSKiller

Thanks.


#6
August 29, 2011 at 23:54:00
Hi, here is the result from Dummy Creator: http://uploading.com/files/ec1f94e2... When I first ran TDSSKiller it found 1 malicious object, and I chose 'Skip' until I re-read your post and selected 'Cure'. Here is the link to the txt file: http://uploading.com/files/c6458dmd... It required a reboot. After the reboot I ran TDSSKiller again to get the log report (didn't realize where the report was at first) and it found another malicious object. I have done 'Skip' just now until I get your advice; here is that report: http://uploading.com/files/4m5516e8... I don't want to do anything until I have your advice (scared to press Cure when I don't know what I am doing). And just to let you know, the System process 2957826186:1965536079.exe is no longer in my Task Manager, thank you. I await your reply with thanks.

#7
August 30, 2011 at 06:06:21
You are doing well, nina-11!!

Thanks for the reports.


Please download ComboFix:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: http://www.bleepingcomputer.com/for...


XP - Double-click on ComboFix.exe to run the program.

Follow the prompts.

XP users (only) - Please install the 'Recovery Console' if presented with the option.

Click on ‘Yes‘, to continue scanning for malware.

When finished, CF produces a report.

Since this report can also be large, please go to the ‘Uploading’ website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply.

Notes:

1. Do not mouse-click the ComboFix window while it is running. This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


#8
August 30, 2011 at 09:03:03
Hi, just a couple of questions before I proceed. My NOD32 anti-virus has not started up since this happened; even after a restart it tries to, but I get an "Error communicating with kernel", and it isn't a process in my Task Manager. Does that mean it's disabled? All I have for protection is Windows Firewall and a trial version of Malwarebytes Anti-Malware Pro (which keeps blocking incoming and outgoing connections that look like IP addresses; even though it's doing that, it won't let me 'Check for Updates' or 'Start Scanner'). 'Enable Protection', 'Website Blocking', and 'Start With Windows' are all ticked. I did have the free version, but it stopped working, and when I tried to run it I got the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item". Do I have to disable Windows Firewall? And Malwarebytes? Sorry for all the questions, but I don't really know what I'm doing. Also see the attached info; I don't know if it's of any help: http://uploading.com/files/d975m58d... Should I do a restart before running the above tool? I will wait for a reply before I follow the above steps. Also, I have been reading other posts etc.; will running the above tool prevent my computer from re-connecting to the internet (just worried, as I have no other way to get back on the internet if anything goes wrong)? Once again, thank you very much.

#9
August 30, 2011 at 10:37:37
nina-11,

See if you can turn off the Microsoft Safety Scanner. It has no 'real-time, always-on component', so the only time it runs is from when you start a scan until the scan completes. Maybe you can manually shut it off.

The explanation and symptoms you are describing are characteristic of the Rootkit that got hold of your computer. It is called ZeroAccess Rootkit.

Please, do not run any other programs on your own, it may make things worse instead of better.

Follow the instructions above, run ComboFix, and upload its log. It can cripple the Rootkit, and then we can do some more work to get you back to square one.

Hang in there. I do understand the frustration caused by all this. Hope whoever got this junk on your computer does not touch it ever again.


#10
August 30, 2011 at 13:34:22
Hi, sorry to bother you again; I am just getting ready to run ComboFix. I know from your instructions above that CF disconnects your machine from the internet (and the connection is automatically restored before CF completes its run). Therefore, is it safe to have Windows Firewall and Malwarebytes disabled (so that they don't interfere with CF) before/after running and stay connected to the internet? It's just that every few minutes/seconds I keep getting Malwarebytes popping up that it has blocked a potentially malicious website IP address (58.218.199.227, for example), and Windows Firewall pops up now and then (Windows Security Alert: Do you want to keep blocking this program? Keep Blocking, Unblock, Ask Me Later). If that wasn't happening I wouldn't be so concerned; I don't want to make it worse. So basically my question is: do I stay connected to the internet while I disable all protection to run CF? Thanks once again.

#11
August 30, 2011 at 14:47:57
nina-11,

Download ComboFix to the Desktop.

Temporarily disable Malwarebytes.

Close all programs that are open on your Desktop.

Double-click ComboFix (CF), and run the program.

Try it that way, and allow CF to run.

Right after you get done with CF, enable Malwarebytes.

Once ComboFix gets rid of some of the pestering malware, you may not have all these problems.

On the following:
CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run.

If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If, by some chance, you no longer have access to your Internet connection after running ComboFix, here is some info on what to do:
http://www.bleepingcomputer.com/com...

Go to the section titled: 'Manually Restoring the Internet Connection', and follow those instructions.

Print the information, if you like, and you will then have it handy.

You will do OK.


#12
August 30, 2011 at 18:12:33
Hi, aaflac44, please help. I disabled Malwarebytes and started CF, and a message popped up: "Warning!! CF has detected the following real time scanner(s) to be active: Antivirus: ESET NOD32 Antivirus 4.0. Please disable these scanners before clicking 'OK'." My problem is that I know there were no instances of it in the Task Manager, and the last few times when my computer was booting up it tried to come on, but as I said before it would end up terminating itself saying "Error communicating with kernel"; even if I tried to start it manually, same message. It used to show up in Task Manager as egui.exe and ekrn.exe, one as a system file and the other as a user one, but it's not there anymore. How do I disable something that's not there? Please help; the CF window is still sitting open waiting for me to press OK, but I can't until I disable NOD. I had to quickly restart Malwarebytes again in the meantime. Any suggestions? Thanks again!
Just had an idea: I went to 'Start', 'Run' and 'Open', typed 'msconfig', and in the 'Startup' tab of the System Configuration Utility I have noticed a ticked 'egui' as a Startup Item (Command: "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice;
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). I have also noticed 2 other ticked items that have nothing written in the Startup Item and Command columns, just blank, but for Location one has HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and the other HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What could they be?

#13
August 30, 2011 at 19:12:26
First, boot into another OS. If you don't have another OS, just boot using VirtualBox. In that OS, search for the EXE file and delete all the occurrences. Also enable system files in the search.

<<LEOPARDBOY>>


#14
August 30, 2011 at 19:36:58
Hi, leopardboy, my knowledge of computers is limited and I have absolutely no idea what you are talking about, sorry. As you can see, aaflac44 was taking me through the problem step by step, so I would rather wait for his reply if he's still available. Thanks anyway.

#16
August 30, 2011 at 21:30:26
nina-11,

Sorry for the delay.

Uncheck the ESET NOD32 Antivirus entry you found in MSConfig, and try to run ComboFix. It may work.

If not, see if one of these methods works for you:

Option 1:
Go to Start > Control Panel > Add/Remove Programs
Find: ESET NOD32 Antivirus
Select: Uninstall
Restart the computer.

After restarting, confirm that you can see hidden files and folders by clicking:
Start > Control Panel > Folder Options > View and select: Show hidden files and folders option.

Click Start > My Computer, and then navigate to and delete the following folders:

-C:\Program Files\ESET
-C:\Documents and Settings\All Users\Application Data\ESET
-C:\Documents and Settings\%USER%\Application Data\ESET


Option 2:
Download and run the NOD32 Removal Tool:
http://www.nod32.nl/download/tool/n...
When done, restart your computer.

Try running CF after doing one of these.


#17
September 1, 2011 at 08:07:50
Any progress here?


#18
September 30, 2011 at 13:02:13
http://uploading.com/files/756m5fb7...
http://uploading.com/files/b53c54ae...

Hi, I am sending you the reports. I can't run ESET Smart Security.

"please, helpME"
THANKS,

mickel11


#19
September 30, 2011 at 18:21:43
mickel11,

There is evidence in the reports that your system is infected with a Rootkit.

Please start your own topic in this forum as soon as possible, and label it:
Rootkit, attn: aaflac44

Once you do, I will be glad to assist you with the problem.

Thanks.


#20
October 1, 2011 at 09:04:54
OK, thanks, I am going to start my own topic.

#21
October 1, 2011 at 12:44:26
mickel11,

Did you post in this forum:
http://www.computing.net/forum/secu...

If so, I do not see it...

Make sure you keep your same name.

Thanks.
