Solved Have virus but can't run antivirus programs

October 4, 2011 at 17:10:02
Specs: Windows XP
I must have gotten a virus or trojan or something. The first thing I noticed was searches from Google, then Yahoo being redirected. Then I noticed that McAfee was deleted. I tried to run Malwarebytes and it crapped out after a few seconds. I tried Kaspersky, AVG, Avast, TDSSKiller, Spybot, SuperAntiSpyware, etc. and all died on the vine. After they run once, I have to reinstall them to try it again (clicking on them says that Windows cannot access the specified device, ... appropriate permissions).




#1
October 4, 2011 at 18:17:27
Freebird_wr,

In order to take a better look at what is going on with your system, and find what may be causing the malware issue you are having, please follow the instructions below.
Will be glad to assist you after the information is provided.


Please download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...

Save to the Desktop.

Double-click DDS to run it.

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Is minimized - will show on the TaskBar)

Save both reports to your Desktop.

Since these reports can be quite large, please go to the ‘Uploading’ website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the DDS.txt report, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply.

Do the same with the Attach.txt.

Thanks.


~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
October 4, 2011 at 19:05:10
http://uploading.com/files/eee18123...
http://uploading.com/files/eb5b1654...

I had to run DDS in Safe Mode since it also crapped out in normal mode. Not sure if it is going to give you everything you need.

Yesterday, I had a process running called 1751371140:2066914455.exe. There was no way to stop that process either. I deleted a few telltale files (c_xxxxx.nls). Now, I get an error when it tries to run at bootup.



#3
October 4, 2011 at 19:44:29
Freebird_wr,

The information provided shows the characteristics of the ZeroAccess Rootkit.


First, let's take care of this file:
C:\WINDOWS\1751371140:2066914455.exe

It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip
http://download.bleepingcomputer.co...

Unzip the folder:
Right-click and select: Extract all…
Follow the prompts to extract

Open the new folder that appears on the Desktop:
XP: Double-click DummyCreator (aka: DummyMaker) to run the tool.

Now, copy/paste the following into the blank area:

C:\WINDOWS\1751371140

Press the Create button.

Save the content of the Result.txt to your Desktop, and post it in your reply.

(It is a short report.)

Next, restart the computer!


Please do not run any malware removal programs while we are in the process of making malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

BTW, what error do you get at boot-up?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#4
October 4, 2011 at 19:47:10
Try running Malwarebytes in Safe Mode if you haven't already. Many times the malware hasn't started in Safe Mode. Since DDS would run in Safe Mode, maybe Malwarebytes will also. Hopefully it will take care of your problems and you won't have to proceed any further.

When in Safe Mode, try looking for and deleting the file C:\WINDOWS\1751371140:2066914455.exe. If you find it and can't delete it, then try renaming it by right-clicking and selecting "Rename" (left-clicking incorrectly can execute the program). Rename it to something like "deleteme.txt", but make sure to use a .txt extension so it can't be executed any longer.
It's possible that this file is hidden, so you may have to show hidden files by opening a Windows Explorer window (click on My Computer), selecting Tools/Folder Options, clicking on the "View" tab, and under "Hidden files and folders" selecting "Show hidden files and folders"; also uncheck "Hide extensions for known file types". If you uncheck "Hide protected operating system files", make sure to check it again when you are done so you don't accidentally delete a file you see which could be important.

If you aren't able to run Malwarebytes, but are able to rename this file then restart the computer back into safe mode and try run Malwarebytes again. It's possible you may have to reinstall it if the installation got corrupted by the malware.

If you still can't run Malwarebytes at this point, you may have to look for malicious software elsewhere.

Malicious software often hides in
C:\Documents and Settings\your-login-name\Local Settings\Temp
C:\Documents and Settings\your-login-name\Local Settings\Application Data
C:\Documents and Settings\your-login-name\Application Data
Look for a .exe in the Application Data directory itself. You don't need to look in all the subdirectories, which are created by the software you've installed.
Usually most of the files in the Temp directory can be deleted. There will be some which you can't delete because they are being used by the operating system. There should not be any .exe files being used in here. If there are, they could be malware. Try renaming them if you can't delete them.


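The folder check in the post above can be made repeatable. The script that follows is an added example, not part of this thread or of any tool it names: it lists .exe files in the three profile locations the post mentions, recursively under Temp and only at the top level of the two Application Data folders. It builds a throw-away profile tree with made-up file names so it runs anywhere; point `find_suspect_executables` at a real profile root (C:\Documents and Settings\<user>) to use it for triage. It only reports and never deletes or renames anything.

```python
"""List executables in the profile locations the thread names as common drop points.

Added example, not part of the original thread. The sample profile tree is
constructed so the script runs offline; nothing here modifies the files it finds.
"""
import os
import tempfile

# Paths relative to the profile root. Temp is searched recursively; the two
# Application Data folders only at their top level, as the post advises
# (subfolders there belong to installed software).
RECURSIVE = [os.path.join("Local Settings", "Temp")]
TOP_LEVEL_ONLY = [
    os.path.join("Local Settings", "Application Data"),
    "Application Data",
]


def _is_exe(name):
    # Case-insensitive: XP treats SETUP.EXE and setup.exe the same.
    return name.lower().endswith(".exe")


def find_suspect_executables(profile):
    """Return profile-relative paths of .exe files in the watched locations, sorted."""
    found = []
    for rel in RECURSIVE:
        root = os.path.join(profile, rel)
        for dirpath, _dirs, files in os.walk(root):   # yields nothing if root is missing
            for f in files:
                if _is_exe(f):
                    found.append(os.path.relpath(os.path.join(dirpath, f), profile))
    for rel in TOP_LEVEL_ONLY:
        root = os.path.join(profile, rel)
        if os.path.isdir(root):
            for f in os.listdir(root):
                if _is_exe(f) and os.path.isfile(os.path.join(root, f)):
                    found.append(os.path.join(rel, f))
    return sorted(found)


def build_sample_profile():
    """Constructed profile tree (hypothetical names): two planted .exe files that
    should be reported and one in a vendor subfolder that should be skipped."""
    profile = tempfile.mkdtemp(prefix="xp-profile-")
    layout = {
        os.path.join("Local Settings", "Temp", "tmp1a2b", "setup.exe"): b"MZ",
        os.path.join("Local Settings", "Temp", "~df1234.tmp"): b"",
        os.path.join("Application Data", "dropped.exe"): b"MZ",
        os.path.join("Application Data", "SomeVendor", "updater.exe"): b"MZ",
        os.path.join("Local Settings", "Application Data", "readme.txt"): b"",
    }
    for rel, content in layout.items():
        path = os.path.join(profile, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return profile


if __name__ == "__main__":
    for hit in find_suspect_executables(build_sample_profile()):
        print(hit)
```

Running it prints the two planted executables and omits the vendor subfolder file, which is the distinction the post draws between software you installed and something that does not belong.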

#5
October 5, 2011 at 04:40:20
DummyCreator by Farbar
Ran by Scott xxxxx(administrator) on 05-10-2011 at 07:02:36
**************************************************************

C:\WINDOWS\1751371140 [05-10-2011 07:02:36]

== End of log ==

I think I took care of this file (no error on startup). There is a file in my temp directory that is unnamed but can't be deleted or renamed. It is the only one in the temp directory that I could not delete.

I have run Malwarebytes (and others) in Safe Mode with the same results.



#6
October 5, 2011 at 06:20:24
Freebird_wr,

That is the result we want. However, there is no need for you to attempt file removals. The program you are about to run will take care of them.

Let's press on...

Please do the following, running ComboFix first and TDSSKiller next. If ComboFix does not run, press on to run TDSSKiller:


If you have ComboFix (CF) already on your Desktop, please remove it. Download an updated version:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!<--

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...


Double-click on 'ComboFix.exe' to run the program.

For XP, if given the option to install the Recovery Console, please do so!

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it to Megaupload:
http://www.megaupload.com/

Click: Browse
Select a file to upload
Upload ComboFix
To the right of 'Send', enter a file description: ComboFix
Click 'Send'
Copy the link provided, and post it in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Now, please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...


Execute the file:
XP: Double-click tdsskiller.exe to run the program
Windows 7: Right-click and select: Run as Administrator

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection. Please reboot.

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply, by uploading it also.

Need to see the following uploads in your reply:
**The 'ComboFix log'
**The 'TDSSKiller' log

Also need to know whether TDSSKiller needed a reboot!

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#7
October 5, 2011 at 19:31:09
http://www.megaupload.com/?d=QSZNSTDN (ComboFix)
http://www.megaupload.com/?d=OY6XR35E (TDSSKiller)

Reboot required.

Tried to click on TDSSKiller again (since TDSSKiller icon was deleted) and it again said that "Windows cannot access the specified device...You may not have appropriate permissions..."



#8
October 5, 2011 at 20:15:55
Thanks for uploading the reports.

Let's scan the system with a special tool and see if the ZeroAccess RootKit blocked and locked any programs or system files by altering their permissions.

Please download Junction.zip:
http://download.sysinternals.com/Fi...

Save it, and >unzip< it:
Right-click the file and select: Extract all...
Follow the prompts.

Next, place the junction.exe file in the Windows directory (C:\Windows)!!
(No need to run the file.)

Go to Start > Run (Windows key > 'R'), and copy/paste the following command in the Open box and click OK:
cmd /c junction -s >log.txt&log.txt

A command window opens and scans the system.

Next, a log file opens in Notepad.

Please copy the contents of the log.txt produced, and post it in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#9
October 6, 2011 at 03:42:27

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

...
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Desktop\TDSSKiller.exe: Access is denied.
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Desktop\HIJACK\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.
...
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.
...
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\My Documents\HJT\HijackThis.exe: Access is denied.
...
No reparse points found.


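The next step in the thread takes every "Access is denied" path from this Junction log and hands it to GrantPerms. The script below is an added example, not part of the thread or of Sysinternals Junction: it pulls those paths out of a Junction log and separates the locked security tools from other locked files. The sample log is constructed from the lines shown above (the poster's placeholder user name 'Scott xxxxx' is kept), and the regular expression assumes Junction's exact "Failed to open ...: Access is denied." wording seen in that output.

```python
"""Extract the 'Access is denied' paths from a Sysinternals Junction log.

Added example, not part of the original thread or of Junction. The sample
log is constructed from the output the poster showed; the progress dots
Junction prints while walking the tree are simply skipped.
"""
import re

# Junction reports a file it could not open with this phrasing (assumed from the log above).
# The path is printed with the \\?\ long-path prefix, which is stripped here.
DENIED_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): Access is denied\.$")

# Constructed sample echoing the thread's log.
SAMPLE_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

...
...
..
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Desktop\TDSSKiller.exe: Access is denied.

Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Desktop\HIJACK\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.
...
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.

Failed to open \\?\C:\Documents and Settings\Scott xxxxx\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.
..
Failed to open \\?\C:\Documents and Settings\Scott xxxxx\My Documents\HJT\HijackThis.exe: Access is denied.
..No reparse points found.
"""

# Names of the removal tools mentioned in the thread; a rootkit that alters
# permissions typically targets exactly these.
TOOL_HINTS = ("tdsskiller", "hijackthis", "combofix", "malwarebytes", "mbam")


def denied_paths(log_text):
    """Return the plain Windows paths Junction could not open, in log order, without duplicates."""
    seen = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m and m.group("path") not in seen:
            seen.append(m.group("path"))
    return seen


def classify(paths):
    """Split locked paths into (security tools, other files) so the two can be reviewed separately."""
    tools = [p for p in paths if any(h in p.lower() for h in TOOL_HINTS)]
    others = [p for p in paths if p not in tools]
    return tools, others


if __name__ == "__main__":
    locked = denied_paths(SAMPLE_LOG)
    tools, others = classify(locked)
    print("Locked security tools:")
    print("\n".join(tools))
    print("\nOther locked files:")
    print("\n".join(others))
```

The first list is what you would paste into GrantPerms; the second (here the CardSpace database files) deserves a look before unlocking, since a locked data file is not automatically malware-related.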

#10
October 6, 2011 at 12:39:29
Freebird_wr,


Please download GrantPerms.zip:
http://download.bleepingcomputer.co...
Save it to your Desktop.
Unzip the file:
-Right-click and select: Extract all...
Follow the prompts.

Depending on the system, run GrantPerms.exe or GrantPerms64.exe (64-bit).

Copy and paste the following text to the blank area:

C:\Documents and Settings\Scott xxxxx\Desktop\TDSSKiller.exe
C:\Documents and Settings\Scott xxxxx\Desktop\HIJACK\Trend Micro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\Scott xxxxx\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db
C:\Documents and Settings\Scott xxxxx\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow
C:\Documents and Settings\Scott xxxxx\My Documents\HJT\HijackThis.exe


Click: Unlock

When done, click: "OK"

Click ‘List Permissions’ and post the result Perms.txt in your reply.
(A copy of 'Perms.txt' is saved in the same directory where the tool is run.)


~~~~
Now, assuming that ComboFix and TDSSKiller are saved to the Desktop...

Start the computer in: Safe Mode with Command Prompt
(Restart the PC and tap F8 until the 'Options Menu' shows
Select: Safe Mode with Command Prompt)


At the prompt, copy/paste each of the following commands in the box below, one at a time, pressing 'Enter' after each:


cd "%userprofile%\desktop"

cacls combofix.exe /e /g everyone:f

addie.com


If it runs, stay in Safe Mode with Command Prompt, and do the same thing for TDSSKiller:


cd "%userprofile%\desktop"

cacls tdsskiller.exe /e /g everyone:f

tdsskiller.exe


Now, try running ComboFix per previous instructions.
If it does not run, is it giving an error message or any indication of why it does not run?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#12
October 6, 2011 at 17:43:53
Freebird_wr,

How is it going?

On your original post you mentioned having problems such as:
1. Searches from Google, then Yahoo being redirected.
2. McAfee deleted
3. Malwarebytes, Kaspersky, AVG, Avast, TDSSKiller, Spybot, SuperAntiSpyware, etc., all died on the vine.
4. Clicking on (programs) results in: ' Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.'

Are any of these problems still present?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#13
October 6, 2011 at 19:42:21
Search engine redirects are gone. I did not reinstall McAfee because I really didn't like it in the first place. I installed AVG free until I can find a better antivirus program. All of the antivirus programs run, which was the most important thing. Thanks.

The only problem I had was that Firefox would not run. I could click it all day long and it would never show up in Windows Task Manager processes. I finally reinstalled it and it worked. However, it took ages to load. Other programs take much longer to load also.



#14
October 6, 2011 at 20:32:45
✔ Best Answer
Freebird,

Let's search for any remnants by doing the scan that follows.

You will need to use Internet Explorer for this scan, since the scanner is implemented as an ActiveX control.

However, compatibility with other browsers (Firefox, Opera, Netscape, etc.) was added if you agree to the installation of the ESET Smart Installer, an application which will install and launch ESET Online Scanner in a new browser window.

Please download the ESET Online Scanner:
http://www.eset.com/us/online-scanner

- Press the 'ESET Online Scanner' download button
- In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
- Allow the ActiveX to download, and click: Install
http://www.eset.com/us/online-scann...
- Click: Start
- Make sure that the option 'Remove found threats' is >unticked/unchecked<.
- Click: Scan, and wait for the scan to finish
- If any threats are found, click the 'List of found threats', then click 'Export to text file...'
- Save the file to your Desktop as: 'ESET Scan'.

Please provide the contents of 'ESET Scan' in your reply.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals

