Anti-Spyware
--
Questions
--
Followers
Top Experts
Rootkits/Trojans
I have encountered a system that is infected (at a minimum) with the following.
Rootkit.agent/Gen
Trojan.Agent/Gen
Adware.Agent/Gen (Redirected DNS and IE searches)
Rootkit.Agent/Gen-UAC
Rootkit.Agent/Gen-NET
Trojan.Dropper-NET/TMP
Trojan.Agent/Gen-Cryptor
Trojan.Dropper/Win-NV
Each time I attempt to run any anti-malware utility I receive the following error message.
"Windows cannot access the specified device, path, or file. You may not have
the appropriate permissions to access the item."
Using a USB drive I was able to install the following.
Malwarebytes
Combofix
Superantispyware
HiJackThis
Spybot
The programs install but when launched (in Safe and Normal mode) the program window closes and the scans stop.
Combofix of all things begins to load and then just stops. I've logged on under different accounts with the same results.
HiJackThis runs as well but just as the log file is being generated the system closes the program.
I've tried running the programs from a command prompt and receive the same error message as listed above.
The system is running XP SP3.
This is a new one on me. Any thoughts?
David
Rootkit.agent/Gen
Trojan.Agent/Gen
Adware.Agent/Gen (Redirected DNS and IE searches)
Rootkit.Agent/Gen-UAC
Rootkit.Agent/Gen-NET
Trojan.Dropper-NET/TMP
Trojan.Agent/Gen-Cryptor
Trojan.Dropper/Win-NV
Each time I attempt to run any anti-malware utility I receive the following error message.
"Windows cannot access the specified device, path, or file. You may not have
the appropriate permissions to access the item."
Using a USB drive I was able to install the following.
Malwarebytes
Combofix
Superantispyware
HiJackThis
Spybot
The programs install but when launched (in Safe and Normal mode) the program window closes and the scans stop.
Combofix of all things begins to load and then just stops. I've logged on under different accounts with the same results.
HiJackThis runs as well but just as the log file is being generated the system closes the program.
I've tried running the programs from a command prompt and receive the same error message as listed above.
The system is running XP SP3.
This is a new one on me. Any thoughts?
David
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
Have you tried the Sophos Anti-Rootkit tool? - http://www.sophos.com/prod
Can you run MSCONFIG? - start, run, msconfig.
If you can - go to the services tab - click on the hide all microsoft services and disable all others. Β Click on the startup tab and disable all.
Reboot and scan with your available tools.
Can you run MSCONFIG? - start, run, msconfig.
If you can - go to the services tab - click on the hide all microsoft services and disable all others. Β Click on the startup tab and disable all.
Reboot and scan with your available tools.
Rename ComboFix to CF123.exe or some other name and try to run it again. I also recommend stopping all non MS services and all Startup Items using msconfig in safe mode -- if possible. You can also rename MBAM.exe and try to run it using an alias.
I renamed all malware suites prior to installation. (Should have mentioned that.)
I ran Sophos and it detected several entries. Unfortunately the entries that it detected as "Unknown" were items such as Real Player, HiJackThis, etc.
I ran Sophos and it detected several entries. Unfortunately the entries that it detected as "Unknown" were items such as Real Player, HiJackThis, etc.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Well I never liked Real Player either!!!!
Are you any better off - or have you still got problems?
Are you any better off - or have you still got problems?
rpg should be along shortly. We'll see what words of wisdom she has.
Hi David,
There are some really nasty rootkits going around right now (along with a comeback of Virut). Take a look at the following article on MalwareBytes' website. It describes using RootRepeal and I have had some success with the method. Some I have not and have used Avira ARK to find the driver that's hiding. Until you get that you will get nowhere. Had one where Avira finally found it (I had tried GMER, RootRepeal, Sophos ARK, ect...), but the only way to remove was some pretty complicated work with AVZ (which I had some help from behind the scenes with). Nasty stuff indeed.....even Avenger would not get the driver once I found it. First time I've seen that.
http://www.malwarebytes.org/forums/index.php?showtopic=12709&st=0&p=64899&#entry64899
Hope that helps,
Dave
There are some really nasty rootkits going around right now (along with a comeback of Virut). Take a look at the following article on MalwareBytes' website. It describes using RootRepeal and I have had some success with the method. Some I have not and have used Avira ARK to find the driver that's hiding. Until you get that you will get nowhere. Had one where Avira finally found it (I had tried GMER, RootRepeal, Sophos ARK, ect...), but the only way to remove was some pretty complicated work with AVZ (which I had some help from behind the scenes with). Nasty stuff indeed.....even Avenger would not get the driver once I found it. First time I've seen that.
http://www.malwarebytes.org/forums/index.php?showtopic=12709&st=0&p=64899&#entry64899
Hope that helps,
Dave
Get a FREE t-shirt when you ask your first question.
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
<<<"I renamed all malware suites prior to installation. (Should have mentioned that.)">>>
Β
You need to rename the tools BEFORE saving to your desktop, before in contact with the infected pc.
Redownload and rename MalwareBytes, Combofix before saving the file and see if they run.
Β
You need to rename the tools BEFORE saving to your desktop, before in contact with the infected pc.
Redownload and rename MalwareBytes, Combofix before saving the file and see if they run.
Yes, RootRepeal does a good job when other tools like MBAM and Combofix won't run even after being renamed before saving.
If RootRepeal also won't run, which could mean some rogue programs are also there and blocking it, just rename it to "winlogon.exe or svchost.exe"
If RootRepeal also won't run, which could mean some rogue programs are also there and blocking it, just rename it to "winlogon.exe or svchost.exe"
I have run into situations where I had to rename mbam-setup.exe before installation and then had to rename mbam.exe after installation to get Malwarebytes to run. Β I don't know if it was necessary, but the advice I saw said to copy mbam.exe and rename the copy.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Malwarebytes, Combofix, HJT and Spybot were all renamed prior to download and the results were the same. The browser is all hijacked. I was able to get to Kaspersky and am attempting an on line scan at this time. 8:20AM PST
Don't think Kaspersky will help you too much here at this point David.
There is a new TDSS variant going around right now that is absolutely nasty. Won't let you run any fix tools. Would help to get a rootkit scan to confirm it. You will see the following entries if present.
Module Name: \systemroot\win32k.sys:1
Sysprot ARK or GMER should both run and show it.
http://sites.google.com/site/sysprotantirootkit/
http://www.gmer.net/
sUBs (cf develper) has built a tool that reportedly fixes this (at least so you can run tools). I don't want to post it unless it's confirmed. So if you run the tools and post the logs I will review.
There is a new TDSS variant going around right now that is absolutely nasty. Won't let you run any fix tools. Would help to get a rootkit scan to confirm it. You will see the following entries if present.
Module Name: \systemroot\win32k.sys:1
Sysprot ARK or GMER should both run and show it.
http://sites.google.com/site/sysprotantirootkit/
http://www.gmer.net/
sUBs (cf develper) has built a tool that reportedly fixes this (at least so you can run tools). I don't want to post it unless it's confirmed. So if you run the tools and post the logs I will review.
@IndiGenus -- good to see you around again. Thought you had abandoned us.
Get a FREE t-shirt when you ask your first question.
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
No willcomp, life has just been crazy for me. As I've been getting back into the forums I keep running into these new rootkit infections and they just totally consume time trying to research and keep up behind the scenes with the fixes. They just keep getting worse. I'm interested to see if this is one of them. I had one at G2G but the user just ended up BSOD'ing and reformated. I'm watching several other threads right now and have not seen one fixed yet, although I've heard that there has been some success.....we shall see.
It looks as if whatever this piece of malware is, it stops the programs from running. For example I loaded the SysProt AntiRootkit. After installation the program launches (like all others) and as it starts a scan I receive the following:
Failed to start service. SysProt AntiRookkit needs to be run with Admin privileges!
(I am Admin on this system).
All suites tried so far do not run in Safe Mode (same error message).
I'm inclined to nuke the system. But as usual I am very curious as to what this is and how to "fix" it.
Failed to start service. SysProt AntiRookkit needs to be run with Admin privileges!
(I am Admin on this system).
All suites tried so far do not run in Safe Mode (same error message).
I'm inclined to nuke the system. But as usual I am very curious as to what this is and how to "fix" it.
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
That's not showing it, but it may not. Did you take a look at the link I gave? Can you run that script that Katana had that user run to check the scecli.dll file? Notice there it gives no MD5 on the file.
Okay this thing is a pain. I ran the mentioned script. After that I was able to launch Malwarebytes, ComboFix and HJT and remove detected entries. Β
Log files are attached minus HJT as it was clean.
Everything seemed fine until I attempted to download (as a test) and run Superantispyware and Kaspersky. (I changed the names prior to download.)
Downloads went fine, and once I attempted to run the programs I got the same error message again concerning permissions.
So in short, same error message when I attempt to run anything other than Malwarebytes. IE has been restored and is no longer hijacked.
Β
Log files are attached minus HJT as it was clean.
Everything seemed fine until I attempted to download (as a test) and run Superantispyware and Kaspersky. (I changed the names prior to download.)
Downloads went fine, and once I attempted to run the programs I got the same error message again concerning permissions.
So in short, same error message when I attempt to run anything other than Malwarebytes. IE has been restored and is no longer hijacked.
Β
Log files.
Get a FREE t-shirt when you ask your first question.
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
Huh David?
That's better. How's it running? What got you to the point of being able to run tools? Replacing the file?
Also, on MBAM. "no action taken" indicates you didn't have MBAM fix those items. You should go back and do that.
Also, on MBAM. "no action taken" indicates you didn't have MBAM fix those items. You should go back and do that.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Still some work to do with cf....
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
--------------------------
File::
c:\windows\system32\5.tmp
Driver::
MEMSWEEP2
Registry::
[-HKEY_LOCAL_MACHINE\Syste
--------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
--------------------------
File::
c:\windows\system32\5.tmp
Driver::
MEMSWEEP2
Registry::
[-HKEY_LOCAL_MACHINE\Syste
--------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
I ran malwarebytes again (twice, once in Safe Mode and Normal mode) and removed all items. I guess I missed it the first time due to work.
I've attached the new ComboFix log.
Combo-log.txt
I've attached the new ComboFix log.
Combo-log.txt
Looks better, how's it running? Be good to know also what step you think actually fixed it. Did you use Avenger as was done in the thread I referenced to replace the file?
Get a FREE t-shirt when you ask your first question.
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
Yes, I used Avenger and the script that you mentioned. That is what allowed me to run Malwarebytes. However, I'm still getting the initial permission notification when I run SuperantiSpyware.
"Windows cannot access the specified device, path, or file. You may not have
the appropriate permissions to access the item."
I can run Combofix, Malwarebtyes, etc. Right now this is the only program that I'm testing that won't run. Earlier the on line scan from Trend Micro failed to load as well. At this time however it is running. So the only odd thing left is the failure of Superantispyware to load without erroring out. At this point though I'm willing to consider this a victory. That script worked out really well. I'll have to remember that.
"Windows cannot access the specified device, path, or file. You may not have
the appropriate permissions to access the item."
I can run Combofix, Malwarebtyes, etc. Right now this is the only program that I'm testing that won't run. Earlier the on line scan from Trend Micro failed to load as well. At this time however it is running. So the only odd thing left is the failure of Superantispyware to load without erroring out. At this point though I'm willing to consider this a victory. That script worked out really well. I'll have to remember that.
>""That script worked out really well. I'll have to remember that.""<
It's a new one. I would imagine that not too far in the future sUBs will have that incorporated into combofix somehow. Glad it worked here.
It's a new one. I would imagine that not too far in the future sUBs will have that incorporated into combofix somehow. Glad it worked here.
I'm going to go ahead and close this Indi. Thanks for all of your help and quick replies.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Great, glad it worked out and thank you for the grade/points.
Dave
Dave
Anti-Spyware
--
Questions
--
Followers
Top Experts
Spyware is software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge; it has also come to include programs that engage in various kinds of electronic fraud. Anti-spyware is software that removes or blocks that software; some common vendors include Malwarebytes, McAfee, Spybot-Search and Destroy, Ad-Aware and BitDefender.