
Unable to run any removal tool


  • This topic is locked
12 replies to this topic

#1 Techguy27

  • Members
  • 54 posts

Posted 26 August 2009 - 03:15 PM

Hi. I have a pc that is infected with Spyware/Rootkit that I have not been able to find a solution for removing.

I have attempted to run Combofix, SDfix, Malwarebytes, RootRepeal, Hijackthis, AVG, and Autoruns.

When I try to run the .exe, the program will launch for a few seconds and then crash. When I try to reopen the program I get: “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.” The hassle with this is that after trying to run SDfix cmd and explorer start getting the same error. I had to go in and add the SYSTEM and Admin group back to the security tab.

What I have found is that the scecli.dll file is most likely infected here. I proceeded with running Avenger with the following script:
Files to move:
C:\WINDOWS\system32\scecli.dll | C:\WINDOWS\system32\scecli.dll.vir
C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll

This did not help me get any of the removal tools to run so I added:
Programs to launch on reboot:
C:\Documents and Settings\"user name"\Desktop\tools\Combo-Fix.exe

This was able to get combofix to run for the first time, but it stops at Stage 48 with Access Denied.

My problem highly resembles this post: Forum Link
However, the OP does not say how he finally got combofix to run.

Any help would be appreciated. I’m not new to malware removal, but this is really kicking my butt.

I did not mention in my original post that I have also done the following:

I have tried to run GMER, RSIT, Win32kdiag, and Peek.bat. All have failed before completing the scan except win32kdiag. I have attached the resulting file to this post.

Thank you for taking the time to look over the file.

Attached File  win32kdiag.txt   13.28KB   17 downloads

Merged posts. ~ OB

Edited by Orange Blossom, 26 August 2009 - 11:29 PM.



#2 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 27 August 2009 - 07:39 AM

Hi,

Please use the following script in the Avenger:

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


Then run Combofix after reboot (Normal run)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Techguy27 (Topic Starter)

  • Members
  • 54 posts

Posted 27 August 2009 - 09:32 AM

I added the above script to avenger in safe mode. Rebooted. The script ran, but explorer did not load....From there I opened a command prompt and ran combo-fix.exe

Combofix loaded the green bar and closed.

#4 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 27 August 2009 - 09:46 AM

Hi,

Can you post the log from the Avenger please?
Because this doesn't make sense.

Also, please do this from normal mode.

#5 Techguy27 (Topic Starter)

  • Members
  • 54 posts

Posted 27 August 2009 - 10:44 AM

I apologize for the delay in response. I had a client with a network down situation. At least that problem is solved. :thumbup2:

My undivided attention is back to resolving this issue. The first Avenger log (the one I tried when you suggested it) came up with a successful File Move operation. However, the second time I tried (sparked by your comment that it did not make sense), the file logevent.dll was not found. Which makes sense because I moved it with Avenger....

Moving forward from the fact that you said it didn't make sense, I decided to recopy combo-fix.exe from the cd I made and renamed it cf3.exe I ran combofix under the new name and it is currently in the process of file deletion.

/cheers I've made progress. :)

#6 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 27 August 2009 - 11:02 AM

Good to hear :thumbup2:

AFTER you've done this, assuming you have the latest version of win32kdiag and it's on your desktop (link here for latest win32kdiag: http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe )


Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

This will also restore permissions on the files again, because the infection you were dealing with has set "block" permissions on a lot of files. That also explains why you couldn't run Combofix afterwards, not until you replaced it again. :)
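The condition described in this thread (removal tools that launch and die, "Windows cannot access the specified device, path, or file", SYSTEM and Administrators stripped from the security tab) comes from explicit Deny entries written onto individual files. The script below is an added example, not code from this thread nor from the Win32kDiag or ComboFix authors: it audits a directory for such non-inherited Deny ACEs on executables and libraries, reports them together with the file owner, and with `-Repair` removes the entries that block the accounts listed in `$Protected`. The default `$Path`, the account list and the script name are the example's own assumptions; it expects an elevated PowerShell 3.0 or later prompt.

```powershell
<#
  Added example (not from the thread). Finds explicit, non-inherited Deny
  ACEs on .exe/.dll files under $Path, the pattern behind "Windows cannot
  access the specified device, path, or file" when SYSTEM or Administrators
  have been blocked. -Repair removes those entries for accounts in $Protected.
  Assumptions: elevated PowerShell 3.0+; default $Path and $Protected are
  the example's choices and can be adjusted.
#>
param(
    [string]$Path = "$env:SystemRoot\System32",
    [switch]$Repair
)

# Accounts that should never carry an explicit Deny on system binaries.
$Protected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-ExplicitDeny {
    param([System.Security.AccessControl.FileSecurity]$Acl)
    # Inherited entries come from the parent folder; a Deny set directly
    # on the file is what a tamper-protecting infection leaves behind.
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    }
}

$findings = New-Object System.Collections.Generic.List[object]

Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $file = $_.FullName
        # A file we cannot even read the ACL of is itself worth noting.
        try { $acl = Get-Acl -LiteralPath $file } catch {
            Write-Warning "Cannot read ACL of $file : $_"; return
        }
        $deny = @(Get-ExplicitDeny -Acl $acl)
        if ($deny.Count -eq 0) { return }

        foreach ($ace in $deny) {
            $findings.Add([pscustomobject]@{
                File     = $file
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Owner    = $acl.Owner
            })
        }

        if ($Repair) {
            $changed = $false
            foreach ($ace in $deny) {
                if ($Protected -contains $ace.IdentityReference.Value) {
                    [void]$acl.RemoveAccessRule($ace)
                    $changed = $true
                }
            }
            # Set-Acl fails when the owner was changed as well; take
            # ownership first (e.g. takeown /F <file>) and rerun.
            if ($changed) {
                try { Set-Acl -LiteralPath $file -AclObject $acl }
                catch { Write-Warning "Could not repair $file : $_" }
            }
        }
    }

if ($findings.Count -eq 0) {
    Write-Host "No explicit Deny entries found under $Path."
} else {
    $findings | Format-Table -AutoSize
    $fileCount = ($findings.File | Sort-Object -Unique).Count
    Write-Host ("{0} Deny entries on {1} files." -f $findings.Count, $fileCount)
}
```

Run it once without `-Repair` to get the inventory (saved as `Find-DenyAce.ps1`: `.\Find-DenyAce.ps1 -Path C:\Windows\System32`), and only then with `-Repair`. The Owner column matters: when the owner is no longer Administrators or TrustedInstaller, the ACL write will be refused and ownership has to be taken back first, which is the same two-step that Win32kDiag's `-f -r` run performs for you in this thread.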

#7 Techguy27 (Topic Starter)

  • Members
  • 54 posts

Posted 27 August 2009 - 11:25 AM

Hi. I have attached the combofix and windiag32k logs.

One thing to note, and I'm sure you'll see it in the win32k log. After combofix rebooted the pc, it came up with:
FINDSTR: cannot open c:\windows\system32\CF984.exe

Attached File  combofix.txt   50.35KB   4 downloads
Attached File  Win32kDiag.txt   21.01KB   5 downloads

Oh... I also do not have a start bar so Start->Run isn't an option just yet. And I.E. will not load at the moment either, but I have other stations to hit the forum with, so not as much of an issue.

Edited by Techguy27, 27 August 2009 - 11:27 AM.


#8 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 27 August 2009 - 12:04 PM

Hi,

This looks like a pretty damaged computer.

Please delete the Combofix you've used and redownload it again. Please also read for proper instructions how to use:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please allow it to install the Recovery Console.

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#9 Techguy27 (Topic Starter)

  • Members
  • 54 posts

Posted 27 August 2009 - 12:42 PM

Don't I feel silly. In the time I've used combofix I never installed the RC because I have the install media. Never took note of the warning that states combofix will not attempt the fixing of serious issues without it. :thumbup2:

Attached File  ComboFix.txt   49.75KB   3 downloads

#10 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 27 August 2009 - 12:47 PM

Hi,

Please navigate to and delete the following files:

c:\windows\SYSTEM32\dafirulo.exe
c:\windows\SYSTEM32\kejepuha.dll

The strange part is, I'm missing the PC info on top in the log. What OS you have, what Service Pack etc. etc., because it looks like your Windows got corrupted in the meantime, so a Windows repair install should solve this - or in case you don't have Service Pack 3 yet, it may already solve a lot as well.
A Windows repair install won't remove important data, but I suggest you backup anyway.

http://michaelstevenstech.com/XPrepairinstall.htm

#11 Techguy27 (Topic Starter)

  • Members
  • 54 posts

Posted 27 August 2009 - 12:59 PM

XP Home SP3

Repair install sounds good. I had planned on needing to do one at this point, but was waiting to see what you wanted done.

Shall I start the repair then?

#12 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 27 August 2009 - 01:01 PM

Hi,

Yes, the repair install may be best now - because it looks like the malware already damaged too much here. In either way, backup your important data first :thumbup2:

Also, for afterwards, please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 05 September 2009 - 05:46 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
