
Access Denied, Can't even turn off computer


  • This topic is locked
2 replies to this topic

#1 Erinctherinc

  • Members
  • 1 posts

Posted 05 June 2016 - 02:24 PM

I've recently scanned my computer with GMER. In the middle of the scan, an "Access Denied" alert popped up. I couldn't delete files, couldn't close GMER, and couldn't even turn off the computer (I held the off button for a long time, and that didn't work either). Finally, I switched off the Wi-Fi and unplugged the charging cable, and waited for the laptop to run out of energy.

Today, I scanned again in safe mode. It said access denied again, but it only affected GMER. I also tried scanning with MBAR, Dr.Web CureIt!, Norton Antivirus and Norton Bootable Recovery (from a USB stick). They didn't find anything.

I don't know what infected my computer. I suspect that it is a rootkit because sometimes my computer uses more RAM than is shown in the Task Manager.

Thank you in advance for your help.

Farbar scans ---> Attached files: FRST.txt (35.2 KB), Addition.txt (31.42 KB)

RogueKiller scan ---> Attached file: rogue killer.txt (3.16 KB) (just found 2 PUPs)

HijackThis scan ---> Attached file: hijackthis.log (11.59 KB) (couldn't scan Hosts file)

GMER log ---> Attached file: GMER_results.txt (46.27 KB)





#2 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender: Male
  • Location: BC, Canada

Posted 09 June 2016 - 01:58 AM

Hi Erinctherinc,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    Save ALL Tools to your Desktop

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.

    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.

    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Let's get started....

GMER has not been updated for Win10. Please do not run it on this system as it will hang.


Open Notepad by pressing the Windows key + R, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy. Paste this into the open Notepad. Save it to your desktop as fixlist.txt.


Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\SysWOW64\userinit.exe,
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.com.tr/search/?text={searchTerms}&clid=2233630
SearchScopes: HKU\.DEFAULT -> {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.com.tr/search/?text={searchTerms}&clid=2233630
SearchScopes: HKU\S-1-5-21-2923017251-4010059973-1054017501-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://yandex.com.tr/search/?win=206&clid=1989274-001&text={searchTerms}
SearchScopes: HKU\S-1-5-21-2923017251-4010059973-1054017501-1001 -> 0D012E1E6A2C0A675CB6F3CF2C91279C URL = hxxp://video.yandex.com.tr/#search?win=206&clid=1989274-001&text={searchTerms}
SearchScopes: HKU\S-1-5-21-2923017251-4010059973-1054017501-1001 -> 979A393E561E83E54CDF5097B9D3AD0F URL = hxxp://haber.yandex.com.tr/search/?rpt=nnews2&grhow=clutop&win=206&clid=1989274-001&text={searchTerms}
SearchScopes: HKU\S-1-5-21-2923017251-4010059973-1054017501-1001 -> F725B15642DC0BE42A6A1D762F5E8484 URL = hxxp://gorsel.yandex.com.tr/search/?win=206&clid=1989274-001&text={searchTerms}
SearchScopes: HKU\S-1-5-21-2923017251-4010059973-1054017501-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://yandex.com.tr/search/?win=206&clid=1989274-001&text={searchTerms}
SearchScopes: HKU\S-1-5-21-2923017251-4010059973-1054017501-1001 -> {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = hxxp://pandasecurity.mystart.com/results.php?pr=vmn&gen=ms&id=pandasecuritytb&v=4_3&idate=2016-03-24&ent=ch_675&q={searchTerms}
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll => No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll => No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
CHR DefaultSearchURL: Default -> hxxp://pandasecurity.mystart.com/results.php?searchsource=omnibar&pr=vmn&id=pandasecuritytb&v=2_3&ent=ds_671&q={searchTerms}
CHR Extension: (Chrome Web Mağazası Ödemeleri) - C:\Users\ahmet\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Browsec VPN - Privacy and Security Online) - C:\Users\ahmet\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2016-05-20]
OPR StartupUrls: "hxxp://www.yandex.com.tr/?win=206&clid=1989273-001"
U3 awkdrpod; C:\Users\ahmet\AppData\Local\Temp\awkdrpod.sys [56584 2016-06-04] (GMER) [File not signed]
C:\Users\ahmet\AppData\Local\Temp\awkdrpod.sys
2015-12-31 19:04 - 2015-12-31 19:04 - 0019535 _____ () C:\ProgramData\empty.ico
S3 panda_url_filteringd; C:\Program Files\Panda Security URL Filtering\panda_url_filteringd.sys [51288 2014-03-19] (Visicom Media Inc.)
C:\Program Files\Panda Security URL Filtering
Task: {605C40DF-A0E8-4D98-8786-8844DC825C2C} - \{F460E7B1-5705-4D59-8E2E-BA3D20B9DECC} -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\ahmet\AppData\Local\Microsoft\Windows\Application Shortcuts\Chrome\Yandex.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yandex.com.tr/?win=206&clid=1989284-001
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is your system running now?

Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

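The FRST fixlist in the post above is a plain-text script, one action per line. As an added example (not part of dbrisendine's post, and not code from the FRST tool), here is a small Python audit that classifies the line types seen in such a script, using a constructed sample modelled on the one above, so a fix can be reviewed for what it touches (search-scope hijack hosts, unsigned drivers, orphaned entries, cmd:/Reg: actions) before pressing Fix. The line formats it recognises are inferred from this thread's script, not from FRST documentation, and the hxxp URLs are parsed for their host only, never re-armed.

```python
import re
from collections import Counter
# Constructed sample in FRST fixlist format, modelled on the thread's script (not the original file).
SAMPLE_FIXLIST = r"""Start
CreateRestorePoint:
SearchScopes: HKU\.DEFAULT -> DefaultScope {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = hxxps://yandex.com.tr/search/?text={searchTerms}&clid=2233630
SearchScopes: HKU\S-1-5-21-EXAMPLE-1001 -> {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = hxxp://pandasecurity.mystart.com/results.php?q={searchTerms}
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll => No File
U3 awkdrpod; C:\Users\user\AppData\Local\Temp\awkdrpod.sys [56584 2016-06-04] (GMER) [File not signed]
S3 panda_url_filteringd; C:\Program Files\Panda Security URL Filtering\panda_url_filteringd.sys [51288 2014-03-19] (Visicom Media Inc.)
cmd: netsh advfirewall reset
EmptyTemp:
Reboot:
end
"""
URL_RE = re.compile(r"URL = hxxps?://([^/\s]+)")  # host of a defanged (hxxp) URL, never re-armed
DIRECTIVE_RE = re.compile(r"^[A-Za-z]+:$")         # bare FRST directive such as "EmptyTemp:"
SERVICE_RE = re.compile(r"^[RSU]\d (\S+); (.+?) \[\d+ [\d-]+\] \(([^)]*)\)\s*(.*)$")  # driver/service line

def classify(line):
    # Map one fixlist line to (kind, detail); unknown lines fall through as "other".
    if DIRECTIVE_RE.match(line):
        return "directive", line[:-1]
    if line.lower().startswith(("cmd:", "reg:")):
        return "command", line.split(":", 1)[1].strip()
    if m := SERVICE_RE.match(line):
        name, path, vendor, flags = m.groups()
        return "service", {"name": name, "path": path, "vendor": vendor,
                           "signed": "File not signed" not in flags}
    if line.endswith(("No File", "[No File]")):
        return "orphan", line.split(":", 1)[0]
    if url := URL_RE.search(line):
        return "search_hijack", url.group(1)
    return "other", line

def audit(text):
    # Summarise what the fixlist would touch, so the script can be reviewed before pressing Fix.
    s = {"directives": [], "commands": 0, "unsigned_drivers": [], "hijack_hosts": Counter(), "orphans": 0}
    for kind, detail in (classify(l.strip()) for l in text.splitlines() if l.strip()):
        if kind == "directive":
            s["directives"].append(detail)
        elif kind == "command":
            s["commands"] += 1
        elif kind == "service" and not detail["signed"]:
            s["unsigned_drivers"].append(detail["name"])
        elif kind == "search_hijack":
            s["hijack_hosts"][detail] += 1
        elif kind == "orphan":
            s["orphans"] += 1
    return s
```

Running audit(SAMPLE_FIXLIST) reports the unsigned GMER driver, the two search-scope hosts and the orphaned BHO entry, which is the kind of summary worth checking against the helper's instructions before the fix runs.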


#3 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender: Male
  • Location: BC, Canada

Posted 07 July 2016 - 12:01 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





