kls85 (I post too much)
Reputation: 22
Joined: 18 Jul 2008 Posts: 2757 Location: Under ur bed
Posted: Fri Sep 24, 2010 2:19 pm Post subject: Access denied: possible malware infection? Help
After spending a few days of trying every solution possible, I've finally given up and decided to perform a reformat.
But I'm just curious if any of you have encountered this before, and I would like to know any method you guys have performed with success.
A few days ago a friend of mine had a perfectly working system and all of a sudden, tons of malware started to infect his machine. It got to the point where nothing worked, the screen blanked out and a forced restart was required.
After the machine restarted, a BSOD occurred saying winlogon is corrupted.
-Tried heading to safe mode = no help
-Tried safe mode with networking = does not work
-Tried safe mode with command prompt = no help either
-Tried Last Known Good Configuration = still didn't work
I then had to perform a repair install of the entire OS.
After the OS installation was complete, Windows booted up and I was able to get to his desktop and finally perform a proper malware scan.
I fired up Malwarebytes Anti-Malware, did an update, and selected Quick Scan.
The program would run for about 3 seconds and close. After the program closed and I tried to run it again, it would say something along these lines:
Code:
    "Windows cannot access the specific path, device or file. You may not have the appropriate permission to access this item".
I reinstalled Malwarebytes Anti-Malware; the program opened up, did the same thing as before and again... it closed after 3 seconds of use, along with that same error when I tried to reopen it.
Now that Malwarebytes did not work, I tried the following other programs:
Spybot Search and Destroy: same thing happens
HijackThis: same results
Super Anti-Spyware: no luck
Then I remembered to rename the program with random characters, hoping the actual malware itself would think the program I wanted to run was also malware, but that failed, as when I tried to rename it, it said "access denied".
Feeling defeated but not out yet, I headed into safe mode with networking and logged in as Administrator.
In safe mode, I tried all of the programs and still the same thing.
I then tried ComboFix and finally it began to update and scan.
When the scan finished it deleted 2 random entries which looked suspicious and rebooted. Once that was done and the system headed back into normal mode, again I fired up Malwarebytes Anti-Malware, hoping it would work this time, but it did not!
Up next, I headed back into safe mode (just regular safe mode this time) and did the following:
-Reinstalled Malwarebytes, and opened up Task Manager.
I noticed the CPU was running at 100% full load, which was odd as I hadn't even started the scan yet.
Took a look at the process list and noticed Malwarebytes was using 50% and this svchost.exe was using 50% as well.
Now another idea just popped up. I headed back into normal mode.
This time I renamed Malwarebytes to svchost.exe and finally it began to scan. After the scan finished it found the culprit svchost.exe, removed it and rebooted.
As the system was rebooting, I crossed my fingers hoping it was all solved, but that was not the case, as the problem still remained...
Now I know that for any scanner to work I have to rename it to "svchost.exe".
For each of the programs I tried and so forth, all came up with nothing; the only "svchost.exe" infection they find is the program I purposely renamed.
Just thought: is there any way to use CE to see what the heck is going on?
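Added example, not from this thread or from any of the tools named in it: a Python check of the kind a defender would run over a process snapshot to separate the genuine service host from the lookalike the poster saw pinning the CPU. The snapshot is constructed to mirror the thread's symptoms, and the path, parent and CPU columns are an assumption about what a Process Explorer or tasklist export would give you; note that the scanner the poster renamed to svchost.exe is flagged too, which is why only image path and parent, never the name, tell the two apart.

```python
import ntpath

# Constructed process snapshot modelled on the thread: (pid, ppid, name, image path, cpu %).
# The values are made up; a real snapshot would come from Process Explorer, tasklist or WMI.
SAMPLE_PROCESSES = [
    (4,    0,    "System",       "",                                   1.0),
    (600,  4,    "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe",  0.0),
    (700,  600,  "services.exe", r"C:\WINDOWS\system32\services.exe",  0.0),
    (1300, 600,  "explorer.exe", r"C:\WINDOWS\explorer.exe",           2.0),
    (900,  700,  "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",   0.5),
    (1020, 700,  "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",   0.0),
    # the lookalike pinning one core, as the poster saw in Task Manager
    (1500, 1300, "svchost.exe",
     r"C:\Documents and Settings\User\Local Settings\Temp\svchost.exe", 50.0),
    # the scanner the poster renamed to svchost.exe so the malware would let it run
    (1600, 1300, "svchost.exe",
     r"C:\Program Files\Malwarebytes' Anti-Malware\svchost.exe",       50.0),
]

LEGIT_SVCHOST_DIR = r"c:\windows\system32"   # the genuine service host lives here
LEGIT_PARENT = "services.exe"                # and is always started by the SCM


def find_rogue_svchost(processes, cpu_threshold=40.0):
    """Return (pid, reason) for every svchost.exe that fails the sanity checks.

    Checks: image path in System32, parent is services.exe, CPU below threshold.
    The renamed scanner fails the first two as well, which is exactly why the
    thread's scanners only ever "found" the copy the poster had renamed.
    """
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, name, path, cpu in processes:
        if name.lower() != "svchost.exe":
            continue
        reasons = []
        if ntpath.dirname(path).lower() != LEGIT_SVCHOST_DIR:
            reasons.append(f"image outside System32: {path}")
        parent = by_pid.get(ppid)
        parent_name = parent[2] if parent else "<unknown>"
        if parent_name.lower() != LEGIT_PARENT:
            reasons.append(f"parent is {parent_name}, not {LEGIT_PARENT}")
        if cpu >= cpu_threshold:
            reasons.append(f"sustained CPU {cpu:.0f}%")
        if reasons:
            findings.append((pid, "; ".join(reasons)))
    return findings
```

Run `find_rogue_svchost(SAMPLE_PROCESSES)` to get the two flagged PIDs with their reasons; the two System32 instances started by services.exe pass.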
hcavolsdsadgadsg (I'm a spammer)
Reputation: 26
Joined: 11 Jun 2007 Posts: 5801
Posted: Fri Sep 24, 2010 4:50 pm
I've pretty much always managed to clear out almost everything once I get into safe mode, though I had an interesting one once where trying to get into safe mode would effectively crash and restart the computer while a regular boot wouldn't.
You could try the Sysinternals stuff if you want to see what's going on.
But yeah, just reformat and get it over with.
Cryoma (Member of the Year)
Reputation: 198
Joined: 14 Jan 2009 Posts: 1819
Posted: Fri Sep 24, 2010 4:59 pm
Back up important files, reformat.
It will save you hours of frustrating hair pulling.
shitposter (Newbie cheater)
Reputation: 5
Joined: 12 Nov 2008 Posts: 13
Posted: Fri Sep 24, 2010 5:15 pm
Cryoma wrote:
> Back up important files, reformat.
> It will save you hours of frustrating hair pulling.
Some viruses spread through all your files in a matter of minutes.
Notepad (Grandmaster Cheater)
Reputation: 9
Joined: 26 Dec 2007 Posts: 722 Location: New Zealand
Posted: Fri Sep 24, 2010 8:50 pm
I'd personally boot up UBCD4Win and give it a scan with the AVs and anti-malware/spyware programs it has.
Once scanning is finished you should be clear of all viruses.
Cryoma (Member of the Year)
Reputation: 198
Joined: 14 Jan 2009 Posts: 1819
Posted: Fri Sep 24, 2010 10:00 pm
xTremist wrote:
> Cryoma wrote:
> > Back up important files, reformat.
> > It will save you hours of frustrating hair pulling.
> Some viruses spread through all your files in a matter of minutes.
Right, so just back up Word documents, music, movies, stuff that can't be replaced.
AhMunRa (Grandmaster Cheater Supreme)
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
Posted: Sat Sep 25, 2010 9:07 am
For the record, you could fix an infected winlogon file from the repair console. It's as simple as copying the new one from the disk into the directory.
Winlogon, no matter what you do, will always run the viral code. If you try to hard power off, Winlogon is still sent the power off sig and will rewrite the file to disk before power off. I have fought this kind of malware before. It actually hooks into the logon process to detect power off/on; the code, if I'm correct, doesn't even have an exe written to disk, it all stays resident in memory until shutdown, then it writes and creates the reg keys to start up once shut down. Safe mode won't rid you of it because Winlogon is used in safe mode as well.
_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.>
kls85 (I post too much)
Reputation: 22
Joined: 18 Jul 2008 Posts: 2757 Location: Under ur bed
Posted: Sat Sep 25, 2010 7:22 pm
-All AV, malware and rootkit software I've tried shows the system is clean.
-Fixing the winlogon through the recovery console was the very first thing I did, but that didn't fix the BSOD, thus I had to perform a repair install.
The entire OS including the Administrator is controlled by that infection, and I've checked online for solutions; there are some who had this problem where a HJT log shows it, but for the system I was working on, it's a clean (fake) bill of health.
AhMunRa (Grandmaster Cheater Supreme)
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
Posted: Sat Sep 25, 2010 7:58 pm
For an infection this deep I would not try an in-place reinstall. A complete format and reinstall would be the safest solution. If you wish to save your data, create a Linux boot disk and back up your data from Linux to CD or a shared folder before you perform the format.
kls85 (I post too much)
Reputation: 22
Joined: 18 Jul 2008 Posts: 2757 Location: Under ur bed
Posted: Sun Sep 26, 2010 12:39 am
Since the OS can't be accessed, there is no way to tell how deep that infection was. Also, it's very rare to actually get infected like that, as most of the time you can get rid of these pests with a simple scan.
And as stated in my starter post, I had performed a reformat, which of course means wiping out the entire OS and starting from scratch.
But it's better to figure it out (you get to learn a thing or two) rather than take the easy* way.
*format as a last resort when all methods have failed
AhMunRa (Grandmaster Cheater Supreme)
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
Posted: Sun Sep 26, 2010 7:32 am
That's the way to do it. Glad you got it sorted out. Would be nice if you knew where you got it from though.
kls85 (I post too much)
Reputation: 22
Joined: 18 Jul 2008 Posts: 2757 Location: Under ur bed
Posted: Sun Sep 26, 2010 10:53 am
It's not my system, but my friend told me all of a sudden he saw a bunch of popups and then his desktop turned black with a message smack in the center that said "Your system is infected with spyware, blah, blah, blah".
Those were around a lot at one time; it's rare you see them these days, though they happened often in the past.
Now you get those fake AVs which tell the uninformed to buy them, and they fall for it.
Heard of Nortel Antivirus?
http://www.spywarevoid.com/remove-nortel-antivirus-nortel-anti-virus-removal-help.html