Smart Virus / Malware / Rootkit NOT letting me run NOTHING



#1 koddie (New Member, 5 posts)

Today I powered on a PC I was NOT using for about 10 months (with some IMPORTANT data).

After I logged in to my default administrator user:

1. My AV was not loading and something was strange. NO FREE SPACE on ANY of my HDs.

So I deleted some BIG DATA and now I had a few GBs free on each of them. RESTARTED.

2. NOW the big PROBLEM arrived:

The Avast! antivirus is still NOT loading.... AND:
I CAN NOT RUN A BIG PART OF the EXE files (including explorer.exe, msconfig.exe, regedit.exe, mbam.exe [Malwarebytes])

Every time I try to open a file I get:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Most of the important options in Windows (for example "Add or remove user accounts") are NOT working, although I'm logged on as the administrator.

I did some Googling, I saw some suggestions, I tried:

TDSSKiller.exe, FixTDSS.exe, HitmanPro_x64.exe, msert.exe [Microsoft Safety Scanner]

Could NOT run any of them. All give me the same problem ("Windows cannot access the specified.....")

I tried the "trick" of renaming to "iexplore.exe" - NOT working.

However, the REAL Internet Explorer is working, as are Windows Media Player and a few other useless applications.
Avast is not loading as I said, but it is shown in the Windows Task Manager - Processes - as loaded ("AvastUI.exe *32").

F8 on startup isn't doing anything, so I can not run SAFE MODE, and I couldn't "force" it to load safe mode as msconfig.exe is not working.

My machine is -

Windows 7 Pro, SP 1, 64-bit, Legal Copy ("activated"), with "AVAST! Free Antivirus" installed.




#2 RKinner (Malware Expert, MVP, 20,002 posts)
1. Double-click My Computer, and then right-click the hard disk that you want to check (C:).
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.

You will receive the following message:

The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?

Click Yes to schedule the disk check, but don't restart yet.

Right click on (My) Computer and select Manage (Continue), then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, All Programs, Accessories, then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line):

sfc /scannow

(SPACE after sfc.) This will check your critical system files. Does this finish without complaint? IF it says it couldn't fix everything then:

Copy the next two lines:

findstr /c:"[SR]" \windows\logs\cbs\cbs.log > \windows\logs\cbs\junk.txt
notepad \windows\logs\cbs\junk.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste, or Edit then Paste, and the copied line should appear.
Hit Enter if Notepad does not open. Copy and paste the text from Notepad into a reply. Close Notepad. Close the Command Window.

1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run As Administrator.
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'.
2. Type 20 in the 1 to 20 box.
3. Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.


#3 koddie (Topic Starter, New Member, 5 posts)

Thanks R.

Check Now is not loading.

"Manage" also does not ("Explorer.EXE - Windows cannot...")

All give me the same error as before:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I could still load IE, Firefox, Chrome, Media Player, VLC, Office, and basic apps like that, though.

Also, on the C: hard drive I had 3GB free yesterday; now I have 700MB free. Somehow this malware is filling my HD with unknown sh*t.



#4 koddie (Topic Starter, New Member, 5 posts)

I managed to run Farbar Recovery Scan Tool from the Advanced Boot Options (before Windows loads) & Command Prompt.

[I could probably run more tools that way]

Here is the log:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by SYSTEM on MININT-KOPGG3N on 29-01-2015 19:47:36
Running from h:\
Platform: Windows 7 Professional (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-19] (Adobe Systems Incorporated)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1612504 2013-11-11] (COMODO)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3477640 2012-09-23] (Adobe Systems Inc.)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [311152 2013-11-05] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3767096 2014-03-01] (AVAST Software)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\RunOnce: [*CA] => [X]
HKU\Default\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default User\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Eitan2012\...\Run: [AdobeBridge] => [X]
HKU\Eitan2012\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1564528 2013-11-05] (Samsung)
HKU\Eitan2012\...\Run: [KiesAirMessage] => C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
HKU\Eitan2012\...\Run: [Google Update] => C:\Users\Eitan2012\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-02-22] (Google Inc.)
HKU\Eitan2012\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-21] (Microsoft Corporation)
HKU\Eitan2012\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845168 2013-11-05] (Samsung)
HKU\UpdatusUser\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
Startup: C:\Users\Eitan2012\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft SharePoint Workspace.lnk
ShortcutTarget: Microsoft SharePoint Workspace.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-03-01] (AVAST Software)
S2 CLPSLauncher; C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [70352 2014-02-27] (Comodo Security Solutions, Inc.)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6254152 2013-10-19] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [164056 2013-09-24] (COMODO)
S2 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2135232 2014-01-28] ()
S2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2014-02-27] (Comodo Security Solutions, Inc.)
S3 Samsung UPD Service2; C:\Windows\System32\SUPDSvc2.exe [165456 2011-12-01] (Samsung Electronics)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [60288 2009-07-13] (Microsoft Corporation)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [78648 2014-03-01] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [92544 2013-11-01] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-11-01] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1038072 2014-03-01] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [421704 2014-03-01] (AVAST Software)
S3 aswStm; C:\Windows\system32\drivers\aswStm.sys [80184 2014-03-01] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [207904 2014-03-01] ()
S3 bbcap; C:\Windows\System32\DRIVERS\bbcap.sys [4608 2013-09-27] (Windows (R) Codename Longhorn DDK provider)
S1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [37976 2014-06-25] (Windows (R) Win 7 DDK provider)
S1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2013-09-24] (COMODO)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [709144 2013-11-14] (COMODO)
S1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48872 2013-09-24] (COMODO)
S3 GDPkIcpt; C:\Windows\system32\drivers\PktIcpt.sys [62368 2013-02-03] (G Data Software AG)
S1 HMD; C:\Windows\System32\DRIVERS\hmd.sys [14888 2013-10-06] ()
S1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [96800 2013-09-24] (COMODO)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 19:47 - 2015-01-29 19:47 - 00000000 ____D () C:\FRST
2015-01-28 11:53 - 2015-01-28 11:53 - 00000000 ____D () C:\Users\Eitan2012\Desktop\OK
2015-01-28 10:19 - 2015-01-28 08:09 - 129880312 _____ (Microsoft Corporation) C:\Users\Eitan2012\Desktop\msert.exe
2015-01-28 09:46 - 2015-01-11 15:08 - 11225840 _____ (SurfRight B.V.) C:\Users\Eitan2012\Desktop\HitmanPro_x64.exe
2015-01-28 09:46 - 2014-12-02 10:11 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Eitan2012\Desktop\mbam-setup-2.0.4.1028.exe
2015-01-28 09:40 - 2012-11-01 02:28 - 01931088 _____ (Symantec Corporation) C:\Users\Eitan2012\Desktop\FixTDSS.exe
2015-01-28 09:20 - 2015-01-28 10:18 - 00000000 ____D () C:\tsdk77

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 09:21 - 2012-02-23 02:19 - 01610489 _____ () C:\Windows\WindowsUpdate.log
2015-01-29 09:13 - 2013-09-27 13:25 - 00000031 _____ () C:\Windows\System32\bbcap.err
2015-01-29 08:33 - 2012-02-22 17:08 - 00000954 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3787592331-2260381968-2455151431-1001UA.job
2015-01-29 08:29 - 2012-02-22 18:27 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-28 20:15 - 2012-02-22 16:58 - 00000000 ____D () C:\users\Eitan2012
2015-01-28 20:14 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2015-01-28 13:33 - 2012-02-22 17:08 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3787592331-2260381968-2455151431-1001Core.job
2015-01-28 12:58 - 2012-03-26 03:47 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-28 11:55 - 2009-07-13 21:13 - 00782470 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-01-28 11:53 - 2013-09-29 13:54 - 00000000 ____D () C:\Users\Eitan2012\AppData\Roaming\Dropbox
2015-01-28 09:30 - 2012-02-22 18:27 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 09:27 - 2009-07-13 20:45 - 00014848 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 09:27 - 2009-07-13 20:45 - 00014848 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 09:23 - 2012-02-22 18:27 - 00003924 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-01-28 09:23 - 2012-02-22 18:27 - 00003672 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-28 09:16 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-28 09:16 - 2009-07-13 20:51 - 00048730 _____ () C:\Windows\setupact.log

Some content of TEMP:
====================
C:\Users\Eitan2012\AppData\Local\Temp\bbcap.dll
C:\Users\Eitan2012\AppData\Local\Temp\bbchlp.dll
C:\Users\Eitan2012\AppData\Local\Temp\FlashBackDriverInstaller.exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih (1).exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih (1)_1.exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1).exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1)_1.exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1)_2.exe
C:\Users\Eitan2012\AppData\Local\Temp\vlc-2.1.1-win64.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-07-06 08:00:32
Restore point made on: 2014-07-13 08:00:32
Restore point made on: 2014-07-20 08:00:34
Restore point made on: 2014-07-27 08:00:32
Restore point made on: 2014-08-03 08:00:32

==================== Memory info =========================== 

Percentage of memory in use: 14%
Total physical RAM: 4094.49 MB
Available physical RAM: 3493.88 MB
Total Pagefile: 4092.64 MB
Available Pagefile: 3482.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:0.47 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:368.1 GB) (Free:12.72 GB) NTFS
Drive g: (Eitan 1TB) (Fixed) (Total:931.51 GB) (Free:10.93 GB) NTFS
Drive h: (EITANDOK) (Fixed) (Total:7.26 GB) (Free:6.6 GB) exFAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: E46E09D5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=368.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: DF855275)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=42)

========================================================
Disk: 2 (Size: 7.5 GB) (Disk ID: DC3E5EC0)

Partition: GPT Partition Type.
Partition 2: (Not Active) - (Size=7.3 GB) - (Type=07 NTFS)


LastRegBack: 2015-01-28 12:32

==================== End Of Log ============================

Edited by koddie, 29 January 2015 - 02:14 PM.

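As an added triage example (not part of this thread and not FRST's own code): a Python parser for the driver/service and drive lines of an FRST log like the one above. It flags boot- or system-start drivers whose publisher field is empty and drives that are nearly out of space, the two things the thread keeps coming back to. It assumes the line layout shown in the log and the usual reading of the entry prefix (S/R for stopped/running, digit for start type); the sample lines are copied from the posted log.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the FRST log in post #4 of this thread,
# trimmed to a few driver and drive entries so the script runs offline.
SAMPLE_LOG = r"""
==================== Drivers (Whitelisted) ====================

S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [78648 2014-03-01] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-11-01] ()
S3 bbcap; C:\Windows\System32\DRIVERS\bbcap.sys [4608 2013-09-27] (Windows (R) Codename Longhorn DDK provider)
S1 HMD; C:\Windows\System32\DRIVERS\hmd.sys [14888 2013-10-06] ()

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:0.47 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:368.1 GB) (Free:12.72 GB) NTFS
"""

# Entry layout "S0 name; path [size date] (publisher)". Reading the prefix as
# S/R = stopped/running and the digit = start type is an assumption about FRST's convention.
ENTRY_RE = re.compile(
    r"^([SRU])(\d)\s+([^;]+);\s+(.+?)\s+\[(\d+)\s+(\d{4}-\d{2}-\d{2})\]\s+\((.*)\)$")
DRIVE_RE = re.compile(
    r"^Drive (\w): \((.*?)\) \((\w+)\) \(Total:([\d.]+) GB\) \(Free:([\d.]+) GB\) (\w+)")
START_TYPE = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def parse_frst(text: str) -> Dict[str, List[dict]]:
    """Pull service/driver entries and drive summaries out of an FRST log."""
    drivers, drives = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            drivers.append({"running": m.group(1) == "R",
                            "start": START_TYPE.get(int(m.group(2)), m.group(2)),
                            "name": m.group(3), "path": m.group(4),
                            "size": int(m.group(5)), "date": m.group(6),
                            "publisher": m.group(7).strip()})
            continue
        m = DRIVE_RE.match(line.strip())
        if m:
            drives.append({"letter": m.group(1), "label": m.group(2), "fs": m.group(6),
                           "total_gb": float(m.group(4)), "free_gb": float(m.group(5))})
    return {"drivers": drivers, "drives": drives}


def flag_early_unsigned(drivers: List[dict]) -> List[dict]:
    """Boot/system-start drivers with an empty publisher field: review these first.
    Empty means FRST found no company name in the version info; it is a prompt to
    verify the file (hash, signature), not proof of malice (avast's aswRvrt shows it)."""
    return [d for d in drivers if not d["publisher"] and d["start"] in ("boot", "system")]


def low_free_drives(drives: List[dict], min_gb: float = 1.0) -> List[str]:
    """Drive letters under the free-space floor (the thread's C: at 0.47 GB qualifies)."""
    return [d["letter"] for d in drives if d["free_gb"] < min_gb]
```

To use it on a real run, read the saved FRST.txt into a string and pass it to parse_frst in place of SAMPLE_LOG.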

#5 koddie (Topic Starter, New Member, 5 posts)

BTW, yesterday after I deleted some big data I had over 3GB free on C:; look, now it is "0.47 GB" free.

 



#6 RKinner (Malware Expert, MVP, 20,002 posts)

Does

chkdsk /f

or

chkdsk /r

work in the Advanced Recovery Option Command Prompt?

How big is the drive? Who makes it? Part number? (You should be able to get the part number from BIOS/CMOS setup.)

Did you create the E: drive? Do the sizes of each partition seem normal?

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: E46E09D5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=368.1 GB) - (Type=07 NTFS)

Drive c: () (Fixed) (Total:97.56 GB) (Free:0.47 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:368.1 GB) (Free:12.72 GB) NTFS

IF you right click on a file that won't start and select Properties, then Security, then click on your login name, does it say you should have Full Control?


#7 koddie (Topic Starter, New Member, 5 posts)

I created the E drive a while ago.

Partition sizes seem fine.

Can't do chkdsk /f or chkdsk /r, it says:

X:\windows\system32>chkdsk /f
The type of the file system is NTFS.
Cannot lock current drive.
Windows cannot run disk checking on this volume because it is write protected.



#8 RKinner (Malware Expert, MVP, 20,002 posts)

Try

chkdsk C: /f

If you don't tell it the drive then it tries to do the one you are on.

