Thread: Blocked from running Spybot or any other malware remover

  1. #1
    Member
    Join Date
    Aug 2011
    Location
    New York City
    Posts
    61

    Blocked from running Spybot or any other malware remover

    Hi,

    First off, I'm using Windows XP, and have run all the necessary updates to the best of my knowledge promptly and accurately.

    I am being blocked from running Spybot, so I cannot even create a log to submit here. I will try my best to explain the problem as best I can figure it out, but please bear in mind that I am not very technically literate when it comes to such matters.

    If anyone can help, I would sincerely appreciate it.

    Now, I first started noticing something was amiss when the latest Microsoft Windows auto update came through several days ago. I saw the little icon in my system tray, and I clicked on it, and then installed the update. Afterwards, I was told to restart my PC. I did so. However, now I constantly see the Windows Updater icon in my system tray as if there is an update, even when I have already run the update.

    I looked into just what it was that Windows wanted me to update, and I found that it is the "Windows Malicious Software Removal Tool - August 2011 (KB890830)". Except, it's listed as having "0 bytes". I don't know if that's important or not, but I'm making notice of it here just the same. I since downloaded this file over and over, but it still won't disappear.

    Furthermore, now whenever I shut my PC down for the day, I notice the little Windows install shield promising to install the update before shutting my PC down. I let it do this each time, and each time it is still there the next time I shut my PC down.

    In addition to this, I might add, my McAfee Security Center has been unable to run a scan for two weeks now. Whenever I try to run one, I get an error code.

    Realizing that I might be infected with some kind of malware, I went to all my usual steps. I tried HijackThis first. I ran the updates on it first, then tried to open the program. I receive a message saying that Windows could not gain access to this particular file.

    I tried Spybot S&D next, but the same thing occurred. I uninstalled Spybot and downloaded a more up to date version from Safer Networking, but again I was told that Windows could not access this file after the program was installed.

    Lastly, I tried Ad-Aware, but . . . you get the picture.

    I even went to Microsoft's Windows site and manually downloaded the Malicious Software Removal tool, which succeeded in getting the installer onto my desktop. But after installing the tool and running it, halfway through the quick scan the process suddenly shut down.

    I received a message from my Firewall saying that it blocked a program from accessing the web. This happened again when I tried to run it from MS online directly.

    I'm afraid I'm fresh out of ideas!

    I even went to Safer Networking and purchased the bootable CD, but that could take many days to arrive and I don't even know if that is the right step to take in combating whatever this problem might be.

    I don't know if anyone can help me, but I hope so. I'm at my wit's end! I apologize for the rather long post, but I figured it was best to be as thorough as possible.

    Thanks!

    Sincerely,

    Ryodin

  2. #2
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Hello Ryodin and welcome to Safer-Networking Forum.
    I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

    Please observe these rules while we work:
    • Read the entire procedure
    • It is important to perform ALL actions in sequence.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it.
    • Remember, absence of symptoms does not mean the infection is all gone.
    • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.


    Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice, this will be a team effort.
    This may cause a delay, but I will do my best to keep it as short as possible.

    Please bear with me, I will post back to you as soon as I can.

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

    Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

    Stay with this topic until I give you the all clean post.

  3. #3
    Member
    Join Date
    Aug 2011
    Location
    New York City
    Posts
    61

    Hi Bill,

    Thank you so much for the speedy reply. I will do as you suggest and wait until you can get back to me. I understand this may take some time, but I'm in it for the long haul.

    If it helps any, I will include below the message window that pops up whenever I try to run a malware removal program (SpyBot, Ad-Aware, etc.):

    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

    Again, this happens anytime I try to open and/or run an anti-malware tool. I don't experience this problem with any other programs on my PC, however.

    Thanks again!

    --Ryodin

  4. #4
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Thanks Ryodin, I will be back asap.

  5. #5
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Greetings ryodin,
    I feel your pain, so let's get started,

    First
    Please download exeHelper to your desktop.
    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Next
    • Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


    Next
    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under Custom Scan paste this in

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      CREATERESTOREPOINT

    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
      • You may need two posts to fit them both in.


    Logs to post:
    • aswMBR.txt
    • OTL.txt
    • Extras.txt

  6. #6
    Member
    Join Date
    Aug 2011
    Location
    New York City
    Posts
    61

    Bill,

    Sorry for the late reply. I've been having trouble running these steps you outlined above. As I mentioned before, whatever it is that's infecting my PC seems to be blocking attempts to run .exe files I try to open. With this in mind, I decided against saving "exeHelper" and "aswMBR" to my desktop. I opted instead to press "run" instead of "save" and run them off the host site directly.

    This worked for the above two .exe files, but not for the third: OTL. When I tried to run OTL from the website, I was told that I could not do so and would have to save it first. So I did so. I was able to open OTL and implement all the steps you outlined, up to and including pasting the "Custom Scan" list. Once I did this, I clicked the "Run Scan" button. The program immediately closed and would not respond. Upon attempting to open OTL a second time, I received that familiar message: "Windows cannot access the specified device, path, or file . . ." as I mentioned earlier in this thread.

    Additionally, I'm not even allowed to remove the OTL .exe from my desktop. When I tried to delete it, I'm told that I am not allowed to.

    So, unfortunately, I cannot post any logs from OTL. I do, however, have logs from exeHelper and aswMBR. Since you did not ask me to post the log from the exeHelper scan, I will instead only paste the aswMBR one below.

    However, before I do so, I would like to point out that it seems the aswMBR scan did not completely cycle through. It found a bunch of errors, but then appeared to stall out near the end. Or perhaps it was already at the end of the scan? I can't tell because there was no message or anything telling me that the scan had been completed. To me it appears as if it simply stopped scanning beyond a certain point. So after 30 minutes of waiting, I finally hit the "save log" button and generated a report.

    Maybe you can make sense of it. Here is a copy of the log:

    ========================aswMBR.txt=========================

    11:07:09.250 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
    11:07:11.312 Disk 0 MBR read successfully
    11:07:11.312 Disk 0 MBR scan
    11:07:12.515 Disk 0 Windows XP default MBR code
    11:07:12.531 Disk 0 scanning sectors +234372285
    11:07:12.781 Disk 0 scanning C:\WINDOWS\system32\drivers
    11:08:59.218 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
    11:09:14.109 Service scanning
    11:09:20.656 Modules scanning
    11:09:32.093 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
    11:10:02.218 Disk 0 trace - called modules:
    11:10:02.250 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5247c0]<<
    11:10:02.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a699ab8]
    11:10:02.625 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a512e48]
    11:10:02.625 \Driver\00000696[0x8a5bcb60] -> IRP_MJ_CREATE -> 0x8a5247c0
    11:10:07.375 AVAST engine scan C:\WINDOWS
    11:11:33.968 AVAST engine scan C:\WINDOWS\system32
    11:20:46.812 AVAST engine scan C:\WINDOWS\system32\drivers
    11:21:36.875 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
    11:21:59.125 AVAST engine scan C:\Documents and Settings\David Batista
    11:55:38.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\MBR.dat"
    11:55:38.031 The log file has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\aswMBR.txt"

    =========================================================

    I would also like to mention that I do own another, more up-to-date PC, running Windows 7. I also own a flash thumb drive. I'm only making you aware of this in case we might be able to use that to fix my infected PC.

    Thanks for the help again!

    -Ryodin
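
An added example, not part of the original thread and not aswMBR's own code: a small Python parser that groups the flagged entries of the aswMBR log posted above by file and pulls out the unnamed module in the disk call trace. The regular expressions are assumptions inferred from the log lines shown in this post, not a documented aswMBR format.

```python
import re

# Lines copied from the aswMBR log posted above (a subset, timestamps kept).
SAMPLE_LOG = r"""
11:07:12.515 Disk 0 Windows XP default MBR code
11:08:59.218 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
11:09:32.093 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
11:10:02.250 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5247c0]<<
11:10:02.625 \Driver\00000696[0x8a5bcb60] -> IRP_MJ_CREATE -> 0x8a5247c0
11:21:36.875 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
"""

# Assumed line shapes, inferred from the log above.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
FLAG_RE = re.compile(r"^(File|Module):\s+(.+?)\s+\*\*(INFECTED|SUSPICIOUS)\*\*\s*(.*)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def triage(log_text):
    """Return (flagged, unknown_modules) from aswMBR log text.

    flagged maps a lower-cased path to its verdicts, detection names and the
    time it was first reported; unknown_modules lists (time, address) pairs
    for unnamed modules in the disk call trace.
    """
    flagged, unknown_modules = {}, []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank lines, banners, anything without a timestamp
        stamp, message = line.groups()
        hit = FLAG_RE.match(message)
        if hit:
            _kind, path, verdict, detection = hit.groups()
            # Windows paths are case-insensitive: system32\drivers and
            # System32\DRIVERS name the same file, so key on lower case.
            entry = flagged.setdefault(path.lower(), {
                "first_seen": stamp, "verdicts": set(), "detections": set()})
            entry["verdicts"].add(verdict)
            if detection:
                entry["detections"].add(detection)
            continue
        unknown_modules += [(stamp, addr) for addr in UNKNOWN_RE.findall(message)]
    return flagged, unknown_modules


if __name__ == "__main__":
    files, modules = triage(SAMPLE_LOG)
    for path, info in files.items():
        print(path, sorted(info["verdicts"]), sorted(info["detections"]))
    for stamp, addr in modules:
        print("unnamed module in disk stack at", addr, "logged", stamp)
```
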

  7. #7
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Hello Ryodin
    Exehelper.com is a com file, reboot and try saving as requested and running again.
    Then try OTL again please. Let me know results, there are other ways to skin this cat you know.

  8. #8
    Member
    Join Date
    Aug 2011
    Location
    New York City
    Posts
    61

    Bill,

    I'm running aswMBR again, because I feel that it did not finish through that first scan I posted the log for. As of right now, it's been running for almost 4 hours, and I don't think it's done yet. What I thought was a stall was just in fact a very long scan segment. So the log I posted above was incomplete.

    I'm going to let this run for as long as it takes. This means it might be many hours before I can try the new suggestions you mentioned above.

    Or do you think I should stop the aswMBR process altogether and try to do what you suggest?

    Also, because I have already downloaded and saved OTL to my desktop, I seem to be unable to download it again. The file is refusing to be replaced by the newer copy, and I'm not being allowed to delete it. And as you know now, I'm being denied from opening OTL on my desktop, too. So I'm damned if I don't and damned if I do here.

    What can I do?

    --Ryodin

  9. #9
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Hello Ryodin,
    aswMBR log looks like it finished to me. It usually doesn't take more than 10 min to run. You can kill it if you wish. I will get back to you soon with another action plan.

  10. #10
    Member
    Join Date
    Aug 2011
    Location
    New York City
    Posts
    61

    P.S. -- I downloaded to my desktop and ran exeHelper.com. So here are the two logs, seemingly identical, that resulted from both attempts. The first one I tried in the morning as soon as I got your message, and which was generated from an online direct run only:


    exeHelper by Raktor
    Build 20100414
    Run at 10:56:21 on 08/20/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...


    The second one was generated just now after I saved the program and ran it:

    exeHelper by Raktor
    Build 20100414
    Run at 16:09:30 on 08/20/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--


    Curiously enough, after I ran it the second time, suddenly my McAfee Security Center went haywire. I keep getting pop up windows telling me that my Firewall is turned off. When I turn it back on, it shuts back down again. And then it comes on by itself a few seconds later, only to shut down once more again a few seconds after that. It keeps doing this until I restart the computer. I'm still running aswMBR, though, so I don't want to reboot my PC at this moment. I'll just leave the Firewall running haywire until the scan is done.
