Blocked from running Spybot or any other malware remover


ryodin

New member
Hi,

First off, I'm using Windows XP, and have run all the necessary updates to the best of my knowledge promptly and accurately.

I am being blocked from running Spybot, so I cannot even create a log to submit here. I will try my best to explain the problem as best I can figure it out, but please bear in mind that I am not very technically literate when it comes to such matters.

If anyone can help, I would sincerely appreciate it.

Now, I first started noticing something was amiss when the latest Microsoft Windows auto update came through several days ago. I saw the little icon in my system tray, and I clicked on it, and then installed the update. Afterwards, I was told to restart my PC. I did so. However, now I constantly see the Windows Updater icon in my system tray as if there is an update, even when I have already run the update.

I looked into just what it was that Windows wanted me to update, and I found that it is the "Windows Malicious Software Removal Tool - August 2011 (KB890830)". Except, it's listed as having "0 bytes". I don't know if that's important or not, but I'm making notice of it here just the same. I have since downloaded this file over and over, but it still won't disappear.

Furthermore, now whenever I shut my PC down for the day, I notice the little Windows install shield promising to install the update before shutting my PC down. I let it do this each time, and each time it is still there the next time I shut my PC down.

In addition to this, I might add, my McAfee Security Center has been unable to run a scan for two weeks now. Whenever I try to run one, I get an error code.

Realizing that I might be infected with some kind of malware, I went to all my usual steps. I tried HijackThis first. I ran the updates on it first, then tried to open the program. I receive a message saying that Windows could not gain access to this particular file.

I tried Spybot S&D next, but the same thing occurred. I uninstalled Spybot and downloaded a more up to date version from Safer Networking, but again I was told that Windows could not access this file after the program was installed.

Lastly, I tried Ad-Aware, but . . . you get the picture.

I even went to Microsoft's Windows site and manually downloaded the Malicious Software Removal tool, which succeeded in getting the installer onto my desktop. But after installing the tool and running it, halfway through the quick scan the process suddenly shut down.

I received a message from my Firewall saying that it blocked a program from accessing the web. This happened again when I tried to run it from MS online directly.

I'm afraid I'm fresh out of ideas!

I even went to Safer Networking and purchased the bootable CD, but that could take many days to arrive and I don't even know if that is the right step to take in combating whatever this problem might be.

I don't know if anyone can help me, but I hope so. I'm at my wit's end! I apologize for the rather long post, but I figured it was best to be as thorough as possible.

Thanks!

Sincerely,

Ryodin
 
Hello Ryodin and welcome to the Safer-Networking Forum.
I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure.
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Stay with this topic until I give you the all clean post.
 
Hi Bill,

Thank you so much for the speedy reply. I will do as you suggest and wait until you can get back to me. I understand this may take some time, but I'm in it for the long haul.

If it helps any, I will include below the message window that pops up whenever I try to run a malware removal program (SpyBot, Ad-Aware, etc.):

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Again, this happens anytime I try to open and/or run an anti-malware tool. I don't experience this problem with any other programs on my PC, however.

Thanks again!

--Ryodin
 
Greetings ryodin,
I feel your pain, so let's get started.

First
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Next
  • Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Next
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
  • You may need two posts to fit them both in.

Logs to post:
  • aswMBR.txt
  • OTL.txt
  • Extras.txt
 
Bill,

Sorry for the late reply. I've been having trouble running these steps you outlined above. As I mentioned before, whatever it is that's infecting my PC seems to be blocking attempts to run .exe files I try to open. With this in mind, I decided against saving "exeHelper" and "aswMBR" to my desktop. I opted instead to press "run" instead of "save" and run them off the host site directly.

This worked for the above two .exe files, but not for the third: OTL. When I tried to run OTL from the website, I was told that I could not do so and would have to save it first. So I did so. I was able to open OTL and implement all the steps you outlined, up to and including pasting the "Custom Scan" list. Once I did this, I clicked the "Run Scan" button. The program immediately closed and would not respond. Upon attempting to open OTL a second time, I received that familiar message: "Windows cannot access the specified device, path, or file . . ." as I mentioned earlier in this thread.

Additionally, I'm not even allowed to remove the OTL .exe from my desktop. When I tried to delete it, I'm told that I am not allowed to.

So, unfortunately, I cannot post any logs from OTL. I do, however, have logs from exeHelper and aswMBR. Since you did not ask me to post the log from the exeHelper scan, I will instead only paste the aswMBR one below.

However, before I do so, I would like to point out that it seems the aswMBR scan did not completely cycle through. It found a bunch of errors, but then appeared to stall out near the end. Or perhaps it was already at the end of the scan? I can't tell because there was no message or anything telling me that the scan had been completed. To me it appears as if it simply stopped scanning beyond a certain point. So after 30 minutes of waiting, I finally hit the "save log" button and generated a report.

Maybe you can make sense of it. Here is a copy of the log:

========================aswMBR.txt=========================

11:07:09.250 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
11:07:11.312 Disk 0 MBR read successfully
11:07:11.312 Disk 0 MBR scan
11:07:12.515 Disk 0 Windows XP default MBR code
11:07:12.531 Disk 0 scanning sectors +234372285
11:07:12.781 Disk 0 scanning C:\WINDOWS\system32\drivers
11:08:59.218 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
11:09:14.109 Service scanning
11:09:20.656 Modules scanning
11:09:32.093 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
11:10:02.218 Disk 0 trace - called modules:
11:10:02.250 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5247c0]<<
11:10:02.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a699ab8]
11:10:02.625 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a512e48]
11:10:02.625 \Driver\00000696[0x8a5bcb60] -> IRP_MJ_CREATE -> 0x8a5247c0
11:10:07.375 AVAST engine scan C:\WINDOWS
11:11:33.968 AVAST engine scan C:\WINDOWS\system32
11:20:46.812 AVAST engine scan C:\WINDOWS\system32\drivers
11:21:36.875 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
11:21:59.125 AVAST engine scan C:\Documents and Settings\David Batista
11:55:38.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\MBR.dat"
11:55:38.031 The log file has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\aswMBR.txt"

=========================================================

I would also like to mention that I do own another, more up-to-date PC, running Windows 7. I also own a flash thumb drive. I'm only making you aware of this in case we might be able to use that to fix my infected PC.

Thanks for the help again!

-Ryodin
 
Hello Ryodin
Exehelper.com is a .com file. Reboot and try saving it as requested and running it again.
Then try OTL again please. Let me know results, there are other ways to skin this cat you know.
 
Bill,

I'm running aswMBR again, because I feel that it did not finish through that first scan I posted the log for. As of right now, it's been running for almost 4 hours, and I don't think it's done yet. What I thought was a stall was just in fact a very long scan segment. So the log I posted above was incomplete.

I'm going to let this run for as long as it takes. This means it might be many hours before I can try the new suggestions you mentioned above.

Or do you think I should stop the aswMBR process altogether and try to do what you suggest?

Also, because I have already downloaded and saved OTL to my desktop, I seem to be unable to download it again. The file is refusing to be replaced by the newer copy, and I'm not being allowed to delete it. And as you know now, I'm being denied from opening OTL on my desktop, too. So I'm damned if I don't and damned if I do here.

What can I do?

--Ryodin
 
Hello Ryodin,
The aswMBR log looks like it finished to me. It usually doesn't take more than 10 minutes to run. You can kill it if you wish. I will get back to you soon with another action plan.
 
P.S. -- I downloaded exeHelper.com to my desktop and ran it. So here are the two logs, seemingly identical, that resulted from both attempts. The first one I tried in the morning as soon as I got your message, and it was generated from an online direct run only:


exeHelper by Raktor
Build 20100414
Run at 10:56:21 on 08/20/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...


The second one was generated just now after I saved the program and ran it:

exeHelper by Raktor
Build 20100414
Run at 16:09:30 on 08/20/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


Curiously enough, after I ran it the second time, suddenly my McAfee Security Center went haywire. I keep getting pop up windows telling me that my Firewall is turned off. When I turn it back on, it shuts back down again. And then it comes on by itself a few seconds later, only to shut down once more again a few seconds after that. It keeps doing this until I restart the computer. I'm still running aswMBR, though, so I don't want to reboot my PC at this moment. I'll just leave the Firewall running haywire until the scan is done.
 
Bill,

Okay, well here is the 2nd aswMBR log. Because I let it run a lot longer this time, I noticed there is a 5th error being reported now. The original log only showed 4 error lines in red. So I'm copying the log of the second scan below just in case:


aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-20 12:12:33
-----------------------------
12:12:33.015 OS Version: Windows 5.1.2600 Service Pack 3
12:12:33.015 Number of processors: 1 586 0x209
12:12:33.015 ComputerName: D139KB41 UserName:
12:12:57.375 Initialize success
12:13:30.765 AVAST engine defs: 11082000
12:13:58.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
12:13:58.062 Disk 0 Vendor: ST3120026AS 8.05 Size: 114440MB BusType: 3
12:14:00.093 Disk 0 MBR read successfully
12:14:00.093 Disk 0 MBR scan
12:14:00.250 Disk 0 Windows XP default MBR code
12:14:00.296 Disk 0 scanning sectors +234372285
12:14:00.390 Disk 0 scanning C:\WINDOWS\system32\drivers
12:14:42.187 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
12:14:55.015 Service scanning
12:15:08.468 Modules scanning
12:15:11.656 Module: C:\WINDOWS\System32\DRIVERS\serial.sys **SUSPICIOUS**
12:15:16.546 Disk 0 trace - called modules:
12:15:16.562 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5297c0]<<
12:15:16.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a699ab8]
12:15:16.937 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a4d5030]
12:15:16.937 \Driver\00000711[0x8a5b68e8] -> IRP_MJ_CREATE -> 0x8a5297c0
12:15:20.281 AVAST engine scan C:\WINDOWS
12:15:51.140 AVAST engine scan C:\WINDOWS\system32
12:20:40.171 AVAST engine scan C:\WINDOWS\system32\drivers
12:20:56.921 File: C:\WINDOWS\system32\drivers\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
12:21:04.156 AVAST engine scan C:\Documents and Settings\David Batista
16:19:41.163 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\MBR.dat"
16:19:41.663 The log file has been saved successfully to "C:\Documents and Settings\David Batista\Desktop\Logs\aswMBR2.txt"


--Ryodin (aka David Batista)
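As an added example, not from the thread or from AVAST's tooling: a parser for the aswMBR log format posted above that extracts what a helper reads for (the **INFECTED** and **SUSPICIOUS** entries, the per-disk MBR verdict, and the disk-stack trace) and then correlates the IRP_MJ_CREATE hook target with the address of the module aswMBR could not identify. The sample log is constructed and abridged from the format above, and the correlation rule is my own heuristic, not part of aswMBR.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the aswMBR logs posted above (abridged):
# one event per line, prefixed with a HH:MM:SS.mmm timestamp.
SAMPLE_LOG = """\
12:14:00.093 Disk 0 MBR read successfully
12:14:00.250 Disk 0 Windows XP default MBR code
12:14:00.390 Disk 0 scanning C:\\WINDOWS\\system32\\drivers
12:14:42.187 File: C:\\WINDOWS\\system32\\drivers\\serial.sys **INFECTED** Win32:Sirefef-H [Rtk]
12:15:11.656 Module: C:\\WINDOWS\\System32\\DRIVERS\\serial.sys **SUSPICIOUS**
12:15:16.546 Disk 0 trace - called modules:
12:15:16.562 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5297c0]<<
12:15:16.937 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8a699ab8]
12:15:16.937 \\Driver\\00000711[0x8a5b68e8] -> IRP_MJ_CREATE -> 0x8a5297c0
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (.*)$")
INFECTED_RE = re.compile(r"^File: (.+?) \*\*INFECTED\*\* (.+)$")
SUSPICIOUS_RE = re.compile(r"^Module: (.+?) \*\*SUSPICIOUS\*\*$")
MBR_RE = re.compile(r"^Disk (\d+) (.* MBR code)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.IGNORECASE)
HOOK_RE = re.compile(
    r"^(\\Driver\\\S+)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)$", re.IGNORECASE)


def parse_aswmbr(text: str) -> Dict[str, object]:
    """Pull the findings a helper reads for out of an aswMBR log."""
    infected: List[Tuple[str, str]] = []    # (path, detection name)
    suspicious: List[str] = []              # loaded modules flagged by heuristics
    mbr: Dict[str, str] = {}                # per-disk MBR verdict
    unknown: List[str] = []                 # addresses of unidentified disk-stack modules
    hooks: List[Tuple[str, str, str]] = []  # (driver object, IRP major, target address)
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # banner and blank lines carry no timestamp
        msg = line.group(1)
        m = INFECTED_RE.match(msg)
        if m:
            # A detection on a stock driver path (serial.sys here) means the
            # legitimate file was replaced or patched, not that a new file was dropped.
            infected.append((m.group(1), m.group(2)))
            continue
        m = SUSPICIOUS_RE.match(msg)
        if m:
            suspicious.append(m.group(1))
            continue
        m = MBR_RE.match(msg)
        if m:
            mbr["Disk " + m.group(1)] = m.group(2)
            continue
        m = UNKNOWN_RE.search(msg)
        if m:
            unknown.append(m.group(1).lower())
            continue
        m = HOOK_RE.match(msg)
        if m:
            hooks.append((m.group(1), m.group(2), m.group(3).lower()))
    # An IRP hook whose target is the module aswMBR could not identify is the
    # tell-tale of a kernel-mode rootkit filtering disk I/O below the file system.
    hooked_by_unknown = [h for h in hooks if h[2] in unknown]
    return {
        "infected": infected,
        "suspicious": suspicious,
        "mbr_clean": bool(mbr) and all("default MBR code" in v for v in mbr.values()),
        "unknown_modules": unknown,
        "hooks": hooks,
        "hooked_by_unknown": hooked_by_unknown,
    }


if __name__ == "__main__":
    for key, value in parse_aswmbr(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log above this yields a clean MBR, one infected driver file, and an IRP_MJ_CREATE hook pointing at the unidentified module, which is why the MBR scan alone would not have shown the problem.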
 
OK Ryodin,
Let's try it this way please.

Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Please download and run one of the following tools to help allow other programs to run (courtesy of BleepingComputer.com).
There are 3 different versions. If one of them won't run then download and try to run the other one.

You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
Do not reboot your computer after running rkill as the malware programs will start again.
Remember, RKill must be run each time your PC is booted until exe files will run without it.

Next
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file in your next post.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next post.

Next
If that works, then run OTL again please.

Logs to post:
  • TDSSKiller.txt
  • OTL.txt
 
Okay, I was able to download rkill.exe to the desktop of my infected PC. I then ran it and it seemed to have eliminated a piece of malware. I saved the log of that, and then moved on to the next step.

Next I downloaded and extracted TDSSKiller to the infected PC, I was able to run that process as well. However, the program said it found no infections. None at all.

So, at a loss for what to do next, I tried running OTL again. Now remember, I cannot run the OTL file I previously downloaded. It ran the first time, and then the window suddenly vanished and nothing happened.

So, I had to download OTL anew. Mind you, the previous two downloads are still on my PC, but after failing twice they now refuse to open again or to be sent to the trash bin. This means that I cannot download OTL anew without first choosing a different location other than my desktop. If I don't, the download tries to replace the existing copy of the program and then fails to do so because of some kind of conflict.

So, that all being said now, I went and downloaded a fresh copy of OTL and saved it to a new folder on my desktop. I opened OTL, and selected all the steps I'm supposed to select. I then copied and pasted the info you gave me under "Custom Scan", and hit the "Run Scan" button.

Immediately the OTL window vanished, and I'm left staring at the screen now wondering what to do next. It's been 20 minutes now, and nothing has popped up. I know if I try to open OTL again, I will get that access denied message once more. So I won't do that.

I'm writing this message from my Netbook now, because I don't want to touch the infected PC or reboot it until I hear back from you.

Sorry this is being so difficult. If you would like me to paste copies of the rkill and tdsskiller logs, let me know.

--Ryodin
 
Bill,

I'm just going to go ahead and paste the rkill log in the interim, for whatever it's worth. Here it is:

========================================================
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 08/20/2011 at 17:09:00.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\David Batista\Application Data\Dropbox\bin\Dropbox.exe


Rkill completed on 08/20/2011 at 17:09:09.
=======================================================
The rkill program seemed to have killed something related to my Dropbox folder. I find this interesting because, come to think of it, my Dropbox folder has been acting screwy for a long while. Say, for the past 2 to 3 months or so. Since this folder connects to a cloud service, should I perhaps disengage from Dropbox and remove the folder?

I have Dropbox on my Netbook as well, but have never experienced any problems with the Netbook. It could be that this is because my infected desktop PC is running on Windows XP, whereas my Netbook is running on Windows 7. Don't know if any of this matters, but figured I'd put it out there.

Thanks again for all the wonderful help! I hope we can get to the bottom of this.

--Ryodin

P.S. -- I have not rebooted my PC yet since running rkill.
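An added example, not part of the thread: a small triage routine over the rkill log format posted above that separates the entry a helper would worry about (a process started from an NT object-namespace path such as \\.\globalroot\Device\..., carrying a Windows system binary name but living outside the Windows directory) from an ordinary per-user install like Dropbox, which the helper below confirms is nothing to worry about. The sample log is constructed in the layout of the one above, with a placeholder profile name, and the rules are my own.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of the rkill log posted above; the user
# profile name is a placeholder.
SAMPLE_RKILL_LOG = """\
Rkill was run on 08/20/2011 at 17:09:00.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

\\\\.\\globalroot\\Device\\svchost.exe\\svchost.exe
C:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe

Rkill completed on 08/20/2011 at 17:09:09.
"""

# Core Windows binaries that only ever run from the Windows directory tree;
# the same file name anywhere else is masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe"}
GLOBALROOT_RE = re.compile(r"^\\\\[.?]\\globalroot\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def terminated_processes(text: str) -> List[str]:
    """Return the image paths listed in the 'Processes terminated' section."""
    paths, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Processes terminated"):
            in_section = True
        elif line.startswith("Rkill completed"):
            break
        elif in_section and line:
            paths.append(line)
    return paths


def triage(path: str) -> Tuple[str, str]:
    """Classify one terminated process as 'high' or 'info', with the reason."""
    reasons = []
    name = path.rsplit("\\", 1)[-1].lower()
    if GLOBALROOT_RE.match(path):
        # \\.\globalroot\ addresses the NT object namespace directly. Normal
        # programs start from a drive-letter path; rootkits use this form to
        # run a file that is hidden from the file system view.
        reasons.append("image path is in the NT object namespace (globalroot)")
    if name in SYSTEM_BINARIES and not WINDIR_RE.match(path):
        reasons.append(f"{name} running outside the Windows directory")
    if reasons:
        return "high", "; ".join(reasons)
    if "\\application data\\" in path.lower():
        # Per-user installs (Dropbox on XP, for one) legitimately live here.
        return "info", "per-user install under the profile's Application Data"
    return "info", "no indicator matched"


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """(path, verdict, reason) for every process rkill reported terminating."""
    return [(p, *triage(p)) for p in terminated_processes(text)]
```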
 
I am not seeing anything wrong with dropbox.exe. You can reboot your pc anytime you wish, just rerun rkill after booting.
Back soon.
 
Greetings Ryodin,
This one is a bit stubborn. Let's go at it from this direction.

***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below and save it to your desktop.

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Bill,

I was away from the PC for a bit, sorry about the delay. I'm writing this from my Netbook, which is not infected. Right now ComboFix is running on the infected machine. In the meantime I wanted you to know that I received a message from ComboFix saying that it detected an infection of "Rootkit.ZeroAccess." ComboFix then went on to call it a "particularly difficult infection."

I was told to be patient and to let ComboFix run its course. Also, that if I should lose Internet access at anytime, to wait for ComboFix to run completely and automatically reboot the machine. That should fix it. If not, to run ComboFix one more time.

I checked, and sure enough I no longer had Internet access.

ComboFix just finished its run and confirmed that I did indeed have a rootkit infection. It has now rebooted my PC and now I'm waiting. I'll post back in a little while when I can.

--Ryodin
 
Okay, I'm starting to get worried now.

My PC rebooted and immediately upon startup ComboFix continued running. It started listing each stage as it completed. Sometime around Stage 30, I received a pop-up window stating that "PEV.exe encountered a problem and needs to close."

I have no idea what PEV.exe is, but I hope it doesn't cause a problem.

ComboFix continued to run after this. It completed Stage 50, then it started deleting a bunch of files.

However, now it seems to have stalled. ComboFix has been on the same line now for 35 minutes. Nothing's changed in all that time. Every now and then an hour glass shows up, then vanishes. And the cursor in the ComboFix window is still blinking.

What should I do? None of my desktop icons are showing, and I can't access any other area of my PC. The only thing on the screen right now is this ComboFix window. I'm afraid if I shut the machine down in the middle of the process I won't be able to start it up again.

Until I hear back from you, I'll let it continue to run.

--Ryodin
 
It is almost 11:00 so let it go tonight. Sometimes CF takes quite a while, I have seen over half an hour on a clean machine. If you are a night owl stop it in 2 hrs. The fact that it completed stage 50 is good, and deleting files is also good. It found a nasty rootkit and is trying to deal with it now. Sometimes it will stall.
 