Malwarebytes installs but mbam.exe is then silently deleted

Trojan and backdoor problems on an XP SP3 machine; have run multiple tools.
The XP registry keeps restoring several registry keys. Of most concern is the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ value
kuruwezame  REG_SZ  rundll32.exe "vumefesa.dll",s
and
HKLM\Software\Microsoft\Windows\kakuzaro  (this one is a key)
which contains deralepi and dezozigu as REG_BINARY values.
I cannot find the process that continues to replace these values in the registry.

Used Killbox to remove the vumefesa.dll.

Multiple Trojan.Vundo, TDSS.SMG, Backdoor.Tidserv!inf, SpywareQuake, to name a few, were found by different tools.
Some are removed by some of the utilities run (CCleaner, ComboFix, SmitFraudFix, Trend Micro's HouseCall), but I still cannot get Malwarebytes to run: it does install but will not run.

Selective Startup: unselecting System.ini, Win.ini and Load System Services works, but I CANNOT unselect Load Startup Items (greyed out), and the only startup item continues to be rundll32.exe "vumefesa.dll",s

The PC has Symantec Endpoint Protection v11, mostly worthless lately. Trying to resolve this without rebuilding the OS and application config.
FL4TJM asked:
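As an added example (not code from this thread), here is a small Python checker run against a constructed .reg export that mimics the entries described in the question: it flags a Run value whose rundll32 target is a bare DLL name, and REG_BINARY values sitting in a non-standard key directly under HKLM\Software\Microsoft\Windows. The sample data, key paths and heuristics are assumptions for illustration; on a real machine you would export the keys with regedit and feed that file to scan_reg_export.

```python
import re

# Constructed sample .reg export modelled on the entries the question describes;
# the value names, DLL name and hex bytes are illustrative, not data from the machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"kuruwezame"="rundll32.exe \"vumefesa.dll\",s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\kakuzaro]
"deralepi"=hex:01,02,03,04
"dezozigu"=hex:0a,0b,0c,0d
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# rundll32 target: optional .reg quoting, then the DLL, then the entry point after the comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+\\?"?([^",]+?\.dll)\\?"?,', re.I)


def parse_reg(text):
    """Return (key, value name, raw value) triples from a .reg export."""
    out, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            out.append((key, m.group(1), m.group(2)))
    return out


def scan_reg_export(text):
    """Flag Run entries whose rundll32 target is an unqualified DLL name, and
    REG_BINARY values parked in a non-standard key directly below the Windows key."""
    findings = []
    for key, name, raw in parse_reg(text):
        k = key.lower()
        if k == RUN_KEY:
            m = RUNDLL_RE.search(raw)
            if m and "\\" not in m.group(1):  # no path: resolved via the DLL search order
                findings.append(f"{key} : {name} runs rundll32 with unqualified DLL '{m.group(1)}'")
        elif k.startswith(WINDOWS_KEY + "\\") and not k.startswith(WINDOWS_KEY + "\\currentversion") \
                and raw.startswith("hex:"):
            findings.append(f"{key} : REG_BINARY value '{name}' under non-standard key")
    return findings
```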
ERAU-Infrastructure commented:
I know this sounds obvious, but did you do the following before running all the clean-up tools...

- Get a full backup of infected system.
- Disable system restore
- Enable the viewing of Hidden & System Files
- Manually empty C:\Temp folder of everything
- Clear your browser cache
- Boot in Safe Mode (without networking) to run ALL tools

I have found if you miss even one of these steps, the likelihood of getting all the bugs off with the tools will be slim to none.
David-Howard commented:
If you have not yet run any of your antimalware/antivirus utilities in Safe Mode please do so.
Some malware/viruses disable antimalware suites if they are downloaded with their default names.
Please attempt to download (through browser, USB drive, etc.) malwarebytes again. However, do not accept the default download name. It should be renamed prior to saving and installing on your system.
Example: the default Malwarebytes download name is mbam.exe.
Save this file as MB.123.
Once saved to your system, rename it to MB.exe and attempt to install, update and then scan.
sirocco87 commented:
Use rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com) to kill enough malware processes so that you can get SUPERAntiSpyware Portable to run (http://www.superantispyware.com/portablescanner.html). The beauty of this tool is that it has a unique file name, which helps it escape detection. You might want to go into preferences and quickly tweak a few settings, e.g. let it scan every file type and not just .exe files. If you have time, do a full system scan, reboot and then try Malwarebytes.
Thomas Zucker-Scharff (Solution Guide) commented:
You might want to take the relatively easy step of booting from CD. This bypasses your operating system completely. If you don't already have a boot CD with tools (I strongly recommend UBCD/UBCD4Win), you can get prebuilt ones from the link below, or instructions on how to build a UBCD from the article below.

article on UBCD: http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html

Free downloads of prebuilts: http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
FL4TJM (author) commented:
In reply to the 4 posts (thanks for the prompt suggestions):
ERAU: yes, sorry, I did not make it clear. I did disable System Restore and restart in Safe Mode, logging in as admin. The view changes were another source of concern: it kept reverting back to hiding extensions and icons even though I changed and applied the setting to all folders. Dumped temp from each user profile folder and Windows, and cleared everything from the IE temp and cache as a starting point.
David Howard: yes, renaming mbam-setup.exe allowed it to install, but after install Malwarebytes does not start. Removed all registry references and tried to install to different locations as well; it seems to defend well against Malwarebytes.
sirocco87: used rkill and killed everything it found. SUPERAntiSpyware would not run either; it errors out as soon as I attempt to install. SAS and MBAM would not run at all.
tzucker: booted from the OEM XP CD and removed the files in C:\Windows\system32 with yesterday's date stamp, which helped, but from there I cannot run a scanning tool directly. Took the drive out of the computer and connected it to another PC; scanning the problem drive as a secondary drive in that PC now and will check on it in the AM.

Thanks for all the suggestions, will update in the morning. Done for the day.
sirocco87 commented:
Did you run SAS after running rkill?
rpggamergirl commented:
You need to rename mbam.exe to something else after installation also.

If it still won't run, download exeHelper and also TDSSKiller, then run ComboFix and attach the log.
Check this article for the download links and if having problem running .exes:
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
By the way, System Restore should've been left intact till the system is stable or clean. There is no advantage (only disadvantage) in deleting those restore points prior to cleanup.
rpggamergirl commented:
I see you've already run ComboFix... can you please attach/post the log. ComboFix doesn't automatically delete all bad files, sometimes we need to use its script function to remove the infections.
c_a_n_o_n commented:
If your system is infected with a pest, malware, trojan, or virus, your system will behave unexpectedly. The best method to attempt resolution is to completely rule out the operating system by bypassing it. To do so, you will need a rescue CD. There are several out there; you might be able to create one, and there are instructions and sites that can assist with that. But the easiest way is to use a product that is FREE and that I have used successfully for several of my clients and on many workstations.

BitDefender (FREE downloadable Rescue CD), available here:
http://download.bitdefender.com/rescue_cd/

Instructions on the product:
http://www.bitdefender.com/KB417-en--Using-the-BitDefender-Rescue-CD.html

Hope this helps.

PS.  This may sound like a "canned" response, it just might be.  However, it is the easiest and most effective method to resolve a situation like this.
FL4TJM (author) commented:
The solution was found using multiple tools, some of which I had and others that were added here. I had already pulled the drive and put it into another PC, then ran Malwarebytes and SAS. This found and removed most of the trojans, backdoors and rootkit files, some of which were system files, and ALL of the .EXE file items listed in the system startup had been infected. Removed those and extracted the needed system files from CD or by download from MS, and reinstalled some of the other programs after all was clean (I hope). (As a side note, when the drive was in the original PC a couple of the directories showed multiple instances of the same file name, a new one to me, e.g. AcroTray.exe and acrotray.exe in the same directory.) With the culprit files removed, Safe Mode with selective startup worked and allowed me to use some of the Expert suggestions as below:

sirocco87's suggestion to use SAS Portable got most of the remnants that I was not finding. I had tried to use SAS, but NOT the Portable version, after running rkill; that found and removed multiple remaining items but not all.

rpggamergirl's suggestion to use TDSSKiller and then ComboFix (again) seemed to finish the job. BTW, excellent link to a very good KB article.

tzucker's suggestion would have saved me a bunch of time. I have now cut a boot CD from his link and will test that and try to use some of the scanners while booted from the CD media.

Thanks to all who contributed and helped me get this one back up and running.

Side note/rant:
The malware/viruses/rootkits are getting out of control, and there does not seem to be a single product that can stop them all nor any single utility that cleans them all. Symantec, McAfee, CA, AVG, Kaspersky: what good is paying any of these companies for products that do not fully protect? I have seen periods over the last 20 years when threats were ahead of the protection vendors, but lately it has been tough.