Solved

Malwarebytes' installs but the mbam.exe is then silently deleted

Posted on 2010-04-01
Last Modified: 2013-11-22
Trojan and backdoor problems on an XP SP3 machine. Have run multiple tools.
XP keeps restoring several registry keys. Of most concern is the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ value:
kuruwezame  REG_SZ  rundll32.exe "vumefesa.dll",s
and
HKLM\Software\Microsoft\Windows\kakuzaro (this one is a key)
which contains deralepi and dezozigu as REG_BINARY.
Cannot find the process that continues to replace these values in the registry.

Used Killbox to remove vumefesa.dll.

Multiple Trojan.Vundo, TDSS.SMG, backdoor.tideserv!inf and SpywareQuake, to name a few, were found by different tools.
Some are removed by the utilities run (CCleaner, ComboFix, SmitfraudFix, Trend Micro's HouseCall), but I still cannot get Malwarebytes to run: it does install but will not run.

Selective Startup, unselecting System.INI, Win.ini and Load System Services: CANNOT unselect Load Startup Items (greyed out), and the only startup item continues to be the rundll32.exe "vumefesa.dll",s

PC has Symantec Endpoint v11 (mostly worthless lately). Trying to resolve without rebuilding the OS and application config.
Question by:FL4TJM
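The Run-key value and the REG_BINARY subkey described in the question are the kind of autorun entries worth triaging mechanically, and the "keeps coming back" behaviour is easiest to pin down by exporting the keys twice and diffing. The Python script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses the text that `reg export` writes, flags rundll32 entries that load a DLL by bare name (and host binaries given without a path), flags binary blobs parked in an unexpected subkey of HKLM\SOFTWARE\Microsoft\Windows, and diffs two exports to list what was re-created. The .reg samples are constructed around the names in the post; the ccApp entry, the hex bytes and the subkey allowlist are assumptions.

```python
"""Triage Run-key values parsed from `reg export` text and diff two exports.
Added example, not code from the thread: the .reg samples are constructed
(names from the post; ccApp entry, hex bytes and allowlist are assumptions)."""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name -> data}

SNAPSHOT_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"kuruwezame"="rundll32.exe \"vumefesa.dll\",s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\kakuzaro]
"deralepi"=hex:7a,01,00,00,c3,9f,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,\
  ff,00,10,20
"dezozigu"=hex:01,00,00,00
'''
# Export taken right after deleting the value and the key (constructed).
SNAPSHOT_AFTER_DELETE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
'''
SNAPSHOT_LATER = SNAPSHOT_BEFORE  # minutes later: everything re-created
# Subkeys expected directly under HKLM\SOFTWARE\Microsoft\Windows on XP;
# a starting allowlist (assumption), extend it from a known-clean machine.
KNOWN_WINDOWS_SUBKEYS = {"currentversion", "help", "html help", "itstorage",
                         "shell", "shellnoroam"}

def parse_reg_export(text: str) -> RegTree:
    """[key] headers, "name"="string" (\\ and \" escapes) and name=hex:/dword:
    data, hex continued on lines ending in a backslash, as `reg export` writes."""
    tree: RegTree = {}
    current, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):  # hex continuation
            line, i = line[:-1] + lines[i].strip(), i + 1
        m = re.match(r'^(?:"(.+?)"|@)=(.*)$', line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo REG_SZ escaping
            tree[current][m.group(1) or "(Default)"] = data
    return tree

def split_command(cmd: str) -> Tuple[str, str]:
    """(executable, remaining arguments), honouring a quoted executable path."""
    m = re.match(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', cmd)
    return ((m.group(1) or m.group(2)), m.group(3)) if m else (cmd, "")

def flag_command(cmd: str) -> List[str]:
    """Reasons a Run-key command line deserves a look; empty list means none."""
    reasons, (exe, rest) = [], split_command(cmd)
    if exe and "\\" not in exe and "/" not in exe:
        reasons.append("host binary %r given without a path (found via search order)" % exe)
    if exe.rsplit("\\", 1)[-1].lower() in ("rundll32.exe", "rundll32"):
        m = re.match(r'^\s*(?:"([^"]+)"|([^,\s]+))', rest)
        dll = (m.group(1) or m.group(2)) if m else ""
        if dll and "\\" not in dll and "/" not in dll:
            reasons.append("rundll32 loads DLL %r by bare name; check which copy the loader finds" % dll)
    return reasons

def triage(tree: RegTree) -> Dict[str, List[str]]:
    """Flag Run/RunOnce values and REG_BINARY blobs parked in unexpected subkeys."""
    findings: Dict[str, List[str]] = {}
    for key, values in tree.items():
        tail = key.rsplit("\\", 1)[-1].lower()
        if tail in ("run", "runonce"):
            for name, data in values.items():
                if reasons := flag_command(data):
                    findings[key + "\\" + name] = reasons
        elif (key.lower().endswith("\\microsoft\\windows\\" + tail)
              and tail not in KNOWN_WINDOWS_SUBKEYS):
            for name, data in values.items():
                if data.lower().startswith("hex:"):
                    findings[key + "\\" + name] = ["REG_BINARY blob under non-standard subkey %r" % tail]
    return findings

def diff_snapshots(old: RegTree, new: RegTree) -> Dict[str, List[str]]:
    """Values added/removed/changed between exports; 'added' = re-created."""
    out: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for key in set(old) | set(new):
        o, n = old.get(key, {}), new.get(key, {})
        for name in set(o) | set(n):
            path = key + "\\" + name
            kind = "added" if name not in o else "removed" if name not in n else "changed"
            if kind != "changed" or o[name] != n[name]:
                out[kind].append(path)
    return {k: sorted(v) for k, v in out.items()}
```

On the infected machine the two exports would be `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run1.reg` right after deleting the value and the same command a few minutes later (the files are usually UTF-16, so read them with `encoding="utf-16"`); `diff_snapshots` then lists what came back, and Process Monitor filtered on RegSetValue for that path shows which process wrote it. The allowlist branch is deliberately coarse: a binary blob under an unfamiliar subkey is a prompt to look, not proof of infection.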
10 Comments
 

Expert Comment

by:ERAU-Infrastructure
ID: 29377822
I know this sounds obvious, but did you do the following before running all the clean-up tools...

- Get a full backup of infected system.
- Disable system restore
- Enable the viewing of Hidden & System Files
- Manually empty C:\Temp folder of everything
- Clear your browser cache
- Boot in Safe Mode (without networking) to run ALL tools

I have found if you miss even one of these steps, the likelihood of getting all the bugs off with the tools will be slim to none.
 
LVL 27

Expert Comment

by:David-Howard
ID: 29377960
If you have not yet run any of your antimalware/antivirus utilities in Safe Mode please do so.
Some malware/viruses disable antimalware suites if they are downloaded with their default names.
Please attempt to download (through browser, USB drive, etc.) malwarebytes again. However, do not accept the default download name. It should be renamed prior to saving and installing on your system.
Example: Default Malwarebytes download name=MBam.exe
Save this file as MB.123
Once saved to your system, rename to MB.exe and attempt to install, update and then scan.
 
LVL 7

Accepted Solution

by:sirocco87
sirocco87 earned 1000 total points
ID: 29380498
Use rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com) to kill enough malware processes so that you can get Super Anti Spyware portable to run (http://www.superantispyware.com/portablescanner.html). The beauty of this tool is that it has a unique file name which helps it escape detection. You might want to go into preferences and quickly tweak a few settings e.g. let it scan every file type and not just .exe files. If you have time, do a full system scan, reboot and then try malwarebytes.  
 
LVL 30

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 200 total points
ID: 29383601
You might want to take the relatively easy step of booting from CD. This bypasses your operating system completely. If you don't already have a boot CD with tools (I strongly recommend UBCD/UBCD4Win), you can get prebuilt ones from the link below, or instructions on how to build a UBCD from the article below.

article on UBCD: http://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html

Free downloads of prebuilts: http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
 

Author Comment

by:FL4TJM
ID: 29385557
In reply to the 4 posts (thanks for the prompt suggestions):
ERAU: yes, sorry, I did not make it clear; I did disable System Restore and restarted in Safe Mode, logged in as admin. View changes were another source of concern: it kept reverting back to hiding extensions and icons even though I changed and applied the setting to all folders. Dumped temp from each user profile folder and from Windows, and cleared all of the IE temp files and cache as a starting point.
David Howard: yes, renaming mbam-setup.exe allowed it to install, but after install Malwarebytes does not start. Removed all registry references and tried to install to different locations as well; it seems to defend well against Malwarebytes.
sirocco87: used rkill and killed everything it found; SUPERAntiSpyware would not run either, it errors out as soon as I attempt to install. SAS and MBAM would not run at all.
tzucker: booted from the OEM XP CD and removed the files in C:\Windows\System32 with yesterday's date stamp, which helped, but from there I cannot run a scanning tool directly. Took the drive out of the computer and connected it to another PC; scanning the problem drive as a secondary drive in that PC now and will check on it in the AM.

Thanks for all the suggestions; will update in the morning. Done for the day.
 
LVL 7

Expert Comment

by:sirocco87
ID: 29385815
Did you run SAS after running rkill?
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 800 total points
ID: 29401073
You need to rename mbam.exe to something else after installation also.

If it still won't run, download exeHelper and also TDSSKiller, then run ComboFix and attach the log.
Check this article for the download links and for what to do if you have problems running .exes:
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
By the way, System Restore should have been left intact until the system is stable or clean. There is no advantage (only a disadvantage) in deleting those restore points prior to cleanup.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 29401379
I see you've already run ComboFix... can you please attach/post the log. ComboFix doesn't automatically delete all bad files, sometimes we need to use its script function to remove the infections.
 
LVL 10

Expert Comment

by:c_a_n_o_n
ID: 29475016
If your system is infected with a pest, malware, trojan, or virus, your system will behave unexpectedly. The best method to attempt resolution is to completely rule out the operating system by bypassing it. To do so, you will need a rescue CD. There are several out there, and you might be able to create one; there are instructions and sites that can assist with that. But the easiest way is to use a product that is FREE, and that I have used successfully for several of my clients and on many workstations.

BitDefender (FREE downloadable Rescue CD), available here:
http://download.bitdefender.com/rescue_cd/

Instructions on the product.
http://www.bitdefender.com/KB417-en--Using-the-BitDefender-Rescue-CD.html

Hope this helps.

PS.  This may sound like a "canned" response, it just might be.  However, it is the easiest and most effective method to resolve a situation like this.
 

Author Closing Comment

by:FL4TJM
ID: 31710359
The solution was found using multiple tools, some of which I had, others that were added here. I had already pulled the drive and put it into another PC, then ran Malwarebytes and SAS. This found and removed most of the trojans, backdoors and rootkit files, some of which were system files, and ALL of the .EXE items listed in the system startup had been infected. Removed those and extracted the needed system files from CD or by download from MS, and reinstalled some of the other programs after all was clean (I hope). (As a side note, when the drive was in the original PC a couple of the directories showed multiple instances of the same file name, a new one to me, e.g. AcroTray.exe and acrotray.exe in the same directory.) With the culprit files removed, Safe Mode with Selective Startup worked and allowed me to use some of the Expert suggestions as below:

sirocco87's suggestion to use the SAS portable got most of the remnants that I was not finding. I had tried to use SAS, but NOT the portable version, after running rkill; that found and removed multiple remaining items but not all.

rpggamergirl's suggestion to use TDSSKiller and then ComboFix (again) seemed to finish the job. BTW, excellent link to a very good KB article.

tzucker's suggestion would have saved me a bunch of time; I have now cut a boot CD from his link and will test that and try to use some of the scanners while booted from the CD media.

Thanks to all who contributed and helped me get this one back up and running.

Side note/rant:
The malware/viruses/rootkits are getting out of control, and there does not seem to be a single product that can stop them all nor any single utility that cleans them all. Symantec, McAfee, CA, AVG, Kaspersky: what good is paying any of these companies for products that do not fully protect? I have seen periods over the last 20 years when threats were ahead of the protection vendors, but lately it has been tough.
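The closing comment's observation of AcroTray.exe and acrotray.exe side by side in one folder is worth turning into a check: on a case-insensitive NTFS volume two names that differ only in case normally cannot coexist, and the same look-alike trick shows up as trailing dots or spaces, Cyrillic letters that render like Latin ones, or l/1/I and o/0 swaps. The Python below is an added example, not code from the thread or from any tool named in it: it collapses each directory entry to a comparison "skeleton" and reports any skeleton shared by two or more entries. SAMPLE_LISTING is constructed, and the confusables map is a deliberately small stand-in for the full Unicode TR39 table.

```python
"""Group directory entries that collide after name normalisation.
Added example, not from the thread; SAMPLE_LISTING is constructed and
CONFUSABLES is a simplified stand-in for the Unicode TR39 confusables table."""
import os
import unicodedata
from collections import defaultdict
from typing import Dict, Iterable, List

SAMPLE_LISTING = [
    "AcroTray.exe", "acrotray.exe", "AcroRd32.exe",    # the poster's observation
    "svchost.exe", "svchost.exe ", "svch\u043est.exe",  # trailing space, Cyrillic o
    "explorer.exe", "explorer.exe.",                    # trailing dot
    "rundll32.exe", "rundIl32.exe",                     # capital I for lowercase l
]

# Simplified confusables map (assumption): Cyrillic letters that render like
# Latin ones, plus the digit/letter swaps common in file-name spoofing.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "1": "l", "i": "l", "0": "o",
})

def skeleton(name: str) -> str:
    """Comparison key: NFKC, case-folded, trailing dots/spaces stripped
    (Win32 drops them when creating files), then the confusables map."""
    folded = unicodedata.normalize("NFKC", name).casefold().rstrip(". ")
    return folded.translate(CONFUSABLES)

def find_collisions(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each skeleton shared by two or more entries to those entries."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        groups[skeleton(n)].append(n)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def scan_directory(path: str) -> Dict[str, List[str]]:
    """Run find_collisions over a real folder, e.g. a mounted System32."""
    return find_collisions(os.listdir(path))

if __name__ == "__main__":
    for key, hits in find_collisions(SAMPLE_LISTING).items():
        print(key, "<-", hits)
```

The i/l and 0/o folds are coarse on purpose and will group some honest neighbours (file.exe and flle.exe); treat a hit as a prompt to compare the two files' sizes, signatures and timestamps, not as a verdict.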
