Solved

McAfee keeps Deleting ComboFix

Posted on 2010-08-27
30 Comments, 659 Views
Last Modified: 2012-05-10
Experts -

I've been working on a PC here; it has McAfee, and obviously has some rootkit activity going on. I ran Malwarebytes to the point of no result, but the problem keeps coming back; I'm sure it's a rootkit. I normally use ComboFix; the problem is, McAfee keeps deleting it each time I run it. I cannot find a way to disable McAfee and allow it to run. Any ideas?
Question by:STS-Tech
30 Comments
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33541492
In the AV options, there is always an exclude list. Just create a new folder, add it to the exclude list, then copy combofix there.

Alternately, you could simply stop AV services and run combofix. You could also simply run in safe mode and do the same.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33541523
Clus - I've tried safe mode, and disabling the services via msconfig, but McAfee will still start. I'm looking for a way to exclude files and folders, but I can't find any option for this in McAfee.
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33541586
Safe mode shouldn't load AV. Safe mode only loads essential drivers and services. Sounds to me like you have McAfee infected. In your case, I would probably use a Live CD.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33541597
Not to be bothersome, but every computer I've worked on with McAfee, Norton, and Kaspersky loads the anti-virus in safe mode.

I think I will need to uninstall McAfee.
 
LVL 2

Expert Comment

by:zsaurabh
ID: 33541601
Go to services.msc and stop the McAfee services, then run ComboFix.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33541629
Disabling services did not work; I cannot disable the real-time scan service, which could be the problem.
 
LVL 2

Expert Comment

by:zsaurabh
ID: 33541659
Check the registry...

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee  
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield

See if you have permissions on these folders.

Give permission to yourself and stop/pause the McAfee services.
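The two suggestions above (stop the McAfee services; check who holds permissions on the McAfee keys) can be checked from one script before anything is changed. The following is an added example and not code from the thread or from McAfee: it reads the state of the two services named above, prints the ACL on each of the three keys, and lists which McAfee components are registered to load in Safe Mode (which is what decides whether an AV keeps running there). Service and key names are taken from the thread; the SafeBoot key and the `mcafee|mcshield|mfe` name pattern are this example's own assumptions. It uses `Get-WmiObject` so it runs on the PowerShell 2.0 that shipped with Windows 7-era machines; it only reads and stops nothing.

```powershell
# Added example (not from the thread or McAfee): report-only inventory of the McAfee
# services and registry keys named in the thread, plus the Safe Mode service list.

$serviceNames = 'McShield', 'McAfeeFramework'          # service names from the thread
$keyPaths = @(
    'HKLM:\SOFTWARE\McAfee',
    'HKLM:\SYSTEM\CurrentControlSet\Services\McAfeeFramework',
    'HKLM:\SYSTEM\CurrentControlSet\Services\McShield'
)

# 1. Service state, start mode, and whether the service even accepts a stop request.
#    AcceptStop=False is the normal reason "stop" fails on a self-protecting AV engine.
foreach ($name in $serviceNames) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { "$name : not installed"; continue }
    "$name : State=$($svc.State) StartMode=$($svc.StartMode) AcceptStop=$($svc.AcceptStop)"
    "    binary: $($svc.PathName)"
}

# 2. Who may write each key. An 'access denied' on a key that an administrator should
#    own is itself a finding: something is guarding that key.
foreach ($path in $keyPaths) {
    if (-not (Test-Path -Path $path)) { "$path : missing"; continue }
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        "$path"
        foreach ($ace in $acl.Access) {
            "    $($ace.IdentityReference) : $($ace.AccessControlType) $($ace.RegistryRights)"
        }
    } catch {
        "$path : ACL not readable ($($_.Exception.Message))"
    }
}

# 3. Safe Mode still loads every service and driver listed under SafeBoot\Minimal, so an AV
#    registered there keeps running in Safe Mode. The name pattern is an assumption.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
Get-ChildItem -Path $safeBoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match 'mcafee|mcshield|mfe' } |
    ForEach-Object { "Safe Mode loads: $($_.PSChildName)" }
```

Run it from an elevated PowerShell prompt. If section 2 reports that an administrator cannot even read the ACL of a key the product installed, treat that as a sign that a kernel component (the product's own self-protection, or something else) is filtering registry access, and stop trying to fix it from inside the running system: that is the situation where an offline scan of the drive is the safer route.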
 
LVL 2

Author Comment

by:STS-Tech
ID: 33541735
OK, well, I removed McAfee, and the file is still being deleted. I've renamed, redownloaded, run Malwarebytes, RKill, SmitfraudFix, but ComboFix just keeps getting deleted. Any ideas?
 
LVL 2

Expert Comment

by:zsaurabh
ID: 33541747
Do you have any other Antivirus running?
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33541762
Most likely, your rootkit is what's deleting the file. A live CD would be your best option (or a rescue CD).
 
LVL 2

Author Comment

by:STS-Tech
ID: 33541765
No, I do not.
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33541768
Or removing the hard drive and plugging it to another PC as a slave.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33541774
Clus - any good ideas for a rescue CD? I know I have an Ultimate Boot CD somewhere around here that has Avira Rescue.
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33541805
If you have a good AV in a nearby computer, use that one.
We use CA eTrust in our company. I, myself, have always been a bit partial to Nod32. It's your choice, really. But, for this, don't go with a free version. They're not worth it for cleaning infections. They're just reasonable in preventing them.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33541816
OK, I'll run a KAV scan on it after my GMER scan finishes.
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33541834
Alternatively, you could use a Linux CD, like I suggested, then run ComboFix on WINE. Or run a Windows live CD.
 
LVL 30

Expert Comment

by:flubbster
ID: 33541893
 
LVL 22

Expert Comment

by:optoma
ID: 33542718
Run TDSSKiller and HitmanPro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

Also try ComboFix again, but rename it prior to saving it to the desktop.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33542902
GMER found a bad service; I was unable to delete it, so I disabled it so I could delete it next go-around. When I rebooted, GMER found nothing. I tried running ComboFix and it was still deleted. I then tried to use the KAV rescue CD, which would not boot. Next I tried Avira; it just finished and found no results. Any other ideas? I can still slave it and run KAV on the drive, but at the moment I have another drive hooked up to that PC.

Any other ideas?
 
LVL 30

Expert Comment

by:flubbster
ID: 33542974
Open the registry and navigate to here:

HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Scroll down through that key and look for any entries that have combofix. If found, delete them. If you like, select the entry and look on the right side of the screen to see what the entry is set for. If it exists, I bet it is deleting it on execution. Entries in this key remap applications to another function, redirect them, or can delete them as you are seeing.
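The check flubbster describes can be scripted so that the whole key is reviewed rather than scrolled by eye. The following is an added example, not flubbster's code: it lists every Image File Execution Options subkey that carries a `Debugger` value (the value that makes Windows start the named path instead of the program) together with any subkey named after ComboFix, and tags each hit. It reports only; the `Flag` heuristics and the `combofix` name pattern are this example's own assumptions, and a hit is not automatically malicious, since legitimate tools use the same mechanism (Process Explorer's "Replace Task Manager" option writes a Debugger value for taskmgr.exe).

```powershell
# Added example (not flubbster's code): report-only audit of the IFEO key.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$nameOfInterest = 'combofix'     # the tool being deleted in this thread (assumption: regex match)

$hits = foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction Stop) {
    $image    = $sub.PSChildName
    $debugger = (Get-ItemProperty -Path $sub.PSPath).Debugger   # $null when absent

    if ($debugger -or $image -match $nameOfInterest) {
        # Heuristic tags only; every hit still needs a human look.
        if (-not $debugger) {
            $flag = 'subkey named after target (no Debugger value)'
        } elseif ($debugger -match '\\Users\\|\\Temp\\|\\AppData\\') {
            $flag = 'Debugger in a user-writable location'
        } elseif (-not (Test-Path -Path ($debugger -replace '"', '' -replace '\s.*$', ''))) {
            $flag = 'Debugger path does not exist on disk'
        } else {
            $flag = 'has Debugger value'
        }
        New-Object PSObject -Property @{ Image = $image; Debugger = $debugger; Flag = $flag }
    }
}

if ($hits) {
    $hits | Format-Table Image, Debugger, Flag -AutoSize
} else {
    'No IFEO Debugger entries and no subkey matching the target name.'
}
```

The path test strips surrounding quotes and anything after the first space (arguments), which is good enough to tell a missing binary from a present one for the usual `"C:\path\tool.exe" /args` form. Subkeys with only `MitigationOptions`, `GlobalFlag` or similar values and no `Debugger` are normal and are not listed.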
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33543016
If you had found out the infection name, it would be a good idea to run a removal tool for it. Other than that, however, I don't think you need to do anything more. Your system seems to be clean, though I would rerun Malwarebytes, just to be sure.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33543138
Flub - I see nothing for ComboFix in that area.

Clus - I wish I had written it down, dumbass mistake. I feel that something has to be affecting it still to keep deleting ComboFix as soon as it runs.
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33543186
Did you try changing the exe name, as suggested?
 
LVL 2

Author Comment

by:STS-Tech
ID: 33543201
Yes, I did, multiple times; that was my first method to troubleshoot.
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33543215
Is this the only exe this happens with? Have you tried the exact same file in another PC? Or scan the file in another PC?
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33543224
Also, what if you try to download it from their site and run that one?
 
LVL 2

Author Comment

by:STS-Tech
ID: 33543270
Yes, it is the only EXE; MBAM is fine, SmitfraudFix, GMER, RKill, anything I throw at it is fine, just ComboFix. I'll try a new EXE and report back.
 
LVL 2

Author Comment

by:STS-Tech
ID: 33543317
Well, guess what? It worked! I downloaded it, renamed it, and it ran. It's running now; I received a popup though, from Data Execution Prevention. It says it closed the program, but ComboFix is still running. Any ideas?
 
LVL 18

Accepted Solution

by:Cluskitt (earned 500 total points)
ID: 33543334
Ah, so that is your problem. DEP is seeing combofix as a threat. Check this: http://support.microsoft.com/kb/875352
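Before following the KB article's steps, it helps to know what DEP policy the machine actually enforces and which programs are already on its exception list. The following is an added example, not Cluskitt's code and not from the KB article: it reads the DEP policy from `Win32_OperatingSystem` and lists the per-machine and per-user AppCompat layer entries that carry the `DisableNXShowUI` flag, which is how Windows records a program added to the DEP exception list in System Properties. The policy-name table and the layer value names are this example's own; it changes nothing.

```powershell
# Added example (not from the thread or the KB article): show the DEP policy in force and
# the programs currently excepted from it. Output only.

$os = Get-WmiObject -Class Win32_OperatingSystem
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn  (Windows programs and services only)'
    3 = 'OptOut (all programs except the exception list)'
}
"DEP available        : $($os.DataExecutionPrevention_Available)"
"DEP policy           : $($policyNames[[int]$os.DataExecutionPrevention_SupportPolicy])"
"DEP for 32-bit apps  : $($os.DataExecutionPrevention_32BitApplications)"

# A program added to the DEP exception list is stored as an AppCompat layer string that
# contains DisableNXShowUI, keyed by the program's full path.
$layerKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
             'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
foreach ($key in $layerKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }            # skip PowerShell's own path members
        if ($prop.Value -match 'DisableNXShowUI') {
            "DEP exception: $($prop.Name) = $($prop.Value)"
        }
    }
}
```

Two things worth knowing when reading the output: the exception list only matters under the OptOut policy (under OptIn, a 32-bit program that does not opt in is not covered anyway, and 64-bit processes always run with DEP), and a DEP dialog names one process, so a tool that spawns helper processes can keep running after one of them has been terminated, which is consistent with the behaviour described in the previous post.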
 
LVL 22

Expert Comment

by:optoma
ID: 33543467
Post CF's log when completed. No harm in running the other scanners.