Solved

McAfee keeps deleting ComboFix

Posted on 2010-08-27
Last Modified: 2012-05-10
Experts -

I've been working on a PC here. It has McAfee, and obviously has some rootkit activity going on. I ran Malwarebytes to the point of no result, but the problem keeps coming back; I'm sure it's a rootkit. I normally use ComboFix, but the problem is that McAfee keeps deleting it each time I run it. I cannot find a way to disable McAfee and allow it to run. Any ideas?
Question by:STS-Tech
30 Comments
LVL 18

Expert Comment

by:Cluskitt
ID: 33541492
In the AV options, there is always an exclude list. Just create a new folder, add it to the exclude list, then copy ComboFix there.

Alternatively, you could simply stop the AV services and run ComboFix. You could also simply run in safe mode and do the same.
LVL 2

Author Comment

by:STS-Tech
ID: 33541523
Clus - I've tried safe mode, and disabling the services via msconfig, but McAfee will still start. I'm looking for a way to exclude files and folders, but I can't find any option for this in McAfee.
LVL 18

Expert Comment

by:Cluskitt
ID: 33541586
Safe mode shouldn't load the AV. Safe mode only loads essential drivers and services. Sounds to me like you have McAfee infected. In your case, I would probably use a live CD.
LVL 2

Author Comment

by:STS-Tech
ID: 33541597
Not to be bothersome, but every computer I've worked on with McAfee, Norton, and Kaspersky loads the anti-virus in safe mode.

I think I will need to uninstall McAfee.
LVL 2

Expert Comment

by:zsaurabh
ID: 33541601
Go to services.msc and stop the McAfee services, then run ComboFix.
LVL 2

Author Comment

by:STS-Tech
ID: 33541629
Disabling services did not work. I cannot disable the real-time scan service, which could be the problem.
LVL 2

Expert Comment

by:zsaurabh
ID: 33541659
Check the registry...

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield

See if you have permissions on these folders.

Give permission to yourself and stop/pause the McAfee services.
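The two pieces of advice above (stop the McAfee services; check who holds rights on the McAfee registry keys) can be carried out and verified from one elevated PowerShell prompt. The script below is an added example, not code from the thread or from McAfee: it reads the ACL on each of the three keys named above, lists every McAfee service with its state, start mode and binary path, and then attempts to stop the on-access scanner and the framework service. The key and service names are exactly the ones given in the thread; they are assumed to match the McAfee product actually installed, so adjust them if your service list differs.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Key and service names are the ones quoted in the thread; adjust for the
# McAfee product actually installed.
$keys = @(
    'HKLM:\SOFTWARE\McAfee',
    'HKLM:\SYSTEM\CurrentControlSet\Services\McAfeeFramework',
    'HKLM:\SYSTEM\CurrentControlSet\Services\McShield'
)

# 1. Who is allowed to touch each key? A Deny entry for Administrators or
#    SYSTEM is typical of AV self-protection (or of a rootkit guarding its host).
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Host "$key : not present"; continue }
    Write-Host "== $key =="
    (Get-Acl -Path $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize
}

# 2. State, start mode and image path of every McAfee service. Get-WmiObject is
#    used rather than Get-Service because it also exposes StartMode and PathName
#    on the PowerShell versions current for this era of Windows.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Name -like 'Mc*' -or $_.DisplayName -like 'McAfee*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Try to stop the on-access scanner and the framework service. Each failure
#    is reported separately so you can see which one is being protected.
foreach ($svc in 'McShield', 'McAfeeFramework') {
    try {
        Stop-Service -Name $svc -Force -ErrorAction Stop
        Write-Host "$svc stopped"
    } catch {
        Write-Warning "$svc could not be stopped: $($_.Exception.Message)"
    }
}
```

If step 3 fails with an access-denied error even though the prompt is elevated and the ACL in step 1 looks sane, the block is almost certainly the product's own self-protection (in VirusScan Enterprise this is the Access Protection feature, which has rules that stop McAfee services from being terminated and McAfee registry keys from being modified). That has to be switched off from the product's own console before the service can be stopped; re-ACLing the service key from a running, protected OS will not get around it, which is consistent with the author's report that the real-time scan service could not be disabled.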
LVL 2

Author Comment

by:STS-Tech
ID: 33541735
OK, well, I removed McAfee, and the file is still being deleted. I've renamed it, redownloaded it, run Malwarebytes, RKill and SmitFraudFix, but ComboFix just keeps getting deleted. Any ideas?
LVL 2

Expert Comment

by:zsaurabh
ID: 33541747
Do you have any other Antivirus running?
LVL 18

Expert Comment

by:Cluskitt
ID: 33541762
Most likely, your rootkit is what's deleting the file. A live CD would be your best option (or a rescue CD).
LVL 2

Author Comment

by:STS-Tech
ID: 33541765
No, I do not.
LVL 18

Expert Comment

by:Cluskitt
ID: 33541768
Or removing the hard drive and plugging it to another PC as a slave.
LVL 2

Author Comment

by:STS-Tech
ID: 33541774
Clus - any good ideas for a rescue CD? I know I have an Ultimate Boot CD somewhere around here that has Avira Rescue.
LVL 18

Expert Comment

by:Cluskitt
ID: 33541805
If you have a good AV in a nearby computer, use that one.
We use CA eTrust in our company. I, myself, have always been a bit partial to NOD32. It's your choice, really. But, for this, don't go with a free version. They're not worth it for cleaning infections; they're just reasonable at preventing them.
LVL 2

Author Comment

by:STS-Tech
ID: 33541816
OK, I'll run a KAV scan on it after my GMER scan finishes.
LVL 18

Expert Comment

by:Cluskitt
ID: 33541834
Alternatively, you could use a Linux CD, like I suggested, then run ComboFix on WINE. Or run a Windows live CD.
LVL 22

Expert Comment

by:optoma
ID: 33542718
Run TDSSKiller and HitmanPro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

Also try ComboFix again, but rename it prior to saving it to the desktop.
LVL 2

Author Comment

by:STS-Tech
ID: 33542902
GMER found a bad service. I was unable to delete it, so I disabled it so I could delete it next go-around. When I rebooted, GMER found nothing. I tried running ComboFix and it was still deleted. I then tried to use the KAV rescue CD, which would not boot. Next I tried Avira; it just finished and found no results. I can still slave the drive and run KAV on it, but at the moment I have another drive hooked up to that PC.

Any other ideas?
LVL 30

Expert Comment

by:flubbster
ID: 33542974
Open the registry and navigate here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Scroll down through that key and look for any entries that have combofix. If found, delete them. If you like, select the entry and look on the right side of the screen to see what the entry is set to. If it exists, I bet it is deleting it on execution. Entries in this key remap applications to another function, redirect them, or can delete them, as you are seeing.
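The check flubbster describes can be done without scrolling through regedit. The script below is an added example, not code from the thread: it walks every subkey under Image File Execution Options (and the Wow6432Node view present on 64-bit Windows, which is an assumption about the target machine) and reports each one carrying a `Debugger` value. Windows starts whatever that value names in place of the image, so a `combofix.exe` subkey pointing at some other program is exactly the kind of entry being looked for. The script is read-only; the removal line at the end is left commented out.

```powershell
# Added example (not from the thread). Lists every IFEO subkey that carries a
# "Debugger" value. Run from an elevated prompt. The Wow6432Node path is an
# assumption about a 64-bit install; it is skipped if absent.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    foreach ($base in $ifeoPaths) {
        if (-not (Test-Path $base)) { continue }
        foreach ($sub in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            # Subkeys without a Debugger value (GlobalFlag, MinimumStackCommitInBytes,
            # etc.) are harmless for this purpose and are skipped.
            $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image    = $sub.PSChildName   # image file name the entry matches
                    Debugger = $dbg               # program Windows launches instead
                    Path     = $sub.PSPath        # provider path, usable with Remove-ItemProperty
                }
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Host 'No IFEO Debugger entries found.'
} else {
    $entries | Select-Object Image, Debugger | Format-Table -AutoSize
}

# Any entry naming the tool you are trying to run is the one to remove.
$entries | Where-Object { $_.Image -match 'combofix' } | ForEach-Object {
    Write-Warning "IFEO redirect for $($_.Image) -> $($_.Debugger)"
    # Remove-ItemProperty -Path $_.Path -Name Debugger
}
```

Two practical notes. First, an IFEO entry matches on the image file name only, so a renamed copy of the tool sidesteps it; if the renamed copy is still being removed (as the author reports earlier in the thread), the cause is something that inspects content or behaviour rather than this key. Second, not every `Debugger` value is hostile: older Windows versions ship a placeholder subkey named "Your Image File Name Here without a path" with `Debugger` set to `ntsd -d`, and developer machines often carry entries for a just-in-time debugger, so read the `Debugger` column rather than deleting everything the script lists.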
LVL 18

Expert Comment

by:Cluskitt
ID: 33543016
If you had found out the infection name, it would be a good idea to run a removal tool for it. Other than that, however, I don't think you need to do anything more. Your system seems to be clean, though I would rerun Malwarebytes, just to be sure.
LVL 2

Author Comment

by:STS-Tech
ID: 33543138
Flub - I see nothing for ComboFix in that area.

Clus - I wish I had written it down; dumbass mistake. I feel that something still has to be affecting it to keep deleting ComboFix as soon as it runs.
LVL 18

Expert Comment

by:Cluskitt
ID: 33543186
Did you try changing the exe name, as suggested?
LVL 2

Author Comment

by:STS-Tech
ID: 33543201
Yes, I did, multiple times; that was my first troubleshooting step.
LVL 18

Expert Comment

by:Cluskitt
ID: 33543215
Is this the only exe this happens with? Have you tried the exact same file in another PC? Or scan the file in another PC?
LVL 18

Expert Comment

by:Cluskitt
ID: 33543224
Also, what if you try to download it from their site and run that one?
LVL 2

Author Comment

by:STS-Tech
ID: 33543270
Yes, it is the only EXE. MBAM is fine, as are SmitFraudFix, GMER, RKill, anything I throw at it; it's just ComboFix. I'll try a new EXE and report back.
LVL 2

Author Comment

by:STS-Tech
ID: 33543317
Well, guess what? It worked! I downloaded it, renamed it, and it ran. It's running now. I received a popup, though, from Data Execution Prevention; it says it closed the program, but ComboFix is still running. Any ideas?
LVL 18

Accepted Solution

by:Cluskitt (earned 500 total points)
ID: 33543334
Ah, so that is your problem. DEP is seeing combofix as a threat. Check this: http://support.microsoft.com/kb/875352
LVL 22

Expert Comment

by:optoma
ID: 33543467
Post CF's log when completed. No harm in running the other scanners.