Unable to run HiJackThis, ComboFix, MBAM, AntiSpyware, and others

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by texasmug, Oct 14, 2010.

  1. texasmug

    texasmug Private E-2

    Helping a friend remove malware from their system. Using Kaspersky Rescue Disk I was able to remove some infections, but not all. Whenever I try to run HiJackThis (or the analysis in MGtools), AntiSpyware, MBAM, GMER, or others they start to scan and then immediately shut down. When I try to open again I get the "Windows cannot access the specified file" message. I've redownloaded fresh versions of these and tried all in Safe Mode, as well, with the same results.

    I've also attempted to use ComboFix and ended up uninstalling AVG Free 9 since I was unable to stop the scanner. ComboFix tried to run, but then popped up with multiple "Access is denied." messages when it started scanning.

    I assume the computer has some kind of rootkit that appears to be residing in the memory that is causing these programs to shut down.

    I should also mention that I've attempted to uninstall the older versions of Java that exist, but get an error about Windows Installer not being installed even when running in normal mode, not safe mode. Windows Installer is set up to Automatically load in the services, but does not start and I get an Access is Denied error when attempting to manually start it.

    There's more detail that I could go in to that I've tried, but I assume this is sufficient for now. I have attached the MGlogs for review.

    Thank you very much in advance for your assistance!
     


  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper from Raktor
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: Using MGtools

    Now you need to attach (See: HOW TO: Attach Items To Your Post) the below logs created while running the above scans
    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  3. texasmug

    texasmug Private E-2

    Thank you very much! I have done as you instructed. All was well until I went to run Malwarebytes Anti-Malware. It installed and updated with no problems. But as soon as I started the Quick Scan it immediately shut off 3 seconds into the scan and wouldn't let me back into the program. So I started from the beginning again this time thinking if I was faster at it, it may help. :) I didn't allow Anti-Malware to update this time though. But got the same result, the program shuts down after 3 seconds into the scan.

    I cannot find a log for Anti-Malware. I have attached the other two logs requested.
     


  4. texasmug

    texasmug Private E-2

    I also wanted to add that when I run Rkill, it kills \\.\globalroot\Device\svchost.exe\svchost.exe per the log. But I can run it again immediately and it kills it again, which seems to indicate that it restarts on its own immediately or Rkill is not really killing the process.

    I can run SAS (using Alternate Start) for a short while, then it shuts down before it completes. But in the "Memory Items" it finds Trojan.Dropper/SVCHost-Fake, and if I pause the scan before it shuts down I can go to the next step and under details it shows that it's running as 2 items in the same location as Rkill states, one a file and one a memory process. SAS acts like it removes it when I choose to repair and tells me to reboot. But it's back when I restart.
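The symptom above (an svchost.exe that lives under a \\.\globalroot\Device\... path rather than in System32, and that respawns when killed) can be spotted from a user-mode process listing before reaching for rootkit scanners. The script below is an added example, not code from the thread or from any of the tools named in it; it assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt, since Win32_Process hides the image path of other users' processes otherwise.

```powershell
# Added example: flag svchost.exe instances that do not run from
# %SystemRoot%\System32 or that were not started by services.exe.
# Assumes PowerShell 3.0+ and an elevated session (otherwise the
# ExecutablePath of SYSTEM-owned processes comes back empty).
function Get-SuspiciousSvchost {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $procs = Get-CimInstance Win32_Process

    # Index by PID so each process can be matched to its parent.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        if ($p.Name -ne 'svchost.exe') { continue }

        $reasons = @()
        $path = $p.ExecutablePath

        # A genuine svchost.exe is loaded from System32; a device path
        # such as \\.\globalroot\Device\... or an empty path stands out.
        if (-not $path) {
            $reasons += 'no executable path reported'
        } elseif (-not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "unexpected image path: $path"
        }

        # Real service hosts are children of services.exe.
        $parent = $byPid[[int]$p.ParentProcessId]
        if (-not $parent -or $parent.Name -ne 'services.exe') {
            $parentName = if ($parent) { $parent.Name } else { '<none>' }
            $reasons += "unexpected parent: $parentName (PID $($p.ParentProcessId))"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $p.ProcessId
                Path      = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Print the findings; an empty table means every svchost.exe looked normal.
Get-SuspiciousSvchost | Format-Table -AutoSize
```

Running this twice a few seconds apart, as the post does with Rkill, shows whether a flagged process comes back under a new PID, which is the respawn behaviour described above.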
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    While you are waiting on Dr.M, let's have you do this:

    Please use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06
    Java(TM) 6 Update 18
    Java(TM) 6 Update 2

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  6. texasmug

    texasmug Private E-2

    I'm currently unable to uninstall the older versions of Java as Windows Installer is not loading. I'm working on that issue though. But I wanted to let you know that I made major progress late Friday of last week. I downloaded and ran RootRepeal. It showed me that a driver in the System32 folder was running, but not registered with Windows API. So I renamed that driver file, rebooted, and voilà, I was able to run all the programs without interruption. So it appears the rootkit (or whatever it was) was residing in that particular driver file and loading when Windows loaded. There's still junk on the system, but SAS, MBAM, ComboFix, HiJackThis are all being run to remove them. I will post updated logs for you to review by the end of the day.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. I will be here. :)
     
  8. texasmug

    texasmug Private E-2

    All right...got the Windows Installer issue fixed. Was able to uninstall all the old Java installations and then install the latest release. Cleaned up a lot of other adware, spyware, trojans, etc. after I was able to run MBAM, SAS, Spybot S&D, and clear up a few entries with HiJackThis. All are reporting that nothing else is detected.

    I'm also now current on all Windows Updates and have installed avast!Antivirus. Using ClearCloud for the DNS now to help prevent future infection, as well.

    I've attached my latest MGlogs for your review. Let me know if you see anything else or have any further recommendations.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is nice to end the day on an up note. Your logs are clean. All you need to do is run CCleaner and empty out your temp folders.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:




     
  10. texasmug

    texasmug Private E-2

    Thanks a lot for your assistance! It's much appreciated.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
