Can malware prevent 4 anti-malware programs from running?

Discussion in 'Malware Help (A Specialist Will Reply)' started by dvk, Oct 16, 2010.

  1. dvk

    dvk Private E-2

    Friday I visited a client with a problem as described below. Next Monday I will run the anti-malware checklist posted on this forum, but I think I've already done the major steps. My question here is therefore (see below): could malware prevent 4 anti-malware programs from running while everything looks OK (running processes, normal XP system with Norton on it, etc.)?

    I will post the outcome too.

    Dick

    One PC shows odd behaviour (not really specified) and seems to block websites (except a few which show, including the banking website...). DNS was rerouted to 93.188.162.244,93.188.160.54. This may have had to do with a parental control program (recently installed and uninstalled again), but the HijackThis log shows this:
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.244,93.188.160.54
    and that is connected with Zlob.DnsChanger in some places, e.g. http://www.exterminate-it.com/malpedia/remove-zlob-dns-changer. Everything works again after setting DNS to auto. I checked all running processes and there seem to be no suspect processes; I disabled several which were not needed.

    To be sure I installed Malwarebytes. This program did not run, however: it showed briefly in the task list and then disappeared. The system runs Norton Utilities and no further anti-virus or firewall, but another PC with the same configuration ran Malwarebytes without problem. I have tried the following programs, all with the same result: they do not start:

    ATF-Cleaner.exe
    mbam-setup.exe
    spybotsd162.exe
    windows-kb890830-v3.12.ex
    SUPERAntiSpyware.exe

    Only the latter one worked, but it only showed Windows Security Centre to be off, which is a simple registry byte (and which did not solve the problem either).

    I have tried to install the programs in safe mode as Administrator as well, same result.

    Below is the hijackthis.log.
    What I want to know: what could cause 4 anti-spyware programs not to start?
     
    Last edited by a moderator: Oct 16, 2010
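    The O17 entry quoted above is the kind of evidence a defender can check for automatically. The following Python script is an added example (not code from this thread, from HijackThis or from MajorGeeks): it parses O17 NameServer lines from HijackThis-style log text and flags any resolver address that is neither on the local network nor on an operator-maintained allow list. The log lines and the allow list are constructed for the example; the two 93.188.x.x addresses are the ones reported in this thread.

```python
import ipaddress
import re

# Constructed HijackThis-style log excerpt (sample input, not a real log).
# The CS1 line reproduces the entry reported in this thread.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID}: NameServer = 192.168.1.1
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.244,93.188.160.54
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 8.8.8.8,8.8.4.4
"""

# Resolvers the operator has approved for this site. Assumption: a defender
# maintains this list; the public resolvers below are only example entries.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# HijackThis O17 format: "O17 - <registry key>: NameServer = <addr>[,<addr>...]"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [addresses]) for an O17 line, or None otherwise."""
    match = O17_RE.match(line.strip())
    if not match:
        return None
    # NameServer values may be separated by commas and/or spaces.
    servers = [s for s in re.split(r"[,\s]+", match.group("servers")) if s]
    return match.group("key"), servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Classify one resolver address: local, trusted, unknown-public or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"  # a router or an internal DNS server; normal for a LAN
    if addr in trusted:
        return "trusted"
    return "unknown-public"  # a public resolver nobody approved: investigate


def audit_o17(log_text, trusted=TRUSTED_RESOLVERS):
    """Collect every O17 NameServer value that is not local and not on the allow list."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            verdict = classify_resolver(server, trusted)
            if verdict in ("unknown-public", "invalid"):
                findings.append({"key": key, "server": server, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit_o17(SAMPLE_LOG):
        print(f"{finding['verdict']:15} {finding['server']:16} {finding['key']}")
```

    Note that the hijacked value in this thread sits under CS1 (a numbered control set) rather than under the CurrentControlSet key, so a check that reads only the active configuration can report a clean value while the stale control set still carries the rogue resolvers; the script therefore audits every O17 line regardless of which key it names.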
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. dvk

    dvk Private E-2

    I answer myself: yes, it can! And following your removal instructions Monday, it was (once again) ComboFix which solved the issue:
    (in Dutch)
    Besmet exemplaar van c:\windows\system32\drivers\dmload.sys werd aangetroffen en gedesinfecteerd
    Hersteld exemplaar van - Kitty had a snack :p

    Incredible that all those other programs let themselves be killed by the malware, that a fully paid full version of Norton allows this virus to install, and that the free ComboFix program solves it!

    Thank you for this forum.

    Dick
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:
