Jump to content

No malware scanning software will run, Chameleon will not run


Recommended Posts

I got infected yesterday, and immediately was not able to run any malware scanning programs to fix it, with an error of, "The requested resource is in use."  I noticed several programs and services running, like dataup.exe, and a few others that were the names of normal programs w/a few letters off... I do not remember all of them.  Through initial troubleshooting, I was able to find a program that would run called RogueKiller.  That definitely found threats and fixed some, including after a restart, but they either reinstalled themselves, or were not actually removed.

I ended up booting to safe mode to take a wrecking ball to any files that I didn't immediately recognize around the timestamp or after when I was infected, along with specific registry edits to get rid of the programs that I knew were bad, or kept popping up as files added around the time of infection.  Yeah, I should have recorded these, but I did not. 

While still in safe mode, I was able to install and run CCleaner, AusLogistics Registry Cleaner, and Malwarebytes (but the definition was from 2/17 of this year).

After restarting to normal mode, the main programs that I noticed previously popping up no longer did, so I definitely got a good chunk of it.  RogueKiller was still able to run, but it found nothing.   Through more searching, I found a list of programs that were supposed to help kill whatever it was that was blocking the malware scanners from running, but that did not help.  They successfully executed, but I still could not run the malware scanning programs.  I've included the log file here: Rkill.txt

I then found information on running Malwarebytes' Chameleon program.  None of the programs worked, but all attempts had 2 things in common:

  • Failed to copy the master conf file
  • Many many "failed to create directory" attempts, though they did create a lot of directories... almost 3,000

At this point, I'm running out of options, so I figured I would open up a thread.

Thanks!

Edited by Phrozt
Link to post
Share on other sites

Hello Phrozt and welcome to Malwarebytes,

There is a new infection on your system, the infection has a protection driver that causes the issues you`ve mentioned... I want you to try MBAR, if it runs successfully post the produced logs...

Please download Malwarebytes Anti-Rootkit from here
 
  • Unzip the contents to a folder in a convenient location. (recommend the desktop)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Thank you,

Kevin...

Link to post
Share on other sites

I appreciate that you got back to me so soon, and I apologize not being able to carry out the steps Sunday or Monday... had ridiculous amount of work to do.

I was able to follow all of your directions, mbar did find 4 bits of malware, and after a fix + restart, the system came back clean!  I can now run Malwarebytes, ccleaner and others!!  You did it!

Just for any interest, here are the files you wanted to see.  Thank you so much for your help!

Link to post
Share on other sites

Hello Phrozt.

Yes MBAR has dealt with the protctive rootkit, we still need to run FRST to see if there are any remnants of the infection still on your PC. The following scan is purely diagnostic...

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Let me see those two logs in your next reply...

Thank you,

Kevin...

 

Link to post
Share on other sites

Thanks for those logs, continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download and install Malwarebytes from Here: https://www.malwarebytes.com/mwb-download/thankyou/

When complete Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan Scan within Archives are both on.... Leave all other settings to default..

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

 

fixlist.txt

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.