
Avast hijack destroys Malwarebytes



Hi Team,

I have a problem where I suspected my computer had a worm called "winit.exe" (as opposed to wininit.exe, which is an MS program as I understand it). This was detected several times by AVG but never by Malwarebytes. The AVG notification advised it had quarantined the file winit.exe because it was infected with a "backdoor32-something or other" virus. When this had come up several times I decided to go hunting for it.

I started my computer in safe mode, searched for the file, found it and deleted it. One of the "experts" I found suggested I download Malwarebytes, SuperAntiSpyware (which I was already using along with AVG), Spybot Search & Destroy, SpyHunter and Avast and run each of them in turn in safe mode to detect and remove any potential threats. I began downloading Avast from the Avast.com website. A short way into the download my screen glitched and a Windows dialogue box came up with the message "Windows has detected a network change". I immediately disconnected from the net and shut down the computer.

When I started up again there was a dialogue box with the message "Avast is installing - do not turn off your computer". Knowing the download had not completed when I shut down, I immediately disconnected and shut down again. I tried again. Same thing. The only way I could boot the computer without this coming up was to boot without the computer connected to the internet.

Once I had done this, I identified that Avast was showing in the menu if I right-clicked on a file in Windows Explorer, but the files were not evident in the Program Files directory. Finally I reconnected to the net and downloaded the avastclear.exe program from the Avast website. By this time the Avast download had completed and the file folder was visible in the Program Files directory. I used the avastclear program to uninstall Avast from my system.

I then set about trying to make sure I had no threats on my system detectable by the software I already had installed. I ran AVG and SuperAntiSpyware, which came up clear, but when I ran CCleaner, it showed all the MBAM files as having residuals of a program that had been removed. The desktop shortcut for Malwarebytes was showing a generic icon and the program would not run. Subsequently I had quite some difficulty in uninstalling the broken program (text file attached as requested) and then had to get help from a friend who knows more about this than I do to assist me to remove the file folders from the directory before reinstalling a new version of Malwarebytes.

However, I cannot run the newly installed program! When I attempt to run it I get a warning that says "Unable to start - Unable to connect to the service". Upon looking this up in the forums, it appears to suggest this is tied to the F-Secure software program, which is not installed on my computer. I also note that the program will not respond to the desktop shortcut. I must go to the exe file in the Malwarebytes folder to get it to respond, but then the warning I described comes up.

Can you help with this please??

mb-clean-results.txt

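The file name in the post above, winit.exe, is two characters away from the legitimate wininit.exe, which lives in C:\Windows\System32 and is signed by Microsoft. The following is an added example, not part of the thread and not Malwarebytes or AVG code, of the check a responder would run before deleting anything: enumerate running processes, flag any whose image name is within a small edit distance of a well-known Windows process name, and for exact-name matches verify the image path and Authenticode signature. The list of expected names and paths is a constructed starting point, not an authoritative inventory.

```powershell
# Added example (not from the forum thread). Flags running processes that
# masquerade as core Windows binaries by name, path or signature.
# $Expected is a constructed sample list; extend it for your environment.
$Expected = @{
    'wininit.exe' = Join-Path $env:SystemRoot 'System32\wininit.exe'
    'svchost.exe' = Join-Path $env:SystemRoot 'System32\svchost.exe'
    'lsass.exe'   = Join-Path $env:SystemRoot 'System32\lsass.exe'
}

function Get-EditDistance {
    # Levenshtein distance, case-insensitive. "winit.exe" vs "wininit.exe" = 2.
    param([string]$From, [string]$To)
    $s = $From.ToLowerInvariant(); $t = $To.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($s.Length + 1), ($t.Length + 1)
    for ($i = 0; $i -le $s.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $t.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $s.Length; $i++) {
        for ($j = 1; $j -le $t.Length; $j++) {
            $cost = if ($s[$i - 1] -eq $t[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$s.Length, $t.Length]
}

function Find-LookalikeProcess {
    param([int]$MaxDistance = 2)
    # Win32_Process exposes the full image path; it is $null for protected
    # processes when this is not run elevated, so run from an admin prompt.
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        $name = $proc.Name
        $path = $proc.ExecutablePath
        foreach ($legitName in $Expected.Keys) {
            $dist = Get-EditDistance -From $name -To $legitName
            if ($dist -gt $MaxDistance) { continue }
            $reason = $null
            if ($dist -gt 0) {
                $reason = "name resembles $legitName (edit distance $dist)"
            } elseif ($path -and $path -ine $Expected[$legitName]) {
                $reason = "runs from $path, expected $($Expected[$legitName])"
            } elseif ($path) {
                # Caveat: core system binaries are catalog-signed; on older
                # Windows versions this can report NotSigned even for a clean
                # file, so treat a non-Valid status as a prompt to verify with
                # another tool, not as proof of tampering.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid' -or
                    $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $reason = "signature status $($sig.Status)"
                }
            }
            if ($reason) {
                [pscustomobject]@{
                    ProcessId = $proc.ProcessId; Name = $name; Path = $path; Reason = $reason
                }
            }
        }
    }
}

Find-LookalikeProcess | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that ExecutablePath is populated for every process. A hit on the name check is the case described in the post; a hit on the path check catches the other common trick, a correctly named binary dropped outside System32. Neither result by itself says what the file is, which is why the next step in the thread is a log-producing scan rather than more manual deletion.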

Hello JoffOS and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

 


Hi Kevin,

Thank you so much for getting back to me. Unfortunately, I have been unable to run a scan with Malwarebytes as you have requested. As I said in my original message, even though Malwarebytes appeared to successfully install on my computer, it will not respond from the desktop icon, nor from clicking on the .exe program file in the Program Files/Malwarebytes/Anti-Malware folder. When I attempt either of these actions, there is a pause before a dialogue box appears with the Malwarebytes logo and the message "Unable to start - Unable to connect to the service" (see attached screenshot).

I attempted to resolve this by uninstalling the program I downloaded recently and reinstalling a new program from the link you provided, but the result was the same.

I am unsure if I should proceed with the second part of your advice which is to download and run the Farbar Recovery Scan Tool without having successfully completed the reinstallation and running a scan with Malwarebytes first. Looking forward to your further advice. Thanks again..

2018-05-15 10_50_48-Greenshot.png


Hi Kevin,

I've done some further digging around and, using the AVG Boot-time scanner, I have identified that my computer was infected with several files it described as "decompression bombs" and "Win64:Evo-gen" files, which were tagged as "suspicious". All of these have been quarantined. Subsequently I uninstalled and reinstalled Malwarebytes, but there is no change to the information I provided above; it still comes up with the "Unable to start...." dialogue box.

Is it possible that the Avast software was a victim of the compression bombs, and is that the problem with Malwarebytes now? Although I don't understand how my original Malwarebytes was destroyed, because the version I had already installed and kept updated appeared to be working OK despite not having identified any of the threats I have subsequently identified using AVG. Having said that, this was the first time I had run the AVG boot-time scanner. Previously I had only run the standard scans and the USB scans on externally connected drives.


Hello JoffOS,

There is no obvious Malware or infection showing in your logs. Run the following:

Download Portable Windows Repair (all in one) from one of the following:

www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.zip

http://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.html

https://www.bleepingcomputer.com/download/windows-repair-all-in-one/

Unzip the contents into a newly created folder on your desktop.

Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode

Open the Tweaking.com folder, run the tool by right-clicking on Repair_Windows (icon with red briefcase) and selecting "Run as Administrator"

From the main GUI do the following:

Select Tab 5 to make Registry backup, use the recommended option...


When complete select "Repairs" tab, from there select "Open Repairs" tab..

From that window select the default option and checkmark the "Select All" box. When ready select "Start Repairs" tab....


When complete re-boot your system, see if there is any improvement...

Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt

Next,

Totally Remove Malwarebytes from your system:

Download the latest version of MB-Clean by clicking this link: https://downloads.malwarebytes.com/file/mb_clean save to your Desktop, or a folder of your choice.
 
  • Close all open applications
  • Double-click and run mb-clean.exe
  • A prompt with an option to clean up the system will appear:


Yes - will proceed with backing up the license key (Malwarebytes 3.x only) and initiating the cleanup process. (Recommended)
No - will exit the utility

Once the cleanup process is completed, a prompt will appear:

Yes – will proceed and post reboot you will be prompted to continue with the downloading, installation and activation of latest version of Malwarebytes 3.x (Recommended)
No – will exit the utility and you will not be prompted (post reboot) to download, reinstall and re-activate (Not Recommended)

We recommend rebooting immediately. Additionally, stopping at this step is not recommended and will most likely not resolve your issue(s).

Upon reboot, a prompt will appear:

Yes - will download, install and activate the latest version of Malwarebytes 3.x (Recommended)
No - will exit the utility and the cleanup process is complete...

A log file ("mb-clean-results.txt") will be on your desktop

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Thanks,

Kevin..

Hi Kevin,

I have followed your instructions up to running the Tweaking.com Windows Repair program in safe mode. The scan commenced last evening here and has been running overnight. It is now up to 11 hours 39 minutes and has a Memory Used reading of ~574MB. Is this normal? And if so, how long is a scan supposed to take? Also, is it safe to interrupt a scan?


Yes it is safe to interrupt the scan, the time you are quoting is very excessive... Boot your system back to Normal mode.

Next,

Select the Windows key and X key together, from the winx menu select "Command Prompt (Admin)"

At the prompt type or copy/paste :- DISM /Online /Cleanup-Image /CheckHealth then hit the enter key. What results do you get..?

Thanks,

Kevin


Hi Kevin,

I have been doing some reading on the tweaking.com forums and it appears this issue of hanging during a scan is quite common.

I have attempted a reboot and triggered the attached error "WR Tray Icon". I cancelled out and did a second attempt, which started in normal mode. However, the WinX menu doesn't seem to offer the item "Command Prompt (Admin)" as you suggest (see screenshot), and I'm now unable to go further.


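Kevin's check is a DISM command typed into an elevated command prompt, and the reply above reports that the Win+X menu offers no "Command Prompt (Admin)". On Windows 10 from the Creators Update (1703) onward that menu shows "Windows PowerShell (Admin)" by default; DISM is an ordinary executable and runs unchanged from an elevated PowerShell. The following is an added example, not part of the thread and not Malwarebytes' own tooling: it confirms the shell is elevated, runs the same /CheckHealth command and reports the outcome, and then inspects the state of the Malwarebytes service, since "Unable to connect to the service" is a service failure rather than a GUI one. The service name MBAMService is an assumption about Malwarebytes 3.x and should be confirmed with Get-Service.

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell:
# Win+X, then "Windows PowerShell (Admin)" on Windows 10 builds that no
# longer list "Command Prompt (Admin)".

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-DismCheckHealth {
    # Same command as in the post. /CheckHealth only reads the corruption
    # flags already recorded in the component store, so it finishes quickly;
    # /ScanHealth and /RestoreHealth are the slow, thorough variants.
    $lines = & dism.exe /Online /Cleanup-Image /CheckHealth 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        ExitCode   = $LASTEXITCODE
        Healthy    = [bool]($lines -match 'No component store corruption detected')
        Repairable = [bool]($lines -match 'component store is repairable')
        Output     = $lines -join [Environment]::NewLine
    }
}

function Get-ServiceHealth {
    # 'MBAMService' is the assumed service name for Malwarebytes 3.x;
    # confirm with:  Get-Service *malware*
    param([string]$Name = 'MBAMService', [switch]$TryStart)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Name = $Name; Present = $false; Status = 'not installed'
            StartMode = $null; BinaryPath = $null; BinaryExists = $false
        }
    }
    if ($TryStart -and $svc.Status -ne 'Running') {
        Start-Service -Name $Name -ErrorAction SilentlyContinue
        $svc = Get-Service -Name $Name
    }
    # Win32_Service exposes the registered binary path; a path pointing at a
    # file that no longer exists (as after a broken uninstall) leaves the GUI
    # unable to connect to the service, whatever the installer reported.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $exe = if ($cim.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($cim.PathName -split ' ')[0] }
    [pscustomobject]@{
        Name = $Name; Present = $true; Status = $svc.Status.ToString()
        StartMode = $cim.StartMode; BinaryPath = $cim.PathName
        BinaryExists = [bool]($exe -and (Test-Path -LiteralPath $exe))
    }
}

if (-not (Test-IsElevated)) {
    throw 'Not elevated: reopen PowerShell via Win+X, "Windows PowerShell (Admin)".'
}
Invoke-DismCheckHealth | Format-List
Get-ServiceHealth -TryStart | Format-List
```

If Healthy is True and the service report shows Present = True but Status stuck at Stopped, or BinaryExists = False, the problem is the Malwarebytes installation rather than the Windows image, which is what the clean-and-reinstall step with mb-clean is meant to address. If Repairable is True, the next DISM step is /RestoreHealth, which needs network access or a source image.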

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

