MBAM and HJT exit early


RobertM

Hi Folks,

A few months ago the laptop which my son uses for internet games became infected with a virus that was hijacking IE. I used MBAM to quickly and successfully clean it up -- thanks for that.

Last night I found that it's got a similar infection, but MBAM won't fix it this time. After poking around this forum I've tried a bunch of things with no real success. Here are the symptoms, and what I have tried so far:

OS is WinXP home SP3.

1. MBAM will install and run briefly. It begins "preparing for the scan" then suddenly exits after about 15 - 20 seconds. At that point it has scanned 0 objects and found 0 infections. I cannot restart MBAM (access denied -- or permission denied), nor can I delete the MalwareBytes program folder, but I can use the MBAM uninstall then run the MBAM setup again to get it to run again. It behaves exactly the same; early exit. I tried renaming to "Winlogon.exe" but no difference.

2. HJT will install but only runs for a very few seconds before exiting. I can't tell exactly what it is looking at (flashes by too briefly) but it might be going through the registry. Same as MBAM, access is denied after the exit. I can delete the HJT folder and re-install HJT. Again, it will exit early.

3. I tried ComboFix. It will start running, but after about 7 - 10 min I get a blue screen of death. Once I restart the machine I can run ComboFix again with the same result. I tried renaming to Combo-Fix upon d/l, but no difference.

4. I tried RootRepeal. When it starts I get a message "Error - invalid PE image found". It scans for a little while, 15 - 25 sec, then exits. Subsequent tries give "access denied" errors. I can unzip a fresh copy of RootRepeal to the same place with the same results.

5. I tried ProcessExplorer to look for suspicious processes. Almost everything looks legit, with all of the processes that I can't identify being in the "windows/system32/" folder. There is, however, a process called "b.exe" which is there sometimes and not at other times. I believe that this is how the previous virus manifested itself, and might be causing the IE popups etc. I kill it when I see it, but it comes back after maybe 1/2 hour or so.

6. I tried removing the HD and slaving it to my desktop computer. MBAM was able to scan it fully and it found and fixed 1 infected object. But, upon reinstalling in the laptop, MBAM is still not able to run.

So, I've gotten to the point of asking for help. From what I've read it seems like it might be time for an Avenger2 script, but I won't do that until I'm told to by someone smarter than myself.

Thanks.

Bob


  • Staff

Hi,

1) Please download this file

2) Place fr33.exe next to the exe file that doesn't want to run

3) Drag the exe file into fr33.exe. That shall free/unlock it.

Example of how to do this (this is an example with the Malwarebytes exe file, mbam.exe):

[Image: Fr33_mbam.gif]

You can do that with every exe file that cannot run.

Or, in case you want to know how to do this manually and take ownership of locked files, please see here (XP/Vista) for more info. Note: on XP Home, the "Security" tab is only visible in Safe Mode. In case there's no Security tab in XP Pro, then please see here (XP Pro

But there's no need to do it manually if you use fr33.exe instead to "unlock" files. ;)

Also, for combofix, please try again, but before you do, delete the C:\qoobox folder and C:\combofix folder if present.

Also delete the Combofix.exe icon on your desktop.

Then RE-download Combofix again and run it from Windows safe mode.


Hi Mieke,

Thanks for the reply. When I went to implement your suggestions I found that my situation had devolved significantly. I was denied permission to Explorer.exe, so my desktop disappeared and I had to launch stuff using Task Manager. I tried dragging Explorer.exe onto fr33.exe, as you suggested, and, while it did get to the "OK" dialogue after a little while, I still had no access. I then tried to correct the permissions manually, using the "Security" tab on the file properties dialogue, but, again, no luck.

So... I decided it was time to do a reformat/reinstall. It's been a while anyway, and I think it is a good idea to do a clean build-up every year or so. I also have good backups ;)

Anyway, thanks for your help.

Bob


OK, I am having the same original problem as the OP. I tried the fr33.exe thing and it worked in that I could now run mbam again, but then it was immediately shut down again as soon as I tried to scan. I noticed a.exe and b.exe running and ended them both via the Task Manager (successfully). However, after a while (~10 min) they show up again. I've gone through my other active processes and there's nothing else suspicious, including anything misspelled like svchast, which is incidentally the reason I originally got Malwarebytes a month or so ago. Also, any other program I try to use to scan my computer like Autoruns was given the same treatment as Malwarebytes.

Anyway, things haven't gotten anywhere near as bad as the OP describes in his second post. How do I get this crap off of my computer?

This topic is now closed to further replies.