Deleted the rogue AV system security manually after running combofix, all windows services became disabled


6 replies to this topic

#1 Imhilion

Imhilion

  • Members
  • 4 posts

Posted 17 May 2009 - 12:01 PM

I know it was foolish of me to forget to back up the registry and to run combofix without supervision, but for some reason (I suspect rootkit activity due to the fact SS was not detected by Hijackthis or Combofix), all windows services have become disabled and I get an svchost error upon startup. "The instruction at 0x00666a33 referenced at 0x0000000c. The memory cannot be "read". The afflicted computer is currently without internet access.

#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 01:23 PM

Your specific version / edition of Windows ?
humh... What "SS" are you referring to?
Can you start Windows and get to a point where the Taskbar is visible & useable ?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Imhilion

Imhilion
  • Topic Starter

  • Members
  • 4 posts

Posted 17 May 2009 - 01:45 PM

version 5.1 (build 2600.xpsp_sp2_rtm.040803-2158 : Service Pack 2)

By SS I was referring to the System Security fake anti-malware. And yes, I can load Windows; it's just that I have a grand total of 14 processes loading at startup, and any Windows services-related processes cannot be activated. Regedit, MS-DOS, etc. are all accessible; SFC, Control Panel, System Restore, Networks and Connections, etc. are not.

I can transfer files between computers via flash drive/floppy though >.>

Edited by Imhilion, 17 May 2009 - 02:16 PM.
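The symptom described in the post above (every Windows service refusing to start after the rogue was removed) is usually visible in the registry as service Start values flipped to 4 (Disabled). The following script is an added example, not code from the thread or from BleepingComputer: it parses a regedit-style export of HKLM\SYSTEM\CurrentControlSet\Services, lists services that are disabled although the baseline expects them to be automatic or manual, and prints the matching sc config commands to restore them. The export text and the baseline start types are constructed for the example; a real baseline would come from a known-good machine of the same Windows edition.

```python
import re
from typing import Dict, List, Tuple

# Meaning of the Start REG_DWORD under each Services\<name> key.
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
# Argument sc.exe expects for "sc config <name> start= <value>".
SC_START_ARGS = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed sample export (regedit .reg format); not taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"DisplayName"="Automatic Updates"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"DisplayName"="Windows Installer"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"DisplayName"="Event Log"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"DisplayName"="System Restore Service"
"Start"=dword:00000004
"""

# Assumed known-good start types (example baseline, not an authoritative XP list).
BASELINE = {"wuauserv": 2, "MSIServer": 3, "Eventlog": 2, "srservice": 2}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I
)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')


def parse_services(reg_text: str) -> Dict[str, Dict[str, object]]:
    """Return {service_name: {value_name: value}} for the Services keys in a .reg export."""
    services: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        if current is None:
            continue
        val = VAL_RE.match(line)
        if not val:
            continue
        if val.group("dword") is not None:
            services[current][val.group("name")] = int(val.group("dword"), 16)
        else:
            services[current][val.group("name")] = val.group("str")
    return services


def find_disabled(services: Dict[str, Dict[str, object]],
                  baseline: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """List (name, expected start, observed start) for services disabled against the baseline."""
    findings = []
    for name, values in services.items():
        start = values.get("Start")
        expected = baseline.get(name)
        if not isinstance(start, int) or expected is None:
            continue
        if start == 4 and expected != 4:
            findings.append((name, START_NAMES[expected], START_NAMES[start]))
    return findings


def repair_commands(findings: List[Tuple[str, str, str]],
                    baseline: Dict[str, int]) -> List[str]:
    """Build the sc.exe commands that put each flagged service back to its baseline start type."""
    return [f"sc config {name} start= {SC_START_ARGS[baseline[name]]}" for name, _, _ in findings]


if __name__ == "__main__":
    flagged = find_disabled(parse_services(SAMPLE_REG), BASELINE)
    for name, expected, observed in flagged:
        print(f"{name}: expected {expected}, found {observed}")
    print("\n".join(repair_commands(flagged, BASELINE)))
```

On the affected machine the export would be produced with regedit (File > Export on the Services key) and carried over on the flash drive the poster mentions; regedit writes .reg files as UTF-16, so open the file with that encoding before passing the text to parse_services. Review the generated sc config lines before running them, since a service that was deliberately disabled on that machine would also be flagged.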


#4 Imhilion

Imhilion
  • Topic Starter

  • Members
  • 4 posts

Posted 17 May 2009 - 02:20 PM

One more thing: Malwarebytes has never worked on this computer, and I can't update SAS (outdated definitions) because Windows Installer is not functioning.

#5 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 02:30 PM

If you have a mirror image backup of the system or a backup of the Windows drive, then restore that so you can have a decent working system.
If you have neither, and have nothing of consequence on the system, a wipe and clean install of Windows would be a consideration.

If you have irreplaceable documents/files, you should copy them onto removable media first.

Otherwise, depending on whether it is one rogue or not, and if you can be patient, make a detailed post with reports at the forum described here:
See Preparation Guide For Use Before Using Hijackthis and other Malware Removal Tools
Be very aware the sub-forum is extremely busy and you'll have to wait your turn.

P.S. You may try renaming mbam.exe to some other unique name and then starting it; you may get MBAM to start, and if so, do a Full scan and let it remove what it finds.

Edited by Maurice Naggar, 17 May 2009 - 02:37 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6 Imhilion

Imhilion
  • Topic Starter

  • Members
  • 4 posts

Posted 17 May 2009 - 03:14 PM

I've attempted to rename MBAM before to no avail. Is there no way to repair the damage without resorting to reformatting?

#7 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 03:40 PM

You'll have to start a new topic in the Malware-HijackThis forum; see the link in my last reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
