infection will not allow Malwarebytes to Run

I have an infected laptop where I installed Malwarebytes. However it will not update or run a scan. Can someone help me? Thanks.

Try it in safe mode.

Chameleon Gets Malwarebytes Anti-Malware Installed and Running https://www.malwarebytes.org/chameleon/

Usage: Download Chameleon from the link above. Unzip the contents to a folder in a convenient location. Follow the instructions in the included CHM Help File or, if the help file will not open, simply try to run the files by double-clicking on them one by one until one of them remains open, then follow the onscreen instructions.

Hi kevinelms,

As Pondus mentioned, Chameleon technology is smart enough to fool even new malware. MBAM should be able to run via Cham. techniques.

In any case, post here both FRST logs and I shall take a peek.

I tried all 13 scenarios running Chameleon and it still could not run the MB update. The program just keeps crashing. I ran the Chameleon in Windows 7 Safe Mode. Please let me know how I should proceed. Thank you.

As magna86 said, download and run FRST (Farbar Recovery Scan Tool) and attach the two diagnostic logs.

Attached the 2 logs.

Hello,

Go to Programs and Features (you can access it from the Control Panel) and just attempt to uninstall the following:

  • Ask Toolbar Updater
  • Mezaa
  • Optimizer Pro v3.2

In any case, we need to proceed with forced removal. Your system has adware installed, but this adware acts like really nasty malware.

While the FRST script (fixlist) is working on your machine, disable any security software you have. The same goes for ComboFix.

Let’s start …

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
File: C:\Windows\hh.exe
File: C:\Users\jmauceri\AppData\Local\ArcadeParlor\versioncheck.exe
File: C:\ProgramData\UserProfileMigrationService.exe
CloseProcesses:
HKLM-x32\...\Run: [Mezaa Tray] => C:\Program Files (x86)\Mezaa\MezaaTray.exe [83176 2014-07-23] (Mezaa)
HKU\S-1-5-21-2152592382-2502910713-3807479249-1002\...\Run: [Optimizer Pro] => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {095013B9-9DB0-4F50-9208-DB28D91D1B9C} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=14EB822B-CB13-4B10-9825-8E6827E5D9AE&apn_sauid=7CE3150A-8966-470F-8A2C-2B4808AC0049
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - No File
Winsock: Catalog9 01 C:\Windows\SysWOW64\MZA.dll [357608] (MZA)
Winsock: Catalog9 02 C:\Windows\SysWOW64\MZA.dll [357608] (MZA)
Winsock: Catalog9 03 C:\Windows\SysWOW64\MZA.dll [357608] (MZA)
Winsock: Catalog9 04 C:\Windows\SysWOW64\MZA.dll [357608] (MZA)
Winsock: Catalog9 16 C:\Windows\SysWOW64\MZA.dll [357608] (MZA)
Winsock: Catalog9-x64 01 C:\Windows\system32\MZA64.dll [464104] (MZA)
Winsock: Catalog9-x64 02 C:\Windows\system32\MZA64.dll [464104] (MZA)
Winsock: Catalog9-x64 03 C:\Windows\system32\MZA64.dll [464104] (MZA)
Winsock: Catalog9-x64 04 C:\Windows\system32\MZA64.dll [464104] (MZA)
Winsock: Catalog9-x64 16 C:\Windows\system32\MZA64.dll [464104] (MZA)
R2 70e6ca8c; c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll [3649616 2014-09-22] ()
Hosts:
Task: {1EA2B8A7-E5E3-48BC-8812-03E85E4C3938} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:FD9CE1F3
EmptyTemp:
C:\Program Files (x86)\Optimizer Pro
C:\Program Files (x86)\Mezaa
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If the Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install the Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.
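The fixlist above targets four persistence points that adware of this kind uses to survive an uninstall and to block security tools: Winsock LSP catalog entries (the MZA.dll lines), Run keys, a scheduled task, and an alternate data stream. The following PowerShell triage script is an added example, not part of this thread and not FRST's or ComboFix's own code; it builds the same inventory on a live machine so a helper can confirm the findings before (or after) running a fix. It assumes an elevated 64-bit PowerShell session, an English locale for the schtasks column names, and PowerShell 3.0 or later for the alternate-data-stream check; the path `C:\ProgramData\TEMP` is taken from the fixlist, everything else (function names, filters) is this example's choice.

```powershell
# Added triage script (not from the thread). Enumerates the persistence points
# the FRST fixlist above removes: Winsock LSP providers, Run keys, scheduled
# tasks and alternate data streams. Assumes an elevated 64-bit shell.

# --- 1. Winsock catalog: every provider DLL with its Authenticode signer. ----
# On x64 the 32-bit catalog (where MZA.dll was registered) is separate from the
# 64-bit one, so both netsh binaries are queried. netsh prints one
# "Provider Path:" line per catalog entry.
function Get-WinsockProviders {
    $netshBins = @("$env:SystemRoot\System32\netsh.exe")
    if (Test-Path "$env:SystemRoot\SysWOW64\netsh.exe") {
        $netshBins += "$env:SystemRoot\SysWOW64\netsh.exe"
    }
    foreach ($bin in $netshBins) {
        $arch = if ($bin -like '*SysWOW64*') { 'x86' } else { 'x64' }
        & $bin winsock show catalog | ForEach-Object {
            if ($_ -match '^\s*Provider Path:\s+(.+?)\s*$') {
                $dll = [Environment]::ExpandEnvironmentVariables($Matches[1])
                # 32-bit catalog entries say system32 but resolve through WOW64
                # file redirection; from a 64-bit shell map them by hand
                # (assumption: default System32/SysWOW64 layout).
                if ($arch -eq 'x86') { $dll = $dll -replace '(?i)\\System32\\', '\SysWOW64\' }
                $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Catalog = $arch
                    Dll     = $dll
                    Exists  = Test-Path $dll
                    Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned/missing)' }
                    Status  = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
        }
    }
}

# --- 2. Run keys: machine (native and WOW6432Node) and the current user. -----
# The fixlist's HKU\S-1-5-21-...-1002 entry is HKCU when run as that user;
# other profiles would need the HKU: drive and their SID.
function Get-RunEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# --- 3. Scheduled tasks: schtasks works on Windows 7, Get-ScheduledTask does not.
function Get-TaskCommands {
    schtasks.exe /query /fo csv /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |   # drop repeated header rows
        Select-Object TaskName, 'Task To Run'
}

# --- 4. Alternate data streams on the folder the fixlist flagged (PS 3.0+). --
function Get-HiddenStreams {
    param([string]$Path = "$env:ProgramData\TEMP")
    if (-not (Test-Path $Path)) { return }
    Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |      # ':$DATA' is the normal stream
        Select-Object FileName, Stream, Length
}

'== Winsock providers not signed by Microsoft =='
Get-WinsockProviders | Where-Object { $_.Signer -notmatch 'Microsoft' } | Format-Table -AutoSize
'== Run keys =='
Get-RunEntries | Format-Table -AutoSize
'== Scheduled tasks whose command lives outside \Windows\ =='
Get-TaskCommands | Where-Object { $_.'Task To Run' -notmatch '(?i)\\Windows\\' } | Format-Table -AutoSize
'== Alternate data streams on ProgramData\TEMP =='
Get-HiddenStreams | Format-Table -AutoSize
```

A non-Microsoft LSP provider is a lead, not a verdict (some legitimate security and VPN products register one), so check the signer and the vendor before acting. Do not simply delete an LSP DLL that shows up here: the catalog entries still chain through it and networking breaks until the catalog is repaired, which is why the thread lets FRST handle the Winsock lines rather than removing MZA.dll by hand.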

Ask Toolbar Updater would not let me uninstall. It said I needed Administrator privileges even though I was logged in with Administrator rights.
The other 2 uninstalled successfully.

Attached are the 3 log files you asked after running the fixes.

Also, it seems ComboFix removed the VPN software we use to connect to our server (OpenVPN). I can't seem to reinstall it either. It says "key not valid for use in specified state".

An update on the OpenVPN. I found a fix by uninstalling a Microsoft security update. Then it installed fine. Let me know when you have had a chance to look at the logs. Thank you for all your help.


c:\program files (x86)\OpenVPN Technologies\OpenVPN Client\core\ovpntray.exe

You would seem to be correct… The question is why? OpenVPN seems to have a decent reputation.

Do me a favour: go to the following location: C:\Qoobox\Quarantine\C\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\core\ovpntray.exe.vir

Rename the file from .vir to .exe and go to www.virustotal.com. Upload the file, and scan it. Post back the results.

Results say 0/55 detections. Probably harmless it says.

Hi,

I will restore the FP later. Do not make any changes while analysis and cleaning are in progress.

Could you please re-run ComboFix one more time as you did before and post me the fresh ComboFix.txt log report. I need to check something …

Do you know if this will remove the VPN software again?

Yes, it probably will. If you installed the VPN again, instead of a fresh ComboFix log I shall need a fresh FRST.txt log report.

Does this mean that I do not have to restore the deleted FP (VPN-related file)?