Full Version: What should I do in these situations?
Malwarebytes Forum > Malwarebytes' Anti-Malware Support > General Malwarebytes' Anti-Malware Forum
QuizMaster
1. The user is unable to install Malwarebytes because of an infection
2. The user was able to install MBAM but he is unable to run the program because of an infection

Thanks! smile.gif
GT500
QUOTE (QuizMaster)
1. The user is unable to install Malwarebytes because of an infection
2. The user was able to install MBAM but he is unable to run the program because of an infection

Thanks! smile.gif


Normally renaming the executables allows them to run for the malware removal, but obviously when you change the name of mbam.exe it needs to be changed back after cleanup, or the shortcuts will be broken.

If that doesn't help, then I go through HijackThis or ComboFix and see if I can get the removal started without MBAM. Sometimes you can kill the load point for the trojan that's keeping MBAM from running, or ComboFix will delete it and solve the problem. Note that ComboFix should only be run on Windows XP, and only under the supervision of someone who knows ComboFix, and can walk the user through any issues they may have after using it.
QuizMaster
Thanks.

Another scenario: what do I do next if Malwarebytes removed the active infection but there are still leftover malware files that aren't active?
QuizMaster
Bump
AdvancedSetup
You should consider joining one of the online schools for fighting Malware if you really want to learn how to do it properly.
QuizMaster
QUOTE (AdvancedSetup @ Jan 27 2009, 11:09 AM) *
You should consider joining one of the online schools for fighting Malware if you really want to learn how to do it properly.


I was in one, but I got removed from the program. I won't go to the details, though.
GT500
QUOTE (QuizMaster)
Another scenario: what do I do next if Malwarebytes removed the active infection but there are still leftover malware files that aren't active?


If you are a tech, then you may want to check out Malware Removal University. They should teach you how to use tools like ComboFix (Windows XP only though).
exile360
I'm enrolled at that very school myself.
GT500
QUOTE (exile360)
I'm enrolled at that very school myself.


What do they teach you to use for malware removal on Vista in place of ComboFix?
swagger
QUOTE (GT500 @ Jan 27 2009, 08:28 PM) *
What do they teach you to use for malware removal on Vista in place of ComboFix?


This school is real? Schools for malware? Wow... Nice. I may try this out.
exile360
Haven't gotten that far yet unfortunately. Have you tried Combofix with Vista yet? Just curious, because I seem to recall that I saw some semi-official instructions on one of the tech forums (might have been bleepingcomputer, but not sure) that you could use it with Vista (at least 32 bit).

edit: just found this on MG:
http://forums.majorgeeks.com/showthread.php?t=151000
http://forums.majorgeeks.com/showthread.php?t=139681

the first link says it should work in 32 bit and the second is the official instructions on running their recommended cleanup tools (including Combofix and how to make it work in Vista).
GT500
QUOTE (exile360)
Haven't gotten that far yet unfortunately. Have you tried Combofix with Vista yet? Just curious, because I seem to recall that I saw some semi-official instructions on one of the tech forums (might have been bleepingcomputer, but not sure) that you could use it with Vista (at least 32 bit).


I've seen people use it on Vista without problems, but my understanding is that it's developed on XP for XP and is not supported on Vista, so I see no reason to even bother trying it on Vista.
exile360
Yeah, it's developed for XP, but as with most software, just as long as you're running 32 bit it works just fine. Whether it's supported or not is another issue altogether. I'd just make sure the user makes a fresh restore point if possible and has their Vista install disc handy as it can be used to do an offline system restore should things go badly.
B-boy/StyLe/
Yeah... Unfortunately ComboFix and The Avenger don't work on Windows Vista x64, and they will probably not work with Vista x64 and Windows Sev7n x64 in the future. sad.gif

QUOTE
The Avenger is fully compatible with 32-bit Windows Vista, XP, and 2000. Please do not attempt to use it on any other operating system. There are no plans to build a 64-bit version of The Avenger because of Microsoft's decision to require digital signatures for 64-bit Vista kernel code.
exile360
Thankfully, due to MS's design of 64 bit Vista, infections are seldom (if ever) able to be quite as tenacious and embedded as they are in 32 bit, reducing, if not eliminating, the need for such tools.
B-boy/StyLe/
QUOTE (exile360 @ Jan 28 2009, 02:17 AM) *
Thankfully, due to MS's design of 64 bit Vista, infections are seldom (if ever) able to be quite as tenacious and embedded as they are in 32 bit, reducing, if not eliminating, the need for such tools.


I agree...
Only one note => Windows Vista x64 is still vulnerable to technology that uses hardware virtualization to install undetectable malware on a computer running the OS. (Yeah, Blue Pill, SubVirt and the others => Virtual Machine Rootkits were blocked in Vista RC2)... but this is only the beginning...
Yesterday I changed my CPU (E2180) to (E8400) and will try Hypersight Rootkit Detector, which requires VT-x Virtualization.
GT500
QUOTE (exile360)
Yeah, it's developed for XP, but as with most software, just as long as you're running 32 bit it works just fine. Whether it's supported or not is another issue all together. I'd just make sure the user makes a fresh restore point if possible and has their Vista install disc handy as it can be used to do an offline system restore should things go badly.


While it runs, it could always remove something it shouldn't, or screw something up while it's removing.
exile360
QUOTE (kmillerusaf @ Jan 27 2009, 09:18 PM) *
This school is real? Schools for malware? Wow... Nice. I may try this out.

Yup, they teach you how to help users online in forums like this to get their computers cleaned up.
exile360
QUOTE (B-boy/StyLe/ @ Jan 27 2009, 08:31 PM) *
I agree...
Only one note => Windows Vista x64 is still vulnerable to technology that uses hardware virtualization to install undetectable malware on a computer running the OS. (Yeah, Blue Pill, SubVirt and the others => Virtual Machine Rootkits were blocked in Vista RC2)... but this is only the beginning...
Yesterday I changed my CPU (E2180) to (E8400) and will try Hypersight Rootkit Detector, which requires VT-x Virtualization.

Yeah, I remember back when Intel first talked about introducing VT in the end user market (during the 900 series of Pentium D's as I recall), and I was worried about it then (long before Vista was even released). I believe it's possible to disable VT in the bios with most boards, but I'm not sure. I hope so, because I have no use for it and eventually I will build a new system (I have an old Pentium D 830 right now).
B-boy/StyLe/
QUOTE (exile360 @ Jan 28 2009, 03:25 AM) *
Yeah, I remember back when Intel first talked about introducing VT in the end user market (during the 900 series of Pentium D's as I recall), and I was worried about it then (long before Vista was even released). I believe it's possible to disable VT in the bios with most boards, but I'm not sure. I hope so, because I have no use for it and eventually I will build a new system (I have an old Pentium D 830 right now).


What do you think about this:

ZomBIe rootkit (not detected by many) blink.gif

The full story: wink.gif

http://forum.sysinternals.com/forum_posts.asp?TID=13773
exile360
You PM'd me about this one right? Sorry it took me so long to reply. I'd love to see if any of the current anti-rootkit tools can take it out as most of the ones they mention are somewhat outdated.
Invision Power Board © 2001-2010 Invision Power Services, Inc.