
View Full Version : Viruses that stop Malwarebytes' last step


RegEdit
06-14-2010, 08:23 AM
The newest thing that viruses do is after Malwarebytes scans and detects viruses, then you click "next" and the program closes, never giving you the opportunity to remove them. Is there a common fix for this OR do you have to try using an AV Rescue CD?

Thedog
06-14-2010, 08:24 AM
The newest thing that viruses do is after Malwarebytes scans and detects viruses, then you click "next" and the program closes, never giving you the opportunity to remove them. Is there a common fix for this OR do you have to try using an AV Rescue CD?

Try using combofix instead. Since it is a "no install" software you can download the file combofix and just rename it to anything and run it, for example HPUPDATE.exe or whatever. Another way would be to look at the things MBAM found and manually remove them.

RegEdit
06-14-2010, 08:45 AM
There's got to be a registry fix, a file association fix... something. I really wish I knew what was shutting down the program. One of the viruses prompts the user to uninstall Malwarebytes, so the authors have specifically targeted it.

Interestingly I was able to install and run SuperAntiSpyware, then remove the malware it found no problem. SuperAntiSpyware only found about 1/10th the malware that Malwarebytes found though.

UPDATE: Malwarebytes worked in safe mode.

Just curious... Can ComboFix run in Safe Mode if there's no other choice?

iisjman07
06-14-2010, 10:50 AM
I ran into this problem a while back and somehow the malware even stopped malwarebytes' removing the infections (like you say) even when I renamed mbam.exe. If I ever run into trouble removing something from inside the OS I just stop and slave the drive in another pc; it saves time usually.

red12049
06-14-2010, 11:02 AM
There's got to be a registry fix, a file association fix... something. I really wish I knew what was shutting down the program. One of the viruses prompts the user to uninstall Malwarebytes, so the authors have specifically targeted it.

Interestingly I was able to install and run SuperAntiSpyware, then remove the malware it found no problem. SuperAntiSpyware only found about 1/10th the malware that Malwarebytes found though.

UPDATE: Malwarebytes worked in safe mode.

Just curious... Can ComboFix run in Safe Mode if there's no other choice?

Combofix will run in safe mode, if the virus doesn't prevent Windows from starting in safe mode. Many bugs do.

What I've found to be VERY effective and quick is to boot to the UBCD4WIN, and use registry restore to go back to before the virus infected the machine. When that is done and you reboot into Windows, the virus/rogue doesn't start, and you can use your tools to clean it much easier.

If the virus has removed the system restore points, then use EZPCFIX to pull out the starting entries.

Rick

Hercomputers
06-14-2010, 01:00 PM
After Malwarebytes detects and finds the virus, all the files show up in a box with a green check mark in front of each. There is a button at the bottom to the left that says 'Remove Selected'; you choose this, you are prompted to reboot the computer to complete the removal, and that should take care of it. I actually had to do this last night on an old desktop I was working on, and after the reboot those infected entries were gone.

And about Combo Fix, it can run in safe mode.

Galdorf
06-14-2010, 01:13 PM
I have seen this one twice. It disables booting into safe mode; when you run Malwarebytes it allows you to scan all the way, but when you go to remove, it terminates the program. It will not allow you to run ComboFix; it deletes the batch files it creates.
It has 2 rootkits, a TDSS Rustock variant and an Alureon variant, with 4 watchers, and uses the new TDSS exploit, so both are undetectable unless you boot from CD or slave to another machine.
This one is nasty to remove. Best to slave it and run AV, a-squared, Malwarebytes on it; don't waste time trying to clean it while in the OS. Both rootkits hide each other; rootkit scanners find nothing. I tried them ALL, 30 different ones.
It even prevents Autoruns from deleting or changing anything, even if you run rkill or returner in the infected OS. This thing is a nightmare to remove.

Xander
06-14-2010, 03:44 PM
Why not open MBAM's log file and remove what it found manually then?
At that point, it's done all the hard work for you.

vdub12
06-14-2010, 06:40 PM
There's got to be a registry fix, a file association fix... something. I really wish I knew what was shutting down the program. One of the viruses prompts the user to uninstall Malwarebytes, so the authors have specifically targeted it.

Interestingly I was able to install and run SuperAntiSpyware, then remove the malware it found no problem. SuperAntiSpyware only found about 1/10th the malware that Malwarebytes found though.

UPDATE: Malwarebytes worked in safe mode.

Just curious... Can ComboFix run in Safe Mode if there's no other choice?

Why are so many people dependent on scanners? It's so much faster just removing the virus manually. Why wait an hour or more for a scanner to finish if you can identify the virus and remove it?

Xander
06-14-2010, 08:50 PM
Interestingly I was able to install and run SuperAntiSpyware

Any reason you're not running the portable version? Once you've bought the Tech's License, it's legit to run it (or the full version for that matter) on any customer's system as part of your cleanup.

RegEdit
06-14-2010, 09:07 PM
If I ever run into trouble removing something from inside the OS I just stop and slave the drive in another pc; it saves time usually.
The only problem with slaving is that Malwarebytes is NOT designed to be run like that. If you slave the problem C drive to another computer running MWB, then often it renders the computer unbootable after removing the malware.

If you have 500 viruses detected then copying down the log file and manually deleting with a Bart PE CD could be difficult to say the least, unless I'm looking for the "2 rootkits tdss rustock variant and aleuron variant with 4 watchers".

Fortunately this thing doesn't seem to target other AV software. If you can knock it down to 10's of items detected then the manual method seems a little more doable.
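Xander's suggestion above (work from MBAM's log instead of its "Remove Selected" button) and RegEdit's objection (hundreds of entries are too many to copy down by hand, and MBAM itself is not meant to run against a slaved drive) can be reconciled by parsing the log on another machine. The following is an added example, not code from the thread or from Malwarebytes. It assumes the MBAM 1.x log layout (sections headed "... Infected:", one item per line as "<path> (<threat>) -> <action>."), uses a constructed sample log, and assumes the infected disk is slaved as E:. It rewrites file paths to the slaved drive, refuses to delete anything under system32\drivers (a patched system driver has to be replaced, not deleted, or the box will not boot), and lists registry and process entries for follow-up because those cannot be removed from a dead disk without loading its hives.

```python
"""Turn an MBAM 1.x log into an offline removal worklist for a slaved drive.

Added example (not from the thread or from Malwarebytes). The log format is
assumed from MBAM 1.4x-era text logs; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample log, trimmed to the summary and detection sections.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4203

Memory Processes Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\User\Application Data\avsoft.exe (Rogue.AntivirusSoft) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\avsoft (Rogue.AntivirusSoft) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avsoft (Rogue.AntivirusSoft) -> No action taken.

Files Infected:
C:\Documents and Settings\User\Application Data\avsoft.exe (Rogue.AntivirusSoft) -> No action taken.
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit.TDSS) -> No action taken.
"""

# A section header ends in "Infected:" with nothing after the colon; the
# summary block ("Files Infected: 2") has a count and so does not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# Greedy path, then the last "(threat)" before " -> action."
ITEM_RE = re.compile(r"^(.*) \(([^()]+)\) -> (.*)\.$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM_DRIVER_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\drivers\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {section: [(path, threat, action), ...]} for each detection section."""
    findings = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        item = ITEM_RE.match(line)
        if item:
            findings[section].append(item.groups())
    return dict(findings)


def offline_worklist(findings, slaved_root="E:\\"):
    """Sort findings by what can actually be done from another machine.

    Files and folders on the slaved disk are deletable after a path rewrite
    (C:\\ -> slaved_root). System drivers are flagged for replacement instead.
    Registry entries live inside hive files and processes do not exist
    offline, so both go to a follow-up list rather than a delete list.
    """
    root = slaved_root.rstrip("\\") + "\\"
    work = {"delete": [], "replace": [], "followup": []}
    for section, items in findings.items():
        for path, threat, _action in items:
            if section in ("Files Infected", "Folders Infected"):
                offline = root + path[3:] if DRIVE_RE.match(path) else path
                bucket = "replace" if SYSTEM_DRIVER_RE.match(path) else "delete"
                work[bucket].append((offline, threat))
            elif section.startswith("Registry"):
                work["followup"].append(("registry", path, threat))
            elif section.startswith("Memory"):
                work["followup"].append(("process", path, threat))
            else:
                work["followup"].append((section.lower(), path, threat))
    return work


def removal_batch(work):
    """Render a cmd script for the technician to read before running it."""
    lines = ["@echo off", "rem Generated from an MBAM log; review every line first."]
    for offline, threat in work["delete"]:
        lines += [f"rem {threat}", f'del /f /q "{offline}"']
    for offline, threat in work["replace"]:
        lines += [f"rem {threat}: patched system driver, replace from a clean copy", f'rem NOT deleting "{offline}"']
    for kind, path, threat in work["followup"]:
        lines.append(f"rem follow-up ({kind}, {threat}): {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(removal_batch(offline_worklist(parse_mbam_log(SAMPLE_LOG))))
```

The registry follow-up list is the part that still needs a live or loaded hive; with the disk slaved, the Run value can be removed by loading E:\Documents and Settings\User\NTUSER.DAT under a temporary key in regedit, which is outside what this script automates.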

bagellad
06-16-2010, 06:34 AM
There is a post from a user named Gregg whose virus removal is about perfect, but I have developed a couple of tricks for getting around these viruses.


try removing the rootkits in the driver folder with a boot cd first

or

Try opening up Malwarebytes, then crashing iexplorer.exe or whatever so the task bar is gone, etc. Then it seems to run without interference.

RegEdit
06-16-2010, 06:54 AM
Try opening up Malwarebytes, then crashing iexplorer.exe or whatever so the task bar is gone, etc. Then it seems to run without interference.
You mean using process explorer or task manager to pause the explorer process will somehow halt the rootkits so that Malwarebytes will work?