Technibble Forums > General Computers > Tech-to-Tech Computer Help
#1
06-14-2010, 08:23 AM
RegEdit
Join Date: Feb 2010
Location: Pacific Palisades, CA
Posts: 1,723

Viruses that stop Malwarebytes' last step

The newest thing viruses do is this: after Malwarebytes scans and detects viruses, you click "Next" and the program closes, never giving you the opportunity to remove them. Is there a common fix for this, or do you have to try using an AV Rescue CD?
#2
06-14-2010, 08:24 AM
Thedog
Join Date: Apr 2010
Posts: 361

Quote: Originally Posted by RegEdit
The newest thing viruses do is this: after Malwarebytes scans and detects viruses, you click "Next" and the program closes, never giving you the opportunity to remove them. Is there a common fix for this, or do you have to try using an AV Rescue CD?

Try using ComboFix instead. Since it is "no install" software, you can download the ComboFix file, rename it to anything, and run it, for example as HPUPDATE.exe or whatever. Another way would be to look at the things MBAM found and manually remove them.
#3
06-14-2010, 08:45 AM
RegEdit
Join Date: Feb 2010
Location: Pacific Palisades, CA
Posts: 1,723

There's got to be a registry fix, a file association fix... something. I really wish I knew what was shutting down the program. One of the viruses prompts the user to uninstall Malwarebytes, so the authors have specifically targeted it.

Interestingly I was able to install and run SuperAntiSpyware, then remove the malware it found no problem. SuperAntiSpyware only found about 1/10th the malware that Malwarebytes found though.

UPDATE: Malwarebytes worked in safe mode.

Just curious... Can ComboFix run in Safe Mode if there's no other choice?

Last edited by RegEdit; 06-14-2010 at 08:51 AM.
#4
06-14-2010, 10:50 AM
iisjman07
Join Date: Jul 2009
Location: South End Of The UK
Posts: 3,049

I ran into this problem a while back, and somehow the malware even stopped Malwarebytes from removing the infections (like you say), even when I renamed mbam.exe. If I ever run into trouble removing something from inside the OS, I just stop and slave the drive in another PC; it usually saves time.
__________________
put that in your pipe and grep it
#5
06-14-2010, 11:02 AM
red12049
Join Date: Aug 2009
Posts: 1,007

Quote: Originally Posted by RegEdit
There's got to be a registry fix, a file association fix... something. I really wish I knew what was shutting down the program. One of the viruses prompts the user to uninstall Malwarebytes, so the authors have specifically targeted it.

Interestingly I was able to install and run SuperAntiSpyware, then remove the malware it found no problem. SuperAntiSpyware only found about 1/10th the malware that Malwarebytes found though.

UPDATE: Malwarebytes worked in safe mode.

Just curious... Can ComboFix run in Safe Mode if there's no other choice?

ComboFix will run in safe mode, if the virus doesn't prevent Windows from starting in safe mode. Many bugs do.

What I've found to be VERY effective and quick is to boot to the UBCD4WIN, and use registry restore to go back to before the virus infected the machine. When that is done and you reboot into Windows, the virus/rogue doesn't start, and you can use your tools to clean it much easier.

If the virus has removed the system restore points, then use EZPCFIX to pull out the startup entries.

Rick
#6
06-14-2010, 01:00 PM
Hercomputers
Join Date: Mar 2010
Location: Central, NJ
Posts: 561

After Malwarebytes detects and finds the virus, all the files show up in a box with a green check mark in front of each one. There is a button at the bottom left that says 'Remove Selected'. You choose this, you are prompted to reboot the computer to complete the removal, and that should take care of it. I actually had to do this last night on an old desktop I was working on, and after the reboot those infected entries were gone.

And about ComboFix, it can run in safe mode.
__________________
Renee
Her-Computer-Services!
#7
06-14-2010, 01:13 PM
Galdorf
Join Date: Feb 2009
Location: Ontario, Canada
Posts: 1,671

I have seen this one twice. It disables booting into safe mode. When you run Malwarebytes it lets you scan all the way, but when you go to remove, it terminates the program. It will not allow you to run ComboFix; it deletes the batch files ComboFix creates.
It has 2 rootkits, a TDSS Rustock variant and an Alureon variant, with 4 watchers, and uses the new TDSS exploit, so both are undetectable unless you boot from CD or slave the drive to another machine.
This one is nasty to remove. Best to slave it and run AV, a-squared, and Malwarebytes on it. Don't waste time trying to clean it while in the OS; both rootkits hide each other. Rootkit scanners find nothing; I tried them all, 30 different ones.
It even prevents Autoruns from deleting or changing anything, even if you run RKill or Returner in the infected OS. This thing is a nightmare to remove.
#8
06-14-2010, 03:44 PM
Xander
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,796

Why not open MBAM's log file and remove what it found manually then?
At that point, it's done all the hard work for you.
__________________
Xander St Catharines Computer Repairs

New here? Watch this and read this. Remember, it's not our problem, it's yours so ask your questions well.
e.g. Make/Model#, Win version/SP#, BSOD 0x#. Consider posting Event Viewer logs, Autoruns exports or something.
More info means better answers and less snark.

Don't be parasitic and only pose your own questions. Help others.
Never trust a "tech" with a hotmail address.


D7 question/idea/etc? Bring it to the D7 Forums.
#9
06-14-2010, 06:40 PM
vdub12
Join Date: Mar 2010
Posts: 2,509

Quote: Originally Posted by RegEdit
There's got to be a registry fix, a file association fix... something. I really wish I knew what was shutting down the program. One of the viruses prompts the user to uninstall Malwarebytes, so the authors have specifically targeted it.

Interestingly I was able to install and run SuperAntiSpyware, then remove the malware it found no problem. SuperAntiSpyware only found about 1/10th the malware that Malwarebytes found though.

UPDATE: Malwarebytes worked in safe mode.

Just curious... Can ComboFix run in Safe Mode if there's no other choice?

Why are so many people dependent on scanners? It's so much faster just removing the virus manually. Why wait an hour or more for a scanner to finish if you can identify the virus and remove it?
__________________
CyberCPU Computer Repair
#10
06-14-2010, 08:50 PM
Xander
Join Date: Oct 2008
Location: Niagara region, Ontario
Posts: 6,796

Quote: Originally Posted by RegEdit
Interestingly I was able to install and run SuperAntiSpyware

Any reason you're not running the portable version? Once you've bought the Tech's License, it's legit to run it (or the full version for that matter) on any customer's system as part of your cleanup.