Virus blocks safe mode but not regular mode

RegEdit

Viruses keep preventing all of the R-Kill files from launching, so I tried to boot in safe mode to run R-Kill and Malwarebytes but it's a no go. It's strange because these viruses allow regular mode. I'm gonna use a BitDefender boot CD. Nevertheless I was wondering if there's a simple tweak that anyone knows about that might allow me to boot in safe mode?
 
All I have to say is ditch the scanners and find what's causing the problem and remove it manually.

Scanners are to techs like building codes are to contractors. Use your knowledge to remove the virus and use the scanners once the system is running right to make sure you have covered all bases.
 
Can you rename RKILL.exe to Firefox.exe?
Yeah that worked! Nice trick there.

Why make it hard on yourself? Use AV software first if possible. Sometimes you can disable malware just enough to run MWB with process explorer or autoruns. I also use process explorer and autoruns as a final search for viruses when I think they're all gone. This is the process recommended by a Microsoft guru. I'd post the video link to one of his seminars if I could find it.
 
The objective in our shop, like most, is to get the machine back to the customer in proper operating condition, as quickly as possible consistent with goal number one. We try to turn everything we can around within twenty four hours.

When we check a machine in, we usually ask when the customer first noticed the symptoms. When we start on the machine, if it gives any indication of blocking anything, we will boot to UBCD4Win, and use Registry Restore Wizard to roll the registry back to before the customer noticed the problem. Takes just a few minutes, prevents the bad stuff from starting, and makes things much smoother.

We know how to remove stuff manually, but except for the occasional boost to our ego, I'd rather have a happy customer, and be paid for the job. Makes paying the bills much easier. :)

Rick
 
The average virus or malware scan takes at least a half hour to an hour. Manually removing most modern viruses can take about 10 minutes.

I don't know how an ego boost has anything to do with it. I personally don't think we should rely on scans to remove viruses. I think the scans should be used in addition to the real work of removing the bad stuff. Rolling the registry back is even worse because any changes made to the system in that time will also be rolled back.

Most modern viruses make the scanners unusable anyway so the time spent scanning can be completely wasted and manual removal might be the only option, so why not start with it. It's not hard to view the system's startup entries and find the problem process or processes. Once disabled it's only a matter of deleting the affected files and then fixing whatever changes those processes made. Most of that can be handled by practicing virus removal on a VM and creating scripts and reg files to repair damage caused by the virus.

I personally spend a lot of time infecting a test VM with viruses that I see in the field. Because of this I have gotten the removal of the most popular ones down to about 10 minutes.

I have always thought that this knowledge is what separates us from the kid down the street. I personally clean viruses off computers all the time that already have these scanners installed. In most cases it's because the customer or the kid down the street has already tried this avenue of repair and could not fix it.
 
What do you use? Doug Knox's xp_emergencyutil to create usable msconfig?
Or the freeware WhatInStartup?
Or enable boot logging?

There are all kinds of options.

My first resource is Autoruns. Sometimes viruses block it so I just rename the executable. If that does not work you have a number of registry editors. You can even remote edit the registry from UBCD4Win. I like to kill all startup items when I first start. That will get rid of iTunes, HP drivers, Norton, AVG, and everything else that slows the computer down as well as the virus itself. Once you get there you can easily sift through the startup and find the problem child. Once you find it note its location and delete the startup entry. Then do a search for files created on the same day as the virus. Note their locations and the rest is elementary. At this point I try and convince the customer to use MSE and if they agree then I wipe the old AV and load MSE and restart all the startup items that I disabled before, excluding unnecessary items. Finally I try and upsell a memory upgrade if the system can use it and that's it.

As a side note never leave an infected file on the system. I have seen many techs delete the startup entry but then leave the infection alone. You have to try and find not only the infection but also what system files it may have modified. Once you do that then replace the modified files and remove the infection. The last thing you need is the customer's AV program finding the virus a day later and an angry customer calling wanting to know why their computer is infected again.
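The manual triage described in the two posts above (list the startup entries, find the entry that does not belong, then look for files created on the same day as the infection) can be scripted so the listing step is repeatable. The script below is an added example written for this thread, not something posted by anyone in it or part of Autoruns/UBCD4Win. It is read-only: it lists and flags, and deletion stays a human decision. The seven-day window, the set of Run keys and the drop directories are assumptions; the SafeBoot check at the end reflects a known cause of the original poster's symptom (safe mode failing to start while normal mode works) and is not something the thread itself says.

```powershell
# Added example: read-only startup/file-date triage for a Windows box.
# Assumptions: PowerShell 3+, run from an elevated prompt so HKLM and other users' profiles are readable.
param(
    # Assumption: the customer noticed symptoms about a week ago (constructed default).
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# Auto-start locations the thread is talking about (assumption: these cover the common cases).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    # One object per Run/RunOnce value: where it lives, what it launches, and whether the
    # binary exists, when it was created and whether it carries a valid Authenticode signature.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            $cmd = [string]$p.Value
            # Pull the executable out of the command line, quoted ("C:\Program Files\x.exe" /arg) or bare.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = $exists
                Created = if ($exists) { (Get-Item -LiteralPath $exe).CreationTime } else { $null }
                Signed  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
            }
        }
    }
}

function Get-RecentBinary {
    # The "files created on the same day" search from the thread, limited to directories where
    # user-writable drops usually land (assumption) and to executable-ish extensions.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP, "$env:windir\Temp")
    Get-ChildItem -Path $roots -Recurse -File -Include *.exe, *.dll, *.scr, *.bat, *.vbs -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        Select-Object FullName, CreationTime, Length
}

function Test-SafeBootKeys {
    # Safe mode (Minimal) and Safe mode with networking (Network) are driven by these keys.
    # If either is missing, safe mode will not start, which is one explanation for a machine
    # that boots normally but refuses safe mode; restoring them is a job for a trusted backup.
    foreach ($profile in 'Minimal', 'Network') {
        [pscustomobject]@{
            Profile = $profile
            Present = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
        }
    }
}

Write-Host "== Auto-start entries (unsigned or missing binaries sort to the top) =="
Get-AutostartEntry | Sort-Object Exists, Signed | Format-Table -AutoSize

Write-Host "== Executables created since $Since in common drop locations =="
Get-RecentBinary | Sort-Object CreationTime -Descending | Format-Table -AutoSize

Write-Host "== SafeBoot registry profiles =="
Test-SafeBootKeys | Format-Table -AutoSize
```

Read the first table the way the thread suggests: an entry whose binary is unsigned, was created on the day the symptoms started, and lives under AppData or Temp is the "problem child"; an entry whose binary no longer exists is leftover from a previous cleanup. Cross-check it against the second table before touching anything, and note the file's path so the file itself, not only the startup entry, is removed.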
 
Vdub,

I own a pretty high volume repair shop/retail store. Including myself, there are between two and four techs, five and a half days a week. I work at least ten hours a day, the techs work between eight and nine. To be honest, I don't have time or energy to play with infecting VMs. I've done it, but I don't want to keep doing it every time a new variant comes out.

Yes, rolling the registry back undoes recent changes. That includes the bad changes. The machine is usually unusable, or nearly so, so what is the difference? We ensure that Windows is updated before the machine leaves, as well as all vulnerable software, so, in most cases, undoing recent changes is a good thing.

FWIW, we've been in business here for fifteen years, twelve of them in the same location. There is plenty of competition. The city we are located in has about six thousand people, the county about thirty thousand. Most of our customers are residential, some business. With those demographics, you simply don't build a business of this size, in this industry without a good reputation, without knowing what you are doing.

Boiled down, I simply offered a quick and easy way to do what you are doing, and enable better work flow. You, and everyone else here, are free to use it or not, as you see fit.

Rick
 
I completely see your point of view. However, I still disagree. I used to use the scanners and all that stuff and it would take hours to clean a computer. Now I can remove most viruses in a matter of 10 to 20 minutes and then move on to the next system. I would say 99% of the viruses currently out there look way worse than they really are. Most of them are a single file causing all the problems. Why not just identify the offending file and nuke it. That's my point in a nutshell.
 
If the machines you service only have minimal infections, that works. Typically, we don't get a machine until the customer simply can't use it anymore. They are usually full of every kind of infection there is. Rogues, rootkits, the full gamut. I've had more than one machine where the rogue antivirus not only blocked the legitimate AV, but was also fighting with other rogues on the system; it was rather funny to watch.

IIRC, a few posts above, you said you ran scanners at the end of the job. In the post I just quoted, you said you were typically done in ten to twenty minutes. If you're not scanning, how do you have any assurance that you've gotten everything, including adware, suspect toolbars, etc.?

We typically spend several hours on an infected computer. After removing infections, we update everything, clean it (both physically and software), give it a tuneup, and finally, a good defrag. If it needs a hardware upgrade (ram, almost full hdd, etc.) we'll call and recommend. This results in a clean machine that almost always runs better than it has in a long time, and most importantly, a very happy customer.

Rick
 
Yeah at the very least you have to assume that there are lots of viruses on there; otherwise, if cutting corners, you may be playing Russian roulette with the security of the customer's private data, etc. I use multiple scanners (MWB, SuperAntiSpyware, plus either Security Essentials or whatever AV is already installed on the machine) and manually look with Process Explorer and Autoruns for stuff that may have been missed.

Once you start a long scan then you can work on other stuff until it's done, so it's not really much extra time of YOURS spent; it just delays how long it will take for the customer to get their machine back.

Let the AV scanners do as much of the dirty work as possible.
 