What should I do in these situations?

1. The user is unable to install Malwarebytes because of an infection

2. The user was able to install MBAM but he is unable to run the program because of an infection

Thanks! ;)

Normally renaming the executables allows them to run for the malware removal, but obviously when you change the name of mbam.exe it needs to be changed back after cleanup, or the shortcuts will be broken.

If that doesn't help, then I go through HijackThis or ComboFix and see if I can get the removal started without MBAM. Sometimes you can kill the load point for the trojan that's keeping MBAM from running, or ComboFix will delete it and solve the problem. Note that ComboFix should only be run on Windows XP, and only under the supervision of someone who knows ComboFix, and can walk the user through any issues they may have after using it.


  • Staff

Haven't gotten that far yet unfortunately. Have you tried Combofix with Vista yet? Just curious, because I seem to recall that I saw some semi-official instructions on one of the tech forums (might have been bleepingcomputer, but not sure) that you could use it with Vista (at least 32 bit).

edit: just found this on MG:

http://forums.majorgeeks.com/showthread.php?t=151000

http://forums.majorgeeks.com/showthread.php?t=139681

the first link says it should work in 32 bit and the second is the official instructions on running their recommended cleanup tools (including Combofix and how to make it work in Vista).


Haven't gotten that far yet unfortunately. Have you tried Combofix with Vista yet? Just curious, because I seem to recall that I saw some semi-official instructions on one of the tech forums (might have been bleepingcomputer, but not sure) that you could use it with Vista (at least 32 bit).

I've seen people use it on Vista without problems, but my understanding is that it's developed on XP for XP and is not supported on Vista, so I see no reason to even bother trying it on Vista.


  • Staff

Yeah, it's developed for XP, but as with most software, just as long as you're running 32 bit it works just fine. Whether it's supported or not is another issue all together. I'd just make sure the user makes a fresh restore point if possible and has their Vista install disc handy as it can be used to do an offline system restore should things go badly.


Yeah... Unfortunately ComboFix and The Avenger don't work on Windows Vista x64, and they will probably not work with Vista x64 and Windows Sev7n x64 in the future. :)

The Avenger is fully compatible with 32-bit Windows Vista, XP, and 2000. Please do not attempt to use it on any other operating system. There are no plans to build a 64-bit version of The Avenger because of Microsoft's decision to require digital signatures for 64-bit Vista kernel code.

Thankfully, due to MS's design of 64 bit Vista, infections are seldom (if ever) able to be quite as tenacious and embedded as they are in 32 bit, reducing, if not eliminating, the need for such tools.

I agree...

Only one note => Windows Vista x64 is still vulnerable to technology that uses hardware virtualization to install undetectable malware on a computer running the OS. (Yeah, Blue Pill, SubVirt and the others => Virtual Machine Rootkits were blocked in Vista RC2)... but this is only the beginning...

Yesterday I changed my CPU from an E2180 to an E8400 and will try the Hypersight Rootkit Detector, which requires VT-x virtualization.


Yeah, it's developed for XP, but as with most software, just as long as you're running 32 bit it works just fine. Whether it's supported or not is another issue all together. I'd just make sure the user makes a fresh restore point if possible and has their Vista install disc handy as it can be used to do an offline system restore should things go badly.

While it runs, it could always remove something it shouldn't, or screw something up while it's removing.


  • Staff

I agree...

Only one note => Windows Vista x64 is still vulnerable to technology that uses hardware virtualization to install undetectable malware on a computer running the OS. (Yeah, Blue Pill, SubVirt and the others => Virtual Machine Rootkits were blocked in Vista RC2)... but this is only the beginning...

Yesterday I changed my CPU from an E2180 to an E8400 and will try the Hypersight Rootkit Detector, which requires VT-x virtualization.

Yeah, I remember back when Intel first talked about introducing VT in the end user market (during the 900 series of Pentium D's as I recall), and I was worried about it then (long before Vista was even released). I believe it's possible to disable VT in the bios with most boards, but I'm not sure. I hope so, because I have no use for it and eventually I will build a new system (I have an old Pentium D 830 right now).


  • 2 weeks later...

Yeah, I remember back when Intel first talked about introducing VT in the end user market (during the 900 series of Pentium D's as I recall), and I was worried about it then (long before Vista was even released). I believe it's possible to disable VT in the bios with most boards, but I'm not sure. I hope so, because I have no use for it and eventually I will build a new system (I have an old Pentium D 830 right now).

What do you think about this:

ZomBIe rootkit (not detected by many) ;)

The full story: ;)

http://forum.sysinternals.com/forum_posts.asp?TID=13773
