Solved virus removal from within safe mode

eduede

New member
I've got a really bad virus. Laptop has MSE installed and I have the Malwarebytes installer on a thumb drive but can't install it because of the virus. I've booted into Safe Mode alternate shell. What are my options from here? Can I run scans from here? Can I install Malwarebytes off my thumb drive in hed 4un itj
 

My Computer

OS
Windows 7 Home Ultimate 64-Bit, Ubuntu 10.04 Lucid Lynx, Windows XP
CPU
Pentium i7 @fast
Memory
6GB DDR3 @fast
Graphics Card(s)
ATI Radeon HD 4600 Series (512mb) / ATI TV Wonder 650PCIe
Sound Card
Integrated
Monitor(s) Displays
32" VIZIO HDTV
Screen Resolution
1080p @super sharp
Hard Drives
Internal 500GB @7200rpm and not big enough cache
External 500GB @7200rpm and not big enough cache
Cooling
My apartment's AC / Chicago Winters
Keyboard
LG Bluetooth
Mouse
LG Bluetooth
Internet Speed
~21.50Mb/S Down, ~3.5Mb/S Up
Hello there, eduede!

Let's see, first, you have to boot into Safe Mode with Networking for the malwarebytes to update its database, install it, update it, do a complete system scan, and the rest should be taken care of...

After the scan finishes, select the infected items, delete them, reboot your PC and you could just do another system scan, to double check that the virus is no longer infecting your PC :)

Cheers.
 

My Computer

Computer type
PC/Desktop
OS
Windows
Try running Rkill, then run Malwarebytes

Rkill
Note: If your security software warns about Rkill, ignore & allow the download to continue.
Download RKill by Grinler from Here & save it to your Desktop.
Alternate download links:
Two
Three
Four
  • Double click Rkill to run it
  • A command window will open then disappear upon completion, this is normal
    • If this does not happen... delete the file, then download & use the next link provided
    • If it does not work, repeat the process & attempt to use one of the remaining links until the tool runs
  • Do not reboot your machine until asked to do so. If no version of Rkill would run, please let me know
  • When finished, Notepad will open with a log file, automatically saved at C:\rkill.log
  • Copy/paste the contents of the rkill.log file in your next reply
  • Leave Rkill on the Desktop unless instructed otherwise
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.
 

My Computer

Computer Manufacturer/Model Number
Dell Studio 15
OS
Windows 7 Ultimate 64 bit
Well, I accidentally booted into Safe Mode minimal (alternate shell), so everything is command line. What are the command line commands for running the Malicious Software Removal Tool?
 

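The question above is about running the scanners that are already on the laptop from a Safe Mode command prompt. The script below is an added example, not something posted in this thread: it drives MSE's command-line scanner (MpCmdRun.exe) and the Malicious Software Removal Tool (MRT.exe) with their documented switches. It assumes MSE is installed in its default folder under Program Files, that PowerShell is started elevated from the Safe Mode prompt, and that the machine was booted into Safe Mode with Networking so the signature update can reach Microsoft (in minimal Safe Mode the update step simply fails and the scan runs with whatever definitions are present).

```powershell
# Added example: run MSE and MSRT from the Safe Mode command prompt.
# Assumption: MSE lives in its default location; MRT.exe ships in System32.
$mse = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
$mrt = Join-Path $env:windir 'System32\MRT.exe'

function Invoke-OfflineScan {
    param([switch]$Detect)   # -Detect: report only, remove nothing

    if (-not (Test-Path $mse)) { throw "MSE command-line scanner not found at $mse" }

    # 1. Pull current definitions. Needs network; harmless failure without it.
    & $mse -SignatureUpdate
    Write-Host "Signature update exit code: $LASTEXITCODE"

    # 2. Full system scan. -ScanType 2 is a full scan, 1 would be a quick scan.
    #    MpCmdRun returns 0 when nothing was found and 2 when threats were found.
    & $mse -Scan -ScanType 2
    Write-Host "MSE full scan exit code: $LASTEXITCODE"

    # 3. MSRT extended scan. /Q = quiet, /N = detect only, /F:Y = extended scan
    #    with automatic removal.
    if (Test-Path $mrt) {
        $switches = if ($Detect) { '/Q', '/N' } else { '/Q', '/F:Y' }
        & $mrt @switches
        Write-Host "MSRT exit code: $LASTEXITCODE"
    } else {
        Write-Warning "MRT.exe not present; install the current Malicious Software Removal Tool first"
    }

    # 4. Both tools write plain-text logs; these are what to paste into a reply.
    Write-Host "MSE log : $env:TEMP\MpCmdRun.log"
    Write-Host "MSRT log: $env:windir\debug\mrt.log"
}

Invoke-OfflineScan
```

Run `Invoke-OfflineScan -Detect` first if you want a list of what the tools see before anything is removed; the log paths printed at the end are the same ones the helpers in this thread ask posters to copy into their replies.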
I'd suggest reboot again and go into Safe Mode with Networking instead of Safe Mode with Command Line :)
 

RKill. That's a nice one. Like ComboFix? Will try that out one of these days:)

Encountered the "can't install Malwarebytes" before and I posted at the MBAM forums about it. They told me to rename the mbam.exe to anything other than mbam.exe. I did that and it worked. Updated manually. Pasted the rules.ref to C:\Program Data\Malwarebytes\Malwarebyte's Anti-Malware\. Just copy the rules.ref from a pc which has MBAM installed.

Or visit Manual Malwarebytes definitions download link

Seems like your problem..read here:

MBAM will not run

MBAM Command Line Parameters

Alternatives to Safe Mode scanning and removal can be found at this post. You do not need to boot to Safe Mode there; just boot to CD or USB and you're good to go.

But if you can try RKill that would be great.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Win7 Ultimate 64bit
CPU
AMD A8 5600K APU
Motherboard
Gigabyte F2A75MD3H
Memory
16gb DDR3
Graphics Card(s)
Radeon 7560
Sound Card
onboard
Monitor(s) Displays
kingston lcd 23inch wide
Hard Drives
WD 500gb (2)
WD 1TB
Antivirus
EAM + Online Armor Premium -- desktop
You might be better served burning a bootable AV disc (or 2), and cleaning from outside windows completely.

FREE Bootable AntiVirus Rescue CDs Download List

Delete all system restore points by turning off SR. If any signs of infection remain after boot scanning, and running additional scans within windows (online scanners are also a good idea: HouseCall - Free Online Virus Scan - Trend Micro USA, Free Online Virus Scan - BitDefender Online Scanner, Panda ActiveScan | Free Online Antivirus | Free Virus Disinfection - Panda Security, Free Virus Scan - Kaspersky Lab), a fresh install may be the best idea. A Guy
 

My Computer

Computer type
PC/Desktop
OS
Windows 10 Home x64
CPU
INTEL Core i5-750 Quad-Core 3.37GHz
Motherboard
ASUS P7P55D
Memory
HyperX Fury Black Series 8GB (2 x 4GB) 1866Mhz
Graphics Card(s)
EVGA GeForce GTX 750 Superclocked 1GB 128-Bit GDDR5
Monitor(s) Displays
LG 32MA68HY 32" IPS
Screen Resolution
1920 x 1080
Hard Drives
Samsung 840 Evo 120GB, SEAGATE 500GB Barracuda® 7200.12, SATA 3 Gb/s, 7200 RPM, 16MB cache
PSU
ANTEC TruePower New TP-550, 80 PLUS, 550W
Case
ANTEC Three Hundred Illusion
Cooling
COOLER MASTER Hyper 212 Plus, 4 x 120mm 1 x 140mm Noctua's
Internet Speed
85 + Mbps
Antivirus
Avast
Browser
Vivaldi
Hi there
I keep saying to people -- it is UTTERLY NO POINT in using an INFECTED computer to remove any VIRUS -- how can you be sure that the virus removing software itself hasn't been compromised?

Say you were drilling on an Oil Platform and the drill needed sharpening. You wouldn't use a tool which was already worn out to sharpen / renew the bit, would you?

Same with Virus removal -- why trust an INFECTED computer to work properly.

The ONLY IMO safe solution is a COMPLETE restore from a KNOWN Virus free backup or a total W7 re-install.

If you have data copy that to an external HDD and run a virus check against the data ON A SEPARATE MACHINE.

AV software is just that -- should protect against getting a virus -- once you have one then ONLY a RESTORE or Re-INSTALL can be guaranteed to be 100% safe.

Forget ANY AV removal software -- once you've BEEN infected it's TOO LATE. You need to catch any virus in Real time then you can take proper action.

MSE does a reasonable job at this once you've got your computer working properly again.

Cheers
jimbo
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom built, several laptops HP/ASUS
OS
Linux CENTOS 7 / various Windows OS'es and servers
CPU
Intel i7 Intel i5
Memory
8GB, 16GB
Graphics Card(s)
On Motherboard
Sound Card
Realtek HD audio
Monitor(s) Displays
Apple Cinema display, Samsung LCD
Screen Resolution
1920 X 1080
Hard Drives
4 X 1TB SATA
Mouse
Toshiba wireless laser
Internet Speed
> 20MB up
jimbo45,
you are absolutely right.
and what if he doesn't have a backup :D
in that case I would download Kaspersky Administration Kit, which enables you to remotely install antivirus and other components, and do disinfection as well as all other protection tasks, from one computer (AK server) to another (infected client) :haha:

see more at Product Updates --> Kaspersky Administration Kit 8

cheers!
sasanet.
 

My Computer

OS
windows 7 ultimate x64 SP1
Hi there
I wish NOBODY would be allowed to use a computer until they learned how important it was to take backups regularly AND ACTUALLY DO IT.

However if he doesn't have a backup then the only solution is to do a complete W7 re-install.

He could still copy DATA files (Music, documents, films, photos etc etc) to an external HDD or whatever before doing the re-install. Even with no backup program these can be copied via Windows Explorer. ===> BUT VIRUS SCAN THESE ON A SEPARATE MACHINE before copying back to your computer.


As I said previously after you've re-installed W7 install MSE and then take a BACKUP before installing any software etc. This will give you a decent image to recover from in the future without having to re-install again.

Incidentally keep the OS and applications in ONE partition = W7 partition size typically around 35 - 50 GB depending on what applications are installed. Divide the rest of your disc storage up into various partitions such as DATA, scratch volumes, Multi-media etc etc.

Cheers
jimbo
 

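The post above recommends copying only data files to an external drive and scanning them on a separate machine before restoring. The script below is an added example (not jimbo's or anyone else's code from this thread) of doing that copy with robocopy so that executable and script types, the usual carriers, are left behind and a log records what was taken. It assumes the external drive is E:, that the files to salvage live in the standard Windows 7 profile folders, and that it runs from an elevated PowerShell prompt; the destination is still treated as untrusted until it has been scanned elsewhere.

```powershell
# Added example: salvage user data from a suspect Windows 7 profile to an
# external drive, excluding executable/script file types. Assumptions:
# external drive is E:, profile is C:\Users\<current user>.
function Copy-DataForQuarantine {
    param(
        [string]$Profile     = (Join-Path $env:SystemDrive "Users\$env:USERNAME"),
        [string]$Destination = (Join-Path 'E:\Quarantine' $env:COMPUTERNAME)
    )
    # Only the data folders jimbo lists; AppData is deliberately left behind.
    $folders = 'Documents', 'Pictures', 'Music', 'Videos', 'Desktop'
    # File types that can carry or relaunch an infection; do not carry them over.
    $skipTypes = '*.exe', '*.dll', '*.scr', '*.com', '*.pif', '*.bat', '*.cmd',
                 '*.vbs', '*.js', '*.jse', '*.wsf', '*.lnk', '*.msi', '*.cpl'
    $log = Join-Path $Destination 'copy.log'
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null

    foreach ($f in $folders) {
        $src = Join-Path $Profile $f
        if (-not (Test-Path $src)) { continue }
        $dst = Join-Path $Destination $f
        # /E copy subfolders, /XF exclude file patterns, /XJ skip junctions
        # (avoids profile loops), /R:1 /W:1 do not stall on locked files,
        # /NP no progress spam, /LOG+ append everything to one log file.
        robocopy $src $dst /E /XJ /XF $skipTypes /R:1 /W:1 /NP "/LOG+:$log" | Out-Null
        # robocopy exit codes below 8 are success variants; 8 and above mean failures.
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "robocopy reported failures for $src (code $LASTEXITCODE)"
        }
    }
    # Marker for whoever scans the drive on the clean machine.
    "Copied from $env:COMPUTERNAME on $(Get-Date -Format s); SCAN BEFORE USE" |
        Out-File (Join-Path $Destination 'README-SCAN-FIRST.txt')
    Write-Host "Done. Scan $Destination on a separate, clean machine before restoring anything."
}

Copy-DataForQuarantine
```

Excluding executables does not make the copy clean: Office documents, PDFs and archives can still carry malicious content, which is exactly why the scan on a separate machine that the post insists on still has to happen before any of it is copied back.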
Hi,

Follow Carolyn's advice and you will be OK.

Regards,
Golden
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
RKill. That's a nice one. Like ComboFix? Will try that out one of these days:)

RKill is definitely very useful and is updated regularly. It doesn't remove anything, just stops processes that are preventing MBAM from running.

As to trying out ComboFix one of these days, doing so without guidance from someone who has been properly trained is most definitely at your own risk.
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
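Corrine's point that RKill removes nothing and only stops the processes blocking MBAM is worth seeing in concrete terms. The function below is an added example, not RKill's code or anything posted in this thread: it makes a read-only pass over running processes and reports the ones whose image runs from a user-writable location or carries no valid Authenticode signature, which is the sort of thing a helper would look at before deciding what to stop. It terminates nothing. It assumes an elevated PowerShell session so that process image paths are readable; an unsigned binary is a lead to investigate, not proof of infection.

```powershell
# Added example: read-only triage of running processes. Reports processes whose
# image is in a user-writable directory or is not validly signed; stops nothing.
# Assumption: run from an elevated PowerShell prompt so $_.Path is readable.
function Get-SuspectProcess {
    # Places a legitimate Windows component or installed program rarely runs from.
    $userWritable = @(
        $env:TEMP, "$env:windir\Temp",
        "$env:SystemDrive\Users", "$env:SystemDrive\ProgramData"
    ) | Where-Object { $_ }

    Get-Process | ForEach-Object {
        $p = $_
        $path = $null
        try { $path = $p.Path } catch { }      # protected/system processes deny access
        if (-not $path) { return }              # nothing to check without an image path

        $sig = Get-AuthenticodeSignature -FilePath $path
        $inUserDir = $false
        foreach ($d in $userWritable) {
            if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                $inUserDir = $true; break
            }
        }

        # Report only what deviates from the norm: unsigned image, or image
        # running from somewhere an ordinary user account can write to.
        if ($inUserDir -or $sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{
                Id              = $p.Id
                Name            = $p.ProcessName
                Signature       = $sig.Status
                UserWritableDir = $inUserDir
                Path            = $path
            }
        }
    }
}

Get-SuspectProcess | Sort-Object UserWritableDir -Descending |
    Format-Table Id, Name, Signature, UserWritableDir, Path -AutoSize
```

Read the output with the same caution the thread applies to RKill itself: a process flagged here is a candidate for a helper to look at, and stopping it (as RKill does) only buys the window in which a scanner can run; the cleanup still has to come from the scan or, as jimbo argues, from a restore.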
The RKill solution did the trick! Thank you to everyone who got involved in this issue.
 

Hi there
I keep saying to people -- it is UTTERLY NO POINT in using an INFECTED computer to remove any VIRUS -- how can you be sure that the virus removing software itself hasn't been compromised?

Say you were drilling on an Oil Platform and the drill needed sharpening. You wouldn't use a tool which was already worn out to sharpen / renew the bit, would you?

Same with Virus removal -- why trust an INFECTED computer to work properly.

The ONLY IMO safe solution is a COMPLETE restore from a KNOWN Virus free backup or a total W7 re-install.

If you have data copy that to an external HDD and run a virus check against the data ON A SEPARATE MACHINE.

AV software is just that -- should protect against getting a virus -- once you have one then ONLY a RESTORE or Re-INSTALL can be guaranteed to be 100% safe.

Forget ANY AV removal software -- once you've BEEN infected it's TOO LATE. You need to catch any virus in Real time then you can take proper action.

MSE does a reasonable job at this once you've got your computer working properly again.

Cheers
jimbo
You don't need to revert back to an image every time you get a virus, usually, if the AV finds the virus it will get rid of all of it, and if it doesn't, then you revert back.

Plus, I don't even have Acronis True Image or any other image program, and I've heard that some viruses implant themselves into system restore points sometimes, so restoring may not work.

People don't want to reformat and clean install often, so of course they are going to try and get rid of it first with AV's.
 

My Computer

Computer Manufacturer/Model Number
Asus N61-JV
OS
Windows 7 Home Premium 64-bit
CPU
Intel Core i5 M430
Motherboard
N61Jv
Memory
4.00 GB DDR3
Graphics Card(s)
NVIDIA GT 325M
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
1366x768 Generic PnP Monitor
Hard Drives
Seagate 500 GB 7200 RPM
PSU
....
Case
....
Cooling
....
eduede, please post your malwarebytes' log. We need to do some further checking to determine if your computer is clean.


ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on the button shown (image EOLS2.gif).
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button shown (image EOLS3.gif).
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on the button shown (image EOLS4.gif).
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Please post the ESET log and Malwarebytes' log as part of your next reply (no attachments please).
 

I was waiting for the RKill result....it was not posted. @Carolyn; Oops, sorry there. What I meant was RKill (not ComboFix). Have used ComboFix previously but am not yet quite familiar with it. RKill seems similar to the DDR script at bleepingcomputer.. Think you ought to start a malware removal sub-forum here. You are in fact trained for it. damien
 

I was waiting for the RKill result....it was not posted. @Carolyn; Oops, sorry there. What I meant was RKill (not ComboFix). Have used ComboFix previously but am not yet quite familiar with it. RKill seems similar to the DDR script at bleepingcomputer.. Think you ought to start a malware removal sub-forum here. You are in fact trained for it. damien


Hi there
There's ONLY TWO POSSIBLE CORRECT SOLUTIONS for Malware / Virus removal.

TOTAL OS RE-INSTALL. or

RESTORE SAFE BACKUP IMAGE -VIA A BOOT DISK - DO NOT USE THE INFECTED COMPUTER.

Your A/V software needs to prevent infection in REAL TIME. - After the fact analysis is a bit like "Monday Morning Quarter backing" in American Football. In any case by the time you've completed the analysis the stuff is already out of date as new threats can appear almost hourly. Virus and Malware detection is an ever changing target.


Using an Infected machine to do the virus removal itself is a bit like getting the Fox to guard the Chickens.

Cheers
jimbo
 

Oops again. Sorry Carolyn/Corrine, the previous reply I posted was meant for both of you. Was tired yesterday.

@jimbo;

I was only responding to the inquiry of the OP. Personally, I'd use a system image restore and restore my pc. I'd wipe the hard drive first and restore with MBR but that's just me.

While it seems that the better solution (and the fastest, I presume) is what you suggested, there are some that want to know what hit them or what caused the sudden hiccups that broke his/her pc.

Depends on the individual actually on the course of action to take based on the guide/tips that he is given.

On the Rkill, I was curious as to its nature and performance so I downloaded it and will test it in VirtualBox one of these days. Got curious of "these apps" when I got infected sometime in 2007 or 2008 and the mod at MalwareCrypt guided me to the use of an alike app (don't remember what the name was).

AV + HIPS or additional security app should have stopped it but apparently there was a failure there so OP should be making some adjustments to his set-up.

I hope the OP will post the data here.

Cheers:)
 

Thanks Corrine:)
 
