I have a customer whose computer is infected with Antivirus Live.
I've googled and found many references about it. I've reviewed the
removal instructions at bleepingcomputers.com, downloaded Mbam, rkill,
and combofix, and have printed out the removal instructions.
However, the dang thing won't let me execute any programs... .exe,
.com, .bat or whatever... Normal or Safe Mode. I can't run
taskmgr, regedit, or msconfig.
What must I do to allow me to run the removal programs? I've renamed
them, to no avail.
Your help is appreciated.
Regards,
Buck
Whenever booting to "Safe Mode" fails to prevent malware from running,
the next thing to try is booting from an alternative source.
Some computers can boot from a USB device (BIOS support enabled in the
CMOS Setup). Others from optical drives. Run your antimalware (malware
removal) applications from there. Some OSes provide a bootable recovery
console that can be helpful also.
FromTheRafters,
Thanks for the input. Good suggestion.
Question: Would Mbam or Combofix quash the crapware if I took the HD
out and slaved it to another computer? That is, would the programs
look at the registry, etc. of, and clean up the slave? If so, that
seems to be the best solution for me, as the computer will not boot
to a USB device.
Regards and thanks again for the input.
Buck
| Question: Would Mbam or Combofix quash the crapware if I took the HD
| out and slaved it to another computer? That is, would the programs
| look at the registry, etc. of, and clean up the slave? If so, that
| seems to be the best solution for me, as the computer will not boot
| to a USB device.
| Regards and thanks again for the input.
| Buck
MBAM - yes.
If you boot off the Recovery Console or if you place the drive in a surrogate PC you can
remove the offending EXE files, replace the drive in the affected PC and fully scan with
MBAM and other software such as Gmer.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
If slaving the drive on another computer is easier for you - yes, you
can clean the drive of detectable malware that way.
> That is, would the programs look at the registry, etc. of, and clean
> up the slave?
No, you would still have to clean up the registry after bringing the
'cleaned' drive back to the "victim" computer. Depending on what
method(s) the malware used to defeat the execution of executables, you
may still not be able to run them easily if you boot from the affected
drive.
> If so, that seems to be the best solution for me, as the computer
> will not boot to a USB device.
No bootable CD either? You should suggest strongly to your customer to
remedy this situation (and make backups).
Maybe you could download a 'regfix' file to the victim drive while you
are still hosting the drive on the 'good' computer.
I've had some success with fixing the 'exefile' borked registry by
renaming the 'regfix.reg' (or exefix.reg) file as the malware filename
so that an attempt to run any exe (com,bat, or scr) actually invokes and
imports the regfile. I haven't tried this since I moved from Win98 to XP
though - so it might not work as I remember it.
A lot depends on your level of expertise - good luck.
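The registry side of the slaved-drive approach, as an added example that is not code from any poster in this thread: while the victim's drive is mounted on the surrogate PC, its offline SOFTWARE hive and NTUSER.DAT can be loaded with reg.exe and the .exe file association checked for the "exefile" hijack FromTheRafters describes, with the stock values restored on request. The drive letter D:, the Windows folder location and the profile folder name "Owner" are assumptions to adjust for the actual machine; it is meant to run from an elevated PowerShell prompt on the surrogate.

```powershell
# Added example (not from this thread): audit the .exe file association in an
# OFFLINE Windows installation whose drive has been slaved to a surrogate PC,
# and optionally put the stock values back. Assumptions: the victim drive is
# D:, its Windows folder is D:\Windows, and the user profile is
# D:\Documents and Settings\Owner (XP layout). Run elevated on the surrogate.
param(
    [string]$VictimWindows = 'D:\Windows',
    [string]$VictimNtUser  = 'D:\Documents and Settings\Owner\NTUSER.DAT',
    [switch]$Fix
)

$ErrorActionPreference = 'Stop'
$ExpectedOpen = '"%1" %*'   # stock (default) of exefile\shell\open\command
$ExpectedExt  = 'exefile'   # stock (default) of the .exe key

function Get-DefaultValue([string]$KeyPath) {
    # (default) value of a key, or $null when the key does not exist.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-Association([string]$ClassesRoot, [string]$Label) {
    # Follows .exe -> exefile -> shell\open\command under one Classes root and
    # reports anything that differs from the stock values.
    $findings = @()
    $ext  = Get-DefaultValue "$ClassesRoot\.exe"
    $open = Get-DefaultValue "$ClassesRoot\exefile\shell\open\command"
    if ($null -ne $ext -and $ext -ne $ExpectedExt) {
        $findings += "$Label : .exe maps to '$ext' instead of '$ExpectedExt'"
    }
    if ($null -ne $open -and $open -ne $ExpectedOpen) {
        $findings += "$Label : exefile open command is '$open' instead of '$ExpectedOpen'"
    }
    return $findings
}

function Repair-MachineAssociation([string]$ClassesRoot) {
    # Writes the stock association back into the machine-wide Classes.
    New-Item -Path "$ClassesRoot\.exe" -Force | Out-Null
    Set-ItemProperty -LiteralPath "$ClassesRoot\.exe" -Name '(default)' -Value $ExpectedExt
    New-Item -Path "$ClassesRoot\exefile\shell\open\command" -Force | Out-Null
    Set-ItemProperty -LiteralPath "$ClassesRoot\exefile\shell\open\command" -Name '(default)' -Value $ExpectedOpen
}

function Remove-UserOverride([string]$ClassesRoot) {
    # Per-user .exe/exefile keys override the machine-wide ones; removing them
    # makes the HKLM association apply again for that user.
    foreach ($sub in '.exe', 'exefile') {
        $p = "$ClassesRoot\$sub"
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Recurse -Force }
    }
}

# The PowerShell registry provider cannot load hives, so reg.exe mounts the
# offline hives under temporary names.
reg.exe load HKLM\VictimSOFTWARE "$VictimWindows\System32\config\SOFTWARE" | Out-Null
reg.exe load HKU\VictimUser "$VictimNtUser" | Out-Null
try {
    $machineRoot = 'HKLM:\VictimSOFTWARE\Classes'
    $userRoot    = 'Registry::HKEY_USERS\VictimUser\Software\Classes'

    $all = @()
    $all += @(Test-Association $machineRoot 'machine (HKLM\SOFTWARE\Classes)')
    $all += @(Test-Association $userRoot    'user (HKCU\Software\Classes)')

    if ($all.Count -eq 0) {
        Write-Host 'No hijack of the .exe association found in the offline hives.'
    } else {
        $all | ForEach-Object { Write-Host "FINDING: $_" }
        if ($Fix) {
            Repair-MachineAssociation $machineRoot
            Remove-UserOverride $userRoot
            Write-Host 'Stock association restored; rescan with MBAM after the drive is back in the victim PC.'
        }
    }
} finally {
    # Drop provider handles first, otherwise reg unload reports access denied.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload HKLM\VictimSOFTWARE | Out-Null
    reg.exe unload HKU\VictimUser | Out-Null
}
```

Run it once without -Fix to see what was changed, and only then with -Fix. The audit is deliberately narrow: it answers "will executables launch once the drive is back?" for the exefile path only, so a clean report here does not replace the full MBAM scan Dave recommends after the drive is reinstalled.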
>From: "Buck Rogers" <bu...@rogers.com>
>
>
>| Question: Would Mbam or Combofix quash the crapware if I took the HD
>| out and slaved it to another computer? That is, would the programs
>| look at the registry, etc. of, and clean up the slave? If so, that
>| seems to be the best solution for me, as the computer will not boot
>| to a USB device.
>
>| Regards and thanks again for the input.
>
>| Buck
>
>
>MBAM - yes.
>
>If you boot off the Recovery Console or if you place the drive in a surrogate PC you can
>remove the offending EXE files, replace the drive in the affected PC and fully scan with
>MBAM and other software such as Gmer.
Mr. Lipman,
Thanks for the input. I'll start the slave process this afternoon.
I'll get back with my results.
Regards,
Buck
FromTheRafters,
Thanks for the additional input. I'll start the slave process this
afternoon to see if I can get on top of this thing enough to at least
let me run an executable once I put it back in the original machine.
I'll get back with the results.
Regards,
Buck
| Mr. Lipman,
| Thanks for the input. I'll start the slave process this afternoon.
| I'll get back with my results.
| Regards,
| Buck
Please... Just Dave or David :-)
Hello All,
Just want to update you on my customer's infected computer.
Put the HD in a surrogate machine, deleted the (random)sysguard.exe
files, plus some other junk.
Replaced it in the computer, booted up, ran Mbam, Combofix, installed
Avira and ran a scan. Found a bunch of crap and deleted it.
All seems to be good now.
Thanks for all the help and suggestions.
Regards,
Buck
I am having this same issue. Would LOVE some help if anyone could.
I have this damn Antivirus Live infection. I found step-by-step
instructions on how to remove said virus. Basically it tells me to run
two removal tools, which I have transferred to the infected laptop's
desktop.
Issue is that the computer will not allow me to open any files, giving
me a message that this application cannot be executed because it is a
virus.
I do not have the knowledge to take out the HD and slave it to another
machine. Is there any way I can get this removal tool to open?
My only other option is Best Buy, who said for $200 they would reinstall
Windows and I can start fresh. I don't really want to spend $200; the
computer is only 2 months old and cost me $1100.
Just sucks being able to find a solution but not being able to run the
software to fix the problem. I cannot reinstall Windows myself because my
computer never came with the disks; I was supposed to make them myself and
never got around to it. Smart move on my part.
Any thoughts? Thanks
--
Tiestosteele
------------------------------------------------------------------------
Tiestosteele's Profile: http://forums.techarena.in/members/163919.htm
View this thread: http://forums.techarena.in/security-virus/1279655.htm
"Tiestosteele" <Tiestoste...@DoNotSpam.com> wrote in message
news:Tiestoste...@DoNotSpam.com...
| Hello,
| I am having this same issue, Would LOVE some help if anyone could.
To start...
DROP that POS front-end to Usenet called techarena.in and DIRECTLY access the Microsoft
news groups via the following NEWS URL...
news://msnews.microsoft.com/microsoft.public.security.virus
Then start your OWN thread and we will assist you with YOUR problem.
Ah, perhaps you are unfamiliar with India [if, in fact, this party lives
there or otherwise in the region]... they have computer cafés which, at
times, limit access to various access points and services. Perhaps this
party is using the REQUIRED access to work on a family computer or
otherwise. Others use the newer cell/high speed, though it is costly and
also limited [curious? ask one of them or check the plans..].
Others find these issues via one of the search engines on the
*archival* sites/services and post in the apparent appropriate
thread/discussion.
Another potential reason for usage is the translation... do you
understand and write Hindi?
The point? Perhaps it might be best to lay off harassing and
brow-beating these portal users and deal with their issues... it is a
new world, we should be glad anyone still posts questions here in Usenet
rather than in one of the numerous private forums or like.
>
> news://msnews.microsoft.com/microsoft.public.security.virus
>
> Then start your OWN thread and we will assist you with YOUR problem.
>
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
| On 12/14/2009 04:09 PM, David H. Lipman wrote:
>> From: "Tiestosteele" <Tiestoste...@DoNotSpam.com>
>> | Hello,
>> | I am having this same issue, Would LOVE some help if anyone could.
>> To start...
>> DROP that POS front-end to Usenet called techarena.in and DIRECTLY access the
>> Microsoft
>> news groups via the following NEWS URL...
| Ah, perhaps you are unfamiliar with India [if, in fact, this party lives
| there or otherwise in the region]... they have computer cafés which, at
| times, limit access to various access points and services. Perhaps this
| party is using the REQUIRED access to work on a family computer or
| otherwise. Others use the newer cell/high speed, though it is costly and
| also limited [curious? ask one of them or check the plans..].
| Others find these issues via one of the search engines on the
| *archival* sites/services and post in the apparent appropriate
| thread/discussion.
| Another potential reason for usage is the translation... do you
| understand and write Hindi?
| The point? Perhaps it might be best to lay off harassing and
| brow-beating these portal users and deal with their issues... it is a
| new world, we should be glad anyone still posts questions here in Usenet
| rather than in one of the numerous private forums or like.
Sorry. That's too bad. If they speak or write Hindi, they can contact Quickheal for anti
malware support.
F**K techarena.in and its Usenet gateway !
Well, that's an extreme reaction, which I'm not sure has any basis.
It isn't that these portals are the number one spammer's haven or
anything remotely like that:
http://www.projecthoneypot.org/1_billionth_spam_message_stats.php
Proceed along these lines, taking issue with the method of access, and
the death warrant for the groups is assured.
--
kml_thinktank
------------------------------------------------------------------------
kml_thinktank's Profile: http://forums.techarena.in/members/169331.htm
[...]
Care to provide a URL?
| I found a solution to almost any problem regarding regedit and Task Manager hijacking
| from antivirus scareware. I googled the Antivirus 2010 one day and was looking through
| the results and came to a YouTube result, the only YouTube result actually;
| there I found Florida PC Nerds' walkthrough. In his tutorial he gives you a site to get
| "enable regedit" and "enable Task Manager" programs that run themselves after one click.
| Here's what I do: run rkill.exe to stop and close malware that is active; don't touch the
| alert boxes till you see that rkill has run, then run it one more time for good
| measure (takes like 5 seconds). It will dump extra files onto the desktop; send those to
| the Recycle Bin, manually go into the Recycle Bin and delete them one at a time. Next, run the
| regedit enable tool from the Florida PC Nerds site, or google the YouTube Antivirus
| 2010 video (works for all the like viruses as well), download the enablers and run them both.
| Now you should have control of both again, and now it's time to run Malwarebytes; when
| it's done (might be a while) you should be good to go. I left the enable tools on the
| desktop with rkill and MBAM and SuperAntiSpyware, as well as the Spyware Doctor setup.
| When you get hit again (if), run rkill, then the enablers, then MBAM; whatever else after
| that doesn't matter, 'cause it should be fixed after that. If you leave those on your
| desktop, you can easily fix a hijacked Task Manager and enable regedit again with no
| worries....... Also go into the Windows folder, look for the Prefetch folder and Temp folder and
| wipe the inside of both clean, and empty it all to the trash bin for deletion. Leave the
| folders there but just select everything inside for delete. This is where some viruses
| hide 75% of the time, and 25% of the time it's inside a restore point under HKEY_LOCAL_MACHINE
| in regedit.... -- kml_thinktank
TechArena.in is a leech of Usenet and fakes that it provides forums when they are
actually Usenet news groups and uses the vBulletin USENET gateway. In this case it is a
news group within the Microsoft.* hierarchy and can be directly accessed via the Microsoft
news server; MSNews.Microsoft.Com using a news client via TCP port 119.
Users of TechArena.in are strongly ENCOURAGED to drop the TechArena.in leech of
Usenet and access "this" News Group directly with the following News URL...
news://msnews.microsoft.com/microsoft.public.security.virus
David didn't ask for any URLs, I did. Why do you respond to him?
Thanks for showing me where the 'reg' and 'inf' files you were talking
about could be found.
...still can't find rkill anywhere, but there are killers that ship with
Windows (taskkill.exe for tasks and tskill.exe for terminal services)
Thanks.
"Buck Rogers" wrote:
"David H. Lipman" wrote:
"Buck Rogers" wrote:
>> However, the dang thing won't let me execute any programs........exe,
>> com, bat or whatever.........Normal or Safe Mode. I can't run
>> taskmgr, regedit, or msconfig.
You have to load an OS from a disk, NOT from the hard drive, and then remove
the offending files, which are usually easy to find because the dates are very
recent.
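One way to act on the "dates are very recent" hint while the drive is slaved, added here as an example and not something any poster supplied: list the executables on the victim drive written within the last two weeks, newest first, hash them, and flag the ones sitting in the Temp, Prefetch or profile-data folders the thread mentions or carrying the sysguard.exe name Buck removed. The D: drive letter and the 14-day window are assumptions; the script is read-only and only produces a list to look up before anything is deleted.

```powershell
# Added example (not from this thread): read-only triage of recently written
# executables on a slaved victim drive. Assumes the victim drive is mounted as
# D: on the surrogate PC and PowerShell 4 or later (for Get-FileHash).
param(
    [string]$Root = 'D:\',
    [int]$Days = 14
)

function Get-RecentExecutables([string]$Path, [int]$WindowDays) {
    $since = (Get-Date).AddDays(-$WindowDays)
    # File types the thread reports as blocked or hijacked by the scareware.
    $exts = '*.exe', '*.com', '*.bat', '*.scr', '*.dll'
    # Hiding places called out in the thread, plus the sysguard name Buck found.
    $hotPath = 'Temp|Prefetch|Application Data|AppData|Local Settings'
    $hotName = 'sysguard\.exe$'

    Get-ChildItem -Path $Path -Recurse -Force -File -Include $exts -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $flag = ''
            if (($_.FullName -match $hotPath) -or ($_.Name -match $hotName)) { $flag = 'CHECK' }
            $digest = 'n/a'
            if ($hash) { $digest = $hash.Hash }
            [pscustomobject]@{
                Written = $_.LastWriteTime
                Created = $_.CreationTime
                Bytes   = $_.Length
                Flag    = $flag
                SHA256  = $digest
                Path    = $_.FullName
            }
        }
}

$results = Get-RecentExecutables -Path $Root -WindowDays $Days
$results | Format-Table -AutoSize
# Keep a copy for the customer's record and for looking hashes up later.
$results | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'victim-recent-executables.csv') -NoTypeInformation
```

The CHECK flag is a hint, not a verdict: a freshly installed update also lands in Temp with a recent date, which is why the hash is recorded alongside the path so each candidate can be checked against a vendor or the MBAM scan rather than deleted on sight.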