From: Buck Rogers on 7 Dec 2009 20:35

Hello All,

I have a customer whose computer is infected with Antivirus Live.

I've googled and found many references about it. I've reviewed the removal instructions at bleepingcomputers.com, downloaded Mbam, rkill, and combofix, and have printed out the removal instructions.

However, the dang thing won't let me execute any programs... exe, com, bat or whatever... Normal or Safe Mode. I can't run taskmgr, regedit, or msconfig.

What must I do to allow me to run the removal programs? I've renamed them, to no avail.

Your help is appreciated.

Regards,
Buck
From: "FromTheRafters" erratic on 7 Dec 2009 21:11

"Buck Rogers" <buck(a)rogers.com> wrote in message news:ilarh55n1uq0qi28dlp449kmb13tvuamhq(a)4ax.com...
> Hello All,
>
> I have a customer whose computer is infected with Antivirus Live.
>
> I've googled and found many references about it. I've reviewed the
> removal instructions at bleepingcomputers.com, downloaded Mbam, rkill,
> and combofix, and have printed out the removal instructions.
>
> However, the dang thing won't let me execute any programs... exe,
> com, bat or whatever... Normal or Safe Mode. I can't run
> taskmgr, regedit, or msconfig.
>
> What must I do to allow me to run the removal programs? I've renamed
> them, to no avail.
>
> Your help is appreciated.

Whenever booting to "Safe Mode" fails to prevent malware from running, the next thing to try is booting from an alternative source.

Some computers can boot from a USB device (BIOS support enabled in the CMOS Setup). Others from optical drives. Run your antimalware (malware removal) applications from there. Some OSes provide a bootable recovery console that can be helpful also.
From: Buck Rogers on 7 Dec 2009 22:06

On Mon, 7 Dec 2009 21:11:24 -0500, "FromTheRafters" <erratic @nomail.afraid.org> wrote:
>"Buck Rogers" <buck(a)rogers.com> wrote in message
>news:ilarh55n1uq0qi28dlp449kmb13tvuamhq(a)4ax.com...
>> Hello All,
>>
>> I have a customer whose computer is infected with Antivirus Live.
>>
>> I've googled and found many references about it. I've reviewed the
>> removal instructions at bleepingcomputers.com, downloaded Mbam, rkill,
>> and combofix, and have printed out the removal instructions.
>>
>> However, the dang thing won't let me execute any programs... exe,
>> com, bat or whatever... Normal or Safe Mode. I can't run
>> taskmgr, regedit, or msconfig.
>>
>> What must I do to allow me to run the removal programs? I've renamed
>> them, to no avail.
>>
>> Your help is appreciated.
>
>Whenever booting to "Safe Mode" fails to prevent malware from running,
>the next thing to try is booting from an alternative source.
>
>Some computers can boot from a USB device (BIOS support enabled in the
>CMOS Setup). Others from optical drives. Run your antimalware (malware
>removal) applications from there. Some OSes provide a bootable recovery
>console that can be helpful also.
>

FromTheRafters,

Thanks for the input. Good suggestion.

Question: Would Mbam or Combofix quash the crapware if I took the HD out and slaved it to another computer? That is, would the programs look at the registry, etc. of, and clean up the slave? If so, that seems to be the best solution for me, as the computer will not boot to a USB device.

Regards and thanks again for the input.

Buck
From: David H. Lipman on 8 Dec 2009 06:24

From: "Buck Rogers" <buck(a)rogers.com>

| Question: Would Mbam or Combofix quash the crapware if I took the HD
| out and slaved it to another computer? That is, would the programs
| look at the registry, etc. of, and clean up the slave? If so, that
| seems to be the best solution for me, as the computer will not boot
| to a USB device.
| Regards and thanks again for the input.
| Buck

MBAM - yes.

If you boot off the Recovery Console or if you place the drive in a surrogate PC you can remove the offending EXE files, replace the drive in the affected PC and fully scan with MBAM and other software such as Gmer.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: "FromTheRafters" erratic on 8 Dec 2009 07:40
"Buck Rogers" <buck(a)rogers.com> wrote in message news:4agrh5d6qe546q5idogoibbut79ff70t1f(a)4ax.com...
> On Mon, 7 Dec 2009 21:11:24 -0500, "FromTheRafters" <erratic
> @nomail.afraid.org> wrote:
>
>>"Buck Rogers" <buck(a)rogers.com> wrote in message
>>news:ilarh55n1uq0qi28dlp449kmb13tvuamhq(a)4ax.com...
>>> Hello All,
>>>
>>> I have a customer whose computer is infected with Antivirus Live.
>>>
>>> I've googled and found many references about it. I've reviewed the
>>> removal instructions at bleepingcomputers.com, downloaded Mbam,
>>> rkill, and combofix, and have printed out the removal instructions.
>>>
>>> However, the dang thing won't let me execute any programs... exe,
>>> com, bat or whatever... Normal or Safe Mode. I can't run
>>> taskmgr, regedit, or msconfig.
>>>
>>> What must I do to allow me to run the removal programs? I've
>>> renamed them, to no avail.
>>>
>>> Your help is appreciated.
>>
>>Whenever booting to "Safe Mode" fails to prevent malware from running,
>>the next thing to try is booting from an alternative source.
>>
>>Some computers can boot from a USB device (BIOS support enabled in the
>>CMOS Setup). Others from optical drives. Run your antimalware (malware
>>removal) applications from there. Some OSes provide a bootable
>>recovery console that can be helpful also.
>>
>
> FromTheRafters,
>
> Thanks for the input. Good suggestion.
>
> Question: Would Mbam or Combofix quash the crapware if I took the HD
> out and slaved it to another computer?

If slaving the drive on another computer is easier for you - yes, you can clean the drive of detectable malware that way.

> That is, would the programs look at the registry, etc. of, and clean
> up the slave?

No, you would still have to clean up the registry after bringing the 'cleaned' drive back to the "victim" computer.

Depending on what method(s) the malware used to defeat the execution of executables, you may still not be able to run them easily if you boot from the affected drive.

> If so, that seems to be the best solution for me, as the computer
> will not boot to a USB device.

No bootable CD either? You should suggest strongly to your customer to remedy this situation (and make backups).

Maybe you could download a 'regfix' file to the victim drive while you are still hosting the drive on the 'good' computer. I've had some success with fixing the 'exefile' borked registry by renaming the 'regfix.reg' (or exefix.reg) file as the malware filename so that an attempt to run any exe (com, bat, or scr) actually invokes and imports the regfile. I haven't tried this since I moved from Win98 to XP though - so it might not work as I remember it.

A lot depends on your level of expertise - good luck.
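One way to check, from the surrogate PC, whether the slaved drive's 'exefile' association has been tampered with before deciding on a regfix: an added example, not posted by anyone in this thread. It assumes the slaved drive's Windows folder is E:\Windows (a placeholder) and that the stock handler for HKCR\exefile\shell\open\command is "%1" %*.

```powershell
# Added example, not from the thread: audit the .exe association in the
# SOFTWARE hive of a slaved drive, run on the surrogate PC as administrator.
# Assumptions: the slaved Windows folder is E:\Windows (placeholder) and the
# stock handler for HKCR\exefile\shell\open\command is "%1" %*.
param(
    [string]$SlavedWindows = 'E:\Windows'   # placeholder, adjust to the slaved drive
)

$mountName = 'SlaveSoftware'
$hiveFile  = Join-Path $SlavedWindows 'System32\config\software'

# Mount the offline hive under HKLM so the victim OS never has to boot.
& reg.exe load "HKLM\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hiveFile" }

try {
    # Stock values: .exe maps to the exefile class, which launches the file as-is.
    $checks = @(
        @{ Path = "HKLM:\$mountName\Classes\.exe";                       Expect = 'exefile' },
        @{ Path = "HKLM:\$mountName\Classes\exefile\shell\open\command"; Expect = '"%1" %*' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            # The unnamed default value is exposed as the '(default)' property.
            $value = (Get-ItemProperty -Path $c.Path).'(default)'
        }
        if ($value -eq $c.Expect) {
            Write-Host "OK       $($c.Path) = $value"
        } else {
            Write-Warning "MODIFIED $($c.Path) = '$value' (expected '$($c.Expect)')"
        }
    }
}
finally {
    # Release handles and unload, otherwise the slaved drive cannot be detached cleanly.
    [gc]::Collect()
    & reg.exe unload "HKLM\$mountName" | Out-Null
}
```

A per-user override of the same association lives under Software\Classes in the affected account's NTUSER.DAT, which can be loaded and checked the same way.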