
Can MBAM disinfect files?


13 replies to this topic

#1
QuizMaster

    Regular Member

  • Honorary Members
  • 70 posts
  • Gender:Male
  • Location:Canada
Hello everyone.

I was wondering if MBAM can "heal" files infected with something, or can it only delete the offending file?

Thanks in advance...

Avira AntiVir Personal | COMODO Firewall | Malwarebytes' Anti-Malware | SpywareBlaster | WOT

"There is a saying: yesterday is history, tomorrow is a mystery, but today is a gift. That is why it is called present."


#2
Maniac

    I Love Andriana

  • Experts
  • 10,161 posts
  • Gender:Male
  • Location:Bulgaria, EU
  • Interests:Information security and web development
As far as I know, MBAM may only remove detected threats.

My help is free; however, if you wish to make a small donation to show appreciation and to help me continue the fight against malware, then click here.

#3
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,528 posts
  • Gender:Male
  • Location:Fortville, IN
I don't think it disinfects. Normally when a system file is infected, it's best to restore a backup of that file instead of trying to disinfect it, but I'm not even sure that MBAM does that. Try a forum search, and see what you find.


For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#4
londonlass

    New Member

  • Members
  • 3 posts

GT500, on Feb 4 2009, 06:27 AM, said:

I don't think it disinfects. Normally when a system file is infected, it's best to restore a backup of that file instead of trying to disinfect it, but I'm not even sure that MBAM does that. Try a forum search, and see what you find.
I have noticed a couple of times reference to "restore a backup of that file". How is this done please? I know about System Restore, but are you referring to an individual file?

#5
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,528 posts
  • Gender:Male
  • Location:Fortville, IN

londonlass said:

I have noticed a couple of times reference to "restore a backup of that file". How is this done please? I know about System Restore, but are you referring to an individual file?

The System Restore is one way. There are also backups made when Service Packs are installed that can be restored, but I think ComboFix is the only tool I've seen that will restore them (note that ComboFix is a tool that should only be used under the direction of an expert, and not something to play around with on your own).

I don't see these backups used very often. Maybe exile360, or one of our other volunteers knows more about it.


#6
exile360

    exile

  • Moderators
  • 12,962 posts
  • Gender:Male
If you're talking about a system file that was replaced/modified by malware and MBAM removed it, you can use the Recovery Console to restore it. A good basic tutorial can be found here: How To Restore System Files Using Recovery Console

If a file is removed by MBAM, it does create a backup, and the file can be restored using MBAM's interface. But if the system is unbootable, there would be no way to use MBAM to restore it, because its backups are encrypted, so you wouldn't be able to use an offline disc like Bart's PE/WinPE to do the job. Your only hope in that case would be the Recovery Console or System Restore. In Vista, as long as you have a Vista disc to boot from, you can use System Restore offline; if you're using XP, you'd have to have Microsoft's ERD 2005 (AKA MS D.a.R.T.): MS Diagnostic and Recovery Toolset 30 day Trial, or another tool that works similarly, like Avanquest's Fix-It Utilities, which has the same offline functionality for accessing System Restore points.
Samuel E Lindsey
Product Manager


#7
londonlass

    New Member

  • Members
  • 3 posts

exile360, on Feb 5 2009, 06:41 PM, said:

If you're talking about a system file that was replaced/modified by malware and MBAM removed it, you can use the Recovery Console to restore it. A good basic tutorial can be found here: How To Restore System Files Using Recovery Console

If a file is removed by MBAM, it does create a backup, and the file can be restored using MBAM's interface. But if the system is unbootable, there would be no way to use MBAM to restore it, because its backups are encrypted, so you wouldn't be able to use an offline disc like Bart's PE/WinPE to do the job. Your only hope in that case would be the Recovery Console or System Restore. In Vista, as long as you have a Vista disc to boot from, you can use System Restore offline; if you're using XP, you'd have to have Microsoft's ERD 2005 (AKA MS D.a.R.T.): MS Diagnostic and Recovery Toolset 30 day Trial, or another tool that works similarly, like Avanquest's Fix-It Utilities, which has the same offline functionality for accessing System Restore points.

Thanks for all of this information. I only downloaded Malwarebytes yesterday, so I am not sure what to do with it and am learning from the forum. I have only done two scans so far with MBAM and am still trying to figure out what to do with the results. I had a message of one virus, which I believe was a tracking cookie. I could not get MBAM to remove this into the quarantine file and did not know whether it was safe to delete it, so I ran Spybot Search and Destroy and CCleaner, then another scan with MBAM, and that scan was clear, so I believe that I have removed the file. As you can see, I am not sure how to use the programme.


#8
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Hello and Welcome to Malwarebytes.org

If you're having malware-related issues with your computer that you're unable to resolve:
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours, then please go ahead and post a request for review.
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#9
exile360

    exile

  • Moderators
  • 12,962 posts
  • Gender:Male
I'll give you an example of how MBAM works. I was testing some malware in my VM (Virtual Machine), and the infection was infecting all the executable files on the system with a worm. I scanned with Malwarebytes' and it picked up and removed the source of the infection, but didn't detect or delete the infected EXEs (a good thing, as the system wouldn't function without them). I did a scan with Kaspersky and it disinfected the infected EXEs without deleting them. Based on the types of threats and the use of Malwarebytes', this makes perfect sense, as file infectors by definition are classic "viruses" and should be caught/removed by any antivirus worth its salt. In case you were wondering, the trojan that was the source of the infection was detected and removed by MBAM while Kaspersky missed it. A prime example of Malwarebytes' doing its job to fill in the gaps of what antivirus software misses.

Another note: Often with system files a backup can be recovered by using the SFC tool in Windows. Instructions on the usage of SFC can be found here: System File Checker How To's

#10
Raid

    Malware Researcher

  • Experts
  • 1,549 posts
  • Gender:Male
  • Location:United States

QuizMaster, on Feb 3 2009, 06:31 PM, said:

Hello everyone.

I was wondering if MBAM can "heal" files infected with something, or can it only delete the offending file?

Thanks in advance...

The present version does not have the ability to try to heal anything, no. At this time, MBAM's only option is to delete the offending file and replace it with a known clean copy. At this time, we don't do any of the replacing; that's up to you. Various individuals have already posted methods that can be used to restore various specific files.

If you have any other questions, you are certainly welcome to ask anytime! One of us will be happy to assist you in any way we can.

#11
DaChew

    Elite Member

  • Experts
  • 591 posts

GT500 said:

I don't see these backups used very often. Maybe exile360, or one of our other volunteers knows more about it.

My favorite tool is running the Windows XP CD as a repair disk.

http://www.michaelst...pairinstall.htm

Now that SP3 has finally been released


http://www.winsupers..._slipstream.asp

These techniques are fairly simple and user friendly.

Yoda said "Do or do not. There is no try."
Regards
Chewy the wild wookie

#12
exile360

    exile

  • Moderators
  • 12,962 posts
  • Gender:Male
Thanks for adding that, Chewy. I usually neglect this method myself due to all these darn "recovery discs" the OEMs like to ship now instead of real OS installation CDs, but it's great when possible.

I keep the extracted i386 folder from the standalone SP3 on a flash drive for use with SFC. Too bad that method doesn't work with Vista (it just extracts an installer and a bunch of .cab files).

#13
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Hey Ex, you may want to have those on a CD-R instead of a flash drive. As you know, there is malware out there that attacks flash drives on purpose.

#14
exile360

    exile

  • Moderators
  • 12,962 posts
  • Gender:Male
I know, but the one I'm using is a U3 drive (I formatted the CD partition, which is a read-only .iso) and I put the files on there.