I wanted to post my recent experience with Malwarebytes and offer a couple of suggestions.
I just got through cleaning a very nasty virus off my PC. It all started when I got a bogus icon in my systray, a bogus pop-up that said my computer was infected, followed by a blue screen seconds later. After rebooting my search engine results were all redirected to spam sites. Anything that appeared to be a virus scanner, including Malwarebytes, would close immediately upon beginning a scan. The EXE that was maliciously closed was changed to “SYSTEM” as the owner and marked as unreadable and unexecutable. In the end I found that this thing has a bogus device driver to reinstall itself, and in case you find that, a Windows Scheduled Task to do the same, but the task name is a GUID so it doesn’t show up in the Windows Task Scheduler interface. It’s the nastiest thing I’ve ever seen.
Knowing very little about dealing with this “Rootkit” problem, I decided my best approach would be to run Malwarebytes from an XP boot CD. This is where I lost my entire day. I tried for a while with the Mini XP on Hiren’s Boot CD, and finally gave up on that as nothing I tried seemed to improve anything. I went to the trouble of building a full disc using “Ultimate Boot CD for Windows”, but even that took me a few hours to customize with all the required DLLs and SYS files, plus figure out how to regsvr32 the necessary DLLs once I was booted up. The real frustration with this exercise is that Malwarebytes doesn't give a descriptive error message when something is missing; it just reports codes like 50003 and 732,0.
Once I finally got it running it was a dream. Malwarebytes found the problem components and was able to remove them. I had to do a “SFC /SCANNOW” from Safe mode to get Vista to let me log in again which took me a while to figure out, and there was a little manual clean-up to do after the fact, but I figure this stuff is par for the course. So as for my suggestions:
What would be really helpful is if there was a known documented procedure to build a boot CD/DVD that would contain a Windows configuration sufficient to run Malwarebytes and see NTFS partitions. While perhaps not the most elegant way to deal with the problem, I find it simpler and more comforting to detach myself from the virus and do a scan from a known safe boot-up. I’d have saved 80% of the time it took me to remove this nasty virus had I not run into the difficulty I did getting Malwarebytes to run from a Boot CD.
So building on that idea, it would have been handier if Malwarebytes could scan a registry that isn’t the currently active registry. Using my approach, I was able to get Malwarebytes to remove the offending files, at which point the registry entries were rendered useless. I was then able to boot off my hard disc into safe mode and run Malwarebytes again to clean the registry. I’m worried this won’t always be possible if these viruses keep getting more sophisticated.
My only other suggestion is that there should be a way to permanently disable the IP Protection, but I see from the other forum posts that this is already being addressed, so other than adding my vote for this feature I’ll leave it at that.
In closing I do want to emphasize that I was so pleased with Malwarebytes performance that after I calmed down and rested my eyes after a grueling full day of fighting to rid myself of this virus, I happily purchased the full version. My suggestions would just make the tool that much handier to use. Thank you for an excellent piece of work in Malwarebytes Anti-Malware!
#1
Posted 01 September 2009 - 12:03 AM
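The two persistence tricks described in the post above, a scheduled task whose name is a bare GUID and a scanner EXE whose owner was flipped and locked down with Deny permissions, can both be checked for from an elevated PowerShell prompt. This is an added example, not code from the post or from Malwarebytes; it assumes a Vista/7-era machine where task definitions live as XML files under the System32\Tasks folder, and the mbam.exe path is an assumption.

```powershell
# Added example (not from the forum post): hunt for the two persistence artefacts the post describes,
# (a) scheduled tasks whose names are bare GUIDs, stored as XML files under the Tasks folder, and
# (b) a scanner executable whose owner was changed to SYSTEM and that now carries Deny ACEs.
# Assumes Windows Vista/7 or later, PowerShell 2.0+, and an elevated prompt (the Tasks folder is ACL'd).
param(
    [string]$TaskRoot   = "$env:SystemRoot\System32\Tasks",
    [string]$ScannerExe = "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"   # assumed install path
)

# A task file named only by a GUID (with or without braces) is worth a second look: it is
# easy to overlook in the Task Scheduler UI, which is exactly what the post describes.
$guidPattern = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'

Write-Host "== Scheduled tasks with GUID names under $TaskRoot =="
Get-ChildItem -Path $TaskRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $guidPattern } |
    ForEach-Object {
        # The task XML keeps the launched command in <Command>; PowerShell's dotted XML
        # navigation ignores the Task Scheduler namespace, so this path works as written.
        [xml]$xml = Get-Content -Path $_.FullName -ErrorAction SilentlyContinue
        $cmd = $xml.Task.Actions.Exec.Command
        Write-Host ("{0}`n    runs: {1}" -f $_.FullName, $cmd)
    }

Write-Host "== Owner and Deny entries on $ScannerExe =="
if (Test-Path -Path $ScannerExe) {
    $acl = Get-Acl -Path $ScannerExe
    Write-Host ("owner: {0}" -f $acl.Owner)       # the post saw this change to SYSTEM
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($deny) {
        Write-Host "Deny entries present (matches the post's unreadable/unexecutable symptom):"
        $deny | ForEach-Object {
            Write-Host ("    {0} denied {1}" -f $_.IdentityReference, $_.FileSystemRights)
        }
    } else {
        Write-Host "no Deny entries"
    }
} else {
    Write-Host "scanner not found at that path (adjust -ScannerExe)"
}
```

Running this from a clean boot environment against the infected volume needs the paths pointed at that volume's Windows folder; the findings are for review, since removal of the driver and task still belongs to a proper cleanup.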
#2
Posted 01 September 2009 - 12:24 AM
Thank you for your feedback and we're happy it worked out well for you. In the future though you may want to visit here and seek assistance with such infections as we have people here that can probably help you get rid of any infection much easier than the method you went through.
Thank you for your purchase as well.
#3
Posted 01 September 2009 - 03:48 PM
Whenever I encounter a PC that has an infection that won't let Malwarebytes run I just rename mbam.exe to freeme.exe and it runs and cleans the machine 99% of the time.
#4
Posted 01 September 2009 - 11:27 PM
deathtospyware, on Sep 1 2009, 04:48 PM, said:
Whenever I encounter a PC that has an infection that won't let Malwarebytes run I just rename mbam.exe to freeme.exe and it runs and cleans the machine 99% of the time.
The latest TDSS virus is too smart for that, I tried it. It used some alternate method other than the file name to identify Malwarebytes, killing the process and marking the file as unexecutable.
Be wary of this latest threat, it's a nasty one!
#5
Posted 22 October 2009 - 11:39 PM
timekiller, on Sep 1 2009, 11:27 PM, said:
The latest TDSS virus is too smart for that, I tried it. It used some alternate method other than the file name to identify Malwarebytes, killing the process and marking the file as unexecutable.
Be wary of this latest threat, it's a nasty one!
Hello, I think I have the same virus, as every application I run the virus seems to shut down and stop from running again; renaming the exe file does nothing at all.
How can I resolve this? Malwarebytes usually does the job but I'm at a loss now, please help.
#6
Posted 22 October 2009 - 11:47 PM
Timekiller, what was the name of the rogue that infected your computer? Was it Security Tool or Home Antivirus 2010 or something similar? I'm just interested because I like to play around with rogue installers and try to fix them.
#7
Posted 22 October 2009 - 11:57 PM
Scan and post logs - read note at bottom in green
If you're having Malware related issues with your computer that you're unable to resolve.
- Please read and follow the instructions provided here: I'm infected - What do I do now?
- If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
- When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
- Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
- Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
- Using these other tools often makes the cleanup task more difficult and time consuming.
- If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
- Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
- There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
- NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.