
Malwarebytes

Scan XP disk not booted from?


7 replies to this topic

#1
BostonDriver

    New Member

  • Members
  • 6 posts
Hi,

Is it possible to have Malwarebytes Anti-Malware scan a disk other than the one which I boot from?

I have an infected disk which I could remove and put into another system. Is it possible to scan this disk, the registry etc. for infections?

If so, can someone point me to a guide on how to do it?

Thanks

#2
Jacktivity

    True Member

  • Moderators
  • 346 posts
Hi BostonDriver, and Welcome to Malwarebytes.org

If you are unable to run MBAM on an infected drive, we do have some additional steps you can try:

Procedures to help resolve issues preventing MBAM from running

To answer your question, you could slave the infected drive to a clean machine which already has MBAM installed and then run a full scan on the infected drive. When you select perform a full scan and then press scan, it opens a dialog box where you can select which drives to scan. I'm afraid, though, that this type of scan is likely to be ineffective, due to the nature of the way MBAM works. It is not a typical file scanner like an AV, nor will it open and scan the remote registry. The infections on the remote drive will not be live at that point. MBAM works best on live infections. See this post for more information on full scan vs quick scan. You would be better suited with a full AV scan instead. Many of the AV companies, including Avira, provide free bootable ISO images for this purpose.

Jack Lewis
Corporate Support Engineer


#3
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,528 posts
  • Gender:Male
  • Location:Fortville, IN

Jacktivity said:

To answer your question, you could slave the infected drive to a clean machine which already has MBAM installed and then run a full scan on the infected drive. ...

Be careful doing this though. System File Protection will not be in place for a drive that you are not booted from, and there is a greater chance for false positives, as well as a greater chance of false negatives (aka. malware that the scan missed).

If you prefer to do this on your own, then I recommend using a bootable CD to disinfect the machine, and then see if it cleaned it up enough to run MBAM. I usually recommend the Avira AntiVir Rescue System.


For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#4
BostonDriver

    New Member

  • Members
  • 6 posts
Thanks to you both.

I knew that a full scan gave the ability to look at the selected drives. As you suspected, my goal is to look at the e.g. registry of that drive however.

Right now mbam.exe was removed from the system by the virus. I'll take a look at Avira to see if I can get to the point where mbam can at least run.

I'll try renaming mbam.exe (from a working system) to something else first, then run it. I read that has worked for others.

#5
BostonDriver

    New Member

  • Members
  • 6 posts

BostonDriver, on Oct 12 2009, 04:54 PM, said:

I'll try renaming mbam.exe (from a working system) to something else first, then run it. I read that has worked for others.

Renaming mbam-setup.exe didn't help. However, renaming mbam.exe did. It found 7 objects pretty much off the bat. Scan is still running.

McAfee (which ran while I went to work for the day) found 6 trojans; 5 were quarantined and the 6th was set for "scan after restart".

I've burned the Avira CD, and have an (~6 month) old ubcd4win handy as well, just in case.

#6
BostonDriver

    New Member

  • Members
  • 6 posts

Jacktivity, on Oct 12 2009, 03:24 PM, said:


As the mbam scan continues, McAfee is starting to report the same trojans, none look like the above. The prefix in each name is "Artems".

I bore you with this only since I didn't see "Artems" in the list above. FYI only.

If the scan doesn't get them all, I'll move to a more proper area of the forum to ask for help.

#7
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,528 posts
  • Gender:Male
  • Location:Fortville, IN

BostonDriver said:

I bore you with this only since I didn't see "Artems" in the list above. FYI only.

I think when McAfee lists 'Artems' in the name of the detection, that means the signature came from Artemis, which I would believe is McAfee's new heuristics engine.


#8
BostonDriver

    New Member

  • Members
  • 6 posts

GT500, on Oct 13 2009, 12:58 PM, said:

I think when McAfee lists 'Artems' in the name of the detection, that means the signature came from Artemis, which I would believe is McAfee's new heuristics engine.

Thanks.

Given that my original question on what mbam can do re non-booted disk has been answered, I've moved to this thread in the Malware Removal - HijackThis Logs section to discuss my problem(s).




