What do you do when a virus is blocking all the antivirus programs in safe mode?

bagellad

Had a Protection System infected Windows XP machine today and was trying to get Malwarebytes on; I renamed the exe but it didn't help. It kept blocking the install from loading. Eventually I ran ComboFix which cleared her up (new version is out btw). But I was wondering if there was a better way around this.

Also, I did close all the startups that I thought looked suspicious.
 
Take out the hard drive, mount it on a Linux-based PC and manually delete the virus entries. That's what I usually do... although our experienced members here probably have a much easier way of doing this.
 
Nope, that's pretty much what I do as well. Slave it to my workbench PC and have at it with any number of antivirus tools until I either fix it or wipe it and do a clean reinstall.
 
Why don't you try the EICAR test on your anti-virus program without the hard drive plugged in to see if it's your system. I doubt some Russian hacker is going to go to the extent of creating a virus that affects both Windows and Linux.
 
Had a Protection System infected Windows XP machine today and was trying to get Malwarebytes on; I renamed the exe but it didn't help. It kept blocking the install from loading. Eventually I ran ComboFix which cleared her up (new version is out btw). But I was wondering if there was a better way around this.

Also, I did close all the startups that I thought looked suspicious.

A recent batch of viruses are now killing off antivirus/antimalware programs AFTER they have started and only once they get to a certain point.

A program like GMER or SYSPROT will help find them.

Like I said before, we are in a whole new world of viruses now. You really need to reinvent your virus cleaning methods or you will end up like some others who have to resort to nuke and pave for everything.
 
Damn Russians. (I can say that because I'm part Russian. I still feel racist for saying it though :P)

But seriously, this is news to me. I've stumbled onto some really nasty viruses that do that. But nothing my Linux partition + manual file deleting couldn't handle so far. And if I did ever bump into something like that I would try to figure out a way to deny anything from running off of anything OTHER than my primary hard drive. Also, thanks for the programs; these will help me in the future. All this talk about super-viruses has got me worried now.
 
Damn Russians. (I can say that because I'm part Russian. I still feel racist for saying it though :P)

But seriously, this is news to me. I've stumbled onto some really nasty viruses that do that. But nothing my Linux partition + manual file deleting couldn't handle so far. And if I did ever bump into something like that I would try to figure out a way to deny anything from running off of anything OTHER than my primary hard drive. Also, thanks for the programs; these will help me in the future. All this talk about super-viruses has got me worried now.

Well it really is mostly coming out of Russia. Virus/Rootkit creation seems to be a valid industry in that country.

As to super-viruses, think about this: the worse they get, the less chance that "Joe SixPack" will be able to fix it themselves. If you are "THE GUY" to go to on these kinds of viruses, and don't need to do a nuke and pave, you stand to make nice money as most of the other lesser techs will not have your skills.
 
While that's true, this is sort of like the doctor dilemma. Doctors live off of other people's sickness. (S)he is waiting for people to get sick so that (s)he can make money. The same goes for pharmaceuticals.

It's almost as if we should be rooting for the viruses, even though they are completely destroying people's computers along with their precious data by the millions. I wouldn't be surprised if Best Buy, as well as other big PC tech companies, actually had connections to the people who create viruses in order to make an extra buck. I sure as hell would think it's quite possible at the very least.
 
Take out the hard drive, mount it on a Linux-based PC and manually delete the virus entries. That's what I usually do... although our experienced members here probably have a much easier way of doing this.
It's much easier & quicker to boot from an external boot environment such as Ultimate Boot CD for Windows. From there you can edit startup entries, registry entries and copy over system files directly from the boot CD if need be. Of course if you want to use Linux then you can also similarly use a Linux Live CD for much the same procedure.

Plugging an infected hard disk into your own system will risk getting your own system infected; CDs are read-only so you keep the virus code contained.
 
Avira do an AV boot disk which they update regularly. Seems to work pretty well for some of these situations.
Dr.Web is also very good, I used it once to remove a Virut infection, but overall I still prefer the preboot environment as mentioned above. I like to see what's happened, not just entrust it to scanning software.
 
To me the options are:

1. Boot CD with current AV scan definitions and engine
2. Boot to a working system with working and up-to-date AV, with the infected drive slaved
3. Run specific utilities designed for this type of situation/infection
4. Nuke & Pave

These are in my order of preference, but only #4 should always be your last option; for the others you can take your pick of whichever you prefer.
 
To me the options are:

1. Boot CD with current AV scan definitions and engine
2. Boot to a working system with working and up-to-date AV, with the infected drive slaved
3. Run specific utilities designed for this type of situation/infection
4. Nuke & Pave

These are in my order of preference, but only #4 should always be your last option; for the others you can take your pick of whichever you prefer.

100% correct.

Boot CD, Windows PE environment preferred with registry tools. Linux CD will work.
 
Now once you've got in with the boot CD, would you be able to run a program like Malwarebytes to help remove the stuff? Or would you need to look the infection up manually and remove it? For instance I looked up the info for Protection System, but they seemed to have moved some of the files and registry entries when I looked for it in the registry.
 
To me the options are


There are further options, some of which are more cumbersome. But they may be worth considering when you don't have the other tools available for some reason, or they just don't work.

I think a good tech needs to be able to wrest control of the computer from any program, including malware. Then she can attack new variants before AV tools are released.

Two ways to try this are:

To boot from an alternative OS, either by installing a second copy of Windows or using some form of boot media, and to perform a manual SR by substituting older hives. In principle you can kill anything this way by going back to the original install hive set.

To use the CLI to reboot to a minimal driver set, which will not include the virus.

Edit

The problem with running scanners on a slaved drive is that many malware 'apps?' can be present but not active. They are only active on a boot drive.
 
studiot:

There are ways besides N&P but often much more time consuming with less certainty that you got the nasties.

I agree slaved is not best, but I believe it should be tried before N&P; after all, that is just plug up and scan, you don't have to actively watch it.

I avoid SR-related fixes often because I have yet to get one fixed, as every time I clean the virus I have a whole new set of issues, but I guess it is worth trying before N&P.
 
Now once you've got in with the boot CD, would you be able to run a program like Malwarebytes to help remove the stuff? Or would you need to look the infection up manually and remove it? For instance I looked up the info for Protection System, but they seemed to have moved some of the files and registry entries when I looked for it in the registry.

Boot and use Avira from the UBCD4Win CD, update and scan, then reboot, install a renamed Malwarebytes, scan, and if clean run SFC. Malwarebytes works best if run in normal mode. If still a mess use GMER or other rootkit fixes.
 
@ell

if clean run sfc

Talking of time, how long does it take to run SFC?

What do you do about files that may have been updated (e.g. in service packs) since the original installation?

Do you attend the scan, as it pauses every time it wants to ask a question?

@Blues,
A manual system restore, back say 1 month before the owner gained the problem virus, should take more than 5 minutes.
After this you should be able to boot to a system that can be cleaned by the latest version of a database-based scanner in the normal way. This is because the reversion removes the calling links from the registry.
If you like you can then even promote the system forwards again, as the files called are now gone so the links will fail and can themselves be cleaned.
I don't usually do this second SR, just tell the customer he will have to reinstall any programs he installed in the last month, or I can do it for an extra fee.

You didn't comment on the CLI method, which enables the repair to be carried out on a restricted version of the original machine, through media-based cleaners.
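The manual SR that studiot describes here and in the earlier post (substituting older registry hives from a restore point) depends on finding a restore point that predates the infection and still has a full hive snapshot. This added helper is not from the thread or any tool named in it; it assumes the infected XP volume is mounted read-only at some path (the mount root you pass in) and that restore points use the standard XP layout of `System Volume Information\_restore{GUID}\RP###\snapshot\_REGISTRY_*` files, which map to the live hives under `System32\Config` as documented in Microsoft KB 307545. It only lists candidates; the copy back into Config is the manual step the post describes. The function names and the constructed sample volume are my own.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
# Snapshot file -> live hive under %SystemRoot%\System32\Config (MS KB 307545 layout).
HIVE_MAP = {
    "_REGISTRY_MACHINE_SOFTWARE": "software",
    "_REGISTRY_MACHINE_SYSTEM": "system",
    "_REGISTRY_MACHINE_SAM": "sam",
    "_REGISTRY_MACHINE_SECURITY": "security",
    "_REGISTRY_USER_.DEFAULT": "default",
}

def find_restore_points(mount_root):
    """List (rp_name, rp_time, snapshot_dir) for every restore point, oldest first."""
    svi = Path(mount_root) / "System Volume Information"
    points = []
    for snap in svi.glob("_restore*/RP*/snapshot"):
        when = datetime.fromtimestamp(snap.parent.stat().st_mtime)
        points.append((snap.parent.name, when, snap))
    return sorted(points, key=lambda p: p[1])

def pick_hive_set(mount_root, min_age_days):
    """Newest RP at least min_age_days old holding all five hives: (name, {path: hive}) or None."""
    cutoff = datetime.now() - timedelta(days=min_age_days)
    chosen = None
    for name, when, snap in find_restore_points(mount_root):
        if when > cutoff:
            break                                   # sorted: nothing later qualifies
        files = {snap / f: hive for f, hive in HIVE_MAP.items()}
        if all(p.is_file() for p in files):         # skip partial snapshots
            chosen = (name, {str(p): hive for p, hive in files.items()})
    return chosen

def make_constructed_volume():
    """Constructed stand-in for a mounted XP volume: RP1 40 days old (complete),
    RP2 20 days old (SAM snapshot missing), RP3 2 days old (complete)."""
    root = Path(tempfile.mkdtemp())
    base = root / "System Volume Information" / "_restore{CONSTRUCTED-GUID}"
    now = datetime.now()
    for rp, age, missing in (("RP1", 40, None), ("RP2", 20, "_REGISTRY_MACHINE_SAM"), ("RP3", 2, None)):
        snap = base / rp / "snapshot"
        snap.mkdir(parents=True)
        for f in HIVE_MAP:
            if f != missing:
                (snap / f).write_bytes(b"regf")     # placeholder, not a real hive
        stamp = (now - timedelta(days=age)).timestamp()
        os.utime(snap.parent, (stamp, stamp))       # backdate the RP folder
    return root
```

With a real volume, `pick_hive_set("/mnt/infected", 30)` returns the newest complete snapshot at least a month old, which is the "1 month before" set the post suggests rolling back to.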
 
@ell



Talking of time, how long does it take to run SFC?

What do you do about files that may have been updated (e.g. in service packs) since the original installation?

Do you attend the scan, as it pauses every time it wants to ask a question?

@Blues,
A manual system restore, back say 1 month before the owner gained the problem virus, should take more than 5 minutes.
After this you should be able to boot to a system that can be cleaned by the latest version of a database-based scanner in the normal way. This is because the reversion removes the calling links from the registry.
If you like you can then even promote the system forwards again, as the files called are now gone so the links will fail and can themselves be cleaned.
I don't usually do this, just tell the customer he will have to reinstall any programs he installed in the last month, or I can do it for an extra fee.

You didn't comment on the CLI method, which enables the repair to be carried out on a restricted version of the original machine, through media-based cleaners.

I run SFC in case the removals screwed with Windows; just put your Windows CD in first, then it won't stop. I'm not sure how long it takes because I usually go off on something else, maybe 30-45 minutes.
 