Malware that kills AM scanners

Discussion in 'other anti-malware software' started by Victek, Jan 18, 2009.

Thread Status:
Not open for further replies.
  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    Lately, when cleaning up computers I've been coming across a new type of malware that either kills the installation or prevents anti-malware scanners from running. Specifically, I like to use MBAM and SuperAntiSpyware for the heavy lifting and both of these programs have been rendered useless. Even if I can get them installed they will not run in either normal mode or SAFE mode. I've tried renaming the executables, but this doesn't help. Any thoughts about how to deal with this? So far I've just moved on to Plan B, which is save the data and format the drive, but if there's a methodology to beat these bugs I'd like to know about it.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    No, there is not, 'cause malware writers are very complicated, always coming with something new to attack antivirus/antispyware/antimalware. o_O The best solution: save data and format fresh from scratch, and start thinking that prevention is better than the cure. ;)
    note: sorry if I was rude :)
     
    Last edited: Jan 18, 2009
  3. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    I clean a lot of infected PCs and rarely have to reinstall an OS from scratch.

    Typically when TDSServ, Seneka, and other nasty malware blocks MBAM, SAS, Combofix, and other reputable tools from running I whip out the good Dr. (Web). After the Dr. removes some infections I'll "show hidden devices" in the device mgr. and disable/uninstall rogue drivers. Afterwards the aforementioned tools will typically start working properly. The Avira rescue CD also works well, however be sure to download a fresh copy before using it.
     
  4. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    My own preferred method is to boot from a BartPE CD (Ubcd4Win). This gives you an environment from which to run the included AM tools (Avira, Kaspersky, SAS, A2, Dr Web...) that is isolated from the infected system. It's a very effective method of removing deeply embedded malware and the only reliable way to remove rootkits without a reinstallation.
     
  5. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    I have made a rule in SSM that protects all my security software from termination.
     
  6. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Sorry if this is a dumb question, but is there an easy or straightforward way to know which drivers are rogue? Or do you just look at all of them and view their system properties to make a decision? I'm thinking a typical PC might have several dozen drivers, and the average user probably wouldn't have the foggiest which were valid or not.
    (Actually, the average user perhaps wouldn't even know what a driver is...)
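    The question above asks how to tell a rogue driver from a legitimate one among the dozens a PC loads. The script below is an added example, not a post from this thread and not part of any tool mentioned here. It lists the kernel drivers the running system reports, checks each driver file's Authenticode signature, and flags anything unsigned, missing on disk, or signed by a publisher outside a trusted list. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) run from an elevated prompt; the function names and the trusted-signer list are the example's own choices.

```powershell
# Added example: triage loaded kernel drivers by signature and signer.
# Assumes Windows PowerShell 3.0+ and an elevated (Administrator) session.
# Caveat: a kernel rootkit can hide from on-system queries, so an empty
# result means "nothing visible", not "nothing present"; cross-check with an
# offline scan from a boot CD, as the thread recommends.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName
    # Driver service paths arrive in NT-style forms; normalise to a Win32 path.
    $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\system32\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"  # system32\drivers\...
    return $p
}

function Get-DriverTriage {
    # Signers treated as trusted; adjust for vendors you expect on the machine.
    param([string[]]$TrustedSigners = @('Microsoft Windows', 'Microsoft Corporation'))

    Get-CimInstance Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' } |
      ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $status = 'FileMissing'   # a running driver with no file on disk is itself suspicious
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()        # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $trusted = $false
        if ($status -eq 'Valid' -and $signer) {
            foreach ($t in $TrustedSigners) {
                if ($signer -like "*CN=$t*") { $trusted = $true }
            }
        }
        [pscustomobject]@{
            Name      = $_.Name
            Display   = $_.DisplayName
            StartMode = $_.StartMode
            Path      = $path
            Signature = $status
            Signer    = $signer
            Suspect   = -not $trusted
        }
      }
}

# Show the drivers worth a closer look first: unsigned, missing on disk,
# or signed by a publisher that is not on the trusted list.
Get-DriverTriage | Where-Object Suspect | Sort-Object Signature, Name |
    Format-Table Name, StartMode, Signature, Signer, Path -AutoSize
```

Two things to keep in mind when reading the output. On older Windows versions many in-box Microsoft drivers are catalog-signed rather than embedded-signed, so they can show as NotSigned here even though they are legitimate; a file in a standard location with a plausible name that the Windows File Checker (sigverif) accepts is a different case from a randomly named file in the system32\drivers folder with no signature at all. And because the query runs on the infected system, a driver that hides itself will simply not appear, which is exactly why the posts above favour scanning from a clean boot environment.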
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    I've been using a BartPE rescue disk for data recovery, but not for disinfection. I have UBCD4Win and need to experiment with it to see if it will be a good "field" tool. I'm often under tight time constraints which is not optimal for malware cleaning. Sometimes it's faster to just grab the data and wipe the system. But when I can take the system home and not worry about how long the scans take I like to give cleaning a chance. There is some small satisfaction in beating malware :)
     
  8. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I know what you mean there, time is always an issue. I learned a long time ago that while cleaning a system of malware is personally satisfying it's not always the best use of available time. As for UBCD4Win, if I was only allowed one tool for repairing systems it'd be that one for sure, indispensable to me. There's so much more to it than just malware scanners, it comes with a load of very useful stuff. ;)
     
  9. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    I really would like to know if Prevx Edge would be strong enough. Maybe their support would give you a one-week license to try...
     
  10. Max Zorin

    Max Zorin Former Poster

    Joined:
    Nov 3, 2008
    Posts:
    103
    It's my experience that they are very helpful. They are active here in Wilders - drop them a message and I'm sure they will oblige.
     
  11. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    TDSServ rootkit probably; I had several infections with this malware lately.

    Just download SDFIX, unpack it and copy it to the C drive by using a Linux live CD, then boot into safe mode. It usually does not load the GUI, however you can get Task Manager by pressing Ctrl-Alt-Del; go to File, New Task and run RunThis.bat. It will start SDFIX and after that you can run SAS or CounterSpy, these 2 remove this rootkit easily.
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Victek123

    Then, reading your posts, ubcd4win would serve you well with the SAS plug-in. There are others, but how about building and personalising your own live CD?

    Talking about malware that kills, there was one around when SAS was taking off (cannot recall the name atm) that prevented SAS and others from updating, killed off AV and then put the relevant dummy icon in the notification area - very annoying :)
     
  13. tawd1992

    tawd1992 Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    43
    I'm done playing games trying to get anti-malware programs to run. Seems like most of the heavily infected PCs I work on all disable downloading/installing any of the popular anti-malware programs. I just boot from UBCD4WIN & run Superantispyware & Antivir.

    The Avira Rescue CD as previously mentioned is very good & the Kaspersky Rescue CD is another good tool to have. The Kaspersky Rescue CD is updatable also.
     