Author Topic: Work-around when MBAM does not start due to a rootkit....  (Read 10758 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Work-around when MBAM does not start due to a rootkit....
« on: December 24, 2009, 07:45:24 PM »
Hi malware fighters,

If you have the above situation, you are in a predicament. It is not good when we have to depend only on one program to eliminate for instance Combo-script, and if that is retracted?
Some of these infections will as you mentioned not allow you to run MBAM. However, renaming MBAM usually will resolve that issue.

If you're still having issues even after renaming it, then I have had success with the following method:

NOTE: You need a clean machine to perform the following task. Download, install, and update Malwarebytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe

1. Create a folder on your desktop called Fix and put the mbam-setup.exe file in there
2. Open notepad and copy the following text into it exactly as written, then save the file as prep.bat in the Fix folder (make sure you select the drop-down box when saving the file that says "Save as type" and select "All Files"):
Code:
copy "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "%cd%"
ren "%cd%\mbam-setup.exe" 12setup.exe
3. Double click the prep.bat file you just created, the setup file should now be renamed and you should now have a file called rules.ref in the folder with it.
4. Create another batch file called install.bat and save it in the same folder:
Code:
copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
"%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mscan.exe" /quickscan
DO NOT EXECUTE INSTALL.BAT YET - IT WILL BE USED ON THE INFECTED MACHINE LATER

5. Copy the folder you created containing the setup file, the rules.ref file and the 2 batch files to a flash drive or writable CD and copy the folder to the desktop of the infected computer. Once it's there, run 12setup.exe and after the installation is complete, double click on the second batch file you made called install.bat. Malwarebytes' should now run and scan your computer for infections. Once the scan completes, remove any infections it finds and reboot if necessary.

This should work pretty flawlessly according to the source of this work-around, BT admin.
Let us know how it works,

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
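
A more defensive variant of the install.bat from step 4, as an added example that is not part of polonus's post or of the BT admin source. It assumes the same default paths and file names the post uses, looks for rules.ref in the script's own folder, and stops with a message when a step did not take effect.

```bat
@echo off
rem Added example (not from the original post): install.bat with checks.
rem Assumption: same default install and data paths as the post's install.bat.
setlocal

rem %~dp0 is the folder this script lives in, so rules.ref is found even
rem when the current directory is not the Fix folder.
set "RULES=%~dp0rules.ref"
set "DATA=%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
set "APP=%systemdrive%\Program Files\Malwarebytes' Anti-Malware"

rem prep.bat must have produced rules.ref on the clean machine.
if not exist "%RULES%" set "MSG=rules.ref not found next to this script, run prep.bat first" & goto fail

rem The data folder only exists after 12setup.exe has been run.
if not exist "%DATA%\" set "MSG=MBAM data folder not found, run 12setup.exe first" & goto fail

copy /y "%RULES%" "%DATA%\rules.ref" >nul
if errorlevel 1 set "MSG=could not copy rules.ref into the MBAM data folder" & goto fail

rem A previous run may already have renamed the executable.
if exist "%APP%\mscan.exe" goto scan
if not exist "%APP%\mbam.exe" set "MSG=mbam.exe not found, run 12setup.exe first" & goto fail

ren "%APP%\mbam.exe" mscan.exe
rem Check the result directly instead of trusting the exit code of ren.
if not exist "%APP%\mscan.exe" set "MSG=could not rename mbam.exe to mscan.exe" & goto fail

:scan
"%APP%\mscan.exe" /quickscan
exit /b

:fail
echo ERROR: %MSG%
rem Keep the window open when the script was started by double-click.
pause
exit /b 1
```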

Offline Alan|Cvette

  • Full Member
  • ***
  • Posts: 114
  • Wisdom, is all the strength you need in life.
    • The-Vette-Garage
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #1 on: December 24, 2009, 07:52:13 PM »
Thank you polonus!

I sure wish there was a forum category for things like this so they could be sticky'd.

Merry Christmas.
SYSTEM = Windows Vista x64 / Intel DC 2.60Ghz / 11GB RAM / WD 640GB HD.
SECURITY = Avast! IS + Comodo Firewall + WinPatrol + HostsMan + NortonUAC + WOT & Browser Defender & Finjan.
ON-DEMAND = A-Squared + Hitman Pro + MBam + Dr.Web + SAS + ClamWin + Webroot + NSS.

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3060
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #2 on: December 24, 2009, 07:54:41 PM »
yes alan I too think the same way..

sir pol, why don't you put all these work-arounds, tutorials, tips (whatever you wanna call them..) into one thread? they will be easily accessible. I would love to see them in one thread.

thoughts?

nmb

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #3 on: December 24, 2009, 08:14:32 PM »
***

Good idea, nmb.   :)

What do you think about doing that, Polonus?

( Well, at least think about doing that from now on as it would be a tough search finding some of your older tutorials & tips. )


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #4 on: December 24, 2009, 08:25:59 PM »
Hi CharleyO, nmb and Alan|Cvette,

Well, my good forum friends, I have put the link here: http://forum.avast.com/index.php?topic=37542.15
More to follow there, I think it is an appropriate place..

Hi Charley, your threat thread should also be given sticky status, I vote for that else people will not find it easy...but the issues there should also be put independently so the forum users will notice what they think is interesting...and there is also the weird forum animal  ;D that does not like stickies like foo-bars,

polonus

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3060
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #5 on: December 24, 2009, 08:37:31 PM »
I think that false positive sticky can be removed now.. what say friends?

nmb

Offline ardvark

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1512
  • John 3:16 (I'm not an "avast! evangelist")
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #6 on: December 24, 2009, 10:53:47 PM »
Quote from: Alan|Cvette
"Thank you polonus!

I sure wish there was a forum category for things like this so they could be sticky'd.

Merry Christmas."

Hi...

Yes, and this post by Polonus should definitely be included! :)

May God bless you :)

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #7 on: December 25, 2009, 12:54:00 AM »
When I see valuable tips like this, I've started keeping them using notepad or wordpad in a folder titled "how to".
I've also started keeping screenshots that are often used in this folder.
Makes helping out a bit more streamlined, and saves the sometimes lengthy process of trying to find a thread that might be pretty old by the time I need to use it, even if remembered.

Going to start pinning the URL of where I found it to the top of each notepad file.
Seems to work.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 44128
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #8 on: December 25, 2009, 05:53:36 PM »
Stickies aren't needed if you make frequent entries into one post.
When something new is added, it rises back to the top right under the current stickies. :)

If you have too many stickies, you'll eventually wind up starting new things on page 2 or 3 depending on how many items you tag as stickies.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1909 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #9 on: December 25, 2009, 06:06:11 PM »
Hi bob3160,

I considered that and used an existing one and changed the description accordingly,

Damian

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 44128
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #10 on: December 25, 2009, 06:31:15 PM »
That'll work. :)

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3665
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #11 on: December 25, 2009, 06:44:35 PM »
Thnx polonus :)

Greetz, Red.
OS: Win 10 / Debian / Tails / iOS
Real Time: Avast Premium Security
VPN: NordVPN ( NordLynx ) with Cybersec

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #12 on: December 26, 2009, 07:20:24 AM »
I think this problem has been fixed in Version: 1.42

I am not sure but I think so

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #13 on: December 26, 2009, 07:59:50 AM »
Quote from: Chris Thomas
"I think this problem has been fixed in Version: 1.42

I am not sure but I think so"
Why would you think that?
I believe the issue is more to do with what settings the malware has made to the computer, rather than any deficiency in MBAM.

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: Work-around when MBAM does not start due to a rootkit....
« Reply #14 on: December 26, 2009, 08:55:22 AM »
Recent Changes

(FIXED) Minor issue during reboot after malware cleanup.
(FIXED) Various errors during scan.
(FIXED) Improved multiple heuristics.
(FIXED) Minor issue while removing items from ignore list.
(ADDED) Internet Explorer version included in scan logs.
(ADDED) Protection logs now show on Logs tab.
(ADDED) Ability to ignore blocked IP addresses permanently.
(ADDED) 64-bit compatibility for context menu.