shanenin Posted September 21, 2008

I found the following technique helpful for removing some infections. I ran MBAM (one of my favorite programs) today on a computer. It found 51 infected items; these were a mixture of registry entries, files, and in particular 3 files running in memory. Every time (I think I tried it twice) I used the quarantine feature and rebooted, all the items would return.

I then ran a quick scan with MBAM a third time. It found the same 51 entries. I just used it to find the files that were running in memory, but I did not choose to quarantine them. I just took note of the files, then closed the program. I then rebooted the system with a live CD; I used BartPE. Any live CD with NTFS write support would work, for example most modern Linux distros. I then deleted the three files that were flagged as running in memory.

I then booted Windows, then ran MBAM one more time. It found all the same entries except for the files I deleted with BartPE. This time I let MBAM quarantine all the items it found. They were deleted with success, meaning they did not come back.

I assumed the items that were running in memory were somehow defeating the deleting process that MBAM used and then repopulated the system with malware. Since I deleted them while they were dormant (Windows was not booted), they were defenseless. I did not try, but I wonder if delete on reboot would have worked as well. I wish I would have tried that first. Next time I will experiment with some different deleting options.

Edit added later: If anyone is interested, the files that were running in memory were all in c:\windows\system32 and were called proxy.dll, svchost.dll, and the third was mmchost.dll. Since mmshost was a layered service provider, I had to run LSP-Fix to repair my network. Even though MBAM seemed to have trouble (no program is perfect) removing some files on one computer, it has the best detection and removal out of any anti-malware program I use. I recommend it to all my clients.
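The offline step described in the post, as an added example that is not part of the original thread: a POSIX shell function run from a Linux live CD that moves the flagged files off the Windows volume while Windows is not running, instead of deleting them outright. It assumes the NTFS volume is already mounted read/write (e.g. with ntfs-3g) at the first argument, that the second argument is a writable quarantine directory on other media, and that the relative paths match the directory names on disk. Each file is hashed and logged before it is moved, so the removal is reversible and the sample survives for later analysis.

```shell
#!/bin/sh
# Added example, not the original poster's procedure or any MBAM feature.
# Usage: offline_quarantine MOUNT_ROOT QUARANTINE_DIR relative/path ...
# The volume must be mounted read/write at MOUNT_ROOT and Windows must not be
# booted, which is what keeps the files from being locked or re-created.
offline_quarantine() {
    root="$1"; qdir="$2"; shift 2
    mkdir -p "$qdir" || return 1
    log="$qdir/quarantine.log"
    for rel in "$@"; do
        src="$root/$rel"
        if [ ! -f "$src" ]; then
            # record names that are not present so the gap is visible later
            printf 'MISSING %s\n' "$rel" >> "$log"
            continue
        fi
        # hash before moving so the sample can be identified afterwards
        sum=$(sha256sum "$src" | cut -d' ' -f1)
        # keep the original relative path in the quarantine file name
        dest="$qdir/$(printf '%s' "$rel" | tr '/' '_')"
        mv "$src" "$dest" || return 1
        printf 'MOVED %s sha256=%s -> %s\n' "$rel" "$sum" "$dest" >> "$log"
    done
}

# Constructed demo: a fake mounted volume holding two of the three file names
# from the post; the third is absent so the MISSING branch is exercised too.
demo=$(mktemp -d)
mkdir -p "$demo/vol/Windows/System32"
printf 'constructed sample A' > "$demo/vol/Windows/System32/proxy.dll"
printf 'constructed sample B' > "$demo/vol/Windows/System32/svchost.dll"
offline_quarantine "$demo/vol" "$demo/quarantine" \
    Windows/System32/proxy.dll Windows/System32/svchost.dll Windows/System32/mmchost.dll
cat "$demo/quarantine/quarantine.log"
rm -rf "$demo"
```

After rebooting into Windows, rerun the scanner as the post describes; the log gives the hashes to compare against what the scanner later reports.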
TheTerrorist_75 Posted September 21, 2008

I go for the delete on reboot whenever files are found in memory. MBAM hasn't failed me yet with that option.