Safe Mode Recommendations for ComboFix & MBAM

Safe Mode Scans for ComboFix & MBAMQuestion:

All,
(New version of the old question http://www.experts-exchange.com/Q_24860646.html)

The intent of this string is to provide mutual support for the proper use of ComboFix & MBAM applications.

We frequently see the mistake of suggesting "Safe Mode" as a starting point for these tools and we need to do what we can to stop that recommendation.

Both products are created for "Normal Mode" operation and they are more effective when it is done so.

I fully realize that there are times when a system will only boot to Safe Mode, so obviously that is how you have to do it - in that situation.

To summarize:
The developers of both products recommend "Normal Mode" to run the programs they created. That should be the only STARTING recommendation we make on this site.

When you see someone making this recommendation, please ask them to join us here. It will help avoid cluttering real questions with a lot of back and forth about procedures.
(The short URL for this string is: http://www.experts-exchange.com/Q_26896002.html)

A good reference from the MBAM Member Forum - a good discussion about how MBAM works and why "Normal Mode" is recommended:

http://forums.malwarebytes.org/index.php?showtopic=17334&pid=88995&start=&st=#entry88995

NOTE FOR THOSE WHO KEEP MISSING THE POINT:
At no point have I ever hinted at saying your should NEVER run either program in "Safe Mode". There are times when we need to try every damn trick in the book to fix a problem - or even throw the book out the window.

Thank you,

rpggamergirl
younghv
Zone Advisors
Virus & Spyware
THE RECOMMENDED "CF" POST (please give attribution to rpggamergirl when using)

Please download ComboFix by sUBs:(and attach the resulting log) http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop - use the "Save As"  function) 
 
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and
Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by
 pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix. 
 
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall. 
CF disconnects your machine from the internet. The connection is automatically restored before CF
 completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. 
  
If needed, here's the ComboFix tutorial which includes the installation of the Recovery Console:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When finished with the question, don't forget this:
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field: 

ComboFix /Uninstall

Open in new window

Recent comment from rpggamergirl

"Here's my .02 with regards CF and MBAM.
Many people believe that running CF or MBAM from Safe Mode is better, but that's not true because
 CF and MBAM are optimized to run from Normal mode, that's where they work best. Running in Safe
 Mode is only necessary if users have trouble loading Windows in normal mode, or in special cases
 where CF or MBAM just won't run successfully in normal mode.

Yes, ComboFix doesn't like it when AVG or CA Internet Security Suite is installed in the system so
 the user must uninstall this first before running CF.
Sometimes even when AVG is already uninstalled but its folder is still present CF may still
 complain so the AVG folder needs to be deleted.

ComboFix also pops up alert if an AVG entry in the WMI is present (you can remove its entry
 following the steps in one of my articles) or you can just ignore it and ComboFix will still run.

ComboFix in Windows 2003 Server:
We should not be recommending CF to be run in systems other than those CF is designed for.
CF will run in 2003 Standard Server but doing that is a big risk to take... Things have gone wrong
 when CF is run in the systems it is designed for, so how much likely things could go wrong if we
 disregard the author's instructions?

sUBs doesn't even want users using ComboFix without a Helper who is trained to use the tool."

Open in new window

LVL 38
younghvAsked:
Who is Participating?
 
rpggamergirlCommented:
"Has the author publicly posted that these tools are not to be used?"

These tools are not really public tools, they were created to aid the Helpers in malware removals in antimalware forums.
The authors of those tools are volunteers and they stopped developing them when they had enough. Sometimes they just stopped updating their tools and disappeared from antimalware forums.
Like for example the SDFix tool which was an excellent tool for removing SDBot/IRCBot, it had updates nearly everyday, then the author just disappeared without a word.

SDFix  -- last update 6th November 2009
Smitrem -- Last updated 11/12/2006
SmitfraudFix -- last update 11 June 2009
RougeScanFix -- Last update 22-March-2008
FixWareout  -- last update Sept 2005, author has withdrawn FixWareout.
VundoFix v7  -- last update 22 June 2008  
CWSShredder -- Since it's changed hands it wasn't effective anymore against CWS, we then used ABout:Buster which was excellent removal tool for all variants of CWS. CWS hasn't been seen for a long time.

AboutBuster -- last update 21 May 2006... AboutBuster tool is gone, the Author is now developing MalwareBytes.
From the author: "Please refrain from using AboutBuster. The application is now obsolete. The infection does not exist. I have changed AboutBuster into a SCANNING UTILITY ONLY. There were concerns with to many false positives."
0
 
kentcomputersCommented:
Thank you.  Could you give me a quick explanation of how not uninstalling Combofix is a great disservice?  I know it leaves the scripts there in the Combofix folder, and the quarantine in Qoobox.  But from what I can tell it seems like nothing is actively running.  I'm curious!
0
 
younghvAuthor Commented:
@kentcomputers,
If you think about it, you shouldn't leave any of the tools you've installed on the computer when you give it back to the customer - unless you intend them to be a permanent part of the system security. I install Malwarebytes Pro for trouble-shooting on every system I touch, and it stays.

One of the concerns about some tools is that often main-stream AV programs will tag some of the files (possibly through heuristics) as being "malware"

Also, the simple act of installing anything means that you have modified system files AND the registry.

Details about ComboFix should never be discussed in public forums, but you can find legitimate training sites where you can learn more.

Note the last line in the second "Code" box above.

I realize that it is very common for everyone to think it is OK to say "Run ComboFix" and the cure-all for malware, but the simple fact is that it is not the first choice - and if you aren't trained in its proper use, you should not be doing it at all (per the developer).
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
*** Hopeleonie ***IT ManagerCommented:
Younghv & rpggamergirl great article!
0
 
rpggamergirlCommented:
younghv had explained why it needs to be uninstalled.



"I know it leaves the scripts there in the Combofix folder"

plus, there it is...
0
 
*** Hopeleonie ***IT ManagerCommented:
Hi rpggamergirl

welcome back, so nice to see you again! :-)
0
 
rpggamergirlCommented:
Hi hopeleonie,

Thanks, it's nice to see you too, :)
0
 
younghvAuthor Commented:
From:
http://www.experts-exchange.com/Q_26917962.html?cid=748#a35342801
(Neat Trick!)

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall

Or simply rename ComboFix.exe to Uninstall.exe and double click it.

Thank you for using Experts-Exchange!
0
 
younghvAuthor Commented:
For xmlmagician,
Your "Safe Mode" recommendation here: http://www.experts-exchange.com/Q_26942591.html is why I posted a link to this discussion.

When you post suggestions in the Virus & Malware Zones, please make sure that they are in accordance with the actual recommendations from the developers.
0
 
ReN501Commented:
ok i see your point younghv, as per developer i've read besfore , my comments where related to real world working, and always will be . all i was getting at was those 2 tools malware bytes and combo fix will install and update happily in safe mode , and that safe mode with networking startups dont load posible spyware/virus dlls etc ( except for registry entries ) which does help in the removal process as this prevents a large number of malicious stuff loading.
0
 
younghvAuthor Commented:
ReN501,

I am always at a loss when people want to dispute what I say - using that "real world" expression and am never quite sure what they mean.

I also live and work in the "real world". My current work is about 80% malware repair and I see these problems every day on my workbenches. I have been living and working in the IT world since 1973 and am thoroughly convinced that the right way to use any application is in accordance with the instructions from those who wrote it.

Recommendations for the proper use of Malwarebytes and ComboFix will always comply with developers guidance and all comments to the contrary will be deleted.

0
 
ReN501Commented:
ok kewl np , i to have been in IT for a long period , comming upto 20 years now , i also work on machine everyday on tech benches and see +20 machines a week with such issues , all i'm trying to get at is the methods used in "normal mode" do not 100% of the time remove the issue, in my experience safe mode with networking is by far the more thorough way to get rid of spyware. many many times i've personally used the normal mode and safemode with networking , and found the later to 100% of the time be the more reliable , hence why i commented as such.
0
 
younghvAuthor Commented:
Heh!
I've been working on a new Article titled "My Way", but can't get the words just right.

I fully understand that each of us has developed our own way of fixing these problems, but we need to balance 'our way' of doing things with what we recommend our Members do.

If we go off the reservation with a suggestion and the Asker gets in trouble, it makes it a lot harder to get their system back up and running.

As long as we have followed the developer's recommendations, they will help us resolve any unforeseen problems.
0
 
ReN501Commented:
indeed , totally agree , i might have misunderstood the reason these post are here , i meant no disrespect in offering my opinion , if indeed this is incorrect i do apolagize , as you are the expert in the area i am happy to go with your explaination, i was just trying to give the customer all posible avanues to try....
0
 
younghvAuthor Commented:
Without question, there are times when we have no recourse but to try any off-the-wall idea we can think of. When the basics haven't worked, most of us will start down the road less travelled and try to figure something out.

I need to change the formatting of my last paragraph in the original post so that it stands out more clearly:

"At no point have I ever hinted at saying your should NEVER run either program in "Safe Mode". There are times when we need to try every damn trick in the book to fix a problem - or even throw the book out the window."
0
 
rpggamergirlCommented:
The 'safe mode' way was what usually worked in the past... where it was better to scan the system while malware were not active, but the Developers have caught up with new techniques to fight malware/viruses when these are active(in normal mode). They now designed their tools to run from normal mode where malware are active.

There are cases where Mbam needs to be installed in safe mode with networking and update it but still run  run the scan in normal mode. There are cases where normal mode is not possible so safe mode is the only option.
These tools are optimized to run from normal mode, it's in normal mode where these tools are most potent.
0
 
phototropicCommented:
Please take a look at this question:

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/Q_26952506.html

The accepted answer is very vague and generalised. It states "...create a boot CD (put combofix on it)..."  No links.  No instructions.

Has anyone ever sucessfully created a boot disk which will allow Combofix to run from the disk on the original pc's os?
0
 
younghvAuthor Commented:
pt - that is a new one on me.
I've posted asking for confirmation and will defer to rpg on the mechanics of that.
Depending on her response, we may re-open that question and take other actions.
0
 
phototropicCommented:
OK.  Thanks for your help with that.

I think that as non-specific, untargeted advice goes, "...create a boot cd and put Combofix on it..." must set some sort of benchmark!!!    

No links.  No instructions. Hugely generalised, non-specific, untargeted macro advice.  Recommending a proceedure which is, as far as I know, entirely impossible...
0
 
younghvAuthor Commented:
Concur - and it is one of the toughest things on EE we all deal with -- especially when comments such as that get selected as "Solutions" - Yikes!

When I see that kind of stuff, I try to go into neutral mode and just post a request from clarification from the Expert. Usually, it is a brand new member who just doesn't understand EE, but sometimes it is one of these long-term Google Monkeys who don't have a clue, but plop down the same (worthless) advice repeatedly.
0
 
phototropicCommented:
Re; the following question:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_26988024.html#a35501783

@RouterRat,

If the developer of Combofix says do not download from www.combofix whatever, I think we should do as he says.

The link you posted is specifically mentioned in Combofix's disclaimer notice.  I think it is irresponsible to direct askers to any other sites than than the ones the developer designates.
0
 
younghvAuthor Commented:
@phototropic,
Thanks for the head's up.
I'm subscribed over there and will try to help that new Expert.
0
 
phototropicCommented:
Please do.  He is now duplicating my posts and must be confusing the asker.
0
 
younghvAuthor Commented:
@pt -
Modus_Operandi and I are both monitoring that question.
We will delete any inappropriate comments and you can just focus on getting her problem solved.
Hold on - this could be a long ride.
0
 
rpggamergirlCommented:
ComboFix shouldn't be run in that environment.... bad enough to run it in safe mode; what'll it be like outside of Windows, if it even runs.
0
 
rpggamergirlCommented:
http://www.experts-exchange.com/Q_27024809.html#a35735715

Due to CF "Uninstall" comment posted on the above link, I need to post this.

Please note:
If you only want to get an updated version of ComboFix during the course of the cleanup, you need to just delete the existing combofix.exe - DO NOT uninstall it... do not use the Uninstall command.
0
 
younghvAuthor Commented:
All - I've started noticing some new Experts in Virus & Spyware with the old "Safe Mode" recommendations.

Anyone seeing this should feel free to invite these folks over here where we can all lend a hand in helping them see the light and the truth (and the truth shall set you free).
Vic
0
 
TimPeerCommented:
Vic,
What are the new recommendations?
0
 
younghvAuthor Commented:
Hi Tim,

Good quesiton.

Go ahead and read on through the various comments posted (including my original post) to get a flavor for how this has evolved.

Special note should be paid to the comment from rpggamergirl here: http:#a35407164

She does a great job of explaining the evolution of the tools that the good guys have been developing.
0
 
johnb6767Commented:
I think that instead of saying that Safe Mode shouldnt be used, is that it should be used as a last resort.....
0
 
younghvAuthor Commented:
From the original post:

"NOTE FOR THOSE WHO KEEP MISSING THE POINT:
At no point have I ever hinted at saying your should NEVER run either program in "Safe Mode". There are times when we need to try every damn trick in the book to fix a problem - or even throw the book out the window."

And here: http:#a35407115
And here: http:#a35407164
0
 
johnb6767Commented:
From my comment....

"I think that instead of saying that Safe Mode shouldnt be used, is that it should be used as a last resort..... "

All I am suggesting is that we shouldnt blast people for saying not to use it in Safe Mode, but PLEASE use Regular Mode first, and then use it in Safe Mode only if the other methods fail.....

0
 
younghvAuthor Commented:
@johnb6767,
Would you please try reading my response to you again - and then read the posts I've linked to?

Your last comment doesn't make any sense - based on what I have repeatedly posted here in this thread.
0
 
johnb6767Commented:
I have re read those, and it does make sense. Some people have stated in several threads, to try them in Safe Mode, and the responses are "No Dont Do that!!!!"

Not Try Regular Mode first..... But "No"....

Thats all I am trying to point out.....
0
 
younghvAuthor Commented:
I still don't understand what you're trying to say.
Do you have a link to a question where this happened?

With virtually all current variants of malware, the reasons for ONLY using Normal Mode have been explained repeatedly. Therefore recommendations for Safe Mode will (rightfully) either be corrected or deleted - as will recommendations for using outdated tools such as:

SDFix
Smitrem
SmitfraudFix
RougeScanFix
FixWareout
AboutBuster
CWSShredder
VundoFix

0
 
johnb6767Commented:
Has the author publicly posted that these tools are not to be used?

Please provide links if so, and I will not post them any longer. We post utils that are freely available, and when one doesnt work, we try another. Thats what they are there for......

And I will try and find links to where this has happened....

Look Vic, I am not trying to start a war here.

"Therefore recommendations for Safe Mode will (rightfully) either be corrected or deleted "

Those comments should NEVER be deleted.... Corrected to suggest using Regular Mode first, fine.... But you cannot delete a comment that "Safe Mode might work", when someone posts it (recommending as a last resort), when all else fails, as it DOES work sometimes... Thats not right..... Should it be recommended to use Regular Mode first? Sure, thats not the point. But the fact is, that it DOES work in Safe Mode. And a comment should NEVER be deleted to that effect.. Corrected? Sure....

I hope I have explained this fully.....
0
 
younghvAuthor Commented:
Real glad you're not trying to start a war.

We can continue this in a "Private Discussion" (http://www.experts-exchange.com/help.jsp#hs=31&hi=427) or here.

One of the things you are demonstrating by your insistence that it is OK to recommend out-dated scanners is that you simply don't understand the potential for system damage by using them.

You also need to understand that every action taken (and post made) by a Zone Advisor is subject to review by the Moderators and Site Administrators.

The decisions we make about what will or will not be deleted/modified is not up to you - and comments are never actually "deleted". They are merely masked from public view, to allow them to be reinstated if a ZA makes a mistake.

I'm done for the night, but will be back tomorrow.
0
 
phototropicCommented:
Not sure how the "out-of-date-applications" argument got mixed up with the "safe-mode-slaved-drive" argument, but I think it is important to make this clear.  

There are many sites which turn up after Googling a malware variant which recommend out-dated tools.  There have been quite a number of experts posting suggestions to use these tools recently on ee.  Doing so would be at best useless, and at worst dangerous.

"...Has the author publicly posted that these tools are not to be used?..."  Doesn't make any difference...if a tool has not been updated in years, it cannot help to remove current infections.  The following tools should not be recommended under any circumstances:

SDFix - both the Andymanchesta and bleeping computer download sites are dead.  The only place you'll find this is on P2P sites.  Great tool in 2008, not much use now;

SmitfraudFix - last updated June 26th, 2009. No longer available from Siri's site, but still offered by Majorgeeks; Softpedia; etc. The Bleeping Computer link is dead;

Smitrem - last updated Feb 17, 2009...still freely available;

RogueScanFix - last updated 22-March-2008;

FixWareout - last updated sometime in 2007;

AboutBuster - last updated 1 May 2007;

CWSShredder -  last updated 15 Nov 2005; This app is number 4 in Filehippo's top ten anti- spyware  downloads!!!

VundoFix - last updated Oct 15, 2007;

NoLop - still around on P2P sites;

LopSD - still around on P2P sites;

Also still being promoted:

AVG Anti-Spyware 7.5.1.43 - long since disappeared;

Rogue Remover - still listed, but ceased to exist years ago;

AVG AntiRootkit - last updated April 11th, 2007;  however, this tool and Combofix were recommended by an article writing expert on Tech Republic just a couple of months ago!!!

The only solution to this is to keep your ear to the ground and be aware of what is in use and what is not.  Hitman Pro was hugely popular as a recommendation on ee, but is now verboten.  The fight against malware is constantly changing and you ignore that fact at your peril.
0
 
younghvAuthor Commented:
@phototropic,
Thank you for doing the detailed research.
I got up this morning and started working on it, but got involved in some other stuff.

Sad to say that so many of these top-notch malware fighters (the creators of the above tools) have simply disappeared and are no longer involved in helping us.
0
 
phototropicCommented:
True, but new names come along to replace them.  Personally, I don't know how someone with the required skills can find the time to produce an app and then monitor its use and produce updates, and receive no recompense, apart from the odd donation.

I don't have the skills to do it myself, but if I did...where would I find the time?

Kudos to all those who DO find the time.
0
 
younghvAuthor Commented:
A quick note about your 'other sites' comments.

I try to keep involved in some other forums (notably Malwarebytes), but are some real losers out there.

In the vast majority of instances, the EE Experts are up to date and posting solid advice, but there are some sites out there that just make me shudder.
0
 
TimPeerCommented:
Thermoduric thank you for your comments on what is arguably a controversial subject. As a subscriber of EE, rely on advise from your pool of experts and appreciate your recommendation related to rpggamergirl  & younghv.

Thanks again for intervening and look forward to continued advise from your team of experts.
0
 
younghvAuthor Commented:
Posting.
0
 
9660kelCommented:
A quick question, I noticed that hitman pro was commented as "verbotten" and I'm wondering why?

Not that I intend to recommend it at the moment, but if there is something wrong or too many false positives, it's in my current tool kit, and that matters.
0
 
younghvAuthor Commented:
9660kel,
Thank you for asking.

For most of this year HitmanPro has been plagued with causing unexpected BSOD's - which is too bad. It was/is a very commonly used tool.

Comment copied from earlier post by 'rpggamergirl':
I would not use HitmanPro, too risky, it's not that good for removing infections specially when system files are patched.
Since last year there has been many reported unbootable PCs after scanning with HitmanPro.

These below are just in one forum.
 
Posted 24 November 2011  
Ran Hitman Pro 3.5 now Windows won't boot
http://www.geekstogo.com/forum/topic/310549-ran-hitman-pro-35-now-windows-wont-boot/


Posted 21 November 2011
Hitman Pro 3.5....Can't Boot. Please HELP!
http://www.geekstogo.com/forum/topic/310433-hitman-pro-35cant-boot-please-help/


Posted 14 November 2011  
Hitman Pro killed my OS...
http://www.geekstogo.com/forum/topic/310084-hitman-pro-killed-my-os/


Posted 08 November 2011
Used Hitman pro 3.5 to remove google redirect virus and now computer won't boot.
http://www.geekstogo.com/forum/topic/309834-used-hitman-pro-35-to-remove-google-redirect-virus-and-now-computer-wont-start/ 
0
 
9660kelCommented:
That blows, sounds like false positives.

I recently dumped spyware terminator for bad behavior, not a really popular tool, but it had decent heuristics with a spyware emphasis.

That wasn't a false positive issue though, it was a shift in the software to basically adware, and it was annoying as well as disruptive to the machine.

As far as Norton/Symantec, any security software so out of touch that it is used as a direct entry vector for exploits, just isn't worth running. Between the system loading and the low detection rate, I wouldn't run Norton if they gave it to me.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.