how to remove spyware without safe mode?

May 23, 2011 at 10:32:14
Specs: Windows XP
Hi, I seem to have a nasty fake-antivirus calling its-self 'Malware Protection'. It is preventing me running any programmes from my computer such as malwarebytes, task manager, combofix, Regedit.exe and so on. The only thing I seem to be able to run is McAfee - which doesn't get it. It also prevents me from opening in safe mode: the computer shuts down as windows is opening every time I do this. Anyone know how to deal with this?

See More: how to remove spyware without safe mode?

May 23, 2011 at 10:35:13
by the way - does anyone know if it is possible for me to run malwarebytes from another computer if I remove my hard drive and connect it via usb? would this risk infecting another machine?

Report •

May 23, 2011 at 15:31:26

Before going through the trouble of removing your hard drive, see if you can download the following program: SASSafeRun
(SuperAntiSpyware (SAS) SafeRun)

If the file does not download, copy/paste the following >>without the brackets<< to the address bar of your browser:

If you still cannot download it to the infected computer, use a clean computer, and then download and save the program to a USB flash drive.

Plug in your USB flash drive in the infected computer, and double-click SASSafeRun.COM. It is a SAS portable launcher.

When SuperAntiSpyware opens, do the following:
Click on Preferences
Click: Repairs tab
Scroll down and select Repair broken SafeBoot key
Click Perform Repair and follow the prompts.

When done, start SuperAntiSpyware again, select:
Scan your computer > Perform a Complete Scan

Once again, on the main screen, click on the Preferences button.
Click on the Statistics/Logs tab
Double-click on the most current log.

Please provide the SuperAntiSpyware log in your reply so we can see where we are at, and plan any additional removal strategy, if necessary.

Report •

May 23, 2011 at 23:07:51
Thanks for your reply,
I cannot run anything from my computer because it is blocked. So I can download SAS saferun onto a usb easily enough on a different computer, but when I try and run it it does not work / is closed down instantly with the popup message:
"shstat.exe is infected by W32/Blaster.worm Please activate Malware Protection to protect your computer"
apart from the name of the executable, this is the same message I get from trying to run anything, including task manager etc. I am pretty sure that W32/Blaster is not the problem - it is "Malware Protection".
Any ideas?

Report •

Related Solutions

May 24, 2011 at 05:38:40
Looks as if we need to get a ‘hold’ of that computer before Malware Protection does. We can do so with a bootable LiveCD that runs a scan before Windows shows up.

If you have a clean computer to burn an .ISO image to a CD, and wish to give this try, this is what you need to do:

DrWeb Live CD Instructions: (Emergency Rescue CD)

Step 1: Download the ISO and burn to a CD:
Dr.Web LiveCD ISO image needs to download to a computer that is not infected:
Select: drweb-livecd-600.iso

Save to the Desktop

Make sure the CD burner program used burns ISO images to a CD!
Proceed with burning the ISO image.

InfraRecorder works well for this task:

Install the InfraRecorder program
Insert a blank disk in your CD burner, and open the program
Click: Actions on the top bar
Then click: Burn Image
Locate the DR Web drweb-livecd-600.iso, double click it, and follow the onscreen prompts.

Step 2: Prepare to boot from LiveCD:
Make sure the infected computer can boot from the CD
When the computer starts, pay close attention to the initial screen for the key used to access the BIOS (Setup).
Some of the keys used to grant access to the BIOS set up menu are: F1, F2, F10 or DEL

If, for example, the key is F2, press the key until the BIOS screen shows up.
Go to the Boot tab, and make the appropriate changes to boot from CD
Save the changes!!
Before exiting the BIOS, insert the LiveCD in the appropriate drive.
Exit the BIOS, and the computer starts.

Step 3: DrWeb LiveCD loads...
To launch the Graphic User Interface version of Dr.Web LiveCD, select Dr.
Web-LiveCD (Default).

When you boot Dr.Web LiveCD in default (GUI) mode, Dr.Web Control Center for Linux will be started automatically.

At the Dr.Web Control Center for Linux, select: Scanner

At the main window of the scanner, place a check on the drive(s) to scan.

After selecting the drive(s), press: Start

The process may take a while…

Step 4: Scan Results
Scan results are shown as a table in the bottom of the Scanner main window. There you can find information on infected and suspicious objects found during the scan: their location, their reasons to be included into the current selection and actions performed by the program over these objects.

Below the report field is a row of buttons where you can select the desired action for every object in the list: Cure or Delete. (Delete is NOT recommended!)
The Cure action is not available for archives, containers, and mail files.

To learn more about using Dr.Web LiveCD, consult the program HELP feature.

DrWebLiveCD Manual (English):

Other info:

Report •

Ask Question