dBug is a tiny utility that serves essentially the same purpose as KillEmAll, neutralizing malware that prevents you from running anti-malware tools, but it takes a very different approach and works much faster. dBug 1.1 can also be run from a WinPE environment, serving the same purpose as utilities like HitmanPro.Kickstart.
dBug does NOT locate or remove malware. It merely provides you with the opportunity to run anti-malware tools or manually find and remove the malware.
dBug removes Windows auto-start entries and restricts executables from running in common malware hiding places, then restarts Windows. The idea is that the malware cannot load after the restart, and from there you can use removal tools or manual processes to locate and remove it.
- When malware has taken over Windows, run dBug as many times as it takes for it to restart Windows. Once Windows begins a restart, you know that dBug has done its job.
- Once Windows has restarted, the malware should not be running and you have the opportunity to use removal tools and processes. Locate and remove the malware.
- With the malware removed, run dBug_Undo.cmd in order to undo the changes made by dBug.exe so other legitimate applications have the opportunity to function normally.
- NOTE: In v2.0 the dBug_Undo.cmd file is created by dBug.exe just before it reboots the system after applying its modifications. For this reason, unless you are comfortable with running dBug’s undo feature manually, you should not run dBug.exe from write-protected media, from paths where the current user has no write permissions, or directly from inside the .zip file.
- The manual command to undo the dBug modifications is to run dBug.exe with the command line parameter “/u” (without the quotes), e.g. dBug.exe /u
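The live-system approach described above (disable auto-starts, reboot, clean up, then undo), sketched as an added PowerShell example. This is not dBug's own code: which auto-start locations dBug actually touches, and how it restricts execution paths, is not documented on this page, so the key list below is an assumption, and it handles only the Run/RunOnce keys of a running Windows (not an offline WinPE hive). It exports each key to a .reg backup before clearing it and writes an undo script that re-imports the backups, mirroring the dBug_Undo.cmd step.

```powershell
# Added example, not dBug's code. Run from an elevated PowerShell so the HKLM keys are writable.
# Assumed list of auto-start keys; dBug's real list is not documented on this page.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Random work directory, similar in spirit to the dBug_[random] directory mentioned on the page.
$WorkDir = Join-Path $env:SystemDrive ("autostart_" + (Get-Random))
New-Item -ItemType Directory -Path $WorkDir | Out-Null

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $key -replace ':\\', '\'
    $backup  = Join-Path $WorkDir (($regPath -replace '[\\:]', '_') + '.reg')
    # Export first; only clear values once the backup file actually exists.
    & reg.exe export $regPath $backup /y | Out-Null
    if (-not (Test-Path $backup)) { Write-Warning "Backup failed for $key, leaving it untouched"; continue }
    # GetValueNames() lists real value names only (no PS* metadata); '' is the (Default) value.
    foreach ($name in ((Get-Item -Path $key).GetValueNames() | Where-Object { $_ -ne '' })) {
        $value = Get-ItemPropertyValue -Path $key -Name $name
        Write-Host "Removing $key\$name = $value"
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
}

# Undo script: re-import every backup after the clean-up is finished.
$undo = Join-Path $WorkDir 'undo.cmd'
Get-ChildItem -Path $WorkDir -Filter *.reg | ForEach-Object {
    "reg.exe import `"$($_.FullName)`""
} | Set-Content -Path $undo
Write-Host "Backups and undo script written to $WorkDir (run undo.cmd elevated once the malware is removed)"
```

Review the Write-Host lines before rebooting: they are the only record of what was disabled besides the .reg files, and they often point straight at the malware's executable path.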
WinPE/Offline Usage: (Available in v1.1)
- Prepare a WinPE disk or flash drive if you do not have one already. Consult the guide here: http://www.foolishit.com/tech-info/creating-a-winpe-5-1-bootable/
- Load your WinPE disk/flash drive with the dBug files, and run dBug_WinPE.cmd.
- Select the target drive letter containing the Windows partition the infection is located on. If using a Win8.1SE build (linked to in step 1) this is typically C: drive.
- Next you will receive a shutdown prompt. Select yes, and this time do NOT load the WinPE build; boot straight into Windows, which should start with NO RUNNING MALWARE.
- Remove the malware causing the issue with standard tools.
- Finally run dBug_Undo.cmd from the dBug_[random] directory in order to undo the changes made by dBug.exe so other legitimate applications have the opportunity to function normally.
Tips & Tricks:
- Rename the “dBug.exe” file to a critical Windows executable file name, such as “svchost.exe”, “winlogon.exe” or “explorer.exe”, before usage. Naming it as a critical Windows executable will sometimes fool the malware into allowing it to run initially, giving it enough time to make its modifications and perform the restart. Note that you will need to rename it back (or alter the names inside the dBug_Undo.cmd and dBug_WinPE.cmd files) before those scripts will work properly.
- Untested with remote access tools!!! Use at your own risk in a remote scenario!
Freeware. Completely free for personal and commercial use.
- 2.0 – Complete re-write. Operates FASTER. Prevents MUCH MORE.
- 1.2.1 – Minor bug fix.
- 1.2 – Added a reminder prompt on startup when dBug is ‘active’ (meaning that you still need to run dBug_Undo.cmd to finish.)
- 1.1 – Added a WinPE mode so dBug can run from a WinPE environment and make its modifications to Windows prior to booting into that copy of Windows, so that the malware never executes to begin with.