General av and anti-malware discussion

[MilesAhead]

General discussion of ins and outs of MBAM and other popular anti-malware, anti-spyware, av utilities etc..

[IainB]

Prompted by the discussion that led to this post - You like science fiction, don't you? Of course you do! (where the issue of malware/adware on eBook-related websites was raised) - I got off my backside and posted: Malwarebytes FREE and PRO - Mini-Review (as at 2012-10-30). - which I had been meaning to do for some time now.

Hope this helps or is of use.

[TaoPhoenix]

General discussion of ins and outs of MBAM and other popular anti-malware, anti-spyware, av utilities etc..

-MilesAhead (October 29, 2012, 10:57 PM)

What is MBAM?

[rgdot]

General discussion of ins and outs of MBAM and other popular anti-malware, anti-spyware, av utilities etc..

-MilesAhead (October 29, 2012, 10:57 PM)

What is MBAM?

-TaoPhoenix (October 30, 2012, 07:49 AM)

Malwarebytes Anti-Malware

[MilesAhead]

I've started using ClamWin as a supplemental scanner.

So far the only real annoyance is it seems to think there's an email somewhere hidden in my Thunderbird inbox with a spoofed domain.  It can't pin down which one. This leads to  a lot of futile delete/compact/rescan cycles.  MBAM shows it clean. It's likely a false positive. But I'd say it's useless for scanning Thunderbird folders. I searched ClamWin forums. It's been reported frequently. The main advice seems to be, if it was reported all along it's probably a false positive. If it's a new issue then you may need to hunt down the offending email. But that could take a full work week.

[MilesAhead]

Guess  if it's not a hijack the thrill is gone.

[IainB]

I don't find hijacks really that much of a thrill. It can take hours to clean up all the files and hooks from a PC that has been infected with a trojan/hijack.
The best way I have found of cleaning up a PC infected with a trojan/hijack is to use Malwarebytes.    
The best way I have found to avoid/reduce the risk of getting a PC infected by a trojan/hijack is to use both a virus checker and Malwarebytes PRO together. They are complementary.

The virus package I have used (since it came out for free) is Micrsoft Security Essentials.    

[MilesAhead]

The pun didn't even occur to me. I meant the hijack of the SciFi thread. Once it was on its own topic, the malware thread petered out is my point.

[IainB]

Oh, I see. I wondered why you wrote what you did.
Yes, this malware thread did seem to have petered out - that's why I made the comment, just to help things along a bit.
The subject is not necessarily likely to be all that interesting to too many people. Probably the time when people are most likely to get really interested in malware discussions is when they actually have an active case to be concerned with on their own, or someone else's PC.
For example, I recently had a major problem with one of my laptops (the one my daughter uses), and it seemed like it might have been a trojan/hijack or something, but the virus and malware protection setup on the laptop was identical to what is on my main laptop, and I couldn't see how it could have been infected with anything - given the security blanket I had implemented.

I scoured all the forums and ran tests on the laptop every which way. Over an elapsed period of 4 or 5 weeks, I spent hours and hours investigating the problem, but to no avail, until I happened on a post on a forum where someone had documented the exact same problem, and he had discovered a fix for it in a web posting.
The causal problem was apparently a corrupted system file, in an area that you would not have intuitively expected to be associated with the problem. I still don't know how the corruption could have been caused though (incomplete root cause analysis).
Most people would probably have given up trying to figure it out and re-installed Windows, but I dislike such an approach, and in any event saw no need to dicsombobulate myself with a re-install and all that that implies. I happen to prefer identifying the problem, the cause and fixing it. Anyhow, I eventually got there, but cannot stop the problem from recurring because I still do not know how it might have happened in the first place. That's a result of an incomplete root cause analysis.
Actually, I might make write a separate discussion about this, as it potentially could be tremendously useful to someone who finds themselves with the same problem in future.

[barney]

Not to change focus from AV & anti-malware, but IainB brings up an interesting - and ofttimes intrusive - point.

I recently installed XAMPP on an eight (8 ) GB USB stick.  But every time I tried to run it, it complained that the path to MySQL was wrong.  Hm-m-m ... MySQL, Apache, & PHP had been removed from that machine.  Did I have something that had been hijacking my MySQL data?  Spent a couple of days with MBAM, Comodo, a couple of other malware and keylog sniffers, all to no avail.  Then I loaded regedit to search for mention of MySQL.  That mention was massive!  I spend a good hour ferreting out references to MySQL, then pondering whether to delete a particular reference - not all of them were directly related.  For example, more than a few were for Open Office - a program that has not been on that particular machine for a good six (6) months.

After the registry surgery, the portable XAMPP install worked just fine.

The thing here is that what appeared to be a malware manifestation was naught - naught  ? - more than a couple of very sloppy uninstalls.  The files had been removed from the hard drive, but references had not been removed from the registry.  So I was getting hints of infestation, but MBAM, nor any other detector of evil, could never have found it.

(Before someone tells me to use Revo/Comodo/Geek uninstallers ... I did  .  But those can do a good job only on the installs they've audited.)

Just a passing thought, that even if it quacks like a duck and waddles like a duck, it may not be a duck.

[MilesAhead]

Sometimes I'll use CCleaner to root out dead registry settings. It worked so well for so long I took it for granted. I didn't save the .reg backup. Then I got a CCleaner update with a bug.  I think I bailed out of the mess by using my ERUNT backup.  But now I use the .reg backup, ERUNT and make sure I have a recent restore point before cleaning out the crap.

With file type associations in the registry it used to be that the file type was owned by the last app that registered it. If you uninstalled the app you were left with a "hole" in the associations.  Seems the kludge to get around it was having a User Level association and a global association.  When you uninstall an associated app it fills the hole with the global setting. Not exactly perfect.

[IainB]

...I use the .reg backup, ERUNT and make sure I have a recent restore point before cleaning out the crap...

-MilesAhead (November 02, 2012, 06:26 PM)

Yes, I typically run ERUNT (option ticked to save all subhives) typically once a day, and make a daily restore point. I also try to ensure a restore point after any major update or prog. install.

I only became more rigorous in the use of ERUNT after the experience I described above.    

These sorts of precautions could be very useful in recovering from some kind of "corrupted" file/registry entry, or malware infestation - so you could (say) blindly do a restore, and forget about doing a root cause analysis.
If the changes to the laptop software/system occurred in a process that was in statistical control, then such an approach might be valid, but the process is not in statistical control and therefore it is no more than just a pragmatic and expedient shortcut to take such an approach. We remain ignorant as to root cause, afterwards.

[MilesAhead]

If you shut down your PC every day then the Autobackup program that comes with ERUNT is handy. Someplace I found a string for the target line that keeps one week of rotating backups.  On the 8th day the oldest backup is deleted. It's cool because once you get through the first week the disk space usage you carry is close to constant.

Even if you never shut down you can run it manually. Once the day flips over it will run. If you forget and run it again it just quits with no action.

[tomos]

I used use ERUNT on XP - but according to the FAQs page, it will only work if uac is off, so I never bothered with it on Win7

http://www.larsheder...ine.de/erunt/faq.htm

[IainB]

I used use ERUNT on XP - but according to the FAQs page, it will only work if uac is off...

-tomos (November 03, 2012, 11:28 AM)

I didn't know that. I have switched UNC off anyway.

On the subject of malware:

If you are interested in how hijack trojans and botnets can be built, there's a really interesting blog post at the Malwarebyes blog: Citadel: a cyber-criminal’s ultimate weapon?
It describes how to set up and operate CITADEL - a "crimekit" (a tool to develop and implement a cybercriminal botnet) - to do things such as, for example infect other PCs and gather data or launch hijack trojans.
It then covers how MBAM blocks a lot of these nasties, but makes the point that user caution is still advisable, as the technology is becoming increasingly sophisticated. Apparently things like Webinject phishing popups cannot always be detected/blocked, though I think your browser might be able to do something to block spurious third party popups.

-IainB (November 05, 2012, 10:23 PM)

[erikts]

Malwarebytes Anti-Rootkit Beta is out (ghacks.net)

Anti-Rootkit is a portable application that you can execute from any location which makes it ideal as part of a repair and troubleshooting tools collection. The program triggers an UAC prompt on execution which you need to accept. The disclaimer display information about the beta, including that the copy of the product will expire on December 10, 2012 automatically.

[flamerz]

this is a very interesting article:

http://www.techsuppo...-world.htm?page=0,24

[Stoic Joker]

this is a very interesting article:

http://www.techsuppo...-world.htm?page=0,24

-flamerz (November 28, 2012, 05:26 AM)

(In case it gets missed) Here's a link posted in the comments for that article: Antivirus software so ineffective it's a waste of money, report suggests