Why are Malwarebytes and SUPERAntiSpyware popular?

Discussion in 'other anti-malware software' started by guest, Aug 8, 2008.

Thread Status:
Not open for further replies.
  1. EliteKiller (Registered Member)
    Correct, and the same goes for SAS.
     
  2. Fly (Registered Member)
    I presume a2 is the same as A-Squared?

    I've tried the online scan a number of times.

    I've never found anything but fairly benign cookies!

    So I tend to use that scan less and less ... :)
     
  3. guest (Guest)

    a2=A-Squared
     
  4. Franklin (Registered Member)
    Another review with SAS and MBAM included.
    Seems only spyware/adware modules were tested, so I don't know why some full-fledged AVs were included.
    Antimalware Review
     
  5. ambient_88 (Registered Member)
    Wow, Spybot S&D beats MBAM and SAS? And Kaspersky didn't catch anything at all? :cautious:
     
  6. Franklin (Registered Member)
    Throw in some smitfraud/zlob/vundo variants and I'm sure SAS and MBAM would easily top the lot.;)
     
  7. emperordarius (Registered Member)
    Pretty hard to believe that test. If they were all cookies, I'd believe it, but not in that form. And if they had really tested Kaspersky, it could have got such a low score only if not all categories were checked under Threats.
     
  8. guest (Guest)

    OK. Kaspersky, Avira, Panda... etc. can't find and remove it?
     
  9. nosirrah (Malware Fighter)
    Take a walk through a few HJT forums and you might be surprised at just how bad the majority of the AVs are at dealing with all components of the above-mentioned infections. Vundo also has some major removal issues.

    We added special install-pattern heuristics just to deal with Zlob and Vundo, to add a 0-day security blanket. Vundo has multiple families, and each family can have as many as 6 unique MD5 DLLs per infection, and then multiple copies of each with multiple load points on most of them. In most cases Vundo can't be removed without either a file header breaker or an early-load DOR driver. The 04 version of Vundo seems to be the one that most AVs fail to detect. To give you an idea of just how bad it is, here is an install log (HJT and Autoruns) of current Vundo; this is from a single loader:

    O2 - BHO: {f105e3b9-4b0d-e1fa-c894-34a4039d0930} - {0390d930-4a43-498c-af1e-d0b49b3e501f} - C:\WINDOWS\System32\tbtxop.dll
    O2 - BHO: (no name) - {4824CC50-B14C-4A9B-B1E3-43833714D7B3} - C:\WINDOWS\System32\wvUlljiF.dll
    O2 - BHO: (no name) - {A35FAAD5-C33C-4367-8F5F-26FECE8FEA48} - C:\WINDOWS\System32\nwvvloyd.dll
    O2 - BHO: (no name) - {A9C85C2B-B1D2-4B29-9BC9-21AE6764A59E} - C:\WINDOWS\System32\lewuseze.dll
    O2 - BHO: (no name) - {DB80FF64-932A-4C4B-A502-66D1F2E9B0BE} - C:\WINDOWS\System32\qOiFYoPH.dll
    O4 - HKLM\..\Run: [vogemufopu] Rundll32.exe "C:\WINDOWS\System32\sakabuji.dll",s
    O4 - HKLM\..\Run: [2004813e] rundll32.exe "C:\WINDOWS\System32\mrhkfqey.dll",b
    O4 - HKLM\..\Run: [BM2337b2a2] Rundll32.exe "C:\WINDOWS\System32\oicbovya.dll",s
    O4 - HKUS\S-1-5-20\..\Run: [vogemufopu] Rundll32.exe "C:\WINDOWS\System32\sakabuji.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: C:\WINDOWS\System32\nipavuyo.dll
    O20 - Winlogon Notify: qOiFYoPH - C:\WINDOWS\SYSTEM32\qOiFYoPH.dll
    ------------------------------------------------------------------------------------------
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + 2004813e c:\windows\system32\qqakpicx.dll
    + BM2337b2a2 c:\windows\system32\oicbovya.dll
    + vogemufopu c:\windows\system32\sakabuji.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    + qoifyoph.dll c:\windows\system32\qoifyoph.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    + {190c4d98-e1c7-42d7-be74-86233ab50401} c:\windows\system32\yoxcbh.dll
    + {4824CC50-B14C-4A9B-B1E3-43833714D7B3} c:\windows\system32\wvulljif.dll
    + {A35FAAD5-C33C-4367-8F5F-26FECE8FEA48} c:\windows\system32\nwvvloyd.dll
    + {A9C85C2B-B1D2-4B29-9BC9-21AE6764A59E} c:\windows\system32\lewuseze.dll
    + {DB80FF64-932A-4C4B-A502-66D1F2E9B0BE} c:\windows\system32\qoifyoph.dll

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
    + C:\WINDOWS\System32\nipavuyo.dll c:\windows\system32\nipavuyo.dll

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    + qOiFYoPH c:\windows\system32\qoifyoph.dll

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
    + C:\WINDOWS\System32\wvUlljiF c:\windows\system32\wvulljif.dll

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
    + C:\WINDOWS\System32\nipavuyo.dll c:\windows\system32\nipavuyo.dll

    Many of those parts can regenerate or redownload what a scanner might find, so it's all or none in most cases.
     
  10. nosirrah (Malware Fighter)
    Almost forgot: Vundo exploits any scanner that has a long scan time and lacks scan file-create hooks, as well as the way the scanner reboots the system. If you don't reboot the right way, Vundo can make new files and new load points. If you look at HJT logs you can see multiple cases where Vundo is detected and removed but is still there on reboot, with new file names. All of these cases involve one or both of the exploits I mentioned above. The speed of MBAM's quick scan and the way it removes malware bypass these Vundo tricks.
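    The two posts above describe an infection whose files are referenced from several autostart locations, some of them outside the user's desktop session, and whose Run entries come back under a new file name. The script below is an added example for this thread, not code from the posts and not Malwarebytes' code: it parses the HJT and Autoruns excerpt nosirrah pasted (copied verbatim as its sample input, with the blank lines and the separator dropped), groups every DLL by the locations that reference it, and reports which DLLs have more than one load point, which are loaded into winlogon.exe, lsass.exe or every user32 process, and which Run value names point at a different DLL in the two listings. The canonical location names, the hive-keyed "Run (...)" labels and the set of system-process load points are this example's own choices, not terms from the thread. It needs Python 3.8 or later.

```python
"""Group every DLL in a HijackThis/Autoruns log by the autostart locations that reference it.
Added example for this thread (not code from the post, not Malwarebytes' code);
SAMPLE_LOG is nosirrah's excerpt above with blank lines and the separator dropped."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: {f105e3b9-4b0d-e1fa-c894-34a4039d0930} - {0390d930-4a43-498c-af1e-d0b49b3e501f} - C:\WINDOWS\System32\tbtxop.dll
O2 - BHO: (no name) - {4824CC50-B14C-4A9B-B1E3-43833714D7B3} - C:\WINDOWS\System32\wvUlljiF.dll
O2 - BHO: (no name) - {A35FAAD5-C33C-4367-8F5F-26FECE8FEA48} - C:\WINDOWS\System32\nwvvloyd.dll
O2 - BHO: (no name) - {A9C85C2B-B1D2-4B29-9BC9-21AE6764A59E} - C:\WINDOWS\System32\lewuseze.dll
O2 - BHO: (no name) - {DB80FF64-932A-4C4B-A502-66D1F2E9B0BE} - C:\WINDOWS\System32\qOiFYoPH.dll
O4 - HKLM\..\Run: [vogemufopu] Rundll32.exe "C:\WINDOWS\System32\sakabuji.dll",s
O4 - HKLM\..\Run: [2004813e] rundll32.exe "C:\WINDOWS\System32\mrhkfqey.dll",b
O4 - HKLM\..\Run: [BM2337b2a2] Rundll32.exe "C:\WINDOWS\System32\oicbovya.dll",s
O4 - HKUS\S-1-5-20\..\Run: [vogemufopu] Rundll32.exe "C:\WINDOWS\System32\sakabuji.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\System32\nipavuyo.dll
O20 - Winlogon Notify: qOiFYoPH - C:\WINDOWS\SYSTEM32\qOiFYoPH.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 2004813e c:\windows\system32\qqakpicx.dll
+ BM2337b2a2 c:\windows\system32\oicbovya.dll
+ vogemufopu c:\windows\system32\sakabuji.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ qoifyoph.dll c:\windows\system32\qoifyoph.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ {190c4d98-e1c7-42d7-be74-86233ab50401} c:\windows\system32\yoxcbh.dll
+ {4824CC50-B14C-4A9B-B1E3-43833714D7B3} c:\windows\system32\wvulljif.dll
+ {A35FAAD5-C33C-4367-8F5F-26FECE8FEA48} c:\windows\system32\nwvvloyd.dll
+ {A9C85C2B-B1D2-4B29-9BC9-21AE6764A59E} c:\windows\system32\lewuseze.dll
+ {DB80FF64-932A-4C4B-A502-66D1F2E9B0BE} c:\windows\system32\qoifyoph.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ C:\WINDOWS\System32\nipavuyo.dll c:\windows\system32\nipavuyo.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ qOiFYoPH c:\windows\system32\qoifyoph.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ C:\WINDOWS\System32\wvUlljiF c:\windows\system32\wvulljif.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ C:\WINDOWS\System32\nipavuyo.dll c:\windows\system32\nipavuyo.dll
"""
DLL_PATH = re.compile(r'[a-z]:\\[^\s",]+?\.dll', re.IGNORECASE)
HJT_PREFIX = re.compile(r"^O\d+ - ([^:]+):")   # "O4 - HKLM\..\Run: ..." -> "HKLM\..\Run"
HJT_VALUE = re.compile(r"\[([^\]]+)\]")        # "[vogemufopu]" -> "vogemufopu"
# Locations that load the DLL into winlogon.exe, lsass.exe or every process that maps
# user32.dll, i.e. outside the desktop session an on-demand user-mode scanner runs in.
SYSTEM_LOAD_POINTS = {"AppInit_DLLs", "Winlogon Notify",
                      "LSA Authentication Packages", "LSA Notification Packages"}
LOCATION_NAMES = [  # substring of the lowercased label -> canonical location name
    ("bho", "Browser Helper Objects"), ("browser helper", "Browser Helper Objects"),
    ("appinit", "AppInit_DLLs"), ("winlogon", "Winlogon Notify"),
    ("authentication packages", "LSA Authentication Packages"),
    ("notification packages", "LSA Notification Packages"),
    ("shellexecutehooks", "ShellExecuteHooks"),
]


def canonical_location(label):
    """One name per location so HJT prefixes and Autoruns key paths merge."""
    low = label.lower()
    for key, name in LOCATION_NAMES:
        if key in low:
            return name
    if low.endswith("\\run"):  # keep the hive: HKLM and a user hive are separate load points
        hive = label.split("\\..\\")[0] if "\\..\\" in label else label.split("\\")[0]
        return "Run (%s)" % hive
    return label


def parse_log(text):
    """Return ({dll path: set of locations}, {Run value name: set of dlls it pointed at})."""
    load_points, run_values, section = defaultdict(set), defaultdict(set), None
    for line in (raw.strip() for raw in text.splitlines()):
        hjt = HJT_PREFIX.match(line)
        if hjt:                                  # HijackThis line
            location = canonical_location(hjt.group(1).strip())
            name = v.group(1) if (v := HJT_VALUE.search(line)) else None
        elif line.upper().startswith("HK"):      # Autoruns key header
            section = line
            continue
        elif line.startswith("+") and section:   # Autoruns "+ name path" entry under that key
            location, name = canonical_location(section), line.split()[1]
        else:
            continue
        for path in DLL_PATH.findall(line):
            load_points[path.lower()].add(location)
            if name and location.startswith("Run ("):
                run_values[name].add(path.lower())
    return dict(load_points), dict(run_values)


def multi_load_point_dlls(load_points):
    """DLLs referenced from more than one location; clearing one entry leaves the others."""
    return sorted(d for d, locs in load_points.items() if len(locs) > 1)


def system_process_dlls(load_points):
    """DLLs that at least one location loads into winlogon/lsass/every user32 process."""
    return sorted(d for d, locs in load_points.items() if locs & SYSTEM_LOAD_POINTS)


def retargeted_run_values(run_values):
    """Run value names seen pointing at different DLLs: same persistence slot, new file name."""
    return {n: sorted(d) for n, d in run_values.items() if len(d) > 1}
```

    Call parse_log(SAMPLE_LOG) and hand the two results to the three reporting functions. On this log, qoifyoph.dll is referenced from three locations (BHO, ShellExecuteHooks and Winlogon Notify), nipavuyo.dll and wvulljif.dll are each wired into an LSA package list as well as a normal autostart, and the Run value 2004813e points at mrhkfqey.dll in the HJT listing but at qqakpicx.dll in the Autoruns listing, which is what the "still there on reboot but with new file names" behaviour looks like when the two tools are run one after the other.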
     
  11. lodore (Registered Member)
    Hello nosirrah,
    are there any plans for a portable version of Malwarebytes Anti-Malware?
    I help clean systems, and a portable version would be helpful.
     
  12. nosirrah (Malware Fighter)
    Yes, but that will likely be when 2.0 comes out, as the way MBAM will be rewritten will make it far easier to make portable.

    In front of 2.0 are 6 major projects, all of which will make MBAM far better than it is now. Of the 6, 4 of them are for MBAM Pro only and can't be postponed for a portable version.

    Once the team grows, extra projects like this will come at a faster rate, but for now it's malware stomping first and foremost.
     
  13. fcukdat (Registered Member)
    Well, just picking out one of those brands alone to highlight my take on things... the mighty Kaspersky, which I hold in great regard!

    A search of their support forums for "Trojan.Win32.Monderc.gen", which is their generic flag for the Vundo family, yields the following results.
    http://forum.kaspersky.com/index.ph...t_type=topics&highlite=Trojan\.Win32\.Monderc


    In all cases Kaspersky is unable to clean the active Vundo infection that it detects component parts of :ouch:

    So after running AVZ + ComboFix, in most cases the support experts there call for the use of SAS or MBAM, depending on which expert it is ;), to finish off the removal of the Vundo infection :thumb:

    So in a way, of course, most of the AVs have high detection rates, but clean-up rates against some of the more entrenched infections are not as high :blink:
     
  14. nosirrah (Malware Fighter)
    Ade is right on the money when it comes to what we spend our time perfecting: what the AVs are bad at.

    I found this thread at McAfee's forum; it sums the situation up nicely:

    http://forums.mcafeehelp.com/showthread.php?t=222639&highlight=mbam

    Seems SAS gets a nod in that thread as well, as it should, and it ties this thread up nicely.

    Taking a bit more of a look, it seems that McAfee is using MBAM quite often in their forums.
     
  15. bellgamin (Registered Member)
    VERY interesting. Thank you for these details. I learned something from them.

    Your technical expertise is showing through!

    I have the free version of MBAM, & do a weekly on-demand scan with it.

    My real-time security stuff is OnlineArmor-paid & Threatfire-free & Avira-premium. Also, I do all my surfing with Sandboxie. Therefore, I do not feel the need to have MBAM running in real-time.

    Are there any features in the paid version of MBAM (OTHER than a real-time scanner) which are not available in the free version of MBAM? I sincerely hope so, because I want to pay for MBAM, but not if it has no added features to justify my doing so.
     
  16. nosirrah (Malware Fighter)
    Malware IP blocking is in beta (NOT like a hosts file), advanced protection mod is in beta, and we are talking about HIPS and system file backup/check/restore. Early research indicates that IP blocking will have a huge impact on what malware even has any chance at all of getting into an MBAM-protected system.

    Over time more and more features will be added and it will continue to get better. For now, though, blocking of what we can detect is what you get with MBAM Pro.

    At some point we will likely start asking for input on what advanced protection is desired by more advanced users.
     
  17. bellgamin (Registered Member)
    Please take a look at Threatfire's "wizard" for setting user-defined rules. It's good, but only allows accept, or quarantine or kill -- no provision for "block." Also, there is no provision for importing rules developed by others. Even so, it is a very powerful tool.

    Therefore-- Here's my suggestion for an item in MBAM's future "advanced protection" -- That MBAM include a module for making user-defined rules. If MBAM goes this route, I hope its "user rules" module will have the ability to easily import rules developed by others.

    Now THAT's something I would readily pay for!
     
  18. Franklin (Registered Member)
    Article
     
  19. Rmus (Exploit Analyst)
    From the article:

    This is very misleading. It implies that it installs without user action.

    From a link in the article:

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2
    While much attention and accolades are doled out to the various products that remove this rogue application, more attention should be given to the problem of why a user would consent to install it in the first place.

    ---
     
  20. Franklin (Registered Member)
    You tell me why. o_O

    Most of the PC's I clean up have these types of rogue apps installed and when asked why it was installed in the first place the usual answer is "The site I was visiting told me I was infected" or "I kept getting popups telling me I was infected and I needed to download said app to clean up".
     
  21. Rmus (Exploit Analyst)
    People's ignorance.

    I don't use this word in a critical sense, just a statement of fact. People aren't aware of these devious methods. They haven't gotten basic security instruction, which would alert them to these popups.

    Now, we can't wave a magic wand and immediately transform everyone into security-conscious people, but we can help those in our own sphere of influence.

    In another thread, https://www.wilderssecurity.com/showthread.php?p=1296003#post1296003

    I suggested that we can make a collection of screen shots of these window popups and use them to demonstrate to others how these exploits work. This reinforces the policies we should teach, such as not to respond to a popup message saying the computer is infected.

    Screenshots of emails, or websites with links, that trick the user into going to a malicious website:

    http://www.sophos.com/pressoffice/news/articles/2008/08/facebook.html
    OK, but I've found that the visual aid is more helpful to the less technically-knowledgeable person than just giving them a list of "Dont's."


    ----
     
    Last edited: Aug 12, 2008
  22. nosirrah (Malware Fighter)
    Symantec is being misleading; I have seen this rogue (as well as many other rogues of the same family) install on their own. Multiple exploits are installing malware that goes and gets this as well as other rogues of the same family.

    Even the smallest amount of HJT forum research would reveal many hundreds of cases where the victim says things like "AntiVirusXP2008 installed itself on my computer and now I can't remove it".

    VAC (one of the many infections Symantec is not that great at dealing with) will install this rogue without user interaction, and while VAC is 75% of the time installed through a user running a fake codec, there are many exploit-born infections that get VAC as well.

    The info on this rogue Symantec gives is very far from accurate; for example, the "random name" it lists many times is not random at all.
     
  23. Rmus (Exploit Analyst)
    Can you give a URL, or post the code from one of those sites?

    I've looked at every site where the URL has been available and have yet to see one install by remote code execution.

    thanks,


    ----
    rich
     
    Last edited: Aug 12, 2008
  24. Fly (Registered Member)
    Since this thread is monitored by Malwarebytes apparently :) ,
    could the paid-for version with realtime protection coexist with McAfee Virusscan Plus 2008, Counterspy 2.5.1043, Spy Sweeper 5.5.7 on Windows XP ? (all three with realtime protection)
    I wouldn't mind configuring the software, as long as it's not too arcane.
     
  25. HURST (Registered Member)
    I wouldn't give too much credit to such statements. People often don't know what they click or what they download. Or they don't remember that they clicked OK on a popup. A happy clicker or an uneducated person will tell you the install "just happened", but forget the clicks they made to get to it. Or they get confused and think that the "online scan" (see Windows Anti Virus 2009 for example) is part of the installed malware.

    I myself made a mistake a few days ago, and thought a website automatically started a download, but I had forgotten I had Firefox configured to do that :blink:
     