Wierd bug in MBAM, or just missed malware?

Hi,

I recently posted that MBAM was IMHO far superior at removing multiple infections in real-world situations as opposed to zoo collections. Since I've been home with the flu and have too much time on my hands, I took a clean computer (XP Pro SP2) with the only resident protection (Anti-Vir) turned off and did some web surfing. I'm not a professional tester by any means. I tried to emulate the browsing behavior of some of my customers.

I got a nifty Waterfall Screen Saver for free (180 Solutions/Mirar), then I watched some cool videos (Zango). Then I noticed my computer was slowing down so I got some prorams that said they could fix it (WinAntispyware and WinFixer 2005). All were freshly downloaded and installed this afternoon. I then installed and updated MBAM Free and ran a full scan.



No malware found! I left 'em running, even! Here's a second scan with SAS Free, minutes later:



The other installed scanners all picked up on at least part of the infection. I really did not expect this at all. MBAM hasn't let me down before today. This is a recent install of XP Pro SP2 that was clean and patched when I started. I had stated that a paid version of MBAM was in my future, but I'm not quite so confident now.

If the developers are looking in, please let me know if there is anything I can do to help you troubleshoot the problem. I did clone the partition before cleanup so the situation shown should be easily repeatable.

 

They probably don't have the exact definitions for it so it can't detect the malware.

 

Must be. The update file is quite small. This is common malware, though. I'm really suprised MBAM missed WinFixer and WinAntiSpyware.

 

Any chance you can post your findings here.
http://www.malwarebytes.org/forums/index.php?showforum=41
I'd be interested in their response.

 

Done. Thanks!

 

How did you get zango to install with a single component , when I install it I get nearly 100 (which we remove) ?

How did you install winfixer (a rogue I have not removed from a client machine for more than 4 years) with only 10 components ?

How did you install an obsolete version of winantispyware with only 2 components ?


Looks like yet again I will be adding rogues that are long dead just to make people happy . This will not protect people from what trojans are currently spamming .

I will install zango and scan , how much do you want to bet their are more than 1 component ?

 

More than likely archived droppers from some time back
winfixer2005....bit of a giveaway

That said this is not fair comparison between the 2 softwares.So nothing should be read into the results.

 

Hi,

perhaps that is exactly the disadvantage being a new comer in AS/AM arena.

Newer AS/AM apparatus seldom contains archived(old timer) definitions ?

When these old timers resurface, new kid got a bite, and suddenly woke up ?

 

I just in the last week helped a friend by cleaning out their computer. It was the most infested that I had messed with. I down loaded SAS and removed over 500 Trojans, Vundo's and assorted spyware. I ran Hijackthis and cleaned out more stuff. I then down loaded Malwarebytes and ran it. It found 96 additional creatures. Now I am not saying which is the best. I really don't know. At the present time I would not give up SAS. But Malwarebytes is looking pretty good. I will run them both.

 

Have him upload the samples.

I clean a lot of infected systems, and to this day I still encounter Winfixer 200x infections. A quick search on bleepingcomputer.com lists a lot of current Winfixer related threads.

If it was installed then SAS is only detecting a fraction of the rogue files & reg entries.

An old infection is not necessarily a dead infection. sbcc is picking these infections up today by downloading free screensavers that are probably being downloaded by millions of other people.

I don't doubt it one bit.

 

While there are numerous rogues that use components of winfixer (or are close enough that string detection detects them as winfixer) the actual winfixer (as in exe called winfixer running from winfixer folder) is quite dead . There is one called winIfixer that is current though .

I cant seem to find a live URL for the old winfixer , will look a bit more .

If someone wants to know what the winfixer clowns are up to they should check out their 2008 software

http://winantispyware2008.com/

This is so new that it does not even have a live download yet . Once it does MBAM will pounce on it as I am sure SAS will do as well .

 

nosirrah wrote: How did you get zango to install with a single component , when I install it I get nearly 100 (which we remove) ?

How did you install winfixer (a rogue I have not removed from a client machine for more than 4 years) with only 10 components ?

How did you install an obsolete version of winantispyware with only 2 components ?

I got all of these infections from their parent websites except WinFixer 2005 which is hosted on Simtel. I found it by Googling. I spent maybe 20 minutes total. I remove WinFixer a few times a year. New customers who either had it floating around or got it the same way I did yesterday.

I Installed all of them using the downloaded installers. It wasn't meant as a test between MBAM and SAS. Actually, Avira and Cure-It respectively found many more components than SAS. Whatever. I see EliteKiller answered this already.

Looks like yet again I will be adding rogues that are long dead just to make people happy . This will not protect people from what trojans are currently spamming .

Don't bother. A couple of defs won't make me happy. You see, people aren't picking up rogues only through spam in my customer base. More often its a teenager trying to fix whatever he/she broke before their parents get mad. Hence the test. A kid doesn't care that it is the 2005 version. It says it is free and it claims to fix it. That's why I keep running into these programs.

I didn't realize the scope of MBAM was meant to be limited. I now understand that it has some usefulness, but only against "current" infections. Regardless of how you slice it though, stuff downloaded yesterday is still current and I will have to remove them from other infected computers.

I will install zango and scan , how much do you want to bet their are more than 1 component ?

Again, my friend, feel free. I later installed Spybot S&D and found more components for each. You are basing your assumptions on two screen shots. If I had run Cure-It next you would have seen different results. I got the answer to my question. Indirectly. For me, MBAM has a useful function but not what I intended it to do.

 

Sorry for the double post.

http://www.malwarebytes.org/forums/index.php?showtopic=4637&st=0&gopid=18407&#entry18407

Let me say it again.

No affiliation with SAS. None. I did not run MBAM first, clean it, then run it again. I did not use modified malware. I did exactly what I said I did. Nothing more or less. It is not a disinfo campaign. I got results I did not believe and posted them looking for answers. That is all.

 

MBAM is designed to remove/prevent current malware that users get infected with today . It has only existed in a form you could buy since early 2008 .

I could add detection for millions of infections that users cant get in the real world and then show a screen shot of us detection them but that is not how we do things .

I see no URLs that would allow anyone to confirm your finding BTW .



OK , let me ask more direct questions , please answer directly .

You show SAS detection 1 component of zango , why ? Did you download their adware installer and install it ?

Did you do a cleanup first ?

Why are the SAS results not expanded so we can see what was detected ?

What is that exactly ?

If its remove everything that was ever malicious , give up the search , that does not exist .

If its remove/block what will attack your computer today then it will do a good job .

Let me ask a favor of you , please install the full zango , remove none of it and then scan and remove with both SA and MBAM . I am willing to bet that neither will leave anything that has the ability to execute . There may be a trace or two but nothing that is actually malicious .

Next go and get the current new rogues directly installing :

http://xpsecuritycenter.com/
http://advancedxpdefender.com/

Test us both again , again I bet we both wipe them out .

 

NOT A COMPETITION BETWEEN YOU AND SAS.

Let that part go, please. I JUST HAPPENED TO RUN IT NEXT. NO ULTERIOR MOTIVE.

I should have run something else next instead of SAS. If I had any idea of the reaction I would have. I didn't expand it because I wasn't worried about it. I was concerned that MBAM did not find the malware.

I have used MBAM to clean very recent infections. It did a great job. You are focusing on this as some sort of "us vs. them" issue. It isn't.

Yes, I directly downloaded Zango. I surfed their site and agreed to the prompts to install their viewer.You chose to make it personal

Sorry, can't duplicate the exact URL's. I did run CCleaner prior to the scans, to reduce scanning time. Maybe that affected the results? Are there temp files that MBAM needs to see to detect the malware? If so, I better change how I use it. My browsers are set to clear the cache and history anyway. For the umpteenth time, iIt was not intended to be a professional test. I got unexpected results and posted them.

I had intended to install MBAM on infected computers to clean them up. I see that I cannot use it as a broad spectrum cleanup tool. For certain infections it appears to be without equal, such as Vundo layered with other rogues and malware, and on the first pass. Nothing else that I am aware of can do that. You deserve the praise you get. I still intend to use MBAM regularly in that role. I see now that it is useful only for the most current malware.

Based on the statements you made in your own forum, why would I now be inclined to do you a favor? You seem to be intent on exposing me as a shill or saboteur. Why would you believe anything I post? I have learned a valuable lesson, and will not post informal test results again. I will run your proposed tests when convenient, but for my edification only.

Apologies to everyone involved for the waste of time.

 

No need to apologise to anyone. The response to your innocent question has been quite revealing.

 

nosirrah: Are you really getting offended by this or what? A fraud? MBAM are not perfect. Or no program is perfect, but it sounds like you think that MBAM can take any malware. And you say also say you can get all these infections in a update, without any problem - OK, do that then. What's the problem? A lot of people get infected by these malware - not necessary to implent them, because they are old? Yeah right ...

ALSO; if you can't take it that people like SAS over MBAM, then you have nothing to do in this business. Grow up. At least act like a professional.

 

Just read the response at Malwarebytes forum to your question. Quite amazed at the overreaction to what seems on the face of it a perfectly reasonable question from a fellow member.

Previous posts from the OP have been positive with respect to MBAM. In fact many posts on this forum have been positive. I can't see the justification for this.

 

Man this is not going where I wanted it to go .

Look , I work my butt off making MBAM do very well against current malware and yes it does get under my skin when there is (at more than one forum) what looks like info that we do not remove something as easy to remove as Zango and some very old rogues .

The test results do not match at all what you would get if you actually installed these pests both in terms of what we detect and for that matter what SAS would detect .

I think I made it clear that both SAS and MBAM completely own zango and current rogues .

I only asked why there were odd test results and if the OP could retest to see what they could find .

To the best of my knowledge both MBAM and SAS take zango and all current rogues to school .

 

If I was a little too aggressive in the defence of MBAM then I am sorry , she is my baby .

I work way to many hours not to stand up when I see something that makes us look bad and from what I can see seems fishy .

 

Hi, I can sense that. But

You need to nurture your baby properly. Over feeding, expecting him/her to grow one feet a month is virtually impossible,

moreover, you and your baby are new comer in this arena. I have not witnessed any single one and his/her baby can evolve into a big figure overnight/or in very short time. You will not be an exception to this rule of dumbness(not thumb).

Slow cooking often bring about better tasting meal. 15 second deep frying french fries is always tasted as such, lasting only one minutes, nothing more.

Confrontation with your potential clients is a big no no. Giving them your full ears will help you in the long way. After all, you are in the business to assist people and meantime to earn a decent living.

Keep up your excellent work and maintain a good relationship with all(friends and foes). Just my toonie sense.

 

Good advice!

 

I remember that a few years ago SAS as a newcomer here on Wilders was almost beaten to death to an degree that i felt sorry for Nick !

As you can see now where SAS stands,it emerged victorious against all odds.

 

OK, had a little time and rolled back the partition.

Updated defs, scanned again, no detection.

After uninstallling BD 10 Free and using Revo to uninstall MBAM free, I reinstalled a fresh copy. Log:

~Log converted to attachment. - Ron~

236 detections, log prior to cleaning obviously. This was the result I expected initially. Apparently my install was corrupt in some way, or there is a compatibility issue with BD 10. Neither MBAM nor BD10 showed any error messages. Don't know, not going further with it.

It would have been preferable to receive some guidance rather than accusations. It seemed fishy to me, too. I never saw MBAM miss all the malware. That's why I posted in the first place.

 

Now that looks a lot more like what I see on my end and is what SAS will show as well .

Sorry if I was quick to assume that there was some kind of funny business .