At one facility, I'm doing the exact same thing and the users are more than helpful. They like running it, almost in hope of catching something.
I'm very interested in this tool. I have a serious email problem - I keep getting email from my email address with all sorts of crap from enlargement to sick entertainment advertisements and I can't seem to get rid of it. I use Symantec Corporate 10, CA anti spam, Spy Bot and Adaware and scan every day. I've also downloaded and tried GMER but I don't know how to interpret the report. Will MBAM help me locate this problem?
Alas, mbam and similar will discover the goo in your system, but it can't finger or eliminate the source.
And when it comes to spoofing email addresses, there's little you can do except try to set a mail filter to screen it out and hope for the best.
I'd like to add one more comment if I may. If you are in fact receiving e-mail that has your e-mail addr as the from, you should be able to set up a rule blocking that addr as you aren't too worried about receiving e-mail from yourself.
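An added worked example on the rule suggested above (this is not from the comment or its author): instead of blocking your own address outright, which also drops any mail you genuinely send yourself, keep self-addressed mail only when your own mail server authenticated it. The owner address, the authserv-id of "our" MX and all four sample messages are assumptions constructed for the illustration.

```python
"""Filter for mail that claims to be From the mailbox owner.

Added example, not from the original comment. Self-addressed mail is kept
only when the receiving server's Authentication-Results header (RFC 8601)
reports an SPF or DKIM pass; everything else From our own address is
treated as spoofed. OWNER, TRUSTED_AUTHSERV and the sample messages are
constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

OWNER = "me@example.com"             # assumed mailbox owner
TRUSTED_AUTHSERV = "mx.example.com"  # assumed authserv-id of our own MX


def parse_auth_results(msg):
    """Return {method: result} from Authentication-Results headers written
    by our own MX. Headers carrying any other authserv-id are ignored,
    because a remote sender can forge those."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(hdr).split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != TRUSTED_AUTHSERV:
            continue
        for clause in parts[1:]:
            method, sep, rest = clause.partition("=")
            if sep and rest.strip():
                results[method.strip().lower()] = rest.split()[0].lower()
    return results


def classify(raw):
    """Return 'not-self', 'self-authenticated' or 'self-spoofed'."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if from_addr.lower() != OWNER:
        return "not-self"
    auth = parse_auth_results(msg)
    if auth.get("dkim") == "pass" or auth.get("spf") == "pass":
        return "self-authenticated"
    return "self-spoofed"


# Constructed sample messages (not real traffic).
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=me@example.com; dkim=none
From: me@example.com
To: me@example.com
Subject: constructed sample

body
"""
LEGIT_SELF = """\
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass
From: Me <me@example.com>
To: me@example.com
Subject: constructed sample

body
"""
FORGED_AUTH = """\
Authentication-Results: evil.example.net; dkim=pass
From: me@example.com
To: me@example.com
Subject: constructed sample

body
"""
OTHER = """\
From: friend@example.org
To: me@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("legit self", LEGIT_SELF),
                       ("forged auth header", FORGED_AUTH), ("other", OTHER)]:
        print(f"{label:20s} -> {classify(raw)}")
```

The FORGED_AUTH case is why the authserv-id check matters: a spammer can add their own Authentication-Results header, so only the header stamped by your own MX counts.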
One of my mates got me onto MBAM. It doesn't just do malware, it also finds viruses, and it's one of the very few apps that can get rid of the Vundo virus with just one scan.
Highly recommend it to anyone with Malware problems
I feel the same way. Have you checked out SuperAntiSpyware, perchance?
It is the only tool that I have found that removes this so called Anti Virus 2009. It is great!
I've used MBAM to remove AV2009 from many PCs in the company with no problems... until yesterday. MBAM removed the installation of the program and PC scans clean, yet IE is hijacked and AV2009 has an ActiveX type control emulating the gold IE security bar at the top of web pages, saying that the web page (yahoo at the moment) may be infected and to click to scan PC.
I have not had an opportunity to completely dissect the PC... has anyone else seen this behavior?
I've heard that there's another variant out. Maybe MBAM doesn't have that particular signature.
I recently had to use MBAM to kill AV2009 with the ActiveX control issue. The most recent MBAM update ought to do the job, it worked for me.
Had the exact results with MBAM. I was called in as the next tier on this and had suspected it was because the prior tried an IE upgrade from 6 to 7 to fix it before coming to get me.
Going to rebuild and move on.
The most aggravating part of this is there would be no way this POC would have gotten through our Content filtering. It was sneakernetted in
You probably already have it fixed, but I ran into one of the Vundo variants that installs as a rootkit. If you can get any AV to install it will remove the AV2009 but as soon as you connect to the web outside of a good firewall with malware filtering it will reinstall. NAV has a tool that will supposedly remove the rootkit, but in my case didn't even find it.
Found a specific tool that worked on Grisofts site (AVG).
I installed Avast, did all updates, then scheduled the boot time scan and NO MORE ANTIVIRUS 2009!!!!!!
Great work, mang. Great minds think alike. AVAST! and Boot-time scan = Good combo.
I use MBAM all the time, just before I run my AV. I too recommend MBAM and I'm about to try GMER in conjunction with MBAM just to see how many rootkits I really do have. Great post, always informative and insightful, keep 'em comin'
Jim,
Please let us know what you find out. I'm very interested in which one works and which one doesn't. Also have you tried SuperAntiSpyware? I'm looking at it and another member mentioned that it's pretty good.
but even it has flaws. I would imagine it finds pretty much all user land kits, and many older kernel kits, but not sure how it does on newer kernel kits. Can't hurt though =)
It will reset your hosts file to a default setting fyi, if you use it to "blacklist" sites like the Spybot immunize feature does.
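An added worked example prompted by the hosts-file remark above (it is not from that comment or its author): before letting a cleaner reset the hosts file, it helps to know which entries are your own blocklist and which ones look like tampering. A Spybot-style "immunize" entry points a name at a loopback or null address; an entry that overrides a name you never want overridden (a security vendor's update host, for instance) is a hijack whatever it points at. The sample hosts content and the protected-name list are constructed assumptions.

```python
"""Sort hosts-file entries into the default localhost lines, blocklist
entries (Spybot immunize style), hijacks of names that should never be
overridden, other redirects, and malformed lines.

Added example, not from the original comment. PROTECTED_NAMES and
SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Assumed: names a hosts file on this machine should never override.
# Pointing them at a remote host (redirect) or at 127.0.0.1 (to block
# updates) is flagged as a hijack either way.
PROTECTED_NAMES = {"www.malwarebytes.org", "update.symantec.com"}


def classify_hosts(text):
    """Return [(lineno, kind, name_or_raw_line), ...] for every entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        if ip is None or len(fields) < 2:
            findings.append((lineno, "malformed", raw.strip()))
            continue
        for name in fields[1:]:                  # one line may list several names
            lname = name.lower()
            if lname in PROTECTED_NAMES:
                kind = "hijack"
            elif lname == "localhost":
                kind = "default"
            elif ip.is_loopback or ip.is_unspecified:
                kind = "blocklist"               # 127.x, ::1, 0.0.0.0, ::
            else:
                kind = "redirect"
            findings.append((lineno, kind, lname))
    return findings


def summarize(findings):
    """Count findings per kind."""
    return Counter(kind for _, kind, _ in findings)


# Constructed sample hosts file (not taken from a real machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example          # Spybot-style immunize entry
0.0.0.0         www.badsite.example
203.0.113.45    www.malwarebytes.org         # vendor name sent to a remote host
127.0.0.1       update.symantec.com          # vendor name blackholed
192.0.2.10      intranet.example             # admin-added redirect
notanip         broken.example
"""

if __name__ == "__main__":
    results = classify_hosts(SAMPLE_HOSTS)
    for lineno, kind, what in results:
        print(f"line {lineno:2d}  {kind:9s}  {what}")
    print(dict(summarize(results)))
```

On a real machine, read the file from %SystemRoot%\System32\drivers\etc\hosts and extend PROTECTED_NAMES with the update hosts of whatever AV the site runs; anything reported as "hijack" deserves a look before you let a tool overwrite the file.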
TR seems to give GMER quite a bit of press but how do we know it is safe? Could it be planting rootkits in the name of removing them. The site is vague and an email to the author has not been returned. I need a little more comfort with the author and motives of my malware / rootkit removers before deciding to include them as part of my arsenal.
I have been using it for quite awhile and it's been recommended by experts such as Dr. Jose Nazario. He was the expert that answered questions in this article:
http://blogs.techrepublic.com.com/10things/?p=448
Also, your point is one of my concerns and I just completed an article mentioning the methods that I use:
http://blogs.techrepublic.com.com/networking/?p=801
I'll also try and get more information for you about GMER.
is icesword. It's by a Chinese coder, and has a lot of versatility, though nothing is automated. The question, once again, is can it be trusted. Also, the English translation is only on the main program and not the helper service, which would be nice.
I have heard mixed reviews about it. Have you used it? How do you like it? JCitizen and I have talked about it before. I still haven't tried it yet.
Yeah, I have used icesword. Not sure I trust it yet though. I need to use it more before I pass judgment. Though on several computers it has caused a hard lock. Both were infected, so it could have been a reaction to icesword and the trojan?
ATM I would have to say it has potential, but it's flaky in conjunction with some infections and/or hardware. The English translation leaves a lot to be desired, and so far there is no translation for the helper program, which looks to be a large slice of the meat of the program.
Concern me as to which ones to trust and which could be bad stuff.
I, too like MBAM. I have recently used it on several machines for a client and he now says that profiles for a couple of users have disappeared. Windows server 2003. Anyone seen this?
P.S. to jimdrvr99. How long have you lived in Smithers?
Could you get more details? Does the log still exist?
From what I've pieced together, when the profile tried to load a removed trojan it stopped right there and login would not continue. I have since re-imaged the machine and created a new user account and all is well.
Thanks.
We've been using MBAM for a while now as an after the fact scanner, and I've tested the realtime protection recently as well. I'm extremely impressed with the lack of overhead the program needs; all other realtime scanners caused my workstation to slow down to an intolerable level, particularly because I also require an additional corporate-level anti-virus scanner to be running as well. Right now, I have Symantec EndPoint Protection (without the firewall option installed) and MBAM realtime protection running, and my system is running perfectly, no performance hit.
Thanks, Cindy
Knowing that Symantec EndPoint (I assume ver 11) is compatible with MBAM is a piece of information I sure can use.
Right on Target!!!
In the past few months, I have had to address many Rogueware infections (AV2008-9, AntiSpyware 2008-9, System Security, etc). Some of these infections were only a day or two old, and some had been on the computer for weeks. In some cases, the user had unsuspectingly purchased the software because their messages look so "official".
While researching solutions, I found Malwarebytes. MBAM has helped me clean every one of the infections!!!
The only problem I had was that some of the Malware infections block the installation and execution of MBAM. To fix this problem, I only had to rename the installation package before installing and then rename the MBAM.exe file before execution (I'm partial to Fred.exe).
Fight the good fight!
I always keep that in the back of my mind as well. It's tough when a malware scanner gets popular. Have you tried SuperAntiSpyware?
HijackThis!, Combofix, SpyBot installer, and SDfix can all be renamed to run successfully. In some cases you need to rename the .exe as well (Spybot for example).
Issue I've had with renaming the MBAM executable is if it needs to scan and clean after a reboot. I've had it fail because it was still looking for MBAM.exe, not "Fred.exe"
I just had an Ahh Dah moment as I think you just explained why I was having an issue a while ago.
but I just can't resist! I believe you are supposed to rename it to standard after you finish installing it.
Most malware only try to obfuscate the installation not the final execution for scanning.
At what point do you feel that all the malware is gone? Is it even possible to determine or quantify that?
You can never be sure you got it all, and, given the lack of proper training for most users, it's almost sure to come back if you do kill the current infestation. Worse than fire ants.
online scans when I think that I am close to removing everything and after I have run GMer. That is the decider for me and sometimes something will get picked up. When the online scans are finished I concentrate on the Antivirus that was installed and either reinstall or fix it or install an Antivirus that is more robust. I deal in the private sector mainly these days.
Spybot has been improved and the best way to run it is from a USB stick in Safe Mode. That is what I normally start with after a HijackThis scan. While Spybot is running I will research the HJT log file to see what I am up against. You can't always do this at a clients house so you have to improvise.
Official Hijack This Tutorial: http://forums.majorgeeks.com/showthread.php?t=38752
If there is a simple fix I will follow the removal instructions. Lately I have been running MalwareBytes anyway as it seems to pick up on most of the crap. So far I have been lucky, HJT, Spybot, MalwareBytes, and now GMer with a couple of online scans have seen me through.
So to answer your question when I have exhausted my artillery and the online scans are clean I tell the client that it is under control at the moment. I haven't had any recurrences of abnormal behaviour as yet. Touch wood.
My perspective is similar to the both of yours. I'm on a quest to try and quantify when enough is enough. I shudder when thinking about how much time and money is being spent in this nonproductive yet vital pursuit.
Thanks for the HiJackThis tutorial. I really like HiJackThis, but I don't use it enough to know exactly what I'm looking at when reading the results.
to a text file for quick retrieval. It took me six hours to remove Vundo a couple of years ago. It would have been a lot quicker if the System hadn't been so sick and it was also an onsite business System. The client wasn't overly concerned about the cost it was the Data that he was concerned with.
But it still does take a lot of time to determine what the infection is and then plan your removal strategy. That is not including the time it takes to update your AV removal tools as they will require updating before you get onsite. Setting up your Notebook for internet access at the clients premises can be fun sometimes as well.
It is a lot quicker if the infected System is able to be brought into my workshop.
That's why if and when I lose my company Sprint data card, I'll more than likely buy my own. Having 3G Internet anywhere really spoils you. At least it's a tax write-off so far.
1. First is the discovery and attempted removal.
2. If removal is perceived as successful; scan again.
3. If discovered threat is serious; un-hide all file attributes and turn off system restore.(backup first of course)
4. Update and reboot to scan in safemode. Using ALL available utilities that can scan in safemode. Most of the best work in safemode, but not all.
5. Reboot and do a complete clean with every tool in CCleaner! Registry too. Then reboot again.
6. Then I do a GMER scan, and if I were to find something, even if I remove it; all bets are off - I recommend nuking it and using lowlevel formatting when I suspect hidden kernel rootkits. I always use the manufacturers utilities for the make of the hard drive to get the geometry right. Then I don't let Windows change it on reinstall.
I have paid for 1st tier support to check my results on this and NO - I repeat NO ONE has ever found an infection afterward.
This has a great cost as you can imagine, but it gives me great satisfaction my methods are not madness!
A good outbound IDS firewall will show infections before the AV/AS has a chance to update the definition. This is why I use an extreme blended defense. Very little system resources are used, despite most of them being freebees.
Symantec and other experts use simple file structure searches in a preliminary look for undefined malware; VRQ is used next by Norton workers; others may use HijackThis by Trend Micro, or even MS sysinternals process explorer.
Most clients don't want to pay to do a nuke and reinstall. I always apprise them of the dangers. I have machines that have NEVER been reinstalled despite being honeypot net-mine detectors for years. My old DELL is still running since 2004 with no hiccups.
I've never seen evidence my personal ID or various other important factors have been breached. The fact is when you already have a deep defenses on the PC, the malware can never get a good foothold on your data. So even if a remnant is left, it will get picked up by the next A-squared update or Superantispyware, or even a good CCleaner file and registry cleaning!
I have enough confidence that I alone can take the risk; but I always recommend nuking the hard drive for my clients - however I give them the whole cost analysis too - for comparison.
Afterward never forget to re-hide the files and turn system restore back on!!!
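An added worked example for step 3 and the "simple file structure search" mentioned in the post above (this is not the poster's tooling, nor Symantec's): once file attributes are un-hidden, a first pass is just listing executable files that carry the hidden/system attribute bits or were written after the date the infection is suspected to have started. The `collect()` helper reads real attributes from `os.stat().st_file_attributes` on Windows (elsewhere a leading dot is treated as hidden); the records in SAMPLE, including the random-looking DLL name and the timestamps, are constructed for the demonstration.

```python
"""Preliminary file-structure triage: executable files that are hidden or
system-flagged, or modified since a suspected infection time.

Added example, not from the original post. FILE_ATTRIBUTE_* values are the
Win32 bits; the SAMPLE entries and T0 are constructed for illustration.
"""
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}


@dataclass
class Entry:
    path: str
    attrs: int      # Win32 attribute bits
    mtime: float    # last-modified time (epoch seconds)


def collect(root):
    """Walk a directory tree and build Entry records from the filesystem.
    On Windows os.stat() exposes st_file_attributes; on other systems a
    leading dot is the only hidden-file convention available."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.stat(p)
            except OSError:
                continue
            attrs = getattr(st, "st_file_attributes", 0)
            if f.startswith("."):
                attrs |= FILE_ATTRIBUTE_HIDDEN
            out.append(Entry(p, attrs, st.st_mtime))
    return out


def triage(entries, since):
    """Return [(path, [reasons...])] for executable files worth a look.
    Reasons: 'hidden', 'system', 'recent' (mtime >= since)."""
    suspects = []
    for e in entries:
        name = e.path.replace("\\", "/").rsplit("/", 1)[-1]
        if os.path.splitext(name)[1].lower() not in EXEC_EXT:
            continue
        reasons = []
        if e.attrs & FILE_ATTRIBUTE_HIDDEN:
            reasons.append("hidden")
        if e.attrs & FILE_ATTRIBUTE_SYSTEM:
            reasons.append("system")
        if e.mtime >= since:
            reasons.append("recent")
        if reasons:
            suspects.append((e.path, reasons))
    return suspects


# Constructed records: the time the infection is suspected to have started,
# one ordinary system DLL, one hidden+system DLL dropped afterwards, a
# fresh installer in Temp, and two non-executables that are skipped.
T0 = 1_230_000_000
SAMPLE = [
    Entry(r"C:\Windows\system32\kernel32.dll", 0, T0 - 100 * 86400),
    Entry(r"C:\Windows\system32\khfgdsa.dll",
          FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, T0 + 3600),
    Entry(r"C:\Documents and Settings\user\Local Settings\Temp\setup.exe", 0, T0 + 7200),
    Entry(r"C:\Windows\system32\drivers\etc\hosts", FILE_ATTRIBUTE_HIDDEN, T0 + 10),
    Entry(r"C:\Program Files\notes.txt", 0, T0 + 10),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE, T0):
        print(f"{', '.join(reasons):22s} {path}")
```

Against a live machine you would run `triage(collect(r"C:\Windows\system32"), since)` with `since` set from the first reported symptom; the list is a starting point for HijackThis or GMER, not a verdict, since legitimate updates also produce recently written files.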
Yes, I am using MBAM right now on an AV09 infection. Seems to be a good addition to any toolkit
I'll have to take your word on that, it doesn't run on my systems since they don't have Windows on them.
edit to add:
by my definition, it fails to qualify for best, since it only runs on one os.
So you have an ongoing break fix client. They have the security software you recommend (Trend in my case). Even keep windows patched...
but they get vundo. And they have to call you and get a bill for you to clean the machine.
what do you tell them to
a) help them avoid the problem in the future
b) justify the time / money they spent having you install security software and keep the machine patched
c) help them (and me at least) understand that if there's soooo many tools out there to defend from Vundo (and others), why can't we keep it off the machine to start with?
And yeah, I love MalwareBytes and Superspyware even more... do you pay them for real time protection? On top of something like Trend? instead of?
thanks!
I only have one client silly enough to use windows.
he likes avg, and never gets infected with it running.
we have Symantec Endpoint Protection -- so we get hit with plenty -- lol
whether it's Antivirus 09 or Vundo, doesn't matter, they all get a pass with Symantec