5 replies to this topic

[cjard]

I ask because I had a load of trouble with one PC, installed MBAM on it, ran a full scan, cleared everything off that it found.. But it still behaves strangely. If I open IE, go to any webpage (e.g. google) and check the links, they show correctly in the status bar but clicking on them causes the browser to end up directing off to some ad site.. I see it try to load the real link.. then it redirects off to ebay, or some ad site..

So I ran another MBAM scan and didnt find anything. Installed Hitman Pro, and after half an hour it reported 261 files infected with a variety of viruses. I took a couple of the files and uploaded them to Kaspersky and was told that they were infected with viruses. I failed to get Bitdefender or Trendmicro housecall to install.. Both installers complained "use of this program requires an active internet connection" - so something is still definitely awry

Did I misunderstand MBAM's purpose? I've been recommending it to friends as a good antivirus and antimalware solution but my confidence in it has been somewhat shaken now :/

[daledoc1]

Hello and welcome, cjard:

NO, MBAM is an excellent security program, but it is NOT an antivirus.
Nor is it intended to replace one.
Rather, it is designed to provide layered, complementary protection alongside a standard, robust AV.


HTH,

daledoc1

[David H. Lipman]

cjard, on 20 October 2011 - 06:26 AM, said:

So I ran another MBAM scan and didnt find anything. Installed Hitman Pro, and after half an hour it reported 261 files infected with a variety of viruses. I took a couple of the files and uploaded them to Kaspersky and was told that they were infected with viruses. I failed to get Bitdefender or Trendmicro housecall to install.. Both installers complained "use of this program requires an active internet connection" - so something is still definitely awry

Did I misunderstand MBAM's purpose? I've been recommending it to friends as a good antivirus and antimalware solution but my confidence in it has been somewhat shaken now :/

A lot of misunderstanding stems from not knowing what comprises the many flavours of malware.

It is a common misperception that all malware are viruses. The overarching concept is called malware, not viruses. Viruses are but one subset of malware. A decade or so ago there were a lot more viruses. Today the preponderance of malware are in the form of trojans. There is a major distinction between what comprises a computer virus. That distinction is self replication. That is the ability of the malware to spread to other files and or systems by its own means. Trojans on the other hand can not self replicate and need external assistance for them to spread.

Another misperception is that cookies are malware. Not, not really. Sometimes they might have a malicious intent but they are not malware but "some" anti malware applications identify and remove cookies. There may be numerous cookies and thus a high detection count.

As daledoc1 indicated, MBAM is a complementary anti malware solution to a fully installed anti virus application.

MBAM doesn't target self replicating malware viruses (albeit on occasion it may remove a dropper known to initiate a viral infection). MBAM doesn't target malicious scripts like HTML, .JS (JavaScript), .VBS, etc. This is what a traditional anti virus application targets. However, traditional anti virus applications don't handle modifications Today's malware makes to the OS' Registry very well.

MBAM targets computer executable types of files such as .EXE, .DLL, .CPL and .SYS types as well as modifications Today's malware makes to the OS' Registry and to the OS itself and in that arena, MBAM outshines its sister applications in the anti malware industry.

So when you reported "...it reported 261 files infected with a variety of viruses..." I know that those 261 files weren't viruses as you stated "variety". If it was truly a virus then chances would be the 261 infected files of the SAME virus. This also bodes true for your submissions to Kaspersky.

To really KNOW what's going on we have to know what those 261 files were and what the other anti malware vendors called the malware. Each vendor will assign a name to to a given piece of malware or malware family and its variants. Each company has its own naming convention. This naming convention has extremely loose adoption throughout the anti malware industry so a malware detected by multiple anti malware vendors will often have a different malware name assigned to it.

For example; "Trojan.Win32.Heur.Gen"

We can break down that name into sub-classifications for what this malware was identified as.
"Trojan" - the file is a trojan, not a virus.
"Win32" - It generally affects 32bit operating systems (albeit it may affect 64bit operating systems as well)
"Heur" - This file was identified using Heuristics. Which kind of is like the saying "If it walks like a duck, squacks like a duck, then it must be a duck".
"Gen" - This a a general or generalized detection meaning a non-specific malware family association

Now contrast that with the following example of a name from a different vendor...
"Win64/Sirefef.A"
"Win64" - this malware affects a 64bit OS but not a 32bit OS
"Sirefef" - This malware is found using specific signatures and is in the family called "Sirefef"
"A" - This is the "A" variation of the "Sirefef" in contrast to what other variants may be like "Sirefef.B" and "Sirefef.C".

What does this all boil down to ?
Of those 261 files...
were any script files like .JS, .VBS and HTML ?
were any cookies ?
were any REALLY viruses ?

Hopefully I have enlightened you at least a little and not confused you even more with my information. It is intended to show you that MBAM has a niche and it its niche it it performs it intended function very well and for you to not lose confidence in MBAM until all the facts are carefully examined.

[cjard]

Hi Guys

Thanks for the info..

Yes indeed, the majority of file complaints from hitman pro are exe or dll and the ones I checked with Kaspersky were reported as virus infected.. I didn't make close note of the names and the avast! software has fairly well locked the machine down now - it's already deleted one of my web browsers (SeaMonkey) and it prevents IE from starting up so not everything on the machine is usable any more
Massively irritatingly is I can see there must be some DLLs that svchost is using that are infected, because the list of services running under this host process, though extensive, isnt anything out of the microsoft ordinary yet TCPView shows that this instance of svchost has hundreds of open TCP connections. Killing the host process makes the machine force reboot itself (the ntauthority shutdown advisory)

One of the names I remembered was Win32.Ramnit.a (or some variation) , I don't remember the others (busy day at work on another laptop). HMP listed most things as virus, some as trojan, and it's picked up a few tracking cookies too..

So, the struggle I now have is that both HMP and avast! are taking the action of deleting all the files on the system that they encounter as infected.. I can't see the avast scan results yet, but it's counted 2800 infected objects so far.. Here's to hoping that most of those aren't EXE/DLLs or it's probably going to be faster to format and reinstall than recover from jsut about every major software item having to be reinstalled

[David H. Lipman]

cjard, on 20 October 2011 - 09:27 AM, said:

Hi Guys

Thanks for the info..

Yes indeed, the majority of file complaints from hitman pro are exe or dll and the ones I checked with Kaspersky were reported as virus infected.. I didn't make close note of the names and the avast! software has fairly well locked the machine down now - it's already deleted one of my web browsers (SeaMonkey) and it prevents IE from starting up so not everything on the machine is usable any more
Massively irritatingly is I can see there must be some DLLs that svchost is using that are infected, because the list of services running under this host process, though extensive, isnt anything out of the microsoft ordinary yet TCPView shows that this instance of svchost has hundreds of open TCP connections. Killing the host process makes the machine force reboot itself (the ntauthority shutdown advisory)

One of the names I remembered was Win32.Ramnit.a (or some variation) , I don't remember the others (busy day at work on another laptop). HMP listed most things as virus, some as trojan, and it's picked up a few tracking cookies too..

So, the struggle I now have is that both HMP and avast! are taking the action of deleting all the files on the system that they encounter as infected.. I can't see the avast scan results yet, but it's counted 2800 infected objects so far.. Here's to hoping that most of those aren't EXE/DLLs or it's probably going to be faster to format and reinstall than recover from jsut about every major software item having to be reinstalled

Win32/Ramnit is a virus and there should be logs with *numereous* hits of Win32/Ramnit infected files.

You will have open a forum helper assisted removal post. There are trained and qualified personnel here may be able to help you.

Good Luck !

[Firefox]

Hello and welcome to Malwarebytes

If you think you are infected, here are the steps needed to get your computer cleaned....
Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

• Option 1 —— Free Expert advice in the Malware Removal Forum
  
• Option 2 —— Paying customer -- Contact Support via email
  
• Option 3 —— Premium, Fee-Based Support

OPTION 1

[indent]As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the
Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

• Please read and follow the directions here, skipping any steps you are unable to complete.
  
• After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification,
  so that you're alerted when someone has replied to your post.
  
  
  [indent]

NOTE: Please do not post back to (bump) your topic within the first 48 hours.
Replying to your own posts changes the post count and helpers are looking for topics with zero replies.
If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

• If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
  Or
  
• You may send a Private Message to a Moderator asking for assistance.[/indent]

[/indent]
OPTION 2

[indent]Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.[/indent]

OPTION 3

[indent]If you would like to use our Malwarebytes Premium Services, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site.


Please be patient, someone will assist you as soon as possible.[/indent]

PS: Please use the "Add Reply" button not the Reply button when you start replying.