Malwarebytes site no longer accepts donations


RayLopez99

They used to have a PayPal button for donations, but they got rid of
it. I was going to throw a small donation their way. They do help
people remove viruses on their forum, though nowadays if you backup
religiously, rather than removing viruses you can simply reinstall
your HD from an earlier HD image.

RL
 

RayLopez99

ray, malwarebytes doesn't attack or delete viruses

Is this one of those academic debates over what is a virus? I guess a
computer virus replicates itself repeatedly inside a PC, unlike a worm
or malware, which is a Singleton?

RL
 

FromTheRafters

RayLopez99 said:
Is this one of those academic debates over what is a virus?

It could be, but I don't think 'sal' was really trying to spark a
debate. I think 'sal' just wanted to point out that MBAM doesn't
properly address the subset of malware known as the "virus". You would
need an antivirus program for that.

I guess a computer virus replicates itself repeatedly
inside a PC, unlike a worm or malware, which is a Singleton?

Partially correct. There are many distinctions being made, and not all
of them are really definitive.

Malware is the umbrella term for all malicious software. Contrary to
what most if not all malware experts will tell you, the "virus" is not
necessarily malicious, so viruses are not truly a subset of malware (the
same can be said of spyware and adware).

One good distinction exists between the replicating malware (worm or
virus) and the trojan. Replicating malware can self-distribute itself
where the trojan needs to be distributed by another entity.
 

David H. Lipman

FromTheRafters said:
It does detect *some* viruses.

Yes. However it can't "disinfect" a file that has code injected into it and it won't do
anything about boot sector infectors like "NYB". It can only delete an infected file.
Therefore it may only detect virus droppers: files specifically intended to start a viral
infection.
 

ASCII

FromTheRafters said:
One good distinction exists between the replicating malware (worm or
virus) and the trojan. Replicating malware can self-distribute itself
where the trojan needs to be distributed by another entity.

As 'trojan' is a vector of distribution, it doesn't need anything.
Maybe if you mung the terminology often enough
some newbie will adopt it as if it had some relevance.
Just look at the (for the most part successful) campaign the distilled spirits
cartel waged to try and separate drugs from alcohol (a drug).
 

RayLopez99

RayLopez99 wrote:
Malware is the umbrella term for all malicious software. Contrary to
what most if not all malware experts will tell you, the "virus" is not
necessarily malicious, so viruses are not truly a subset of malware (the
same can be said of spyware and adware).

One good distinction exists between the replicating malware (worm or
virus) and the trojan. Replicating malware can self-distribute itself
where the trojan needs to be distributed by another entity.

I see. Since you seem to be knowledgeable in this field, I'd say as
knowledgeable as David H. Lipman but you have not yet killfiled me, as
perhaps he has, I ask you Mr. Rafters: what if I have MBAM (that's
the acronym for the Malwarebytes offering) installed, the free
version, then it removes one of those scareware trojan/ viruses (the
ones that falsely say you have been infected and look like Microsoft
Security Essentials (MSE)), but then later, when I run a Linux-based
standalone Kaspersky "rescue CD" it finds traces of the scareware
trojan? Does that mean MBAM has failed? Seems that way to me. But it
did detect and remove in real-time the threat it seems (or neutralized
it, since it went away, and it had even changed the background color
of my desktop) but then on a complete rescue CD scan (which took the
better part of the day) Kaspersky found traces of Java files that had
the very same scareware. I'll try again another complete scan
tomorrow to make sure this scareware is not something that somehow
mutates and stays undeletable ("replicating malware" to use your
phrase). BTW MSE failed to detect the scareware on a complete system
scan: bad for Microsoft.

Also your opinion on this "standalone" rescue CD* offering below,
which for $10 seems fine and it runs Windows Pre-Installation rather
than Linux as the base OS, which seems to me to get "closer to your
machine" if you are running Windows 7 as I am. I get the same free
from Kaspersky but I like a belt-and-suspenders approach to malware
detection and removal. BTW if I find that there's still malware
tomorrow, I will just bite the bullet and install a previous HD image
file from last week when I think my system was clean.

Thank you.

RL

* http://www.pcmag.com/article2/0,2817,2384916,00.asp#fbid=myAt2e7FxiR
 

FromTheRafters

ASCII said:
As 'trojan' is a vector of distribution, it doesn't need anything.

A trojan is not a vector of distribution. Viruses use the same vector
that trojans do, they usually present themselves in exactly the same
way. The difference is that they replicate and place their replicant
where it results in yet another trojanized program. If a trojan
replicates recursively in this manner it is termed a virus or worm
instead. The term trojan remains for non-replicating malware.
Maybe if you mung the terminology often enough
some newbie will adopt it as if it had some relevance.
Just look at the (for the most part successful) campaign the distilled spirits
cartel waged to try and separate drugs from alcohol (a drug).

I hear what you're saying, but that's not what's happening here. There
is much misunderstanding around as is demonstrated by your comment. A
vector is a path, a trojan is not a path. Sure, trojans usually are seen
to take a certain path, but that does not make that path a "trojan
vector" exclusively.
 

FromTheRafters

RayLopez99 said:
I see. Since you seem to be knowledgeable in this field, I'd say as
knowledgeable as David H. Lipman but you have not yet killfiled me, as
perhaps he has,

I'd say he is more knowledgeable than I am about malware. I don't think
he has killfiled you, he probably just ignores you the old fashioned
way. :blush:)

I ask you Mr. Rafters: what if I have MBAM (that's
the acronym for the Malwarebytes offering) installed, the free
version, then it removes one of those scareware trojan/ viruses (the
ones that falsely say you have been infected and look like Microsoft
Security Essentials (MSE)), but then later, when I run a Linux-based
standalone Kaspersky "rescue CD" it finds traces of the scareware
trojan? Does that mean MBAM has failed?

It might be that MBAM is more concerned with stopping the malware from
working than it is to remove all remnants. You would have to ask them
about that. Kaspersky OTOH is concerned with reversing modifications to
files as a result of an infestation or viral infection.

Seems that way to me. But it
did detect and remove in real-time the threat it seems (or neutralized
it, since it went away, and it had even changed the background color
of my desktop) but then on a complete rescue CD scan (which took the
better part of the day) Kaspersky found traces of Java files that had
the very same scareware. I'll try again another complete scan
tomorrow to make sure this scareware is not something that somehow
mutates and stays undeletable ("replicating malware" to use your
phrase).

Replication should not be confused with persistence although they can be
related.
BTW MSE failed to detect the scareware on a complete system
scan: bad for Microsoft.

It evidently has no problem detecting and dealing with Chrome though. :blush:)
Also your opinion on this "standalone" rescue CD* offering below,
which for $10 seems fine and it runs Windows Pre-Installation rather
than Linux as the base OS, which seems to me to get "closer to your
machine" if you are running Windows 7 as I am.

Yeah, I noticed that not all rescue CD offerings were Linux based. It
makes me wonder though how Windows PE deals with reserved words and
illegal characters in paths and filenames.
I get the same free from Kaspersky but I like a belt-and-suspenders approach to malware detection and removal.

Good idea, if one doesn't work, perhaps the other will.

[...]
 

ASCII

FromTheRafters said:
A trojan is not a vector of distribution. Viruses use the same vector
that trojans do, they usually present themselves in exactly the same
way. The difference is that they replicate and place their replicant
where it results in yet another trojanized program. If a trojan
replicates recursively in this manner it is termed a virus or worm
instead. The term trojan remains for non-replicating malware.


I hear what you're saying, but that's not what's happening here. There
is much misunderstanding around as is demonstrated by your comment. A
vector is a path, a trojan is not a path. Sure, trojans usually are seen
to take a certain path, but that does not make that path a "trojan
vector" exclusively.

To me it seems you're confusing the vessel (trojan)
with the load (malware or other)
Maybe I should have said 'carrier' instead of 'vector'?
Hey, call anything whatever you like,
I'm just too caught up in the past.
 

David H. Lipman

FromTheRafters said:
RayLopez99 said:
I see. Since you seem to be knowledgeable in this field, I'd say as
knowledgeable as David H. Lipman but you have not yet killfiled me, as
perhaps he has,

I'd say he is more knowledgeable than I am about malware. I don't think he has killfiled
you, he probably just ignores you the old fashioned way. :blush:)

I ask you Mr. Rafters: what if I have MBAM (that's
the acronym for the Malwarebytes offering) installed, the free
version, then it removes one of those scareware trojan/ viruses (the
ones that falsely say you have been infected and look like Microsoft
Security Essentials (MSE)), but then later, when I run a Linux-based
standalone Kaspersky "rescue CD" it finds traces of the scareware
trojan? Does that mean MBAM has failed?

It might be that MBAM is more concerned with stopping the malware from working than it
is to remove all remnants. You would have to ask them about that. Kaspersky OTOH is
concerned with reversing modifications to files as a result of an infestation or viral
infection.

Seems that way to me. But it
did detect and remove in real-time the threat it seems (or neutralized
it, since it went away, and it had even changed the background color
of my desktop) but then on a complete rescue CD scan (which took the
better part of the day) Kaspersky found traces of Java files that had
the very same scareware. I'll try again another complete scan
tomorrow to make sure this scareware is not something that somehow
mutates and stays undeletable ("replicating malware" to use your
phrase).

Replication should not be confused with persistence although they can be related.
BTW MSE failed to detect the scareware on a complete system
scan: bad for Microsoft.

It evidently has no problem detecting and dealing with Chrome though. :blush:)
Also your opinion on this "standalone" rescue CD* offering below,
which for $10 seems fine and it runs Windows Pre-Installation rather
than Linux as the base OS, which seems to me to get "closer to your
machine" if you are running Windows 7 as I am.

Yeah, I noticed that not all rescue CD offerings were Linux based. It makes me wonder
though how Windows PE deals with reserved words and illegal characters in paths and
filenames.
I get the same free from Kaspersky but I like a belt-and-suspenders approach to
malware detection and removal.

Good idea, if one doesn't work, perhaps the other will.

[...]
I see you replied to RL.

It all depends upon what those "remnants" are.

If the malicious binaries have been removed but a Registry or Path location remains, they
may be considered a remnant of the original infection but by themselves, are not a
problem.

There is also the possibility of a remnant file but the loading methodology has been
removed such as a HKLM / HKCU Run for a DLL or EXE. The Registry entry was removed but
the file wasn't. Now the file is orphaned and without it loading it is a remnant and not
part of an active infection.
 

ASCII

David said:
There is also the possibility of a remnant file but the loading methodology has been
removed such as a HKLM / HKCU Run for a DLL or EXE. The Registry entry was removed but
the file wasn't. Now the file is orphaned and without it loading it is a remnant and not
part of an active infection.

You might get some of those pesky 'file not found'
boxes on startup that you have to click away
 

David H. Lipman

ASCII said:
You might get some of those pesky 'file not found'
boxes on startup that you have to click away

If it is a HKLM / HKCU Run for a malicious.DLL using RUNDLL32 and the malicious.DLL has
been removed, yes.
If the Registry entry was removed but the file wasn't, no.
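Both of David Lipman's remnant cases above can be checked mechanically: the registry-side remnant (a Run value whose target file is gone, which is what produces the 'file not found' box ASCII mentions) and the file-side remnant (a file that no Run value loads any more). The following is an added example, not code from anyone in this thread; it parses Run values including the RUNDLL32 form, checks the loaded file against a constructed view of the disk, and lists flagged files that nothing loads. The sample value names and paths are constructed for illustration, and read_run_values is an assumed helper for reading the real key on a Windows host.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Constructed sample HKCU\...\Run values (not taken from any real host). They imitate the
# shapes described in the thread: a plain EXE, a DLL loaded through RUNDLL32, and an
# entry whose file has since been deleted by a cleaner.
SAMPLE_RUN_VALUES = {
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "SysHelper": r'rundll32.exe "C:\Users\Ray\AppData\Roaming\malicious.dll",Start',
    "MSE-look-alike": r'C:\Users\Ray\AppData\Local\Temp\fakeav.exe',
}
# Constructed view of the disk: malicious.dll is already gone, leftover.dll has no loader.
SAMPLE_FILES_PRESENT = {
    r"C:\Program Files\Vendor\updater.exe",
    r"C:\Users\Ray\AppData\Local\Temp\fakeav.exe",
    r"C:\Users\Ray\AppData\Roaming\leftover.dll",
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted path or bare word


def target_of(cmd: str) -> str:
    """File a Run value actually loads. For RUNDLL32 that is the DLL named in the first
    argument (before the ,EntryPoint), not rundll32.exe, which is a legitimate binary."""
    toks = [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]
    if not toks:
        return ""
    head = toks[0].lower()
    if head.endswith("rundll32.exe") or head.endswith("rundll32"):
        return toks[1].split(",", 1)[0] if len(toks) > 1 else ""
    return toks[0]


@dataclass
class Finding:
    name: str
    target: str
    status: str  # "active" (entry + file), "dead-entry" (entry, file gone), "unparsed"


def classify_run_values(run_values: Dict[str, str],
                        file_exists: Callable[[str], bool]) -> List[Finding]:
    """Registry side: a Run value whose target is missing loads nothing; it only
    produces a 'file not found' box at logon and is a remnant, not an infection."""
    out = []
    for name, cmd in run_values.items():
        target = target_of(cmd)
        if not target:
            out.append(Finding(name, "", "unparsed"))
        else:
            out.append(Finding(name, target, "active" if file_exists(target) else "dead-entry"))
    return out


def orphaned_files(candidates: Iterable[str], run_values: Dict[str, str]) -> List[str]:
    """File side: a flagged file that no Run value loads is orphaned (entry removed,
    file left behind) and is likewise a remnant rather than an active infection."""
    loaded = {target_of(c).lower() for c in run_values.values()}
    return sorted(f for f in candidates if f.lower() not in loaded)


def read_run_values(hive_name: str = "HKCU") -> Dict[str, str]:
    """Assumed helper for a real Windows host: enumerate the Run key via stdlib winreg."""
    import winreg
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values: Dict[str, str] = {}
    with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return values
            values[name] = str(data)
            i += 1


if __name__ == "__main__":
    for f in classify_run_values(SAMPLE_RUN_VALUES, SAMPLE_FILES_PRESENT.__contains__):
        print(f"{f.status:10} {f.name}: {f.target}")
    for path in orphaned_files(SAMPLE_FILES_PRESENT, SAMPLE_RUN_VALUES):
        print(f"orphaned   {path}")
```

On a live host, replace SAMPLE_RUN_VALUES with read_run_values() and the constructed set with os.path.exists; the classification logic is unchanged.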
 

ASCII

David said:
If it is a HKLM / HKCU Run for a malicious.DLL using RUNDLL32 and the malicious.DLL has
been removed, yes.
If the Registry entry was removed but the file wasn't, no.

Correct

Whenever I've gotten such an alert,
I had to crawl the registry to remove the dead value.
 

FromTheRafters

ASCII said:
To me it seems you're confusing the vessel (trojan)
with the load (malware or other)
Maybe I should have said 'carrier' instead of 'vector'?

That works for me, but a trojan is not a carrier of malware - it is the
malware itself. As an analogy, consider a virus (bacteriophage) and a
mosquito. The virus (code) is injected into the bacterial cell and many
copies escape when the host cell ruptures. This is how it "spreads" to
new cells. It then gets "distributed" to new creatures using the
mosquito vector.

The mosquito is the carrier from host organism to host organism, but the
phage is the (code) carrier from host cell to host cell.

Whether it can replicate or not, it is still presented as a normal cell
to the host organism - which gets more than it bargained for. This 'more
than it bargained for' is the essence of 'trojan' in that a trojan does
something 'other than or in addition to' what is expected, and that
'thing' that it does is or would be unwanted if the host had known about
it beforehand.
Hey, call anything whatever you like,
I'm just too caught up in the past.

Well, I usually have a reason for calling things what I do. If it flies
in the face of what is generally accepted, I am happy to explain my
reasoning. Anyone can feel free to believe differently if they so
desire; I just took your comment as a query for more information instead
of just a dig at me. :blush:)
 

FromTheRafters

ASCII said:
I'd say blatant trickery could be called a vector,
or at least an enabler.

....or a method.

If someone uses a software vulnerability exploit and replaces "ntldr"
with some "ntldr+keylogger+something.else" trojan, it is still a *trojan
even though you never even got the chance to be fooled by it. It *still*
does something 'in addition to or instead of' what is wanted.

I guess it is more about the Greek soldiers inside the horse these days
than it is about the way it is presented as a gift to the city of Troy.

*Unless it replicates, in which case it is either a worm or a virus.
 

FromTheRafters

David said:
FromTheRafters said:
RayLopez99 said:
RayLopez99 wrote:

ray, malwarebytes doesnt attack or delete viruses

Is this one of those academic debates over what is a virus?

Malware is the umbrella term for all malicious software. Contrary to
what most if not all malware experts will tell you, the "virus" is not
necessarily malicious, so viruses are not truly a subset of malware (the
same can be said of spyware and adware).

One good distinction exists between the replicating malware (worm or
virus) and the trojan. Replicating malware can self-distribute itself
where the trojan needs to be distributed by another entity.

I see. Since you seem to be knowledgeable in this field, I'd say as
knowledgeable as David H. Lipman but you have not yet killfiled me, as
perhaps he has,

I'd say he is more knowledgeable than I am about malware. I don't think he has killfiled
you, he probably just ignores you the old fashioned way. :blush:)

I ask you Mr. Rafters: what if I have MBAM (that's
the acronym for the Malwarebytes offering) installed, the free
version, then it removes one of those scareware trojan/ viruses (the
ones that falsely say you have been infected and look like Microsoft
Security Essentials (MSE)), but then later, when I run a Linux-based
standalone Kaspersky "rescue CD" it finds traces of the scareware
trojan? Does that mean MBAM has failed?

It might be that MBAM is more concerned with stopping the malware from working than it
is to remove all remnants. You would have to ask them about that. Kaspersky OTOH is
concerned with reversing modifications to files as a result of an infestation or viral
infection.

Seems that way to me. But it
did detect and remove in real-time the threat it seems (or neutralized
it, since it went away, and it had even changed the background color
of my desktop) but then on a complete rescue CD scan (which took the
better part of the day) Kaspersky found traces of Java files that had
the very same scareware. I'll try again another complete scan
tomorrow to make sure this scareware is not something that somehow
mutates and stays undeletable ("replicating malware" to use your
phrase).

Replication should not be confused with persistence although they can be related.
BTW MSE failed to detect the scareware on a complete system
scan: bad for Microsoft.

It evidently has no problem detecting and dealing with Chrome though. :blush:)
Also your opinion on this "standalone" rescue CD* offering below,
which for $10 seems fine and it runs Windows Pre-Installation rather
than Linux as the base OS, which seems to me to get "closer to your
machine" if you are running Windows 7 as I am.

Yeah, I noticed that not all rescue CD offerings were Linux based. It makes me wonder
though how Windows PE deals with reserved words and illegal characters in paths and
filenames.
I get the same free from Kaspersky but I like a belt-and-suspenders approach to
malware detection and removal.

Good idea, if one doesn't work, perhaps the other will.

[...]
I see you replied to RL.

Yeah, he hasn't irritated me lately. ;o)
It all depends upon what those "remnants" are.

If the malicious binaries have been removed but a Registry or Path location remains, they
may be considered a remnant of the original infection but by themselves, are not a
problem.

There is also the possibility of a remnant file but the loading methodology has been
removed such as a HKLM / HKCU Run for a DLL or EXE. The Registry entry was removed but
the file wasn't. Now the file is orphaned and without it loading it is a remnant and not
part of an active infection.

I suspected something along those lines, thanks for responding.
 

RayLopez99

From: "FromTheRafters" <[email protected]>
I'd say he is more knowledgeable than I am about malware. I don't think he has killfiled
you, he probably just ignores you the old fashioned way. :blush:)
  I ask you Mr. Rafters:  what if I have MBAM (that's
It might be that MBAM is more concerned with stopping the malware from working than it
is to remove all remnants. You would have to ask them about that. Kaspersky OTOH is
concerned with reversing modifications to files as a result of an infestation or viral
infection.
  Seems that way to me.  But it
Replication should not be confused with persistence although they can be related.
It evidently has no problem detecting and dealing with Chrome though. :blush:)
Yeah, I noticed that not all rescue CD offerings were Linux based. It makes me wonder
though how Windows PE deals with reserved words and illegal characters in paths and
filenames.
Good idea, if one doesn't work, perhaps the other will.

I see you replied to RL.

It all depends upon what those "remnants" are.

If the malicious binaries have been removed but a Registry or Path location remains, they
may be considered a remnant of the original infection but by themselves, are not a
problem.

There is also the possibility of a remnant file but the loading methodology has been
removed such as a HKLM / HKCU Run for a DLL or EXE. The Registry entry was removed but
the file wasn't. Now the file is orphaned and without it loading it is a remnant and not
part of an active infection.

I see. This makes sense. I do believe that MBAM got rid of the
"active"portions of the malware removed, which, as you seem to imply,
is a registry entry but the library or executable file (.DLL or .EXE)
remained, and this is what Kaspersky reacted to. Another possibility:
perhaps MBAM 'archived' or "quarantined" or somehow stored the malware
(under the "Quarantine" option), but Kaspersky saw this archive as a
threat (since it's not clear to me how antivirus programs archive
stuff anyway--I would think they would password protect the file so it
cannot be read by another antivirus program, but I could be wrong).

BTW, here was the malware caught by MBAM, and neutralized, and then
Kaspersky totally eradicated (all traces) of it:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Fakeav
(and associated other files)

Thanks for your time.

RL
 

Dustin

It does detect *some* viruses.

Yes, in initial form only. Once it's infected something, the likelihood of
detection is near zero. Hence, Malwarebytes recommends antivirus to be
run alongside her.
 