Malwarebytes – Manually Update Database/Definitions

KB ID 0000629

Problem

I was called to a 2003 Server yesterday that was riddled with malware; whatever was on there was generating a lot of network traffic, so the first thing I did was disconnect it from the network.

That’s fine, but if I wanted to use my usual ‘weapon of choice’ Malwarebytes, how was I going to get the latest database installed?

Solution

WARNING: There is a note on the Malwarebytes website that discourages this procedure, as it breaks the incremental update mechanism of Malwarebytes. They recommend that you use this utility to do the job, and that it should be updated every week (though the page currently has December 2011 as the update date!). In my case, once the machine is clean I’ll remove Malwarebytes and install Trend Worry Free on it anyway. Either way, I prefer to know for a fact I’m using the latest database.

1. Install and update Malwarebytes on a nice clean machine (In this case, my Windows 7 laptop).

2. Find out what version of Malwarebytes you are running (on the about tab).

3. Navigate to the following location, and take a copy of the rules.ref file, i.e. put a copy on a USB thumb drive.

Windows 7 / Vista / 2008 / 2008 R2

[box]C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware[/box]

Windows XP / 2000 / 2003 / 2003 R2

[box]C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware[/box]

4. If your version is 1.60 or newer you also need to take a copy of the database.conf file, which lives in the Configuration subfolder of the same folder.

5. Copy the file(s) to the corresponding folder(s) on the affected machine, and paste them over the copies that exist there.

6. Then launch Malwarebytes on the affected machine, and scan with the updated database.
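As an added example (not part of the original article, and not a Malwarebytes utility), the following PowerShell script automates steps 3 to 5 on the affected machine: it picks the data folder for the OS family as given above, backs up the existing rules.ref and database.conf, and overwrites them with the copies from the USB drive. It assumes PowerShell is available on the target (on 2003 that means installing it first), that the USB drive path is the placeholder shown, and that the folder names are exactly those the article lists for Malwarebytes' Anti-Malware 1.x.

```powershell
# Added example, not the article's or Malwarebytes' own code.
# Copies definition files exported from a clean, updated machine onto an offline one.
param(
    [string]$SourceDir = 'E:\mbam-defs',   # placeholder: USB drive holding rules.ref / database.conf
    [switch]$WhatIf                         # dry run: show what would be copied without touching anything
)

# Per-OS data folder from the article: Vista / 7 / 2008 (NT 6.x) use ProgramData,
# XP / 2000 / 2003 (NT 5.x) use Documents and Settings\All Users\Application Data.
$osVersion = [Environment]::OSVersion.Version
if ($osVersion.Major -ge 6) {
    $dataRoot = Join-Path $env:ProgramData "Malwarebytes\Malwarebytes' Anti-Malware"
} else {
    # ALLUSERSPROFILE resolves to C:\Documents and Settings\All Users on NT 5.x
    $dataRoot = Join-Path $env:ALLUSERSPROFILE "Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
}

# rules.ref lives in the root folder; database.conf (1.60 and newer) in Configuration\.
$files = @(
    @{ Name = 'rules.ref';     Target = $dataRoot },
    @{ Name = 'database.conf'; Target = (Join-Path $dataRoot 'Configuration') }
)

foreach ($f in $files) {
    $src = Join-Path $SourceDir $f.Name
    if (-not (Test-Path -LiteralPath $src)) {
        # database.conf is only expected for 1.60+, so a missing copy is not necessarily an error.
        Write-Warning "$($f.Name) not found in $SourceDir; skipping."
        continue
    }
    if (-not (Test-Path -LiteralPath $f.Target)) {
        Write-Warning "Target folder $($f.Target) does not exist; is Malwarebytes installed here?"
        continue
    }
    $dst = Join-Path $f.Target $f.Name

    # Keep the old file so the change can be reversed if the scanner refuses the new database.
    if (Test-Path -LiteralPath $dst) {
        $backup = "$dst.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
        Copy-Item -LiteralPath $dst -Destination $backup -WhatIf:$WhatIf
    }
    Copy-Item -LiteralPath $src -Destination $dst -Force -WhatIf:$WhatIf
    Write-Host "Replaced $dst with $src"
}
```

Run it once with `-WhatIf` to confirm the paths resolve to the Malwarebytes folder before letting it overwrite anything; the backups it leaves behind are the quickest way back if the scanner complains about the database after the swap.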


Related Articles, References, Credits, or External Links

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

Cannot Install Malwarebytes (Already Infected) – Deploy Chameleon

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

KB ID 0000183 

Problem

The last time I wrote any information on Spyware was a while ago. When I wrote that article the main problem was browser hijacking. While that’s still a problem, more recently the trend is towards infecting your machine with “Scareware”. This is software that pretends to be either an antivirus program or an antispyware program and tells you to either install something, or perform a scan (which installs something), or forces you to buy some useless software, etc.

A lot of my clients who get infected justifiably ask “Well, I’ve got up to date AV and Antispy software, how did I get infected?” The simple answer is (in most cases) because you clicked the button that said “Yes”, when the proper text on the button should have said “Yes, please slow my machine down and infect it horribly”. Some programmers of these Scareware applications have produced some awesome professional-looking programs that would fool even the more “technically aware” user.

The Best form of Defense is Offence (And common sense!)….

Error Reads: Windows Title: “Windows Internet Explorer” Window Text: “This computer is under attack. They can seriously harm your private data or files, and should be healed immediately. Return to Antivir and download it secure to your PC.”

Windows Internet Explorer is telling you you’re infected? How would an internet browser know you are infected? And if you actually read the text, the grammar is terribly bad (even by my D Grade O Level standards!). But click anything (OK, Cancel, the red X to close the window) and you will probably drag some nastiness into your PC. Also look at the URL “http://my6-antivirus-scanner.com/”. Google that (that’s search for it in Google, NOT type it in the address bar!) and you will see it’s bogus.

Here’s Another Example

Solution

I’ve got a window just like that one, what do I do?

Right click your Taskbar and select “Task Manager” or “Start Task Manager” > On the Applications tab select the instance of Internet Explorer > Click “End Task” > Accept any warnings > Close Task Manager. If you’re still worried, run a full AV and Antispy scan on the machine.


Help! – I’ve been infected and now my machine tells me I’m infected all the time!

1. Before you do anything make sure you have a backup of anything important (your documents, emails, photos, internet favorites, programs etc.) just in case.

To fix things you need to install some software. If you are so badly infected that you cannot install the software, or the infection you have specifically stops the removal tools from working (some do!), then reboot the PC, press F8, and select Safe Mode.

2. Install Malwarebytes, let it update itself, then perform a scan, reboot and rescan, until it tells you there is no infection left.

3. Install SuperAntispyware, let it update itself, then perform a scan, reboot and rescan, until it tells you there is no infection left.

4. When done, make sure you have good, up to date antivirus software and a personal firewall (the Windows one is better than nothing). Then periodically run one of the above products.

Hang On! I’ve done that and it’s not worked (I’m still infected).

The two products above are usually all you should need; if an infection gets past one, the other usually gets it. However, in some cases the code writers will get something on your PC quicker than the good guys can defeat it. If that’s happened to you, you have a choice.

1. Consider reinstalling Windows (for everyone who has just rolled back in their seat: I charge £75.00 an hour for desktop work, and it might take me 4-8 hours to clean a machine manually, so how much is your PC worth?). It’s the ONLY way to make sure you’ve got all remnants of nastiness away (you’re looking at about 4 hours work with a modern PC to rebuild it, patch it, and reinstall everything).

2. Roll your sleeves up and get on the internet; the chances of you being the first person infected are pretty slim. Download HijackThis and get the log it generates posted in an online forum, or check it online (Warning: automated systems).

3. If you have tried everything then your last port of call should be COMBOFIX. This is a VERY powerful tool and if used incorrectly can destroy Windows (hence why it’s at the bottom of the list).

Gallery Of Nastiness Note: Here’s just a few, there are tons more. If you want to send me a screenshots of any more please do so.

Security Shield (Seen 22/12/10, infected by an email attachment)
SecurityTool
Security system
Protection Control Panel
WinReanimator
VirusHeat
Virus Protect
IE Defender 2.2
VirusRay
AntiVirGear
SpyShredder 2.1
VirusProtect Pro
Windows Security Center (No it isn’t)
Spyware Protect 2009
VIRUSBUSTERS
Personal AntiVirus
ExtraAntivirus
System Antivirus 2008
IE Antivirus 3.3
Fast AntiVirus 2009

Related Articles, References, Credits, or External Links

Malwarebytes – Manually Update Database/Definitions

Windows 8 – Empty Explorer.EXE Window Opens on Boot

KB ID 0000893 

Problem

After cleaning an infected Windows 8 machine, I was faced with an empty Explorer.EXE window with just a warning triangle like this every time the PC booted.

Solution

It was being caused by a piece of junk that was left in the registry.

1. Press Windows Key+R > type regedit {Enter} > The registry editor will open.

2. Navigate to:

[box]

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

[/box]

3. Check for the existence of a string value named ‘Load’ > If it exists, delete it and reboot to test.
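As an added example (not part of the original article), this PowerShell script does steps 1 to 3 from an elevated prompt on the Windows 8 machine: it looks for the ‘Load’ value under the key above, records what it contained before anything is touched, warns if the value still points at a file that exists (so it can be scanned rather than just forgotten), and then removes it. The log file location is a placeholder I chose for the example.

```powershell
# Added example, not the article's own code: find, record and remove the leftover
# 'Load' value the article describes. Run from an elevated PowerShell prompt.
$key     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$logFile = Join-Path $env:TEMP 'load-value-removal.txt'   # placeholder log location

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'Load')) {
    Write-Host "No 'Load' value under $key; nothing to do."
    return
}

# Keep a record of the original value: whatever it pointed at is worth examining later,
# and the record makes the change reversible if it turns out to be legitimate.
$value = $props.Load
"$(Get-Date -Format o)  $key\Load = $value" | Add-Content -LiteralPath $logFile
Write-Host "Found Load = '$value' (recorded in $logFile)"

# A Load value pointing at a file that no longer exists is the typical remnant left behind
# after a clean-up. One that still resolves to a real file deserves a look before it is forgotten.
$target = [Environment]::ExpandEnvironmentVariables($value.Trim('"'))
if (Test-Path -LiteralPath $target -ErrorAction SilentlyContinue) {
    Write-Warning "Load points at an existing file: $target. Scan it before deleting it."
} else {
    Write-Host "Load points at a missing file (or something that is not a path)."
}

# Remove the value; -Confirm prompts once so the deletion is a deliberate choice.
Remove-ItemProperty -Path $key -Name 'Load' -Confirm
Write-Host "Done. Reboot to confirm the empty Explorer window no longer appears."
```

The Load value is read by Explorer at logon, which is why the leftover shows up on every boot and why the fix only needs a reboot to verify; the recorded value in the log gives you something to search on if the same remnant turns up on other machines.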

Related Articles, References, Credits, or External Links

NA