MalwareBytes AntiMalware v1.31
Dustin Cook 12-05-2008, 05:02 AM
Version 1.31 (December 3rd, 2008)
1. (FIXED) Minor issues with heuristics and false detections.
2. (FIXED) Improved activation license key checking.
3. (FIXED) Removal on reboot now uses RunOnce registry key.
4. (ADDED) Support for Ukrainian language.
5. (ADDED) Heuristics for newer infections.
http://www.malwarebytes.org
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Heather 12-05-2008, 12:59 PM
Hey Dustin......I had put this latest version on here yesterday. Today
it won't update.....saying I am not connected to the internet or check
my firewall, etc. My XP firewall is on and I am connected via cable.
Is this a bug in the program??
Cheers...Heather
"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
> Version 1.31 (December 3rd, 2008)
>
> 1. (FIXED) Minor issues with heuristics and false detections.
> 2. (FIXED) Improved activation license key checking.
> 3. (FIXED) Removal on reboot now uses RunOnce registry key.
> 4. (ADDED) Support for Ukrainian language.
> 5. (ADDED) Heuristics for newer infections.
>
> http://www.malwarebytes.org
>
>
> --
> Regards,
> Dustin Cook
> Malware Researcher
> MalwareBytes - http://www.malwarebytes.org
>
>
Heather 12-05-2008, 01:09 PM
CANCEL!! It is now updating as usual. Dunno what happened
there.....just a minor glitch on my end I suppose.
Heather
"Heather" <no.one@home.invalid> wrote in message
news:ghbtl6$okd$1@news.motzarella.org...
> Hey Dustin......I had put this latest version on here yesterday.
> Today it won't update.....saying I am not connected to the internet or
> check my firewall, etc. My XP firewall is on and I am connected via
> cable. Is this a bug in the program??
>
> Cheers...Heather
>
> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
> news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
>> Version 1.31 (December 3rd, 2008)
>>
>> 1. (FIXED) Minor issues with heuristics and false detections.
>> 2. (FIXED) Improved activation license key checking.
>> 3. (FIXED) Removal on reboot now uses RunOnce registry key.
>> 4. (ADDED) Support for Ukrainian language.
>> 5. (ADDED) Heuristics for newer infections.
>>
>> http://www.malwarebytes.org
>>
>>
>> --
>> Regards,
>> Dustin Cook
>> Malware Researcher
>> MalwareBytes - http://www.malwarebytes.org
>>
>>
>
>
Larry Sabo 12-05-2008, 04:19 PM
"Heather" <no.one@home.invalid> wrote:
>> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>> news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
>>> Version 1.31 (December 3rd, 2008)
>>>
>>> 1. (FIXED) Minor issues with heuristics and false detections.
>>> 2. (FIXED) Improved activation license key checking.
>>> 3. (FIXED) Removal on reboot now uses RunOnce registry key.
>>> 4. (ADDED) Support for Ukrainian language.
>>> 5. (ADDED) Heuristics for newer infections.
>>>
>>> http://www.malwarebytes.org
>"Heather" <no.one@home.invalid> wrote in message
>news:ghbtl6$okd$1@news.motzarella.org...
>> Hey Dustin......I had put this latest version on here yesterday.
>> Today it won't update.....saying I am not connected to the internet or
>> check my firewall, etc. My XP firewall is on and I am connected via
>> cable. Is this a bug in the program??
>>
>> Cheers...Heather
>>
>CANCEL!! It is now updating as usual. Dunno what happened
>there.....just a minor glitch on my end I suppose.
>
>Heather
[Top posting corrected.]
Heather old girl, I had the same thing today. If you select
Malwarebytes.org as the Proxy server (in the drop-down on the main
page), no problem updating.
Cheers,
Larry
Dustin Cook 12-05-2008, 05:16 PM
"Heather" <no.one@home.invalid> wrote in news:ghbtl6$okd$1@news.motzarella.org:
> Hey Dustin......I had put this latest version on here yesterday. Today
> it won't update.....saying I am not connected to the internet or check
> my firewall, etc. My XP firewall is on and I am connected via cable.
> Is this a bug in the program??
Hmm, is the XP firewall the only firewall you have up? And if you switch the
update site, will it connect then?
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Buffalo 12-05-2008, 07:26 PM
Dustin Cook wrote:
> "Heather" <no.one@home.invalid> wrote in news:ghbtl6$okd$1
> @news.motzarella.org:
>
>> Hey Dustin......I had put this latest version on here yesterday.
>> Today it won't update.....saying I am not connected to the internet
>> or check my firewall, etc. My XP firewall is on and I am connected
>> via cable. Is this a bug in the program??
>
> Hmm, is the XP firewall the only firewall you have up? And if you
> switch the update site, will it connect then?
Dustin,
When I did the update to version 1.31 (just by clicking on Update and the
new version was installed automatically), it also told me it could not find
a connection to the Internet.
I tried it again later and it worked just fine. I believe it was the
'default' update mirror that caused the initial problem.
Very minor problem overall.
Great program.
Buffalo
PS: It updated ver 1.30 to ver 1.31.
Heather 12-05-2008, 09:43 PM
"Larry Sabo" <larry_sabo@hotmail.com> wrote in message
news:73ajj4d530lri8h89cs5p92pmtadrs8mvj@4ax.com...
>
>>"Heather" <no.one@home.invalid> wrote in message
>>news:ghbtl6$okd$1@news.motzarella.org...
>>> Hey Dustin......I had put this latest version on here yesterday.
>>> Today it won't update.....saying I am not connected to the internet
>>> or
>>> check my firewall, etc. My XP firewall is on and I am connected via
>>> cable. Is this a bug in the program??
>>>
>>> Cheers...Heather
>>>
>
>>CANCEL!! It is now updating as usual. Dunno what happened
>>there.....just a minor glitch on my end I suppose.
>>
>>Heather
>
> [Top posting corrected.]
>
> Heather old girl, I had the same thing today. If you select
> Malwarebytes.org as the Proxy server (in the drop-down on the main
> page), no problem updating.
*Old Girl*??? Smack!! (G) Anyway, I checked and it was set to
Malwarebytes.org. Thanks, Old Phart......and you know I prefer to top
post, grin.
Cheers.....Heather
>
> Cheers,
> Larry
Heather 12-05-2008, 09:44 PM
"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:Xns9B6BBA0EF45DHHI2948AJD832@69.16.185.247...
> "Heather" <no.one@home.invalid> wrote in news:ghbtl6$okd$1
> @news.motzarella.org:
>
>> Hey Dustin......I had put this latest version on here yesterday.
>> Today
>> it won't update.....saying I am not connected to the internet or
>> check
>> my firewall, etc. My XP firewall is on and I am connected via cable.
>> Is this a bug in the program??
>
> Hmm, is the XP firewall the only firewall you have up? And if you
> switch the
> update site, will it connect then?
Yes to both, son. And it is working now. Seems to have been a
temporary glitch.
Best.....Heather
>
>
> --
> Regards,
> Dustin Cook
> Malware Researcher
> MalwareBytes - http://www.malwarebytes.org
>
>
Andy Walker 12-05-2008, 10:51 PM
Heather wrote:
>"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>news:Xns9B6BBA0EF45DHHI2948AJD832@69.16.185.247...
<snip>
>Yes to both, son.
Is it true that Dustin was put up for adoption because he was a
colicky baby? ;-)
Dustin Cook 12-05-2008, 11:58 PM
"Buffalo" <Eric@nada.com.invalid> wrote in news:ghckcb$l68$1@news.motzarella.org:
> Dustin Cook wrote:
>> "Heather" <no.one@home.invalid> wrote in news:ghbtl6$okd$1
>> @news.motzarella.org:
>>
>>> Hey Dustin......I had put this latest version on here yesterday.
>>> Today it won't update.....saying I am not connected to the internet
>>> or check my firewall, etc. My XP firewall is on and I am connected
>>> via cable. Is this a bug in the program??
>>
>> Hmm, is the XP firewall the only firewall you have up? And if you
>> switch the update site, will it connect then?
>
> Dustin,
> When I did the update to version 1.31 (just by clicking on Update and
> the new version was installed automatically), it also told me it could
> not find a connection to the Internet.
> I tried it again later and it worked just fine. I believe it was the
> 'default' update mirror that caused the initial problem.
The updater doesn't currently have a default setting. It's chosen
randomly. This may be changing in the future, however.
I believe the issue was on the server side. MBAM's wording of this
particular situation is the problem. We are looking into changing that
message in a later build. Sorry for any confusion it may cause.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Dustin Cook 12-05-2008, 11:58 PM
"Heather" <no.one@home.invalid> wrote in news:ghcsdi$jge$1@news.motzarella.org:
> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
> news:Xns9B6BBA0EF45DHHI2948AJD832@69.16.185.247...
>> "Heather" <no.one@home.invalid> wrote in news:ghbtl6$okd$1
>> @news.motzarella.org:
>>
>>> Hey Dustin......I had put this latest version on here yesterday.
>>> Today
>>> it won't update.....saying I am not connected to the internet or
>>> check
>>> my firewall, etc. My XP firewall is on and I am connected via cable.
>>> Is this a bug in the program??
>>
>> Hmm, is the XP firewall the only firewall you have up? And if you
>> switch the
>> update site, will it connect then?
>
> Yes to both, son. And it is working now. Seems to have been a
> temporary glitch.
Aye. One of the definition servers didn't answer the phone when MBAM dialed
it. LOL!
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Dustin Cook 12-05-2008, 11:58 PM
Andy Walker <awalker@nspank.invalid> wrote in news:493b0349.103566093@news.webtv.com:
> Heather wrote:
>
>>"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>>news:Xns9B6BBA0EF45DHHI2948AJD832@69.16.185.247...
> <snip>
>
>>Yes to both, son.
>
> Is it true that Dustin was put up for adoption because he was a
> colicky baby? ;-)
>
Good Morning Andy.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Larry Sabo 12-06-2008, 10:25 AM
"Heather" <no.one@home.invalid> wrote:
>
>"Larry Sabo" <larry_sabo@hotmail.com> wrote in message
>news:73ajj4d530lri8h89cs5p92pmtadrs8mvj@4ax.com...
>>
>>>"Heather" <no.one@home.invalid> wrote in message
>>>news:ghbtl6$okd$1@news.motzarella.org...
[snip]
>>>Heather
>>
>> [Top posting corrected.]
>>
>> Heather old girl, I had the same thing today. If you select
>> Malwarebytes.org as the Proxy server (in the drop-down on the main
>> page), no problem updating.
>
>*Old Girl*??? Smack!! (G) Anyway, I checked and it was set to
>Malwarebytes.org. Thanks, Old Phart......and you know I prefer to top
>post, grin.
>
>Cheers.....Heather
Hahaha. It was a test, to see if you're still able to sit up
unassisted for 3 minutes or more, aware of your surroundings,
responding to external stimulus, etc. :-)
Larry
Heather 12-06-2008, 01:16 PM
"Andy Walker" <awalker@nspank.invalid> wrote in message
news:493b0349.103566093@news.webtv.com...
> Heather wrote:
>
>>"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>>news:Xns9B6BBA0EF45DHHI2948AJD832@69.16.185.247...
> <snip>
>
>>Yes to both, son.
>
> Is it true that Dustin was put up for adoption because he was a
> colicky baby? ;-)
Nah, he was a "perfect baby"......just ask his Mum, lol.
Dustin Cook 12-08-2008, 12:01 AM
"Heather" <no.one@home.invalid> wrote in news:ghej0o$irp$1@news.motzarella.org:
> "Andy Walker" <awalker@nspank.invalid> wrote in message
> news:493b0349.103566093@news.webtv.com...
>> Heather wrote:
>>
>>>"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>>>news:Xns9B6BBA0EF45DHHI2948AJD832@69.16.185.247...
>> <snip>
>>
>>>Yes to both, son.
>>
>> Is it true that Dustin was put up for adoption because he was a
>> colicky baby? ;-)
>
> Nah, he was a "perfect baby"......just ask his Mum, lol.
Oh... No, she wouldn't lie for me...
Nice joke btw. :)
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
Hey Dustin,
Do you have any insight into this poster's problem?:
"Just found something out about Malwarebytes that I don't like,
and maybe it can be fixed. It's a minor annoyance, but it is an
annoyance,
nonetheless. It seems that if you don't leave I.E., or I assume O.E.,
or
WMP in an online state when they were last used, Malwarebytes can't
access
the Internet. However, if I open I.E., go online with it, then close
it,
then I can hit the Update button and get a connection to the update
site.
I've looked for an "Ignore offline state", or something like it, and the
only thing I can find related to I.E. is terminating it before removal.
I
don't use I.E. I hate I.E. I use Firefox, because it doesn't give a
rip
what state that online/offline "switch" is flipped. If it can't
connect, it
can't connect. Neither Ad-Aware nor Spybot cared one way or another,
either. Got any ideas, or am I just going to have to put up with this?"
TIA,
-jen
The Real Truth MVP 12-11-2008, 03:34 PM
That's an interesting bug. I was able to duplicate it by selecting in IE to
work offline. Also if you go to settings in MBAM and select terminate IE
before removal it will toggle IE back online and you will then be able to
update. Should be a simple fix, just have MBAM use Explorer to update
instead of Internet Explorer.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
"jen" <jen@example.com> wrote in message
news:ypd0l.6576$M01.1142@bignews3.bellsouth.net...
> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
> news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
>
> Hey Dustin,
>
> Do you have any insight into this poster's problem?:
>
> "Just found something out about Malwarebytes that I don't like,
> and maybe it can be fixed. It's a minor annoyance, but it is an
> annoyance,
> nonetheless. It seems that if you don't leave I.E., or I assume O.E., or
> WMP in an online state when they were last used, Malwarebytes can't access
> the Internet. However, if I open I.E., go online with it, then close it,
> then I can hit the Update button and get a connection to the update site.
> I've looked for an "Ignore offline state", or something like it, and the
> only thing I can find related to I.E. is terminating it before removal. I
> don't use I.E. I hate I.E. I use Firefox, because it doesn't give a rip
> what state that online/offline "switch" is flipped. If it can't connect,
> it
> can't connect. Neither Ad-Aware nor Spybot cared one way or another,
> either. Got any ideas, or am I just going to have to put up with this?"
>
> TIA,
> -jen
>
>
>
>
Dustin Cook 12-13-2008, 05:23 PM
"jen" <jen@example.com> wrote in news:ypd0l.6576$M01.1142@bignews3.bellsouth.net:
> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
> news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
>
> Hey Dustin,
>
> Do you have any insight into this poster's problem?:
Yep. Our updater is really an Internet Explorer window; so if IE is
toggled to offline, so is our updater.
Also, if IE is configured to use a proxy and it's not operational for
some reason, our updater will fail.
I have requested this be changed in a future release so that we are not
dependent on Internet Explorer for anything... However, that's still a
ways away.
So, the gist of it is this: If Internet Explorer won't surf, our updater
won't run.
The other applications mentioned aren't simply asking Internet Explorer
to access the net, so they don't care what its specific settings are.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Dustin Cook 12-13-2008, 05:24 PM
"The Real Truth MVP" <not@real.atall> wrote in news:ghs10k$qtp$1@news.motzarella.org:
> That's an interesting bug. I was able to duplicate it by selecting in
> IE to work offline. Also if you go to settings in MBAM and select
> terminate IE before removal it will toggle IE back online and you will
> then be able to update. Should be a simple fix, just have MBAM use
> Explorer to update instead of Internet Explorer.
It's not a bug.
We use Internet Explorer for the updating. If you have configured Internet
Explorer for offline mode, well, our updater is offline then too.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:Xns9B73BB5CECA4EHHI2948AJD832@69.16.185.247...
> "jen" <jen@example.com> wrote in
> news:ypd0l.6576$M01.1142@bignews3.bellsouth.net:
>
>> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>> news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
>>
>> Hey Dustin,
>>
>> Do you have any insight into this poster's problem?:
>
> Yep. Our updater is really an Internet Explorer window; so if IE is
> toggled to offline, so is our updater.
>
> Also, if IE is configured to use a proxy and it's not operational for
> some reason, our updater will fail.
>
> I have requested this be changed in a future release so that we are
> not
> dependent on Internet Explorer for anything... However, that's still a
> ways away.
>
> So, the gist of it is this: If Internet Explorer won't surf, our
> updater
> won't run.
>
> The other applications mentioned aren't simply asking Internet
> Explorer
> to access the net, so they don't care what its specific settings are.
Thanks a million, Dustin!
-jen
Andy Walker 12-13-2008, 07:06 PM
jen wrote:
>Thanks a million, Dustin!
>
>-jen
Which is it; Jen or Dustin?
--
Andy - who is playing off the comma, which would normally precede the
name of the "Thanker"... ;-)
Kyle T. Jones 12-16-2008, 09:48 AM
Dustin Cook, my dear, dear friend, there was this time, oh, 12/13/2008
5:23 PM or thereabouts, when you let the following craziness loose on
Usenet:
> "jen" <jen@example.com> wrote in
> news:ypd0l.6576$M01.1142@bignews3.bellsouth.net:
>
>> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>> news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
>>
>> Hey Dustin,
>>
>> Do you have any insight into this poster's problem?:
>
> Yep. Our updater is really an Internet Explorer window; so if IE is
> toggled to offline, so is our updater.
>
> Also, if IE is configured to use a proxy and it's not operational for
> some reason, our updater will fail.
>
> I have requested this be changed in a future release so that we are not
> dependent on Internet Explorer for anything... However, that's still a
> ways away.
>
> So, the gist of it is this: If Internet Explorer won't surf, our updater
> won't run.
>
> The other applications mentioned aren't simply asking Internet Explorer
> to access the net, so they don't care what its specific settings are.
>
>
Can't for the life of me think of why you'd make your updater dependent
on IE instead of just grabbing the default.
Surely you don't need anything IE-specific to send definition updates?
Cool that you've requested the change, but it should be the smallest of
tweaks to the code (assuming, again, that your updating service isn't
*dependent* on IE for some reason).
By the way, certain variants of the AV2008/AV2009 bug are now blocking
MalwareBytes from being installed on infected machines. Normal
workarounds (changing the name of the installation file, trying to
install in Safe Mode, etc) seem ineffective. I'm sure you're aware of
this already, but thought I'd mention it.
Cheers.
Dustin Cook 12-16-2008, 03:07 PM
"Kyle T. Jones" <KBfoMe@realdomain.net> wrote in news:gi8ijr$tko$1@news.motzarella.org:
> Dustin Cook, my dear, dear friend, there was this time, oh, 12/13/2008
> 5:23 PM or thereabouts, when you let the following craziness loose on
> Usenet:
>> "jen" <jen@example.com> wrote in
>> news:ypd0l.6576$M01.1142@bignews3.bellsouth.net:
>>
>>> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>>> news:Xns9B6B3D97688D6HHI2948AJD832@69.16.185.247...
>>>
>>> Hey Dustin,
>>>
>>> Do you have any insight into this poster's problem?:
>>
>> Yep. Our updater is really an Internet Explorer window; so if IE is
>> toggled to offline, so is our updater.
>>
>> Also, if IE is configured to use a proxy and it's not operational for
>> some reason, our updater will fail.
>>
>> I have requested this be changed in a future release so that we are
>> not dependent on Internet Explorer for anything... However, that's
>> still a ways away.
>>
>> So, the gist of it is this: If Internet Explorer won't surf, our
>> updater won't run.
>>
>> The other applications mentioned aren't simply asking Internet
>> Explorer to access the net, so they don't care what its specific
>> settings are.
>>
>>
>
> Can't for the life of me think of why you'd make your updater
> dependent on IE instead of just grabbing the default.
That's a question I will have to forward along to Marcin. I don't develop
the windows code. :)
> Surely you don't need anything IE-specific to send definition updates?
Oh, no. A simple http GET works.
> By the way, certain variants of the AV2008/AV2009 bug are now blocking
> MalwareBytes from being installed on infected machines. Normal
> workarounds (changing the name of the installation file, trying to
> install in Safe Mode, etc) seem ineffective. I'm sure you're aware of
> this already, but thought I'd mention it.
We are aware of this. It's actually a TDSS rootkit variant that typically
gets installed along with AV2008/2009 that is blocking us. Once the
driver is disabled however, we own it pretty quick.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
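Dustin's two explanations above (the updater is an Internet Explorer window, so IE's Work Offline flag and proxy settings decide whether it runs; mirrors are picked at random and a dead server produced a misleading "not connected to the internet" message) and his remark that "a simple http GET works" are illustrated by the following added example. It is not Malwarebytes' code and does not describe how MBAM is built; it is a small stand-alone Python updater that fetches a definition file with a plain HTTP GET, walks the mirror list in random order, verifies the download against a known digest, and distinguishes "this machine has no connectivity" from "the update servers are down". The mirror URLs, the sample payload and its digest are constructed for the demo; the `http_fetch` function is the one you would plug in against real hosts, while `make_fake_fetch` stands in for it so the demos run offline.

```python
import hashlib
import random
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Union

# Constructed, hypothetical mirror URLs; they are not Malwarebytes' update hosts.
MIRRORS = [
    "http://mirror-a.example.invalid/defs.dat",
    "http://mirror-b.example.invalid/defs.dat",
    "http://mirror-c.example.invalid/defs.dat",
]

# Constructed sample definition payload. A real updater would obtain the
# expected digest (or a signature) out of band, not from the same mirror.
SAMPLE_DEFS = b"DEFS:1.31:constructed-sample"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DEFS).hexdigest()


class MirrorUnavailable(Exception):
    """This particular server refused, timed out or returned an error."""


class LocalNetworkDown(Exception):
    """The client itself cannot resolve names: a local connectivity problem."""


@dataclass
class UpdateResult:
    ok: bool
    mirror: Optional[str]
    message: str
    payload: Optional[bytes] = None


def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Plain HTTP GET via urllib. It never consults Internet Explorer's
    Work Offline flag; only proxy environment variables (if set) apply."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:             # server answered 4xx/5xx
        raise MirrorUnavailable(f"HTTP {e.code}") from e
    except urllib.error.URLError as e:
        if isinstance(e.reason, socket.gaierror):   # DNS failed: we are offline
            raise LocalNetworkDown(str(e.reason)) from e
        raise MirrorUnavailable(str(e.reason)) from e   # refused, reset, timeout
    except OSError as e:                            # e.g. read timeout
        raise MirrorUnavailable(str(e)) from e


def fetch_definitions(mirrors: Sequence[str], fetch: Callable[[str], bytes],
                      expected_sha256: str,
                      rng: Optional[random.Random] = None) -> UpdateResult:
    """Try mirrors in random order and report *why* an update failed."""
    order = list(mirrors)
    (rng or random).shuffle(order)
    failures: List[str] = []
    for url in order:
        try:
            body = fetch(url)
        except LocalNetworkDown as e:
            # Only this case justifies telling the user to check their connection.
            return UpdateResult(False, None, f"No network connectivity on this machine ({e})")
        except MirrorUnavailable as e:
            failures.append(f"{url}: {e}")
            continue
        if hashlib.sha256(body).hexdigest() != expected_sha256:
            failures.append(f"{url}: integrity check failed")   # treat like a dead mirror
            continue
        return UpdateResult(True, url, "definitions downloaded and verified", body)
    return UpdateResult(False, None,
                        "All update servers failed; your connection looks fine: "
                        + "; ".join(failures))


def make_fake_fetch(table: Dict[str, Union[bytes, Exception]]) -> Callable[[str], bytes]:
    """Offline stand-in for http_fetch built from a url -> body/exception table."""
    def fetch(url: str) -> bytes:
        outcome = table[url]
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return fetch


def demo_one_server_down() -> UpdateResult:
    """One mirror refuses the connection; the others serve the right bytes."""
    fetch = make_fake_fetch({MIRRORS[0]: MirrorUnavailable("connection refused"),
                             MIRRORS[1]: SAMPLE_DEFS, MIRRORS[2]: SAMPLE_DEFS})
    return fetch_definitions(MIRRORS, fetch, SAMPLE_SHA256)


def demo_all_servers_down() -> UpdateResult:
    fetch = make_fake_fetch({u: MirrorUnavailable("HTTP 503") for u in MIRRORS})
    return fetch_definitions(MIRRORS, fetch, SAMPLE_SHA256)


def demo_local_network_down() -> UpdateResult:
    fetch = make_fake_fetch({u: LocalNetworkDown("Name or service not known") for u in MIRRORS})
    return fetch_definitions(MIRRORS, fetch, SAMPLE_SHA256)


def demo_tampered_mirror() -> UpdateResult:
    """One mirror serves bytes that do not match the published digest."""
    fetch = make_fake_fetch({MIRRORS[0]: b"DEFS:1.31:not-what-was-published",
                             MIRRORS[1]: SAMPLE_DEFS, MIRRORS[2]: SAMPLE_DEFS})
    return fetch_definitions(MIRRORS, fetch, SAMPLE_SHA256)


if __name__ == "__main__":
    for demo in (demo_one_server_down, demo_all_servers_down,
                 demo_local_network_down, demo_tampered_mirror):
        r = demo()
        print(f"{demo.__name__}: ok={r.ok} mirror={r.mirror} -> {r.message}")
```

The point of the split between `LocalNetworkDown` and `MirrorUnavailable` is exactly the confusion in this thread: a DNS failure is the user's connection, a refused connection or a 503 is the server's, and only the first should ever produce a "check your firewall" message. Checking the digest before accepting a download also means a mirror that hands back the wrong file is skipped rather than installed.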
Dustin Cook 12-17-2008, 03:54 PM
M.L. <me@privacy.invalid> wrote in news:kuohk4p1usr3b92rq7fdsehasgkn0pojrh@4ax.com:
>>> By the way, certain variants of the AV2008/AV2009 bug are now
>>> blocking MalwareBytes from being installed on infected machines.
>>> Normal workarounds (changing the name of the installation file,
>>> trying to install in Safe Mode, etc) seem ineffective. I'm sure
>>> you're aware of this already, but thought I'd mention it.
>>
>>We are aware of this. It's actually a TDSS rootkit variant that
>>typically gets installed along with AV2008/2009 that is blocking us.
>>Once the driver is disabled however, we own it pretty quick.
>
> How would one disable the rootkit driver?
There are several methods of disabling it. It's a system level driver, so
depending on the version, you can ask windows to unload it. I'm sorry
about the evasive answering, but I really can't go into details.
A handy cd that can usually disable the rootkit for you:
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
Use that cd first, then you can take advantage of MBAM and various other
utilities of its nature.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Kyle T. Jones 12-18-2008, 09:12 AM
buddy b, my dear, dear friend, there was this time, oh, 12/17/2008 2:52
AM or thereabouts, when you let the following craziness loose on Usenet:
> On Tue, 16 Dec 2008 09:48:08 -0600, "Kyle T. Jones"
> <KBfoMe@realdomain.net> wrote:
>
>> By the way, certain variants of the AV2008/AV2009 bug are now blocking
>> MalwareBytes from being installed on infected machines. Normal
>> workarounds (changing the name of the installation file, trying to
>> install in Safe Mode, etc) seem ineffective. I'm sure you're aware of
>> this already, but thought I'd mention it.
>
> True of other malware, too.
> Regards
> buddy b
Absolutely.
Cheers.
Dustin Cook 12-18-2008, 05:02 PM
M.L. <me@privacy.invalid> wrote in news:o6tjk41bbfuljaookfkosko830la5r8jlv@4ax.com:
>>>>> By the way, certain variants of the AV2008/AV2009 bug are now
>>>>> blocking MalwareBytes from being installed on infected machines.
>>>>> Normal workarounds (changing the name of the installation file,
>>>>> trying to install in Safe Mode, etc) seem ineffective. I'm sure
>>>>> you're aware of this already, but thought I'd mention it.
>>>>
>>>>We are aware of this. It's actually a TDSS rootkit variant that
>>>>typically gets installed along with AV2008/2009 that is blocking us.
>>>>Once the driver is disabled however, we own it pretty quick.
>>>
>>> How would one disable the rootkit driver?
>>
>>There are several methods of disabling it. It's a system level driver,
>>so depending on the version, you can ask windows to unload it. I'm
>>sorry about the evasive answering, but I really can't go into details.
>>
>>A handy cd that can usually disable the rootkit for you:
>>
>>http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
>>
>>Use that cd first, then you can take advantage of MBAM and various
>>other utilities of its nature.
>
> Thanks for your prompt reply. I already have that CD, so now I know
> when to use it to its advantage.
They update it constantly. It's most advised to use the newest you
possibly can. :)
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
Default User 12-19-2008, 01:17 PM
On Thu, 18 Dec 2008 23:02:41 GMT, Dustin Cook <bughunter.dustin@gmail.com> wrote:
>M.L. <me@privacy.invalid> wrote in
>news:o6tjk41bbfuljaookfkosko830la5r8jlv@4ax.com:
>
>>>>>> By the way, certain variants of the AV2008/AV2009 bug are now
>>>>>> blocking MalwareBytes from being installed on infected machines.
>>>>>> Normal workarounds (changing the name of the installation file,
>>>>>> trying to install in Safe Mode, etc) seem ineffective. I'm sure
>>>>>> you're aware of this already, but thought I'd mention it.
>>>>>
>>>>>We are aware of this. It's actually a TDSS rootkit variant that
>>>>>typically gets installed along with AV2008/2009 that is blocking us.
>>>>>Once the driver is disabled however, we own it pretty quick.
>>>>
>>>> How would one disable the rootkit driver?
>>>
>>>There are several methods of disabling it. It's a system level driver,
>>>so depending on the version, you can ask windows to unload it. I'm
>>>sorry about the evasive answering, but I really can't go into details.
>>>
>>>A handy cd that can usually disable the rootkit for you:
>>>
>>>http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
>>>
>>>Use that cd first, then you can take advantage of MBAM and various
>>>other utilities of its nature.
>>
>> Thanks for your prompt reply. I already have that CD, so now I know
>> when to use it to its advantage.
>
>They update it constantly. It's most advised to use the newest you
>possibly can. :)
Another option would be to use the F-Secure rescue CD that will download
the latest signatures when it is booted so you don't have to keep
downloading a new CD image to get up-to-date protection. The obvious
drawback is that it requires an internet connection to do this, but most
people are already connected and the F-Secure rescue CD does a pretty good
job of identifying and using the connection.
http://www.f-secure.com/linux-weblog/2008/11/25/rescuecd-301-released/