Friday, February 17, 2012

Malwarebytes Chameleon Works Great

I’ve been a fan of Malwarebytes for years. It’s always been one of the most effective tools against badware on the market. In fact, many other more expensive “security suites”, upper level technical support have been known to remote into a users machine, and install Malwarebytes to rid it of infections the antivirus was unable to get rid of. I’m not mentioning names (Symantec, Adaware), but actually I applaud tech support for doing what it takes to clean a machine.

The good news is Malwarebytes has gotten even better. In the past I’d always rename Malwarebytes as well as other security programs when installing them on an infected machines. The reason is simple, many malware programs will prevent any code that might interfere with it’s nefarious purpose from running, especially Malwarebytes! Now Malwarebytes includes a great new feature, “Chameleon”. Chameleon provides a long list of alternative exe’s to run when your machine is already infected and the virus is preventing Malwarebytes from being started from the standard executable.

To access Chameleon you need the latest version of Malwarebytes, available at http://www.malwarebytes .org. Go to the program in your start menu, right click on Malwarebytes and click on “Open File Location”. Chameleon will be visible, double click on Chameleon and a list of alternative installers appears. Double click on any of them and a command line appears asking you to “click any key to run”,  once started the command line tells you it’s “killing known malicious processes please wait”then it launches the Malwarebytes update which runs automatically. Once updated Malwarebytes launches and does a quick scan. This is usually enough to get your foot in the door so to speak. Then you can continue to run (multiple) full scans with Malwarebytes and your other favorite tools to finish the clean-up.

chameleon

Running Malwarebytes from a USB drive as a portable app isn’t supported at this time but I’m working on that…

So for now to use Chameleon, you need Malwarebytes already installed on your computer. Malwarebytes is a free program but a paid version is available for a lifetime single fee of 24.95 USD and they often offer generous discounts on their paid version if your patient.

Friday, September 10, 2010

Disaster emphasizes the need for Offsite Backup

Right now I’m sitting at home watching the television coverage of a fire storm going on about 25 miles north of me. Hundreds of people  became homeless within minutes of a huge explosion from a natural gas line. The fire has destroyed at least 54 homes an damaged another 124 more. This horrible tragedy which at this time has taken at least one persons life, proves one very important lesson for computer users.

Those houses were so violently consumed many people literally had to run out their front door with only the clothes on their back to save themselves. They certainly had no time to grab their computers or external hard drives, there simply was no time. So adding to the tragedy, many people affected in this no doubt also lost all their digital pictures, their business records, or their doctoral dissertation.  At this time no doubt data is the last thing on their minds, but once the fire is out and they begin to piece their lives together, the loss of pictures of their house and family outings or other precious memories will end up being just another burden to deal with.

So how could this additional loss be avoided, offsite backup. Backing up your most precious or valuable data to “the cloud” is no longer an option. This tragedy has convinced me that  the external hard drive next to your computer is little better than not having any backup, should a huge fire or natural disaster occur. Backing up to a cloud based service can be remarkably easy, an automated system used by a commercial program such as Carbonite  can be very simple.  Others like Amazons S3 require other programs to move the data to safety.

There a few free programs that will work, although the amount of storage is often limited. Mozy, Dropbox, and Windows Skydrive all offer free online storage. While free sounds good be careful, early on in the cloud storage era there were several free online backup services which disappeared suddenly leaving their clients unable to get data they thought was safe. It’s definitely best to stick with established names, like Dropbox or Amazon and maybe pay a little to backup your most precious memories or documents.

Don’t have high speed internet, then take several external hard drives and rotate one to an offsite location that’s a ways off. Weekly change the drive out so no drive is more than a week out of date. While this method works, its often the type of thing people do for a while but then tend to slack off after time. This is why I feel the set it and forget it of an automated backup online is the best.

Additional links: http://mozy.com/home, https://www.jungledisk.com/personal/, http://www.dropbox.com/, http://windowslive.com/Online/SkyDrive, https://one.ubuntu.com/, http://www.carbonite.com/

Wednesday, July 7, 2010

My Latest Malware kit

Over the the years I’ve found malware getting harder to defeat every time I try to disinfect a machine. A few years ago running AVG antivirus and Spybot Search and Destroy, pretty much did the job. But in the last 2 years or so I’ve had to refine my techniques as malware became more prevalent and harder to remove.  It seems organized criminals are now the driving force behind most of the “quality “ malware out there. There’s big bucks out there to be made stealing peoples identities, or turning their computers into spambots.

Last year I blogged about turning away from my old reliable programs and how I had adopted some new tools for doing automated cleanups. This year I’ve picked up some new tools, largely in response to what I was seeing when trying to clean up some really horribly infected machines.

My tools are similar to what I was using last year,Malwarebytes and Superantispyware   are still my favorite tools. Only one change there really, Superantispyware now is my primary malware tool. I was getting consistently better results with Super and it was removing many issues that Malwarebytes could find but not remove. Superantispyware also comes in a portable version, I keep a copy on a thumb drive for emergencies. For an antivirus I’m using Microsoft Security Essentials, its free, lightweight and effective which meets all my requirements. For a paid antivirus I like NOD32 from Eset, NOD32 is the best AV in my opinion and I will install it on users computers who are prone to getting infected. http://www.eset.com/. NOD32 is reasonably priced and if you’re going to pay for an AV, this is the way to go. http://www.superantispyware.com/ , http://www.malwarebytes.org/

These tools are going to do a great job of protecting most peoples computers if they are reasonably competent online. If a computer comes to me that’s really badly infected, I’ll first run Kaspersky rescue boot CD. Kaspersky Rescue CD is a Linux based Live CD that runs the Kaspersky antivirus prior to trying to boot into Windows. This can be very time consuming, in one case it took 27 hours and Kaspersky found over 1500 infections, but afterwards I was able to boot into Windows and run my regular tools which found another 150+ after 3 reboots and scans. But in the end the machine was clean.

Another program I use as a second opinion is called Hitman Pro.http://www.surfright.nl/en/hitmanpro  Hitman Pro is cloud based scanner that uses Esets cloud based scan as well as 3 others to double check your computer after a cleanup. I just started using Hitman Pro, but so far I’m very impressed. Lastly I use Process Explorer and Autoruns from Sysinternals, now a Microsoft property. Learning to use the Sysinternal tools takes time, but its time well spent for anyone who wants to get serious about knowing what goes on, on their computer. http://technet.microsoft.com/en-us/sysinternals/default.aspx

Saturday, May 1, 2010

Palm saved by HP at the last minute

Well I may not exactly be competition for Engadget but I'm just ecstatic that HP has stepped up and bought Palm. Palm has been a great and innovative company since their inception and I would have hated to see them go away. The new Palm operating system has never gotten the popularity it deserved. The WebOS works great, it multitasks and just elegantly goes about its business doing things most mobile operating systems cant.
I admit I'm a bit biassed I own a Pre, I use it on the Verizon network and unlike the At&T network I don't have to drive for a half hour to get a signal. But best of all is the WiFi Hotspot application. To me its the one app "to rule them all and in the darkness bind them"(Sorry JRR).
So keep your 150,000 fart apps on the "Jesus phone", I'll take my Pre and now thanks to HP I'll soon have fart apps to buy on the Pre.

Monday, April 5, 2010

Another Day in the Trenches: killing XP Antivirus 2010

I hate rouge antivirus programs. They seem to be getting more numerous and harder to get rid of all the time. Case in point: At work I noticed a shared computer suddenly popped up a Window announcing to me it was doing a scan and that I was infected with over 4,000 trojans and other forms of malware. Nice try I thought, so I used Control Alt Delete to start task manager and I closed Internet Explorer and all running processes involved. Fortunately it was a limited user account that was infected, and that turned out to be a important factor in removing it. I immediately ran Malwarebytes from that user and found a number of infections including the rogue antivirus product I was afflicted with.
These cretins that come up with this crap can’t even come up with something creative, we’ve seen XP Antivirus for a few years now, each year they just tack on a year to make it look current. Sad thing is I’m sure somewhere out there is someone who renews this crap every year, imagine paying yearly to be infected, oh right we already do that it’s called McAfee, but don’t get me started.

Well back to the task at hand: I rebooted the machine and logged into an administrator account. And updated Malwarebytes and ran it again... and found more junk, actually the same junk. Malwarebytes found it but could not kill it. Next I downloaded Superantispyware, a great application that I always run at home but wasn’t on the work machine. The first thing I do now after I download a anti-malware application is rename the installer, I do this because I often find the malware knows to prevent anti-malware from installing, okay these guys aren’t creative but they re getting smarter To rename a file, right click on the file and select rename and type anything.exe and install the program. Superantispyware did its thing and found a ton of additional files. I removed the infected files and rebooted again, and ran both my programs again. I still found junk! I repeated the sequence two more times until nothing was found. I then ran a scan in all user accounts to confirm “the kill”. So far so good, until I went into the user account where the infection had started, now whenever I tried to launch any program from the desktop I’d get the “Choose what Program you want to use to Open this File” message. This means I had to fix file associations and a great site with XP file association fixes is. //www.dougknox.com/xp/file_assoc.htm I used the .exe file association fix and it worked great. The last thing I did was to run Process Explorer, and Autoruns from Syinternals, these utilities give a great in depth look at what is currently running and starting on your machine at boot-up. Finding nothing suspicious I deemed the computer clean for now.
So a few lessons I learned on that one: Don’t use IE this was caused by a flaw in Internet Explorer I believed it was just fixed this week. Second running as a limited user is still far safer than running as an administrator, even though its trivial to elevate to administrator level, most malware seldom does, and this makes cleaning an infected PC much easier. Next running your cleanup tools multiple times and rebooting after each scan is the only way to give the anti-malware tools a chance against the bad guys.
http://www.malwarebytes.org/
http://www.superantispyware.com/

Thursday, March 25, 2010

Principles of Security:Keeping it Simple

Computing on the Windows platform today can be very rewarding .The problem with Windows applications is that as Microsoft has made improvements in patching security holes in Windows, the Black Hat hackers have begun to focus on third party applications to exploit the platform. Recent highly publicized exploits on the Adobe Acrobat PDF reader have been the tip of the iceberg. According to Secunia creators of PSI a security tool that scans your PC  for out of date software, half their users had 66 or more programs on their PC's. Once all the programs and patches were tabulated it totaled over "75 patch incidents annually". per average PC. "That averages out to a patch every 4.9 days." (Source InfoWorld Security Central http://www.infoworld.com/d/security-central/typical-windows-user-patches-every-5-days-630?source=IFWNLE_nlt_firstlook_2010-03-04InfoWorld)
This obviously puts the average user at risk. Many people do well just to keep their Windows OS patched much less check more than once a week for patches to their other applications. This leads to the crux of my point, keep it simple. Don't download every application you see or hear about. Pick a core of useful applications that allow you to use your computer in the way you need and stop! Your computer is a tool that can be very useful, so treat it seriously. You still can have fun with your computer, but you don't need 5 different media players, choose one and stick with it. If you find one you prefer uninstall the old one first. Many people use old out of date programs because they don't like the "feature creep" of many newer applications. This is a mistake, keep what programs you have up to date, this especially true with PDF readers, browsers, email clients, and media players. Keeping your flash player up to date is extremely important, Adobe Flash is a major exploit vector and I frequently run with it disabled.
Trying new applications can however be fun and rewarding, the best way to try new applications though is in a virtual machine. Using a program like Virtual Box from Oracle Systems is a great way to safely try new applications without committing yourself to a new program or loading your hard drive with a ton of unnecessary applications that need to be constantly updated. And lastly run Secunia’s free PSI it will help you keep your applications up to date and add another layer of security to your computer.http://download.cnet.com/1770-20_4-0.html?query=Secunia+Personal+Software+Inspector&searchtype=downloads

Saturday, January 23, 2010

Kaspersky Rescue Disk

You find your computer getting slower and slower to boot, and when it finally does boot it's so slow everything runs at a crawl. So you try running the antivirus you have and just get a message that says the definitions are out of date and you can't connect to the update server. Or you may find an annoying pop-up coming up every time you boot telling you PC Antivirus has found 70,278 infections and for $49.99 they will remove them for you. Well my friend, you are hosed! Your machine is so badly infected that you have to try desperate measures. At this point you can try pulling your hard drive out of the machine and putting it in another mounting it as a slave and using your other machine to try to clean it.

Another way to get this thing up and running is to try some kind of bootable rescue disk to clean it. Bootable rescue disks are bootable CD's/DVD's that contain small operating systems with some preinstalled tools contained for repairing your computer. When you turn on your computer hit F10 or F12, select your CD/DVD drive and your computer boots into an operating system contained on that CD. There are a lot of great rescue disks out there, the problem is most are very complicated and some take forever to boot. I found one great exception to this though. Kaspersky labs creator of the very capable Kaspersky Antivirus line of products has built a great free bootable rescue CD that is simple to use. Unlike many other bootable rescue disks it has one purpose, to clean your system. To create a Kaspersky Rescue Disk, download the ISO image from this link http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/ then burn the image to a CD. Depending on what operating system you are using you may need to download a CD burning program if you don't already have one. If you are running Windows 7 it has a built in, burning program that's simple to use and works great. If you are running XP or Vista, I like Image Burn http://www.cdburnerxp.se/ or CD BurnerXP http://www.cdburnerxp.se/ both do a great job of burning .ISO images and are free.

Once you have your rescue CD built, start your infected machine pushing F12/F10 to get it to the boot selection screen. Boot to the CD Rom drive as I stated earlier and relax, although faster than most rescue disks it's hardly fast. Follow the prompts and when it boots into the Kaspersky Rescue system you first need to update the virus definitions. Once updated do a scan, and go read the newspaper or get some coffee, it takes a while. Once it completes the scan go ahead and let it remove or quarantine all the files it has found. I've never had it delete anything that caused the machine it was fixing not to boot. But of course before you do anything like this, BACK UP YOUR DATA!!!!! But you already did that so proceed. Do the scan, remove the junk and log off Kaspersky. Just turning off your computer with the power button won't hurt anything when you are running a rescue CD.

The reason rescue CD's are so effective, is you're not trying to disinfect a computer with an infected OS. When you boot to the hard drive of an infected machine, you're playing on the bad guy's home turf. They control the machine and in many cases they've hidden the infected files so your antivirus can't see them. The rescue CD can scan your boot sector, and you hard drives from the outside looking in. The malware doesn't have a chance to hide if it's not running. It's become the first step I now use when I'm dealing with an infected machine. There are other rescue disks out there and many are very complicated and take a very long time. The Kaspersky Rescue Disk is the fastest and easiest I've found to clean an infected machine enough to allow me to boot back into Windows and complete the process by adding my favorite automated antimalware tools to keep the system clean going forward.