
So, I've got several clients that I've recommended a combination of NIS and Malwarebytes to solve all their heartache, and so far it's been pretty good. However, now I've got a Win8.1 PC infected with this snap.do crap, and Malwarebytes doesn't even recognize the problem. This crapware has been in the wild for 2 years, and my client wants to know why she spent money on a piece of software that won't even stop malware that's at least 2 years old.


I can explain away zero-day attacks, like the Crypto-series. What I can't explain away is this software hijacking her computer that shows up in the Add/Remove programs, that Malwarebytes is blind to. Apparently, Spyhunter is capable of dealing with it: it certainly sees all the pieces of it, and even sees pieces of stuff that Malwarebytes left behind in its "cleaning" process. Can someone detail to me the reason that Malwarebytes is not capable of dealing with this crap?


Thanks, but sorry, that's not my question. I'm not asking for assistance cleaning the computer: I did that when I purchased a full license for the client, and that failed. The computer will get a factory restore, just to ensure that it is clean and ready to use again. My question was, why does Malwarebytes, the software, not recognize or (un)successfully remove the malware snap.do, which has been around for years?


Hi:

Until AdvancedSetup returns,

Generally, MBAM targets zero-hour and zero-day threats that are currently in circulation in the wild, and that are less than 3-months-old (give or take).

It is designed to provide layered protection alongside an AV.

Older threats would be something better handled by a standard AV.

So, I presume that if you are referring to a snap.do variant that is older than a few months, it's possible that it would not be in the MBAM database.

Some of this is explained here: https://forums.malwarebytes.org/index.php?/topic/31067-purpose-of-this-forum/

For more info, you might wish to pose your specific question about that particular detection for the Research Team, in the Research Center of the forum?

Also, as your post suggests that you are a computer tech or repair business, your MBAM Business license entitles you to free, one-on-one support from the dedicated Business Support Team. :)

You may wish to open a ticket with them here: Contact Business Support

Just a few suggestions,


Someone who actually read my post, thanks :) I've got a ticket open, but they still hadn't replied when I started this post, although I did finally receive a response a few minutes ago.

The snap.do junk has been around for at least two years, but there are updated versions on a regular basis. I'm not sure exactly how old this variant is, but I may poke the research section to see if they have any input. I did find, at one point, a post where someone indicated using MBAM to completely remove an earlier incarnation, but more recent posts result in manual removal directions, and using additional software to actually clean the infection, with MBAM as an afterthought of "Oh yes! Don't forget to scan with MBAM to ensure you're really clean!!" What a crock. If MBAM was doing its job, I wouldn't be working on the machine at all. That's like telling someone to physically scrub a plate with Comet, run it through the dishwasher, and then to "Make sure to wipe it down with a paper towel to make sure it's really clean!!"

Thanks again for the response.


Not all items are caught by MBAM. I remember a post where it was explained what it takes to be added to the database, but I can't find it at the moment. But most items like snap.do are user installed, because they don't read while installing software. I would recommend installing Unchecky on all the computers you assist with. http://unchecky.com/

Regards, a fellow tech.

It's always better to secure the device between the keyboard and the chair.


Not all items are caught by MBAM. I remember a post where it was explained what it takes to be added to the database, but I can't find it at the moment.

Not sure if this is the sticky you had in mind?

And more information about PUPs >>here<<.

It's always better to secure the device between the keyboard and the chair.

ROTFL!

True!

So, true!

Prevention of PEBCAK/PICNIC Syndrome! :D

Cheers,

Not sure if this is the sticky you had in mind?

No, it was miekiemoes explaining, in a post to a user whose program was blocked, the checklist they go by when they list a program. Think I "might" have that thread saved at work.

Lol yes, true. *sigh* Unfortunately, some of the crapware companies have gotten very good at hiding their "optional" areas, and even some of my sharper clients have gotten tagged on occasion. I'd been trying to strip this out manually, but I'm not positive I got it all out. I did finally get a reply from my ticket, and he pointed to a couple of areas I missed when clearing Chrome and Firefox, so I'll check those... of course, he also told me that Google liked to bundle Conduit with Chrome installs, so I have to take some of it with a grain of salt... <_<

Anyway, will update here when I can get back to the laptop, hopefully with positive results. Thanks for the replies.


I'm not sure about Snap.do, as I don't work in Research, but many items do not qualify as an infection and some also don't qualify for PUP. Generally speaking, AdwCleaner is a reasonably safe tool to run, but I would always make sure you have a registry backup (ERUNT can do that for you) or even a new System Restore Point (but due to failures I don't trust SR to always work; ERUNT does). The AdwCleaner tool is by an individual that does not have the same possible legal repercussions either, so they remove many items that larger vendors don't remove due to possible legal actions.

JAVA = #1 method (IMHO) of infecting a computer. If at all possible, remove it and never use it. If a site says it needs it, double check with someone or find another similar site that does not require Java.
Adobe Flash is similar but not as bad. Keep it up to date at all times, and be aware of the many fake Adobe updaters out there too.

Reset browsers back to factory defaults if at all possible (or at least go through the options and remove questionable items). Some find the Google and now Firefox sync to be an awesome feature, but once it is infected, even if you remove the infection, the Google / Firefox sync will put it right back onto the computer. So disabling sync and cleaning is now required.

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed, then you may want to consider uninstalling it, as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome
Start by disabling Sync
How To Delete Your Google Chrome Browser Sync Data
Chrome - Reset browser settings
If that fails then Uninstall Google Chrome and do not reinstall until sure the system is clean.

No product can find and remove all threats, but I would say that we typically do a better job at it than most other products.

Thanks


Thanks to the volunteers who responded here with helpful references and recommendations. I managed (apparently, anyway) to get this mess removed through a combination of ADW, FRST, Adware-Removal-Tool, and RevoUninstaller. So far, it's not showing any recurrence, and I'm keeping a tight eye on it. I was able to get the additional Chrome directories wiped, and will most likely reinstall Chrome later this week.

Your statement about legal actions kinda bothers me. At one point, MBAM was the software of choice for removals, even for snap.do (as evidenced here: http://www.im-infected.com/hijacker/search-snap-do-hijacker.html, where their "Procedure 2" said simply, download MBAM, update, scan and be clean). The fact that MBAM no longer targets snap.do indicates that a PUP software company threatened legal action, and you guys caved. This is not a case for the Research team, as MBAM used to cover it, but now doesn't, by choice. As for the "individual" company not being as concerned about legal action as MBAM, I refer you to SpyHunter of EnigmaSoftwareGroup, who's been around since 2003. They seem to have no problem recognizing the software and removing it. They are the ones now with the "Download, update, scan and be clean" notes about snap.do.

I had a client bring another laptop in yesterday infected with Tuvaro (http://www.bleepingcomputer.com/forums/t/528423/tuvaro-www-searchnet-redirect-in-chrome-ff-ie/) that I didn't see after running MBAM, which ran a completely clean scan the second time. After calling the user, and determining her real issue (her initial note just said "problems with the laptop"), I realized I'd run into another PUP/web hijacker that MBAM ignores, and since I know it sees Conduit (another popular web hijacker), I can't help but conclude that MBAM has caved on this one too.

I'm not sure about Snap.do, as I don't work in Research, but many items do not qualify as an infection and some also don't qualify for PUP. Generally speaking, AdwCleaner is a reasonably safe tool to run, but I would always make sure you have a registry backup (ERUNT can do that for you) or even a new System Restore Point (but due to failures I don't trust SR to always work; ERUNT does). The AdwCleaner tool is by an individual that does not have the same possible legal repercussions either, so they remove many items that larger vendors don't remove due to possible legal actions.

 

....

No product can find and remove all threats, but I would say that we typically do a better job at it than most other products.

 

Thanks

For your last statement, having worked in the industry for around 20 years now, I am well aware of how rapidly the software protection racket is changing. I've been on the front of a virus wave, sending files and registry entries directly to McAfee, helping develop a .dat file to issue for prevention and cleaning, and I know that the only way the protection companies are able to hold the receding front that they do is sheer force of will. MBAM has been a staple of my cleaning routine for years now, and something that I referred many clients, friends, and family to, because I believed that statement. Now, I believe that statement is not quite as accurate as it used to be. The problem is, it's not because the tide of Malware/Crapware/Junkware is slowly overwhelming; it's because MBAM is voluntarily surrendering ground.

Thanks again to the volunteers who posted up here with advice and input. Appreciate it, guys.


Hi:

You're most welcome. I'm glad I could help.

However, I think you may have misconstrued what AdvancedSetup said?

He did not say that MBAM does not detect snap.do (sorry for the double-negative).

He said that he does not work in the Research Department and so, probably doesn't keep track on a daily basis of the many 1000s of malware variants in the database.

It is true that MBAM focuses on malware "in the wild" now, not on old variants -- the latter is the job of your AV, with its much larger database.

MBAM is a specialized tool to provide layered, complementary protection alongside a robust AV -- it's not a substitute for one.

As for the legalities & technicalities of PUPs <-> malware nomenclature, I will defer to the experts.

However, as AdvancedSetup pointed out, if a piece of software comes with a EULA and requires the user to somehow make a choice to install it, then that application probably won't be classified as "malware" unless it behaves truly maliciously. It may be crapware, junkware, adware, bloatware, foistware, but it may not be "malware" in the strict sense.

But, as I said, that's for the lawyers and experts. ;)

And no piece of security software can protect from himself/herself a user who is "determined" to get infected through unsafe computing practices. ;)

Well, in any event, I'm glad you got the computer straightened out.

Take care,


Actually, I said that MBAM doesn't detect snap.do. As evidenced by me repeatedly running scans, expecting a different result each time (common misquote on the definition of insanity, eh? :) ). 

Hi:

You're most welcome. I'm glad I could help.

However, I think you may have misconstrued what AdvancedSetup said?

He did not say that MBAM does not detect snap.do (sorry for the double-negative).

 

.....

And no piece of security software can protect from himself/herself a user who is "determined" to get infected through unsafe computing practices. ;)

Well, in any event, I'm glad you got the computer straightened out.

Take care,

And for your last? Oh god yeah... I've even been one of those users. "Yeah, yeah, just install, %$## it!! ..... Ahhhh CRAP.... well, there goes tonight's sleep...."

Thanks again :)


If you have a fresh malware sample that MBAM does not currently detect, please feel free to submit it to the Research Team.

Instructions to expedite the process are here:

https://forums.malwarebytes.org/index.php?/topic/66190-malware-hunters-please-read/

https://forums.malwarebytes.org/index.php?/topic/31067-purpose-of-this-forum/

The Research Center forum is here:

https://forums.malwarebytes.org/index.php?/forum/51-newest-malware-threats/

Cheers,
