Learn about Computer Security and Interact with Security Experts > Other Security Products

Portable Malwarebytes Anti-Malware & SUPERAntiSpyware HowTo

(1/3) > >>

Surely (or hopefully ;) at least) I am not the only one interested in running the "Malwarebytes Anti-Malware" and "SUPERAntiSpyware" on demand scanners from a USB-Stick for portable anti-malware capabilities.
No dedicated portable versions of both tools exist so far (except for some questionable hacked versions one might find by googling, but I would strongly advise against the usage of these). Also there are no proper tutorials on how to acheive this functionality yet (at least I found none). So I decided to find out on my own, and I'd like to share my results with you in this place.

Preliminary remarks:

* I will supply you with the following information: What do both applications need to run and what traces do they leave on a "host" system.
* I will give you a short guide on how to run them from a USB-Stick and how to clean up behind you.
* This will really just be a "quick and dirty guide", using batch files for automation, just to give you a general idea. Everybody is welcome to create some other more advanced and neat solution (eg. by using AutoIt).
* You might find the following Links to the original Forums of both Applications and some tests helpful:
Malwarebytes Anti-Malware Forums; Posts: [Making Malwarebytes Portable ?] [Portable version???]
SUPERAntiSpyware Forums; Posts: [Downloading SAS to USB device] [Portable version?]
remove-malware.com: Step-By-Step Malware Removal Guide (Q1 2009); using free software only
remove-malware.com: Malware Removal And Detection Techniques
remove-malware.com [at] youtube: Malwarebytes Anti-Malware (Free) video review (09-2008, Part 1 of 3)
remove-malware.com [at] youtube: SUPERAntiSpyware (Free) video review (09-2008, Part 1 of 5)

SUPERAntiSpyware Portable
SUPERAntiSpyware already is "portable" in the broader sense that it is sufficient to copy the application folder to any location you like (USB-stick) and run it from there. Anyhow I'll give you some additional info.

SUPERAntiSpyware execution behavior:

* Necessary directories are created automatically:
%ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com\
%ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\
* Necessary files (definitions) are created upon update:
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.DB
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.ZIP
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
(Further files like logs are created during operation)
* Settings are saved in registry (HKCU\Software\SUPERAntiSpyware.com)!
Making SUPERAntiSpyware portable:
A standard procedure you might know from other apps:

* Install
* Copy application directory to any location you like
* Uninstall
* Run "SUPERAntiSpyware.exe" from the copied application directory(There are no uninstall files to delete because they use windows installer)

Traces left on host system and how to clean up:
The definition files in %USERPROFILE% are about 25MB in size, something that should be cleaned up in my opinion (it seems that nothing is saved in %ALLUSERSPROFILE%). Settings in registry should also be removed.
For complete clean-up:

* DELETE: "%ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com"
* DELETE: "%USERPROFILE%\Application Data\SUPERAntiSpyware.com"
* DELETE: HKCU\Software\SUPERAntiSpyware.com
Batch to automate clean-up:
(WinXP cmd only! Use DELTREE in DOS instead of RMDIR.)

--- Code: ---RMDIR /S /Q "%ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com"
RMDIR /S /Q "%USERPROFILE%\Application Data\SUPERAntiSpyware.com"
REG DELETE HKCU\Software\SUPERAntiSpyware.com /f
--- End code ---

Malwarebytes Anti-Malware Portable
To make Malwarebytes' Anti-Malware portable is more difficult, as it does NOT run from a USB-Stick by just copying the application directory! Two system files (mbam.sys & mbamswissarmy.sys), two registered libraries (mbamext.dll & ssubtmr6.dll) and one registered ActiveX control (vbalsgrid6.ocx) are mandatory!

Malwarebytes Anti-Malware execution behavior:

* Three objects have to be registered: mbamext.dll, ssubtmr6.dll and vbalsgrid6.ocx
To do so, use the command regsvr32.exe "path\file" (use switch "\s" for 'silent')
(The files are located in the application directory)
* Two system files have to exist:
(These files are copied there during install and you have to take them with you)
* Necessary directories are created automatically:
%ALLUSERSPROFILE%\Application Data\Malwarebytes\
%ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\
%USERPROFILE%\Application Data\Malwarebytes\
%USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\
%USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\
%USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\
* Necessary files (definitions) are created upon update:
%ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ignore.dat
%ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\news.txt
%ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
(Further files like logs are created during operation)
* Settings are saved in registry (HKCU\Software\Malwarebytes' Anti-Malware)
Making Malwarebytes Anti-Malware portable:

* Install
* Copy application directory to any location you like
* Copy mbam.sys & mbamswissarmy.sys from "C:\WINDOWS\system32\drivers\" anywhere you like, to take them with you (eg. the copied application directory)
* Uninstall
* Remove the uninstall files (unins000.dat, .exe & .msg) from the copied application directory if you like
* Take the application directory anywhere you like
* On the host machine copy mbam.sys & mbamswissarmy.sys to "C:\WINDOWS\system32\drivers\"
* On the host machine run:
regsvr32.exe "DRIVE:\PATH\mbamext.dll"
regsvr32.exe "DRIVE:\PATH\\ssubtmr6.dll"
regsvr32.exe "DRIVE:\PATH\\vbalsgrid6.ocx"
(You will be notified about registration success (or errors), use switch "/s" for silent registration.)
(You need admin rights for registration to succeed. Do this from an admin account or with elevated rights)
* Run "mbam.exe" from the application directory (not mbamgui.exe)
Batch to automate the necessary preparation on the host machine:
(Assuming that all mentioned files, including the batch, are located in the same directory)

--- Code: ---COPY "%CD%\mbam.sys" "C:\WINDOWS\system32\drivers\mbam.sys"
COPY "%CD%\mbamswissarmy.sys" "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
regsvr32.exe "%CD%\vbalsgrid6.ocx"
regsvr32.exe "%CD%\ssubtmr6.dll"
regsvr32.exe "%CD%\mbamext.dll"
--- End code ---
(Remember: Administrative rights needed. Use switch "/s" for silent registration)

Traces left on host system and how to clean up:
Malwarebytes' definition files, logs etc. are quite small (below 2MB) wich is small enough, but the system files and settings in registry should be removed anyway and the registered objects should be unregistered in any case!
This leaves us for complete clean-up with:

* DELETE: "%ALLUSERSPROFILE%\Application Data\Malwarebytes"
* DELETE: "%USERPROFILE%\Application Data\Malwarebytes"
* DELETE: "C:\WINDOWS\system32\drivers\mbam.sys"
* DELETE: "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
* DELETE: HKCU\Software\Malwarebytes' Anti-Malware
* UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\vbalsgrid6.ocx"
* UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\ssubtmr6.dll"
* UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\mbamext.dll"
Batch to automate clean-up:
(Assuming that the batch is located in the same directory as the registered objects. WinXP cmd only! Use DELTREE in DOS instead of RMDIR.)

--- Code: ---RMDIR /S /Q "%ALLUSERSPROFILE%\Application Data\Malwarebytes"
RMDIR /S /Q "%USERPROFILE%\Application Data\Malwarebytes"
DEL "C:\WINDOWS\system32\drivers\mbam.sys"
DEL "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
REG DELETE HKCU\Software\Malwarebytes' Anti-Malware /f
regsvr32.exe /u "%CD%\vbalsgrid6.ocx"
regsvr32.exe /u "%CD%\ssubtmr6.dll"
regsvr32.exe /u "%CD%\mbamext.dll"
--- End code ---
(Remember: Administrative rights needed. Use switch "/s" for silent unregistration)

Additional remarks:

* As mentioned, you need administrative rights at least for objects (un)registration, but you should do any malware scanning and cleaning from an administrative account or at least with elevated rights anyway!
* For both applications there is cleaning done in the "Application Data" directory. Unfortunately the name of this directory is language dependent (it is named differently in some - but not any - non-english Windows locales), eg. in german (as for me), it is called "Anwendungsdaten". You have to change this in the batch files if you are executing them such a system.
In the case of the %USERPROFILE%, the "%USERPROFILE%\Application Data\" directory can be addressed directly by the %APPDATA% variable, but this does not hold for %ALLUSERSPROFILE%. There is no way to address %ALLUSERSPROFILE%\Application Data\ directly in a batch file (at least none i know about).

That's it! I wish you successfull cleaning... ;)

Final words:

* Everyone who also is a member of the SUPERAntiSpyware or Malwarebytes' Anti-Malware community: please spread the word! I just did not want to create YAFFA (Yet Another F...antastic Forum Account) to the tons I already have for just a single post. Otherwise i might have posted there on my own.
* I am by no means in any way connected to the pages i linked above, neither SUPERAntiSpyware or Malwarebytes' Anti-Malware, nor remove-malware.com (which surely has some nice video reviews, also of Comodo Internet Security, but i think most frequent users here know Matt's site)!
* Please excuse any mistake in my english, as I am not a native speaker.

I'm taking a shot at it, I started with Superantispyware (newest version)  I'm using windows 7 version 7057, I can't even get it to install normally,(even in compatibility mode) let alone making it portable.  I'm guessing part of the problem is some of the software I have installed too.  Well,  In a few days I'm off to try malwarebytes to convert it portable.  I think I'll be playing with UPX packer too!!

P.S. I eventually get back to superantispyware, but it will be on a vista machine.  I'll never give up :)

right now, I'm kind of stuck on malwarebytes :'(
but the good news superantispyware beta 4.26.100 will work with windows 7 7057.  I finally got it portable

My portable superantispyware is setuped as followed

%AppData%           <----folder
%ProgramFilesDir%   <---folder
TEMP                      <---folder   
deupx.dll                <--app ext.
msvcr71.dll             <--app ext.
Registry.rw.lck         <--lck file
Registry.rw.tvr        <--tvr file
Registry.rw.backup  <--backup file
SUPERAntiSpyware  <--execute file from program (1788kb)

While everything works fine including updates :BNC, The real-time protection isn't working ???

malwarebytes, here I come :o

I now got malwarebytes paritly done, but it needs a lot more work and no real-time protection and doesn't update.  I'm definiantly going to be using a upx packer with this, maybe not with superantispyware.  I hope I can finish this project by the end of this weekend coming up

Doesn't anybody else think portable malwarebytes and/or superantispyware is a good idea ???  It can't be just me and leeloo.  It really not that hard, superantispyware is the easier of the two

Hi leeloo

I've made you WinRAR SFX files for this programs with .cmd commands that use your scripts. They have the latest defs for using on PC without internet and the defs are updateable.

Lets me know how it's working .

Link :
<a href='http://www.sendspace.com/file/l1r39j'>http://www.sendspace.com/file/l1r39j[/url]


[0] Message Index

[#] Next page

Go to full version
Seo4Smf 2.0 © SmfMod.Com Smf Destek