Portable Malwarebytes Anti-Malware & SUPERAntiSpyware HowTo

Surely (or hopefully :wink: at least) I am not the only one interested in running the “Malwarebytes Anti-Malware” and “SUPERAntiSpyware” on demand scanners from a USB-Stick for portable anti-malware capabilities.
No dedicated portable versions of both tools exist so far (except for some questionable hacked versions one might find by googling, but I would strongly advise against the usage of these). Also there are no proper tutorials on how to achieve this functionality yet (at least I found none). So I decided to find out on my own, and I’d like to share my results with you in this place.

Preliminary remarks:

SUPERAntiSpyware Portable
SUPERAntiSpyware already is “portable” in the broader sense that it is sufficient to copy the application folder to any location you like (USB-stick) and run it from there. Anyhow I’ll give you some additional info.

SUPERAntiSpyware execution behavior:

  • Necessary directories are created automatically:
    %ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com
    %ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\
  • Necessary files (definitions) are created upon update:
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.DB
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.ZIP
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLISTRELATED.DB
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLISTRELATED.ZIP
    %USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    (Further files like logs are created during operation)
  • Settings are saved in registry (HKCU\Software\SUPERAntiSpyware.com)!

Making SUPERAntiSpyware portable:
A standard procedure you might know from other apps:

  • Install
  • Copy application directory to any location you like
  • Uninstall
  • Run “SUPERAntiSpyware.exe” from the copied application directory

(There are no uninstall files to delete because they use windows installer)

Traces left on host system and how to clean up:
The definition files in %USERPROFILE% are about 25MB in size, something that should be cleaned up in my opinion (it seems that nothing is saved in %ALLUSERSPROFILE%). Settings in registry should also be removed.
For complete clean-up:

  • DELETE: “%ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com”
  • DELETE: “%USERPROFILE%\Application Data\SUPERAntiSpyware.com”
  • DELETE: HKCU\Software\SUPERAntiSpyware.com

Batch to automate clean-up:
(WinXP cmd only! Use DELTREE in DOS instead of RMDIR.)

RMDIR /S /Q "%ALLUSERSPROFILE%\Application Data\SUPERAntiSpyware.com"
RMDIR /S /Q "%USERPROFILE%\Application Data\SUPERAntiSpyware.com"
REG DELETE HKCU\Software\SUPERAntiSpyware.com /f

Malwarebytes Anti-Malware Portable
To make Malwarebytes’ Anti-Malware portable is more difficult, as it does NOT run from a USB-Stick by just copying the application directory! Two system files (mbam.sys & mbamswissarmy.sys), two registered libraries (mbamext.dll & ssubtmr6.dll) and one registered ActiveX control (vbalsgrid6.ocx) are mandatory!

Malwarebytes Anti-Malware execution behavior:

  • Three objects have to be registered: mbamext.dll, ssubtmr6.dll and vbalsgrid6.ocx
    To do so, use the command regsvr32.exe “path\file” (use switch “/s” for ‘silent’)
    (The files are located in the application directory)
  • Two system files have to exist:
    C:\WINDOWS\system32\drivers\mbam.sys
    C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    (These files are copied there during install and you have to take them with you)
  • Necessary directories are created automatically:
    %ALLUSERSPROFILE%\Application Data\Malwarebytes
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
    %USERPROFILE%\Application Data\Malwarebytes
    %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
    %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
    %USERPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\
  • Necessary files (definitions) are created upon update:
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ignore.dat
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\news.txt
    %ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
    (Further files like logs are created during operation)
  • Settings are saved in registry (HKCU\Software\Malwarebytes' Anti-Malware)

Making Malwarebytes Anti-Malware portable:

  • Install
  • Copy application directory to any location you like
  • Copy mbam.sys & mbamswissarmy.sys from "C:\WINDOWS\system32\drivers" anywhere you like, to take them with you (eg. the copied application directory)
  • Uninstall
  • Remove the uninstall files (unins000.dat, .exe & .msg) from the copied application directory if you like
  • Take the application directory anywhere you like
  • On the host machine copy mbam.sys & mbamswissarmy.sys to "C:\WINDOWS\system32\drivers"
  • On the host machine run:
    regsvr32.exe "DRIVE:\PATH\mbamext.dll"
    regsvr32.exe "DRIVE:\PATH\ssubtmr6.dll"
    regsvr32.exe "DRIVE:\PATH\vbalsgrid6.ocx"
    (You will be notified about registration success (or errors), use switch “/s” for silent registration.)
    (You need admin rights for registration to succeed. Do this from an admin account or with elevated rights)
  • Run “mbam.exe” from the application directory (not mbamgui.exe)

Batch to automate the necessary preparation on the host machine:
(Assuming that all mentioned files, including the batch, are located in the same directory)

COPY "%CD%\mbam.sys" "C:\WINDOWS\system32\drivers\mbam.sys"
COPY "%CD%\mbamswissarmy.sys" "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
regsvr32.exe "%CD%\vbalsgrid6.ocx"
regsvr32.exe "%CD%\ssubtmr6.dll"
regsvr32.exe "%CD%\mbamext.dll"

(Remember: Administrative rights needed. Use switch “/s” for silent registration)

Traces left on host system and how to clean up:
Malwarebytes’ definition files, logs etc. are quite small (below 2MB) which is small enough, but the system files and settings in registry should be removed anyway and the registered objects should be unregistered in any case!
This leaves us for complete clean-up with:

  • DELETE: “%ALLUSERSPROFILE%\Application Data\Malwarebytes”
  • DELETE: “%USERPROFILE%\Application Data\Malwarebytes”
  • DELETE: “C:\WINDOWS\system32\drivers\mbam.sys”
  • DELETE: “C:\WINDOWS\system32\drivers\mbamswissarmy.sys”
  • DELETE: HKCU\Software\Malwarebytes' Anti-Malware
  • UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\vbalsgrid6.ocx"
  • UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\ssubtmr6.dll"
  • UNREGISTER: regsvr32.exe /u "DRIVE:\PATH\mbamext.dll"

Batch to automate clean-up:
(Assuming that the batch is located in the same directory as the registered objects. WinXP cmd only! Use DELTREE in DOS instead of RMDIR.)

RMDIR /S /Q "%ALLUSERSPROFILE%\Application Data\Malwarebytes"
RMDIR /S /Q "%USERPROFILE%\Application Data\Malwarebytes"
DEL "C:\WINDOWS\system32\drivers\mbam.sys"
DEL "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
REG DELETE HKCU\Software\Malwarebytes' Anti-Malware /f
regsvr32.exe /u "%CD%\vbalsgrid6.ocx"
regsvr32.exe /u "%CD%\ssubtmr6.dll"
regsvr32.exe /u "%CD%\mbamext.dll"

(Remember: Administrative rights needed. Use switch “/s” for silent unregistration)

Additional remarks:

  • As mentioned, you need administrative rights at least for objects (un)registration, but you should do any malware scanning and cleaning from an administrative account or at least with elevated rights anyway!
  • For both applications there is cleaning done in the “Application Data” directory. Unfortunately the name of this directory is language dependent (it is named differently in some - but not any - non-English Windows locales), eg. in German (as for me), it is called “Anwendungsdaten”. You have to change this in the batch files if you are executing them on such a system.
    In the case of the %USERPROFILE%, the "%USERPROFILE%\Application Data" directory can be addressed directly by the %APPDATA% variable, but this does not hold for %ALLUSERSPROFILE%. There is no way to address %ALLUSERSPROFILE%\Application Data\ directly in a batch file (at least none I know about).

That’s it! I wish you successful cleaning… :wink:

Final words:

  • Everyone who also is a member of the SUPERAntiSpyware or Malwarebytes’ Anti-Malware community: please spread the word! I just did not want to create YAFFA (Yet Another F…antastic Forum Account) to the tons I already have for just a single post. Otherwise I might have posted there on my own.
  • I am by no means in any way connected to the pages I linked above, neither SUPERAntiSpyware nor Malwarebytes’ Anti-Malware, nor remove-malware.com (which surely has some nice video reviews, also of Comodo Internet Security, but I think most frequent users here know Matt’s site)!
  • Please excuse any mistake in my English, as I am not a native speaker.

leeloo

I’m taking a shot at it. I started with Superantispyware (newest version). I’m using Windows 7 version 7057, and I can’t even get it to install normally (even in compatibility mode), let alone make it portable. I’m guessing part of the problem is some of the software I have installed too. Well, in a few days I’m off to try malwarebytes to convert it to portable. I think I’ll be playing with UPX packer too!!

P.S. I eventually get back to superantispyware, but it will be on a vista machine. I’ll never give up :slight_smile:

Right now, I’m kind of stuck on malwarebytes :cry:
But the good news is that superantispyware beta 4.26.100 will work with Windows 7 7057. I finally got it portable.

My portable superantispyware is set up as follows:

%AppData% <-- folder
%ProgramFilesDir% <-- folder
TEMP <-- folder
deupx.dll <-- app ext.
msvcr71.dll <-- app ext.
Registry.rw.lck <-- lck file
Registry.rw.tvr <-- tvr file
Registry.rw.backup <-- backup file
SUPERAntiSpyware <-- execute file from program (1788kb)

While everything works fine including updates :BNC, The real-time protection isn’t working ???

malwarebytes, here I come :o

I now got malwarebytes partly done, but it needs a lot more work and has no real-time protection and doesn’t update. I’m definitely going to be using a upx packer with this, maybe not with superantispyware. I hope I can finish this project by the end of this weekend coming up.

Doesn’t anybody else think portable malwarebytes and/or superantispyware is a good idea ??? It can’t be just me and leeloo. It’s really not that hard, superantispyware is the easier of the two.

Hi leeloo

I’ve made you WinRAR SFX files for these programs with .cmd commands that use your scripts. They have the latest defs for using on PC without internet and the defs are updateable.

Let me know how it’s working.

Link :
http://www.sendspace.com/file/l1r39j

Well… My aim was to deliver a method for running a copy of SAS or MBAM from an USB-stick, that could be reproduced by anyone who is interested in this functionality using the then most current software release (as long as both vendors do not deliver dedicated portable versions).
As mentioned this is no big deal for SAS anyway, as this app is quite portable on its own (in the sense of copying the application folder and running “SUPERAntiSpyware.exe”). For MBAM I just wanted to show what is necessary to run it, besides copying the app folder. The rest was additional info, that led to an explanation on how to clean up after using the tools, so that no space or resource eating ■■■■ is left on the machine.

My aim was not to deliver a howto on creating any executables that other people should download!
As this is a security forum I would like to emphasize that downloading and executing apparently useful stuff from apparently trustworthy sources is one main reason for the spreading of malware. Therefore I would advise anyone to create his own portable version of SAS and MBAM.
This would also guarantee that you always use the current version, as portable versions are usually behind in version number.

Anyway, if someone does not like the install-copy-uninstall method and therefore would like a download that can be unzipped and run - It is possible to extract both applications from the installers:

  • The current SAS Installer (v4.25.1014) can be extracted by most zip-applications!
    (Create subdirectories “Language” and “Plugins” and put .lng files into the first and the three sab_.dll’s into the second.)
  • The current MBAM Installer (v1.34) can be extracted by “Universal Extractor”!
    (The extracted “{app}” folder contains the application, take the two necessary *.sys files from the “{sys}\drivers” folder. Discard the rest.)

@jay2007tech: I am not quite sure what you are trying to achieve… :wink:

  • UPX sounds like you are trying to create an installer and “%ProgramFilesDir%” does not sound portable. ???
    If you are trying to create a “portable installer” read my opinion above.
  • I know neither Vista nor Windows 7 (I’ll stay with XP until Win7 SP1). I’ll ignore Win7 considering its current beta status and major changes pending, but my method should work on Vista too I guess.
    But as a precaution I’ll declare my method limited to WinXP as this is the system on which I created and tested it!
  • Certainly real-time protection will not work! For real-time protection always (a) service(s) and maybe (a) driver(s) have to be installed. Any real-time, background, silent and suchlike features only work when installed and not for portable applications. But what should be the purpose of using a portable (which means removable!) application for real-time protection (which should deliver permanent protection)? If you want protection install the app on a local drive!
    Anyway, I’ll clarify another point: this HowTo is intended for on-demand scanning with the freeware editions!

@ghostza: As you might guess from my previous statements, I am not happy with a SFX.

  • By providing (and not documenting) an executable (that most users are not able to examine before execution) you demand a lot of trust! Sorry, but I would advise nobody to load and run your files without testing them in a sandboxed environment beforehand.
    Please do not get me wrong, I absolutely do not personally regard you as untrustworthy, just unknown! :wink: And as I am my own personal HIPS, I avoid anything that is not explicitly trustworthy. It is one thing if someone offers something to download on his website, describes the download in detail, publishes his address and name, probably has a good reputation and may be held to account, or if a more or less anonymous user offers a download in a forum…
  • Therefore I did not execute your SFX’s as I currently have no sandbox running.
    But I unpacked and checked them: The *.cmd files look fine and you are indeed essentially using “my scripts”. But there is a considerable difference between your concept and my approach: While I keep the app extracted on the portable drive, your SFX’s extract it to the “Temp” folder of the host machine. Nice idea but not a portable app in the original sense.
    You should mention the differences or please avoid claiming the use of “my scripts”. :wink:
  • In contrast to your statement there are no defs included!
  • If you offer a download you should provide much more information:
    [>] Version number of the contained application (this download might still be online when the apps are outdated)
    [>] Version of definitions (If you include them)
    [>] Describe what the SFX’s do
    [>] Describe what the scripts do
    [>] Also provide the “source code”

leeloo

ghostza :slight_smile:
Thank you very much

malwarebytes was starting to be a hassle for me, I thank you for perfecting it (for us noobs :slight_smile: ) and I will use the malwarebytes version

Thank you so much :slight_smile:

[>] Version number of the contained application (this download might still be online when the apps are outdated) = MBM : 1.35 | SAS : 4.26.1000
[>] Version of definitions (If you include them) = MBM : 1905 | SAS : 3814
[>] Describe what the SFX’s do = Both extract to c:\windows\temp and run def updates before running app, after app close it removes the folder in c:\windows\temp
[>] Describe what the scripts do = the same as yours + running def updates then running app then removing folder from where it was run.
[>] Also provide the “source code” = use uniextractor to extract .exe.

P.S. I know what you are saying. I would also not fully trust this , but will check the code first and then maybe run it. No hard feelings.

SAS defs is from “SUPERAntiSpyware - Definition Database Information” in a file called SASDEFENITIONS.exe
MBM defs is in a file MalwarebytesUpdates.exe that is a SFX from “C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes’ Anti-Malware”

Regards

You should make your script display the EULA on each run. Here’s a copy of the EULA from Malwarebytes’ Anti-Malware:

Subject to the restrictions below, you may use the Malwarebytes' Software for any legitimate purpose.

In return, we simply require that you agree:

  1. Not to use this software for commercial use without proper licensing.

  2. Not to remove any copyright or other notices from the Software.

  3. That you are not allowed to combine or distribute the Software with other software that is licensed under terms that seek to require that the Software (or any intellectual property in it) be provided in source code form, licensed to others to allow the creation or distribution of derivative works, or distributed without charge.

  4. That if you distribute the Software in source code form you do so only under this license (i.e. you must include a complete copy of this license with your distribution), and if you distribute the Software solely in object form you only do so under a license that complies with this license.

  5. That you will (a) not use Malwarebytes’ name, logo, or trademarks in association with distribution of the Software or derivative works unless otherwise permitted in writing; (b) display your own valid copyright notice which must be sufficient to protect Malwarebytes’ copyright in the Software; and (c) indemnify, hold harmless, and defend Malwarebytes from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of your modifications to the Software and any additional software you distribute along with the Software.

  6. That if you have modified the Software or created derivative works, and you distribute such modifications or derivative works, you will cause the modified files to carry prominent notices so that recipients know that they are not receiving the original Software. Such notices must state: (a) that you have changed the Software; and (b) the date of any changes

  7. That the Software comes “as is”, with no warranties. None whatsoever. This means no express, implied or statutory warranty, including without limitation, warranties of merchantability or fitness for a particular purpose or any warranty of title or non-infringement. Also, you must pass this disclaimer on whenever you distribute the Software or derivative works.

  8. That neither Malwarebytes nor its suppliers will be liable for any of those types of damages known as indirect, special, consequential, or incidental related to the Software or this license, to the maximum extent the law permits, no matter what legal theory it’s based on. Also, you must pass this limitation of liability on whenever you distribute the Software or derivative works.

  9. That if you sue anyone over patents that you think may apply to the Software for a person’s use of the Software, your license to the Software ends automatically.

  10. That the patent rights, if any, granted in this license only apply to the Software, not to any derivative works you make.

  11. That the Software is subject to U.S. export jurisdiction at the time it is licensed to you, and it may be subject to additional export or import laws in other places. You agree to comply with all such laws and regulations that may apply to the Software after delivery of the software to you.

  12. That if you are an agency of the U.S. Government, (i) Software provided pursuant to a solicitation issued on or after December 1, 1995, is provided with the commercial license rights set forth in this license, and (ii) Software provided pursuant to a solicitation issued prior to December 1, 1995, is provided with “Restricted Rights” as set forth in FAR, 48 C.F.R. 52.227-14 (June 1987) or DFAR, 48 C.F.R. 252.227-7013 (Oct 1988), as applicable.

  13. That your rights under this license end automatically if you breach it in any way.

  14. That this license contains the only rights associated with the Software and Malwarebytes reserves all rights not expressly granted to you in this license.

  15. That you have read and understood the aforementioned terms and conditions for use of the Malwarebytes product.

Great post and info, thanks leeloo. So far I’ve been using the portable version of A-squared, but will try your methods for MBAM and SAS. :-TU

Great guide! Though I use Thinapp ;D.

Many thanks to leeloo, but a correction to the Malwarebytes batch files, and some suggestions:

  1. The batch file line to remove the registry entry needs quotes, i.e.
    WRONG: REG DELETE HKCU\Software\Malwarebytes' Anti-Malware /f
    CORRECT: REG DELETE "HKCU\Software\Malwarebytes' Anti-Malware" /f

  2. The batch file lines to register and unregister the dlls can use an /s after it, so that you don’t get annoying prompts telling you that each process succeeded, i.e.
    WRONG: regsvr32.exe "%CD%\vbalsgrid6.ocx"
    CORRECT: regsvr32.exe "%CD%\vbalsgrid6.ocx" /s

  3. If you want to update the definitions while running a portable Malwarebytes session, the .dat files in the ALLUSERSPROFILE/Application Data/Malwarebytes should be copied to the portable’s Program folder, and the following line added to the install batch file:

xcopy "%~dp0program\*.dat" "%ALLUSERSPROFILE%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware" /Y /Q

If you don’t do this, you’ll get an error when updating that says: MBAM_ERROR_UPDATING

The clean-up batch file will remove all the above suggestions without modification. That’s it!
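
The corrections in the post above (quoted registry key, "/s") and the localized "Application Data" problem from leeloo's additional remarks, combined into one Malwarebytes clean-up batch. This is an added example, not part of any post in this thread; it assumes the all-users folder can be read from the "Common AppData" value of the Shell Folders registry key, and it uses %~dp0 and %SystemRoot% where the original batch uses %CD% and C:\WINDOWS.

```batch
@echo off
rem Added example (not from the thread): MBAM clean-up without hard-coded folder names.
rem Run from an elevated cmd prompt; the batch sits next to the registered objects.
setlocal

rem Assumption: the all-users "Application Data" path is stored in the
rem "Common AppData" value of the Shell Folders key, whatever the Windows language.
set "SHELLKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
set "COMMON_APPDATA="
for /f "tokens=3*" %%A in ('reg query "%SHELLKEY%" /v "Common AppData" 2^>nul ^| find "REG_SZ"') do set "COMMON_APPDATA=%%B"

rem Never build an RMDIR /S target from an empty variable.
if not defined COMMON_APPDATA goto :nopath
if not defined APPDATA goto :nopath

rem Unregister first, while the files are still reachable. /s suppresses the
rem dialogs, so failures are reported through the exit code instead.
for %%F in (vbalsgrid6.ocx ssubtmr6.dll mbamext.dll) do (
    regsvr32.exe /s /u "%~dp0%%F"
    if errorlevel 1 echo WARNING: could not unregister %%F
)

del /f /q "%SystemRoot%\system32\drivers\mbam.sys" 2>nul
del /f /q "%SystemRoot%\system32\drivers\mbamswissarmy.sys" 2>nul

if exist "%COMMON_APPDATA%\Malwarebytes" rmdir /s /q "%COMMON_APPDATA%\Malwarebytes"
if exist "%APPDATA%\Malwarebytes" rmdir /s /q "%APPDATA%\Malwarebytes"

rem The key name contains a space and an apostrophe, so it has to be quoted.
reg delete "HKCU\Software\Malwarebytes' Anti-Malware" /f >nul 2>&1

rem Report anything that survived instead of assuming success.
set "LEFTOVER=0"
for %%P in (
    "%SystemRoot%\system32\drivers\mbam.sys"
    "%SystemRoot%\system32\drivers\mbamswissarmy.sys"
    "%COMMON_APPDATA%\Malwarebytes"
    "%APPDATA%\Malwarebytes"
) do if exist %%P (
    echo LEFT BEHIND: %%~P
    set "LEFTOVER=1"
)
reg query "HKCU\Software\Malwarebytes' Anti-Malware" >nul 2>&1
if not errorlevel 1 (
    echo LEFT BEHIND: HKCU\Software\Malwarebytes' Anti-Malware
    set "LEFTOVER=1"
)
exit /b %LEFTOVER%

:nopath
echo Could not resolve the Application Data folders, nothing was deleted.
exit /b 2
```

Exit code 0 means nothing was left behind, 1 means at least one item survived, and 2 means a folder path could not be resolved.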

SuperAntispyware running on-demand only!
Thanks very much for the hints.
I’ve stopped using Super on-demand in the past due to services and drivers being auto-loaded at boot. Now I can come back :slight_smile: