Malware scanners: MBAM is best of breed

TechRepublic members have been asking about malware scanners. Which ones work? Are they safe to download? I'd like to share what I consider my favorite scanner and why I like it.

As I see it, there are three axioms when it comes to malware removal:

  1. Malware coders will be ahead of the curve at all times.
  2. Malware is not important until it causes a problem.
  3. Just because a malware removal tool worked once, doesn't mean it will work again.

That sounds discouraging, doesn't it? Well, I'm happy to say that I've found a product that's become my malware fighter du jour. Malwarebytes' Anti-Malware (MBAM) is the scanner that keeps malware off my computers and the one that I immediately use when trying to wrestle malware from unknown computers.

MBAM the total package

A few months ago, several members mentioned a program called MBAM and how well it worked at finding malware. I'm sure glad I paid attention, because it's a great scanner. By far, MBAM has the best success rate of the many scanners I've tried. MBAM comes in a free version and a full (paid) version. The Malwarebytes Web site says the full version adds the following features:

"The Real-time Protection Module uses our advanced heuristic scanning technology which monitors your system to keep it safe and secure. In addition, we have implemented a threats center, which will allow you to keep up to date with the latest malware threats. Activating the full version unlocks real-time protection, scheduled scanning, and scheduled updating."

The free version has met my needs completely, since I use it as a dedicated removal tool. Still, for only $24.95 US, having the full version of MBAM running in the background on a computer may be a good way to buy some peace of mind.

Simple to use

MBAM has a very simple user interface that even makes sense to me.

[Screenshot: the MBAM main window (mbam1.JPG)]

While researching MBAM, I ran across a very useful tip from Samuel Dean on the WebWorkersDaily Web site. The following quote is from his "Malwarebytes' Anti-Malware Ferrets Out the Hidden Gunk" blog post:

"One piece of advice before you run this program: Go into any browsers you have loaded on your system and delete any saved temporary Internet files (available through the Tools menu of the popular browsers). The reason is that Malwarebytes' Anti-Malware does a highly thorough scan of your files even if you choose its Quick Scan choice instead of Full Scan."

Clearing those files first does make a difference, especially on some of the enormous hard drives now in use.

Remember the third axiom

I consider MBAM the heavy hitter among general-purpose malware scanners. Still, I've seen MBAM miss malware, rootkits in particular. To help in that regard, I wrote the article "Rootkits: Is Removing Them Even Possible?" which featured many qualified rootkit detection and removal applications. If pressed, I'd recommend GMER as my first choice for detecting rootkits.

Final thoughts

I continually hope for a magical application that, once installed on a computer, will assure the user that all is well. It's not quite there yet, and on many occasions more than one program, or even an operating system reload, will be required. For example, I'd like you to check out Swatkat's blog post "Zlob Fake Codec Rootkit Removal Procedure," where both GMER and MBAM were required.

170 comments
AnsuGisalas

I am just now waiting for my first MBAM scan to complete... in the very recent past I've tried Zonealarm Extreme's scan, Avast's scan and Prevx's scan, and all have come out clean. But a minute into this scan MBAM tells me of five infected objects. Very interesting. I'll keep you up to date on how it proceeds. Update: Whew, turned out to be five counts of "broken.opencommand": five registry keys for batfile, comfile, piffile, scrfile and regfile, all of which point to NOTEPAD.EXE %1, instead of what MBAM expected. I assume I'm safe, or?
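
The "broken.opencommand" finding above (executable file classes whose shell\open\command has been pointed at something other than the file itself) can be checked directly with a small read-only audit. The script below is an added example, not code from the original post or from Malwarebytes; the expected default strings, the function names and the set of file classes are assumptions, and the defaults should be confirmed against a known-clean machine running the same Windows version.

```powershell
# Added example (not from the original post or from Malwarebytes): audits the
# HKEY_CLASSES_ROOT <class>\shell\open\command (Default) values for the
# executable file classes named in the comment above and flags any that have
# been redirected. The expected strings are the stock Windows defaults as
# assumed here; verify them on a clean machine of the same version.

$ExpectedOpenCommand = @{
    'batfile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'piffile' = '"%1" %*'
    'exefile' = '"%1" %*'
    'scrfile' = '"%1" /S'
    'regfile' = 'regedit.exe "%1"'
}

function Get-ShellOpenCommand {
    # Hypothetical helper: returns the (Default) value of the open command key,
    # or $null if the key does not exist.
    param([Parameter(Mandatory)][string]$FileClass)
    $key = "Registry::HKEY_CLASSES_ROOT\$FileClass\shell\open\command"
    if (-not (Test-Path -Path $key)) { return $null }
    # GetValue('') reads the key's (Default) value.
    (Get-Item -Path $key).GetValue('')
}

function Test-ShellOpenCommands {
    # Hypothetical helper: one report object per file class, with a status of
    # OK, MODIFIED (value differs from the assumed default) or MISSING.
    foreach ($class in ($ExpectedOpenCommand.Keys | Sort-Object)) {
        $actual   = Get-ShellOpenCommand -FileClass $class
        $expected = $ExpectedOpenCommand[$class]
        $status = if ($null -eq $actual)       { 'MISSING' }
                  elseif ($actual -eq $expected) { 'OK' }
                  else                           { 'MODIFIED' }
        [pscustomobject]@{
            FileClass = $class
            Status    = $status
            Actual    = $actual
            Expected  = $expected
        }
    }
}

# Show the full audit, then only the entries that deserve a closer look.
$report = Test-ShellOpenCommands
$report | Format-Table -AutoSize
$report | Where-Object Status -ne 'OK'
```

The script only reads the registry, so it is safe to run on a suspect machine before deciding whether a scanner's "fix" is warranted; a class reporting MODIFIED with an Actual value such as NOTEPAD.EXE %1 is exactly the condition described above. A mismatch is a prompt to compare against a clean reference, not proof of infection by itself, since some legitimate software also registers custom handlers.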

grimalkin9999

Will MBAM (free version) remove my Win32.Zafi.b worm???

Quirkly

Here is a screenshot of dependency walker tracking my attempt to run MBAM. In this case I got an error message. I have also gotten an "all clean" from MBAM, essentially a false negative. http://img25.imageshack.us/img25/7139/trojanfakesoutmbamyg6.jpg Please note that the error message is called up from a dll called imageres.dll. In the frame below, note how the image is adjusted to match the screen settings. Other images of my trojan (?) at work are on this site also. Dependency Walker is the only app that has shown my problem--not how to fix it but at least it confirms the fact that something is happening. When your client keeps telling you something is wrong with their computer but your tools say the computer is clean, consider running dependency walker to see if you are being exploited by the infection also. Quirks

rigo12

I think MBAM is a great program, but recently it failed to detect a machine hijacked by Antivirus 2009, a rogue program developed by Russians. So after trying different anti-spyware programs I was surprised and impressed by another freebie: Super AntiSpyware, which managed to clean Antivirus 2009 completely off the infected laptop.

jlhollin

But I have to make it. I think you mean du jour, meaning your favorite anti-malware scanner of the moment. De jure means the opposite - one mandated by law and not affected by actual current practice. Sorry....

blue_smirnoff

Unless you don't use the internet or never download any files, you can't afford not to use an active malware scanner; you're leaving yourself wide open otherwise, and it may be OK for a while, but eventually you'll pick up a rootkit and then it'll all be over for you. I've tried many of the Anti-Malware programs and have come to really like SuperAntiSpyware (once you get past the name!) and SpywareDetector. The first has the best active scanning I've seen yet (and has very good repair and recovery options for if anything did get through); the second is a superb and very fast scanning engine, finding many files that other scanners have missed, and it also has decent active protection. Neither is free, but both are well worth the small price tag (about $25; SAS also has a nice lifetime subscription offer (cost me $9 more)). At the end of the day all of these come down to personal preference and experience, and what is a good product one year may be a dog the next (look at Norton/Symantec!), and unfortunately comparison reviews can never cover more than a few products out of the hundreds available, but it's always good to hear a solid recommendation. I'll give MBAM a look. For general checking of my PC (done weekly or after anything suspect), I use HiJackThis, an excellent freeware program showing everything that is run on your system; ProcessExplorer, free from SysInternals (now owned by Microsoft); and Radix Anti-Rootkit (a free rootkit scanner). One program can never be trusted to do the whole job. I'd recommend having 2 or 3 to complement each other; only testing will show you which combinations work well, however.

megamanx

From the tests that I made on my pc A-squared beats MalwareBytes, but like you said, "Just because it works good, doesn't mean others won't be able to catch up or surpass anytime."

tjspence

Excellent tool for removing rogue fake program AntivirusPro 2009.

BALTHOR

Is it in software? Is it in the websites? Is it in an OS?

TaDaH

My McAfee was popping up the other day and said it couldn't remove something I'd picked up, only quarantine it. It kind of made me angry after I researched it a bit, because it was something that had been around for a year or so. I researched a few malware removal tools and decided on MBAM. Not only did it handle the "tough" one that McAfee couldn't, it found about 4 others that McAfee didn't find! I got a call the other evening from a friend who was having similar problems and recommended they try MBAM. I haven't heard any feedback yet, but I'm certain it took care of their problems as well.

Randolph_67

Absolutely, this scanner removes Micro 2009, XP AV 2008, and lots more malware. It's simple to use and to update. When scanning with MBAM is done, I use a2-free edition from Emsisoft. When all that is done, verify startup programs with Autoruns from Sysinternals. Gets the job done every time!

garibaldi69@

In my company we run Citrix with only 6 users having a desktop computer and the rest using thin clients. In the past I was always running Adaware, Spybot etc. weekly on the servers to clean up "some" of the users' bad browsing. When we upgraded to the new servers I installed Symantec Endpoint 11 on them (without the firewall option) and so far all has been well. I now run a monthly scan with updated software and find nothing out of the ordinary. Now I get calls about a popup that says it blocked a program from installing or running, and when I go to their desk it is Symantec blocking a drive-by download. I run it in real time, full scan mode, all files all the time, and the performance hit is negligible with only 50 people logged into the Citrix Server. However, I do have a few outside users running McAfee (Cough*!garbage!@#Cough) that get hit constantly with all kinds of stuff. I never heard of MBAM but will give it a try. Also, I don't think you can ever really get rid of all bits of spyware/malware without a full wipe and reinstall (not just a reinstall). My 25 cents

Michael Kassner

First, I'd like to comment that if anyone knows, Jacky does. Second, I have been using MBAM since it was in beta and I've yet to have it negatively affect any computer that I've installed it on. That said, I wouldn't be averse to at least suggesting trying it.

Jacky Howe

should be able to remove the Win32.Zafi.b worm.

Michael Kassner

I knew of Dependency Walker, but had not heard of any real experiences with it. Thanks to the both of you for subscribing to it. I will definitely add it to my tools.

seanferd

http://www.greatis.com/vista/DLL/i/imageres.dll.htm It seems that these can corrupt this file. The file is just a repository of shell icons. If something is calling an icon not in the file... I love Dependency Walker. Of course, any malware scanner can be fooled as long as it is loaded in the targeted operating system. It is best to boot from write-protected removable media to scan a possibly infected OS.

pgit

It was that "antivirus 2009" that prompted me to find MBAM, which was the only thing that cleaned it up for me (numerous machines). You might be dealing with one of the variants that looks for "mbam-setup" and disallows its running. I've come across this a few times. Simply rename the setup file to anything; I usually just delete the dash ("-") and it runs fine. I've also changed the default install folder for good measure, but I'm not aware this part is necessary. BTW, I have also seen where after installing, MBAM would not update. I assume this is a function of malware also. What I've done is either update manually by downloading the files to a USB drive and installing, or boot safe mode with networking. In both cases a system that wouldn't update MBAM updated fine and found/eliminated the cause.

Michael Kassner

I really appreciate it when I learn something like this. I was torn as to which spelling to use. My problem, I think, was that I used the Wiki definition instead of a real source. Thank you for pointing it out to me.

JCitizen

Good post, blue smirnoff. Sounds like my general tactic. I've yet to test the real-time SASpyware function, to see how much it impacts system resources on older PCs. The bulk of my clientele still use older designs, even if they all have 1 GB+ of RAM!

Michael Kassner

About SuperAntiSpyware from other members, and I am for sure looking into it. Not sure if you knew this, but MBAM does have active scanning if you purchase the full version. Have you put MBAM and SuperAntiSpyware head to head, perchance? I'd love to hear about any results. I also use HiJackThis, but get a bit spooked as to what exactly is what in the log file. I feel as if I know enough to be dangerous and that's it.

Michael Kassner

I see that A-squared has almost double the downloads on Download.com, which says something to be sure. Can you give us a little bit more detail as to why you like it better? I for one am interested to learn more about your tests.

Michael Kassner

That works against that piece of malware. I know a lot of people that are thankful for that, including me.

bennie3327

I encountered AV 2009 last week after Googling some newspaper articles. It popped up right after reading one of the articles. Mind you, I am not sure if I inadvertently clicked on something in a right-side column or not, as I was reading the information to a colleague at the time. Kudos to TechRepublic users for alerting me to Malwarebytes last week. It solved my problem. Now, after reading through this particular string of comments, I believe it has resolved problems for many other users. I am going to investigate GMER as well.

The Scummy One

they are called e-Gremlins. Nasty e-Beasts that constantly are there to mess with everything and cause issues. They originated in Lightning Bolts, however the Government transferred them into the wild. They now reside on every electrical outlet, computer, toaster, light bulb, etc. the world over. These nasty beasts are here to stay, and they do not take kindly to threats, however, the right ones can make them behave for a short time at least. They are responsible for 99.999999% of all problems with any/all electrical devices. I am currently working on a plan to integrate myself into the computer with an e-rifle to scare the cr@p outta them and make them leave my area of control alone.

Michael Kassner

I am finding in the comments that AV applications aren't doing so well when considering already installed malware. The question then becomes: is the AV application missing the malware at the initial point of infestation as well?

Michael Kassner

Thanks Randolph, I'm not familiar with A2-free, but I intend to check it out.

Michael Kassner

Interesting about EndPoint 11. I'm just about ready to deploy it at one of my clients. They have been a bit hesitant to migrate. Have you had any issues with it or the Control manager? Let us know what you think about MBAM if and when you use it. I'm always looking for comments good and bad about scanners.

Michael Jay

It is a zombie thread, but a good one. MBAM has gotten me out of a few nasty spots from time to time; nice to remind people, just in case they missed it the first time around. A fine tool.

Jacky Howe

the only problem that I have faced recently is having to rename MBAM. willcomp calls it morphing, and it will get blocked by the virus/malware if you don't rename it.

Michael Kassner

That's a good list. As much as I'm at that site, I missed that.

Quirkly

Third-party themes/icons? Probably, just not by me. There are so many remote-ing, delayed restore, system control files in the sys32 folder that I cannot keep up, nor can I delete them. I do not own them, nor can I change the ownership. Yeah, Dependency Walker is wonderful. DW is recommended by computer forensic types, but I cannot get any of the mainstream AV types (to whom I paid money) to appreciate what it is saying. I agree about booting from other media--I cannot get it to boot off a CD; it says it will but does not, as the corrupted files are loaded, not those from the CD. I change the BIOS, it changes it back before I can do anything. I have lost track of the clean installs, low-level formats, etc. Nothing seems to touch it. I am really at a loss. Please let me know if you have any ideas. Thanks for looking at my post.

jemorris

I had a couple of computers that wouldn't update their different AV products and found one of the Vundo rootkit variants. Used the removal tool I downloaded from Grisoft's site. Didn't think about renaming the MBAM install file. Duh...

megamanx

The real-time protection is only included in the paid version of A-squared also, so it's rather that you guys go for alternatives like Spybot and Ad-aware with real-time. I might give the 2 (A-squared and MBAM) a go once again, but as of yet, no malware. I really can't be sure, though. Sometimes when my computer has had malware, AVAST! (both thorough and boot-time scan) and A-squared were great in removing many things, but HijackThis picked up the rest that the 2 proggies couldn't.

megamanx

Just giving out a note that on the scans I have done with many scanners, including MalwareBytes, Ad-aware, Super Anti-spyware, Spybot, etc., A-squared picked up stuff that they couldn't find. But I have said before that even though it was good then, it might not be as good as MalwareBytes now. I spread the word to many friends and friends do the same to theirs, so this might help explain the higher download trend. I can't give any more data on that because the scans I performed were in '05, to see which I'd rather have as my main anti-spyware program.

Michael Kassner

Also, thanks for sharing your experience. Perchance do you remember what MBAM said it found?

JCitizen

You put BALTHOR to shame! :p

seanferd

Why hasn't HAL 9000 taken care of this already?

seanferd

it was in the government torrent. :0 Mostly it's in storage (HDD, flash drives), but it does get around.

DHCDBD

of today attacks the AV. It does not completely disable the AV, but only renders it ineffective against the particular threat. Makes no sense to give yourself away by completely disabling the tool that you are using to lull the user into a false sense of security.

JCitizen

A-squared was my backup long-term deep scanner. I use Adaware Pro and MBAM as lightweight blockers, but for monthly or midnight scans A-squared was the one for me. It would even find remnants and trace files, and registry problems after a malware fight. Only thing is, it recently quit updating after an MS update, so I downloaded Superantispyware as a substitute. Things have been so clean lately that I don't find anything from any of the utilities I use; BUT MBAM is always popping up telling me it is blocking some IP or malware download somewhere. So I suspect it keeps MOST problems at bay as a daily lightweight solution; for too-late cleanup, A2 or SASware is the answer. Superantispyware is always offering cheap 9 dollar real-time protection, but I haven't got a chance to try it yet on a client.

JCitizen

utility/scanner. It is quick and light on resources, and doesn't conflict with other good AV utilities. Also, I think Brian Krebs or some other heavyweight said it actually removes obsolete definitions from its database so it can remain quick and nimble! A2 is too expensive to buy for real-time protection, if my memory serves me correctly. It has some false positive issues, but quarantining solves this. It is a great backup and midnight scanner, as it takes forever to update and scan, although I must admit it really isn't that bad since I have 1 terabyte of storage to scan. I am just too busy to use it any other time, and as of this Sept '09, I'm not sure it has been fixed since the last MS update, which disabled its update ability.

Michael Kassner

Any info helps, and I appreciate you taking time to respond. Malware acts so inconsistently that any additional data points make all of us that much wiser.

bennie3327

Sorry, I do not. I have slept a couple of nights since then. It did find 3 items though.

Michael Kassner

I forget about that aspect more often than I should. Minimal footprints.