I have a folder on my PC that I'm 100% sure is spyware. For some reason Malwarebytes doesn't detect it when I scan the folder while my PC is booted from UBCD4Win. Instead it only detects it when I scan in normal XP mode. Why?
Why does this happen?
#2
Posted 25 August 2009 - 07:18 AM
Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work unless you boot XP normally. Additionally, scanning from a bootable disk or from safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM.
~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
#3
Posted 25 August 2009 - 02:51 PM
Blade Zephon, on Aug 25 2009, 07:18 AM, said:
Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work unless you boot XP normally. Additionally, scanning from a bootable disk or from safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM.
~Blade
How exactly does the MBAM driver help in detection?
#4
Posted 25 August 2009 - 09:36 PM
MBAM used in portable mode is only supported for corporate use if I am not mistaken.
MBAM is intended to take up where an AV leaves off, it's using a driver loaded in normal mode to catch rootkits and depends upon heuristics for much of its usefulness. Scanning from a second environment pretty much eliminates heuristics.
Its database is extremely small, an AV uses large databases and can detect more types of files.
Chewy
No. Try not. Do... or do not. There is no try.
#5
Posted 26 August 2009 - 09:17 AM
When compared to other security tools like Spybot S&D and Ad-Aware, the advantage of MBAM is that it uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits.
Most anti-rootkit scanners will not work in safe mode because they utilize a driver which is required for the scanning process and that driver will not load in safe mode. Further, there are rootkit variants (haxdoor) that run in safe mode so the usual reason for running a scan in that mode does not apply.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
