Choosing programs

4 replies to this topic

#1 fojoart


Posted 21 January 2016 - 10:08 AM

Hi. I am new to the forum but have been using MBAM for years. My question is: with all of these available programs (adv, mbam, combofix, etc.) how do you know which ones to use? I see that there is a lot of overlap when it comes to these programs (e.g. MBAM will detect adware as well as viruses) but I'm sure I could be using them as a suite of tools in a much more effective manner. Could someone here let me know what workflow they use and in what order? I am just looking for a couple of programs I could run on a user machine and be sure that it is clean. Thank you in advance.


#2 quietman7


Posted 21 January 2016 - 11:08 AM

First let me start by saying that ComboFix was never meant to be used as a general purpose malware scanner like Malwarebytes' Anti-Malware, Zemana AntiMalware, SuperAntispyware, AdwCleaner, etc., which scan individual drives, different folders, the registry, etc. on a computer for malware. If you have not already done so, please read ComboFix usage, Questions, Help? - Look here.

When compared to other security tools the advantage of Malwarebytes Anti-Malware is that it uses a proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits, zero-day malware and malware in the wild. Malwarebytes is designed to be a much more comprehensive scanner than other tools and the new scanning engine in version 2.0 has some enhancements to deal with current threats that the old version did not have...but performs the same way whether using the Free or Premium version. Proprietary scan sections include "Pre-Scan Operations" and "Heuristic Analysis" which at times can be resource intensive leading to a false impression that the scanner is hanging or unresponsive. All scans require loading various databases which alone can take some time to complete.

Malwarebytes Anti-Malware's technology in the Premium version includes a real-time Protection Module that runs at startup to prevent the installation of most new malware, stopping malware distribution at the source. This technology dynamically blocks malware sites & servers, prevents the execution of malware, proactively monitors every process and helps stop malicious processes before they can infect your computer. Anti-virus software is inherently reactive...meaning it usually finds malware after a computer has been infected. Keep in mind that this feature does not guarantee something will not slip through, as no product can detect and prevent every type of malware. The database that defines the heuristics is updated as often as there is something to add to it. Also keep in mind that Malwarebytes Anti-Malware is not meant to be a replacement for antivirus software...it does not act as a real-time protection scanner for every file like an anti-virus program, so it is intended to be a supplement, not a substitute.

Malwarebytes is designed to detect and remove malware effectively by checking memory and looking at the most prevalent places and known launch points (Memory Objects, Startup Objects, Registry Objects, and File System Objects) for active malware infections. The THREAT SCAN also detects any running malicious files regardless of their location, so even if the malware is running from a location not checked by the file system portion of the scan, the THREAT SCAN would still detect it. This check includes not only running processes, but also loaded modules such as .DLLs injected into other processes. Malwarebytes uses advanced heuristics scanning that bypasses polymorphic blackhat packers & encryption, MD5, checks memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other proprietary malware checks which are not discussed in public to safeguard the program from malware writers who would use that information for nefarious purposes. Malwarebytes Free includes the same detection and removal capabilities as the Premium version but does not include any features or benefits provided by the real-time Protection Module.

The Advanced Heuristics Engine (Shuriken) adds a second method of heuristic analysis to Malwarebytes' detection techniques. Shuriken is a supplementary concealed weapon used for detecting newer mutations of infections that have not been added to Malwarebytes' threat database. This feature is turned on by default under the 'Detection and Protection' Option section. However, heuristic analysis is built in and always employed when a scan is performed...even when this option is not selected. Therefore, disabling this setting will not completely remove heuristic analyzing. Enabling the self-protection module controls whether Malwarebytes creates a safe zone to prevent malicious manipulation of the program and its components.

In addition to malicious software detection and removal, Malwarebytes Anti-Malware also detects and deals with two classes of non-malware...these are Potentially Unwanted Programs (PUPs) and Potentially Unwanted Modifications (PUMs). The default setting for detected PUPs is to "Warn user about detections". Malwarebytes will not automatically remove these detections unless you reconfigure (change) the default Non-Malware Protection settings to "Treat detections as malware". Malwarebytes has an aggressive PUP Policy and has been in the forefront to educate product users and blog readers.

For more specific information, please refer to:

Malicious Website Blocking (IP Protection) is part of the Protection Module and works after it is enabled. When attempting to go to a potentially malicious website, Malwarebytes will block the attempt and provide an alert. An outgoing IP alert indicates that a process on your system tried to access a malicious IP and was prevented from loading content onto your system. A browser is not required to be running for an alert to occur...just an active Internet connection with processes running. IP alerts are also triggered by banner ads appearing on websites, since in some cases these ads are malicious. Notification that an outgoing IP address has been blocked does not necessarily mean the computer is infected. Some legitimate programs on your computer (i.e. iTunes, Instant Messenger client, SKYPE, P2P software, web browsers) have access to the Internet and that action can trigger an IP alert if it tried to access a malicious IP address.

IP Protection is also designed to block incoming connections (communications) it determines to be malicious and you did not request from entering your computer. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports (commonly probed ports) and make repeated attempts to access them.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 quietman7


Posted 21 January 2016 - 11:15 AM

AdwCleaner is a portable adware cleaner created by Xplode (a BC Security Colleague) that is designed to search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, browser extensions, add-ons/plug-ins, browser helper objects (BHOs) and other junkware as well as related services, registry entries (values, keys), files, folders and potentially unwanted extensions.

JRT (Junkware Removal Tool) is a non-interactive batch program (command line tool) created by thisisu (a member of the BC Malware Response Team) that is designed to search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, browser extensions, add-ons/plug-ins, browser helper objects (BHOs) and other junkware. JRT will remove all traces of these types of programs, which includes related services, registry entries (values, keys), files, folders and potentially unwanted extensions. JRT will also restore some default settings for Internet Explorer, Mozilla Firefox and Google Chrome. JRT automatically removes whatever it finds...there are no options to skip or ignore detections and no option to backup/restore removed items. Before running, if JRT detects an active Internet connection, it will download the latest copy and relaunch itself automatically.

In June 2015, Malwarebytes announced the hiring of thisisu, and the acquisition of Junkware Removal Tool. JRT will be integrated within Malwarebytes Anti-Malware but the stand-alone program will remain intact for those who wish to use it without Malwarebytes.

#4 fojoart

fojoart
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 21 January 2016 - 11:18 AM

Thank you for the sticky response. I have read that post before and understand what you are conveying. I suppose my original post was not clear or specific enough, so I apologize.

What I am after is for someone to help me gather a simple set of three or so tools that I can use to troubleshoot users' machines when we haven't got a clue just what they have.

(FYI we run Symantec AV)

Currently, if we discover a machine is acting strangely, our practice is as follows:

Boot into safe mode
Run Rkill
Run MBAM (Free)

I realize that I am missing detecting a lot of nasty stuff by only doing this.

So, what else do people use for general purpose scanning and removal?

To put a finer point on it, I am looking for a response similar to this: MBAM - malware, TDSSKiller - rootkit, Sophos - AV, etc.

I just don't know which ones are the most effective. Thank you.



#5 quietman7


Posted 21 January 2016 - 11:35 AM

RKill and MBAM (Free) would be the first steps to start with but there is no need to boot in safe mode.

Why use safe mode? The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using safe mode reduces the number of modules requesting files to only the essentials which make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools. In many cases, performing your scans in safe mode speeds up the scanning process. Scanning in safe mode was a recommended course of action years ago with many security scanners. This was before malware writers began to employ more sophisticated techniques to counter removal efforts in that mode and before we had programs like Malwarebytes which work effectively in normal mode.

Why not use safe mode? Some security tools like anti-rootkit scanners (ARKs) and scanning programs with anti-rootkit technology use special drivers which are required for the scanning and removal process. These tools are designed to work in normal mode because the drivers will not load in safe mode which lessens the scan's effectiveness. Other security tools are optimized to run from normal mode where they are most effective. For example, scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection and removal when used in safe mode because the program includes a special driver which does not work in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of such tools.

Further, scanning in safe mode prevents some types of malware from running, so it may be missed during the detection process. If the malware is not related to a running process (i.e. a malicious .dll) it probably will not make a difference whether you perform a scan in normal or safe mode. A hidden piece of malware such as a rootkit which protects other malicious files and registry keys from deletion may not be detected in either mode without the use of special tools. Additionally, if the scanner you're using does not include definitions for the malware, then it may not detect or remove it regardless of what mode is used. If you're dealing with zero-day malware it's unlikely your anti-virus is going to detect anything. However, programs like Malwarebytes can detect zero-day malware, which is one reason they are recommended to supplement your anti-virus software. Also keep in mind that there are various types of malware infections which target the safeboot keyset, so booting into safe mode is not always possible.

Generally I recommend performing a scan in normal mode unless that mode does not work or the tool is specifically intended for use in safe mode.

I would then follow those scans with AdwCleaner and JRT but there is no definitive specific order to run your security tools or which ones to use.

TDSSKiller Rootkit Removal Utility is a specialized fix tool created by Kaspersky specifically for TDSS rootkit infections, so it only checks those locations (i.e. infected/patched/forged files in the Windows drivers folder and the Master Boot Record) where the rootkit is commonly found. TDSSKiller is a stand-alone application (supporting both 32-bit/64-bit OS) available in .exe or zipped versions, so no installation is necessary. Like ComboFix...TDSSKiller was never meant to be used as a general purpose malware scanner.

Of course there are many other security tools which can be used. See this List of Free Scan & Disinfection Tools to supplement your anti-virus or get a second opinion.

From that list, I would recommend any (or a combination) of the first seven, especially these...Emsisoft AntiMalware, Emsisoft Free Emergency Kit, Zemana AntiMalware and the Kaspersky Virus Removal Tool.

You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan. ESET is one of the more effective online scanners.