Removing Malware From The Inside

Running anti-spyware software inside the newly cleaned-out system produced another surprise.

One of the LAN-based scanners I ran on the machine was Malwarebytes' Anti-Malware, which, as expected, found and removed a number of infections. But a couple of days later, when I installed MBAM inside the newly cleaned-up system, it found a lot more. Could it all be due to a couple of days of new "fingerprints"? I asked Marcin Kleczynski of Malwarebytes Corporation about the difference between scanning from inside vs. outside the infected copy of Windows. He said:

"For optimal results, we typically recommend that our scans be conducted from the actual infected operating system. This allows our product to maximize use of our detection algorithms and heuristics and have them work together in the native OS environment. However, we do have somebody working on a BartPE plugin development tool that shows promise. It loads the registry hive and mounts the file system to attempt to mimic the infected operating system. For best results, we will continue to recommend the installer package that we currently offer."

So scanning from the outside is not, in and of itself, sufficient. BartPE, which Marcin mentioned, is the foundation for the Ultimate Boot CD for Windows. It too is a bootable, limited-function edition of Windows on a CD.

A similar pattern appeared when running SUPERAntiSpyware from outside and from inside the infected system. Running from the inside, for example, the software found cookies that weren't detected from the outside. I also asked SUPERAntiSpyware about the difference between the two environments and how SUPERAntiSpyware compares and contrasts with MBAM.

According to Mike Duncan, the Director of Business Development for SUPERAntiSpyware:

"Neither SUPERAntiSpyware nor MBAM currently mounts the registry hives when scanning in a remote or slave drive situation. We have technology in our labs to handle this situation and will likely be providing this in a future version of SUPERAntiSpyware. We anticipate our thousands of resellers/computer repair shops will welcome this addition, as it can make cleaning a tough infection much easier."

This is good news. Both companies are working on treating the infected registry as a registry, by loading its hives, rather than as just another set of files when running outside the infected system. That should be a big step forward in removing malware, since the registry is where most infections record how they get started.

Nick Skrepetos, the president and founder of SUPERAntiSpyware expands on the topic of scanning from inside vs. outside:

"Infections are typically divided into two categories - executable "files" and registry/folder/file "traces". The executable file is the "heart" of the infection. While the traces are part of the infection, they are not the culprits that are actually doing the harm. You can think of it this way - a bank robber his/herself would be the "executable file" and their tools would be the "traces". Essentially the "traces" (tools) would be useless without the bank robber him/herself. SUPERAntiSpyware focuses on the "heart" (executable files portion) of any infection as this is where the damage is being done.

"In practical spyware/malware removal there are several practiced methods that can be used to detect and remove spyware from an infected system. The first, which we will call "native" scanning, is a method in which you run the scanner on the infected system directly. The second, which we will call "slave" scanning, requires that you place the infected drive in a non-infected system and scan the slave drive from the non-infected system. The third, often referred to as "remote" scanning, involves using a CD or USB drive on the infected computer to run an operating system that is not active on the infected system and then scan the infected system from the CD/USB drive.

"Each method has its advantages and disadvantages. Specifically, most current anti-spyware/malware products cannot remove registry traces from a slave or remote drive. SUPERAntiSpyware has technology to handle the situation and we are looking at how to best position this for our technicians and end-users. While registry traces are not "harmful," SUPERAntiSpyware does detect traces as well, but that is not our focus.

"SUPERAntiSpyware has advanced technology to eliminate the "hard to remove" infections, and products such as MBAM work more on a "trace" oriented system and thus are a great complement to SUPERAntiSpyware. No single product can catch everything on a given day due to the thousands of new infections released daily. Running both products together will typically yield a clean system."

The last point is very important: there is too much malware for any one product to cope with all of it. If at any time you suspect an infection, multiple scans with multiple products are the best approach.
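As an added example of what "treating the infected registry as a registry" means in practice during the slave or remote scanning Nick Skrepetos describes (this is illustrative PowerShell written for this page, not code from Malwarebytes, SUPERAntiSpyware or BartPE), the script below loads the offline SOFTWARE hive and each profile's NTUSER.DAT from a mounted infected drive with reg.exe, lists the Run/RunOnce autostart entries they contain, maps the paths those entries reference onto the drive as it is mounted now, and reports whether each executable is actually present along with its SHA-256. The mount point D:\, the original drive letter C:, the list of keys and the function names are assumptions; it needs an Administrator prompt on the clean host (or a WinPE-style boot), a Vista-or-later profile layout under \Users, and a PowerShell with Get-FileHash (4.0 or later).

```powershell
# Added example (not Malwarebytes' or SUPERAntiSpyware's code): enumerate autorun entries
# from the registry of an offline ("slave" or "remote") Windows installation by loading its
# hive files with reg.exe, then check whether each referenced executable is on the mounted disk.
# Assumptions: run as Administrator; the infected installation is mounted at $OfflineRoot and
# saw itself as $OriginalDrive when it was running (both are made-up values for this example).
param(
    [string]$OfflineRoot   = 'D:\',
    [string]$OriginalDrive = 'C:'
)

# Map a path stored in the offline registry onto the drive as it is mounted now.
function Convert-OfflinePath([string]$Path) {
    $root = $OfflineRoot.TrimEnd('\')
    $p = $Path -ireplace '%(SystemRoot|windir)%', "$root\Windows"
    $p = $p    -ireplace '%ProgramFiles%',         "$root\Program Files"
    $p = $p    -ireplace ('^' + [regex]::Escape($OriginalDrive)), $root
    return $p
}

# Load one hive file under a temporary key, read the given subkeys, then unload it again.
function Get-OfflineAutoruns([string]$HiveFile, [string]$MountKey, [string[]]$SubKeys) {
    if (-not (Test-Path -LiteralPath $HiveFile)) { return }
    & reg.exe load $MountKey $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $HiveFile"; return }
    try {
        foreach ($sub in $SubKeys) {
            $key = "Registry::$MountKey\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }     # PSPath, PSParentPath... are not registry values
                $cmd = [string]$p.Value
                # The executable is the quoted token or, failing that, the first whitespace-delimited token.
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                $onDisk = Convert-OfflinePath $exe
                $exists = Test-Path -LiteralPath $onDisk
                [pscustomobject]@{
                    Hive    = Split-Path $HiveFile -Leaf
                    Key     = $sub
                    Name    = $p.Name
                    Command = $cmd
                    OnDisk  = $exists
                    SHA256  = if ($exists) { (Get-FileHash -LiteralPath $onDisk -Algorithm SHA256).Hash } else { 'MISSING' }
                }
            }
        }
    }
    finally {
        [GC]::Collect()                                   # release key handles so the unload succeeds
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload $MountKey | Out-Null
    }
}

$machineKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$results = @()
$results += Get-OfflineAutoruns (Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE') 'HKLM\OfflineSW' $machineKeys

# Per-user hives: every profile's NTUSER.DAT carries its own Run/RunOnce keys (hidden file, hence -Force).
# On XP the profiles live under "Documents and Settings" instead of "Users".
foreach ($ntuser in Get-ChildItem -Path (Join-Path $OfflineRoot 'Users\*\NTUSER.DAT') -Force -ErrorAction SilentlyContinue) {
    $results += Get-OfflineAutoruns $ntuser.FullName 'HKU\OfflineUser' @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce')
}
$results | Sort-Object OnDisk, Hive | Format-Table -AutoSize
```

An entry whose target shows as MISSING is a "trace" in Nick Skrepetos' terms: a leftover pointer with no executable behind it. Entries that do point at a file are the ones worth hashing and handing to the scanners, and the hash lets you compare the same file across runs from inside and outside the infected system. The script only reads; a Remove-ItemProperty against the loaded key before the unload would be written back into the offline hive, so copy the hive files first if you intend to edit them.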

Both Malwarebytes and SUPERAntiSpyware have a similar business model: manual malware removal is free, while the commercial version of each product prevents infections, updates itself automatically and runs scheduled scans.

One thing to like about both Malwarebytes and SUPERAntiSpyware is that the products are sold for a one-time fee. With MBAM this is always true; with SUPERAntiSpyware it's an extra $10. The competing commercial software that I'm aware of is rented on a yearly basis. Just last month, Symantec and McAfee " ... each agreed to pay the New York Attorney General's office $375,000 in fines to settle charges that they automatically charged customers software subscription renewal fees without their permission."