Monthly Archives: March 2012

Getting malware, or even having to support end users with malware “bites”/”sucks.” Removing malicious software (malware) can be a big job, particularly if the malware has done more than affect the network stack. One quick trick we use is to reboot to safe mode without networking because the target of a lot of malware is the network stack itself. Once networking is activated a lot of malware springs into action. Unfortunately there’s just some nasty software out there that pops up even in safe mode without networking. This is where software like Malware Bytes comes in handy (more on this in a second).

Once in safe mode we typically run msconfig and disable all startup programs and any suspicious services we’re unsure of (two tabs between programs and services). Next we install Malware Bytes. Obviously we cannot update Malware Bytes without the network stack so the next step is running a simple scan without updated signatures.

The number of malware infections Malware Bytes found on one system

One of the things we love about Malware Bytes is that is tends to have a good detection rate for real infections. Some anti-malware solutions find everything under the sun including every single tracking cookie. When you’re trying to track down serious malware infections it’s a pain to have to go through every cookie to see if it’s wanted or not.

Malware Bytes doesn’t have a perfect detection rate for all the malware out there, but it does a very good job against most spyware.

Another plus to Malware Bytes is that it seems to work well with different anti-virus software. Whether you’re using AVG, Avast, or some other anti-virus solution, Malware Bytes seems to play well.

Malware Bytes is a spyware/malware solution that works great against a lot of web-implemented spyware, but it doesn’t really tackle viruses. That said, combined with Avast we found Malware Bytes sometimes triggered Avast into finding some Trojan. We’d run a Malware Bytes scan with Avast simply installed on the system and when Malware Bytes came across a Trojan up would pop Avast and allow us to clean the trojan.

This combination hasn’t worked in all cases which is why we look to msconfig to help stop certain services and known malware. Things to look for in msconfig are executable file names that are numeric, like 5780298.exe. We write suspicious services and filenames down and sometimes track them through the Windows registry (be careful not to corrupt your registry).

Actual infections found by Malware Bytes

If Malware Bytes still isn’t able to remove everything we’ll reboot to normal mode and try to update Malware Bytes then run with updated signatures.

One other strategy is to check your TCP/IP network settings. Sometimes malware will modify those settings. Be sure to check the advanced networking settings and malware sometimes does strange things like pointing to certain proxy servers.

When systems are still infected we sometimes point people to Trojan Remover, which isn’t free, but has a trial that works for a bit.