What are the steps to efficiently scan & remove viruses & spyware?


MMAUY
01-28-2008, 07:57 PM
How do you do this and what are the steps?
I am trying to learn as much as I can.

Are there any common viruses/spyware, that most infected computers get?

What do you do when an infection disguised as an anti-virus/anti-spyware keeps popping up and cannot be uninstalled? I've tried spy doctor, CCleaner, HijackThis, AVG, Ad-Aware but it just does not go away. I'm ready to re-format.

gunslinger
01-28-2008, 08:34 PM
I had this problem a while back with a customer's PC. I tried everything you tried and still got the pop-up at the lower right telling me that the computer was infected and I needed to install their "special software". This is what I did to get rid of this:

First run Spybot S&D in safe mode. After that's done:
Be careful here.
Open regedit (Start > Run > regedit, press Enter).
Expand the branches until you are at this location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice
Highlight cmdservice, right-click and choose Delete in the context menu.

If you have trouble deleting a key, then click once on the key name to highlight it and right-click > Permissions.
Then make sure you are Administrator and give yourself Full Control of that key: place a check next to Allow Full Control (if it's not there already).
You might need to click Advanced and place a check next to [x] Inherit from parent the permissions that apply to child objects.
Click Apply, then OK, until you're back at the suspect service key; right-click and delete the key. Close the Registry Editor when done.

Do the same for this key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

This fixed it for me.

nonchalant
01-29-2008, 12:28 PM
For the viruses I'd run Kaspersky. They have a free trial version on their website. For the spyware I'd run Advanced windows care and Windows Defender (both free).

If all that fails I'd format and be done with it. Some of this crap is just impossible to remove and it's getting worse.

Or you could try www.aec.cz (http://www.aec.cz)

Laptop Repair
06-19-2009, 07:22 AM
For viruses get any of the good antivirus software and for spyware get Spyware Doctor; the rest of the work the software will do.... so enjoy :)

SuperStuff
08-13-2009, 09:32 PM
I use an old version of AVG's Anti-Rootkit to remove a virus like this. They no longer upgrade the Anti-Rootkit software because it is part of the paid versions of AVG. A combination of virus removal tools are needed in one's arsenal to remove them.

greggh
08-14-2009, 04:30 PM
You can get 99% of them by hand with no scanners. Scanners should not be used as a crutch. They should be used at the end to finish the job by scanning for all the random junk that doesn't matter and getting rid of it.

NYJimbo
08-14-2009, 04:41 PM
I use an old version of AVG's Anti-Rootkit to remove a virus like this. They no longer upgrade the Anti-Rootkit software because it is part of the paid versions of AVG. A combination of virus removal tools are needed in one's arsenal to remove them.

You use an outdated and no longer updated anti-rootkit program to remove new rootkits? :confused:

sys-eng
08-15-2009, 12:12 AM
For viruses get any of the good antivirus software and for spyware get Spyware Doctor; the rest of the work the software will do.... so enjoy :)


Finally!! Now I know how those "techs" advertise that they remove viruses and all sorts of infections for $40 or less. :rolleyes:

Cambridge PC Support
12-31-2009, 07:52 PM
strip unnecessary startup items with CCleaner
remove temp files to speed scan process
MalwareBytes AntiMalware
then Spybot S&D
then online Trend HouseCall

Catch
01-02-2010, 09:16 PM
Since I'm trying to differentiate myself from the big box stores, I rarely wipe and reinstall (unless the person has practically nothing on their computer).

My clients usually are having problems because they not only click on the wrong things, they (1) have no antivirus or let it expire or (2) are having problems because they're running too many AV/malware programs. As part of the cleanup process, I usually have to uninstall a few programs.

I make sure that the hidden files are viewable, then almost always run ccleaner, malwarebytes, and Hijack This. (I usually forget to do this, but I've read that it's good to enable all programs in startup/msconfig.)

Then, depending on what it is, I try fixes specific to the problem (googled):

Two good sites for such fixes are Bleeping Computer and MajorGeeks.

For example, I got the following from Bleeping Computer on how to remove Windows Police Pro that's worked very well for me:

[unable to post URL!]

Sometimes removal tools, such as Combofix (which I understand is no longer available), are the only things that do the trick--not to mention fix damage to Windows/connectivity problems. (FYI: Combofix can be dangerous, if you're in a hurry . . . )

I finish with an online scan (usually either Bitdefender or Symantec) in safe mode to be sure I got everything, and then toggle system restore to wipe out old restore points that might harbor bugs.

Then before I give the computer back, I make sure they have some kind of protection, even if it's only AVG Free.

This probably isn't as efficient a system as the other answers, but I rarely get a call back to fix the same problems.

iisjman07
01-02-2010, 10:45 PM
Phase 1:
I run a quick scan of the system32 directory with DrWeb to cure any infected drivers (bastard rootkits) (ETA 5-10 mins)
Use tools on the avast BART cd to:
-Scan for viruses using avast! (ETA XX mins (depends on amount of files, etc.))
-Remove temp files (ETA 1min)
-Remove infected registry autostarts/drivers/services/etc (ETA 1min)

Phase 2:
Next I do manual removal from the host operating system which involves:
-Suspending/killing/removing infected processes with Process Explorer (ETA 1min)
-Run a couple of passes of HiJackThis on the machine removing anything bad (ETA 2 mins)

Phase 3:
Now I run a spyware scanner:
-Quick scan with MalwareBytes or SUPERantispyware if MBAM won't load (ETA 10 mins)

Phase 4:
Restart and make any finishing touches (change IE home page, reset wallpaper, flush system restore, remove registry restrictions, etc) (ETA 5 mins)

I don't always do it in this order, sometimes I skip unnecessary bits out.


What do you do when an infection disguised as an anti-virus/anti-spyware keeps popping up and cannot be uninstalled? I've tried spy doctor, CCleaner, HijackThis, AVG, Ad-Aware but it just does not go away. I'm ready to re-format.

These infections are all based on pretty much the same thing, they're mostly variants. Therefore it is difficult for the antivirus vendors to keep up, so it's a good idea to brush up on manual removal. Good programs to use are: Process Explorer (by SysInternals), Autoruns (by SysInternals) and HiJackThis (by Trend Micro), however you'll need to learn how to use them effectively.

layoric
01-02-2010, 11:42 PM
I generally remove the offending drive from their system, hook it to my scanning system, then throw many scanners at it. Eliminates MANY problems due to their system, and is much quicker and more efficient.

Layoric

joemessman
01-04-2010, 08:55 PM
If you remove the drive and hook it to another PC and scan, you still have to hook it back to the original PC to remove remaining malware when booted into Windows. Some malware has to be running to remove.

iisjman07
01-04-2010, 09:45 PM
If you remove the drive and hook it to another PC and scan, you still have to hook it back to the original PC to remove remaining malware when booted into Windows. Some malware has to be running to remove.

True, but usually (if done well) the left over infections will not actually pose much (if any) threat. Things like redundant registry keys pointing to files that don't exist or services that can no longer start without their files. This is usually fixed with a quick scan of the registry.

Catch
01-05-2010, 01:13 AM
Layoric: Never thought to slave drives routinely to scan for viruses. I only do that on my worst cases (and learned the hard way that you have to delete any files in quarantine before you remove the drive).

What do you scan with? (Since you said "many" what are the top 5 or so?)

iisjman07: Sounds lean and mean. I'm going to try your way on an infected computer I'm getting tomorrow.

You said: "Good programs to use are: Process Explorer (by SysInternals), Autoruns (by SysInternals) and HiJackThis (by Trend Micro), however you'll need to learn how to use them effectively."

Autoruns is amazing. Very familiar with HJT. Any tips/website to help me learn to use Process Explorer effectively? Found this video:

microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

Catch
01-05-2010, 02:14 AM
avast BART is $300.00? Holy <expletive deleted>.

onetech4all
01-13-2010, 08:52 PM
First of all, have a backup of the hard drive.
Secondly, hook it up externally to your tech laptop or desktop, if you are at your garage/shop/home, scan it with 2-3 antiviruses, some spyware/malware removal software tool (e.g. Malwarebytes, etc).
I found in several cases that this last step eradicates about 70% of "crapware" on the computer, maybe more.

Hook up the hard drive to the computer it came from and do some more scanning for "crapware" on it.

It's not an easy process, time consuming and expensive.

In really bad cases, forget the whole removal, back up the stuff you need and wipe it clean. Before you put your stuff back on it, install an antivirus first.

lgtechcomputers
01-16-2010, 04:12 AM
I generally remove the offending drive from their system, hook it to my scanning system, then throw many scanners at it. Eliminates MANY problems due to their system, and is much quicker and more efficient.

Layoric

This is a great way to deal with stubborn infections or systems that are very unstable.

I usually boot in safe mode and run "Malwarebytes Antimalware". However other difficult infections might take several passes.

I cannot post URLs yet but do a search on Elite Killer and look for John's Malware Guide. I have read it several times and sometimes come back to consult. I think it is a great resource.

Cambridge PC Support
01-16-2010, 02:29 PM
I generally remove the offending drive from their system, hook it to my scanning system, then throw many scanners at it. Eliminates MANY problems due to their system, and is much quicker and more efficient.

Layoric

me too if it's a really slow PC :)

Cambridge PC Support
01-16-2010, 02:31 PM
Phase 1:
I run a quick scan of the system32 directory with DrWeb to cure any infected drivers (bastard rootkits)

anyone else use this? any good?

NickCat11
01-16-2010, 07:27 PM
anyone else use this? any good?

Yes, it's a must to have in your toolkit.

trapped
01-17-2010, 03:57 AM
I started out slaving and doing scans, but I found that it took too long and too often they wouldn't find the rootkit. All I do now is boot off a UBCD4WIN CD and remove everything manually. Reboot and then run an MBAM scan. This will fix 95% of the current rogue antivirus viruses in under 30 minutes.

ZenMike
01-17-2010, 04:09 PM
I usually boot in safe mode and run "Malwarebytes Antimalware".

I heard an interview with the Malwarebytes guy a while ago and he said it's intended to, and runs best, *not* in Safe Mode. He said it takes advantage of (relies on) some of the same technologies as the malware to do the cleanup.

I understand the concerns, I'm just passing along what he said. I want to say it was on Mike Tech Podcast, but I'm not 100% sure.

daeemann
02-18-2010, 09:49 AM
I usually don't slave the drive to run the antivirus software. Usually it takes longer. You run the antivirus when the computer is slaved. But so many viruses are left once you boot the computer back up. I've tested it before. You ran the exact same antivirus program when you had the hard drive slaved, and all of a sudden it starts finding so many viruses. It makes slaving the drive almost pointless.

The only time I slave the drive is in the worst case scenario, where windows won't even boot up.

Usually I run SUPERAntiSpyware doing a full scan, then Malwarebytes at quick scan, HijackThis; based on the log file I might use SmitFraudFix or ComboFix. Then I check msconfig, and use Autoruns, CCleaner to remove temp files, then disable and re-enable System Restore, then I use CCleaner again to remove unnecessary registry entries, but I keep backing up the registry first.

karatechops4u
02-18-2010, 05:37 PM
the Elite Killer guide is excellent. I've been looking for an in depth guide just like it, thanks to wayliff for the suggestion!

sandvtech
02-18-2010, 05:56 PM
Hello to all, I was reading the posts here trying to learn more about how people were handling removing malware and viruses to get better at it and wanted to add to the discussion.

I usually start by booting to see how bad the computer is. If the desktop is showing, I try to install Malwarebytes and do a manual update. If it installs, I go ahead and install SUPERAntiSpyware and manually update it. If it doesn't install I run rkill and try again. Check to see if the customer has antivirus on the PC and if not, I install an extra copy of NOD32 I have. I enable all folders to be seen. Install CCleaner and clean all temp files and run a scan with Malwarebytes and SUPERAntiSpyware and reboot. When the PC comes back up, make sure I have the latest updates on everything and run a scan with Dr.Web. Usually run scans with Malwarebytes and SUPERAntiSpyware until they find no traces of malware. Then usually run a scan with the HouseCall online scanner. I don't deal much with HJT or Autoruns because I don't know how to use them, but if anybody has any suggestions on how to learn them, it would be nice to learn. I then uninstall my tools and antivirus and install at least a free copy if they don't buy a copy from me, clean the registry using CCleaner and run a chkdsk. I am now starting to add ThreatFire to my list of installations.

If the desktop does not show, I try rkill and if that doesn't work, I boot to safe mode and try it from there, and just start with Malwarebytes, and when the PC reboots I can usually get to my regular starting point.

For those computers that are locked up or too bogged down, I usually remove the drive, hook it to my laptop and run a set of scans and reinstall the drive, or use a boot disk, and that usually gets me to where I can do what needs to be done.

This has all seemed to work really well for me, but recently I had one PC that was showing clean with everything I scanned it with and someone looked at an HJT log and said I was still infected.

I'm looking to learn, so if anyone has better ways please let me know.

lgtechcomputers
02-20-2010, 01:19 AM
I heard an interview with the Malwarebytes guy a while ago and he said it's intended to, and runs best, *not* in Safe Mode. He said it takes advantage of (relies on) some of the same technologies as the malware to do the cleanup.

I understand the concerns, I'm just passing along what he said. I want to say it was on Mike Tech Podcast, but I'm not 100% sure.

Thanks for the info! I'll keep it in mind.
I have been successful doing it like that but maybe I could have done better.

lgtechcomputers
02-20-2010, 01:30 AM
the Elite Killer guide is excellent. I've been looking for an in depth guide just like it, thanks to wayliff for the suggestion!

Yes it is awesome - I come back to refresh from time to time..

kagman
02-20-2010, 01:45 AM
What bothers me is that some techs are only taking a few minutes to find and get rid of viruses, etc. This is a time-consuming process. One must remove the files we think are problems/bad, but that's only part of the battle. It seems that a majority of us are on the right track. Scan, scan and scan. Don't rely on just one program. You need to use several programs that have worked for you in the past. Hey, this can take hours and hours, but in the end it's about doing a job you can be proud of. Then there is the joy of seeing the computer work and giving it back to its user. :)


--Jose--

Xander
02-20-2010, 02:35 AM
For the viruses I'd run Kaspersky. They have a free trial version on their website. For the spyware I'd run Advanced windows care and Windows Defender (both free).

If all that fails I'd format and be done with it. Some of this crap is just impossible to remove and it's getting worse.

Or you could try www.aec.cz (http://www.aec.cz)
I'd avoid IObit's Advanced Windows Care at all costs. Use Malwarebytes Anti-Malware .... it's from them that IObit steals their database anyway.

Then, once MBAM does its work, let SuperAntiSpyware get its back.

Back in the old days, Spybot & Adaware were the team to deal with. Nowadays, it's MBAM & SAS.

ideal-pc
03-15-2010, 01:48 AM
I use a combination depending on the infection, one of the most common these days seems to be the pesky fake antivirus stuff. If I can get into Safe mode I use combo fix & roguekill first, then mop up with a rescue CD such as F-secure rescue (yes it's slow but very good!)

Once the system is up & running again, clean up & delete the renamed infected files & run a scan with Malwarebytes or SUPERAntiSpyware just to be on the safe side. Not had a re-infection yet with this process, well not through a fault of my own anyway! Customers who don't update antivirus or insist on free ones, oh yeah! :D

sys-eng
03-26-2011, 08:10 PM
What bothers me is that some techs are only taking a few minutes to find and get rid of viruses, etc. This is a time-consuming process. One must remove the files we think are problems/bad, but that's only part of the battle. It seems that a majority of us are on the right track. Scan, scan and scan. Don't rely on just one program. You need to use several programs that have worked for you in the past. Hey, this can take hours and hours, but in the end it's about doing a job you can be proud of. Then there is the joy of seeing the computer work and giving it back to its user. :)
--Jose--

It is very very rare that I get one that can be repaired in a few minutes.
I try to restore the system back to proper working order which seems to be very rare. Most of the infections that come to me are associated with rogue security programs which have also let in numerous other infections. The time-consuming part is after removing the infections there is often much more work to be done such as:

* repair windows update
* repair web browsers
* repair the e-mail application (calendar, notifications, server connection)
* restore address books if possible
* verify that Microsoft Office programs work (save locations, default templates, etc.)
* restore desktop icons if possible
* repair favorites/bookmarks association to web browsers
* repair QuickBooks links to files and server
* repair drawing programs (Autodesk, SmartDraw, CADPro, TurboCAD, etc.)
* repair photo editors' relationship to jpeg and raw files
* reinstall JAVA and discover which programs require special JRE's
* repair security permissions for God knows how many files
* reinstall itunes (infections often damage files used by itunes)
* reinstall wireless keyboard and mouse

- - Disinfecting the computer was the easy part.

onkyo
03-27-2011, 05:35 PM
Everyone had great suggestions. I think another thing that needs to be pointed out is to make sure and check for updates on:
Java, Flash, Adobe Reader and of course Windows


"NOT Helpful"
You can get 99% of them by hand with no scanners. Scanners should not be used as a crutch. They should be used at the end to finish the job by scanning for all the random junk that doesn't matter and getting rid of it.

"Helpful"
Since I'm trying to differentiate myself from the big box stores, I rarely wipe and reinstall (unless the person has practically nothing on their computer).

My clients usually are having problems because they not only click on the wrong things, they (1) have no antivirus or let it expire or (2) are having problems because they're running too many AV/malware programs. As part of the cleanup process, I usually have to uninstall a few programs.

I make sure that the hidden files are viewable, then almost always run ccleaner, malwarebytes, and Hijack This. (I usually forget to do this, but I've read that it's good to enable all programs in startup/msconfig.)

Then, depending on what it is, I try fixes specific to the problem (googled):

Two good sites for such fixes are Bleeping Computer and MajorGeeks.

For example, I got the following from Bleeping Computer on how to remove Windows Police Pro that's worked very well for me:

[unable to post URL!]

Sometimes removal tools, such as Combofix (which I understand is no longer available), are the only things that do the trick--not to mention fix damage to Windows/connectivity problems. (FYI: Combofix can be dangerous, if you're in a hurry . . . )

I finish with an online scan (usually either Bitdefender or Symantec) in safe mode to be sure I got everything, and then toggle system restore to wipe out old restore points that might harbor bugs.

Then before I give the computer back, I make sure they have some kind of protection, even if it's only AVG Free.

This probably isn't as efficient a system as the other answers, but I rarely get a call back to fix the same problems.

Xander
03-27-2011, 06:40 PM
Everyone had great suggestions. I think another thing that needs to be pointed out is to make sure and check for updates on:
Java, Flash, Adobe Reader and of course Windows


"NOT Helpful"


"Helpful"
Penalizing a perfectly good post as "Not Helpful" without qualifying that statement is in poor sport, new guy (Edit: Aug 2010 but 10 whole posts!)

There was nothing at all wrong with what he said. Your "helpful" post was just more 'spoonfeedy' than the other one. If it was helpful because he named a couple of really well known sites... you need to get out more. Any google search on a piece of rogueware will net you those two in the first page; there should be nothing new about them.

To cite Greggh as being unhelpful for no reason at all? Not cool. In fact, it sways me to use the Rep system here.

Edit: You might also consider contributing to a thread rather than just rating it.

sys-eng
03-27-2011, 07:33 PM
Ditto what eHousecalls.ca said.

If you rely totally on scanners, then you are in trouble when one of these rogue security programs blocks your scanner. Then you scan the drive remotely only to find out that the scanner missed three installers that rebirth the infection on the next reboot or the seventh reboot. The scanners miss the installers because they are self-morphing changing their hash numbers and certificates.

And when was the last time a scanner replaced damaged files for Windows, MS Office, Adobe, QuickBooks, etc.?

studiot
03-27-2011, 09:44 PM
then disable and renable systemrestore

Only one reference to this. It should be writ larger.

I notice several posters recording MBAM finishing in around 10 minutes.

When I get around to using MBAM as a sweeper-upper after the tussle with the main culprit has been won, I am never surprised to see the first red number an hour and a half into a scan.

And tussle is often the word to gain initial control of the machine.

I do find, however that most of the fake AVs have a delay so if you can get your stuff started right after boot you can zap them, before they get fully armoured.

Xander
03-27-2011, 09:58 PM
I notice several posters recording MBAM finishing in around 10 minutes.

They must be running Quick scans. I've only seen 10 minute Full scans on the rarely-seen, brand new, hotfast varieties.

I do find, however that most of the fake AVs have a delay so if you can get your stuff started right after boot you can zap them, before they get fully armoured.

Really? I don't think I've ever seen one with a "go ahead and delete me" delay. Most kick in well before the desktop loads.

studiot
03-27-2011, 10:37 PM
For instance I removed a fake AVG ransom virus last week that took about 2 minutes to 'come on'. The Dell quad core W7 was no slouch BTW.

And for those that like McAfee, this little bugger had taken over the McAfee console, reporting to Windows that McAfee was alive, well and up to date, even though McAfee services were not actually running since it had disabled them.
The client had actually just completed a Mc 'scan' - reported clean before calling me in.

Perhaps a better title to this thread would have been about methods of gaining original control, since the sweepup that follows is pretty mundane if time consuming.

I also echo comments about putting other damage right again after virus removal.

We have discussed all this before here and the methods haven't altered.

MyITGuyOnLI
04-23-2011, 03:29 PM
To get rid of those nasty 'Rogue Anti-Virus Programs', I will (if possible) do a Ctrl-Alt-Del to bring up the Task Monitor and see if I can determine which process is the offending one. I try to track that down via msconfig, regedit and Windows Explorer if it gives me the path. I remove all mentions of it, reboot into Safe Mode and run Malwarebytes.

Granted this doesn't always work, but it is where I start.

There is also a new one that I have seen recently that when you open IE8 it automatically runs this program. They just keep making it more interesting for us to find them!

Martyn
04-23-2011, 04:10 PM
To get rid of those nasty 'Rogue Anti-Virus Programs', I will (if possible) do a Ctrl-Alt-Del to bring up the Task Monitor and see if I can determine which process is the offending one. I try to track that down via msconfig, regedit and Windows Explorer if it gives me the path. I remove all mentions of it, reboot into Safe Mode and run Malwarebytes.

Granted this doesn't always work, but it is where I start.

There is also a new one that I have seen recently that when you open IE8 it automatically runs this program. They just keep making it more interesting for us to find them!

Just boot into Safe Mode and go from there.

frase
04-26-2011, 02:26 AM
This is my general run through

If I can target the process when the system starts, I stop it from the process manager then hunt the file down manually - they are generally only located in specific areas, i.e. TEMP, sys32 etc.

msconfig - check for irregular entries and remove
Delete items from the C:\Documents and Settings\USER\Start Menu\ folder

regedit - check in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries - delete any irregular entries

Check the TEMP & Internet folders and clean all files out.

Check HOSTS file in regards to browser hijacks - and IE or FF settings and set to default.

After I do all this manually then I normally run a software application to make sure, such as SUPERAntiSpyware
:D
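As an added example, not code from anyone in this thread: a PowerShell audit that walks the same places the run-through above checks by hand (Run/RunOnce keys, the Startup folders, the HOSTS file) and flags autostart entries whose target is missing or runs from a temp directory, which is also the stale-key situation iisjman07 describes earlier. It assumes an elevated Windows PowerShell 5.1 session on the machine being examined; the temp-directory list is my own heuristic, not a rule from the thread.

```powershell
# Added audit script (not from any poster in this thread). Assumes Windows PowerShell 5.1+
# in an elevated session on the machine being inspected. It reads the same places the
# manual run-through checks and flags anything worth a closer look; it deletes nothing.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (my choice, not the thread's): directories a legitimate autostart rarely runs from.
$SuspectDirs = @($env:TEMP, "$env:LOCALAPPDATA\Temp", "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ExecutablePath {
    # Pull the program path out of a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent     or     C:\Temp\x.exe -run
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr|dll|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-Autorun {
    # Describe one autostart entry and list the reasons it deserves a second look.
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path = Get-ExecutablePath $CommandLine
    if ($path -and -not [IO.Path]::IsPathRooted($path)) {
        # Bare names such as rundll32.exe resolve through PATH, as Windows itself would.
        $app = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($app) { $path = $app.Path }
    }
    $flags  = @()
    $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
    if (-not $exists) { $flags += 'target missing (stale key or payload already removed)' }
    $lower = $path.ToLowerInvariant()
    foreach ($d in $SuspectDirs) {
        if ($lower.StartsWith($d + '\')) { $flags += 'runs from a temp directory'; break }
    }
    # An unsigned binary is not proof of malware, but it is where to look first.
    if ($exists -and $path -match '\.(exe|dll|scr)$') {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $CommandLine; Flags = ($flags -join '; ') }
}

$results = @()
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run / RunOnce keys (the entries msconfig and HijackThis show).
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip the registry provider's own properties
        $results += Test-Autorun -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}

# 2. Per-user and all-users Startup folders, resolving .lnk shortcuts to their targets.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $results += Test-Autorun -Source $dir -Name $f.Name -CommandLine ('"' + $target + '"')
    }
}

# 3. HOSTS file: any mapping that is not loopback/unspecified is a candidate browser or
#    update hijack, so it is listed for the tech to judge.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hijacks = foreach ($line in (Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*([0-9a-fA-F:.]+)\s+(\S+)' -and $Matches[1] -notin @('127.0.0.1', '::1', '0.0.0.0')) {
        [pscustomobject]@{ Address = $Matches[1]; Host = $Matches[2] }
    }
}

'== Autostart entries with something to explain =='
$results | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap
'== All autostart entries =='
$results | Format-Table Source, Name, Command -AutoSize -Wrap
'== HOSTS entries that are not loopback =='
$hijacks | Format-Table -AutoSize
```

The script only reports; deciding which flagged entry to remove, and re-checking it after a reboot, stays with the tech as the thread describes.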

Eureka
04-26-2011, 01:25 PM
This is my general run through

If I can target the process when the system starts, I stop it from the process manager then hunt the file down manually - they are generally only located in specific areas, i.e. TEMP, sys32 etc.

msconfig - check for irregular entries and remove
Delete items from the C:\Documents and Settings\USER\Start Menu\ folder

regedit - check in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries - delete any irregular entries

Check the TEMP & Internet folders and clean all files out.

Check HOSTS file in regards to browser hijacks - and IE or FF settings and set to default.

After I do all this manually then I normally run a software application to make sure, such as SUPERAntiSpyware

Since you use that manual procedure, maybe you should check a tool that I created and am sharing with everyone on TN: UVK (http://www.carifred.com/uvk). It will allow you to do everything you said in a few seconds and lots of other fixes.

frase
04-27-2011, 12:12 PM
Will check it out, thanks Eureka

I'm still a stickler for rechecking entries manually though, damn OCD hehe :)

FoolishTech
05-02-2011, 06:16 PM
Well, to be correct I used to mostly do it manually, but now I use a program that I wrote which I call D7 to AID me in doing the bulk of the malware removal. All the program does (other than absolutely everything) is allow me to quickly and easily view all the appropriate registry locations "manually" with whitelisting/blacklisting functionality and a few automated tasks as well.

Depending on the severity of the infection (or of course whether I am working remotely or not,) sometimes I start the malware removal with D7 on the system live, sometimes use D7 in offline mode via a network bootable Windows PE 2 based environment, if the machine is modern enough to be capable of booting to our network, or if not I attach it to a "tech bench" machine designed for scanning/removal.

I planned to post about D7 sooner or later anyway. If anyone is interested I have posted a new thread here (http://www.technibble.com/forums/showthread.php?p=212145#post212145).

Aside from D7, for infected file detection on an offline hard drive, on my "tech bench" computer I have Microsoft Security Essentials with realtime protection enabled (though I never actually run a scan with it) but instead I run a command line scan with Kaspersky's SOS tool which they made available to partners at one time (and I scan %systemroot%\System32 directory only if I'm in a hurry) so that when Kaspersky SOS scans each file, both it and MSSE (in real time) get their chance to find the virus.

As side note for those interested, it's been like 6 months since I've seen Kaspersky detect one that MSSE didn't catch first. I only still run Kaspersky due to the ability to do command line scans so I can automate the scans the way I like.

I will say this about MSSE though, I'm not happy with its disinfection, I've seen it fail or screw up the file a number of times, so if it detects a legitimate file as being infected with an actual virus, rather than relying on MSSE to "disinfect" it I'm a fan of just replacing the file with a known good copy. For this reason I keep a copy of the Windows directories of fresh installs (and fairly patched/updated installs, I should add) on my network and will replace a file on an infected machine from that stash in a flash.

When I'm done with the "offline" portion of my scans, then I prepare for any live scans/removal. First I almost always just go ahead and boot to a CD and do a bootrec /fixmbr (vista/7) or fixmbr (xp) before I boot the system live to fix any MBR infection.

Then usually I boot the system, run D7 again which in turn runs Kaspersky TDSS killer (because that's a popular infection for me these days,) and occasionally a few other tools maybe a quick scan with GMER (never a full), and maybe Combofix if it's an XP box.

Worthy of note and I haven't seen it mentioned elsewhere here, I almost always run the obscure and not really malware related Driverview from Nirsoft because even though it isn't intended as a malware detection tool, it _always_ finds KLMD.SYS and other such rootkit like junk - although removal of said junk usually means I need to go back to the offline method, but at least Driverview lets me know when it's present.

For cleaning up the leftovers on the live system, I might run Malwarebytes and an app called Hitman Pro, though sometimes I skip them if I'm pressed for time, and they mostly only find cookies after I'm done with D7 anyway.

Finally if time permits, I will follow up with the client's own installed anti-virus package, whatever it may be, to ensure it doesn't find anything leftover and that it works properly.

layoric
05-04-2011, 07:39 PM
If you remove the drive and hook it to another PC and scan, you still have to hook it back to the original PC to remove remaining malware when booted into Windows. Some malware has to be running to remove.

The file is still there, never came across that problem.

This might have been inferred that I just slave, scan, call it a day. NO! That's the FIRST step, next after the MULTIPLE scans slaved, reconnect to host (system) and scan and observe. Several reboots, testing for suspicious behavior. THEN it's done.

Virus removals are my most time consuming service, as it sometimes involves system repairs (OS) as well.

red12049
05-05-2011, 02:02 AM
In our shop, we usually hit an infected machine with combofix as the first attack. Since combofix will no longer run with AVG installed, we've taken to running the AVG uninstaller, frequently in safe mode.

With a lot of the newer scareware, running the AVG tool also removes the start point for the malware, making clean up a walk in the park. Haven't analyzed why yet, but it works. :)

Rick

dragon2011
05-05-2011, 03:10 AM
How do you do this and what are the steps?
I am trying to learn as much as I can.

Are there any common viruses/spyware, that most infected computers get?

What do you do when an infection disguised as an anti-virus/anti-spyware keeps popping up and cannot be uninstalled? I've tried spy doctor, CCleaner, HijackThis, AVG, Ad-Aware but it just does not go away. I'm ready to re-format.

You can try Safe Mode with Networking, then run Kaspersky, Malwarebytes, Panda and G Data :-). Hope it will help you out.

colonydata
05-05-2011, 04:08 PM
Normally I will do a quick visual inspection, to get the lay of the land. Then I shut it off and use an AV live CD; in the past it has been AVG, but I've been kicking the tires on a couple lately. That normally doesn't get everything, but it thins things out enough to make things easier to work on.

Then I will normally run an MBAM full scan and HijackThis, ComboFix if it's needed.

Get the onboard AV back up and running, and run a scan with that. Verify that it is running with the EICAR test string.

Then I go through and check things like the hosts file, proxy settings etc., and generally just look for things that do not look right.

Then generally I will run a registry cleaner like CCleaner to make sure I didn't miss anything in the registry.

Make sure Windows and the onboard AV are up to date and run one more scan just to verify.

praondevou
05-08-2011, 04:42 AM
A good combination is using CCleaner and Microsoft Security Essentials.

I had Bitdefender too, but it takes a lot of CPU power.

FoolishTech
05-08-2011, 08:52 PM
msconfig - check for irregular entries and remove


I had the argument with a coworker the other day about msconfig's usefulness. He says it's worthless, I say yes it is as a malware fighting tool, however...

My theory behind using MSCONFIG is solely for removing non-malicious startup applications that the customer may actually need - but I just *think* they don't need them.

That way if the customer calls back wanting to know why that (what I thought of as irritating and unnecessary) startup app isn't running, (e.g. some crappy photo uploader software that runs every time you plug in a flash drive...) I can simply have them fire up msconfig and place it back into Normal Startup, and not have to worry about going through the list with them to find that one item, or having them adding back malware related entries and having file not found errors on startup.

Just my 2c on msconfig.

Xander
05-08-2011, 08:59 PM
My theory behind using MSCONFIG is solely for removing non-malicious startup applications that the customer may actually need - but I just *think* they don't need them.
I can simply have them fire up msconfig and place it back into Normal Startup, and not have to worry about going through the list with them to find that one item, or having them adding back malware related entries and having file not found errors on startup.

That's, actually, a pretty good way of handling those. Noted.