How-To: Complete Malware Protection and Removal Guide
jbutler9
07-08-2009, 11:45 PM
Hello my fellow Technibblers,
We have all dealt with viruses, spyware, and many other nasties since the days of NT 4.0 (if you were dealing with viruses before then, then I bow to your knowledge). I have read a lot of the posts in this forum and there are many different ways in which many of us handle malware, either before (proactive) or after (reactive) infection.
So, given the following two scenarios, what steps, software, and complaints do you have for each:
Scenario #1:
You have a brand new computer out of the box, how do you handle (steps, software, and your personal complaints) proper Anti-Virus and Spyware Protection (or Malware in general)?
Scenario #2:
A customer has been infected by multiple malware, how do you handle (steps, software, and your personal complaints) proper mitigation, cleanup, and future protection?
jimllfixit
07-09-2009, 01:31 PM
#1
At the moment for a new computer I'm recommending Norton for most of my customers. Either that or Panda. Maybe tell them about Spybot as well and let them know to run a scan from time to time.
#2
If someone has a bad infection then I boot normally (if possible) then run ComboFix and that tends to deal with a lot of bits and pieces. Then after that a Spybot, CCleaner and then a scan using their AV. If their AV is out of date or no good then we install Panda and run a full scan. Job done (in most cases anyway) :)
Then we always recommend sorting out the AV, be it update, register, or buy a semi-decent one.
PCFIXER
07-09-2009, 05:16 PM
Ok, here's my two cents...
Scenario #1:
Run PC Decrapifier and take off all the trial software you know they don't need. I usually take off the trial antivirus programs too. Personally, I hate McAfee anything. Based on the amount of memory, I try to find a free AV program that doesn't hog up memory resources (which are starting to become rare); I usually go with AVG or Comodo AV. If Windows Defender is installed, I usually configure it for a daily scan and to delete or quarantine anything it finds.
Scenario #2:
Boot up straight to Safe Mode
In regedit, go to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete any entries that aren't legit programs (use google as reference)
Reboot to normal mode
Go to Add/Remove Programs or Vista equivalent
Uninstall any spyware programs (if possible)
Delete Internet and temp files (or use cleanup tool)
Download your favorite AV and spyware removal tools (via Firefox if IE is down)
Install and update them (do not run yet)
Reboot to safe mode
Run programs to remove infections
Reboot to Normal
Look for and remove leftover files, shortcuts, and folders on Desktop, Startup folder, Program Files, Local Data folders.
Run AV/Spyware app a second time if needed.
I'm sure I left out a detail or two, but this is just a quick summary... hope this helps.
Disclaimer: individual results may vary
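The Run-key check in PCFIXER's Scenario #2 can be done against a text export instead of by eye. This is an added example, not PCFIXER's tool or any project's code: it parses the two Run keys out of a regedit export (assumed already decoded to text; regedit writes UTF-16) and lists the entries a technician should look up first. The sample export, its value names and its program paths are all constructed.

```python
import re

# Constructed sample of what regedit's "Export" writes for the two Run keys;
# the value names and program paths are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /background"
"sysupdate"="C:\\Users\\Bob\\AppData\\Local\\Temp\\svchost.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\Windows\\system32\\audiotray.exe -s"
"winlogin"="C:\\Users\\Public\\winlogin.vbs"
'''

SECTION_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
STAGING_DIRS = ('\\temp\\', '\\users\\public\\', '\\recycler\\', '\\$recycle.bin\\')
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe'}

def unescape(value):
    # .reg strings double backslashes and escape quotes; undo both in one pass
    return re.sub(r'\\(["\\])', r'\1', value)

def exe_path(cmd):
    # Program path from a Run command line: a quoted path, or the bare path up to its extension
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|com|scr|bat|cmd|vbs|js))\b', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd.split(' ')[0]

def reasons_for(path):
    # Heuristics a technician applies before Googling the entry; a hit is a prompt, not proof
    p, base = path.lower(), path.lower().rsplit('\\', 1)[-1]
    checks = [(any(d in p for d in STAGING_DIRS), 'runs from a user-writable temp/public folder'),
              (base in SYSTEM_NAMES and not p.startswith('c:\\windows\\'), 'system binary name outside C:\\Windows'),
              (p.endswith(('.vbs', '.js', '.bat', '.cmd')), 'script launched at logon')]
    return [text for hit, text in checks if hit]

def triage_run_keys(reg_text):
    # Returns [(hive, value name, program path, reasons)] for entries worth checking
    hits, key = [], None
    for line in reg_text.splitlines():
        sec, val = SECTION_RE.match(line), VALUE_RE.match(line)
        if sec:
            key = sec.group(1)
        elif val and key and key.endswith('\\Run'):
            path = exe_path(unescape(val.group(2)))
            if why := reasons_for(path):
                hits.append((key.split('\\')[0], val.group(1), path, why))
    return hits
```

REG_EXPAND_SZ values export as `hex(2):` lines and are skipped by this parser, so check those by hand.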
iisjman07
07-10-2009, 02:50 PM
1) I have a 'security pack' that I offer to install for my clients, which includes AVG, spybot and malwarebytes. The best thing is they can all be silently installed and updated from the command line, so I just run a pre-made batch file and come back in 20 minutes!
2) I boot into UBCD4WIN and download DrWeb CureIT. I run a scan of C:\WINDOWS\ and C:\Program Files\ to determine if there is any 'virut' or similar style infections (DrWeb can cure most of them). If there are then a full scan is needed.
I then load up Avira, update and run a full scan (very quick scanner+high detections), remove anything found.
I then boot into normal mode and run the batch file which I mentioned above, which backs up the registry + hives, random necessary system files, drivers, then runs CCleaner, removes old restore points, runs Hitman Pro (G Data, Nod32, AntiVir, PrevX, a-squared), installs AVG, runs a quick scan, runs a Webroot quick scan, runs a mbam quick scan, generates an ESET SysInspector log, and does some more stuff. I then run 'regedit' and remove any policies on the system. I know it sounds like a lot, but it is unattended, so I can pretty much just double click the autorun for my cd and come back later.
bagellad
07-13-2009, 04:03 PM
Hi jbutler9
Virus Removal - Typically I boot into safe mode, run CCleaner, remove any registry entries, close any unneeded exe's running in Task Manager, install Malwarebytes and an antivirus, usually AVG, although I used to use Avira. Then I run those.
Then log on and see what has survived, then I google them and usually remove them manually, or ask the customer if they have anything important, then run ComboFix if it's malware (since I heard it screws up the computer about 1 in 100).
That being said, if I have been sitting there for more than an hour or so and still battling with the viruses, not making much headway, I typically suggest a Windows reinstall, due to it being better value for the customer. (Most could use it anyway; I roll my first hour into the install price).
Doctor Micro
07-14-2009, 02:33 PM
Most seem to have focused on an already-infected PC and I'm sure all listed methods work satisfactorily, but back to the original 2-part question:
Scenario 1: New PC. I definitely agree with PCFIXER's PC Decrapifier advice. A lot of OEMs are getting better about how much junk they load up a new PC with, and some are still bad (are you listening, Sony and HP?). Get rid of all the bloatware, silly games, trialware and embedded installers (icons or Start Menu programs that install things like Encarta, ICQ, Money, Quicken New User Edition, etc.). If the customer wants any of those, you or they can install them from the latest install media or webstore download. If it's a business PC, I'm much more aggressive with removing non-business-related software or features (i.e., MSN Messenger, Internet Games, built-in wallpaper patterns, MSN, etc.). After you're done nuking all the unnecessary crap, run CCleaner and clean out all the leftover registry entries. Glary Utilities can help too. I just did a PC and when I used Glary Utilities to compact the registry after getting rid of all the crap, I ended up with a registry that was 16% smaller! Also, if it's a business PC and it came with a modem, I yank it or disable it in CMOS, and if I know they're not going to have an LPT printer or any serial devices, I disable the parallel port and the serial ports in CMOS.
After you've got the PC cleaned up (you can do a lot of this while the computer is off-line), install all the Microsoft security patches and updates, then get your security software installed and updated. Then install any programs, features and software that the client wants and get all the latest updates for them (Office, Quicken, QuickBooks and so on).
With new PCs, you usually don't have to worry about out-of-date BIOS or drivers, but it's a good idea to check the manufacturer's support website to see if there are any "Urgent" updates that might apply.
Scenario 2: Old PC, Already Infected. Kind of depends on how bad the infection is and what the customer or someone else has already done to try to fix it themselves (often making things worse), but in general, here's what I do:
Back up all customer data immediately
Capture or note all product & activation keys
Collect Software Installation CDs from the customer if possible
Turn off System Restore
Keep the computer "offline" during the initial cleanup phase
Run CCleaner (stand-alone version from a USB stick). Clear out all Temp directories and Temporary Internet Files for every user account
Disable all startup items; delete any that you know are related to the infection
Copy the latest version of Combo-Fix to the root drive and put a shortcut to it in the All Users->Program Files->Start Menu->Startup directory
Reboot and let Combo-Fix do its thing. Remove the startup shortcut after the first run.
Repair any services, registry items or policies that may have been modified or disabled by the infection
Check the HOSTS file for bogus entries and delete any found.
Run HiJackThis & repair any known bad entries it finds. Keep doing this until you get a clean log. If you need help, post your HijackThis logs on a HiJackThis forum for analysis and help.
Boot back into normal mode and run the customer's antivirus/antispyware programs, which should now be working again.
Connect to the Internet, download and apply antivirus and antispyware updates, then run them again after they're updated.
If the customer didn't have any security software, or it was waaay outdated, remove and replace with whatever you recommend. Repeat the previous 2 steps.
Once the PC is clean, re-enable System Restore and any normal startup items you temporarily disabled.
Give the PC back to the customer with your bill and have a short chat about what they can do to prevent future infections.
If it's a massive infection, you and the customer may be better off with a full reformat and reinstall. In this case, the backup and information you preserved earlier will come in very handy.
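For the HOSTS-file step in Doctor Micro's checklist, here is an added example (not Doctor Micro's own procedure or any project's code) that reads the file and reports every line beyond the stock localhost entries, separating names pinned to a loopback address from names sent to some other host. The sample file contents are constructed; the path in the comment is the real Windows location.

```python
import ipaddress

# Constructed sample HOSTS file (names/addresses invented); on Windows the real file
# is %SystemRoot%\System32\drivers\etc\hosts and is consulted before DNS.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-antivirus.test
0.0.0.0         www.example-security-vendor.test
203.0.113.7     www.example-bank.test   # added by infection
"""

# The stock Windows file maps only localhost; every other name needs a reason to be there.
STOCK_NAMES = {'localhost', 'localhost.localdomain'}

def parse_hosts(text):
    """Yield (line number, address, [hostnames]) for each non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split('#', 1)[0].split()
        if fields:
            yield n, fields[0], fields[1:]

def classify(address, names):
    """'ok' for stock loopback lines, otherwise a one-line verdict on what the entry does."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return 'malformed address'
    extra = [h for h in names if h.lower() not in STOCK_NAMES]
    if not extra:
        return 'ok'
    if ip.is_loopback or ip.is_unspecified:
        # Pinning a vendor or update site to 127.0.0.1/0.0.0.0 silently breaks its updates
        return 'blocks ' + ', '.join(extra)
    # Any other address sends the user to a host the infection chose
    return 'redirects ' + ', '.join(extra) + ' to ' + str(ip)

def audit_hosts(text):
    """Return [(line number, address, hostnames, verdict)] for every non-stock entry."""
    findings = []
    for n, address, names in parse_hosts(text):
        verdict = classify(address, names)
        if verdict != 'ok':
            findings.append((n, address, names, verdict))
    return findings

if __name__ == '__main__':
    for n, address, names, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f'line {n}: {address} {" ".join(names)} -> {verdict}')
```

A file with hundreds of such lines is itself a finding; after removing them, restore the two localhost lines and make sure the file is not marked read-only or hidden by whatever wrote it.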
Methical
07-14-2009, 10:18 PM
@Doctor Micro
Have you thought of creating a batch file to do your combofix process ? Utilizing the 'runonce' command ?
Could save you some time..