What's your infected machine "attack strategy"?

Sorry if this is in the wrong forum, it felt the best fit..

OK, assuming you want to avoid reinstalling Windows, what's your approach to cleaning up infected machines? Personally (and any feedback appreciated..!):

• Ensure the machine has no network connection active
• Insert read-only CD of tools
• Uninstall any obviously nefarious software showing in add/remove
• Strip down the start up applications in msconfig, and reboot (allowing for more resources to make the clean up less frustrating!)
• Scan with malwarebytes and clean
• Connect the machine to a network, and scan with hitmanpro
• Install ESET instead of their out-of-sub McAffee (usually the case, and I have many ESET ESS licences)
• Scan with ESET
• Finish up with CCleaner

Anyone do it differently, using HijackThis for example?

 

Be prepared to ask for assistance
https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3

 

Restore with fixboot command from Windows cd the original MBR.

 

I solve pretty much every problem by going to /appdata/ and deleting any folder I don't immediately recognize.

 

Dr. Web CureIt
AVZ antiviral toolkit
Emsisoft emergency kit
Superantispyware
Tdssiller
F-secure easyclean
Bytehero
Norton power eraser
Remotedll

And if everything fails, I just restore a clean image.

 

Nowadays I will only reimage the OS+progs partition and fix the MBR.
Using a plethora of AV/AM scanners, rebooting, running bootable CD/USB tools and digging for hours doesn't offer me any fun anymore.
Having a clean box in <20/30 minutes works best in my case.

Question though, have you really ever encountered 'obviously nefarious software showing in add/remove'?

 

I was refering to programs known to be/have adware - common ones being iMesh, MySearch Toolbars etc.

 

Right, there are still folks who install toolbars of course.
http://www.dowling.edu/mydowling/tech/images/bb-TooManyToolbars.jpg

 

Do you guys use bootrec /fixmbr and bootrec /fixboot in every cases or just in some particular situations?

 

I don't have much experience at all with cleaning infected PC's, but here are some ideas on what I might do.

If Malware (Ransomware) has you are locked out of Windows, I would boot up with the Kaspersky Rescue Disk 10. Then open the Terminal, type "windowsunlocker" and then press Enter. Close the Terminal. The "windowsunlocker" command is supposed to unlock a Windows Operating System that has been locked by Ransomware.

Maybe update the Kaspersky Rescue Disk 10 and run a scan with the default settings. It appears that the default selected items to scan may be related to Rootkits so the scan should be quite quick. If you like, do a Full scan with the Kaspersky Rescue Disk 10. The Full scan may take a while to complete.

If time permits, you may want to scan with the Dr.Web LiveCD and/or the Avira Rescue System CD.

Run scans (Preferably in Windows "Safe Mode") with one or more of the following:

1. Malwarebytes AntiMalware
2. Dr.Web CureIt (Skip this one if you already scanned with the Dr.Web LiveCD.)
3. Emsisoft Emergency Kit
4. SuperAntiSpyware Portable

 

I agree with Cudni get some professional help from one of the malware cleaning forums to make sure it's cleaned properly by experts!

TH

 

I always choose to reformat the whole disk and install clean OS.

 

Finish up with CCleaner
Somepeople start with ccleaner

 

I agree, there are a lot of them and they really help a lot of people. I used to read such forums a while back for fun.

 

Routine System Partition "Imaging" is the best Strategy. You will never again have to "struggle" with Malware cleaning.

 

I usually take this steps when removing malware:
1. Start CCleaner and remove all internet and system temporary files.
2. Scan computer with boot CD's (Avira and Kapsersky) and remove everything they find.
3. Log into windows and disable and enable system restore. That way I remove possibly infected restore points.
4. Check autostarts with Autoruns and disable all unnecessary and suspicious items.
5. Restart and scan computer with MBAM and Hitmanpro.
6. Install AV (usually Avast), update it and scan computer with it.
7. Run Gmer to see if there are any rootkit activities.
8. If all this doesn't solve the problem I reinstall the system. After install and update I install imaging software and backup new system.

This procedure worked great for me in last years. I didn't have to clean machine for a while now. It looks like people are getting more careful when using computer.

 

I agree as well here. I often see "unclassified people" (sorry if this seems harsh) cleaning machines resulting in doing more harm then good.
Not to say some make it more tricky by running tons of anti-whatever-malware progs. on their machines.

 

I've never been infected with malware, but if I was, I'd probably do a fresh reinstall...

 

Quote: "An ounce of prevention is worth more than a pound of cure."

That being said, I recommend imaging a clean OS with the MBR. If not, reinstall the OS. One can never be sure that all the infection/damage is corrected by so-called cleanup tools. In many cases, products like Hitman Pro and Malwarebytes can delete most of the malware. However, malware that changes integral parts of the OS cannot be cleaned without crippling the OS or some of it's features.

Personally, I use Image for Windows, Avast Internet Security, and Shadow Defender on constantly.

There! Take that malware! Mmmmwwwaaahhaahhaahhaa

 

Bingo. I use boot-to-restore products like Returnil, Deep Freeze, and Drive Vaccine and therefore have no problems that can't be fixed with a simple reboot. As TheKid7 said, routine imaging is also important in case you just want to start fresh with a "perfect image" without the need to reinstall Windows.

 

@ mattfrog

My strategy is the sledge hammer or preferably Linux, that's it. .

Thanks.

 

Malware infection! What better excuse for wipe and load?

I love my Windows disk!

 

I agree prevention is best using KIS, Zemana, OPENDNS, Plus daily image taken daily by Acronis True Image.

 

sorry for been a noob. i've thought about such products before and found them not suitable for user like me who changes their windows setup all the time.

am i wrong in thinking that these softwares simply revert your windows back to exactly how it was and removed any changes upon reboot? who uses a computer with contents that never changed i must be missing something. can someone enlighten me please?

 

you can exclude a Drive from Protection to save your Docs in it