Strategy to disinfect/scan infected computers?

A companion thread to
https://www.wilderssecurity.com/showthread.php?t=279793

If a computer is already infected, I would assume that it can cause the anti-malware softwares to give false negatives. What strategy do you follow for scanning other people's computers?

I'm considering making a UBCD4Win and slipstreaming these programs in, and booting from the CD.

Any easier method?

 

I frequently use Dr.web cureit and Kaspersky AVP tool to clean infected machines and both of them are fantastic.
Then i install avast and schedule a boot time scan just to check everything is ok.
However if the machine is heavily infected i think reformat is the best option.

 

I use UBCD4Win,(with additional plugins added) upon heavily infected systems,to good effect.At the least it'll get the system usable again and even if it fails you have access to a whole array of backup/imaging tools,etc to facilitate reinstallation easily.Personally I couldn't imagine being without it now it just has so many uses in system repairs.Bear in mind though that not all software functions properly within a PE so if you plan to create your own plugins expect a fair amount of trial and error.

Some of the extras I've added successfully to my disk are:

Paragon B&R
Dr web Cureit
A2 hijackfree
Easeus Data Recovery
Sophos CL AV
Minitool Partition Recovery
Easeus Partition Master

 

HITMAN PRO! MBAM! HITMAN PRO!
then install Prevx SafeOnline.

 

I clean several infected pc's on a weekly basis, and it is extremely rare for me to use a bootable "rescue" cd of any kind. Even on the heavily infect systems w/ rootkits you can get HMP to run in force breach mode. Afterwards I will typically run combofix, look at the log and remove other infections, ccleaner to take out the garbage and speed up scans, then run MBAM. Now it's time to fire up HJT and look at the log. If it's clean I'll usually install Avast or Avira, configure the settings, and run a quick scan. Now it's time to remove exploited software (java, qt, flash, etc.) and install the latest versions, windows updates, other asst'd cleanup. Secunia comes in real handy.

I like HMP so much that I have a couple of paid licenses.

 

-CCleaner
-DiskMax
----------------
-HMP
-EAM
-MBAM
----------------
-GMER
-Sophos A/R
----------------

 

My strategy is usually like this:

Preparation Step: KillProcess (2.44) + Autoruns (10.02) + Process Explorer (12.04) + Remove Fake Antivirus (1.65)

1. Kaspersky VRT (9.0.0.722) or Bootable CD, if system is severly infected
2. Dr.Web Cureit or Bootable CD, if system is severly infected
3. Malwarebytes Anti-Malware (1.46) + SUPERAntiSpyware (4.41.0.1000) Portable
4. Panda Anti-Rootkit (1.08 ) + GMER (1.0.15.15281)
5. HiJackThis (2.04)
6. CCleaner Slim 2.34.1200 + Comodo System Cleaner (2.2.335611.5) + PC De-Crapifier (2.2.5)

If system is highly infected, I backup all/important data (depends on data and its size) by using Active Boot Disk Suite (5.0.5) (also help to manually remove notorious files from other than system partitions) and reinstall OS on client computer.

 

I never disinfect.

If I get infected while using Returnil, I reboot. If problems remain or if I get infected while Returnil is not in use, I restore a clean image of the system partition (usually less than 10 minutes).

 

regardless of what some others might say, you have the basic understanding right. you need to eliminate the possibility that active malware can interfere with the removal process and you do that by eliminating the possibility that malware on the suspect drive can become active in memory in the first place - this means either booting from a rescue CD as you're suggesting, or removing the drive and attaching it to a second computer as a slave drive.

some of the time (perhaps even most of the time) you may be able to actually neutralize malware while operating in the compromise system itself, but not all of the time.

now if you want an easier method of recovery than booting clean and disinfecting, i would suggest booting clean and restoring a previously made image of the drive. that may not be feasible depending on the scenario you're dealing with (you should be able to do this for your own systems, but maybe not other people's).

 

very simple comboFix and hitman pro the pc is back to normal

 

Hitman Pro for leftover registry entries MBAM or SAS

 

And after you think it's all cleaned up:

chkdsk /r

sfc /scannow

 

The tool i really use the most is EAM command line scanner, never needed a Booting CD.
Even on the MOST infected laptop i've ever cleaned xD
It had over 400 infections of malware (Without cookies) scanned with EAM
Later used MBAM and HMP

 

http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm#cleanup

Below a combat proven cleaning process for removing stubborn malware. (Start with boot cd:s to kill most resistance before going to Windows.)

1. AV boot cd - Avira/Kaspersky
2. UBCD4Win + DrWeb Cureit/Emsisoft Emergency*
3. Hitman Pro**
4. Malwarebytes antimalware
5. Prevx free + manual cleaning with UBCD4Win if needed
6. Switch Windows firewall on.
7. Winpatrol (for manual analysis: HOSTS-file, startups etc.)
8. Uninstall old AV. Install new AV and scan with it.
9. CCleaner
10. Verify the Integrity of Windows system files (sfc /scannow)
11. Check for Windows/Microsoft updates.
12. Check updates of other programs with Secunia sofware inspector
13. Empty the system restore and create a new restore point. (XP, Vista/7)
14. run chkdsk /r


*) Notice, that all these portable antimalware can be used with UBCD4Win boot cd.

**) If you meet a malwate that still blocks executables, try a "Force Breach" start of Hitman Pro (hold the left Ctrl-key until the man with the ladder appears while opening Hitman Pro). If you get UAC prompt you need to keep holding ctrl while you acknowledge the message. In case the internet connection is broken or unavailable, start a Early Warning Scoring (EWS) scan by selecting it from the Next button. This will also reveal: 1) The use of a local proxy server (an indication of malware redirecting or sniffing your web activity). 2) Check and fix an invalid Winsock stack. 3) Detect problems with NDIS (Network Driver Interface). 4) Track down rootkits or other malware that are cloaked, perform suspicious activity or have many bad characteristcs (unethical construction and/or behavior).