Advice Please

Discussion in 'malware problems & news' started by Rico, Oct 8, 2009.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Guys,

    I'm doing malware cleanup at my computer club, & I'm getting 3 - 5 infected machines per week to clean.

    My routine so far, working about four out of five times:

    1. Boot from Avira rescue disc, scan.

    Is there a better boot disc to scan with? Can Avira or others have their rescue CDs updated?

    2. After the boot scan, install & scan with SAS or Mbam.

    Any other suggestions here?

    3. HJT: paste it for analysis at http://www.hijackthis.de/ then research suspicious files.

    4. Delete found "restore points".

    5. CCleaner + CCleaner reg scan.

    6. Runscanner - delete 'file not found'.

    I need more knowledge about this tool.

    7. Reboot, scan with Avira, Mbam, SAS, Sophos anti-rootkit; delete all bad guys.

    Finished:

    My last infected PC had the rogue app "Safety Center", which had disabled all defenses on the machine. When I tried (after the Avira rescue CD) to install tools, the only one that would run was Sophos, which would get 3/4 done, then quit & the machine would reboot. I then tried the F-Secure boot disc - no boot; tried UBCD4Win & BartPE - no boot. Tested Bart & UBCD4Win on a clean machine - all fine. Note all OSes = XP. Re-tried the Avira boot; it booted fine on the infected machine. Aborted the Avira boot, used msconfig to disable all startups (= all non-MS services). Rebooted, used Sophos to delete some 'unknown items' before it crashed; after ages I got through Sophos. After Sophos I could install HJT etc. Note any attempt to install HJT or other tools prior to Sophos completion resulted in a failed app.

    I think I just got lucky; what could I do to improve?

    Why do you think Bart, F-Secure, UBCD4Win failed to boot, while Avira's boot disc worked?

    And finally, 'Dr. Web CureIt' never worked for me, like the previously mentioned tools - somewhat disappointed by this one.

    Thanks for any & all comments.
    Rico
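Step 6 of the routine above ("delete 'file not found'") is the part Runscanner and HJT automate: an autorun entry whose command line points at a file that no longer exists is dead and safe to remove, while entries whose file is still present are the ones to research. The block below is an added example, not from the thread or from either tool; it resolves Run-key command lines the way Windows does (quoted path, unquoted path containing spaces, bare name looked up in assumed XP search directories, %VAR% expansion) against a constructed list of on-disk files, and separates the two groups.

```python
import re

# Constructed sample, not from the thread: Run-key entries as Runscanner or
# HJT (O4 lines) list them, name -> command line, plus the set of files that
# really exist on the disk being cleaned (lower-cased full paths).
SAMPLE_RUN_ENTRIES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SoundMan": "SOUNDMAN.EXE",
    "Reader_sl": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "Safety Center": r"%USERPROFILE%\Application Data\Safety Center\sc.exe /autorun",
    "updater": r"C:\Documents and Settings\All Users\upd.exe -silent",
}
SAMPLE_DISK = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\soundman.exe",
    r"c:\program files\adobe\reader 9.0\reader\reader_sl.exe",
    r"c:\documents and settings\rico\application data\safety center\sc.exe",
}
SAMPLE_ENV = {"USERPROFILE": r"C:\Documents and Settings\Rico"}
# Where Windows looks for a bare file name such as SOUNDMAN.EXE (assumed XP layout).
SEARCH_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS")


def expand_env(cmdline, env):
    """Expand %VAR% references case-insensitively; unknown ones are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), cmdline)


def resolve(cmdline, env, disk):
    """Executable an autorun command line points at, or None if it is not on disk.
    Unquoted paths with spaces are tried prefix by prefix, with and without .exe."""
    cmdline = expand_env(cmdline, env).strip()
    if cmdline.startswith('"'):
        candidates = [cmdline[1:cmdline.find('"', 1)]]
    else:
        parts = cmdline.split(" ")
        candidates = [" ".join(parts[:k]) for k in range(1, len(parts) + 1)]
    for cand in candidates:
        bases = [cand] if "\\" in cand else [d + "\\" + cand for d in SEARCH_DIRS]
        for base in bases:
            for path in (base, base + ".exe"):
                if path.lower() in disk:
                    return path
    return None


def triage(entries, env, disk):
    """Per entry: (resolved path, 'ok' | 'file not found'). The 'file not found'
    ones are the dead entries Runscanner offers to delete; 'ok' ones need research."""
    return {name: ((p := resolve(c, env, disk)), "ok" if p else "file not found")
            for name, c in entries.items()}
```

On a real machine the two sets come from the Run keys and the file system instead of the constructed dictionaries; the resolution logic is the same.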
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Failure to boot - hardware incompatibility. Did you try any Linux live CDs?
    By the way, live CDs are rather sensitive to RAM issues.
    Mrk
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Mrk!

    Thanks for responding! Not sure what you mean by 'Linux' CD; I thought all AV rescue discs were Linux based. Where should I get a Linux CD & how would I run malware apps using it?

    Take Care
    Rico
     
  4. ASpace

    ASpace Guest

    Not all are Linux based. Some are based on Windows AIK.
     
  5. ASpace

    ASpace Guest

    Do not use HiJackThis if you don't know YOURSELF what to keep and what not to keep. Don't use this automated service as it could produce false positive alarms. And always run the HJT executable renamed.

    Make sure that security applications' executables are also renamed to something random, such as nakih9rh3kn09.exe, before you run them.

    Never do this unless you are sure you are clean. Although restore points could contain infected restore points, sometimes you might need them.


    Failuire to install/run such applications could be indication of rootkit. Failure to boot/load bootable media could be indication of hardware failure or incompatibility , as already written by Mrkvonic
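The renaming advice in ASpace's post can be scripted so the copy is also checked before it is launched. This is an added example, not code from the thread or from any of the tools named: it copies a scanner to a nakih9rh3kn09.exe-style name and hashes source and copy, refusing a truncated or altered copy; the stand-in installer file is constructed.

```python
import hashlib
import os
import re
import secrets
import shutil
import string
import tempfile

NAME_RE = re.compile(r"^[a-z0-9]{14}\.exe$")


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def random_exe_name(length=14):
    """Random letters and digits, like nakih9rh3kn09.exe: nothing a blocklist
    keyed on well-known scanner process names can match."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + ".exe"


def stage_renamed_copy(tool_path, dest_dir):
    """Copy the scanner under a random name; hash source and copy so a
    truncated or altered copy is removed instead of being launched."""
    expected = sha256_of(tool_path)
    new_path = os.path.join(dest_dir, random_exe_name())
    shutil.copy2(tool_path, new_path)
    if sha256_of(new_path) != expected:
        os.remove(new_path)
        raise RuntimeError("copy does not match source, not launching it")
    return new_path, expected


def demo():
    """Run on a constructed stand-in for a scanner installer (not a real tool)
    and return the facts worth logging before the copy is launched."""
    workdir = tempfile.mkdtemp()
    try:
        fake_tool = os.path.join(workdir, "mbam-setup.exe")
        with open(fake_tool, "wb") as fh:
            fh.write(b"MZ constructed stand-in for a scanner installer\n")
        staged, digest = stage_renamed_copy(fake_tool, workdir)
        return {
            "renamed": NAME_RE.match(os.path.basename(staged)) is not None,
            "same_bytes": sha256_of(staged) == digest == sha256_of(fake_tool),
            "name_differs": os.path.basename(staged) != "mbam-setup.exe",
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
```

The path returned by stage_renamed_copy is the one to launch; the original file name is never run.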
     
  6. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi ASpace,

    Cool! As I use HJT more often, it becomes (almost) obvious for ID'ing the bad guys, when used in conjunction with Google.

    Restore points are actually deleted after I'm very sure the machine is clean.

    Crippled malware and the inability to install new security apps: seems safe to say rootkit; hence when Sophos completed I could install security apps.

    Very confused why Avira rescue would boot, but Bart & UBCD4Win would not?

    What's an alternative boot disc (perhaps Linux), & which security apps can I run from that environment?

    Thanks Amigo
    Rico
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    There are several alternative Linux-based boot Rescue CDs. Here are some, but not all of them:

    https://www.wilderssecurity.com/showpost.php?p=1545618&postcount=18

    Another Thread:

    https://www.wilderssecurity.com/showthread.php?t=247015&highlight=rescue

    I have tried many of them on my four home PCs. I was not trying to clean anything when I tried them. I was mainly checking which one has the best hardware compatibility. The AVIRA Rescue CD works and updates on all four of my home PCs. The Kaspersky Rescue CD works and updates most of the time. I've had problems with both BitDefender and DrWeb.
     