Anti-Malware Toolbox

What do you have in your Anti-Malware Toolbox? What steps do you usually perform?

Thanks in Advance.

I have almost no experience in cleaning Malware from PC's. If I were going to clean Malware from a PC, I would most likely do the following.

If the PC is bootable (Safe Mode):

1. DrWeb Cureit "Express Scan" in "Enhanced Protected Mode"
2. Install, update and run a "Full" scan with Malwarebytes Anti-Malware.
3. SuperAntiSpyware Portable "Full" scan

If the PC is unbootable:

1. DrWeb Live CD, "Express Scan"
2. AVIRA Rescue CD scan
3. If the DrWeb Live CD worked properly, then I would proceed to Step 2 of the "If the PC is bootable...."section, above.
4. If the DrWeb Live CD did not work properly, then I would proceed to Step 1 of "If the PC is unbootable" section. I am assuming that the AVIRA Rescue CD would be able to get the PC bootable again. If not, I would probably do a "Full" scan with the Kaspersky Rescue Disk.

 

I just keep ultimate boot cd for win in a safe place and wait for disaster

 

A majority of the infections nowadays are rogue antivirus/antispyware, trojans, and rootkits. I cannot even remember the last time I had to use a rescue disc of any kind. A large % of pc's are still bootable even though they are infected. However a lot of malware blocks .exe and access to critical windows functions. I've found that using the run command, or command prompt, in normal mode and running HMP from a flash drive while holding down the ctrl key (force breach mode) will typically nuke the rogue processes so that you can continue cleaning up the remnants. If for w/e reason you cannot figure out how to execute HMP in normal mode then safe mode should work. DrWeb takes too long and yields little to no results when other anti-malware tools are used. Afterwards a quick scan w/ MBAM, TDSSkiller, PCAV, and if there are nasties still present then combofix could be an ace in the hole. Obviously you should look at scan logs, hosts file, scheduled tasks, and dig deeper if you have that ability.

 

UBCD4Win when the PC is unbootable.

Hitman Pro, Emsisoft Emergency Kit, SAS Portable and Dr Web CureIT for when it is.

 

Here is my toolbox

http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm#cleanup

Cleaning procedure

Below a combat proven cleaning procedure for removing stubborn malware. ( All steps are not necessarily needed.)

1. AV boot cd - Kaspersky/Avira (How to enter BIOS. How to set BIOS to boot from the CD)
2. UBCD4Win + DrWeb Cureit/Emsisoft Emergency*
3. If system becomes unbootable try repairing Windows with the XP recovery console or Vista/7 system recovery options menu. (These may be found in the boot menu, but if they have not been installed, you can use them with original Windows install cd or with a specially made recovery cd. (Look also here.)
4. Repair possibly corrupted .exe association made by malware.
5. Repair internet connection, if it was lost during cleaning.
6. COMODO Firewall with Defence+ ***
7. You can try to perform the next two steps in Safe Mode** with networking
8. Hitman Pro****
9. Malwarebytes antimalware/Superantispyware
10. Prevx free + manual cleaning
11. Winpatrol (For manual analysis: HOSTS-file, startups etc.)
12. Remove with CCleaner temp-files and clean registry. (Take registry snapshot before cleaning.)
13. Clean Alternate Data Streams (ADS)
14. Verify the Integrity of Windows system files (sfc /scannow)
15. Check DNS-settings. Here more info.
16. Switch Windows firewall on.
17. Uninstall old (possibly corrupted) AV. Install new AV and scan with it.
18. Check for Windows/Microsoft updates.
19. Check updates of other programs with Secunia sofware inspector
20. Repair system modifications made by malware.
21. Empty the system restore and create a new restore point. (XP, Vista/7)
22. run chkdsk /r
23. If you suspect you've had MBR-rootkit you can repair MBR with the XP recovery console or Vista/7 system recovery menu. (Look also here.)

*) Notice, that all these portable antimalware can be used with UBCD4Win boot cd. You can copy them to hard disk, USB stick or CD. Run always "full scan".

**) Some malware does not run in safe mode.

***) Use paranoid settings and prevent anything unknown from running. Check these.

****) If you meet a malware that still blocks executables, try a "Force Breach" start of Hitman Pro (hold the left Ctrl-key until the man with the ladder appears while opening Hitman Pro). If you get UAC prompt you need to keep holding ctrl while you acknowledge the message. In case the internet connection is broken or unavailable, start a Early Warning Scoring (EWS) scan by selecting it from the Next button. This will also reveal: 1) The use of a local proxy server (an indication of malware redirecting or sniffing your web activity). 2) Check and fix an invalid Winsock stack. 3) Detect problems with NDIS (Network Driver Interface). 4) Track down rootkits or other malware that are cloaked, perform suspicious activity or have many bad characteristcs (unethical construction and/or behavior).

 

How long do you take for a PC malware removal?

1.use Rkill or antiexehijack first to kill malware process
2.use Safe Returner to detect any startup items with manual research (less than 5 minutes)
3.run scan with MBAM (only scan C driver about 20 minutes) mean while checking internet setting ,HOSTS and others.....
4.if the above failed,try scan with TDSSKILLER

all will be done in less than half an hour

 

I didn't know what Rkill was so I googled it and what a nifty little tool, thanks.

 

YES,especially rogue do not allow users to open any program

you could use Rkill and antiexehijack first,then use MBAM or other...

here is the latest version of antiexehijack

http://www.safereturner.com/download.html

 

Thank you very much!!!

 

why use rkill when u can kill processes with hmp in force breach mode and then scan with hmp for malware too

 

Most simply and easiest solution. Paragon Imaging on an external HD.

 

too much work just formatt pc while your coffee is ready

 

When people ask me to check their pc cause they think they got a virus, I usually recommend to reformat. I'ts easier to keep a system clean with periodical check-ups than cleaning/disinfecting/re-installing...

 

+1
I always recommend reformating, it's faster, easier and brings the best results!
Then i always set a "Pop Up Less" set up and hope they don't screw it again

 

Issue is after a reformat you still have to reinstall and reconfigure. Its still a hassle.

Imaging > reformat any day. Way faster, nothing to reinstall, nothing to reconfigure. Its a set and forget operation that takes about an hour or two tops.

 

Cleaning is necessary under certain conditions like file infector virus, auto-run virus (certain strains copies themselves to all partitions), new folder virus, etc. If one is not sure about infection type, he should run a scan of all partitions/data from bootable AV CD. After cleaning, one can either restore from backup or reinstall OS.

 

No specific toolbox yet.

I don't have much experience with malware infections since I have not yet tested malware on Virtual Machines. I've only been hit on my real PC twice - once through drive-by download when I was a noob and second time when I let a click-addict use my PC without restrictions. That was back then. Theory knowledge from reading materials taught me enough not to repeat the same mistake.

Anyway, I'd probably go with trial and error with the usual detection/removal tools (MBAM, SAS, HMP) or whatever recommended on search engine results. Failing that and if I think it's not worth the effort, I'll just start afresh.

 

1) Start Hitman Pro while pressing the 'ctrl'-button and do a scan/cleanup. Reboot.
2) Run Hitman Pro again (hopefully you don't have to press ctrl-button again). If anything is found, clean and reboot.
3) Run MBAM and do the same procedure. Clean until it founds nothing.
4) Hopefully you can now browse the web. Use different online scanners from ESET, McAfee, BitDefender etc. This will do the trick.


If computer won't boot, try do all this in 'safe mode'. Worst case scenario, I use one of my weekly made images in Acronis. If that fails, well, what are you going to do? Just re-install Windows. Of course, all my personal images of my life and all the work related stuff are always backed-up on an external drive.

 

At work (we are "IT crew") we always begin with ComboFix (amazed that only one person mentioned this great tool!).

Though, lately I've seen that Hitman is quite an impressive tool itself. Catches a loot of ~ Snipped as per TOS ~ and is fast as hell. We also use Dr.Web CureIt for first cares although it's too slow and sometimes doesn't catch anything.

Recently I cleaned a PC with winlogon.exe and explorer.exe infected (NTFS stream was incorrect) and Hitman asked for the original XP CD and replaced the bad exes itself! Others failed miserably to do this because at every reboot those exes were bad again.

Anyway, I always try with this three for starters: ComboFix, Hitman, Dr.Web CureIt. Then make a deeper clean with these: MSSE, A2 Free, HiJackThis, MBAM, SAS, avast Free pre-Windows scan. Sometimes I use alternative tools as Panda Cloud, Spyware Doctor and such.

 

Ooops! Forgot about GMER, UnHackMe and TDSKiller for rootkit activity!

 

Some Nice Anti-Malware Tools to have:

Rogue Removal Kit by EliteKiller (John) who is also a Wilders Member

Anti-Malware Toolkit

NirLauncher



TechTools 3.0
Tech Toolkit 2.0



WSCC - Windows System Control Center

Admin Swiss Knife Suite

 

Well, most of the standard users don't even know about system imaging. I guess the OP was talking about a toolbox to be used on other people's machines (clients, noobs, average users). Now, if he is talking about a toolbox for ourselves, I personally don't need one as I use ShadowProtect Desktop for imaging. Also, keep in mind that a system image strategy is only good as long as the images remain perfectly clean. As we all know, a pre-infected image is simply useless.

 

I didn't know that, thanks. Do you start program while holding down Ctrl? Never mind, I see shadek answered before I seen the post but thanks.

 

MBAM is the first one I run, renaming the main exe if need be to get a scan going as most infections I work on have been rogues.

TDSSKiller for ckheckup then Avira with ComboFix last if I still can't nab a prob.

Dial-A-Fix for any XP internet probs.

Format - reinstalls just ain't any fun and not much of a learning experience but in some cases inevitable.

Quite a nifty little app if an exe killing rogue is around. RogueKiller

 

yes...and i forgot to mention it replaces corrupt windows files too