Anti-Malware Toolbox

Discussion in 'other anti-malware software' started by TheKid7, Dec 9, 2010.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    What do you have in your Anti-Malware Toolbox? What steps do you usually perform?

    Thanks in Advance.

    I have almost no experience in cleaning malware from PCs. If I were going to clean malware from a PC, I would most likely do the following.

    If the PC is bootable (Safe Mode):

    1. DrWeb Cureit "Express Scan" in "Enhanced Protected Mode"
    2. Install, update and run a "Full" scan with Malwarebytes Anti-Malware.
    3. SuperAntiSpyware Portable "Full" scan

    If the PC is unbootable:

    1. DrWeb Live CD, "Express Scan"
    2. AVIRA Rescue CD scan
    3. If the DrWeb Live CD worked properly, then I would proceed to Step 2 of the "If the PC is bootable..." section, above.
    4. If the DrWeb Live CD did not work properly, then I would proceed to Step 1 of the "If the PC is unbootable" section. I am assuming that the AVIRA Rescue CD would be able to get the PC bootable again. If not, I would probably do a "Full" scan with the Kaspersky Rescue Disk.
     
  2. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I just keep Ultimate Boot CD for Win in a safe place and wait for disaster :D
     
  3. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    A majority of the infections nowadays are rogue antivirus/antispyware, trojans, and rootkits. I cannot even remember the last time I had to use a rescue disc of any kind. A large % of PCs are still bootable even though they are infected. However, a lot of malware blocks .exe files and access to critical Windows functions. I've found that using the Run command, or the command prompt, in normal mode and running HMP from a flash drive while holding down the Ctrl key (Force Breach mode) will typically nuke the rogue processes so that you can continue cleaning up the remnants. If for whatever reason you cannot figure out how to execute HMP in normal mode, then safe mode should work. DrWeb takes too long and yields little to no results when other anti-malware tools are used.

    Afterwards, a quick scan with MBAM, TDSSKiller, PCAV, and if there are nasties still present then ComboFix could be an ace in the hole. Obviously you should look at scan logs, the hosts file, scheduled tasks, and dig deeper if you have that ability.
     
  4. codylucas16

    codylucas16 Registered Member

    Joined:
    Nov 17, 2009
    Posts:
    267
    UBCD4Win when the PC is unbootable.

    Hitman Pro, Emsisoft Emergency Kit, SAS Portable and Dr Web CureIT for when it is.
     
  5. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    Here is my toolbox :D

    http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm#cleanup

    Cleaning procedure

    Below is a combat-proven cleaning procedure for removing stubborn malware. (Not all steps are necessarily needed.)

    1. AV boot cd - Kaspersky/Avira (How to enter BIOS. How to set BIOS to boot from the CD)
    2. UBCD4Win + DrWeb Cureit/Emsisoft Emergency*
    3. If the system becomes unbootable, try repairing Windows with the XP recovery console or the Vista/7 system recovery options menu. (These may be found in the boot menu, but if they have not been installed, you can use them with the original Windows install CD or with a specially made recovery CD. Look also here.)
    4. Repair possibly corrupted .exe association made by malware.
    5. Repair internet connection, if it was lost during cleaning.
    6. COMODO Firewall with Defence+ ***
    7. You can try to perform the next two steps in Safe Mode** with networking
    8. Hitman Pro****
    9. Malwarebytes antimalware/Superantispyware
    10. Prevx free + manual cleaning
    11. Winpatrol (For manual analysis: HOSTS-file, startups etc.)
    12. Remove with CCleaner temp-files and clean registry. (Take registry snapshot before cleaning.)
    13. Clean Alternate Data Streams (ADS)
    14. Verify the Integrity of Windows system files (sfc /scannow)
    15. Check DNS-settings. Here more info.
    16. Switch Windows firewall on.
    17. Uninstall old (possibly corrupted) AV. Install new AV and scan with it.
    18. Check for Windows/Microsoft updates.
    19. Check updates of other programs with Secunia sofware inspector
    20. Repair system modifications made by malware.
    21. Empty the system restore and create a new restore point. (XP, Vista/7)
    22. run chkdsk /r
    23. If you suspect you've had MBR-rootkit you can repair MBR with the XP recovery console or Vista/7 system recovery menu. (Look also here.)

    *) Notice, that all these portable antimalware can be used with UBCD4Win boot cd. You can copy them to hard disk, USB stick or CD. Run always "full scan".

    **) Some malware does not run in safe mode.

    ***) Use paranoid settings and prevent anything unknown from running. Check these.

    ****) If you encounter malware that still blocks executables, try a "Force Breach" start of Hitman Pro (hold the left Ctrl key until the man with the ladder appears while opening Hitman Pro). If you get a UAC prompt you need to keep holding Ctrl while you acknowledge the message. In case the internet connection is broken or unavailable, start an Early Warning Scoring (EWS) scan by selecting it from the Next button. This will also: 1) reveal the use of a local proxy server (an indication of malware redirecting or sniffing your web activity); 2) check and fix an invalid Winsock stack; 3) detect problems with NDIS (Network Driver Interface); 4) track down rootkits or other malware that are cloaked, perform suspicious activity or have many bad characteristics (unethical construction and/or behavior).
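
Two of the manual checks named in EliteKiller's post and in ako's procedure above (look at the hosts file; repair the .exe association the malware corrupted) can be scripted so they are repeatable across machines. The block below is an added example, not a tool from this thread or from any product it names. The sample HOSTS text, the security-vendor domain list and the registry snapshot are constructed for illustration; on a live machine the registry values would be read with winreg from HKCR\.exe, HKCR\exefile\shell\open\command and HKCU\Software\Classes\.exe, which this offline version takes as a plain dictionary.

```python
"""Offline triage helpers: audit a Windows HOSTS file for malware-style entries
and validate the .exe shell association that rogue AV families rewrite.
Added example code; every sample below is constructed, not captured."""
import ipaddress
import re

# Domains that rogue AV and downloaders commonly point at loopback so the victim
# cannot fetch updates or removal tools. Constructed and not exhaustive.
SECURITY_DOMAINS = {
    "malwarebytes.org", "superantispyware.com", "drweb.com", "surfright.nl",
    "kaspersky.com", "avira.com", "windowsupdate.com", "update.microsoft.com",
    "bleepingcomputer.com",
}

# Names that legitimately map to loopback in a stock HOSTS file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

_ENTRY = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping.
    Blank lines and comments are skipped, an inline '# ...' is stripped and a
    line naming several hosts yields one entry per host."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        match = _ENTRY.match(raw.split("#", 1)[0])
        if not match:
            continue
        ip, names = match.groups()
        entries.extend((ip, name.lower(), line_no) for name in names.split())
    return entries


def _is_security_domain(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return (line_no, hostname, ip, reason) findings for a HOSTS file.
    Flags a malformed address, a mapping to anything other than loopback or
    0.0.0.0 (traffic redirected to an attacker host), and a loopback/0.0.0.0
    mapping for a security vendor or Windows Update domain (update blocking)."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, host, ip, "malformed address"))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append((line_no, host, ip, "non-loopback redirect"))
        elif host not in LOOPBACK_NAMES and _is_security_domain(host):
            findings.append((line_no, host, ip, "security/update site blocked"))
    return findings


# Stock Windows values for the .exe association. Rogues rewrite the open command
# to launch their own binary first, or add a per-user HKCU\Software\Classes\.exe
# key that shadows HKCR for that user while HKCR itself still looks clean.
EXPECTED_EXE_ASSOCIATION = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
}


def audit_exe_association(values):
    """Return (path, value, reason) findings. `values` maps registry path to
    its default value (None when the key is absent), as read via winreg."""
    findings = []
    for path, want in EXPECTED_EXE_ASSOCIATION.items():
        got = values.get(path)
        if got is None or got.strip() != want:
            findings.append((path, got, "expected %r" % want))
    override = values.get(r"HKCU\Software\Classes\.exe")
    if override is not None:
        findings.append((r"HKCU\Software\Classes\.exe", override,
                         "per-user .exe override shadows HKCR"))
    return findings


# Constructed sample HOSTS file: stock header, benign ad-block line, rogue
# update blocking, a search hijack and a garbage entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad blocker entry, benign
127.0.0.1       www.malwarebytes.org   # rogue blocks update site
127.0.0.1       superantispyware.com
192.0.2.44      www.google.com         # search hijack to attacker host
999.1.1.1       broken.example
"""

# Constructed registry snapshot of a hijacked machine (hypothetical paths).
SAMPLE_HIJACKED_REGISTRY = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": r'"C:\Users\victim\AppData\Local\ah.exe" /START "%1" %*',
    r"HKCU\Software\Classes\.exe": "ah",
}

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("HOSTS line %d: %s -> %s (%s)" % finding)
    for finding in audit_exe_association(SAMPLE_HIJACKED_REGISTRY):
        print("REG %s = %r (%s)" % finding)
```

Legitimate ad-blocking HOSTS lists map thousands of names to 0.0.0.0 or 127.0.0.1, which is why the audit treats those targets as benign unless the name belongs to a security vendor or update site, and reserves the "redirect" finding for any other address. A per-user .exe override is reported separately because a cleaner that only repairs HKCR leaves that user still launching the rogue.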
     
  6. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    How long do you take for a PC malware removal?

    1. Use Rkill or antiexehijack first to kill malware processes.
    2. Use Safe Returner to detect any startup items, with manual research (less than 5 minutes).
    3. Run a scan with MBAM (only scan the C drive, about 20 minutes), meanwhile checking internet settings, HOSTS and others.....
    4. If the above failed, try a scan with TDSSKiller.

    All will be done in less than half an hour.
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I didn't know what Rkill was so I googled it and what a nifty little tool, thanks.
     
  8. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    YES, especially rogues do not allow users to open any program.

    You could use Rkill and antiexehijack first, then use MBAM or other...

    here is the latest version of antiexehijack

    http://www.safereturner.com/download.html
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thank you very much!!!
     
  10. Sherlock_Holmes

    Sherlock_Holmes Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    1,449
    Location:
    Mumbai
    Why use Rkill when you can kill processes with HMP in Force Breach mode and then scan with HMP for malware too?
     
  11. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Simplest and easiest solution: Paragon imaging on an external HD.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Too much work; just format the PC while your coffee is getting ready ;) :D
     
  13. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    When people ask me to check their PC because they think they got a virus, I usually recommend a reformat. It's easier to keep a system clean with periodic check-ups than cleaning/disinfecting/re-installing...
     
  14. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    +1 :thumb:
    I always recommend reformatting; it's faster, easier and brings the best results!
    Then i always set a "Pop Up Less" set up and hope they don't screw it again :D
     
  15. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    The issue is that after a reformat you still have to reinstall and reconfigure. It's still a hassle.

    Imaging > reformat any day. Way faster, nothing to reinstall, nothing to reconfigure. It's a set-and-forget operation that takes about an hour or two tops.
     
  16. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Cleaning is necessary under certain conditions like a file infector virus, an autorun virus (certain strains copy themselves to all partitions), the "new folder" virus, etc. If one is not sure about the infection type, one should run a scan of all partitions/data from a bootable AV CD. After cleaning, one can either restore from backup or reinstall the OS.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    No specific toolbox yet.

    I don't have much experience with malware infections since I have not yet tested malware on Virtual Machines. I've only been hit on my real PC twice - once through drive-by download when I was a noob and second time when I let a click-addict use my PC without restrictions. That was back then. Theory knowledge from reading materials taught me enough not to repeat the same mistake.

    Anyway, I'd probably go with trial and error with the usual detection/removal tools (MBAM, SAS, HMP) or whatever recommended on search engine results. Failing that and if I think it's not worth the effort, I'll just start afresh.
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    1) Start Hitman Pro while pressing the 'ctrl'-button and do a scan/cleanup. Reboot.
    2) Run Hitman Pro again (hopefully you don't have to press ctrl-button again). If anything is found, clean and reboot.
    3) Run MBAM and do the same procedure. Clean until it finds nothing.
    4) Hopefully you can now browse the web. Use different online scanners from ESET, McAfee, BitDefender etc. This will do the trick.


    If the computer won't boot, try to do all this in 'safe mode'. Worst case scenario, I use one of my weekly images made in Acronis. If that fails, well, what are you going to do? Just re-install Windows. :) Of course, all my personal images of my life and all the work-related stuff are always backed up on an external drive.
     
  19. Doraemon

    Doraemon Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    202
    At work (we are "IT crew") we always begin with ComboFix (amazed that only one person mentioned this great tool!). :cautious: :blink: o_O

    Though, lately I've seen that Hitman is quite an impressive tool itself. Catches a lot of ~ Snipped as per TOS ~ and is fast as hell. We also use Dr.Web CureIt for first care, although it's too slow and sometimes doesn't catch anything.

    Recently I cleaned a PC with winlogon.exe and explorer.exe infected (NTFS stream was incorrect) and Hitman asked for the original XP CD and replaced the bad exes itself! :blink: :blink: :eek: :eek: Others failed miserably to do this because at every reboot those exes were bad again. :rolleyes:

    Anyway, I always try these three for starters: ComboFix, Hitman, Dr.Web CureIt. Then I make a deeper clean with these: MSSE, A2 Free, HiJackThis, MBAM, SAS, avast Free pre-Windows scan. Sometimes I use alternative tools such as Panda Cloud, Spyware Doctor and such. :argh: :argh: :argh:
     
    Last edited by a moderator: Dec 10, 2010
  20. Doraemon

    Doraemon Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    202
    Ooops! Forgot about GMER, UnHackMe and TDSKiller for rootkit activity! :D
     
  21. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  22. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    Well, most of the standard users don't even know about system imaging. I guess the OP was talking about a toolbox to be used on other people's machines (clients, noobs, average users). Now, if he is talking about a toolbox for ourselves, I personally don't need one as I use ShadowProtect Desktop for imaging. Also, keep in mind that a system image strategy is only good as long as the images remain perfectly clean. As we all know, a pre-infected image is simply useless.
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I didn't know that, thanks. Do you start program while holding down Ctrl? Never mind, I see shadek answered before I seen the post but thanks.
     
    Last edited: Dec 13, 2010
  24. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    MBAM is the first one I run, renaming the main exe if need be to get a scan going, as most infections I work on have been rogues.

    TDSSKiller for a checkup, then Avira, with ComboFix last if I still can't nab the problem.

    Dial-A-Fix for any XP internet probs.

    Format - reinstalls just ain't any fun and not much of a learning experience but in some cases inevitable.

    Quite a nifty little app if an exe killing rogue is around. RogueKiller
     
  25. Sherlock_Holmes

    Sherlock_Holmes Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    1,449
    Location:
    Mumbai
    yes...and i forgot to mention it replaces corrupt windows files too :thumb:
     