Need A New Plan

Hi Guys,

When I get an infected PC, I do the following with limited success.

1. Safe Mode > SmitFraudFix
2. Reboot to/with Avira Rescue > scan w/ 'remove infected'
3. boot to windows 'MBAM' scan & remove > requires reboot
4. After reboot 'MBAM' still infected.
5. Eset online scanner

I was using Sophos anti-rootkit, but this finds stuff, then recommends 'Not Removing', I got in trouble one time by not heeding Sophos's warning sbout Not Recommended, I removed despite warning.

1 - 5 please replace or alter or add.

Thanks
Rico

 

Why do you do what you do ?

SmitFraudFix ? That just for certain malware, and on bleepingcomputer.com they say 'I do not recommend using the tool without guidance from a qualified malware removal specialist!'.

The Avira Rescue CD (updated!) is a good one. Although I don't know if your scan setting is the right choice. It doesn't have an option for cleaning ?
You can supplement it with the Dr Web Live CD, it's supposedly better at cleaning than Avira, but with a lower detection.

MBAM is a good choice. Some like SAS, I don't.

Eset online scanner ? Not my choice. I'd use the Kaspersky or Bitdefender online scanner, if you feel you need something like that.

You can use Prevx or Hitman Pro, A-squared if you feel you need more.

There are threads about these products on this forum. 'search' is your friend.

I used Sophos' anti-rootkit once, all it said was that my system was corrupted. Anti-rootkit tools can be dangerous, some more so than others.

You clean PCs professionally, or for friends ?

Honestly, if you ask for a 1-5 step guide, are you sure you are competent enough to clean other people's computers ?
You may want to back up data before attempting to clean a computer, you never know what can go wrong.

Probably a good read: https://www.wilderssecurity.com/showthread.php?t=252253

 

Hi Fly,

This has worked where other apps have failed + has not caused problems.

Yes it cleans, removes infected! Never had much luck with 'Dr Web' seem this one gives a clean bill of health, while the malware is still present.

Yes I know MBAM & SAS are good. I'm looking to improve the cleaning here, not your endorsement of my choice. Often times malware survives MBAM & SAS cleaning, upon reboot.

Trial apps. Hitman is/was hit or miss.

Thanks! I hear Google is good also

Perhaps you've mis-interpreted Sophos, I do not get what you got + I mentioned the warning (see OP).

Assist or part of team that cleans (as a service), for a very large computer club. How does this help improve cleaning?

As some malware seem to survive the reboot, (using tools you acknowledge are good MBAM), I've asked for improvements for some of the things I do. So far you suggestions do not improve my methods, or anyones!

I have a dedicated ext hdd, for bu's, of folks who seek malware removal.

Thanks! Finally got around to something useful. So far in my limited experience cleaning malware ( 50 + machines, I've yet to format, & cured all), I'm just looking, for helpful suggestions & for sure 1 - 5 is not set in stone, nor adhered to in a zealous manner.

By the way 'Fly' what qualifications do you possess, that makes your comments so insightful?

Take Care
Rico

 

(partial quote)

Sigh. Good intentions never go unpunished ?

In your original post you did not mention anything about yourself or the computers you clean/context. If you want a good answer, you must provide sufficient information.

Your '5 steps' were unusual. I didn't know what to make of it.

So I tried to come up with something ?

I only thought of the last link after writing the original post.

 

Hi Fly,

No problem! Cleaning or trying to clean malware, for me is a ever evolving chain of events. I try to improve, use what is more successful more often. The tools that don't do much tend to gather dust.

Regarding SmitFraudFix - Recently I had a machine where no security apps would install. I don't remember how I found it, but liked it because it, killed all processes before it cleaned, & after cleaning I was able to install MBAM etc.

Do you think malware that survives MBAM (after reboot) is a rootkit? That's why Sophos. Or it could be a definition not yet recognized.

I've got to run, bowling league! Look fwd to chatting.

Take Care
Rico

 

One possibility is for you create an UBCD4W: http://www.ubcd4win.com/

With that you can run a HijackThis scan and also check through the system32 directory to remove unwanted files.

After that, you can boot into safe mode and remove the rest of the junk with mbam.

 

Can I recommend posting on a Hijack This forum. If you do have a rootkit (which it seems you do) then they will be able to help you remove it quite easily That should save you a lot of trouble.

 

Malware that survives MBAM after a reboot isn't necessarily a rootkit.

Stealth viruses, trojans, whatever ?

Maybe you like VIPRE/Counterspy ? I haven't used Counterspy for a long time, but it used to be a good antispyware application.

 

Thanks for reminding me about Vipre, I was going to give it a try then forgot it.

If rootkits are hidden objects, do they reveal themselves using HJT? I thought that was the whole idea behind Blacklight etc.

Ok! But by being 'stealth' they behave like rootkits, in that they hide from the OS? So stealth, non rootkit, malware most likely does not show up on HJT scans. So were left with definition updates, to cure?

Good! Thanks!! I 've made the disc, I need to use this more & become more comfortable in that area

Thanks
Rico

 

Certain entries that may not show up in a HJT scan, run from the host OS, will show up when you run the HJT scan from the UBCD4W.

It is possible for process A to protect process B from termination, whilst process B hides the presence of process A. Using HJT from the UBCD4W you can see process A and deal with it.

Most of the nasties live in the system32 directory so you can sort by date and check out the latest files. If you right click and check the properties, generally the genuine ones have extra information such as company name etc and the bad ones don't.

I find that getting rid of the recent fake antivirus products is done quickest by using HJT from the UBCD4W, getting rid of suspect files from system32 and then booting into safe mode and scanning with mbam. Sometimes it takes a bit more effort especially if somethings hooked into explorer, so then you might want to try Sysinternals autoruns to see what's going on.

Please note I'm not an expert at this, I'm only telling you what I have observed. A little knowledge is sometimes a dangerous thing.

 

Thanks SpikeyB nice post!

Rico

 

An easy way to increase your diagnostic toolbox is to visit the malware cleaning forums. Focus on threads that were resolved, discuss rootkits and have a lot of posts. Become a temporary (non stalking) fanboy of a particular Malware Cleaning Specialist and follow their progress.

They pretty much all start out with HJT as well as other diagnostic scans, like Deckards System Scanner or DDS, even anti-rootkit scan logs are requested as prerequisites on some sites.

Have fun!

 

Rico,

Since I noticed you showed some interest in VIPRE and had also mentioned sometimes not being able to install any security software I thought I'd suggest looking into our VIPRE Rescue Program. It's a basic version of VIPRE designed to run on systems too heavily infected to run or install a normal anti-virus. It's also possible to run it off of a bootable CD. You can find the VIPRE Rescue Program here:

http://live.sunbeltsoftware.com/

 

HJT is greyed out of UBCD4WIN - it's to be ran within a live Windows enviroment. The alternative in UBCD4WIN is EzPCFix, which kinda like HJT, but on steroids. It requires advanced knowledge of the registry hives.

Smitfraudfix, and also Combofix, are last resorts - if all else fails category. Both are specialist removers, and pretty harsh. I'd go through the scanning business with as many AV live CD's as I can be bothered to make ... before using either Combofix or Smitfraud.

And most of the fakeware junk and malware can only be removed from non-live Windows enviroment. Kinda saves time to just leap into UBCD4WIN/live CD from the start.

 

Great!

Nick - Thanks I've bookmarked your page & will give it a shot, next infected PC comes my way, shouldn't be more than two days. I'll post back.

Keyboard_Commando - So HJT doesn't not work from UBCD4WIN? EZpcFix is on the disc. I'll check it out. Thanks

Rico

 

Thanks for letting me know. I found the explanation here: http://ubcd4win.com/forum/index.php?showtopic=7988

I have an old version of UBCD with HJT 1.99.1 and was thinking it was about time to update. I wont bother now I know this.

Thanks again.