Steps To PROPERLY Clean an Infected PC ?

Discussion in 'other security issues & news' started by Anhydrous, May 31, 2008.

Thread Status:
Not open for further replies.
  1. Anhydrous

    Anhydrous Registered Member

    Joined:
    Nov 28, 2006
    Posts:
    20
    Hey all

    I'm trying to get everyone's input on cleaning other people's PCs of viruses. I have PCs ready to be dedicated to this cause. Here's what I would like to know, just to see how varied techs, etc. are in doing this:

    1. All software used for cleaning, removing temp files, etc.
    2. Steps in order in which to provide the fastest scans and removal of viruses.

    Please note that I also have all the different external HDD enclosures needed to run from my machine as well.

    Thanks to everyone who submits a reply.;)
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: Steps To PROPERLY Clean an Infected PC ?

    Payware or freeware or doesn't it matter ?
     
  3. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Re: Steps To PROPERLY Clean an Infected PC ?

    I did home user IT for 6 years and in the end my antimalware tools were down to this list:

    Xp_secconsole.exe
    Dialafix
    HJT
    Autoruns (whitelist and sig checking on)
    RunScanner
    ProcessExplorer
    RKU
    GMER
    IceSword
    Sigverif (part of windows)
    EventVwr (part of windows)
    VistaPE bootdisk

    Make a copy of the registry and, if you can, another from a few weeks ago, just in case.

    Look through eventlogs to look for trouble related to malware damage

    ProcessExplorer to get a quick look at what was running and to shut it down
    HJT for fast finding and fixing of O17s and a few really odd load points
    Autoruns and RunScanner for most regular malware
    RKU and GMER to look for rooters
    IceSword to force delete files
    Xp_secconsole.exe and Dialafix to fix policy restrictions

    VistaPE bootdisk for when things were a little too crazy to fix live (VistaPE had great SATA support)

    Sigverif to check for patched files


    Once everything is clear I blow away event logs, reboot a few times and run a bunch of their applications. If the event logs stay clear then that part is done; usually there is minor damage recorded there, often not related to malware, but I fix it anyway.

    Once I am 100% sure that the system is clean and stable I blow away old restore points and make a new one.

    EDIT :

    Clear temps, so obvious that I forgot. CCleaner is good enough for this.
     
  4. Anhydrous

    Anhydrous Registered Member

    Joined:
    Nov 28, 2006
    Posts:
    20
    Re: Steps To PROPERLY Clean an Infected PC ?

    Your choice. I can afford to buy whatever it takes, so money is not an issue. This is strictly to see what everyone here uses for virus/spyware removal.

    Thanks for the reply !
     
  5. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    431
    Location:
    The Netherlands
    For general cleaning that's not too technical I would use a collection of freeware tools like:

    -Prevx CSI
    -Dr.Web CureIt
    -SuperAntiSpyware
    -MalwareBytes
    -A-Squared
    -ThreatFire
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    When I clean family and friends' PCs, I generally use (almost every time in this order):

    -ATF Cleaner for cleaning temp
    -SuperAntiSpyware
    -Dr.Web's CureIt!

    If the machine was hosed and/or the problem (slow, pop-ups, browser or desktop hijack, etc) doesn't go away, I scan 2 more times:

    -MBAM
    -Kaspersky's AVP Tool
    -Sometimes, RKU

    After that, HiJackThis, trying to identify obvious malicious entries, but I'm no expert, so this works only for REALLY obvious entries.

    -XPsecconfig for checking policy restrictions (restore access to Task Manager, etc.)

    Usually at this point the problem is gone. Dump all old restore points, reboot, defrag, and that's it.

    Sometimes however, I must look for help in forums, to analyze HJT logs or to help with rootkits and such.
     
  7. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    PROPERLY? I would restore a pre-infection image, or if that is not available I would back up anything I needed off the PC, format the drive, and re-install the OS.

    Personally I cannot fully trust a system after it has been infected; I guess it depends on the severity of the infection though. Minor threats can be removed by AVs, but I would personally start with SuperAntiSpyware.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The funny thing is that I don't know/use any tools of nosirrah's list, except CCleaner in the past. It shows how big my lack of knowledge is regarding cleaning someone else's computer. :D
     
  9. Anhydrous

    Anhydrous Registered Member

    Joined:
    Nov 28, 2006
    Posts:
    20
    I have never been a big fan of this company. I tried it out the other day for fun and noticed the extremely high amount of false positives the scan shows.

    Here is what I have been using lately:

    CCleaner for temps
    Nod32, SuperAntiSpyware Pro for viruses.
    Firefox with NoScript and Adblock Plus w/ G filter


    Thanks for the replies, keep them coming !!! :thumb:
     
  10. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    I clean a lot of infected PCs and here's what I typically do on each one.

    1.) Reboot to safe mode w/ networking and disable system restore
    2.) Run HJT
    3.) Run CCleaner & ATFCleaner

    Depending on the infections....

    4.) Run Smitfraudfix / RogueFix / Combofix (if the PC reboots, go back into safe mode)
    5.) Run MBAM > update > quick scan
    6.) Run HJT for a 2nd time and review the log. If random DLLs and other nasties exist I make a custom CFScript and drop it on the Combofix.exe to unhook them

    Afterwards....

    7.) Run Dr.Web CureIt and/or Kaspersky AVP Tool with all settings maxed out
    8.) Run a-squared free
    9.) Reboot to normal mode
    10.) Install SAS and run a full scan
    11.) Run a final HJT

    In some cases the OS will need a repair after the cleanup.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    EliteKiller,
    How long does it usually take to clean someone else's computer ?
     
  12. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    1.5 hr @ $50/hr

    If the OS gets hosed then it will take even longer.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,

    I usually take the following steps when analyzing someone's crapped machine:

    Obvious stuff:
    Clean temporary files and such - ATF Cleaner.
    Check Add/Remove for stupid trials, demos etc.
    Check the services, msconfig.

    Malware detection:
    Run HijackThis, ProcessExplorer, AutoRuns, look for funky stuff.
    Depending on the situation, may run an anti-virus cleaner (maybe online).
    Depending on the situation, may also run a few more tools, like AVZ, RKR, SAS.

    Advanced:
    Run Rootkitty from within OS and then from live CD (like UBCD4WIN), compare outputs.
    Run a few tools from live CD (UBCD4WIN, Helix etc), check out the registry, look for suspicious files etc and if necessary take care of them, correlate to anti-malware tools' findings. Where necessary, I'll fix permissions and such from the live CD.

    Of course, it really depends who I'm dealing with and what they can afford to gain/lose. Some people are so paranoid about their precious little boxes they will never let someone format them - even though this is a much more sensible approach than spending hours scanning.

    All that said, I find malware cleaning to be counterproductive as much as getting infected. The most sensible solution is to have an imaging policy and then simply revert back to a clean state.

    Mrk
     
  14. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Yes Erik, most of us here learned to stay clean, but many of us are surrounded by stupid, ignorant people asking for cleaning of their machines. :D
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My help approach,

    - Clean up temp files/registry/directories first
    - Do a virus scan
    - Separate data from programs (create a data partition)
    For three reasons:
    a) after having checked data, you save time by only looking at the program partition (for real nasties)
    b) when something is very stubborn, you can use FajoXPFileSec (on XP Home; others use Windows' own) to disallow access to programs by the
    normal user, this to get clues where it is coming from (file infector/polymorphic) or whether it is an admin/user mode problem.
    c) when you want to blow away the programs partition, you save the data
    - Look for rootkits/autoruns/hijacks (see Nosirrah/EliteKiller; safe mode is important to cure / scope the problem)
    - Sometimes I use C, to get additional clues

    The above approach is only for friends with their own business; for all others, see below. I also ask them why they do pay their bookkeeper, but do not use a local ICT services shop specialised in the SOHO market. I ask them with what data they would ask their accountant/bookkeeper to account for or keep their books. Data is crucial also for your business (dumbo). Now ask around with friends (also having a SOHO operation) and select two guys to talk to; I help you with the selection and ask difficult questions on SLAs etc. It is also often more profitable to team this software support with a periodic hardware support/replacement/refurbishment contract.

    My educate approach
    For friends with only data which has value, I assess the first anti-rootkit/autorun results. When it will take me too much time, I will point to some items (GMER f.i.) and say "Yeh, you really messed up, I save your data and re-format your hard disk (only the programs partition)". Tell them the benefits of backing up images and data and let them install everything all over again.

    Saves me a lot of time and is very educational for them (to feel the consequences).

    Afterwards I tell them they need a Maxtor/Seagate external hard disk (because MaxBlast is free; install SyncBack free for data backup).
    Install it for them and show them that in a few minutes' time you can fall back to a previous image (do it after they have spent an evening re-installing all programs, calling friends for the illegitimate software copies they used to have, etc).

    Use this combo for defense (show them OpenOffice and free/opensource alternatives to prevent them from loading garbage on their computer):

    Default FireWall + DefenseWall + ThreatFire + when on Vista LUA in quiet mode.

    ThreatFire settings:
    - create a restore point before quarantine
    - change default settings (red and grey alerts) to auto quarantine, only prompted for yellow alerts (unknown threats).

    Reason: when the security program does not prompt, I won't get questions

    My motto
    Do not only make the PC healthy; also the USER (or at least the OWNER of a PC) is PROPERLY CURED. It is mean, but effective.

    Regards Kees
     
    Last edited: Jun 1, 2008
  16. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    It's my experience that most people are stubborn, stupid and quickly forget what they just learned. ;)
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is why I promote :D

    A) Action learning: let them clean up their own ****
    B) Feel the consequences: just remove something, get a BSOD at start up, tell them they have to tell their wife (private circumstances) they just lost all their family photos/movies, or ask them "you have a copy of your client/debtor data, don't you?" (SOHO circumstances); when you see the red appear on their cheeks/neck you know you have touched a weak spot. Next put in a mystic CD and boot up in Last Known Good :)
    C) Leave them with a no-care post-fix situation (private: DefenseWall/ThreatFire, SOHO: a local service provider), only back up your data/image every now and then.

    I have not met anyone who was not cured afterwards, so Huupi I disagree :shifty:
     
    Last edited: Jun 1, 2008
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    After reading this thread, I know for certain I can't clean someone else's computer.
    In my newbie period, I re-installed my computer from scratch 2 times a year because it was so infected that my computer didn't work properly anymore, especially my browser. I didn't know what was going on either until I became a member of SWI and Wilders and read about the bad things on the internet.

    Nowadays, I use IB + ISR + non-blacklist security software and that works very efficiently and above all is time-saving.
    But that only works on MY computer and is completely useless for cleaning someone else's computer. One thing I know for sure: if somebody asks me to clean his computer, I say NO.

    My solution isn't based on technical knowledge either; I work with theoretical, logical reasoning. That's how I do my job also: I always have to start from scratch, because it doesn't exist yet.
    Each time I didn't know how to do it technically, I asked Wilders, like how do I partition, how do I disconnect the internet in Windows, but I never ask Wilders how to fix it.

    I agree with Huupi that most users don't learn from their mistakes. They are glad somebody else fixed it for them (friend, forum, ...), but do nothing until it happens again. That's not a solution, that is a vicious circle. :)
     
  19. Hellas

    Hellas Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    3
    Location:
    Salamis Island, Hellas
    a) Deactivate your 'System Restore'.

    b) Start your PC in the 'Safe Mode'.

    Special Detection/Restoration Tools:

    Rogue Removal kit: http://www.elitekiller.com/files/rogueremoval.zip

    RunScanner: http://www.runscanner.net/

    Junk File Cleaners:

    CCleaner: http://www.ccleaner.com/download

    Sweepi: http://www.yooapps.ch/?c=produkte/download_details&downloadid=20&l=E

    Spyware Removal:

    Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php

    SUPERAntiSpyware: http://superantispyware.com/superantispywarefreevspro.html

    Virus Removal:

    Dr.Web CureIt!: http://freedrweb.com/

    Kaspersky Virus Removal Tool: http://downloads2.kaspersky-labs.com/devbuilds/AVPTool/
     
  20. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
  21. Hellas

    Hellas Registered Member

    Joined:
    Jun 1, 2008
    Posts:
    3
    Location:
    Salamis Island, Hellas
    Anytime...John...:D
     
  22. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    The key to all of this (and why the answers are so varied) is that the tools need to match the user's skillset.

    If you know what you are doing there is no need for the use of any signature based tool to clean up a system unless the goal is to walk away from the scan and work on something else.

    Tools that show you what is running/set to run, combined with Google and virustotal.com for the few ones you are not 100% sure on, will get you through a cleanup very quickly.

    If you have seen zlob a few thousand times you will see it instantly and from PE kill the two zlob process trees, kill rundll (for the %SYSDIR% dll), kill all browser instances, kill the rogue exe and then delete the two programs folders, one %SYSDIR% folder and one %SYSDIR% dll. Autoruns after to find and delete the load points. There are many super common infections just like this one and once you have seen them a bunch of times you will get very fast at cleaning them up. IEDefender trojan, VAC, DNSChanger and ISecurity are all very common codec-borne infections and very easy to clean up with just a few tools. The time to install 2 scan tools (1 virus and 1 malware), update them and then scan + remove would be much greater than a by-hand cleanup with a few good tools.

    If GMER or RKU spot a rooter (something you get the hang of after seeing the normal hooks of AVs and other legit software many times) all that is needed is to set avenger or any other driver based DOR tool to kill it on reboot and then use catchme or GMER to break its file header and disable its service. I do not know of any rooters that can survive all three rooter killing methods but there are a few that can get by two of the three and most can get by at least one.

    Another pitfall with scan tools is that I have seen them delete patched but critical files many times before. If you find a patched file it is much better to first drop a clean version into dllcache and then use a tool like IceSword to force delete the patched file, dropping the clean one in behind with paste. If you are not quick enough WFP will often get the copy in dllcache first, so that is why you make sure the backup is clean before you do the swap. Boot disks are also very good for doing clean over patched. RC is also good for this and you can even set up the clean files and a batch file using xcopy ahead of time so from RC it is one command and it's done. I have a pile of clean system files that I can use if the person I am helping has no install disk and all regular backups have either been patched or destroyed. Some OEM systems have an I386 folder even if they do not have an install disk, so if the dllcache copy is bad you may still luck out there. There are some virus infections that IMO are not worth cleaning up unless there are no options to backup and reinstall. If you see "sality" or "virut" show up in a scan you are in for one heck of a long cleanup (could be many thousands of infected files) and it is very easy to miss one and then you are back to square one. For these I only clean them with Kaspersky and the infected drive as a slave to ensure that nothing is in memory. Slaved scan cleanup of mass patched files is always far more effective and safe.

    Depending on what they have installed for security, whether or not it is up to date and if it is functioning correctly or not, I sometimes uninstall their security software before I begin a cleanup. At this point all it has the ability to do is get in the way and cause conflicts. If it was going to be of any help it would not have let the problem happen to begin with. There are also many infections that break security software and these problems are often easier to fix by doing a complete uninstall/reinstall.

    This is one of those skills you have to learn by doing and then keep at it. If I took 2 months off I would be getting rusty and after a year I would not know what I was doing any more.
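    As an added example (not nosirrah's own tooling, and not from the original post), here is a Python check for the "patched file" case described above: run from the analyst's machine with the infected disk slaved, it hashes each protected file against a trusted clean copy and reports whether the dllcache copy is still usable for the swap or has itself already been overwritten. The directory layout, file names and file contents in `demo()` are constructed for the example; `clean_store` stands in for the pile of known-clean system files the post mentions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_system_files(win_root: Path, clean_store: Path, names):
    """Compare each protected file on the slaved drive against a trusted copy.
    Returns a dict name -> verdict:
      'clean'              live file matches the trusted copy
      'patched-use-cache'  live file differs, dllcache copy is still good
      'patched-cache-bad'  live file differs and dllcache is missing or also
                           bad (WFP already re-copied the patched file)
      'no-reference'       no trusted copy or no live file, cannot judge
    """
    system32 = win_root / "WINDOWS" / "system32"
    verdicts = {}
    for name in names:
        clean = clean_store / name
        live = system32 / name
        cache = system32 / "dllcache" / name
        if not clean.is_file() or not live.is_file():
            verdicts[name] = "no-reference"
            continue
        good = sha256_of(clean)
        if sha256_of(live) == good:
            verdicts[name] = "clean"
        elif cache.is_file() and sha256_of(cache) == good:
            verdicts[name] = "patched-use-cache"
        else:
            verdicts[name] = "patched-cache-bad"
    return verdicts

def demo():
    """Constructed fixture: fake file contents, not real Windows binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "slave" / "WINDOWS" / "system32"
        cache = sys32 / "dllcache"
        store = root / "clean_store"
        for d in (cache, store):
            d.mkdir(parents=True)
        # a.dll untouched: live, dllcache and trusted copy all identical
        for d in (sys32, cache, store):
            (d / "a.dll").write_bytes(b"clean-a")
        # b.dll: live copy patched, dllcache copy still clean
        (sys32 / "b.dll").write_bytes(b"patched-b")
        (cache / "b.dll").write_bytes(b"clean-b")
        (store / "b.dll").write_bytes(b"clean-b")
        # c.dll: live copy patched and WFP already overwrote dllcache with it
        (sys32 / "c.dll").write_bytes(b"patched-c")
        (cache / "c.dll").write_bytes(b"patched-c")
        (store / "c.dll").write_bytes(b"clean-c")
        return check_system_files(root / "slave", store,
                                  ["a.dll", "b.dll", "c.dll", "d.dll"])

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    Files reported as `patched-cache-bad` are the ones for which a copy from the clean store or an I386 folder has to be staged before the force-delete, exactly the situation the post warns about.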
     
  23. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Hey Nosirrah, very informative, so this is how a professional cleaner deals with malware ! I should admit that a great deal is beyond my understanding though. ;)
     
  24. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    What does anyone think about hooking up the infected PC's drive as a slave on another machine where you have a dedicated master drive that has many cleanup tools installed?

    Of course this master drive boots into Returnil mode when the infected slave is attached.

    Do you think some memory resident infections may be a prob and not detected as these won't be active?
     
  25. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    I did slave scanning for a while before I switched to non-sig tools and there is one problem that happens from time to time.

    If you have malware that has hijacked the registry in a way that certain services or critical Windows components have become dependent on the malware and you remove just the malware from a slave scan, goodbye boot.

    You can get around this by using regedit and Load Hive to load and correct the registry from the infected drive remotely.

    As far as an infected slave drive infecting the work system, I never had it happen but I would not trust that completely. I have not tried it but I'm guessing there could be a way with the MBR to infect another system with a slave drive.

    EDIT:

    When I did this I had Ghost set up on my work machine so I had a way out. I also had PG set up so if I did accidentally run something I could just deny it.
     