Strategy to disinfect/scan infected computers?

Discussion in 'other anti-malware software' started by wearetheborg, Aug 17, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    A companion thread to
    https://www.wilderssecurity.com/showthread.php?t=279793

    If a computer is already infected, I would assume that it can cause the anti-malware software to give false negatives. What strategy do you follow for scanning other people's computers?

    I'm considering making a UBCD4Win and slipstreaming these programs in, and booting from the CD.

    Any easier method?
     
  2. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    185
    Location:
    Bangladesh
    I frequently use Dr.Web CureIt and the Kaspersky AVP tool to clean infected machines, and both of them are fantastic.
    Then I install Avast and schedule a boot-time scan just to check everything is OK.
    However, if the machine is heavily infected I think a reformat is the best option.
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I use UBCD4Win (with additional plugins added) upon heavily infected systems, to good effect. At the least it'll get the system usable again, and even if it fails you have access to a whole array of backup/imaging tools, etc. to facilitate reinstallation easily. Personally I couldn't imagine being without it now; it just has so many uses in system repairs. Bear in mind, though, that not all software functions properly within a PE, so if you plan to create your own plugins expect a fair amount of trial and error.

    Some of the extras I've added successfully to my disk are:

    Paragon B&R
    Dr web Cureit
    A2 hijackfree
    Easeus Data Recovery
    Sophos CL AV
    Minitool Partition Recovery
    Easeus Partition Master
     
    Last edited: Aug 17, 2010
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    HITMAN PRO! MBAM! HITMAN PRO!
    then install Prevx SafeOnline. :D
     
  5. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    I clean several infected PCs on a weekly basis, and it is extremely rare for me to use a bootable "rescue" CD of any kind. Even on heavily infected systems w/ rootkits you can get HMP to run in Force Breach mode. Afterwards I will typically run ComboFix, look at the log and remove other infections, CCleaner to take out the garbage and speed up scans, then run MBAM. Now it's time to fire up HJT and look at the log. If it's clean I'll usually install Avast or Avira, configure the settings, and run a quick scan. Now it's time to remove exploited software (Java, QT, Flash, etc.) and install the latest versions, Windows updates, other assorted cleanup. Secunia comes in real handy.

    I like HMP so much that I have a couple of paid licenses.
     
  6. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    -CCleaner
    -DiskMax

    ----------------
    -HMP
    -EAM
    -MBAM

    ----------------
    -GMER
    -Sophos A/R

    ----------------
     
  7. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    My strategy is usually like this:

    Preparation Step: KillProcess (2.44) + Autoruns (10.02) + Process Explorer (12.04) + Remove Fake Antivirus (1.65)

    1. Kaspersky VRT (9.0.0.722) or Bootable CD, if system is severely infected
    2. Dr.Web CureIt or Bootable CD, if system is severely infected
    3. Malwarebytes Anti-Malware (1.46) + SUPERAntiSpyware (4.41.0.1000) Portable
    4. Panda Anti-Rootkit (1.08) + GMER (1.0.15.15281)
    5. HiJackThis (2.04)
    6. CCleaner Slim 2.34.1200 + Comodo System Cleaner (2.2.335611.5) + PC De-Crapifier (2.2.5)

    If the system is highly infected, I back up all/important data (depends on the data and its size) using Active Boot Disk Suite (5.0.5) (it also helps to manually remove notorious files from partitions other than the system partition) and reinstall the OS on the client computer.
     
  8. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,285
    I never disinfect.

    If I get infected while using Returnil, I reboot. If problems remain or if I get infected while Returnil is not in use, I restore a clean image of the system partition (usually less than 10 minutes).
     
  9. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    Regardless of what some others might say, you have the basic understanding right. You need to eliminate the possibility that active malware can interfere with the removal process, and you do that by eliminating the possibility that malware on the suspect drive can become active in memory in the first place. This means either booting from a rescue CD as you're suggesting, or removing the drive and attaching it to a second computer as a slave drive.

    Some of the time (perhaps even most of the time) you may be able to actually neutralize malware while operating in the compromised system itself, but not all of the time.

    Now if you want an easier method of recovery than booting clean and disinfecting, I would suggest booting clean and restoring a previously made image of the drive. That may not be feasible depending on the scenario you're dealing with (you should be able to do this for your own systems, but maybe not other people's).
     
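    The offline approach kwismer describes (boot clean or slave the drive, so nothing on the suspect volume gets a chance to run) lends itself to a scripted first triage pass. The following is an added example written for this thread, not a tool any poster mentioned. It assumes the suspect volume is mounted read-only on a clean machine (on Linux, something like `mount -o ro,noexec,nodev,nosuid`; the mount point path is an assumption) and only ever reads bytes from it: it flags files by location alone (autorun.inf at the root, executables in temp/profile folders, anything in a Startup folder) and records SHA-256 hashes so they can be looked up on a clean box. The sample tree built by `build_sample_volume()` is constructed and stands in for the real drive.

```python
"""Offline triage of a suspect Windows volume mounted read-only on a clean system.

Added example for this thread; not any poster's tool. Nothing under the mount
point is executed, only read, so the suspect drive's malware never gets into memory.
"""
import hashlib
import os
import tempfile

# Extensions Windows will execute (or script hosts will run) by double-click/autostart.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}

# Directory prefixes (relative to the volume root, lower-case, forward slashes) where an
# executable is suspicious by location alone: temp folders, user profiles, recycler.
SUSPECT_PREFIXES = (
    "windows/temp/",
    "documents and settings/",   # XP profiles
    "users/",                    # Vista/7 profiles
    "programdata/",
    "recycler/",
    "$recycle.bin/",
)


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks; the bytes are read, never executed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_volume(mount_point):
    """Walk the volume and return (relative_path, reason, sha256) for suspicious files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(mount_point):   # does not follow symlinks
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mount_point).replace(os.sep, "/")
            low = rel.lower()                      # NTFS is case-insensitive
            ext = os.path.splitext(low)[1]
            reasons = []
            if low == "autorun.inf":
                reasons.append("autorun.inf at volume root")
            if ext in EXEC_EXT and low.startswith(SUSPECT_PREFIXES):
                reasons.append("executable in user-writable/temp location")
            if "/start menu/programs/startup/" in low:
                reasons.append("file in a Startup folder")
            if reasons:
                findings.append((rel, "; ".join(reasons), sha256_of(full)))
    return findings


def build_sample_volume():
    """Constructed sample tree (not real malware) standing in for a mounted suspect drive."""
    root = tempfile.mkdtemp(prefix="suspect_")
    files = {
        "autorun.inf": b"[autorun]\nopen=RECYCLER\\svchost.exe\n",
        "RECYCLER/svchost.exe": b"MZ constructed-sample",
        "Users/bob/AppData/Local/Temp/update.exe": b"MZ constructed-sample",
        "Users/bob/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.vbs": b"' constructed",
        "Windows/System32/kernel32.dll": b"MZ constructed-legit",
        "Users/bob/Documents/notes.txt": b"hello",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    for rel, why, digest in triage_volume(vol):
        print(f"{digest[:16]}  {rel}  <- {why}")
```

    Location-based flags are only a starting point (plenty of legitimate installers drop executables in Temp), which is why the hashes are kept: look them up from the clean machine, and treat any hit as a reason to follow the "restore a clean image" route rather than to keep cleaning.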
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Very simple: ComboFix and Hitman Pro ;) :thumb: The PC is back to normal :)
     
  11. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Hitman Pro :cool:, and for leftover registry entries MBAM or SAS.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    And after you think it's all cleaned up:

    chkdsk /r

    sfc /scannow
     
  13. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    The tool I really use the most is the EAM command line scanner; I've never needed a boot CD.
    Even on the MOST infected laptop I've ever cleaned xD
    It had over 400 malware infections (without cookies) when scanned with EAM :D
    Later I used MBAM and HMP :rolleyes:
     
  14. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm#cleanup

    Below is a combat-proven cleaning process for removing stubborn malware. (Start with boot CDs to kill most resistance before going to Windows.)

    1. AV boot cd - Avira/Kaspersky
    2. UBCD4Win + DrWeb Cureit/Emsisoft Emergency*
    3. Hitman Pro**
    4. Malwarebytes antimalware
    5. Prevx free + manual cleaning with UBCD4Win if needed
    6. Switch Windows firewall on.
    7. Winpatrol (for manual analysis: HOSTS-file, startups etc.)
    8. Uninstall old AV. Install new AV and scan with it.
    9. CCleaner
    10. Verify the Integrity of Windows system files (sfc /scannow)
    11. Check for Windows/Microsoft updates.
    12. Check updates of other programs with Secunia Software Inspector
    13. Empty the system restore and create a new restore point. (XP, Vista/7)
    14. run chkdsk /r


    *) Note that all these portable anti-malware tools can be used with the UBCD4Win boot CD.

    **) If you meet malware that still blocks executables, try a "Force Breach" start of Hitman Pro (hold the left Ctrl key until the man with the ladder appears while opening Hitman Pro). If you get a UAC prompt you need to keep holding Ctrl while you acknowledge the message. In case the internet connection is broken or unavailable, start an Early Warning Scoring (EWS) scan by selecting it from the Next button. This will also reveal: 1) The use of a local proxy server (an indication of malware redirecting or sniffing your web activity). 2) Check and fix an invalid Winsock stack. 3) Detect problems with NDIS (Network Driver Interface). 4) Track down rootkits or other malware that are cloaked, perform suspicious activity or have many bad characteristics (unethical construction and/or behavior).
     
    Last edited: Aug 19, 2010
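    Two of the manual checks in ako's list, the HOSTS-file review in step 7 and the "local proxy server" indicator from the Hitman Pro EWS note, can be done by hand with a text editor and `reg query`, but it helps to see exactly what counts as a hit. The following is an added example for this thread, not WinPatrol's or Hitman Pro's code. It runs on constructed sample text embedded below; to use it for real, feed it the contents of `C:\Windows\System32\drivers\etc\hosts` (or the same path under a mounted suspect volume) and the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`. The list of security/update domains is an assumption chosen for illustration.

```python
"""Flag HOSTS-file hijacks and a local/PAC proxy in WinINet settings.

Added example for this thread; not any vendor's code. Both inputs are constructed
samples so the script runs offline.
"""
import ipaddress
import re

# Constructed sample HOSTS file: clean loopback lines plus typical hijack entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- entries below are constructed for the example ---
127.0.0.1       www.virustotal.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         update.microsoft.com
203.0.113.7     www.mybank.example
203.0.113.7     www.google.com
"""

# Constructed sample of `reg query ... "Internet Settings"` output.
SAMPLE_REG = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ       127.0.0.1:8118
    AutoConfigURL  REG_SZ       http://203.0.113.9/wpad.dat
"""

# Assumed list: vendors/update hosts that malware blackholes so the victim cannot update.
SECURITY_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "kaspersky.com",
    "avast.com", "avira.com", "malwarebytes.org", "virustotal.com", "surfright.nl",
)


def is_security_domain(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            yield ip, host.lower()


def check_hosts(text):
    """Return (host, ip, reason) for every entry that is not the stock localhost line."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((host, ip, "unparseable address"))
            continue
        if is_security_domain(host):
            findings.append((host, ip, "security/update domain overridden in HOSTS"))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((host, ip, "domain blackholed to loopback/0.0.0.0"))
        else:
            findings.append((host, ip, "domain redirected to another host (phishing/MITM)"))
    return findings


def check_proxy(reg_text):
    """Parse `reg query` output; flag an enabled local proxy and any PAC script URL."""
    values = dict(re.findall(r"^\s*(\w+)\s+REG_\w+\s+(.+?)\s*$", reg_text, re.M))
    findings = []
    enabled = int(values.get("ProxyEnable", "0x0"), 16) == 1
    server = values.get("ProxyServer", "")
    if enabled and server:
        host = server.rsplit(":", 1)[0]
        try:
            local = ipaddress.ip_address(host).is_loopback
        except ValueError:
            local = host.lower() == "localhost"
        why = "local proxy: traffic is being intercepted/redirected" if local else "proxy enabled"
        findings.append(("ProxyServer", server, why))
    if values.get("AutoConfigURL"):
        findings.append(("AutoConfigURL", values["AutoConfigURL"],
                         "PAC script can silently redirect traffic"))
    return findings


if __name__ == "__main__":
    for host, ip, why in check_hosts(SAMPLE_HOSTS):
        print(f"HOSTS  {ip:<15} {host:<26} {why}")
    for key, val, why in check_proxy(SAMPLE_REG):
        print(f"PROXY  {key:<14} {val:<26} {why}")
```

    A stock Windows HOSTS file contains only the two `localhost` lines (and on Vista/7 nothing active at all), so every other entry deserves a look; a loopback proxy on a machine where the user never installed one is the classic sign of a traffic-redirecting infection, which is exactly what the EWS "local proxy server" check is reporting.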