
virus removal

JeffBeall asked:
I'm going to help a friend remove a virus from their computer tomorrow, so today I want to get all the best tools for the job and go "loaded for bear" tomorrow to hopefully fix him up in a hurry.
Traditionally I like to put the hard drive of the infected computer in my clean computer and have my computer clean the infected drive.
I do this because it seems like the latest viruses disable most of the things that help to defeat them. So if the infected drive isn't the boot drive, then the virus can't defeat things like the Task Manager.
Having said all that, I was thinking of bringing Malwarebytes and ComboFix, and on my PC I have an updated Windows 7 and Microsoft Security Essentials (updated).
How does this sound for a plan of attack?

Assistant Vice President\Network Manager
Commented:
Those are good tools and I would suggest TDSSKiller and Spybot as well. Perhaps download a copy of Avast (or some virus protection) in case they don't have any.
Commented:
I'd add HijackThis available here:

http://free.antivirus.com/hijackthis/

And I'd check the Bleeping Computer forums for any additional suggestions:

http://www.bleepingcomputer.com/
Author of the Year 2011
Top Expert 2006
Commented:
"Slaved scans" are problematic for a lot of reasons - primarily because Windows File Protection service is NOT running. Your scanner could therefore delete critical system files - with no way for Windows to replace them when you try to start the OS - ergo instant BSOD.

For general guidelines, read this EE Article:
Malware Fighting – Best Practices

For specific tools and instructions, read these EE Articles and post the logs when you are done:
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware
Rogue-Killer-What-a-great-name
Kent W, Sr. Network / Systems Admin
Commented:
Another option: if there is a restore point previous to when the virus was contracted, you can roll it back to that date. Bam. Done. Of course, you lose any info he's saved between there and there, but sometimes that's a very acceptable loss. We usually try this method quickly upon someone getting infected, and usually can roll them back 4-24 hours, painlessly, pretty quickly.
Commented:
I would not recommend your approach to slave the infected drive to your clean system (containment is key). Instead check out System Sweeper below: boot the infected system with it.
Once System Sweeper is done you can install e.g. Hitman Pro (second-opinion cloud-based scanner)
and finish with it. This should take care of all the infections (including rootkits and redirectors).

You can download and use http://connect.microsoft.com/systemsweeper for free
and check the formerly infected systems. Another good scanner is Hitman Pro (cloud-based AV): http://www.surfright.nl/en/downloads

Author

Commented:
I've used ComboFix and Malwarebytes and like these tools, but once or twice even these tools were defeated. I have tried them in "normal mode" and the install of Malwarebytes wouldn't complete. Same with ComboFix.
When you can't install these tools, what other choice is there?
That is why I was thinking of a "slaved drive scan".
Kent W, Sr. Network / Systems Admin

Commented:
Also, I've used the Ultimate Boot CD (just Google it and burn the ISO to DVD), or the Kaspersky Rescue Disk.
Both work well and include a plethora of removal tools.
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
To install Malwarebytes when it won't (because of infection), you need to rename it prior to install and then again after install. That is the normal method of getting it to run.
Author of the Year 2011
Top Expert 2006

Commented:
As noted in the EE Articles I referenced, you need to run a 'rogue process stopper' before you take your next steps.

Please take a few minutes to review the information provided and ask for clarification either in the Articles or here.

Kent W, Sr. Network / Systems Admin

Commented:
Third interjection, sorry... The Ultimate Boot CD has a Malwarebytes downloader / installer that runs in the boot space set up by TUBCD (an X-type virtual desktop). I was able to run, update, and scan when, on the infected drive, I wasn't able to run it at all.
Author of the Year 2011
Top Expert 2006

Commented:
To get a legitimate copy of Malwarebytes go here: http://www.malwarebytes.org/ and you will be linked to here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

Comment copied from earlier post by 'rpggamergirl':
I would not use HitmanPro, too risky; it's not that good for removing infections, especially when system files are patched.
Since last year there have been many reported unbootable PCs after scanning with HitmanPro.

These below are just in one forum.

Posted 24 November 2011: Ran Hitman Pro 3.5 now Windows won't boot
http://www.geekstogo.com/forum/topic/310549-ran-hitman-pro-35-now-windows-wont-boot/

Posted 21 November 2011: Hitman Pro 3.5....Can't Boot. Please HELP!
http://www.geekstogo.com/forum/topic/310433-hitman-pro-35cant-boot-please-help/

Posted 14 November 2011: Hitman Pro killed my OS...
http://www.geekstogo.com/forum/topic/310084-hitman-pro-killed-my-os/

Posted 08 November 2011: Used Hitman pro 3.5 to remove google redirect virus and now computer won't boot.
http://www.geekstogo.com/forum/topic/309834-used-hitman-pro-35-to-remove-google-redirect-virus-and-now-computer-wont-start/
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
I agree with younghv. Please read the referenced articles. They are there because they offer good information, usually gathered and tested over time.
Karl, Senior Technical Consultant
Commented:
I have used Malwarebytes, ComboFix and a good few others, and the ones that have got me going where others have failed are the free AVG Rescue CD and also the free Sophos command line scanner.
Author of the Year 2011
Top Expert 2006

Commented:
@mugojava -
The information in your comment here (http:#a37247107) is incorrect.

A "System Restore" ONLY affects the System files - it leaves any data and/or profile files strictly alone.
Kent W, Sr. Network / Systems Admin

Commented:
@younghv good to know.  We've had to restore other than system files on a few occasions after using a restore point, so I don't know if that's always 100%.  We use roaming profiles also, so that's a little different than a local profile.  It's always been successful in reverting a system recently infected, so it's our first action to try.  Second is the Kaspersky rescue CD or the UBCD, both of which have saved an otherwise eaten-alive system.  

Author

Commented:
Aren't all the suggestions for using CDs like using a "slave drive" virus thing?
Author of the Year 2011
Top Expert 2006

Commented:
"Aren't all the suggestions for using CDs like using a "slave drive" virus thing?"

As noted previously, the information you are seeking is in the Articles.

Point number 5 from the "Best Practices" Article:
***********************
BootCD SCANS

Is similar to slaving a drive (the drive is inactive):

The virus scanner's database on the BootCD is most likely outdated.
It can't create restore points (the System Restore service is not running).
System File Protection is not on, so the system could wind up with missing system files and broken configurations.
You get errors because registry values are not removed, so you still need to scan again within Windows to remove redundant registry entries.


Author

Commented:
younghv, that's what I was referring to, meaning that I shouldn't use CDs.
Author of the Year 2011
Top Expert 2006

Commented:
When a Windows OS is running, System Files are protected from deletion. If you delete one, Windows will automatically replace it.

When you use a Boot CD or Slave a drive - and delete a system file - it may be a critical one that will not let the system boot-up.

It used to be very common practice to make that recommendation, but it obviously is a potentially dangerous procedure to use.

A possible exception to that would be the Windows "System Sweeper" (mentioned above) - but only if the system won't boot to either Normal or Safe Mode:
http://connect.microsoft.com/systemsweeper
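An added example, not from any post in this thread, for the two side effects younghv describes above and in the "Best Practices" point 5 extract: once the cleaned machine boots back into Windows, verify the protected system files an offline (slaved or boot-CD) scan could have removed, and check the restore-point situation before the in-Windows rescan. It assumes an elevated PowerShell prompt on Windows 7 or later; the sfc switches and cmdlets are standard Windows ones, and the checkpoint description text is made up.

```powershell
# Added example, not from this thread. Run in an elevated PowerShell prompt
# on the cleaned machine after it boots back into Windows normally.
$ErrorActionPreference = 'Stop'

# 1. Protected system files. SFC uses the same protection mechanism that would
#    have replaced a deleted file had Windows been running during the scan.
#    /verifyonly reports without repairing; details go to CBS.log.
Write-Host 'Verifying protected system files (several minutes)...'
$sfcRaw = & "$env:windir\System32\sfc.exe" /verifyonly
# sfc writes UTF-16; when captured it can show up with embedded null characters.
$sfcText = ($sfcRaw -join "`n") -replace "`0", ''
Write-Host $sfcText
Write-Host "Details: $env:windir\Logs\CBS\CBS.log"
if ($sfcText -match 'integrity violations' -and $sfcText -notmatch 'did not find') {
    Write-Warning 'Integrity violations reported; run "sfc /scannow" before rescanning.'
}

# 2. Restore points. An offline scan cannot create one (System Restore was not
#    running), so confirm the service is on and note the newest point you have.
$systemDrive = "$env:SystemDrive\"
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
            Sort-Object SequenceNumber -Descending)
if ($points.Count -eq 0) {
    Write-Warning 'No restore points found; enabling System Restore on the system drive.'
    Enable-ComputerRestore -Drive $systemDrive
} else {
    $latest = $points[0]
    # CreationTime is a WMI (DMTF) timestamp string; convert it for display.
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($latest.CreationTime)
    Write-Host ("Newest restore point: '{0}' created {1}" -f $latest.Description, $when)
}

# 3. With the OS and its protection services running again, take a checkpoint
#    before the in-Windows rescan for leftover registry entries. (Windows 8 and
#    later skip the request if a checkpoint was taken in the last 24 hours.)
Checkpoint-Computer -Description 'After offline malware scan' -RestorePointType 'MODIFY_SETTINGS'
```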
Kent W, Sr. Network / Systems Admin

Commented:
@ JeffBeall & younghv
Actually, UBCD is similar to a Live CD, it brings your machine up with network connectivity, and you can run and update the AV / Malware software provided in the software list.  It's all GUI based, and, yes, it does look at the infected drive as a slave drive, but from my experience, it's only found and removed actual infected files. You have the chance to review what is being removed, also.   I've never had it render a system inoperable.  Plus, keep in mind, if it does remove a system file, that file was almost surely infected, so you weigh cleaning it vs running with an infected dll or similar.  
In most cases, you are doing this to prevent a complete reload...so, in many instances, it's a great choice.  
Many times once FakeAV or variants hit, you don't have many choices.  
1. You can fight it for days, attempting to load stand-alone cleaners, and never really be sure it's not in a trojan state.
2. Use something like a UBCD or Kaspersky Rescue Disk that gives network connectivity and updated definitions.
3. Reload OS from scratch. Reloading from scratch always wipes out all existing system files ;)

System Sweeper may be another option, but that's in Beta, with limited use factors... jury is still out. But, I know what has worked for us in fighting this crap on over 100 workstations, so, real use scenario I'm laying out, whoever wants to heed. We stopped trying to one-on-one war with the FakeX junk a long time ago... now, we first do a system restore, if possible, then fight with one of the good boot CDs; if that doesn't work, we reload the OS. But, all our users are instructed to keep "important" files in network locations, so if they really lose much, it's on them. That's not the case with everyone, I do understand. But, when you gotta... you gotta. Many variants of malware that hit today don't leave a whole lot of options.

A note on prevention - the full version of Malwarebytes or a cloud-based *good* scanning / active protection system like Mcafee SaaS is a pretty cheap way to keep the junk off systems in the first place.
Author of the Year 2011
Top Expert 2006

Commented:
Time for me to walk away from this.

@JeffBeall -
Please evaluate all the advice you have been given and make your best decision as to what will help you - at the least risk to your systems.

Those of us who actually specialize in treating malware infections take some pride in staying current with best practice procedures and focus on what works now - as opposed to years old practices.

Good luck with solving this one.

/unsubscribe

Author

Commented:
First off, I want to thank everyone for all the responses!
I didn't know I would get such a great response.
I am helping a friend, and a reinstall is not practical, but might be the final option.
I agree with mugojava: at work I wipe and reload Windows because I always tell everyone to put their files on our file share. I know that whoever writes these things is smarter than me.

Author

Commented:
Thanks for all the help. I have renamed Process Explorer, Malwarebytes and ComboFix. I think I'll try Process Explorer and Malwarebytes first.
Maybe I'll get lucky and this will be a pretty tame virus; I can always hope.