How-to Guide for Virus/Trojan/Malware Removal

Looks interesting. Did some quick research on it, and people seem to generally say it has a very high false-positive rate....
 
Very good guide. However, Spybot's best days are long long past gone. Now it's slow, buggy and can't detect meaningful spyware anymore.
 
> Very good guide. However, Spybot's best days are long long past gone. Now it's slow, buggy and can't detect meaningful spyware anymore.

It has its uses still. I will admit it's not the greatest at detection and removal anymore, but the web browser "inoculation" is still useful.
 
MBAM, it seems, is becoming too popular. On the last three Vundo variants I've seen, I have been unable to install or run MBAM at all. For some reason, though, I've been able to install SuperAntiSpyware and actually run it to remove them....
 
> Very good guide. However, Spybot's best days are long long past gone. Now it's slow, buggy and can't detect meaningful spyware anymore.

Yes it does. While I agree it's not as good as MalwareBytes or SAS, it still does find remnants that the others use. We still use it on the bench when we have time for doing lengthy scans on clients' infected rigs...and I still see it pick up a few items the others missed. Yes, legit items...not just useless things like cookies.

A lot of the time I only have time to run a few scans...so I'll use the big boys....I know they'll not get 100% of the stuff, but I'm fine with the idea that they seem to get the majority of the stuff, and what they miss will be ineffective in coming back. But sometimes we have the time to run a few scans using a few more tools...and I'll notice Spybot still picks up a few more things.
 
> MBAM, it seems, is becoming too popular. The last three Vundo variants I've seen I have been unable to install or run MBAM at all. For some reason, though, I've been able to install SuperAntiSpyware and actually run it to remove them....

Yeah, I ran into a few machines several months ago that were hit with that REALLY nasty new variant of Windows Police Pro. That variant was the toughest one I've ever run across. Anyways, one of its features...blocked installs, and running...of your usual cleaning programs.

MalwareBytes, for example: I renamed the installer "installmwb.com"...and then the executable to launch it from mbam.exe to something like mally.com...and ran it.

SymantecUnhookexec.inf restores some of the shell\open\command functions which are hosed by the rogues.
 
Just to add to "the shotgun effect".....a heavily infested rig that came into our bench a few days ago; our main break/fix guy Dave has been working on it. Got whacked with a trojan that did the "log off" as soon as you logged in; the usual "userinit" replacement fixed that.

Anyways...MalwareBytes found a ton of stuff, replaced their McAfee with NOD32v4, found a ton of stuff, SAS found a bit more, Spybot found a bit more..

This morning Dave ran the Microsoft Malware Removal Tool..that thing most people never run; it updates via Microsoft Update. You can run a manual scan with it: start==>run==>MRT. It found another half dozen trojans.

Microsoft Security Essentials probably would have found the same, as I'm guessing they share definitions somewhat....but in case I didn't mention the MRT in prior posts in this thread...I've seen it pick up things other good programs miss...several times. It's built into Windows...why not use it! :cool:
 
Latest malware we've run into here at work sets IE to use a proxy under the LAN settings. After using mbam to remove, users were complaining they couldn't get into the internet afterwards. We had been removing profiles, which fixed this issue, but found the proxy setting while looking into things a little closer. Easy fix if someone is having issues after a removal.
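As an added example (not from the thread or from any of the tools named in it), a read-only PowerShell check for the two kinds of leftover the posts above describe: the WinInet proxy that IE's "LAN settings" dialog edits, and a hijacked .exe association of the kind Unhookexec.inf resets. The registry paths are the standard ones; the expected association value `"%1" %*` is the stock Windows setting.

```powershell
# Post-cleanup sanity check (added example, not the thread's own script).
# Reports only; it changes nothing. Run in the cleaned user's session.

function Test-MalwareLeftovers {
    $findings = @()

    # 1. WinInet proxy, i.e. what IE's "LAN settings" dialog writes (per-user).
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1) {
        $findings += "Proxy enabled: ProxyServer='$($p.ProxyServer)'"
    }
    if ($p -and $p.AutoConfigURL) {
        $findings += "PAC script configured: AutoConfigURL='$($p.AutoConfigURL)'"
    }

    # 2. Per-user .exe class redirect. A stray HKCU\Software\Classes\.exe whose
    #    default is not "exefile" routes every program launch through another
    #    class, which is how rogues block cleaning tools from starting.
    $dotExe = 'HKCU:\Software\Classes\.exe'
    $cls = (Get-ItemProperty -Path $dotExe -ErrorAction SilentlyContinue).'(default)'
    if ($cls -and $cls -ne 'exefile') {
        $findings += "Per-user .exe class redirected to '$cls'"
    }

    # 3. shell\open\command for exefile, machine-wide and per-user.
    #    Stock value is "%1" %*  (run the file itself with its arguments).
    $expected = '"%1" %*'
    $cmdKeys = @(
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
        'HKCU:\Software\Classes\exefile\shell\open\command'
    )
    foreach ($key in $cmdKeys) {
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($val -and $val -ne $expected) {
            $findings += "Hijacked exe association at ${key}: '$val'"
        }
    }

    return $findings
}

$results = Test-MalwareLeftovers
if ($results.Count -eq 0) { Write-Output 'No proxy or exe-association leftovers found.' }
else { $results | ForEach-Object { Write-Output "FINDING: $_" } }
```

A non-empty result is the cue to clear the proxy in Internet Options (or remove the value) and to run Unhookexec.inf or restore the association by hand before handing the machine back.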
 
> Yeah I ran into a few machines several months ago that were hit with that REALLY nasty new variant of Windows Police Pro. That variant was the toughest one I've ever run across. Anyways, one of it's features...blocked installs, and running...of your usual cleaning programs.
>
> MalwareBytes for example, I renamed the installer "installmwb.com"...and then the executable to launch it from mbam.exe to something like mally.com...and run it.
>
> SymantecUnhookexec.inf restores some of the shell\open\command functions which are hosed by the rogues.

Yeah, I couldn't get MBAM to run at all, even after renaming. That SymantecUnHookExec.inf is freaking awesome though. :D
 
Man, I hate to be such a downer, but I really can't agree with the philosophy of this thread.

Not all spyware can be removed, and from a security standpoint, if that's true, in my mind it means that no spyware can be removed, or at least any machine once infected and then "cleaned" can never be trusted again.

Computers have been abstracted to such a high degree by so many people and for so many people that planting something in a spot nobody checks isn't impossible. Furthermore, it's in the spyware author's best interest to not be found, and not be noticed. Spam relays are interested in routing spam, and if the code thinks you're after it, maybe it modifies its routine to only run between 2AM and 6AM to avoid being discovered. Who knows. These are the same people who've invented (annoyingly strong) polymorphic programs; the only effective solution is a reformat (and even then, there are known ROM-firmware infections).

The only way to really remove spyware as an issue is to remove the vectors it comes in over. To avoid malicious actions against you via computing you need to modify your behavior. Convenience is often the enemy of security; use long passwords and never use the same one twice, check your (inbound and outbound) port activity from time to time, check the certificates/encryption that people claim to be using (MD5 has been cracked!), don't trust every Google result you find, and make sure you're updated!!

I could not DISAGREE more. An operating system can be cleaned and can be trusted again. Under your same "scrutiny" no machine could be trusted at any time, no matter the location. Machines get infected because people are stupid. That is why social engineering is the prominent way of infection these days. Also, what happens if a server shows a sign of infection? Throw it away, it cannot be trusted? Learn your operating systems, understand them, check traffic logs. I would put money up that if you ran the same scan/clean that CC posted, you would find crap on your network. Which in turn means no one could ever trust your network or its info EVER again. What a fallacy. Also, as far as data backups go, they cannot be trusted either if they came from an infected machine. EVER again. I do not see your logic. Stop all traffic that may be a security threat. Every port on your system is a security threat. Every firewall hanging in a demarc is a security threat. Every IT tech that does not go through EVERY line of EVERY log is a security threat.
BTW, the biggest security threats are the ones none of your "appliances" catch. Even TOR is susceptible to man in the middle now. Oh noes!!!!!!!!!1111111111111 What are we to do? Put back on our tinfoil hats and hope for the best?

Good thread Captain. Keep up the good fight.
 
Added rkill to the list of recommended tools. Had this one save the day this morning: killed the Personal Security rogue on a client's computer from a remote session. :D
 
Anyone use GMER?

It's very potent if you don't know what you're doing. The same could be said about many of these tools, but GMER is particularly touchy (it was built for an online community such as ours and the person who wrote it was there to train others on it), and as such I'd caution people who are just giving it a try. It is extremely useful in some situations (for those that don't know, it is somewhat like a very powerful HijackThis with scanning features built in) but I have seen people on forums just click away on it and completely screw their system up to the point where they had to be walked through a repair method or just decide to reformat.
 
> It's very potent if you don't know what you're doing. The same could be said about many of these tools, but GMER is particularly touchy (it was built for an online community such as ours and the person who wrote it was there to train others on it), and as such I'd caution people who are just giving it a try. It is extremely useful in some situations (for those that don't know, it is somewhat like a very powerful HijackThis with scanning features built in) but I have seen people on forums just click away on it and completely screw their system up to the point where they had to be walked through a repair method or just decide to reformat.

It BSODed my PC on 2 separate occasions (scanning both times). Fortunately, I was able to boot back into Windows without any issues.

I went with Rootrepeal and Sophos Anti-rootkit.
 
Here's another good little utility for our "USB bag of tricks"..
FixWin
http://www.thewindowsclub.com/repair-fix-windows-7-vista-problems-with-fixwin-utility

Specific to the topic of this thread, this utility has some tools to re-enable/fix some items that some malware whacks on your system, such as regedit, task manager, tcp/winsock, etc.

Added to the list of nifty tools. Looks like it will come in handy.

I don't know about anyone else but I've seen a rash of new Vundo variants the last week. I've had to clean five client PCs already and two of my relatives . . . . sheesh.....
 
Got infected by AKM Antivirus 2010 Pro. My PC just went haywire. Nothing worked! This thing popped up all over. All my apps and games were reported as infected. This is bogus 100%. It would not terminate, so I used Killbox.exe to delete it.
 
So, you used the tools in the guide and followed the steps outlined and this did not remove the infection? Only Killbox.exe was able to terminate the process?
 
Yes, only Killbox terminated the process. Then I followed the steps on the site in my other post and all went back to normal, no need to re-install the OS.
 
Looks interesting. Have you had a chance to play with it in the wild?

Not on a "tanked" machine yet....ran it on 2x bench rigs at the office just to see its behavior. Runs very quick..pounds certain system files 'n directories, and then rips through the registry. I'm not sure yet how frequently it's updated....as in how frequently one should download a fresh version to keep on their drive.
 
I haven't. Is it free?

There's a 30 day free version; after that..it's scan and report only. It uses several AV vendors' engines wrapped up in one package...cloud based along with Eset, GData, AntiVir I think...and I forget the others...I think it was 5x total.
 
> There's a 30 day free version, after that..it's scan and report only. It uses several AV vendors engines wrapped up in one package...cloud based along with Eset, GData, AntiVir I think...and I forget the others...I think it was 5x total.

Sounds snazzy . . . but . . . it's not free . . . . so not for this list . . . .
 
When you run ComboFix, doesn't it say not to download from several sites, and combofix.org is one of them?
 