Advanced Manual Virus Removal

sharpwitz

I am new to virus removal and it seems like learning to remove a virus manually is a lot faster than running virus scanners. I've also noticed that I reinstall Windows more than I'd like to. I feel like a clean install guarantees everything is removed, but it seems like the lazy way out.

Here are my steps, which seriously need help.

1. HijackThis
2. Check Run and RunOnce in the registry
3. msconfig, to untick startup items and services
4. Sometimes I'll run a Winsock fix or clear out IE settings and cookies
5. CCleaner
6. If it's an EXE problem, I have a script that will fix file type associations
7. Malwarebytes to clean out remnants

A. I don't like to slave the drive and use an AV program to scan. Seems like a waste of time and a bit amateurish?

B. I rely on the Task Manager and msconfig more so than Process Explorer and Autoruns. Am I missing something here?

C. I don't use ComboFix, SmitFraud, FixVundo, CWShredder, SDFix, CoolWebSearch, and Conficker. Maybe I should or is this a waste of time?

D. I heard about using a BartPE disk to load hives? What's that all about, and if it is super important, where may I find a tutorial on using BartPE disks to remove viruses? Maybe a YouTube video?

E. I don't use Rkill or SafeMSI, maybe I should?

F. How can I tell if I am dealing with a rootkit virus?
So many tools to choose from: Avast Antirootkit, AVG Anti-Rootkit, F-Secure BlackLight, Hitman Pro, IceSword, RKDetector, RootAlyzer, Rootkit Buster, Rootkit Detective, RootkitRevealer, Rootkit Unhooker, Sophos, TDSSKiller, UnHackMe, and GMER. Yikes!

Please help decipher all of these tools and techniques for maximum efficiency and competency, to help advance those like me who desire to take it up a notch for personal enrichment's sake.

Thank you.
I feel like a clean install guarantees all things removed but it seems like the lazy way out.

I think that there are times when a clean install is worthwhile, and other times it's not. It's about knowing when to do it.

A. I don't like to slave the drive and use an AV program to scan. Seems like a waste of time and a bit amateurish?

Again, it depends on when you're doing it. Sometimes slaving the drive and scanning it is the best way to get rid of an infection in the MBR, for example. I personally just use a customized UBCD4Win build instead of pulling and slaving the drive.

B. I rely on the Task Manager and msconfig more so than Process Explorer and Autoruns. Am I missing something here?

You absolutely are. The second two are far more powerful and more detailed. Take a while to really learn to use them and understand what they're showing you.

C. I don't use ComboFix, SmitFraud, FixVundo, CWShredder, SDFix, CoolWebSearch, and Conficker. Maybe I should or is this a waste of time?

I use ComboFix and SmitFraud, none of the others. I use them just to clean up after my manual scans, like anything else. They take such a short amount of time to run that I use them as a way to be more thorough.

D. I heard about using a BartPE disk to load hives? What's that all about, and if it is super important, where may I find a tutorial on using BartPE disks to remove viruses? Maybe a YouTube video?

BartPE and UBCD4Win are the same thing; look up UBCD4Win. That page will get you started.

E. I don't use Rkill or SafeMSI, maybe I should?

Depends. I don't use either, but I have them if I ever find the need. Usually I have most stuff cleaned off from inside my UBCD4Win build, so by the time I reboot into Windows there's no need for this stuff.

F. How can I tell if I am dealing with a rootkit virus?

Usually it's installed as a driver.
Task Manager and msconfig are noob tools compared to Autoruns.

Here is my usual removal process

Phase One - Prep
-Disable restore
-CCleaner /auto
-Autoruns

Phase Two - Clean
-Manual folder removal
-Hitman Pro 3.5 (for testing cloud; works great so far)
-a2 Portable for reg keys (4.2 million defs; finds a lot of randoms)
-SUPERAntiSpyware Portable for reg/missed also. These are the only two scanners.
-ComboFix if necessary

Reboot and double-check it is clean; otherwise reboot. If clean, then I go on to my tune-up script:

-Autoruns
-PC Decrapifier
-CCleaner
-Glary (I made this into a portable; clears extra reg keys from startup removed by the three previous programs)
-MyDefrag, silent (auto-installs for XP/Vista)
-Firefox 3.9 w/ Flash and Adblock Plus
-Reg key for showing icons
-XP tweak list reg file

I've got this entirely scripted now. This has helped a great deal because we have four repair techs now doing the exact same thing; it has built consistency as well as helped people without a methodology just walk through it. My admin can now fix computers using this set, which is a huge relief on me, so now I can focus on business clients more.
Phase One - Prep
-Disable restore
I agree with most of your steps. I leave Restore available until I know I'm out of the woods. There have been a couple of times where, despite making a relatively innocuous change, things have gone south on me and System Restore let me back up a step.
I wait to clear Restore until I've got the worst of it removed. Always have a Plan B.

Granted, those couple of times were when I was pretty new to manual removal but it was a good lesson in keeping a card up my sleeve.


Edit: "glary - i made this into portable"
It already is: http://www.glarysoft.com/products/utilities/glary-utilities/builds/
F. How can I tell if I am dealing with a rootkit virus?
So many tools to choose from: Avast Antirootkit, AVG Anti-Rootkit, F-Secure BlackLight, Hitman Pro, IceSword, RKDetector, RootAlyzer, Rootkit Buster, Rootkit Detective, RootkitRevealer, Rootkit Unhooker, Sophos, TDSSKiller, UnHackMe, and GMER. Yikes!

I find the best way to negate rootkits is to do your virus and spyware scans from a live CD such as UBCD4Win or DaRT.
And I'll also give a big thumbs up for Process Explorer and Autoruns.

I concur. It's 2:37 am, and I've got a PC rebooting over and over, not letting a thing in. :) But of course, he wants all his data saved. :D I'm about to pass out over my keyboard... LOL. But anyway, back to his idea: you can't clean a PC with your manual removal methods if you don't also include using a live CD/USB stick with antivirus removal software, because sometimes the system is so screwed up it won't even boot to begin with. :)
Just my 2 cents.
P.S. Shardana is getting a workout from me with this bug. LOL.

** Do keep in mind, there are reasons for everything we do: whether we slave the drive and scan it in another system, use a live CD or live USB stick, use the methods you listed, or even just reinstall everything. ;) I just can't remember what they are at the moment. :D But it's those weird situations you get into, like the PC boots over and over, but the CD won't boot the live antivirus CD, so I have to use USB antivirus or slave it in the virus machine with the cables; eventually you narrow down what you need to do and just do it.

One thing I love doing is running cloud products. THEY SPEED UP REMOVAL of viruses exponentially.
You should always start with a rootkit scan, otherwise you are going to miss infections. I start with GMER, TDSSKiller, and Vba32 AntiRootkit.
Task Manager does not show hidden processes. Malware Defender is probably one of the best tools out there; it combines Autoruns, Process Explorer, Rootkit Unhooker, and WinPatrol, and it also allows fast identification of unsigned files.
It has many settings; you can use it to log files that have been installed, for removal. It's the Swiss army knife of malware removal/blocking tools.
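The posts above keep coming back to the same two checks on whatever Autoruns shows: is the autostart image signed by someone you recognise, and is it where a file of that name belongs (a winlogon.exe sitting in C:\ is malware; the real one lives in C:\Windows\System32). The script below is an added example, not code from the thread or from Sysinternals. It triages an Autoruns CSV export offline; it assumes the column layout that `autorunsc -a * -c -s -h` writes (Time, Entry Location, Entry, Enabled, Category, Profile, Description, Signer, Company, Image Path, Version, Launch String, then hashes), so check the first line of your own export, and the sample rows, entry names, and paths are constructed for the example.

```python
"""Triage an Autoruns CSV export for autostart entries worth a manual look.

Added example, not code from the thread. Assumes the column layout that
"autorunsc -a * -c -s -h" writes; the sample rows below are constructed,
not a real export. If your export is UTF-16, open it with encoding="utf-16".
"""
import csv
import io
import ntpath

# Windows binaries that malware likes to impersonate, and the directory
# (lower-cased) where the genuine copy lives.
EXPECTED_LOCATION = {
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Path fragments that legitimate autostart entries rarely run from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\recycler\\", "\\$recycle.bin\\")

# Constructed sample: one clean Microsoft entry, one clean third-party entry,
# a fake winlogon.exe in C:\, a RunOnce loader in %TEMP%, and an unsigned driver.
SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP
2010-06-14 20:39,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,DESKTOP\bob,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe,5.1.2600.5512,c:\windows\system32\ctfmon.exe,,,,,,
2010-06-14 20:39,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Adobe Reader Speed Launcher,enabled,Logon,System-wide,Adobe Acrobat SpeedLauncher,(Verified) Adobe Systems Incorporated,Adobe Systems Incorporated,c:\program files\adobe\reader 9.0\reader\reader_sl.exe,9.3.0.148,c:\program files\adobe\reader 9.0\reader\reader_sl.exe,,,,,,
2010-06-14 20:39,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,winlogon,enabled,Logon,DESKTOP\bob,,(Not verified),,c:\winlogon.exe,,c:\winlogon.exe,,,,,,
2010-06-14 20:39,HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,asd23,enabled,Logon,DESKTOP\bob,,(Not verified),,c:\users\bob\appdata\local\temp\asd23.exe,,c:\users\bob\appdata\local\temp\asd23.exe,,,,,,
2010-06-14 20:39,HKLM\System\CurrentControlSet\Services,xyzdrv,enabled,Drivers,System-wide,,(Not verified),,c:\windows\system32\drivers\xyzdrv.sys,,c:\windows\system32\drivers\xyzdrv.sys,,,,,,
"""


def triage_entry(row):
    """Return the reasons one Autoruns row deserves a look (empty list = nothing flagged)."""
    reasons = []
    image = (row.get("Image Path") or "").strip().lower()
    signer = (row.get("Signer") or "").strip()
    if not image:
        return reasons
    name = ntpath.basename(image)
    directory = ntpath.dirname(image)
    expected = EXPECTED_LOCATION.get(name)
    if expected and directory != expected:
        # A system binary's name in the wrong folder: the file-structure check.
        reasons.append(f"{name} outside its normal location ({expected})")
    if any(fragment in image for fragment in SUSPICIOUS_DIRS):
        reasons.append("runs from a temp or recycle-bin directory")
    if not signer.startswith("(Verified)"):
        # Autoruns -s verifies Authenticode; anything else is worth a second look,
        # and an unsigned driver is the usual shape of a rootkit install.
        reasons.append("unsigned driver" if row.get("Category") == "Drivers" else "no verified signature")
    return reasons


def triage_csv(text):
    """Parse an Autoruns CSV export; return {entry location\\entry name: [reasons]} for flagged rows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = triage_entry(row)
        if reasons:
            findings[f"{row['Entry Location']}\\{row['Entry']}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_csv(SAMPLE_CSV).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

Run it against a real export with `triage_csv(open("autoruns.csv", encoding="utf-16").read())` if autorunsc wrote UTF-16; what it flags is a worklist for Process Explorer and a manual look at the file, not a delete list, since plenty of legitimate software ships unsigned.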
I don't know about that. I think it depends on the situation. Most malware calls I get are fake AV. They call me up telling me it was working fine, then last night they got this thing telling them they had viruses and now it's screwed up. 90% of those just have the one fake AV virus that takes like five minutes to remove. I'm not bothering to run ARK tools on that beforehand. Afterwards, yes, but I'm going to cure the obvious problem before looking for others.

The rootkit infections I get tend to be where the customer had "odd things" happening and may or may not suspect a virus. Those I treat differently.

I'm yet to meet any rootkits that show no hooks on the various hook revealers such as Rootkit Unhooker or Kernel Detective. Have you?

BTW, that VBA ARK you introduced the other day is very nice, kind of like Kernel Detective for dummies in that it shows you just the stuff that is likely to be relevant rather than 10 tabs of debugging code.

Manual cleaning is about knowing the file structure of the operating system concerned, so that you as a tech can identify files and folders that aren't legitimate. For example, when I am manually looking at the folders and files with my MS DaRT live disc, if I see a file called winlogon.exe in the C:\ partition I know straight away that this is malware, because the correct location for this file is the C:\Windows\System32 folder. As techs we have to familiarise ourselves with the file structure and registry hives of Windows operating systems.

One thing I always do is take a disc image of the client's drive and copy that to removable storage in case something goes wrong. I also agree with the post about not disabling System Restore; System Restore is one of the first things I use if I know exactly when the computer was infected, and it is better to have an infected restore point than nothing at all. I also use Process Explorer to suspend any processes that don't have vendor information, providing of course you have an internet connection. Once I get to this point I run the third-party tools like CCleaner, Hitman Pro, Malwarebytes, file association fixes, and replace the hosts file with the default version. The more you familiarise yourself with the file structure and registry, the better you will be at malware removal.
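Before replacing the hosts file with the default, it is worth reading what the malware put there: loopback (or 0.0.0.0) entries for anything other than localhost are how fake AV blocks vendor update and download sites, and a non-loopback address for a bank or shop is a redirect you want to record for the client. The script below is an added example, not code from the thread. The hosts file it parses is constructed; it uses hostnames under the reserved .example TLD and the documentation address 192.0.2.10, and the live file on the client machine is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Audit a Windows hosts file before resetting it to the default.

Added example, not code from the thread. SAMPLE_HOSTS is constructed:
.example hostnames and a TEST-NET-1 address stand in for whatever a real
infection wrote. The live file is %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Names that legitimately map to the loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus.example   # sinkholes the vendor's update site
0.0.0.0         download.antivirus.example
192.0.2.10      www.bank.example
not-an-address  www.shop.example
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every mapping, ignoring comments and blanks."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            yield lineno, address, name.lower()


def audit_hosts(text):
    """Return every entry a default hosts file would not contain, with a verdict for each."""
    findings = []
    for lineno, address, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            # Not an IP at all: still worth seeing, since it will not resolve as intended.
            findings.append({"line": lineno, "address": address, "host": host, "verdict": "unparseable"})
            continue
        if ip.is_loopback or ip.is_unspecified:
            if host in LOOPBACK_NAMES:
                continue
            # 127.x or 0.0.0.0 for a real hostname blocks it (classic AV-update sinkhole).
            verdict = "sinkholed"
        else:
            # Any other address silently sends the client somewhere else.
            verdict = "redirected"
        findings.append({"line": lineno, "address": address, "host": host, "verdict": verdict})
    return findings


def default_hosts():
    """A safe replacement: both lines are harmless on every Windows version,
    and Windows 7 and later would resolve localhost even without them."""
    return "# Hosts file reset to default\n127.0.0.1       localhost\n::1             localhost\n"


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(f"line {finding['line']}: {finding['host']} -> {finding['address']} ({finding['verdict']})")
```

Save the findings with the rest of your notes for the job, then write `default_hosts()` over the live file; if the file is read-only or Windows refuses the write, that is usually the infection's doing (a hidden/read-only attribute or a hooked file API) and a reason to go back to the rootkit tools before declaring the machine clean.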