What are the steps to efficiently scan & remove viruses & spyware?

I started out slaving and doing scans, but I found that it took too long and too often they wouldn't find the rootkit. All I do now is boot off a UBCD4WIN CD and remove everything manually. Reboot and then run an MBAM scan. This will fix 95% of the current rogue antivirus viruses in under 30 minutes.
 
I usually boot in safe mode and run "Malwarebytes Antimalware".

I heard an interview with the Malwarebytes guy a while ago and he said it's intended to, and runs best, *not* in Safe Mode. He said it takes advantage of (relies on) some of the same technologies as the malware to do the cleanup.

I understand the concerns, I'm just passing along what he said. I want to say it was on Mike Tech Podcast, but I'm not 100% sure.
 
I usually don't slave the drive to run the antivirus software. Usually it takes longer. You run the antivirus when the computer is slaved, but so many viruses are left once you boot the computer back up. I've tested it before. You run the exact same antivirus program that you ran when the hard drive was slaved, and all of a sudden it starts finding so many viruses. It makes slaving the drive almost pointless.

The only time I slave the drive is in the worst case scenario, where windows won't even boot up.

Usually I run SuperAntiSpyware doing a full scan, then Malwarebytes at quick scan, then HijackThis; based on the log file I might use SmitFraudFix or ComboFix. Then I check msconfig, use Autoruns, and use CCleaner to remove temp files, then disable and re-enable System Restore, then I use CCleaner again to remove unnecessary registry entries, but I always back up the registry first.
 
The Elite Killer guide is excellent. I've been looking for an in-depth guide just like it, thanks to wayliff for the suggestion!
 
Hello to all, I was reading the posts here trying to learn more about how people were handling removing malware and viruses, to get better at it, and wanted to add to the discussion.

I usually start by booting to see how bad the computer is. If the desktop is showing, I try to install Malwarebytes and do a manual update. If it installs, I go ahead and install SuperAntiSpyware and manually update it. If it doesn't install I run RKill and try again. I check to see if the customer has antivirus on the PC and if not, I install an extra copy of NOD32 I have. I enable all folders to be seen. I install CCleaner and clean all temp files, and run a scan with MBytes and Super and reboot. When the PC comes back up, I make sure I have the latest updates on everything and run a scan with Dr.Web. I usually run scans w/ MBytes and SuperAntiSpyware until they find no traces of malware. Then I usually run a scan w/ the HouseCall online scanner. I don't deal much w/ HJT or Autoruns because I don't know how to use them, but if anybody has any suggestions on how to learn them, it would be nice to learn. I then uninstall my tools and antivirus and install at least a free copy if they don't buy a copy from me, clean the registry using CCleaner and run a chkdsk. I am now starting to add ThreatFire to my list of installations.

If the desktop does not show, I try RKill and if that doesn't work, I boot to Safe Mode and try it from there, and just start w/ MBytes; when the PC reboots I can usually get to my regular starting point.

For those computers that are locked up or too bogged down, I usually remove the drive, hook it to my laptop and run a set of scans and reinstall the drive, or use a boot disk, and that usually gets me where I can do what needs to be done.

This has all seemed to work really well for me, but recently I had one PC that was showing clean with everything I scanned it with, and someone looked at an HJT log and said I was still infected.

I'm looking to learn, so if anyone has better ways please let me know.
 
I heard an interview with the Malwarebytes guy a while ago and he said it's intended to, and runs best, *not* in Safe Mode. He said it takes advantage of (relies on) some of the same technologies as the malware to do the cleanup.

I understand the concerns, I'm just passing along what he said. I want to say it was on Mike Tech Podcast, but I'm not 100% sure.

Thanks for the info! I'll keep it in mind.
I have been successful doing it like that, but maybe I could have done better.
 
What bothers me is that some techs are only taking a few minutes to find and get rid of viruses etc... This is a time-consuming process. One must remove the files we think are problems/bad, but that's only part of the battle. It seems that a majority of us are on the right track. Scan, scan and scan. Don't rely on just one program. You need to use several programs that have worked for you in the past. Hey, this can take hours and hours, but in the end it's about doing a job you can be proud of. Then there is the joy of seeing the computer work and giving it back to its user. :)


--Jose--
 
For the viruses I'd run Kaspersky. They have a free trial version on their website. For the spyware I'd run Advanced Windows Care and Windows Defender (both free).

If all that fails I'd format and be done with it. Some of this crap is just impossible to remove and it's getting worse.

Or you could try www.aec.cz
I'd avoid IObit's Advanced Windows Care at all costs. Use Malwarebytes' Anti-Malware .... it's from them that IObit steals their database anyway.

Then, once MBAM does its work, let SuperAntiSpyware get its back.

Back in the old days, Spybot & Adaware were the team to deal with. Nowadays, it's MBAM & SAS.
 
I use a combination depending on the infection; one of the most common these days seems to be the pesky fake antivirus stuff. If I can get into Safe Mode I use ComboFix & roguekill first, then mop up with a rescue CD such as F-Secure Rescue (yes, it's slow but very good!)

Once the system is up & running again, clean up & delete the renamed infected files & run a scan with Malwarebytes or SuperAntiSpyware just to be on the safe side. Not had a re-infection yet with this process, well, not through a fault of my own anyway! Customers who don't update antivirus or insist on free ones, oh yeah! :D
 
What bothers me is that some techs are only taking a few minutes to find and get rid of viruses etc... This is a time-consuming process. One must remove the files we think are problems/bad, but that's only part of the battle. It seems that a majority of us are on the right track. Scan, scan and scan. Don't rely on just one program. You need to use several programs that have worked for you in the past. Hey, this can take hours and hours, but in the end it's about doing a job you can be proud of. Then there is the joy of seeing the computer work and giving it back to its user. :)
--Jose--

It is very very rare that I get one that can be repaired in a few minutes.
I try to restore the system back to proper working order, which seems to be very rare. Most of the infections that come to me are associated with rogue security programs which have also let in numerous other infections. The time-consuming part is that after removing the infections there is often much more work to be done, such as:

* repair windows update
* repair web browsers
* repair the e-mail application (calendar, notifications, server connection)
* restore address books if possible
* verify that Microsoft Office programs work (save locations, default templates, etc.)
* restore desktop icons if possible
* repair favorites/bookmarks association to web browsers
* repair QuickBooks links to files and server
* repair drawing programs (Autodesk, SmartDraw, CADPro, TurboCAD, etc.)
* repair photo editors' relationship to jpeg and raw files
* reinstall JAVA and discover which programs require special JRE's
* repair security permissions for God knows how many files
* reinstall itunes (infections often damage files used by itunes)
* reinstall wireless keyboard and mouse

Disinfecting the computer was the easy part.
 
Everyone had great suggestions. I think another thing that needs to be pointed out is to make sure to check for updates on:
Java, Flash, Adobe Reader and of course Windows


"NOT Helpful"
You can get 99% of them by hand with no scanners. Scanners should not be used as a crutch. They should be used at the end to finish the job by scanning for all the random junk that doesn't matter and getting rid of it.

"Helpful"
Since I'm trying to differentiate myself from the big box stores, I rarely wipe and reinstall (unless the person has practically nothing on their computer).

My clients usually are having problems because they not only click on the wrong things, they (1) have no antivirus or let it expire, or (2) are having problems because they're running too many AV/malware programs. As part of the cleanup process, I usually have to uninstall a few programs.

I make sure that the hidden files are viewable, then almost always run CCleaner, Malwarebytes, and HijackThis. (I usually forget to do this, but I've read that it's good to enable all programs in startup/msconfig.)

Then, depending on what it is, I try fixes specific to the problem (googled):

Two good sites for such fixes are Bleeping Computer and MajorGeeks.

For example, I got the following from Bleeping Computer on how to remove Windows Police Pro that's worked very well for me:

[unable to post URL!]

Sometimes removal tools, such as ComboFix (which I understand is no longer available), are the only things that do the trick, not to mention fix damage to Windows/connectivity problems. (FYI: ComboFix can be dangerous if you're in a hurry . . . )

I finish with an online scan (usually either BitDefender or Symantec) in Safe Mode to be sure I got everything, and then toggle System Restore to wipe out old restore points that might harbor bugs.

Then, before I give the computer back, I make sure they have some kind of protection, even if it's only AVG Free.

This probably isn't as efficient a system as the other answers, but I rarely get a call back to fix the same problems.
 
Everyone had great suggestions. I think another thing that needs to be pointed out is to make sure to check for updates on:
Java, Flash, Adobe Reader and of course Windows


"NOT Helpful"


"Helpful"
Penalizing a perfectly good post as "Not Helpful" without qualifying that statement is in poor sport, new guy (Edit: Aug 2010 but 10 whole posts!)

There was nothing at all wrong with what he said. Your "helpful" post was just more 'spoonfeedy' than the other one. If it was helpful because he named a couple of really well-known sites... you need to get out more. Any Google search on a piece of rogueware will net you those two on the first page; there should be nothing new about them.

To cite Greggh as being unhelpful for no reason at all? Not cool. In fact, it sways me to use the Rep system here.

Edit: You might also consider contributing to a thread rather than just rating it.
 
Ditto what eHousecalls.ca said.

If you rely totally on scanners, then you are in trouble when one of these rogue security programs blocks your scanner. Then you scan the drive remotely only to find out that the scanner missed three installers that rebirth the infection on the next reboot or the seventh reboot. The scanners miss the installers because they are self-morphing, changing their hash numbers and certificates.

And when was the last time a scanner replaced damaged files for Windows, MS Office, Adobe, QuickBooks, etc.?
 
then disable and re-enable System Restore

Only one reference to this. It should be writ larger.

I notice several posters recording MBAM finishing in around 10 minutes.

When I get around to using MBAM as a sweeper-upper, after the tussle with the main culprit has been won, I am never surprised to see the first red number an hour and a half into a scan.

And tussle is often the word to gain initial control of the machine.

I do find, however, that most of the fake AVs have a delay, so if you can get your stuff started right after boot you can zap them before they get fully armoured.
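Two housekeeping steps come up repeatedly in this thread: making hidden and system files visible before the manual hunt (the "enable all folders to be seen" and "make sure the hidden files are viewable" posts above), and disabling and re-enabling System Restore afterwards so restore points that may still hold copies of the removed files are discarded. The script below is an added example, not code from anyone in the thread; it assumes Windows PowerShell 5.1 on the affected machine (the *-ComputerRestore cmdlets are Windows-only and are not available in PowerShell 7), an elevated prompt, and that the system drive is the one protected by System Restore. The restore-point label is a placeholder.

```powershell
# Added example (not from the thread): make hidden/system files visible for the
# manual cleanup, then flush old restore points and take one known-clean point.
# Assumes Windows PowerShell 5.1, run elevated, on the infected machine.

$systemDrive = "$env:SystemDrive\"

function Show-HiddenFiles {
    # Explorer's "show hidden files", "show protected operating system files"
    # and "hide extensions for known file types" switches are per-user
    # registry values; malware droppers commonly rely on all three defaults.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord
    # Explorer reads these values when it starts, so restart it to apply them.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

function Reset-RestorePoints([string]$Drive, [string]$Label) {
    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count

    # Turning System Protection off discards every restore point on the drive,
    # which is exactly the "disable and re-enable" toggle the thread describes.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive

    # Create the first known-clean point. Newer Windows versions refuse a second
    # point within 24 hours unless SystemRestorePointCreationFrequency is
    # lowered, so run this once, after the cleanup is actually finished.
    Checkpoint-Computer -Description $Label -RestorePointType MODIFY_SETTINGS

    $after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        PointsBefore = $before
        PointsAfter  = $after.Count
        Latest       = ($after | Select-Object -Last 1).Description
    }
}

Show-HiddenFiles
# 'Post-cleanup baseline' is a placeholder label; use whatever your shop's convention is.
Reset-RestorePoints -Drive $systemDrive -Label 'Post-cleanup baseline'
```

The order matters: the restore-point reset belongs at the very end of the job, because any restore point taken while the rogue program is still present preserves it, and any point taken before you have re-checked the machine is a baseline you cannot trust.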
 
I notice several posters recording MBAM finishing in around 10 minutes.
They must be running Quick scans. I've only seen 10 minute Full scans on the rarely-seen, brand new, hotfast varieties.
I do find, however, that most of the fake AVs have a delay, so if you can get your stuff started right after boot you can zap them before they get fully armoured.
Really? I don't think I've ever seen one with a "go ahead and delete me" delay. Most kick in well before the desktop loads.
 
For instance, I removed a fake AVG ransom virus last week that took about 2 minutes to 'come on'. The Dell quad-core W7 was no slouch, BTW.

And for those that like McAfee, this little bugger had taken over the Mc console, reporting to Windows that Mc was alive, well and up to date, even though Mc services were not actually running since it had disabled them.
The client had actually just completed a Mc 'scan', reported clean, before calling me in.

Perhaps a better title to this thread would have been about methods of gaining original control, since the sweepup that follows is pretty mundane if time consuming.

I also echo comments about putting other damage right again after virus removal.

We have discussed all this before here and the methods haven't altered.
 
For those nasty 'Rogue Anti-Virus Programs'

To get rid of those nasty 'Rogue Anti-Virus Programs', I will (if possible) do a Ctrl-Alt-Del to bring up the Task Monitor and see if I can determine which process is the offending one. I try to track that down via msconfig, regedit and Windows Explorer if it gives me the path. I remove all mentions of it, reboot into Safe Mode and run Malwarebytes.

Granted this doesn't always work, but it is where I start.

There is also a new one that I have seen recently that, when you open IE8, automatically runs this program. They just keep making it more interesting for us to find them!
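Several posts above describe the same manual hunt: find the offending process, then chase its path through msconfig, regedit and the startup folders (one poster admits not knowing how to use Autoruns or HJT for this). The script below is an added example, not code from anyone in the thread, that automates the lookup part of that hunt on the defender's side: it lists the common autostart locations, resolves each entry to an executable, and flags entries whose file is missing, is not validly signed, or lives in a user-writable folder where rogue-AV droppers typically install themselves. It assumes Windows PowerShell 5.1 on the affected machine, run elevated; the set of "suspect" folders is a heuristic chosen for this example, and anything it flags is something to review, not something to delete blindly.

```powershell
# Added example (not from the thread): enumerate autostart entries the way a
# tech would by hand in msconfig/regedit/Autoruns and flag the ones that look
# like rogue-AV persistence. Assumes Windows PowerShell 5.1, run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Heuristic (chosen for this example): legitimate autostart binaries rarely live
# in these user-writable folders, but fake-AV droppers almost always do.
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA,
                  "$env:SystemDrive\ProgramData", "$env:SystemDrive\Users\Public")
$registryMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath([string]$Command) {
    # Pull the executable out of a command line such as
    #   "C:\Users\x\AppData\Local\abc.exe" /autorun   or   C:\foo\bar.exe -s
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Bare names such as explorer.exe are resolved through PATH, like Windows does.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found -and $found.Source) { $exe = $found.Source }
    }
    return $exe
}

function Test-AutorunEntry([string]$Source, [string]$Name, [string]$Command) {
    $exe = Get-ExePath $Command
    $flags = @()
    if (-not (Test-Path -LiteralPath $exe)) {
        $flags += 'file-missing'; $status = 'n/a'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status
        if ($sig.Status -ne 'Valid') { $flags += 'unsigned' }
        foreach ($root in $suspectRoots) {
            if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'user-writable-path'; break
            }
        }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $exe
                       Signature = $status; Flags = ($flags -join ',') }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $registryMeta) { continue }   # skip provider metadata
        $results += Test-AutorunEntry $key $p.Name ([string]$p.Value)
    }
}

# Winlogon Shell/Userinit are favourite hijack points: anything other than
# explorer.exe / userinit.exe here deserves a close look.
$wl = Get-ItemProperty -Path $winlogonKey
foreach ($valueName in 'Shell', 'Userinit') {
    foreach ($cmd in (([string]$wl.$valueName).TrimEnd(',') -split ',')) {
        if ($cmd.Trim()) { $results += Test-AutorunEntry 'Winlogon' $valueName $cmd.Trim() }
    }
}

foreach ($dir in $startupDirs) {
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
            $results += Test-AutorunEntry 'StartupFolder' $_.Name $_.FullName
        }
    }
}

# Flagged entries first; review each one before removing anything.
$results | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

Run it from the desktop if the machine boots that far, otherwise from Safe Mode; an entry marked `file-missing` in a RunOnce key is often a leftover from a dropper that has already run, while `user-writable-path` plus `unsigned` on a Run entry with a random-looking name is the usual signature of the fake-AV persistence discussed in this thread. The script only reports; removing the entry and the file it points to is still the tech's decision, made after looking at the path Windows Explorer shows.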
 
To get rid of those nasty 'Rogue Anti-Virus Programs', I will (if possible) do a Ctrl-Alt-Del to bring up the Task Monitor and see if I can determine which process is the offending one. I try to track that down via msconfig, regedit and Windows Explorer if it gives me the path. I remove all mentions of it, reboot into Safe Mode and run Malwarebytes.

Granted this doesn't always work, but it is where I start.

There is also a new one that I have seen recently that, when you open IE8, automatically runs this program. They just keep making it more interesting for us to find them!

Just boot into Safe Mode and go from there.
 