I mostly do it manually
Well, to be correct, I used to mostly do it manually, but now I use a program that I wrote, which I call D7, to aid me in doing the bulk of the malware removal. All the program does (other than absolutely everything) is allow me to quickly and easily view all the appropriate registry locations "manually", with whitelisting/blacklisting functionality and a few automated tasks as well.

Depending on the severity of the infection (or, of course, whether I am working remotely or not), sometimes I start the malware removal with D7 on the system live, and sometimes I use D7 in offline mode via a network-bootable Windows PE 2-based environment, if the machine is modern enough to be capable of booting to our network; if not, I attach it to a "tech bench" machine designed for scanning/removal.
I planned to post about D7 sooner or later anyway. If anyone is interested, I have posted a new thread here.
Aside from D7, for infected file detection on an offline hard drive, on my "tech bench" computer I have Microsoft Security Essentials with real-time protection enabled (though I never actually run a scan with it); instead I run a command-line scan with Kaspersky's SOS tool, which they made available to partners at one time (and I scan the %systemroot%\System32 directory only if I'm in a hurry), so that when Kaspersky SOS scans each file, both it and MSSE (in real time) get their chance to find the virus.

As a side note for those interested, it's been about 6 months since I've seen Kaspersky detect one that MSSE didn't catch first. I only still run Kaspersky due to the ability to do command-line scans, so I can automate the scans the way I like.

I will say this about MSSE though: I'm not happy with its disinfection. I've seen it fail or screw up the file a number of times, so if it detects a legitimate file as being infected with an actual virus, rather than relying on MSSE to "disinfect" it, I'm a fan of just replacing the file with a known good copy. For this reason I keep a copy of the Windows directories of fresh installs (and fairly patched/updated installs, I should add) on my network and will replace a file on an infected machine from that stash in a flash.
When I'm done with the "offline" portion of my scans, I prepare for any live scans/removal. First I almost always just go ahead and boot to a CD and do a bootrec /fixmbr (Vista/7) or fixmbr (XP) before I boot the system live, to fix any MBR infection. Then usually I boot the system and run D7 again, which in turn runs Kaspersky TDSSKiller (because that's a popular infection for me these days), and occasionally a few other tools: maybe a quick scan with GMER (never a full one), and maybe ComboFix if it's an XP box.
Worthy of note, and I haven't seen it mentioned elsewhere here, I almost always run the obscure and not really malware-related DriverView from NirSoft, because even though it isn't intended as a malware detection tool, it _always_ finds KLMD.SYS and other such rootkit-like junk. Removal of said junk usually means I need to go back to the offline method, but at least DriverView lets me know when it's present.
For cleaning up the leftovers on the live system, I might run Malwarebytes and an app called Hitman Pro, though sometimes I skip them if I'm pressed for time, and they mostly only find cookies after I'm done with D7 anyway.

Finally, if time permits, I will follow up with the client's own installed anti-virus package, whatever it may be, to ensure it doesn't find anything left over and that it works properly.
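The "replace it from a known good copy" step above can be made systematic: hash every file under the suspect machine's Windows directory against the same path in a stash of a fresh install, report what differs, what is missing, and what was never in the fresh install at all, and restore the differing files while keeping the suspect copies for analysis. The script below is an added example written for this page; it is not D7, not the poster's tooling, and not part of the original post. The directory layout, the file names and their contents are constructed sample data built in a temp directory so it runs anywhere; on a real bench the `known_good` and `suspect` paths would be the network stash and the mounted offline drive.

```python
"""Hash-compare a suspect Windows directory tree against a known-good copy.

Added example (not the poster's D7 tool). Sample trees are constructed below
so the script runs offline; real paths are assumptions the operator fills in.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large DLLs don't load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(known_good: Path, suspect: Path) -> dict:
    """Classify every file under `suspect` relative to `known_good`.

    modified  : same relative path, different hash (candidate for replacement)
    unknown   : present on the suspect drive but not in the fresh install
    missing   : present in the fresh install but absent on the suspect drive
    unchanged : count of files whose hash matches
    Paths are compared as written; a real NTFS tree is case-insensitive, so a
    production version should normalise case before matching.
    """
    good = {p.relative_to(known_good).as_posix(): p
            for p in known_good.rglob("*") if p.is_file()}
    sus = {p.relative_to(suspect).as_posix(): p
           for p in suspect.rglob("*") if p.is_file()}
    report = {"modified": [], "unknown": [],
              "missing": sorted(set(good) - set(sus)), "unchanged": 0}
    for rel in sorted(sus):
        if rel not in good:
            report["unknown"].append(rel)
        elif sha256_of(good[rel]) != sha256_of(sus[rel]):
            report["modified"].append(rel)
        else:
            report["unchanged"] += 1
    return report


def restore_modified(known_good: Path, suspect: Path, modified, quarantine: Path):
    """Move each modified file into `quarantine` (keeping it for analysis),
    then copy the known-good version into its place. Returns what was restored."""
    restored = []
    for rel in modified:
        src, dst, saved = known_good / rel, suspect / rel, quarantine / rel
        saved.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(dst), str(saved))   # never just delete: you may want it later
        shutil.copy2(src, dst)              # copy2 keeps timestamps from the stash
        restored.append(rel)
    return restored


# --- constructed sample data (not real files from any machine) -------------
SAMPLE_GOOD = {
    "system32/kernel32.dll": b"MZ sample good kernel32",
    "system32/user32.dll":   b"MZ sample good user32",
    "system32/ws2_32.dll":   b"MZ sample good ws2_32",
}
SAMPLE_SUSPECT = {
    "system32/kernel32.dll": b"MZ sample good kernel32",      # unchanged
    "system32/user32.dll":   b"MZ patched by something",      # modified
    "system32/extra.sys":    b"MZ not in a fresh install",    # unknown
    # ws2_32.dll deliberately absent -> missing
}


def build_sample():
    """Write the constructed trees into a temp dir; returns (good, suspect, quarantine)."""
    root = Path(tempfile.mkdtemp(prefix="known-good-diff-"))
    good, suspect, quarantine = root / "known_good", root / "suspect", root / "quarantine"
    for base, files in ((good, SAMPLE_GOOD), (suspect, SAMPLE_SUSPECT)):
        for rel, data in files.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
    return good, suspect, quarantine


if __name__ == "__main__":
    good, suspect, quarantine = build_sample()
    report = compare_trees(good, suspect)
    for key in ("modified", "unknown", "missing"):
        for rel in report[key]:
            print(f"{key:9s} {rel}")
    print(f"unchanged {report['unchanged']}")
    print("restored ", restore_modified(good, suspect, report["modified"], quarantine))
```

Two caveats the post itself hints at: a stash from a fresh install will flag every legitimately patched file as "modified", which is why keeping patched/updated copies as well matters, and "unknown" files need a human look (a driver that is not in the fresh install is exactly the kind of thing DriverView surfaces) rather than automatic deletion.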