What do people use to clean up malware and viruses these days?

harvest

I'm about to get back into the IT business after 6 years away. I'm sure things have changed somewhat. Most of my work in the previous decade was cleaning up the shit that users somehow got onto their systems, so I'm interested to know what tools are used these days to clean them up. Previously I used Ad-Aware, Spybot, and HIjackThis for most of my work (this was 2002-2006). Any tips on what to use these days?

Dratatoo

An external boot disk, (emergency disk) from the Anti Virus provider of your choice isn't a bad idea. With most Linux Live CDs (Knoppix for example) you should be able to rescue / backup data from an infected machine.

Edit: Spybot, and HIjackThis are still current.

Usually with modern PCs I would simply use the "nuke it from orbit approach" - Windows 7 install takes like 30 minutes. Even a cleaned machine is not thrustworthy IMO - some of the later rootkits are really nasty > like hiding in the Masterboot record and invisible partitions to reinfect the OS.

harvest

Nuking it from orbit is actually more time-intensive than that though, because you have to relocate or recreate all the user folders. Personally I have My Documents and similar folders on a different disk so that if I do need to nuke and pave I can just point the new user to the old folders, but when you're talking about a computer with 3+ users it can turn into quite the job.

I haven't dealt with any of the new, worst-of kinds of rootkits you describe yet, but that wasn't a thing when I was previously doing this kind of work.

TychoCelchuuu

My general approach is Malwarebytes, Dr. Web CureIt!, ComboFix, ClamAV, and Microsoft Security Essentials. If all of those come up clean the likelihood of remaining infection is lower. The first three come on Hiren's Boot CD, which is what I use (it also has a Windows version of ClamAV which might work fine). The last thing I do is install and run MSE, because it's a great antivirus and it saves me lots of work in the future by protecting the people from further infections.

uean

TDSSKiller
ComboFix
MalwareBytes
RKill
gmer

I generally just run TDSSKiller and ComboFix in safe mode. If TDSSKiller finds anything, pop the drive and get SRS with some more advanced tools after mounting it as a secondary drive on another machine. COmboFix and MalwareBytes will do most of everything for you though. Unhide, gmer, and rkill are good tools to run if you are having problems with persistent mofos infecting the profile you boot up in. And MSE to replace whatever garbage (looking at you AVG) is on the system if they need a free AV. Same engine as MS Forefront, but free!

Short of nasty rootkits there's rarely a virus I can't kill these days.

uean

Dratatoo wrote: »

Usually with modern PCs I would simply use the "nuke it from orbit approach" - Windows 7 install takes like 30 minutes. Even a cleaned machine is not thrustworthy IMO - some of the later rootkits are really nasty > like hiding in the Masterboot record and invisible partitions to reinfect the OS.

This. I don't spend a lot of time. I'll pop a drive and do some more in depth cleaning if I have to for some reason (like the client not having access to proprietary software for reinstall making imaging the machine not possible) but when things get real nasty I'll just 0 out the drive and reimage it.

Bendery It Like Beckham

Norton Power Eraser is a great rootkit removing tool along with TDSS killer. A lot of work that I do is done via live CD PE, or command line. Most scanners like Malwarebytes! and Spybot just don't cut it for recurring infections. HighJackThis is awesome but has no Winsock repair tool, you have to use LSP fix.

your biggest tool is going to be knowing how/where a virus hides, and what the procedure is for removing it. The most recent malware likes to infect system drivers (ACP ACPI BFE BFF, and a large assortment of storage drivers) for its method of injection, having a tool or the ability to recognize which drivers need to be replaced (If you can read a crashdump you'll have success here) will make your life a lot easier, as well as knowing how to expand drivers from service packs.

Good luck, and dont forget to check the fonts file ... and if a virus hides all their shortcuts/startmenu items dont delete the temp files (they got moved there!)

harvest

TychoCelchuuu wrote: »

My general approach is Malwarebytes, Dr. Web CureIt!, ComboFix, ClamAV, and Microsoft Security Essentials. If all of those come up clean the likelihood of remaining infection is lower. The first three come on Hiren's Boot CD, which is what I use (it also has a Windows version of ClamAV which might work fine). The last thing I do is install and run MSE, because it's a great antivirus and it saves me lots of work in the future by protecting the people from further infections.

I got Hiren's Boot CD launching off a 1gb memory stick I had lying around, seems like it could be a useful tool. Far better than safe mode anyway. Although I'd still have to boot the machine off its disk to clean up the registry after some malware. Still, for the money I'd say that it's working.

TychoCelchuuu

Hiren's has registry editors on it too, if I recall correctly, although once the malware's gone you might as well do it from Windows.

harvest

Yeah that's what I've done in the past. Pop the disk in the bench computer and remove all the malware files, then reinstall it and do the registry edits with it live. This usually worked, and on the occasions it didn't I didn't usually troubleshoot, just nuke and pave.

KiTA

Combofix, then Malwarebytes. Both downloaded under a nonstandard name (c1f2.exe, 1324132413413fasdf.exe) and installed to nonstandard locations. Rootrepeal is supposed to be good for killing off Rootkits that stop the previous two from running, but I've never seen one that can stop Combofix, presuming you rename the EXE when you download it.

Lord_Snot

It should be said that combofix can badly mess up Win7 and Vista machines, and should only be used on XP and previous, at least, that used to be the case.

urahonky

ComboFix concerns me... It looks so... Virus'ish.

TychoCelchuuu

urahonky wrote: »

ComboFix concerns me... It looks so... Virus'ish.

If you're scared of ComboFix because it runs in a command prompty looking window I don't think you're really the sort of person who should be in charge of cleaning viruses off of machines. Leave it to others.

edit: and I understand the wariness about ComboFix, LordSnot. I used to be like that too, but after running it literally dozens of times (probably closer to hundreds although who's counting) on Windows Vista/7 machines without ever having once seen it break something I couldn't easily and immediately fix, I've lost all my fear. I now run it with impunity.

urahonky

I've been in IT for roughly 7 years. I think I can handle it. I just always think, in the back of my mind, that the site could have been hijacked and they planted their own virus within it and I wouldn't be the wiser.

I blame this book: http://www.amazon.com/The-Rootkit-Arsenal-Evasion-Corners/dp/144962636X/ref=sr_1_1?ie=UTF8&qid=1337342381&sr=8-1 for making me paranoid.