best malware scanning practices?

[d3v]

Hi all.

I deal with many infected PC's all the time and many of the malwares on these machines are real stubborn to remove.

Is it best to remove the infected harddrive and link it via a SATA/IDE to USB adapter and scan the infected drive from the workstation? If so, how do I ensure my laptop dosn't get infected which has happened in the past.

I once though running malware scanners in safe mode was the most effective method but then heard that it dosn't pick up the malware that runs in the systems memory during a normal boot. The same applies to running malware scanners from a DOS disk like UBCD.

I've just been trying out Malwarebyte's anti-malware and it is much quicker that SUPERanti-spyware and did a good job of cleaning my infected machine. Which is the better malware scanner?

[HX1]

Well regardless of any scanner brand.. I would state that an approach in this manner would suffice for MOST..Without touching the hardware..Offline..may need to be online if your installing any utilitarian programs that require updates..

1.

Removing all traces of temp files..recycle bin contents..so on..

2.

Look into startup entries and services, any foreign entities need to be removed, disabled, and/or killed..

3.

Scan the registry, with something like SpyBot..( the whole program will clean up several nice little areas.. ) These entries left in your registry will do several things..They have to be removed if you are to ever get anywhere, depending on the malicious files you may have to do this several times. One piece at a time that is removed, will kill part of the infections cycle, until you actually make it to the main part ( usually a locked file ) not because it was not effective but because each stage has integral part of the other which has to be removed or shut down..right down to the registry entries..Remove all threat entries.

4.

Rootkit Scan..self explanatory..

5.

Track all pieces of the files indicated in startup, services, and shred all parts...

6.

Scan with malware detection/cleaner..usually will pick up the main infection.. useful if no active monitoring is present.

7.

Run normal registry cleaner/defragger.. for any and all invalid entries, after removing files..making sure you do an aggressive scan .. be careful of valid services..

8.

This one is actually out of order but, it is a good idea to keep a nice little simple boot disc around for files that simply won't delete; and yes most of these will still not delete in safe mode and may be locked by your registry or file activity.. Safe Mode isn't anything.. Its good for files that depend on user installed applications, thats about it.. So keep something like a basic BartPE disk to boot to and remove files..or a Live disk for w/e OS your working on..

9.

Repeat as necessary..

10.

HIPS.. You may still get infected if you choose to hook up the drives to your system, but HIPS will lock your system down; in conjunction with LUA and SRP.. This should keep your registry and files from being altered, however could present some issues for the everyday user..

Malware has taken on several different aspects and has done so for several years, they do a lot of work that takes no time to accomplish, but a little longer to track down..Several steps are necessary and these infections.. are not just simply remove, delete, or quarantine the file and go on..

EDIT: Forgot to mention that viewing a detailed file list by date in your WINDOWS and System32 folders can render great results, especially for files that have and include INI files which are not actually INI files.. Something that you get good at when you are familiar with file signatures and the particular system...

You can also advise to shred all remaining free space on all drives.. This makes sure that files do not come back from any other entries, or remnants that are left on the system. It for me, is a last step once you know its clean.. Makes sure the malicious data does not exist in any form on your system what-so-ever.

[Hottwire]

Well I think Heath summarized what most people would do :P well i do that anyway :)

[someone]

If you want plug the infected HD in your workstation you can use some light virtualisation app how one more layer of protection, like deep freeze, shadow defender or Returnil. But before you open it in your machine can be a good pratice scan it with live cds... kaspersky, avira, Dr.web offer this type of iso for free (correct if i'm wrong). You can install the GDATA trial in another machine and create a boot cd too... you can scan and remove the malware without boot the infected OS without much problems. After this is only open it to search the trash left behind.

[d3v]

Well regardless of any scanner brand.. I would state that an approach in this manner would suffice for MOST..Without touching the hardware..Offline..may need to be online if your installing any utilitarian programs that require updates..

1. Removing all traces of temp files..recycle bin contents..so on..

2. Look into startup entries and services, any foreign entities need to be removed, disbaled, and/or killed..

3. Scan the registry, with something like SpyBot..( the whole program will clean up several nice little areas.. ) These entries left in your registry will do several things..They have to be removed if you are to ever get anywhere, depending on the malicious files you may have to do this several times because one piece at a time that is removed will kill part of the infections cycle.( This is ahead of the next steps..) So this may have to be done a few times.. not because it was not effective but because each stage has integral part of the other which has to be removed or shut down..right down to the registry entries..Remove all threat entries.

4. Rootkit Scan..self explanatory..

5. Remove and track all pieces of the files indicated in startup, services, and shred all parts...

6. Scan with malware detection/cleaner..

7. Run normal Registry cleaner/defragger.. for any and all invalid entries, making sure you do an aggressive scan and remove .. be careful of valid services..

8. This one is actually out of order but it is a good idea to keep a nice little simple boot disc around for files that simply won't delete, and yes most of these will still not delete in safe mode and may be locked by your registry or file activity.. Safe Mode isn't anything.. Its good for files that depend n user installed applications thats about it..So keep something like a basic BartPE disk to boot to and remove files..or a Live disk for w/e OS your working on..

9. Repeat as necessary..

10. HIPS.. You may still get infected if you choose to hook up the drives to your system, but HIPS will lock your system down, in conjunction with LUA and SRP.. This should keep your registry and files from being altered however could present some issues for the everyday user..

Malware has taken on several different aspects and has done so for several years, they do a lot of work that takes no time to accomplish, but a little longer to track down..Several steps are necessary and these infections.. are not just simply remove or delete or quarantine the file and go on..

EDIT: Forgot to mention that viewing a detailed file list by date in your WINDOWS and System32 folders can render great results, especially for files that have and include INI files which are not actually INI files.. Something that you get good at when you are familiar with file signatures and the particular system...

You can also advise to shred all remaining free space on all drives.. This makes sure that files d not come back from any other entries, or remnants that are left on the system. It for me is a last step once you know its clean.. Makes sure the malicious data does not exist in any form on your system what-so-ever.

I already do similar as you outlined but not quite as thorough and advanced.

I use startup.exe, MSconfig and Autoruns for removing startup entries. What else do you reccomend?

I thought Spybot S&D whas been obsolete for years now and superceeded with the newer malware scanners which do everything spybot did, and more? Am I mistaked?

Can you reccomend an effective rootkit reaveler/remover program? I used to use rootkit revealer but it never let me delete them!

Do you mean tracking as in finding out the file path of the malware files and shredding them? If so whats the best program for tracking individual exe's/ Dll's, ect and what's a good file shredder?

Thanks for the tip on safe modes shortcomings and the detailed/modified view on the WINDOWS folder - this will come in very handy.

I'll look in to those lockdown programs you mention.

lastly, what is the "shred free space" thing? I recall seeing it as an option in CCleaner and never found out what the heck it did!

thank you!

[HX1]

Okay going to address the questions with numbers..LOL..

1. Recommened programs for startup entries by preference..

SpyBot S&D

- Reason I prefer this as a first choice is that it will show you DLL's that are included with startup that are not programs and you may not see with others.. It will show you the exact location of these programs as well, which will allow you to delete the files.. Reason for this is that in some cases disabling the entry will not work, so it helps with insight on files and parts to an infection. You can also find and delete BHO and ActiveX..Really going through the program step by step..is what I recommend, familiarize yourself with each aspect.. The program is still actively updated and developed.. It is by no means outdated. In fact there are only a few Security Suites out there that even attempt to address some of the areas that the program actually takes care of..

WinASO Registry Optimizer

- This program is also good for maintaining a clean startup of either malware, or just unwanted programs. It will show the entry and its location which can be in several areas...It also contains direct access to MSConfig ( I really try to stay away from this.. last time I used it to optimize I couldn't undo it and crashed an OS..LOL ) WinASO has a ton of tools worth just a trial if anything to install and have a good look at it.. It is also excellent at aggressive scanning and removing entries pertaining to services which have been deleted from cleaning and any other references to files that have been removed or shredded during cleaning..You do have to know what your doing and be ready to go through the results, because it can contain valid entries which may need to remain, in regular mode not so much so..but always good..several settings can adjust it..I have relied on this program since version 3 current at 4.5.1..I just can't say enough good things about it..

Services

- Good ol' MMC.. LOL I usually simply use this to see whats running and its dependencies, IF anything seems out of place I usually disable the service and track/hunt the thing down and shred it..

Bootvis

- This can aid in tracking down some things but I really never need it.. most of the time the locations of these files will be indicated by SpyBot, or WinASO.. so the job gets done there.. Helps you determine how much processing time is taken and by what..during boot..

2. As I mentioned above SpyBot is not obsolete nor is it abandon-ware..and Yes you are mistaken and very much so, if you think your registry is locked from modifications by malware..Some AV Suites like GDATA offer many options to address this area and scan rootikits, but this area, if infected must be addressed, even by the simplest of infections as it can lead to some serious repercussions and inhibit you from properly cleaning a system..

I recommend using GDATA Total Care if you have a good processor and RAM.. I am still thinking about making the move to it.. I made the mistake of trying to use the Notebook security download which doesn't offer a trial which lead to some issues, but it has the most complete package I have used in a security suite in a while.. I currently use ESET Smart Security, and with a proper understanding of the programs settings I believe that it can be of use for the typical layer of protection.

3. Recommended root-kit removal programs..

Sophos Anti-Rootkit

- A good scanner I have used it for a number of years...Sometimes when scanning and rarely.. it will come across files which it does not recommend removing or are of no threat..If a file is locked for not removing it can have several repercussions, particularly if they are connected to so called installed drivers or actual drivers.. If you were to remove these files the system could have an issue trying to boot..at which point you would need to know your way around several areas to remove the drivers from the roster when booting..or replace them..Usually, however the files that are shown can be removed and if anything you can go in and remove them manually, or with a PE disc.

F-Secure Blacklight

- A secondary scanner I have used on occasion..

Microsoft Malicious Software Removal Tool

- This tool is updated every month and one little known fact about the program is that it also look for several root-kits.. usually it will remove most of what it finds however it may be necessary to note the locations and remove the files manually.. as with any other program or area..

4. What I mean by tracking these files is what I have mentioned throughout my answers above, and that is basically making sure you either write the locations and names down, or put them on a digital note. You can also do a search of the system to find something..Also you can find out quite a bit about if a file is malicious or not by taking the names and plugging it into a search engine. Online documentation can be of great help, however this too can have a negative effect in some cases where you have threats that have not yet been categorized or documented well..This can also help you identify other files connected, for instance in the case of the innocent INI file(s) that the malware may be replicated from or operation parameters included in which have no relation to program or system..but only relate to removed and indicated files that need to be cleaned so in essence a valuable tool for reference, that can help you hit areas in which some programs may miss, or are unable to clean...A good test is to compress the file into an encrypted archive deleting it when finished .. like with WinRAR.. and seeing if it actually has any effect on the system..or its programs.. if it comes into question or has the characteristics of infection..if not I usually shred..besides that effect.. on valid programs a simple re-install or repair can return it to that state..

Recommended shredder..

Eraser

- This is a DoD compliant shredder software which is based on a the very powerful DBAN open-source application.. ( Like two second efficient wipe drive when booting from disc..Over-exaggerated a bit.. but you get the picture.. also very dangerous disc to have laying around .. LOL .. always use CMOS BIOS protection and Drive Lock..:thumbsup:) It will allow you to configure your own overwrite data, and overwrite Alternate Data Streams.. and can exceed Gutmann standards.. Cluster Tip Area shredding.. It allows you to wipe all data put into the recycle bin and you can setup different levels of shredding depending on use.. readily available through Context Menu...The latest version should also allow you to create a Nuke Boot Disc as well...You can also shred free space on your disc..Next to this is mechanical destruction of the disc itself, and replacement..You can also password protect your settings and access to the program..

PGP Desktop

- This program is quite a big package of utilities geared more for professional use and includes a wide variety of encryption options and tools.. also allows you to shred files/free space to DoD standard and exceed it..More for professional use..

Reason for shredding...the next program I mention will let you know exactly why shredding of data is important.. not in just the 'keep my data from unauthorized access and use' viewpoint but also from the standpoint that 'if I clean something out I want it to stay out', especially worms.. and malware that seem ( and not always the cause ) to come back from nowhere.. 'I want it dead and now' kind of thing..'I do not want corrupt data.. or any other issues.. and a healthy drive..'

R-Studio (Network Edition)

- This is a file recovery program.. 'Oh I didn't mean to delete that'.. well when you delete data first it is moved to the recycle bin.. and its location changed, where it may still be recovered, well great then you empty it.. 'Oh no.. your data is gone now'.. NO, all that happens is the data for the file is simply removed from the MFT. The data and file structure is still intact on your hard drive until it is either overwritten or purposely destroyed by shredding..Therefore if you do not shred the data I can go in and resurrect the file with this thing... In some cases even after formatting a drive.. Not to mention a file that does not depend upon anything else.. Like an infection.. can still operate without being a part of MFT..You shred for this reason...deletion however using a boot disc is a little different and with extreme instances it may be advisable to reshred any recoverable data ...'When I say dead I mean DEAD..'

5. Shredding your free space will ( as I have been going on about above.. it all ties in nicely ) in effect shred all areas that are shown as empty by the MFT, this can include, depending upon your settings the free space at the end of files..( I don't recommend this setting as it can effect the checksum and hash file checks which may invalidate the files for operation ) This basically cleans and overwrites every thing in each block/cluster on the drive..

Lastly I am going to post a few apps, some covered above that I have used and relied on in the past..( I had this above but removed it.. some may disagree..and there are several that cover actual endpoint security as well, not proxying through VPN, which is also good..but physical access/endpoints.. )

ESET Smart Security

GDATA Total Care

Microsoft Malicious Software Removal Tool

SpyBot Search and Destroy

WinASO Registry Optimizer( also system tools )

Sophos AntiRootkit

F-Secure Blacklight

ESET SysInspector

OSSEC HIDS

PGS SRP Manager

Drive Sentry

SecAgent Security Administrator

ID USB Lock Key

TrueCrypt

Seconfig XP

OpenDNS

PG2

Eraser

Windows Install Cleanup

PE Builder

There are many more that I stand behind and a few of these I no longer have the need for, but this is just a sampling of a few tools I use..

[d3v]

:) wow - thank you soo much for all the time you put into that post. I have a lot of learning ahead of me with all those points you make.

I'll get to it now :o

[HX1]

Always welcome..;)

[DKT27]

So heath, do you have robotic hands? :huh:

[HX1]

Come here and let me show you..DKT27.. :lmao: No... but this damn T3 Fiber Optic in the back of my head is really starting to itch..

[d3v]

Come here and let me show you..DKT27.. :lmao: No... but this damn T3 Fiber Optic in the back of my head is really starting to itch..

lol.

I was fixing a very badly infected laptop last night and plugged my external USB hard drive in to attempt to install spybot S&B but the infection was so bad that it eventually froze the system so I then booted to DOS and backed up all the data from the infected laptop to the external hard drive, wiped the drive twice then reformatted which all went smoothly and I thought nothing of it until later that night when I arrived home and as per usual plugged in the external hard drive to my own computer (i store all my multimeda on it) and halfway through listeing to an mp3 my NOD32 started to flag and quarentine a few executables from my external drive which I thought was simply a bad case of false-positives but then all of a sudden dozens of executables in my System32 folder such as taskman.exe and sndvol.exe were being quarentined by NOD32 followed by error after error after error and eventually a frozen computer - exactly the same symptoms as the laptop I fixed earlier that night!

Obviously my external hard drive was infected by the virus-ridden laptop it was connected to earlier last night, so my question now is how am I supposed to prevent this in the future?

I understand a HIPS program can help but suprisingly google dosn't return much information!

Thanks in advance guys.

[DKT27]

HIPS is the module that stops and asks you about any program to allow or deny changes it makes to your PC. This keeps many viruses, trojans etc. to make any changes to your PC. Many security programs have HIPS in it. For me best is Comodo Firewall.

If you wanna repair the task manager, etc. like system files, you may wanna try, Run > SFC.EXE /SCANNOW

[d3v]

HIPS is the module that stops and asks you about any program to allow or deny changes it makes to your PC. This keeps many viruses, trojans etc. to make any changes to your PC. Many security programs have HIPS in it. For me best is Comodo Firewall.

If you wanna repair the task manager, etc. like system files, you may wanna try, Run > SFC.EXE /SCANNOW

Ah so that's what HIPS means, I always thought it was some sort of elusive software, lol.

No need to repair anything as a I did a full reformat! I really believe the problem was non repairable as nothing could be done in windows mode and DOS live disk although providing remote access to the registry ect ect never seemed to stop the malware from running at startup. I would be interested in knowing what you guys would of done in this situation.

I've been advised to use a write lockable thumb drive which would be used for fixing infected machines in Windows mode and my external drive will be used only in DOS mode for large data backups.

Now the problem is disinfecting my external drive before re-plugging it back into my PC.

I just plugged the external drive in and booted to a DOS live CD where I investigated the contents of the drive and ended up deleting a suspicious looking file as well as deleting the RECYCLER and System Volume Information folder which both contained suspicious files and folders.

I have no idea if that is enough effort to disinfect the drive and I can't exactly plug it in during Windows mode and run a virus scan on it. And running malware scans from DOS has time and time again proved to be a waste of time!

but for now the problem is disinfecting my external drive before re-plugging it back into my PC.

I just plugged the external drive in and booted to a DOS live CD where I investigated the contents of the drive and ended up deleting a suspicious looking file as well as deleting the RECYCLER and System Volume Information folder which both contained suspicious files and folders.

I have no idea if that is enough effort to disinfect the drive and I can't exactly plug it in during Windows mode and run a virus scan on it. And running malware scans from DOS has time and time again proved to be a waste of time!

Can sandboxie come in hand for this particular dilemma?

Thanks in advance!

[DKT27]

First install a HIPS software.

[Toshiro]

First.. I recomment u to learn some Hijackthis

You can manually delete startup entries/processes etc with it. The best thing.. It really wont let it work again and its finished in a sec.

If needed use Hijackthis.de to let it check ur logfile. But it's always better to let the real helpers do it.

Malwarebytes is a good scanner.. so is Trojan Remover too. They fix the job better than a real-life AV. Real-life AV like Eset NOD32, Kaspersky etc.. aren't really optimized to delete unwanted stuff from an infected machine.. It mostly prevents it from being infected. If it's not blocked.. (the trojan/virus) than most of the time it can't be removed with the same AV.

Therefor, using MB and/or TR will do that job.

Also Scan ur backuped files. They could be infected, if u plug ur external HDD in the pc.. it'll get infected again.

If you need some help @ Hijackthis.. Post your Log in a reply.. I'll (or others) will check it for you.

Gl ;)

----

Yea.. Sandboxie will help you there. Run your external drive in Sandboxie and then scan it with MB and TR.

[mara-]

I'll simply answer the question: currently there is no better then Malwarebyte's Anti-Malware. SuperAntispyware was good, but it sucks now.

Beside this, as already suggested HijackThis is very good, but requires some knowledge. SpyBot really, I mean really sucks. I would never allow it to touch my system, with all due respect to heath28m who suggested it. I tried also Trojan Remover, but it was not very effective.

My suggestion for good protection and removal of viruses/malware: Eset + Malwarebyte's Anti-Malware.

Cheers ;)

[d3v]

First.. I recomment u to learn some Hijackthis

You can manually delete startup entries/processes etc with it. The best thing.. It really wont let it work again and its finished in a sec.

If needed use Hijackthis.de to let it check ur logfile. But it's always better to let the real helpers do it.

I have used HijackThis for probably 8 years now and have developed a sharp eye for what results are malicious or legit, but thanks for the guide. The only differences in my configuration is I always tick "mark everything for removal after scan" ...lol.

Malwarebytes is a good scanner.. so is Trojan Remover too. They fix the job better than a real-life AV. Real-life AV like Eset NOD32, Kaspersky etc.. aren't really optimized to delete unwanted stuff from an infected machine.. It mostly prevents it from being infected. If it's not blocked.. (the trojan/virus) than most of the time it can't be removed with the same AV.

Therefor, using MB and/or TR will do that job.

Oh yes TrojanRemover is and always has been a solid reliable and effective scanner. Love it.

I've been using Malwarebyte's anti-malware scanner for a week now and yes agreed it is very nice.

Thanks for the heads up about AV suites. I always wondered why they are so crap at removing anything!

Yea.. Sandboxie will help you there. Run your external drive in Sandboxie and then scan it with MB and TR.

After disabling autoplay fully via this guide I installed it and opened the external drive in Sandbox mode and spent a minute or two browsing around the folders with no problems - phew!

Also Scan ur backuped files. They could be infected, if u plug ur external HDD in the pc.. it'll get infected again.

TrojanRemover is scanning the external drive as I type. Clean so far and is taking aaaages.

I'll simply answer the question: currently there is no better then Malwarebyte's Anti-Malware. SuperAntispyware was good, but it sucks now.

Yea I feel you on the SuperAntispyware. only a couple of months ago it used to detect everything you could want but since then it seems to find absolutely nothing! very odd...

SpyBot really, I mean really sucks. I would never allow it to touch my system, with all due respect to heath28m who suggested it. I tried also Trojan Remover, but it was not very effective.

I dropped Spybot many years ago when other, better anti-malware scanners came out and havn't used it since, but as "heath" recommended it last week, I haven't looked back! It's better than ever.

My suggestion for good protection and removal of viruses/malware: Eset + Malwarebyte's Anti-Malware.

Yep :dance2:

[Toshiro]

Hehe patient my friend..

I would do a MBAM scan after TR finished.. Just to be sure :P

[HX1]

I have seen a lot of things mentioned here..I would like to mention that HIPS, HIDS, and NIPS are all different. HIPS stands for Host-based Intrusion Prevention System, HIDS stands for Host-based Intrusion Detection System, and NIPS stands for Network-based Intrusion Prevention System.. There are some major differences in the three.

A Prevention System locks down several areas and aspects of your system..a little program I posted about called Samurai ( which can be turned on, off, and altered ) is an excellent example of true HIPS. This used in conjunction with LUA ( Limited User Account ) and SRP..( Software Restriction Policy ) is the best way to inhibit undesired operation, intrusion, and protection. You still have to use this with Firewalls, Spam Protection, Filtering, a good AV suite, and other tools...mainly if you use a computer the way the rest of us do...

Comodo is more of an HIDS.. You have the action detected.. your system is not locked from the access and you may actively decide rather to allow it. True HIPS will not..

NIPS is usually a piece of hardware, or a system that all requests between system, and from outside sources are routed through...i some cases even requests from software on systems..The NIPS can be set to disallow and allow various actions and access.. wit some areas locked by default.. Usually in a corporate environment..

SpyBot for all of you who do not know.. is not a malware scanner.. It is a very useful tool to work with malware where AV's will fail.. this applies to other areas of the PC. A good look at the tool itself and familiarization with those tools .. I would recommend.. Some things you may not realize, are completely being missed or ignored when you 'clean' your system or protect it..

My best advice on this situation is to never use a personal device for your work.. CD's can be burned and used to install programs, and if the data on a drive is crucial to salvage then work with that data on an old system, which you can wipe and re-install on.. for that purpose only. Same thing of the media you use..OR you can set it up like I mentioned... problem is your system will remind you of a kiosk...or a corporate system which is designed to just do a few things and do them well...Your usability, customizations, settings, programs.. and desired use of a personal system will all change in this effect..one of the reasons there are so many choices for protection...in the end, its the person setting behind it..and the perceived amount of protection they have due to several outside effecting factors, objectivity, and focus... This can be your worst enemy..

EDIT:One last thing.. is that you should check your settings in ESET and make sure you are scanning/monitoring removable media..

[karachidude]

USB disk securuty or Naevius USB Antivirus,can also disable AutoRun and provides protection from malware through external drives.

HIPS is an abreviation for the Host Intrusion Prevention System,and simply what it does is trigger a visual alarm is any executable tries to run on ur machine without ur permission.It gives u the exes location and name aswell,and u can then check google to find if its malicious or not.

Comodo Firewall host a good Hips module,it includes telecast ratings,which tells u which which executable is safe and which is not,u can check on the net just to b sure.If u want stanalone HIPS(Stand alones tend to b better at thier job then suites),then none better than DEFENSEWALL HIPsS.The medicine can b found in the crack heads3 thread(signature post).

Apply USB Disk security and then running the external drive in the sandbox,should do the trick,TR specializes in removing registry restrictions and i love it for that.MBAM is king.