virus removal techniques and procedures

jhsmith205 Registered Users Posts: 2
What are you guys thoughts on virus/malware removal? I usually just back up what I can and do a clean install. What do you guys normally do?

Comments

  • philz1982 Member Posts: 978
    Well you isolate the machine right and build a map of potential infections? Also determine how the infection happened so you can adjust your perimeter defenses and policies.
  • Verities Member Posts: 1,162
    Assuming it's a Windows-based OS, boot into Safe Mode (without Networking) and run whatever virus removal software you have installed. I usually use Malwarebytes free edition and then Microsoft Security Essentials. If the infection is very bad, I'll use SUPERAntiSpyware, but it takes a lot longer and has really every tool you'll need. Most of the viruses I had to remove from clients' computers were due to downloading email attachments and opening them.

    Alternatively, if you have something that's really bothering a client and they need to save their work before you either shut down (assuming they can't access any options to restart the computer) and boot into Safe Mode, use Rkill (the .com is more useful, as .exe file extensions can sometimes be blocked by viruses after infection) and TDSSKiller (removes rootkits).

    After I'm done I usually boot back into Windows normally and do one more scan with Malwarebytes to confirm all infections have been remedied.
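    The post above assumes you can get the box into Safe Mode in the first place. When the malware has hidden msconfig and the F8 menu is unreachable, the boot configuration store can be set from any elevated prompt. The following PowerShell is an added example (not Verities' own code or anything from the thread); it assumes Windows Vista or later (a BCD store) and an elevated session. The flag persists across reboots, so Exit-SafeMode has to be run once cleanup is finished or the machine will keep booting into Safe Mode.

```powershell
# Added example, not from the thread: force the next boot into Safe Mode
# from an elevated prompt, and undo it afterwards.
# Assumed: Windows Vista+ (BCD store), elevated PowerShell session.

function Get-SafeBootSetting {
    # Returns 'minimal', 'network', or $null if the current entry boots normally.
    $out  = bcdedit /enum '{current}'
    $line = $out | Where-Object { $_ -like '*safeboot*' } | Select-Object -First 1
    if ($line -and $line -match '^\s*safeboot\s+(\S+)') { $Matches[1] } else { $null }
}

function Enter-SafeMode {
    # 'minimal' is Safe Mode without networking, which is what the post recommends
    # so the infected machine cannot phone home or re-download itself mid-cleanup.
    param([ValidateSet('minimal', 'network')][string]$Mode = 'minimal')
    bcdedit /set '{current}' safeboot $Mode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; is this session elevated?' }
    "Next boot: Safe Mode ($Mode). Run Exit-SafeMode when cleanup is done, then reboot."
}

function Exit-SafeMode {
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed to clear the safeboot flag' }
    'Normal boot restored.'
}

# Usage (typed manually, one step at a time):
#   Enter-SafeMode            # then Restart-Computer
#   ... run Rkill, TDSSKiller, Malwarebytes ...
#   Get-SafeBootSetting       # confirm 'minimal' is still set before clearing it
#   Exit-SafeMode             # then Restart-Computer
```

    Check Get-SafeBootSetting before and after; if bcdedit itself has been tampered with or refuses to run, that is one more reason to take the re-image route several posters below recommend.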
  • Deathmage Banned Posts: 2,496
    I normally do this:

    I store all of my tools on a 32 GB flash drive

    Step 1: boot into Safe Mode

    a: run hijackthis
    b: run combofix (it's updated daily)
    c: run TDSSkiller (updated daily too)
    d: run Malwarebytes
    e: run chkdsk /f [partition name]
    f: run Defraggler until fragmentation is @ 0%, if it can't do 0% I boot onto Falcon PE and run Defraggler off the CD until it does get to 0%
    g: once defraggler is done reboot into windows.

    Step 2: inside of normal Windows

    a: perform a restore point.
    b: run ccleaner, run the temp cleaner and registry cleaner (making a backup of all of the registry keys just in-case)
    c: run defraggler to check to make sure it's 0% (if you have a SSD skip defraggler altogether)
    d: run Spybot Search and Destroy (updated daily, you can download the definition separately and store on flash drive)
    e: run Mcaffee Stinger (updated daily)
    f: run TDSSkiller (updated daily)
    g: run Malwarebytes (updated daily, you can download the definition separately and store on flash drive)
    h: run msconfig (to make sure nothing is starting on boot that shouldn't be after running hijackthis in safe mode)
    i: run Avira Anti-virus (install without the guard)
    j: check Device Manager to make sure no rogue hardware is present; if drivers are needed, remediate as necessary
    k: check System > Advanced settings > Performance, set it to best performance and just toggle the last bubble at the bottom to keep the graphical aesthetics of Windows, hit Apply and then OK [close open windows].
    l: check services and disable any un-needed services like Help and Support, Adobe Acrobat, Javascript updater.
    m: remove any unnecessary programs, including javascript if it's not needed by Windows (too many security flaws with Java; if it's not needed, remove it)
    n: run CCleaner again and run the registry cleaner (making a backup of all of the registry keys just in case) - also run the temp cleaner one last time, being sure to toggle Font Cache, DNS Cache, Windows Error Reporting (helpful if you're cleaning someone's PC and they're savvy: you can remove all records of what you did to clean their PC!!!), old prefetch data, IIS Log Files.
    o: perform windows updates
    p: create a final "clean-slate" restore point.
    q: reboot the PC, give it a quick run-down after reboot, vet the checklist from above and give it a 2-thumbs up!

    Note: if you're really **** and know this user will screw up their PC again in the future, you can get Norton Ghost or an Acronis Boot Disk and make a bit-level image of their hard drive to restore in the future. I normally keep a 3 TB external on hand at all times just for these purposes and then lock up the external in my safe at home.
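    Steps 2a, 2h, 2l and 2m of the checklist above (restore point, startup items, services, installed programs) can be done with built-in cmdlets instead of msconfig and HijackThis, which also gives you a written record of what was on the box before and after. The script below is an added example written for this thread, not Deathmage's own tooling; it assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later (for Get-ScheduledTask) and writes its report to the desktop. The report path and the "Microsoft-signed" heuristic for services are the example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: post-cleanup persistence audit.
# Assumed: elevated PowerShell 5.1+, Windows 8 / Server 2012 or later.
$Report = Join-Path $env:USERPROFILE 'Desktop\persistence-audit.txt'

function Write-Section($Title, $Data) {
    "==== $Title ====" | Out-File $Report -Append
    $Data | Format-Table -AutoSize | Out-String -Width 200 | Out-File $Report -Append
}

# 2a: restore point first. Fails if System Protection is off or one was made in the
# last 24 hours (Windows 8+ default throttling), so only warn.
try {
    Checkpoint-Computer -Description 'Pre-audit clean state' -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
} catch {
    Write-Warning "Restore point not created: $($_.Exception.Message)"
}

# 2h: Run/RunOnce keys for machine, 32-bit-on-64-bit, and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/etc.; skip those.
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
Write-Section 'Run / RunOnce keys' $autoruns

# Startup folders plus the registry view WMI exposes, with the owning user.
Write-Section 'Win32_StartupCommand' (Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User)

# Scheduled tasks are a common persistence spot that msconfig does not show.
$tasks = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Task   = $_.TaskName
            Path   = $_.TaskPath
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
Write-Section 'Non-Microsoft scheduled tasks' $tasks

# 2l: auto-start services, flagging binaries that are not validly signed.
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    # PathName looks like  "C:\Program Files\x\y.exe" -arg  or  C:\Windows\system32\svchost.exe -k foo
    $exe = if ($_.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $_.PathName }
    $signer = 'binary not found'
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED/$($sig.Status)" }
    }
    [pscustomobject]@{ Service = $_.Name; State = $_.State; Binary = $exe; Signer = $signer }
}
Write-Section 'Automatic services (unsigned first)' ($services | Sort-Object Signer)

# 2m: installed programs, so Java and other unneeded software can be spotted.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName
Write-Section 'Installed programs' $programs

Write-Host "Audit written to $Report"
```

    Run it once before the cleaning tools and once after, then diff the two reports; anything that reappears in the second run survived the cleanup. An unsigned auto-start service or a non-Microsoft task pointing at a user-writable path is worth a closer look, but absence from this report proves nothing about kernel-level rootkits, which is why TDSSKiller and a separate Malwarebytes pass are still in the checklist.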
  • devils_haircut Member Posts: 284
    Well, we use folder redirection at my job, so user profiles are backed up already (exception being whatever is saved to the desktop, which I grab and throw onto the network).

    Then I re-image the machine. :D
  • SephStorm Member Posts: 1,731
    Depends if you are talking about enterprise infections or home. Also whether you mean real viruses or just malware in general.
  • YFZblu Member Posts: 1,462
    I'm assuming we are talking about a confirmed compromise and not just adware/ JavaScript detection without additional indicators.

    Reimage. Unless you are capable of reversing and comprehending all of its capabilities, assume you no longer have control of the asset.
  • srabiee Member Posts: 1,231
    Re-imaging and restoring user profiles in virtualized environment at work. We didn't usually mess with cleaning viruses, as we could have the VM re-imaged and the profile restored within 15 ~ 30 minutes easily (VMware environment utilizing Horizon View)

    For individual machines that must be cleaned, I would generally use the following in this order:
    1) TDSSKiller
    2) ComboFix
    3) Malwarebytes
    4) Kaspersky Virus Removal Tool (sometimes)
    5) Microsoft Security Essentials
    6) Spybot Search & Destroy
    7) CCleaner

    I have other tools on my malware cleaning thumb drive as well. It really depends on the type and severity of the particular malware, and the behavior that the system exhibits after each subsequent utility completes. I have certainly encountered situations where I was unable to successfully repair the system to 100% functionality due to a particularly nasty infection, and ended up having to re-image or reinstall Windows and restore programs and data. From this aspect, VDI has saved me from so many headaches.

    Depending on your particular environment, the purpose of the machine, the network it is connected to, etc, it may be mandatory or highly recommended for you to follow YFZBlu's advice and immediately isolate and re-image the machine.
    WGU Progress: Master of Science - Information Technology Management (Start Date: February 1, 2015)
    Completed: LYT2, TFT2, JIT2, MCT2, LZT2, SJT2 (17 CU's)
    Required: FXT2, MAT2, MBT2, C391, C392 (13 CU's)

    Bachelor of Science - Information Technology Network Design & Management (WGU - Completed August 2014)
  • lsud00d Member Posts: 1,571
    From an individual (i.e. non-Enterprise perspective), a guy automated this process and it's pretty cool!!

    https://www.reddit.com/r/sysadmin/comments/2poens/tron_v431_20141218_add_sb_flag_bugfixes_xpost/
    Background: Tron is a script that "fights for the User"; basically it automates a bunch of scanning/disinfection/cleanup tools on a Windows system. I got tired of running these utilities manually and decided to just script the whole thing. I hope this helps other techs and admins.
  • The Silent Assassin Member Posts: 39
    Verities wrote: »
    Assuming it's a Windows-based OS, boot into Safe Mode (without Networking) and run whatever virus removal software you have installed. I usually use Malwarebytes free edition and then Microsoft Security Essentials. If the infection is very bad, I'll use SUPERAntiSpyware, but it takes a lot longer and has really every tool you'll need. Most of the viruses I had to remove from clients' computers were due to downloading email attachments and opening them.

    Alternatively, if you have something that's really bothering a client and they need to save their work before you either shut down (assuming they can't access any options to restart the computer) and boot into Safe Mode, use Rkill (the .com is more useful, as .exe file extensions can sometimes be blocked by viruses after infection) and TDSSKiller (removes rootkits).

    After I'm done I usually boot back into Windows normally and do one more scan with Malwarebytes to confirm all infections have been remedied.

    Most of the viruses we've seen at work are profile based. It's rare that we've seen something as nasty as CryptoLocker or other ransomware. When those pop up we do a full reimage or swap out the HD and drill a hole through it. With that being said, I can vouch for MWB... although I did have one job where it was forbidden to install, legal issues I think.
  • gc8dc95 Member Posts: 206
    Our policy is DBAN and then reimage for any indication of malware/virus. If it is a high level threat, then destroy the drive.

    We don't trust any removal tool to be thorough enough, but this also has to do with compliance and regulations as well.
  • techfiend Member Posts: 1,481
    Backup the profile and reimage is the norm where I work now. They've been through trying to get rid of malware, and more often than not it messes up something else while doing it. Might try Tron the next time though; it looks interesting, and automated CLI is fun.

    Deathmage: How many days does it take you to disinfect?
    2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
  • LeifAlire Member Posts: 106
    Useful, if it's still on the network, to run netstat -f to see if it is talking outside of your network.
    2015 Goals: VCP-550 - CISA - 70-417
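    The netstat check above is easier to read if you drop everything that stays inside private address space and attach the owning process to what is left, which netstat -f alone does not give you. The following is an added example for this thread, not LeifAlire's code; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (older boxes have to parse netstat -ano instead) and an elevated session so that process paths for other users' processes are readable. The private-range regexes and the optional reverse-DNS lookup are the example's own additions.

```powershell
# Added example, not from the thread: established TCP connections leaving the LAN,
# with the process and binary behind each one.
# Assumed: Windows 8 / Server 2012+, elevated PowerShell session.

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918, loopback, link-local, unspecified, and the IPv6 loopback / link-local / ULA ranges.
    ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$)') -or
    ($Ip -match '^(::1$|::$|fe80:|f[cd][0-9a-f]{2}:)')
}

function Get-ExternalConnection {
    # -Resolve does a PTR lookup per remote address; on a box you suspect is compromised,
    # prefer resolving from a clean machine instead.
    param([switch]$Resolve)
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $host = $null
            if ($Resolve) {
                $ptr  = Resolve-DnsName -Name $_.RemoteAddress -Type PTR -ErrorAction SilentlyContinue
                $host = ($ptr | Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1).NameHost
            }
            [pscustomobject]@{
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemoteHost    = $host
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '?' }
                Path          = if ($proc) { $proc.Path } else { '?' }
            }
        }
}

# Usage: sort by process so several connections from the same binary group together.
Get-ExternalConnection | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
```

    Unknown binaries living under %TEMP% or %APPDATA% with outbound connections are the ones to pull the plug on; do that before running the cleaning tools rather than after, since the result is as much an indicator for the "how did it get in" question philz1982 raised as it is a cleanup step.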
  • ally_uk Member Posts: 1,145
    Sod all that rubbish if it is a Windows client nuke the machine from orbit and install Linux problem resolved...... :)
    Microsoft's strategy to conquer the I.T industry

    " Embrace, evolve, extinguish "
  • JoJoCal19 Mod Posts: 2,835
    Agree with most of the others, a re-image is the way to go. One of the things I monitor is Symantec Endpoint Manager and if I get hits for viruses or malware, I cut a ticket to the desktop team to go pick up the box/laptop for imaging.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework