Malware Infected Machine Best Way To Deal With It

ally_uk Member Posts: 1,145
Here is the scenario: say you have a machine that is clogged up with malware and spyware and god knows what else. You know the sort: rogue software that, when the OS loads, leaves you unable to do anything because you are bombarded with rogue adverts telling you that your machine is infected and you need to part with a few dollars to resolve the issue.

What is the best way to deal with the issue? Hirens? Trinity Rescue Kit? Or is there some sort of Malwarebytes live CD out there?
Microsoft's strategy to conquer the I.T industry

" Embrace, evolve, extinguish "

Comments

  • Forsaken_GA Member Posts: 4,024
    You reinstall.

    You might boot it on a livecd for backup purposes, but when a machine reaches that point, the only way I'll ever trust it again is a full nuke and pave.
  • dave330i Member Posts: 2,091
    Boot in safe mode with internet access. Download and install Malwarebytes to clean the system.
    2018 Certification Goals: Maybe VMware Sales Cert
    "Simplify, then add lightness" -Colin Chapman
  • ally_uk Member Posts: 1,145
    There have been a few occasions where Safe Mode doesn't help either
  • DevilWAH Member Posts: 2,997
    Forsaken_GA wrote: »
    You reinstall.

    You might boot it on a livecd for backup purposes, but when a machine reaches that point, the only way I'll ever trust it again is a full nuke and pave.

    Exactly, once infected, always infected!! Reinstall is the only way to be 100% sure, or learn a lot about the inner workings of PCs and do a manual clean-out job yourself. And when I say a lot I mean a LOTTTTTTTTTTTTTTT, to the point you could write the clean-up tools yourself! No software solution will be 100%, as none are 100% accurate and up to date.

    I might try a rescue on a home machine, but never at work. First sign of trouble at work and it gets rebuilt, no point taking chances. They do say over 50% of malware is not noticeable by the user and runs behind the scenes; the ads might stop popping up, but that does not mean it has really gone away.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • WafflesAndRootbeer Member Posts: 555
    ally_uk wrote: »
    Here is the scenario: say you have a machine that is clogged up with malware and spyware and god knows what else. You know the sort: rogue software that, when the OS loads, leaves you unable to do anything because you are bombarded with rogue adverts telling you that your machine is infected and you need to part with a few dollars to resolve the issue.

    What is the best way to deal with the issue? Hirens? Trinity Rescue Kit? Or is there some sort of Malwarebytes live CD out there?

    You have two options.

    1. You take out the HDD and connect it to another computer that has up-to-date AV software and run a full scan of the drive with whatever you prefer. That is the only guaranteed way to remove a lot of infections and malware as they can't be loaded into memory as they normally would be by the host OS. Once you do that and follow up with a second cursory scan, you can put the HDD back into the computer and fire it up. The best thing to do is to leave it disconnected from any network until you come up with a final clean scan using the AV or whatever on the computer as some things can only be detected and dealt with when active but the scanning on another machine should remove most or all of the infected files. It's the messed up system processes and hijacked system command scripts that give you the malware that you really have to worry about and those can usually only be dealt with while they are running and unable to reach out for downloads.

    2. Wipe and re-install the software. 60% of the time, it works every time.
  • jamesp1983 Member Posts: 2,475
    dave330i wrote: »
    Boot in safe mode with internet access. Download and install Malwarebytes to clean the system.

    This has always worked for me, but you can't be 100% sure without a wipe/reinstall.
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
  • the_Grinch Member Posts: 4,165
    I agree wipe and reload is the way to go. If that isn't an option, if it is a home machine I will pull the drive and scan it. I once had to work on my Uncle's machine and I used Bitdefender's Bootable Linux.

    Index of /rescue_cd

    That stopped the machine from blue screening for about 30 minutes and then it started again in the middle of a Malwarebytes scan. Ultimately pulling the drive and scanning it (as suggested by Waffles) cleaned it. Good luck!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • veritas_libertas Member Posts: 5,746
    Forsaken_GA wrote: »
    You reinstall.

    You might boot it on a livecd for backup purposes, but when a machine reaches that point, the only way I'll ever trust it again is a full nuke and pave.

    Agreed...
  • Tackle Member Posts: 534
    Before you run any scans, I've been using this program called rkill.exe when an OS reload is not possible (Yes, there are instances of this). It does not remove malware, but kills known rogue processes until you reboot. Works very well when malware will not allow you to access the web, install a program or when navigating is extremely slow.
  • tr1x Member Posts: 213
    Reinstalling will end up being much faster than trying to remove all that malware yourself. Whenever I even slightly suspect malware, I just reinstall because it's faster, easier, and more reliable than working on removing it yourself (unless it's something very minor - which isn't your case).
  • MentholMoose Member Posts: 1,525
    Forsaken_GA wrote: »
    You reinstall.

    You might boot it on a livecd for backup purposes, but when a machine reaches that point, the only way I'll ever trust it again is a full nuke and pave.
    100% agreed since it's always the safer option and usually faster. Unfortunately it can be difficult in some environments... if the user data, OS, and applications are not separated, and there is no imaging infrastructure, a reinstall is really a hassle.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • antielvis Member Posts: 285
    Why would you reinstall? Pull the drive, connect it to another computer, download MalwareBytes & scan the drive. A full scan will take an hourish, less time than a rebuild AND save your data.

    A reinstall/reimage is easy, but it doesn't teach you real problem solving.
  • ptilsen Member Posts: 2,835
    From a security standpoint, wiping the disk is always the best course. If you are working within a highly sensitive organization and there is any chance a system could still be compromised, that is unacceptable.

    When you are not working within a highly sensitive organization, you can safely risk removal of an infection so long as you are reasonably confident you can completely remove the infection and/or the infection is not there for purposes of stealing sensitive credentials or providing a backdoor or foothold into the network.

    When troubleshooting infections, I typically start with built-in tools. Task Manager, Services MMC console, and System Configuration Utility are enough to remove most modern-day infections. I look for rogue processes, services, or startup entries.

    If this initial attempt fails, I will do the same in Safe Mode. I will also run other tools within Safe Mode, primarily Malwarebytes, HijackThis, CWShredder, an antivirus scanner, and a rootkit scanner, roughly in that order. I have also used System Restore to view a list of services -- a well-designed virus can act as a system service which cannot be disabled from within Windows and can even hide itself from the Services MMC snap-in and the service controller utility. Oh, don't forget regedit, which is sometimes necessary to fix an infection.

    These days, most infections, IMO, are profile-level scareware. Only one user account is infected, and the scope of the infection is limited to that account. Removing the executable(s) of the virus or wiping the profile is typically sufficient in these instances.

    Malwarebytes is definitely one of my favorite tools overall, and one of the few scanners that I'll immediately use.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
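The manual checks ptilsen describes above (rogue processes, services and startup entries, first in Task Manager, services.msc and msconfig) and the rkill-style "what is running right now" check Tackle mentions, as an added PowerShell example. This is not code from anyone in this thread. It is read-only triage: it lists autostart entries and running processes whose image is missing, unsigned, or launched from a user-writable directory, and leaves the killing and deleting to you. The list of user-writable roots and the rule that "unsigned means worth a look" are assumptions of the example; on older Windows versions many legitimate Microsoft binaries are catalog-signed and may report NotSigned, and Get-ScheduledTask needs Windows 8 / Server 2012 or later, so treat the output as leads, not verdicts. Run it from an elevated PowerShell.

```powershell
# Added example, not from the thread. Read-only autostart and process triage
# for a live Windows box; run from an elevated PowerShell.
# Assumption: binaries that are missing, unsigned, or launched from these
# user-writable roots deserve a second look. Adjust the list to taste.
$suspectRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    "$env:SystemDrive\Users\Public", "$env:SystemDrive\ProgramData"
)

# Pull the executable path out of a command line, quoted or not.
function Get-ExePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted path with spaces: grow the candidate until it names a real file
    $tokens = $cl -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

# Return the reasons (if any) a binary looks suspicious.
function Get-SuspectReasons {
    param([string]$Path)
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($Path)) { return $reasons }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return @('file missing') }
    foreach ($root in $suspectRoots) {
        if ($root -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "user-writable path ($root)"
        }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return $reasons
}

function New-Finding($Source, $Name, $Exe) {
    [pscustomobject]@{
        Source = $Source; Name = $Name; Path = $Exe
        Reasons = (Get-SuspectReasons $Exe) -join '; '
    }
}

$findings = @()

# 1. Run/RunOnce keys for the machine and the current user (profile-level
#    scareware usually persists in HKCU).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        $findings += New-Finding "Run:$key" $p.Name (Get-ExePath ([string]$p.Value))
    }
}

# 2. Services: check the binary behind each one, not the display name.
foreach ($svc in Get-CimInstance Win32_Service) {
    $findings += New-Finding 'Service' $svc.Name (Get-ExePath $svc.PathName)
}

# 3. Scheduled tasks, a persistence spot msconfig never shows.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }       # COM-handler actions have no Execute
        $findings += New-Finding "Task:$($task.TaskPath)" $task.TaskName (Get-ExePath $a.Execute)
    }
}

# 4. What is running right now (the rkill-style check). Protected processes
#    refuse to tell us their path; skip them rather than die.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $path = try { $proc.Path } catch { $null }
    if ($path) { $findings += New-Finding 'Process' "$($proc.Name) ($($proc.Id))" $path }
}

$findings | Where-Object { $_.Reasons } | Sort-Object Source, Name |
    Format-Table Source, Name, Reasons, Path -AutoSize -Wrap
```

Anything that shows up with both "user-writable path" and "signature NotSigned" under an HKCU Run key or a task is the usual shape of the profile-level scareware ptilsen describes; a service entry reporting "file missing" is also worth a look, since it is the leftover of something that has already been partially cleaned. The script deliberately does not touch anything, so it can be run before deciding between a clean-up attempt and a rebuild.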
  • rsutton Member Posts: 1,029
    antielvis wrote: »
    Why would you reinstall? Pull the drive, connect it to another computer, download MalwareBytes & scan the drive. A full scan will take an hourish, less time than a rebuild AND save your data.

    A reinstall/reimage is easy, but it doesn't teach you real problem solving.

    Except you don't know if the computer is actually clean. MBAM is fine and all but it does not catch everything. Even using multiple tools does not guarantee the computer is clean. Worst case scenario you have given a user back their computer that is still infected and someone is data mining/keylogging/monitoring their computer which could result in serious problems.
  • DevilWAH Member Posts: 2,997
    antielvis wrote: »
    Why would you reinstall? Pull the drive, connect it to another computer, download MalwareBytes & scan the drive. A full scan will take an hourish, less time than a rebuild AND save your data.

    A reinstall/reimage is easy, but it doesn't teach you real problem solving.

    How does running a virus/malware scan teach you to problem solve? If you want to problem solve, download the tools from Sysinternals and learn how to "really troubleshoot": follow process and registry reads and writes, and maybe, if you are really good, you will be able in about 10 years to be 100% confident of cleaning a system.

    Virus checkers and malware scanners are not 100% accurate, so why would you assume that Malwarebytes will find everything, and even more so repair it...
  • Forsaken_GA Member Posts: 4,024
    antielvis wrote: »
    Why would you reinstall? Pull the drive, connect it to another computer, download MalwareBytes & scan the drive. A full scan will take an hourish, less time than a rebuild AND save your data.

    A reinstall/reimage is easy, but it doesn't teach you real problem solving.

    As others have mentioned, there's still going to be a trust issue. Security companies are traditionally behind the curve, they're reactive, not proactive.

    Then there's a simple matter of expediency. If you have a standard image you can drop onto a hard drive, that's usually a hell of a lot quicker to get up and running than running it through a scanner. So sure, while doing a full and exhaustive forensic analysis of your own computer and maybe your family members' may be something they appreciate, that doesn't tend to scale well within the enterprise. And after the fourth time Uncle Lee trashes his Windows install by looking at sites he shouldn't be looking at, you get just a tad bit tired of cleaning the box.
  • Bain Member Posts: 12
    If this is a windows system then I typically boot into safe mode and do a system restore to a time when the person said the system worked appropriately. Then I would run a thorough scan using a specialized program that I have on a flash drive.

    However, if the computer is old and slow, I will simply remove the HD and perform everything on another system.

    I have reformatted systems in the past, but found that to not be the true route a professional should take. That is the last route.
  • Forsaken_GA Member Posts: 4,024
    Bain wrote: »
    I have reformatted systems in the past, but found that to not be the true route a professional should take. That is the last route.

    Well, I suppose we all have different definitions of a professional.

    In my opinion, the professional considers the needs of the user. If the user is ok with a reinstall and wants their computer working again as quickly as possible (and in my experience, this has nearly always been the case), you'd be quite unprofessional by insisting on it as a last option. When I was still doing freelance desktop support, I tended to offer the user several options.

    A - Flatten the box entirely, make it pristine, and hand it back to them. They would be responsible for restoring content and applications
    B - Transfer what I could off the drive, assuming the drive crashing wasn't the entire problem, flatten it, restore their content, and they're responsible for reinstalling their applications
    C - Transfer what I could off the drive, flatten it, restore the content, reinstall their apps, do their account setups, etc
    D - Try and restore the box as is to a proper working order if at all possible.

    In the cases of infection, D always came with the warning that I could not guarantee that the machine would be fully cleaned, and that it could relapse.

    In all cases, I took the time to educate my users on better practices and to exercise some caution when running programs of dubious origin and visiting websites of questionable content, along with a recommendation to purchase and use anti-virus if they hadn't been, and to get away from IE as a browser.

    My fee varied depending on what they chose. If they wanted to pay less money, they had to sacrifice some value in the service.

    The overwhelmingly popular choice was B. What most people cared about was that they had their pictures, their bookmarks, and their email (I was doing support back in the days before webmail and the use of IMAP at major ISP's became popular choices, so almost all mail was POP3 and stored on the local computer) and that their computer was back up and running again as soon as possible. That option, I could guarantee a 24 hour turn around on, and usually same day (all depending on how out of date the machine was, and how much patching of Windows I had to do)

    You can say a true professional goes out of their way to fix the machine in place without having to resort to the blunt tools. And you're entitled to your opinion. My opinion is that doesn't make you a professional, it makes you an artiste. In my opinion, the real professional takes the time to understand their clients needs and desires, and also understands their own worth to the customer in relation to that and charges accordingly.
  • Daniel333 Member Posts: 2,077
    With the proliferation of app virtualization, desktop virtualization, Macintosh etc. you don't really see these talks too much anymore. Our corporate image can be installed faster than we can make the ticket.

    But I'll start with who is asking? As a security professional, you would have to preserve the machine, talk to your security department, write a report and explain to management why every piece of customer information that that PC and user could touch now must be assumed in the hands of the dark side. Normally ends in days of calling customers and sending letters explaining how you're sorry and offering to pay for credit protection...

    If it's John Doe's computer I suppose you pull a Geek Squad attack and put your faith in all the antimalware tools out there. So if you must, here is how we did it back in the Geek Squad days

    - Pull the HDD
    - Back up the data
    - Replace the drive in the system, system restore back as far as reasonable, and disable System Restore, deleting the restore points (remember, malware copies itself into restore points)
    - Pull the drive again
    - Blast it with, say, 15+ antimalware solutions (we had a script which ran a total of 20!)
    - Clear NTFS streams
    - Manually clean temp files while you're at it, might save you some scan time; also delete unused profiles
    - A number of tools to load the registry remotely out there, but go and remove startup items
    - Finally boot the machine to safe mode, rerun some scans. I found sometimes those registry cleanup tools remove dead trees, and compress the registry when malware goes crazy and inflates the database too large
    - sfc check to make sure you have no rogue system files
    - Boot to Windows, patch the heck out of it (FF, Java, iTunes etc.); Secunia is nice to detect third-party issues
    - Address the CAUSE of the problems
    -Daniel
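The offline part of the procedure above (pull the drive, load the registry from another machine, remove startup items, clear NTFS streams, clean temp files) and the "connect the HDD to another computer" approach WafflesAndRootbeer and the_Grinch describe, as one added PowerShell example. It is not code from anyone in this thread or from Geek Squad. It assumes the pulled drive shows up on the clean machine as E:, that the infected profile is E:\Users\victim, and a Vista-or-later folder layout (Users, ProgramData, AppData); change the parameters to match. The script mounts the offline SOFTWARE and NTUSER.DAT hives with reg.exe load, prints the Run/RunOnce entries, lists alternate data streams other than the main stream and the browser Zone.Identifier marker, and lists recently written executables and scripts in the usual drop zones with their signature status. Because the suspect OS is not running, nothing in it can hide from these checks. Run it from an elevated PowerShell; the 14-day window and the drop-zone list are assumptions.

```powershell
# Added example, not from the thread. Offline triage of a drive pulled from an
# infected box and mounted on a clean machine. Run from an elevated PowerShell.
# Assumptions: the drive shows up as E: and the infected profile is E:\Users\victim;
# change the parameters to match (e.g. .\Offline-Triage.ps1 -Volume F: -Profile F:\Users\bob).
param(
    [string]$Volume  = 'E:',
    [string]$Profile = 'E:\Users\victim',
    [int]$Days = 14
)

$softwareHive = Join-Path $Volume 'Windows\System32\config\SOFTWARE'
$userHive     = Join-Path $Profile 'NTUSER.DAT'

# 1. Load the offline hives under temporary keys and read the autostart entries.
#    The malware is not running, so nothing can hide these from you.
reg.exe load HKLM\OffSoftware $softwareHive | Out-Null
reg.exe load HKLM\OffUser     $userHive     | Out-Null
try {
    $runKeys = @(
        'HKLM:\OffSoftware\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OffSoftware\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\OffSoftware\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        "== $key"
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { '  {0,-30} {1}' -f $p.Name, $p.Value }
        }
    }
}
finally {
    # Always unload, or the hive files stay locked and the drive cannot be returned.
    [GC]::Collect()   # drop PowerShell's own handles to the loaded keys first
    reg.exe unload HKLM\OffUser     | Out-Null
    reg.exe unload HKLM\OffSoftware | Out-Null
}

# 2. NTFS alternate data streams other than the main :$DATA stream and the
#    browser's Zone.Identifier marker. Assumption: anything else is worth a look.
$adsRoots = @($Profile, (Join-Path $Volume 'ProgramData'), (Join-Path $Volume 'Windows\Temp'))
Get-ChildItem -Path $adsRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
    } |
    Select-Object FileName, Stream, Length | Format-Table -AutoSize

# 3. Executables and scripts written in the last $Days days in the usual drop
#    zones, with their Authenticode status. Unsigned and recent is a strong lead.
$cutoff = (Get-Date).AddDays(-$Days)
$dropZones = @(
    (Join-Path $Profile 'AppData\Local\Temp'),
    (Join-Path $Profile 'AppData\Local'),
    (Join-Path $Profile 'AppData\Roaming'),
    (Join-Path $Volume  'ProgramData'),
    (Join-Path $Volume  'Users\Public'),
    (Join-Path $Volume  'Windows\Temp')
)
Get-ChildItem -Path $dropZones -Recurse -File -Force -ErrorAction SilentlyContinue `
    -Include *.exe, *.dll, *.scr, *.com, *.bat, *.cmd, *.vbs, *.js |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            Written   = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            Path      = $_.FullName
        }
    } |
    Sort-Object Written -Descending | Format-Table -AutoSize -Wrap
```

The try/finally around the hive load matters: if the script dies with the hives still mounted, the drive stays locked until the clean machine reboots. Removing a Run entry found this way is a Remove-ItemProperty against the loaded key while it is mounted; removing a stream is Remove-Item -Stream on the file. Both are left out here on purpose, since the thread's point stands either way: a clean-looking listing from an offline scan tells you what was set to start, not that nothing else is there.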
  • MentholMoose Member Posts: 1,525
    Forsaken_GA wrote: »
    As others have mentioned, there's still going to be a trust issue. Security companies are traditionally behind the curve, they're reactive, not proactive.
    Exactly. Everyone is running anti-virus already, so if a computer gets infected, how does running another AV scan guarantee it is clean? I guess you can hope that the virus definitions have been updated to detect the threat, or maybe use several AV products and hope one of them actually works. That's not much of a guarantee, though.
  • CodeBlox Member Posts: 1,363
    antielvis wrote: »
    Why would you reinstall? Pull the drive, connect it to another computer, download MalwareBytes & scan the drive. A full scan will take an hourish, less time than a rebuild AND save your data.

    A reinstall/reimage is easy, but it doesn't teach you real problem solving.
    Depending on how bad the malware has infected my system, I'm not so sure if I could be at comfort anymore unless I re-imaged the computer, which by the way is probably quicker in some cases... On our helpdesk, a lot of **** that gets escalated to field services gets re-imaged. Most likely because it's a lot quicker than spending hours troubleshooting. Usually the customer wants to get back up and running as quickly as possible. Some people call it lazy, but hey, the customer is happy.

    Funny thing, I have a VM (Win XP) and yesterday, I tried my hardest to intentionally find some malware to download to the machine and see what happens... I could NOT find any whatsoever!!
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • DevilWAH Member Posts: 2,997
    Bain wrote: »

    I have reformatted systems in the past, but found that to not be the true route a professional should take. That is the last route.

    I would disagree; most of the companies I have worked for have had the policy that if a user's PC was infected (not that anti-virus software had blocked something, but there was an actual infection), then the system was re-imaged.

    Backing up user data, copying image and putting data back takes about 45 minutes, which is less time than it takes to do a full scan of most systems.

    While it is nice to do the clean manually, to do it correctly takes hours and a lot of skill. I have seen systems cleaned with multiple solutions, looking fine and returned to the user, only for them to come in a few days later with the exact same issue, because it has not been cleaned correctly.

    I have sat down before with registry monitors, file monitors and process monitors and tracked back a piece of malware, watching what files it modifies and how it avoids deletion. And yes, after about 4 hours' work I managed to do what no anti-malware software seemed able to do. But I only did that because it was my PC and it was more interesting to do it than just re-image.

    But for someone else's PC or a company PC I would always push for a rebuild.
  • DevilWAH Member Posts: 2,997
    CodeBlox wrote: »

    Funny thing, I have a VM (Win XP) and yesterday, I tried my hardest to intentionally find some malware to download to the machine and see what happens... I could NOT find any whatsoever!!

    There used to be a site called "Virus Vault" or something, way back in the dark ages of the internet; you could download zip files of infected files there. Some guy was trying to collect every virus made. Don't think it's around any more though.
  • Forsaken_GA Member Posts: 4,024
    DevilWAH wrote: »
    There used to be a site called "Virus Vault" or something, way back in the dark ages of the internet; you could download zip files of infected files there. Some guy was trying to collect every virus made. Don't think it's around any more though.

    Those who remember the dark ages before the internet know what the acronym VCL stands for ;)
  • SteveLord Member Posts: 1,717
    I haven't had to fully wipe one in several years. Last one was a co-worker's computer whose son infected it to hell and back via Limewire and who knows what else. Nowadays nearly all of the time (in my experience) it's a computer suffering from rogue antivirus software... which isn't too difficult to remove.
    WGU B.S.IT - 9/1/2015 >>> ???