Never Seen This One Before - Page 2

Thread: Never Seen This One Before

  1. #16
    Registered User
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    478
    I usually do an image before starting, unless it's a laptop, which is sometimes a pain to get the drive slaved to do the image.

  2. #17
    Registered User BOB IROC's Avatar
    Join Date
    Jun 2003
    Location
    Lockport, IL
    Posts
    1,158

    New Malware Removal Tool From Microsoft.

    System Sweeper.

    http://connect.microsoft.com/systemsweeper

    I haven't tried it yet but will next time I come across a Malware infected machine that needs a bit of effort to repair.

    Their other Anti-Virus/Anti-Malware utilities seem to work well. I have used the Microsoft Safety Scanner with success.

    http://www.microsoft.com/security/sc...s/default.aspx

    I find that to be useful in machines that have had their Antivirus disabled and the machine will not allow the installation of something new but you need to run it on a live machine to get all the running processes and such.
    At the source of every error which is blamed on the computer, you will find at least two human errors, including the error of blaming it on the computer.
    http://www.facebook.com/BlueLightningTechnicalServices

  3. #18
    Registered User
    Join Date
    Mar 2005
    Posts
    1,534
    Zonie, the unhide.exe worked great. Just ran it and everything came back, just like you said. Thanks for that.

    I saw some posts in other forums that said Malwarebytes isn't effective in safe mode, but I ran it in both and it didn't find anything more in regular mode than it did in safe mode. So far this time around I'm not running into the "access is denied" with Malwarebytes. Before, I also got the same with Spybot.

    Thanks for the input all. Great forum.
    Jesus replied: "'Love the Lord your God with all your heart and with all your soul and with all your mind

  4. #19
    Registered User
    Join Date
    Mar 2005
    Posts
    1,534
    Quote Originally Posted by Niclo Iste View Post
    In the event an infection is making you worry that you may need to rely on the infected restore points, I'd prefer to go the direction of imaging the drive and doing the removal process with the least likely chance of letting the infection come back. That way, if it goes to being unusable, you can reload the image and start over rather than have a restore point mess up a cleaning that could have completed without fail.

    I don't bother with imaging an infected machine; I just format if the first attempt at removal fails. I do get their data before the format, however. I figure if you try once, a second time won't work either and is a waste of time.

    Does anyone have an answer to why you wouldn't run a system restore point first off? I mean one far enough back, before the infection. I don't see you losing anything by this, and you may just remove the infection completely.

  5. #20
    Registered User BOB IROC's Avatar
    Join Date
    Jun 2003
    Location
    Lockport, IL
    Posts
    1,158
    Quote Originally Posted by Kodiak View Post
    I don't bother with imaging an infected machine; I just format if the first attempt at removal fails. I do get their data before the format, however. I figure if you try once, a second time won't work either and is a waste of time.

    Does anyone have an answer to why you wouldn't run a system restore point first off? I mean one far enough back, before the infection. I don't see you losing anything by this, and you may just remove the infection completely.
    I do pretty much the same. Back up data to a USB hard drive or something and reinstall from scratch. If I am going to spend time like that, I may as well do the method that ensures all traces of the infection are gone.

    Also, that way I can make sure the computer is properly patched and has adequate protection from the start. I find that is a big reason people are still getting affected, aside from being click-happy and not reading/knowing what they are actually doing.

  6. #21
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    Ideally, all removals need to be done in standard mode, because that's the only way to be sure that all the active malware is, well, active and therefore gets detected. Sometimes it can be a coin toss as to whether it's quicker to try a removal in safe mode first or yank the drive. If I recognize some familiar bit of Rogue AV junk that's blocking a standard mode scan but letting me scan in safe mode, I'll generally do that rather than slave the drive.

    Still, you always have to follow up with standard mode scans as part of any removal process. You can find plenty of argument about whether Malwarebytes needs to be run in full scan mode at all, or whether quick scan is always sufficient. I really think quick scan is fine for checking a system you think is clean, but one that's definitely infected needs a full scan.

    That's true for a couple of reasons. First, there are nasties that can detect MBAM (and other tools) running and shut themselves down. That means that MBAM has a reduced chance of locating the pest in question. I've had some pretty experienced people tell me that since MBAM scans all system loading points, etc., anything that it doesn't detect is just an unimportant leftover. Frankly, that's a crock. And it brings me to point two.

    A lot of the stuff MBAM ignores in quick scan mode isn't harmless. Here's my best example to date. A few months ago, I had to clean up a computer that had most malware known to man running on it, including TDSS4. Anyway, to cut to the chase, once I had the computer pretty clean, I re-ran MBAM in quick scan mode and it detected a PUP called Whitesmoke Toolbar. After reading up on that a bit, it was extremely clear that Whitesmoke needed to die, so I let MBAM remove it. It removed 3 items. So I decided to do a follow-up full scan, which found 3 pages of "leftovers", including installers for the malware scattered in directories all over the drive, and an updater and a downloader running as scheduled tasks.

    Edit: Just wanted to re-iterate that my objection to backing up data, formatting and restoring the data is the excellent chance of re-infection. It can happen through a macro virus in an Office file, an infected PDF, a Big Breasted Russian Girls Want Your Love screen saver, or whatever. You can't be sure the data is clean unless you've cleaned the machine.
    Last edited by slgrieb; June 1st, 2011 at 10:47 AM.

  7. #22
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    I agree, just backing up folders and moving them after a reinstall isn't truly safe. For all you know, you've infected the machine again, or even your cleaning machine, with a 0-day infector. Best to keep the infection isolated to the unit it came in on. To be honest, if someone is wanting a recovery from an infection, there is no cheap way about it. Think of it like cancer: you can go all out and get the full treatment, or you can just hope it goes away on its own. I'm not trying to step on anyone's toes here, but it's been an argument I've had with several of my associates here locally, and if I was wrong they wouldn't be coming to me for advice as much as they do. When it comes down to it, some infections take sending it back to the user just to find out that it wasn't removed fully because it was a 0-day or an unknown variant. This is why I don't believe in a standard method for removals as well, since each infection reacts differently and so should we. All in all, the users have two choices, and this I think helps them learn not to be so irresponsible with their computer habits. They can either pay for the results of a long and costly removal, or they can say bye-bye to their files with a blown-away system that has a quarantined backup that I save for them in case they declare they have to have the info, but I also inform them that if they reinfect because of it, that's their fault, not mine.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  8. #23
    Registered User BOB IROC's Avatar
    Join Date
    Jun 2003
    Location
    Lockport, IL
    Posts
    1,158
    Quote Originally Posted by Niclo Iste View Post
    I agree, just backing up folders and moving them after a reinstall isn't truly safe. For all you know, you've infected the machine again, or even your cleaning machine, with a 0-day infector. Best to keep the infection isolated to the unit it came in on. To be honest, if someone is wanting a recovery from an infection, there is no cheap way about it. Think of it like cancer: you can go all out and get the full treatment, or you can just hope it goes away on its own. I'm not trying to step on anyone's toes here, but it's been an argument I've had with several of my associates here locally, and if I was wrong they wouldn't be coming to me for advice as much as they do. When it comes down to it, some infections take sending it back to the user just to find out that it wasn't removed fully because it was a 0-day or an unknown variant. This is why I don't believe in a standard method for removals as well, since each infection reacts differently and so should we. All in all, the users have two choices, and this I think helps them learn not to be so irresponsible with their computer habits. They can either pay for the results of a long and costly removal, or they can say bye-bye to their files with a blown-away system that has a quarantined backup that I save for them in case they declare they have to have the info, but I also inform them that if they reinfect because of it, that's their fault, not mine.
    I don't think it was meant that it was done blindly. You would always scan and clean that backed-up data before moving it back.

    Actually, my basic steps are to run full scans using a few utilities such as the Microsoft Safety Scanner, Malwarebytes and sometimes a couple of others out there, if the machine is bootable.

    Then back up the data and reformat. Then scan those files again before copying them back.

    In all the years I have been doing these basic steps, I have had only a handful come back with another infection, and all of those fell back into their bad habits of unsafe browsing or file downloading.

    I also find that old Java is a source of letting these things in. I still find machines with the old Java installed alongside the newer versions. A fresh install with the latest patches and some good security advice seems to work for me, but backing up data without scanning it is just insane.
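    The "scan the backed-up data before copying it back" step in #23, and slgrieb's warning in #21 that an Office file, a PDF or a screen saver in the user's data can reinfect a freshly rebuilt machine, can be backed up with a quick pre-restore triage pass in addition to a full AV scan. The script below is an added example written for this thread, not a tool any poster mentioned: it walks a backup tree and lists every file that deserves a manual look before restore, flagging executable content by extension (including double extensions such as `invoice.pdf.exe`), files whose bytes start with a Windows PE header even though the extension claims an image or document, and PDFs that contain active-content keywords. The extension list, the PDF keyword heuristic and the `build_sample_backup()` sample tree are all constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# File types that carry executable content and do not belong in a "documents" backup.
# Constructed starting point for this example, not an exhaustive list.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".hta", ".msi", ".dll", ".lnk", ".jar", ".docm", ".xlsm", ".pptm", ".dotm",
}

PE_MAGIC = b"MZ"      # first two bytes of every Windows executable, DLL and .scr
PDF_MAGIC = b"%PDF"
# PDF name objects that indicate scripts or auto-run actions (cheap heuristic only).
PDF_ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def inspect_file(path: Path) -> Optional[str]:
    """Return a reason string if the file warrants a manual look, otherwise None."""
    ext = path.suffix.lower()
    if ext in RISKY_EXTENSIONS:
        # Covers double extensions too: "photo.jpg.scr" has suffix ".scr".
        return f"executable content by extension ({ext})"
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError as exc:
        return f"unreadable ({exc.strerror})"
    if head.startswith(PE_MAGIC):
        return "PE header under a non-executable extension"
    if head.startswith(PDF_MAGIC):
        with path.open("rb") as fh:
            body = fh.read()
        hits = [k.decode() for k in PDF_ACTIVE_CONTENT if k in body]
        if hits:
            return "PDF with active content: " + ", ".join(hits)
    return None


def triage_backup(root) -> List[Tuple[str, str]]:
    """Walk a backup tree; return (relative path, reason) for every flagged file."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reason = inspect_file(p)
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)


def is_clean(root, relative) -> bool:
    """True when a single file in the backup raised no flag."""
    return inspect_file(Path(root) / relative) is None


def build_sample_backup() -> str:
    """Create a constructed backup directory for the demonstration; returns its path."""
    root = tempfile.mkdtemp(prefix="backup_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_bytes(b"meeting notes\n")
    (docs / "invoice.pdf.exe").write_bytes(PE_MAGIC + b"\x90" * 64)   # double extension
    (docs / "holiday.jpg").write_bytes(PE_MAGIC + b"\x90" * 64)       # PE disguised as image
    (docs / "form.pdf").write_bytes(b"%PDF-1.4\n/OpenAction << /S /JavaScript >>\n")
    (docs / "clean.pdf").write_bytes(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n")
    return root


if __name__ == "__main__":
    sample = build_sample_backup()
    for rel, why in triage_backup(sample):
        print(f"{rel}: {why}")
```

    Run it against the backup directory before copying anything back; anything it lists goes to the AV scanner (or the bin) first. It is a triage aid, not a detector: a macro inside an ordinary .doc or a malicious PDF that avoids those keywords passes silently, which is exactly why the full scan in #23 still has to happen.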

  9. #24
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    By the way sorry for the huge block of text rather than appropriate paragraphs. I am writing while at work when I get breaks between calls.

  10. #25
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    I have to admit that there have certainly been times when I just didn't really see a way out except the Nuclear Option, but I'm also certain that in at least one case, I did in fact reinfect a machine. Didn't like that at all. Especially the part about eating the time to do it over.

  11. #26
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    Quote Originally Posted by BOB IROC View Post

    I also find that old Java is a source of letting these things in. I still find machines with the old Java installed alongside the newer versions.
    Absolutely. Though it isn't just Java, of course. How often do you still see machines with Acrobat Reader 5.0, old Flash Players, etc.? In the same vein, I run across folks that are running AV software where the license expired years ago, so naturally, not only is the version obsolete, but so is the database. In fact, I recently hit an expired NAV 2003. I'm sitting there disinfecting the computer, and this guy is telling me he can't believe he's infected because he has Norton!

  12. #27
    Registered User BOB IROC's Avatar
    Join Date
    Jun 2003
    Location
    Lockport, IL
    Posts
    1,158
    Quote Originally Posted by slgrieb View Post
    Absolutely. Though it isn't just Java, of course. How often do you still see machines with Acrobat Reader 5.0, old Flash Players, etc.? In the same vein, I run across folks that are running AV software where the license expired years ago, so naturally, not only is the version obsolete, but so is the database. In fact, I recently hit an expired NAV 2003. I'm sitting there disinfecting the computer, and this guy is telling me he can't believe he's infected because he has Norton!
    All way too often. I was just using Java as an example, but Flash and Acrobat are big sources too. The more updated versions have better auto-update mechanisms built in, but that does not help those with the old versions.

    Don't get me started on outdated antivirus programs or computers with no antivirus/antimalware protection at all. I can honestly say every machine that I get that has an active infection has obvious signs of neglect or a user that needs to stop being unsafe.

    I have become a fan of a program called Secunia PSI recently and have been installing it on client computers. It does a very good job of notifying and updating most software that is installed on the computer. Some applications it can update silently; for others it will notify the user that it is out of date and provide a safe and direct link to the download for the update. I even think it will identify the outdated versions and explain how to remove them.

  13. #28
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    PSI is very good. Older versions used to have fairly frequent problems with displaying messages that some program or other still needed to be updated even after it was updated. Sometimes a rescan or reboot fixed it; sometimes not.

    I think they've largely gotten past that. Latest version's fully compatible with Win7 and Vista. Definitely, the enhanced ability of the current version to handle many updates automatically is nice. Far fewer calls asking "Secunia says I need to update this program. Should I do it?"

  14. #29
    Registered User
    Join Date
    Mar 2005
    Posts
    1,534
    This has turned out to be a very informative thread. Nice info, ladies and gents. Some more things I can put in my bag of tricks.

    The virus removal on the machine with all the files hidden worked out real well, unlike a few of the others with this nasty virus.
