To rebuild or not to rebuild... that's the question 2


rpearson

Technical User
Jul 25, 2002
A client is bringing in a PC (MS Windows) that is apparently infested with malware/viruses. Another PC shop had attempted to clean the malware/virus, but apparently had no luck. In situations like this in the past, it was easier for me to back up the system and rebuild it than to spend hours trying to clean it, and in some cases it would become unstable from all the poking around. In most cases the user doesn't have the OS CD or the OEM CDs to reinstall everything, which leads to more issues and time.

I would also try different brands of AV and spyware remover to get the job done; sometimes it's a success. Am I taking a good approach to this? Or am I lacking the expertise to defeat the virus without having to rebuild a system that is usually overwhelmingly infested and unstable?

 
It's difficult to give an answer for a specific case, as types and levels of infection vary depending on the nature of the infection. In the past I've had success in removing 300+ malware elements on a single machine (Kazaa user, of course), but I've also had to rebuild machines infected with a single element.
As a rule of thumb I tend to take the following approach (apologies if I'm stating the obvious):
1. Backup data, note licence keys etc
2. Install, update and run the following free utilities:
(a) Lavasoft Ad-Aware
(b) Spybot - Search and Destroy
3. Remove detected malware in blocks (quarantining where possible first), checking functionality is not disabled as the elements are removed.
4. Install any missing elements from the following set of security utilities:
(a) Firewall
(b) AV product (updated)
(c) SpywareBlaster (updated)
5. Connect compromised machine to the internet (isolated from any network)
6. Run free online AV scan using BitDefender or TrendMicro or similar.
7. Run free online trojan scan.
8. Install and run the following manual removal tools:
(a) Bazooka Spyware Scanner
(b) HijackThis
9. Install and run the following traffic monitors:
(a) FileMonitor
(b) ActivePorts
10. Check running machine processes against known clean machine with matching OS, looking for unusual / unknown processes and identifying any found.

NB: System Restore should be disabled for removals if machine running XP.

These steps should enable you to establish whether the machine requires a rebuild. Researching results found may result in a decision being made before all steps are completed.

HTH

TazUk

Blue-screening PCs since 1998
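Step 10 of the procedure above compares the running processes on the suspect machine with those on a known-clean machine of the same OS. The following Python script is an added example, not code from the thread or from any of the tools it names: it assumes both process lists were exported by hand as "name | full path" lines, and the two sample lists, the set of single-instance XP processes and the user-writable path fragments are constructed assumptions for illustration. It flags names absent from the baseline, known names running from an unexpected path (the usual svchost.exe/lsass.exe masquerade), binaries executing from a profile or temp directory, and extra copies of processes that should run exactly once.

```python
"""
Step-10 helper: diff a suspect PC's process list against a known-clean baseline.

Added example for the thread above; not a tool from the thread. Input format
(assumed): one process per line as "name | full path". Both lists below are
constructed sample data, not captures from a real machine.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed baseline from a known-clean Windows XP install (assumption).
CLEAN_BASELINE = r"""
System        | System
smss.exe      | C:\WINDOWS\system32\smss.exe
csrss.exe     | C:\WINDOWS\system32\csrss.exe
winlogon.exe  | C:\WINDOWS\system32\winlogon.exe
services.exe  | C:\WINDOWS\system32\services.exe
lsass.exe     | C:\WINDOWS\system32\lsass.exe
svchost.exe   | C:\WINDOWS\system32\svchost.exe
explorer.exe  | C:\WINDOWS\explorer.exe
"""

# Constructed capture from the suspect machine (assumption, not a real capture).
SUSPECT_CAPTURE = r"""
System        | System
smss.exe      | C:\WINDOWS\system32\smss.exe
csrss.exe     | C:\WINDOWS\system32\csrss.exe
winlogon.exe  | C:\WINDOWS\system32\winlogon.exe
services.exe  | C:\WINDOWS\system32\services.exe
lsass.exe     | C:\WINDOWS\system32\lsass.exe
svchost.exe   | C:\WINDOWS\system32\svchost.exe
svchost.exe   | C:\WINDOWS\svchost.exe
explorer.exe  | C:\WINDOWS\explorer.exe
msupdate32.exe | C:\Documents and Settings\user\Local Settings\Temp\msupdate32.exe
lsass.exe     | C:\WINDOWS\lsass.exe
"""

# Processes that run exactly once on a clean XP box (assumption used as a heuristic).
SINGLETONS = {"smss.exe", "lsass.exe", "winlogon.exe", "services.exe"}

# Path fragments a system binary should never execute from (assumption).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Turn "name | path" lines into lowercase (name, path) pairs.

    Windows paths are case-insensitive, so everything is compared lowercased.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        name, _, path = line.partition("|")
        rows.append((name.strip().lower(), path.strip().lower()))
    return rows


def build_baseline(rows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each clean process name to the set of paths it legitimately runs from."""
    known: Dict[str, Set[str]] = {}
    for name, path in rows:
        known.setdefault(name, set()).add(path)
    return known


def compare(baseline_rows, suspect_rows) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every suspect process that deviates from the baseline."""
    known = build_baseline(baseline_rows)
    counts = Counter(name for name, _ in suspect_rows)
    findings = []
    for name, path in suspect_rows:
        reasons = []
        if name not in known:
            reasons.append("not in clean baseline")
        elif path not in known[name]:
            # Same name as a system process but a different location: classic masquerade.
            reasons.append("known name, unexpected path")
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("running from user-writable location")
        if name in SINGLETONS and counts[name] > 1:
            reasons.append(f"{counts[name]} instances of a single-instance process")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def report() -> List[str]:
    """Format the findings for the constructed sample above, one line each."""
    findings = compare(parse_listing(CLEAN_BASELINE), parse_listing(SUSPECT_CAPTURE))
    return [f"{name}  {path}  <- {'; '.join(reasons)}" for name, path, reasons in findings]


if __name__ == "__main__":
    for line in report():
        print(line)
```

A hit from this script is a lead, not a verdict: the legitimate lsass.exe is flagged alongside the impostor only because a second copy exists, and a baseline taken from a machine with different service packs or vendor software will produce spurious "not in clean baseline" entries, so the baseline must come from a matching OS build as the post says.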
 
I don't use XP or understand its features very well so this may be an inappropriate question.

In regard to system restore, rather than just disabling it, wouldn't it be more appropriate, as a second step after backups and information gathering, to see if there is a restore point that allows going back before the infection?

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
There is a catch to that. How far back do you go with your restore and what information are you willing to risk losing in a restore action?

If you know when the infection started and know that you will not lose anything of value then yes, restore and move on with life. However, most people don't know when they get infected so to move backwards is a big risk for them.

The reason for advising to disable system restore while battling a malware attack is so that you do not create any restore points that are infected with malware (thus avoiding the, oops I goofed this up, let me restore...ah crap...I've got this again?!).

It is also advisable to delete any restore points that you are not positive are malware-free, to avoid the above situation.

As for inappropriate diogenes...I think I speak for everyone when I say that's a very valid question. I could give you a few inappropriate questions but I like posting here [wink].
 
aquias

Thanks.

(I like posting here too.)

diogenes

 