My Current Malware Removal And Detection Techniques

I thought I’d share my current malware detection and removal techniques for my infected St. Louis clients.

0 – 10 minutes:

1.  Delete Temp Files with EzPCFix (far fewer files for the later scans to walk, which drastically decreases my scan time).

10 – 30 minutes:

1.  Reboot the PC in safe mode with networking.

2.  Run GMER and disable anything it flags as a rootkit (hidden services, files or hooks).

3.  Reboot in safe mode with networking.

4.  Install MalwareBytes.  Update.  Perform a quick scan.  Remove malware.

5.  Run MSCONFIG.  Disable everything in startup.  MSCONFIG only stops the entries from launching; the files stay on disk, so note what each entry pointed to before you disable it.

6.  Reboot.

7.  Install SuperAntiSpyware (I wish I could install it in safe mode, however it uses the Windows Installer, which doesn’t run in safe mode).  Install.  Update.  Quick Scan.  Remove.  Reboot.

30 – 90 Minutes – Client chooses if they want Avira Free or Spyware Doctor With Antivirus.  I briefly explain some differences between free and paid anti-malware.  80% of my clients will choose Spyware Doctor with Antivirus.

1.  Install Spyware Doctor With Antivirus.  Update.  Run Quick Scan.  Remove Malware (if any are left).

2.  Reset Browsers.

3.  Wrap up.

  • Teach the client how to update SAS and MBAM.
  • If the client does not want to update SAS or MBAM, I’ll recommend the pro versions of both (provided there is ample RAM).
  • Encourage the client to switch to Firefox.
  • Collect my $.
  • Give ’em 3 cards.
  • Grab a beer.
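As an added example (my own, not part of the original post or any of the tools above), here is the manual check I would run right after step 5, so the client isn’t depending on the scanners alone: it walks the common autostart and hijack points (Run/RunOnce keys, Winlogon Shell/Userinit, AppInit_DLLs, Browser Helper Objects, auto-start services and the Startup folders), resolves each entry to the file that actually runs, and reports anything that is missing or not Authenticode-signed along with its SHA-256. It assumes PowerShell 2.0 or later in an elevated prompt; the list of keys is my selection, not an exhaustive one.

```powershell
# Added example, not the author's tooling: list what the MSCONFIG step hides.
# Assumes PowerShell 2.0+ in an elevated prompt; the key list is my selection.

$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WinNT    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-ImagePath([string]$cmd) {
  # Reduce a command line / ImagePath value to the file that actually runs.
  if (-not $cmd) { return $null }
  $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
  if ($cmd.StartsWith('"')) {                          # "C:\Program Files\x.exe" -args
    $end = $cmd.IndexOf('"', 1)
    if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
  }
  $tokens = $cmd -split ' +'
  if ($tokens[0] -match '^(.*\\)?rundll32(\.exe)?$' -and $tokens.Count -gt 1) {
    return ($tokens[1] -split ',')[0]                   # rundll32 foo.dll,Entry -> foo.dll
  }
  $acc = ''                                             # unquoted path with spaces: grow until it exists
  foreach ($t in $tokens) {
    if ($acc) { $acc = "$acc $t" } else { $acc = $t }
    if (Test-Path -LiteralPath $acc -PathType Leaf) { return $acc }
  }
  $bare = ($tokens[0] -split ',')[0]                    # "userinit.exe," / "explorer.exe" style values
  foreach ($dir in @($env:windir, "$env:windir\System32")) {
    $p = Join-Path $dir $bare
    if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
  }
  return $bare
}

function Get-FileFacts([string]$source, [string]$cmd) {
  # One record per autostart entry: where it came from, what it runs, signer, hash.
  $path = Get-ImagePath $cmd
  $o = New-Object PSObject -Property @{ Source = $source; Command = $cmd; Path = $path;
                                         Exists = $false; Signer = ''; SHA256 = '' }
  if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
    $o.Exists = $true
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid') { $o.Signer = $sig.SignerCertificate.Subject }
    $fs = [System.IO.File]::OpenRead($path)
    try { $o.SHA256 = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
  }
  $o
}

function Get-AutostartReport {
  $out = @()
  foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }             # skip PSPath/PSParentPath/PSProvider noise
      $out += Get-FileFacts "$k\$($p.Name)" ([string]$p.Value)
    }
  }
  $wl = Get-ItemProperty $Winlogon                      # Shell / Userinit hijacks survive MSCONFIG
  foreach ($n in 'Shell', 'Userinit') { $out += Get-FileFacts "Winlogon\$n" ([string]$wl.$n) }
  $ai = (Get-ItemProperty $WinNT).AppInit_DLLs          # DLLs loaded into every user32 process
  if ($ai) { foreach ($d in ($ai -split '[ ,]+')) { if ($d) { $out += Get-FileFacts 'AppInit_DLLs' $d } } }
  if (Test-Path $BhoKey) {                              # Browser Helper Objects: ad injectors live here
    foreach ($c in Get-ChildItem $BhoKey) {
      $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($c.PSChildName)\InprocServer32"
      if (Test-Path $srv) { $out += Get-FileFacts "BHO $($c.PSChildName)" ([string](Get-ItemProperty $srv).'(default)') }
    }
  }
  foreach ($s in Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
    $out += Get-FileFacts "Service $($s.Name)" $s.PathName
  }
  $shell = New-Object -ComObject WScript.Shell          # resolve Startup-folder shortcuts to targets
  foreach ($folder in 'Startup', 'CommonStartup') {
    foreach ($f in Get-ChildItem -ErrorAction SilentlyContinue ([Environment]::GetFolderPath($folder))) {
      if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
      else { $target = $f.FullName }
      $out += Get-FileFacts "Startup $($f.Name)" $target
    }
  }
  $out
}

# Unsigned or missing binaries are where to start reading; the hashes go in your notes.
Get-AutostartReport | Where-Object { -not $_.Exists -or -not $_.Signer } |
  Sort-Object Source | Format-Table Source, Path, Exists, SHA256 -AutoSize
```

Run it once before the scanners and once after the final reboot and diff the two reports; an entry that is back after you disabled it, or a Userinit/Shell value pointing anywhere other than the Windows directory, is something the quick scans did not deal with. Scheduled tasks and per-user Winlogon values are not covered here and are worth a look by hand on a stubborn machine.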
Please +1 this post if you like me :)


  • James

    Great technique m8, when are some new reviews gonna be on YouTube lol? I'm bored, I enjoy watching ur reviews lmao :D

  • malwarekilla

    I’ll probably have one up tonight.

  • Dieselman

    Honestly, what's better, MBAM or SAS? I don't need both because I have NIS 2009. Thanks. SAS seems better to me.

  • asianboy

    Hey Matt, I have SAS and Avira AntiVir 8 and I scanned it. They could not find anything, but I have a problem. I have some weird ad that is about vimax… And it shows on every website that I go to… Please help me!

  • malwarekilla

    @Dieselman – I would go with SAS. The SAS crew seems to really be on top of everything.

  • malwarekilla

    @asianboy – can you shoot me a screen shot of this vimax ad?

  • asianboy
  • malwarekilla

    @asianboy – please run a full MBAM scan and remove anything it finds.

    If that doesn’t work please send me a HiJackThis Log

  • f

    Do you tell them that Avira has the annoying popups?

    You should also install Avast and see if that detects anything.
    Good guide, but I don't need it.

  • malwarekilla

    @f – yes, that’s why they usually opt to buy Spyware Doctor With Antivirus.

    Avast? Decent for antivirus, however it requires a lot of errr….help. See my re-review that I’m uploading in a few minutes.

    Glad you don’t need it :P ….no one should.

  • asianboy

    Ok, I’ll scan for it now, and Matt, I also have another problem… I have Spybot Search and Destroy and whenever I scan with it, it finds a virus called Zlob.DNSChanger… I always remove it but it always comes back. My Avira, SAS, and Ad-Aware don’t detect that in the scan. I look in regedit to see if the address/file is there, and it's not there… So I can't delete it manually. Umm, I also scanned using Spybot Search and Destroy in safe mode. After I rebooted in normal mode, it comes back again… I don't know what else to do =[
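The DNSChanger family the comment above is describing does not need a file to survive a scan: what it changes is the per-interface resolver setting (the NameServer value under the Tcpip Interfaces key, which is what Windows uses in place of the DHCP-assigned servers). As an added example that is not part of the original post and is not Spybot's detection logic, this snippet lists every enabled adapter's DNS servers, says whether they came from DHCP or a static value, and flags addresses inside the ranges published in the FBI's DNSChanger advisory. It assumes PowerShell 2.0 or later; the watch list is mine to maintain and can be swapped for a current one.

```powershell
# Added example, not the author's or Spybot's logic: where does each adapter's DNS come from?
# Assumes PowerShell 2.0+. Watch list = ranges from the FBI DNSChanger advisory (replace as needed).

$WatchList = @('85.255.112.0/20', '67.210.0.0/20', '93.188.160.0/21',
               '77.67.83.0/24', '213.109.64.0/20', '64.28.176.0/20')
$IfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function ConvertTo-UInt([string]$ip) {
  # Dotted IPv4 -> integer, so a prefix mask can be applied with -band.
  $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
  return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

function Test-InCidr([string]$ip, [string]$cidr) {
  if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # IPv4 only; v6 entries pass through
  $net, $bits = $cidr -split '/'
  # 2^32 - 2^(32-bits) is the network mask as an integer (no -shl in PowerShell 2.0)
  $mask = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
  return ((ConvertTo-UInt $ip) -band $mask) -eq ((ConvertTo-UInt $net) -band $mask)
}

function Get-DnsSettingReport {
  $out = @()
  foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    # SettingID is the interface GUID that names the registry subkey for this adapter.
    $reg    = Get-ItemProperty "$IfKey\$($nic.SettingID)" -ErrorAction SilentlyContinue
    $static = [string]$reg.NameServer          # written by hand, by a policy, or by the trojan
    $dhcp   = [string]$reg.DhcpNameServer      # what the DHCP server (usually the router) handed out
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
      if (-not $dns) { continue }
      $flags = @()
      if ($nic.DHCPEnabled -and $static) { $flags += 'static-overrides-dhcp' }
      if ($WatchList | Where-Object { Test-InCidr $dns $_ }) { $flags += 'watch-list' }
      $out += New-Object PSObject -Property @{ Adapter = $nic.Description; Dns = $dns;
                                               Static = $static; Dhcp = $dhcp; Flags = ($flags -join ',') }
    }
  }
  $out
}

Get-DnsSettingReport | Format-Table Adapter, Dns, Static, Dhcp, Flags -AutoSize
```

Read the output two ways. A DHCP adapter with a non-empty Static value is the classic host-side change; clearing the NameServer value (or re-enabling "Obtain DNS server address automatically" in the adapter properties) removes it, and if it is back after a reboot the thing writing it is still running and belongs in the autostart check above. If Static is empty but the Dhcp value itself is on the watch list, the change is upstream: the DHCP server, normally the home router, is handing out the bad resolvers, and no amount of scanning the PC will fix that.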

  • kierkegaard

    Does EzPcFix work on Vista?

  • xion

    The avira popup can be disabled….

  • Emperor Darius

    I see you’re still using Spyware doctor :P
    Anyway, Dr.Web released a bootable CD, you may want to take a look: http://news.drweb.com/show/?i=133&c=5

  • vkotzath

    Hey Matt. Could you make a video tutorial on how to use GMER? I’ve used it and it’s rather complicated sometimes…

  • Bob

    Couldn't disagree more. Typical, by-the-book approach which indicates an understanding of which tools are good to use, but little understanding of malware itself, or the various technologies & concepts which power the tools.

    1.) The notion that 1 rootkit scanner will do the job in most cases is absurd and shows complete lack of understanding. First, there are different antirootkit technologies, and neither is ‘best’. Second, there are many utilities based on the different categories, and more often than not…. if you're dealing with anything more than a simplistic rootkit, running a single scan is hardly sufficient at all. Do some research into the area, and you'll start finding example after example where only 1 out of 5-6 of the best antirootkit programs were able to detect it.

    Because of that, running a rootkit scan from the start is pretty backwards, both from a time-efficiency standpoint, and a thoroughness standpoint. The former, because if your goal is to detect any rootkits, you're going to need to run at least 2-3 to be even kind of thorough.

    2.) There is a common perspective among techs that running automated, general purpose scans is sufficient for most everything, as long as you use the “good programs”. Nothing could be further from the truth.

    Viruses which are for the most part invisible to signature-based scanners, such as polymorphics, are all too common. If you rely solely on scanners, your only indications will be blatant symptoms — a poor way to go if the virus is designed to stay as undetected as possible! Malware that drops a randomized payload is increasingly prevalent, and common infections like Vundo aren't going to be scathed by your typical antivirus and anti-spyware….. and more often than not, even Malwarebytes.

    Bottom line: Calling a malware removal procedure good without including at least some sort of manual scan which enumerates the registry keys of common hijack points, is like calling an airport security system which relies solely on facial recognition of known badguys, a sufficient one.

    3.) Get familiar with the online malware communities based around sites like bleepingcomputer, malwareremoval.com, whatthetech/tom coyote…. and what do you find?

    A huge portion of the 10000s of people that have come for help are people who are still infected after running all the programs you listed… and then some.

    On paper, running a battery of a good antivirus + antispyware + malwarebytes + maybe antiadware, takes care of pretty much everything as long as there’s no rootkit…. with a few exceptions here and there.

    In practice, the reality is much different.

    The people who come to our forums come because they have symptoms — from malware which wasn't removed by the 1-2-3 cookie-cutter approach that you mentioned. The keyword being that they had symptoms. The most dangerous malware is designed to avoid causing symptoms as much as possible — backdoors, keyloggers, and some polymorphic viruses.

    How many people think they are clean because they have no symptoms, and because the computer guy told them that they scanned for malware & that it got everything? I’d say if a randomized study was done, of a large test group, by people who ACTUALLY know what they are doing, the results would probably be frightening!

    Answer me this: If you take some logs, or looked at some dumps, and find some clues pointing to a rootkit using kernel-mode hooking, what would be the basic strategy? Reformat isn't always a viable option, especially with businesses!

  • malwarekilla

    @Bob – ….uhhhh….maybe you missed the post date on this, it’s waaayyyyy old. I use a bootable anti-malware disc that cleans rootkits 100% every time…lol…before you write a book you might wanna read some of the latest posts, not ones from 2008…moron…

  • Daniel Barras

    7. Install SuperAntiSpyware (I wish I could install in safe mode, however they use the windows install which doesn’t work in safe mode). Install. Update. Quick Scan. Remove. Reboot.

    You can use the http://www.superantispyware.com/portablescanner.html portable scanner which is updated everyday and you can run it directly from a USB in safe mode etc.
