
Efficient and effective procedure to clean a severely infected PC



:hello:

I would like to pose a few questions to all the savvy techies who frequent the forum.

I work for an IT consulting firm that also provides support. Lately we have been getting in a lot of 'sick :puke:' PCs. Most recently a PC came in with a severe infestation. One of my new coworkers had a difficult time dealing with it, partly because he was doing trial and error off of instinct without a procedure to follow and thus taking a whopping three days to complete from the time the PC arrived until it was finally clean. Of course this did not go over well and made me realize we need to solidify a proper procedure to follow.

I am conceptualizing an in-house solution to treat a patient HD hooked up via a USB SATA / IDE adapter. Of course this poses a few issues regarding some software being ultimately designed to run in the native environment. Although I have worked that out in all the jibba jabber below, if you do care to look over my mess of a thought process then feel free.

Ok, basically I want to decrease the turnaround time on these PCs drastically. What do I need: a procedure – check, main time hog: scans – decrease this by using a pre-configured [proper utilities installed / up to date] system with plenty of resources may work to alleviate this issue, point CCleaner manually to include the directories of the patient hard drive incurring a run through of the host directories as well but due to the speed and efficiency of the app shouldn’t be a big deal, manually configure Ad-aware and Spybot to scan on the patient HD [requires upgraded / paid Ad-aware], of course this is simple with AV programs and most internet scanners except for ESET’s off the top of my head. *note: most internet scanners require IE but to use Firefox just grab the IEtab add-on and add the domains to the site filter in options (Nice!). Now the running of a registry cleaner and Hijackthis is a different story (maybe I can contact the developers to include an option to specify the system directory in an advanced setting). Otherwise just run them natively through the patient OS. Updates will have to be done on the patient OS.

Any thoughts, suggestions, or criticisms? Please back up criticisms with some relevant information or don’t bother.

============================================================================

Stream of consciousness: thought process that led to the above, read at your leisure or not at all.

I've visited and read Tarun's guide [Anti-Malware and Cleaning pinned at top] along with the forum postings at Lunarsoft.net amongst others. It seems to me there should be a wealth of these types of guides yet there is not for some reason. [Not to say everyone is clueless about preventative measures] I found his guide to be of high interest because basically he has already done what I set forth to accomplish. :thumbup: Currently, I am in the process of developing a streamlined procedure (that is both effective and efficient) to clean severely infected client systems. Although I do have a few reservations about his guide along with different opinions of my own, for the most part it employs most of the software I have been using for years with the exception of some others.

Assuming my procedure is similar to that of Tarun's, I would like to remedy a few insufficiencies but not at the cost of effectiveness. So here goes, I'm just going to spill my brain -- so bear with me, hopefully we can sort it out after.

Say for example we follow the guidelines laid forth by Tarun which is directly applicable to all the single users who visit this forum. I would like to switch gears and pose a method to use being that of a service oriented in a business environment dealing with many infected PCs on a somewhat regular basis. I know, apparently some of these companies are not instituting proper prevention.

I would like to pose a few questions that hopefully garner helpful feedback.

Each PC that comes in to be disinfected / cured would require time to set up with the correct software. Also, there is the legal issue concerning the licensing since it is being used in a business environment, as well as sending back the PC to the client with a bunch of 'foreign software' and waiting to field their telephone calls.

I originally thought off the top of my head to set up a single PC in house with the proper software to aid in our efforts to continually handle client PCs, although issues arise with standard cleaning software that essentially is designed for the host machine running it. Then I thought of a Bart PE'd disk coupled with a flash drive containing configurations and maybe some updates [not sure if it is possible, used Linux live CDs in this fashion]. So maybe a hybrid solution would work. One of the two methods mentioned and then doing direct work within the patient PC's live environment will suffice in increasing the speed of the time consuming scans. I do realize that older hard drives at 5400 rpm will somewhat thwart the effort of trying to use a system with more resources to scan but yet should give speedier results than that of the infected machine for more than one reason. Of course Hijackthis is one of the apps needed to run natively and any reg-cleaner as well.

My main question with this approach [let alone all the other issues which I will hopefully address] is how would this affect detection of the hard to find / remove infections that use random file name generation and therefore require heuristics to be employed yet the infections are dormant and therefore undetectable? Maybe this approach is good in a sense that it will basically clean the easiest junk first [temp files, cache] then focus on the more difficult while in the native environment. My main problem is basically some of the older machines with severe infections and sizable file systems would still take way too long, not to mention incurring difficult infections that require special attention.

With CCleaner, you can point it to specified directories and it is quite a fast utility, so take into account that you will ultimately be scanning the host PC each time you do a patient HD hooked up via a USB SATA / IDE adapter. It might be a bit tricky to initially set up but with the aid of knowing the patient HD will default to the same drive letter each time one can set the directories once and forget about it. I figure doing a search for all temp directories as well as other known directories and then using PROCMON to analyze CCleaner's behavior should take care of the rest. Initially a bit of work but may be beneficial to others out there.

Then there is the question of the spyware scanners designed in mind to be run natively. Since I am in the process of conceptualizing a way to cut out some of the redundancy in performing system cleans I realize that it may not be feasible to eradicate any redundancies without creating extra tasks that would annihilate any time saved by alleviating some redundancy in the task at hand. *Ok, Ad-Aware upgraded to Plus or Pro versions can do a customized scan, not sure if that means how it scans or whether I can pick where it scans or both. Spybot can by default be set to scan specific directories by switching to advanced mode. Excellent, now I'm on to something.



Ok, basically I want to decrease the turnaround time on these PCs drastically. What do I need: a procedure – check, main time hog: scans – decrease this by using a pre-configured [proper utilities installed / up to date] system with plenty of resources may work to alleviate this issue, point CCleaner manually to include the directories of the patient hard drive incurring a run through of the host directories as well but due to the speed and efficiency of the app shouldn’t be a big deal, manually configure Ad-aware and Spybot to scan on the patient HD [requires upgraded / paid Ad-aware], of course this is simple with AV programs and most internet scanners except for ESET’s off the top of my head. *note: most internet scanners require IE but to use Firefox just grab the IEtab add-on and add the domains to the site filter in options (Nice!). Now the running of a registry cleaner and Hijackthis is a different story (maybe I can contact the developers to include an option to specify the system directory in an advanced setting). Otherwise just run them natively through the patient OS. Updates will have to be done on the patient OS.

Any thoughts, suggestions, or criticisms? Please back up criticisms with some relevant information or don’t bother.

Have you considered a batch file or making an AutoIt program to automate the process?

Stream of consciousness: thought process that led to the above, read at your leisure or not at all.

I've visited and read Tarun's guide [Anti-Malware and Cleaning pinned at top] along with the forum postings at Lunarsoft.net amongst others. It seems to me there should be a wealth of these types of guides yet there is not for some reason. [Not to say everyone is clueless about preventative measures] I found his guide to be of high interest because basically he has already done what I set forth to accomplish. :thumbup: Currently, I am in the process of developing a streamlined procedure (that is both effective and efficient) to clean severely infected client systems. Although I do have a few reservations about his guide along with different opinions of my own, for the most part it employs most of the software I have been using for years with the exception of some others.

Assuming my procedure is similar to that of Tarun's, I would like to remedy a few insufficiencies but not at the cost of effectiveness. So here goes, I'm just going to spill my brain -- so bear with me, hopefully we can sort it out after.

I'm always welcoming feedback for ways to improve the guide. I'd love to hear feedback and suggestions. :)

Say for example we follow the guidelines laid forth by Tarun which is directly applicable to all the single users who visit this forum. I would like to switch gears and pose a method to use being that of a service oriented in a business environment dealing with many infected PCs on a somewhat regular basis. I know, apparently some of these companies are not instituting proper prevention.

IESpyAds (for HKCU and HKLM) and OpenDNS would be a wonderful pair to stop them. OpenDNS would allow you to protect the entire network in the safest way possible.

Each PC that comes in to be disinfected / cured would require time to set up with the correct software. Also, there is the legal issue concerning the licensing since it is being used in a business environment, as well as sending back the PC to the client with a bunch of 'foreign software' and waiting to field their telephone calls.

I originally thought off the top of my head to set up a single PC in house with the proper software to aid in our efforts to continually handle client PCs, although issues arise with standard cleaning software that essentially is designed for the host machine running it. Then I thought of a Bart PE'd disk coupled with a flash drive containing configurations and maybe some updates [not sure if it is possible, used Linux live CDs in this fashion]. So maybe a hybrid solution would work. One of the two methods mentioned and then doing direct work within the patient PC's live environment will suffice in increasing the speed of the time consuming scans. I do realize that older hard drives at 5400 rpm will somewhat thwart the effort of trying to use a system with more resources to scan but yet should give speedier results than that of the infected machine for more than one reason. Of course Hijackthis is one of the apps needed to run natively and any reg-cleaner as well.

If you develop an AutoIt script to install and scan with these applications it may speed up the process. Alternatively, you could always program an application that handles that process. I've seen a few tech CDs that do this. With the reg cleaner, the most I'd use is CCleaner's Issues though I wouldn't make registry cleaning a requirement. Registry cleaners can do more harm than good, and I've seen CCleaner's Issues cleanup cause a few problems on some computers (mainly Windows 2000).

My main question with this approach [let alone all the other issues which I will hopefully address] is how would this affect detection of the hard to find / remove infections that use random file name generation and therefore require heuristics to be employed yet the infections are dormant and therefore undetectable? Maybe this approach is good in a sense that it will basically clean the easiest junk first [temp files, cache] then focus on the more difficult while in the native environment. My main problem is basically some of the older machines with severe infections and sizable file systems would still take way too long, not to mention incurring difficult infections that require special attention.

For files that have those random names, the best tool you can use is Malwarebytes AntiMalware. You should contact them explaining your situation and inquire about a site license or something similar. There is a batch file that detects the randomly named malware but Malwarebytes handles it better than a batch file.

With CCleaner, you can point it to specified directories and it is quite a fast utility, so take into account that you will ultimately be scanning the host PC each time you do a patient HD hooked up via a USB SATA / IDE adapter. It might be a bit tricky to initially set up but with the aid of knowing the patient HD will default to the same drive letter each time one can set the directories once and forget about it. I figure doing a search for all temp directories as well as other known directories and then using PROCMON to analyze CCleaner's behavior should take care of the rest. Initially a bit of work but may be beneficial to others out there.

CCleaner is unfortunately a program that would need to be installed and run on the user's machine. Mainly because it detects the environment variables like the temp folder paths for cleaning, as they can vary on some installs/machines. Same would go for the registry cleaner, it would have to be run from within that machine's OS.

Then there is the question of the spyware scanners designed in mind to be run natively. Since I am in the process of conceptualizing a way to cut out some of the redundancy in performing system cleans I realize that it may not be feasible to eradicate any redundancies without creating extra tasks that would annihilate any time saved by alleviating some redundancy in the task at hand. *Ok, Ad-Aware upgraded to Plus or Pro versions can do a customized scan, not sure if that means how it scans or whether I can pick where it scans or both. Spybot can by default be set to scan specific directories by switching to advanced mode. Excellent, now I'm on to something.

I'd pick Malwarebytes AntiMalware over Ad-Aware because of how well it detects randomly named malware and many more things. As for Spybot, I would use the /allhives switch to ensure everything is scanned. :)
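The two sticking points in the exchange above are that CCleaner resolves temp folders from the host's environment variables, and that HijackThis and the registry tools only see the host's registry when the patient drive is hung off a USB adapter. The following PowerShell script is an added example, not from this thread or from any of the tools named in it: it resolves the patient's temp folders from the on-disk profile layout instead of `%TEMP%`, and mounts the patient's offline SOFTWARE hive so the Run/RunOnce autorun entries can be reviewed from the clean host. It assumes an elevated session, that the patient drive is attached as the letter passed in `$PatientDrive`, and an XP ("Documents and Settings") or Vista/7 ("Users") profile layout; all function names and the `HKLM\PatientSoftware` mount point are hypothetical.

```powershell
# Added example: triage a patient drive offline from a clean host.
# Assumptions: elevated session (reg.exe load needs it), patient drive attached
# as $PatientDrive (e.g. "E:"), XP or Vista/7 profile layout. Hypothetical names.
param(
    [Parameter(Mandatory = $true)][string]$PatientDrive,   # e.g. "E:"
    [switch]$WhatIf                                        # report only, delete nothing
)

$PatientDrive = $PatientDrive.TrimEnd('\')
# Safety check: the host is always visible to these tools, so refuse to treat
# the host's own system drive as the patient.
if ($PatientDrive -ieq $env:SystemDrive) {
    throw "Refusing to run against the host system drive $env:SystemDrive"
}

function Get-PatientTempPaths {
    param([string]$Root)
    # Temp folders are derived from the patient's directory layout, not from
    # the host's %TEMP%; both the XP and the Vista/7 layouts are covered.
    $candidates = @(
        "$Root\Windows\Temp",
        "$Root\Documents and Settings\*\Local Settings\Temp",
        "$Root\Documents and Settings\*\Local Settings\Temporary Internet Files",
        "$Root\Users\*\AppData\Local\Temp",
        "$Root\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files"
    )
    foreach ($pattern in $candidates) {
        Resolve-Path -Path $pattern -ErrorAction SilentlyContinue |
            ForEach-Object { $_.ProviderPath }
    }
}

function Clear-PatientTemp {
    param([string]$Root, [switch]$WhatIf)
    foreach ($dir in Get-PatientTempPaths -Root $Root) {
        $files = Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue
        $mb = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 1)
        Write-Host ("{0,8} MB  {1}" -f $mb, $dir)
        if (-not $WhatIf) {
            $files | Remove-Item -Force -ErrorAction SilentlyContinue
        }
    }
}

function Get-PatientRunEntries {
    param([string]$Root)
    # Mount the patient's SOFTWARE hive under a temporary key so the host's
    # registry cmdlets read the patient's autoruns rather than the host's own.
    $hive  = "$Root\Windows\System32\config\SOFTWARE"
    $mount = "HKLM\PatientSoftware"
    & reg.exe load $mount $hive | Out-Null
    try {
        foreach ($key in @("Microsoft\Windows\CurrentVersion\Run",
                           "Microsoft\Windows\CurrentVersion\RunOnce")) {
            $path = "Registry::$mount\$key"
            if (Test-Path $path) {
                Get-ItemProperty -Path $path |
                    Select-Object -Property * -ExcludeProperty PS* |
                    ForEach-Object { $_.PSObject.Properties } |
                    ForEach-Object {
                        [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
                    }
            }
        }
    } finally {
        # Always unload, otherwise the patient drive cannot be detached cleanly.
        & reg.exe unload $mount | Out-Null
    }
}

Clear-PatientTemp -Root $PatientDrive -WhatIf:$WhatIf
Get-PatientRunEntries -Root $PatientDrive | Format-Table -AutoSize
```

Per-user HKCU Run entries live in each profile's NTUSER.DAT and would need the same `reg.exe load` treatment per hive; run with `-WhatIf` first to review sizes before anything is deleted.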


Have you considered a batch file or making an AutoIt program to automate the process?

Actually, I have not, but am familiar with AutoIt because of nLite, which I recall that you are not fond of; I would be interested in discussing that at a later time and date. But I will let you know if and when I decide to go that route. For the most part, once I develop a procedure that works satisfactorily for me I will be sure to apprise you of the results.

If you develop an AutoIt script to install and scan with these applications it may speed up the process. Alternatively, you could always program an application that handles that process. I've seen a few tech CDs that do this. With the reg cleaner, the most I'd use is CCleaner's Issues though I wouldn't make registry cleaning a requirement. Registry cleaners can do more harm than good, and I've seen CCleaner's Issues cleanup cause a few problems on some computers (mainly Windows 2000).

I still like the idea of having an in-house PC to handle the scanning for a couple of reasons: limit the amount of software we install on client PCs, as I do believe it should be removed at the end of the procedure, and the ability to use the desktop AV scanner of my choice rather than the preinstalled McAfee which I loathe. As far as internet AV scanners go, they require downloading of the scanning engine as well as definition updates. This might not be such an issue but surprisingly the connection we have at work is quite meager. I would also really like to see how much it would speed up general scanning although I do realize that a constraint would be the hard drive speed, mostly that of 5400s. I don't really expect to see too many of them.

Well, being relegated to use the CCleaner and the registry tool in the native OS isn't that big of a deal I suppose. Good point with the environment variables, I should have realized that myself.

I have experienced CCleaner breaking a PC. Before I noticed the added functionality I used and still use JV16's Registry Cleaner from the suite personally. We have to get a license at work for it if I decide to keep that as part of the procedure. Most of the PCs that come in have a multitude of garbage that has been installed and uninstalled; e.g. toolbars, chat programs, etc. I believe a registry cleaning would be beneficial; I have yet to mess up a machine with JV16's registry cleaner.

I also defrag the client's hard drive with an excellent standalone utility by Jeroen Kessels [JKdefrag]. I carry it on my thumb drive. It is a command line utility but there are a few different GUIs provided by others if one does not wish to use the CLI. The utility provides a nice feature that optimizes the registry rather quickly. I imagine you might think this to be superfluous as well. In my eyes though, the client will receive their PC back not only free of issues but in an optimized state which is noticeably improved.

As far as the automation by way of programming / scripting out the activities, that's something I will have to look into as I am more familiar in that respect on a Linux platform. Although PowerShell might be ideal; finally Microsoft made an effort to give us a little more power over the Windows OS. Still they do not provide much documentation at the lower level API, obviously for security reasons or that of intellectual property.

Thanks for the tip on Malwarebytes, I actually was doing some searching around and found that program but was somewhat skeptical and needed to check into it a little bit. I then saw mention of it over at LunarSoft. Today I will try and spend some time familiarizing myself with it. Appreciate the /allhives switch tip on Spybot.

Eventually, I will present information about the procedure I ultimately employ. Getting a framework together is most important and from there hone it down and polish it up. Once I am satisfied, then I will spend time finding the best way to automate the procedure.

Thanks a bunch Tarun :)


This has been pretty much what my job entailed during the past four years, so I'll chime in with how we did it.

We would first pull the hard drive from any machine that came in the office and attach it to a known-clean machine via a USB adapter with the appropriate PATA/SATA/laptop connector.

We would scan that drive with our current AV of choice. Then we would do scans with Ad-Aware and usually some second spyware removal type of app.

Before we pulled the drive from the USB, we would copy over the utilities we knew we would be using to further clean up the system once it was booted up. We normally took a quick manual look around the directory structure to see if there was anything overtly obvious to delete.

Usually the first step upon bootup would be to run HijackThis and do a reboot. At that point the machine was normally stable enough to run through scans with any number of tools -- over the years we have used Spyware Doctor, Spyware Xterminator, Doctor Spyware Cleaner, AdAware, Spybot Search and Destroy, Spyware Blaster, Registry Mechanic, Super Anti-Spyware ... etc.

We always used AdAware, Spybot Search and Destroy and Spyware Blaster. The last two would leave their "immunizations" behind and it seemed to help with our clients.

After our spyware related scans we would throw software updates at the machine to bring it up to our current patch level. This usually meant "throw everything at it you can!"

Before the machine would leave the office we did a full AV scan using whatever software the client had, or whatever software we had added because they had none.

It was standard practice in all of this to run applications and do a bit of surfing to make sure the machine "seemed to be right" and figure out if it "felt like it was running like it was supposed to".

The scans and the MS updates took all our time. My boss always wanted the updates downloaded from the MS Update site rather than any automated means. This took time but did allow us to monitor the system to see if it was working properly. The only other slow-down would be if we were working on an old slow system. Given relatively up-to-date hardware, the procedure (my boss insisted upon calling it a Code 11) would normally take up to 4-6 hours for everything.

Jim


Thanks for the input Jim.

Eventually, I'd like to get the number of applications down to a minimum.

Just used MalwareBytes today and am so far impressed. There was a machine being worked on with a SmitFraud infection and the desktop AV, online AV, and Spybot failed to do anything about it. Right after grabbing the fix utility for the tech I remembered about trying MalwareBytes and it took care of the issue.


I have an easy solution: backup data, reload system. Works every time.

Ideally IcemanND that would be the solution. The problem with most of our clients is they do not image their PCs or have any type of backup solution except for the data they maintain on their servers.

I would like to be able to target the issue and resolve it rather than circumvent it.


Well, you're not treating the issue, rather you're fixing the symptom. The user's behavior and habits that got the system that way in the first place are the issue. But I digress....sigh.

I worked in a service center for a university for eight years and it is far faster, and you don't have the system return because you missed something, when you reload it. We would back up the user's data to our own server, wipe the system and then reload it, and restore their data. Over the years we collected copies of each manufacturer's OEM XP CDs so we could use those for reloading the systems.

If you are talking corporate users then I would hope the company would be maintaining their software titles somehow for reloading when necessary.


Ultimately you are correct. We do not have much control over that though; yeah, I would like to implement something along the lines of Altiris, which was employed at my University. Any changes made to the system would be discarded and essentially rolled back to the initial configuration.

I am not looking to solve the root cause. What I am investigating really is a way to clean an infected PC that is presented to me without any care to how or why it happened. If, based on this discussion thread and our continued efforts at work, this proves unsatisfactory, whether in turnaround time or even just the success of the procedure, I venture to guess I will be developing a procedure for techs to just: backup, reinstall, and reconfigure.

Also, please keep in mind that not every PC will be that bad. I just want to develop a procedure to employ for any PC that comes to be serviced. This procedure will consist of checking for and removing malware, maintenance, updates, and optimization. This is what I am striving to achieve and hopefully find a way to automate most of it.
