Top to bottom troubleshooting: Part 2

In this post I will be going over the main methods that I use to remove infections from Windows based computers.  This is another best-case approach, the kind that works on 9/10 machines I see, so it covers the majority of the common infection issues users are likely to run into.

I like to start at the lowest level I can when troubleshooting these types of issues and work my way up, using a similar approach to how I troubleshoot hardware problems.  That way it is much more difficult to miss things.  If you skip over issues, you almost always have inconveniences down the road.  That is especially true when there are rootkit infections present.

As much as we’d like to say that rootkits are on their way out with the adoption of 64-bit operating systems, we are finding time and again that this simply is not true.  Malware creators are finding creative ways to bypass the 64-bit security mechanisms, so it is important to check for their presence lest you get burnt later on.

Note: I almost always run these tools in safe mode first.  I know there are user level rootkits and the argument can be made to clean in normal mode, but for me, cleaning in safe mode gives a much better idea of what to look for and where to look for it.

Infection Removal

Probably the best all-around tool for infection removal out there is a handy piece of software called ComboFix by sUBs.  It is always the first thing I run and is the heavy hitter of my removal tools.  This tool has rootkit detection built into it, so it will alert you if it detects suspicious activity (this is actually the first thing to inspect for, but we will get to it in a bit).  I don’t know how many times this tool has saved me an excessive amount of time and effort.  It is pretty much automatic: download it, make sure it is up to date and then let it do its thing.  It spits out a log file when it is finished, giving clues to what exactly it was able to remove.

If ComboFix detects the presence of a rootkit and says it has successfully removed said rootkit, be sure to double check with another, different scanner to be sure.  ComboFix is good at what it does but it is not designed to remove some of the more advanced rootkits, so be sure to be thorough in your removal process.

Rootkit Inspection

There are a few really handy tools when dealing with rootkits, making your life easier when removing these bastards.  The first is a nice little program called TDSSKiller, which can detect and remove a variety of different rootkits.  It runs a quick scan for a number of well known rootkits and attempts to remove them, afterwards producing a log file for later analysis.  If the program is unable to remove the rootkit(s) it will at least give you clues about where to look with the more advanced tools mentioned in this section.

The one I always find myself coming back to when a machine is hosed is called GMER.  This tool will give you a quick way to detect the presence of rootkits when you fire it up.  If it detects rootkit activity it will usually tell you and list the items in red within the Rootkit/Malware tab of the program.  There are many advanced features and uses for this program which I may cover in other posts, but they are out of scope for this topic.

Another solid rootkit scanner I have had success with is RootRepeal.  If I am suspicious of rootkits after I have done a basic analysis with GMER I will usually run a full scan with RootRepeal, mainly because the scan doesn’t take nearly as long as the full scan in GMER.

Temp File Cleaning

Once we have cleaned out rootkits, it is a good idea to clean out temporary files.  Infections are commonly hidden inside temp files and folders, so be sure to check them just in case.  Another good reason to clean out temp files at this point is that it actually speeds up the malware scanning that follows, since these potentially malicious files and folders will have been cleaned already.  At the very least, temp file cleaning helps to improve the performance of the computer and free up space if there is an ungodly amount of temp files (believe me, I have seen some crazy %&#$).  I have had the best results with TFC by OldTimer for this type of thing.  It is fast and powerful.
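TFC does the emptying for you, but it helps to know what was sitting in those folders before they are wiped, because that is the evidence a later scanner log will refer back to. The script below is an added example and is not code from the original post or from TFC/OldTimer: it walks the usual temp locations, records every executable-looking file (by extension, or by the two-byte PE "MZ" header so a renamed binary such as foo.tmp is still caught) to a CSV with its SHA-256, and only deletes when you pass -Remove. The directory list, the extension list and the report path are my own choices; it assumes Windows PowerShell 4 or later (for Get-FileHash) and an elevated prompt so the system temp folder is readable.

```powershell
<#
  Added example, not code from the original post or from TFC/OldTimer.
  Triage the standard temp locations, write executable-looking files to a CSV
  with their SHA-256, then (only with -Remove) empty the folders.
  Directory list, extension list and report path are assumptions of this example.
#>
param(
    [switch]$Remove,
    [string]$ReportPath = "$env:USERPROFILE\Desktop\temp-triage.csv"
)

# Per-user and system temp locations; any that do not exist on this machine are skipped.
$tempDirs = @(
    "$env:TEMP",
    "$env:SystemRoot\Temp",
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Extensions that are normally code rather than cached data.
$codeExt = '.exe', '.dll', '.scr', '.com', '.pif', '.sys', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta'

function Test-PeHeader {
    # True when the file starts with the 'MZ' signature that every Windows PE file carries.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            return (($fs.Read($buf, 0, 2) -eq 2) -and ($buf[0] -eq 0x4D) -and ($buf[1] -eq 0x5A))
        } finally { $fs.Dispose() }
    } catch { return $false }   # locked or unreadable: not classed as PE, still counted by size below
}

$files = foreach ($dir in $tempDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue
}

# One record per executable-looking file, hashed so the log can be checked against scanner output later.
$suspects = foreach ($f in $files) {
    $reason = $null
    if ($codeExt -contains $f.Extension.ToLower()) { $reason = 'code extension' }
    elseif (Test-PeHeader $f.FullName)             { $reason = 'PE header' }
    if ($reason) {
        [pscustomobject]@{
            Path          = $f.FullName
            Bytes         = $f.Length
            LastWriteTime = $f.LastWriteTime
            Reason        = $reason
            Sha256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }
}

$totalMB = 0
if ($files)    { $totalMB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1MB), 1) }
if ($suspects) { $suspects | Export-Csv -LiteralPath $ReportPath -NoTypeInformation }
Write-Host ("{0} files ({1} MB) under temp locations, {2} executable-looking; report at {3}" -f @($files).Count, $totalMB, @($suspects).Count, $ReportPath)

if ($Remove) {
    foreach ($dir in $tempDirs) {
        # Files held open by a running program fail to delete and are skipped rather than aborting the run.
        Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```

Run it once without -Remove, look over the CSV (a fresh .exe in %TEMP% with a last-write time matching when the trouble started is worth keeping a copy of for the next scanner), then run it again with -Remove or hand the deletion over to TFC.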

Virus Cleaning

We’re almost done, so bear with me.  The final step in the process is to clean up all the loose ends left behind from the removal process.  Usually there are bad registry keys, trojan remnants or other leftovers that still linger after the main cleaning pass has been run.
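The commonest registry leftover is an autostart value that still points at a dropper the earlier tools already deleted, or at something launching out of a temp or AppData folder. The script below is an added example, not code from the original post or from any of the tools it names; it lists the Run/RunOnce entries for the machine and the current user and flags those two patterns for review. It removes nothing. The key list, the list of user-writable roots and the flagging rules are my own choices.

```powershell
<#
  Added example, not code from the original post or from the tools it names.
  Lists Run/RunOnce autostart entries and flags (a) entries whose target file is
  gone and (b) entries launching from a user-writable location. Review-only.
  Key list, writable-root list and flagging rules are assumptions of this example.
#>
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a legitimate autostart entry rarely launches from.
$writableRoots = @($env:TEMP, "$env:SystemRoot\Temp", $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Properties Get-ItemProperty adds that are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandTarget {
    # Pull the program path out of a Run value: "quoted path" args, or an unquoted path with
    # spaces followed by args. Bare names such as rundll32.exe are resolved through PATH.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $target = $null
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $target = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $parts = $cmd -split ' '
        for ($i = 0; ($i -lt $parts.Count) -and (-not $target); $i++) {
            $candidate = $parts[0..$i] -join ' '
            if ($candidate -match '\.(exe|com|bat|cmd|scr|vbs|js|dll|ps1|hta)$') { $target = $candidate }
        }
        if (-not $target) { $target = $parts[0] }
    }
    if ($target -and -not [IO.Path]::IsPathRooted($target)) {
        $app = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $target = $app.Path }
    }
    return $target
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $target = Get-CommandTarget ([string]$prop.Value)
        $flags = @()
        if ([string]::IsNullOrWhiteSpace($target) -or -not (Test-Path -LiteralPath $target)) {
            $flags += 'target missing'          # key survived, file did not: a classic leftover
        }
        foreach ($root in $writableRoots) {
            if ($target -and $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += "runs from $root"; break
            }
        }
        [pscustomobject]@{
            Key     = $key
            Name    = $prop.Name
            Command = [string]$prop.Value
            Target  = $target
            Flags   = ($flags -join '; ')
        }
    }
}

# Flagged entries first; the rest are listed so nothing is hidden from the reviewer.
$findings | Sort-Object { [string]::IsNullOrEmpty($_.Flags) } | Format-Table Name, Flags, Target, Key -AutoSize -Wrap
```

A "target missing" entry is usually safe to delete once you have confirmed the named file really is gone; a "runs from" entry deserves a look at the file itself (and a hash lookup) before deciding, since some legitimate updaters do live in AppData.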

At this stage there are a couple of handy tools.  The first is the Malwarebytes free scanner.  This is another essential tool that I use on nearly every infection I work on.  If I believe a machine has been cleaned up enough at this point I will run a quick scan, and if no malware traces are found I will call it a day.  If the quick scan reveals traces, I will remove them, reboot the machine and run a full scan to search for further traces.

Another good second-opinion scanner is Hitman Pro, a free cloud-based scanner that does an excellent job of analyzing leftover malware traces.

Once these scans are clean all we need to do is put reliable anti-virus software on the computer and call it a day.  This however can be tricky.  Without starting a holy war here, I have to say I have had luck recently with Microsoft Security Essentials (which is free for up to 8 licenses or something).  I’ve heard good things about the full paid version of Malwarebytes for real time protection, as well as Kaspersky, NOD32 and Avira anti-virus products.  The reason I have been recommending MSE is its light installation, low background noise, the fact that it is free and its decent detection rates (flame me if you must).

As a side note, one thing I will say with full certainty though is that I absolutely abhor Symantec Anti-anything as well as McAfee-anything.  There are programs designed specifically to remove them because they are so bad.  They are expensive in memory and CPU overhead, take up tons of space and get in the way of everything a user does.

Conclusion

There are a ton of viruses and malware out there which are continually evolving and expanding into new areas.  Likewise, there are a ton of tools out there to combat the bad guys.  Some of these tools are better than others, but generally speaking the combination of tools I have outlined here will combat the majority of malicious code out there targeted towards the average user.  These tools have kept up with the malware writers and while they don’t offer a perfect solution they do a pretty good job.

So to reiterate, here is the general order of my cleaning process:

  • ComboFix
    • TDSSKiller
    • GMER
    • RootRepeal
  • TFC
  • Malwarebytes
  • Hitman Pro
  • Microsoft Security Essentials (virus protection)

Josh Reichardt

Josh is the creator of this blog, a system administrator and a contributor to other technology communities such as /r/sysadmin and Ops School. You can also find him on Twitter and Facebook.