What should I know to do basic malware removal/tune up tech support?


9 replies to this topic

#1 TheJBizz

  • Members
  • 33 posts

Posted 01 July 2014 - 12:58 AM

Hey everybody,

 

So because I've assembled my own computer, friends and family have lately been trusting me to help out with their computer trouble, which is usually malware and speed issues. I really like being able to help, but I'm still very much a novice at this stuff, so I pretty much check around Bleeping Computer and whatever I can find online to figure out what's going on. I follow http://malwaretips.com/blogs/malware-removal-guide-for-windows/ to the letter, which more or less involves running the usual scans like MalwareBytes and ADW Cleaner in safe mode. I also have been using MSCONFIG alongside Bleeping's database of startup programs to try and speed up their boot, along with defragging their drives and replacing their antiviruses like Norton and McAfee with Avast. I've had some success so far -- I was able to completely clean a neighbor's computer that was full of serious malware that was keeping him from even logging in -- but I'd like to feel confident that I have a consistent system to do rudimentary tech support stuff like this.

 

What should I do and know?





#2 1PW

  • Members
  • 316 posts
  • Gender:Male
  • Location:North of the 38th parallel.

Posted 01 July 2014 - 09:01 AM

Hello TheJBizz:

 

If you intend to make malware removal a full-time career, this forum's training program is amongst the best anywhere. Following the threads of others while their computers are undergoing a clean-up may show you proper sequential methodology rather than using random shotgun techniques of doing whatever it was you did the last time. Are you aware of the passive diagnostic applications on this forum?

 

BTW - Neither Xplodes' AdwCleaner nor Malwarebytes Anti-Malware are intended to be used in the safe mode unless all else has failed. Of course that re-establishes the need for proper procedures. Although unmentioned above, I would close with a caution against using sUBs' ComboFix without proper supervision.

 

When all else fails, this forum's quiteman7 will always direct you to the right path.


All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#3 TheJBizz (Topic Starter)

  • Members
  • 33 posts

Posted 01 July 2014 - 10:17 AM

I am not aware, no.

 

I've definitely been warned about using ComboFix, so I haven't messed with it. What's the problem with running MBAM or ADWC in safe mode?

 

Thanks for your help!



#4 1PW

  • Members
  • 316 posts
  • Gender:Male
  • Location:North of the 38th parallel.

Posted 01 July 2014 - 12:50 PM

As you would probably pick up with long observation, not all services, drivers, wedges, shims etc. are being brought to bear on potential threats that already may be persistently system resident.

 

As an isolated and single example, and only in the case of Malwarebytes Anti-Malware, MBAM Chameleon would not be properly detecting rootkits, which is one of the most important and major features of the application. I will not go further.

 

Your procedures need to be arranged such that if remediation tasks, in Windows normal mode, are thwarted from their goal, a more appropriate and different tool(s) or technique(s) should likely have preceded it.

 

Are you returning underserved computers to their owners with undiscovered bots resuming their dutiful and silent reports of usernames, passwords, financial disclosures, ad nauseam? i.e. is all malware truly neutralized?

 

Please do not allow the above to discourage your efforts to begin a proper course of study. Many may have started just as you are now.




#5 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,608 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 July 2014 - 01:17 PM

I find Malwaretips.com removal guides to be thorough in most cases but generally find the recommendation to scan with HitmanPro afterwards as overkill. BTW, BleepingComputer also has removal guides. An updated searchable list of the newest rogues (and how to remove them) can be found in the Spyware And Malware Removal Guides Index or the Virus, Spyware, & Malware Removal Guides which are listed in order of the most current threat. At the bottom of each page, there is a link to view Previous Entries.

Adding to what 1PW said...Safe Mode is a troubleshooting mode designed to start Windows with minimal drivers and running processes to diagnose problems with your computer. This means some of the programs that normally start when Windows starts will not run.

Why use safe mode? The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using safe mode reduces the number of modules requesting files to only the essentials which make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools. In many cases, performing your scans in safe mode speeds up the scanning process. Scanning in safe mode was a recommended course of action years ago before malware writers began to employ more sophisticated techniques to counter removal efforts in that mode.

Why not use safe mode? Some security tools like anti-rootkit scanners (ARKs) and programs with anti-rootkit technology use special drivers which are required for the scanning and removal process. These tools are designed to work in normal mode because the drivers will not load in safe mode which lessens the scan's effectiveness. Other security tools are optimized to run from normal mode where they are most effective. For example, Malwarebytes Anti-Malware is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection and removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of Malwarebytes.

Scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. If the malware is not related to a running process (i.e. malicious .dll) it probably will not make a difference performing a scan in normal or safe mode. A hidden piece of malware such as a rootkit which protects other malicious files and registry keys from deletion may not be detected in either mode without the use of special tools. Additionally, if the scanner you're using does not include definitions for the malware, then they may not detect or remove it regardless of what mode is used. Also keep in mind that there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible.

If learning about malware removal and how to use specialized fix tools like DDS, RSIT, OTL, ComboFix, FRST, GMER, etc. is something you are interested in, please read BleepingComputer's Malware Removal Training Program.

The above link explains how to apply and what is required. If there are no slots available, you will have to keep checking back at a later time. We are swamped with such requests and there are not enough instructors able to provide teaching so that limits the number of trainees we can accept.

Due to the self-paced structure of training and limited number of instructors here at BC, it is impossible to say with any accuracy when slots will open. New slots are opened up as our existing trainees complete the lower levels of study and move up toward more advanced levels. This is to prevent our volunteer staff being overwhelmed by an influx of new trainees. There is no notification system in place for when slots open so you need to keep checking back if BC Study Hall is the school you prefer to enroll in. The logistics and management of such a notification system and the fact we have a worldwide membership negate the potential effectiveness and fairness one would expect from it.

If you don't want to wait for an opening here at BleepingComputer, please be aware that training in malware removal is conducted at various other online Unite Schools to include:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
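An added check, not code from the thread or from any of the tools it names, that turns quietman7's two points into something to run on a Windows box before deciding which mode to scan in: it reports the current boot mode, verifies the SafeBoot registry keys that safe mode depends on are present and non-empty, and lists auto-loading kernel drivers that are not named in SafeBoot\Minimal and so would not be loaded during a safe-mode scan. Assumptions: PowerShell 3 or later run as Administrator; device-class GUID entries under SafeBoot are not resolved, so the driver list is an over-approximation to review by hand.

```powershell
# Added example, not code from the thread or from any tool it names.
# Reads the SafeBoot keys safe mode depends on and compares them with the
# installed kernel drivers. Assumes PowerShell 3+ run as Administrator.
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-BootMode {
    # Returns "Normal boot", "Fail-safe boot" or "Fail-safe with network boot"
    (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Test-SafeBootKeys {
    # Some infections delete or empty these keys to deny safe mode.
    # Returns the entry count per set; -1 means the key itself is missing.
    $result = @{}
    foreach ($set in 'Minimal', 'Network') {
        $key = Join-Path $SafeBootRoot $set
        $result[$set] = if (Test-Path $key) { @(Get-ChildItem $key).Count } else { -1 }
    }
    $result
}

function Get-DriversNotInSafeBoot {
    param([string]$Set = 'Minimal')
    $key = Join-Path $SafeBootRoot $Set
    if (-not (Test-Path $key)) { return @() }
    # Entries are subkeys named after a service or after a device-class GUID.
    # Assumption: only service-name entries are matched, so drivers that load
    # through a class GUID also appear; treat the output as a starting point.
    $byName = @(Get-ChildItem $key).PSChildName | Where-Object { $_ -notmatch '^\{' }
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } |
        Where-Object { $byName -notcontains $_.Name } |
        Select-Object Name, State, StartMode, PathName
}

"Boot mode: $(Get-BootMode)"
$counts = Test-SafeBootKeys
foreach ($set in $counts.Keys) {
    $n = $counts[$set]
    if ($n -lt 0)     { "SafeBoot\$set is MISSING: safe mode may not be bootable" }
    elseif ($n -eq 0) { "SafeBoot\$set is EMPTY: safe mode may not be bootable" }
    else              { "SafeBoot\$set has $n entries" }
}
"Auto-loading kernel drivers not named in SafeBoot\Minimal (not loaded in safe mode):"
Get-DriversNotInSafeBoot | Format-Table -AutoSize
```

A security product's filter or anti-rootkit driver showing up in that last list is the concrete reason its scan is weaker in safe mode; a missing or empty SafeBoot key is the concrete sign of the safeboot-keyset tampering mentioned above.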

#6 1PW

  • Members
  • 316 posts
  • Gender:Male
  • Location:North of the 38th parallel.

Posted 01 July 2014 - 02:39 PM

Our fellow member Metalica keeps our Malwarebytes Malware Removal Guides populated and up-to-date too. The catch with removal guides is you must have properly identified the malware before effectively using the correct guide. Does the same malware ever go by different names? Unfortunately - yes.

 

@TheJBizz: If you haven't already done so - start thinking in terms of prevention more, so that remediation is less.

 

And as always, your Bleepin' Janitor is spot on. I hope Lawrence has taken out a big term-life policy on you, qm7 :)




#7 TheJBizz (Topic Starter)

  • Members
  • 33 posts

Posted 01 July 2014 - 04:14 PM

I, of course, admit that I don't truly know if I've caught everything. In the case of what I brought up in my OP, the only thing I can say is that I also ran MBAM a couple times in normal mode along with an Avast scan after the whole Malwaretips.com shebang was done and they found nothing. Now that I know more about safe mode, I can try to not make that mistake again.

 

In terms of preventative care, I talk to the person and get their permission to install and register Avast and set up a weekly full scan. I myself have a weekly Avast scan and defrag along with an occasional MBAM, and browse the web using NoScript and AdBlock Pro.

 

The BC malware removal school is currently full, but I certainly will look into those other options. Being able to at least help with this kind of stuff is something I'd like to do, and 1PW has certainly put the fear in me that I might be a bigger harm than good.

 

Again, thank you both.


Edited by TheJBizz, 01 July 2014 - 04:15 PM.


#8 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,608 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 July 2014 - 07:45 PM

And as always, your Bleepin' Janitor is spot on. I hope Lawrence has taken out a big term-life policy on you, qm7 :)

So does my wife. :hysterical:

 

Again, thank you both.

You're welcome on behalf of the Bleeping Computer community.

#9 Guest_Kaosu_*

  • Guests

Posted 02 July 2014 - 12:13 AM

I think, there is no problem in it for use.

 

 

It is not wise to use a specialized tool unless you have the required knowledge to know when it is needed. You really don't want to go around using ComboFix unless you know what you're doing, because it can easily cause damage to the operating system if used improperly.


Edited by Kaosu, 02 July 2014 - 12:14 AM.


#10 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,608 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 July 2014 - 09:18 AM

It is not wise to use a specialized tool unless you have the required knowledge to know when it is needed. You really don't want to go around using ComboFix unless you know what you're doing, because it can easily cause damage to the operating system if used improperly.

That is correct and we have a pinned topic which specifically covers that: ComboFix usage, Questions, Help? - Look here

BTW, the posting of the OP (Fiza200) you quoted was automatically removed when he was flagged as a spammer.