Looking for "official" best practises on malware removal

thebigd · May 15, 2009

Hope I dont offend anyone with the subject title of this post. I firmly believe the best resources on the internet are websites just like this one and the people that communicate through these forums.

But for anyone else who works in a corporate setting I'm sure you understand how important accountability is.

What im looking for, are resources from credible sites (is, us-cert, microsoft, eset, etc) that specify a 'best practises' for malware removal. I'm looking specifically for something that mentions the value of scanning a system either in Safe Mode, or a PE environment. This is something I almost always do and have done for years. I have friends who basically make a living cleaning this crap out (guys who own Nerds On Site franchises, local shops etc) and there advice is the same.

Again the reason I ask, is you can't really point to forums or newsgroups because ultimately there really is no 'accountability' and its too easy for someone who doesnt know any better to totally discredit them as a legit resource.

Any help greatly appreciated.

TIA...

chaslang · May 17, 2009

The below is what we consider the best practice. If companies like McAfee and Symantec wrote up a procedure you would be using their tools and procedures to try and remove malware which they do not properly do. That is the reason this forum and others like it exist. Much of the malware that exists now requires special tools and frequently additional manual steps to fully remove. While scanning in safe mode is sometimes helpful and use a PE environment can also be useful in some cases, but they will very frequently not be as effective as the below and the manual steps that follow.

Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.

If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.

TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.

To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.

Click to expand...

thebigd · May 18, 2009

--------------------------------------------------------------------------------

The below is what we consider the best practice. If companies like McAfee and Symantec wrote up a procedure you would be using their tools and procedures to try and remove malware which they do not properly do. That is the reason this forum and others like it exist. Much of the malware that exists now requires special tools and frequently additional manual steps to fully remove. While scanning in safe mode is sometimes helpful and use a PE environment can also be useful in some cases, but they will very frequently not be as effective as the below and the manual steps that follow
Click to expand...

Thanks for the reply.

I am very aware of the procedure that is outlined on this site, and while I appreciate your effort, that's not really what I was looking for

And since no one else has responded, I think it's best to let this thread die, I can take this elsewhere.

Log in or Sign up

Looking for "official" best practises on malware removal

thebigd Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

thebigd Private E-2