Old 12-16-2011, 12:56 PM   #1
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
New Tools Needed After Cleaning Virus & Spyware

My typical method of cleaning an infected computer is to remove the HD and clean it using a clean computer by running scans with NOD32, MalwareBytes, and SuperAntiSpyware. This method has worked fine for the past few years.

Within the past several months I'm having many more computers that will not restart to Windows after I reinstall the "cleaned up" hard drive. That problem was often fixed by booting to the recovery console (XP) or using the recovery utility Command Prompt (Vista & Win7) in order to run chkdsk /f, and /fixboot, or /fixmbr.

HOWEVER, in recent weeks I'm finding that the above fixes don't work anymore and even though the hard drive is "cleaned", it won't start to Windows. So I'm wondering what other tools/utilities I need to resolve this particular problem, as well as all the other problems that often exist after a hard drive is "cleaned".

BTW: Today, I tried using the OTLPEstd utility on such a "cleaned" computer and upon booting to the CD, it resulted in a BSOD. http://oldtimer.geekstogo.com/OTLPEStd.exe

What other utilities are you guys using?

---pete---
Posted by Petef56
Old 12-16-2011, 01:28 PM   #2
Mondsreitersmann
 
Nuclear Krusader's Avatar
 
Join Date: Jul 1999
Location: Skingrad
Posts: 8,969
I follow exactly the same procedure, but haven't run into that problem.

What OS is in the bench machine you're using for scans?
__________________
Darum still, füg' ich mich, wie Gott es will. Nun, so will ich wacker streiten, und sollt' ich den Tod erleiden, stirbt ein braver Reitersmann.
Posted by Nuclear Krusader
Old 12-16-2011, 05:25 PM   #3
Moderator
Staff
Premium Member
 
jdeb's Avatar
 
Join Date: Nov 2008
Location: Detroit, MI
Posts: 5,221
I do not use all of those programs. I pretty much use Microsoft System Sweeper, MSE, and occasionally Malwarebytes. They work the majority of the time. When they don't I recover the machine.
Posted by jdeb
Old 12-16-2011, 05:33 PM   #4
Mondsreitersmann
 
Nuclear Krusader's Avatar
 
Join Date: Jul 1999
Location: Skingrad
Posts: 8,969
I've found System Sweeper to be rather flaky, sometimes it will just refuse to work/update.
Posted by Nuclear Krusader
Old 12-16-2011, 05:35 PM   #5
Moderator
Staff
Premium Member
 
jdeb's Avatar
 
Join Date: Nov 2008
Location: Detroit, MI
Posts: 5,221
Quote:
Originally Posted by Nuclear Krusader
I've found System Sweeper to be rather flaky, sometimes it will just refuse to work/update.
Right. I use a RW disc and burn a new one every couple of weeks.
Posted by jdeb
Old 12-16-2011, 05:36 PM   #6
Mondsreitersmann
 
Nuclear Krusader's Avatar
 
Join Date: Jul 1999
Location: Skingrad
Posts: 8,969
I see. I use a thumb drive, as I can't burn CDs that often.
Posted by Nuclear Krusader
Old 12-16-2011, 08:48 PM   #7
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
Quote:
Originally Posted by Nuclear Krusader
I follow exactly the same procedure, but haven't run into that problem.

What OS is in the bench machine you're using for scans?
I have Win XP on the bench machine and the infected computers that won't startup to Windows are typically XP, Vista, or Win7.

When NOD32 sometimes asks for me to choose whether to CLEAN or DELETE an infected item I always choose DELETE.

That's odd that you have not seen this problem. Is anyone else here having the same problem where Windows won't start up after the hard drive is removed, cleaned with another computer and then reinstalled?

---pete---
Posted by Petef56
Old 12-16-2011, 08:52 PM   #8
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
Quote:
Originally Posted by jdeb
I do not use all of those programs. I pretty much use Microsoft System Sweeper, MSE, and occasionally Malwarebytes. They work the majority of the time. When they don't I recover the machine.
6 months ago and earlier, I'd only need to recover about 5% of the time. In recent months it's more like 30% of the time. ---pete---
Posted by Petef56
Old 12-16-2011, 09:30 PM   #9
Moderator
Staff
Premium Member
 
jdeb's Avatar
 
Join Date: Nov 2008
Location: Detroit, MI
Posts: 5,221
Quote:
Originally Posted by Petef56
6 months ago and earlier, I'd only need to recover about 5% of the time. In recent months it's more like 30% of the time. ---pete---
That is about right. Maybe a little high. It is worse with 32-bit versions of Windows. I am about 20% on 32-bit and 5% or less on 64-bit. I could make it lower but I am not charging enough as it is. There is no money in it for sure. I make more doing builds and regular scheduled maintenance. I have some customers with some pretty old systems. MSE has been great for me. I replaced AVG on all my builds, or the majority, and life has been good.

Last edited by jdeb; 12-16-2011 at 09:33 PM.
Posted by jdeb
Old 12-16-2011, 11:50 PM   #10
Mondsreitersmann
 
Nuclear Krusader's Avatar
 
Join Date: Jul 1999
Location: Skingrad
Posts: 8,969
You're not using the chkdsk version of XP to fix problems on hard drives that have Vista/7 installed, are you?
Posted by Nuclear Krusader
Old 12-17-2011, 11:59 AM   #11
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
Quote:
Originally Posted by Nuclear Krusader
You're not using the chkdsk version of XP to fix problems on hard drives that have Vista/7 installed, are you?
No. I use the corresponding repair utility for Vista and Win7.

I wonder why jdeb and I are having this problem often and you are not seeing it all. Can you please describe your test pc?

Mine is a Dell Optiplex GX620 WinXP Pro and I have a USB v3 card and USB to SATA adapter by SIIG. I am also setup for removable hard drives using a SATA trayless adapter and an IDE drive tray.

On some of the newer customer computers hard drives I have to add a jumper to the hard drive to slow it down from 3GB/sec to 1.5GB/sec, otherwise it causes my XP test PC to hang. The same "hang" problem occurs if I use the USB connection or the corresponding SATA or IDE drive tray.

I'll have to pay closer attention in the future to see if I can find any patterns related to the drive interface I use or the need for jumpers. Up to now, I just assumed the problem was due to new techniques used by the "bad guys" who create the virus and spyware.

---pete---
Posted by Petef56
Old 12-17-2011, 12:09 PM   #12
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
Quote:
Originally Posted by jdeb
That is about right. Maybe a little high. It is worse with 32 bit versions of windows. I am about 20% on 32 bit and 5% or less on 64bit. I could make it lower but I am not charging enough as it is. There is no money in it for sure. I make more doing builds and regular scheduled maintenance. I have some customers with some pretty old systems. MSE has been great for me. I replaced AVG on all my builds or the majority and life has been good.
Thanks for the sanity check. Yeah, it's frustrating for sure. After spending all that time cleaning you really can't charge for the time lost once you do a reinstall of Windows.

I can't help but think that there is another way to repair the boot sector or startup files to get the "cleaned" hard drive to start to Windows.

BTW: I forgot to mention that I also use TDSS Killer on the infected hard drive when it's hooked up to my test computer for cleaning. But for the record, it has not found any rootkits in many recent weeks. TDSS Killer was very useful about 3 to 6 months ago.

---pete---
Posted by Petef56
Old 12-17-2011, 06:52 PM   #13
Moderator
Staff
Premium Member
 
jdeb's Avatar
 
Join Date: Nov 2008
Location: Detroit, MI
Posts: 5,221
Quote:
Originally Posted by Petef56
Thanks for the sanity check. Yeah, it's frustrating for sure. After spending all that time cleaning you really can't charge for the time lost once you do a reinstall of Windows.

I can't help but think that there is another way to repair the boot sector or startup files to get the "cleaned" hard drive to start to Windows.

BTW: I forgot to mention that I also use TDSS Killer on the infected hard drive when it's hooked up to my test computer for cleaning. But for the record, it has not found any rootkits in many recent weeks. TDSS Killer was very useful about 3 to 6 months ago.

---pete---
Yeah, I have an arsenal for rootkits as well. Nuke probably is more patient than us. I used to be that way but I have been so busy lately. I generally do not spend more than an hour on any virus repair. I recover when I can. I have a lot of images to work with, which saves a lot of time. Re-installing applications can be a pain. I do not have any real issues with the repairing of the MBR. The 32-bit OS is the one that gives the most headache. Matter of fact, I cannot recall the last time one of my regular customers came in with a virus-infected PC. I've never had one Linux build customer ever come in, and I use ClamAV on theirs.

Last edited by jdeb; 12-17-2011 at 07:01 PM.
Posted by jdeb
Old 12-17-2011, 10:38 PM   #14
Barefoot on the Moon!
Staff
Premium Member
 
Force Flow's Avatar
 
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,802
Here's the general procedure I've been using over the past few months:
  1. malwarebytes scan (sometimes more than once)
  2. spybot scan
  3. AV scan (AVG, MSE, whatever)
  4. CCleaner (making sure to clear out the Java cache since it's unchecked by default)
  5. hijackthis
  6. uninstall all versions of java other than the most recent
  7. windows updates
  8. browser, flash, adobe reader, and java updates
__________________
There are two secrets to staying young, being happy, and achieving success. You have to laugh and find humor every day, and you have to have a dream.
Posted by Force Flow
Old 12-18-2011, 09:48 PM   #15
Saved by grace
 
quartet-man's Avatar
 
Join Date: Sep 2002
Location: Indiana
Posts: 1,549
Wow, FF. That is some serious maintenance.
__________________
My custom work system:
ASUS P7P55D-E LGA 1156 / Intel Core i5-750 / CORSAIR XMS3 4GB (2 x 2GB) / Windows XP SP3 /
SAPPHIRE 100292L Radeon HD 5450 / 2 LITE-ON 24X DVD Writers SATA Model iHAS424-98 / 2 W.D. Caviars Black WD1001FALS 1TB SATA 3.0Gb/s / Antec Sonata III 500 Black with 500W Power Supply / Rosewill RCR-IC002 74-in-1 USB 2.0 3.5" Internal Card Reader w/ USB port
Posted by quartet-man
Old 12-19-2011, 02:45 AM   #16
Member (10 bit)
 
Join Date: May 2007
Location: USA, New Jersey
Posts: 534
Quote:
Originally Posted by Force Flow
Here's the general procedure I've been using over the past few months:
  1. malwarebytes scan (sometimes more than once)
  2. spybot scan
  3. AV scan (AVG, MSE, whatever)
  4. CCleaner (making sure to clear out the Java cache since it's unchecked by default)
  5. hijackthis
  6. uninstall all versions of java other than the most recent
  7. windows updates
  8. browser, flash, adobe reader, and java updates
On multi-scans, I repeat all scans until they all come up with nothing found. It was common several months ago that I'd have to manually edit the Registry to get some stubborn items out.

Nowadays, scanning to clean is only half the job. I have over 25 other things that I do or check to ensure the computer is clean and secure.

Check & Clean out Task Scheduler

Reset IE

IE - Manage Search providers

Check the Hosts file and/or Google.. NJ State and check a few links for evidence of redirection.

Install/run HJT to clean out anything the other scans missed.

Manually clean all temp files & PF, but first save "smtmp" to \My Downloads

Control Panel > Java, and check for updates.

Run Adobe reader and check for updates

Run Adobe Flash updates

Uninstall useless or dangerous programs

Check whether applications will run

Check keyboard for scrambled keys

Check My Computer > C: to see if the drive is explorable

Access the AOL Mail login page to see if encryption is working in IE.

Check Display Properties...Screen Saver tab and Background tab

Check System Restore to see if it's enabled & working properly

Run Windows Updates manually to ensure it's working

Check if Task Manager is accessible.

Check Windows Firewall ON?

Check Windows Firewall Exceptions

Check if Windows Auto Updates is ON, Verify Updates is working.

Check Date & Time

Run Scandisk at startup

Run Prompt: SFC /scannow


Note: Some apply only to WinXP and some only apply when I notice certain things. It's complicated and time consuming, but unless all these things are considered the computer may not be clean or secure.

---pete---
Posted by Petef56
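As an added example (not code from anyone in this thread), here is a read-only PowerShell audit of several items on the checklist above: hosts-file redirection, the Task Manager lock-out, the Windows Firewall standard profile, Automatic Updates, System Restore, and scheduled tasks that launch from temp or profile folders. It assumes PowerShell 2.0 on XP SP3, Vista or 7, run from an Administrator prompt; the registry paths and the schtasks CSV column name are the standard ones, while treating the System Restore policy key as authoritative is an assumption.

```powershell
# Added post-cleanup audit (not from the thread). Read-only: it reports findings
# for a manual look and changes nothing. Assumes PowerShell 2.0 on XP SP3/Vista/7
# from an Administrator prompt.
function Invoke-PostCleanAudit {
    $findings = @()
    $rk = { param($p) Get-ItemProperty -Path $p -ErrorAction SilentlyContinue }
    # Hosts file: any mapping other than the loopback lines is a redirection candidate.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
        ForEach-Object { $findings += "hosts override: $($_.Trim())" }
    # Spot-check name resolution, as the checklist does by opening a few links.
    foreach ($name in 'www.google.com', 'update.microsoft.com') {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
            if ($ips -match '^(127\.|0\.0\.0\.0|10\.|192\.168\.)') { $findings += "$name resolves to $ips" }
        } catch { $findings += "$name failed to resolve: $($_.Exception.Message)" }
    }
    # Task Manager disabled by policy is a common leftover of fake-AV infections.
    $pol = & $rk 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += 'Task Manager disabled (DisableTaskMgr=1)' }
    # Windows Firewall standard profile (XP SP2+, Vista and 7 share this key).
    $fw = & $rk 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    if (-not $fw -or $fw.EnableFirewall -ne 1) { $findings += 'Windows Firewall (standard profile) is OFF' }
    # Automatic Updates: AUOptions 4 = download and install; the service must not be disabled.
    $au = & $rk 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    if (-not $au -or $au.AUOptions -ne 4) { $findings += "Automatic Updates not set to auto-install (AUOptions=$($au.AUOptions))" }
    $wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
    if (-not $wu -or $wu.StartMode -eq 'Disabled') { $findings += 'Windows Update service (wuauserv) disabled or missing' }
    # System Restore: DisableSR=1 in either key turns it off (policy key assumed to win).
    foreach ($p in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore',
                   'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore') {
        $sr = & $rk $p
        if ($sr -and $sr.DisableSR -eq 1) { $findings += "System Restore disabled via $p" }
    }
    # Scheduled tasks launching from user-writable or temp locations deserve a manual look.
    $tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        $cmd = [string]$t.'Task To Run'
        if ($cmd -match '\\(Temp|Local Settings|AppData|ProgramData|RECYCLER)\\' -or $cmd -match '\.(vbs|js|scr)(\s|"|$)') {
            $findings += "scheduled task $($t.TaskName) runs: $cmd"
        }
    }
    return $findings
}

Invoke-PostCleanAudit | ForEach-Object { Write-Output "[CHECK] $_" }
```

An empty result means only that these particular checks passed; the rest of the list (SFC, chkdsk, application and browser checks) still has to be done by hand.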
Old 12-19-2011, 08:49 AM   #17
Mondsreitersmann
 
Nuclear Krusader's Avatar
 
Join Date: Jul 1999
Location: Skingrad
Posts: 8,969
That's some serious list, Pete; I'll keep it for reference, though I've already been doing some of those things. You just made me reconsider my billing scheme: up to now I've been charging customers only 1 hour labour, unless I have to reinstall the OS, in which case I up it to 1.5 hours. But what with all I have to do now to 'clean up' a machine, maybe I should charge 1.5 hours for cleaning and 2 hours if the OS has to be reinstalled.

One extra thing I also do sometimes is run chkdsk and the manufacturers' short test on HDDs.
Posted by Nuclear Krusader
Old 12-20-2011, 07:42 AM   #18
Member (8 bit)
 
Detonate's Avatar
 
Join Date: May 2008
Location: Ault, Colorado, USA
Posts: 198
I use pretty much the same procedure as ForceFlow. I do it from XP Pro running in VirtualBox on my Linux computer. I almost never have to reinstall Windows. If I have a problem, it is usually with a Vista system, and when that happens I reformat the hard drive and install Linux Mint, after discussing it with the customer. After explaining the advantages of this, most are willing to try it, and all that have tried it are very satisfied. The down side to this from a business standpoint is that you don't get many repeat calls.
__________________
If you think you are too old to learn, you probably always were.
http://www.thegeezergeek.net
http://www.bigredonecannoneers.org
Posted by Detonate
Old 12-20-2011, 03:35 PM   #19
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,555
Quote:
Originally Posted by Force Flow
  4. CCleaner (making sure to clear out the Java cache since it's unchecked by default)
From Malwarebytes:

Mysterious Case of the Executable Hijack | Marcin Kleczynski
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.
Posted by rjfvillarosa
Old 12-20-2011, 07:57 PM   #20
Mondsreitersmann
 
Nuclear Krusader's Avatar
 
Join Date: Jul 1999
Location: Skingrad
Posts: 8,969
Java is nothing but a pain in the arse.
Posted by Nuclear Krusader