What to do if you're infected - eXPerience Rev.3

[Guest]

[eXPerience]

This guide will help you removing malware from your system. Note : This is only a guide and cannot be held responsible for any damage to your system!

(optional : Comodo Back-up)
Superantispyware
Malwarebytes Antimalware
A-squared Free
Hijackthis




1) Back-up all your files and folders using a Comodo Back-up

2) Check for definition Updates (Important!).


3) Allow each program to scan. Scan one at a time.


4) Let the programs clean the infections.

Do not fix anything with A-squared directly, this program is known for it's false positives and might do damage to your system if use wrongly

5) Reboot and see if you find any remains of the virus

6) Download and run Hijackthis. Afterwards, do a system scan and save a log file. A text file will open in notepad, save this one and later upload it together with your post. DO NOT FIX ANYTHING YET !!! .




7) Open a new topic. In that topic, please include :
- The hijackthis log
- the A-squared log
- it might be usefull to report the malware names also

It's important that you make a new topic, this way we can verify that the infection is indeed gone !

Xan

[OmeletGuy]

Since you made a new Post

I will post what i posted on the other one here:

Is this a new what to do if your infected board? i would say change A-Squared to COMODO since the Family signs are comming with in the next 2 to 3 weeks!

If COMODO adds 5000 Family signatures look at how much it can catch!

# of FS      Max for 1 Sig   Total
5000    *   23542      = 117,710,000     
4000    *   23542      = 94,168,000     
3000    *   23542      = 70,626,000     
2000    *   23542      = 47,084,000   
1000    *   23542      = 23,542,000   

[eXPerience]

I'm expecting the users to have Comodo on their computer . The help with cleaning board is a childboard of CIS so I don't find it usefull adding CIS also

Xan

[OmeletGuy]

Oh ok i get you now! Why not switch A2 for Avira, or is A2 that good?

[eXPerience]

A squared is a great on demand scanner. Avira is good in detecting the installers, but I got my doubts on the cleanup. It also gives adds, and it installs a realtime scanner. (Which was also the reason that I used Bitdefender in the past)

Xan

[OmeletGuy]

What about Avast (i know it has realtime), you may also want to include a svhost identifier so that you can see if any Malware is using it, i dont think hijackthis works for that!

[eXPerience]

Any idea about a userfriendly svhost analyzer that makes some report that I can understand ?
Perhaps that's an overkill ? We should keep this as userfriendly as possible, we can always ask for that svhost files later ?

Xan

[OmeletGuy]

Any idea about a userfriendly svhost analyzer that makes some report that I can understand ?
Perhaps that's an overkill ? We should keep this as userfriendly as possible, we can always ask for that svhost files later ?

Xan

Your right a svhost identifier would be over kill, and i dont know one that is user friendly.

But one thing you should say is set CIS to Proactive Security.

[eXPerience]

Is that part of the cleaning up ? 

Xan

[OmeletGuy]

No but i should help to detect keyloggers and other spy malware, that the other AV and maybe CAV's missed

Then again Hijackthis should pick it up right?

[eXPerience]

I was thinking the same . So it's ready to go public ?

Xan

[pnowak]

Xan, I miss one important info:
"6) Reboot into normal mode ..."   - does it mean the previous steps should be done in safe mode

[adric]

Any idea about a userfriendly svhost analyzer that makes some report that I can understand ?
Perhaps that's an overkill ? We should keep this as userfriendly as possible, we can always ask for that svhost files later ?

Xan

http://www.codeplex.com/svchostviewer

Al

[Jose_Lisbon]

It is always a good idea to use GMER after all the other scans.
It makes sure that you have/have not rootkits.

[eXPerience]

Xan, I miss one important info:
"6) Reboot into normal mode ..."   - does it mean the previous steps should be done in safe mode

Oh yeah, that was part of the oldest version of it... Doesn't matter, I deleted it now, thanks for the info !

Using GMER after all these scanners and hijackthis ? isn't that a bit an overkill ?

Xan

[Tags:]