
Getting better at virus removal.


dummptyhummpty


I really enjoy trying to remove viruses and I'd like to get better at it. I didn't know if there were any specific websites or books I should read. Also I didn't know if there was some way to practice, maybe infect a VM and try to fix it?

Tools I currently use:

Malware Bytes

ComboFix

Rootkit Reveler

HiJack This

AutoRuns

ProcessExplorer

Are there any guides that would help me use these tools more effectively? Thanks!


ok, the only other tool you need:

any one of: Clonezilla, dd | gzip, Norton Ghost, Acronis True Image or any other imaging tool.

The need of the Windows disk has been negated and you have decreased down time.

You'd be a perfect fit for the Geek Squad (speaking from experience).

Edit: I do see where your method might be a better solution. Your method is fine for the corporate environment where everything is standardized and/or stored on a server. I'm asking in regards to home users where they have data scattered all over, may have lost install discs, etc.


No, I wouldn't. I struggle to answer questions like "Am I secure?" "Does this make me secure?" "Can't you just remove <insert name of malware>?". Any such questions don't have a yes answer; strictly speaking they are all "No", including the postfixed ", but..." or ", however...".


I was joking. When I worked there, the solution was to just format everything (to save on time, time = money). I realize that there is no guarantee to removing malware, but I don't mind spending some time trying before I have to grab the Windows disc.


One thing missing from your list is the Microsoft Malicious Software Removal Tool, which is installed every so often by Windows/Microsoft Update or can be manually downloaded.

My opinion will remain that starting from scratch is the correct method of malware removal, ideally having images of your computer so that starting from scratch takes minutes instead of hours. This is the only way to guarantee complete removal.


I have always found Spybot Search &amp; Destroy to be useful for removing malware on personal machines, but for a corporate environment you can't beat being able to just take their base unit away and put another one you had prepared earlier in its place. Very little downtime for the user, and you can reimage their machine and use it as the spare.


I've used that in the past. Just to be clear, I was asking in regard to the home user and NOT the corporate user. For those we usually spend some time on it and, if not, just wipe it, since most users have all their data stored on the server.


The only other ones that I'd recommend that are not in your list are

Super Anti-Spyware -- Picks up things that MalwareBytes does not.

Dial-A-Fix -- Only for Win XP - Repairs basic WinXP catalogs & services that get messed up by infections

HiJackThis Log Analyzer - http://hijackthis.de/ - Parses the HiJack This log for you

There are no all-encompassing guides for removal that I know of. It is more along the lines of knowing what order to run things and how to run them (mostly in safe mode if possible, and for each individual profile).

If you are setting up a VM machine to infect, infecting it with files from the Malware Database can let you try to fix infections on some of the latest malware.


Thanks, I've heard of those, but haven't really used them.

Are you familiar with Hiren's boot cd?

This will let you run a lot of the tools you mentioned above in a dos or PE, which has really helped me out quite a bit in isolating and eliminating troublesome software.

http://www.hiren.info/pages/bootcd

No I haven't. Where do you download the CD from? I looked all over, but didn't see a link. I've used UBCD4Win, which seems to be very similar.


imho...antivirus is a preventative measure only...

if you think you're infected you need to backup, format, reinstall.

In most cases if you think you've been successful in removing nasties, they're probably the ones that they wanted you to find and you're deluding yourself.


Oh COME ON!!!

Is no one gonna say it?

Well.......alright then....

This is my anti-virus tool!!!!!111111

[image: Tux, the Linux penguin]

:lol: (j/k, I know that the various *nix OS's aren't an option for everyone, especially those of us in the corporate IT world)


To add a more serious comment, Sparda's initial response isn't too far off. Anyone who's had the "pleasure" of dealing with Conficker can tell you...malware is getting smarter and smarter every day. My gf got her laptop blasted by Conficker (she claims innocence, saying it's the fault of her little cousin who she let borrow it when she was visiting family) and I tried everything to get that crap off her machine. I even stooped to the low of calling...................Microsoft Tech Support.

And WOW were they dumb! The guy on the other line tries to tell me at first, "Oh, you don't have Conficker." and I yell back, "I can't reach any website remotely related to security, I can't update Windows, I've got some piece of scareware called SpyProtect popping up asking me for $50, and my LAN has slowed to a crawl on account of all the spambot....YES, I have Conficker!!!!!"

After hours on the phone with those geniuses and still no relief in sight...I booted into the Recovery partition on her laptop and reinstalled Windows......then I left some space on the HDD and installed Ubuntu in case this kind of crap happens again.

With the rise of smarter worms like this, and especially newer polymorphic virii, some top-notch security experts like Dan Geer foresee that the future of protecting against malware is going to lie in backups and rapid restores, not in anti-virus and patches. Doubt anti-virus and other removal tools will ever be totally a thing of the past, but I see his point.


what we do here at the shop is boot into a bootable Bart's disk.

go to the system32 and look for files that do not have a date, delete them seeing they're malware,

also sort by date and move the ones that look weird to a new folder,

then we will check the drivers folders and do the same,

then delete the temps for windows, ie, user, etc.

then I'll go into all users, local system, and network accounts and make sure that there is nothing missing in their temps as well...

then I'll reboot into safe mode and install malwarebytes

update it, w/ cd

let it run

remove crap it finds

then I'll install avast

tell it to scan on reboot

install update for it

and reboot the pc

then I'll log into normal mode and then run malwarebytes again and see if i missed anything

if nothing returns

remove avast if customer wants it removed

defrag hdd

and set on the shelf for customer
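The System32 and drivers sweep described in the steps above is the kind of thing that is easy to do badly by hand (a file's timestamp alone says little, and deleting on sight breaks Windows). The script below is an added example, not the poster's own procedure or tooling: it is a read-only triage pass that lists recently created or modified executables under System32 together with their Authenticode status and SHA-256, so a human decides what to quarantine. `$Root` and `$DaysBack` are assumed parameters to tune per case; the CSV path is an assumption too.

```powershell
# Added example (not from the original post): read-only triage of System32.
# Run from an elevated PowerShell on the suspect machine, or point $Root at a
# drive mounted from a boot environment. Nothing here deletes anything.
param(
    [string]$Root = "$env:SystemRoot\System32",   # assumed default; override for an offline drive
    [int]$DaysBack = 14                            # assumed window for "recent"
)

$cutoff = (Get-Date).AddDays(-$DaysBack)

# Only loadable binaries are worth a signature check; data files are noise here.
$suspect = Get-ChildItem -Path $Root -File -Include *.exe, *.dll, *.sys -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Signature = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject  # $null when unsigned
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Unsigned or tampered binaries sort to the top, newest first within each group.
$ordered = $suspect | Sort-Object `
    @{ Expression = { $_.Signature -eq 'Valid' }; Ascending = $true }, `
    @{ Expression = 'Modified'; Descending = $true }

$ordered | Format-Table Path, Created, Modified, Signature, Signer -AutoSize

# Keep the hashes with the case notes so anything quarantined can be matched later.
$ordered | Export-Csv -Path "$env:TEMP\system32-triage.csv" -NoTypeInformation   # assumed output path
```

Two caveats when reading the output: a brand-new timestamp is expected after Windows Update, so pair the date with the signature status rather than acting on either alone, and many Windows binaries are catalog-signed rather than embedded-signed, so `NotSigned` on a file scanned from an offline drive means "look closer", not "malware". Anything you do decide to remove should be moved to a quarantine folder and hashed first, exactly as the post's "move the ones that look weird to a new folder" step does.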


I suggest listening to a podcast called Security Now by Steve Gibson and Leo Laporte. Steve gave an extremely in-depth explanation of Conficker and its variables.

Episode #193 | 23 Apr 2009 | 104 min.

You can grab it here:

http://www.grc.com/securitynow.htm

Well worth the listen and as it so happens his advice?.....backup format reinstall doo dah doo dah...


One thing that I find interesting with Windows that people soon forget, and this only works if someone set up Windows properly and didn't hose the administrator's account, but let's say you set up user accounts on the machine. Set cacls so that users cannot access or change other users' directories and files. Then if one account gets hosed or malware, create a new account with access rights to the old account's files, copy over what you want to keep (don't run anything until verified clean though) and then delete the old account. Then you don't have to spend all day backing up, formatting, reinstalling the machine. In a corporate environment, it's great to just grab a disk image and reinstall quickly from your last backup, but when a home user has a whole family of people using the same desktop machine or laptop, you would need to back up each user's files, then format, reinstall, recreate each user, and restore each user's files. That's just a pain in the ass.

If you can create a new account on a machine that is free of malware and such, copy over your important files, then delete the old account off the machine. That is the quickest fix I can think of, but this only works if the malware was not able to compromise the admin account on the machine. If it hosed the admin account, then you could use a bootable pe and create a new user that way, and do the same thing, having a clean account, copy over the files you need and delete all the f*ked accounts from the box. No need to format and reinstall.
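The two-part approach in the post above (lock each profile down ahead of time, then migrate to a fresh account rather than wiping) maps cleanly onto a few Windows commands. The script below is an added example, not the poster's commands: it uses `icacls` (the current replacement for the `cacls` the post mentions) and the `LocalAccounts` cmdlets that ship with Windows PowerShell 5.1. `$OldUser`, `$NewUser` and the staging directory `C:\Migrated-<user>` are assumed names; it must run from an elevated PowerShell on a machine whose Administrators group is still trusted, which is the post's own precondition.

```powershell
# Added example (not from the original post). Assumed names: $OldUser, $NewUser,
# and a staging folder outside any profile so copied data can be scanned before
# the new user ever touches it.
param(
    [string]$OldUser = "alice",    # assumed: compromised standard account
    [string]$NewUser = "alice2"    # assumed: replacement standard account
)

$oldProfile = "C:\Users\$OldUser"
$staging    = "C:\Migrated-$OldUser"   # assumed staging location

# Part 1 (preventive, do this for every standard account before trouble):
# drop inherited ACEs from a profile so only that user, SYSTEM and
# Administrators can read or change it. Other standard users are locked out.
function Protect-Profile {
    param([string]$User)
    $p = "C:\Users\$User"
    # ${User} braces keep PowerShell from reading "$User:" as a scope qualifier.
    icacls $p /inheritance:r /grant:r "${User}:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" | Out-Null
}

# Part 2a: create the replacement account as a plain member of Users (not Administrators).
function New-ReplacementAccount {
    param([string]$Name)
    $pw = Read-Host -AsSecureString "Password for $Name"
    New-LocalUser -Name $Name -Password $pw | Out-Null
    Add-LocalGroupMember -Group "Users" -Member $Name
}

# Part 2b: copy data only. AppData, the Start Menu startup folders and the
# registry hive stay behind, and executable/script types are excluded so the
# persistence the old profile carried does not come along.
function Copy-UserData {
    param([string]$Source, [string]$Destination)
    $dataDirs = 'Documents', 'Pictures', 'Desktop', 'Music', 'Videos', 'Downloads'
    foreach ($d in $dataDirs) {
        $src = Join-Path $Source $d
        if (Test-Path $src) {
            robocopy $src (Join-Path $Destination $d) /E /COPY:DAT `
                /XF *.exe *.dll *.scr *.lnk *.js *.vbs *.bat *.cmd *.ps1 *.hta `
                /R:1 /W:1 | Out-Null
        }
    }
}

# Part 2c: after the staging folder has been scanned and verified clean,
# remove the old account and its on-disk profile (deleting the Win32_UserProfile
# instance removes the profile directory and registry hive together).
function Remove-OldAccount {
    param([string]$User, [string]$ProfilePath)
    Get-CimInstance Win32_UserProfile |
        Where-Object { $_.LocalPath -eq $ProfilePath } |
        Remove-CimInstance
    Remove-LocalUser -Name $User
}

# Sequence for the migration case. The post's "don't run anything until verified
# clean" step is the scan between Copy-UserData and Remove-OldAccount.
New-ReplacementAccount -Name $NewUser
Copy-UserData -Source $oldProfile -Destination $staging
Write-Host "Scan $staging with your AV of choice, then run: Remove-OldAccount -User $OldUser -ProfilePath $oldProfile"
Write-Host "After $NewUser signs in once (which creates the profile), move $staging into C:\Users\$NewUser and run: Protect-Profile -User $NewUser"
```

The staging folder exists because a profile directory is only created on the user's first sign-in; copying straight into `C:\Users\alice2` before that would make Windows create `alice2.<machine>` instead. The post's limitation still applies: if the malware ran with administrative rights, the Administrators group, SYSTEM services and the machine hive are all suspect, and moving files between accounts does nothing about that; that is the case for the bootable PE or the full reinstall.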
