dummptyhummpty Posted June 19, 2009

I really enjoy trying to remove viruses and I'd like to get better at it. I didn't know if there were any specific websites or books I should read. Also, I didn't know if there was some way to practice, maybe infect a VM and try to fix it?

Tools I currently use:
Malwarebytes
ComboFix
RootkitRevealer
HijackThis
AutoRuns
Process Explorer

Are there any guides that would help me use these tools more effectively? Thanks!
dummptyhummpty Posted June 19, 2009

> The only tool you need: Windows Install disk

I disagree, that's the lazy way out.
Sparda Posted June 19, 2009

OK, the only other tool you need: any one of clonezilla, dd | gzip, Norton Ghost, Acronis True Image or any other imaging tool. The need for the Windows disk has been negated and you have decreased downtime.
dummptyhummpty Posted June 19, 2009

> OK, the only other tool you need: any one of clonezilla, dd | gzip, Norton Ghost, Acronis True Image or any other imaging tool. The need for the Windows disk has been negated and you have decreased downtime.

You'd be a perfect fit for the Geek Squad (speaking from experience).

Edit: I do see where your method might be a better solution. Your method is fine for the corporate environment where everything is standardized and/or stored on a server. I'm asking in regards to home users, where they have data scattered all over, may have lost install discs, etc.
Sparda Posted June 19, 2009

No, I wouldn't. I struggle to answer questions like "Am I secure?", "Does this make me secure?", "Can't you just remove <insert name of malware>?". Any such questions don't have a yes answer; strictly speaking they are all "No", including the postfixed ", but..." or ", however...".
dummptyhummpty Posted June 19, 2009

> No, I wouldn't. I struggle to answer questions like "Am I secure?", "Does this make me secure?", "Can't you just remove <insert name of malware>?". Any such questions don't have a yes answer; strictly speaking they are all "No", including the postfixed ", but..." or ", however...".

I was joking. When I worked there, the solution was to just format everything (to save on time; time = money). I realize that there is no guarantee to removing malware, but I don't mind spending some time trying before I have to grab the Windows disc.
Sparda Posted June 19, 2009

One thing missing from your list is the Microsoft Malicious Software Removal Tool, which is installed every so often by Windows/Microsoft Update or can be manually downloaded. My opinion will remain that starting from scratch is the correct method of malware removal, ideally having images of your computer so that starting from scratch takes minutes instead of hours. This is the only way to guarantee complete removal.
dummptyhummpty Posted June 19, 2009

> One thing missing from your list is the Microsoft Malicious Software Removal Tool, which is installed every so often by Windows/Microsoft Update or can be manually downloaded.

I forgot about that one, thank you.
decepticon_eazy_e Posted June 19, 2009

> The only tool you need: Windows Install disk

The Ubuntu install disk works better.
Jason Cooper Posted June 20, 2009

I have always found Spybot Search & Destroy to be useful for removing malware on personal machines, but for a corporate environment you can't beat being able to just take their base unit away and put another one you had prepared earlier in its place. Very little downtime for the user, and you can reimage their machine and use it as the spare.
dummptyhummpty Posted June 20, 2009

> I have always found Spybot Search & Destroy to be useful for removing malware on personal machines, but for a corporate environment you can't beat being able to just take their base unit away and put another one you had prepared earlier in its place. Very little downtime for the user, and you can reimage their machine and use it as the spare.

I've used that in the past. Just to be clear, I was asking in regard to the home user and NOT the corporate user. For those we usually spend some time on it and, if not, just wipe it, since most users have all their data stored on the server.
Darcon Posted June 20, 2009

> I really enjoy trying to remove viruses and I'd like to get better at it. I didn't know if there were any specific websites or books I should read. Also, I didn't know if there was some way to practice, maybe infect a VM and try to fix it? Tools I currently use: Malwarebytes, ComboFix, RootkitRevealer, HijackThis, AutoRuns, Process Explorer. Are there any guides that would help me use these tools more effectively? Thanks!

The only other ones that I'd recommend that are not in your list are:
SUPERAntiSpyware -- picks up things that Malwarebytes does not.
Dial-A-Fix -- only for Win XP; repairs basic WinXP catalogs & services that get messed up by infections.
HijackThis Log Analyzer -- http://hijackthis.de/ -- parses the HijackThis log for you.

There are no all-encompassing guides for removal that I know of. It is more along the lines of knowing what order to run things in and how to run them (mostly in safe mode if possible, and for each individual profile). If you are setting up a VM to infect, infecting it with files from the Malware Database can let you try to fix infections on some of the latest malware.
Brian Sierakowski Posted June 20, 2009

Are you familiar with Hiren's BootCD? This will let you run a lot of the tools you mentioned above in a DOS or PE environment, which has really helped me out quite a bit in isolating and eliminating troublesome software. http://www.hiren.info/pages/bootcd
dummptyhummpty Posted June 20, 2009

> The only other ones that I'd recommend that are not in your list are: SUPERAntiSpyware -- picks up things that Malwarebytes does not. Dial-A-Fix -- only for Win XP; repairs basic WinXP catalogs & services that get messed up by infections. HijackThis Log Analyzer -- http://hijackthis.de/ -- parses the HijackThis log for you. There are no all-encompassing guides for removal that I know of. It is more along the lines of knowing what order to run things in and how to run them (mostly in safe mode if possible, and for each individual profile). If you are setting up a VM to infect, infecting it with files from the Malware Database can let you try to fix infections on some of the latest malware.

Thanks, I've heard of those, but haven't really used them.

> Are you familiar with Hiren's BootCD? This will let you run a lot of the tools you mentioned above in a DOS or PE environment, which has really helped me out quite a bit in isolating and eliminating troublesome software. http://www.hiren.info/pages/bootcd

No, I haven't. Where do you download the CD from? I looked all over, but didn't see a link. I've used UBCD4Win, which seems to be very similar.
Darcon Posted June 21, 2009

> Are you familiar with Hiren's BootCD? This will let you run a lot of the tools you mentioned above in a DOS or PE environment, which has really helped me out quite a bit in isolating and eliminating troublesome software. http://www.hiren.info/pages/bootcd

Unfortunately, Hiren's as well as MiniPE are considered warez due to the software contained within them.
dummptyhummpty Posted June 21, 2009

> Unfortunately, Hiren's as well as MiniPE are considered warez due to the software contained within them.

OK, well, thanks for letting me know about them.
runkittyrun Posted June 23, 2009

Personally, if all you want is experience and training, I'd set up a computer for it that is not connected to any outside source or any of your normal computers, then get some virus source code, compile them and take turns removing them.
psydT0ne Posted June 24, 2009

IMHO... antivirus is a preventative measure only. If you think you're infected you need to backup, format, reinstall. In most cases, if you think you've been successful in removing nasties, they're probably the ones that they wanted you to find and you're deluding yourself.
Signal Hacker Posted June 24, 2009

Oh COME ON!!! Is no one gonna say it? Well.......alright then.... This is my anti-virus tool!!!!!111111 (j/k, I know that the various *nix OSes aren't an option for everyone, especially those of us in the corporate IT world)
Signal Hacker Posted June 24, 2009

To add a more serious comment, Sparda's initial response isn't too far off. Anyone who's had the "pleasure" of dealing with Conficker can tell you... malware is getting smarter and smarter every day. My gf got her laptop blasted by Conficker (she claims innocence, saying it's the fault of her little cousin who she let borrow it when she was visiting family) and I tried everything to get that crap off her machine. I even stooped to the low of calling................... Microsoft Tech Support. And WOW were they dumb! The guy on the other line tries to tell me at first, "Oh, you don't have Conficker." and I yell back, "I can't reach any website remotely related to security, I can't update Windows, I've got some piece of scareware called SpyProtect popping up asking me for $50, and my LAN has slowed to a crawl on account of all the spambot.... YES, I have Conficker!!!!!"

After hours on the phone with those geniuses and still no relief in sight... I booted into the recovery partition on her laptop and reinstalled Windows...... then I left some space on the HDD and installed Ubuntu in case this kind of crap happens again.

With the rise of smarter worms like this, and especially newer polymorphic virii, some top-notch security experts like Dan Geer foresee that the future of protecting against malware is going to lie in backups and rapid restores, not in anti-virus and patches. I doubt anti-virus and other removal tools will ever be totally a thing of the past, but I see his point.
dw5304 Posted June 24, 2009

What we do here at the shop is boot into a bootable Bart's disk. Go to the system32 and look for files that do not have a date; delete them, seeing as they're malware. Also sort by date and move the ones that look weird to a new folder. Then we will check the drivers folders and do the same, then delete the temps for Windows, IE, user, etc. Then we'll go into All Users, Local System, and Network accounts and make sure that there is nothing missing in their temps as well...

Then I'll reboot into safe mode and install Malwarebytes, update it w/ CD, let it run, remove crap it finds. Then I'll install Avast, tell it to scan on reboot, install updates for it and reboot the PC. Then we'll log into normal mode and run Malwarebytes again and see if I missed anything. If nothing returns, remove Avast if the customer wants it removed, defrag the HDD and set it on the shelf for the customer.
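The date-sorting triage in the post above can be scripted so that it produces a review list instead of relying on eyeballing Explorer and deleting on the spot. The PowerShell below is an added example, not something from the thread or any of the posters: it lists files in System32 and the drivers folder changed within a look-back window, checks each one's Authenticode signature with the built-in Get-AuthenticodeSignature, flags a creation time newer than the modification time (the pattern a freshly copied-in file leaves behind), and writes everything to a CSV for a second look. It deletes nothing; a legitimate update that happened to land in the window would otherwise be a candidate for removal. The parameter names and report path are assumptions, and the script expects an elevated PowerShell 3 or later prompt.

```powershell
# Added example (not from the thread): triage recently changed files in System32
# and the drivers folder for review instead of deleting by eye.
# Assumptions: elevated PowerShell 3+, parameter names and report path chosen here.
param(
    [int]$Days = 30,                                              # look-back window (assumed default)
    [string]$ReportPath = "$env:USERPROFILE\Desktop\system32-triage.csv"
)

$roots  = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")
$cutoff = (Get-Date).AddDays(-$Days)

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            # Signature check: Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                Created         = $_.CreationTime
                Modified        = $_.LastWriteTime
                SizeBytes       = $_.Length
                Signature       = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # A creation time after the last write usually means the file was copied
                # into place recently while keeping its original modification stamp.
                RecentlyDropped = ($_.CreationTime -gt $_.LastWriteTime)
                NeedsReview     = ($sig.Status -ne 'Valid' -or $_.CreationTime -gt $_.LastWriteTime)
            }
        }
}

$findings | Sort-Object Modified -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$review = @($findings | Where-Object NeedsReview)
$review | Format-Table Path, Modified, Signature, RecentlyDropped -AutoSize
Write-Host ("{0} recently changed files checked, {1} flagged for review; report at {2}" -f @($findings).Count, $review.Count, $ReportPath)
```

Treat a NotSigned result as "look closer", not as a verdict: many Windows system files are catalog-signed rather than carrying an embedded signature, and older PowerShell builds report those as NotSigned. Anything you do decide to remove is safer moved to a quarantine folder first, as the post already does for the "weird" ones, so a wrong guess can be reversed.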
psydT0ne Posted June 25, 2009

I suggest listening to a podcast called Security Now by Steve Gibson and Leo Laporte. Steve gave an extremely in-depth explanation of Conficker and its variants. Episode #193 | 23 Apr 2009 | 104 min. You can grab it here: http://www.grc.com/securitynow.htm

Well worth the listen, and as it so happens his advice?..... backup, format, reinstall, doo dah doo dah...
digip Posted June 25, 2009

One thing that I find interesting with Windows that people soon forget, and this only works if someone set up Windows properly and didn't hose the Administrator account, but let's say you set up user accounts on the machine. Set cacls so that users cannot access or change other users' directories and files. Then, if one account gets hosed or malware, create a new account with access rights to the old account's files, copy over what you want to keep (don't run anything until verified clean, though) and then delete the old account. Then you don't have to spend all day backing up, formatting and reinstalling the machine.

In a corporate environment, it's great to just grab a disk image and reinstall quickly from your last backup, but when a home user has a whole family of people using the same desktop machine or laptop, you would need to back up each user's files, then format, reinstall, recreate each user, and restore each user's files. That's just a pain in the ass. If you can create a new account on a machine that is free of malware and such, copy over your important files, then delete the old account off the machine. That is the quickest fix I can think of, but this only works if the malware was not able to compromise the admin account on the machine. If it hosed the admin account, then you could use a bootable PE and create a new user that way, and do the same thing: having a clean account, copy over the files you need and delete all the f*ked accounts from the box. No need to format and reinstall.
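The profile-replacement approach in the post above, as an added PowerShell example that is not from the thread or the poster. It performs the two mechanical halves of the technique: locking every profile directory under the profile root to its own account, SYSTEM and Administrators (the cacls step, done here with icacls), and copying only the data folders from the hosed profile into a fresh one. AppData, the Start Menu and NTUSER.DAT are deliberately left behind, since that is where per-user persistence lives, and the old account is not deleted by the script so the copied files can be scanned first. Assumptions: it runs from an administrator account the malware did not reach, on Vista or later folder naming (Documents, Pictures, ...), the profile folder names match the account names, and the new account has already been created (for example with net user) and logged on once so Windows has built its profile; the script and parameter names are made up for this example.

```powershell
# Added example (not from the thread): move a user's data into a fresh profile
# instead of reinstalling. Assumptions: run as an uncompromised administrator,
# Vista+ folder names, profile folder name == account name, and $NewUser has
# already been created and logged on once so its profile exists.
param(
    [Parameter(Mandatory)][string]$OldUser,   # the hosed account (hypothetical parameter)
    [Parameter(Mandatory)][string]$NewUser    # the clean replacement account
)

$profileRoot = Split-Path $env:USERPROFILE -Parent      # typically C:\Users
$oldProfile  = Join-Path $profileRoot $OldUser
$newProfile  = Join-Path $profileRoot $NewUser
if (-not (Test-Path $oldProfile)) { throw "No profile folder found at $oldProfile" }
if (-not (Test-Path $newProfile)) { throw "Log on once as $NewUser first so its profile exists." }

# 1. Restrict each profile folder to its owner, SYSTEM and Administrators, and drop
#    inherited ACEs so no other standard user can read or change it.
Get-ChildItem -Path $profileRoot -Directory |
    Where-Object { $_.Name -notin 'Public', 'Default', 'All Users', 'Default User' } |
    ForEach-Object {
        icacls $_.FullName /inheritance:r /grant:r "$($_.Name):(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $($_.FullName); folder name may not match an account" }
    }

# 2. Copy data folders only. /XJ skips junctions, /COPY:DT copies data and timestamps
#    but not the old ACLs; ownership is then handed to the new account.
$dataFolders = 'Desktop', 'Documents', 'Pictures', 'Music', 'Videos', 'Downloads', 'Favorites'
foreach ($folder in $dataFolders) {
    $src = Join-Path $oldProfile $folder
    $dst = Join-Path $newProfile $folder
    if (-not (Test-Path $src)) { continue }
    robocopy $src $dst /E /XJ /COPY:DT /R:1 /W:1 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors copying $folder" }
    icacls $dst /setowner $NewUser /T /C | Out-Null
}

# 3. The old account stays until the copied files have been scanned; print the removal steps.
Write-Host "Copied data folders from $OldUser to $NewUser. Scan $newProfile, then remove the old account with:"
Write-Host "  net user $OldUser /delete"
Write-Host "  Get-CimInstance Win32_UserProfile | Where-Object LocalPath -eq '$oldProfile' | Remove-CimInstance"
```

Removing the old profile through Win32_UserProfile rather than deleting the folder keeps the registry's profile list consistent. As the post says, none of this helps once the administrator account itself is compromised; at that point the account boundary that the ACLs rely on no longer holds, and the offline-PE route or a reinstall is what remains.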