What to have when cleaning?

Discussion in 'other security issues & news' started by sosaiso, May 1, 2006.

Thread Status:
Not open for further replies.
  1. sosaiso

    sosaiso Registered Member

    Nov 12, 2005
    I've recently taken up the hobby of cleaning out the computers of a few friends who have been severely infected with stuff.

    But I was just curious as to what tools you carry around when it comes to doing these sorts of things?

    I've been keeping on a CD-R a copy of:

    Ewido 3.5.
    Ewido 4.0 beta [experimenting as I go along]

    Hostsman. [Keep em from dialing home. I think.]
    Spywareblaster. [Immunize a little during.]

    Zonealarm firewall. [see what's dialing out if they don't have a firewall.]

    Bitdefender 8 Free.
    Are there any other tools that could be recommended? I've also come across various rootkits that don't want to be removed. Any freeware tools that could help identify these things?

    Any other freeware that you can recommend that I can add to this "kill" arsenal?

    Thanks a lot.
  2. WSFuser

    WSFuser Registered Member

    Oct 7, 2004
    for rootkits, u can use rootkitrevealer or f-secure blacklight

    mwav v4.4.7 is supposedly a good virus cleaner, but i don't have a link. search the forum, u may also find some instructions.
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    One of the greatest dilemmas I have when trying to help fix someone's pc is how deep should I go. I'm a perfectionist, so I tend to go all the way, full format and reinstall etc. But that's not always the case.
    Here's how I do it, I hope this post helps you decide.

    Of course, this is assuming things can be done.
    If a pc takes 30 min to load and runs 100% cpu all the time, things can be rather bad.

    First thing - unplug the internet line, install ZA firewall or properly configure the victim's firewall, if possible. Reboot and try to stop everything from accessing the internet.

    Disable system restore. Reboot.

    Clean all temp files, recycle bin, cache, cookies.
    Try to manually uninstall various suspected products.
    Reboot in safe mode, run spybot, ad-aware, microsoft anti-spyware (beta 1), a2, ewido, plus trial of spy sweeper.
    Reboot and repeat the process (again in safe mode).
    Reboot in normal mode, and rerun the process.
    Reboot in normal mode, try to run various online anti-virus scanners (if possible).
    Reboot in normal mode, try to run several anti-virus scanners locally - clamwin, bitdefender, and some others, depending on the existing configuration.
    Reboot, run hijackthis and fix entries if needed.
    Reboot, run specialized tools if needed - Dr.Web, MWAV, Stinger, !avast Virus Cleaner, AVG Vcleaner, CWShredder, ADSSpy, SAV32CLI, Sysclean, ETRemover, Windows Malicious Software Removal Tool, Spyaxe family removal tools, and some others, depending on the hijackthis log.
    Reboot, run lspfix, winsockfix if needed.

    If malware is ultra-persistent, run Ultimate Boot CD for Windows and use the available anti-virus and anti-spyware utilities - most mentioned above.

    Reboot again normally and make another pass with the usual scanners.

    If things are clean:
    Reenable system restore, make all possible updates, most importantly windows updates.
    Harden IE if needed - spywareblaster, spybot immunize.
    Check Java and install proper version.
    Check flash plugins and install proper ones.
    Install firefox and thunderbird if possible.

  4. ErikAlbert

    ErikAlbert Registered Member

    Jun 16, 2005
    Explain to them what the word "BACKUP" means, the most neglected activity on a computer.
    Explain to them what snapshot software can do for them.
    Explain to them not to open their spam emails and to delete them immediately.
    Explain to them not to download stuff from an UNKNOWN source.
  5. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    I would format/reinstall, not leaving anything to chance.
  6. dog

    dog Guest

    That's usually my first recommendation (I back up personal files first, of course) ... then re-install and provide a basic security setup (newbie friendly) - usually done free of charge for co-workers ... and friends of co-workers for a small fee. I haven't had too many requests in that regard lately ... only a few data recovery sessions on non-bootable drives (various reasons) - which I did for free. Life's better without dealing with that garbage.
  7. sosaiso

    sosaiso Registered Member

    Nov 12, 2005
    Ah, a format would be the path I go down too, except they have no XP cd. It's extremely frustrating working with this because there really is no option of just formatting. Been trying to go through their hijackthis logs, but to no avail. [Really don't know how to use these to their maximum benefit either.] Entries keep showing back up about infected files every time I reboot.

    As to Erik, not clicking on spam they already know. Backing up is another issue. But the main concern from me for them is to: "STOP CLICKING THOSE AIM LINKS." That has always been the problem I've had to deal with. Their incessant clicking has been the doom many times.

    As for Blacklight, will that still work? I hear its license is expiring. Does Rootkit Revealer delete in addition to find?

    Thing is with their antivirus they have installed, Symantec corp edition [compliments of the university], I don't know if it has been disabled or not by the trojan/spyware/crap. I haven't bothered running it yet.

    And the other thing is, I've had things go clean in normal, full system scans and everything come up clean. But once I go back into normal mode, boom. Infected registry keys, etc start showing up again. It gets annoying to say the least.

    I guess I'll keep at the Boot Camp training at SWI, and I'll come back with any additional tools I pick up.
  8. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Cleaning up someone’s computer - following that, what a great opportunity to really help someone. After you have finished restoring the computer, in whatever way you do it, why not ask, "Would you like me to suggest some things that might help prevent something like this in the future?" Let’s assume "Mrs. Smith next door."

    What would you do first?

    I would open the case and show her what the hardware looks like. You would be surprised at how mystifying a computer is to many people. Mrs. Smith now can see that there is nothing strange and other-worldly about a hard drive, a CD Rom, a CPU. She may never have occasion to go into the computer again, but she can say that she has seen the inner workings of it. This eliminates the fear of the unknown, which can be a huge impediment and create unnecessary misunderstanding and confusion.

    Next, I would open Windows Explorer to the Windows directory and ask, "Do you know the difference between this .exe file and this .txt file?" You would be surprised at those who can’t explain what an executable is. Then take a file using a program she has installed and ask how that program knows to start up when she double-clicks on the file.

    I’ve found a general lack of understanding about file extensions and file associations with most "Mrs. Smiths next door." But this understanding is really pivotal to developing safe computing practices, especially for downloading files from the internet, and receiving files as email attachments. I would then give her suggestions for safe browsing and email.

    People like to send/receive e-cards, pictures using email and AIM, and there is no reason that can’t be an enjoyable and safe experience if the person is taught precautions. One way I’ve used is that you have an understanding with people on your email list that you send a separate email, or phone, that an e-card or picture file, or any attachment, is coming by email. If all on your mailing list use a reputable e-card site, there is little chance of anything bad happening. I know three people who use such a site and follow the above procedures, and there has never been a problem in years. Same with sending pictures. Of course, with email, you teach Mrs. Smith how to identify phish and spam. It’s ridiculous that people still fall for this stuff, and there is no reason why it has to be. One procedure I’ve suggested is that she find out how each institution where she transacts business on-line deals with customer notifications. I’ve not found any that I’ve dealt with that do anything by email that requires giving out personal information.

    All of this seems like common sense, of course, and begs the question, why does it seem to elude people? Why do they fall for it? My conclusion is that because it happens while computing, people seem to turn off their common sense and intuition. There is something about "the computer" that assumes some type of authoritative importance and overrides one's normal instincts. But if procedures are thoroughly taught and followed, this nonsense is prevented.

    Just think, if everyone here "adopted" even one user and taught basic, safe procedures, how many fewer situations that you describe would exist.

    The above is part of how I start out with a new user. It has been my experience for many years that it provides most of the security the "Mrs. Smiths next door" need. Protection against the inadvertent mishap can be provided by a security product or two, but that’s a different topic.

    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
    Last edited: May 3, 2006
  9. Ribo

    Ribo Registered Member

    Sep 17, 2004
    I have a cd with the following:

    rootkit revealer
    spybot s&d
    winsock fix
    process explorer
    stream shell extensions

    Some of these are old; I've just collected them as I remove stuff from customers' PCs. I always tell people where they likely got the spyware from. I don't say "stop surfing porn!" I tell them less than reputable websites will try to load through security vulnerabilities. And I tell them anything downloaded for free usually isn't.