Is There A Better Faster Way To Clean Infected Systems?

Discussion in 'other software & services' started by DasFox, Aug 19, 2009.

Thread Status:
Not open for further replies.
  1. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    In hindsight, you're right. I was rude, rude in letting my inner demons get the best of me last night. Please, accept an apology - mine.
     
  2. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I never hold a grudge, hehe; that would be silly. We all make mistakes, and it was manly of you to openly apologize.

    Of course you're forgiven... :thumb:

    PEACE
     
  3. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    The most effective way of removing computer infections is from outside the Operating System. It is not foolproof, but most effective, especially for Rootkits.
    Cleaning in Safe Mode is not as effective as cleaning from outside the Operating System because some Malware and Rootkits can cloak themselves in Safe Mode.
    One of the most effective ways was revealed to you in Post #4 by user "thathagat" by following the link provided in the Post.

    EDIT: There are three methods mentioned:

    01)- BartPE CD/DVD
    http://www.nu2.nu/pebuilder/

    02)- UBCD4Win CD/DVD
    http://www.ubcd4win.com/index.htm

    03)- Avira AntiVir Rescue System CD (two listed for download, .exe and .iso)
    http://www.avira.com/en/support/support_downloads.html

    Another effective way of cleaning computers of infections, especially Rootkits, is by using AntiHookExec along with HiJackThis, Autoruns, and Process Explorer.
    AntiHookExec works by restoring the data structures that have been hooked by Rootkits back to their original unhooked state. When these structures are restored,
    traditional system-analysis tools such as HiJackThis, Autoruns, Regedit, Task Manager, and Process Explorer can locate and help in removing Rootkit components.
    AntiHookExec restores user-level hooks; it does not, however, restore kernel hooks, so you will have to augment its capabilities by running a dedicated anti-rootkit
    program to detect kernel-mode Rootkits. Some dedicated anti-rootkit programs are Blacklight, RootkitRevealer, IceSword and GMER.

    There are two methods of installing AntiHookExec so that it works properly with other programs. Use only one method, not both:

    01)- AntiHookExec.exe must be moved to the C:\Windows\system32\ -folder

    OR

    02)- Update the path environment variable to recognize the AntiHookExec directory as a system-wide variable
    Example: AntiHookExec.exe is in the directory C:\Program Files\AntiHookExec\
    Append the following command to the end of the environment path, including the semicolon
    ;C:\Program Files\AntiHookExec\

    Using AntiHookExec with other tools:

    To launch system-analysis tools through AntiHookExec and unleash the power of these tools, type the following at the Windows RUN Dialog Box
    (assuming all system-analysis tools are installed in C:\Program Files\ with their respective names); the quotes are also required because of the spaces in the path.

    01)- To launch HiJackThis through AntiHookExec:
    AntiHookExec.exe "C:\Program Files\HijackThis\HijackThis.exe"

    02)- To launch Autoruns through AntiHookExec:
    AntiHookExec.exe "C:\Program Files\Autoruns\autoruns.exe"

    03)- To launch Process Explorer through AntiHookExec:
    AntiHookExec.exe "C:\Program Files\Process Explorer\procexp.exe"

    04)- To launch the Windows Registry Editor through AntiHookExec:
    AntiHookExec.exe "C:\Windows\regedit.exe"

    05)- and so on

    Links:

    AntiHookExec:
    http://www.security.org.sg/code/antihookexec.html

    Trend Micro HiJackThis:
    http://free.antivirus.com/hijackthis/

    Microsoft Sysinternals Autoruns:
    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    Microsoft Sysinternals Process Explorer:
    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    F-Secure Blacklight:
    http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/

    Microsoft Sysinternals RootkitRevealer:
    http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

    Antirootkit.com IceSword:
    http://www.antirootkit.com/software/IceSword.htm

    GMER Rootkit Detector and Remover:
    http://www.gmer.net/


    HKEY1952
     
    Last edited: Aug 21, 2009
  4. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Thanks HKEY1952...

    Between BartPE and UBCD4Win, is either favored more than the other?

    As far as rootkits go, I can't say I've gotten very involved with them and rootkit apps to find them...

    Like with GMER as an example, I personally wouldn't know a good hook from a bad one, unless the app told you it was bad so I'd know to remove it.

    THANKS...
     
  5. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    The Ultimate Boot CD for Windows (UBCD4Win) is an attractive alternative to the Bart Preinstallation Environment (BartPE) simply because it does a lot of the work for you.
    The UBCD4Win has the BartPE Builder as its core, however, it extends the basic BartPE offerings by including many well-known programs as part of the UBCD4Win's standard build.
    There are many security programs, recovery programs, and backup programs included in the basic UBCD4Win CD build. This obviously saves you the time and trouble of searching
    for and installing your own plug-ins, although the option for adding customized plug-ins is also still available.

    List of tools included with Ultimate Boot CD for Windows can be viewed here:
    http://www.ubcd4win.com/contents.htm

    And downloaded here:
    http://www.ubcd4win.com/downloads.htm

    GMER is a very effective detector that offers some user-friendly functions that the beginner or intermediate user should feel comfortable using.
    GMER will highlight found hidden, hooked, etc. entries in red. However, even the most experienced troubleshooter should and must thoroughly scrutinize all suspected entries
    before removal, so you are not alone here. When sanitizing a system from infections, all variables must be covered and checked for: viruses, spyware, rootkits, the works.
    One can not just delve in and check for one variable such as a virus by scanning in Safe Mode and then conclude that the system is clean.
    I could never find out what GMER stands for.

    You can read about and download GMER here:
    http://www.gmer.net/

    Now the Avira AntiVir Rescue System CD is very attractive to start troubleshooting with. The CD boots the computer outside of the Operating System and runs a virus scan. What is great
    about the Avira AntiVir Rescue System CD is that Avira claims that the download is updated several times a day, so there is always an updated download there to create the CD.
    Creating the Avira AntiVir Rescue System CD is easy: just download and save the executable (rescue_system-common-en.exe) from the Avira Support Tools Web Page. After downloading
    and saving the executable to the final location on the disk, just place a blank CD/DVD into the drive and double click the (rescue_system-common-en.exe) and the program will
    burn a bootable CD/DVD for you. Reboot the computer and the computer will boot from the Avira AntiVir Rescue System CD, presenting you with a Graphical User Interface (GUI). The scans
    and program are somewhat customizable at each bootup and are effective in detecting and removing malware. The program also caches a log that can be saved.
    The Avira AntiVir Rescue System CD executable (rescue_system-common-en.exe) does not install any files or directories on the hard drive; it only creates the bootable CD/DVD.

    You can download and read about the Avira AntiVir Rescue System here:
    http://www.avira.com/en/support/support_downloads.html
    (look for Avira AntiVir Rescue System in the list; there are two, .exe and .iso). I always use the .exe, and the description is farther down the page.
    I always save the file naming it with the version number.


    HKEY1952
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  7. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    With these CDs, can you update them from running the CD, or do you have to actually burn off a new CD each time? Because then you would have to burn a CD each morning, for example. Also, a good live CD is the Dr.Web Live CD; it's very good for those Virut-type infections, for example, as it heals the infection rather than just deleting it.
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I have a caddy for sata and an adapter/plug for parallel drives which connects via usb to a vm set up with various tools.
     
  9. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Are you referring to the Avira AntiVir Rescue System CD?
    If so, there is an option in the Graphical User Interface to update the definitions, however I have not been able to figure out how to use this feature.
    We are booted into a virtual environment off of a CD with no Internet connection.
    The only logical way I can think of to update the definitions is to save a local copy on the hard drive somewhere and update the definitions there, and then
    burn the disk from that. That is too much work though; it is easier just using a rewritable disk for this scenario.
    Besides, I have not observed the Date and Version Number of the download change that often; the current is: 17 Aug 2009 - Version : 20090817180313

    I always check the status of the offered download first before burning a new disk:
    http://www.avira.com/en/support/support_downloads.html


    HKEY1952
     
  10. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Guys,

    I'm new to cleaning other people's infections & will use this thread to help me in my cleaning. So far I rely heavily on M-bam, SAS, da bomb AVira rescue. I take Bart & UBCD with me, but so far haven't used them.

    Bart & UBCD share a common problem for me:

    1. Not always able to update or get them on the net to update.
    2. Trying to get them to boot, or changing the boot order, is not the same on each box.
    3. While on Bart, it's easy to get confused, what drive is what.

    Any thoughts on safe mode scans, or clean boot scans?

    Also I've noticed running M-bam first, SAS will always find something when it scans.

    How is it & what to look for, when SAS identifies malware, needs to reboot, & the malware is still present?

    I was thinking the file is still in use, therefore can't be removed, initiating a reboot. Hence clean boot or safe mode. Does this make any sense?

    Also (I can't find the link right now) I believe a German web site has a place to post HJT logs, which gives instant comments on each item. I use this as a research tool. What do you think, any similar sites?

    What do you think of 'RunScanner'? I should figure out how to use this, seems like a powerful tool.

    Anything to speed up scan times would be fabulous; yesterday I spent 4 hrs twiddling my thumbs, while running scans, for an elderly couple. Even an estimated scan time would be great, then you could leave, have lunch and return just in time for the next scan.

    Thanks
    Rico
     
  11. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    UBCD4Win is a pain in the ass, I can't get it to run, I either have it blue screen on me after the Windows logo, or I get to the desktop and the USB won't work.
     
  12. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    If there were such a sys snapshot tool, the "first aid" would be a lot easier.

    This tool can run at each startup and quit after making a new system snapshot, including the file structure, important regkey structure/values, and sys file hashes.

    Once something goes bad, one can make a quick diagnosis on the spot based on a diff report of the snapshots of the past 7 days. This is quicker and in my opinion more precise.

    Actually even a snapshot taken 3 days ago can still be really helpful, though not precise. That's just what ERA+SysInspect can do now.

    That's all I can think of now. :) All in all, IMHO logs are the key for quick on-site analysis.
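The snapshot-and-diff idea in the post above, carried through as an added example (not code from the thread, and not ERA/SysInspector or any tool named in it). It hashes every file under a tree, stores the snapshot as JSON the way a startup task would, and reports what was added, removed or changed against the stored baseline. The registry side of the idea is stood in for by a plain dict of constructed key/value pairs so the script runs on any OS without touching a real Windows registry; the file contents, key names and values in `demo()` are all constructed sample data.

```python
"""Baseline snapshot and diff for on-site triage: file hashes plus
registry-style key/values, compared against a saved earlier snapshot.
Added example; the registry dicts are constructed placeholders."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # the target is hashed under its real path
            snap[p.relative_to(root).as_posix()] = sha256_file(p)
    return snap


def diff_snapshots(old, new):
    """Compare two {key: value} snapshots; works for file hashes and registry values alike."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }


def save_snapshot(snap, dest):
    """Persist a snapshot as sorted JSON so stored baselines diff cleanly in any text tool."""
    Path(dest).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(src):
    return json.loads(Path(src).read_text())


def demo():
    """Two constructed 'days' of a system: a baseline and a later state with changes."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"      # constructed stand-in for a system folder
        sysdir.mkdir()
        (sysdir / "kernel32.dll").write_bytes(b"constructed kernel32 bytes")
        (sysdir / "user32.dll").write_bytes(b"constructed user32 bytes")
        store = Path(tmp) / "day1.json"      # kept outside the hashed tree
        save_snapshot(snapshot_tree(sysdir), store)

        # Later state: one system file modified, one unknown file dropped.
        (sysdir / "user32.dll").write_bytes(b"constructed modified user32 bytes")
        (sysdir / "helper.dll").write_bytes(b"constructed unknown file")
        file_report = diff_snapshots(load_snapshot(store), snapshot_tree(sysdir))

    # Constructed autorun entries under a real Run key path; values are sample data.
    run = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    reg_old = {run + r"\AdobeARM": "constructed_reader.exe"}
    reg_new = dict(reg_old, **{run + r"\WinUpdater": "constructed_unknown.exe"})
    reg_report = diff_snapshots(reg_old, reg_new)
    return {"files": file_report, "registry": reg_report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report is intentionally just three sorted lists per source; on a real box you would keep one JSON per day, exclude the snapshot store and known-volatile paths from the hashed tree, and read the seven-day window of diffs before deciding what to remove.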
     
  13. mongo72

    mongo72 Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    1
    Location:
    Raleigh, NC
    I don't think there is a quicker way other than embedding different applications into one package, then automate the processes on your own. Of course that would probably require some programming skills.
    In this age, nothing is impossible. Your friend might have the answer that we, technicians, need. http://teachmeaboutcomputers.com
     