UBCD4Win Forums: Virus Removal Techniques - UBCD4Win Forums


Virus Removal Techniques

#1 TECHNOTIKA (Newbie, Group: Members, Posts: 3, Joined: 20-February 07)

Posted 15 September 2009 - 07:48 AM

Hi

I am doing a lot of "malware, virus" cleaning etc.
I have been a fan of UBCD4WIN for ages and was wondering what steps all you other pros use to clean up "a hostile" PC.
Perhaps it's something other than UBCD; however, I know that using the CD is best because it's in a pre-Windows environment.
Also, any tips to actually prove you cleaned the scum off?
Thanks guys!!!!! :rolleyes:

#2 gunjin (Newbie, Group: Members, Posts: 1, Joined: 19-September 09)

Posted 19 September 2009 - 10:19 AM

TECHNOTIKA, on 15 September 2009 - 04:48 AM, said:

    Hi

    I am doing a lot of "malware, virus" cleaning etc.
    I have been a fan of UBCD4WIN for ages and was wondering what steps all you other pros use to clean up "a hostile" PC.
    Perhaps it's something other than UBCD; however, I know that using the CD is best because it's in a pre-Windows environment.
    Also, any tips to actually prove you cleaned the scum off?
    Thanks guys!!!!! :rolleyes:


Was tired of hearing the crickets and created an account just so I can start off with a response. Would also like to hear how others are using this for malware/virus work too, so I thought I'd start by sharing how I use UBCD4WIN.

A few months into Information Assurance work myself, I came upon UBCD4WIN as I was looking for a bootable CD to overcome the poor password management in my work environment. New to UBCD4WIN, so only recently have I been exploring the other tools that come with the standard build. I guess I can break it down like this:

1. Administrator password reset
- Boot to the UBCD4WIN environment to change the local administrator password. I needed this because if a workstation's port were disabled by the N.O.C. then I had no way to log on with my admin account to conduct my malware/virus cleanup.

2. Profile clean up
- I like to clean out the temp files of all user profiles on the workstation, etc., as it makes the anti-virus scan run a little faster. I ran CCleaner recently out in the field but learned via their forums that CCleaner only cleans the profile of the currently logged-in user.
- I will try out ATF Cleaner on my next build.

3. Sysinternals
- When I create my ISO I use the "Custom" option and point to a folder I label 'PsTools'. I have the entire Sysinternals suite from Microsoft extracted in that folder. Into that folder I also downloaded Windows System Control Center, which is basically just a front-end GUI for Sysinternals and tools from NirSoft.

4. Anti-virus
- We use Symantec Anti-Virus Corporate Edition at work, so I download the latest Symantec virus definitions before burning my ISO. I save them in a folder in my PsTools folder mentioned above. If a workstation I am investigating is not getting updated from one of our parent servers, I at least have the latest definitions to install locally before I run a full scan.
- I have yet to run any of the free AV software that comes with UBCD4WIN, but I do update them before I burn my ISO.

5. Malware
- I have yet to use them in the field, but I also update Malwarebytes and Spybot Search & Destroy before I burn my ISO.

And I also saved and printed a copy of the Spyware/Virus removal and cleanup post at http://www.ubcd4win....showtopic=2162. I tried out EZPCFix on my own laptop to delete the Temp files. I have yet to try it in the field but will keep it in mind if I don't have any luck with ATF Cleaner mentioned above. Still deciphering some of the other recommended registry cleaning techniques in that guide, but I like having a printed copy as a reference.

As far as knowing if a workstation is clean...hmm. To date SAVCE is catching everything malicious, so I guess I have been lucky so far. If the SAV log says a risk has been quarantined and/or deleted I tend to go with that. I also read up on the risk detected and check any registry entries it is reported to write. BUT so as not to be too reliant on one solution, I have been testing out both Malwarebytes and HijackThis. I lurk on the Malwarebytes, Bleeping Computer, and MajorGeeks forums to learn how to use these products. Usually I read the logs posted by users requesting assistance, and then compare them to the post-infection logs after they have been provided assistance.

That's my experience and usage...
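Step 2 of the post above notes that CCleaner only cleans the profile of the user who is logged in, which is exactly the case an offline boot environment avoids. The script below is an added example (not code from the thread, from gunjin, or from the UBCD4Win project): it walks every profile on an offline Windows volume and removes the per-profile temp folders, with a dry-run mode so the list of what would go can be saved as a record before anything is deleted. It assumes the infected volume is mounted read/write at `volume_root` from the PE environment (a hypothetical path), and the fake volume it builds for the demo is constructed data. It refuses to follow symlinks/junctions, so a reparse point planted in a profile cannot redirect the cleanup at a directory that must not be touched.

```python
import os
import shutil
import tempfile
from typing import List, Tuple

# Profile containers on the Windows versions UBCD4Win targets (XP-era)
# and on later releases. The infected volume is assumed to be mounted
# read/write at `volume_root` from the PE environment (hypothetical path).
PROFILE_ROOTS = ("Documents and Settings", "Users")

# Per-profile temp locations, relative to each profile directory.
TEMP_SUBDIRS = (
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
    os.path.join("AppData", "Local", "Temp"),
)


def find_profiles(volume_root: str) -> List[str]:
    """List every profile directory under the known profile containers."""
    profiles = []
    for container in PROFILE_ROOTS:
        root = os.path.join(volume_root, container)
        if not os.path.isdir(root):
            continue
        for name in sorted(os.listdir(root)):
            path = os.path.join(root, name)
            # Skip symlinks/junctions: a reparse point planted in a profile
            # could redirect the cleanup at a directory we must not touch.
            if os.path.isdir(path) and not os.path.islink(path):
                profiles.append(path)
    return profiles


def _tree_size(path: str) -> int:
    """Bytes held by a file or directory tree (symlinks sized with lstat, never followed)."""
    if os.path.islink(path) or os.path.isfile(path):
        return os.lstat(path).st_size
    total = 0
    for dirpath, _, filenames in os.walk(path):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                total += os.lstat(full).st_size
    return total


def clean_profile_temp(volume_root: str, dry_run: bool = True) -> List[Tuple[str, int]]:
    """Remove (or, in dry-run, only list) every entry in each profile's temp dirs.

    Returns (path, bytes) per entry so the list can be kept as a record.
    """
    removed = []
    for profile in find_profiles(volume_root):
        for sub in TEMP_SUBDIRS:
            temp_dir = os.path.join(profile, sub)
            if not os.path.isdir(temp_dir) or os.path.islink(temp_dir):
                continue
            for entry in sorted(os.listdir(temp_dir)):
                path = os.path.join(temp_dir, entry)
                size = _tree_size(path)
                if not dry_run:
                    if os.path.isdir(path) and not os.path.islink(path):
                        shutil.rmtree(path)
                    else:
                        os.remove(path)  # regular files and symlinks alike
                removed.append((path, size))
    return removed


def count_files(root: str) -> int:
    """Regular files under root; used to confirm nothing outside Temp was touched."""
    return sum(len(files) for _, _, files in os.walk(root))


def build_sample_volume() -> str:
    """Construct a throwaway fake volume (constructed data, for the demo only)."""
    root = tempfile.mkdtemp(prefix="fakevol_")
    layout = {
        os.path.join("Documents and Settings", "alice", "Local Settings", "Temp", "~tmp1.tmp"): b"x" * 100,
        os.path.join("Documents and Settings", "alice", "My Documents", "keep.doc"): b"keep",
        os.path.join("Documents and Settings", "bob", "Local Settings", "Temp", "setup.log"): b"y" * 50,
        os.path.join("Users", "carol", "AppData", "Local", "Temp", "dropper.exe"): b"z" * 25,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_volume(root: str) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    vol = build_sample_volume()
    for path, size in clean_profile_temp(vol, dry_run=True):
        print(f"would remove {size:>6} bytes  {path}")
    remove_sample_volume(vol)
```

Run it once with `dry_run=True` and keep the printed list alongside the scanner reports; then run it with `dry_run=False`. Anything that turns up in Temp with an executable extension is worth hashing before removal, since it may be the dropper the scanner later reports.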

#3 rdsok (Group: Admin, Posts: 6,037, Joined: 02-October 05, Gender: Male, Location: Norman, Ok. USA)

Posted 19 September 2009 - 12:07 PM

I would also direct you to look at forums and websites that specialize in cleanup procedures instead of a general forum that just touches on all things, like UBCD4Win does. Remember that while UBCD4Win does include antispyware/antivirus utils... it also includes all sorts of other utils to help address a wide variety of issues; it isn't just malware oriented.

Almost all of the antimalware forums list a set of preferred steps they suggest. I think you will find them all very similar, so repeating them here is redundant and also off-topic for the project itself (booting a Windows PE environment from a CD/DVD or USB disk).

Things to consider when addressing malware..

It will always be faster to run scans when booted into Windows itself when compared to UBCD4Win or any other PE boot environment. Because of that I try to do most of the work that I can from Windows itself and only use UBCD4Win on the cases that block the cleanup procedures in Windows. This can save hours of scan time.

There is no one best cleanup util... use several to verify that the system is really clean. When running them from Windows itself, I will use the installed antivirus software and then typically Malwarebytes Anti-Malware and Spybot... I also will do follow-ups with A-Squared, but since it also lists potentially unwanted programs (like the various VNCs and other common utils) I selectively choose what I have it remove.

Almost all of the antivirus/antispyware utils have a report function... Save the reports to show what was found and removed.

Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

#4 SteelTrepid (Administrator, Group: Admin, Posts: 6,191, Joined: 27-April 04, Gender: Male, Location: Ohio)

Posted 20 September 2009 - 12:21 AM

          I will add more to this tomorrow when I have some free time.
          "I play Russian roulette everyday, a man's sport, with a bullet called life"

          "My cause is noble, my power is pure"

#5 pcuser (Project Programmer, Group: Moderator & Development, Posts: 3,889, Joined: 20-November 04, Gender: Male, Location: Kneebrasskee)

Posted 20 September 2009 - 02:21 AM

TECHNOTIKA said:

    Also any tips to actually prove you cleaned the scum off?

Does the file still exist?

gunjin said:

    And I also saved and printed a copy of the Spyware/Virus removal and cleanup post at http://www.ubcd4win....showtopic=2162.

Keep in mind that I wrote that over four years ago and a lot has changed since then.

If you're afraid of taking any chances then the chances are great that you will never learn anything
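rdsok's advice to save every scanner's report and pcuser's one-line answer ("Does the file still exist?") together describe the verification step the original question asked for. The script below is an added example (not from either poster or from the UBCD4Win project): it parses a constructed report in a generic `timestamp,action,path` style, maps each Windows path onto the offline volume mounted at `volume_root` (a hypothetical path, as in the PE environment), checks whether every item the scanner claims to have quarantined or deleted is actually gone, and records a SHA-256 for anything left behind so the check can be filed with the report. The report lines, the file names in them and the sample volume are all constructed for the demo and do not follow any particular product's log format.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional

# Constructed sample report in a generic "timestamp,action,path" style. It is
# demo data and does not reproduce any particular scanner's log format.
SAMPLE_REPORT = """\
2009-09-19 10:05:11,Quarantined,C:\\Documents and Settings\\alice\\Local Settings\\Temp\\dropper.exe
2009-09-19 10:05:12,Deleted,C:\\WINDOWS\\system32\\sample_bad.dll
2009-09-19 10:05:13,Left alone,C:\\Program Files\\RemoteAdmin\\vnc.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+),(?P<action>[^,]+),(?P<path>.+)$")
REMOVAL_ACTIONS = {"quarantined", "deleted"}


def parse_report(text: str) -> List[Dict[str, str]]:
    """Turn report lines into dicts; lines that do not match the shape are ignored."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings


def to_mounted_path(win_path: str, volume_root: str) -> str:
    """Map 'C:\\dir\\file' onto the offline volume mounted at volume_root (hypothetical)."""
    without_drive = re.sub(r"^[A-Za-z]:", "", win_path)
    parts = [p for p in without_drive.split("\\") if p]
    return os.path.join(volume_root, *parts)


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_cleanup(report_text: str, volume_root: str) -> List[Dict[str, Optional[object]]]:
    """For each finding, look at the disk and record what was actually seen.

    'verified' is True when an item the scanner says it removed is gone,
    False when it is still present, and None for actions that removed nothing.
    """
    results = []
    for finding in parse_report(report_text):
        local = to_mounted_path(finding["path"], volume_root)
        present = os.path.lexists(local)
        removal = finding["action"].strip().lower() in REMOVAL_ACTIONS
        results.append({
            "path": finding["path"],
            "action": finding["action"],
            "still_present": present,
            "sha256": sha256_of(local) if present and os.path.isfile(local) else None,
            "verified": (not present) if removal else None,
        })
    return results


def unresolved(results: List[Dict[str, Optional[object]]]) -> List[str]:
    """Paths the scanner claims to have removed that are still on disk."""
    return [str(r["path"]) for r in results if r["verified"] is False]


def build_sample_volume() -> str:
    """Constructed volume: the DLL really is gone, the dropper was left behind."""
    root = tempfile.mkdtemp(prefix="fakevol_")
    leftover = to_mounted_path(
        r"C:\Documents and Settings\alice\Local Settings\Temp\dropper.exe", root)
    os.makedirs(os.path.dirname(leftover))
    with open(leftover, "wb") as fh:
        fh.write(b"MZ constructed sample, not a real binary")
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    results = verify_cleanup(SAMPLE_REPORT, vol)
    for r in results:
        print(r)
    print("still on disk despite the report:", unresolved(results))
```

Running the same check against the reports of a second scanner, as rdsok suggests, costs nothing extra: the report text is the only input, so each tool's findings can be verified against the same offline volume and the hashes compared across runs.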

#6 Lord Necron (Member, Group: Members, Posts: 32, Joined: 12-August 09, Gender: Male, Location: USA)

Posted 21 September 2009 - 09:07 PM

              Not much, but I put a few pointers here.
