TECHNOTIKA, on 15 September 2009 - 04:48 AM, said:
Hi
I am doing a lot of "malware, virus" cleaning etc.
I have been a fan of UBCD4WIN for ages and was wondering what steps all you other pros use to clean up "a hostile" PC.
Perhaps it's something other than UBCD; however, I know that using the CD is best because it's in a pre-Windows environment.
Also any tips to actually prove you cleaned the scum off?
Thanks guys!!!!!

Was tired of hearing the crickets and created an account just so I can start off with a response. Would also like to hear how others are using this for malware/virus work too so thought I'd start by sharing how I use UBCD4WIN.
I am a few months into Information Assurance work myself and came upon UBCD4WIN as I was looking for a bootable CD to overcome the poor password management in my work environment. I'm new to UBCD4WIN, so only recently have I been exploring the other tools that come with the standard build. I guess I can break it down like this:
1. Administrator password reset
-Boot to the UBCD4WIN environment to change the local administrator password. I needed this because if a workstation's port were disabled by the N.O.C., then I had no way to log on with my admin account to conduct my malware/virus cleanup.
2. Profile clean up
- I like to clean out the temp files of all user profiles on the workstation, etc., as it makes the anti-virus scan run a little faster. I ran CCleaner recently out in the field but learned via their forums that CCleaner only cleans the profile of the currently logged-in user.
-I will try out ATF cleaner on my next build.
3. Sysinternals
-When I create my ISO I use the "Custom" option and point to a folder I label 'PsTools'. I have the entire Sysinternals suite from Microsoft extracted in that folder. In that folder I also downloaded Windows System Control Center, which is basically just a front end GUI for Sysinternals and tools from Nirsoft.
4. Anti-virus
-We use Symantec Anti-Virus Corporate Edition at work, so I download the latest Symantec virus definitions before burning my ISO. I save them in a folder in my PsTools folder mentioned above. If a workstation I am investigating is not getting updated from one of our parent servers, I at least have the latest definitions to install locally before I run a full scan.
-I have yet to run any of the free AV software that comes with UBCD4WIN but I do update them before I burn my ISO.
5. Malware
-I have yet to use them in the field, but I also update Malwarebytes and Spybot Search & Destroy before I burn my ISO.
And I also saved and printed a copy of the Spyware/Virus removal and clean up post at
http://www.ubcd4win....showtopic=2162. I tried out EZPCFix on my own laptop to delete the Temp files. I have yet to try it in the field but will keep it in mind if I don't have any luck with ATF Cleaner mentioned above. Still deciphering some of the other recommended registry cleaning techniques in that guide, but I like having a printed copy as a reference.
As far as knowing if a workstation is clean...hmm. To date, SAVCE has been catching everything malicious, so I guess I have been lucky so far. If the SAV log says a risk has been quarantined and/or deleted, I tend to go with that. I also read up on the risk detected and check any registry entries it is reported to write. BUT, so as not to be too reliant on one solution, I have been testing out both Malwarebytes and HijackThis. I lurk on the Malwarebytes, Bleeping Computer, and MajorGeeks forums to learn how to use these products. Usually I read the logs posted by users requesting assistance, and then compare them to the post-infection logs after they have been provided assistance.
That's my experience and usage...
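Two steps of the workflow above are worth showing in code: clearing Temp for every profile on the offline drive (the post notes CCleaner only touches the logged-in user, which is exactly the wrong scope when you booted from the CD), and answering the original "prove you cleaned it" question by diffing an autostart inventory taken before and after the cleanup. This is an added Python example, not code from the post, from UBCD4WIN or from any of the tools named; it assumes the infected system drive is mounted read/write from the boot environment at `offline_root` (a hypothetical path such as `D:\`), that profiles live under the XP-era `Documents and Settings` or the Vista-and-later `Users` tree, and that the inventory is in HijackThis-style `O4` lines. The sample log lines below are constructed, not real detections.

```python
"""Offline cleanup helpers (added example; not from the post or from UBCD4WIN).

Assumes the infected system drive is mounted read/write at offline_root,
e.g. "D:\\" after booting the CD. Nothing here touches the booted OS.
"""
import os
import re
from pathlib import Path

# Temp locations relative to each profile, XP layout and Vista+ layout.
PROFILE_TEMP_SUBDIRS = (
    Path("Local Settings") / "Temp",                      # Windows XP
    Path("Local Settings") / "Temporary Internet Files",  # Windows XP
    Path("AppData") / "Local" / "Temp",                   # Vista and later
)


def profile_dirs(offline_root):
    """Yield every user profile directory on the offline drive (both layouts)."""
    root = Path(offline_root)
    for parent in (root / "Documents and Settings", root / "Users"):
        if parent.is_dir():
            for p in sorted(parent.iterdir()):
                if p.is_dir() and not p.is_symlink():   # skip symlinked profiles
                    yield p


def sweep_profile_temps(offline_root, dry_run=True):
    """Remove (or, with dry_run, only tally) files in every profile's Temp dirs.

    Returns {profile_name: bytes_found}. The Temp directories themselves are
    kept so programs that expect them still work; only their contents go.
    """
    report = {}
    for profile in profile_dirs(offline_root):
        freed = 0
        for sub in PROFILE_TEMP_SUBDIRS:
            temp = profile / sub
            if not temp.is_dir():
                continue
            # Bottom-up walk so subdirectories are empty by the time we rmdir them.
            for dirpath, dirnames, filenames in os.walk(temp, topdown=False):
                for name in filenames:
                    f = Path(dirpath) / name
                    try:
                        freed += f.stat().st_size
                        if not dry_run:
                            f.unlink()
                    except OSError:
                        pass  # locked or unreadable: report what we could see
                if not dry_run:
                    for d in dirnames:
                        try:
                            (Path(dirpath) / d).rmdir()
                        except OSError:
                            pass  # not empty (a file we could not delete)
        report[profile.name] = freed
    return report


# HijackThis-style autostart lines: "O4 - <key>: [<name>] <command>".
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def parse_autostarts(log_text):
    """Return {(key, name): command} for every O4 line in a HijackThis-style log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["key"], m["name"])] = m["cmd"].strip()
    return entries


def diff_autostarts(before_text, after_text):
    """Evidence for the ticket: autostart entries removed, added or changed by the cleanup."""
    before, after = parse_autostarts(before_text), parse_autostarts(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


# Constructed sample logs (placeholder names, not real detections).
SAMPLE_BEFORE = r"""O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [sample_dropper] C:\Documents and Settings\user\Local Settings\Temp\sample.exe
"""
SAMPLE_AFTER = r"""O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [sample_helper] C:\WINDOWS\system32\sample_helper.exe
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "D:\\"   # hypothetical mount point
    for name, size in sweep_profile_temps(root, dry_run=True).items():
        print(f"{name}: {size} bytes of temp files (dry run)")
    print(diff_autostarts(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run the sweep with `dry_run=True` first and keep its output with the ticket; the before/after diff of the `O4` inventory is the kind of artefact that lets someone other than you confirm the entry you read about in the AV write-up is actually gone, rather than relying on the scanner's own "quarantined" line. An entry that shows up under `added` after the cleanup deserves a second look, since a dropper that survived often re-registers under a new name.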