Technibble Forums > General Computers > Tech-to-Tech Computer Help

#1 - 12-07-2010, 04:40 PM - desert_gold_hound

Admitting My Own Flaw
I do consider myself a good tech; however, I am far from the best. I like to learn new things, fixing hardware (swollen caps...), treat customers with respect, am good with laptop hardware and rebuilding, and am willing to find the answers I don't know and work hard.

With all the above positives I have, there is one negative that I must overcome: I suck at virus, spyware, and malware removal. I run AVG, Malwarebytes, SpyBot, and then if that doesn't do it (unless they tell me the name of the virus) I nuke and pave. I don't do manual removals in most cases unless, like I said, I know the name of the virus/bug and can Google it. I used to have a partner who was really good at the above, but he is no longer with this world.

What I am getting at is I must learn to find and destroy these problems manually. I am going to start by getting viruses on a test bench and manually trying to find them and get rid of them with as little research as possible. I have a buddy I am sure can load up some good ones.

I am wondering what you all think: is this the best way to learn to deal with these little insects, or should I just keep up with what I am doing, nuke and pave with a backup? I prefer this in most cases as it's cheaper for the customer; however, business customers don't like this path as much.

Don't get me wrong, I am not the type of tech that only nukes and paves; I do look for problems and fix them. I even dig into what viruses I know about that AVG doesn't work on and keep a list of places they hide.

Well let me know how you suggest learning to deal with these bugs and I will start getting busy.

#2 - 12-07-2010, 04:42 PM - joydivision

Start by reading the virus section of this forum. The book is a little out of date, but I would recommend Rootkits for Dummies too, as it goes into a lot of detail about how rootkits work and how to detect them.

You need to have a brief understanding of rootkits as they now affect everything we do.

#3 - 12-07-2010, 05:07 PM - dannyd

Install a virtual machine, create a snapshot of a clean system, download some malware samples from http://www.malwaredomainlist.com/, install HijackThis, Process Explorer, Autoruns, etc., learn how malware changes system settings, startups, etc., scan with scanners, learn the virus starting points and then manually delete.

#4 - 12-07-2010, 06:08 PM - MobileTechie

Definitely do it on VMs. You can just roll them back or recreate a new one when you've finished to guarantee a clean system to work with, plus there is no real chance of getting infected yourself.

Watch the Mark Russinovich video lecture on "advanced malware removal" for basic malware. Info on rootkits is harder to come by in such a spoon-fed manner. I'd recommend the Rootkits for Dummies book as a good intro to the subject. Download and try to work out how to use: Rootkit Unhooker, Kernel Detective, RootRepeal, IceSword, BlackLight and Malware Defender. Practical scanning tools that actually work on modern kits include GMER and TDSSKiller.

#5 - 12-07-2010, 06:33 PM - desert_gold_hound

Thank you all. I will be checking out that Dummies book. I now have a place to go from. What's sad is I have a current A+ cert and have always kept it up to date, and yet I don't know much about the internal workings of operating systems. That is not to say I don't have some understanding: I have no problem getting around the registry, driver problems, or even fixing a lot of problems with Windows. I just know what to do and how, but not what is going on in the background.

I think it's time I go from being that good tech to that even better tech. I have always prided myself on being one of the best techs in almost every town I have lived in. The problem is most towns have had a population of 20,000 or less. It's time I admit my faults and fix them. I hope some others can admit their faults, as that is what makes us better at anything.

#6 - 12-07-2010, 09:21 PM - MobileTechie

Anyone with that attitude over a period of time will keep learning and do well. You can't learn it all. I wish I had more time to learn all the things I want to learn. I'm sure you know stuff others don't in various areas.

The A+ cert is pretty basic and really just gives you the essentials. I'd recommend the MS exams too. If you learn the ones required for an MCSA you'll end up knowing a lot of useful stuff you probably didn't know before. Then you'll forget it in a year when you don't use it, but that's life! The exam cert gives business clients confidence, in my experience.

The manual removal skills are sometimes a little overplayed by some and can often be pretty basic stuff, to be honest. On a very simple level, your basic malware infection is an executable file plus a registry entry to make it start with Windows. If you learn the common places those files and entries are found, you're well on the way to removing them manually. Once you've identified one file, you can often use the created or modified date to search and find other files, then search the registry for their entries, and so on. Autoruns makes this much quicker.

Process Explorer will show the processes of simple infections but only simple ones. Most evade it these days.

On the rootkit side things get more tricky. Generally they are making changes to address tables to make functions point to their own code, which enables them to hide resources like files and processes. This is called hooking. If you download one from malwaredomainlist.com (search for TDSS) you can see this in action by running the exe file and watching it vanish! The user-level ones alter various applications in Windows, but not all, and tend to inject their own DLLs. The kernel-level ones can hook the kernel itself, thus affecting all applications that use the kernel (which is to say almost all applications unless specially written to avoid this), and generally inject their own driver or alter a valid one. Drivers have low-level access by default. So obviously the detection tactics rely on looking for these hooks, DLLs and driver files. Some RKs try to hide their files by altering the output of Windows functions or applications, so an offline check using a boot disk will enable you to see the differences in the lists of files. Hence their self-protection becomes a tool for detection. The ones that use valid Windows files will have problems signing them properly or producing the correct hash value. They can hide these anomalies in Windows, but outside of Windows they have no power, so again this comparison can be useful.

So it's worth learning about file signing, address tables etc. You need to know what is normal by studying a known clean system, infecting it, looking at the tables and files, and learning to spot anomalies. It's all cat and mouse as both sides up their game and switch tactics. Most of the stuff in that Dummies book is out of date now but still worth knowing. These days I hardly ever see a rootkit altering the IAT. My personal view is that it is very hard for a non-programmer to truly understand what is going on with rootkits, but we can only try. There are people on this forum writing little tools to test their own ideas and using them. othersteve's and gandalf's posts are worth looking out for on this subject, I find.

If you want to swap samples or generally converse on it, then feel free to post here or let me or others know. It's a hot subject and an interesting one.

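The offline cross-view comparison MobileTechie describes (listing the file system from inside the running Windows system, then again from a boot disk, and diffing the two) as an added example that is not part of this thread or any tool mentioned in it. It assumes a simple "path<TAB>sha256" listing format and uses constructed sample listings; a file present offline but missing online points at something filtering the live view, and a hash that differs between the two views points at a file whose live output is being altered or that has been replaced.

```python
from typing import Dict, List

# Assumed listing format: one "path<TAB>sha256" line per file.
# Both listings below are constructed sample data, not from a real system.
ONLINE_LISTING = """\
C:\\Windows\\System32\\ntoskrnl.exe\t1111aaaa
C:\\Windows\\System32\\drivers\\atapi.sys\t2222bbbb
C:\\Windows\\System32\\kernel32.dll\t3333cccc
"""

OFFLINE_LISTING = """\
C:\\Windows\\System32\\ntoskrnl.exe\t1111aaaa
C:\\Windows\\System32\\drivers\\atapi.sys\t9999ffff
C:\\Windows\\System32\\kernel32.dll\t3333cccc
C:\\Windows\\System32\\drivers\\hidden.sys\t4444dddd
"""


def parse_listing(text: str) -> Dict[str, str]:
    """Map lower-cased path -> digest; Windows paths are case-insensitive."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, digest = line.rsplit("\t", 1)
        entries[path.strip().lower()] = digest.strip().lower()
    return entries


def cross_view_diff(online: Dict[str, str], offline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live (online) view with the boot-disk (offline) view."""
    # On disk when booted offline, but filtered out of the running system's view.
    hidden = sorted(p for p in offline if p not in online)
    # Reported by the live system but absent on disk: unusual, worth a look.
    only_online = sorted(p for p in online if p not in offline)
    # Same path, different content: live output altered or file replaced.
    mismatch = sorted(p for p in online if p in offline and online[p] != offline[p])
    return {"hidden_online": hidden, "only_online": only_online, "hash_mismatch": mismatch}


def report() -> Dict[str, List[str]]:
    return cross_view_diff(parse_listing(ONLINE_LISTING), parse_listing(OFFLINE_LISTING))


if __name__ == "__main__":
    for category, paths in report().items():
        print(category, paths)
```

A hash mismatch alone does not say which view is lying; compare both digests against a known-clean copy of the same Windows build to tell a tampered live view from a replaced driver.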

#7 - 12-08-2010, 12:06 AM - loaner

There is a nice little ditty by Bryce that will give you some kind of idea about a few things. Here's the link:

http://www.technibble.com/articlecon...us-Scanner.wmv

roy