Advanced Virus/Malware/Spyware Removal

PR Tech

Location
Paso Robles, CA
Anyone willing to teach an online class on advanced virus/malware removal? I am willing to pay. I am always looking to learn more and become better at my craft. I feel like I rely a bit too much on scanners and want to become more proficient at utilizing Process Explorer and other manual removal techniques. It would be interesting to see if we can put together a group to make it worth someone's time to teach new techniques (or tried and true techniques).
 
Maybe I want to give it a try.

Please PM.

You may need hours of time if you use scanners with a malware signature database.

In my opinion, first manual removal, then let the scanner do the other job.
 
Sadly Process Explorer is all but useless these days. Even the most basic malware hides its processes from it.
 
Thank you for the links Crgky12y. I certainly appreciate it. I am not so much having trouble removing infections, but I know there is always more I can learn to hone my craft. I use a variety of techniques and so far they have been successful. However, due to the rapidly changing nature of infections, I want to be as far ahead of the game as possible. I am up for trying new ways of tracking down and removing infections. Again, I appreciate links to any video tutorials or sites that get down to the nitty gritty of it.
 
What techniques are you using currently?

It's impossible for anyone to say whether they have anything to teach you if we don't know what you already know.
 
I'm pretty good with the viruses. But I could really learn some stuff about rootkits. How are you guys unhooking them? I have used TDSS and it is not doing much for me. I have played with GMER but there is so much about rootkits that I don't know.
 
Also Interested.

Anyone willing to teach an online class on advanced virus/malware removal? I am willing to pay. I am always looking to learn more and become better at my craft. I feel like I rely a bit too much on scanners and want to become more proficient at utilizing Process Explorer and other manual removal techniques. It would be interesting to see if we can put together a group to make it worth someone's time to teach new techniques (or tried and true techniques).

I would also be interested. I'm pretty good at virus/malware removal but feel I could learn more and maybe do it at a much faster pace.
 
I'm pretty good with the viruses. But I could really learn some stuff about rootkits. How are you guys unhooking them? I have used TDSS and it is not doing much for me. I have played with GMER but there is so much about rootkits that I don't know.


Hang around the Sysinternals, KernelMode, and other such forums, and it won't take long to learn. :)
 
How much do you want to learn?
There is so much information available.
You need to know what you expect to get out of it and what your expectations are...
How far down the rabbit hole do you want to travel ?
Malware is written in many languages (many), and there are even some trends back toward malware's early days when viruses were written in assembly language (using assembly language for Windows, not for DOS like in the old days).
Most malware is written in scripting languages or high level languages.
So... How advanced do you want to get?
John McAfee used to have the PVTools for analyzing viruses way, way back when...
It's ancient. I'm more than certain they probably still have customized tools, only more updated and advanced.
But analyzing malware usually revolves around several levels of comprehension and understanding.
Are you a tech that uses only scanners?
Are you a tech that knows what processes should be running and kills ones that shouldn't?
Are you a tech that can go through the Windows registry searching for viruses and trojans embedded in Run keys and everywhere else?
Do you go into the system directory and type dir /o:d to see what's been added last?
Do you realize that 99.9999% of viruses come from the internet and therefore ...
or...
Are you interested in learning even more?
c++, c, vbscript, jscript, java, assembly, and others just to name a few?
Then are you interested in decompiling the malware into its precompiled state and reading the code to see what it does?
For example, if it's an assembly language based virus, can you disassemble it using something like vcomm's Sourcer, or even Sen's Hacker's View? Then edit the code and recompile it or change it? Or use the knowledge to write a small program that will remove it? Do you have outdated knowledge of things like the SoftICE debugger? lol.
If it's a script, can you edit and understand the script? Do you know how to unpack files that have been packed and encrypted so that you can then decompile them? Also, how to identify which is which?
Do you use Windows based and console based compilers and linkers and decompilers?
What tools are available to you to 'deconstruct' the malware?
 
After watching Mark Russinovich's video it's important to go to MalwareDomainList.com and download 10 or so viruses, then infect your test machine and clean it. Do this once a week for a month and you'll learn a lot. Post questions here if you get stuck cleaning off viruses.
 
The thing is, to really understand rootkits and other malware you need to be able to program and debug.

But do we really need to understand them? Probably not. What we need to be able to do is to detect them and to remove them. 90% of this entails using built-in or 3rd party tools to spot anomalies. You don't need to disassemble the file 3rY7311q.exe you found in a user's temp folder to know it's probably some malware.

We also don't usually have the time to go into intricate details about it. For standard malware you're looking at startup entries, processes and executable files in a limited number of locations. There are tricks and tools for finding these that are very common knowledge. With rootkits you're looking at similar things plus hooks, added drivers and altered system files. Again, there are tools and tricks to find these, but these are not so easy to find on Google.
 
How far down the rabbit hole do you want to travel ?
> As far down as I can. I just have a huge desire to learn more.

Most malware are written in scripting languages or high level languages.
So... How advanced do you want to get?
> I want to become advanced at all types of infection removal. I am proficient now, but I can always do better. I do not currently infect a virtual machine to root out problems, but I should and will to get a better understanding of how infections behave.

Are you a tech that uses only scanners?
> No, but I believe I rely on them more than I should. I try to use a variety of techniques. I use Process Explorer and Autoruns, but I am not at the level I would like to be at with tracking down the baddies. I also use UBCD4Win when needed.

Are you a tech that knows what processes should be running and kills ones that shouldn't?
> I have absolutely killed a good process or two in my day. It has been trial and error with figuring out what does not belong.

Are you a tech that can go through the Windows registry searching for viruses and trojans embedded in Run keys and everywhere else?
> Yes, but I don't know all of the keys I should be checking each time I do a removal to see if something is still lurking.

Do you go into the system directory and type dir /o:d to see what's been added last?
> No. I will add this to my procedure list. I normally do this manually by going to folders that are generally targeted. I like your way much better.

Are you interested in learning even more?
> For sure. It looks like there are a few TN's that are also game. I do not want to be just merely competent.

Then are you interested in decompiling the malware into its precompiled state and reading the code to see what it does?
> Not unless it would assist me with being able to better identify and remove infections. This is possibly where the rabbit hole ends for me. Again, I guess it all depends on how this would assist in the end...to provide a virus/malware/spyware free system back to the client. I am confident I am doing this now, but the complication factor has skyrocketed over the last year or so. How do we stay one step ahead, if you know what I mean?

If it's a script, can you edit and understand the script? Do you know how to unpack files that have been packed and encrypted so that you can then decompile them? Also, how to identify which is which?
> I do not.

Do you use Windows based and console based compilers and linkers and decompilers?
> No.

What tools are available to you to 'deconstruct' the malware?
> None to deconstruct. I only use tools available to me to remove infections.

Thank you everyone for taking time to respond to this post. The feedback is tremendous and so very much appreciated.
 
I don't think a person needs to be able to program/debug/decompile before they can effectively remove malware.

You should read up on rootkits though.

- Rootkits
- What are they?
- What types are there?
- What Windows mechanisms do they utilize?
- What tools are effective in removing the rootkit/s?
 
Well...
Many programmers can easily create things that are not detected by antivirus.
I myself made a remote admin tool, which could be used as a trojan quite easily. No antivirus on the market picked it up. Even though I used it to remote admin a business owner's servers (with that customer's permission, of course), and watch over their IT and accounting people. It could have been used for many things... That is the reason I keep it to myself and the client. Only we know it's there and what it does. Do you understand?

* So your entire theory about scanners rendering a machine 'clean' is pretty much not real. Because if a simple person like myself can write something in C++ that lets me remote admin a server under the auspices of antispyware without ever being detected, then it just goes to show you that anyone else can do the same.

All you are doing, with your knowledge, is removing what antivirus vendors have identified as a virus or trojan or some other malware. Which is fine and I don't care to argue semantics with you.

I would like to point out, that using the technique you guys use... You cannot ever guarantee the machine is 100% clean when you give it back to the customer.
It's not even a question in my mind. at all. ever. period.

This is exactly why most of the big chains lift the user's documents, reformat the drive, then reinstall the OS, drivers, and finally the documents.

Make of it what you will... It is what it is. Anyone can write a virus or trojan or remote admin tool. <wink>

I don't write viruses (code that replicates) or trojans (code that replicates and sabotages). It is illegal, and if you deploy such code into the wild, you can be fined and imprisoned if they catch you. Remote admin tools do not fall under the same category. That's not to say that as a computer virus researcher I can't create them on my virtual machine and erase them, but I guarantee you, that if someone as thick as me can do this, there are others who have done much more.

You may send back a PC that you scanned with 5 different scanners thinking it is clean as a whistle. That same machine you give back could be compromised by something you and your scanners don't even know exists. So you are giving back an infected machine.
 
Well...
Many programmers can easily create things that are not detected by antivirus.
I myself made a remote admin tool, which could be used as a trojan quite easily. No antivirus on the market picked it up. Even though I used it to remote admin a business owner's servers (with that customer's permission, of course), and watch over their IT and accounting people. It could have been used for many things... That is the reason I keep it to myself and the client. Only we know it's there and what it does. Do you understand?

* So your entire theory about scanners rendering a machine 'clean' is pretty much not real. Because if a simple person like myself can write something in C++ that lets me remote admin a server under the auspices of antispyware without ever being detected, then it just goes to show you that anyone else can do the same.

All you are doing, with your knowledge, is removing what antivirus vendors have identified as a virus or trojan or some other malware. Which is fine and I don't care to argue semantics with you.

I would like to point out, that using the technique you guys use... You cannot ever guarantee the machine is 100% clean when you give it back to the customer.
It's not even a question in my mind. at all. ever. period.

This is exactly why most of the big chains lift the user's documents, reformat the drive, then reinstall the OS, drivers, and finally the documents.

Make of it what you will... It is what it is. Anyone can write a virus or trojan or remote admin tool. <wink>

I don't write viruses (code that replicates) or trojans (code that replicates and sabotages). It is illegal, and if you deploy such code into the wild, you can be fined and imprisoned if they catch you. Remote admin tools do not fall under the same category. That's not to say that as a computer virus researcher I can't create them on my virtual machine and erase them, but I guarantee you, that if someone as thick as me can do this, there are others who have done much more.

You may send back a PC that you scanned with 5 different scanners thinking it is clean as a whistle. That same machine you give back could be compromised by something you and your scanners don't even know exists. So you are giving back an infected machine.

This is definitely a worst case scenario. Hopefully things like this would be found by checking out startup, running processes, etc. What big chains wipe and reload? Geek Squad doesn't.
 
@PcTek,

A little offline analysis of the registry loading points via a tool such as OTL followed by a system file integrity scan to hunt for patched drivers can clean up even the nastiest rootkit infections. Following that, the only thing that's generally left is any ancillary junk which is no longer being loaded with the OS by the time it's scanned/removed, or at the very worst, an MBR bootkit or one of the rarer polymorphic file infectors. All of these are detectable and nearly all are removable.

I truly believe that with the proper care and expertise, it's possible to disinfect nearly anything with what amounts to, effectively, 100% confidence. But the initial offline analysis is truly the most important ingredient of this technique if you ask me.

Just my two zenny.
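The posts above describe the same triage loop from three angles: the Run keys, the newest files in the system directory (dir /o:d), and added or patched drivers. The script below is an added example, not code from this thread or from OTL or any other tool mentioned here; it walks those three loading points read-only on a live Windows system and assumes an elevated PowerShell session and the standard Win32_SystemDriver and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the thread): read-only triage of the loading points
# discussed above. Nothing is modified or deleted; the output is a list of leads.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Registry autostart entries (the "Run keys" the posts refer to).
function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }   # skip PowerShell's own metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. The PowerShell equivalent of "dir /o:d" in System32: newest files first.
function Get-RecentSystem32Files ([int]$Days = 7) {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $sys32 -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, Length
}

# 3. Kernel drivers whose image has no valid Authenticode signature: a cheap
#    "system file integrity" check for added or patched drivers.
function Get-UnsignedDrivers {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        # PathName may use \SystemRoot\, \??\ or a path relative to %SystemRoot%.
        $path = $_.PathName -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path $path)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = $sig.Status }
        }
    }
}

Get-RunKeyEntries        | Format-Table -AutoSize
Get-RecentSystem32Files  | Format-Table -AutoSize
Get-UnsignedDrivers      | Format-Table -AutoSize
```

Treat every row as a lead to check against a known-good machine, not a verdict: a vendor driver with an expired certificate or a Windows Update that landed this week will show up here too, and a rootkit that hides from the live system is exactly why the post above insists on doing this analysis offline as well.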
 
* I thought Geek Squad's policy was to format and reload. So I may be misinformed.

However, I have definitely carried computer viruses for years on a CD that had been scanned by multiple scanners with nothing found. Maybe several years passed by before the virus on that CD was found. This has not happened to any of you? I am very surprised if that is true.

I found a virus in professional CD burning software on a factory made CD. I found a virus on a CD my friend made for my birthday; I myself scanned it many times through the years with different scanners.

While I agree it is a worst case scenario, I do not believe that it is rare, or that it is isolated to certain individuals. If anyone out there has had a situation where you found a virus on files that you know you scanned many times with various antivirus software, and then one day antivirus technology caught up with virus technology and you discovered an infection you didn't know you had, please chime in. :)
 