Virus Removal Training?

Dark

Does anyone know of some good training material for malware removal? Preferably videos (for time sake) and preferably free since I just started my business and money is tight.

I know my weak points and must admit that virus removal is probably my second biggest soft spot. For the most part I'm dependent on the various scanners I employ to remove viruses for me and it's weighing on me something fierce.

As yet I haven't found a virus that I couldn't remove through those means but I really want to deepen my understanding of the entire process. Especially manual removal since, according to what I've read here, it tends to be much faster than running repeated scans. I always run each scan at least twice if it finds a virus on the first pass. The reason I do this is because sometimes after the scanner 'removes' the virus then you reboot the computer and run the scan again and voila! it's back even though the scanner claimed it had been removed. At that point I usually try a different scanner and do some serious finger crossing.

I truly desire to do right by my customers and it's really bugging me that I'm so dependent on these scanners.

For those who are curious, I feel my biggest weak point is charging people. If my business fails it won't be for a lack of customers or lack of knowledge in repairing computers, it will be due to a lack of cut-throat, capitalistic drive. I've been working on people's computers for free for so long, nice guy syndrome I guess, that I'm really having a hard time charging people money and when I do I tend to undercharge them. < I think I'll need a whole different thread (on a psychology forum lol) for this one.

Virus removal training suggestions?
I do have a virtual machine I use to infect and remove viruses but a more accurate translation would be that it's a scanner tester since that's all I do is infect then scan.
 
There's an hour and 10 minute seminar video posted somewhere on Microsoft's site. Hopefully someone has a link? You'll learn plenty. It teaches how to use AutoRuns and Process Explorer among other things. The only thing it doesn't cover is how to use a BART PE CD to load and edit the registry start up entries.

UPDATE: Well it WAS called "Advanced Manual Malware Cleaning Techniques by Mark Russinovich" but Microsoft inexplicably removed it.
 
You can also join Bleeping Computer. They have a malware removal training (all online) which will help you learn manual removal of malware. The only thing they ask is that when you finish the training (it can take a minimum of 6 months) you help people on their site or associated sites to remove their malware.
 
Thanks for the replies. I'll throw my OCD at those suggestions and see what I can learn. :)

The more sources the better though so if anyone else has some suggestions I'll be happy to check them out.

Thank you.
 
Search for this term using google "Advanced Manual Malware Cleaning Techniques by Mark Russinovich"

The fifth result is a PDF that has the powerpoint presentation.

At least something...I have not found the video either.
 
No the proper one is in front of a live audience and he goes through how processes are recreated after you delete them and cause reinfections. I have watched it and it is over an hour long.

edit

Actually it threw me because you see the audience normally at the beginning. I think this is it broken up into sections.
 
I'll watch all of these that are in this series anyway (the more the better right) and keep looking for the other.
 
I have the video saved to my hard drive somewhere but don't know if it would break Technibble rules uploading it for you??
That would be very generous of you if it's permitted.

If I do manage to get a copy from somewhere I may see about putting it up on youtube. Be nice if it was a downloadable file from Technibble.
 
The training offered by the malware removal sites is pretty good , but it's quite long and laborious. They are training you to remove viruses via forums, so much of it is how to post instructions people will follow. I found that very boring. Then, as mentioned, they expect you to give back by helping on the forums. I started the training but simply did not have the time to complete it or commit to helping at the end of it.

The Russinovich stuff is a touch out of date but still very useful indeed I think. Personally I don't find myself using Process Explorer as often as I used to in the days when viruses were happy to let you use your PC. Plenty of malware won't let you run it or can hide quite successfully from it.

I'd agree that practicing on some live malware, with some idea of how to approach it is going to be invaluable.

For example. I had a fake AV called Antispyware OEM in today which appears to be quite new if google results are anything to go by. This is what I did to remove it:

1. Boot into safe mode which allowed me to run regedit, otherwise I'd have used a boot disk.
2. Use regedit to check the common start-up places in the registry for suspicious entries. I found entries in the Run key in the local machine hive for a file called qsimijsdw.exe and another called A00F63A2F5.exe. I noted the file names and locations they referred to and deleted these entries.
3. Searched the registry for other instances of the files and found them in the Local User hive too. Deleted those.
4. Went to the locations, found the files, renamed them and noted the date and time they were created.
5. Searched the PC for other instances of those files.
6. Searched the PC for other instances of that date and time.
7. Deleted some other files that step 6 found.

That's it. That's what I do 90% of the time. Sometimes reg entries are hard to find, so I'll reverse the process and check the common file areas (temp files, application data, system32) to find suspicious files and then search the reg for those. But that is my technique in a nutshell - the malware has to start somehow (commonly a reg entry) and it has to have some executables to run (usually in a handful of folders). Break that link and it can't operate.

It's not always as easy. Rootkits can be much harder to find but this is a good place to start in my opinion and I'm sure it's similar to what most people here do. If you do that on some infected VMs you'll soon learn the places to look and what is legit and what is malware.

Having said all that I'm pretty sure that starting in safe mode running MBAM or doing a system restore would have worked just as well.
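A read-only PowerShell triage of the same autostart-to-executable link the post above walks through, added here as an example rather than anything the poster ran: it lists the common Run/RunOnce values, resolves each to a file, reports creation time and signature status, and offers a helper for step 6 (other files created around the same time). The registry paths and folders are the standard ones; the file name in the comment is the one from the post and is only illustrative.

```powershell
# Added example (not the poster's code): list the common Run/RunOnce autostart
# values, resolve the executable each one points to, and report where it lives,
# when it was created and whether it carries a valid Authenticode signature.
# Read-only triage for the manual check described above; it deletes nothing.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a command line, quoted or not, e.g.
#   "C:\Users\x\AppData\Roaming\qsimijsdw.exe" /silent   (name taken from the post)
function Get-ExePath([string]$command) {
    $c = $command.Trim()
    $q = $c.IndexOf('"', 1)
    if ($c.StartsWith('"') -and $q -gt 1) { return $c.Substring(1, $q - 1) }
    $m = [regex]::Match($c, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split ' ')[0]
}

$results = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $path = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$item.GetValue($name))))
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $created = $null; $signed = $false
        if ($file) {
            $created = $file.CreationTime
            # unsigned binaries under AppData, Temp or ProgramData deserve a closer look
            $signed = (Get-AuthenticodeSignature -LiteralPath $path).Status -eq 'Valid'
        }
        [pscustomobject]@{ Key = $key; Name = $name; Path = $path
                           Exists = [bool]$file; Created = $created; Signed = $signed }
    }
}
$results | Sort-Object Created | Format-Table -AutoSize

# Step 6 of the post: other files in the usual drop folders created within a few
# minutes of a suspicious entry; pass that entry's Created value.
function Find-FilesCreatedNear([datetime]$when, [int]$minutes = 2) {
    $folders = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)
    Get-ChildItem -LiteralPath $folders -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $when).TotalMinutes) -le $minutes } |
        Select-Object FullName, CreationTime
}
```

Run it from an elevated prompt (in safe mode if the machine will not let it run otherwise); an entry whose file is missing, unsigned, or sitting in a user-writable folder is the kind the post's manual check is looking for, and it is still your call what to delete.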
 
You're awesome B3ng. You know what this means? HUG TIME! :D

Thanks also to you Mobile Techie. I'm going to print up your post and a couple of others I've seen on this forum that are similar and work to hone my skills.
 