Who here actually knows how to cleanup spyware and viruses?

Do you cleanup by hand or rely on scanners?

  • By Hand: 23 votes (21.7%)
  • Scanners: 12 votes (11.3%)
  • Mostly scanners, some by hand at the end: 71 votes (67.0%)

  Total voters: 106
Okay, you can try to get them back, but as far as I know it's unlikely that they can be retrieved.
Here's what I'd do: Check the System Restore folder to make sure none of the registry key files are still there. System Restores are found in {root}:\System Volume Information\_restore{ABUNCHOFRANDOMTEXT}. You'll have to add yourself in permissions under the Security tab to open the folder.
If there's nothing of interest left, run "Restoration" on that drive. A lot of the time it won't know where the files came from, but it might be useful to sort by directory and look for the SVI folder. If not, search for .reg files.
That's all I'd know how to do, if anyone else has any suggestions I'm curious. Barring that I'd back up and nuke & pave.
 


Thanks for the tips, however there are no files to be restored. I had planned to N&P a few weeks back but just couldn't be bothered. I guess I'm gonna have to do it now. It's way better to mess up my machine than a customer's and then trying to justify my actions with them.
 
Why do temp files as the next-to-last step?

Excellent post Greg,

A lot of the bad guys get in via temp holding areas and sit there especially to pull in more malware, so why not get rid of the temp files right away?
 
forgot one key poll option...

Poll answers are
1. by hand
2. scanners
3. Mostly scanners, some by hand at the end.

I think a fourth option is more relevant and may be more indicative of how a lot of folks do it.

4. most by hand, finish up with full scans.
 

Agreed, it is more of an "all of the above as needed" answer I'd give in response to this question/poll.
 
I have been reading a lot of posts lately about malware that has someone stumped. Usually they start off by listing the scanners they have tried and the ones that helped or didn't. It's a bit strange to me since scanners are a last measure and really slow down the simple process. Good techs should be able to remove most viruses, including rootkits and other nasties, by hand with no scanner needed until the very end.
A question to clarify and help my understanding of your observations and techniques.

You are saying that a legitimate Windows file name (e.g. 'IExplore.exe', etc) is *rarely infected*. Correct?
 
Just something I am missing. I do some of the above by hand now but I want to start doing it all by hand. I feel I have relied on scanners too much it was just the only way I knew.

I had been so busy with wireless networks, hardware repairs, fixing Windows problems, and supporting users that viruses used to be just something I came across every few weeks; now it's a lot more common.

What I am missing is that I find on many older computers the Windows Boot CD takes a good 10-15 minutes to boot up, what is wrong with booting into safe mode and then setting windows to show all hidden files? Surely it is a lot quicker? Have I missed something?
 

I usually check the date of explorer.exe to make sure it's the original. However, I can't see how the file can be replaced within Windows itself; all that will happen is the registry will tell explorer.exe to load lots of DLLs up.
 
IExplore.exe was only an example.
I was trying to differentiate between two types of Malware:
1. Those that infect files (regardless of the file name infected) that already existed *before* the malware was installed.
2. Malware that does not infect preexisting files.
I was asking whether, in the OP's opinion and experience, #1 occurred very infrequently.
 
... Good techs should be able to remove most viruses, including rootkits and other nasties, by hand with no scanner needed until the very end.

... Most viruses, spyware, rootkits, malware, and so on can be removed by hand in about 15 minutes time.

... That simplified it a bit, but that is the basic procedure and it fixes things a LOT faster than relying on a few scanners to do the work ...

Dude. You got sKiLz


... hopefully you're not charging for 15 minutes! I charge $100 to $120 for that :D
 
Well... You might get some of them, but you won't get them all. I've written many programs in Intel assembly language, and in C++, and other languages, and I know that I can easily make the language date any file howsoever I wish it dated. Including reading the original date, and replacing it with my file of the same size, and the same date.
One of my favourite programs for seeing if there is a virus inside a file is called Hiew by Sen. Sen wrote hiew (hackers view) and gave it the ability to disassemble any file into hex or on-the-fly assembly language.
I also use MASM, or Microsoft Assembler, for writing and analyzing assembly code. There exists a zoo of disassembly programs for all languages. So you can disassemble something and look at the code. With hiew I can open any file and just see what is going on.
Hex/text view sometimes gives an idea of who made the file. But that can be faked. Like last night I had an antivirus swear that a file was a virus. I looked at it and saw it had been written by Microsoft.
If I switch into assembly language then I can look for interrupt calls to give me an idea of what the program does, e.g. int 10h is video, 16h is keyboard, 17h is printer, 21h is console services. Then of course just look near that to see the subfunction call code being moved into whatever register right before the interrupt call.
Then this will tell you what operation the program is doing, like is it about to format the drive, or open another program and write to that, etc.
So really, what I think this guy is doing is the best he can to get the most of them from the start. He is right. They are usually named something stupid like alskdfjlsdfj.dll but not always.
So I would use something to find out if there are any rootkits. Kernel mode rootkits are much more difficult to find than usermode rootkits. There is 1 type of kernel mode rootkit that can only be detected by a few rootkit scanners.
I currently have a creation that is completely invisible to Windows. I use this creation to access systems with the owner's permission. If for example I need to access a computer system in an emergency and fix something but I'm miles away... You would think VNC might be an option or something along those lines, but it never fails: someone in the corporation's I.T. department will kill the process.
So what this does is allow me to remotely fix their servers. Their IT people never know it's on there doing its job. Of course it's completely invisible and not picked up by any antivirus scanner. In other words, the process is hidden, the program instance is hidden, even the input and output are hidden. Of course remote administration tools are not illegal, but you can only use them with the owner's permission.
Of course it's not reproducing itself, like a virus would, or copying itself like a trojan. But it does show you the power of having something completely invisible even to commercial scanners. So basically just b/c everything looks ok, doesn't mean it is. Someone that possessed malicious intent and can program in c++ could obviously use the very same techniques to code a very bad virus or trojan.
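The interrupt-call check described a few posts up (find the `int` instruction, then look just before it for the subfunction number being loaded into AH) can be done mechanically as a first pass. The script below is an added example written for this thread, not a tool from any poster or from Hiew; it scans a raw 16-bit DOS code blob for `0xCD xx` opcodes and the nearest preceding `mov ah, imm8` (`0xB4 xx`). The sample bytes are a hand-assembled .COM fragment constructed for the demo. Two caveats a practitioner should keep in mind: a linear byte scan is not a disassembler, so a `0xCD` or `0xB4` byte sitting in data or in an immediate produces false hits that need confirming in a real disassembler; and this applies to DOS-era 16-bit code only, since Windows user-mode programs reach the OS through imported DLL functions rather than software interrupts.

```python
"""Locating software-interrupt calls in a raw 16-bit DOS code blob.

Added example, not code from the thread. It does the mechanical part of
what the post describes: find each `int XXh` opcode (0xCD 0xXX) and look a
few bytes back for the `mov ah, imm8` (0xB4 0xXX) that selects the DOS or
BIOS subfunction. A linear byte scan is not a disassembler, so treat the
output as leads to confirm by hand. SAMPLE_COM is constructed for the demo.
"""
from typing import List, Optional, Tuple

# Vectors the post mentions, plus int 13h (BIOS disk), which matters for
# anything that touches sectors directly.
INTERRUPTS = {
    0x10: "BIOS video",
    0x13: "BIOS disk",
    0x16: "BIOS keyboard",
    0x17: "BIOS printer",
    0x21: "DOS services",
}

# A few int 21h subfunctions (selected by AH) worth recognising on sight.
DOS_SUBFUNCTIONS = {
    0x09: "print string",
    0x3C: "create file",
    0x3D: "open file",
    0x40: "write to file or device",
    0x41: "delete file",
    0x4B: "load/execute program",
    0x4C: "terminate process",
}

# Subfunctions that change or run things on disk: the ones an analyst
# checking a suspect binary wants to see first.
WATCH_AH = {0x3C, 0x40, 0x41, 0x4B}


def _ah_before(code: bytes, int_offset: int, window: int = 6) -> Optional[int]:
    """Immediate of the nearest `mov ah, imm8` within `window` bytes before
    the int opcode at `int_offset`, or None if there is none."""
    for j in range(int_offset - 2, max(-1, int_offset - window - 1), -1):
        if code[j] == 0xB4:
            return code[j + 1]
    return None


def find_interrupts(code: bytes) -> List[Tuple[int, int, Optional[int]]]:
    """Return (offset, vector, ah) for every 0xCD xx pair in the blob."""
    hits = []
    i = 0
    while i < len(code) - 1:
        if code[i] == 0xCD:
            hits.append((i, code[i + 1], _ah_before(code, i)))
            i += 2  # skip the vector byte
        else:
            i += 1
    return hits


def describe(code: bytes) -> List[str]:
    """One human-readable line per interrupt call found."""
    lines = []
    for off, vec, ah in find_interrupts(code):
        what = INTERRUPTS.get(vec, "unknown vector")
        sub = ""
        if ah is not None:
            name = DOS_SUBFUNCTIONS.get(ah, "?") if vec == 0x21 else "?"
            sub = f" AH={ah:02X}h ({name})"
        lines.append(f"{off:#06x}: int {vec:02X}h ({what}){sub}")
    return lines


def suspicious_calls(code: bytes) -> List[str]:
    """Only the DOS calls that create, write, delete or execute."""
    return [
        f"{off:#06x}: int 21h AH={ah:02X}h ({DOS_SUBFUNCTIONS[ah]})"
        for off, vec, ah in find_interrupts(code)
        if vec == 0x21 and ah in WATCH_AH
    ]


# Constructed sample: a hand-assembled .COM fragment that prints a string,
# deletes a file, exits, followed by a BIOS teletype call.
SAMPLE_COM = bytes.fromhex(
    "BA1001" "B409" "CD21"   # mov dx,0110h ; mov ah,09h ; int 21h  (print string)
    "BA2001" "B441" "CD21"   # mov dx,0120h ; mov ah,41h ; int 21h  (delete file)
    "B44C"   "CD21"          # mov ah,4Ch   ; int 21h               (terminate)
    "B40E"   "B041" "CD10"   # mov ah,0Eh   ; mov al,'A' ; int 10h  (BIOS teletype)
)

if __name__ == "__main__":
    for line in describe(SAMPLE_COM):
        print(line)
    print("watch:", suspicious_calls(SAMPLE_COM))
```

The six-byte lookback window is what makes the "mov dx, then mov ah, then int" sequence in the sample resolve; widen it and the false-hit rate goes up, so keep it small and confirm anything interesting in a proper disassembler.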
 
But you can't expect us all to have a look at each file and see what is going on; it would take forever. Edit: also, surely you cannot fake the date modified, as the operating system does that?
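On the question of whether the modified date can be faked: the operating system does stamp the file, but it also lets any process with write access set that stamp to whatever it likes, which is the point the earlier post was making. The script below is an added example for this thread, not anyone's tool. It stages a constructed file, records its size, modification time and SHA-256, overwrites it with different content padded to the same length, puts the old timestamp back with `os.utime`, and then shows which checks still pass. File name, contents and dates are all made up for the demo.

```python
"""Why a file's date is not evidence that it is the original.

Added example, not from the thread. Anyone with write access can set a
file's modification time to any value (os.utime here; `touch -t` on Unix
or SetFileTime on Windows do the same) and pad a replacement to the
original length, so size and date both survive a swap. A hash compared
with a known-good copy does not. Everything below is constructed.
"""
import datetime
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def snapshot(path: str) -> Tuple[int, int, str]:
    """(size in bytes, mtime in ns, sha256 hex) for a file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return st.st_size, st.st_mtime_ns, h.hexdigest()


def replace_keeping_metadata(path: str, payload: bytes) -> None:
    """Overwrite `path` with `payload` padded to the old size, then restore
    the old access and modification times. Raises if payload is larger."""
    st = os.stat(path)
    if len(payload) > st.st_size:
        raise ValueError("replacement larger than original; size would change")
    with open(path, "wb") as f:
        f.write(payload.ljust(st.st_size, b"\0"))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def verify_against_known_good(path: str, known_good_sha256: str) -> bool:
    """The check to rely on: compare with a hash taken from a clean copy
    (install media, a reference machine, or a vendor-published list)."""
    return snapshot(path)[2] == known_good_sha256


def demo() -> Dict[str, bool]:
    """Stage a fake 'explorer.exe', swap its contents, and report which
    checks still pass. Returns size_matches, mtime_matches, hash_matches."""
    original = b"MZ constructed original explorer build\0" * 32
    replacement = b"MZ constructed replacement build\0"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "explorer.exe")
        with open(path, "wb") as f:
            f.write(original)
        # Pretend the file dates from the original install (constructed date).
        old = datetime.datetime(2004, 8, 4, 12, 0, 0).timestamp()
        os.utime(path, (old, old))
        before = snapshot(path)
        replace_keeping_metadata(path, replacement)
        after = snapshot(path)
        hash_ok = verify_against_known_good(path, before[2])
    return {
        "size_matches": before[0] == after[0],
        "mtime_matches": before[1] == after[1],
        "hash_matches": hash_ok,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'still passes' if passed else 'FAILS'}")
```

The size and date checks both still pass after the swap; only the hash catches it. The practical consequence for the explorer.exe check discussed above is to keep a list of hashes from a known-clean install of the same Windows version and service pack and compare against that, rather than eyeballing dates.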
 
Rootkits are an extremely interesting breed of programs. They compromise the OS at the kernel level (at the CPU registers). I really have enjoyed learning about how they work and why you can't see them. And you are right PcTek9 - the key is looking at the register right before the interrupt call. There's a table of jumps at the end of every program which is called the IAT (Interrupt Access Table). All calls vector through that and then look up the next address in the OS and then depart from there on their merry way. The evil-minded person can actually hijack the OS at this point by changing the address to his/her own code (program) and that call then goes to the malicious program instead of the OS. At that point the hacker can do whatever he/she pleases ... and therein lies the problem. When that happens you have absolutely no clue what is going on in that PC.

I have absolutely no time for messing with a PC when a rootkit is found on it. At that point I do what Microsoft's published stance is: backup the data, delete the partition, format the drive, and reload Windows.
 
@ Wheelie ...At that point I do what Microsoft's published stance is: backup the data, delete the partition, format the drive, and reload Windows.
:D
I really love that part.... God bless...

I learned something today... love this site...
 
Personally I'll use a scanner first. I don't believe it slows the process down much, if at all, because after you've removed an infection by hand you'd have to be mad not to scan the system anyway. It is often a safe and effective way of ridding the computer of multiple infections. It can also help identify infections, which allows you to look up the removal instructions, giving you a head start on your manual removal.

Yes techs should be able to remove malware manually but that doesn't mean you need to do it manually every time.

That's just my opinion.
 
backup the data, delete the partition, format the drive, and reload Windows.


and therein lies another potential trap. How can you be 100% sure that the data does not contain hidden malware?

Do you guarantee this to your client?
 
Absolutely. You can scan the data after you're done and any remaining dirty files will then very easily show up. You should carefully examine any exe, bat, dll, sys, etc. files that are in the My Docs folder (or desktop, favorites, etc.) anyway. They really should not even be there to begin with. You can safely remove any you find in those locations, thus eliminating the problem. Never had a flareup yet. Your brain is the best anti virus software on the market ;)
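The sweep of My Docs, desktop and favorites for exe, bat, dll and sys files that the post above recommends is easy to script, and scripting it lets you add the check a manual look misses: a program renamed to .jpg or .doc still starts with the "MZ" header of a Windows executable. The script below is an added example for this thread, not a tool from any poster. It walks a folder tree, flags files by risky extension and by MZ header regardless of extension, and builds a small constructed profile fragment in a temp directory to run against; point `sweep()` at a real profile's data folders to use it for real. The extension list and the sample files are my own choices, not from the thread.

```python
"""Sweeping user data folders for executable content.

Added example, not from the thread. Lists files under a profile's data
folders that carry an executable-type extension, and also files whose
content starts with the "MZ" signature of a Windows executable even though
the extension says otherwise. The tree scanned here is constructed in a
temp dir.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Extensions that have no business sitting in My Documents, the desktop or
# favourites. Extend to taste.
RISKY_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr",
             ".pif", ".vbs", ".js", ".reg"}
PE_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def has_mz_header(path: str) -> bool:
    """True if the file begins with the DOS/PE 'MZ' signature."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sweep(root: str) -> List[Tuple[str, List[str]]]:
    """Walk `root` and return (relative path, reasons) for every file that
    looks executable, sorted by path. Hidden entries are included because
    os.walk does not skip them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if ext in RISKY_EXT:
                reasons.append(f"extension {ext}")
            if has_mz_header(full):
                if ext in PE_EXT:
                    reasons.append("MZ header")
                else:
                    reasons.append("MZ header under non-executable extension")
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed profile fragment: clean files, a batch file, a
    double-extension exe and a program renamed to look like a photo."""
    files = {
        "My Documents/report.doc": b"\xd0\xcf\x11\xe0 constructed word document",
        "My Documents/invoice.pdf.exe": b"MZ constructed executable",
        "My Documents/cleanup.bat": b"@echo off\r\necho hello\r\n",
        "Desktop/holiday.jpg": b"MZ this is really a program",
        "Desktop/notes.txt": b"shopping list",
        "Favorites/bank.url": b"[InternetShortcut]\r\nURL=https://example.test/\r\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo() -> Dict[str, List[str]]:
    """Build the sample tree and return {path: reasons} for the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return dict(sweep(d))


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(f"{path}: {', '.join(reasons)}")
```

The MZ check is the one worth keeping even if you trim the extension list: the double-extension trick shows up by name, but a renamed program shows up only by content. Anything flagged still deserves a look before deletion, since a legitimately saved installer in My Documents will trip the same rule.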
 