
    A Consultants Guide to System Cleaning

    By TheEmperor | February 12, 2008

    I previously wrote a guide for end users that gave a relatively simple and straightforward way to clean their PCs. This is a guide for professionals who have more experience and can delve into some of the more intricate details of their clients' systems.

    Most people have their personal favorite Anti-Virus and Anti-Spyware tools, but by now you all know that I recommend AVG-Antivirus and SuperAntiSpyware; I also recommend AVG-Antirootkit. These tools are relatively simple to use, and the only tip I’ll offer to other pros is to make sure you run AVG-Antirootkit before either of the other two.

    The tools I’m going to talk about in this article are HiJackThis 2.0, Process Explorer, Killbox, and CCleaner. We’re also going to examine a few tools for specific malware removal like FixVundo and ComboFix.

    I’ve developed a procedure that generally takes two hours on a given machine. At my rates that usually costs my client $160, which is about $90 less than most of the places in my area that offer this service. I have a machine specifically dedicated to System Cleaning that already has all of the tools I use installed on it. I also have a USB thumb drive with HiJackThis, Process Explorer and KillBox on it. My procedure is as follows:

    1. Run AVG Anti-Rootkit
    2. Remove the problem drive from the system.
    3. Install the problem drive as secondary drive on Cleaning system, or using a SATA or IDE to USB converter install the drive.
    4. Run SuperAntiSpyware and AVG Antivirus on the problem drive ONLY; do not select the cleaning system's main HD. I usually run these simultaneously.
    5. Now move all files in the Startup folder of all user profiles including All Users and Default user into a temp directory. Some of them may be valid, but we don’t want them here for now.
    6. Return the drive to the system.
    7. Run FixVundo. (This may seem random and pointless right here, but in the long run it will save you a lot of trouble)
    8. Run HiJackThis 2.0 and choose Analyze and Save a Log File.
    9. Save the logfile to your USB drive and transfer it to a PC with internet access. Upload it to HiJackThis.de for an analysis. Check each item that is recommended by that analysis and click Fix Selected Items. All of these entries will be removed.
    10. Reboot and repeat Step 7. If any entries came back you will need to go to the next step.
    11. Fire up Process Explorer and get ready to fight the hydra. A stiff drink might be necessary before continuing to step 12.
    12. Run every .exe file through our friends over at LIUtilities and find out which ones are nasty.
    13. Locate the nasty .exe’s on the problem drive.
    14. Fire up KillBox and point it at the problem .exe’s. Do not try to delete them yet.
    15. With process explorer select each of the nasty exe files and Suspend them.
    16. Once they are all suspended kill each process tree one by one.
    17. Tell KillBox to delete all of the exes; you’ll want to tell it to kill explorer while it’s doing so and to leave a dummy file in place. That should keep the Hydra from regenerating.
    18. Reboot, repeat step 8.
    19. Run CCleaner to remove any remaining invalid registry entries.
    20. System = Clean
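Step 5 is the one part of this procedure that is pure file shuffling, and it is also the step most easily done wrong (a legitimate shortcut goes missing and nobody remembers which profile it came from). The script below is an added example, not the author's own tooling: it walks every profile under the mounted problem drive (All Users and Default User included), moves each Startup item into a quarantine directory, and writes a manifest with the original path and a SHA-256 of each file so the good ones can be put back selectively once the cleaning is done. The profile-container path (e.g. `E:\Documents and Settings`), the two Startup sub-paths (XP-era and Vista-and-later layouts) and the `desktop.ini` skip list are assumptions; adjust them to the drive in front of you.

```python
"""Step 5 as a script: quarantine every profile's Startup items with a restore manifest.
Added example, not the author's own tooling."""
import hashlib
import json
import shutil
from pathlib import Path
from typing import Dict, List, Optional, Set

# Startup-folder locations relative to a profile directory: the XP-era layout this
# procedure targets, plus the Vista-and-later layout. Both are assumptions about
# the mounted drive; adjust if a client image differs.
STARTUP_SUBPATHS = (
    Path("Start Menu") / "Programs" / "Startup",
    Path("AppData") / "Roaming" / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup",
)
MANIFEST_NAME = "manifest.json"
SKIP_NAMES = {"desktop.ini"}   # folder metadata, not a startup item (assumed skip list)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large items do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_startup_items(profiles_root: Path, quarantine_dir: Path) -> List[Dict[str, str]]:
    """Move all files from every profile's Startup folder under quarantine_dir.

    profiles_root is the profile container on the mounted problem drive
    (e.g. E:\\Documents and Settings), which covers All Users and Default User
    as well as the named accounts. Returns the manifest entries, which are also
    written to quarantine_dir/manifest.json, recording origin and hash of each file.
    """
    profiles_root, quarantine_dir = Path(profiles_root), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    entries: List[Dict[str, str]] = []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        for sub in STARTUP_SUBPATHS:
            startup = profile / sub
            if not startup.is_dir():
                continue
            for item in sorted(startup.iterdir()):
                if not item.is_file() or item.name.lower() in SKIP_NAMES:
                    continue
                dest = quarantine_dir / profile.name / item.name
                dest.parent.mkdir(parents=True, exist_ok=True)
                digest = sha256_of(item)          # hash before moving, for later lookup and verification
                shutil.move(str(item), str(dest))
                entries.append({"profile": profile.name, "original": str(item),
                                "quarantined": str(dest), "sha256": digest})
    (quarantine_dir / MANIFEST_NAME).write_text(json.dumps(entries, indent=2))
    return entries


def restore_startup_items(quarantine_dir: Path, names: Optional[Set[str]] = None) -> int:
    """Put quarantined items back where they came from.

    names limits the restore to those file names (the ones judged legitimate);
    None restores everything still in quarantine. A file whose hash no longer
    matches the manifest is left in quarantine. Returns the number restored.
    """
    quarantine_dir = Path(quarantine_dir)
    manifest_path = quarantine_dir / MANIFEST_NAME
    entries = json.loads(manifest_path.read_text())
    restored, remaining = 0, []
    for e in entries:
        src = Path(e["quarantined"])
        if names is not None and src.name not in names:
            remaining.append(e)
            continue
        if not src.is_file():          # already removed from quarantine by hand
            continue
        if sha256_of(src) != e["sha256"]:
            remaining.append(e)        # changed while quarantined: do not put it back
            continue
        dst = Path(e["original"])
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        restored += 1
    manifest_path.write_text(json.dumps(remaining, indent=2))   # manifest now lists only what is still held
    return restored
```

Run it against the problem drive while it is mounted as a secondary disk (step 3), then after step 19 call `restore_startup_items` with the set of names you have verified as legitimate; anything left in the manifest is what you deliberately chose not to put back.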

    You may have to get creative with steps 15-17 in the way that you suspend and kill processes in order to get KillBox to delete them. You may also have to use the DeleteOnReboot option on some of the files. I’ve had rogue DLLs attach themselves to the Lsass.exe process; when you kill that process you have 60 seconds to do whatever you can before the system automatically shuts down. When you have to get KillBox to delete 8-10 files in that 60-second window, or they all regenerate after the reboot, it starts to feel like defusing a bomb.

    When you are using HiJackThis you do have to be very cautious. It takes some experience to interpret the log file it generates, but after using Hijackthis.de to analyze the files for you for a while, you will start to recognize bad entries on your own.
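The "recognize bad entries on your own" part is a set of habits, and they can be written down. The script below is an added example (not the author's, and not what HijackThis.de does) that parses the `O2`/`O4`/`O20`-style lines of a HijackThis log and raises review flags from three of those habits: a file hooked from more than one place at once (BHO plus Run key plus Winlogon Notify, the Vundo pattern that FixVundo exists for), an auto-started file living in a temp directory, and a random-looking file name. The sample log is constructed to look like HijackThis 2.0 output (the CLSIDs and the `vtUkKdaX` name are invented), and the suspicious-directory list and known-name allowlist are assumptions to tune; the output is a review list, not a verdict, which is exactly why you still upload the real log for analysis.

```python
"""Heuristic triage of a HijackThis-style log. Added example, not the author's tooling
and not an implementation of the HijackThis.de analyzer."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry lines look like "O4 - HKLM\..\Run: [Name] path" (assumed HijackThis 2.0 format).
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# First Windows path in the body that ends in an executable or library extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|bat|cmd))\b', re.IGNORECASE)

# Directories where auto-started code is rarely legitimate (assumed list, not exhaustive).
SUSPICIOUS_DIR_FRAGMENTS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\",
                            "\\windows\\temp\\", "\\recycler\\")
# Windows components whose short names would otherwise trip the random-name check.
KNOWN_NAMES = {"ctfmon.exe", "explorer.exe", "lsass.exe", "svchost.exe"}
VOWELS = set("aeiouy")

# Constructed sample log (not a real client log); names and CLSIDs are invented.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:02 AM, on 2/12/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\WINDOWS\system32\vtUkKdaX.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [vtUkKdaX] rundll32.exe "C:\WINDOWS\system32\vtUkKdaX.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Alice\Local Settings\Temp\updater.exe
O20 - Winlogon Notify: vtUkKdaX - C:\WINDOWS\SYSTEM32\vtUkKdaX.dll
"""


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Random-looking names: several lower->UPPER flips, or a long run with almost no vowels."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() and b.isupper())
    vowel_ratio = sum(1 for c in letters if c.lower() in VOWELS) / len(letters)
    return flips >= 2 or vowel_ratio < 0.2


def parse(log_text: str) -> List[Entry]:
    """Keep only the numbered entry lines; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append(Entry(section, body, pm.group(1) if pm else None))
    return entries


def triage(log_text: str) -> List[Entry]:
    """Attach review flags to each entry; an empty flag list means nothing stood out."""
    entries = parse(log_text)
    # The same file hooked from more than one section is the strongest single signal.
    hook_counts = Counter(e.path.lower() for e in entries if e.path)
    for e in entries:
        if e.section == "O20":
            e.flags.append("winlogon-notify")     # rarely used by legitimate software on a home PC
        if e.path is None:
            continue
        low = e.path.lower()
        name = e.path.rsplit("\\", 1)[-1]        # keep original case for the flip heuristic
        if any(frag in low for frag in SUSPICIOUS_DIR_FRAGMENTS):
            e.flags.append("suspicious-location")
        if name.lower() not in KNOWN_NAMES and looks_random(name.rsplit(".", 1)[0]):
            e.flags.append("random-name")
        if hook_counts[low] > 1:
            e.flags.append("multi-hook")
    return entries


def flagged_paths(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged file path (lower-cased) to the union of flags raised on it."""
    out: Dict[str, List[str]] = {}
    for e in triage(log_text):
        if e.path and e.flags:
            bucket = out.setdefault(e.path.lower(), [])
            for f in e.flags:
                if f not in bucket:
                    bucket.append(f)
    return out


if __name__ == "__main__":
    for path, flags in flagged_paths(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(flags)}")
```

On the constructed log the invented `vtUkKdaX.dll` collects all three flags (random name, hooked from three sections, Winlogon Notify), the file in the user's Temp directory gets `suspicious-location`, and the Adobe, Java and `ctfmon.exe` entries raise nothing. Anything the script flags still goes to the analysis step; the point is to shorten the list of lines you have to read closely.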

    ComboFix is the same way, and I don’t currently know of an automatic analyzer for it, but there is a great guide for it over here. I recommend posting the ComboFix logs at ComputerHope for analysis until you start to get a feel for the log entries.

    With this procedure you should be able to streamline your spyware removal process, undercut your competitors (And your local Best Buy) and make more of your clients happier faster. So how about using some of those increased profits to

    .



    Topics: adware, anti-virus, ccleaner, combofix, consultant, consulting, helpdesk, hijackthis, killbox, malware, spyware, system clean, system maintenance, virus clean, vundo
