The Conficker worm, also known as downadup and kido, has been roaming the internet for a while now. The latest version, Conficker C, has people in a bit of an uproar because once the system date on a PC rolls over to April 1, 2009 it is set to launch a massive denial of service attack. With potentially millions of infected machines the results could be devastating. What does all of this have to do with the citizens of The Empire? Read on to find out.


I previously wrote a guide for End Users that gave a relatively simple and straightforward way to clean their PCs. This is a guide for professionals who have more experience and can delve into some of the more intricate details of their client systems.

Most people have their personal favorite Anti-Virus and Anti-Spyware tools, but by now you all know that I recommend AVG-Antivirus and SuperAntiSpyware; I also recommend AVG-Antirootkit. These tools are relatively simple to use, and the only tip I’ll offer to other pros is to make sure you run AVG-Antirootkit before either of the other two.

The tools I’m going to talk about in this article are HiJackThis 2.0, Process Explorer, Killbox, and CCleaner. We’re also going to examine a few tools for specific malware removal like FixVundo and ComboFix.

I’ve developed a procedure that generally takes two hours on a given machine. At my rates that usually costs my client $160, which is about $90 less than most of the places in my area that offer this service. I have a machine specifically dedicated to System Cleaning that has all of the tools I use installed on it already. I have a USB thumb drive that has HiJackThis, ProcessExplorer and KillBox on it. My procedure is as follows:

  1. Run AVG Anti-Rootkit
  2. Remove the problem drive from the system.
  3. Install the problem drive as secondary drive on Cleaning system, or using a SATA or IDE to USB converter install the drive.
  4. Run SuperAntiSpyware and AVG Antivirus on the problem drive ONLY; do not select the system’s main HD. I usually run these simultaneously.
  5. Now move all files in the Startup folder of all user profiles including All Users and Default user into a temp directory. Some of them may be valid, but we don’t want them here for now.
  6. Return the drive to the system.
  7. Run FixVundo. (This may seem random and pointless right here, but in the long run it will save you a lot of trouble)
  8. Run HiJackThis 2.0 and choose Analyze and Save a Log File.
  9. Save the logfile to your USB drive and transfer it to a PC with internet access. Upload it to HiJackThis.de for an analysis. Check each item that is recommended by that analysis and click Fix Selected Items. All of these entries will be removed.
  10. Reboot and repeat Step 7. If any entries came back you will need to go to the next step.
  11. Fire up Process Explorer and get ready to fight the hydra. A stiff drink might be necessary before continuing to step 12.
  12. Run every .exe file through our friends over at LIUtilities and find out which ones are nasty.
  13. Locate the nasty .exe’s on the problem drive.
  14. Fire up KillBox and point it at the problem .exe’s. Do not try to delete them yet.
  15. With process explorer select each of the nasty exe files and Suspend them.
  16. Once they are all suspended kill each process tree one by one.
  17. Tell KillBox to delete all of the exes; you’ll want to tell it to kill explorer while it’s doing so and to leave a dummy file. That should keep the Hydra from regenerating.
  18. Reboot, repeat step 8.
  19. Run CCleaner to remove any remaining invalid registry entries.
  20. System = Clean

You may have to get creative with steps 15-17 in the way that you suspend and kill processes in order to get KillBox to delete them. You may also have to use the DeleteOnReboot option on some of the files. I’ve had rogue DLLs attach themselves to the Lsass.exe process; when you kill that process you have 60 seconds to do whatever you can do before the system automatically shuts down. When you have to get KillBox to delete 8-10 files in that 60 second window or they all regenerate after the reboot, it starts to feel like defusing a bomb.
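An added example, not from the original post: a PowerShell inventory of the autostart locations touched in steps 5 and 8 plus the running processes from step 12, each with a SHA256 hash, written to a CSV you can carry to a PC with internet access for lookup. It assumes PowerShell 4.0 or later (for Get-FileHash), an elevated prompt, Vista-or-later profile paths, and E:\ as the USB drive; all of those are assumptions, not something the post states.

```powershell
# Added example (not part of the original post). Inventories Run/RunOnce keys,
# every profile's Startup folder and the running processes, hashing each image
# so the entries can be looked up offline. Assumed: PS 4.0+, elevated prompt,
# Vista+ profile layout, USB drive at E:\ (all assumptions).
param([string]$OutDir = 'E:\cleaning-logs')   # assumed USB drive letter
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# All Users startup folder plus each user profile's startup folder (Vista+ layout)
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })

function Get-Sha256([string]$Path) {
    # Returns the file hash, or MISSING when the referenced image is not on disk
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } else { 'MISSING' }
}

$meta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$items = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }          # skip provider metadata
        # Pull the executable out of the command line, quoted or not
        $exe = if ($p.Value -match '^"([^"]+)"') { $Matches[1] } else { ($p.Value -split ' ')[0] }
        $items += [pscustomobject]@{ Source = $key; Name = $p.Name; Path = $exe; SHA256 = (Get-Sha256 $exe) }
    }
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $items += [pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Path = $_.FullName; SHA256 = (Get-Sha256 $_.FullName) }
    }
}
# Running processes; Path is empty for protected/system processes without elevation
Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
    $items += [pscustomobject]@{ Source = 'Running process'; Name = $_.ProcessName; Path = $_.Path; SHA256 = (Get-Sha256 $_.Path) }
}
$items | Export-Csv -Path (Join-Path $OutDir 'autostart-inventory.csv') -NoTypeInformation
$items | Format-Table Source, Name, Path, SHA256 -AutoSize
```

Run it from the problem system before and again after step 10; an entry whose hash reappears after a reboot is one of the regenerating files the later steps deal with.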

When you are using HiJackThis you do have to be very cautious. It takes some experience to interpret the log file it generates, but after a while of using Hijackthis.de to analyze the files for you, you will start to recognize bad entries on your own.

ComboFix is the same way, and I don’t currently know of an automatic analyzer for it, but there is a great guide for it over here. I recommend posting the ComboFix logs at ComputerHope for analysis until you start to get a feel for the log entries.

With this procedure you should be able to streamline your spyware removal process, undercut your competitors (and your local Best Buy) and make more of your clients happier faster. So how about using some of those increased profits to

.


Part 1, Part 2

We’ve already explored securing your system and browsing safely; now we’ll explore a few ways to keep your E-Mail safe from assault. Email is one of the most vulnerable access points into your system, because even e-mail from trusted people can contain malicious payloads. After all, not everyone is as safety conscious as you are. So to help navigate the e-mail minefield we’re going to look at two separate strategies.

The first strategy is to use an online mail service like Google Mail; this is by far the easiest way to do things and has been my preferred method for years. It puts the burden for spam blocking and virus cleaning onto a huge company with almost limitless resources. They tend to do a pretty fine job of it.

However, if you’re using your ISP’s POP mail, usually something like yourname@bellsouth.net, and don’t want to give that up, I recommend using Mailwasher to block spam. There is a terrific tutorial over on their site for using Mailwasher, so I won’t try to improve on that. You’ve already installed AVG Antivirus, which will scan your incoming and outgoing mail for viruses, so with these two items in place you are about as well protected as software can make you. The rest is up to you.

Now we’ll go over a few rules to keep you from betraying your system into enemy hands. First, do not open attachments from people you don’t know, no matter how enticing it might sound. Second, do not open “free” screen savers, “free” games, or any other “neat” thing that someone forwards you. The final rule is to never respond to, or click any link in, a spam email that you do receive. These rules combined with a Google Mail account or Mailwasher and AVG will keep you safe from any email assault. Remember to read Part One and Part Two if you haven’t already, and as always we appreciate it when you

.


Process Explorer is an excellent tool available from Microsoft for free. Using it you can see all of the processes running on your PC and what files they are using.

The installation is incredibly simple: just download the file and extract it. Then double click on Process Explorer. Ta-da, it runs. You’ll see a screen that looks something like this:

From here you can trace which process has what file open. It’s as simple as it can be: just click on Find at the top and type in the name of the file you want to search for. Process Explorer returns a list of every process that is involved with that file. Now if you click on one of the entries it will take you to the specific thread, and you can kill that thread to free the file.

That’s the meat and potatoes of Process Explorer. There are many other things you can do with it, such as suspending a process, which leaves it alive but stops it from running; changing the priority that the system assigns to a process; and monitoring your system’s resource usage more comprehensively than the regular task manager. Process Explorer is a very simple but very powerful tool and is a fantastic resource for every kind of troubleshooting.

If you were helped by this review and enjoy the product please


In Part One of this series we talked about how to clear your system out and get your security software in place, but security software is only part of the equation. Your computer is still only as secure as you are. So in Part Two we’re going to discuss Safe Surfing habits and how to keep from accidentally opening the gates and letting the Mongols in.

The first thing you’re going to have to do is scrap Internet Explorer. A lot of people still think that there are no other options for web browsers if you want to watch videos and do all of the things you love on the web. This is not true. Welcome to the world of Firefox: everything Internet Explorer can do, Firefox can do, and it’s not as vulnerable to virus and spyware attacks.

Now, if you are really and truly security conscious you can set up what’s known as a Sandbox for your web browser. SVS is a sandbox program that you can use. I recommend using SVS and Mozilla together to visit any unfamiliar website for the first time. If you don’t know what the site is, don’t take the risk that it will infect your PC.

To install SVS, just download the SVS Personal package and unpack it. Now run the Software Virtualization Agent installer. When you are asked for a license, click “Get it Free” and accept the license; a file will download that has your personal license key. Copy it and paste it into the license space. Click next and accept all of the defaults. You’ll have to restart your system once the install is complete. Next download the SVS Trinket, extract the Trinket and double click on the installer. After a final reboot you’ll need to download Firefox for SVS and extract it (if you just MUST HAVE Internet Explorer then here is a link to the virtualization file for it).

The final step is to right click on the little golden disc with a V on it that is now in the system tray near the clock, click Import and navigate to the Firefox VSA file, click open and let it import. Now when you want to launch Firefox, just right click on that disc, pick Firefox from the list and choose Activate. You’ll see a Virtual Firefox icon appear. Click it and surf.

I know this seems AWFULLY complicated to get set up, but once you’re done your browser launches just like it always has until you unload it, and you’re completely safe. But for those who think that’s too much trouble I have an alternate solution below.

If you choose not to use Firefox or SVS then the next section is very important. Do not click on any popup, EVER. I don’t care if it looks like a message from Bill Gates offering you a million dollars to click the ad; it’s a LIE. Do not click popups. Do not click animated ads with monkeys on them. Do not download animated screen savers; do not download animated wallpaper. And remember this maxim: there is nothing free on the internet. Everyone is trying to make money in some way, either through ad revenue, sales, or donations. If someone is giving something away, think twice about accepting it. That goes for me too: every product I recommend on this site is a product I use and a product I have an affiliate agreement with. I have ads on the site and requests for donations.

With the sandbox in place you can be a little more relaxed about what you click on because the sandbox prevents any malicious files from being transferred onto your system.

These steps will protect your computer from inadvertently becoming infected by a file you download or a video you watch. Always practice safe web surfing and remember to

.
