The Conficker worm, also known as Downadup and Kido, has been roaming the internet for a while now. The latest variant, Conficker.C, has people in a bit of an uproar because once the system date on an infected PC rolls over to April 1, 2009 it switches to a new update routine: it generates 50,000 domain names a day and contacts a few hundred of them looking for instructions, and the widespread fear is that those instructions will be to launch a massive denial-of-service attack. With potentially millions of infected machines the results could be devastating. What does all of this have to do with the citizens of The Empire? Read on to find out.


I previously wrote a guide for end users that gave a relatively simple and straightforward way to clean their PCs. This is a guide for professionals who have more experience and can delve into some of the more intricate details of their clients' systems.

Most people have their personal favorite anti-virus and anti-spyware tools, but by now you all know that I recommend AVG Anti-Virus and SuperAntiSpyware; I also recommend AVG Anti-Rootkit. These tools are relatively simple to use, and the only tip I'll offer to other pros is to make sure you run AVG Anti-Rootkit before either of the other two: a rootkit that is still active can hide its files and registry keys from the other scanners, so their "clean" result means nothing until it is gone.

The tools I’m going to talk about in this article are HiJackThis 2.0, Process Explorer, Killbox, and CCleaner. We’re also going to examine a few tools for specific malware removal like FixVundo and ComboFix.

I've developed a procedure that generally takes two hours on a given machine. At my rates that usually costs my client $160, which is about $90 less than most of the places in my area that offer this service. I have a machine specifically dedicated to system cleaning with all of the tools I use already installed, and a USB thumb drive that has HiJackThis, Process Explorer and KillBox on it. My procedure is as follows:

  1. Run AVG Anti-Rootkit on the problem system.
  2. Remove the problem drive from the system.
  3. Install the problem drive as a secondary drive in the cleaning system, or attach it with a SATA or IDE to USB converter.
  4. Run SuperAntiSpyware and AVG Anti-Virus against the problem drive ONLY; do not select the cleaning system's main hard drive. I usually run these simultaneously.
  5. Now move all files in the Startup folder of every user profile, including All Users and Default User, into a temp directory. Some of them may be valid, but we don't want them running for now.
  6. Return the drive to the problem system.
  7. Run FixVundo. (This may seem random and pointless right here, but in the long run it will save you a lot of trouble.)
  8. Run HiJackThis 2.0 and have it do a system scan and save a log file.
  9. Save the log file to your USB drive and transfer it to a PC with internet access. Upload it to HiJackThis.de for analysis. Back on the problem system, check each item that analysis recommends and click Fix Selected Items. All of those entries will be removed.
  10. Reboot and repeat step 8. If any of the entries came back, go on to the next step.
  11. Fire up Process Explorer and get ready to fight the hydra. A stiff drink might be necessary before continuing to step 12.
  12. Run every running .exe through our friends over at LIUtilities and find out which ones are nasty.
  13. Locate the nasty .exe's on the problem drive.
  14. Fire up KillBox and point it at the problem .exe's. Do not try to delete them yet.
  15. In Process Explorer select each of the nasty processes and suspend it.
  16. Once they are all suspended, kill each process tree one by one. Suspending everything first is what beats the hydra: a frozen watchdog process can't respawn its partner when the partner dies.
  17. Tell KillBox to delete all of the .exe's; tell it to end Explorer while it does so and to leave a dummy file in place of each one. That should keep the hydra from regenerating.
  18. Reboot and repeat step 8.
  19. Run CCleaner to remove any remaining invalid registry entries.
  20. System = Clean
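Step 5 is easy to do sloppily: a profile gets missed, or a legitimate shortcut gets thrown away with the junk and nobody remembers where it came from. The helper below is an added example (not the author's own tooling) that does the move against the slaved problem drive and keeps a manifest so the entries that turn out to be valid can be put back after the clean. It assumes an XP-era profile layout (`Documents and Settings\<user>\Start Menu\Programs\Startup`); the holding directory should be on the cleaning system, not on the problem drive. The drive layout it builds for the demonstration is constructed and the file names in it are made up.

```python
"""Quarantine every user's Startup folder on a slaved drive, with a manifest
for restoring the entries that turn out to be legitimate.
Added example for step 5 of the procedure; not the guide's own tooling.
Assumes the Windows XP profile layout (Documents and Settings\\<user>\\...)."""
import csv
import os
import shutil
import tempfile

STARTUP_REL = os.path.join("Start Menu", "Programs", "Startup")


def startup_folders(mount):
    """Yield (profile name, Startup folder path) for every profile on the drive,
    All Users and Default User included, in a stable order."""
    profiles = os.path.join(mount, "Documents and Settings")
    if not os.path.isdir(profiles):
        return
    for user in sorted(os.listdir(profiles)):
        folder = os.path.join(profiles, user, STARTUP_REL)
        if os.path.isdir(folder):
            yield user, folder


def quarantine(mount, holding):
    """Move everything out of each Startup folder into holding/<user>/ and record
    the original location in holding/manifest.csv. Returns [(user, name), ...]."""
    os.makedirs(holding, exist_ok=True)
    moved = []
    with open(os.path.join(holding, "manifest.csv"), "a", newline="") as fh:
        writer = csv.writer(fh)
        for user, folder in startup_folders(mount):
            for name in sorted(os.listdir(folder)):
                if name.lower() == "desktop.ini":  # folder metadata, not an autostart
                    continue
                src = os.path.join(folder, name)
                dst = os.path.join(holding, user, name)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.move(src, dst)
                writer.writerow([user, src, dst])
                moved.append((user, name))
    return moved


def restore(holding, user, name):
    """Put one quarantined entry back where the manifest says it came from."""
    with open(os.path.join(holding, "manifest.csv"), newline="") as fh:
        rows = list(csv.reader(fh))
    for row_user, src, dst in rows:
        if row_user == user and os.path.basename(dst) == name:
            os.makedirs(os.path.dirname(src), exist_ok=True)
            shutil.move(dst, src)
            return src
    raise KeyError(f"{user}/{name} is not in the manifest")


def build_sample_drive(mount):
    """Constructed XP-style layout for the demonstration; not a real drive image.
    The file names are invented and the files contain only placeholder text."""
    layout = {
        "All Users": ["desktop.ini", "Adobe Reader Speed Launch.lnk"],
        "Default User": ["desktop.ini"],
        "Owner": ["desktop.ini", "msconfig32.exe", "HP Digital Imaging Monitor.lnk"],
    }
    for user, names in layout.items():
        folder = os.path.join(mount, "Documents and Settings", user, STARTUP_REL)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("placeholder\n")


def demo():
    """Quarantine the sample drive, then restore one known-good shortcut.
    Returns (moved entries, names left in the Startup folders, restore worked)."""
    root = tempfile.mkdtemp(prefix="cleanup-")
    mount, holding = os.path.join(root, "E"), os.path.join(root, "quarantine")
    build_sample_drive(mount)
    moved = quarantine(mount, holding)
    remaining = sorted(n for _, f in startup_folders(mount) for n in os.listdir(f))
    restored = restore(holding, "All Users", "Adobe Reader Speed Launch.lnk")
    return moved, remaining, os.path.isfile(restored)


if __name__ == "__main__":
    moved, remaining, ok = demo()
    for user, name in moved:
        print(f"quarantined {user}: {name}")
    print("left in Startup folders:", remaining, "| restore ok:", ok)
```

On the real drive, pass the mount point of the slaved disk (for example `E:\`) as `mount` and a folder on the cleaning system as `holding`; once the HiJackThis passes come back clean, `restore()` the shortcuts you have verified, and whatever is still in the holding folder is your evidence of what was autostarting.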

You may have to get creative with steps 15-17 in the way that you suspend and kill processes in order to get KillBox to delete the files. You may also have to use the DeleteOnReboot option on some of them. I've had rogue DLLs attach themselves to the lsass.exe process; when you kill that process Windows starts a 60-second shutdown countdown, and you have that long to do whatever you can before the system restarts. (Running `shutdown -a` from a command prompt aborts that countdown, which is worth knowing before you start.) When you have to get KillBox to delete 8-10 files in that 60-second window or they all regenerate after the reboot, it starts to feel like defusing a bomb.

When you are using HiJackThis you do have to be very cautious. It takes some experience to interpret the log file it generates, but after a while of letting HijackThis.de analyze the logs for you, you will start to recognize bad entries on your own.
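The things that make an entry "look bad" in a HiJackThis log are fairly mechanical, and the triage script below is an added example (not part of the original guide, and not HiJackThis's own code) that encodes them: it parses the autostart-style lines (O2 BHOs, O4 Run keys, O20 Winlogon Notify, O23 services) and flags executables living in temp or profile directories, core system binary names outside system32, services with an unknown owner or a missing file, unnamed BHOs, and random-looking file names. The heuristics are the editor's own and produce a review list, not a verdict; the sample log is constructed, with invented file names and placeholder CLSIDs.

```python
"""Triage helper for HijackThis 2.0 log files.
Added example for the procedure above; not HiJackThis's own code, and the
heuristics are the editor's. Output is a list of entries to review."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind name path reasons")

# Line shapes HijackThis 2.0 uses for the entry types we care about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in an executable-ish extension inside a command line.
PATH_RE = re.compile(r"[a-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|scr|cpl)\b", re.I)

TEMP_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
# Core Windows binaries that only live in %SystemRoot%\system32 (explorer.exe
# legitimately lives in %SystemRoot% itself, so it is deliberately not listed).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}
VOWELS = set("aeiouy")

R_NO_NAME = "BHO has no name"
R_NO_PATH = "no resolvable file path"
R_MISSING = "file missing on disk"
R_UNKNOWN = "service with unknown owner"
R_TEMPDIR = "runs from a temp/profile directory"
R_SYSNAME = "system binary name outside system32"
R_RANDOM = "random-looking file name"


def looks_generated(stem):
    """Heuristic for names like 'kbdsz32' or 'vtUkjHXq': no vowels at all, or
    mixed case with a long consonant run. Plain abbreviations (avgwdsvc) stay False."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    lower = [c.lower() for c in letters]
    if not any(c in VOWELS for c in lower):
        return True
    mixed = any(c.isupper() for c in letters[1:]) and any(c.islower() for c in letters)
    run = longest = 0
    for c in lower:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return mixed and longest >= 4


def path_reasons(path):
    """Reasons derived from where the file lives and what it is called."""
    p = path.lower()
    base = path.replace("\\", "/").rsplit("/", 1)[-1]  # basename, Windows-style path
    reasons = []
    if any(d in p for d in TEMP_DIRS):
        reasons.append(R_TEMPDIR)
    if base.lower() in SYSTEM_ONLY and "\\windows\\system32\\" not in p:
        reasons.append(R_SYSNAME)
    if looks_generated(base.rsplit(".", 1)[0]):
        reasons.append(R_RANDOM)
    return reasons


def parse_entries(log_text):
    """Every O2/O4/O20/O23 entry in the log, each with its list of reasons."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if not m:
                continue
            cmd, reasons = m.group("cmd"), []
            if kind == "O2" and m.group("name") == "(no name)":
                reasons.append(R_NO_NAME)
            if kind == "O23" and m.group("company").lower() == "unknown owner":
                reasons.append(R_UNKNOWN)
            if "(file missing)" in cmd.lower():
                reasons.append(R_MISSING)
            pm = PATH_RE.search(cmd)
            path = pm.group(0) if pm else None
            reasons += path_reasons(path) if path else [R_NO_PATH]
            entries.append(Entry(kind, m.group("name"), path, tuple(reasons)))
            break
    return entries


def triage(log_text):
    """Only the entries that have at least one reason, in log order."""
    return [e for e in parse_entries(log_text) if e.reasons]


# Constructed sample log: invented file names, placeholder CLSIDs, one AVG
# install and one Java updater as the legitimate entries that must not be flagged.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:03 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: AVG Safe Search - {00000000-0000-0000-0000-000000000001} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\vtUkjHXq.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [kbdsz32] C:\Documents and Settings\Owner\Local Settings\Temp\kbdsz32.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O20 - Winlogon Notify: vtUkjHXq - C:\WINDOWS\system32\vtUkjHXq.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Network Monitor (netmon) - Unknown owner - C:\WINDOWS\system32\drivers\qzxwrk.sys (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4}{e.name:<28}{e.path or '-'}")
        for r in e.reasons:
            print(f"        - {r}")
```

Feed it the log you saved in step 8 and compare its review list with what HiJackThis.de recommends; when the two disagree, the entry is the one worth looking up by hand. Note that an entry with no reasons is not cleared by this script, and a random-looking name on its own is only a hint, since some vendors' abbreviations trip it.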

ComboFix is the same way, and I don't currently know of an automatic analyzer for it, but there is a great guide for it over here. I recommend posting the ComboFix logs at ComputerHope for analysis until you start to get a feel for the log entries.

With this procedure you should be able to streamline your spyware removal process, undercut your competitors (and your local Best Buy) and make more of your clients happy, faster. So how about using some of those increased profits to

.


Part 1, Part 2

We've already explored securing your system and browsing safely; now we'll explore a few ways to keep your e-mail safe from assault. E-mail is one of the most vulnerable access points into your system because even e-mail from people you trust can carry a malicious payload. After all, not everyone is as safety conscious as you are. So to help navigate the e-mail minefield we're going to look at two separate strategies.

The first strategy is to use a web mail service like Google Mail. This is by far the easiest way to do things and has been my preferred method for years. It puts the burden of spam blocking and virus scanning onto a huge company with almost limitless resources, and they tend to do a pretty fine job of it.

However, if you're using your ISP's POP mail, usually something like yourname@bellsouth.net, and don't want to give that up, I recommend using Mailwasher to block spam. There is a terrific tutorial on their site for using Mailwasher, so I won't try to improve on it. You've already installed AVG Anti-Virus, which will scan your incoming and outgoing mail for viruses, so with these two items in place you are about as well protected as software can make you. The rest is up to you.

Now let's go over a few rules to keep you from betraying your system into enemy hands. First, do not open attachments from people you don't know, no matter how enticing they might sound. Second, do not open "free" screen savers, "free" games, or any other "neat" thing that someone forwards you, even when the sender is a friend; their machine may already be infected and forwarding on their behalf. The final rule is to never reply to, or click any link in, a spam e-mail that you do receive; a reply or a click only confirms to the spammer that your address is live. These rules combined with a Google Mail account or Mailwasher and AVG will keep you safe from almost any e-mail assault. Remember to read Part One and Part Two if you haven't already, and as always we appreciate it when you

.

Jan 29

*UPDATED* The free version of AVG Anti-Rootkit has been discontinued; I am instead recommending Panda Anti-Rootkit.

Everyone has run into this problem at one time or another, either with a family member's PC or with their own. Usually it means a nightmarish ordeal of smashing spyware, malware, and viruses for hours. Well, once you've read this article you'll no longer need to fear.

I've been cleaning viruses and spyware for years, and over time three products have made their way to the top of my list. Two of my top three are from Grisoft: AVG Anti-Rootkit and AVG Anti-Virus. The third is SuperAntiSpyware.

Your first step is going to be to download these three tools. You may have to download them on a clean PC and carry them over on a CD or flash drive if the infected PC can't get to the internet. A CD is the safer carrier: many worms (Conficker among them) copy themselves onto any writable USB drive that is plugged into an infected machine, so a flash drive used this way should be treated as suspect afterwards. Once you've got them loaded up it's time to start the war.

The first tool you're going to need to fire up is AVG Anti-Rootkit. The installation is very standard; just click Next until you reach the end of the installation, then reboot the PC. Now start up AVG Anti-Rootkit.

I recommend using the In-Depth Search to get the best results. The Anti-Rootkit will run for about 45 minutes before it completes, so go watch some TV, read a book, write in your blog, or

Now that the Anti-Rootkit is done scanning, tell it to clean anything it found. Next, reboot into Safe Mode. To get into Safe Mode, reboot and tap F8 on your keyboard every second or so until you see a menu. Choose Safe Mode and voilà.

Now that you're in Safe Mode, install SuperAntiSpyware. Again the installation is very simple; just click Next until you hit the end of the install. Run SuperAntiSpyware and click Check for Updates. Once the updates are done, click Scan your Computer. Choose the C:\ drive and select Complete Scan, then click Next. Again, this will take about an hour, so go for a jog, fix some dinner, anything you feel like doing. Once SuperAntiSpyware completes its scan, click Next and allow it to clean your system.

Now the final step: reboot into normal mode and install AVG Anti-Virus. As usual the installation process consists of clicking Next as many times as possible.

Now run AVG and click Scan Computer. Go take another hour-long break while AVG works. When you return, click OK and allow AVG to clean the system of anything it finds. There is a good chance that AVG Anti-Virus will find nothing at this point, which means your system is squeaky clean. If AVG finds anything that it can't remove you'll be in for a bumpy ride, since whatever is left will require special removal tools and advanced knowledge.

With these three tools you'll be able to clean the vast majority of the spyware and viruses you run into with no trouble.

Pro Tip: As a shortcut you can actually run AVG Anti-Virus and SuperAntiSpyware at the same time, which will cut your run time in half, but this will sometimes result in error messages when one cleans an item before the other gets to it.
