
what should I bring with me

Smallguy Member Posts: 597
hey, looking for some ideas on what to bring with me on a support call for the gf's cousin.

he downloaded some trojan off of msn and can't get back online

so far I'll bring

ERD commander 2005
avg
spy bot
hijackthis

what else would be good resources for this... I'm pretty sure that the trojan just messed up IE, not TCP/IP, but without knowing the trojan I have no way to tell

I think I might even bring firefox 2.0 and see if I can get online with it

Comments

  • royal Member Posts: 3,352
    ad-aware

    trend micro free online virus scan - just google for free online virus scan.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • seuss_ssues Member Posts: 629
    I clean several a week.

    Be sure to turn system restore off.
    Adaware
    pest patrol
    spybot s&d
    hijackthis
    avg
    and Trend Micro or Panda scan

    that will clean 99% of the malware problems out there.

    And be sure to update all those programs before scanning, and update windows too.
  • JDMurray Admin Posts: 13,031
    Has anyone tried installing all of the usual free A/V and Spyware scanners on a Windows XP bootable USB drive so you can clean the infected hard drive without actually booting off of it? I've always wanted to try this, but have never gotten around to doing it.
  • keatron Member Posts: 1,213
    I've wanted to try it as well, but usually when a family member calls me to do this (if I can find the time), I usually take their hard drive, slave it to another machine, then run the scan from there on the drive with it running as a slave.
  • Smallguy Member Posts: 597
    I ended up formatting the machine after a few hours of running tools. I found 7 viruses and was still not able to browse by FQDN,

    so I bit the bullet and formatted
  • JDMurray Admin Posts: 13,031
    keatron wrote:
    I usually take their hard drive, slave it to another machine, then run the scan from there on the drive with it running as a slave.
    This is exactly what I do too, but what a pain to set up. I'd rather just boot off a USB thumb drive and run the tools directly on the infected machine. The only disadvantages are that you also need to carry an external hard drive to back up the infected drive, and that older motherboards' BIOSes won't boot from a USB device.

    Hmmm...maybe it's better just to use an external EIDE/USB drive for cleaning rather than just a USB thumb drive. I should give that a try first.
  • keatron Member Posts: 1,213
    jdmurray wrote:
    keatron wrote:
    I usually take their hard drive, slave it to another machine, then run the scan from there on the drive with it running as a slave.
    This is exactly what I do too, but what a pain to set up. I'd rather just boot off a USB thumb drive and run the tools directly on the infected machine. The only disadvantages are that you also need to carry an external hard drive to back up the infected drive, and that older motherboards' BIOSes won't boot from a USB device.

    Hmmm...maybe it's better just to use an external EIDE/USB drive for cleaning rather than just a USB thumb drive. I should give that a try first.

    JD I think we should write something to solve this problem. :D
  • jescab Inactive Imported Users Posts: 1,321
    I just cleaned a computer that had 27 viruses; it had been hijacked so many times that the hijacking sites were fighting each other, plus thousands of spyware/malware items. NO JOKE - this was the worst infected computer I have ever seen.
    GO STEELERS GO - STEELERS RULE
  • RussS Member Posts: 2,068
    jdmurray wrote:
    Has anyone tried installing all of the usual free A/V and Spyware scanners on a Windows XP bootable USB drive so you can clean the infected hard drive without actually booting off of it? I've always wanted to try this, but have never gotten around to doing it.

    I did have a subscription for the Avast bootable CD and thought that it was an awesome tool. However now that I am not so much involved in virus/spyware cleansing of clients PCs I discontinued as it is rather expensive.
    Currently I am using the UBCD for Win and follow a particular methodology.
    Boot to CD and empty the Temp and Temporary Internet Files folders in the user profiles - empty the Temp and Prefetch folders in the Windows directory - remove unknowns from the Downloaded Program Files folder.
    Start up the remote registry editor and check
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run and
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run (plus the other run entries) and look for and delete any entries that should not be there. Use the browser on the CD to Google for anything you are unsure of.
    Next I run an online scan from Trend Micro (have a business partnership there) and then an online scan from ewido.
    Reboot machine and run Disk Cleanup, then run Windoctor.
    After that I run an online scan from Symantec.

    Always finish with ScanDisk and Defrag before returning to client.
    www.supercross.com
    FIM website of the year 2007
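    As an added example (not from the thread or any poster), a PowerShell script that does the Run-key check described above against a slaved or offline drive from the cleaning machine: it loads the offline SOFTWARE hive and one user's NTUSER.DAT under temporary keys, lists every Run/RunOnce value, and reports whether each command's target exists and carries a valid Authenticode signature, so the unknowns to look up are obvious. The drive letter E:\ and the profile path are assumptions.

```powershell
# Added example (not from the thread): enumerate autorun entries from an
# offline Windows installation mounted at $OfflineRoot (assumed path, e.g. a
# slaved drive at E:\). Loads the SOFTWARE hive and one user's NTUSER.DAT
# under temporary keys, lists every Run/RunOnce value, and reports whether the
# referenced executable exists and has a valid Authenticode signature.
# Requires an elevated PowerShell on the cleaning machine; nothing is deleted.
param(
    [string]$OfflineRoot = 'E:\',
    [string]$UserProfile = 'E:\Documents and Settings\Owner'   # assumed profile path
)

$hives = @{
    'HKLM\OFF_SOFTWARE' = Join-Path $OfflineRoot 'WINDOWS\system32\config\software'
    'HKU\OFF_USER'      = Join-Path $UserProfile 'NTUSER.DAT'
}
$runKeys = @(
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\OFF_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\OFF_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath([string]$cmd) {
    # Heuristic: strip quotes and arguments, keep only the executable path.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

try {
    foreach ($h in $hives.GetEnumerator()) { reg.exe load $h.Key $h.Value | Out-Null }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
            # Paths in the value refer to the infected disk, so rebase the drive and %SystemRoot%.
            $exe = (Get-CommandPath $p.Value) -replace '^[A-Za-z]:\\', $OfflineRoot
            $exe = $exe -replace '%SystemRoot%', (Join-Path $OfflineRoot 'WINDOWS')
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'MISSING' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Signature = $sig }
        }
    }
}
finally {
    foreach ($h in $hives.Keys) { reg.exe unload $h | Out-Null }
}
```

    Entries whose Signature column reads NotSigned or MISSING are the ones worth looking up before deciding whether they belong.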
  • seuss_ssues Member Posts: 629
    You should check out Bart PE. It is a bootable windows environment and it's free.

    I have been meaning to make a Bart PE disk with all of the utilities that i frequently use.

    You would have to load the machine's registry files into the environment, or else your cleaners wouldn't be able to access them to clean them.
    Other than that it should work great.

    Anyone tried it?
  • sprkymrk Member Posts: 4,884
    Smallguy wrote:
    hey, looking for some ideas on what to bring with me on a support call for the gf's cousin.

    he downloaded some trojan off of msn and can't get back online

    Format, fdisk, WXP CD. :)

    I honestly don't usually waste my time, especially with business customers. If a machine has been compromised by a trojan/virus/spyware, I'll back up whatever data is most important and blow the rest away. Format/reinstall is the only way to go on a compromised computer because you just never can be entirely sure it's clean. Even with someone's home computer it's the best bet (IMHO). I have found that it takes almost as long to really clean and repair a spyware/virus infested computer as it does to just reinstall.

    My 2 cents.
    All things are possible, only believe.
  • JDMurray Admin Posts: 13,031
    keatron wrote:
    JD I think we should write something to solve this problem. :D
    I've been thinking about the good and bad sides of using a USB-bootable external drive for cleaning systems. My original assumption was that I'd use Windows XP or MC for the bootable OS. However, Windows is very sensitive to the motherboard and peripheral hardware on the machine, and the cleaning drive may not boot on all systems. For example, if I created my bootable drive using an Asus system, would it successfully boot on a system with an ECS motherboard? Always booting Windows in safe mode might solve this problem, but the scanning/cleaning/repairing/defragging/backup tools I'd want to use may not run in safe mode.

    Another wrinkle is every time Windows booted and saw new hardware, it would increment its "hardware has changed" counters and eventually require reactivation. I know the trick to backup and restore the wpa.dbl file to undo the counters, but I'd rather not hack Windows to the point of violating the EULA.

    And yes, I know a great bootable OS alternative is Knoppix, but I've never researched what are the best scanning/cleaning/repairing/defragging/backup tools available for Linux, and how they compare in effectiveness to the same tools available for Windows. It would seem that the same tools would be either more expensive or non-existent. I'll have to search to see if anyone has already put together a Linux distro to make a bootable, updatable cleaning drive.