
Looking for some assistance/advice


5 replies to this topic

#1 Michael_Tsp

Michael_Tsp

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 25 November 2009 - 04:14 PM

Hello, My name is Michael and I'm new here

First I guess I should start with why I have decided to post here. I work for Dell as a Your Tech Team agent. I receive several calls a day regarding viruses and other malware. About a week ago, I first came across the rootkit known as max++. Needless to say, normal removal methods did not work. I could not just reformat the computer, as the customer was a musician and he did not want to lose all his unfinished music. After the normal tools did not work, I thought that it could be a rootkit. I downloaded and ran the trial version of UnHackMe. It detected the max++ rootkit; however, it was not able to clean the infections. It would schedule a start-up scan and never fully complete. At this point I wanted to learn a bit more about max++, and after a brief Google search I came across a forum thread on here regarding the removal steps for XP, and it worked flawlessly. The customer was super happy and I was glad I did not have to reformat his computer. It was at this point that I decided I wanted to learn much more about the removal of viruses/malware from computers.

Since then I have been reading everything I can get my hands on that has anything to do with rootkits, how they should be dealt with, and just a better all-around understanding of how they work and possible removal tactics. I have only had one other customer with the same infection, and I was able to remove it following some of the previous steps I used.

Now with that said, I'm trying to put together a general guide on how to approach this situation. What tools are safe to use, and which ones should only be used by people who know what they're doing, those sorts of things. I realize not everyone is capable of the research or patience required to deal with certain infections. As of right now the standard is to attempt the virus scan using any one of the free tools, and if that does not work, then to reformat the computer. To me as a person, this is unacceptable, as it leaves little to no room for a customer to back up their data. Since I'm just a lowly tech support agent I have no opportunity to get the policy changed. To make matters worse, no one I talk to at work seems to care; there are no solid answers, just a lot of chaff and misunderstanding of policy.

So now I turn to the community. My end goal is to make a general approach guide, not how to deal with the specific virus/rootkit. The reason I wish to put this together is to help the customer. It must also be noted that I WILL NOT be submitting this guide to Dell. The upper management around me has made it clear that they are not interested in this, as they feel it will make their calls last longer than 33.5 minutes. I intend to pass the guide to close friends that I both respect and trust.

Before I go any further on this subject I would like to know what you guys think of it. Also I'm still curious as to whether your support team would condone such efforts. I realize infection removal is a difficult process that must be done by people who know what they're doing, and I'm striving hard to increase my knowledge on the subject.

I look forward to your teams response, and if I have posted this in the wrong forum I am sorry.

Thanks in advance

-Michael



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:02:00 PM

Posted 25 November 2009 - 06:46 PM

I guess I am not 100% sure what you are looking to do. Is this going to be a guide against this infection, which I think is not really possible as the dynamics of this one change from person to person. Or are you looking to make a general purpose guide on all the various tools that are available and why they are used?

I am not sure how much we are going to help, but curious to see what your ultimate end goal is.

#3 Michael_Tsp

Michael_Tsp
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 25 November 2009 - 11:08 PM

The theory is something like this

A person with a fair understanding of how to use computers comes across a computer with an infection. The person is not sure what kind of infection it is, although they have tried Malwarebytes and it has failed to run. Also, the internet connection has been terminated in the last day or so.

This would be the typical situation that I can see myself coming across.

The following would be a typical list of tools that I turn to when fighting viruses:

CCleaner
Malwarebytes
HouseCall 7.1 beta
Avast Free AV
ComboFix

and, due to my recent success with it, although I do not know its limits:

Win32kDiag



By using these tools, the Windows recovery tools, some time and some thinking outside the box, I have been able to remove about 90% of the infections that I have come across.

Most of the time when permissions are an issue, I tend to use an SFC scan, which has been working just fine so far.

Lost internet connections are a bit more of a challenge for me. I reset the Internet Explorer settings, delete all temporary internet files, disable all add-ons and cookies, and clear the SSL state. Next I delete all the contents of temp, %temp% and Prefetch, and as a final precaution I disable all startup items and non-MS services. Typically after I have done these things I regain internet connectivity; if I haven't regained connectivity at this point, I'm at a loss.

As for the actual removal of the virus, I leave that up to Malwarebytes and HouseCall.

These are basically my cleaning steps. As I have been reading more of the posts on this forum, I keep seeing more and more tools that have been used in part to remove infections. Could someone please explain some of these tools: what they are used for, what the limits of each tool are, and, most importantly, whether they work on XP, Vista and Seven?

Junction.zip
Inherit
DDS
SystemLook (and what does this command do?)
:dir
C:\WINDOWS\system32 /n*.dll /t50

peek.bat

The following cmd commands:

sc config eventlog start= disabled
sc config eventlog start= auto

DIR /a/s c:\scecli.dll netlogon.dll eventlog.dll >Log.txt&log.txt

OTL

So those are my steps, and the tools that I see your team using that I have questions about. Any feedback would be appreciated.

Thanks again

-Michael
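One of the commands asked about above, `DIR /a/s c:\scecli.dll netlogon.dll eventlog.dll >Log.txt&log.txt`, is a recursive listing (including hidden and system attributes) of every file on C: carrying one of those three DLL names, written to Log.txt and then opened. The check a practitioner actually wants from that listing is which copies differ from the known-good one, since a second copy of a system DLL sitting somewhere other than system32 (or the legitimate dllcache backup on XP) is the thing worth looking at. The script below is an added example, not code from the thread or from any of the tools it mentions: it does the same recursive name search in Python and additionally hashes each copy against the one in system32. The directory tree it walks is constructed inline as sample data, and the idea of treating the system32 copy as the reference is an assumption for illustration; on a real system you would compare against a copy from known-good install media, because the system32 copy itself may be the patched one.

```python
"""
Added example (not from the original thread): a Python equivalent of

    DIR /a/s c:\scecli.dll netlogon.dll eventlog.dll

that also reports which copies differ from the reference copy in system32.
The sample directory tree is constructed here, not taken from a real machine.
"""
import hashlib
import os
import tempfile

TARGET_NAMES = ("scecli.dll", "netlogon.dll", "eventlog.dll")


def sha256_file(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, names=TARGET_NAMES):
    """Walk `root` and return {name: [paths]} for every file whose
    lower-cased basename is one of `names`. os.walk does not skip hidden
    or system directories, which matches the /a switch of DIR."""
    found = {n: [] for n in names}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            key = fn.lower()
            if key in found:
                found[key].append(os.path.join(dirpath, fn))
    return found


def classify(copies, reference_dir):
    """Compare every copy against <reference_dir>/<name> (assumed here to be
    system32). Returns sorted (name, path, status) tuples where status is
    'reference', 'identical', 'differs', or 'no-reference' when the
    reference copy is missing entirely."""
    results = []
    for name, paths in copies.items():
        ref = os.path.abspath(os.path.join(reference_dir, name))
        ref_hash = sha256_file(ref) if os.path.isfile(ref) else None
        for p in paths:
            if os.path.normcase(os.path.abspath(p)) == os.path.normcase(ref):
                status = "reference"
            elif ref_hash is None:
                status = "no-reference"
            elif sha256_file(p) == ref_hash:
                status = "identical"
            else:
                status = "differs"
            results.append((name, p, status))
    return sorted(results)


def suspicious(results):
    """Copies worth a closer look: content differs, or nothing to compare to."""
    return [(n, p) for n, p, s in results if s in ("differs", "no-reference")]


def build_sample_tree():
    """Constructed sample data: an XP-like layout with matching copies in
    system32 and dllcache, plus one modified eventlog.dll dropped in a
    user's Temp directory. Returns (root, system32_path)."""
    root = tempfile.mkdtemp(prefix="dircheck_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    dllcache = os.path.join(sys32, "dllcache")
    odd = os.path.join(root, "Documents and Settings", "user",
                       "Local Settings", "Temp")
    for d in (sys32, dllcache, odd):
        os.makedirs(d)
    for name in TARGET_NAMES:
        for d in (sys32, dllcache):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"MZ original " + name.encode())
    with open(os.path.join(odd, "eventlog.dll"), "wb") as f:
        f.write(b"MZ patched eventlog.dll")  # the odd one out
    return root, sys32


if __name__ == "__main__":
    root, sys32 = build_sample_tree()
    for name, path, status in classify(find_copies(root), sys32):
        print(f"{status:12} {name:13} {path}")
```

Like the DIR command it mirrors, this only sees what the running kernel lets it see; a rootkit that filters directory enumeration will hide its own files from both. For that reason the listing is most trustworthy when the drive is examined from a clean environment (another installation or boot media) rather than from the infected system itself.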

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:02:00 PM

Posted 27 November 2009 - 08:47 AM

Hey Michael,

Some of these things we really do not like to discuss in public due to the sensitive nature of these tools. If you would like to join a trainee program to learn more about them, then I suggest you apply to one of these schools:

http://www.uniteagainstmalware.com/schools.php

Unfortunately we are booked up here at BC, and I am not sure when a new slot will open.

#5 Michael_Tsp

Michael_Tsp
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 29 November 2009 - 02:57 AM

Thank you for your response, and for sure I will be looking into this. I understand for the most part what the tools do, but since it's all new to me, I can only see what's on the surface. Maybe with luck one of the schools will be accepting new students. As for the guide, I'm still sort of stuck on how in depth I should go. I tried a rough draft and found myself including many things that would be helpful to someone who didn't know, but useless to those with a good foundation. I'm leaning more towards an HTML or PDF document with an index. So I'll be at it for a while, to say the least. Thank you for your response, Grinler. If I have any other questions, other than those regarding tools, I shall return and ask away.

Thanks again

-Michael

#6 Beverly Roberts

Beverly Roberts

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 29 November 2009 - 05:25 AM

The simplest and most effective method to prevent infection is to use a LiveCD when you surf the web. Every time you reboot your machine with a LiveCD, all previous infections will be removed, since the LiveCD is a CD-ROM. The only drawback is that you can't save any data on your machine, but you can use online storage, e.g. Google Docs. You can download a Linux LiveCD for free from many different Linux distributions. Don't be afraid to use Linux. The GUI is analogous to Windows.

Beverly Roberts



