FAQ of the Software/Operating Systems section

Discussion in 'Operating Systems' started by Animatrix, Oct 12, 2005.

  1. Mannerheim

    Mannerheim Ancient Guru

    Messages:
    4,748
    Likes Received:
    1
    Graphics Card::
    nvidia GTX 1070 mobile
    Can i shutdown virtual memory with 6144MB DDR2 ??? Without any probs with Vista 64bit?
     
  2. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,843
    Likes Received:
    3
    Graphics Card::
    BFG 8800GT OC2 512
    It is not possible to turn off virtual memory. But i assume you mean the page file, not virtual memory (it's not the same). Yes you can turn off the page file, no it is not a good idea and i would not suggest doing so no matter how much RAM you have installed. Some software will look for a page file and will not run without one.
     
  3. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,843
    Likes Received:
    3
    Graphics Card::
    BFG 8800GT OC2 512
    Please save or print for offline usage.



    ***Malware Cleaning; short version***​



    1. Download and install the following tools

    CCleaner
    HijackThis
    SUPERAntiSpyware
    Malwarebytes Anti-Malware
    Dr.Web CureIt!

    Note: Please update all the scanners now but do not start any scan yet.

    If your experiencing issues installing any of the scanners, try renaming the installer. Just give it some random name.


    2. Unplug the system from the network

    Unplug the network cable to the PC and do not reconnect to the network until the last step.



    3. Clean junk files

    Run CCleaner, press the Options button then the Advanced button, untick the option "Only delete files in Windows Temp folders older then 48 hours", go back to the cleaner page and press the Run Cleaner button.



    4. Scan for malware

    A). Preform a quick scan with all the scanners, let them clean what they find.

    B.) Start your computer in Safe mode. Now perform a full scan on the system par****on (usually C:) with each anti-malware scanner. In safe mode that is. Not all scanners can scan in safe mode, but most can.



    5. Post a HijackThis log

    Rename HijackThis to some random name (blabla.exe) and post the HijackThis log to the software section. Copy and paste the log into your post.

    How to generate a HijackThis log file





    ***Malware Cleaning; long version***​


    1. Clean the HOSTS file, reset IE security settings and firewall


    Even if your not experiencing any connection issues it is advisable to make sure the hosts file, browser related settings such as the Internet Explorer Zones and the Windows firewall, all are reset.



    2. Download and install the following tools



    If your experiencing issues installing any of the scanners, try renaming the installer. Just give it some random name.


    3. Unplug the system from the network


    • Unplug the network cable to the PC and do not reconnect to the network until the last step.


    4. Clean junk files
    • Run ATF-Cleaner, check on Select all, press Empty selected button.

    • Run CCleaner, press the Options button then the Advanced button, untick the option "Only delete files in Windows Temp folders older then 48 hours", go back to the cleaner page and press the Run Cleaner button.


    5. Scan for malware


    Level 1 / 2 scans are mandatory, they must be performed.


    • Level 1 scan

      Preform quick or full scan with all the scanners.


    • Level 3 scan

      You can also scan the system without booting it, there are mainly two ways of doing it.

    • Use a boot CD with anti-malware tools and scan the hard disk.

      Caution: Word of warning on cleaning with boot CDs

    • Or connect the hard disk to another system as a data hard disk and scan it.

      As one potentially can spread the malware, caution is advised. Leave the drive alone, just scan it don't start poking around. If it is a removable drive, before you remove it and plug it in the other system look in the root of the drive for a Autorun.inf file (info on autorun), if you find one either make sure it's not malware related or just rename it to Autorun.inf.back. You can also disable Autorun first on the second system before plugging in the drive.



    6. Run online scans


    • Connect the system back to the network and do at least one online scan.
    Bitdefender Online Scanner
    http://www.bitdefender.com/scan8/ie.html
    http://kb.bitdefender.com/KB424-en--How-to-run-the-Online-Scanner-on-Vista.html

    ESET Online Scanner
    http://www.eset.com/onlinescan/

    Trendmicro Online Scanner
    http://housecall.trendmicro.com/housecall/
    http://prerelease.trendmicro-europe.com/hc66/launch/



    7. Scan with HijackThis and Autoruns


    • Rename HijackThis to some random name (blabla.exe), scan and save the log.

      How to generate a HijackThis log file

    • Run AutoRuns > press Esc to stop the scan > under Options check "Verify code signatures" and "Hide Microsoft Entries" > press F5 and let it scan, please be patient the "Verify code signatures" option needs to connect to the internet for the verification > after it's done go to File then Save this will save the log in the ".arn" format, upload the file here. If you use File > Export it will be saved as a .txt file and you can post this log like HijackThis logs (i.e. copy, paste). But only if it's not huge, which it shouldn't be as long as you made the changes to the options (i.e "Verify code signatures" and "Hide Microsoft Entries").


    8. Post your HijackThis and Autoruns logs

    Make a thread in the software section and post the logs. Please do NOT post any logs made from before you did the cleaning steps just outlined. When you post the logs, post any other information found during scans.





    ***After cleaning***​


    1. Clear old restore points

    Restore points has to be wiped in order to make sure no malware is in the restore points. Please disable and then re-enable system restore.


    XP Instructions
    Vista Instructions


    2. Check for updates to Windows

    Microsoft Windows Update


    3. Check for updates to software

    Secunia Software Inspector


    4. Run a system file check

    SFC /scannow


    5. Run a defrag on the system

    While your waiting for the defrag to finish please read How did I get infected in the first place[/color]







    ***Manual malware detection and removal***​


    First a word of warning. Wise men say, once a system has been compromised it can never be trusted. And yes it is true, the only way to be sure the system is clean is to wipe it completely and reinstall the operating system from a known good clean source. On the other hand i do firmly believe that most systems can be cleaned and that what can be done can be undone. There is nothing magical or mysterious about operating systems or malware, they work by principles well understood, keep that in mind. It is in the end a judgment call and making the right choice should be based on more then just your believe in your cleaning abilities. On system of critical importance or used for sensitive information it would be unwise to gamble. On the other side you have the systems that simply are not worth wasting time cleaning. Somewhere in the middle of all this is where we will be focusing.

    Just don't say i didn't warn you. Knowledge is power, but with power comes responsibility.


    1. Know thy system

    The better you know the system the easier it will be to spot an offender. Knowing about operating system specific components, the correct names and locations of system files and so on is necessary. You can and will learn as you go along, its a technical subject and some reading will likely be required.


    2. Investigating the system

    Make sure you have enable viewing of hidden files and folders.

    Always start by scanning and cleaning systems using anti-malware scanners first, let the scanners do as much of the legwork as possible. Why waste time figuring out how to clean something when others have done it for you.

    Next is a list of tools that can be used for finding, tracking and dealing with malware. They all have one thing in common, they do for the most not distinguish between good and bad, that will be your job. You have to learn how the tools work and understand the information they give. Otherwise they will be close to worthless, or simply dangerous in the wrong hands. I suggest you start by viewing the video Advanced Malware Cleaning, it will give you an introduction into manual malware detection and cleaning, as well as some of the tools listed here.


    Auto startup tools:

    Autoruns: helps you find and get rid of auto starting objects. To quickly get to the possible problem start-ups press Esc to stop the scan > under Options check "Verify code signatures" and "Hide Microsoft Entries" > press F5 and let it scan, please be patient the "Verify code signatures" option needs to connect to the internet for the verification > after it's done you can save the log by going to File > Save. Autoruns also has a handy "jump to" feature which let you jump to a particular registry key, and using the "properties" feature it can take you to the properties of a file (exe/dll) quickly.

    HiJackThis: can just as Autoruns uncover and get rid of unwanted auto starting objects. It is widely used for cleaning systems and should be in your kit.

    Use databases and search engines to help identify objects.

    http://www.systemlookup.com
    http://www.bleepingcomputer.com/filedb/
    http://gladiator-antivirus.com/forum/index.php?showtopic=24610

    Read some HijackThis log tutorials to learn about the tool.

    Last use an auto log analyzer to quickly get to the obvious bad stuff. Some use a community feedback system which can help identify lesser know processes and auto starting objects.

    http://www.hijackthis.de
    http://www.help2go.com/component/detective
    http://hjt.networktechs.com


    File and process tools:

    Filealyzer: is a neat tool to analyse and display file contents, resources, PE Header, Import/Export table, Hex dump, it also gives the CRC-32 and the MD5 checksum of the file and much more.

    PEiD: detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

    Warning, please note that when unpacking you may be warned about execution of the file, do NOT execute malware on your PC, if you have to execute it make sure you do so in a safe environment, like a VM, sandbox or a dedicated system.

    Packers, Crypters, Protectors

    Process Explorer: is a great tool to do investigation with. Use it to inspect processes and dlls. Process "Parent/Child" relationship, location and command line arguments, handles, strings, thread activity. You can suspend processes, kill processes including the process tree and close open handles. You can also verify signatures.

    Process Monitor: is for monitoring live system activity with can help pinpoint files and registry resources used by malware.


    Network tools:

    TCPView: is handy for looking at network trafic, resolving addresses and doing Whois, as well as closing connections.

    Packet sniffers: are used for looking at network traffic, unlike tools like TCPView sniffers work at a much lower level.


    Sectools.org: Top 100 Network Security Tools


    That which hides in the dark:

    The problem with investigating compromised systems is that they can't be trusted and that all software running on the compromised system, including anti-malware and system investigation tools are possibly blinded by the malware, given bogus information, or the malware is hiding in unseen parts of the operating system like in Alternate Data Streams. More and more malware use rootkits or incorporate rootkit like technologies which makes finding and removing the malware much harder. Malware will hook, inject/load itself into processes, hijack API calls and generally do whatever it takes to avoid detection and removal. Most such malware can be quite unstable, especially when kernel mode is involved. Tools crashing, or tools causing the system to crash, can be a sign of hitting malware. However most malware is still targeting the low hanging fruit and considers the average joe user to be fairly easy to trick, rogue software and grayware can often be uninstalled using add/remove and a little manual cleaning.

    In the end it's a cat and mouse game, no rootkit can hide forever and no rootkit detector can detect all rootkits. No base belongs to anyone.


    Rootkit scanners:

    http://www.antirootkit.com/software/index.htm
    http://antivirus.about.com/od/rootkits/Rootkit_Information_and_Detection.htm

    http://www.gmer.net/index.php
    http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.html
    http://www.f-secure.co.uk/blacklight/blacklight.html
    http://antirootkit.com/software/IceSword.htm


    On-line malware scanners and analyzers:


    Use multi-scanners on suspicious files, files your antivirus did not catch, or did catch, yet you want a second opinion about to check for false positives. They all have a file size limit so you can't scan very large files.

    http://www.virustotal.com
    http://virusscan.jotti.org
    http://scanner.virus.org
    http://www.virscan.org/
    http://scanner.virus.org/
    http://www.viruschief.com/index.html


    Use malware analyses services like ThreatExpert to see how malware or unknow programs behaves and look for suspect behavior.
    CWSandbox

    Norman Sandbox
    Sunbelt Sandbox
    ThreatExpert



    Virtual environments, sandboxing:

    Running suspicious or unknown processes, as well as known malicious processes, inside a virtual environment or sandbox is a way of isolating harmful effects, it also gives an easy way of reverting any system changes. Great for testing and looking at stuff without having to worry about the harmful effects. It should be noted that some malware is virtual machine aware, that is they will look to see if they are running in a VM and will adjust it's behavior to fool you into thinking they are harmless, then when you run them in the real OS they show their true face. There are tell tell signs of running in a VM, but some can be mitigated. For example VMWare tools is handy but also one place malware can look to quickly figure out if it is running inside a VM.

    Other malware might (at least in theory) even be able to brake out of the VM or sandbox and get to the real system. However that would be considered a exploitable security flaw in the VM or sandbox which should be fixed (if known about obviously, consider a 0day VM exploit). Having said that as far as i know all anti-virus labs use VMs, which is one of the reasons why malware has come up with the anti-VM stuff to begin with, but never the less if they can use them so can we. Some precaution should be taken such as disabling sharing and considerations to network access.


    Debuggers, Disassemblers, HEX editors, Malcode analyzers:

    Here we are in the realm of malware analysis, and reverse engineering. The following tools are not of much use to most people, however they are part of malware investigation never the less. For advanced users only.


    Google: Disassembler, Wikipedia: Disassembler
    Google: Debuggers, Wikipedia: Debugger
    Softpedia, list of software

    Windbg, Windows Debuggers: Part 1: A WinDbg Tutorial
    RootKit Hunting: They can run, but cannot hide

    OllyDbg
    IDA Pro
    PE Explorer
    iDefense Labs software

    Practical malware analysis (forum has censored the URL so i link to a google search of the pdf)
    http://www.google.com/search?name=f&hl=en&q=bh-dc-07-Kendall_McMillan-WP.pdf



    3. Time to clean the system

    For now all you have done is investigating the system. Now with the knowledge obtained in hand we can terminate malicious processes, delete startup/run commands and delete files. Suspending processes using Process Explorer before killing them may be helpful in cases when processes are monitoring each others back and processes get relaunched when killed (buddy system).


    1. Suspend and kill the malicious processes, then find then and delete.


    2 Search for the startup run commands and delete.


    3. Look for services used by malware, stop and delete.

    Using the command line sc stop service name, sc delete service name.


    4. Clean the HOSTS file, reset IE security settings, firewall and TCP/IP.

    HostsXpert
    Zoneout

    "Windows cannot display Windows Firewall settings" error while accessing Firewall settings in Windows XP
    You cannot start the Windows Firewall service in Windows XP SP2
    Reset TCP/IP settings


    5. Disable and re-enable system restore to wipe old restore points which malware might be using. It is advisable to not wipe the restore points until after you have scanned and cleaned. Some malware will cripple system files and cleaning them can make the system unbootable so a restore point may be handy to have around, but in the end it should be wiped.


    6. Run system file checker to search for and repair damaged system files. Have your Windows CD/DVD ready.


    7. Scan the hard disk from a boot CD or second system. Take care when cleaning with boot CD's that are not specifically made for cleaning, you can use the detection just fine but cleaning without the tools full access and knowledge about the environment can cause nasty side effects, worse case scenario the system may become unbootable.

    Word of warning on cleaning with boot CDs

    Alternate Operating System Scanner
    http://www.pctools.com/aoss/

    Avira AntiVir Rescue System
    http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

    Bitdefender: LinuxDefender Live! CD
    http://www.bitdefender.com/site/LinuxDefender-Mirrors.html

    Kaspersky Rescue Disk
    http://ftp.kaspersky.com/devbuilds/RescueDisk/
    http://fileforum.betanews.com/detail/Kaspersky_Rescue_Disk/1213647614/1

    Ultimate Boot CD for Windows
    http://www.ubcd4win.com/index.htm



    8. Rinse and repeat. Sometimes even after your best efforts the malware returns on reboot. If it does you will just have to give it a second go hopefully the second time around the malware will be defeated.



    Dark matter

    There are people that in this process of learning about malware and the lowest levels of operating systems get a little too involved and some just go off the deep-end. Without the proper knowledge and depending on your mental well being it can be a bad place to go for some people. I know this might sound extreme but trust me there are many people which simply can't deal with the idea of a compromised system and for some it becomes an obsession, i have seen it happen and it's a sad sight. They start looking for strings in some executable yet they don't know what they are looking at, or for. They scan with anti-rootkit scanners not realizing the many false positives caused by, ironically enough, anti-malware software installed on the system which will hook, inject and hide itself from the system just like malware does. My point is the deeper you look the more phantoms you tend to see, don't waste your time looking for phantoms and don't freak yourself out.
     
    Last edited: Feb 17, 2009
  4. brassoo

    brassoo Member Guru

    Messages:
    172
    Likes Received:
    0
    Graphics Card::
    9800 sli
    great topic guys lots of Information
     

  5. danielhcn

    danielhcn Member

    Messages:
    10
    Likes Received:
    0
    Graphics Card::
    Evga GTX260(216)896MB SSC
    Hi guys.Recently,i format my hd and installed winXp 32bit and vista ultimate 64bit(previously using xp 32bits)in 2 hd each.After everything was done then i found out that got 2 selections of xp(one new and one old)in bios and vista work fine(one selction).How to remove the unwork old xp from the xp selection?And i also follow the methods in this topic to type MSCONFIG in RUN,but it didnt work to me and i even try on EasyBCD 1.7.2 but still didnt work.Any suggestions and other solutions?Sorry for any inconvenience cause.
     

Share This Page