I have to clean up a Vista PC that, from what has been described to me, is potentially heavily infected with viruses and malware. What portable apps should I have in my arsenal (apps under development are fine)? Are there any non-portable apps I should consider?
I have my list pretty set, which is just the standard array of apps I would use but I'm just curious as to others' responses.
Bring out all the power apps, you're likely to need them.
Here's what I'd be bringing, minimum (in order from weakest to strongest, although that's just MHO):
* Process Explorer (not an antivirus software, per se, but it sure is useful for seeing what's running)
* AutoRuns (once again, not an antivirus software, but quite useful for seeing autoruns, browser codecs, etc. - use it to get into system sections, such as codecs, which frequently contain malware but are generally hard to access)
* CCleaner
* Revo Uninstaller
* SpyDLLRemover
* Ad-Aware
* ClamWin
* Spybot S&D
* Avast!
* RKUnhooker (not sure if you've heard of this one; it's a somewhat-dated, but still-potent, anti-rootkit app. I've got a link if you need one)
* MalwareBytes Anti-Malware (MBAM)
I'd recommend renaming the executables before running them, since many viruses now actively hunt and kill AV apps to avoid being discovered. Renaming the executables (e.g. procexp.exe becomes l2k3j4l1h2341h23lh.exe - just mash some random keyboard keys until you're satisfied) will give you some protection from less-advanced malware. You'll also want to run from a read-only device (e.g. a USB stick with a physical read-only switch turned on - don't trust a software read-only switch) to make sure the device doesn't get infected, too.
If the machine is so malware-riddled you can't even run an AV program, even a renamed one, your best bet is probably data recovery & reimaging. I use a Ubuntu LiveCD in situations like this, but just about any Linux distro would work as long as it's got a LiveCD. Once you're finished with data recovery, you can also wipe the HD from within the LiveCD before re-installing Windows.
Good luck!
"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."
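The two preparation steps in the post above (random executable names, and a stick whose write protection is enforced in hardware) can be scripted on the clean technician PC before the stick goes anywhere near the infected machine. The following PowerShell is an added example, not code from the thread or from any of the tools listed; the source folder, drive letter and tool names are assumptions. Run it once to stage the tools, flip the hardware switch, then run it again with -Verify, which must confirm that a write to the stick is refused.

```powershell
# Stage portable clean-up tools onto a USB stick under random names, and
# verify the hardware write-protect switch afterwards.
# Added example; paths and tool names are assumptions, not from the thread.
param(
    [string]$Source = 'C:\downloads\tools',   # assumed: freshly downloaded tools on the clean PC
    [string]$Stick  = 'E:\',                  # assumed: stick with a physical write-protect switch
    [switch]$Verify                           # second pass, after the switch has been flipped
)

function Test-WriteProtected {
    # Try to create a file; a hardware write-protect switch makes this fail.
    param([string]$Path)
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item $probe -Force
        return $false   # write succeeded: the media is NOT protected
    } catch {
        return $true    # write refused: protection is on
    }
}

function New-RandomExeName {
    # 16 random lowercase letters/digits, the scripted version of "mash the keyboard".
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
    $name = -join (1..16 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
    return "$name.exe"
}

if ($Verify) {
    if (Test-WriteProtected $Stick) {
        Write-Host "$Stick refuses writes: hardware write-protect confirmed."
    } else {
        throw "$Stick is still writable; flip the hardware switch (a software flag is not enough)."
    }
    return
}

# Staging pass: copy every tool to the stick under a random name and keep a
# mapping file so you can still tell which random name is which tool.
$map = @()
Get-ChildItem -Path $Source -Filter *.exe | ForEach-Object {
    $target = Join-Path $Stick (New-RandomExeName)
    Copy-Item $_.FullName $target
    $map += New-Object PSObject -Property @{ Original = $_.Name; Staged = $target }
}
$map | Export-Csv (Join-Path $Stick 'tool-map.csv') -NoTypeInformation
$map | Format-Table -AutoSize
Write-Host "Now flip the write-protect switch and re-run with -Verify."
```

The mapping CSV lives on the stick itself, so once the switch is flipped it cannot be altered on the patient machine either; the random names only buy protection against malware that kills tools by filename, which is exactly the limit the post states.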
Yeah... lol, I'm thinking from what has been described that this is an FDisk job all the way, but I'll see what I can do.
Thanks for the list, a few surprises, some not so, but very useful, so thanks!
If it's that bad, be careful with data recovery. I wouldn't be surprised if some "benign" files (e.g. MS Office documents) have gotten "loaded". Be especially careful with executables: regular programs, batch files, anything that can run code (especially MS Office files - I've heard horror stories about people who got infected MS Office docs from a friend. The friend, of course, had no idea their computer was infected in the first place).
Otherwise, you're likely to end up with a re-infected machine and another long round of troubleshooting/data recovery/re-imaging.
My standard question in this situation is "when did you make your last backup?"; depending on the answer, and how critical the data on the PC is, I sometimes forgo the data recovery altogether.
My pleasure!
Here's two more you might want:
* HiJack This (once again, just diagnostics - do NOT delete anything in the list unless you're sure it's malware. Like AutoRuns, it only lists what's going on in certain parts of your system, and is not an antivirus app)
* Combofix (Watch it, I've heard this has the possibility to majorly screw up a system. You can probably use it with impunity, since the system sounds screwed anyway)
You can get Combofix from here or here; make sure you save it to the desktop. I don't know the reasoning behind that, but I've seen numerous threads on the Avast forums where people were instructed to use Combofix, and they've always been told "save it to the desktop".
This might help you too: http://forum.avast.com/index.php?topic=37542.msg376122#msg376122
That whole thread is pretty helpful, but that specific post is especially so.
Let us know how it turns out!
Do HijackThis and ComboFix do the same?
How about SUPERAntiSpyware Portable?
Well, I could probably write a small essay on the joys of cleaning up a Windows Vista PC but in the interests of not wanting to kill people with boredom, I'll keep this short.
The first major problem was that I don't think any kind of maintenance had ever been performed on this computer. The primary user's account had over 8GBs!!! (yes, you read that correctly) of temporary files. I don't think I've ever seen a number that big before.
The second problem was that although the computer didn't have any highly dangerous viruses on it, it was laden with spyware, no doubt helping to download more cr@p and generally slowing things down a bit.
The third problem, and ironically the most obvious but the one I overlooked, was that the computer has 1GB of RAM... but it's running Vista, which needs its own nuclear power station just to boot.
The solution: Spend hours scanning, rescanning for malware, clicking "ok" buttons because "Yes, It was me, I did really want to run that program", get bored and frustrated, say "s***w it!", format the drive, install XP instead. Job done.
Now I just have to spend hours downloading critical updates instead and then I'll install a few portable apps when those are done, but at least the computer will be usable.
I haven't used Vista much, but this has been an interesting experience. I feel terribly ashamed on behalf of any developer who was ever involved in Vista. No wonder Microsoft want that embarrassment of an OS erased from the history books. Lucky for them it looks like they've redeemed themselves with Windows 7 (from what I've heard). Had it been Vista 2: The Revenge, that would have been a PR disaster.
For the record, I used:
AVG was installed on the system but seemed to be locked up and unusable. In its defense, some Microsoft anti-virus/anti-spyware tool was also running at the same time (sounds like a bad idea to me).
Oh, wow. Sounds like another candidate for The Daily WTF. 1 GB of RAM for Vista?
MBAM should take care of just about any relatively-minor infection like the ones you're describing; if there's anything worse, I've been experimenting with a couple of big guns (they can blow up big infections or they can blow up the computer, depending on how well they're used) that I'd be happy to send you.
Incidentally, you might want to get rid of the MS tool and AVG; I've heard Avast! and MBAM play nicely together, and a double solution is probably best at this point. I doubt two resident scanners would do well together, though, which is probably part/most of the problem with AVG.
Glad to hear you got it taken care of!
What's really sad is this was a store-bought Compaq system, not some half-@$$ed, hacked-together knock-off from Shady Sam's Homebrew Computer Store. Compaq should know better. No wonder it was cheap!
I actually don't mind AVG, I had a big problem with version 8, but it was very rapidly replaced with 8.1, so apparently I wasn't the only one. Version 9 seems to be very stable (except on Vista apparently). I use AVG on all my computers without any problems. Never tried Avast!
The users of this computer are not very tech savvy, and in fact they're prone to just clicking "OK" on the first popup that tells them their computer is infected. I suspect that a whole slew of useful and not so useful tools have been installed on this PC at some point or other. I'll be sure to tell them to install NOTHING! In truth, once I set them up with XP and all the software, there really shouldn't be any reason for them to install anything.
Oh, please send that to TDWTF. That is definitely worthy of being included.
I wonder how many rogue AVs they collected? 9_9
Yeah, the less interaction that kind of user has with the computer, the better. And installing things definitely counts as interaction.
8GB of temp files? Holy crap. I think the most I've ever seen is 2GB, and that was only once.
Regarding the MS antivirus, MSSE is actually pretty nice. I used to use AVG, but I found it slowed copy/move operations and unzipping down to a crawl half the time. MSSE doesn't slow the system down a lot, and I haven't had a virus get past it yet.
Regarding the 1GB of RAM, yeah, it was actually typical when Vista first came out for less expensive pre-installed Vista machines (yes, even the big OEMs!) to only have a gig of RAM. So no surprise there, really. Luckily Windows 7 runs just fine on 1 GB of RAM (7 runs on any hardware that can run Vista, and runs better in all cases), which I can personally attest to as I use it all the time on my netbook. I love Win7; I cringe now if I have to use XP. And unlike with Vista, Win7 actually makes Aero practical rather than just being useless eye candy.
I think the number was partly over-inflated by the fact that there were tons of EXEs in the system temporary folders (not Temporary Internet Files), and in some cases the EXE was duplicated several times: setup(1).exe, setup(2).exe, setup(3).exe, etc.
This was no doubt in part due to impatient user syndrome, with the user clicking several times because there was seemingly no response from the computer... which in turn had a lot to do with the fact that the computer was only running 1GB of RAM.
The user is definitely at fault but at the same time, they aren't computer scientists or network administrators, so I feel badly for them that they have a system that is letting them down.
Things run much more smoothly now under XP, although I'm still having trouble finding a few XP drivers but I haven't looked too hard yet. Once I get some portable apps on there the user shouldn't have to mess with the PC at all (and hopefully they won't), which will help keep it more stable.
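The "setup(1).exe, setup(2).exe, ..." pattern described above is easy to measure rather than eyeball: inventory every runnable file in the temp folders, hash each one, and group by hash so identical installers downloaded several times show up as one entry with N names. The PowerShell below is an added example and not code from the thread; it uses the standard Windows temp locations and only reports, writing a CSV for review, so nothing is deleted until someone has looked at the list.

```powershell
# Inventory runnable files in the Windows temp folders, group by SHA-256,
# and report duplicates plus total size. Added example, not from the thread.
# Nothing is deleted: the output is an inventory for review.
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp'))
$exts = '.exe', '.msi', '.scr', '.bat', '.cmd', '.vbs', '.js'

function Get-Sha256 {
    # .NET hashing so this also works on older PowerShell without Get-FileHash.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# Collect candidate files; -Force includes hidden ones, errors on locked files are skipped.
$files = @(foreach ($dir in $tempDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $exts -contains $_.Extension.ToLower() }
    }
})

$report = @($files | ForEach-Object {
    New-Object PSObject -Property @{
        Path   = $_.FullName
        Bytes  = $_.Length
        Sha256 = Get-Sha256 $_.FullName
    }
})

$sum = ($files | Measure-Object -Property Length -Sum).Sum
$totalMB = [math]::Round(($sum / 1MB), 1)
Write-Host "$($files.Count) runnable files in temp folders, $totalMB MB total"

# Same hash under several names is the repeated-download pattern from the post.
$report | Group-Object Sha256 | Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $eachMB = [math]::Round($_.Group[0].Bytes / 1MB, 1)
        Write-Host "`n$($_.Count) copies, $eachMB MB each, sha256 $($_.Name)"
        $_.Group | ForEach-Object { Write-Host "  $($_.Path)" }
    }

# Full inventory (path, size, hash) for review before any clean-up.
$report | Export-Csv (Join-Path $env:USERPROFILE 'temp-exe-inventory.csv') -NoTypeInformation
```

Run it from an elevated prompt so the system-wide Temp folder is readable; the CSV doubles as a list of hashes to check against whatever scanner is being used on the machine, since executables sitting in temp folders are exactly the files a clean-up should look at first.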
The thing I've found with XP is that, while it generally flies on current hardware, there are certain instances where it'll seem to become noticeably laggy (XP doesn't multitask well in my experience). Vista and later are slower obviously, but at the same time they give a more consistent response time. It's like what I've found between Google Chrome and Firefox: no doubt Chrome is a speed demon, but when it hits a situation that slows it down, you notice right away. Firefox on the other hand is actually slower, but because it tries to wait until an element is fully loaded before displaying it, it seems faster.
Don't forget also that when you buy a new computer from an OEM, the OEM loads it with all kinds of crap that generally you don't need, and most users don't bother to remove it. On a Vista machine with only 1GB of RAM, that's going to hurt. I can tell you that I've run Vista with only a gig before, and it's actually not that bad if you're only doing one or two things at a time (which is generally the way I use the computer). But add all the OEM cruft to that, and suddenly you have what basically amounts to a giant paperweight.
Well, I think the best anti-malware portable app I've come across is the Anti-Malware Repair Toolkit. It's a bundle of all the top malware-fighting tools in one handy app. The impressive thing about the toolkit is that all utilities can be updated on-the-fly - including malware definitions (as long as there's an Internet connection present), which is vital! This is great for fixing client PCs which have nasty infections.
http://portableusbtoolkit.com/Repair_Hard_Drive/build-a-usb-repair-toolkit