<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6759901148108837316</id><updated>2011-08-16T12:16:28.577-07:00</updated><category term='portable'/><category term='flash drive'/><category term='anti-virus'/><title type='text'>Heavenly Code</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://codedinheaven.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6759901148108837316/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://codedinheaven.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Sam Dana</name><uri>http://www.blogger.com/profile/13185150880382390017</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://4.bp.blogspot.com/_fxGPBVtdgSY/SkfC-36TL_I/AAAAAAAAAAU/mDNSdpH_Boc/S220/Julia%27s+House-20080110-27.JPG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6759901148108837316.post-4012795324715290540</id><published>2009-06-28T09:39:00.000-07:00</published><updated>2009-07-07T15:42:34.623-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus'/><category scheme='http://www.blogger.com/atom/ns#' term='portable'/><category scheme='http://www.blogger.com/atom/ns#' term='flash drive'/><title 
type='text'>Portable USB Flash Drive Anti-Virus Toolkit</title><content type='html'>&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;Hey everyone, welcome to the blog. I've done quite a bit of anti-virus/software troubleshooting over the last three years, and over that time I've collected a decent virus-fighting toolkit (with lots of help from the knowledge and experience of my coworkers) that I keep on my flash drive. &lt;/span&gt;Let me know what you think, and possibly if there is some tool that's really made a difference for you.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;1) Process Explorer&lt;/span&gt; - The most useful application on the planet for virus removal. When running procexp, make sure to view attached DLLs in the bottom pane (Ctrl + D). Then sort the listed DLLs by company name, then description. Having done this, the attached DLLs that don't have a listed provider (viruses usually won't) will appear at the top of the list for each process. Another thing to look for is packed images. Any file running a packed image will appear with purple highlighting (by default) in Process Explorer. Viruses will often use this technique to hide from heuristics-based virus scanners, but be aware that harmless installers will also be packed. Process Explorer also has the ability to rapidly kill processes by first disabling the '&lt;span style="font-family:courier new,monospace;"&gt;Confirm Kill&lt;/span&gt;' option from the '&lt;span style="font-family:courier new,monospace;"&gt;Options&lt;/span&gt;' dropdown, then using the arrow keys and the Delete key to navigate the process tree and kill processes.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;2) Autoruns&lt;/span&gt; - The best autostart management program available. First, cancel the initial scan using the Escape key. 
Then hide legitimate Microsoft and Windows entries (Alt + O, M) and verify code signatures (Alt + O, V). Autoruns will now verify the code signatures of startup entries and only display third-party and unverified entries. This greatly shortens the list you have to look through, and tells you whether or not an entry is legitimately signed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;3) Spybot S&amp;amp;D&lt;/span&gt; - A good spyware scanner. Make sure that it is up to date before you run it, and on Vista that it is run with administrator privileges (if you don't, it will get all the way to the end of the scan and *then* tell you that you needed to run it as an administrator).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;4) CCleaner&lt;/span&gt; - Removes temporary files and other (probably) unwanted data. I run this utility first to minimize the number of files that virus scanners have to look through.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;5) SFC - Not really an app, but a Windows tool that you may not know about. Running '&lt;span style="font-family:courier new,monospace;"&gt;sfc /scannow&lt;/span&gt;' from the command line will cause Windows to verify and replace core Windows files. The Vista version of this tool can be run 'offline' from a Vista DVD by running '&lt;span style="font-family:courier new,monospace;"&gt;sfc /scannow /offbootdir=c:\ /offwindir=c:\windows&lt;/span&gt;' where '&lt;span style="font-family:courier new,monospace;"&gt;c:\&lt;/span&gt;' and '&lt;span style="font-family:courier new,monospace;"&gt;c:\windows&lt;/span&gt;' are your operating system's drive and directory.&lt;/span&gt; SFC is useful when you suspect that Windows files have been corrupted.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;6) SDFix - A script that removes viruses and repairs many Windows registry hacks. 
I would run this if I get a "&lt;/span&gt;&lt;span style="font-family:courier new,monospace;"&gt;... has been disabled by your administrator&lt;/span&gt;" message or if control panels or tabs are missing or disabled. This utility must be run from safe mode. Windows XP only.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;7) ComboFix - A powerful all-purpose virus deleting script. This is very good at eliminating tough-to-remove-via-&lt;wbr&gt;conventional-means viruses. There was a widely distributed infected copy of it a few months back, so make sure you get it from a &lt;/span&gt;&lt;a style="font-family: arial,helvetica,sans-serif;" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" target="_blank"&gt;legitimate source&lt;/a&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;.&lt;/span&gt; I run ComboFix mostly as a last resort to remove viruses, as it is very powerful and there is a certain risk involved when running it. It is effective though. Windows XP only.&lt;br /&gt;&lt;br /&gt;8) IceSword - An anti-rootkit tool. IceSword was designed to detect/remove rootkits, but I haven't had much success using it on them. Instead, I mainly use IceSword's file and registry editor features. IceSword has the ability to see and delete folders and files even if they are completely hidden from Windows. IceSword's '&lt;span style="font-family:courier new,monospace;"&gt;Force Delete&lt;/span&gt;' can delete files/folders even if they are currently in use! The drawback is that IceSword only seems to run on about 3/4 of computers due to what I assume is a Windows incompatibility. There is a separate version of IceSword for Vista.&lt;br /&gt;&lt;span style="font-family:arial,helvetica,sans-serif;"&gt;&lt;br /&gt;9) NoNav 2.49 - Gets rid of NAV/SAV installs if normal uninstallers fail (this happens about 1/4 of the time in my experience). 
This can be hard to find, but Google came up with a download on John Lamb's site &lt;a href="http://downloads.jmlamb.net/symantec/NoNav2.49.exe"&gt;here&lt;/a&gt;&lt;/span&gt;. His &lt;a href="http://blog.jmlamb.net/"&gt;blog&lt;/a&gt; also contains information about removing the newer SEP installs, which I don't have very much experience with.&lt;br /&gt;&lt;br /&gt;10) Rootkit Unhooker - Another anti-rootkit tool. I've had some success using this tool against rootkits. It has the ability to scan for and unhook code hooks.&lt;br /&gt;&lt;br /&gt;11) Process Monitor - I haven't used this tool much, but it is very good if you need to see *everything* that is happening on a computer. It will monitor registry, process/thread, and file-system activity with many advanced options.&lt;br /&gt;&lt;br /&gt;12) KillBox - A file deletion utility. I haven't used this utility recently, as IceSword is much better (if it works at all, that is), but it has a good array of options for removing hard-to-remove files.&lt;br /&gt;&lt;br /&gt;13) MalwareBytes - Another spyware scanner. I'm not entirely convinced of its usefulness, but it does have a very thorough anti-malware scan (I've seen it take 5 hours on a slow computer). Other IT people I've worked with seem to think it's great though. :) YMMV.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;All these utilities can be run directly from your flash drive*. 
To protect your flash drive from viruses, I recommend getting a &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16820141484" target="_blank"&gt;flash drive with a read-only switch&lt;/a&gt; (PQI's titanium and black models have this feature).&lt;br /&gt;&lt;br /&gt;*)&lt;span style="font-family:arial,helvetica,sans-serif;"&gt; CCleaner and Spybot can be installed, then copied to and run from your flash drive, but I prefer to just use the installers.&lt;/span&gt; I'm unsure about MalwareBytes - I've never tried running it straight from my flash drive.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Well, there you go. Comments? Suggestions?&lt;br /&gt;&lt;span style="color: rgb(136, 136, 136);"&gt; -Sam&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://codedinheaven.blogspot.com/feeds/4012795324715290540/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://codedinheaven.blogspot.com/2009/06/portable-usb-flash-drive-anti-virus.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6759901148108837316/posts/default/4012795324715290540'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6759901148108837316/posts/default/4012795324715290540'/><link rel='alternate' type='text/html' href='http://codedinheaven.blogspot.com/2009/06/portable-usb-flash-drive-anti-virus.html' title='Portable USB Flash Drive Anti-Virus Toolkit'/><author><name>Sam Dana</name><uri>http://www.blogger.com/profile/13185150880382390017</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://4.bp.blogspot.com/_fxGPBVtdgSY/SkfC-36TL_I/AAAAAAAAAAU/mDNSdpH_Boc/S220/Julia%27s+House-20080110-27.JPG'/></author><thr:total>0</thr:total></entry></feed>
