Sunday, June 03, 2012

Portable USB Flash Drive Live Anti-Virus Toolkit

Here's an up-to-date list of my anti-virus toolkit. Many tools have improved since my last writeup, so the usage has changed a bit.

1) Process Explorer - The most useful application on the planet for virus removal. When running procexp, make sure to view attached DLLs in the bottom pane (Ctrl + D). Then sort the listed DLLs by company name, then description. Having done this, the attached DLLs that don't have a listed provider (viruses usually won't) will appear at the top of the list for each process. Another thing to look for is packed images. Any file running a packed image will appear with purple highlighting (by default) in Process Explorer. Viruses will often use this technique to hide from heuristics-based virus scanners, but be aware that harmless installers will also be packed. Process Explorer also has the ability to rapidly kill processes by first disabling the 'Confirm Kill' option from the 'Options' dropdown, then using the arrow keys and the delete key to navigate the process tree and kill processes.
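The same "no company name" triage that the Process Explorer DLL pane gives you can be scripted. The following PowerShell script is an added example, not something from the original post or from Sysinternals: it walks every process it can open, lists loaded modules whose version resource carries no CompanyName, and checks each one's Authenticode signature so unsigned, vendor-less modules sort to the top. The `-ProcessName` parameter is an assumption of this script, not a Process Explorer option; save it as a .ps1 and run it from an elevated prompt.

```powershell
# Added example (not from the original post): triage loaded DLLs the way the
# Process Explorer lower pane does when sorted by company name, then add an
# Authenticode check. Save as Find-VendorlessModules.ps1 and run elevated.
# 32-bit processes on 64-bit Windows and protected processes refuse module
# enumeration; those errors are caught and the process is skipped.
param(
    # Optional filter, e.g. -ProcessName explorer,svchost (hypothetical parameter)
    [string[]]$ProcessName = @()
)

$procs = if ($ProcessName) {
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
} else {
    Get-Process
}

$findings = foreach ($p in $procs) {
    # Module enumeration throws for processes we cannot open; skip them.
    $modules = try { $p.Modules } catch { $null }
    if (-not $modules) { continue }

    foreach ($m in $modules) {
        $company = $m.FileVersionInfo.CompanyName
        if ([string]::IsNullOrWhiteSpace($company)) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process   = $p.ProcessName
                PID       = $p.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }
}

# A missing company name is a lead, not a verdict: legitimate tools ship
# without version resources too. Unsigned entries are listed first, the way
# unattributed DLLs float to the top of Process Explorer's company-name sort.
$findings |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Process, Module |
    Format-Table Process, PID, Module, Signature, Path -AutoSize
```

Rows whose Signature is Valid are signed binaries that simply omitted a vendor string; the rows to spend time on are NotSigned or HashMismatch modules loaded into a process that should not need them.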

2) Autoruns - The best autostart management program available. First, cancel the initial scan using the escape key. Then go to Options->Filter Options in the menu. Check 'Verify code signatures' and 'Hide Microsoft entries' and click Ok. Autoruns will now verify the code signatures of startup entries and only display third party and unverified entries. This shortens the list you have to look through greatly, and tells you whether or not an entry is legitimately signed. Not all valid entries will be correctly signed, but again, this will limit what you need to check.
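To show what the 'Verify code signatures' plus 'Hide Microsoft entries' filter actually does, here is an added PowerShell example (not from the original post, and not Autoruns' own code) that applies the same filter to the common Run/RunOnce keys and the Startup folders. It covers only that small subset of the locations Autoruns scans (no services, drivers, scheduled tasks or shell extensions), and the helper functions `Get-ExecutableFromCommand` and `Get-AutostartEntry` are this example's own names. Run it from an elevated prompt so HKLM keys and the common Startup folder are readable.

```powershell
# Added example (not from the original post): reproduce Autoruns' "Verify code
# signatures" + "Hide Microsoft entries" filter for Run keys and Startup folders.
# Only third-party or unverified autostart entries are printed.

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Assumption: a Run value is either "quoted path" args or path args.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return [Environment]::ExpandEnvironmentVariables($c.Substring(1, $end - 1)) }
    }
    # Unquoted form: first token, with %SystemRoot%-style variables expanded.
    return [Environment]::ExpandEnvironmentVariables($c.Split(' ')[0])
}

function Get-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$Command)
    $path   = Get-ExecutableFromCommand $Command
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Location = $Location
        Name     = $Name
        Path     = $path
        Status   = if ($sig) { $sig.Status } else { 'FileNotFound' }   # missing target = stale or deleted entry
        Signer   = $signer
    }
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$entries = @(foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider noise
        Get-AutostartEntry -Location $k -Name $prop.Name -Command ([string]$prop.Value)
    }
})

# Startup folders hold shortcuts or executables; a .lnk will report NotSigned,
# so inspect its target by hand.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$entries += @(foreach ($d in $startupDirs) {
    Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-AutostartEntry -Location $d -Name $_.Name -Command ('"' + $_.FullName + '"')
    }
})

# "Hide Microsoft entries": drop anything with a Valid signature whose signer
# subject names Microsoft. What remains is what Autoruns would leave on screen.
$entries |
    Where-Object { -not ($_.Status -eq 'Valid' -and $_.Signer -match 'Microsoft') } |
    Sort-Object Status, Location |
    Format-Table Location, Name, Status, Signer, Path -AutoSize
```

As the post says, a third-party entry that is NotSigned is not automatically malicious (plenty of legitimate software ships unsigned), but the filtered list is the set you actually need to look up.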

3) Spybot S&D - A good spyware scanner. Make sure that it is up to date before you run it, and on Vista that it is run with administrator privileges (if you don't, it will get all the way to the end of the scan and *then* tell you that you needed to run it as an administrator). I haven't had much experience with it, but there is now a portable version of Spybot available from http://portableapps.com.

4) CCleaner - Removes temporary files and other (probably) unwanted data. I run this utility first to minimize the number of files that virus scanners have to look through. Download the portable version from Piriform's website: http://www.piriform.com/ccleaner/download/portable.

5) SFC - Not really an app, but a tool included with Windows (from XP onward) that you may not know about. Running 'sfc /scannow' from the command line will cause Windows to verify and replace core Windows files. The Vista version of this tool can be run 'offline' from a Vista DVD by running 'sfc /scannow /offbootdir=c:\ /offwindir=c:\windows' where 'c:\' and 'c:\windows' are your operating system's drive and directory. SFC is useful when you suspect that Windows files have been corrupted. In most cases, SFC will not run from safe mode.

6) SDFix - A script that removes viruses and repairs many Windows registry hacks. I would run this if I get a "... has been disabled by your administrator" message or if control panels or tabs are missing or disabled. This utility must be run from safe mode. Windows XP only.

7) ComboFix - A powerful all-purpose virus deleting script. This is very good at eliminating viruses that are tough to remove via conventional means. There was a widely distributed infected copy of it a few months back, so make sure you get it from a legitimate source. I run ComboFix mostly as a last resort to remove viruses as it is very powerful and there is a certain risk involved when running it. It is effective though. Windows XP only.

8) IceSword - An anti-rootkit tool. Icesword was designed to detect/remove rootkits, but I haven't had much success using it on them. Instead, I mainly use Icesword's file and registry editor features. Icesword has the ability to see and delete folders and files even if they are completely hidden from Windows. Icesword's 'Force Delete' can delete files/folders even if they are currently in use! The drawback is that IceSword only seems to run on about 3/4 of computers due to what I assume is a Windows incompatibility. There is a separate version of IceSword for Vista.

9) NoNav 2.49 - Gets rid of older NAV/SAV installs if normal uninstallers fail (this happens about 1/4 the time in my experience).

10) Rootkit Unhooker - Another anti-rootkit tool. I've had some success using this tool against rootkits. It has the ability to scan for and unhook code hooks.

11) Process Monitor - I haven't used this tool much, but it is useful if you need to see *everything* that is happening on a computer. It will monitor registry, process/thread, and file-system activity with many advanced options.

12) KillBox - A file deletion utility. I haven't used this utility recently, as IceSword is much better (if it works at all that is), but it has a good array of options for removing hard-to-remove files.

13) MalwareBytes - Another spyware scanner. I'm not entirely convinced of its usefulness, but it does have a very thorough anti-malware scan (I've seen it take 5 hours on a slow computer). Other IT people I've worked with seem to think it's great though. :) YMMV.

14) Recuva - Also available from Piriform in portable format, this tool will attempt to recover deleted files.

15) Clamwin Portable - A portable lightweight antivirus scanner.

16) Other PortableApps. I'm currently trying out a bunch more utilities from PortableApps.com, including:

CrystalDiskInfo Portable - disk health monitoring tool
CrystalDiskMark Portable - disk benchmark utility
HDHacker Portable (Freeware) - MBR and boot sector manager
Regshot Portable - registry and file comparison
WinMerge Portable - file comparison and merging
7-Zip Portable - Multilingual file archiver and compressor
Explorer++Portable - multi-tab file manager
Ant Renamer Portable - Advanced file renaming utility
IObit Uninstaller Portable (Freeware) - uninstaller and cleaner
Command Prompt Portable - Simple link to a customizable command prompt
WinMTR Portable - network diagnostic tool

All these utilities can be run directly from your flash drive. To protect your flash drive from viruses, I recommend getting a flash drive with a read-only switch. There's a good list of flash drives with this capability here.

These tools are all intended to be run in a live (possibly virus-compromised) Windows environment. I have another toolkit meant to be run in offline mode (without booting to Windows normally) that I will write about in a future post.

Let me know what you're using in your toolkits!

3 comments:

Anonymous said...

Many people want to know how to make a portable antivirus toolkit for their computer.

Anonymous said...

Nice posting. Thanks for sharing.

Anonymous said...

Nice Post about portable antivirus toolkit