Removing malware from an infected PC - battling antivirus programs

Quote:
"Malware can be so hard to remove that walking away from an infected
copy of Windows and, instead, restoring a known clean copy (such as the
factory fresh state) will often be the right approach. "

http://blogs.computerworld.com/battling_antivirus_programs?source=NLT_SEC

 

While it appears possible to "Clean" a machine of malware, how does one
know for sure that it's completely clean? It's always been my position
that if you want a "Clean" machine you must wipe and rebuild it in a
clean environment, that's the only way to be 100% certain it's clean.

With that said, I know many people that are not willing to wipe their
machines and don't want to put forth the effort and are willing to
accept the RISK that the machine is clean "enough" since they can't find
anything using various tools.

One thing that most of us have learned is that most cleaner programs
find different things and many common things, but no single program
finds everything all the time. This should be a clear indicator that
there is no way to be sure that a compromised system is cleaned by any
means short of wiping and reinstalling it.

 

Thanks for your response, Leythos.

You said "how does one know for sure that it's completely clean?". I
suspect you meant that to be a rhetorical question, but it *is* one that
bothers me.

Many visitors to the Microsoft groups are naive and inexperienced and
come here heavily laden with their troubles and woes. They are given
help and advice and carry out suggested actions without fear or
intrepidation. They are also directed to all manner of 'Help' forums
where they are then instructed to carry out 'cleaning action' which
often involves downloading and running unknown (to them) software.

How could any of these folk possibly know if malware had been *added* to
their computer, rather than it being removed?

Just a thought!

 

Many people don't know if malware has been added to their computer.

When my computer comes under the least amount of suspicion I no longer even
try. I just go back to an image that I feel 99.99% certain is clean, and
continue from there.

 

No - that was not a rhetorical question.

How do you (and you may be either a novice user or a computer professional)
know that the machine is clean? Unless you follow Leythos' procedure, you
don't--it is all a matter of percentages, and "feel" and experience.
Experience can betray us as soon as something which is outside our previous
experience appears.

That said, very few users are ready to reinstall clean, even with some
assurance of the ability to preserve data.

I don't know what Microsoft PSS says when helping folks clean there systems,
but there should always be some disclaimers in any cleaning operation, and
the more remote, the more so--although clean HijackThis logs (and who
defines those?) are a pretty good indicator.

Additionally, even if you can satisfactorily clean a system, you aren't
doing much more than assuring yourself of more work in the future if you
can't help the user become more secure in the process--how did they get
infected? What steps can they take to avoid it in the future.

There are limits to the level of dialog that we can achieve in a
newsgroup--the O.P. always has the option to decide when they've done/had
enough.



--

 

Please don't feed the trolls...especially /that/ troll, Bill. <eg>

 

What is so special about ~BD~, PA Bear?

Why the 'evil grin'?

 

Dear Dave,

As a neophyte, I can testify that is is a daunting process!

I appreciate the comments stated in this newsgroup that show understanding
for how baffling it seems at first!

Bye,
Will

 

Thanks for posting your thoughts, Will

Richard Urban has spoken wisely in this thread. Please pay heed to
anything that Shenan Stanley offers as advice.

Most folk with 'problems' are (IMO) totally blinkered and have thoughts
solely related to their own personal position. They are (IMO) highly
vulnerable. I have felt duty-bound to stay and monitor the activity of
others (the 'helpers') operating within just some of the Microsoft
newsgroups (there are thousands - literally).

When I first arrived 'here' over three years ago I had, mistakenly,
thought that Microsoft staff would be monitoring and checking to ensure
a 'safe' environment for us ........ but alas that is not so. This is
the real Wild West of the Internet and my guess is that there are a few
bad apples in the barrel here. Be wary, Will!

Dave

 

Hoople head.

: Thanks for posting your thoughts, Will
:
: Richard Urban has spoken wisely in this thread. Please pay heed to
: anything that Shenan Stanley offers as advice.
:
: Most folk with 'problems' are (IMO) totally blinkered and have thoughts
: solely related to their own personal position. They are (IMO) highly
: vulnerable. I have felt duty-bound to stay and monitor the activity of
: others (the 'helpers') operating within just some of the Microsoft
: newsgroups (there are thousands - literally).
:
: When I first arrived 'here' over three years ago I had, mistakenly,
: thought that Microsoft staff would be monitoring and checking to ensure
: a 'safe' environment for us ........ but alas that is not so. This is
: the real Wild West of the Internet and my guess is that there are a few
: bad apples in the barrel here. Be wary, Will!
:
: Dave
:
:
:
: : > Dear Dave,
: >
: > As a neophyte, I can testify that is is a daunting process!
: >
: > I appreciate the comments stated in this newsgroup that show
: > understanding for how baffling it seems at first!
: >
: > Bye,
: > Will
: >
: >
: > : >>
: >> : >>> In article <>,
: >>> says...
: >>>> Quote:
: >>>> "Malware can be so hard to remove that walking away from an
: >>>> infected
: >>>> copy of Windows and, instead, restoring a known clean copy (such as
: >>>> the
: >>>> factory fresh state) will often be the right approach. "
: >>>>
: >>>>
http://blogs.computerworld.com/battling_antivirus_programs?source=NLT_SEC
: >>>
: >>> While it appears possible to "Clean" a machine of malware, how does
: >>> one
: >>> know for sure that it's completely clean? It's always been my
: >>> position
: >>> that if you want a "Clean" machine you must wipe and rebuild it in a
: >>> clean environment, that's the only way to be 100% certain it's
: >>> clean.
: >>>
: >>> With that said, I know many people that are not willing to wipe
: >>> their
: >>> machines and don't want to put forth the effort and are willing to
: >>> accept the RISK that the machine is clean "enough" since they can't
: >>> find
: >>> anything using various tools.
: >>>
: >>> One thing that most of us have learned is that most cleaner programs
: >>> find different things and many common things, but no single program
: >>> finds everything all the time. This should be a clear indicator that
: >>> there is no way to be sure that a compromised system is cleaned by
: >>> any
: >>> means short of wiping and reinstalling it.
: >>>
: >>> --
: >>> - Igitur qui desiderat pacem, praeparet bellum.
: >>> - Calling an illegal alien an "undocumented worker" is like calling
: >>> a
: >>> drug dealer an "unlicensed pharmacist"
: >>> (remove 999 for proper email address)
: >>
: >>
: >> Thanks for your response, Leythos.
: >>
: >> You said "how does one know for sure that it's completely clean?". I
: >> suspect you meant that to be a rhetorical question, but it *is* one
: >> that bothers me.
: >>
: >> Many visitors to the Microsoft groups are naive and inexperienced and
: >> come here heavily laden with their troubles and woes. They are given
: >> help and advice and carry out suggested actions without fear or
: >> intrepidation. They are also directed to all manner of 'Help' forums
: >> where they are then instructed to carry out 'cleaning action' which
: >> often involves downloading and running unknown (to them) software.
: >>
: >> How could any of these folk possibly know if malware had been *added*
: >> to their computer, rather than it being removed?
: >>
: >> Just a thought!
: >> --
: >> Dave
: >>
: >
:
:

 

--

Many thanks for posting, Bill. I appreciate your comments.

I'm simply a 'user' but with more than three years now of experimenting
with all manner of 'cleaning' - both on this and a previous box (which I
trashed because I was *certain* that a gremlin remained within it, no
matter *what* I did! ..... and that included installing a completely new
hard drive). I agree that it is better to *destroy partitions*, format
and re-install windows whenever one has an inkling that malware may be
present ......... it's knowing that it *is* 'on board' which is the hard
part nowadays!

My difficulty with newsgroups - and some forums - is knowing who may be
trustworthy. Perhaps you'd like to ask Robear Dyer (aka PA Bear) why he
has said to you here in this thread " ........ especially /that/troll" -
what is 'special' about me? (~BD~, BoaterDave, Imbeady2 and Beady!)

I know that he has not liked me asking searching questions ........ and
he knows he has lied about me being banned by ISP's. That has NEVER
happened.

 

Not rhetorical at all, it was meant for discussion.

For years I've cleaned machines, used all of the tools, and for my
customers network, any my own, where we manage the firewall, av,
browsing, etc... none of the tools have ever detected malware, but for
unmanaged customers or customers that won't play by the security rules,
as well as customers home computers (since we don't do residential work
unless it's the owner(s) of a company we provide service for), well,
sadly I've seen a few of them compromised and the cost of "cleaning" is
much greater than the cost of securing them in the first place.

In almost all cases it's a stupid person doing something that they've
been warned against for more than a decade, but they ignored the
warnings for some reason that is beyond me. Almost always the compromise
is because of some unethical (in my opinion) action on the user (porn,
gambling, pirated downloads, etc...)....

We have a standard form we provide to anyone with a compromised machine,
it describes the two options - attempted cleaning of "KNOWN and
DETECTABLE MALWARE" and "Wiping and reinstalling". Our form clearly
lists that we assume no liability for the first and will NOT certify the
machine as "Clean" using the first method - for the second method we
will certify (with vendor media) that the machine is known clean and
free of malware at the time it was returned to the customer.

In almost all cases, the form is of enough concern to them that we are
permitted to wipe/reinstall, but it's a shame that it takes the simple
language to "Scare" them into doing the proper thing. It's not like they
didn't already know this, but it seem that most people treat their
computers like toasters instead of like Bank Records.

 

This is a simple one BD, trust NO ONE, PERIOD.

Don't trust me, nor anyone else in these groups, as we've seen before,
there are unethical people that impersonate others and most people have
no clue that it's happening (since they can't read headers).

The first rule of security - Block Everything. Second rule, trust
nothing until given a reason to trust it.

 

Thanks for spelling it out for others to see, Leythos.

When first I ventured onto a newsgroup I had never even heard of a
Header, let alone know how to read one!

Mr Foldes is clever though - he can read an IP address even if it is
encrypted within the Header info. I'm uncertain how he can do that.

 

I've been on Usenet since 84, that's a lot of changes and a lot of crap
to have watched over the years.

Always double check anything you read, email, web, Usenet, etc... Don't
believe that an email sent from someone that appears to be a friend or
someone you email every day is actually from them - if it looks
suspicious or you don't know, call the person or disregard it.

 

Thanks for posting again Leythos. I do like your expression of treating
their computers like toasters!

When you say "Wiping and reinstalling" do you mean deleting all
partitions and formatting or do you feel that it is satisfactory (say,
on a single hard disk that has two partitions C: and D to reinstall
Windows on the C: drive leaving data on D: intact? TIA

 

Wipe, as in the entire physical drive, everything, period, nada left.

 

That is straight-forward advice ....... but I wonder how many (even
'professionals') follow it!

Are you just as confident that ........ I'll call them 'gremlins'
.......... cannot remain within a computer if the hard drive is wiped as
you describe (or even replaced with a new one)?

What about gremlins hiding in, say, a RAM stick or somewhere on the
motherboard? There again, how could you possibly know the answer?!!

Dave

 

Since the RAM (internal system memory) is cleared when the computer is
powered down - that would be quite the trick.

If the 'gremlin' was in the BIOS - the only writable media I know about that
could act in the way you are implying internal to the machine with your
"somewhere on the motherboard" comment - you've been more than infested with
malware.

Now - if you mean 'on a USB Memory Stick/Thumb Drive, CD, DVD, SD card,
floppy diskette, zip disk, bluetooth connected device like a phone, etc -
you might have a point.

 

In line responses

I know that all memory on system RAM is *supposed* to die without
power - when you study the construction, though, it seems quite feasible
to me (a layman) that such an item *could* be configured to retain
'gremlins', so to speak!

(The Chinese are *velly* cleffer!)

In another group, Tim Jackson replied thus:-

It can, but it isn't a likely attack route. The method varies according
to the make and model of motherboard, and some boards have a jumper that
must be set to allow any writing the flash ROM at all, or have a
hard-coded alarm that warns you when writing is being enabled. So it is
an unreliable and expensive method for a hacker.

If you want to check, then look into your motherboard's flash update
utility (probably on the CD that came with it, or on the manufacturer's
website) and see if you can copy the existing flash contents. If so then
you can make a baseline copy, and periodically repeat the process to
make sure you continue to get the same data.

You can probably find a security utility somewhere that will mirror the
BIOS area of the memory map, which is pretty much the same thing in most
cases

**********************

As always, Shenan, thank you for posting your views. I appreciate it!