Removing malware from an infected PC - battling antivirus programs

Discussion in 'Virus Information' started by ~BD~, Jan 20, 2009.

  1. ~BD~ Guest

    Quote:
    "Malware can be so hard to remove that walking away from an infected
    copy of Windows and, instead, restoring a known clean copy (such as the
    factory fresh state) will often be the right approach. "

    http://blogs.computerworld.com/battling_antivirus_programs?source=NLT_SEC
     
    ~BD~, Jan 20, 2009
    #1

  2. Leythos Guest

    While it appears possible to "Clean" a machine of malware, how does one
    know for sure that it's completely clean? It's always been my position
    that if you want a "Clean" machine you must wipe and rebuild it in a
    clean environment, that's the only way to be 100% certain it's clean.

    With that said, I know many people that are not willing to wipe their
    machines and don't want to put forth the effort and are willing to
    accept the RISK that the machine is clean "enough" since they can't find
    anything using various tools.

    One thing that most of us have learned is that most cleaner programs
    find different things and many common things, but no single program
    finds everything all the time. This should be a clear indicator that
    there is no way to be sure that a compromised system is cleaned by any
    means short of wiping and reinstalling it.
     
    Leythos, Jan 20, 2009
    #2

  3. ~BD~ Guest

    Thanks for your response, Leythos.

    You said "how does one know for sure that it's completely clean?". I
    suspect you meant that to be a rhetorical question, but it *is* one that
    bothers me.

    Many visitors to the Microsoft groups are naive and inexperienced and
    come here heavily laden with their troubles and woes. They are given
    help and advice and carry out suggested actions without fear or
    trepidation. They are also directed to all manner of 'Help' forums
    where they are then instructed to carry out 'cleaning action' which
    often involves downloading and running unknown (to them) software.

    How could any of these folk possibly know if malware had been *added* to
    their computer, rather than it being removed?

    Just a thought!
     
    ~BD~, Jan 20, 2009
    #3
  4. Many people don't know if malware has been added to their computer.

    When my computer comes under the least amount of suspicion I no longer even
    try. I just go back to an image that I feel 99.99% certain is clean, and
    continue from there.
     
    Richard Urban, Jan 21, 2009
    #4
  5. No - that was not a rhetorical question.

    How do you (and you may be either a novice user or a computer professional)
    know that the machine is clean? Unless you follow Leythos' procedure, you
    don't--it is all a matter of percentages, and "feel" and experience.
    Experience can betray us as soon as something which is outside our previous
    experience appears.

    That said, very few users are ready to reinstall clean, even with some
    assurance of the ability to preserve data.

    I don't know what Microsoft PSS says when helping folks clean their systems,
    but there should always be some disclaimers in any cleaning operation, and
    the more remote, the more so--although clean HijackThis logs (and who
    defines those?) are a pretty good indicator.

    Additionally, even if you can satisfactorily clean a system, you aren't
    doing much more than assuring yourself of more work in the future if you
    can't help the user become more secure in the process--how did they get
    infected? What steps can they take to avoid it in the future.

    There are limits to the level of dialog that we can achieve in a
    newsgroup--the O.P. always has the option to decide when they've done/had
    enough.



     
    Bill Sanderson, Jan 21, 2009
    #5
  6. Please don't feed the trolls...especially /that/ troll, Bill. <eg>
     
    PA Bear [MS MVP], Jan 21, 2009
    #6
  7. John D Guest

    What is so special about ~BD~, PA Bear?

    Why the 'evil grin'?
     
    John D, Jan 21, 2009
    #7
  8. doneganw Guest

    Dear Dave,

    As a neophyte, I can testify that it is a daunting process!

    I appreciate the comments stated in this newsgroup that show understanding
    for how baffling it seems at first!

    Bye,
    Will
     
    doneganw, Jan 21, 2009
    #8
  9. ~BD~ Guest

    Thanks for posting your thoughts, Will :)

    Richard Urban has spoken wisely in this thread. Please pay heed to
    anything that Shenan Stanley offers as advice.

    Most folk with 'problems' are (IMO) totally blinkered and have thoughts
    solely related to their own personal position. They are (IMO) highly
    vulnerable. I have felt duty-bound to stay and monitor the activity of
    others (the 'helpers') operating within just some of the Microsoft
    newsgroups (there are thousands - literally).

    When I first arrived 'here' over three years ago I had, mistakenly,
    thought that Microsoft staff would be monitoring and checking to ensure
    a 'safe' environment for us ........ but alas that is not so. This is
    the real Wild West of the Internet and my guess is that there are a few
    bad apples in the barrel here. Be wary, Will!

    Dave



     
    ~BD~, Jan 21, 2009
    #9
  10. Hoople head.

     
    Tom [Pepper] Willett, Jan 21, 2009
    #10
  11. ~BD~ Guest

    Many thanks for posting, Bill. I appreciate your comments.

    I'm simply a 'user' but with more than three years now of experimenting
    with all manner of 'cleaning' - both on this and a previous box (which I
    trashed because I was *certain* that a gremlin remained within it, no
    matter *what* I did! ..... and that included installing a completely new
    hard drive). I agree that it is better to *destroy partitions*, format
    and re-install windows whenever one has an inkling that malware may be
    present ......... it's knowing that it *is* 'on board' which is the hard
    part nowadays!

    My difficulty with newsgroups - and some forums - is knowing who may be
    trustworthy. Perhaps you'd like to ask Robear Dyer (aka PA Bear) why he
    has said to you here in this thread " ........ especially /that/troll" -
    what is 'special' about me? (~BD~, BoaterDave, Imbeady2 and Beady!)

    I know that he has not liked me asking searching questions ........ and
    he knows he has lied about me being banned by ISP's. That has NEVER
    happened.
     
    ~BD~, Jan 21, 2009
    #11
  12. Leythos Guest

    Not rhetorical at all, it was meant for discussion.

    For years I've cleaned machines, used all of the tools, and for my
    customers' network, and my own, where we manage the firewall, av,
    browsing, etc... none of the tools have ever detected malware, but for
    unmanaged customers or customers that won't play by the security rules,
    as well as customers home computers (since we don't do residential work
    unless it's the owner(s) of a company we provide service for), well,
    sadly I've seen a few of them compromised and the cost of "cleaning" is
    much greater than the cost of securing them in the first place.

    In almost all cases it's a stupid person doing something that they've
    been warned against for more than a decade, but they ignored the
    warnings for some reason that is beyond me. Almost always the compromise
    is because of some unethical (in my opinion) action on the user (porn,
    gambling, pirated downloads, etc...)....

    We have a standard form we provide to anyone with a compromised machine,
    it describes the two options - attempted cleaning of "KNOWN and
    DETECTABLE MALWARE" and "Wiping and reinstalling". Our form clearly
    lists that we assume no liability for the first and will NOT certify the
    machine as "Clean" using the first method - for the second method we
    will certify (with vendor media) that the machine is known clean and
    free of malware at the time it was returned to the customer.

    In almost all cases, the form is of enough concern to them that we are
    permitted to wipe/reinstall, but it's a shame that it takes the simple
    language to "Scare" them into doing the proper thing. It's not like they
    didn't already know this, but it seems that most people treat their
    computers like toasters instead of like Bank Records.
     
    Leythos, Jan 22, 2009
    #12
  13. Leythos Guest

    This is a simple one BD, trust NO ONE, PERIOD.

    Don't trust me, nor anyone else in these groups, as we've seen before,
    there are unethical people that impersonate others and most people have
    no clue that it's happening (since they can't read headers).

    The first rule of security - Block Everything. Second rule, trust
    nothing until given a reason to trust it.
     
    Leythos, Jan 22, 2009
    #13
  14. ~BD~ Guest

    Thanks for spelling it out for others to see, Leythos.

    When first I ventured onto a newsgroup I had never even heard of a
    Header, let alone know how to read one!

    Mr Foldes is clever though - he can read an IP address even if it is
    encrypted within the Header info. I'm uncertain how he can do that. ;)
     
    ~BD~, Jan 22, 2009
    #14
  15. Leythos Guest

    I've been on Usenet since 84, that's a lot of changes and a lot of crap
    to have watched over the years.

    Always double check anything you read, email, web, Usenet, etc... Don't
    believe that an email sent from someone that appears to be a friend or
    someone you email every day is actually from them - if it looks
    suspicious or you don't know, call the person or disregard it.
     
    Leythos, Jan 22, 2009
    #15
  16. ~BD~ Guest

    Thanks for posting again Leythos. I do like your expression of treating
    their computers like toasters! :)

    When you say "Wiping and reinstalling" do you mean deleting all
    partitions and formatting or do you feel that it is satisfactory (say,
    on a single hard disk that has two partitions C: and D:) to reinstall
    Windows on the C: drive leaving data on D: intact? TIA
     
    ~BD~, Jan 22, 2009
    #16
  17. Leythos Guest

    Wipe, as in the entire physical drive, everything, period, nada left.
     
    Leythos, Jan 22, 2009
    #17
  18. John D Guest

    That is straight-forward advice ....... but I wonder how many (even
    'professionals') follow it!

    Are you just as confident that ........ I'll call them 'gremlins'
    .......... cannot remain within a computer if the hard drive is wiped as
    you describe (or even replaced with a new one)?

    What about gremlins hiding in, say, a RAM stick or somewhere on the
    motherboard? There again, how could you possibly know the answer?!! ;)

    Dave
     
    John D, Jan 22, 2009
    #18
  19. Since the RAM (internal system memory) is cleared when the computer is
    powered down - that would be quite the trick.

    If the 'gremlin' was in the BIOS - the only writable media I know about that
    could act in the way you are implying internal to the machine with your
    "somewhere on the motherboard" comment - you've been more than infested with
    malware.

    Now - if you mean 'on a USB Memory Stick/Thumb Drive, CD, DVD, SD card,
    floppy diskette, zip disk, bluetooth connected device like a phone, etc -
    you might have a point.
     
    Shenan Stanley, Jan 23, 2009
    #19
  20. ~BD~ Guest

    In line responses


    I know that all memory on system RAM is *supposed* to die without
    power - when you study the construction, though, it seems quite feasible
    to me (a layman) that such an item *could* be configured to retain
    'gremlins', so to speak!

    (The Chinese are *velly* cleffer!)


    In another group, Tim Jackson replied thus:-
    It can, but it isn't a likely attack route. The method varies according
    to the make and model of motherboard, and some boards have a jumper that
    must be set to allow any writing to the flash ROM at all, or have a
    hard-coded alarm that warns you when writing is being enabled. So it is
    an unreliable and expensive method for a hacker.

    If you want to check, then look into your motherboard's flash update
    utility (probably on the CD that came with it, or on the manufacturer's
    website) and see if you can copy the existing flash contents. If so then
    you can make a baseline copy, and periodically repeat the process to
    make sure you continue to get the same data.

    You can probably find a security utility somewhere that will mirror the
    BIOS area of the memory map, which is pretty much the same thing in most
    cases.

    **********************

    As always, Shenan, thank you for posting your views. I appreciate it!
     
    ~BD~, Jan 23, 2009
    #20
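Tim Jackson's baseline check from the post above, worked through as an added example that is not from the thread or from any of its posters: keep the first flash dump as the baseline and, on each later dump, report which regions changed and how large they are. The dump tool (vendor utility or flashrom) and both images are assumptions, constructed inline.

```python
# Added example (not from the thread): compare a fresh firmware dump with
# the saved baseline. Assumes the vendor flash utility or a tool such as
# flashrom wrote the chip contents to a file; the images here are constructed.
import hashlib

BLOCK = 4096  # granularity at which differing regions are reported


def sha256_hex(data: bytes) -> str:
    """Fingerprint to record next to the baseline dump."""
    return hashlib.sha256(data).hexdigest()


def changed_regions(baseline: bytes, current: bytes, block: int = BLOCK):
    """Return (offset, length) for each maximal run of blocks that differ.

    A length mismatch shows up as a region covering the tail of the longer
    image: a re-dump of the same chip should never change size.
    """
    regions, start = [], None
    longest = max(len(baseline), len(current))
    for off in range(0, longest, block):
        same = baseline[off:off + block] == current[off:off + block]
        if not same and start is None:
            start = off
        elif same and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, longest - start))
    return regions


def verify(baseline: bytes, current: bytes) -> dict:
    """Summarise one periodic check the way a log entry would."""
    regions = changed_regions(baseline, current)
    return {"baseline_sha256": sha256_hex(baseline),
            "current_sha256": sha256_hex(current),
            "unchanged": not regions, "changed_regions": regions}


# Constructed sample: a 64 KiB baseline and a copy with 16 bytes altered.
BASELINE = bytes(range(256)) * 256
TAMPERED = bytearray(BASELINE)
TAMPERED[0x3000:0x3010] = b"\xff" * 16  # constructed change inside block 3
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print(verify(BASELINE, TAMPERED))
```

Some regions hold settings the firmware itself rewrites (NVRAM, boot counters), so a flagged region is a prompt to inspect rather than proof of tampering, and a vendor BIOS update legitimately produces a new baseline.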
