Can you really 100% clean a compromised machine 100% of the time without wiping it?


Mike Hall (MS-MVP)

David

I think that it was you with the suggestion that a Google search on pcbutts1
would be interesting.. hmmmmm.. he has no friends.. and is he still trying
to coerce people into downloading anti-spyware from his own site?.. is it to
make it look like they are his creation, or to deal a few java/byteverify
exploits to test the downloaded progs?
 

Richard Urban

Leythos started this thread at 12:19 PM.

You jumped in at 3:31 PM

The fact that you call HIM a stalker, when you intrude on his thread, shows
you for the fool that you really are!

Richard Urban


Aquafina said:
Stalker, a jealous stalker at that, that to resort to lies to try to
prevent the user from getting his system fixed. Can you fix it Leythos?
 

Kerry Brown

David H. Lipman said:
From: "Kerry Brown" <[email protected]*a*m>


| Had to laugh at Quickbooks. It is a pain, QB Pro is even worse. :)
|
| I usually don't bother to set up limited accounts for home users. I find far
| too many programs, mostly games, that won't run. Inevitably the next time I
| see the computer they are using an administrator account. For business use
| it's a different story.
|
| I find the biggest culprit for re-infection is instant messaging and
| teenagers. They refuse to believe that someone they have met on the Internet
| would purposely try to infect them. They also believe that no one would ever
| create a malicious add-on for MSN Messenger. The next biggest culprit is P2P
| file sharing. It sometimes takes four or five trips to my shop before they
| believe me that Kazaa is not safe.
|
| Kerry
|

While I agree with you on P2P and IM, I think you left out another
important infection vector, the Browser.

There are *so many* malicious web sites out there that install
adware/spyware and Downloader Trojans. Many use HTML and Java based
Exploitation code and take advantage of users who don't keep up with MS
Critical Updates. Even with all Critical Updates installed Social
Engineering is being used very well to get unwary, unsavvy, computer users
to install the malware. It is hard to teach Safe Hex to a newbie computer
user who is in awe of the Internet. They click on anything and everything
with no thoughts of consequences. I won't even blame IE.

Below is a McAfee log excerpt using Opera.

C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen
D:\temp\jar_cache8079.tmp Exploit-ByteVerify
D:\temp\jar_cache8080.tmp\JAR_CACHE8080.TMP JV/Shinwow
C:\Program Files\Opera\profile\cache4\opr000G0.jar\OPR000G0.JAR JV/Shinwow
C:\Program Files\Opera\profile\cache4\opr000G1.jar Exploit-ByteVerify

Below is a McAfee log excerpt using Firefox.

D:\temp\JavaCache\javapi\v1.0\jar\loaderadv669.jar-25c202f2-29886f34.zip\LOADERADV669.JAR-25C202F2-29886F34.ZIP JV/Shinwow
D:\temp\JavaCache\javapi\v1.0\jar\java.jar-28679adb-596f9d19.zip\JAVA.JAR-28679ADB-596F9D19.ZIP Exploit-ByteVerify
D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile
D:\temp\JavaCache\javapi\v1.0\jar\loaderadv669.jar-26f1a09b-464225cc.zip\LOADERADV669.JAR-26F1A09B-464225CC.ZIP JV/Shinwow
D:\temp\JavaCache\javapi\v1.0\jar\java.jar-29973884-1c19679d.zip\JAVA.JAR-29973884-1C19679D.ZIP Exploit-ByteVerify

I got, "The page cannot be displayed" in IE6 SP1 when going to this
malicious site.

I have a few sites like that I use for testing as well. I check them out
periodically with a test machine I don't mind formatting if need be.
Relevant to the current discussion elsewhere in the thread I got a new
version of surf sidekick from one of the test sites a few weeks ago. It was
very hard to remove. It attached itself to the logon process and was active
in safe mode. I had to boot to BartPe to edit the registry and delete a
couple of randomly named well hidden files to remove it. Current updates of
Ewido and Webroot Spysweeper will remove it.

Kerry
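The McAfee excerpts quoted above make Lipman's point (Opera and Firefox users still pick up browser-delivered exploit files) only if you read the paths. The following is an added example, not code from the post or from anyone in the thread: it parses such scan log lines, splitting on the last whitespace because paths contain spaces and nested archive members, and groups detections by where they sat on disk. The sample log is the ten lines quoted above; the vector labels and helper names are my own.

```python
import re
from collections import Counter

# Vector labels keyed on where the detected file was sitting on disk.
OPERA_CACHE = "Opera page cache"
IE_CACHE = "Temporary Internet Files (IE/WinInet cache)"
JAVA_CACHE = "Java plug-in applet cache"
JAVA_TMP = "Java plug-in temporary jar"
OTHER = "outside any browser/plug-in cache"

# First matching rule wins; patterns are tested case-insensitively against the full path.
VECTOR_RULES = [
    (re.compile(r"\\Opera\\profile\\cache", re.I), OPERA_CACHE),
    (re.compile(r"\\Temporary Internet Files\\", re.I), IE_CACHE),
    (re.compile(r"\\JavaCache\\", re.I), JAVA_CACHE),
    (re.compile(r"\\jar_cache\d+\.tmp", re.I), JAVA_TMP),
]

# Sample input: the ten detections quoted in the post above, one per line
# (the entries the news client had wrapped are joined back together here).
SAMPLE_LOG = r"""
C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen
D:\temp\jar_cache8079.tmp Exploit-ByteVerify
D:\temp\jar_cache8080.tmp\JAR_CACHE8080.TMP JV/Shinwow
C:\Program Files\Opera\profile\cache4\opr000G0.jar\OPR000G0.JAR JV/Shinwow
C:\Program Files\Opera\profile\cache4\opr000G1.jar Exploit-ByteVerify
D:\temp\JavaCache\javapi\v1.0\jar\loaderadv669.jar-25c202f2-29886f34.zip\LOADERADV669.JAR-25C202F2-29886F34.ZIP JV/Shinwow
D:\temp\JavaCache\javapi\v1.0\jar\java.jar-28679adb-596f9d19.zip\JAVA.JAR-28679ADB-596F9D19.ZIP Exploit-ByteVerify
D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile
D:\temp\JavaCache\javapi\v1.0\jar\loaderadv669.jar-26f1a09b-464225cc.zip\LOADERADV669.JAR-26F1A09B-464225CC.ZIP JV/Shinwow
D:\temp\JavaCache\javapi\v1.0\jar\java.jar-29973884-1c19679d.zip\JAVA.JAR-29973884-1C19679D.ZIP Exploit-ByteVerify
"""


def parse_line(line):
    r"""Split one scan log line into (path, detection_name).

    Paths may contain spaces ("C:\Program Files\...") and nested archive
    members ("...\opr000G0.jar\OPR000G0.JAR"); a detection name never
    contains whitespace, so split on the LAST run of whitespace only.
    Returns None for blank lines and for lines that carry no drive path.
    """
    line = line.strip()
    if not line:
        return None
    parts = line.rsplit(None, 1)
    if len(parts) != 2 or ":\\" not in parts[0]:
        return None
    return parts[0], parts[1]


def classify_vector(path):
    """Name the infection vector implied by the file's location on disk."""
    for pattern, label in VECTOR_RULES:
        if pattern.search(path):
            return label
    return OTHER


def triage(log_text):
    """Parse a whole log excerpt into a list of {path, detection, vector} dicts."""
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        path, detection = parsed
        hits.append({"path": path, "detection": detection, "vector": classify_vector(path)})
    return hits


def vector_summary(hits):
    """How many detections arrived through each vector."""
    return Counter(h["vector"] for h in hits)


def detection_summary(hits):
    """How many times each detection name appeared."""
    return Counter(h["detection"] for h in hits)


def outside_cache(hits):
    """Detections that are NOT in a browser or plug-in cache.

    A cached exploit file only proves the browser fetched it. A copy in
    System32, a Startup folder or similar is the stronger sign the payload
    actually ran, and is what should tip the decision toward a rebuild.
    """
    return [h for h in hits if h["vector"] == OTHER]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    print(f"{len(hits)} detections")
    for vector, n in vector_summary(hits).most_common():
        print(f"  {n:2d}  via {vector}")
    for name, n in detection_summary(hits).most_common():
        print(f"  {n:2d}  {name}")
    print(f"{len(outside_cache(hits))} detection(s) outside any cache")
```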
 

Leythos

Stalker, a jealous stalker at that, that to resort to lies to try to prevent
the user from getting his system fixed. Can you fix it Leythos?

And even with all the lame things you do, we can add your inability to
stay on-subject in a thread to the list now.
 

David H. Lipman

From: "Mike Hall (MS-MVP)" <[email protected]>

| David
|
| I think that it was you with the suggestion that a Google search on pcbutts1
| would be interesting.. hmmmmm.. he has no friends.. and is he still trying
| to coerce people into downloading anti-spyware from his own site?.. is it to
| make it look like they are his creation, or to deal a few java/byteverify
| exploits to test the downloaded progs?
|

Leythos suggested a Google search.

PCBUTTS1 web site has been password protected since he posted a SmitFraud Removal tool and
the code was edited by him to obfuscate the true creator, noahdfear. He replaced most, but
not all, strings of 'noahdfear' with 'PCBUTTS1' to make it look like he was the author of a
batch script. However, he failed to replace all strings and the true author left code to
update a log file as...

echo smitRem log file>>%systemdrive%\smitfiles.txt
echo version 2.2>>%systemdrive%\smitfiles.txt
echo.>>%systemdrive%\smitfiles.txt
echo by noahdfear>>%systemdrive%\smitfiles.txt
echo.>>%systemdrive%\smitfiles.txt

He was confronted with the plagiarism of the code and PCBUTTS1 went right back and edited
the file and replaced the remaining strings of 'noahdfear' with 'PCBUTTS1'. He then password
protected his web site to prevent further scrutiny.

He's done that sh!t before with VBS code he stole from Kelly's Corner.

http://groups.google.com/group/24ho...utts1+kelly+vbs&rnum=1&hl=en#5b72be9f92c39aa8

He has also stolen code from Mike Burgess. He denounces the good work of MS MVP's but then
turns around and steals their hard earned work !

He once posted information to create a Registry file. He did not realize that a few lines
were very long and wrapped when posted via a News Client. I challenged him to look at a
set of instructions he posted to create a .REG file and told him he left out critical
information for the resultant .REG file to work. I gave him a good week to discern the
problem. He couldn't and I followed up and posted that the resultant .REG file needed
certain lines to be unwrapped for the .REG file to work properly. He insisted there was
nothing wrong. Since I know the Registry and how to create and edit .REG files I knew
otherwise and this discourse proved that he had zero skills in working with the Registry and
proved as well that he has no programming skills. Thus, he has to steal code from others to
make himself look like a hero if he does help someone eradicate an infection. The problem
is he doesn't give credit to the real author and he replaces the text in the code stating
the true author with his own name. Such as...

echo.
echo ╔════════════════════════════════════╗
echo ║ ║
echo ║ Trojan-Spy.HTML.smitfraud.c Killer ║
echo ║ ║
echo ║ by noahdfear ║
echo ║ ║
echo ║ version 2.7 ║
echo ║ ║
echo ╚════════════════════════════════════╝


with...

echo.
echo ╔════════════════════════════════════╗
echo ║ ║
echo ║ Trojan-Spy.HTML.smitfraud.c Killer ║
echo ║ ║
echo ║ by pcbutts1 ║
echo ║ ║
echo ║ version 2.2 ║
echo ║ ║
echo ╚════════════════════════════════════╝
echo.


The reason PCBUTTS1 has "version 2.2" in his file was that was the time of his stealing the
code and remained that way when I downloaded the files from his web site ~9:45AM (ET)
Sunday, Oct. 23.

Pond scum is too kind to describe PCBUTTS1 !
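The .REG wrapping problem Lipman describes above (a news client folding long lines so the file no longer imports as intended) is easy to check for before anyone double-clicks the file. The following is an added example, not code from the post or from anyone in the thread: a checker that flags lines regedit's .REG grammar does not accept, while honouring regedit's own backslash continuation for hex data so legitimate multi-line values are not reported. The sample .REG text and the function names are constructed for this example.

```python
import re

# Line shapes accepted in a version-5 .REG file (REGEDIT4 is the older header).
HEADER_RE = re.compile(r"^(Windows Registry Editor Version 5\.00|REGEDIT4)$")
KEY_RE = re.compile(r"^\[-?HKEY_[^\]]+\]$")
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=')      # "name"= or @= (default value)
QUOTED_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')          # a complete, closed string value
# Hex data continued from a line that ended in a backslash: "  03,04,05" or "  03,04,\"
HEX_CONT_RE = re.compile(r"^\s*[0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*,?\\?$")

# Constructed sample: one string value folded by a news client (lines 5 and 6),
# plus a legitimately continued hex value (line 7 and 8) that must NOT be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ConstructedExample\Wrapped]
"Short"="fits on one line"
"Long"="this string value was wider than the news client's line limit, so the client
folded it onto a second line when the post went out"
"Bin"=hex:00,01,02,\
  03,04,05
"Flag"=dword:00000001
'''


def check_reg(text):
    """Return [(line_no, problem)] for lines regedit would not accept.

    Tracks regedit's backslash continuation for hex data so that legitimate
    multi-line values pass; anything else that is neither header, key, value,
    comment nor blank is a fragment, almost always the tail of a folded line.
    """
    problems = []
    expect_hex = False
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if expect_hex:
            if HEX_CONT_RE.match(line.rstrip()):
                expect_hex = stripped.endswith("\\")
                continue
            problems.append((no, "hex continuation expected after trailing backslash"))
            expect_hex = False
        if not stripped or stripped.startswith(";") or HEADER_RE.match(stripped):
            continue
        if stripped.startswith("["):
            if not KEY_RE.match(stripped):
                problems.append((no, "key line has no closing ']' (folded?)"))
            continue
        m = VALUE_RE.match(stripped)
        if m:
            rest = stripped[m.end():]
            if rest.startswith('"') and not QUOTED_RE.match(rest):
                problems.append((no, "string value never closed (folded?)"))
            expect_hex = rest.endswith("\\")
            continue
        problems.append((no, "fragment: not a key, value or continuation (folded?)"))
    return problems


def is_importable(text):
    """True when no line of the .REG text is flagged."""
    return not check_reg(text)


if __name__ == "__main__":
    for no, problem in check_reg(SAMPLE_REG):
        print(f"line {no}: {problem}")
```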
 

Leythos

I think that it was you with the suggestion that a Google search on pcbutts1
would be interesting.. hmmmmm.. he has no friends.. and is he still trying
to coerce people into downloading anti-spyware from his own site?.. is it to
make it look like they are his creation, or to deal a few java/byteverify
exploits to test the downloaded progs?

There are several reasons as best any of us can tell; he's said a couple
of these at one time or another:

1) He claims he has full permission to host the vendors' files, even after
they have publicly asked him to not host them and in fact have said
they never gave permission to host them.

2) He only provides a link to the EXE, not to a PAGE with the vendors
info or anything that would be considered the norm. He does not
post/provide a link to the vendors site or file download areas.

3) He's unable to provide a MD5 checksum with the files to prove that
they are the same as he downloads from the vendors sites.

4) He gets paid for volume of traffic on his sites where advertisers pay
him - I suspect that he uses the file leaching method to increase his
monthly volume to bilk advertisers out of more money.

5) He's been caught, twice, with other people's code on his site (before
he passworded it) where he edited their names/comments so that the files
would include PCBUTTS1 in the author/contributor shown when started -
but he failed to edit all the authors' names out of the files, so it was
easy to see that they actually were written by another person.

6) He claims that he has permission to host, even though he doesn't
follow any vendors' MIRROR rules, but will not post any proof at all.

7) He makes usenet posts under various identities and pretends that he's
not pcbutts1

8) He has moved to password authentication for his downloads since we
were able to pull his hacked files off his site and post the contents
showing he stole them in the groups.

9) He's never denied that he stole the files in question.

10) He replies in a thread after my posts, without him being in the
thread first, calling me a Stalker, but with all of his changes to hide
I can't really be stalking him.

11) He appears to live on other people's works, not having a technical
skill that any of us have been able to detect.
 

Guest

Dave,

Thanks for the info and thanks for setting me straight. I sit/stand/type
corrected, and appreciate the time you've taken to provide me (us) with this
info.

No more virii for me. :)

- S
 

Plato

MidwestTech said:
Cleaning up systems has become 75% of my business. Mostly due to
Adware/Spyware/Hijackers. I charge by the hour and if my efforts are

And I thought 50% of my business was a lot.
 

Leythos

And I thought 50% of my business was a lot.

With our network setups, the only time we have to remove malware any
more is new clients, and that's just until we secure their network and
enact security standards.
 

Leythos

Most of us that worked on computers for a living have run across many
compromised computers with many different types of malware.

As people post with compromised machines we direct them to all of the
tools that we know about in an effort to help them regain use of their
machines in a malware free mode, or at least enough access to backup
their documents and files to restore later.

What is really at question is the ability of the current tools we have
to clean 100% of the malware 100% of the time in the current and future
environment for a given machine at a given instant.
[snip]

So after reading all of the replies in this thread, ignoring a response
from one lunatic, it appears that we're all on the same page when it
comes to ensuring a clean machine - a Wipe/Reinstall is the only proper
method to ensure a clean machine 100% of the time.

So this begs the next question:

As responsible (I hope) technical types, with security and data
integrity in mind at all times, other than getting a clients/home users
machine to a point that we/they can salvage files, why do we give them
the impression that their machines are clean when we ourselves know that
they might not be clean?

If you take the typical poster here, some unknown person asking for help
with a compromised machine. We get a "little" information, pull more
info out of them, but we have no idea as to the extent of the compromise
of their computers. We take a "best guess" approach to get them back to
a usable state, but, is "usable" what we should really be doing? If it
was your relative (one that you liked a lot) with the compromised
machine, wouldn't you just flatten their system after salvaging their
documents and then rebuild it from scratch?

99% of the time we have no idea what the poster's computer is used for,
what personal data they might have on it, what financial data might be
on it, what business data might be on it.... I know it's a hassle for
the client/home user to flatten/rebuild their computer, but, considering
all of the unknowns, the security of their data, shouldn't we be
encouraging the flattening of their systems as the proper method to
clean an unknown system?

This has nothing to do with skills of the tech, it has to do with the
value of the data on the compromised machine, that in Usenet we don't
really know what the posters actual situation is, how many other things
have compromised their machine that they don't know about, and we don't
know about the undetected malware on their machines.

Let me give an example: Granny buys a computer, her 40 year old son
specs it out and sets it up (a brand XYZ computer). He does all the
stuff that the vendor required, then connects her to a Cable Modem.
Granny goes out to POGO.COM and plays some games, visits some websites,
starts noticing pop-ups, goes to one site that says it can clean her
system.... Now she gets an email from a friend that asks her to run this
program to clean a virus they may have sent her.... lots of normal stuff
over the next days. Granny loads AOL IM on her computer to keep in touch
with her grandkids and some of them send her links in IM chats - she
follows the links thinking her GK would only send her good links...

Granny posts that she's seeing funny things and follows the directions
of all that post in reply to her problem, system, after several
interactions appears to be clean.

What Granny didn't tell us is that she processes the accounting for 4
companies using QuickBooks and lots of Excel spreadsheets, has SSN,
account numbers, etc... in those sheets and in a QB setup for each
company. She also manages her retirement stocks online now that she can
get to them.....

Weeks later she's back posting that the problems are back, that
something got into her computer and used the account information and
drained her funds..... Oh, and she had to switch ISP's because the first
one disabled her service because her machine was spamming the Net due to
a virus on her machine...

With the above in mind, she should have been told to get a NAT Router
(at least), quality Commercial AV protection, setup and run as a Limited
User, use an alternative browser - you know, all the things we tell our
own Granny to do.... We should have also told her to get out the restore
disks and reinstall, even if it means calling her lame son or a
technician, since there are always things we're not going to know about
some anonymous posters situation.
 

deebs

Maybe we know that but rather than pay for a technical expert to do it
we prefer the experience and learning and challenge in having a go?

If all fails then it's a journey to the computer repairshop?

BTW - I'd rather visit this website for advice than some computer shops
if you know what I mean :)
Most of us that worked on computers for a living have run across many
compromised computers with many different types of malware.

As people post with compromised machines we direct them to all of the
tools that we know about in an effort to help them regain use of their
machines in a malware free mode, or at least enough access to backup
their documents and files to restore later.

What is really at question is the ability of the current tools we have
to clean 100% of the malware 100% of the time in the current and future
environment for a given machine at a given instant.

[snip]

So after reading all of the replies in this thread, ignoring a response
from one lunatic, it appears that we're all on the same page when it
comes to ensuring a clean machine - a Wipe/Reinstall is the only proper
method to ensure a clean machine 100% of the time.

So this begs the next question:

As responsible (I hope) technical types, with security and data
integrity in mind at all times, other than getting a clients/home users
machine to a point that we/they can salvage files, why do we give them
the impression that their machines are clean when we ourselves know that
they might not be clean?

If you take the typical poster here, some unknown person asking for help
with a compromised machine. We get a "little" information, pull more
info out of them, but we have no idea as to the extent of the compromise
of their computers. We take a "best guess" approach to get them back to
a usable state, but, is "usable" what we should really be doing? If it
was your relative (one that you liked a lot) with the compromised
machine, wouldn't you just flatten their system after salvaging their
documents and then rebuild it from scratch?

99% of the time we have no idea what the poster's computer is used for,
what personal data they might have on it, what financial data might be
on it, what business data might be on it.... I know it's a hassle for
the client/home user to flatten/rebuild their computer, but, considering
all of the unknowns, the security of their data, shouldn't we be
encouraging the flattening of their systems as the proper method to
clean an unknown system?

This has nothing to do with skills of the tech, it has to do with the
value of the data on the compromised machine, that in Usenet we don't
really know what the posters actual situation is, how many other things
have compromised their machine that they don't know about, and we don't
know about the undetected malware on their machines.

Let me give an example: Granny buys a computer, her 40 year old son
specs it out and sets it up (a brand XYZ computer). He does all the
stuff that the vendor required, then connects her to a Cable Modem.
Granny goes out to POGO.COM and plays some games, visits some websites,
starts noticing pop-ups, goes to one site that says it can clean her
system.... Now she gets an email from a friend that asks her to run this
program to clean a virus they may have sent her.... lots of normal stuff
over the next days. Granny loads AOL IM on her computer to keep in touch
with her grandkids and some of them send her links in IM chats - she
follows the links thinking her GK would only send her good links...

Granny posts that she's seeing funny things and follows the directions
of all that post in reply to her problem, system, after several
interactions appears to be clean.

What Granny didn't tell us is that she processes the accounting for 4
companies using QuickBooks and lots of Excel spreadsheets, has SSN,
account numbers, etc... in those sheets and in a QB setup for each
company. She also manages her retirement stocks online now that she can
get to them.....

Weeks later she's back posting that the problems are back, that
something got into her computer and used the account information and
drained her funds..... Oh, and she had to switch ISP's because the first
one disabled her service because her machine was spamming the Net due to
a virus on her machine...

With the above in mind, she should have been told to get a NAT Router
(at least), quality Commercial AV protection, setup and run as a Limited
User, use an alternative browser - you know, all the things we tell our
own Granny to do.... We should have also told her to get out the restore
disks and reinstall, even if it means calling her lame son or a
technician, since there are always things we're not going to know about
some anonymous posters situation.
 

Leythos

Maybe we know that but rather than pay for a technical expert to do it
we prefer the experience and learning and challenge in having a go?

I don't dispute that it can be fun/learning to remove malware, I love to
find something unknown and remove it manually, but, there are many
people that post to these groups that don't have those skills.
If all fails then it's a journey to the computer repairshop?

Or posting back here for the reinstall instructions - or downloading
them from the vendors website.
BTW - I'd rather visit this website for advice than some computer shops
if you know what I mean :)

Yep, I've not been in a single shop in the last 8 years where I felt the
tech's were more than script monkeys.
 

Galen

In Leythos <[email protected]> had this to say:

My reply is at the bottom of your sent message:
99% of the time we have no idea what the posters computer is used for,
what personal data they might have on it, what financial data might be
on it, what business data might be on it.... I know it's a hassle for
the client/home user to flatten/rebuild their computer, but,
considering all of the unknowns, the security of their data,
shouldn't we be encouraging the flattening of their systems as the
proper method to clean a unknown system?

I snipped again.

Should we? Perhaps. It's a measure of what they will do vs. what they should
do. They should keep cloned images going back months and regular snapshots
taken in the mean-time. They, the end-users, do not do this. If we tell them
to "flatten their system" they will not. At a bare minimum we're able to
stem the tide to some extent by offering generic cleaning advice or more
specific cleaning advice when the exact nature of the problem is known.
Agreed that this is not the optimal solution however it's the best that
we're likely to get followed. Some of us have been posting in these groups
for what seems like eons and over time we've learned this. There are others
who, for whatever reason, will post a mishmash of stuff to people that may
or may not help. Personally I've resolved to use only a single link (I was
tired of cutting/pasting so I have been building a site/company based on
getting information out there) which gives only generic malware cleaning
advice. When I do see something that's just so far beyond anything that can
be cleaned rationally to the 99% certainty then the offerings from me
consist of backing up and reformatting. Yet another reason to advocate
cloning systems and prevention...

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/

Please note that if you're reading this in a browser and the domain is
not owned by Microsoft then this work is being used without permission.

Access MS Newsgroups :
http://kgiii.info/windows/all/general/msnewsgroups.html
 

Leythos

In Leythos <[email protected]> had this to say:

My reply is at the bottom of your sent message:


I snipped again.

Not a problem, I try and snip down to where I think it's needed - as
that's the norm and has been since the 80's.
Should we? Perhaps. It's a measure of what they will do vs. what they should
do. They should keep cloned images going back months and regular snapshots
taken in the mean-time. They, the end-users, do not do this.

LOL, I wish people would do this. When we clean a customers computer we
make a DVD image of the clean system and give it to them. The customers
almost never have the skill to restore the image, but they can find the
DVD when needed most times :)
If we tell them "flatten their system" they will not.

But that's the crux of the issue - if we actually stress the
implications of not flattening their system, the fact that their system
is only as clean as the current reactionary software can clean it, then
they might have an easier time with the wipe/reinstall decision.
At a bare minimum we're able to
stem the tide to some extent by offering generic cleaning advice or more
specific cleaning advice when the exact nature of the problem is known.
Agreed that this is not the optimal solution however it's the best that
we're likely to get followed. Some of us have been posting in these groups
for what seems like eons and over time we've learned this.

Yes, but changing a 'way' is difficult for most people, and it often
takes ages for people used to doing something one way to see the issue.
I'm not saying "stemming the tide" is bad, but it doesn't fix the actual
problems in all cases. If enough people told them to stand on one leg
and bark at the moon, they would try it :)
There are others
who, for whatever reason, will post a mishmash of stuff to people that may
or may not help. Personally I've resolved to use only a single link (I was
tired of cutting/pasting so I have been building a site/company based on
getting information out there) which gives only generic malware cleaning
advice.

Yep, I have a copy/paste response for most of the leading free malware
removal tools, trying to keep the text down to the links and a simple
description of them - stressing that they be run in SAFE MODE. We have a
company website that also contains malware removal information, in
detail, and a company bbs that contains detailed instructions that we
direct clients to, but it's not something I post here.
When I do see something that's just so far beyond anything that can
be cleaned rationally to the 99% certainty then the offerings from me
consist of backing up and reformatting. Yet another reason to advocate
cloning systems and prevention...

I guess that I just have, after 20+ years of doing this, wonder if we're
not doing justice to individuals with compromised machines. While we all
know that we can clean them most of the time, how do we tell a poster
that this will remove most malware many times, but your machine could
still be compromised with undetected malware and even unknown malware.
Since most of us have found that it takes more than one product/tool to
actually clean a system completely, are we really doing these users with
compromised machines justice by hiding a symptom of the real issue?
 

Galen

In Leythos <[email protected]> had this to say:

My reply is at the bottom of your sent message:
Not a problem, I try and snip down to where I think it's needed - as
that's the norm and has been since the 80's.


LOL, I wish people would do this. When we clean a customers computer
we make a DVD image of the clean system and give it to them. The
customers almost never have the skill to restore the image, but they
can find the DVD when needed most times :)


But that's the crux of the issue - if we actually stress the
implications of not flattening their system, the fact that their
system is only as clean as the current reactionary software can clean
it, then they might have an easier time with the wipe/reinstall
decision.


Yes, but changing a 'way' is difficult for most people, and it often
takes ages for people used to doing something one way to see the issue.
I'm not saying "stemming the tide" is bad, but it doesn't fix the
actual problems in all cases. If enough people told them to stand on
one leg and bark at the moon, they would try it :)


Yep, I have a copy/paste response for most of the leading free malware
removal tools, trying to keep the text down to the links and a simple
description of them - stressing that they be run in SAFE MODE. We
have a company website that also contains malware removal
information, in detail, and a company bbs that contains detailed
instructions that we direct clients to, but it's not something I
post here.


I guess that I just have, after 20+ years of doing this, wonder if
we're not doing justice to individuals with compromised machines.
While we all know that we can clean them most of the time, how do we
tell a poster that this will remove most malware many times, but your
machine could still be compromised with undetected malware and even
unknown malware. Since most of us have found that it takes more than
one product/tool to actually clean a system completely, are we really
doing these users with compromised machines justice by hiding a
symptom of the real issue?

Methinks you're preaching to the choir. It's very early in the morning here
so I haven't time to really answer this to the best of my ability other than
to say that we don't truly do them a dis-service either. I can only speak on
my own behalf but the link that I recommend - on my site obviously - is sure
to advise people to use more than one tool. In fact it gives them a whole
bunch of options and recommends using more than one tool. I'd also recommend
HJT but, well, then people would want me to look at their logs in the forum
probably and I'll never have any time if they started doing that.

One thing I'd like to stress - and it's not yet on the page but is actually
an article submitted to my site developer - is that it's my opinion that
the tools being billed as malware removal tools are nothing more than
malware prevention and identification tools. They ideally prevent the
installation of malware on the system and when it's found identify it.
Removal should be done by hand. But, well, that's just my opinion. Hmm...
Wow... Hmm... I've been at this silliness since 1979??? Wow I'm getting
old... Ah well... 20 years is a long time, maybe we need to become used car
salesmen or real estate salesmen. I think if I could do it all again I would
have stayed in college, forever...

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/

Please note that if you're reading this in a browser and the domain is
not owned by Microsoft then this work is being used without permission.

Access MS Newsgroups :
http://kgiii.info/windows/all/general/msnewsgroups.html
 

Shenan Stanley

Leythos said:
Most of us that worked on computers for a living have run across many
compromised computers with many different types of malware.

As people post with compromised machines we direct them to all of the
tools that we know about in an effort to help them regain use of their
machines in a malware free mode, or at least enough access to backup
their documents and files to restore later.

What is really at question is the ability of the current tools we have
to clean 100% of the malware 100% of the time in the current and
future environment for a given machine at a given instant.

This thread is not personal, about anyone's skills, about any
individual, it's only about cleaning malware off machines to the point
that we could state that 100% of all malware, known and unknown, is
removed from the machine at the moment you finish cleaning it.

Do you feel 100% certain that your tools and skills can clean a
compromised machine, 100% of the time, without any malware, known or
unknown, remaining on the machine - 100% of the time?

Since I don't believe that any one can actually say "YES" without
limitations, then how do we help all of these clueless users ensure
their machines are clean?

We all know that you can wipe/reboot/install from clean disks, in a
clean environment, and the machine will be clean at that moment.

We all know that it takes between 30~90 minutes to restore a machine
from scratch (depending on the method, quicker for ghost images), and
that it's time consuming to get everything back to normal for
customers.

We all know that no one wants to wipe/reinstall as it means lots of
extra work.

Now, we also know that removing the malware can take hours in some
cases, most takes less. For some malware you have to boot to the
recovery console and manually remove it.

So, it comes down to this - clean their system enough to save files to
CD/DVD, then wipe it to ensure that the malware is 100% removed and
the system is clean enough to be certified as clean.

While most of us will just clean a machine and reboot it several
times, check the registry, tasks, netstat, etc.... then run the
malware removal tools several times, etc... It just means that we're
willing to take the level of risk for not having to put the time in
to ensure that the system is 100% certified clean, which means we
don't really want to reinstall everything again :)

I know that some will claim they can perfectly clean a machine, but,
if you're really that sure you can clean 100% of malware, 100% of the
time, now and in the future, of known and unknown malware, without a
wipe/reinstall, then I think you're just fooling yourself.

Again, are we assuming that by providing "reactionary" tools and
methods that don't wipe/reinstall, that we're doing visitors to this
group (and others) justice and actually providing them with a 100%
clean platform to continue with?

I'm not 100% sure I'll wake up every morning..
(or even where sometimes..)

So - it would be ridiculous for anyone to claim 100% certainty on anything
with as many variables as that.
 
D

deebs

Shenan said:
I'm not 100% sure I'll wake up every morning..
(or even where sometimes..)

So - it would be ridiculous for anyone to claim 100% certainty on anything
with as many variables as that.
I understand that the most secure server is one encased in a concrete
room, well underground with no incoming or outgoing wires (yes,
deductions can be made purely from observations of mains power use).
The trouble is that it ceases to be a server.

On the other hand, the most functional server is one that can be reached
freely, but this tends to be the least secure.

Between these two extremes are the do-able, IMO.
 
K

Kerry Brown

If you take the typical poster here, some unknown person asking for help
with a compromised machine, we get a "little" information, pull more
info out of them, but we have no idea as to the extent of the compromise
of their computers. We take a "best guess" approach to get them back to
a usable state, but, is "usable" what we should really be doing? If it
was your relative (one that you liked a lot) with the compromised
machine, wouldn't you just flatten their system after salvaging their
documents and then rebuild it from scratch?

<snip>

Many of the typical posters you are talking about would not be able to
rebuild their system from scratch. They would end up with something that
doesn't function as well as it did with the malware on it. It may be more
secure but most people would take functional over security. That's why
Microsoft always beats Linux in the marketplace :) If we went strictly by
your guidelines we would tell everyone to find a good technician and pay
them to fix their PC. In reality that is probably the best advice but not
too many people would take it. I think all we can do is give them advice on
the problem they have asked about, warn them about any possible consequences
your advice may cause, and possibly get a lecture or two in once in a while
about the importance of backups. The way I look at it, if one person a week
reading these newsgroups decides it's time to do a backup then everyone's
time has been worth it. I'm looking forward to a time when I can go back to
network and hardware troubleshooting instead of the mind-numbing work of
fighting malware.

Kerry
 
G

Galen

deebs <[email protected]> had this to say:

My reply is at the bottom of your sent message:
Between these two extremes are the do-able IMO

Heyya Deebs... Pick what you want to do, know what the risks are, and then
make your choice based on what you want to accomplish today. That's my
truthful recommendation. If you LIKE using a poker playing program and don't
mind leaking your personal information, or make it a point not to keep any
real info on there, and don't mind your PC slowing down when you fill it full
of trash, then so be it. Who am I to say what you can't do? What I do think
is that there should be some sort of minimal standard of protection (with
optional override until the point at which they become a source of
infection) enforced by the ISP. Now that'd be alright...

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/

Please note that if you're reading this in a browser and the domain is
not owned by Microsoft then this work is being used without permission.

Access MS Newsgroups :
http://kgiii.info/windows/all/general/msnewsgroups.html
 
G

Guest

OK, here's the deal. I think the only way to "Certify 100% Clean" is to format
and re-install the OS...........period.

The bottom line is I can save all of the customer's data, do a format,
re-install with all the updates and install anti-virus software in about 1½
hours. Plus set up file sharing, networking, and make many tweaks. Why even
mess around trying to clean when most of the time it is just not going to
work.

I get $130.00 for each machine, flat rate. I usually do about 10 machines a
month, so it makes for some nice pocket money.

When the customer ruins their machine again I do it all over again and
charge the same money.
 