Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?

RayLopez99

Just what the title says. Do you really feel good using a PC you have
disinfected? Don't you feel better with a known PC that never had a
virus? Do you eat your own cooking?

BTW while this was my first Windows virus in a long while, I still
have confidence in Windows and would never switch to Linux--not worth
the loss of functionality.

RL


Thanks FromTheRafters. Using a stand-alone CD provided (downloaded
from) by Kaspersky, running under Linux, which is ironic for a Windows
user like me but understandable (as you want to find rootkits), the
Kaspersky CD found an infection by "trojan-downloader.Win32.Agent.
{RANDOM FOUR LETTERS ADDED AT END}". Once I removed this (using the
same CD) I no longer get reboots. Problem solved.

Question: should I do a clean reinstall and/or reinstall from a month
ago when my system was known to be clean? Or can I trust Kaspersky
has removed this trojan?

My thoughts: I like doing a clean reinstall once in a while since you
get rid of junk programs that the Revo uninstaller (an excellent
program I use) or Windows Uninstall failed to completely remove. On
the other hand, why go through the several hours if not half a day's
worth of work to reinstall from a clean slate?

I'm leaning towards uninstall as well as changing passwords on all
online accounts in case this trojan was a keyboard logger (I don't
think it is--but there's so many variants of this trojan it's hard to
tell what it does).
 
VanguardLH

RayLopez99 said:
> Newsgroups: ...,comp.os.linux.advocacy

You really expected anyone to reply when you deliberately chose to
include some advocacy newsgroup. What does disinfecting an HDD have to
do with proselytizing your personal choice for an OS? The other groups
to which you posted are OS-agnostic. There was no need to include an
unrelated and off-topic newsgroup. Don't cross-post to flame-bent
newsgroups unless you want to get ignored by many potential respondents
including inhabitants in the other non-flame newsgroups.

NOTE:
The flame[d] group deliberately added by the OP was omitted in my reply.

> Do you really feel good using a PC you have disinfected?

I do *if* I have diligently cleaned the PC so I know it's clean. If you
have to question the state of your host then you also question whether
or not the tools or methods you used were thorough.

> Don't you feel better with a known PC that never had a virus?

Depends on how long it takes to eradicate the pest. Since I can do a
flatten and rebuild of the OS and apps in about 3 days (assuming I don't
trust my image backups to be malware free), I don't spend more than that
amount of time to clean the pest from the host. Once you spend a day
working on eradication, you'll have some idea of how much more time it
will take. Don't keep pushing for a clean when you see that it'll take
less time to flatten and rebuild.

> BTW while this was my first Windows virus in a long while, I still
> have confidence in Windows and would never switch to Linux--not worth
> the loss of functionality.

Oh, and that's why you cross-posted to a Linux advocacy group so you
could generate a flame over there. Uh huh.

> Question: should I do a clean reinstall and/or reinstall from a month
> ago when my system was known to be clean? Or can I trust Kaspersky
> has removed this trojan?

How do you know when your computer got infected? How do you know your
backups (not described here) are clean? Just because the effects of
malware didn't become apparent until later doesn't mean the pest isn't
lurking in your backups. Once you restore, you'll have to go through
the entire process of verifying the restoration is also clean.

If you don't trust Kaspersky (and other security tools you should also
use and not just rely on one product) then why bother with the
disinfection? If you didn't figure the tool(s) you used for pest
eradication would work, why didn't you go the "flatten and rebuild" or
reimage route?

> My thoughts: I like doing a clean reinstall once in a while since you
> get rid of junk programs that the Revo uninstaller (an excellent
> program I use) or Windows Uninstall failed to completely remove. On
> the other hand, why go through the several hours if not half a day's
> worth of work to reinstall from a clean slate?

Revo Uninstaller is of value only for their hardcoded list of known apps
that they recorded in their program to perform an uninstall of those
apps. Unless you pay for the product, you do not get their install
monitor. That means it cannot do much about programs they haven't
included in their known apps table. If you buy the product then you get
their install monitor (provided you trigger it to monitor an
installation). Zsoft Uninstaller is free. It doesn't have a real-time
install monitor but instead takes a snapshot of your host before an
install, you do the install, and then compares the state of the host
after the install with the prior snapshot that it took to log the
changes (so you can undo them later). You use the Add/Remove Programs
applet to uninstall the unwanted program and then use Zsoft Uninstaller
to remove the remnants.

We don't know what type of "backups" you have. You might only have
logical file backups: the files get saved into a backup file stored
somewhere so a restore simply replaces that file back in the existing
file system on the HDD. If you are doing image backups of partitions
then restoring them can come close to replicating a prior state of the
HDD. Some imaging programs are logically structured, which means they
restore but use the clusters in order, versus a sector-by-sector image
that puts the exact image back onto the HDD (but is larger than a
logical image because even the unused sectors [unused by the file system
for the OS, that is, but not necessarily unused by apps] are included in
a sector-by-sector image). A file backup won't necessarily eradicate a
pest versus an image backup of a partition - assuming the backup is
itself clean.

Takes me only an hour to restore my C: drive (the OS partition) from
backups saved on HDDs but then I only have 35GB currently occupying that
partition. Don't know what type of backups you are saving, what program
you use, how it is configured, what you use for the storage media on
which the backups are stored, or the size of your backups (i.e., how
much space is consumed on the HDD in the backed up partition and how
much of it you include in your backups).

> I'm leaning towards uninstall as well as changing passwords on all
> online accounts in case this trojan was a keyboard logger (I don't
> think it is--but there's so many variants of this trojan it's hard to
> tell what it does).

So what OTHER security tools have you used to scan your HDD to engender
a higher level of trust by you that it is clean? One tool is not
sufficient. One tool will have gaps which you hope to avoid by
overlapping the use of multiple tools (not all of which are concurrently
resident since they may conflict with each other, but you use them as
manual scanners to increase your trust level).
 
Dustin

> Just what the title says. Do you really feel good using a PC you have
> disinfected? Don't you feel better with a known PC that never had a
> virus? Do you eat your own cooking?

It depends on what I found on the machine. For example, while messing
around with a malware sample a couple of years ago, it got loose. I
thought I cleaned everything up, but it did patch a few critical DLL
files on me.

Once I replaced them with hashed known good ones, the issue was
resolved. So for this case, reinstalling Windows, then the apps, then
configuration of everything (which for this machine, is a lot! of
software)... disinfection was the better choice. I have every folder
contents hashed and stored on read only media, so I can boot Bart
anytime and replace bad/modded files.

I.e.: I took the time to do the prep work so I can recover from any
situation that might present itself.

That and the box is happily imaged via Ghost to an external HD and
across the LAN to the server.

> BTW while this was my first Windows virus in a long while, I still
> have confidence in Windows and would never switch to Linux--not worth
> the loss of functionality.
Did you actually have a virus or something else, Ray?
 
JeffM

Dopez said:
> [...]a PC you have disinfected?

The proper way to disinfect a PC
is to overwrite the Windoze partition with a Linux install.

"Disinfecting" includes getting rid of your easily-infected toy OS
and its easily-infected toy M$ filesystems.

Barring that,
overwrite ALL of the drives containing Windoze filesystems.
DBAN has been pointed out to you before
as has the Linux dd command.

Other than overwriting EVERYTHING that uses M$ "technology",
there is no other way to be sure
that you have gotten ALL the infections off a Windoze system.
(aka "Nuke it from orbit; it's the only way to be sure.")

> Don't you feel better with a known PC that never had a virus?

Fantasy.
You can NEVER be sure
that a Windoze box DOESN'T have an infection.
All you can know is that the anti-whatever app THAT YOU RAN
didn't find anything at the time you ran it.

The Black Hats are smarter than
your AV vendor and the M$ "designers" combined.

> I still have confidence in Windows

...and the Easter Bunny and Santa Claus.

> and would never switch to Linux

...yet you post your mindless Windoze drivel to a Linux group.
Loser.
 
Sjouke Burry

RayLopez99 said:
> Just what the title says. Do you really feel good using a PC you have
> disinfected? Don't you feel better with a known PC that never had a
> virus? Do you eat your own cooking?

I am writing this response from a computer, which had about 3 types of
viri removed from it in the last 7 years.
Never had to re-install XP.
Never needed the disk image copies I have on a backup disk.
So yes, I am feeling fine about using this computer.
 
RayLopez99

> RayLopez99 said:
>> Newsgroups: ...,comp.os.linux.advocacy
>
> You really expected anyone to reply when you deliberately chose to
> include some advocacy newsgroup. What does disinfecting an HDD have to
> do with proselytizing your personal choice for an OS? The other groups
> to which you posted are OS-agnostic. There was no need to include an
> unrelated and off-topic newsgroup. Don't cross-post to flame-bent
> newsgroups unless you want to get ignored by many potential respondents
> including inhabitants in the other non-flame newsgroups.
>
> NOTE:
> The flame[d] group deliberately added by the OP was omitted in my reply.

Who cares. Move on.

> I do *if* I have diligently cleaned the PC so I know it's clean. If you
> have to question the state of your host then you also question whether
> or not the tools or methods you used were thorough.

What is 'thorough'? Define your pain threshold. If your life
depended on eradicating a virus, would you do a flatten and rebuild
as you call it or disinfect?

> Depends on how long it takes to eradicate the pest. Since I can do a
> flatten and rebuild of the OS and apps in about 3 days (assuming I don't
> trust my image backups to be malware free), I don't spend more than that
> amount of time to clean the pest from the host. Once you spend a day
> working on eradication, you'll have some idea of how much more time it
> will take. Don't keep pushing for a clean when you see that it'll take
> less time to flatten and rebuild.

Makes sense.

> Oh, and that's why you cross-posted to a Linux advocacy group so you
> could generate a flame over there. Uh huh.

Right. They enjoy an occasional bone thrown their way. I like
reinforcing a person's prejudices--it humors me in the same way
throwing a tasty sausage to a dog does. I might even humor you later
on in this thread.

> How do you know when your computer got infected? How do you know your
> backups (not described here) are clean? Just because the effects of
> malware didn't become apparent until later doesn't mean the pest isn't
> lurking in your backups. Once you restore, you'll have to go through
> the entire process of verifying the restoration is also clean.

Interesting. To the extent you are not bullshitting, which I think
you probably are, do feel free to tell us about "delayed" malware that
"lurked" in a system. Sounds rare to me. My trojan manifested itself,
it seems, rather suddenly and persisted. Why delay? Either the
malware will attempt to stay silent and collect information until such
time it is detected or not, and will try and wreck the system from the
get-go. It's not a bomb with a proximity fuse that needs people to be
lulled into a false sense of security (pace Stuxnet).

> If you don't trust Kaspersky (and other security tools you should also
> use and not just rely on one product) then why bother with the
> disinfection? If you didn't figure the tool(s) you used for pest
> eradication would work, why didn't you go the "flatten and rebuild" or
> reimage route?

Actually I did go the latter route; was up all night. But for future
reference I'd like to know what others do. Actually you introduce a
third option: let the AV program "remove" the virus then move on. I
did not include that option in the original post--so I ask it now--
how many of you "roll back" to a clean version rather than let an AV
program "remove" malware? That would be overkill IMO but I guess it's
the safest way if you don't trust the AV writers.

> Revo Uninstaller is of value only for their hardcoded list of known apps
> that they recorded in their program to perform an uninstall of those
> apps. Unless you pay for the product, you do not get their install
> monitor. That means it cannot do much about programs they haven't
> included in their known apps table. If you buy the product then you get
> their install monitor (provided you trigger it to monitor an
> installation). Zsoft Uninstaller is free. It doesn't have a real-time
> install monitor but instead takes a snapshot of your host before an
> install, you do the install, and then compares the state of the host
> after the install with the prior snapshot that it took to log the
> changes (so you can undo them later). You use the Add/Remove Programs
> applet to uninstall the unwanted program and then use Zsoft Uninstaller
> to remove the remnants.

Well it sounds like a panacea. CNet is OK on it, see here:
http://download.cnet.com/ZSoft-Uninstaller/3000-2096_4-10409090.html
- however they make this curious statement: "ZSoft Uninstaller works
well, although it's not as robust as some other free uninstallers out
there. Even though it may not have all the chrome of the competition,
when it comes to getting its core task done--uninstalling unwanted
apps--ZSoft Uninstaller is a good choice"

So I wonder if "chrome" means user interface and eye candy. If so,
then ZSoft is probably a good program. Thanks for the
recommendation.

> We don't know what type of "backups" you have. You might only have
> logical file backups: the files get saved into a backup file stored
> somewhere so a restore simply replaces that file back in the existing
> file system on the HDD. If you are doing image backups of partitions
> then restoring them can come close to replicating a prior state of the
> HDD. Some imaging programs are logically structured, which means they
> restore but use the clusters in order, versus a sector-by-sector image
> that puts the exact image back onto the HDD (but is larger than a
> logical image because even the unused sectors [unused by the file system
> for the OS, that is, but not necessarily unused by apps] are included in
> a sector-by-sector image). A file backup won't necessarily eradicate a
> pest versus an image backup of a partition - assuming the backup is
> itself clean.

I'm doing an image backup using Acronis. And I did notice that yes, a
non-sector-by-sector image restoration (I tested this last night)
gives a curious effect that's hard to explain, but here goes: if you
reformat the hard drive, then create an account that's called
"Administrator2" while your original, Acronis-backed image file (non-
sector-by-sector) had a user account called "Administrator1", you'll
get TWO, not one, user accounts restored when you do the restoration.
I suppose this would not be the case if you did a sector-by-sector
image backup file restoration. It's a minor annoyance since you can,
after the restoration, delete the 'temporary' account Administrator2
in the above example. This phenomenon does make sense if you think
about it but it was a bit unexpected to me.

> So what OTHER security tools have you used to scan your HDD to engender
> a higher level of trust by you that it is clean?

I used Comodo, a Linux based CD version of Kaspersky (which caught the
virus in question--and removed it), and I used on a trial basis a
malware remover called Hitman Pro (not that great, but does remove
cookies quite nicely, though not worth paying for it).

> One tool is not
> sufficient. One tool will have gaps which you hope to avoid by
> overlapping the use of multiple tools (not all of which are concurrently
> resident since they may conflict with each other, but you use them as
> manual scanners to increase your trust level).

Please show us your tool list. Not your tool, your list of tools.

Well I hope I did not insult you too much, but this is Usenet.

Look forward to your reply.

RL
 
RayLopez99

(e-mail address removed):

> It depends on what I found on the machine. For example, while messing
> around with a malware sample a couple of years ago, it got loose. I
> thought I cleaned everything up, but it did patch a few critical DLL
> files on me.
>
> Once I replaced them with hashed known good ones, the issue was
> resolved. So for this case, reinstalling Windows, then the apps, then
> configuration of everything (which for this machine, is a lot! of
> software)... disinfection was the better choice. I have every folder
> contents hashed and stored on read only media, so I can boot Bart
> anytime and replace bad/modded files.

Wow man, how do you do something like that? I've hashed a single file
using some freeware tool, but to hash every file in a HD must require
some proprietary software I would imagine. I think Microsoft should
do that for all system files: have a dictionary of known good hashes
and compare any changes to that dictionary, and at least warn the user
if these critical system file hashes change.

> I.e.: I took the time to do the prep work so I can recover from any
> situation that might present itself.
>
> That and the box is happily imaged via Ghost to an external HD and
> across the LAN to the server.
>
> Did you actually have a virus or something else, Ray?

Yes Kaspersky recognized it as Trojan-Downloader.Win32.Agent. This
Kaspersky was on a Linux DVD and run at boot time. Caught and removed
the virus, no more sudden reboots after that, but being paranoid I
went ahead and did a complete flatten and rebuild of my system (and
still doing it as we speak--I took a break just now to post here).

> --
> I am a sinner
> Hold my prayers up to the sun
> I am a sinner
> Heaven's closed for what I've done.

Did you kill somebody? Or just .killfile them? At least you're past
your unsanitary hand problem. ;-)

RL
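What Dustin describes above (every folder hashed, a known-good copy kept on read-only media so patched files can be spotted and replaced) and what Ray asks about (a dictionary of known-good hashes that flags changed system files) is the same mechanism as the before/after install snapshot VanguardLH credits to Zsoft Uninstaller. Here is an added Python example of that mechanism; it is not code from this thread or from Ghost, BartPE, Zsoft or any other tool named here, and the directory tree and file contents in the demo are constructed.

```python
"""Snapshot/compare integrity tool (added example, not from this thread or
from Ghost, BartPE, Zsoft or any other tool named in it).

Builds a manifest of SHA-256 digests for every regular file under a root,
saves it as JSON, and diffs a later snapshot against that baseline to list
files that were added, removed or modified. Two uses the thread talks about:
  * snapshot before installing a program, snapshot again afterwards, diff
    the two to see everything the installer left behind;
  * keep a manifest of known-good system files on read-only media and
    verify the live files against it after an incident.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # hash regular files only; skip links and special files
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, out_path):
    """Write the manifest as sorted JSON; keep this copy on read-only media."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(in_path):
    """Read a manifest written by save_manifest."""
    with open(in_path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two manifests; returns sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed demo in a throwaway directory: hash a 'known good' tree,
    change it the way a dropper or an installer would, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        tree = base / "tree"  # stands in for the protected system directory
        (tree / "system32").mkdir(parents=True)
        (tree / "system32" / "good.dll").write_bytes(b"original library code")
        (tree / "system32" / "stable.dll").write_bytes(b"untouched")
        (tree / "config.ini").write_text("setting=1\n")
        save_manifest(snapshot(tree), base / "baseline.json")  # kept outside the tree

        (tree / "system32" / "good.dll").write_bytes(b"patched library code")
        (tree / "config.ini").unlink()
        (tree / "system32" / "dropped.dll").write_bytes(b"new file")

        return compare(load_manifest(base / "baseline.json"), snapshot(tree))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Point `snapshot()` at a real system directory from a boot CD rather than from the suspect OS, since a running rootkit can lie to the tool about what is on disk.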
 
RayLopez99

> Dopez said:
>> [...]a PC you have disinfected?
>
> The proper way to disinfect a PC
> is to overwrite the Windoze partition with a Linux install.
>
> "Disinfecting" includes getting rid of your easily-infected toy OS
> and its easily-infected toy M$ filesystems.
>
> Barring that,
> overwrite ALL of the drives containing Windoze filesystems.
> DBAN has been pointed out to you before
> as has the Linux dd command.

Oh, yes, you're the shithead that pointed out DBAN to me. Got news
for you pal: I tried DBAN, but since the MBR was corrupted, it (and
for that matter Acronis Disk Manager) refused to see the internal HD
on boot. Solution? Easy, just reinstall Windows (which has a format
command--I guess a "quick" format but still a format, on initial
installation), install Acronis, and then use Acronis (just to be extra
safe) to reformat, then install Windows again, and proceed.

"THANKS" --for nothing, you know-nothing.

> Other than overwriting EVERYTHING that uses M$ "technology",
> there is no other way to be sure
> that you have gotten ALL the infections off a Windoze system.
> (aka "Nuke it from orbit; it's the only way to be sure.")
>
> Fantasy.
> You can NEVER be sure
> that a Windoze box DOESN'T have an infection.
> All you can know is that the anti-whatever app THAT YOU RAN
> didn't find anything at the time you ran it.
>
> The Black Hats are smarter than
> your AV vendor and the M$ "designers" combined.
>
> ...and the Easter Bunny and Santa Claus.
>
> ...yet you post your mindless Windoze drivel to a Linux group.
> Loser.

Ha ha ha. Thanks for the comedy, shithead. I can tell you've not got
any money and are living off mommy.

RL
 
RayLopez99

> I am writing this response from a computer, which had about 3 types of
> viri removed from it in the last 7 years.
> Never had to re-install XP.
> Never needed the disk image copies I have on a backup disk.
> So yes, I am feeling fine about using this computer.

You are very brave, or very knowledgeable, or maybe both.

Good to you.

RL
 
David H. Lipman

Sjouke Burry said:
> I am writing this response from a computer, which had about 3 types of
> viri removed from it in the last 7 years.
> Never had to re-install XP.
> Never needed the disk image copies I have on a backup disk.
> So yes, I am feeling fine about using this computer.


No you didn't - there is no such thing in relation to computer malware.

http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html
http://en.wikipedia.org/wiki/Plural_of_virus#Virus
 
(PeteCresswell)

Per RayLopez99:
> Just what the title says. Do you really feel good using a PC you have
> disinfected? Don't you feel better with a known PC that never had a
> virus?

My bias is to not use such a PC - but it's not a religious issue.

Once you learn the ins and outs of keeping data and system on
separate drives, restoring from a known good image becomes close
to trivial - and that's the path I choose given the option.
 
FromTheRafters

(PeteCresswell) said:
> Per RayLopez99:
>
> My bias is to not use such a PC - but it's not a religious issue.
>
> Once you learn the ins and outs of keeping data and system on
> separate drives, restoring from a known good image becomes close
> to trivial - and that's the path I choose given the option.

Exactly - make the 'flatten and rebuild' scenario the less daunting and
it becomes a no-brainer.
 
FromTheRafters

Kari said:
> How many executable files does a pristine Windows XP contain - well,
> quite a few.
>
> Then you have installed other software for it.
>
> That means millions of places a virus and a trojan can hide itself. They
> can even install themselves so that traditional anti-virus programs do
> not see them.
>
> Security experts (which I am not) have a very clear message. If a machine
> is infected - reinstall. It is a fact that an infected machine can not ever
> be trusted.

It depends upon what was there. It is overkill to flatten and rebuild
over discovering some lame trojan.
 
David H. Lipman

Kari Laine said:
> How many executable files does a pristine Windows XP contain - well,
> quite a few.
>
> Then you have installed other software for it.
>
> That means millions of places a virus and a trojan can hide itself. They
> can even install themselves so that traditional anti-virus programs do
> not see them.
>
> Security experts (which I am not) have a very clear message. If a machine
> is infected - reinstall. It is a fact that an infected machine can not ever
> be trusted.

There are limits to the locations malware can be installed, and that is
diminished if it is under a LUA.

Also, it is NOT a fact that an "...infected machine can not ever be trusted."
It depends on the malware, its family and associations. For example a FakeAlert trojan
used in a con game can be a simple trojan not associated with a rootkit and could be a
singular DLL or EXE file.
 
JEDIDIAH

> Kari said:
>> RayLopez99 wrote:
>> [deletia]
>> Security experts (which I am not) have a very clear message. If a machine
>> is infected - reinstall. It is a fact that an infected machine can not ever
>> be trusted.
>
> It depends upon what was there. It is overkill to flatten and rebuild
> over discovering some lame trojan.

If it is "overkill" then the OS is not very maintainable.

The process of flattening and rebuilding should not be terribly bothersome.

...and yes such severity is warranted. Anything less is gross negligence.
 
FromTheRafters

JEDIDIAH said:
> Kari said:
>> On 08/19/2011 05:01 AM, Sjouke Burry wrote:
>>> RayLopez99 wrote: [deletia]
>>
>> Security experts (which I am not) have a very clear message. If a machine
>> is infected - reinstall. It is a fact that an infected machine can not ever
>> be trusted.
>
> It depends upon what was there. It is overkill to flatten and rebuild
> over discovering some lame trojan.
>
> If it is "overkill" then the OS is not very maintainable.
>
> The process of flattening and rebuilding should not be terribly bothersome.
>
> ...and yes such severity is warranted. Anything less is gross negligence.

I disagree with the first statement, agree with the second, and disagree
with the third.
 
JeffM

JEDIDIAH said:
> If it is "overkill" [then] the OS is not very maintainable.
> The process of flattening and rebuilding should not be terribly bothersome.

You Linux guys are all alike:
You think everything should be *easy*. :cool:

> ...and yes such severity is warranted. Anything less is gross negligence.

If you have ONE infection on your Windoze box,
you likely have MORE.
If you can't be bothered to scrape it clean and start over,
don't EVER connect that thing back to a network;
I'm tired of seeing the backscatter from your pwned spambot box.
 
Peter Köhlmann

Hadron said:
> Lol! You never cease to amaze!

Except that he is right. And you are a pompous stupid twit.
How is your imaginary "Debian install" doing?
 
RayLopez99

> No you didn't - there is no such thing in relation to computer malware.
>
> http://homepages.tesco.net/~J.deBoy...//en.wikipedia.org/wiki/Plural_of_virus#Virus

Dave--sorry for the previous insults directed to you by me, please
ignore them buddy; forgive and forget.

So Dave tell me: when you surf the web via Linux using say VMWare,
and you don't password protect your 'root' (Sudo I think they call
it), nor run a firewall (except the hardware firewall you have), nor
run any anti-virus program in Linux, is it possible for evil hackers
to compromise your Windows 7 PC via the Linux VMWare portion?

Thanks in advance, your online friend,

Ray
 
RayLopez99

> Per RayLopez99:
>
> My bias is to not use such a PC - but it's not a religious issue.
>
> Once you learn the ins and outs of keeping data and system on
> separate drives, restoring from a known good image becomes close
> to trivial - and that's the path I choose given the option.

Thanks PeteCresswell. That seems to be, as I research this issue, the
consensus: removing the virus is often as much work (or just about)
as a restore. But sometimes not--hence I ask whether you would trust
the AV software to remove a trojan using a 'one click' fast fix--it's
a bit suspicious to me that a virus could be removed so quickly by a
program, hence I took the restore (or rather, even harder, clean metal
re-installation) route.

RL
 
