[H] Suggested tools for helping a friend with bad virus infestation
A co-worker friend of my wife asked if I would be willing to look at their PC. Apparently they have a bad virus infestation on their PC and have not been using an anti-virus program. They have spoken to tech support at Gateway and were told that they may be best off backing up their data and reformatting. I have not seen the PC yet so I don't know how bad it is. I have never had to deal with a PC that has a virus and has NO anti-virus at all.

I am looking for suggestions of what software tools I should bring with me when I go look at the PC. I have a bootable Norton Anti-virus disc and can let it scan the PC and try to clean it up. Is there something better that I should use? If I do have to reformat and re-install the OS, what is the best way to back up the data and not re-infect the PC when the data is restored?
Re: [H] Suggested tools for helping a friend with bad virus infestation
On Fri, 10 Feb 2006, Jerry Jones wrote:
> A co-worker friend of my wife asked if I would be willing to look at their PC. Apparently they have a bad virus infestation on their PC and have not been using an anti-virus program. They have spoken to tech support at Gateway and were told that they may be best off backing up their data and reformatting. I have not seen the PC yet so I don't know how bad it is. I have never had to deal with a PC that has a virus and has NO anti-virus at all.
>
> I am looking for suggestions of what software tools I should bring with me when I go look at the PC. I have a bootable Norton Anti-virus disc and can let it scan the PC and try to clean it up. Is there something better that I should use? If I do have to reformat and re-install the OS, what is the best way to back up the data and not re-infect the PC when the data is restored?

From a time/value perspective, if you can get them to agree to a reformat that is generally what I prefer to do. Back up their data (now they have a known good backup) and reinstall Windows. This gives you the advantage of installing the latest BIOS/drivers/updates, etc. while not worrying about remnants of virus infections from installations past. The amount of time you will spend cleaning the system, rebooting, etc. rarely justifies doing the cleaning on a system you can just format and restore data to instead. Just make sure you back up all the data they could need.

That said, if you really want to attempt to clean as opposed to formatting, you can get yourself a Bart disk and boot from that and run your antivirus, or take the drive out and put it into a USB2/Firewire and scan it from a known good machine.

Christopher Fisk
--
`That young girl is one of the least benightedly unintelligent organic life forms it has been my profound lack of pleasure not to be able to avoid meeting.' - Marvin's first ever compliment about anybody.
Re: [H] Suggested tools for helping a friend with bad virus infestation
At 02:44 PM 10/02/2006, Jerry Jones wrote:
> A co-worker friend of my wife asked if I would be willing to look at their PC. Apparently they have a bad virus infestation on their PC and have not been using an anti-virus program. They have spoken to tech support at Gateway and were told that they may be best off backing up their data and reformatting. I have not seen the PC yet so I don't know how bad it is. I have never had to deal with a PC that has a virus and has NO anti-virus at all.

Those are the most fun. :)

> I am looking for suggestions of what software tools I should bring with me when I go look at the PC. I have a bootable Norton Anti-virus disc and can let it scan the PC and try to clean it up. Is there something better that I should use? If I do have to reformat and re-install the OS, what is the best way to back up the data and not re-infect the PC when the data is restored?

It would be best to scan the computer without booting the OS, as the OS is compromised and may allow proper removal. At worst, scan from Safe Mode. Better would be to move the hard drive to a known clean computer and scan with its AV. Or you could use a BartPE CD.

T
Re: [H] Suggested tools for helping a friend with bad virus infestation
I'd also second the backup reinstall; nothing else is 100% in this day and age of things that cloak themselves and not-as-yet detected exploits/malware. In addition I would suggest they rotate all passwords used anywhere and consider monitoring their credit reports if they've done any online transactions.

As to what to back up, everything. What to restore, non-programs (doc, pdf, txt, etc...) then carefully go through them with an up-to-date AV (online) scanner(s). If they are with an ISP offering name brand AV for free, install it if reputable, otherwise buy one.

Christopher Fisk wrote:
> On Fri, 10 Feb 2006, Jerry Jones wrote:
>> I am looking for suggestions of what software tools I should bring with me when I go look at the PC. I have a bootable Norton Anti-virus disc and can let it scan the PC and try to clean it up. Is there something better that I should use? If I do have to reformat and re-install the OS, what is the best way to back up the data and not re-infect the PC when the data is restored?
>
> From a time/value perspective, if you can get them to agree to a reformat that is generally what I prefer to do. Back up their data (now they have a known good backup) and reinstall Windows. This gives you the advantage of installing the latest BIOS/drivers/updates, etc. while not worrying about remnants of virus infections from installations past. The amount of time you will spend cleaning the system, rebooting, etc. rarely justifies doing the cleaning on a system you can just format and restore data to instead. Just make sure you back up all the data they could need.
>
> That said, if you really want to attempt to clean as opposed to formatting, you can get yourself a Bart disk and boot from that and run your antivirus, or take the drive out and put it into a USB2/Firewire and scan it from a known good machine.
RE: [H] Suggested tools for helping a friend with bad virus infestation
At 03:20 PM 10/02/2006, Mesdaq, Ali wrote:
> Honestly just reformat. If you were to try to clean it you would need to be versed in rootkit detection and other kernel level skills to even be remotely able to clean out a partially sophisticated virus. It's just totally not worth it, then you never have the peace of mind you got rid of all of them.

Man, I'm shocked at the surrender attitude coming from this list. Removing viruses and spyware is possible, and really isn't much more time consuming than a reinstall, and is much less time consuming than a reinstall plus software install plus configuration plus data recovery. (Especially since data back without virus scan makes the reinstall questionable as viruses can hide in apparent data files.)

T
RE: [H] Suggested tools for helping a friend with bad virus infestation
On Fri, 10 Feb 2006, Thane Sherrington (S) wrote:
> Man, I'm shocked at the surrender attitude coming from this list. Removing viruses and spyware is possible, and really isn't much more time consuming than a reinstall, and is much less time consuming than a reinstall plus software install plus configuration plus data recovery. (Especially since data back without virus scan makes the reinstall questionable as viruses can hide in apparent data files.)

I gave the suggestion on how to do it without the reinstall, I'm just saying from the standpoint of someone who does this for family: you're going to run into something that you have to research, and that research time takes away from time that could be spent socializing/hanging out. In a business environment, yeah, removal is fine, but as a favor for someone, go the full reinstall route IMO, it's a more sure thing, less gambling on how long it's going to take, and you leave knowing they at least have a backup from that day in case there is a disaster after that. Plus, you can sit down and watch TV while the thing is running the reinstall.

Christopher Fisk
--
Hmmm, look at those eyes. He's trying to hypnotize me, but not in the good Las Vegas way. -- Homer Simpson, Mountain of Madness
Re: [H] Suggested tools for helping a friend with bad virus infestation
This is not surrender, it's the current state of things. Why go through a process that you can't guarantee? At least if you back up everything, reformat/reinstall, then restore only what is assumed to be data, you're narrowing down the field quite a bit and also removing the potential for a cloaked active or unknown virus. If viruses can hide in apparent data files then using your method there are even more untrusted files to scan/miss, plus the potential for active infection cloaking itself. One way is now a hit-or-miss hack job, the other the proper solution. It's not an academic exercise, it's a job, there is no reason to spend time and still not be certain you've done the job right.

Thane Sherrington (S) wrote:
> At 03:20 PM 10/02/2006, Mesdaq, Ali wrote:
>> Honestly just reformat. If you were to try to clean it you would need to be versed in rootkit detection and other kernel level skills to even be remotely able to clean out a partially sophisticated virus. It's just totally not worth it, then you never have the peace of mind you got rid of all of them.
>
> Man, I'm shocked at the surrender attitude coming from this list. Removing viruses and spyware is possible, and really isn't much more time consuming than a reinstall, and is much less time consuming than a reinstall plus software install plus configuration plus data recovery. (Especially since data back without virus scan makes the reinstall questionable as viruses can hide in apparent data files.)
>
> T
RE: [H] Suggested tools for helping a friend with bad virus infestation
At 04:00 PM 10/02/2006, Christopher Fisk wrote:
> In a business environment, yeah, removal is fine, but as a favor for someone, go the full reinstall route IMO, it's a more sure thing, less gambling on how long it's going to take, and you leave knowing they at least have a backup from that day in case there is a disaster after that. Plus, you can sit down and watch TV while the thing is running the reinstall.

But if you agree that the removal route isn't safe, then how can you guarantee the data?

T
RE: [H] Suggested tools for helping a friend with bad virus infestation
On Fri, 10 Feb 2006, Thane Sherrington (S) wrote:
> At 04:00 PM 10/02/2006, Christopher Fisk wrote:
>> In a business environment, yeah, removal is fine, but as a favor for someone, go the full reinstall route IMO, it's a more sure thing, less gambling on how long it's going to take, and you leave knowing they at least have a backup from that day in case there is a disaster after that. Plus, you can sit down and watch TV while the thing is running the reinstall.
>
> But if you agree that the removal route isn't safe, then how can you guarantee the data?

Because data is data, it's not executed, it's not stored in the registry, it's much easier to verify with virus scanning software. When was the last time you saw a tiff file with a virus?

Christopher Fisk
--
Pop a Poppler in your mouth
When you come to Fishy Joe's
What they're made of is a mystery
Where they come from no one knows
You can pick 'em you can lick 'em you can chew 'em you can stick 'em
If you promise not to sue us you can shove one up your nose.
Re: [H] Suggested tools for helping a friend with bad virus infestation
You have better odds on cleaning the data files than you do cleaning an entire system. Data alone, unaccessed by the programs that facilitate virus delivery, makes the data easier to clean. If you can't see that, time to step back and see the forest through the trees. This is not about making a statement by not giving up and not bowing down to some malware assholes' will, it's about getting the job done right.

Thane Sherrington (S) wrote:
> At 04:00 PM 10/02/2006, Christopher Fisk wrote:
>> In a business environment, yeah, removal is fine, but as a favor for someone, go the full reinstall route IMO, it's a more sure thing, less gambling on how long it's going to take, and you leave knowing they at least have a backup from that day in case there is a disaster after that. Plus, you can sit down and watch TV while the thing is running the reinstall.
>
> But if you agree that the removal route isn't safe, then how can you guarantee the data?
>
> T
Re: [H] Suggested tools for helping a friend with bad virus infestation
At 04:07 PM 10/02/2006, warpmedia wrote:
> One way is now a hit-or-miss hack job, the other the proper solution. It's not an academic exercise, it's a job, there is no reason to spend time and still not be certain you've done the job right.

I am doing the job right. Just because you can't get the time down to a reasonable level to clean a system doesn't mean it's impossible. It just means you haven't figured it out yet.

T
Re: [H] Suggested tools for helping a friend with bad virus infestation
You've got half of the answer. But even if it had a payload, having not been opened with the exploitable program or delivered through a series of steps would mean its payload is not executed and MAY be detectable. In some cases the simple act of how the file was 1st delivered to the PC is the starting domino, and that goes away when you remove the resulting infection by reformatting, restore only the data and scan it. Remember, people, it's not just the payloads that are an issue here, it's the chain of events from delivery to infection. That chain can be broken, making opening the file the only way to restart the chain of events.

Christopher Fisk wrote:
> On Fri, 10 Feb 2006, Thane Sherrington (S) wrote:
>> At 04:00 PM 10/02/2006, Christopher Fisk wrote:
>>> In a business environment, yeah, removal is fine, but as a favor for someone, go the full reinstall route IMO, it's a more sure thing, less gambling on how long it's going to take, and you leave knowing they at least have a backup from that day in case there is a disaster after that. Plus, you can sit down and watch TV while the thing is running the reinstall.
>>
>> But if you agree that the removal route isn't safe, then how can you guarantee the data?
>
> Because data is data, it's not executed, it's not stored in the registry, it's much easier to verify with virus scanning software. When was the last time you saw a tiff file with a virus?
>
> Christopher Fisk
Re: [H] Suggested tools for helping a friend with bad virus infestation
At 04:30 PM 10/02/2006, warpmedia wrote:
> This is not about making a statement by not giving up and not bowing down to some malware assholes' will, it's about getting the job done right.

I am doing the job right. I'm glad that you find reinstallation the best route, but it's not the only route, and I find it isn't the best. If the machine is clean at the end, and the customer has a functional Windows and programs and all their data, it doesn't matter which route you take. I just hate the idea of reinstalling all those apps, creating all the users, and making sure the data is in the right place.

T
RE: [H] Suggested tools for helping a friend with bad virus infestation
At 04:27 PM 10/02/2006, Christopher Fisk wrote:
> Because data is data, it's not executed, it's not stored in the registry, it's much easier to verify with virus scanning software. When was the last time you saw a tiff file with a virus?

What about Word Macros, WMF infections, movie files with embedded code, etc?

T
Re: [H] Suggested tools for helping a friend with bad virus infestation
warpmedia wrote:
> This is not surrender, it's the current state of things. Why go through a process that you can't guarantee? At least if you back up everything, reformat/reinstall, then restore only what is assumed to be data, you're narrowing down the field quite a bit and also removing the potential for a cloaked active or unknown virus. If viruses can hide in apparent data files then using your method there are even more untrusted files to scan/miss, plus the potential for active infection cloaking itself. One way is now a hit-or-miss hack job, the other the proper solution. It's not an academic exercise, it's a job, there is no reason to spend time and still not be certain you've done the job right.

Aren't you liable to carry the virus with you into the backup?

Sam
Re: [H] Suggested tools for helping a friend with bad virus infestation
No, it means you are assuming because you find nothing more, no one has complained yet. Kind of like an AIDS test, just because it's negative doesn't mean a whole lot since it tests for the presence of something. Granted that applies to both surgical cleaning and data-only cleanings, but data only is less risky.

Honestly speaking neither method is the true solution. The true solution is to dump everything including data for fear of unknown infections, but that's just not acceptable since most people don't have one, much less many, backups. Along the same lines, no web server that's been exploited can be trusted until wiped, reinstalled and data restored from backups made before the exploit. Difference is they tend to have the backups and are not trying to pick through an infected store of data.

The worst way to do this is trying to disinfect the whole system. You gonna do what you want to do, but it is certainly more risky than the other two options.

Thane Sherrington (S) wrote:
> At 04:07 PM 10/02/2006, warpmedia wrote:
>> One way is now a hit-or-miss hack job, the other the proper solution. It's not an academic exercise, it's a job, there is no reason to spend time and still not be certain you've done the job right.
>
> I am doing the job right. Just because you can't get the time down to a reasonable level to clean a system doesn't mean it's impossible. It just means you haven't figured it out yet.
>
> T
Re: [H] Suggested tools for helping a friend with bad virus infestation
I've not said it's the only, just that it's better. You can't be SURE it's clean since the executables have been surgically fixed, period. I'm not trying to be an ass T, it's just that you have no way of BEING SURE, so limiting what you need to disinfect IS the better way because you are assuming on a smaller base of files. It seems that the reinstallers are arguing from a less-risk posture and you are arguing from your ego.

Thane Sherrington (S) wrote:
> At 04:30 PM 10/02/2006, warpmedia wrote:
>> This is not about making a statement by not giving up and not bowing down to some malware assholes' will, it's about getting the job done right.
>
> I am doing the job right. I'm glad that you find reinstallation the best route, but it's not the only route, and I find it isn't the best. If the machine is clean at the end, and the customer has a functional Windows and programs and all their data, it doesn't matter which route you take. I just hate the idea of reinstalling all those apps, creating all the users, and making sure the data is in the right place.
>
> T
Re: [H] Suggested tools for helping a friend with bad virus infestation
Yes, but if you are restoring only the data files it's not the same as doing a full restore with the executables, nor is it like how the infected file got there in the 1st place. I've just posted the statement that only wiping everything including data and starting from scratch is known clean, but the worst of 3 methods. Look at it this way:

1. IE is exploited to both drop and execute an infected file on your system.
2. If you only restore the file on a clean system, it would stay inert until you executed it yourself.
3. If you scanned the file now, unfettered by its payload actions, you have a better chance of detecting and cleaning it.

Like I said a few posts back, it's the chain of events before the file, more than the user clicking on the file, causing infections these days.

Sam Franc wrote:
> warpmedia wrote:
>> This is not surrender, it's the current state of things. Why go through a process that you can't guarantee? At least if you back up everything, reformat/reinstall, then restore only what is assumed to be data, you're narrowing down the field quite a bit and also removing the potential for a cloaked active or unknown virus. If viruses can hide in apparent data files then using your method there are even more untrusted files to scan/miss, plus the potential for active infection cloaking itself. One way is now a hit-or-miss hack job, the other the proper solution. It's not an academic exercise, it's a job, there is no reason to spend time and still not be certain you've done the job right.
>
> Aren't you liable to carry the virus with you into the backup?
>
> Sam
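The "back up everything, restore only the non-programs, then scan them" procedure argued for in this thread, and the point above that a restored data file stays inert until something opens it, can be turned into a concrete triage step. The following is an added example and not code from anyone in the thread: it walks a copied profile, judges each file by extension and by its leading bytes, leaves programs behind, quarantines executables wearing a data extension, and flags macro-capable or exploit-prone formats (legacy Office containers, WMF, video) for an AV scan before they go back. The extension allowlist, the verdict names and the sample listing are assumptions made for illustration.

```python
# Added example, not from the original thread: triage a data-only backup before
# restoring it onto a freshly installed machine.
from pathlib import Path

# Assumption: illustrative allowlist of "data" extensions, not a list from the posts.
DATA_EXTENSIONS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".jpeg",
                   ".tif", ".tiff", ".png", ".mp3", ".avi", ".wmf"}
# Data formats that can carry code or trigger a parser bug: scan before restoring.
REVIEW_EXTENSIONS = {".doc", ".xls", ".ppt", ".wmf", ".avi"}
MAGIC = [  # (leading bytes, format name)
    (b"MZ", "pe_executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole_compound"),  # legacy Office container
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"II*\x00", "tiff"),
    (b"MM\x00*", "tiff"),
]
# Header a well-formed file with this extension should carry (used to spot mismatches).
EXPECTED = {".pdf": "pdf", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
            ".tif": "tiff", ".tiff": "tiff", ".doc": "ole_compound",
            ".xls": "ole_compound", ".ppt": "ole_compound"}

def sniff(header: bytes) -> str:
    """Identify a file by its leading bytes instead of trusting the extension."""
    for sig, name in MAGIC:
        if header.startswith(sig):
            return name
    return "unknown"

def triage(path: str, header: bytes) -> str:
    """Return one of: skip, quarantine, review, restore."""
    ext = Path(path).suffix.lower()
    kind = sniff(header)
    if ext not in DATA_EXTENSIONS:
        return "skip"        # program or system file: reinstall from clean media instead
    if kind == "pe_executable":
        return "quarantine"  # data extension on an executable image: a disguise
    if ext in EXPECTED and kind != EXPECTED[ext]:
        return "review"      # header does not match the extension; let the AV look first
    if ext in REVIEW_EXTENSIONS:
        return "review"      # macro-capable or exploit-prone format
    return "restore"

def triage_backup(entries):
    """entries: iterable of (path, leading bytes). Returns {verdict: [paths]}."""
    buckets = {"skip": [], "quarantine": [], "review": [], "restore": []}
    for path, header in entries:
        buckets[triage(path, header)].append(path)
    return buckets

def read_headers(root: str, n: int = 16):
    """Yield (path, leading bytes) for every regular file under a backup directory."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as f:
                yield str(p), f.read(n)

# Constructed sample listing standing in for a copied user profile.
SAMPLE = [
    ("My Documents/resume.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("My Documents/scan.pdf", b"%PDF-1.4\n"),
    ("My Pictures/holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("My Pictures/funny.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),  # .exe renamed to .jpg
    ("Desktop/setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Desktop/notes.txt", b"Shopping list\r\n"),
]
```

On a real backup, `triage_backup(read_headers("/path/to/copied/profile"))` yields the same four buckets; only the "restore" bucket goes straight back, the "review" bucket after an up-to-date scan.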
RE: [H] Suggested tools for helping a friend with bad virus infestation
On Fri, 10 Feb 2006, Thane Sherrington (S) wrote:
> At 04:27 PM 10/02/2006, Christopher Fisk wrote:
>> Because data is data, it's not executed, it's not stored in the registry, it's much easier to verify with virus scanning software. When was the last time you saw a tiff file with a virus?
>
> What about Word Macros, WMF infections, movie files with embedded code, etc?

See many Word macros that couldn't be cleaned from a removable device that could from the machine the macro infected? We're not blindly putting the data back onto the system, we're scanning that, but not worrying about the integrity of the OS because it is known good.

Christopher Fisk
--
The fundamental question is: 'Will I be a successful president when it comes to foreign policy?' I will be, but until I'm the president, it's going to be hard for me to verify that I think I'll be more effective.
George W. Bush, June 27, 2000
Comment made in Wayne, Michigan during the presidential campaign.
Re: [H] Suggested tools for helping a friend with bad virus infestation
At 03:49 PM 2/10/2006, Thane Sherrington (S) typed:
> I am doing the job right. I'm glad that you find reinstallation the best route, but it's not the only route, and I find it isn't the best. If the machine is clean at the end, and the customer has a functional Windows and programs and all their data, it doesn't matter which route you take. I just hate the idea of reinstalling all those apps, creating all the users, and making sure the data is in the right place.

In the past 10 yrs I've had only 2 machines that I couldn't clean well enough; those were machines that lived in the prOn zone. I did re-installs on them at no charge. When I know that they are prOn machines I don't mind socking it to them in the wallet for the cleanup because usually it means that it's going to take a while.

--+--
Wayne D. Johnson
Ashland, OH, USA 44805
http://www.wavijo.com