
Thread: How would you fix a badly infected PC?

  1. #1
    walterbyrd Guest

    How would you fix a badly infected PC?

    Please note: I am not asking about prevention.

    Let's suppose somebody gives you a PC that is loaded with malware, and
    it's your job to fix it.

    What is the fastest, easiest, way to go about it?

    Is there any way to clean the machine without loading any new software
    on it?

    Would it be best to clean the machine without booting the machine
    from the infected drive? For example should the hdd be removed, and
    connected to another PC as a second drive? Or, should you boot from a
    CD, then have a networked computer actually clean the drive? And what
    software would you use to clean the infected drive? Can the process be
    automated?

    Thanks, in advance.


  2. #2
    Crispy Critter Guest

    Re: How would you fix a badly infected PC?

    On 26 Oct 2006 13:43:58 -0700, walterbyrd wrote:

    > Please note: I am not asking about prevention.
    >
    > Let's suppose somebody gives you a PC that is loaded with malware, and
    > it's your job to fix it.
    >
    > What is the fastest, easiest, way to go about it?
    >
    > Is there any way to clean the machine without loading any new software
    > on it?
    >
    > Would it be best to clean the machine without booting the machine
    > from the infected drive? For example should the hdd be removed, and
    > connected to another PC as a second drive? Or, should you boot from a
    > CD, then have a networked computer actually clean the drive? And what
    > software would you use to clean the infected drive? Can the process be
    > automated?
    >
    > Thanks, in advance.


    It's quicker to wipe and reinstall than attempt to fix it. There are people
    who claim they can fix it but IMO they can never be 100% certain the PC is
    completely clean. Wipe and reinstall does.

  3. #3
    David H. Lipman Guest

    Re: How would you fix a badly infected PC?

    From: "Crispy Critter" <not@for.email>


    |
    | It's quicker to wipe and reinstall than attempt to fix it. There are people
    | who claim they can fix it but IMO they can never be 100% certain the PC is
    | completely clean. Wipe and reinstall does.

    If there is important data on that PC you just wiped, you might have a clean PC but data is
    more valuable than time.

    If you are going to make a blanket statement, add backing up the data such as creating a
    Ghost image of the platform PRIOR to wiping the PC.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  4. #4
    David H. Lipman Guest

    Re: How would you fix a badly infected PC?

    From: "Leythos" <void@nowhere.lan>


    |
    | While I agree, the OP didn't mention anything of value on the
    | compromised system, so I didn't address that either.
    |
    | In most cases, while one can save their "data", sometimes the "data"
    | contains the malware in a form that can re-compromise the system.
    |

    Very true. However, one doesn't restore data until anti malware utilities are installed
    using "On Access" scanning. Most malware is found in the Browser caches, TEMP folder,
    "Program Files" and in the OS directory tree.

    Since the malware is NOT installed through the newly installed OS it is not working in the
    OS and as the data is being extracted from the backup it is scanned and will be dealt with
    accordingly by the "On Access" anti malware scanner.

    For example a DOC or PPT file will be scanned and if it is a Trojan Downloader or contains
    a Macro Virus it will be dealt with. One does NOT extract the Browser caches or TEMP
    folders nor the Program Files or Windows trees.

    When one is truly worried about malware that would cause a reload one would be worried about
    reinfection. The fact is the chances of reinfection from a data restore is magnitudes less
    than the chances of being reinfected based upon installing drivers, programs and utilities.
    Additionally reinfection possibilities abound by not securing the system during the
    installation process where exploitations and internet worms have a greater propensity of
    infecting the PC. For example, between the time that WinXP is installed and SP2 is
    installed a SDBot variant worms its way in to the system.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  5. #5
    walterbyrd Guest

    Re: How would you fix a badly infected PC?


    Leythos wrote:

    > Most people don't even come close to the skills necessary to clean a
    > machine without assistance of other software. Cleaning a machine without
    > tools would take longer than a wipe/reinstall.
    >


    I'm sorry if I didn't make myself clear. I did not mean to suggest
    cleaning a PC without any software, I meant not attempting to install
    any new software on the infected hdd. IMO: a possible problem with
    loading new software on a PC that is already infected, is that the
    existing malware may adversely affect that installation of the
    anti-malware software. Of course, if the installation of anti-malware
    software is adversely affected, that would in turn adversely affect the
    attempted malware removal.

    A potential problem with removing malware with a wipe/reinstall is that
    the owner of the PC may not have all the CDs required to re-install
    all of the software. Or, the CDs may be in bad condition. Or, the PC
    owner may have the CDs, but not the registration numbers. I have also
    known people to deliberately hide important data files in program
    directories.

    I think it would be great if there was some super-duper anti-malware
    software that could work over a network to totally clean an infected
    hdd. It would be great, IMO, if I could boot the infected PC from a
    floppy or CD, because I never trust that the malware was removed if the
    malware is running during the malware scan.

    A problem with removing the hdd is that laptops are becoming more
    common than desktops. And hdds are not always easy to remove on
    laptops. Also, removing an hdd may even void a warranty.

    I suppose another possibility would be to use msconfig to make sure
    that only the essential services are started. But I don't know if I can
    totally trust msconfig to do that on an infected machine.
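
An added example, not part of any post in the thread: a sketch of the selective restore described in posts #4 and #5. It sorts a backup file listing into paths to restore (with the on-access scanner running), paths to skip because they sit in the OS, Program Files, TEMP or browser-cache trees, and data files found inside those trees that deserve a manual look. The directory names, extension list and sample paths are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed directory names for the trees the thread says not to restore.
# Adjust them for the machine actually being rebuilt.
EXCLUDED_DIRS = {
    "windows", "winnt",                    # OS directory tree
    "program files", "progra~1",           # long name and 8.3 short name
    "temp",                                # TEMP folders
    "temporary internet files", "cache",   # browser caches
}

# Assumed user-data extensions: a hit inside an excluded tree may be a
# document the owner deliberately kept in a program directory.
DATA_EXTENSIONS = {".doc", ".ppt", ".xls", ".pdf", ".txt", ".jpg", ".mdb", ".pst"}


def classify(path: str) -> str:
    """Return 'restore', 'skip' or 'review' for one path from a backup listing."""
    p = PureWindowsPath(path)  # accepts both \ and / separators
    # Look at directory components only, so a file merely named "temp" passes.
    parents = [part.lower() for part in p.parts[:-1]]
    if not any(part in EXCLUDED_DIRS for part in parents):
        return "restore"   # extracted while the on-access scanner is active
    if p.suffix.lower() in DATA_EXTENSIONS:
        return "review"    # data inside an excluded tree: scan, then decide
    return "skip"


def plan_restore(listing):
    """Group every path in the listing by its classification."""
    plan = {"restore": [], "review": [], "skip": []}
    for path in listing:
        plan[classify(path)].append(path)
    return plan


# Constructed sample listing, not taken from a real machine.
SAMPLE = [
    r"C:\Documents and Settings\walt\My Documents\budget.xls",
    r"C:\Documents and Settings\walt\Desktop\temp",
    r"C:\Documents and Settings\walt\Local Settings\Temp\setup.exe",
    r"C:\Documents and Settings\walt\Local Settings\Temporary Internet Files\Content.IE5\ad[1].htm",
    r"C:\Program Files\SomeApp\notes\tax2005.doc",
    "C:/PROGRA~1/SomeApp/app.exe",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
]

if __name__ == "__main__":
    for bucket, paths in plan_restore(SAMPLE).items():
        print(bucket, len(paths))
```
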


  6. #6
    walterbyrd Guest

    Re: How would you fix a badly infected PC?


    Far Canal wrote:

    > Are you asking a question for the sake of it or do you have a problem
    > that requires fixing? There is no cure all for malware, like there
    > isn't a fix for every trojan or virus. Your childish *what if*
    > questions are pointless.
    >
    > You've been around Usenet for some time - so WTF are you multiposting
    > this all over the place?
    > alt.certification.a-plus
    > alt.comp.virus
    > alt.comp.anti-virus
    > alt.privacy.spyware


    Why do you have such a bug up your butt? My question was neither
    childish, nor pointless. I happen to know that malware infected PCs are
    very common. I am often tasked with cleaning such machines (as are many
    people who work with PCs). The question is entirely relevant, and
    appropriate, where I have posted it.

    Yes, I posted to all of four different groups. So what? I did that
    because not every person reads every group. I wanted an answer, or at
    least a discussion, so naturally I want to reach as wide a group as
    possible. I only posted to groups where I thought the question was
    appropriate.

    Sorry to have put you into such a snit, and caused you to go into such
    a hissy-fit.


  7. #7
    walterbyrd Guest

    Re: How would you fix a badly infected PC?


    Leythos wrote:

    > I addressed what you wrote - this expansion of the requirement changes
    > what I would have suggested, to a point, but, not as for how to ensure
    > the machine is clean.
    >


    Yes, you addressed what I wrote. If somebody asked how to unjam a
    printer, you could suggest they drop a nuclear bomb on their house.
    That would indeed address the question. But, some might suggest that it
    is only common sense that people want to keep their software
    applications, and data, and keep their houses - and towns

    Yeah, I know, I'm just a dumb-ass, I'm also a smart-ass.

    Anyway, what is Multi_AV? Also, when a PC is booted from a cdrom,
    aren't you limited with what you can do? It would be difficult to keep
    up-to-date .DATs on a cdrom.

    Somebody on another board suggested using an external USB drive. I'm
    not sure if all PCs will boot from an external USB drive, but if you
    could, that may be the way to go. As I remember, Symantec will not
    install on a USB drive - or at least not the personal edition. But,
    frankly, I'm beginning to feel that Symantec sucks anyway.


  8. #8
    Todd H. Guest

    Re: How would you fix a badly infected PC?

    "walterbyrd" <walterbyrd@iname.com> writes:

    > Yes, I posted to all of four different groups. So what? I did that
    > because not every person reads every group.


    What you're missing is the distinction between multiposting (highly
    annoying) vs cross-posting (moderately annoying to some because
    sometimes it drags flame prone group antics into otherwise happy
    groups, but cross-posting is often appropriate if several groups do
    apply to a given discussion).

    You should've crossposted, if anything.

    > I wanted an answer, or at least a discussion, so naturally I want to
    > reach as wide a group as possible. I only posted to groups where I
    > thought the question was appropriate.


    This harkens to the classic question of "How can I choose what groups
    to post in?" in this:
    http://www.faqs.org/faqs/usenet/emily-postnews/part1/

    > Sorry to have put you into such a snit, and caused you to go into
    > such a hissy-fit.


    Crossposting to those groups would've achieved your goal.

    Multiposting is lame because if I'm subscribed to all those groups I
    need to read your message 4 times rather than just once (since my news
    reader will mark the article read when I read it in the first group I
    visit). It's also lame because in a multipost scenario, the replies
    to your posts are scattered all over hell instead of being contained
    to one nice coherent thread that allows everyone to benefit (or
    suffer, depending on who responds and how).

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  9. #9
    Mister Guest

    Re: How would you fix a badly infected PC?

    Normally I would just let this go, but...
    Far Canal reminds me of the tough guy who wants to beat up the loud
    guy at a party, instead of just ignoring him. While the loud guy may
    be annoying, he is completely harmless, much like the question that
    was asked.
    Instead of just ignoring the question, you had to brush up on your
    language skills and reply with an ignorant response. I will probably
    get a similar ignorant, if not stupid response to my post as well from
    you.
    In any case, I think I will ask a so called "stupid question" on a
    weekly basis and multipost it just to annoy you.

    Question #1:
    How much will 16K of conventional memory cost?


    On Fri, 27 Oct 2006 03:52:44 +0100, Far Canal <me@privacy.net> wrote:

    >walterbyrd wrote
    >
    >>
    >> Far Canal wrote:
    >>
    >> > Are you asking a question for the sake of it or do you have a problem
    >> > that requires fixing? There is no cure all for malware, like there
    >> > isn't a fix for every trojan or virus. Your childish *what if*
    >> > questions are pointless.
    >> >
    >> > You've been around Usenet for some time - so WTF are you multiposting
    >> > this all over the place?
    >> > alt.certification.a-plus
    >> > alt.comp.virus
    >> > alt.comp.anti-virus
    >> > alt.privacy.spyware

    >>
    >> Why do you have such a bug up your butt? My question was neither
    >> childish, nor pointless. I happen to know that malware infected PCs are
    >> very common. I am often tasked with cleaning such machines (as are many
    >> people who work with PCs). The question is entirely relevant, and
    >> appropriate, where I have posted it.

    >
    >It's very apparent you've learned jack **** from what little work you've
    >done.
    >
    >
    >> Yes, I posted to all of four different groups. So what? I did that
    >> because not every person reads every group. I wanted an answer, or at
    >> least a discussion, so naturally I want to reach as wide a group as
    >> possible. I only posted to groups where I thought the question was
    >> appropriate.

    >
    >Instead of being a ****wit in one group, you've gone for the jackpot in
    >4 groups. Multiposting is ignorant and ****ing stupid.
    >
    >
    >> Sorry to have put you into such a snit, and caused you to go into such
    >> a hissy-fit.
    >>
    >>


  10. #10
    pcbutts1 Guest

    Re: How would you fix a badly infected PC?

    You really should ignore Leythos; his fix for everything is a wipe and
    reload. There has never been a system that I could not totally clean of
    malware using the free tools that are available. Start with Avast let it
    update then tell it to run a boot-time scan. When done reboot in safe mode
    then install your anti-malware software and run it. Disable system restore,
    reboot in normal mode and run the scans again.

    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    NEW Embedded system W/Linux. We now sell DVR cards.
    See it all at http://www.seedsv.com/products.htm
    Sharpvision simply the best http://www.seedsv.com



    "walterbyrd" <walterbyrd@iname.com> wrote in message
    news:1161914652.858559.18490@b28g2000cwb.googlegroups.com...
    >
    > Leythos wrote:
    >
    >> I addressed what you wrote - this expansion of the requirement changes
    >> what I would have suggested, to a point, but, not as for how to ensure
    >> the machine is clean.
    >>

    >
    > Yes, you addressed what I wrote. If somebody asked how to unjam a
    > printer, you could suggest they drop a nuclear bomb on their house.
    > That would indeed address the question. But, some might suggest that it
    > is only common sense that people want to keep their software
    > applications, and data, and keep their houses - and towns
    >
    > Yeah, I know, I'm just a dumb-ass, I'm also a smart-ass.
    >
    > Anyway, what is Multi_AV? Also, when a PC is booted from a cdrom,
    > aren't you limited with what you can do? It would be difficult to keep
    > up-to-date .DATs on a cdrom.
    >
    > Somebody on another board suggested using an external USB drive. I'm
    > not sure if all PCs will boot from an external USB drive, but if you
    > could, that may be the way to go. As I remember, Symantec will not
    > install on a USB drive - or at least not the personal edition. But,
    > frankly, I'm beginning to feel that Symantec sucks anyway.
    >



