Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older H...


Just what the title says.  Do you really feel good using a PC you have
disinfected?  Don't you feel better with a known PC that never had a
virus?  Do you eat your own cooking?

BTW while this was my first Windows virus in a long while, I still
have confidence in Windows and would never switch to Linux--not worth
the loss of functionality.

RL


Thanks FromTheRafters.  Using a stand alone CD provided (downloaded
from) by Kaspersky, running under Linux, which is ironic for a Windows
user like me but understandable (as you want to find rootkits), the
Kaspersky CD found an infection by "trojan-downloader.Win32.Agent.
{RANDOM FOUR LETTERS ADDED AT END}".  Once I removed this (using the
same CD) I no longer get reboots. Problem solved.

Question:  should I do a clean reinstall and/or reinstall from a month
ago when my system was known to be clean?  Or can I trust Kaspersky
has removed this trojan?

My thoughts:  I like doing a clean reinstall once in a while since you
get rid of junk programs that the Revo uninstaller (an excellent
program I use) or Windows Uninstall failed to completely remove.  On
the other hand, why go through the several hours if not half a day's
worth of work to reinstall from a clean slate?

I'm leaning towards uninstall as well as changing passwords on all
online accounts in case this trojan was a keyboard logger (I don't
think it is--but there are so many variants of this trojan it's hard to
tell what it does).

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?

RayLopez99 wrote:


You really expected anyone to reply when you deliberately choose to
include some advocacy newsgroup.  What does disinfecting an HDD have to
do with proselytizing your personal choice for an OS?  The other groups
to which you posted are OS-agnostic.  There was no need to include an
unrelated and off-topic newsgroup.  Don't cross-post to flame-bent
newsgroups unless you want to get ignored by many potential respondents
including inhabitants in the other non-flame newsgroups.

NOTE:
The flame[d] group deliberately added by the OP was omitted in my reply.


I do *if* I have diligently cleaned the PC so I know it's clean.  If you
have to question the state of your host then you also question whether
or not the tools or methods you used were thorough.


Depends on how long it takes to eradicate the pest.  Since I can do
flatten and rebuild of the OS and apps in about 3 days (assuming I don't
trust my image backups to be malware free), I don't spend more than that
amount of time to clean the pest from the host.  Once you spend a day
working on eradication, you'll have some idea of how much more time it
will take.  Don't keep pushing for a clean when you see that it'll take
less time to flatten and rebuild.


Oh, and that's why you cross-posted to a Linux advocacy group so you
could generate a flame over there.  Uh huh.


How do you know when your computer got infected?  How do you know your
backups (not described here) are clean?  Just because the effects of
malware didn't become present until later doesn't mean the pest isn't
lurking in your backups.  Once you restore, you'll have to go through
the entire process of verifying the restoration is also clean.  

If you don't trust Kaspersky (and other security tools you should also
use and not just rely on one product) then why bother with the
disinfection?  If you didn't figure the tool(s) you used for pest
eradication would work, why didn't you go the "flatten and rebuild" or
reimage route?


Revo Uninstaller is of value only for their hardcoded list of known apps
that they recorded in their program to perform an uninstall of those
apps.  Unless you pay for the product, you do not get their install
monitor.  That means it cannot do much about programs they haven't
included in their known apps table.  If you buy the product then you get
their install monitor (provided you trigger it to monitor an
installation).  Zsoft Uninstaller is free.  It doesn't have a real-time
install monitor but instead takes a snapshot of your host before an
install, you do the install, and then compares the state of the host
after the install with the prior snapshot that it took to log the
changes (so you can undo them later).  You use the Add/Remove Programs
applet to uninstall the unwanted program and then use Zsoft Uninstaller
to remove the remnants.

We don't know what type of "backups" you have.  You might only have
logical file backups: the files get saved into a backup file stored
somewhere so a restore simply replaces that file back in the existing
file system on the HDD.  If you are doing image backups of partitions
then restoring them can come close to replicating a prior state of the
HDD.  Some imaging programs are logical structured which means they
restore but use the clusters in order versus a sector-by-sector image
that puts the exact image back onto the HDD (but is larger than a
logical image because even the unused sectors [unused by the file system
for the OS, that is, but not necessarily unused by apps] are included in
a sector-by-sector image).  A file backup won't necessarily eradicate a
pest versus an image backup of a partition - assuming the backup is
itself clean.

Takes me only an hour to restore my C: drive (the OS partition) from
backups saved on HDDs but then I only have 35GB currently occupying that
partition.  Don't know what type of backups you are saving, what program
you use, how it is configured, what you use for the storage media on
which the backups are stored, or the size of your backups (i.e., how
much space is consumed on the HDD in the backed up partition and how
much of it you include in your backups).


So what OTHER security tools have you used to scan your HDD to engender
a higher level of trust by you that it is clean?  One tool is not
sufficient.  One tool will have gaps which you hope to avoid by
overlapping the use of multiple tools (not all of which are concurrently
resident since they may conflict with each other, but which you use as manual
scanners to increase your trust level).

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?


It depends on what I found on the machine. for example, while messing
around with a malware sample a couple of years ago; it got loose. I
thought I cleaned everything up, but it did patch a few critical dll
files on me.

Once I replaced them with hash'd known good ones, the issue was
resolved. So for this case, reinstalling Windows, then the apps, then
configuration of everything (which for this machine, is a lot! of
software)... disinfection was the better choice. I have every folder's
contents hash'd and stored on read only media, so I can boot bart
anytime and replace bad/modded files.

IE: I took the time to do the prep work so I can recover from any
situation that might present itself.

That and the box is happily imaged via ghost to an external HD and
across the lan to the server.
 

Did you actually have a virus or something else, Ray?
 

--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?


Wow man, how do you do something like that?  I've hash'd a single file
using some freeware tool but to hash every file in a HD must require
some proprietary software I would imagine.  I think Microsoft should
do that for all system files:  have a dictionary of known good hashes
and compare any changes to that dictionary, and at least warn the user
if these critical system file hashes change.


Yes Kaspersky recognized it as Trojan-Downloader.Win32.Agent.  This
Kaspersky was on a Linux DVD and run at boot time.  Caught and removed
the virus, no more sudden reboots after that, but being paranoid I
went ahead and did a complete flatten and rebuild of my system (and
still doing it as we speak--I took a break just now to post here).


Did you kill somebody?  Or just .killfile them? At least you're past
your unsanitary hand problem. ;-)

RL
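The file-hash baseline described two posts up (hash every folder's contents, keep the results file on read-only media, compare later to find patched DLLs), the "dictionary of known good hashes" wished for in the post above, and the snapshot-before/compare-after approach attributed to Zsoft Uninstaller earlier in the thread are all the same snapshot-and-compare idea. Here is an added example in Python, not the poster's own app nor any product's code: it builds a SHA-256 baseline of a directory tree, stores it as JSON, and later reports modified, added and missing files. The sample tree, file names and contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=65536):
    # Hash in chunks so large binaries never have to fit in memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result

def save_baseline(snap, path):
    """Write the baseline as JSON; in practice keep it on read-only media, off the host."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)

def compare(baseline, current):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample: a tiny 'system32' tree is baselined, then tampered with."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    for name, data in (("good.dll", b"original library bytes"), ("other.dll", b"untouched")):
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(data)
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")  # stored off the tree
    save_baseline(snapshot(root), baseline_path)
    # Simulate what the post describes: one DLL patched, one file dropped, one removed.
    with open(os.path.join(sysdir, "good.dll"), "wb") as f:
        f.write(b"patched library bytes")
    with open(os.path.join(sysdir, "dropped.exe"), "wb") as f:
        f.write(b"new file")
    os.remove(os.path.join(sysdir, "other.dll"))
    with open(baseline_path) as f:
        return compare(json.load(f), snapshot(root))
```

Run `snapshot()` over a known-clean tree right after installation and again after a scare; a non-empty "modified" list under the OS directory is the signal that a file was patched in place.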

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?



I wrote a small app to do it... shrug.. it's a geeky thing. Sadly,
after writing my own, I found one already existed! LOL. by pure luck
tho, they're compatible. IE: my results file is readable by theirs and
vice versa.
 

That's a generic definition for a trojan. Not strictly viral. :)
 

It's Sully Erna's song from his single album Avalon; Sinner's prayer.
The lead singer of Godsmack.



WinTroll: Stupid question to post to a Linux group (was: disinfected)

Dopez wrote:
The proper way to disinfect a PC
is to overwrite the Windoze partition with a Linux install.

"Disinfecting" includes getting rid of your easily-infected toy OS
and its easily-infected toy M$ filesystems.

Barring that,
overwrite ALL of the drives containing Windoze filesystems.
DBAN has been pointed out to you before
as has the Linux dd command.

Other than overwriting EVERYTHING that uses M$ "technology",
there is no other way to be sure
that you have gotten ALL the infections off a Windoze system.
(aka "Nuke it from orbit; it's the only way to be sure.")

Fantasy.
You can NEVER be sure
that a Windoze box DOESN'T have an infection.
All you can know is that the anti-whatever app THAT YOU RAN
didn't find anything at the time you ran it.

The Black Hats are smarter than
your AV vendor and the M$ "designers" combined.

...and the Easter Bunny and Santa Claus.

...yet you post your mindless Windoze drivel to a Linux group.
Loser.

Re: WinTroll: Stupid question to post to a Linux group (was: disinfected)


Oh, yes, you're the shithead that pointed out DBAN to me.  Got news
for you pal:  I tried DBAN, but since the MBR was corrupted, it (and
for that matter Acronis Disk Manager) refused to see the internal HD
on boot.  Solution?  Easy, just reinstall Windows (which has a format
command--I guess a "quick" format but still a format, on initial
installation), install Acronis, and then use Acronis (just to be extra
safe) to reformat, then install Windows again, and proceed.

"THANKS" --for nothing, you know-nothing.


Ha ha ha.  Thanks for the comedy, shithead.  I can tell you've not got
any money and living off mommy.

RL

Re: WinTroll: Stupid question to post to a Linux group (was: disinfected)

JeffM wrote:


I nominate this as post of the day.


Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?

RayLopez99 wrote:

I am writing this response from a computer, which had about 3 types of
viri removed from it in the last 7 years.
Never had to re-install XP.
Never needed the disk image copies I have on a backup disk.
So yes, I am feeling fine about using this computer.

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?


You are very brave, or very knowledgeable, or maybe both.

Good to you.

RL

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?




No you didn't - there is no such thing in relation to computer malware.

http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html
http://en.wikipedia.org/wiki/Plural_of_virus#Virus


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?


Dave--sorry for the previous insults directed to you by me, please
ignore them buddy; forgive and forget.

So Dave tell me:  when you surf the web via Linux using say VMWare,
and you don't password protect your 'root' (Sudo I think they call
it), nor run a firewall (except the hardware firewall you have), nor
run any anti-virus program in Linux, is it possible for evil hackers
to compromise your Windows 7 PC via the Linux VMWare portion?

Thanks in advance, your online friend,

Ray

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?


On 08/20/2011 01:55 PM, RayLopez99 wrote:

Let's see. First someone has to crack the Linux by getting the user to
install some software as root, which installs a back door - not likely.
For automatic infestation of Windows 7 that VMware Linux virtual machine
should contain some Linux trojan which would be able to use for example
shared folders or samba to compromise the Windows 7 host - yet again unlikely.

So practically no way.







--
Kari Laine

PICs, Displays,Relays - USB-SPI-I2C http://www.byvac.com
USB and FPGA boards  http://www.ztex.de
I am just a happy customer

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?



First scenario fairly easy I would think...

Second scenario I agree "not likely" because Windows 7 host is on
guard for those tricks (I hope).  But I can see, given time, perhaps
somebody coming up with a way for Linux to infect Windows when the
latter is hosting the former in a virtual machine.

Now *THERE'S* payback:  Linux infecting Windows! LOL

RL

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?


On 08/19/2011 05:01 AM, Sjouke Burry wrote:

How many executable files does a pristine Windows XP contain? Well, quite many.

Then you have installed other software on it.

That means millions of places a virus or a trojan can hide itself. They
can even install themselves so that traditional anti-virus programs do
not see them.

Security experts (which I am not) have a very clear message. If the machine
is infected - reinstall. It is a fact that an infected machine can never be
trusted.






--
Kari Laine

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?

Kari Laine wrote:

It depends upon what was there. It is overkill to flatten and rebuild
over discovering some lame trojan.


Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?


   If it is "overkill" then the OS is not very maintainable.

   The process of flattening and rebuilding should not be terribly bothersome.

   ...and yes such severity is warranted. Anything less is gross negligence.

--
     These Mac Fanboys want vi imposed on everyone.                   |||
                                                                     / | \

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?

JEDIDIAH wrote:
I disagree with the first statement, agree with the second, and disagree
with the third.

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?

JEDIDIAH wrote:
You Linux guys are all alike:
You think everything should be *easy*.  8-)

If you have ONE infection on your Windoze box,
you likely have MORE.
If you can't be bothered to scrape it clean and start over,
don't EVER connect that thing back to a network;
I'm tired of seeing the backscatter from your pwned spambot box.

Re: Would you continue using a HD you disinfected--or do a clean reinstall or Ghost an older HD image?



Folks, there are a few COLA "advocates" here. Don't let their total
ignorance bring you down.
