

Infected PC question


3 replies to this topic

#1 stufoo

stufoo

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:02 PM

Posted 08 August 2012 - 06:23 PM

I have noticed that it is recommended to back up your data before running many of the virus/malware removal tools...Wouldn't this be possibly backing up infected files that would bring the virus/malware back to your PC after it has been cleaned?

I am support for an enterprise atmosphere with over 18,000 employees statewide and recently several PCs have scanned and come up with Zero Access.....the instructions from higher up direct us to pull the PC, run Malwarebytes and Stinger and if it persists we are to scrub it and reimage it without any data restore. I am dealing with a user whose PC is the sole source for many years of data and photos that support her position...needless to say she was not happy about losing her data and I could not get her to understand the damage this security breach could possibly inflict on our network. Due to her reaction I have been directed to run ComboFix and once I am able to remove ZeroAccess and any others from the machine, I will be permitted to copy the photos only to removable storage which I will have to send to our head of security to test and verify the safety of the files.

That being said, I am curious as to whether the files will be clean and free of infection. Any information is welcome; the more I read, it seems, the more questions I have. Thanks.....stufoo


Mod Edit:moved to more appropriate forum.
AntiVirus, Firewall and Privacy Products and Protection Methods
~~boopme

Edited by boopme, 08 August 2012 - 06:35 PM.




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:02 AM

Posted 08 August 2012 - 08:40 PM

I am support for an enterprise atmosphere with over 18,000 employees statewide << Then you should know this answer already -
Hi -
I think the "General Statement" applies to keeping important data so you do not lose everything with some tools used.

She should be able to download any personal data to CD, USB stick, or DVD and remove it from the computer where they can be scanned
Your MBAM Company License will first be able to allow you to scan these files internally and see if any infections are reported there without deletion

Remember that you are only removing the infection from an isolated computer, and "Scrubbing" is not required to remove the infection.
Just remove the computer and run the required tools, then return it - Otherwise you may as well scrub all the linked computers on the company system

Sounds like you are dealing with a department head, and the clean of just one computer should not take an Expert like you very long at all -

Thank You -


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,098 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:02 PM

Posted 09 August 2012 - 06:29 AM

I think the "General Statement" applies to keeping important data so you do not lose everything with some tools used.

That is correct.

If your computer has been infected with malware and you need to back up data to transfer to another computer, you can back up all your important documents, personal data files, photos, music, videos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable or there isn't one installed, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,754 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:02 PM

Posted 10 August 2012 - 01:58 AM

To add to the extension list provided by quietman7, I recommend you also exclude the following extensions from your backup:

BAT: Batch File
CMD: Windows Command
COM: DOS Command File
HTA: HTML Application
MSI: Windows Installer File
PIF: Program Information File

And you should also check that the malware found on this machine doesn't infect MS Office documents with macros (.DOC, .XLS, .PPT, ...).

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
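The advice in quietman7's and Didier Stevens' replies can be turned into a backup triage script: walk the user's data, copy only plain data files, skip the extensions both posts list, catch the double-extension and padded-name tricks quietman7 describes, look inside .zip archives for executables, and set macro-capable Office documents aside for review. The following is an added example written for this thread, not code from either poster; the extension sets are taken from their posts, the sample file tree is constructed, and .cab/.rar archives are only flagged for manual review because the Python standard library cannot list them.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Extensions the thread says not to back up: quietman7's list plus Didier Stevens' additions.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".ini", ".htm", ".html", ".php", ".asp", ".xml",
    ".bat", ".cmd", ".com", ".hta", ".msi", ".pif",
}
# Compressed formats that may carry executables inside them.
ARCHIVE_EXTENSIONS = {".zip", ".cab", ".rar"}
# Office formats that can carry macros; flagged for review rather than copied blindly.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".xls", ".ppt"}
# Whitespace padding between a decoy extension and the real one, e.g. "holiday.jpg   .exe".
PADDED_EXTENSION = re.compile(r"\s+\.[^.\s]+$")


def suffixes_of(name: str) -> list:
    """Every dot-separated suffix of a file name, lower-cased and whitespace-stripped."""
    base = os.path.basename(name).lstrip(".")
    return ["." + p.strip().lower() for p in base.split(".")[1:] if p.strip()]


def final_suffix(name: str) -> str:
    parts = suffixes_of(name)
    return parts[-1] if parts else ""


def zip_members_with_blocked_extension(data: bytes) -> list:
    """Names of ZIP members whose real extension is on the blocked list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if final_suffix(m) in BLOCKED_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def classify(name: str, data: Optional[bytes] = None) -> tuple:
    """Decide whether one file goes onto the backup media: ("copy"|"skip"|"review", reason).

    `data` is the file content; it is only consulted for .zip files so the members can be checked.
    """
    suffixes = suffixes_of(name)
    if not suffixes:
        return ("review", "no extension; confirm the real type before copying")
    last = suffixes[-1]
    if last in BLOCKED_EXTENSIONS:
        # A blocked extension behind a decoy one (photo.jpg.exe, "photo.jpg   .exe") is a disguised executable.
        if len(suffixes) > 1 or PADDED_EXTENSION.search(name):
            return ("skip", f"decoy name, real extension is {last}")
        return ("skip", f"blocked extension {last}")
    if last in ARCHIVE_EXTENSIONS:
        if last == ".zip" and data is not None:
            bad = zip_members_with_blocked_extension(data)
            if bad:
                return ("skip", "archive contains " + ", ".join(bad))
            return ("copy", "archive holds no executables")
        return ("review", f"{last} archive not inspected; list its contents before copying")
    if last in MACRO_CAPABLE_EXTENSIONS:
        return ("review", f"{last} may carry macros; scan before copying")
    return ("copy", f"data file {last}")


def plan_backup(root: Path) -> dict:
    """Walk `root` and sort every file into copy / skip / review, each with a reason."""
    plan = {"copy": [], "skip": [], "review": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes() if final_suffix(path.name) == ".zip" else None
        verdict, reason = classify(path.name, data)
        plan[verdict].append((path.relative_to(root).as_posix(), reason))
    return plan


def build_sample_tree(root: Path) -> None:
    """Constructed sample of a user profile after an infection (not real data)."""
    (root / "Photos").mkdir()
    (root / "Photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff")            # JPEG magic bytes
    (root / "Photos" / "holiday.jpg   .exe").write_bytes(b"MZ")            # padded decoy name
    (root / "notes.txt.scr").write_bytes(b"MZ")                            # double extension
    (root / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0")                 # macro-capable document
    (root / "autorun.ini").write_text("[autorun]\nopen=setup.exe\n")       # blocked extension
    with_exe, clean = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(with_exe, "w") as zf:                             # archive hiding an executable
        zf.writestr("invoices/jan.pdf", b"%PDF-1.4")
        zf.writestr("invoices/viewer.exe", b"MZ")
    with zipfile.ZipFile(clean, "w") as zf:                                # archive with data only
        zf.writestr("scan1.pdf", b"%PDF-1.4")
    (root / "archive.zip").write_bytes(with_exe.getvalue())
    (root / "scans.zip").write_bytes(clean.getvalue())


def demo_plan() -> dict:
    """Build the constructed tree in a temporary directory and return {verdict: {relpath: reason}}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        plan = plan_backup(root)
    return {verdict: dict(entries) for verdict, entries in plan.items()}


if __name__ == "__main__":
    for verdict, entries in demo_plan().items():
        for rel, reason in entries.items():
            print(f"{verdict:6} {rel:28} {reason}")
```

The "review" bucket is deliberate: files with no extension, .cab/.rar archives and macro-capable documents are neither copied nor discarded automatically, but handed to whoever scans the media afterwards, which matches the workflow the original poster describes (copy to removable storage, then have security verify it).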




