
Malware, viruses and computers


17 replies to this topic

#1 scotty_ncc1701
  • Members
  • 520 posts

Posted 11 June 2014 - 05:38 PM

I know that the opinions on how to handle computer virus infections number very, very high, probably as much as the number of computer users in the world.  But as I've said before, I've been malware, virus and hack free since the fall of 1995.  Since I was infected in the fall of 1995, I've taken a very aggressive approach to protecting my computer, and my wife's computer.

Over the years when I've helped many, many friends and family members, at the minimum with their systems, one thing was always true... even after the infection was supposedly cleaned, the computer(s) still didn't work as well as they did before the infection.  Despite the efforts of AVAST, Comodo, Norton, etc., there is absolutely no way they will, or can, guarantee that all changes made to your system by malware, viruses, etc. are completely gone.

So each time I helped a FRIEND OR FAMILY MEMBER clean their system(s), my three basic rules were clear:

1.  If they didn't reset their system back to factory specs, and rebuild the computer, they were on their own; I wouldn't help them again.

2.  If after the rebuild happened, they started to turn off security stuff (e.g. Firefox addons, firewall, etc), even just one item, they were on their own; I wouldn't help them again.

3.  If the suspected program causing the infection(s) was known (e.g. downloaded install file), they had to:
3.1.  Securely wipe the program off their computer; and
3.2.  Never use the program again.
3.3.  If they didn't, they were on their own; I wouldn't help them again.

It's as simple as this: I was helping them free of charge, so as the old saying goes, "It's my way, or the highway"!

IT IS MY OPINION, that if anyone gets a virus, a system reset is necessary.  This is because, as I said above, there is no way to ensure that the computer system is 100% back to its pre-infection state.

Have a great day!

#2 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 13,246 posts
  • Location:127.0.0.1 Australia

Posted 11 June 2014 - 05:48 PM

 

IT IS MY OPINION, that if anyone gets a virus, a system reset is necessary.

I bet the Malware Removal Team would beg to differ.  It would also depend on the type of infection.  Would love to see what the trained Malware Removal Team says.


Edited by NickAu1, 11 June 2014 - 09:46 PM.

Arch Linux.
Come join the fun, chat to Bleeping computer members and staff in real time on Discord: The BleepingComputer Official Discord Chat Server!


#3 scotty_ncc1701
  • Topic Starter
  • Members
  • 520 posts

Posted 11 June 2014 - 06:17 PM

I have no doubt that there will be differences of opinion, which is fine, because it makes the world go around.

But, the point still remains, that there is no way, with 100% assurance, that everything is/was removed, beyond the shadow of a doubt.

IT ALL COMES DOWN TO ONE THING, AND ONE THING ONLY: it's better to be safe, than sorry!

Have a good day!



#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,470 posts
  • Location:Virginia, USA

Posted 11 June 2014 - 09:19 PM

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans, Remote Access Trojans, Botnets, IRCBots and rootkits. These types of infections are dangerous because they not only compromise system integrity, they have the ability to download even more malicious files. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They are used by backdoor Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker.

Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces of the malware will be removed as they may not find all the remnants or correct all the damage. This means infections will vary and some will cause more harm to your system than others.

Many experts in the security community believe that once infected with such malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


If a system is infected with a polymorphic file infector there is no guarantee the infection can be completely removed. File infectors can cause so much damage to critical system files that they cannot be completely cleaned or repaired. Infectors like Virut also create non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-virus scanners cannot disinfect them properly because there are bugs in the viral code. When disinfection is attempted, the files become corrupted and the system may become irreparable. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, file infections are known to have IRCBot functionality which opens a back door that compromises your computer and there is no way to be sure it can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Since many file infectors are not effectively disinfectable, your best option is to perform a full reformat and reinstall the operating system. This is what security expert miekiemoes has to say:

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

Virut and other File infectors - Throwing in the Towel?

However, members of our Malware Response Team (MRT) do their best to help folks remove serious infections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 13,246 posts
  • Location:127.0.0.1 Australia

Posted 11 June 2014 - 09:53 PM

 

However, members of our Malware Response Team (MRT) do their best to help folks remove serious infections.

They do a great job. Hats off to all the team and thank you for your hard work.

 

 

It would also depend on the type of infection

In my opinion.

I used to have a bunch of those silly "Screen Melt" and "Shut down a pc" type of viruses that friends and I used to send each other for fun.

 

PS.

I am not arguing or being disrespectful, I am trying to learn.


Edited by NickAu1, 11 June 2014 - 10:13 PM.



#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,470 posts
  • Location:Virginia, USA

Posted 12 June 2014 - 06:04 AM

It would also depend on the type of infection

In my opinion.

That is the opinion of many experts.

#7 Scoop8
  • Members
  • 326 posts
  • Location:Dallas TX

Posted 13 June 2014 - 09:24 AM

scotty

 

Thanks for the thread, interesting reading.  This is a topic that I've been reading about recently, ie, sanitizing an infected HDD, recovering from malicious content without the use of malware-removal experts.


That's an amazing track record, since 1995 :).  My batting average isn't even at "AAA" level compared to your major league stats :).

 

On average, I've been affected by some kind of unwanted intrusions about once every 1.5 years or so since my home 'net use began in 2004 but the rate has declined.  The last occurrence was in Nov 2012, an "FBI" malware variant. 


One thing that I've seen with my own experiences with malicious intrusions, is that sometimes things happen even when exercising the usual cautious practices, ie, no e-mail attachment openings, no suspicious 'net site visits, etc.


The last time, with the FBI screen ransomware, I was at a reputable site which I've visited twice-daily for years.  I'm guessing that the intrusion penetrated my AV defenses via a 3rd-party ad route but that's just a guess.


The point is, I was careful but still got hit by an intrusion.  Fortunately, by that time, I had been cloning and imaging on a periodic basis.  I removed my original "C" HDD and installed the cloned spare and was running normally in minutes.  I later booted up on "Gparted" (HDD utility tool) and removed the partitions from the affected HDD and recloned back to it from the spare HDD.  After testing the previously-infected HDD (booted up and ran on it a while), I returned it to service as a cloned spare HDD.


Since then, I've read more about a few instances where a rootkit or other difficult-to-remove malicious object can sometimes survive a standard format, and in less frequent incidences, removing partitions on the HDD.


Due to that, I read more about the topic so as to have a couple of alternative plans in the event that future HDD sanitizing is required.


Fortunately, from what I've read here and elsewhere, BIOS/firmware/CMOS intrusions are rare.  I've been curious about UEFI PCs, i.e., Windows 8[.1], GPT HDDs vs MBRs and how that's working for Win 8 members here and elsewhere.  I haven't looked into that much yet since I'm running Win 7 on my PCs but a friend has asked me to check it out so I'm starting to do that.


I want to be clear; I think the malware-removal experts serve a very valuable avenue of recovery for many PC users.  My approach is just a personal choice that I want to learn about, to be able to recover locally without seeking assistance.


My nephew, years ago, mentioned the same thing that quietman7 referenced in his post, the part about recommending a HDD clean and reinstall in the event of malicious infections, or to be more specific, a rootkit or one of the more difficult types of malicious intrusions into one's HDD.


Since I don't like to reinstall :) (who does), reload all programs, etc, I chose to pursue and learn the cloning/imaging scene.


I've recovered twice over the years with this method so I guess it's "so far, so good" for now.


I realize that it may not be a cure-all, in the event that I have an unknown dormant infection that may have a delayed-trigger mechanism included in the code.

 

Since that's a possibility, although from what I've read, rare, I have several full-HDD images stored on a disconnected HDD with the images taken over several months' time.

 

To summarize my thoughts about this, it would seem that there are 2 main points that need to be known:


- Are the malicious intrusion[s] confined to the HDD?  In other words, are the BIOS/Video Card BIOS/CMOS EEProm components of the PC affected?  From everything I can find to read about this specific concern, those incidents seem to be very rare.

 

- If the HDD alone is affected, then one would need to formulate a plan for restoring the affected HDD to clean operational status as the cloned backup HDD.

 

That may be accomplished by several methods, i.e., secure-erase utilities.  I've used the "Diskpart" utility within CMD to run the "clean" command which marks all content for deletion, including any hidden partitions ("HPA"s).

 

Diskpart also provides a one-pass secure erase command "clean all" .  The CMD prompt can be accessed via a Windows System Repair CD.

 

If the PC user is maintaining a periodic full-HDD Imaging or Cloning schedule, it would seem to me that a HDD (OS) reinstall shouldn't be required to recover from malicious intrusions.


In the rare event of any firmware infections, there are also some things that can be tried to restore the PC's functionality.

 

Thanks to member TsVk! for providing some of the following ideas about this topic.

 

- Power off the PC:  Desktops, remove AC power, press and hold the power switch to discharge residual capacitor voltages and to ensure that the RAM is fully reset/emptied of any stored content.

 

- Remove the CMOS battery for a few minutes. In the event that the BIOS IC has been compromised and a reflash doesn't restore it to operational status, all may not be lost.

 

I have my BIOS backed up on a .ROM file just in case I need to reflash but if that didn't fix an infected BIOS IC, there's another alternative to pursue.

 

If the PC is a Desktop model, inspect the motherboard to see if the BIOS IC is socketed (removable).  With my Asus board, the BIOS IC is a "DIP 8" design and removable.  I can order a BIOS IC online that comes flashed with the BIOS version of my choice, for about $14.00 U.S.


In the event of a more involved issue, such as the Video Card BIOS containing the malicious object, I have a .ROM BIOS file saved on a backup HDD.  I've never flashed a Video Card's BIOS though, wouldn't want to try that except as a last resort.

 

I figure the odds of encountering an issue outside of the HDD are somewhat rare.  I've only been able to read a few posts around the 'net where such cases seemed to have been verified.

 

 

Here's what I'd do in the event of future malicious intrusions into my HDD:

 

- Shut down PC.  Remove AC power from tower.  Leave PC powered down for a few minutes to allow power supply to discharge, push power button on, etc.

 

- Remove all HDD's from tower except for the infected "C" HDD.

 

- Boot up into the Windows System Repair CD.

 

- From CMD prompt, select the "C" HDD.  Run the "clean" command.

 

* Optional: Run the "clean all" command.  I'd probably not do that to see if the "clean" command was all that was needed to render all malicious content benign.

 

- Shut down PC.  Install my cloned spare from the shelf, into my PC in one of my SATA bays.  Keep the original "C" HDD installed.

 

- Boot up on a cloning media, Acronis in my case. Clone back to the original "C" HDD.

 

- Shut down PC.  Remove the cloned spare.  Keep the original "C" HDD installed.  Boot up and see if all's ok. 

 

I've recovered twice over the years with some of these steps.  Having read more information the past couple of years, I'd include all the above steps if I encounter another malicious intrusion.
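An added check that is not part of the thread: after the "clean" / "clean all" steps above, this Python script (assumed to be run against the wiped disk opened read-only, or against a raw image of it) reports whether MBR/GPT structures survived and whether sampled data sectors are still non-zero, which is the difference between "clean" and "clean all". The sample image and the simulate_* helpers are constructed approximations for demonstration, not diskpart's actual behaviour.

```python
"""Sanity check for a wiped system disk (added example, not from the thread).

Reads a raw disk opened read-only (Windows: \\\\.\\PhysicalDriveN, Linux:
/dev/sdX) or a raw image and reports whether partition structures survived
a wipe and whether sampled data sectors are still non-zero. The sample image
is constructed in memory; simulate_clean / simulate_clean_all only
approximate what diskpart's "clean" and "clean all" do.
"""
import io
import struct
from typing import BinaryIO, Dict, Optional

SECTOR = 512
GPT_SIG = b"EFI PART"   # GPT header signature at LBA 1 and at the last LBA
MBR_SIG = b"\x55\xaa"   # MBR boot signature at offset 510
GPT_AREA = 34           # protective MBR + GPT header + 32 entry sectors


def check_wipe(f: BinaryIO, size: Optional[int] = None,
               sample_stride: int = 64) -> Dict[str, object]:
    """Inspect LBA 0, LBA 1, the last LBA and every sample_stride-th sector.
    Pass size explicitly for block devices that cannot seek to the end."""
    if size is None:
        f.seek(0, io.SEEK_END)
        size = f.tell()
    n = size // SECTOR

    def sector(i: int) -> bytes:
        f.seek(i * SECTOR)
        return f.read(SECTOR)

    lba0, lba1, last = sector(0), sector(1), sector(n - 1)
    # MBR table: four 16-byte entries at offset 446; non-zero type byte = used
    used = sum(1 for k in range(4) if lba0[446 + 16 * k + 4] != 0)
    nonzero = sum(1 for i in range(0, n, sample_stride) if any(sector(i)))
    return {
        "mbr_signature": lba0[510:512] == MBR_SIG,
        "mbr_partitions": used,
        "gpt_primary": lba1[:8] == GPT_SIG,
        "gpt_backup": last[:8] == GPT_SIG,
        "nonzero_sampled": nonzero,  # still > 0 after "clean": data not erased
    }


def check_image(img: bytes) -> Dict[str, object]:
    """Convenience wrapper for an in-memory image."""
    return check_wipe(io.BytesIO(img))


def build_sample_image(n_sectors: int = 2048) -> bytearray:
    """Constructed GPT-style disk: protective MBR, primary and backup GPT
    headers (signature, revision and header size only) plus some file data."""
    buf = bytearray(n_sectors * SECTOR)
    buf[446 + 4] = 0xEE                       # protective MBR entry, type 0xEE
    buf[510:512] = MBR_SIG
    hdr = GPT_SIG + b"\x00\x00\x01\x00" + struct.pack("<I", 92)
    buf[SECTOR:SECTOR + len(hdr)] = hdr
    tail = (n_sectors - 1) * SECTOR
    buf[tail:tail + len(hdr)] = hdr
    data = b"user data " * 51 + b"\x00\x00"   # exactly one 512-byte sector
    for i in range(64, 1024):                 # "files" in the middle of the disk
        buf[i * SECTOR:(i + 1) * SECTOR] = data
    return buf


def simulate_clean(img: bytearray) -> bytearray:
    """Approximation of diskpart "clean": zero only the partitioning metadata
    at both ends of the disk; user data in between is left intact."""
    out = bytearray(img)
    n = len(out) // SECTOR
    out[:GPT_AREA * SECTOR] = bytes(GPT_AREA * SECTOR)
    out[(n - GPT_AREA + 1) * SECTOR:] = bytes((GPT_AREA - 1) * SECTOR)
    return out


def simulate_clean_all(img: bytearray) -> bytearray:
    """Approximation of "clean all": every sector overwritten with zeros."""
    return bytearray(len(img))


if __name__ == "__main__":
    dirty = build_sample_image()
    for name, img in (("before", dirty), ("clean", simulate_clean(dirty)),
                      ("clean all", simulate_clean_all(dirty))):
        print(f"{name:>9}: {check_image(img)}")
```

On a real disk, a "clean"-only result with partition flags all False but a non-zero sample count means the old file data is still physically present and only the partition map is gone.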

 

 



#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,470 posts
  • Location:Virginia, USA

Posted 13 June 2014 - 09:37 AM

One thing that I've seen with my own experiences with malicious intrusions, is that sometimes things happen even when exercising the usual cautious practices, ie, no e-mail attachment openings, no suspicious 'net site visits, etc.

Keep in mind that even legitimate web sites and the ads they display can be a source of infection.

#9 scotty_ncc1701
  • Topic Starter
  • Members
  • 520 posts

Posted 13 June 2014 - 10:41 AM

That's an amazing track record, since 1995 :).  My batting average isn't even in "AAA" level compared your major league stats :).


After getting clobbered with 600+ viruses, that is when I took an aggressive approach.  Not a week goes by that I don't look for improved security measures, as well as trying to read all I can.
 

On average, I've been affected by some kind of unwanted intrusions about once every 1.5 years or so since my home 'net use began in 2004 but the rate has declined.  The last occurrence was in Nov 2012, an "FBI" malware variant.


AT LEAST once every 3-4 months, I'll take the pristine image, as explained in other threads, and reapply it.

http://www.bleepingcomputer.com/forums/t/537481/backups/#entry3394151

Once AVAST, etc updates, I'll image the computer again, and that becomes my new base image.

AT LEAST once every year, I rebuild our computers from scratch.
 

One thing that I've seen with my own experiences with malicious intrusions, is that sometimes things happen even when exercising the usual cautious practices, ie, no e-mail attachment openings, no suspicious 'net site visits, etc.


That can be true.  But using programs like Mailwasher, will help even more.  It gives you a list of the files on the server, and you can delete the e-mails before they even get to your PC.  Although the older version of Mailwasher that I'm using is fine, I'm in the process of writing my own, and I hope to have it done shortly, at least the public BETA version.

Another thing that CAN HELP, is just reading the e-mails in plain text.
 

The last time, with the FBI screen ransomware, I was at a reputable site which I've visited twice-daily for years.  I'm guessing that the intrusion penetrated my AV defenses via a 3rd-party ad route but that's just a guess.


I do realize that that is a possibility, that a reputable site can be hacked.  But the more popular it is, the more the admins of that site need to be aggressive on security.
 

The point is, I was careful but still got hit by an intrusion. 


I agree that it is possible for anyone to get hit, even me.  But it also helps that a person takes additional actions.  If the person relies only on basic stuff, they'll get hit.  I helped a friend rebuild his computer after an infection, and set the security to the same as mine (TIGHT).  Within a short time, he started to turn things off and got infected.
 

I want to be clear; I think the malware-removal experts serve a very valuable avenue of recovery for many PC users.  My approach is just a personal choice that I want to learn about, to be able to recover locally without seeking assistance.


I've always, after the 1995 incident, taken an aggressive approach to protecting our computers.  How a person handles a malware issue is, of course, up to them.  But if I help someone, and they get infected because they turned things off, just because it might require another mouse click or so, they're on their own.
 

Since I don't like to reinstall :) (who does), reload all programs, etc, I chose to pursue and learn the cloning/imaging scene.


If you look in my post:

http://www.bleepingcomputer.com/forums/t/537481/backups/#entry3394151

You'll see a few things that are important to consider in imaging a hard drive.
 

Since that's a possibility, although from what I've read, rare, I have several full-HDD images stored on a disconnected HDD with the images taken over several months' time.


See previous comment.

Have a great day!



#10 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 13,246 posts
  • Location:127.0.0.1 Australia

Posted 13 June 2014 - 04:21 PM

What's a virus?

Any Linux users following this thread should look into Portspoof (http://portspoof.org/) as an added layer of security, and to just plain mess with any would-be hacker.


Edited by NickAu1, 13 June 2014 - 06:48 PM.



#11 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,470 posts
  • Location:Virginia, USA

Posted 13 June 2014 - 04:48 PM

Careful Nick...don't let Grinler or Fabian hear you say that. :whistle:
 

...whenever someone states that linux or macs are more secure I laugh. You ever look at the monthly security updates for those operating systems?

The reality is that the market base is too small and not worth their while. Not worth their time to target a much smaller base.

Grinler, BC Site Admin & Microsoft MCP: Post #2332.

#12 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 13,246 posts
  • Location:127.0.0.1 Australia

Posted 13 June 2014 - 05:31 PM

Yes, I remember that little chat.  Grinler and Fabian.

Ummmm Ummmm UMMMM, that wasn't me, nobody saw it, nobody can prove a thing.

It's in the Linux TOS that Linuxers bag M$ as often as they can... isn't it?

Are there any current active viruses that affect Linux? Notice I did not say rootkits, trojans or other exploits.

Members please note I take PC security seriously and advise everybody to do the same.
If you have any questions about PC security please click the link in my sig to quietman's post on Answers to common security questions - Best Practices
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


Edited by NickAu1, 13 June 2014 - 07:05 PM.



#13 palerider2
  • Members
  • 133 posts

Posted 13 June 2014 - 05:38 PM

Thanks for those links quietman7. This quote is from the fourth one, dated May 2007:

 

"The [Google] researchers hope to use their findings to "map" the problem and aid the development of a new generation of safe surfing tools that steer users away from harm."

 

A subject that's very interesting to me. The research team don't appear to have made inroads into the problem over 7 years. That's not to say, without their efforts, the problem hasn't been reduced compared to what it might have been.

 

I won't say too much more as I plan to post further in the thread that I started on safer hardware.

 

EDIT: But as for my approach to malware etc, my protection on the internet derives from

- sacrificial PC with no personal stuff on it

- fairly secure browser (Chrome)

- Extensions to block Ads, Flash, scripts

- Sandboxie

- Use MD5, SHA-1 checksums for EXEs

- assume everything else is infected, so open it in a sandbox

 

PLUS, NOW: screw down update engines, to protect against hacking

(assumes you know which update engines you can trust)

 

It's a different approach and it assumes

- the PC will be rebuilt periodically

- not so much effort goes into backing up because everything can be safely lost

 

EDIT2: several edits in order to respect forum etiquette.


Edited by palerider2, 13 June 2014 - 11:25 PM.


#14 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,470 posts
  • Location:Virginia, USA

Posted 13 June 2014 - 08:27 PM

I won't say too much more as I plan to post further in the thread that I started on safer hardware.

Yes...it's not considered proper forum etiquette posting for assistance in someone else's topic.

#15 anniyan
  • Members
  • 222 posts
  • Location:Under your bed, mwahahahahaha!

Posted 28 July 2014 - 07:04 PM

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?:

  • You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is useless. It may be a backup that includes all the back doors currently on the system.

So what is the use of cloning/imaging/backups? He put it rightly, what I had in my mind.


