
Infections - When to throw in the towel?


21 replies to this topic

#1 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:23 AM

Posted 23 February 2015 - 08:03 PM

Hello all,

I've been reading this: Stop Trying to Clean Your Infected Computer! Just Nuke it and Reinstall Windows

Personally I know that some infections cannot be cleaned and call for a reinstall (file infectors), but most of the time it's not worth it - especially if the infection is just some PUPs that can be cleaned up with a run of several tools and security solutions.

What do you think?

(and no, please don't give me the "Use Linux" excuse. I'm a gamer too, and most games aren't Linux native.)

Regards,
Alex


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:23 AM

Posted 23 February 2015 - 09:35 PM

The severity of infection will vary from system to system, some causing more damage than others, especially when dealing with backdoor Trojans, Botnets, IRCBots and rootkits. These types of infections are especially dangerous because they not only compromise system integrity but the longer they remain on a computer, the more opportunity they have to download additional malicious files which can worsen the infection, so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes. Since infections and severity of damage will vary, it may take several efforts with different, the same or more powerful security scanners/tools to do the job. Even then, with some types of infections, the task can be arduous and it is still impossible to be 100% sure that all malware has been removed.

When dealing with Remote Access Trojans (RATs), there is a greater chance the computer has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed. In some cases, such as with a polymorphic file infector, the infection may have caused so much damage that the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

In fact, many experts in the security community believe that once a computer has been compromised or infected with a file infector, the best course of action is to wipe the drive clean, reformat and reinstall the OS...with your Windows CD/DVD installation disk, a disk image or factory restore (system recovery) disks provided by the manufacturer.

If I guide someone with cleaning a severely infected computer, it is my responsibility to make them aware of what state their computer is in, how severely infected/compromised it is, that they should change passwords afterwards, etc...and I won't promise them a clean computer afterwards - because that would be a lie. I've seen cases where volunteers are helping a user with a severely infected computer, this already for weeks...And that's why in such cases, I throw in the towel more often and ask to backup important data, then format and reinstall Windows. Not because I give up, but rather because it's really not worth it to clean this mess up manually and then on top restore (if possible) whatever the malware has broken/modified. In such cases, a format and reinstall is the fastest and especially the SAFEST solution.

Where to draw the line? When to recommend a format and reinstall?

 

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


And for file infectors, this is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Kilroy

Kilroy

  • BC Advisor
  • 3,335 posts
  • OFFLINE
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:05:23 AM

Posted 23 February 2015 - 10:03 PM

I have worked in IT professionally since last century. Professionally, once a machine is infected, it is too infected and needs to be reloaded. It takes longer to clean a machine than it does to reload it. Once a machine becomes infected you can no longer trust anything about it.

 

With today's infections that encrypt your data you are trusting that someone who would do this to you will give you back your data for a fee. Like any blackmailer, can you trust they won't ask for more later?

 

Reinstalling Windows also cleans out any garbage that has accumulated over time.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:23 AM

Posted 23 February 2015 - 10:07 PM

...It takes longer to clean a machine than it does to reload it...

And in this century we old farts can restore from an image which is even quicker.

#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:23 AM

Posted 24 February 2015 - 08:30 AM

Professionally once a machine is infected, it is too infected and needs to be reloaded. It takes longer to clean a machine than it does to reload it.


This is why I can have no fun whatsoever at work when a machine is infected. My boss wants me to remove the malware in like two minutes or simply re-image it. Most of the time I'm able to find the malware and remove it quite fast, but sometimes we're being told that "apparently" a machine is infected and if we don't find anything, we're still asked to re-image it anyway. It wouldn't matter to me if I wasn't already imaging tons of computers to replace old ones with newer ones and I had to focus on this task before focussing on re-imaging machines because they are "supposedly" infected.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:23 AM

Posted 24 February 2015 - 08:48 AM

In work environments it is not always a matter of time, it's a matter of following the policies implemented by the higher ups whether the tech support folks agree with it or not.

#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:23 AM

Posted 24 February 2015 - 09:16 AM

I can understand that, however I don't think that there are any policies implemented by the higher ups at the place I work. There it's really a matter of time over everything else, even more depending on who the machine belongs to. Our higher ups don't really care about malware, the only form of security they care about is authorization, permission, access, etc.

Edited by Aura., 24 February 2015 - 09:16 AM.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:23 AM

Posted 24 February 2015 - 09:20 AM

..Our higher ups don't really care about malware, the only form of security they care about is authorization, permission, access, etc.

Those typically are IT policies...hence the emphasis.

#9 Sintharius

Sintharius

    Bleepin' Sniper

  • Topic Starter

  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:23 AM

Posted 24 February 2015 - 09:40 AM

And just when we were talking about this, I just discovered that one of my two flash drives is infected with Sality.

Nuked the flash drive with a low-level format tool from Aura.

I think it probably came from the printing shop that I used to print some documents - those people have no protection on their machine, so I won't be surprised if the flash drive gets infected though.

Edit: Reviewed the scan results in EIS... apparently there are also Virut and Ramnit. Looks like one trip to the shop got me the three most common file infectors.

Alex

Edited by Alexstrasza, 24 February 2015 - 09:47 AM.


#10 Scoop8

Scoop8

  • Members
  • 326 posts
  • OFFLINE
  • Gender:Male
  • Location:Dallas TX
  • Local time:05:23 AM

Posted 24 February 2015 - 11:06 AM

Alexstrasza

 

Interesting topic and linked article, thanks for posting.

 

My post assumes that we're referring to almost all infection scenarios where the content is confined to the HDD (ie, no BIOS/UEFI/Firmware malicious presences involved).

 

Windows reinstalling is my last choice but that's just my take on it.  I guess that's because I'm lazy :) and my Win 7 install has a few things customized (a couple of Registry edits, etc) so setting up a new Win install, along with reinstalling programs, adjusting my Office settings, etc, is not something I'd do before using my full-HDD backup options.

 

I've recovered during the past few years from a couple of malicious occurrences by installing a Cloned HDD.  Image-restoration is also an option. 

 

I like to get the PC running again as fast as possible, then I can spend time later sanitizing the affected HDD. If a situation arises where I can't quickly remove the malicious content from the spare HDD, I'd probably shelve the HDD and consider it a long-term project (try various wiping tools, etc).

 

I haven't yet encountered a situation where I was unable to sanitize the affected HDD since I began using home 'net PC's in 2004.

 

Answering the original question, I'm a fast "towel-thrower"  :lol:  , since I'll replace my HDD before trying to remove most malicious presences.  It's just a personal preference vs downloading tools, running logs, seeking assistance online, etc. 

 

Another reason is that I'm using SATA Hot-Swap Racks on my Desktop PC so installing a Cloned spare HDD is fast. 

 

My Laptop is an older-model type so HDD access is convenient.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:23 AM

Posted 24 February 2015 - 12:25 PM


For most users, they should follow the lead of the experts.

In my experience, users may find their system performing better for a short time after attempted disinfection only to have it become progressively worse again as the malware (especially file infectors) continues to reinfect thousands of files. Some folks will try every tool or rescue disk they can find in futile attempts to repair critical system files. If something goes awry during the malware removal process the computer may become unstable or unbootable and you could lose access to all your data. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove the infected files.

For malware writers, this apparent destructive behavior appears to be viewed as an acceptable and desired side effect of a successfully infected system, as explained in File Infectors: To Junk Or Not To Junk.

#12 rp88

rp88

  • Members
  • 2,983 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:23 AM

Posted 25 February 2015 - 12:16 PM

The best tip here is to have your own system image made, made at a time when your computer had all its programs installed and was running well with the operating system settings you like, but before any infections have arrived. That way you can restart into the recovery environment, restore from the image and about an hour later you can boot up your PC and log into it with everything you liked installed and working; all you need to do is a bit of updating. The only disadvantage of imaging is that doing it too often can start to give extra wear on the hard drive, so it might slightly shorten the hard drive's life. From everything I have heard, unless the malware has infected the BIOS or the firmware, shutting the machine down and booting into the recovery environment like this doesn't give malware a chance to slip past and invade the reimaged machine. The means of making images for Windows 7, 8 and 8.1 and restoring from them are covered in a very helpful guide somewhere on this site.



"only form of security they care about is authorization, permission, access, etc."
which aren't worth much if the computer is being secretly remotely controlled through malware by a hacker thousands of miles away... If they're scared of what employees in their own offices might do they should be cra*ping themselves at what an outside attacker might try.

"I think it probably came from the printing shop that I used to print some documents"
Tip: buy some cheap CD-RW discs. When you next visit a shop like a printer's shop where you need to give them documents, give them a CD-RW, which is cheap enough to either let them keep or snap in half once they're finished with it, or email the files to them.

Edited by rp88, 25 February 2015 - 12:17 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
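The tip above is to take a system image before anything goes wrong and restore it from the recovery environment later. As an added example (not from this thread or from any poster), the PowerShell script below creates such an image with the built-in wbadmin tool and lists the images already stored, so you can tell which one predates a suspected infection. It assumes Windows 7/8/8.1 with Windows Backup present, an elevated session, and a backup target drive letter (E: here, a placeholder) that sits on a second internal or external fixed disk rather than the disk Windows boots from; the check for that is the script's own and uses standard WMI classes.

```powershell
# Added example, not from this thread or any poster: create a full system image
# of the Windows system drive on a separate disk with wbadmin, then list what is
# stored there so you can tell which image predates a suspected infection.
# Assumptions: Windows 7/8/8.1 with Windows Backup (wbadmin.exe) present, an
# elevated PowerShell session, and $BackupTarget (E: here, a placeholder) on a
# second internal or external fixed disk, never the disk Windows boots from.
param([string]$BackupTarget = "E:")

function Get-PhysicalDiskIndex {
    # Map a drive letter (e.g. "C:") to the index of the physical disk holding it.
    # WMI associations are used so this also works on Windows 7 without the Storage module.
    param([string]$DriveLetter)
    $logical = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if (-not $logical) { return $null }
    $partition = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$DriveLetter'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    if (-not $partition) { return $null }   # network drive or no backing partition
    $disk = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($partition.DeviceID)'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
    return $disk.Index
}

function Test-SeparateDisk {
    # An image stored on the same physical disk as Windows disappears when that disk
    # is wiped, so refuse to continue unless the target lives on a different disk.
    param([string]$TargetLetter)
    $sysIndex = Get-PhysicalDiskIndex -DriveLetter $env:SystemDrive
    $tgtIndex = Get-PhysicalDiskIndex -DriveLetter $TargetLetter
    if ($null -eq $sysIndex -or $null -eq $tgtIndex) { return $false }
    return ($sysIndex -ne $tgtIndex)
}

function New-SystemImage {
    param([string]$Target)
    if (-not (Test-SeparateDisk -TargetLetter $Target)) {
        throw "Backup target $Target is not a fixed disk separate from $env:SystemDrive; refusing to image."
    }
    # -allCritical adds every volume Windows needs to boot (System Reserved / EFI plus
    # the system drive), which is what the WinRE "System Image Recovery" option expects.
    & wbadmin start backup "-backupTarget:$Target" "-include:$env:SystemDrive" -allCritical -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
}

New-SystemImage -Target $BackupTarget

# List the images on the target with their dates. When recovering after an infection,
# choose one taken before the earliest sign of compromise; anything newer may carry it along.
& wbadmin get versions "-backupTarget:$BackupTarget"
```

Run it from an administrator PowerShell prompt on a machine you believe to be clean; imaging after the fact only preserves the infection. Restoring is done offline from the Windows recovery environment (System Image Recovery), which overwrites the system volumes entirely, so the running malware never gets a chance to execute during the restore, which is the property the post above relies on.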

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:23 AM

Posted 25 February 2015 - 12:25 PM

The best tip here is to have your own system image made, made at a time when your computer had all its programs installed and was running well with the operating system settings you like, but before any infections have arrived

That is the same as throwing in the towel. Only instead of reinstalling you are restoring from an image, which is even quicker, as I noted in Post #4.

#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:23 AM

Posted 25 February 2015 - 12:25 PM

Well I agree with that tip, but not everyone has the knowledge, nor the resources necessary to create a system image and restore to it when you're infected. Plus, I don't know how file infectors work with system images, but when you're hit with something like Sality or Ramnit, it's recommended to completely "nuke" the hard drive before reinstalling anything on it, so I wouldn't use a system image to restore to a previous state when infected with such malware.

which aren't worth much if the computer is being secretly remotely controlled through malware by a hacker thousands of miles away... If they're scared of what employees in their own offices might do they should be cra*ping themselves at what an outside attacker might try.


You want to explain that to them? I hint at that kind of security every time I talk to the "Image/Deployment" team, and they are keeping Java up to date right now (with a bit of delay since they have to prepare a package, test it, deploy it, etc.), Adobe Flash Player, VLC, etc., but we still have so much outdated software in this company that it's impossible to keep track of all of it.



#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:23 AM

Posted 25 February 2015 - 12:31 PM

Restoring from system image works fine. My IT Team did it all the time on highly sensitive government computers.

For novice users, they can get assistance in forums like this or read any number of "How to" articles on the Internet, including vendor specific instructions for a factory restore.