Thor Kottelin, posted June 20, 2008

Instead of replying to every single "I have a virus" post, I am going to say this once.

The best current practice for cleaning up a system on which malware has been executed is to reinstall the operating system cleanly. Vendors will offer you software, bells and whistles to no end, but the only way to be certain that your system is clean is to reinstall it. Of course you need to do this in a way that does not repeat whatever you did in order to have the malware installed in the first place.

You do need a good antivirus and firewall product to continuously protect you from intrusion attempts. This is absolutely vital. In addition, your virus scanner will try to remove any non-executed malware from e.g. incoming email. However, once malicious software has actually run on your computer, you should reinstall.

Please believe me when I say that professional sysadmins do not wield FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server compromise. They try to work out how the intrusion occurred, and then they reinstall the system from scratch, in a way that does not reopen the previous attack window.

Your comments are welcome.

--
Thor Kottelin
http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
David H. Lipman, posted June 20, 2008

From: "Thor Kottelin" <thor@anta.net>

| Instead of replying to every single "I have a virus" post, I am going to
| say this once.
|
| The best current practice for cleaning up a system on which malware has
| been executed is to reinstall the operating system cleanly. Vendors will
| offer you software, bells and whistles to no end, but the only way to be
| certain that your system is clean is to reinstall it. Of course you need
| to do this in a way that does not repeat whatever you did in order to have
| the malware installed in the first place.
|
| You do need a good antivirus and firewall product to continuously
| protect you from intrusion attempts. This is absolutely vital. In
| addition, your virus scanner will try to remove any non-executed malware
| from e.g. incoming email. However, once malicious software has actually
| run on your computer, you should reinstall.
|
| Please believe me when I say that professional sysadmins do not wield
| FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server
| compromise. They try to work out how the intrusion occurred, and then they
| reinstall the system from scratch, in a way that does not reopen the
| previous attack window.
|
| Your comments are welcome.
|
| --
| Thor Kottelin
| http://www.anta.net/
|
| Antivirus, firewall, parental control: http://www.anta.net/sw/norman/

Yes. Everyone should wield a sledge hammer at all flies and one size fits all.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Root Kit, posted June 20, 2008

On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> Yes. Everyone should wield a sledge hammer at all flies and one size fits all.

Well, if you don't know about the damage, better use a big tool.

See, unless you have a baseline and can revert to a known clean state that way, this is the only reasonable solution. There is NO other way to make sure you made a full clean.

I know that what you normally promote is much more convenient - but this is about security, not about luck and good feelings. I'm afraid you don't understand the nature of modern malware.
Volodymyr M. Shcherbyna, posted June 20, 2008

Well, the best way to clean a machine is to leave it in the right place, pay money and get it back after some time cleaned and "cured". There are many ways of getting rid of viruses. One of the ways: debug the machine using the WinDbg kernel debugger, and with the help of it force the "bad" code to stop execution. Re-installation of the OS is not the best solution.

--
V.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Thor Kottelin" <thor@anta.net> wrote in message news:ewxMc8r0IHA.2068@TK2MSFTNGP05.phx.gbl...
> Instead of replying to every single "I have a virus" post, I am going to
> say this once.
>
> The best current practice for cleaning up a system on which malware has
> been executed is to reinstall the operating system cleanly. Vendors will
> offer you software, bells and whistles to no end, but the only way to be
> certain that your system is clean is to reinstall it. Of course you need
> to do this in a way that does not repeat whatever you did in order to have
> the malware installed in the first place.
>
> You do need a good antivirus and firewall product to continuously
> protect you from intrusion attempts. This is absolutely vital. In
> addition, your virus scanner will try to remove any non-executed malware
> from e.g. incoming email. However, once malicious software has actually
> run on your computer, you should reinstall.
>
> Please believe me when I say that professional sysadmins do not wield
> FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server
> compromise. They try to work out how the intrusion occurred, and then they
> reinstall the system from scratch, in a way that does not reopen the
> previous attack window.
>
> Your comments are welcome.
>
> --
> Thor Kottelin
> http://www.anta.net/
>
> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
David H. Lipman, posted June 20, 2008

From: "Root Kit" <b__nice@hotmail.com>

| On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >> Yes. Everyone should wield a sledge hammer at all flies and one size fits all.
|
| Well, if you don't know about the damage, better use a big tool.
|
| See, unless you have a baseline and can revert to a known clean state
| that way this is the only reasonable solution. There is NO other way
| to make sure you made a full clean.
|
| I know that what you normally promote is much more convenient - but
| this is about security, not about luck and good feelings. I'm afraid
| you don't understand the nature of modern malware.

Actually I do. I wouldn't wipe a system and reinstall the OS just because the user has an adware BHO. One size does NOT fit all.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Root Kit, posted June 21, 2008

On Fri, 20 Jun 2008 18:25:14 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> I wouldn't wipe a system and reinstall the OS just because the user has an adware BHO.

Of course not. Adware is not malware. It's just a user-induced problem.

> One size does NOT fit all.

When dealing with the unknown, yes. And that's true in the vast majority of cases.
kurt wismer, posted June 21, 2008

Re: In order to remove executed malware, reinstall your operating system

Root Kit wrote:
> On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
>> Yes. Everyone should wield a sledge hammer at all flies and one size fits all.
>
> Well, if you don't know about the damage, better use a big tool.
>
> See, unless you have a baseline and can revert to a known clean state
> that way this is the only reasonable solution. There is NO other way
> to make sure you made a full clean.
>
> I know that what you normally promote is much more convenient - but
> this is about security, not about luck and good feelings. I'm afraid
> you don't understand the nature of modern malware.

it is you who does not understand the nature of modern malware if you think a generic removal procedure like wipe-n-reinstall is sufficient for recovery....

it's no longer just about what got on to your computer but also about what got out ... a generic removal procedure won't help you determine what kinds of sensitive information may have gotten leaked and the frequency of compromise for most average people makes acting like it all got leaked each time completely unmanageable...

diagnosis/thorough knowledge is required in order to have some idea of what secondary effects the malware might have had besides just intruding into the pc, and once such thorough knowledge is had the sledge hammer approach is no longer necessary...

generic removal (note, not the same as recovery) may still be more expedient once you have thorough knowledge of the problem, but wipe-n-reinstall is still sub-optimal... restoring from an image is better as you don't run the risk of forgetting to apply security-related configuration changes that you made the first time 'round... also, it's generally faster than re-installing...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
FromTheRafters, posted June 21, 2008

"Thor Kottelin" <thor@anta.net> wrote in message news:ewxMc8r0IHA.2068@TK2MSFTNGP05.phx.gbl...
> Instead of replying to every single "I have a virus" post, I am going to
> say this once.
>
> The best current practice for cleaning up a system on which malware has
> been executed is to reinstall the operating system cleanly.

Generally yes, but if a known malware has made changes, they can be reversed in many cases. However, once we delve into the unknown (such as when a known trojan downloads an unknown and executes it, or a backdoor has been exposing you to unknowns) the best method is as you have suggested - flatten and rebuild.

> Vendors will offer you software, bells and whistles to no end, but the
> only way to be certain that your system is clean is to reinstall it.

Certainty is a funny thing; how would you know the original problem is not still there even after reinstalling from what you assume is clean?

> Of course you need to do this in a way that does not repeat whatever you
> did in order to have the malware installed in the first place.

Knowing the malware involved could give a hint as to what method was used to attain the result desired by the malware author. A SuperAnti-wild-assed-guess -- flatten and rebuild approach does nothing to counter the next one using the same or similar method. Best to analyze the intrusion and take action. Your method does not of course prevent someone from saving the compromised system aside (maybe the HD) for forensic study, and placing a (cough) clean system in its place.

> You do need a good antivirus and firewall product to continuously
> protect you from intrusion attempts. This is absolutely vital. In
> addition, your virus scanner will try to remove any non-executed malware
> from e.g. incoming email. However, once malicious software has actually
> run on your computer, you should reinstall.

I agree, with the stipulation that the malware does something leading to the unknown factor. It is perfectly alright to remove known changes. Some malware is really simple to remove, so why go overboard?

> Please believe me when I say that professional sysadmins do not wield
> FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server
> compromise. They try to work out how the intrusion occurred, and then they
> reinstall the system from scratch, in a way that does not reopen the
> previous attack window.

Sysadmins probably don't load their servers up with fluff that they feel they need to reinstall. Most users have lots and lots of stuff they haven't even backed up, let alone incorporated into their reinstallation media, that they just can't live without. Sure, the result of getting bitten should be pain - the recovery process should leave a lasting impression on the user to learn how to avoid the clearly avoidable and backup - backup - backup!
FromTheRafters, posted June 21, 2008

"Root Kit" <b__nice@hotmail.com> wrote in message news:3m4n54de8aa2oueqtc4gdt06u5j3bn4vvb@4ax.com...
> On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
>> Yes. Everyone should wield a sledge hammer at all flies and one size fits
>> all.
>
> Well, if you don't know about the damage, better use a big tool.
>
> See, unless you have a baseline and can revert to a known clean state
> that way this is the only reasonable solution. There is NO other way
> to make sure you made a full clean.
>
> I know that what you normally promote is much more convenient - but
> this is about security, not about luck and good feelings. I'm afraid
> you don't understand the nature of modern malware.

Sorry - but that deserves a LOL - ...and I seldom LOL.
Root Kit, posted June 24, 2008

On Sat, 21 Jun 2008 11:37:41 -0400, kurt wismer <kurtw@sympatico.ca> wrote:

> it is you who does not understand the nature of modern malware if you
> think a generic removal procedure like wipe-n-reinstall is sufficient
> for recovery....

How did you get the idea I might think that was sufficient? We were talking about removing malware from an infected machine - not about total recovery.

> it's no longer just about what got on to your computer but also about
> what got out ... a generic removal procedure won't help you determine
> what kinds of sensitive information may have gotten leaked and the
> frequency of compromise for most average people makes acting like it all
> got leaked each time completely unmanageable...

What "got out" is a little hard to get back, isn't it? - Anyway, cleaning an infected machine and doing forensic analysis are two different things.

> diagnosis/thorough knowledge is required in order to have some idea of
> what secondary effects the malware might have had besides just intruding
> into the pc, and once such thorough knowledge is had the sledge hammer
> approach is no longer necessary...

Once again, unless you have a baseline you cannot obtain such "thorough knowledge".

> generic removal (note, not the same as recovery) may still be more
> expedient once you have thorough knowledge of the problem, but
> wipe-n-reinstall is still sub-optimal...

Once again, unless you have a baseline you cannot obtain such "thorough knowledge".

> restoring from an image is
> better as you don't run the risk of forgetting to apply security-related
> configuration changes that you made the first time 'round... also, it's
> generally faster than re-installing...

Yes, it may be better.

I usually use the phrase "revert to a known clean state" - which ultimately (unless you have something like a known good image) means flatten and rebuild.
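Root Kit's recurring point is that without a baseline you cannot know what changed, so "revert to a known clean state" collapses into flatten-and-rebuild. The following is an added Python example, not code from any poster in this thread, showing the cheapest form of such a baseline: a SHA-256 manifest taken from a known-clean tree and later diffed against the live tree. The directory layout, file names and contents are constructed for the demo; the comparison should be run from a boot medium you trust, as kurt wismer notes elsewhere in the thread.

```python
"""Added example (not from the thread): a minimal file-integrity baseline."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large files need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped: following one could hash something outside the
    tree, and a planted link is itself something the diff should surface.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Write the baseline. Keep it off-box (read-only media); a compromised
    host could otherwise rewrite the very record you compare against."""
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths, each sorted."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed 'clean' tree, baseline it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"constructed: original binary\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "rc.local").write_text("# constructed: nothing here\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Constructed post-incident state: one binary replaced, one file
        # added, one file gone, one file untouched.
        (root / "bin" / "login").write_bytes(b"constructed: replaced binary\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("# constructed: new\n")
        (root / "etc" / "rc.local").unlink()

        return compare(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '(none)'}")
```

The diff only tells you what changed, not whether the change was benign; that judgement is the "thorough knowledge" the thread argues about, and the manifest is what makes it possible at all.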
Root Kit, posted June 24, 2008

On Sat, 21 Jun 2008 17:28:07 -0400, "FromTheRafters" <Erratic@ne.rr.com> wrote:

> "Root Kit" <b__nice@hotmail.com> wrote in message
> news:3m4n54de8aa2oueqtc4gdt06u5j3bn4vvb@4ax.com...
>> On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
>> <DLipman~nospam~@Verizon.Net> wrote:
>>
>>> Yes. Everyone should wield a sledge hammer at all flies and one size fits
>>> all.
>>
>> Well, if you don't know about the damage, better use a big tool.
>>
>> See, unless you have a baseline and can revert to a known clean state
>> that way this is the only reasonable solution. There is NO other way
>> to make sure you made a full clean.
>>
>> I know that what you normally promote is much more convenient - but
>> this is about security, not about luck and good feelings. I'm afraid
>> you don't understand the nature of modern malware.
>
> Sorry - but that deserves a LOL - .

Yes. The idea of malware "removal" for average users is quite laughable.

> ..and I seldom LOL.

There's always room for improvement.
kurt wismer, posted June 25, 2008

Re: In order to remove executed malware, reinstall your operating system

Root Kit wrote:
> On Sat, 21 Jun 2008 11:37:41 -0400, kurt wismer <kurtw@sympatico.ca>
> wrote:
>
>> it is you who does not understand the nature of modern malware if you
>> think a generic removal procedure like wipe-n-reinstall is sufficient
>> for recovery....
>
> How did you get the idea I might think that was sufficient? We were
> talking about removing malware from an infected machine - not about
> total recovery.

contextlessly advocating a generic removal procedure (ie. advocating it without even giving a hint that there's a lot more to recovery than just removal) sends the message that flattening and rebuilding is all anyone really needs to do... at least it does to the neophytes struggling with the problem of amateur malware incident response that the OP was addressing en masse...

>> it's no longer just about what got on to your computer but also about
>> what got out ... a generic removal procedure won't help you determine
>> what kinds of sensitive information may have gotten leaked and the
>> frequency of compromise for most average people makes acting like it all
>> got leaked each time completely unmanageable...
>
> What "got out" is a little hard to get back, isn't it?

yes, but if you have an idea of what got out you can, for most information of interest to the bad guys, remove any value that information might have had...

> - Anyway,
> cleaning an infected machine and doing forensic analysis are two
> different things.

and analysis will be hard after you've flattened the box... analysis first, then removal...

>> diagnosis/thorough knowledge is required in order to have some idea of
>> what secondary effects the malware might have had besides just intruding
>> into the pc, and once such thorough knowledge is had the sledge hammer
>> approach is no longer necessary...
>
> Once again, unless you have a baseline you cannot obtain such
> "thorough knowledge".

while you may be content to give advice that assumes such a baseline doesn't exist, i prefer advice that promotes creating such baselines... you said, after all, that your interest was in security rather than luck and good feelings - people aren't going to get real security without being prepared...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Root Kit, posted June 25, 2008

On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer <kurtw@sympatico.ca> wrote:

> and analysis will be hard after you've flattened the box... analysis
> first, then removal...

Since an infected machine cannot be trusted, you cannot do proper analysis on the infected system anyway. If you want to do such a thing you can keep a mirror of the system for later analysis.
David H. Lipman, posted June 25, 2008

From: "Root Kit" <b__nice@hotmail.com>

| On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer <kurtw@sympatico.ca>
| wrote:
|
| >> and analysis will be hard after you've flattened the box... analysis
| >> first, then removal...
|
| Since an infected machine cannot be trusted, you cannot do proper
| analysis on the infected system anyway. If you want to do such a thing
| you can keep a mirror of the system for later analysis.

First you must define "infected".

Infected with a password stealing Trojan is quite different from being infected with a simple adware BHO.

One might consider the system to be compromised to the point of wiping and reinstalling if one was infected with a password stealing Trojan, but that is not the case with a simple adware BHO.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
kurt wismer, posted June 26, 2008

Re: In order to remove executed malware, reinstall your operating system

Root Kit wrote:
> On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer <kurtw@sympatico.ca>
> wrote:
>
>> and analysis will be hard after you've flattened the box... analysis
>> first, then removal...
>
> Since an infected machine cannot be trusted,

technically it's the suspect environment that can't be trusted... despite hand waving about hardware {whatever}'s, they are as yet not credible threats so you should be able to boot a suspect machine from a known-clean bootable removable medium and trust that environment...

> you cannot do proper
> analysis on the infected system anyway. If you want to do such a thing
> you can keep a mirror of the system for later analysis.

indeed you can, but since people have been advocating "flatten and rebuild" rather than "make an image, flatten and rebuild" we arrive once again at presenting purely removal advice to people who need recovery...

also, doing removal before diagnosis has the very likely chance of putting the system back into harm's way without taking the steps needed to prevent the exact same compromise from happening again...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Root Kit, posted June 26, 2008

On Wed, 25 Jun 2008 17:36:01 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> From: "Root Kit" <b__nice@hotmail.com>
>
> | On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer <kurtw@sympatico.ca>
> | wrote:
> |
> | >>> and analysis will be hard after you've flattened the box... analysis
> | >>> first, then removal...
> |
> | Since an infected machine cannot be trusted, you cannot do proper
> | analysis on the infected system anyway. If you want to do such a thing
> | you can keep a mirror of the system for later analysis.
>
> First you must define "infected".

Well, that could probably start a whole new discussion, so how about sticking to the subject, which indicated "executed malware"?

> Infected with a password stealing Trojan is quite different from being infected with a
> simple adware BHO.

Once again (since you seem so determined to use proper terms): AdWare is not malware. AdWare is just a user self-induced annoyance.

> One might consider the system to be compromised to the point of wiping and reinstalling if
> one was infected with a password stealing Trojan but that is not the case with a
> simple adware BHO.

Since adware is not malware we can't disagree here.
Root Kit, posted June 26, 2008

On Wed, 25 Jun 2008 22:36:39 -0400, kurt wismer <kurtw@sympatico.ca> wrote:

> Root Kit wrote:
>> On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer <kurtw@sympatico.ca>
>> wrote:
>>
>>> and analysis will be hard after you've flattened the box... analysis
>>> first, then removal...
>>
>> Since an infected machine cannot be trusted,
>
> technically it's the suspect environment that can't be trusted...

Agreed.

> despite hand waving about hardware {whatever}'s, they are as yet not credible
> threats so you should be able to boot a suspect machine from a
> known-clean bootable removable medium and trust that environment...

Yup.

>> you cannot do proper
>> analysis on the infected system anyway. If you want to do such a thing
>> you can keep a mirror of the system for later analysis.
>
> indeed you can, but since people have been advocating "flatten and
> rebuild" rather than "make an image, flatten and rebuild" we arrive once
> again at presenting purely removal advice to people who need recovery...
>
> also, doing removal before diagnosis has the very likely chance of
> putting the system back into harm's way without taking the steps needed
> to prevent the exact same compromise from happening again...

I don't see the OP ruling out that option.
~BD~, posted June 26, 2008

"Root Kit" <b__nice@hotmail.com> wrote in message news:4jg664hdbur8bih0rk7334h2e85bs16332@4ax.com...
> On Wed, 25 Jun 2008 22:36:39 -0400, kurt wismer <kurtw@sympatico.ca>
> wrote:
>
>> Root Kit wrote:
>>> On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer <kurtw@sympatico.ca>
>>> wrote:
>>>
>>>> and analysis will be hard after you've flattened the box... analysis
>>>> first, then removal...
>>>
>>> Since an infected machine cannot be trusted,
>>
>> technically it's the suspect environment that can't be trusted...
>
> Agreed.
>
>> despite hand waving about hardware {whatever}'s, they are as yet not
>> credible
>> threats so you should be able to boot a suspect machine from a
>> known-clean bootable removable medium and trust that environment...
>
> Yup.
>
>>> you cannot do proper
>>> analysis on the infected system anyway. If you want to do such a thing
>>> you can keep a mirror of the system for later analysis.
>>
>> indeed you can, but since people have been advocating "flatten and
>> rebuild" rather than "make an image, flatten and rebuild" we arrive once
>> again at presenting purely removal advice to people who need recovery...
>>
>> also, doing removal before diagnosis has the very likely chance of
>> putting the system back into harm's way without taking the steps needed
>> to prevent the exact same compromise from happening again...
>
> I don't see the OP ruling out that option.

An interesting thread. Thanks to all!

I've posed a question to '-jen' in another thread here, but I would really appreciate comments from you knowledgeable guys too.

To save you trouble looking, here's a copy of the thread and the question I've asked:

"jen" <jen@example.com> wrote in message news:ryN7k.11262$PZ6.8370@bignews5.bellsouth.net...
> "Bushy" <djbushnell@ATGMIAL.com> wrote in message
> news:hIL7k.13862$IK1.11670@news-server.bigpond.net.au...
>> Just had a nasty run in with this trojan. Web searches tell me the best
>> and most effective way of being rid of it for sure is a reinstall and
>> reformat. Okay, I'll cop that. I shouldn't have been running dodgy bits
>> of software off the internet.
>>
>> My question is if anyone can point me to statistics or comments about
>> flec006.exe effectiveness rate? I've read it is an identity theft/
>> phishing trojan, and I want to know how likely it is that my details are
>> compromised. I've already changed passwords for anything financial in
>> nature, but should I go to the extent of contacting the banks and having
>> account numbers changed, credit card numbers changed etc etc?
>
> Yes! You have a Bagle variant. See here:
> http://forums.majorgeeks.com/showthread.php?t=148513
> FLEC006.EXE - Dangerous:
> http://fileinfo.prevx.com/spyware/qq3de627...LEC006.EXE.html
> Troj/Bagle-KP:
> http://www.sophos.com/security/analyses/vi...rojbaglekp.html
>
> -jen

Hi -jen!

I read the Major Geeks thread you posted with interest. Perhaps the most pertinent point, IMO, made by the 'helper' - 'Chaslang' - was:

"That is really the safest thing to do based on the infections you had. Also DO NOT just reinstall over your current version of Windows. You MUST DELETE YOUR PARTITION, re-partition, format, and then reinstall from scratch to be sure you are clean. Just a simple reinstalling could leave things hanging around."

I'm fairly confident that many people with a single, partitioned, hard drive will simply wipe their C: drive, re-install Windows and think they are starting afresh - clean! Any malware 'worth its salt' will simply hide on another partition and then 'jump back' again onto C: once Windows has been re-installed. That is how I read matters in simple terms. Do you agree? TIA

Dave

TIA for any further comment/guidance.

D.
Thor Kottelin, posted June 26, 2008

"~BD~" <BoaterDave@nospam.invalid> wrote in message news:%23ADjAr21IHA.2064@TK2MSFTNGP05.phx.gbl...
> I'm fairly confident that many people with a single, partitioned, hard
> drive will simply wipe their C: drive, re-install Windows and think they
> are starting afresh - clean! Any malware 'worth its salt' will simply
> hide on another partition and then 'jump back' again onto C: once
> Windows has been re-installed.

Hi Dave,

In order for malware to do anything, it must be executed.

Does a default Windows installation really run software on another partition (except using the autorun feature/backdoor/vulnerability)?

--
Thor Kottelin
http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
~BD~, posted June 26, 2008

"Thor Kottelin" <thor@anta.net> wrote in message news:3OP8k.23573$_03.1375@reader1.news.saunalahti.fi...
> "~BD~" <BoaterDave@nospam.invalid> wrote in message
> news:%23ADjAr21IHA.2064@TK2MSFTNGP05.phx.gbl...
>
>> I'm fairly confident that many people with a single, partitioned, hard
>> drive will simply wipe their C: drive, re-install Windows and think they
>> are starting afresh - clean! Any malware 'worth its salt' will simply
>> hide on another partition and then 'jump back' again onto C: once
>> Windows has been re-installed.
>
> Hi Dave,
>
> In order for malware to do anything, it must be executed.
>
> Does a default Windows installation really run software on another
> partition (except using the autorun feature/backdoor/vulnerability)?
>
> --
> Thor Kottelin
> http://www.anta.net/
>
> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/

I'm afraid I don't know the answer to your question, Thor!

I've re-read what I said and it sounds very flimsy and non-technical - I'm sorry about that!

However, it was the comment by 'Chaslang' to which I was really referring. He must have had a good reason for saying that all partitions should be deleted to make sure that a disk was really clean.

I've read about MBR infections. Could same activate malware on any unformatted partition? (I do not know the answer btw!)

Perhaps someone else will comment further.

Dave
David H. Lipman, posted June 26, 2008

From: "~BD~" <BoaterDave@nospam.invalid>

< snip >

| I'm fairly confident that many people with a single, partitioned, hard drive
| will simply wipe their C: drive, re-install Windows and think they are
| starting afresh - clean! Any malware 'worth its salt' will simply hide on
| another partition and then 'jump back' again onto C: once Windows has been
| re-installed. That is how I read matters in simple terms. Do you agree? TIA
|
| Dave
|
| TIA for any further comment/guidance.
|
| D.

No! The following is untrue...

"Any malware 'worth its salt' will simply hide on another partition and then 'jump back' again onto C: once Windows has been re-installed."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted June 26, 2008

From: "~BD~" <BoaterDave@nospam.invalid>

| I'm afraid I don't know the answer to your question, Thor!
| I've re-read what I said and it sounds very flimsy and non-technical - I'm
| sorry about that!
| However, it was the comment by 'Chaslang' to which I was really referring.
| He must have had a good reason for saying that all partitions should be
| deleted to make sure that a disk was really clean.
| I've read about MBR infections. Could same activate malware on any
| unformatted partition? ( I do not know the answer btw!)
| Perhaps someone else will comment further.
| Dave

If it is a Boot Sector Infector, a true virus, that infects other media such as a "NYB" or "Form" virus. However, they don't live well on NTFS.

If it is a Trojan such as the Win32:MBRoot it is using the MBR to stay rooted on the platform to make removal difficult.

Using the Master Boot Record does NOT mean "Any malware 'worth its salt' will simply hide on another partition and then 'jump back' again onto C: once Windows has been re-installed."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
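David's reply distinguishes boot-sector infectors from Trojans that use the MBR to stay rooted, and Dave's question was whether an MBR infection could survive a reinstall. The defender's check behind that distinction is to read the first sector of the disk and compare its bootstrap region against a hash captured from a known-good install, since an MBR-rooting Trojan lives in those 446 bytes rather than in another partition. The following Python script is an added example, not code from any participant in this thread: it parses a classic (non-GPT) MBR, lists the partition entries, and verifies the bootstrap code against a baseline. The 512-byte sector it uses is constructed for illustration, and the baseline hash is an assumption standing in for one recorded right after a clean reinstall.

```python
"""Parse a classic MBR and verify its bootstrap code against a baseline.

Added example, not from the thread. The sample sector built below is
constructed (not a real disk image) and the baseline hash is an assumption
standing in for a value captured from a known-good MBR after reinstalling.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"          # MBR signature at offset 510
PART_TABLE_OFFSET = 446         # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16            # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA, count


def build_sample_mbr(bootstrap_fill: bytes) -> bytes:
    """Construct a sample MBR: filler 'bootstrap code', two NTFS entries, signature."""
    bootstrap = (bootstrap_fill * PART_TABLE_OFFSET)[:PART_TABLE_OFFSET]
    entries = [
        # bootable NTFS (type 0x07) partition starting at LBA 2048
        struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800),
        # second, non-bootable NTFS partition
        struct.pack(ENTRY_FMT, 0x00, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 206848, 409600),
    ]
    table = b"".join(entries) + b"\x00" * (PART_ENTRY_SIZE * 2)  # two unused slots
    return bootstrap + table + BOOT_SIG


def parse_partitions(sector: bytes) -> list:
    """Return the used partition entries of an MBR, rejecting malformed sectors."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + PART_ENTRY_SIZE])
        if ptype == 0:          # type 0 marks an empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return parts


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap region only; the partition table is allowed to differ."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_bootstrap(sector: bytes, baseline_hex: str) -> bool:
    """True when the bootstrap code matches the baseline recorded from a clean install."""
    return bootstrap_hash(sector) == baseline_hex


if __name__ == "__main__":
    clean = build_sample_mbr(b"\x90")            # constructed 'clean' MBR
    baseline = bootstrap_hash(clean)             # assumption: recorded after reinstall
    suspect = build_sample_mbr(b"\xeb")          # constructed MBR with changed bootstrap
    for name, sector in (("clean", clean), ("suspect", suspect)):
        print(name, "partitions:", parse_partitions(sector))
        print(name, "bootstrap matches baseline:", check_bootstrap(sector, baseline))
```

On a real system the sector would come from a raw read of the disk's first 512 bytes (for instance from an offline image taken before the rebuild, so the comparison does not rely on the suspect machine), and the baseline would be the hash recorded immediately after a clean installation. Hashing only the bootstrap region keeps the check independent of the partition layout, which legitimately changes when the disk is repartitioned.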
Guest David H. Lipman Posted June 26, 2008

From: "Root Kit" <b__nice@hotmail.com>

| On Wed, 25 Jun 2008 17:36:01 -0400, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:

>>From: "Root Kit" <b__nice@hotmail.com>

>>| On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer <kurtw@sympatico.ca>
>>| wrote:

>>>>and analysis will be hard after you've flattened the box... analysis
>>>>first, then removal...

>>| Since an infected machine cannot be trusted, you cannot do proper
>>| analysis on the infected system anyway. If you want to do such a thing
>>| you can keep a mirror of the system for later analysis.

>>First you must define "infected".

| Well, that could probably start a whole new discussion, so how about
| sticking to the subject which indicated "executed malware"?

>>Infected with a password stealing Trojan is quite different from being infected with a
>>simple adware BHO.

| Once again (since you seem so determined to use proper terms): AdWare
| is not malware. AdWare is just a user self-induced annoyance.

>>One might consider the system to be compromised to the point of wiping and reinstalling if
>>one was infected with a password stealing Trojan but that is not the case with a
>>simple adware BHO.

| Since adware is not malware we can't disagree here.

Adware is most definitely malware. You need to dig up Marco Giuliani's writeup on the Gromozon malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest ~BD~ Posted June 26, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23KR0IF91IHA.524@TK2MSFTNGP05.phx.gbl...

> From: "~BD~" <BoaterDave@nospam.invalid>

<snip>

> No !
>
> The following is untrue...
>
> "Any malware 'worth its salt' will simply hide on another partition and
> then 'jump back'
> again onto C: once Windows has been re-installed."
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thank you for your reply, David.

As I said earlier ...

"I read the Major Geeks thread '-jen' posted with interest. Perhaps the most pertinent point, IMO, made by the 'helper' - Chaslang' - was:-

"That is really the safest thing to do based on the infections you had. Also DO NOT just reinstall over your current version of Windows. You MUST DELETE YOUR PARTITION, re-partition, format, and then reinstall from scratch to be sure you are clean. Just a simple reinstalling could leave things hanging around.""

Please will you/can you explain why 'Chaslang' may have said this? There must have been a reason. I believe he is right!

Do you, personally, feel it unnecessary to delete one's partitioning (thus losing all data) before re-partitioning, formatting and then reinstalling from scratch?

Perhaps malware can remain resident in other areas inside a computer, not just on the HD. Is this possible? If so, where else could it hide ... and for how long after power curtailed?

Dave
Guest FromTheRafters Posted June 26, 2008

"Root Kit" <b__nice@hotmail.com> wrote in message news:s4g664l1pnho40418jc31cvhpgi2fh7ids@4ax.com...

> Once again (since you seem so determined to use proper terms): AdWare
> is not malware. AdWare is just a user self-induced annoyance.

There is overlap between adware and malware. Some adware is easily fit into the trojan category since 'trojan' is defined subjectively. The trojan's payload happens to be adware related. Just because something is one does not exclude it from being the other also.