In order to remove executed malware, reinstall your operating system

Thor Kottelin

Instead of replying to every single "I have a virus" post, I am going to
say this once.

The best current practice for cleaning up a system on which malware has
been executed is to reinstall the operating system cleanly. Vendors will
offer you software, bells and whistles to no end, but the only way to be
certain that your system is clean is to reinstall it. Of course you need
to do this in a way that does not repeat whatever you did in order to have
the malware installed in the first place.

What you do need is a good antivirus and firewall product to continuously
protect you from intrusion attempts. This is absolutely vital. In
addition, your virus scanner will try to remove any non-executed malware
from e.g. incoming email. However, once malicious software has actually
run on your computer, you should reinstall.

Please believe me when I say that professional sysadmins do not wield
FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server
compromise. They try to work out how the intrusion occurred, and then they
reinstall the system from scratch, in a way that does not reopen the
previous attack window.

Your comments are welcome.

--
Thor Kottelin
http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
 
From: "Thor Kottelin"

| Instead of replying to every single "I have a virus" post, I am going to
| say this once.

| The best current practice for cleaning up a system on which malware has
| been executed is to reinstall the operating system cleanly. Vendors will
| offer you software, bells and whistles to no end, but the only way to be
| certain that your system is clean is to reinstall it. Of course you need
| to do this in a way that does not repeat whatever you did in order to have
| the malware installed in the first place.

| What you do need is a good antivirus and firewall product to continuously
| protect you from intrusion attempts. This is absolutely vital. In
| addition, your virus scanner will try to remove any non-executed malware
| from e.g. incoming email. However, once malicious software has actually
| run on your computer, you should reinstall.

| Please believe me when I say that professional sysadmins do not wield
| FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server
| compromise. They try to work out how the intrusion occurred, and then they
| reinstall the system from scratch, in a way that does not reopen the
| previous attack window.

| Your comments are welcome.

| --
| Thor Kottelin
| http://www.anta.net/

| Antivirus, firewall, parental control: http://www.anta.net/sw/norman/


Yes. Everyone should wield a sledge hammer at all flies and one size fits all.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
wrote:

>Yes. Everyone should wield a sledge hammer at all flies and one size fits all.


Well, if you don't know about the damage, better use a big tool.

See, unless you have a baseline and can revert to a known clean state
that way this is the only reasonable solution. There is NO other way
to make sure you made a full clean.

I know that what you normally promote is much more convenient - but
this is about security, not about luck and good feelings. I'm afraid
you don't understand the nature of modern malware.
 
Well, the best way to clean a machine is to leave it in the right place, pay
money and get it back after some time, cleaned and "cured". There are many ways
to get rid of viruses. One of them is to debug the machine using the WinDbg
kernel debugger, and with its help force the "bad" code to stop execution.

Re-installation of OS is not the best solution.

--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Thor Kottelin" wrote in message
news:ewxMc8r0IHA.2068@TK2MSFTNGP05.phx.gbl...
> Instead of replying to every single "I have a virus" post, I am going to
> say this once.
>
> The best current practice for cleaning up a system on which malware has
> been executed is to reinstall the operating system cleanly. Vendors will
> offer you software, bells and whistles to no end, but the only way to be
> certain that your system is clean is to reinstall it. Of course you need
> to do this in a way that does not repeat whatever you did in order to have
> the malware installed in the first place.
>
> What you do need is a good antivirus and firewall product to continuously
> protect you from intrusion attempts. This is absolutely vital. In
> addition, your virus scanner will try to remove any non-executed malware
> from e.g. incoming email. However, once malicious software has actually
> run on your computer, you should reinstall.
>
> Please believe me when I say that professional sysadmins do not wield
> FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server
> compromise. They try to work out how the intrusion occurred, and then they
> reinstall the system from scratch, in a way that does not reopen the
> previous attack window.
>
> Your comments are welcome.
>
> --
> Thor Kottelin
> http://www.anta.net/
>
> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
>
 
From: "Root Kit"

| On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
| wrote:
|
>> Yes. Everyone should wield a sledge hammer at all flies and one size fits all.

|
| Well, if you don't know about the damage, better use a big tool.
|
| See, unless you have a baseline and can revert to a known clean state
| that way this is the only reasonable solution. There is NO other way
| to make sure you made a full clean.
|
| I know that what you normally promote is much more convenient - but
| this is about security, not about luck and good feelings. I'm afraid
| you don't understand the nature of modern malware.

Actually I do.

I wouldn't wipe a system and reinstall the OS just because the user has an adware BHO.
One size does NOT fit all.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
On Fri, 20 Jun 2008 18:25:14 -0400, "David H. Lipman"
wrote:

>I wouldn't wipe a system and reinstall the OS just because the user has an adware BHO.


Of course not. Adware is not malware. It's just a user-induced
problem.

>One size does NOT fit all.


When dealing with the unknown, yes. And that's true in the vast
majority of cases.
 
Re: In order to remove executed malware, reinstall your operating system

Root Kit wrote:
> On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
> wrote:
>
>> Yes. Everyone should wield a sledge hammer at all flies and one size fits all.

>
> Well, if you don't know about the damage, better use a big tool.
>
> See, unless you have a baseline and can revert to a known clean state
> that way this is the only reasonable solution. There is NO other way
> to make sure you made a full clean.
>
> I know that what you normally promote is much more convenient - but
> this is about security, not about luck and good feelings. I'm afraid
> you don't understand the nature of modern malware.

it is you who does not understand the nature of modern malware if you
think a generic removal procedure like wipe-n-reinstall is sufficient
for recovery....

it's no longer just about what *got on to* your computer but also about
what *got out*... a generic removal procedure won't help you determine
what kinds of sensitive information may have gotten leaked and the
frequency of compromise for most average people makes acting like it all
got leaked each time completely unmanageable...

diagnosis/thorough knowledge is required in order to have some idea of
what secondary effects the malware might have had besides just intruding
into the pc, and once such thorough knowledge is had the sledge hammer
approach is no longer necessary...

generic removal (note, not the same as recovery) may still be more
expedient once you have thorough knowledge of the problem, but
wipe-n-reinstall is still sub-optimal... restoring from an image is
better as you don't run the risk of forgetting to apply security-related
configuration changes that you made the first time 'round... also, it's
generally faster than re-installing...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 
"Thor Kottelin" wrote in message
news:ewxMc8r0IHA.2068@TK2MSFTNGP05.phx.gbl...
> Instead of replying to every single "I have a virus" post, I am going to
> say this once.
>
> The best current practice for cleaning up a system on which malware has
> been executed is to reinstall the operating system cleanly.


Generally yes, but if a *known* malware has made changes, they can
be reversed in many cases. However, once we delve into the unknown
(such as when a known trojan downloads an unknown and executes it
or a backdoor has been exposing you to unknowns) the best method is
as you have suggested - flatten and rebuild.

> Vendors will offer you software, bells and whistles to no end, but the
> only way to be certain that your system is clean is to reinstall it.


Certainty is a funny thing; how would you know the *original* problem
is not still there even after reinstalling from what you assume is *clean*?

> Of course you need to do this in a way that does not repeat whatever you
> did in order to have the malware installed in the first place.


Knowing the malware involved could give a hint as to what method was
used to attain the result desired by the malware author. A SuperAnti-
wild-assed-guess -- flatten and rebuild approach does nothing to counter
the *next* one using the same or similar method. Best to analyze the
intrusion and take action. Your method does not of course prevent
someone from saving the compromised system aside (maybe the HD)
for forensic study, and placing a (cough) *clean* system in its place.

> What you do need is a good antivirus and firewall product to continuously
> protect you from intrusion attempts. This is absolutely vital. In
> addition, your virus scanner will try to remove any non-executed malware
> from e.g. incoming email. However, once malicious software has actually
> run on your computer, you should reinstall.


I agree, with the stipulation that the malware does something leading to
the *unknown* factor. It is perfectly alright to remove known changes.

Some malware is really simple to remove, so why go overboard.

> Please believe me when I say that professional sysadmins do not wield
> FixCleanSuperThis or WizKillHyperThat when cleaning up after e.g. a server
> compromise. They try to work out how the intrusion occurred, and then they
> reinstall the system from scratch, in a way that does not reopen the
> previous attack window.


Sysadmins probably don't load their servers up with *fluff* that they
feel they need to reinstall. Most users have lots and lots of stuff they
haven't even backed up, let alone incorporated into their reinstallation
media, that they just can't live without.

Sure, the result of getting bitten *should* be pain - the recovery process
should leave a lasting impression on the user to learn how to avoid the
clearly avoidable and backup - backup-backup!
 
"Root Kit" wrote in message
news:3m4n54de8aa2oueqtc4gdt06u5j3bn4vvb@4ax.com...
> On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
> wrote:
>
>>Yes. Everyone should wield a sledge hammer at all flies and one size fits
>>all.

>
> Well, if you don't know about the damage, better use a big tool.
>
> See, unless you have a baseline and can revert to a known clean state
> that way this is the only reasonable solution. There is NO other way
> to make sure you made a full clean.
>
> I know that what you normally promote is much more convenient - but
> this is about security, not about luck and good feelings. I'm afraid
> you don't understand the nature of modern malware.

Sorry - but that deserves a LOL - ...and I seldom LOL.
 
On Sat, 21 Jun 2008 11:37:41 -0400, kurt wismer
wrote:

>it is you who does not understand the nature of modern malware if you
>think a generic removal procedure like wipe-n-reinstall is sufficient
>for recovery....


How did you get the idea I might think that was sufficient? We were
talking about removing malware from an infected machine - not about
total recovery.

>it's no longer just about what *got on to* your computer but also about
>what *got out*... a generic removal procedure won't help you determine
>what kinds of sensitive information may have gotten leaked and the
>frequency of compromise for most average people makes acting like it all
>got leaked each time completely unmanageable...


What "got out" is a little hard to get back, isn't it? - Anyway,
cleaning an infected machine and doing forensic analysis are two
different things.

>diagnosis/thorough knowledge is required in order to have some idea of
>what secondary effects the malware might have had besides just intruding
>into the pc, and once such thorough knowledge is had the sledge hammer
>approach is no longer necessary...


Once again, unless you have a baseline you cannot obtain such
"thorough knowledge".

>generic removal (note, not the same as recovery) may still be more
>expedient once you have thorough knowledge of the problem, but
>wipe-n-reinstall is still sub-optimal...


Once again, unless you have a baseline you cannot obtain such
"thorough knowledge".

>restoring from an image is
>better as you don't run the risk of forgetting to apply security-related
>configuration changes that you made the first time 'round... also, it's
>generally faster than re-installing...


Yes, it may be better. I usually use the phrase "revert to a known
clean state" - which ultimately (unless you have something like a
known good image) means flatten and rebuild.
 
On Sat, 21 Jun 2008 17:28:07 -0400, "FromTheRafters"
wrote:

>
>"Root Kit" wrote in message
>news:3m4n54de8aa2oueqtc4gdt06u5j3bn4vvb@4ax.com...
>> On Fri, 20 Jun 2008 06:37:06 -0400, "David H. Lipman"
>> wrote:
>>
>>>Yes. Everyone should wield a sledge hammer at all flies and one size fits
>>>all.

>>
>> Well, if you don't know about the damage, better use a big tool.
>>
>> See, unless you have a baseline and can revert to a known clean state
>> that way this is the only reasonable solution. There is NO other way
>> to make sure you made a full clean.
>>
>> I know that what you normally promote is much more convenient - but
>> this is about security, not about luck and good feelings. I'm afraid
>> you don't understand the nature of modern malware.
>
>Sorry - but that deserves a LOL - .

Yes. The idea of malware "removal" for average users is quite
laughable.

>..and I seldom LOL.


There's always room for improvement.
 
Re: In order to remove executed malware, reinstall your operating system

Root Kit wrote:
> On Sat, 21 Jun 2008 11:37:41 -0400, kurt wismer
> wrote:
>
>> it is you who does not understand the nature of modern malware if you
>> think a generic removal procedure like wipe-n-reinstall is sufficient
>> for recovery....

>
> How did you get the idea I might think that was sufficient? We were
> talking about removing malware from an infected machine - not about
> total recovery.

contextlessly advocating a generic removal procedure (ie. advocating it
without even giving a hint that there's a lot more to recovery than just
removal) sends the message that flattening and rebuilding is all anyone
really needs to do... at least it does to the neophytes struggling with
the problem of amateur malware incident response that the OP was
addressing en masse...

>> it's no longer just about what *got on to* your computer but also about
>> what *got out*... a generic removal procedure won't help you determine
>> what kinds of sensitive information may have gotten leaked and the
>> frequency of compromise for most average people makes acting like it all
>> got leaked each time completely unmanageable...

>
> What "got out" is a little hard to get back, isn't it?

yes, but if you have an idea of what got out you can, for most
information of interest to the bad guys, remove any value that
information might have had...

> - Anyway,
> cleaning an infected machine and doing forensic analysis are two
> different things.


and analysis will be hard after you've flattened the box... analysis
first, then removal...

>> diagnosis/thorough knowledge is required in order to have some idea of
>> what secondary effects the malware might have had besides just intruding
>> into the pc, and once such thorough knowledge is had the sledge hammer
>> approach is no longer necessary...

>
> Once again, unless you have a baseline you cannot obtain such
> "thorough knowledge".

while you may be content to give advice that assumes such a baseline
doesn't exist, i prefer advice that promotes creating such baselines...

you said, after all, that your interest was in security rather than luck
and good feelings - people aren't going to get real security without
being prepared...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
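Root Kit's point about a baseline, and kurt's point that advice should promote creating one, come down to a concrete artifact: a manifest of file hashes taken while the system is known clean, stored off the machine, and compared later from a known-clean boot medium. The following is an added example of such a manifest tool, written for this page; it is not code from any poster in the thread. Every function name is the editor's own, and the sample tree and "compromise" it operates on are constructed inline.

```python
"""Baseline manifest: hash a known-clean tree, later diff the live tree against it.

Added example. Keep the manifest off the suspect machine and run the comparison
from a known-clean boot medium: a compromised OS can lie about its own files.
"""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> {sha256, size} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # only regular files are hashed; links and devices are skipped
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return manifest


def save_manifest(manifest, path):
    """Write the baseline as sorted JSON (meant for removable or remote storage)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Files that appeared, disappeared or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline
        if p in current and baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed sample tree: take a baseline, simulate a compromise, diff."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "system32"))
        with open(os.path.join(root, "system32", "kernel.bin"), "wb") as f:
            f.write(b"MZ clean kernel image (constructed)")
        with open(os.path.join(root, "system32", "config.ini"), "w") as f:
            f.write("autorun=off\n")
        manifest_path = os.path.join(store, "baseline.json")  # "off-machine" copy
        save_manifest(build_manifest(root), manifest_path)

        # Simulated compromise: one system file patched, one new binary dropped.
        with open(os.path.join(root, "system32", "kernel.bin"), "ab") as f:
            f.write(b" + injected code (constructed)")
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ dropped payload (constructed)")

        return compare(load_manifest(manifest_path), build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff only tells you what changed relative to the state you recorded; if the baseline was taken after the compromise, the comparison is silent about it. That is the same limitation Root Kit describes: without a trustworthy known-clean state there is nothing to compare against.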
 
On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer
wrote:

>and analysis will be hard after you've flattened the box... analysis
>first, then removal...


Since an infected machine cannot be trusted, you cannot do proper
analysis on the infected system anyway. If you want to do such a thing
you can keep a mirror of the system for later analysis.
 
From: "Root Kit"

| On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer
| wrote:

>>and analysis will be hard after you've flattened the box... analysis
>>first, then removal...


| Since an infected machine cannot be trusted, you cannot do proper
| analysis on the infected system anyway. If you want to do such a thing
| you can keep a mirror of the system for later analysis.

First you must define "infected".

Infected with a password stealing Trojan is quite different from being infected with a
simple adware BHO.

One might consider the system to be compromised to the point of wiping and reinstalling if
one was infected with a password stealing Trojan, but that is not the case with a
simple adware BHO.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Re: In order to remove executed malware, reinstall your operating system

Root Kit wrote:
> On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer
> wrote:
>
>> and analysis will be hard after you've flattened the box... analysis
>> first, then removal...

>
> Since an infected machine cannot be trusted,

technically it's the suspect environment that can't be trusted... despite
hand waving about hardware {whatever}'s, they are as yet not credible
threats so you should be able to boot a suspect machine from a
known-clean bootable removable medium and trust that environment...

> you cannot do proper
> analysis on the infected system anyway. If you want to do such a thing
> you can keep a mirror of the system for later analysis.


indeed you can, but since people have been advocating "flatten and
rebuild" rather than "make an image, flatten and rebuild" we arrive once
again at presenting purely removal advice to people who need recovery...

also, doing removal before diagnosis has the very likely chance of
putting the system back into harm's way without taking the steps needed
to prevent the exact same compromise from happening again...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 
On Wed, 25 Jun 2008 17:36:01 -0400, "David H. Lipman"
wrote:

>From: "Root Kit"
>
>| On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer
>| wrote:
>
>>>and analysis will be hard after you've flattened the box... analysis
>>>first, then removal...

>
>| Since an infected machine cannot be trusted, you cannot do proper
>| analysis on the infected system anyway. If you want to do such a thing
>| you can keep a mirror of the system for later analysis.
>
>First you must define "infected".

Well, that could probably start a whole new discussion, so how about
sticking to the subject which indicated "executed malware"?

>Infected with a password stealing Trojan is quite different from being infected with a
>simple adware BHO.


Once again (since you seem so determined to use proper terms): AdWare
is not malware. AdWare is just a user self-induced annoyance.

>One might consider the system to be compromised to the point of wiping and reinstalling if
>one was infected with a password stealing Trojan, but that is not the case with a
>simple adware BHO.


Since adware is not malware we can't disagree here.
 
On Wed, 25 Jun 2008 22:36:39 -0400, kurt wismer
wrote:

>Root Kit wrote:
>> On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer
>> wrote:
>>
>>> and analysis will be hard after you've flattened the box... analysis
>>> first, then removal...

>>
>> Since an infected machine cannot be trusted,
>
>technically it's the suspect environment that can't be trusted...

Agreed.

>despite hand waving about hardware {whatever}'s, they are as yet not credible
>threats so you should be able to boot a suspect machine from a
>known-clean bootable removable medium and trust that environment...


Yup.

>> you cannot do proper
>> analysis on the infected system anyway. If you want to do such a thing
>> you can keep a mirror of the system for later analysis.

>
>indeed you can, but since people have been advocating "flatten and
>rebuild" rather than "make an image, flatten and rebuild" we arrive once
>again at presenting purely removal advice to people who need recovery...
>
>also, doing removal before diagnosis has the very likely chance of
>putting the system back into harm's way without taking the steps needed
>to prevent the exact same compromise from happening again...

I don't see the OP ruling out that option.
 
"Root Kit" wrote in message
news:4jg664hdbur8bih0rk7334h2e85bs16332@4ax.com...
> On Wed, 25 Jun 2008 22:36:39 -0400, kurt wismer
> wrote:
>
>>Root Kit wrote:
>>> On Tue, 24 Jun 2008 20:00:10 -0400, kurt wismer
>>> wrote:
>>>
>>>> and analysis will be hard after you've flattened the box... analysis
>>>> first, then removal...
>>>
>>> Since an infected machine cannot be trusted,

>>
>>technically it's the suspect environment that can't be trusted...
>
> Agreed.
>
>>despite hand waving about hardware {whatever}'s, they are as yet not
>>credible
>>threats so you should be able to boot a suspect machine from a
>>known-clean bootable removable medium and trust that environment...

>
> Yup.
>
>>> you cannot do proper
>>> analysis on the infected system anyway. If you want to do such a thing
>>> you can keep a mirror of the system for later analysis.

>>
>>indeed you can, but since people have been advocating "flatten and
>>rebuild" rather than "make an image, flatten and rebuild" we arrive once
>>again at presenting purely removal advice to people who need recovery...
>>
>>also, doing removal before diagnosis has the very likely chance of
>>putting the system back into harm's way without taking the steps needed
>>to prevent the exact same compromise from happening again...
>
> I don't see the OP ruling out that option.

An interesting thread. Thanks to all! :)

I've posed a question to '-jen' in another thread here, but I would really
appreciate comments from you knowledgeable guys too. To save you trouble
looking, here's a copy of the thread and the question I've asked:-

***************************************************

"jen" wrote in message
news:ryN7k.11262$PZ6.8370@bignews5.bellsouth.net...
> "Bushy" wrote in message
> news:hIL7k.13862$IK1.11670@news-server.bigpond.net.au...
>> Just had a nasty run-in with this trojan. Web searches tell me the best
>> and most effective way of being rid of it for sure is a reinstall and
>> reformat. Okay, I'll cop that. I shouldn't have been running dodgy bits
>> of software off the internet.
>>
>> My question is if anyone can point me to statistics or comments about
>> flec006.exe effectiveness rate? I've read it is an identity theft/
>> phishing trojan, and I want to know how likely it is that my details are
>> compromised. I've already changed passwords for anything financial in
>> nature, but should I go to the extent of contacting the banks and having
>> account numbers changed, credit card numbers changed etc etc?

>
> Yes! You have a Bagle variant. See here:
> http://forums.majorgeeks.com/showthread.php?t=148513
> FLEC006.EXE - Dangerous:
> http://fileinfo.prevx.com/spyware/qq3de627...LEC006.EXE.html
> Troj/Bagle-KP:
> http://www.sophos.com/security/analyses/vi...rojbaglekp.html
>
> -jen
>

Hi -jen!

I read the Major Geeks thread you posted with interest. Perhaps the most
pertinent point, IMO, made by the 'helper' - Chaslang' - was:-

"That is really the safest thing to do based on the infections you had. Also
DO NOT just reinstall over your current version of Windows. You MUST DELETE
YOUR PARTITION, re-partition, format, and then reinstall from scratch to be
sure you are clean. Just a simple reinstalling could leave things hanging
around."

I'm fairly confident that many people with a single, partitioned, hard drive
will simply wipe their C: drive, re-install Windows and think they are
starting afresh - clean! Any malware 'worth its salt' will simply hide on
another partition and then 'jump back' again onto C: once Windows has been
re-installed. That is how I read matters in simple terms. Do you agree? TIA

Dave

**********************************************************

TIA for any further comment/guidance.

D.
 
"~BD~" wrote in message
news:%23ADjAr21IHA.2064@TK2MSFTNGP05.phx.gbl...

> I'm fairly confident that many people with a single, partitioned, hard
> drive
> will simply wipe their C: drive, re-install Windows and think they are
> starting afresh - clean! Any malware 'worth its salt' will simply hide
> on
> another partition and then 'jump back' again onto C: once Windows has
> been
> re-installed.


Hi Dave,

In order for malware to do anything, it must be executed.

Does a default Windows installation really run software on another
partition (except using the autorun feature/backdoor/vulnerability)?

--
Thor Kottelin
http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
 
"Thor Kottelin" wrote in message
news:3OP8k.23573$_03.1375@reader1.news.saunalahti.fi...
> "~BD~" wrote in message
> news:%23ADjAr21IHA.2064@TK2MSFTNGP05.phx.gbl...
>
>> I'm fairly confident that many people with a single, partitioned, hard
>> drive
>> will simply wipe their C: drive, re-install Windows and think they are
>> starting afresh - clean! Any malware 'worth its salt' will simply hide on
>> another partition and then 'jump back' again onto C: once Windows has
>> been
>> re-installed.

>
> Hi Dave,
>
> In order for malware to do anything, it must be executed.
>
> Does a default Windows installation really run software on another
> partition (except using the autorun feature/backdoor/vulnerability)?
>
> --
> Thor Kottelin
> http://www.anta.net/
>
> Antivirus, firewall, parental control: http://www.anta.net/sw/norman/
>
>

I'm afraid I don't know the answer to your question, Thor! :(

I've re-read what I said and it sounds very flimsy and non-technical - I'm
sorry about that!

However, it was the comment by 'Chaslang' to which I was really referring.
He must have had a good reason for saying that all partitions should be
deleted to make sure that a disk was *really* clean.

I've read about MBR infections. Could the same activate malware on any
unformatted partition? ( I do not know the answer btw!)

Perhaps someone else will comment further.

Dave
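Dave's question about MBR infections, and the earlier advice to boot a suspect machine from a known-clean removable medium, can be illustrated with the disk layout itself: the master boot record is sector 0 of the disk, outside every partition, so reformatting C: alone does not touch it. The following is an added example written for this page, not code from anyone in the thread. It parses a classic MBR sector, lists the partition entries, and compares the boot-code hash with one recorded while the disk was known clean. All function names are the editor's own and the sample sectors are constructed in the code; no real disk is read.

```python
"""Inspect a classic MBR (disk sector 0) and check its boot code against a baseline.

Added example with constructed sample sectors. Layout of the 512-byte sector:
bytes 0..445 bootstrap code, 446..509 four 16-byte partition entries, 510..511 0x55AA.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446
TABLE_OFFSET = 446
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<BBHBBHII"


def parse_entry(raw):
    status, _sh, _scs, ptype, _eh, _ecs, lba_start, count = struct.unpack(ENTRY_FMT, raw)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": count}


def parse_mbr(sector):
    """Return the boot-code hash and the used partition entries of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_LEN
        entry = parse_entry(sector[off:off + ENTRY_LEN])
        if entry["type"] != 0x00:  # type 0 marks an unused slot
            parts.append(entry)
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
        # Each entry covers sectors from lba_start onward; sector 0 belongs to none
        # of them, which is why formatting a volume leaves the boot code in place.
        "sector0_inside_a_partition": any(p["lba_start"] == 0 for p in parts),
    }


def check_bootcode(sector, known_good_sha256):
    """Parse the sector and flag whether its boot code matches the recorded baseline."""
    info = parse_mbr(sector)
    info["bootcode_matches_baseline"] = info["bootcode_sha256"] == known_good_sha256
    return info


def build_mbr(bootcode, partitions):
    """Constructed sector from boot-code bytes and (bootable, type, lba_start, sectors) tuples."""
    code = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, 0, 0, ptype, 0, 0, lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(4 * ENTRY_LEN, b"\x00")[:4 * ENTRY_LEN]
    return code + table + SIGNATURE


def demo():
    # Two NTFS-type (0x07) partitions standing in for C: and D:.
    layout = [(True, 0x07, 63, 40000000), (False, 0x07, 40000063, 20000000)]
    clean = build_mbr(b"constructed stand-in for clean boot code", layout)
    baseline = parse_mbr(clean)["bootcode_sha256"]  # recorded while the disk was known clean

    # Same partition table, different boot code: an MBR infection leaves C: and D:
    # exactly as they were, so a reformat of C: would not remove it.
    tampered = build_mbr(b"constructed stand-in for altered boot code", layout)
    return {"clean": check_bootcode(clean, baseline),
            "tampered": check_bootcode(tampered, baseline)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, "bootcode matches baseline:", info["bootcode_matches_baseline"],
              "partitions:", len(info["partitions"]))
```

To feed it a real sector, read LBA 0 from the clean boot medium rather than from the running suspect OS, for example `dd if=/dev/sda bs=512 count=1 of=mbr.bin` on a Linux live system, and pass the 512 bytes to `check_bootcode`. The parser handles the classic MBR only; a GPT disk carries a protective MBR in sector 0 and keeps its real partition table in the following sectors, so the same "outside any partition" caveat applies there too. Deleting and recreating all partitions, as 'Chaslang' advised, still leaves sector 0 untouched unless the boot code is rewritten, which is what the Windows installer does when it writes a new boot record.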
 