XP Home infected , cannot restore


tommy

I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a normal
windows screen to. It boots to a desktop wallpaper, no icons, no taskbar, no
systray. Have to use task manager to run programs [ with the "create new
task / run" function ].

The virus has somehow modified permissions to stop AV programs [ and certain
others with error message insufficient permissions ] from running. I tricked
it by installing to alternate directories, like program files\malwarebytes2
and programfiles\HJT2, and have run these in safe mode. Mbam told me that it
found 6 trojans, and removed them, but I still cannot boot to the desktop
with icons again. I see only the wallpaper when booted up. [ nothing in
safemode except the safemode stamps in the corners ]

I cannot find the gpedit.msc. I cannot open windows explorer to allow hidden
files to show.
I can open mmc.msc, but cannot find the gpedit snap-on available.

I ran the latest McAfee Stinger. Found nothing. Ran mbam full scan found no
additional viruses.

Process list is very clean: very little CPU activity is seen. Every process
is at zero after booting. It is so clean that I suspect somebody else has
come in and cleaned the extraneous processes.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

The HJT log shows that there are lots of BHOs, other entries, etc., and I can
see nothing unusual in it, but as above, when booted, no activity is noted.
 

CuMorrigu

CuMorrigu had written this in response to
http://www.secure-gear.com/antivirus/XP-Home-infected-cannot-restore-32744-.htm:
What I would do is boot from a jump drive into another OS and delete some
of the files off of it that way.

UBCD4Win (http://www.ubcd4win.com) has a utility in the install directory
that will let you create a USB drive that you can boot off of and run win.
I believe you can even modify it to run AV.

If you like linux, Fedora has a new tool out that will do the same thing,
except with linux. (https://fedorahosted.org/liveusb-creator/)

I would recommend ClamAV for the Linux distro, it's free and it's good.

Once you are booted off of the jump drive run the A/V scan that comes with
it on your internal HDD and clean it up that way.

That is all if you can't get into the HDD. Once you do get into the HDD,
try running TrendMicro's HouseCall (http://housecall.trendmicro.com/) and
Kaspersky's (it's down right now) online A/V tool. The reason I like
running the online programs for cleaning an infected machine is that 1)
you know it's going to be clean, and 2) you can run multiple programs w/o
having to worry about installing them on your machine (you can only have
one A/V program).

Once I get the online A/V scans done I install my A/V program, I usually
use either AVG Free (http://free.avg.com/us-en/homepage) or the A/V
program included in Iolo's System Mechanic Pro (http://www.iolo.com/). I
REALLY like Iolo, lots of great tools to help you out for a not too bad
price. I also know that it used to be (don't know if this still works) that
if you downloaded the demo and then bought the product through the demo,
you could save like half of the price.

Once you get all of that done, it's time for the Malware scanners. I
usually use a cocktail, Adaware by Lavasoft, Spybot Search and Destroy and
Windows Defender. With those three you'll catch just about everything. I
then usually leave Spybot SnD on there, it's got some useful tools under
the advanced settings.

CuMo


 

FromTheRafters

....and *then* flatten and rebuild?

 

tommy

ASCII said:
I didn't think the group policy editor came in the home edition,
unless you put it in later as I did http://tinyurl.com/gpedit-msc


Lots of BHOs aren't unusual?

9 BHOs

if you want to see it [ I know this isn't the usual place to post it ]

here it is, see if you see anything [ sending to your email addr ]
 

ASCII

tommy said:
I didn't think the group policy editor came in the home edition,
unless you put it in later as I did http://tinyurl.com/gpedit-msc


Lots of BHOs aren't unusual?

9 BHOs

if you want to see it [ I know this isn't the usual place to post it ]

here it is, see if you see anything [ sending to your email addr ]

Like many who frequent this and other fora populated with the more esoteric
elements of usenet, I employ a bogus email addy, as you probably have found out
by now.
FWIW: I use HJT to delete ("fix") any BHOs that appear,
usually after a new or re-installation of the OS.
IOW: there aren't any on my system; even one is too many.
 

tommy

I am now running Sophos under Multi-AV. I tricked the virus again by
changing the name of Startmenu to Startmenu2 after copying the AV-CLS folder
to the target. It's been hours. I am going to try them all, but since MBAM
usually gets this stuff, I will be amazed if it's cleared up the whole
problem.
 

tommy

Sophos found nothing except some [ minor? ] corrupted files. > 8 hrs scanning.
Trend found 1 [ minor? ] spyware item. Still no improvement.
I am going to try searching for registry items after McAfee and KAV.
MultiAV is a nice idea.
 

tommy

The Central Scrutinizer said:
How are you certain this was caused by a virus?


The guy said he had experienced re-direction dating back to 6 mos ago.
He has little pc experience.
There were viruses on there. Malwarebytes took off 6 of them.
Important programs were blocked by policy [permissions], including all
antivirus pgms. [ I had to change names for any AV client to run ]
He has a restore partition, but wants to do that himself.
I was able to install gpedit, but no policies had been set.
 

The Central Scrutinizer

Sounds like the whole operation needs to be nuked! Holy crap
on all of that!!!!

 

Shadow

I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a normal
windows screen to. It boots to a desktop wallpaper, no icons, no taskbar, no
systray. Have to use task manager to run programs [ with the "create new
task / run" function ].
My friend, boot a nice little linux dist, move as much of your
data as you can to some other media (burn it to DVDs), then reformat,
reinstall windows. Your "executable" "open-withs" are probably all
re-directed to the bad-guy-worm/trojan.
Not much you can do about it. Unless you don't mind weeks and
weeks of painful cleaning-up.
A linux dist with clamav or f-prot will probably clean up the
bad guy, but not the registry damage.
Format.
[]'s
Is that really 500Mb or a typo? Or are you referring to RAM?
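Shadow's diagnosis above (the .exe "open-withs" redirected, registry damage a file scan will not undo) and tommy's earlier observation that AV programs only run once renamed and installed elsewhere both point at a handful of registry locations. The script below is an added example, not code from anyone in the thread: it audits a regedit (.reg) export of those keys for the exefile open command, the Winlogon Shell, Explorer DisallowRun/NoDesktop policies and Image File Execution Options Debugger entries. The key paths are the stock XP ones; the sample export and its "_placeholder.exe" paths are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a regedit export (NOT from the thread). Paths ending in
# "_placeholder.exe" stand in for whatever the malware dropped; the key names are
# the stock XP locations for the .exe handler, the logon shell, Explorer run
# policies and Image File Execution Options (IFEO).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\hijack_placeholder.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\system32\\shell_placeholder.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
"NoDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="mbam.exe"
"2"="HijackThis.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\hijack_placeholder.exe"
'''

# The same keys as they look on a stock XP install (also constructed).
CLEAN_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

EXEFILE_CMD = r'hkey_classes_root\exefile\shell\open\command'
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
POLICIES = r'hkey_current_user\software\microsoft\windows\currentversion\policies\explorer'
IFEO = r'hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options'


def _decode_value(raw: str) -> object:
    """Decode quoted strings (backslash escapes) and dword values; others stay raw."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key path: {value name: value}}, names lowercased,
    default value under ''. Assumes the UTF-16 export is already decoded to str."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and '=' in line:
            name, _, value = line.partition('=')
            name = '' if name == '@' else name.strip('"').lower()
            keys[current][name] = _decode_value(value)
    return keys


def check_reg(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """One finding per deviation from the stock XP values at the keys above."""
    findings: List[str] = []
    cmd = keys.get(EXEFILE_CMD, {}).get('')
    if isinstance(cmd, str) and cmd.strip().lower() != '"%1" %*':
        findings.append(f'exefile open command redirected: {cmd}')
    shell = keys.get(WINLOGON, {}).get('shell')
    if isinstance(shell, str) and shell.strip().lower() != 'explorer.exe':
        findings.append(f'Winlogon Shell is not explorer.exe: {shell}')
    policies = keys.get(POLICIES, {})
    for name in ('disallowrun', 'nodesktop', 'norun'):
        if policies.get(name) == 1:
            findings.append(f'Explorer policy set: {name}')
    for value in keys.get(POLICIES + '\\disallowrun', {}).values():
        findings.append(f'DisallowRun blocks: {value}')
    for key, values in keys.items():
        if key.startswith(IFEO + '\\') and 'debugger' in values:
            exe = key.rsplit('\\', 1)[-1]
            findings.append(f'IFEO Debugger on {exe}: {values["debugger"]}')
    return findings


def audit(text: str) -> List[str]:
    return check_reg(parse_reg(text))
```

Running audit(SAMPLE_REG) reports seven findings (redirected .exe handler, replaced shell, two policies, two blocked program names, one IFEO entry); audit(CLEAN_REG) reports none.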
 

tommy

Shadow said:
I have an XP home pc, 2.5ghz, 500mb system that I cannot restore a
normal windows screen to. It boots to a desktop wallpaper, no icons,
no taskbar, no systray. Have to use task manager to run programs [
with the "create new task / run" function ].
My friend, boot a nice little linux dist, move as much of your
data as you can to some other media (burn it to DVDs), then reformat,
reinstall windows. Your "executable" "open-withs" are probably all
re-directed to the bad-guy-worm/trojan.
Not much you can do about it. Unless you don't mind weeks and
weeks of painful cleaning-up.
A linux dist with clamav or f-prot will probably clean up the
bad guy, but not the registry damage.
Format.
[]'s
Is that really 500Mb or a typo ? Or are you referring to ram ?

500 MB RAM.
I have used TRK Trinity Rescue Kit which is similar to what you suggest.
Do you know of more like TRK?

The kit is going to reinstall. He wants to do it himself. There is a drive
D: restore partition activated by hitting F10.

I have gotten lots of these cleaned by using MBAM and followup by some other
general purpose AV clients. This is just an unusually difficult one.
 

Glen

Sell your ****ing PC and give us all a rest!



 

Shadow

Shadow said:
On Fri, 16 Oct 2009 09:42:51 -0500, "tommy"

Format.
[]'s
Is that really 500Mb or a typo ? Or are you referring to ram ?

500 mb ram
I have used TRK Trinity Rescue Kit which is similar to what you suggest.
Do you know of more like TRK?
If you are not familiar with linux it is probably the best
choice. I had a brief look at the home page and it appears to be made
for these cases. But any live-cd bootable linux dist will do, slax,
puppy, LFS, even ubuntu.
If you have a fast connection, you can download f-prot or
Clamav and the latest databases to most of these (I'm sure you can
with ubuntu), to scan the harddisk. Not sure what TRK comes with.
The kit is going to reinstall. He wants to do it himself. There is a drive
D: restore partition activated by hitting F10
Good. I'd scan that D: drive first. It might be where the
bad-guy is. Use the "scan all file types" option.
I have gotten lots of these cleaned by using MBAM and followup by some other
general purpose AV clients. This is just an unusually difficult one.
They always leave a "broken" system behind. Unless you are
keeping the data for "sentimental" purposes, I'd just reformat. I
still have DOS 6.2 on a partition, can't even boot it, it's there
because ... well, because :)
PS. Ignore the nasty guy. He's just a bot.
 

tommy

Glen said:
Sell your ****ing PC and give us all a rest!




My PC is not infected. I was finished posting on this subject, and Shadow
had to ask a question. Please read the whole thread. This is repetitive.
Interesting, however. I did find that some posters on comp.security.firewalls
believe in reinstalling if even one virus appears!
 

tommy

Shadow said:
Shadow said:
On Fri, 16 Oct 2009 09:42:51 -0500, "tommy"

Format.
[]'s
Is that really 500Mb or a typo ? Or are you referring to ram ?

500 mb ram
I have used TRK Trinity Rescue Kit which is similar to what you
suggest.
Do you know of more like TRK?
If you are not familiar with linux it is probably the best
choice. I had a brief look at the home page and it appears to be made
for these cases. But any live-cd bootable linux dist will do, slax,
puppy, LFS, even ubuntu.
If you have a fast connection, you can download f-prot or
Clamav and the latest databases to most of these (I'm sure you can
with ubuntu), to scan the harddisk. Not sure what TRK comes with.
TRK includes ClamAV dos. and three others; you have to have the internet
connected to use the others.
I was hoping you were familiar with TRK or some others that have this
capability built in.
Good. I'd scan that D: drive first. It might be where the
bad-guy is. Use the "scan all file types" option.
Done [ not too long ago ]
 

Rick

tommy said:
repetitive. Interesting however. I did find that some posters on
comp.security.firewalls believe in reinstalling if even one virus
appears !


They have a point in a way. Their position is that since a lot of
malware downloads and installs other malware packages, combined with the
fact that no anti-virus/malware package finds and cleans ALL malware, you
can never be sure that your computer is truly clean. In effect, since you
cannot prove a negative (that your computer is NOT infected), your only
recourse is to wipe everything clean and reinstall from a known, clean
source.

If you follow that logic just a little further, you run into other
troubling thoughts. Since new malware vectors are being found all the
time, and new malware packages that are not yet detectable are also being
released all the time, you can never _prove_ your PC is not currently
infected by some new package via a new vector. Therefore, the only
logical thing to do is to completely wipe your PC clean and reinstall
everything from a known, clean source every single day. Of course, that
is an equally silly stance.

What it all boils down to is that you need to evaluate the situation and
decide on the appropriate action for that situation. A system that is used
for basic purposes by a home user, which has had a rogue AV installed on
it and is quickly taken off the net before it is brought to you for
cleaning is one thing. A system that handles sensitive information and/or
has multiple infections including various rootkits, policy setting
changes, etc. is another thing entirely. And then there are the available
tools issues. Those who advocate "an immediate wipe and reinstall from
backup image" are completely ignoring the fact that the vast majority of
home users never _have_ a "backup image". Hell, a lot of them don't even
have OS reinstallation disks! They bought low end machines that only have
a "recovery partition" which cannot be trusted on a badly infected
machine. On the other hand, in a corporate or educational environment
where a backup image is often immediately available, it's quicker and
easier to "cure" even a minor infection by wiping and reinstalling.

The bottom line is you need to look at the system, evaluate the
situation and available tools, then make the best cost/benefit analysis
that you can. In some cases, a wipe and reinstall are called for. In
others a thorough cleaning may be called for.

Anyway, that's my 2 cents' worth...
 

tommy

IK
 
