Sigh....Rebuilding an infected computer

Friend bought a refurbished laptop from a local dealer.

He promptly got himself compromised and I'll meet with him tomorrow to
help rebuild his box.

He has copied his important folders to a flash drive.

He has an OEM installation disc provided by the dealer.


It's been quite a while since I've dealt with an infected box, so
here's what I *guess* I need to do. Comments requested.

My inclination is to:

1. Set BIOS to allow boots only from disc and disk.

2. Start up a linux live disc, inspect the flash and delete any
autorun.inf; mystery files; etc (I'll *hope* that there's been no
firmware infection).

3. Use the live disc to dd zeros to the first sector of the HD.

4. Install/update Win 7.

5. Set BIOS to allow boots only from disk

6. Create unprivileged user account

7. Disable autorun and autoplay

8. Install bitdefender, malwarebytes, and crapcleaner. (?)

9. Install FF, TB, and either openoffice or libreoffice (?)

10. Use windows to copy files from flash to disk after deep scans by the
Anti-malwares. (I suppose I could do this with Linux and avoid
connecting the clean windows to the flash exposed to dirty windows -
seems over the top!?)

11. Emphasize the importance of keeping the box current and clean; no
need to ever log on as admin; and not clicking on mystery clicks.

So what else/different do folks recommend?

TIA


0
Roger
2/20/2014 3:27:48 PM
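An added example of what step 2's inspection could look like from the Linux live disc (this is not code from the thread): a POSIX shell script that lists autorun.inf, recycle-bin look-alike folders, and hidden or executable files on a mounted flash drive, reporting only and deleting nothing. The sample layout it builds is constructed for the demo, and the file-type heuristics are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report items on a mounted flash drive
# that step 2 would want a human to look at before the files are reused.
# It never deletes anything; what to remove stays a manual decision.

# flash_triage MOUNTPOINT : print suspicious entries, one per line.
# Heuristics (an assumption of this example): autorun.inf, folders that
# imitate the Windows recycle bin, dotfiles (hidden under Linux), and
# Windows executables/scripts/shortcuts that have no business on a data stick.
flash_triage() {
    mnt="$1"
    [ -d "$mnt" ] || { echo "not a directory: $mnt" >&2; return 2; }
    find "$mnt" \( \
            -iname 'autorun.inf' \
         -o -iname 'recycler' -o -iname 'recycled' -o -iname '$recycle.bin' \
         -o \( -type f -name '.*' \) \
         -o \( -type f \( -iname '*.exe' -o -iname '*.scr' -o -iname '*.com' \
                       -o -iname '*.bat' -o -iname '*.vbs' -o -iname '*.lnk' \) \) \
         \) -print | sort
}

# flash_triage_count MOUNTPOINT : number of suspicious entries (0 = nothing found).
flash_triage_count() {
    flash_triage "$1" | grep -c . || true
}

# make_sample_flash : build a constructed stand-in for an infected stick in a
# temp directory and print its path (two legitimate files, five suspicious items).
make_sample_flash() {
    d=$(mktemp -d)
    mkdir -p "$d/Photos" "$d/RECYCLER/S-1-5-21-0"
    printf '[autorun]\nopen=photos.exe\n' > "$d/autorun.inf"
    printf 'MZ' > "$d/photos.exe"                    # executable posing as the Photos folder
    printf 'x'  > "$d/.hidden_loader"                # dotfile, invisible in a plain ls
    printf 'x'  > "$d/RECYCLER/S-1-5-21-0/loader.exe"
    printf 'x'  > "$d/Photos/holiday.jpg"            # legitimate
    printf 'x'  > "$d/letter.docx"                   # legitimate
    echo "$d"
}

# Run with --demo to see the triage output on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_flash)
    echo "suspicious entries under $sample:"
    flash_triage "$sample"
    rm -rf "$sample"
fi
```

On a real stick, mount it read-only first (`mount -o ro`) so that nothing on it can be changed or executed while you look.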

:: On Thu, 20 Feb 2014 10:27:48 -0500
:: (grc.techtalk)
:: <le5720$2fko$1@news.grc.com>
:: Roger Parks <i8k3ed@0poki.lo9> wrote:

> Friend bought a refurbished laptop from a local dealer.
> 
> He promptly got himself compromised and I'll meet with him tomorrow to
> help rebuild his box.
> 
> He has copied his important folders to a flash drive.
> 
> He has an OEM installation disc provided by the dealer.

two ways:


1: better/faster

Boot the box from a DBAN media (usb, cd) and wipe it clear, then boot
from the installation disk and rebuild the system from scratch;
install an AV and configure the system as needed, then, once done
proceed scanning the data backups to ensure they aren't infected and
then restore them

2: slow/not totally trustable

Boot the box using a "rescue CD" (avira, kaspersky, microsoft...) and
scan it cleaning whatever malware; once done, boot it from regular hdd
and run further cleaning using resident AVs and other tools; once done,
keep fingers crossed and hope you really removed any tracks of the
infection


0
ObiWan
2/20/2014 3:45:50 PM
On 02/20/2014 10:45 AM, ObiWan wrote:
> :: On Thu, 20 Feb 2014 10:27:48 -0500
> :: (grc.techtalk)
> :: <le5720$2fko$1@news.grc.com>
> :: Roger Parks <i8k3ed@0poki.lo9> wrote:
> 
>> Friend bought a refurbished laptop from a local dealer.
>>
>> He promptly got himself compromised and I'll meet with him tomorrow to
>> help rebuild his box.
[...]
> 2: slow/not totally trustable
> 
> Boot the box using a "rescue CD" (avira, kaspersky, microsoft...) and
> scan it cleaning whatever malware; once done, boot it from regular hdd
> and run further cleaning using resident AVs and other tools; once done,
> keep fingers crossed and hope you really removed any tracks of the
> infection

Without knowing the nature of the "compromise" I'd be less inclined to 
immediately go nuclear on it.

Obi's approach is one I've taken, but for the commonplace infections I 
see -- as long as it's a "fresh" infection and the malware hasn't been 
chomping away for an extended period -- a scan with Malwarebytes nearly 
always gets at the primary infection. Of course, you then scan the hell 
out of it with numerous other tools until everything comes up clean and 
you're satisfied everything is good. Takes a lot of time, but it's not 
like you have to monitor it or anything. Set the scanners to run and go 
about your business.

-- 
Mark Warner
MEPIS Linux
Registered Linux User #415318
....lose .inhibitions when replying
0
Mark
2/20/2014 5:40:15 PM
On 2/20/2014 9:45 AM, ObiWan wrote:

> 1: better/faster
>
> Boot the box from a DBAN media (usb, cd) and wipe it clear, then boot
> from the installation disk and rebuild the system from scratch;
> install an AV and configure the system as needed, then, once done
> proceed scanning the data backups to ensure they aren't infected and
> then restore them
>
> 2: slow/not totally trustable
>
> Boot the box using a "rescue CD" (avira, kaspersky, microsoft...) and
> scan it cleaning whatever malware; once done, boot it from regular hdd
> and run further cleaning using resident AVs and other tools; once done,
> keep fingers crossed and hope you really removed any tracks of the
> infection
>
>
What ObiWan said.  Double-check that you have a Windows serial number to 
activate the OS before wiping it out.

Option 2 can be faster if the infection is not severe (especially if 
there has been a lot of customization done to the OS and applications), 
but option 1 eliminates any doubt that the infection(s) is/are gone.  If 
you have downtime, burn a fresh copy of Windows Defender Offline to CD, 
boot from it, update virus definitions, and do a full scan.  Then boot 
into safe mode with networking, install/update Malwarebytes Antimalware, 
and run a full scan.  Most of the time those two actions will get you 
fixed up, but with severe infections, there may be a lot of residual 
cleanup to do after that, making option 1 more attractive.

Best of luck.
0
Tim
2/20/2014 5:46:01 PM
"Roger Parks" <> wrote in message news:le5720$2fko$1@news.grc.com...
> Friend bought a refurbished laptop from a local dealer.
>
> He promptly got himself compromised and I'll meet with him tomorrow to
> help rebuild his box.
>
> He has copied his important folders to a flash drive.
>
> He has an OEM installation disc provided by the dealer.
>
>
> It's been quite a while since I've dealt with an infected box, so
> here's what I *guess* I need to do. Comments requested.
>
> My inclination is to:
>
> 2. Start up a linux live disc, inspect the flash and delete any
> autorun.inf; mystery files; etc (I'll *hope* that there's been no
> firmware infection).

Don't forget to ask the user if he has used any other devices (flash drives, 
cameras, mobile phones... any device that may behave as a storage drive) 
on the infected machine, to check and clean them as well. Otherwise, the 
user may end up connecting an unknown (to you) device on the next week and 
may infect the computer again (or at least the user account, if it's an 
unprivileged account, although AVs should catch it too...) if the device was 
previously infected.


> 3. Use the live disc to dd zeros to the first sector of the HD.

Although it takes more time, you may want to clean the entire drive (by 
using dd on the entire device, or by using other disk clean programs like 
DBAN (as ObiWan suggests). That way, you'll clean any traces of the old 
system, and by writing to every sector, you'll cause the disk to reallocate 
any defective sectors as a bonus.

Anyway, even if you're in a hurry, I'll clean some more space than just the 
first sector, maybe the first megabyte, or the first four megabytes. This is 
done to clean traces of old boot loaders in the first track sectors, or in 
the space before the first Windows partition (which usually starts at the 
one-megabyte position).


> 10. Use windows to copy files from flash to disk after deep scans by the
> Anti-malwares. (I suppose I could do this with Linux and avoid
> connecting the clean windows to the flash exposed to dirty windows -
> seems over the top!?)

I've never seen a flash memory infected itself (mbr, boot sectors...), so if 
you've already checked for infected files and previously (step 2) deleted 
autorun.inf and other strange files (like fake "Recycle bin" folders, hidden 
executable files...), it should be ok.

Anyway, if you're unsure, you may copy the files using Linux (but you should 
check them for viruses later!), then clean the flash memory using dd, and 
finally restore it to factory default using the manufacturer program. But I 
think this shouldn't be needed at all.


> 11. Emphasize the importance of keeping the box current and clean; no
> need to ever log on as admin; and not clicking on mystery clicks.

While in step 2 and before going to step 3, you may access the old system 
program file folders and quickly check for known adware/spyware and such 
programs folders, so you can later tell the user not to reinstall programs 
<insert names here> because those programs were malware, or not to download 
anything from sites <insert names here> because the downloads are bundled 
with adware/spyware... Otherwise it takes little time before they usually 
get to the Internet to install whatever they had previously, even if it was 
known malware!


> So what else/different do folks recommend?

Installing the MVPS Hosts file and/or SpyBot S&D 1.6.x (for its hosts file 
entries and the browser restricted sites entries) would prevent that user 
from connecting to some malware sites, and prevent some adware/spyware from 
installing... I usually add it as another layer of defense. I've my own list 
of malware/adware/spyware related sites and I usually add it to the Hosts 
file too.

As a final step, once you've reinstalled Windows and programs, and 
everything is running smoothly, I'll create a complete image backup on DVDs, 
just in case the user finds a way to get the computer infected (they usually 
do, no matter how hard you try to lock it down...), so the next time you 
only need to restore that image backup.


Hope this helps... :)

0
MiguelMS
2/20/2014 6:30:05 PM
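An added example, not code from the thread, of the live-disc dd step as MiguelMS describes it: zero the first few megabytes (4 MiB by default) rather than only the first sector, refuse to touch a device that is mounted, and verify the region afterwards. The demo runs against a constructed 8 MiB image file, so nothing real is written; the mount check via /proc/mounts is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the thread: zero the start of a drive from a
# Linux live disc, following MiguelMS's advice to clear more than the
# first sector (4 MiB by default, covering the MBR, the first track and
# the gap before the first Windows partition). Refuses to touch a mounted
# device and verifies the region afterwards. The demo works on a
# constructed image file, so nothing real is written.

# wipe_head TARGET [MIB] : overwrite the first MIB mebibytes of TARGET with zeros.
wipe_head() {
    target="$1"; mib="${2:-4}"
    [ -e "$target" ] || { echo "no such target: $target" >&2; return 2; }
    # A prefix match catches partitions too: /dev/sda1 mounted means /dev/sda is in use.
    if grep -q "^$target" /proc/mounts 2>/dev/null; then
        echo "refusing: $target (or a partition on it) is mounted" >&2
        return 3
    fi
    # conv=notrunc keeps the rest of the target intact (matters for image files).
    dd if=/dev/zero of="$target" bs=1048576 count="$mib" conv=notrunc 2>/dev/null || return 1
    sync
}

# head_is_zero TARGET [MIB] : succeed if the first MIB mebibytes read back as all zeros.
head_is_zero() {
    bytes=$(( ${2:-4} * 1048576 ))
    nonzero=$(head -c "$bytes" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# make_sample_image : constructed 8 MiB image filled with random bytes, standing in
# for the laptop's drive; prints its path.
make_sample_image() {
    f=$(mktemp)
    dd if=/dev/urandom of="$f" bs=1048576 count=8 2>/dev/null
    echo "$f"
}

# Run with --demo to exercise the functions on the constructed image.
if [ "${1:-}" = "--demo" ]; then
    img=$(make_sample_image)
    wipe_head "$img" 4
    head_is_zero "$img" 4 && echo "first 4 MiB of $img are zero"
    head_is_zero "$img" 5 || echo "5th MiB untouched, as intended"
    rm -f "$img"
fi
```

For the whole-drive wipe MiguelMS also mentions, pass the drive's size in MiB as the second argument; on a real device double-check the path first, since the /proc/mounts check only guards against mounted partitions, not against naming the wrong disk.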
On 2/20/2014 9:27 AM, Roger Parks wrote:
> Friend bought a refurbished laptop from a local dealer.
>
> He promptly got himself compromised and I'll meet with him tomorrow to
> help rebuild his box.
>
> He has copied his important folders to a flash drive.
>
> He has an OEM installation disc provided by the dealer.
>
>
> It's been quite a while since I've dealt with an infected box, so
> here's what I *guess* I need to do. Comments requested.
>

You might give HitmanPro a try:
http://www.surfright.nl/en/hitmanpro

"HitmanPro is designed to work alongside existing security programs 
without any conflicts. It scans the computer quickly (less than 5 
minutes) and does not slow down the computer (except for the few minutes 
it is scanning). HitmanPro does not need to be installed. It can be run 
straight from a USB flash drive, a CD/DVD, local or network attached 
hard drive."

"HitmanPro offers you a Free Scan for a second opinion. It is designed 
to check if your security measures work. If nothing is found (and we 
sincerely hope so), then you will never need a license. When a virus is 
found, then you will receive a free 30-day license to remove the threat."

-- 
Sired, Squired, Hired, RETIRED.
0
Retired
2/20/2014 9:18:05 PM
On 2014-02-20 7:27, Roger Parks wrote:
[...]
> 2. Start up a linux live disc, inspect the flash and delete any
> autorun.inf; mystery files; etc (I'll *hope* that there's been no
> firmware infection).

I'd suggest running one or more of the bootable AV distros at this 
point. Many of the AV vendors provide .iso's you can download.

I would also suggest setting him up with some kind of *automatic* 
off-site backup solution for his personal files at the very least, given 
that this is a laptop. Carbonite, encrypted uploads to a cloud provider, 
something like that. Larger things like media, etc, can be manually 
backed up.

Regards,
Sam
0
Sam
2/20/2014 10:32:07 PM
On 02/20/14 10:45, ObiWan wrote:
> :: On Thu, 20 Feb 2014 10:27:48 -0500 :: (grc.techtalk) ::
> <le5720$2fko$1@news.grc.com> :: Roger Parks <i8k3ed@0poki.lo9>
> wrote:
>
>> Friend bought a refurbished laptop from a local dealer.
>>
>> He promptly got himself compromised and I'll meet with him tomorrow
>> to help rebuild his box.
>>
>> He has copied his important folders to a flash drive.
>>
>> He has an OEM installation disc provided by the dealer.
>
> two ways:



>
> 1: better/faster
>
> Boot the box from a DBAN media (usb, cd) and wipe it clear, then
> boot from the installation disk and rebuild the system from scratch;
> install an AV and configure the system as needed, then, once done
> proceed scanning the data backups to ensure they aren't infected and
> then restore them
>
> 2: slow/not totally trustable
>
> Boot the box using a "rescue CD" (avira, kaspersky, microsoft...)
> and scan it cleaning whatever malware; once done, boot it from
> regular hdd and run further cleaning using resident AVs and other
> tools; once done, keep fingers crossed and hope you really removed
> any tracks of the infection
>
>

Thanks for the reply and advice, OW!

ROTFLMAO...... you present a pretty clear personal inclination in a
situation like this! Don't know DBAN - I'll look into it. Why would it
be better than, say, dd'ing zeros or PRData over the whole volume?

Thanks Again, OW.
0
Roger
2/20/2014 10:40:18 PM
On 02/20/14 12:40, Mark Warner wrote:
> On 02/20/2014 10:45 AM, ObiWan wrote:

(paraphrase ..... "nuke it" .....)

>
> Without knowing the nature of the "compromise" I'd be less inclined
> to immediately go nuclear on it.


> Obi's approach is one I've taken, but for the commonplace infections
> I see -- as long as it's a "fresh" infection and the malware hasn't
> been chomping away for an extended period -- a scan with
> Malwarebytes nearly always gets at the primary infection. Of course,
> you then scan the hell out of it with numerous other tools until
> everything comes up clean and you're satisfied everything is good.
> Takes a lot of time, but it's not like you have to monitor it or
> anything. Set the scanners to run and go about your business.
>

Thanks for the reply and advice, Mark!

I should have provided some insight into the "nature of the compromise".

I learned of his situation this morning briefly over coffee. He is not a
techie; is a typical grandfather; and simply wanted his box for
mail/browsing/word documents. He was a trained engineer a long time ago.

He had problems accessing a Microsoft office document, and went to
google for help. Ended up on a page which appeared to be official
Microsoft, which sent him to a third party (forgot the name) which sold
him a repair/maintenance contract. This outfit somehow gained access to
his box (likely he downloaded a remote desktop package), replaced his
(Norton) AV with their product (I guess that his OEM gave him a single,
admin account which he used to install their garbage). He doesn't know
what else was done. The box "slowed down" significantly, and at some
point he became suspicious and googled the name of this outfit and found
numerous, serious accusations and complaints.

Per your query, it has indeed been in there for a while (one week
plus), and it has admin privilege and remote management capability. I
don't know how "wide" MBAMing goes; e.g. if they've tweaked the
registry, and/or modified or added system dlls, will MBAM
detect/replace those? I've been out of the Windows game for quite a
while (though I'll be back in shortly :-) ), and am quite rusty; so I
think that for me rebuilding would be easier. Trying to clean something
like this I'd always wonder what lingered........

Thanks Again, Mark.

0
Roger
2/20/2014 10:41:59 PM
On 02/20/14 12:46, Tim wrote:
> On 2/20/2014 9:45 AM, ObiWan wrote:
>
>> 1: better/faster
>>
>> Boot the box from a DBAN media (usb, cd) and wipe it clear, then
>> boot from the installation disk and rebuild the system from
>> scratch; install an AV and configure the system as needed, then,
>> once done proceed scanning the data backups to ensure they aren't
>> infected and then restore them


..
>> 2: slow/not totally trustable
>>
>> Boot the box using a "rescue CD" (avira, kaspersky, microsoft...)
>> and scan it cleaning whatever malware; once done, boot it from
>> regular hdd and run further cleaning using resident AVs and other
>> tools; once done, keep fingers crossed and hope you really removed
>> any tracks of the infection



>>
> What ObiWan said.  Double-check that you have a Windows serial
> number to activate the OS before wiping it out.
>
> Option 2 can be faster if the infection is not severe (especially if
> there has been a lot of customization done to the OS and
> applications), but option 1 eliminates any doubt that the
> infection(s) is/are gone.  If you have downtime, burn a fresh copy
> of Windows Defender Offline to CD, boot from it, update virus
> definitions, and do a full scan.  Then boot into safe mode with
> networking, install/update Malwarebytes Antimalware, and run a full
> scan.  Most of the time those two actions will get you fixed up, but
> with severe infections, there may be a lot of residual cleanup to do
> after that, making option 1 more attractive.
>
> Best of luck.

Thanks for the reply and advice, Tim!

Heh!!.......I just left a message on his phone, asking him to confirm
with the dealer that he has the SN/License!!!  Would have been
frustrating, showing up there tomorrow without it!

I do indeed fear residual damage which I would be unable to diagnose/repair.

Thanks Again, Tim


0
Roger
2/20/2014 10:43:01 PM
On 02/20/14 13:30, MiguelMS wrote:
> "Roger Parks" <> wrote in message
> news:le5720$2fko$1@news.grc.com...

.......snip......

>>
>> 2. Start up a linux live disc, inspect the flash and delete any
>> autorun.inf; mystery files; etc (I'll *hope* that there's been no
>> firmware infection).



> Don't forget to ask the user if he has used any other devices (flash
> drives, cameras, mobile phones... any device that may behave as a
> storage drive) on the infected machine, to check and clean them as
> well. Otherwise, the user may end up connecting an unknown (to you)
> device on the next week and may infect the computer again (or at
> least the user account, if it's an unprivileged account, although AVs
> should catch it too...) if the device was previously infected.

Dang!.... I had not thought to ask about other peripherals - I'll
inspect them under 'ix; and optionally scan with an anti-malware under 'ix!

>
>
>> 3. Use the live disc to dd zeros to the first sector of the HD.
>
> Although it takes more time, you may want to clean the entire drive
> (by using dd on the entire device, or by using other disk clean
> programs like DBAN (as ObiWan suggests). That way, you'll clean any
> traces of the old system, and by writing to every sector, you'll
> cause the disk to reallocate any defective sectors as a bonus.

..

> Anyway, even if you're in a hurry, I'll clean some more space than
> just the first sector, maybe the first megabyte, or the first four
> megabytes. This is done to clean traces of old boot loaders in the
> first track sectors, or in the space before the first Windows
> partition (usually starts the first megabyte position).
>

Good point on the whole disk initialization, and defective sector
reallocation "bonus". I'll take the time. Don't know DBAN (I'm guessing
I'd need to create a bootable DOS CD), and pending a reply from Obiwan,
I'm familiar with and inclined toward 'ix/dd.

>> 10. Use windows to copy files from flash to disk after deep scans
>> by the Anti-malwares. (I suppose I could do this with Linux and
>> avoid connecting the clean windows to the flash exposed to dirty
>> windows - seems over the top!?)



> I've never seen a flash memory infected itself (mbr, boot
> sectors...), so if you've already checked for infected files and
> previously (step 2) deleted autorun.inf and other strange files
> (like fake "Recycle bin" folders, hidden executable files...), it
> should be ok.

Agreed!

>
> Anyway, if you're unsure, you may copy the files using Linux (but
> you should check them for viruses later!), then clean the flash
> memory using dd, and finally restore it to factory default using the
> manufacturer program. But I think this shouldn't be needed at all.

Yep!

>
>
>> 11. Emphasize the importance of keeping the box current and clean;
>> no need to ever log on as admin; and not clicking on mystery
>> clicks.
>
> While in step 2 and before going to step 3, you may access the old
> system program file folders and quickly check for known
> adware/spyware and such programs folders, so you can later tell the
> user not to reinstall programs <insert names here> because those
> programs were malware, or not to download anything from sites
> <insert names here> because the downloads are bundled with
> adware/spyware... Otherwise it takes little time before they usually
> get to the Internet to install whatever they had previously, even if
> it was known malware!

Sigh..... true. He's a smart guy; just naive and phished by a bogus web
page. Needs a dose of "safe hex". Hopefully he'll learn from this.

>
>
>> So what else/different do folks recommend?
>
> Installing the MVPS Hosts file and/or SpyBot S&D 1.6.x (for its
> hosts file entries and the browser restricted sites entries) would
> prevent that user from connecting to some malware sites, and prevent
> some adware/spyware from installing... I usually add it as another
> layer of defense. I've my own list of malware/adware/spyware related
> sites and I usually add it to the Hosts file too.

Good one! Indeed, it was a bad site that got him. I use MVPS on my linux
box, but it would be a minor PITA for him to update Hosts. IIRC SpyBot
can be autostarted (registry startup entry) and easily maintained.

>
> As a final step, once you've reinstalled Windows and programs, and
> everything is running smoothly, I'll create a complete image backup
> on DVDs, just in case the user finds a way to get the computer
> infected (they usually do, no matter how hard you try to lock it
> down...), so the next time you only need to restore that image
> backup.

Yep! Good one. If he does reinfect, I'll simply dd a new HD. Guess I'll
build a Win 7 recovery disc as well!

>
>
> Hope this helps... :)
>

It does indeed ... Thanks for the reply and advice, MiguelMS!

0
Roger
2/20/2014 10:44:53 PM
On 02/20/14 16:18, Retired wrote:
> On 2/20/2014 9:27 AM, Roger Parks wrote:

...snip..

>>
>
> You might give HitmanPro a try: http://www.surfright.nl/en/hitmanpro
>
> "HitmanPro is designed to work alongside existing security programs
> without any conflicts. It scans the computer quickly (less than 5
> minutes) and does not slow down the computer (except for the few
> minutes it is scanning). HitmanPro does not need to be installed. It
> can be run straight from a USB flash drive, a CD/DVD, local or
> network attached hard drive."


> "HitmanPro offers you a Free Scan for a second opinion. It is
> designed to check if your security measures work. If nothing is
> found (and we sincerely hope so), then you will never need a license.
> When a virus is found, then you will receive a free 30-day license
> to remove the threat."
>


Thanks for the reply and advice, Retired!

I keep hearing about HMP - especially the behavioural scan. Have you any
info. on its comparative effectiveness with standard signature scanners?
Given the threat of zero days, I'd think a sophisticated behaviour
scanner is the future for a geek's box; don't know about a low-intensity
user who might panic at a false alarm. Until now I personally haven't
had much of a need, but I expect to shortly build a W7 box for myself,
and will look more carefully at it and how it would fit in.

As per the friend's box, I remain inclined toward rebuilding rather than
cleaning. May add HMP to his box if I have good luck with it.

Thanks Again, Retired.

0
Roger
2/20/2014 10:46:58 PM
Roger Parks wrote:
>
> He had problems accessing a Microsoft office document, and went to
> google for help. Ended up on a page which appeared to be official
> Microsoft, which sent him to a third party (forgot the name) which sold
> him a repair/maintenance contract. This outfit somehow gained access to
> his box (likely he downloaded a remote desktop package), replaced his
> (Norton) AV with their product (I guess that his OEM gave him a single,
> admin account which he used to install their garbage). He doesn't know
> what else was done. The box "slowed down" significantly, and at some
> point he became suspicious and googled the name of this outfit and found
> numerous, serious accusations and complaints.
>

It may also be worth checking his router settings for any ports that have 
been opened to allow remote access after the event.

Each case varies, but most of the examples like this that I have seen, they 
have been happy to get their fees for "fixing the problem and the new AV 
licence". They have not left further trojans etc for ongoing access.

YMMV

Aland

0
AlanD
2/20/2014 10:49:18 PM
On 02/20/14 17:32, Sam Schinke wrote:
> On 2014-02-20 7:27, Roger Parks wrote: [...]
>> 2. Start up a linux live disc, inspect the flash and delete any
>> autorun.inf; mystery files; etc (I'll *hope* that there's been no
>> firmware infection).

Thanks for the reply and advice, Sam!

> I'd suggest running one or more of the bootable AV distros at this
> point. Many of the AV vendors provide .iso's you can download.

Yep! I have d/l'd Kaspersky.

> I would also suggest setting him up with some kind of *automatic*
> off-site backup solution for his personal files at the very least,
> given that this is a laptop. Carbonite, encrypted uploads to a cloud
>  provider, something like that. Larger things like media, etc, can be
>  manually backed up.

Good one! He has lots of photos of family; would sure help if he gets
hit with a fire, or ransomware!

As an alternative, I see that WD has multi-terabyte NAS boxes for
$120 or so; any way something like that could be used on his LAN (and be
resistant to an attack by a trojan on his box?).

(e.g. a freeware windows b/u program?)

>
> Regards, Sam

Thanks Again, Sam!
0
Roger
2/20/2014 11:08:22 PM
On 2/20/2014 4:46 PM, Roger Parks wrote:

> I keep hearing about HMP - especially the behavioural scan. Have you any
> info. on its comparative effectiveness with standard signature scanners?
> Given the threat of zero days, I'd think a sophisticated behaviour
> scanner is the future for a geek's box; don't know about a low-intensity
> user who might panic at a false alarm. Until now I personally haven't
> had much of a need, but I expect to shortly build a W7 box for myself,
> and will look more carefully at it and how it would fit in.
>
> As per the friend's box, I remain inclined toward rebuilding rather than
> cleaning. May add HMP to his box if I have good luck with it.
>
> Thanks Again, Retired.
>

I have no other information to offer about HMP, sorry. Good luck!
-- 
Sired, Squired, Hired, RETIRED.
0
Retired
2/20/2014 11:27:08 PM
On 02/20/2014 05:49 PM, AlanD wrote:
> Roger Parks wrote:
>>
>> He had problems accessing a Microsoft office document, and went to
>> google for help. Ended up on a page which appeared to be official
>> Microsoft, which sent him to a third party (forgot the name) which sold
>> him a repair/maintenance contract. This outfit somehow gained access to
>> his box (likely he downloaded a remote desktop package), replaced his
>> (Norton) AV with their product (I guess that his OEM gave him a single,
>> admin account which he used to install their garbage). He doesn't know
>> what else was done. The box "slowed down" significantly, and at some
>> point he became suspicious and googled the name of this outfit and found
>> numerous, serious accusations and complaints.

> It may also be worth checking his router settings for any ports that 
> have been opened to allow remote access after the event.
> 
> Each case varies, but most of the examples like this that I have seen, 
> they have been happy to get their fees for "fixing the problem and the 
> new AV licence". They have not left further trojans etc for ongoing access.

I'm not sure that I've ever run into one with quite that kind of history.

In this case I'd be more inclined to nuke it. But short of that, I'd 
scour it once with MBAM at full, then hit it with ComboFix.

Combofix is heavy duty, and once you turn it loose there's no control 
and no turning back. I've used it in situations where the machine is 
"clean" but the underlying OS files and registry is corrupted as a 
result of the infection. It's been a lifesaver on a couple of situations 
where I wasn't in a position to reinstall the OS (no media available or 
something of that nature). What ComboFix does in addition to cleaning is 
it will repair OS files and rewrite registry entries and such back to 
the Windows defaults.

http://www.bleepingcomputer.com/download/combofix/

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

-- 
Mark Warner
MEPIS Linux
Registered Linux User #415318
....lose .inhibitions when replying
0
Mark
2/20/2014 11:50:38 PM
On 2014-02-20 15:08, Roger Parks wrote:
> On 02/20/14 17:32, Sam Schinke wrote:
[...]
>> I would also suggest setting him up with some kind of *automatic*
>> off-site backup solution for his personal files at the very least,
>> given that this is a laptop. Carbonite, encrypted uploads to a cloud
>>   provider, something like that. Larger things like media, etc, can be
>>   manually backed up.
>
> Good one! He has lots of photos of family; would sure help if he gets
> hit with a fire, or ransomware!

Right. One risk with laptops is due to the ease of theft. Off-device 
backups are good, but if you are out at a coffee shop working on 
important personal documents (will, taxes, etc), having instantaneous 
backups is really comforting.

> As an alternative, I see that WD has multi-terabyte NAS boxes for
> $120 or so; any way something like that could be used on his LAN (and be
> resistant to an attack by a trojan on his box?).
>
> (e.g. a freeware windows b/u program?)

The easiest way I see obtaining resistance to corruption of backups by 
malware which will be able to access the credentials used to make the 
backups, is to use a backup solution that supports file versioning and 
restoration of prior versions. With said management being handled by a 
system other than the backed-up device.

So if CryptoLocker (et al) take your personal documents, encrypt them, 
and those encrypted versions get uploaded to your backup, you have the 
ability to roll back to an older backed-up version.

I'm not sure if any of the consumer-grade NAS devices support this kind 
of thing natively, and anything done by the backup client can probably 
be broken by the backup client.

This is something that Dropbox provides as a matter of course. Up to 30 
days of file versions are retained with a free account, and IIRC the 
retention goes up to a year with a paid account.

Owncloud also offers features along these lines:
http://owncloud.org/support/version-control/

Regards,
Sam
0
Sam
2/20/2014 11:53:36 PM
On 2014-02-20 14:46, Roger Parks wrote:
[...]
> As per the friend's box, I remain inclined toward rebuilding rather than
> cleaning. May add HMP to his box if I have good luck with it.

As it sounds like a relatively recent purchase (and compromise) a 
re-build will likely be quicker than trying to recreate the exact state 
of a years-old deeply tweaked/adjusted system.

Regards,
Sam
0
Sam
2/20/2014 11:56:30 PM
On 02/20/14 17:49, AlanD wrote:
> Roger Parks wrote:
>>
>> He had problems accessing a Microsoft office document, and went to
>> google for help. Ended up on a page which appeared to be official
>> Microsoft, which sent him to a third party (forgot the name) which
>> sold him a repair/maintenance contract. This outfit somehow gained
>> access to his box (likely he downloaded a remote desktop package),
>> replaced his (Norton) AV with their product (I guess that his OEM
>> gave him a single, admin account which he used to install their
>> garbage). He doesn't know what else was done. The box "slowed down"
>> significantly, and at some point he became suspicious and googled
>> the name of this outfit and found numerous, serious accusations and
>> complaints.

..

> It may also be worth checking his router settings for any ports that
>  have been opened to allow remote access after the event.

Exactly Right! It is on my list, but I forgot to post it in the OP!

FWIW, I scanned his address after he got his new laptop and new wireless
router to mobilize it. Got the following:

PORT     STATE         SERVICE
1900/udp open|filtered upnp

PORT   STATE      SERVICE
20/tcp unfiltered ftp-data
21/tcp unfiltered ftp
1723/tcp unfiltered pptp

One of his granddaughters (a proper geek) was going to go over (she's
out of town) and fix it, but got snowed out.

>
> Each case varies, but most of the examples like this that I have
> seen, they have been happy to get their fees for "fixing the problem
> and the new AV licence". They have not left further trojans etc for
> ongoing access.

Good to know. This reinforces Mark Warner's suggestion of
MBAMing/scanning it.

My experience in all of this is old W2K, and back then they'd modify
system/kernel/registry files. W7 is more protective of itself, and
perhaps these guys are not completely malevolent.

Given my (lack of) experience with W7, and the fact that this thing had
a bunch of dealer crapware installed, along with a single user account,
I'm still inclined toward nuking it :-(


>
> YMMV
>
> Aland
>

Thanks Again, Aland
0
Roger
2/20/2014 11:59:10 PM
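A small triage of the scan result above against a home-router exposure policy, added for this thread (the scan text is Roger's output re-typed as a constructed string; the policy table, its wording and the function names are this example's own, not from nmap or any router). It shows why the ftp, pptp and upnp lines are the ones to chase down on the router, and that nmap's "unfiltered" and "open|filtered" states still mean "something answered" and deserve a look.

```python
"""Triage of a router port scan against a simple exposure policy (added
example). The scan text is a constructed copy of the result posted above;
the policy table is illustrative, not exhaustive."""
import re

SCAN_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")

# Services a home router should not expose on its WAN side, with the reason
# a defender would give the owner.
POLICY = {
    "ftp": "FTP sends credentials in clear text and is a remote file-access path",
    "ftp-data": "data channel of ftp; close it together with port 21",
    "pptp": "PPTP relies on MS-CHAPv2, whose authentication is broken; it is a remote-access path",
    "upnp": "UPnP lets any LAN host, including malware, open inbound port mappings",
    "telnet": "clear-text remote shell",
    "ms-wbt-server": "Remote Desktop exposed to the Internet",
    "microsoft-ds": "SMB file sharing exposed to the Internet",
}
# nmap states that mean 'something answered': open, unfiltered (reachable,
# open/closed not determined) and the ambiguous UDP open|filtered.
REACHABLE = {"open", "unfiltered", "open|filtered"}


def parse_scan(text):
    """Pull (port, proto, state, service) rows out of nmap's normal output;
    header and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            rows.append({"port": int(port), "proto": proto,
                         "state": state, "service": service})
    return rows


def triage(rows):
    """Return the reachable rows that match the policy, annotated with the
    reason and the follow-up (remove the mapping, then change the router's
    admin password, as advised elsewhere in this thread)."""
    findings = []
    for r in rows:
        if r["state"] in REACHABLE and r["service"] in POLICY:
            findings.append(dict(r, reason=POLICY[r["service"]],
                                 action="remove the forwarding/service on the router, "
                                        "then change the router admin password"))
    return findings


ROGER_SCAN = """\
PORT     STATE         SERVICE
1900/udp open|filtered upnp

PORT   STATE      SERVICE
20/tcp unfiltered ftp-data
21/tcp unfiltered ftp
1723/tcp unfiltered pptp
"""


def triage_roger_scan():
    """Constructed input above; returns the four lines that need action."""
    return triage(parse_scan(ROGER_SCAN))
```

`triage_roger_scan()` flags 20, 21, 1723 and 1900; a closed or filtered port (say `80/tcp closed http`) produces no finding.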
Roger Parks was heard to say :

> ROTFLMAO...... you present a pretty clear personal inclination in a
> situation like this! Don't know DBAN - I'll look into it.

http://www.dban.org/

Be careful, DBAN will erase ALL connected hard disks on boot.

It is a tool more for secure erasure than for casual cleaning. It does 
several passes. But CCleaner could perform a similar thing by secure erasing 
the free space:
http://www.piriform.com/docs/ccleaner/using-ccleaner/wiping-free-disk-space

Simply filling the disk with zero-filled files and then erasing them is faster 
and enough for casual cleaning of the disk. That could work with SSDs (yes, one 
write cycle is performed) if the OS is set to use TRIM.

> Why would it be better than, say, dd'ing zeros or PRData over the
> whole volume?

That's what DBAN does (several times).

-- 
Mark Cross @ 02/21/2014 1:47 a.m.
You cannot lead a battle if you think you look silly on a horse. — Napoleon 
Bonaparte

0
Mark
2/21/2014 5:54:49 AM
Roger Parks was heard to say :

> He has copied his important folders to a flash drive.
Excellent.

> 10. Use windows to copy files from flash to disk after deep scans by the
> Anti-malwares. (I suppose I could do this with Linux and avoid
> connecting the clean windows to the flash exposed to dirty windows -
> seems over the top!?)

I don't think there is much gain here. If the files are in a FAT pen-drive, 
the FAT filesystem does not keep permissions nor "alternate streams":
    http://www.flexhex.com/docs/articles/alternate-streams.phtml

Thus, little risk there. If a file is going to have a problem, it is also 
possible that the user is going to get such an infected file in the future, so 
your goal should be to build the OS as protected as possible and leave the 
malware problems in the hands of the (already) installed scanners.

If the file is a video, VLC would be the one receiving the attack, and it is 
quite good at being secure in such conditions. If the file is an image, 
IrfanView would be the one to crash. Spreadsheets, letters, presentations: 
LibreOffice. Links: Firefox. Bad links: there is no hope if the user installs 
the malware. But only as the limited user, so the OS should still be secure.

> He has an OEM installation disc provided by the dealer.
1.- You'd better download a W7 ISO to burn (just in case):
http://www.mydigitallife.info/official-windows-7-sp1-iso-from-digital-river/
 
2.- Is the computer using an SSD?
    Erasing them is not as simple as a hard disk.
    Also they should be set to use TRIM in the OS.

3.- Does the computer have a CD tray, or will you need to do the install
    from a pen-drive? Prepare for it.



I do not believe that any half-baked solution will work. If you do get to 
clean the computer, there is no way of telling if some file has been 
modified to start the compromise again. If that happens, the user may not 
notice (as he did not perform the cleaning and does not know the symptoms), 
or even if he notices, a second round of this process will be needed, I mean: 
setting up a meeting, preparing, etc. I say: "nuke it".

Actions, as soon as you get to the computer IMO:

1.- Boot a linux "live ISO" (any) (usually F12 lets you boot from the CD), do:
      dd if=/dev/zero of=/dev/sda bs=512 count=4000

2.- Insert the W7 ISO, and while the install process and the subsequent
    updates run, chat with your friend.
    Use your computer to check pen-drives.

3.- Set boot only to hard-disk in one of the several reboots.

4.- Create unprivileged user account, tell your friend the password
    of the admin account.

5.- Install
    a.- Firefox (No-script, adblock, Cookie Monster, LastPass?)
    b.- Chrome
    c.- Bitdefender
    d.- Malwarebytes
    e.- CrapCleaner  (yes, it is good)
    f.- TB (40tude dialog?)(http://dialog.datalist.org/) 
    g.- LibreOffice (will always get my preference)
    h.- VLC (video)
    i.- IrfanView (images)
    j.- Notepad++
    k.- 7z (zip files)
    l.- Cygwin :-)
    m.- VirtualBox.
    n.- SSH to connect later?
    o.- Just in case: http://lists.thedatalist.com/
 
6.- Disable autorun and autoplay

7.- Copy (clean) files back.

8.- Priceless:
    create a complete image backup on DVDs of the system as is now.
 
> 11. Emphasize the importance of keeping the box current and clean; no
> need to ever log on as admin; and not clicking on mystery clicks.

If your friend gets that, he will be golden for a long time.
 
> So what else/different do folks recommend?

Not much, as posted above. ;-)

-- 
Mark Cross @ 02/21/2014 12:59 a.m.
ATTORNEY:	Doctor, how many of your autopsies have you performed on dead 
people?
WITNESS:	All of them. The live ones put up too much of a fight.

0
Mark
2/21/2014 6:58:38 AM
On 2/20/2014 4:43 PM, Roger Parks wrote:

> Thanks for the reply and advice, Tim!
>
> Heh!!.......I just left a message on his phone, asking him to confirm
> with the dealer that he has the SN/License!!!  Would have been
> frustrating, showing up there tomorrow without it!
>
> I do indeed fear residual damage which I would be unable to diagnose/repair.
>
> Thanks Again, Tim
>
>
Anytime...keep us posted on how it goes!
0
Tim
2/21/2014 2:00:50 PM
On 2/20/2014 5:59 PM, Roger Parks wrote:

> Given my (lack of) experience with W7, and the fact that this thing had
> a bunch of dealer crapware installed, along with a single user account,
> I'm still inclined toward nuking it :-(
>
>
>>
>> YMMV
>>
>> Aland
>>
>
> Thanks Again, Aland
>
Wow! This new information definitely warrants that you nuke the system. 
I can't believe such outfits can get away with something like this, 
shame on them for taking advantage of people who don't know any better!

I hope you have unplugged this machine from the network until you decide 
what to do?  Get those ports closed in the router first, change admin 
password on it, then copy over any files/definition updates to the 
infected, unplugged machine.
0
Tim
2/21/2014 2:07:02 PM
On 02/20/14 18:53, Sam Schinke wrote:
> On 2014-02-20 15:08, Roger Parks wrote:
>> On 02/20/14 17:32, Sam Schinke wrote:
> [...]
>>> I would also suggest setting him up with some kind of
>>> *automatic* off-site backup solution for his personal files at
>>> the very least, given that this is a laptop. Carbonite, encrypted
>>> uploads to a cloud provider, something like that. Larger things
>>> like media, etc, can be manually backed up.
>>
>> Good one! He has lots of photos of family; would sure help if he
>> gets hit with a fire, or ransomware!
>
> Right. One risk with laptops is due to the ease of theft. Off-device
> backups are good, but if you are out at a coffee shop working on
> important personal documents (will, taxes, etc), having
> instantaneous backups is really comforting.

..

>> As an alternative, I see that WD has multi-Terabyte NAS boxes for
>> $120 or so; any way something like that could be used on his LAN
>> (and be resistant to an attack by a trojan on his box?).
>>
>> (e.g. a freeware windows b/u program?)
>
> The easiest way I see obtaining resistance to corruption of backups
> by malware which will be able to access the credentials used to make
> the backups, is to use a backup solution that supports file
> versioning and restoration of prior versions, with said management
> being handled by a system other than the backed-up device.
>
> So if CryptoLocker (et al) take your personal documents, encrypt
> them, and those encrypted versions get uploaded to your backup, you
> have the ability to roll back to an older backed-up version.
>
> I'm not sure if any of the consumer-grade NAS devices support this
> kind of thing natively, and anything done by the backup client can
> probably be broken by the backup client.

Sigh....

>
> This is something that Dropbox provides as a matter of course. Up to
> 30 days of file versions are retained with a free account, and IIRC
> the retention goes up to a year with a paid account.
>
> Owncloud also offers features along these lines:
> http://owncloud.org/support/version-control/
>
> Regards, Sam

Dang..... I never seriously considered cloud backup, but some of these
alternatives seem ideal for my friend. He's retired and NOT loaded with
$, so Dropbox along with periodic CD backups might work for him (this and
a dd of the whole HDD)

Good analysis of the situation and alternatives!

Thanks Again, Sam!


0
Roger
2/21/2014 4:45:27 PM
On 02/21/14 00:54, Mark Cross wrote:



Thanks for the reply and advice, Mark!

...snip...
>
> Be careful, DBAN will erase ALL connected hard disks on boot.

Heh.............. good to know

>
> It is a tool more for secure erasure than for casual cleaning. It
> does several passes. But CCleaner could perform a similar thing by
> secure erasing the free space:
> http://www.piriform.com/docs/ccleaner/using-ccleaner/wiping-free-disk-space
>
>
>
good to know. I won't have to d/l eraser. Presume this erases journals
as well!?

> A simple fill the disk with zero files and erase them is faster and
> enough for casual cleaning of the disk. That could work with SSDs
> (yes, one write cycle is performed) if the OS is set to use TRIM.

Glad you brought this up! :-)

(While I believe his box has an HDD, my new, laptop has an SSD so I need
to start thinking about this stuff)

I'm reluctant to dd zeros, as IIUC, unlike HDDs it adds zeros, blanks,
etc. as data, causing lots of swapping about. So I instead want to
designate all data as ripe for removal and TRIM.

FWICT, current linux cannot trim an ntfs filesystem:

(/usr/src/linux-3.11.3-hardened # grep -lr FITRIM fs/ | cut -d/ -f2 |
sort | uniq | xargs echo
btrfs ext3 ext4 gfs2 jfs ocfs2 xfs)

IIUC, Windows 7 trims automatically when data is no longer needed; e.g.
deleting data, AND when deleting a whole partition - so I'm presuming the W7
installation automatically trims when I tell it to delete the partitions!?
I'm also presuming an individual menu item will appear and allow me to
make a separate deletion before I start the installation mojo.

I understand that trimming would not secure erase, but I'd presume the
trimmed data would be unreadable and therefore good 'nuff for
installation in this situation!?


>
>> Why would it be better than, say, dd'ing zeros or PRData over the
>> whole volume?
>
> That's what DBAN does (several times).

Heh...Don't think I need that for either an HDD or SSD in this
non-sensitive installation. This is a used laptop, and no telling what
the condition of the SSD is.
>

Thanks Again, Mark!
0
Roger
2/21/2014 5:05:06 PM
On 02/21/14 09:07, Tim wrote:
> On 2/20/2014 5:59 PM, Roger Parks wrote:
>
>> Given my (lack of) experience with W7, and the fact that this thing
>> had a bunch of dealer crapware installed, along with a single user
>> account, I'm still inclined toward nuking it :-(

.....snip...

>>
> Wow!  This new information definitely warrants that you nuke the
> system. I can't believe such outfits can get away with something like
> this, shame on them for taking advantage of people who don't know any
> better!
>
> I hope you have unplugged this machine from the network until you
> decide what to do?  Get those ports closed in the router first,
> change admin password on it, then copy over any files/definition
> updates to the infected, unplugged machine.

Good one!!

I'm adding your last paragraph, plus an internal check for soft/firmware
updates, to step 1 of the list!

Thanks again, Aland!

0
Roger
2/21/2014 5:13:41 PM
On 02/21/14 12:13, Roger Parks wrote:
> On 02/21/14 09:07, Tim wrote:

>
> Thanks again, Aland!
>

Yikes!  Tim!

Thanks again, Tim!!
0
Roger
2/21/2014 5:18:27 PM
"Roger Parks" <> wrote in message news:le60j9$30bd$3@news.grc.com...
> On 02/20/14 13:30, MiguelMS wrote:
>> "Roger Parks" <> wrote in message:
>>
>>> 11. Emphasize the importance of keeping the box current and clean;
>>> no need to ever log on as admin; and not clicking on mystery
>>> clicks.
>>
>> While in step 2 and before going to step 3, you may access the old
>> system program file folders and quickly check for known
>> adware/spyware and such programs folders, so you can later tell the
>> user not to reinstall programs <insert names here> because that
>> programs were malware, or not to download anything from sites
>> <insert names here> because the downloads are bundled with
>> adware/spyware... Otherwise it takes little time before they usually
>> get to the Internet to install whatever they had previously, even if
>> it was known malware!
>
> Sigh..... true. He's a smart guy; just naive and phished by a bogus web
> page. Needs a dose of "safe hex". Hopefully he'll learn from this.

I've read the whole story on your reply to Mark Warner... it's really scary! 
As others already replied there, you can't trust that system anymore, so 
clearing the whole disk and reinstalling W7 is a must (your steps 3 and 4).

Surely such a thing won't happen again to him :)


>> Installing the MVPS Hosts file and/or SpyBot S&D 1.6.x (for its
>> hosts file entries and the browser restricted sites entries) would
>> prevent that user from connecting to some malware sites, and prevent
>> some adware/spyware from installing... I usually add it as another
>> layer of defense. I've my own list of malware/adware/spyware related
>> sites and I usually add it to the Hosts file too.
>
> Good one! Indeed, it was a bad site that got him. I use MVPS on my linux
> box, but it would be a minor PITA for him to update Hosts. IIRC SpyBot
> can be autostarted (registry startup entry) and easily maintained.

Even if he never updates the Hosts file again, a one-time installation will 
do a lot to prevent accessing bad sites or getting common adware/malware. I 
usually schedule SpyBot to update weekly (if the resident protection is left 
enabled) and run a scan monthly with the "auto-immunization" option on 
SpyBot start-up set, so new immunizations for browsers are applied and new 
host entries are added.


>> Hope this helps... :)
>
> It does indeed ... Thanks for the reply and advice, MiguelMS!

You're welcome :)

If the user can tell you the web address where he got phished, it may be 
good to contribute it to the MVPS Hosts file (or any other such services), 
to prevent it from happening to other people :)

0
MiguelMS
2/21/2014 7:06:32 PM
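The hosts-file layer MiguelMS describes is easy to get wrong when the list is refreshed (duplicates, clobbered user entries, a list line that redefines localhost). The following is an added example written for this thread, not SpyBot's or MVPS's code: the section markers, the sample list contents and the `*.example.test` names are constructed, and `update_hosts_file` is the example's own helper. It merges a block list into a hosts file as a marked, replaceable section, validates every name, and never lets the list touch the loopback entries.

```python
"""Hosts-file block list merge (added example; constructed inputs)."""
import os
import re
import tempfile

BEGIN = "# BEGIN managed blocklist"
END = "# END managed blocklist"
# RFC 1123 label rules: 1-63 chars, alphanumerics or '-', never at the ends,
# and at least two labels so a bare word cannot slip in.
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_blocklist(text):
    """Accept 'host', '0.0.0.0 host' or '127.0.0.1 host' lines plus comments.
    Malformed names are dropped and the loopback names are never taken from a
    list, so a bad or hostile list cannot break localhost resolution."""
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host = line.split()[-1].lower()      # the name is the last field in both formats
        if host in PROTECTED or not HOST_RE.match(host):
            continue
        hosts.add(host)
    return hosts


def merge_hosts(existing, hosts, sink="0.0.0.0"):
    """Return the new hosts-file text. Lines outside the marked section are the
    user's own and are preserved; the section is replaced wholesale, so a
    re-run with a fresh list updates rather than duplicates. 0.0.0.0 is the
    sink because, unlike 127.0.0.1, no connection to a local listener is tried."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        i, j = lines.index(BEGIN), lines.index(END)
        lines = lines[:i] + lines[j + 1:]
    while lines and not lines[-1].strip():   # avoid piling up blank lines
        lines.pop()
    section = [BEGIN] + ["%s %s" % (sink, h) for h in sorted(hosts)] + [END]
    return "\n".join(lines + [""] + section) + "\n"


def update_hosts_file(path, blocklist_text):
    """Rewrite `path` atomically and return the number of blocked names.
    On Windows the file is %SystemRoot%\\System32\\drivers\\etc\\hosts and this
    must run from the admin account, which suits a one-time setup."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        existing = fh.read()
    hosts = parse_blocklist(blocklist_text)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
        fh.write(merge_hosts(existing, hosts))
    os.replace(tmp, path)
    return len(hosts)


def demo():
    """Constructed inputs: a small existing hosts file and a list mixing both
    formats, one malformed name and a line that tries to redefine localhost.
    Returns the text after the first merge and after a refresh with one more name."""
    existing = "127.0.0.1 localhost\n192.168.1.10 nas.home\n"
    blocklist = ("# constructed sample list\n"
                 "0.0.0.0 ads.example.test\n"
                 "malware-dl.example.test   # bare hostname form\n"
                 "127.0.0.1 localhost\n"
                 "-bad.example.test\n")
    first = merge_hosts(existing, parse_blocklist(blocklist))
    second = merge_hosts(first, parse_blocklist(blocklist + "tracker.example.test\n"))
    return first, second
```

In `demo()` the first merge blocks two names and ignores the malformed one and the localhost line; the second merge, fed an updated list, produces exactly one managed section with three names and leaves the user's `nas.home` entry untouched.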
"Roger Parks" <> wrote in message news:le60mr$30bd$4@news.grc.com...
>
> Thanks for the reply and advice, Retired!
>
> I keep hearing about HMP - especially the behavioural scan. Have you any
> info. on its comparative effectiveness with standard signature scanners?
> Given the threat of zero days, I'd think a sophisticated behaviour
> scanner is the future for a geek's box; don't know about a low-intensity
> user who might panic at a false alarm. Until now I personally haven't
> had much of a need, but I expect to shortly build a W7 box for myself,
> and will look more carefully at it and how it would fit in.

I've used it a few times.

The main downside of HitmanPro is that it requires an Internet connection 
during scan to upload suspicious files, and if the machine is infected or 
compromised somehow, you may have already unplugged it from the network (to 
prevent damage to other computers in the network). But even in that case, 
you still have an advanced scan mode (I don't remember its "trademark name" 
right now) that gives a "suspicious mark" to the scanned files, and it does 
a really good job of spotting suspicious processes, drivers... and so on.

It's a really useful tool if you are manually cleaning an infected machine 
or trying to spot anything strange that may be going on. And of course, you 
can use it to scan a clean system to get a clean result on top of the 
results from the AV the machine may already have.

0
MiguelMS
2/21/2014 9:45:32 PM
This server is eating posts (again, sigh).

I am quite certain that I posted an answer to this post, but it has not 
appeared, I would have not noticed the missing post, but I was checking a 
local problem. The post also disappeared locally. Now I am forced to rewrite 
a long post.

If it appears repeated, the above is the reason.

Roger Parks was heard to say :

> On 02/21/14 00:54, Mark Cross wrote:
 
> Thanks for the reply and advice, Mark!

Sure thing Roger. Have you seen the other post I made:
    http://www.GRC.com/groups/techtalk:262750

>> Be careful, DBAN will erase ALL connected hard disks on boot.
> Heh.............. good to know

     Indeed it is ..... before booting !!!!      ;-)

>> But CCleaner could perform a similar thing by
>> secure erasing the free space:

> good to know. I won't have to d/l eraser. Presume this erases journals
> as well!?

I am not sure, but I'll guess that "journals in use" are NOT erased, as the 
OS will not allow writing to them. But journals that get processed and 
whose sectors return to the pool of "free sectors" will be filled up when 
filling the filesystem.
 
>> A simple fill the disk with zero files and erase them is faster and
>> enough for casual cleaning of the disk. That could work with SSDs
>> (yes, one write cycle is performed) if the OS is set to use TRIM.
 
> Glad you brought this up! :-)

:-)
 
> (While I believe his box has an HDD, my new, laptop has an SSD so I need
> to start thinking about this stuff)
 
> I'm reluctant to dd zeros, as IIUC, unlike HDDs it adds zeros, blanks,
> etc. as data, causing lots of swapping about. So I instead want to
> designate all data as ripe for removal and TRIM.

Well ...... correct, sort of.

There is this thread, also:
    http://www.GRC.com/groups/techtalk:262633

But nobody is hitting the nail on the head, I think. :-O

******** A long explanation to understand SSDs *************************

In a hard drive the life of a sector is very simple. It starts as an empty
sector (with zeros) and at some point in time some data is written to it,
then it may be read or written again in several repeats; there is no
mystery and there are no additional steps, it holds those bit values until
it is written again.

In an SSD, a sector has a much more complex life cycle. And I am calling a
sector the perception that the OS has of a block of 512 bytes, when in fact
I should be talking about blocks of data. An SSD could keep data in chunks
of bits as big as 20 KBytes (or more) called blocks:
    http://www.anandtech.com/show/2738/8

The life of a block is very complex. It starts as an erased block (full of
ones, which really does NOT matter to us as users if it actually is ones or
zeros), then some data gets written to it, it could be one sector (512
bytes) or more, and at any time it could be read again. Then some other part
of the block could be written to, it could even be the same sector that was
there already, as the sector changed, so, in the same block there could be
two copies of an active sector (old and new), then more data could be written
or it gets marked as "not in use" (all of it). When a full block gets marked
as "not in use", it goes to the process of being erased, that is, of being
cleared to "ones" and marked as "free", and the counter for this block gets
incremented by one.

So, the controller of an SSD keeps quite some information about the sectors
in the SSD. It keeps a list of "free" blocks ("all of them" on a new SSD).
Then a table pointing to the block (and part of the block) where a sector is
stored. And it keeps a counter of how many times a sector has been erased.


So, the controller stores sectors in blocks and keeps track of where they
are, therefore knowing which sectors are "in use". Also a table of which
parts of a block have been used, thus knowing which parts could still be
used.

The table of used sectors grows and gets more complex as sectors are
written. The process to re-sort the use state of blocks is called "garbage
collection". That process does not change the state "in use" to "free" of a
sector; it just orders the table and sector position (if needed).

The SSD knows that a sector is "in use" as soon as something is written to
it, anything, zeros, ones or any bit stream. The only way in which an SSD is
able to know that a sector is "NOT in use" is by being told with the TRIM
command.

******** Hopefully now, SSDs are understood... *************************

The TRIM command changes the "in use" state of a sector, thus enabling the
internal controller to erase it (if the controller decides it is wise to
do so: some other sectors may still reside in the block).

It does not matter what you write to a sector, as soon as written, it is
"in use" as perceived by the controller. And it becomes "not in use" as
soon as a TRIM command for such sector is performed. The OS will usually
emit a TRIM command to all the sectors of a file when erasing such file.
Thus, erasing a file is a way to automatically get the TRIM commands.

Filling a disk with files and then erasing does clear the "empty space".

Of course, if there is some other way to emit the TRIM commands, then
the "fill-erase" procedure is not needed.

> FWICT, current linux can not trim an ntfs filesystem:
> (/usr/src/linux-3.11.3-hardened # grep -lr FITRIM fs/ | cut -d/ -f2 |
> sort | uniq | xargs echo
> btrfs ext3 ext4 gfs2 jfs ocfs2 xfs)

Yep, that's correct, NTFS does not have a discard option yet in Linux.
Reading "man mount.ext4" there is an option to mount with discard (TRIM),
however "man mount.ntfs" does not have such an option. However the disk
is going to be fully erased, so you could use "hdparm --trim-sector-range"
or the script wiper.sh included with the hdparm package. Even so, I actually
was thinking about making TRIM work in W7 for future performance sake.
 
> IIUC, Windows 7 trims automatically when data is no longer needed; e.g.
> deleting data,

Yes, of course, erasing a file emits trim commands to the sectors that file used.
Still, errors may happen and garbage may grow with time.

> AND when deleting a whole partition

There are several ways to do a full/partial disk TRIM. But I am pretty sure
that such command is not automatic for a partition erasure. BICBW.

In Linux, a TRIM command is automatically issued for all sectors in which an
ext4 filesystem is going to be created. I am not aware of any automatic use
of TRIM on any partition or filesystem erasure.
Please take a look at "hdparm --trim-sector-range", the script wiper.sh included
with the hdparm package and the secure erasure procedure.
    http://lwn.net/Articles/345020/

> - so I'm presuming the
> W7 installation automatically trim when I tell it to delete the
> partitions!? I'm also presuming an individual menu item will appear and
> allow me to make a separate deletion before I start the installation mojo.

No, not that I am aware of. There is a way to perform a manual full disk TRIM
while installing W7:
    http://forums.overclockersclub.com/index.php?showtopic=184250

    
In Linux, there are some other utilities:
    http://www.windowslinuxosx.com/q/answers-how-to-trim-discard-a-whole-ssd-partition-on-linux-308251.html
    http://www.overclock.net/t/1227597/how-to-secure-erase-your-solid-state-drive-ssd-with-parted-magic
 
> I understand that trimming would not secure erase, but I'd presume the
> trimmed data would be unreadable and therefore good 'nuff for
> installation in this situation!?

Oh sure it is 'nuff.

> Thanks Again, Mark!

Don't mention it, Roger, any time.
If you need anything else, just yell.

-- 
Mark Cross @ 02/22/2014 3:01 a.m.
If you're in a vehicle going the speed of light, what happens when you turn on the headlights?

0
Mark
2/22/2014 7:12:33 AM
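To make the block/sector life cycle Mark describes above concrete (and the same explanation as quoted again in Roger's reply further down), here is a toy flash translation layer written for this thread. It is an added illustration, not code from Mark or from any drive vendor, and everything about its geometry is a simplification: 8 blocks of 4 pages, one 512-byte logical sector per page, no spare area, no wear levelling, and the assumption that a trimmed sector reads back as zeros (real drives vary). What it demonstrates is the state machine itself: writing zeros over a sector, as `dd` would, leaves the sector "in use" and parks the old copy as a stale page; TRIM is the only thing that clears "in use"; and a block is erased only once no live sector remains in it.

```python
"""Toy flash translation layer (added example). Invented geometry:
8 blocks x 4 pages, one 512-byte sector per page, no spare area."""

FREE, LIVE, STALE = "free", "live", "stale"


class ToySSD:
    def __init__(self, blocks=8, pages_per_block=4):
        self.ppb = pages_per_block
        self.state = [[FREE] * pages_per_block for _ in range(blocks)]
        self.data = [[None] * pages_per_block for _ in range(blocks)]
        self.erase_count = [0] * blocks
        self.ftl = {}  # logical sector -> (block, page); membership means "in use"

    def _alloc(self):
        """First free page, scanning blocks in order (no wear levelling)."""
        for b, states in enumerate(self.state):
            if FREE in states:
                return b, states.index(FREE)
        raise RuntimeError("no free page; a real drive would relocate into spare area")

    def write(self, sector, payload):
        """Any write, zeros included, marks the sector in use. The previous copy
        stays in flash as a stale page until its whole block is erased."""
        if sector in self.ftl:
            b, p = self.ftl[sector]
            self.state[b][p] = STALE
        b, p = self._alloc()
        self.state[b][p] = LIVE
        self.data[b][p] = bytes(payload)
        self.ftl[sector] = (b, p)
        self.garbage_collect()

    def read(self, sector):
        """Model assumption: a sector that is not in use reads back as zeros."""
        if sector not in self.ftl:
            return b"\x00" * 512
        b, p = self.ftl[sector]
        return self.data[b][p]

    def trim(self, sectors):
        """TRIM: the only way the OS tells the controller a sector is NOT in use."""
        for s in sectors:
            if s in self.ftl:
                b, p = self.ftl.pop(s)
                self.state[b][p] = STALE
        self.garbage_collect()

    def garbage_collect(self):
        """Erase blocks holding no live page. A block with even one live sector
        cannot be erased without first relocating that sector elsewhere."""
        erased = 0
        for b, states in enumerate(self.state):
            if LIVE not in states and STALE in states:
                self.state[b] = [FREE] * self.ppb
                self.data[b] = [None] * self.ppb
                self.erase_count[b] += 1
                erased += 1
        return erased

    def stats(self):
        flat = [s for block in self.state for s in block]
        return {"in_use": len(self.ftl), "live": flat.count(LIVE),
                "stale": flat.count(STALE), "free": flat.count(FREE),
                "erases": sum(self.erase_count)}


def scenario():
    """Constructed sequence: fill 16 sectors, 'dd' zeros over the even ones,
    then let the OS TRIM the odd ones. Returns the three stat snapshots."""
    ssd = ToySSD()
    for s in range(16):
        ssd.write(s, bytes([s]) * 512)        # blocks 0-3 now hold 16 live sectors
    full = ssd.stats()
    for s in range(0, 16, 2):
        ssd.write(s, b"\x00" * 512)           # still "in use"; old copies go stale
    zeroed = ssd.stats()
    ssd.trim(range(1, 16, 2))                 # deleting files emits TRIM for their sectors
    trimmed = ssd.stats()
    return full, zeroed, trimmed
```

`scenario()` returns `in_use 16 / stale 0`, then `in_use 16 / stale 8 / erases 0` after the zero-writes (every old block still has two live sectors, so nothing can be erased and the eight old copies keep their contents in flash), then `in_use 8 / stale 0 / erases 4` after the TRIM makes those blocks fully stale. Mark's fill-then-delete procedure is simply `write()` followed by `trim()` in this model; the controller cannot tell a zero-filled file from any other data until the delete trims it.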
Mark Cross was heard to say :
> Roger Parks was heard to say :
[...]
>> I'm reluctant to dd zeros, as IIUC, unlike HDDs it adds zeros, blanks,
>> etc. as data, causing lots of swapping about. So I instead want to
>> designate all data as ripe for removal and TRIM.
[...]
> There is this thread, also:
>     http://www.GRC.com/groups/techtalk:262633
> 
> But nobody is hitting the nail in the head, I think. :-O

Ooops, missing:
    http://ubuntuforums.org/showthread.php?t=1490602

Just do: 
   # bash wiper.sh --commit /dev/sda1

:-)

-- 
Mark Cross @ 02/22/2014 3:19 a.m.
The right to be heard does not automatically include the right to be taken 
seriously.

0
Mark
2/22/2014 7:23:06 AM
        *DANG* !!

Wonderful post, Mark!

On 02/22/14 02:12, Mark Cross wrote:
> This server is eating posts (again, sigh).

Ate one of mine as well!

> I am quite certain that I posted an answer to this post, but it has
> not appeared, I would have not noticed the missing post, but I was
> checking a local problem. The post also disappeared locally. Now I
> am forced to rewrite a long post.

Thank you for taking the time to do that - it is a lot of dense, arcane,
important stuff!


>
> If it appears repeated, the above is the reason.
>

.....snip..

>
> Sure thing Roger. Have you seen the other post I made:
> http://www.GRC.com/groups/techtalk:262750

Yes!!

... and it significantly altered my installation/repair check-list!

My reply to it was eaten, so I'll repost my response to you.

>
>>> Be careful, DBAN will erase ALL connected hard disks on boot.
>> Heh.............. good to know
>
> Indeed it is ..... before booting !!!!      ;-)
>
>>> But CCleaner could perform a similar thing by secure erasing the
>>>  free space:
>
>> good to know. I won't have to d/l eraser. Presume this erases
>> journals as well!?
>
> I am not sure, but I'll guess that "journals in use" are NOT erased,
> as the OS will not allow writing to them. But journals that get
> processed and whose sectors return to the pool of "free sectors"
> will be filled up when filling the filesystem.

Excellent.

(FWIW, I've forgotten how I did it (perhaps created a separate, tiny
partition), but I did test a bunch of "secure delete" proggies a decade
ago, and IIRC at that time:
  <http://technet.microsoft.com/en-us/sysinternals/bb897443> did the best
job on journals; others didn't work as well.)


>
>>> A simple fill the disk with zero files and erase them is faster
>>> and enough for casual cleaning of the disk. That could work with
>>>  SSDs (yes, one write cycle is performed) if the OS is set to use
>>>  TRIM.
>
>> Glad you brought this up! :-)
>
> :-)
>
>> (While I believe his box has an HDD, my new, laptop has an SSD so
>> I need to start thinking about this stuff)

..

>> I'm reluctant to dd zeros, as IIUC, unlike HDDs it adds zeros,
>> blanks, etc. as data, causing lots of swapping about. So I instead
>>  want to designate all data as ripe for removal and TRIM.




> Well ...... correct, sort of.

(Heh, am re-reading this response to you AFTER thinking through your
complete post, and now very much appreciate that comment :-) )



>
> There is this thread, also:
> http://www.GRC.com/groups/techtalk:262633
>
> But nobody is hitting the nail in the head, I think. :-O



> ******** A long explanation to understand SSDs
> *************************
>
> In a hard drive the life of a sector is very simple. It starts as an
> empty sector (with zeros) and at some point in time some data is
> written to it, then it may be read or written again in several
> repeats; there is no mystery and there are no additional steps, it
> holds those bit values until it is written again.
>
> In an SSD, a sector has a much more complex life cycle. And I am
> calling a sector the perception that the OS has of a block of 512
> bytes, when in fact I should be talking about blocks of data. An SSD
> could keep data in chunks of bits as big as 20 KBytes (or more)
> called blocks: http://www.anandtech.com/show/2738/8

..

> The life of a block is very complex. It starts as an erased block
> (full of ones, which really does NOT matter to us as users if it
> actually is ones or zeros), then some data gets written to it, it
> could be one sector (512 bytes) or more, and at any time it could be
> read again. Then some other part of the block could be written to,
> it could even be the same sector that was there already, as the
> sector changed, so, in the same block there could be two copies of an
> active sector (old and new), then more data could be written or it
> gets marked as "not in use" (all of it). When a full block gets marked
> as "not in use", it goes to the process of being erased, that is, of
> being cleared to "ones" and marked as "free", and the counter for this
> block gets incremented by one.
>
> So, the controller of an SSD keeps quite some information about the
> sectors in the SSD. It keeps a list of "free" blocks ("all of them"
> on a new SSD). Then a table pointing to the block (and part of the
> block) where a sector is stored. And it keeps a counter of how many
> times a sector has been erased.

..

>
> So, the controller stores sectors in blocks and keeps track of where
>  they are, therefore knowing which sectors are "in use". Also a table
>  of which parts of a block have been used, thus knowing which parts
> could still be used.
>
> The table of used sectors grows and gets more complex as sectors are
>  written. The process to re-sort the use state of blocks is called
> "garbage collection". That process does not change the state "in
> use" to "free" of a sector, just order the table and sector position
> (if needed).
>
> The SSD knows that a sector is "in use" as soon as something is
> written to it, anything, zeros, ones or any bit stream. The only way
> in which an SSD is able to know that a sector is "NOT in use" is by
> being told with the TRIM command.
>
> ******** Hopefully now, SSDs are understood...
> *************************

Yes!.... (though I will spend more time with it :-) ). A LOT there,
and your explanations are actually quite succinct.


> The TRIM command changes the "in use" state of a sector, thus
> enabling the internal controller to erase it (if the controller
> decides it is wise to do so: some other sectors may still reside in
> the block).

To me, this is an important point!

>
> It does not matter what you write to a sector, as soon as written,
> it is "in use" as perceived by the controller. And it becomes "not
> in use" as soon as a TRIM command for such sector is performed. The
> OS will usually emit a TRIM command to all the sectors of a file
> when erasing such file. Thus, erasing a file is a way to
> automatically get the TRIM commands.
>
> Filling a disk with files and then erasing does clear the "empty
> space".
>
> Of course, if there is some other way to emit the TRIM commands, then
> the "fill-erase" procedure is not needed.
>
>> FWICT, current linux can not trim an ntfs filesystem:
>> (/usr/src/linux-3.11.3-hardened # grep -lr FITRIM fs/ | cut -d/
>> -f2 | sort | uniq | xargs echo btrfs ext3 ext4 gfs2 jfs ocfs2 xfs)
>
> Yep, that's correct, NTFS does not have a discard option yet in
> Linux. Reading "man mount.ext4" there is an option to mount with
> discard (TRIM), however "man mount.ntfs" does not have such an
> option. However the disk is going to be fully erased, so you could
> use "hdparm --trim-sector-range" or the script wiper.sh included
> with the hdparm package.


Even so, I actually
> was thinking about making TRIM work in W7 for future performance
> sake.


>
>> IIUC, Windows 7 trims automatically when data is no longer needed;
>>  e.g. deleting data,
>
> Yes, of course, erasing a file emits trim commands to the sectors
> that file used. Still, errors may happen and garbage may grow with
> time.
>
>> AND when deleting a whole partition
>
> There are several ways to do a full/partial disk TRIM. But I am
> pretty sure that such command is not automatic for a partition
> erasure. BICBW.


(Not a debate) FWIW I came across this (don't know if it is accurate);
parts may be useful:

<http://www.hardcoreware.net/secure-erase-ssd-in-windows/>

>
> In Linux, a TRIM command is automatically issued for all sectors in
> which a ext4 filesystem is going to be created. I am not aware of
> any automatic use of TRIM on any partition or filesystem erasure.
> Please take a look at "hdparm --trim-sector-range", the script
> wiper.sh included with the hdparm package and the secure erasure
> procedure. http://lwn.net/Articles/345020/

Those sons of guns!
The wiper documentation and scripts are "hidden" in

/usr/share/doc/hdparm-9.43/wiper/wiper.sh.bz2.
Didn't even know they existed!  TU!



>
>> - so I'm presuming the W7 installation automatically trim when I
>> tell it to delete the partitions!? I'm also presuming an
>> individual menu item will appear and allow me to make a separate
>> deletion before I start the installation mojo.
>
> No, not that I am aware of. There is a way to perform a manual full
> disk TRIM while installing W7:

Yep. Opportunity didn't appear.

> http://forums.overclockersclub.com/index.php?showtopic=184250

This is interesting; he is trimming and filling with zeros. He also
indicates it takes time; I wonder if it is slower/faster than deleting
partitions and creating (temporarily) a new partition; then deleting it.


>
>
> In Linux, there are some other utilities:
> http://www.windowslinuxosx.com/q/answers-how-to-trim-discard-a-whole-ssd-partition-on-linux-308251.html
>
> http://www.overclock.net/t/1227597/how-to-secure-erase-your-solid-state-drive-ssd-with-parted-magic
>


Nice links

- err... blkdiscard is quite interesting! .... works on the block level,
though I'd guess it is kernel dependent and won't handle NTFS :-(

- nice "Freeze Locked" discussion on the second link; supplements the
earlier GRC discussion!


>> I understand that trimming would not secure erase, but I'd presume
>>  the trimmed data would be unreadable and therefore good 'nuff for
>>  installation in this situation!?
>
> Oh sure it is 'nuff.

For me, this has been an extremely valuable post, Mark!

Not just for the immediate rebuild (turns out he has a small HD anyway),
but for a forthcoming installation on a LUKS-encrypted partition on an
SSD (this on a laptop that already has an NTFS unencrypted partition).
FWICT there's lots of FUD about encryption on SSDs - your above magnum
opus has/will greatly help get my mind around what's going on, and make
the whole deal much more comfortable!


Thanks Again, Mark!



0
Roger
2/23/2014 7:22:00 PM
(second posting; original reply disappeared)


On 02/21/14 01:58, Mark Cross wrote:


> Roger Parks was heard to say :
>
>> He has copied his important folders to a flash drive.
> Excellent.
>
>> 10. Use windows to copy files from flash to disk after deep scans
>> by the Anti-malwares. (I suppose I could do this with Linux and
>> avoid connecting the clean windows to the flash exposed to dirty
>> windows - seems over the top!?)
>
> I don't think there is much gain here. If the files are in a FAT
> pen-drive, the FAT filesystem does not keep permissions nor
> "alternate streams":
> http://www.flexhex.com/docs/articles/alternate-streams.phtml

I hadn't thought of NTFS/ADS. I'm guessing it is FAT; will confirm it.

>
> Thus, little risk there. If a file is going to have a problem, it is
> also possible that the user is going to get such infected file in
> the future, so, your goal should be to build the OS as protected as
> possible and leave the malware problems in the hands of the
> (already) installed scanners.

Sigh......Exactly right!!

(I keep projecting my personal, picky/paranoid standards onto this
general situation.) He's not a high-security user (though he does,
against my recommendations, do banking), and may well get into trouble
again.

I'll lightly nag him about safe hex, and try to get him to limit his
financial/personal exposure to credit cards/Amazon. :-)

(of course, in addition to banks, the @#!* U.S. Internal Revenue Service
is now encouraging typical Win users to file taxes online! geeze!!!!!!)


>
> If the file is a video, VLC would be the one receiving the attack,
> and it is quite good at being secure in such conditions. If the file
> is an image, irfanview would be the one to crash. Spreadsheets,
> letters, presentations: LibreOffice. Links: Firefox. Bad Links:
> there is no hope if the user installs the malware. But only as the
> limited user, so the OS should be still secure.
>
>> He has an OEM installation disc provided by the dealer.
> 1.- You better download a W7 ISO to burn (just in case):
> http://www.mydigitallife.info/official-windows-7-sp1-iso-from-digital-river/

Good one! (And IIUC, the OEM/Home dists are the same - license triggers
different "features") .

>
> 2.- Is the computer using a SSD? Erasing them is not as simple as a
> hard-disk. Also they should be set to use TRIM in the OS.

Yep. Thanks for bringing this up. Please see my reply to your earlier,
wonderful SSD post.

>
> 3.- Does the computer have a CD tray, or you will need to do the
> install by pen-drive? Prepare for it.
>

CD tray. Heh... and I do have a boot-able flash for the purpose of
copying the whole disk to DVD.

>
> I do not believe that any half-baked solution will work. If you do
> get to clean the computer, there is no way of telling if some file
> has been modified to start the compromise again. If that happens,
> the user may not notice (as he did not perform the cleaning and does
> not know the symptoms) or even if he notices, a second round of this
> process will be needed, I mean: setting up a meeting, preparing, etc.
> I say: "nuke it".

Yep!

And I don't want to nurse this thing - I'll feel "cleaner" if I do a nuke!


>
> Actions, as soon as you get to the computer IMO:
>
> 1.- Boot a linux "live ISO" (any) (usually F12 allows to boot the
> CD), do: dd if=/dev/zero of=/dev/sda bs=512 count=4000
>
> 2.- Insert the W7 ISO, and while the install process, and consecutive
> update goes on, chat with your friend. Use your computer to check
> pen-drives.
>
> 3.- Set boot only to hard-disk in one of the several reboots.
>
> 4.- Create unprivileged user account, tell your friend the password
> of the admin account.
>
> 5.- Install a.- Firefox (No-script, adblock, Cookie Monster,
> LastPass?) b.- Chrome c.- Bitdefender d.- Malwarebytes e.-
> CrapCleaner  (yes, it is good) f.- TB (40tude
> dialog?)(http://dialog.datalist.org/) g.- LibreOffice (will always
> get my preference) h.- VLC (video) i.- IrfanView (images) j.-
> Notepad++ k.- 7z (zip files) l.- Cygwin :-) m.- VirtualBox. n.- SSH
> to connect later? o.- Just in case: http://lists.thedatalist.com/

Ah...... thanks for g.

Also, I hadn't thought of h through k - he'll need them sooner or later;
might as well do it now.

Ugh..... I guess that list should include flash....... 'case he uses
youtube, or for those nasty sites that require it. Maybe I'll install it
into FF and disable it - re-enabling it if he complains too much.

(heh... ain't gonna be no stinkin Cygwin, VB, SSH this time around :-) )

>
> 6.- Disable autorun and autoplay
>
> 7.- Copy (clean) files back.
>
> 8.- Priceless: create a complete image backup on DVDs of the system
> as is now.

Yes!!

>
>> 11. Emphasize the importance of keeping the box current and clean;
>> no need to ever log on as admin; and not clicking on mystery
>> clicks.
>
> If your friend gets that, he will be golden for a long time.
>
>> So what else/different do folks recommend?
>
> Not much, as posted above. ;-)

Again! Thanks for the reply and advice, Mark!


0
Roger
2/23/2014 7:25:16 PM
On 02/21/14 16:45, MiguelMS wrote:

.......snip......

> I've used it a few times.
>
> The main downside of HitmanPro is that it requires an Internet
> connection during scan to upload suspicious files, and if the machine
> is infected or compromised somehow, you may have already unplugged it
> from the network (to prevent damage to other computers in the
> network). But even in that case, you still have an advanced scan mode
> (I don't remember its "trademark name" right now) that gives a
> "suspicious mark" to the scanned files, and it does a really good job
> to spot suspicious processes, drivers... and so on.


> It's a really useful tool if you are manually cleaning an infected
> machine or trying to spot anything strange that may be going on. And
>  of course, you can use it to scan a clean system to get a clean
> result on top of the results from the AV the machine may already
> have.
>

Thank You for the reply!

Does it require an internet connection to effect behaviour monitoring?

If not, does it make sense to block its net access and run it routinely
on a "clean" box to detect zero-days?


0
Roger
2/23/2014 7:38:03 PM
On Thu, 20 Feb 2014 17:41:59 -0500
Roger Parks <i8k3ed@0poki.lo9> wrote:

> while (though I'll be back in shortly :-) ), and am quite rusty; so I
> think that for me rebuilding would be easier. Trying to clean
> something like this I'd always wonder what lingered........

agreed, wipe flat and rebuild also, ensure to change *ALL* password
both local and belonging to whatever service (email, blogs, forums,
banking... whatever) and do it *now* :/ 

0
ObiWan
2/23/2014 8:32:30 PM
On Fri, 21 Feb 2014 01:54:49 -0400
Mark Cross <none@127.0.0.1> wrote:

> Roger Parks was heard to say :
> 
> > ROTFLMAO...... you present a pretty clear personal inclination in a
> > situation like this! Don't know DBAN - I'll look into it.
> 
> http://www.dban.org/
> 
> Be careful, DBAN will erase ALL connected hard disks on boot.
> 
> It is a tool more for secure erasure than for casual cleaning.

well... yes, but upon boot you may select the wipe option you want
(there's the vanilla one too) and, in any case, having a DBAN boot
media around may be useful at times ;)

0
ObiWan
2/23/2014 8:38:17 PM
ObiWan was heard to say :

> On Fri, 21 Feb 2014 01:54:49 -0400
[...] 
>> Be careful, DBAN will erase ALL connected hard disks on boot.
>> 
>> It is a tool more for secure erasure than for casual cleaning.
> 
> well... yes, but upon boot you may select the wipe option you want
> (there's the vanilla one too) and, in any case, having a DBAN boot
> media around may be useful at times ;)

Sure, Obi, not trying to make a case against DBAN, it is indeed a very 
useful tool. :-)

Just making what I believe are sound warnings, but HEY: BICBW :)

-- 
Mark Cross @ 02/23/2014 5:15 p.m.
No good deed goes unpunished.

0
Mark
2/23/2014 9:18:17 PM
Roger Parks was heard to say :

> Wonderful post, Mark!

Thank you, Roger !!
 
> On 02/22/14 02:12, Mark Cross wrote:
[big snip]

> Yes!.... (though I will spend more time with it :-) ). A LOT there,
> and your explanations are actually quite succinct

Yes, it is a lot of ground, and in short sentences. I intended to draw a
map, a sketch of what an SSD needs to do, sure there are a lot of details
that I am not describing. Like the "excess over provisioned space", or
the failure rate of cells. But it was intentional, if I touch the details,
the map looks awkward, too detailed in some places, too rough in some others.
I may have not hit the correct balance, but seems to be a reasonable
"general description" of how SSDs work.

In any case, if there is any area that needs more detail, just ask.
 
>> The TRIM command changes the "in use" state of a sector, thus
>> enabling the internal controller to erase it (if the controller
>> decides it is wise to do so: some other sectors may still reside in
>> the block).
> 
> To me, this is an important point!

It is the main point supporting the use of TRIM.
http://www.tomshardware.com/reviews/ssd-trim-firmware,2800.html

http://www.intel.com/pressroom/archive/releases/2009/20091026comp.htm
    "The Trim attribute of the ATA Data Set Management Command, often
     referred to as Trim, syncs the operating system's view of deleted
     files with those that are deleted, but not erased on the drive.
     Trim tells the SSD which data blocks are no longer in use. This
     helps stabilize the performance and health of the SSD over time."

[...]
>> There are several ways to do a full/partial disk TRIM. But I am
>> pretty sure that such command is not automatic for a partition
>> erasure. BICBW.
 
> (Not a debate) FWIW I came across this (don't know if it is accurate);
> parts may be useful:
> 
> <http://www.hardcoreware.net/secure-erase-ssd-in-windows/>

I am not fully aware of how windows does it, that was the reason for the
BICBW  ;-)

Just one note to the link you provide, the last step in the procedure is:
    "The next step is to recreate a new partition."

It is quite probable (IMhO) that TRIM is applied on the creation of the
partition, but, again, I am not fully aware of how windows does it.


>> In Linux, a TRIM command is automatically issued for all sectors in
>> which a ext4 filesystem is going to be created. I am not aware of
>> any automatic use of TRIM on any partition or filesystem erasure.
>> Please take a look at "hdparm --trim-sector-range", the script
>> wiper.sh included with the hdparm package and the secure erasure
>> procedure. http://lwn.net/Articles/345020/
> 
> Those sons of guns!
> The wiper documentation and scripts are "hidden" in
> 
> /usr/share/doc/hdparm-9.43/wiper/wiper.sh.bz2.
> Didn't even know they existed!  TU!

What can I say:   :-)

>>> - so I'm presuming the W7 installation automatically trim when I
>>> tell it to delete the partitions!? I'm also presuming an
>>> individual menu item will appear and allow me to make a separate
>>> deletion before I start the installation mojo.
>>
>> No, not that I am aware of. There is a way to perform a manual full
>> disk TRIM while installing W7:
> 
> Yep. Opportunity didn't appear.
> 
>> http://forums.overclockersclub.com/index.php?showtopic=184250
> 
> This is interesting; he is trimming and filling with zeros.

I don't see where he is "filling with zeros", hmmmmm.

In any case I meant to show this procedure:
        Here is the Command Line:
        Hold Shift + F10 during BOOT --> will take you to a Command Prompt
        >diskpart
        diskpart>list disk
        "your drives are then listed"
        diskpart>clean all
        "select your SSD, and let it finish the Secure Erase"

These links may explain about the "diskpart" tool:
    http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html

Ah, Microsoft has some more information:
    http://technet.microsoft.com/en-us/library/cc766465%28v=WS.10%29.aspx
    "  clean all
     Specifies that each and every sector on the disk is zeroed, which
     completely deletes all data contained on the disk. "

However, it says nothing about TRIM in that page.
         I'll still leave this point as undocumented/unknown .......   :-)

> He also
> indicates it takes time; I wonder if it is slower/faster than deleting
> partitions and creating (temporarily) a new partition; then deleting it.

I don't know. I was presenting a procedure available at the W7 Install
process. Erasing and creating partitions is better done with the disk
manager in a fully operational Windows system. We are probably talking
about different conditions.

In any case, I do not know how much time it takes for each procedure.

This may help:
   http://www.ehow.com/info_12172915_long-diskpart-clean.html
   " Diskpart users report clean times of longer than five hours when
     attempting to clean a drive as large as one terabyte, or about
     1,024 gigabytes. "



>> In Linux, there are some other utilities:
>> http://www.windowslinuxosx.com/q/answers-how-to-trim-discard-a-whole-ssd-partition-on-linux-308251.html
>>
>> http://www.overclock.net/t/1227597/how-to-secure-erase-your-solid-state-drive-ssd-with-parted-magic
>>
> 
> 
> Nice links
> 
> - err... blkdiscard is quite interesting! .... works on the block level,
> though I'd guess it is kernel dependent and won't handle NTFS :-(

It will TRIM any block in any disk that supports TRIM, but yes, it is
not a filesystem level tool and therefore is NOT aware of NTFS data
structures.

> - nice "Freeze Locked" discussion on the second link; supplements the
> earlier GRC discussion!

Yep!
 
>>> I understand that trimming would not secure erase, but I'd presume
>>>  the trimmed data would be unreadable and therefore good 'nuff for
>>>  installation in this situation!?
>>
>> Oh sure it is 'nuff.
> 
> For me, this has been an extremely valuable post, Mark!

Glad it helps .... :-)

-- 
Mark Cross @ 02/23/2014 6:22 p.m.
Creativity is inventing, experimenting, growing, taking risks, breaking rules, making mistakes, and having fun. — Mary Lou Cook

0
Mark
2/23/2014 10:37:43 PM
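Mark's SSD description quoted in Roger's post above, and his follow-up here on TRIM being the main point, boil down to three rules: any write (zeros included) leaves a sector "in use", only TRIM tells the controller otherwise, and a block is erased only when no live sector remains in it. This toy model is an added illustration, not code from the thread; the block/page sizes, the one spare block and the garbage collector without page relocation are simplifying assumptions, and it walks the "dd zeros" and "fill, then delete the files" procedures the thread compares.

```python
"""Toy flash-translation-layer model of the SSD rules in the thread: any write
(zeros included) leaves a sector 'in use' until TRIM says otherwise, and a
block is erased only once no live sector remains in it (added illustration)."""
from typing import Dict, Iterable, List, Optional, Tuple

FREE, VALID, INVALID = "free", "valid", "invalid"


class ToySSD:
    """blocks * pages_per_block physical pages; one block is spare space."""

    def __init__(self, blocks: int = 3, pages_per_block: int = 4) -> None:
        self.ppb = pages_per_block
        self.sectors = (blocks - 1) * pages_per_block  # logical capacity
        self.l2p: Dict[int, Tuple[int, int]] = {}        # sector -> (block, page)
        self.state: List[List[str]] = [[FREE] * pages_per_block for _ in range(blocks)]
        self.erase_count = 0                             # wear indicator

    def _free_page(self) -> Optional[Tuple[int, int]]:
        for b, pages in enumerate(self.state):
            for p, st in enumerate(pages):
                if st == FREE:
                    return b, p
        return None

    def write(self, lba: int, data: bytes) -> None:
        """Write one sector.  The payload is irrelevant to the controller: a
        page is consumed and the sector is 'in use' whether data or zeros."""
        if not 0 <= lba < self.sectors:
            raise ValueError("lba out of range")
        old = self.l2p.get(lba)
        if old is not None:                # overwrite: the old copy is garbage
            self.state[old[0]][old[1]] = INVALID
        loc = self._free_page()
        if loc is None:
            if not self.garbage_collect():
                # Simplification: no page relocation, so a drive whose every
                # block mixes live and dead pages cannot be reclaimed here.
                raise RuntimeError("toy model: no fully dead block to erase")
            loc = self._free_page()
        self.state[loc[0]][loc[1]] = VALID
        self.l2p[lba] = loc

    def trim(self, lbas: Iterable[int]) -> int:
        """TRIM: the only way the controller learns sectors are not in use."""
        freed = 0
        for lba in lbas:
            loc = self.l2p.pop(lba, None)
            if loc is not None:
                self.state[loc[0]][loc[1]] = INVALID
                freed += 1
        return freed

    def garbage_collect(self) -> int:
        """Erase every block that holds no live page; a block with even one
        valid page is left alone because that sector still resides in it."""
        erased = 0
        for b, pages in enumerate(self.state):
            if INVALID in pages and VALID not in pages:
                self.state[b] = [FREE] * self.ppb
                self.erase_count += 1
                erased += 1
        return erased

    def in_use(self) -> int:
        return len(self.l2p)

    def free_pages(self) -> int:
        return sum(st == FREE for pages in self.state for st in pages)


def fill(ssd: ToySSD, payload: bytes) -> None:
    """Write every logical sector once (a full drive)."""
    for lba in range(ssd.sectors):
        ssd.write(lba, payload)


def dd_zero_then_count(ssd: ToySSD) -> Tuple[int, int, int]:
    """'dd if=/dev/zero' over a full drive: overwrite every sector with zeros,
    then report (sectors in use, free pages, erases so far) after GC."""
    fill(ssd, b"\x00" * 512)
    ssd.garbage_collect()
    return ssd.in_use(), ssd.free_pages(), ssd.erase_count


def delete_files_then_count(ssd: ToySSD) -> Tuple[int, int, int]:
    """The 'fill, then delete the files' procedure: deleting files makes the
    OS TRIM their sectors, and that is what actually frees the flash."""
    ssd.trim(range(ssd.sectors))
    ssd.garbage_collect()
    return ssd.in_use(), ssd.free_pages(), ssd.erase_count


if __name__ == "__main__":
    zeroed, deleted = ToySSD(), ToySSD()
    fill(zeroed, b"data")
    fill(deleted, b"data")
    print("dd zeros      (in_use, free, erases):", dd_zero_then_count(zeroed))
    print("delete + TRIM (in_use, free, erases):", delete_files_then_count(deleted))
```

Zeroing the full drive costs two block erases and leaves all eight sectors still "in use", while deleting the files (TRIM) costs the same two erases and leaves every page free.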
"Roger Parks" <> wrote in message news:ledio9$u2i$1@news.grc.com...
> On 02/21/14 16:45, MiguelMS wrote:
>>
>> The main downside of HitmanPro is that it requires an Internet
>> connection during scan to upload suspicious files, and if the machine
>> is infected or compromised somehow, you may have already unplugged it
>> from the network (to prevent damage to other computers in the
>> network). But even in that case, you still have an advanced scan mode
>> (I don't remember its "trademark name" right now) that gives a
>> "suspicious mark" to the scanned files, and it does a really good job
>> to spot suspicious processes, drivers... and so on.
>>
>> It's a really useful tool if you are manually cleaning an infected
>> machine or trying to spot anything strange that may be going on. And
>>  of course, you can use it to scan a clean system to get a clean
>> result on top of the results from the AV the machine may already
>> have.
>
> Thank You for the reply!
>
> Does it require an internet connection to effect behaviour monitoring?

HitmanPro is an "on-demand" scanner, it isn't a "resident protection" 
program. Whenever you want to scan a system, it requires an Internet 
connection. Then it runs its scan and uploads anything it feels like it to 
get results about it.

If you don't have an Internet connection available, it still has an advanced 
scan mode that gives a "numeric mark" to scanned program files (executable, 
dll, driver files...). It does a really good job spotting strange things (the 
highest mark I've seen was a "7", I suppose it's a mark from 0 to 10 or 
something like that), but anyway, you must manually review such results, you 
can't just go ahead and delete anything with, say, a "6 or higher" mark.


> If not, does it make sense to block its net access and run it routinely
> on a "clean" box to detect zero-days?

Maybe... ... I would let it access the Internet and upload files if possible 
(if there're no privacy concerns about it uploading files somewhere, or 
there's no known active malware in the machine that may have required you to 
disconnect it from the network...) as you'll get more reliable results. If 
you can't let that computer to access the Internet for some reason and/or 
you don't fully trust the results of the previous scan mode, then go for the 
"numeric mark" scan and results, but it'll be up to you to decide what to do 
about those results. This no-internet advanced mode may spot a "zero-day" for 
you, but maybe not or it may give a "false-positive".

For example, I remember I was doing another scan with GMER at the same time, 
and I think it spotted the GMER driver with a "5" mark, while a real malware 
.exe file running as a service got a "7" mark. That said, you have to review 
those results and decide on your own somehow that one of them was legitimate 
(the GMER driver) and the other wasn't (the malware .exe running as a 
service). That computer did not have an Internet connection at that moment. 
Maybe, with an Internet connection, it may have just spotted the malware 
.exe file and ruled out the legitimate GMER driver as suspicious?


0
MiguelMS
2/23/2014 11:41:03 PM
Roger Parks wrote:
>>> He has an OEM installation disc provided by the dealer.
>> 1.- You better download a W7 ISO to burn (just in case):
>> http://www.mydigitallife.info/official-windows-7-sp1-iso-from-digital-river/
>
> Good one! (And IIUC, the OEM/Home dists are the same - license triggers
> different "features") .

I haven't tested this one, but I know that there's a utility, ei.cfg 
remover, that's supposed to convert a downloaded .ISO into a copy that 
will accept any valid installation key: 
http://code.kliu.org/misc/winisoutils/


>> I do not believe that any half-baked solution will work. If you do
>> get to clean the computer, there is no way of telling if some file
>> has been modified to start the compromise again. If that happens,
>> the user may not notice (as he did not perform the cleaning and does
>> not know the symptoms) or even if he notices, a second round of this
>> process will be needed, I mean: setting up a meeting, preparing, etc.
>> I say: "nuke it".
>
> Yep!
>
> And I don't want to nurse this thing - I'll feel "cleaner" if I do a nuke!
>

In watching this ongoing discussion, I notice that there hasn't been 
much discussion of rootkits.  Even if you manage to clean up malicious 
stuff with things like MBAM, that may not get rootkits.

Fortunately, rootkits aren't as prevalent as they were a few years ago, 
but they're still out there, and a lot of the rootkit tools tend to look 
for specific kits.  GMER or Kaspersky TDS Killer may be the most 
thorough, but I'm not sure they get everything.

Thus, for your situation, of having unknown malicious software present, 
I think that's another reason to nuke everything with DBAN, and start 
over with a clean hard disk.


Smith
0
NFN
2/24/2014 4:16:50 PM
:: On Thu, 20 Feb 2014 17:40:18 -0500
:: (grc.techtalk)
:: <le60ab$30bd$1@news.grc.com>
:: Roger Parks <i8k3ed@0poki.lo9> wrote:

 
> ROTFLMAO...... you present a pretty clear personal inclination in a
> situation like this! Don't know DBAN - I'll look into it. Why would it
> be better than, say, dd'ing zeros or PRData over the whole volume?

well... been there and all the other stuff :( ... fact is that once you
get accustomed to the idea that once a box is compromised you can't
trust it anymore and you should consider any data on it compromised too
(including credentials, data and all that), you'll clearly see that the
only way to go on is to change whatever passwords, ensure other data is
"invalidated" and flatten/rebuild the box from scratch... then ok there
are times when you can't (ok, don't want to) go that way but in those
cases you MUST be really careful when dealing with the box and in any
case, flatten it asap

my 2 cents.


0
ObiWan
2/24/2014 4:23:08 PM