how-to block ads
Malware Removal: When to Flatten and Reinstall Windows
So, you didnt protect the system and it got hacked. What to do? Well, lets see:
You cant clean a compromised system by patching it. Patching only removes the vulnerability. Upon getting into your system, the attacker probably ensured that there were several other ways to get back in.
You cant clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you cant find any more may only mean you dont know where to look, or that the system is so compromised that what you are seeing is not actually what is there.
You cant clean a compromised system by using some vulnerability remover. Lets say you had a system hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldnt. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didnt think so.
You cant clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system cant be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you cant guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you cant just patch the system.
You cant clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put back doors in non-operating system components.
You cant trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. In the best-case scenario, copying data off a compromised system and putting it on a clean system will give you potentially untrustworthy data. In the worst-case scenario, you may actually have copied a back door hidden in the data.
You cant trust the event logs on a compromised system. Upon gaining full access to a system, it is simple for an attacker to modify the event logs on that system to cover any tracks. If you rely on the event logs to tell you what has been done to your system, you may just be reading what the attacker wants you to read.
You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is useless. It may be a backup that includes all the back doors currently on the system.
The only way to clean a compromised system is to flatten and rebuild. Thats right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
The above quote taken from this page:www.microsoft.com/technet/commun504.mspx
Not having the original install disk and/or backups prior to the compromise makes this option pretty much impossible. However, continuing to use this PC on the internet as a trusted machine is a risk for future use. It might be time for a new computer and retire this one.
I can tell you that I would not use it after this serious a breach. Give your friend this link if they do not understand what happens when your computer is wide open and under control of a remote access trojan:Invasion of the Computer Snatcherswww.washingtonpost.com/wp-dyn/co342.html
That is the reality of what we are dealing with here. This PC has been so seriously compromised that I do not want to mislead you into thinking that this "cleaning" will reverse the potential of the damage already done. The fact that it was hosting Multiple rootkits and backdoor trojans makes the breach pretty much a worst case scenerio, with many of these problems you have seen thus far trying to "clean" the system.Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part IIwww.microsoft.com/technet/commun704.mspx
quote: From original post by DSLR's CalamityJane. Used with permission.
with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. Thats where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.
Article Source: »Re: [Virus] Virus's and spyware!
by LoPhatPhuud edited by lilhurricane
last modified: 2012-01-06 21:04:08