Kuro5hin.org: technology and culture, from the trenches
Banishing the demons of stupidity from a system that has been owned

By onyxruby in Technology
Thu Aug 12, 2004 at 02:18:05 PM EST
Tags: Software

Occasionally a computer will become so thoroughly compromised by viruses, trojans, backdoors, spyware or other malware, or so thoroughly hacked, that it cannot be recovered by normal means. Occasionally that computer will belong to a client, family member, friend or other very important person who needs it back, data and all. In most business environments user data should be on the server, and the following process is not usually appropriate. This process is Windows specific, and will help you deal with Windows' less than graceful failures when it has been taken over by viruses, trojans or spyware, or has been hacked.

If you have no data to recover and no substantial operational need to keep that exact install, just wipe the drive and reinstall the operating system. There are times, however, when you really need to recover a system and format c: is not an option. This process is not intended to be all inclusive, but to give you a starting point from which you can do other needed system repairs and recover files safely. Fundamentally, a system that has been owned can be brought back to a usable state, but it should never again be considered known or trusted. Wiping and reinstalling is always better; it is just not always an option.


What I step people through here is the process of setting up a second computer as a recovery station. You will use imaging software, back up data, create logs, and remove viruses, trojans, spyware and malware. You should be familiar with imaging software and with the principles of anti-virus software, trojans, spyware and malware. Knowledge of the registry and certain system files is assumed. If you can't readily find these files or navigate the registry, then you should work with more experienced personnel if possible.

What this process will do is consistently recover systems that would otherwise be a total loss. I am writing this because over the years I have had a lot of requests from techs for my process. I have used it to recover systems to a usable state from dozens of viruses, bad boot records, damaged partition tables, backdoors, trojans, hundreds of spyware infections (not counting cookies) and umpteen thousands of infected files. It is not designed for servers, nor for systems that have only a light infection.

This process requires a dedicated secondary computer in addition to the victim computer. This is strictly necessary; without it the system cannot be properly recovered. You do not need high end hardware, but I will make some hardware recommendations I have found useful over the years. I like Gigabyte brand motherboards because they have a dual BIOS. The secondary BIOS lets the recovery station recover from a virus that flashes the BIOS (like the old Chernobyl virus).

It seems to work best with 512 MB of RAM. You don't need a fast CPU at all; an old 600-700 MHz CPU will work just fine and is readily available at low cost. Beyond this, hardware-wise, I have found it very useful to have three removable IDE hard drive caddies and a CD-RW drive. The caddies only cost about $20 apiece and are very handy for drive swapping.

I set up the primary master hard drive with the operating system and the CD-RW as the primary slave. This leaves the secondary IDE channel free for a victim drive and a recovered-data drive.

Before work starts on the victim drive, the recovery computer has to be prepared. I first do a clean install of Windows XP (SP2) from a known good CD. Windows 2000 can also work, but does not have built-in CD burning software for storing log files. I update the operating system with all needed patches and security updates. At this point I make a base image with my imaging software. I use Drive Image, but Ghost or Drive Works can work just as well. I make sure each image file is limited to 733,000,000 bytes, as this just barely fits on a standard 700 MB CD-R.

I also make sure the CD is bootable, or have a bootable version of my drive imaging software available. The 2002 version of Drive Image can boot from the CD and run the program from there. The particular imaging software is largely irrelevant. The important thing is that you have a known good image of your system on read-only media, and can boot from read-only media to get at that image.

At this point install your first anti-virus scanner and update it. Once it is installed, make sure options like deep scanning, heuristic scanning and scanning inside zip files are selected. If in doubt, if you have a scanning option, take it. Many anti-virus programs will not scan inside archives by default. Make a note of unscannable files: anything password protected will not be scanned, and many viruses take advantage of this. Now burn an image of the system with your first anti-virus package installed, updated and configured.

Next go back and restore your first (bare) image. Now install your second anti-virus product and configure it like the first. Repeat this process for all four scanners. I have many times seen viruses make it through McAfee, Norton and Trend only to be caught by Computer Associates' scanner. There is no particular order; do them alphabetically if that helps keep them clear in your mind. I don't do a fifth scanner, as that is what I consider the point of diminishing returns.

The four anti-virus companies I presently use (yes, I have licenses for them all) are McAfee, Norton, Trend and Computer Associates. I'm not religious about these four, and occasionally cycle one company's scanner out for another.

It might seem to make sense to simply install multiple anti-virus scanners on one system and skip the extra imaging steps. Don't do this. While the likes of McAfee and Norton once played well together, they no longer do. Nowadays they will often refuse to install if the other is present, with good reason. Among other things you can get false positives from files locked in another scanner's quarantine. If real-time protection is enabled they can cause significant system instability, and your system may slow to a crawl. They can also prevent each other from working properly. CDs are cheap; your sanity is not.

Once you have got this far you should have five sets of CDs in hand: one for each scanner and one with no scanner installed at all. Now go back and restore your first image set. It is time to create a utility image with Spybot and Ad-Aware. Be very careful with both, as similar-sounding domain names have been registered for each by various spyware companies. They will offer you "spyware removal" software that removes their competitors' spyware and leaves their own intact. The safest way to get both is to go to Download.com, which is run by CNET and offers free versions of both products from a known good source.

You'll have to manually search a number of locations to find whatever Spybot and Ad-Aware miss. I cover some locations to always look at later in the article. You should have a good familiarity with the Windows registry, services and standard DLLs. You also need to know the legitimate hotfixes and service packs: I have seen many spyware packages installed under names styled after official Microsoft hotfixes. If you are ever in doubt, compare against a known good system or look up the suspect file. Don't be afraid to punch the exact name of a suspect system file into Google; you'll quickly learn whether it's spyware.

If you are dealing with additional damage such as missing partitions, you may want to install some utilities to address that. For partitions I recommend PartitionMagic. It just plain works, and Symantec had the good sense not to put it out to pasture when they bought PowerQuest, as they did with several other PowerQuest products. In my experience most utility suites like Norton SystemWorks or System Mechanic bludgeon their way through things, can often do more harm than good, and should be avoided.

If you are merely dealing with viruses and spyware gone mad, you are now ready to start the recovery process: go ahead and burn this utility image as your sixth set, like the first five.

Are you dealing with data that has been destroyed, or a partition that has been wrongly formatted? I would recommend installing Ontrack's EasyRecovery Professional, though realistically only a business can afford the license. If that doesn't work I would then try Winternals' suite of software, the "Administrator's Pak", but be aware that this license is also extremely expensive. At this point you need to ask yourself how much your data is worth. If you are in a business environment then both are worth picking up as a shop license and installing. If you are not sure, or cannot afford these products, then I would suggest going to SourceForge and looking for open source software that can do these things. Many open source products work very well and are well worth trying.

Once these are installed, make your sixth and final image set to the same standard as the others. You should now have your recovery system set up, fully patched and secured, with all anti-virus and spyware software current as of today, and everything burned to CD.

Physically disconnect the recovery computer from the network, and from the modem if it has one; do this yourself. Put the victim drive and the first recovery drive in the computer and remove your OS drive. Before you do anything else, make an image of the victim drive. Don't do a disk-to-disk file copy: it is not exactly what the victim drive holds (boot sectors, the partition table and any hidden partitions don't come across), and that can prove important. From here on the victim drive is only ever attached as a data disk and never booted; on XP, don't even double-click its drive letter in Explorer, because an autorun.inf in its root can replace that action.

Once this image is made, remove the recovery drive and set it aside. You should now have only the victim drive and the OS drive in the system. Cold boot the recovery computer and restore your first image from CD. From this point forward you are working from read-only media, and it does not matter if the recovery system gets infected: you restore it from CD before each step. Even if the BIOS is infected you can simply recover it with the dual BIOS motherboard.

Run your first anti-virus image against the victim drive. Always try to clean before deleting if the file is needed; quarantine if you have to. What one anti-virus program cannot clean, another may. Burn all log files to CD. When the scanner has finished, give the recovery computer a cold boot and restore your next image. Repeat the process for all four anti-virus images.

If you had several thousand infected files you may want to run the entire set of four scanners again. Surprisingly, this can help even though nothing about the images has changed: a file the first pass could only partly clean may now be within reach of another scanner. If there are still important files that could not be cleaned afterwards, consider them lost and a good impetus for frequent future backups. Delete any remaining infected files at this point, or burn them to CD if they are important enough for a later attempt at cleaning. Either way, remove them from the victim drive.

Now restore the utility image with your spyware scanners. Treat spyware exactly as you would a virus; most modern spyware behaves very much like one. Many spyware programs disguise their names, inject themselves into other processes as DLLs, bury themselves in System Restore files, and otherwise find ways to reinstall themselves. Some replace genuine Windows files with their own versions, which then have to be replaced manually. Keep in mind that Spybot and Ad-Aware can pick up each other's quarantined files; don't consider this a problem. They play well together where the anti-virus companies' products do not.

At this point you are ready to inspect by hand the problem spots that scanners can still miss. This is where things diverge. If you are recovering data and will reinstall the OS, then you don't need to go any further: put your recovery drive in the system and pick over the victim drive for all the data you want. If you need to return the victim drive to operational duty without formatting it and starting over, read on.

Manually examine these locations in detail:

Hidden partitions (not always viewable; it depends on the software at your disposal):

  • System Restore files and folders. Many times I have seen hidden recovery partitions (such as Compaq's) infected with spyware.
  • System Restore: V:\System Volume Information (V: = the victim drive). An infected restore point will cheerfully "fix" the system you just cleaned, so clean or clear this before the drive goes back into service.
  • Roxio (now Norton) GoBack also bears scrutiny and scorn. This product is very problematic and should be avoided.
  • Registry locations (if you don't know what you're doing here, you don't belong here!):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

    Check the RunServices and RunServicesOnce keys in these same locations as well if your registry has them (this depends on the OS; they are honoured by Windows 9x/ME). Remember that while the victim drive sits in the recovery station, HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are the recovery station's own hives. The victim's are files on the victim drive: SOFTWARE and DEFAULT under V:\WINDOWS\system32\config, and one NTUSER.DAT in each user's profile folder. Load each with reg load under a temporary key, examine it there, and reg unload it when done.

  • WIN.INI (in the victim's Windows folder): look for lines starting with LOAD= or RUN=.
  • Start Menu: the Start Menu has a Startup folder, for All Users and for each user profile. Look for anything here as well.
  • .BAT and .CMD files can load things as well and tend to be overlooked, since they are rarely used any more outside of network logons. Look for any .CMD or .BAT file in the above locations, and specifically for WINSTART.BAT under the Windows or WINNT folder.

Remove anything here that does not strictly belong. Challenge entries and don't be afraid to remove them (hardware-related ones included); you can always comment an entry out and put it back if need be. This is not a comprehensive list of all the ways to load software automatically, but it will catch the most common ones. Feel free to google for methods beyond what I have presented.
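The survey above can be scripted so that every pass produces a log you can burn to CD next to the scanner logs. What follows is an added example, not code from the original article: a PowerShell script for the recovery station that walks exactly the locations listed above on a victim drive attached as a data disk. It assumes the victim's system root is V:\WINDOWS and its profiles live under V:\Documents and Settings (the XP layout; on Vista and later they are under V:\Users), and the temporary hive names VictimSW, VictimDefault and VictimUser are arbitrary. It must run from an elevated PowerShell because reg load needs SeRestorePrivilege.

```powershell
# Added example, not part of the original article. Assumptions: victim drive is V:,
# XP directory layout, hive mount names are arbitrary. Run elevated on the
# recovery station; the log is written to the current directory, never to V:.
param(
    [string]$Victim = 'V:',
    [string]$Log    = "autostart-$(Get-Date -Format 'yyyyMMdd-HHmm').log"
)

$SysRoot  = Join-Path $Victim 'WINDOWS'
$Profiles = Join-Path $Victim 'Documents and Settings'
$RunKeys  = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce'

function Log([string]$Text) { Add-Content -LiteralPath $Log -Value $Text; Write-Host $Text }

# reg.exe exits non-zero for a key that does not exist, so only successful
# queries are logged. /s recurses, which also catches RunOnceEx's numbered subkeys.
function Dump-RunKeys([string]$HiveRoot, [string]$Label) {
    foreach ($k in $RunKeys) {
        $key = "$HiveRoot\Microsoft\Windows\CurrentVersion\$k"
        $out = & reg.exe query $key /s 2>&1
        if ($LASTEXITCODE -eq 0) { Log "=== $Label\$k ==="; Log ($out -join "`n") }
    }
}

# Mount an offline hive file under a temporary key, dump it, and always unmount it.
# HKLM and HKCU on the recovery station are YOUR hives; the victim's are these files.
function Inspect-Hive([string]$File, [string]$MountKey, [string]$SubPath, [string]$Label) {
    if (-not (Test-Path -LiteralPath $File)) { Log "missing hive: $File"; return }
    & reg.exe load $MountKey $File | Out-Null
    if ($LASTEXITCODE -ne 0) { Log "could not load $File (not elevated, or hive in use)"; return }
    try     { Dump-RunKeys "$MountKey$SubPath" $Label }
    finally {
        [gc]::Collect()                          # drop any handle PowerShell still holds,
        & reg.exe unload $MountKey | Out-Null    # otherwise the unload fails with access denied
    }
}

Log "Autostart survey of $Victim at $(Get-Date)"

# HKLM\SOFTWARE\...\Run*: the SOFTWARE hive mounts directly at the key root
Inspect-Hive "$SysRoot\system32\config\SOFTWARE" 'HKLM\VictimSW' '' 'HKLM\SOFTWARE'
# HKEY_USERS\.DEFAULT\Software\...\Run*: the DEFAULT hive
Inspect-Hive "$SysRoot\system32\config\DEFAULT" 'HKU\VictimDefault' '\Software' 'HKU\.DEFAULT'
# HKEY_CURRENT_USER\Software\...\Run* for every profile on the victim (NTUSER.DAT is hidden)
$profileDirs = Get-ChildItem -LiteralPath $Profiles -Directory -Force -ErrorAction SilentlyContinue
foreach ($dir in $profileDirs) {
    $ntuser = Join-Path $dir.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $ntuser) {
        Inspect-Hive $ntuser 'HKU\VictimUser' '\Software' "HKU\$($dir.Name)"
    }
}

# Startup folders: All Users plus each profile. The listing shows any .BAT/.CMD too.
$startupDirs  = @(Join-Path $Profiles 'All Users\Start Menu\Programs\Startup')
$startupDirs += @($profileDirs | ForEach-Object { Join-Path $_.FullName 'Start Menu\Programs\Startup' })
foreach ($d in $startupDirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Log "=== Startup folder $d ==="
    Get-ChildItem -LiteralPath $d -Force | ForEach-Object {
        Log ("  {0:yyyy-MM-dd HH:mm}  {1,10}  {2}" -f $_.LastWriteTime, $_.Length, $_.Name)
    }
}

# WIN.INI LOAD= / RUN= lines, and WINSTART.BAT
$winIni = Join-Path $SysRoot 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    Log "=== win.ini LOAD=/RUN= ==="
    Select-String -LiteralPath $winIni -Pattern '^\s*(load|run)\s*=\s*\S' |
        ForEach-Object { Log "  $($_.Line)" }
}
$winstart = Join-Path $SysRoot 'WINSTART.BAT'
if (Test-Path -LiteralPath $winstart) {
    Log "=== $winstart ==="
    Get-Content -LiteralPath $winstart | ForEach-Object { Log "  $_" }
}
Log "done; log written to $Log"
```

Read the log the way the article says to read the keys: every value is a program the victim starts without being asked, so each one is either accounted for or removed. The script only covers the locations the article lists; add further keys to $RunKeys or further Inspect-Hive calls for anything else you want swept, and nothing it does writes to the victim drive.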

Once done with all of the above you should be able to look safely at other issues that require the drive to be in the system, such as driver problems. Remember that the point of all this is not to fix everything; that isn't reasonable. The point is to create an environment in which the system can now be safely fixed. As always, unless there is a strict need otherwise, it is best to take the data, which can now safely be recovered, off the victim drive and rebuild the victim computer from the ground up.

Permission to reproduce this document is given provided it is not altered and credit for its production is not removed.

    Banishing the demons of stupidity from a system that has been owned | 111 comments (86 topical, 25 editorial, 0 hidden)
    Admirable, but... (2.85 / 7) (#1)
    by pwhysall on Wed Aug 11, 2004 at 07:12:48 AM EST

    ...once a system is compromised, it is forever untrustworthy.

    Wipe it, rebuild it and restore data from a known good backup.

    It's the only way to be sure.
    --
    Peter
    K5 Editors
    I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
    CheeseBurgerBrown

    Wiping (2.33 / 3) (#2)
    by onyxruby on Wed Aug 11, 2004 at 07:22:05 AM EST

    Wiping is always best, I agree. Unfortunately a lot of people put important data on their system partition or don't have backups that are usable, if at all. With data recovery services starting at a few hundred bucks, it just isn't reasonable at the friends and family rate. When you find yourself in that bind, and you know that a box has been owned, you may still have to have a way to get that data off before you wipe it. That is what I am trying to cover.

    Those occasions where I haven't been able to just do a wipe after recovering data have mainly dealt with commercial systems that were keyed with DRM crap that could not be reasonably restored otherwise (manufacturer goes tits up, etc.).

    The moon is covered with the results of astronomical odds.
    [ Parent ]

    Backups! Backups! Backups! (3.00 / 2) (#4)
    by pwhysall on Wed Aug 11, 2004 at 07:26:01 AM EST

    Or, "I wish I'd Bought A Tape Drive".

    While I agree with getting a system to a point where you can safely recover data from it, I do not agree with attempting to further recover a system for use once data has been recovered. That's the point, for me, for a home system, at which I reformat.

    Not being able to restore data from backup for commercial systems says more about the owner of those commercial systems than it does about the system.
    --
    Peter
    K5 Editors
    I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
    CheeseBurgerBrown
    [ Parent ]

    cripes (none / 0) (#9)
    by momocrome on Wed Aug 11, 2004 at 09:35:41 AM EST

    how often do you two get 0wned?

    this post would've been anonymous.

    "Give a wide berth to all that foam and spray." - - Lucian, The Way to Write History
    [ Parent ]

    I didn't say *MY* home system :-) (none / 1) (#11)
    by pwhysall on Wed Aug 11, 2004 at 09:37:52 AM EST


    --
    Peter
    K5 Editors
    I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
    CheeseBurgerBrown
    [ Parent ]
    Last time was around '94 or so (none / 0) (#28)
    by onyxruby on Wed Aug 11, 2004 at 02:44:49 PM EST

    Last time I got a system owned was around '94 or so. A particularly nasty virus called MonkeyB got on my system through the college lab. Making things all the more fun was that I was McAfee's first customer with the virus. Ah, the good old days, when you could talk to an engineer about a problem and not just be told you're out of luck. Unfortunately I know people who aren't very careful. Somehow or another these recoveries always seem to come my way.

    The moon is covered with the results of astronomical odds.
    [ Parent ]

    A system could be made trustworthy again... (none / 0) (#99)
    by ErikOsterholm on Sat Aug 14, 2004 at 09:41:54 PM EST

    ...it's just usually harder to do than it is worth doing.

    There are only a few places where Windows loads files automatically at startup.  Clearly, these can be examined and cleaned.

    All system files can be checked against known good copies using MD5 or even straight file comparisons.  The problem is the patch level--you don't know precisely which version of the file is on the infected computer.  Microsoft should create an MD5 database of all patchlevels of their files so that this could be undertaken--but I don't expect them to do it.  However if you are a recovery service company, you could fairly easily do this yourself.  It would probably take no more than 16 hours of work to create the database, and then a custom application to do the scan and report unknown file "versions" on the infected machine so you know what in Windows has been compromised.

    Similar scans could be done for popular applications, though most viruses these days seem to only target OS files.

    Also, at least a little time could be saved by creating disks using BartPE, which gives you a working Windows environment on a CD.  Instead of having to reimage every time, you just pop in the new CD and boot up, and you're good to go.  There are plugins for many virus scanning utilities, you can make a ramdisk (for those programs that just absolutely require writeability), and best of all, you can automate things so you just pop the CD in and it automatically performs the scan for you.  Very nifty utility.  More info here:

    http://www.nu2.nu/pebuilder/

    [ Parent ]
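The known-good hash database the comment above describes is straightforward to build once the victim drive is offline in the recovery station. The script below is an added example, not the commenter's code or anything the article ships: it hashes a clean reference tree at the victim's patch level, saves the result as a CSV baseline, and then reports every file under the victim's system directory that the baseline has never seen or whose hash matches no known version of that path. The paths R:\WINDOWS\system32 (a clean install, e.g. the recovery station's own base image attached read-only) and V:\WINDOWS\system32 (the victim) are illustrative. It uses SHA-256 rather than the MD5 the comment mentions, since MD5 collisions are cheap today.

```powershell
# Added example, not the commenter's code. Assumptions: R:\WINDOWS\system32 is a
# clean tree at the victim's patch level, V:\WINDOWS\system32 is the victim's;
# baseline CSVs are kept on the recovery station, one per patch level.
param(
    [string]$Reference  = 'R:\WINDOWS\system32',
    [string]$Suspect    = 'V:\WINDOWS\system32',
    [string[]]$Baselines = @('baseline-xp-sp2.csv')
)

# Hash every file under $Root, keyed by its path relative to $Root (lower-cased,
# since NTFS is case-insensitive and case varies between installs).
function Get-TreeHashes([string]$Root) {
    $base = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) {
                [pscustomobject]@{
                    Path = $_.FullName.Substring($base.Length + 1).ToLowerInvariant()
                    Hash = $h.Hash
                    Size = $_.Length
                }
            }
        }
}

# Merge one CSV per patch level into path -> set of acceptable hashes. Keeping
# several baselines is how you cope with not knowing the victim's exact hotfix set.
function Import-Baselines([string[]]$Files) {
    $known = @{}
    foreach ($f in $Files) {
        foreach ($row in (Import-Csv -LiteralPath $f)) {
            if (-not $known.ContainsKey($row.Path)) { $known[$row.Path] = @{} }
            $known[$row.Path][$row.Hash] = $true
        }
    }
    $known
}

# Report files the baseline has never seen (UNKNOWN) and files whose hash matches
# no known version of that path (MODIFIED). Everything else is byte-identical.
function Compare-Tree([hashtable]$Known, [string]$Root) {
    foreach ($f in Get-TreeHashes $Root) {
        if (-not $Known.ContainsKey($f.Path)) {
            [pscustomobject]@{ Status = 'UNKNOWN';  Path = $f.Path; Size = $f.Size; Hash = $f.Hash }
        } elseif (-not $Known[$f.Path].ContainsKey($f.Hash)) {
            [pscustomobject]@{ Status = 'MODIFIED'; Path = $f.Path; Size = $f.Size; Hash = $f.Hash }
        }
    }
}

# Build the first baseline if it does not exist yet, then diff the victim.
if (-not (Test-Path -LiteralPath $Baselines[0])) {
    Get-TreeHashes $Reference | Export-Csv -LiteralPath $Baselines[0] -NoTypeInformation
}
$known  = Import-Baselines $Baselines
$report = Compare-Tree $known $Suspect | Sort-Object Status, Path
$report | Export-Csv -LiteralPath 'victim-unknown-files.csv' -NoTypeInformation
$report | Format-Table Status, Size, Path -AutoSize
```

UNKNOWN is noisy (application installers drop DLLs into system32 all the time); MODIFIED on a core binary such as winlogon.exe or kernel32.dll is the finding to chase. Because the hashing runs on the recovery station over the offline drive, a kernel-resident rootkit on the victim gets no chance to lie about file contents, which is the whole point of doing it this way rather than from the victim's own OS.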

    Registry locations (2.66 / 3) (#3)
    by eejit on Wed Aug 11, 2004 at 07:22:49 AM EST

    There are literally dozens more places in the registry that spyware/trojans/etc use to startup, I suggest looking at a quick history of the CWS spyware and note some of the registry locations it uses, such as Browser helper objects, ActiveX, etc...

    CWS' Eeevil History

    It's an absolute PITA to get rid of.

    Just as a side note, why go to all that effort? If it's just software related then backup your important stuff (err... warez, porn, mp3s, etc) format the drive and start over, job done.

    For my systems - no way (3.00 / 3) (#6)
    by onyxruby on Wed Aug 11, 2004 at 07:28:41 AM EST

    I don't go through all this effort for my systems. My systems have their data and operational capacity distinctly separated. I'll just blow away a troublesome system and restore the image. I have no data on the system drive to lose. Unfortunately a lot of people don't separate things out, and get sloppy. Remember as well that this is for your extreme cases that require getting things to a safe point to work on them. This is not a one-size-fits-all solution. I very carefully cover that right away.

    As for cool web search, may the programmers for that rot in hell. It's one of the nastiest out there, but I've seen other things start to compete with it. Nothing like having windows system restore *fix* your system you just cleaned. As for the registry, there are indeed more places to put things, but I'm trying to convey some of the more popular ones. You can also hook dll's into dll's and so on. The article was long enough as it was - bleh.

    The moon is covered with the results of astronomical odds.
    [ Parent ]

    Also worth checking (none / 1) (#12)
    by brain in a jar on Wed Aug 11, 2004 at 09:41:44 AM EST

    Is the security policy on the machine. Since this is changed (loosened) by some malware.

    Otherwise interesting article, I'm sure some folks will find it useful.

    Life is too important, to be taken entirely seriously.

    circletimessquare's guide to unhosing a... (1.66 / 6) (#16)
    by circletimessquare on Wed Aug 11, 2004 at 11:45:08 AM EST

    significantly compromised system

    format c:<enter>

    are you sure? (y/n)

    y<enter>


    The tigers of wrath are wiser than the horses of instruction.

    format is not necessarily safe (3.00 / 8) (#19)
    by yamla on Wed Aug 11, 2004 at 12:22:36 PM EST

    This will work if and only if your format command hasn't been compromised.

    [ Parent ]
    thank you mr. obvious (none / 1) (#43)
    by circletimessquare on Wed Aug 11, 2004 at 06:26:48 PM EST

    it's called a joke


    The tigers of wrath are wiser than the horses of instruction.

    [ Parent ]
    Yes, yes it is. (3.00 / 6) (#50)
    by sllort on Wed Aug 11, 2004 at 07:12:14 PM EST

    Like the part of the sentence you didn't expect,
     like the brown end of a ciggy bug,
       like the part that absorbs the bullet's energy,
         like the worst part of a plumber,

    You're the butt.

       
    --
    Warning: On Lawn is a documented liar.
    [ Parent ]

    gordonjcp's version. (2.40 / 10) (#33)
    by gordonjcp on Wed Aug 11, 2004 at 03:19:05 PM EST

    1. Press RESET
    2. Open CD tray, insert NetBSD disk
    3. Once prompts start to appear, say "yes" lots of times
    4. Remove CD and reboot

    Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


    [ Parent ]
    I go for the big magnet solution, personally. [nt] (3.00 / 2) (#57)
    by pb on Wed Aug 11, 2004 at 09:19:15 PM EST


    ---
    "See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
    -- pwhysall
    [ Parent ]
    Write-in: (2.94 / 18) (#17)
    by The Honorable Elijah Muhammad on Wed Aug 11, 2004 at 12:00:01 PM EST

    Nuke the site from orbit.


    ___
    localroger is a tool.
    In memory of the You Sad Bastard thread. A part of our heritage.
    Hold on just a minute there! (3.00 / 9) (#18)
    by wiredog on Wed Aug 11, 2004 at 12:21:51 PM EST

    We're talking about a substantial investment here.

    Wilford Brimley scares my chickens.
    Phil the Canuck

    [ Parent ]
    Let's move cautiously. (3.00 / 9) (#20)
    by pwhysall on Wed Aug 11, 2004 at 12:42:05 PM EST

    First, this physical installation had a substantial dollar value attached to it...
    --
    Peter
    K5 Editors
    I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
    CheeseBurgerBrown
    [ Parent ]
    Well that's great, that's just fuckin' great man. (3.00 / 9) (#22)
    by The Honorable Elijah Muhammad on Wed Aug 11, 2004 at 12:52:43 PM EST

    Now what the fuck are we supposed to do? We're in some real pretty shit now man... That's it man, game over man, game over, man! Game over! What the fuck are we gonna do now? What are we gonna do?


    ___
    localroger is a tool.
    In memory of the You Sad Bastard thread. A part of our heritage.
    [ Parent ]
    Hiisssssssss (3.00 / 3) (#41)
    by Wah on Wed Aug 11, 2004 at 06:17:45 PM EST

    nt
    --
    umm, holding, holding...
    [ Parent ]
    Get away from her, you bitch! (none / 0) (#89)
    by Russell Dovey on Thu Aug 12, 2004 at 05:18:17 PM EST

    nt

    "Blessed are the cracked, for they let in the light." - Spike Milligan
    [ Parent ]

    IAWTP (none / 1) (#44)
    by curien on Wed Aug 11, 2004 at 06:40:50 PM EST

    It's the only way to be sure.

    --
    This sig is umop apisdn.
    [ Parent ]
    Question (2.60 / 5) (#23)
    by sllort on Wed Aug 11, 2004 at 01:16:02 PM EST

    What do you do if your system is compromised by a one-off stealth trojan/backdoor/rootkit that resides in the NT kernel as a module, cloaks itself, binds no ports, and for which no signature exists from any antivirus vendor anywhere?

    Just curious.
    --
    Warning: On Lawn is a documented liar.

    How would you ever know? (3.00 / 3) (#25)
    by pwhysall on Wed Aug 11, 2004 at 01:32:55 PM EST


    --
    Peter
    K5 Editors
    I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
    CheeseBurgerBrown
    [ Parent ]
    agree (none / 1) (#36)
    by phred on Wed Aug 11, 2004 at 04:23:16 PM EST

    and it goes back to a previous comment, once 0wned, its best to reinstall from known good media. There are some darn nice rootkits out there.

    [ Parent ]
    I dunno (none / 0) (#48)
    by sllort on Wed Aug 11, 2004 at 07:07:48 PM EST

    Maybe they'd make a little tiny error in their code which would cause an upgrade to crash and you'd send in the bluescreen to Microsoft and they'd reply that there was a highly suspicious service in the memory dump you sent and send an incident response team out to investigate.

    Just winging it here.
    --
    Warning: On Lawn is a documented liar.
    [ Parent ]

    I believe that's called (3.00 / 4) (#30)
    by misfit13b on Wed Aug 11, 2004 at 02:49:18 PM EST

    a "Service Pack".

    [ Parent ]
    God damn it. (3.00 / 2) (#64)
    by acceleriter on Wed Aug 11, 2004 at 11:52:05 PM EST

    When I want to give a 5, they're not available anymore!

    [ Parent ]
    Reply to This? sihT ot ylpeR?Did I miss something (none / 0) (#69)
    by Tezcatlipoca on Thu Aug 12, 2004 at 04:31:39 AM EST



    Might is right
    Freedom? Which freedom?
    [ Parent ]
    HTML in his sig. [nt] (none / 0) (#72)
    by Empedocles on Thu Aug 12, 2004 at 04:38:09 AM EST



    ---
    And I think it's gonna be a long long time
    'Till touch down brings me 'round again to find
    I'm not the man they think I am at home

    [ Parent ]
    You can put a network scanner. (none / 0) (#70)
    by Tezcatlipoca on Thu Aug 12, 2004 at 04:33:23 AM EST

    That is less complicated than what you think, a Linux firewall should do the trick.

    Most antiviruses will protect your files ensuring they are not changed (or so I think, I don't use Windows).

    Might is right
    Freedom? Which freedom?
    [ Parent ]

    Incorrect. (none / 0) (#82)
    by sllort on Thu Aug 12, 2004 at 12:05:07 PM EST

    A Linux firewall cannot and will not protect you from a trojan that is already inside your Windows system, unless it blocks ALL network packets, in which case a brick would have done a better job.

    Additionally the first thing an attacker will do once they insert a rootkit is quietly put your antivirus tools to sleep. There's a great little tool out there called morphine which you can read up on, but even better technology exists.
    --
    Warning: On Lawn is a documented liar.
    [ Parent ]

    compromised servers (none / 1) (#103)
    by aderusha on Mon Aug 16, 2004 at 03:00:54 PM EST

    if you have a compromised server (on any platform), your best course of action is always to bring the machine down and off the wire as soon as possible, especially in the situation where you are faced with an unknown adversary. a simple worm attack is usually an automated infection, but a cloaked rootkit is almost always the result of a "hands-on" cracker. mount the system's volumes read-only on an isolated system and backup its data, being careful not to bring along any sort of executable code. this would also be a great time to look at your backup logs to find out the date of the compromise, and an even better time to look at your other systems for similar signs. you may also want to invest now in an IDS system which includes file fingerprinting, which would have alerted you to these changes immediately.

    [ Parent ]
    Another good util (2.60 / 5) (#27)
    by WorkingEmail on Wed Aug 11, 2004 at 02:30:35 PM EST

    Another utility for the adept computer user is HijackThis. It's a small, standalone program which can clean up a well-hosed Internet Explorer, and then some more.


    Actually, there are some spywares and such that will target this program specifically - prevent you from downloading it, or prevent you from running it.


    Clean system (1.50 / 6) (#31)
    by LilDebbie on Wed Aug 11, 2004 at 03:08:00 PM EST

    Amazingly, I've never had a problem with my old ass 98 system even though I've rarely ever updated windows or virus protection. Yay for running win98 when everyone is writing nt4.0 virii.

    My name is LilDebbie and I have a garden.
    - hugin -

    -1, "virii" (2.22 / 9) (#59)
    by kitten on Wed Aug 11, 2004 at 09:27:42 PM EST


    mirrorshades radio - darkwave, synthpop, industrial, futurepop.
    [ Parent ]
    What about (none / 0) (#79)
    by wiredog on Thu Aug 12, 2004 at 11:22:41 AM EST

    "virile"?

    Wilford Brimley scares my chickens.
    Phil the Canuck

    [ Parent ]
    viruses:virii :: boxes:boxen [nt] (2.00 / 3) (#91)
    by jimrandomh on Thu Aug 12, 2004 at 06:17:29 PM EST


    --
    CalcRogue: TI-89, 92+, PalmOS, Windows and Linux.
    [ Parent ]
    Same here. Downside... (none / 0) (#95)
    by mcgrew on Fri Aug 13, 2004 at 10:29:50 AM EST

    I can't run DOOM. I've downloaded a couple of how-tos for installing it in Linux, but KDE doesn't seem to like my new motherboard and video card.

    "The entire neocon movement is dedicated to revoking mcgrew's posting privileges. This is why we went to war with Iraq." -LilDebbie
    [ Parent ]

    Optimum reaction (2.05 / 17) (#34)
    by fyngyrz on Wed Aug 11, 2004 at 03:33:39 PM EST

    1) Put linux install CD in drive

    2) Format entire drive, all partitions

    3) Install Linux.


    Blog, Photos.

    To the naysayers. (none / 0) (#71)
    by Tezcatlipoca on Thu Aug 12, 2004 at 04:38:04 AM EST

    The above is a legitimate solution.

    You don't like it, fine, but it is a real solution that works today, you ignore it and deride it unjustly and at your peril.

    Might is right
    Freedom? Which freedom?
    [ Parent ]

    You skipped step 1 (none / 1) (#94)
    by mcgrew on Fri Aug 13, 2004 at 10:27:49 AM EST

    1. Back up all data

    If you don't need your data, you don't need your computer.

    "The entire neocon movement is dedicated to revoking mcgrew's posting privileges. This is why we went to war with Iraq." -LilDebbie
    [ Parent ]

    Egads man! (2.80 / 10) (#39)
    by cr8dle2grave on Wed Aug 11, 2004 at 05:21:34 PM EST

    You're one generous sonofabitch to perform that kind of work under the Friends & Family Discount Plan®.

    Personally, I can only think of a few situations, none of them likely to be encountered outside of a data-center, where salvaging a totally compromised Windows OS installation is worth more effort than running Stinger, running a full virus scanner, then finishing by running Spybot and Ad-Aware plus assorted reg hacks. If a Windows box is totally hosed, more often than not, just recovering the required data and scanning it for viruses will suffice. And in such cases your approach seems to be just a tad on the excessive side.

    A much quicker, if somewhat less bulletproof, approach would be to boot up a Linux Live CD on the infected box, and copy the required files over to a network mount or removable media of some sort. Clam AV will detect most virus signatures and can be run on the data files before they are copied, and then Trend or McAfee can be used on a Windows workstation to scan the data files once they are stored on the network or removable media.

    Honestly, I've found that a good Live CD and a USB storage device (temp files + any tools that need to be installed on the infected box) is all that's required to get almost any box back in working condition.

    ---
    Unity of mankind means: No escape for anyone anywhere. - Milan Kundera
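An added example (not code from the thread or from any tool it names) of the "copy the required files over" step in the comment above, written to refuse anything executable rather than trust file extensions: it walks the read-only mounted volume, checks both the extension and the first bytes of each file (MZ, ELF, shebang), copies only what passes, and reports what it refused and why. The tree in `demo()` is constructed and the file names are invented.

```python
"""Added example (not from the original thread): copy user data off a
read-only mounted volume while refusing anything that looks executable,
judged by extension and by file header rather than extension alone.
The sample tree below is constructed; the names are invented."""
import os
import shutil
import tempfile

# Extensions Windows will execute or that carry code; refuse them outright.
EXECUTABLE_EXT = {
    ".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx", ".drv",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}


def looks_executable(path):
    """Return why the file is refused, or None if it passes as data."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXT:
        return "extension " + ext
    with open(path, "rb") as f:
        head = f.read(4)
    if head[:2] == b"MZ":          # DOS/PE image hiding behind a data extension
        return "MZ header"
    if head == b"\x7fELF":
        return "ELF header"
    if head[:2] == b"#!":
        return "shebang"
    return None


def copy_data_only(src_root, dst_root):
    """Walk src_root, copy files judged to be data into dst_root, and
    return (copied, refused): sorted relative paths, refused with reasons.
    Symlinks are neither followed nor copied."""
    copied, refused = [], []
    for dirpath, dirnames, filenames in os.walk(src_root):
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            if os.path.islink(src):
                refused.append((rel, "symlink"))
                continue
            reason = looks_executable(src)
            if reason is not None:
                refused.append((rel, reason))
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            # copyfile, not copy2: bring the bytes, not permissions or timestamps
            shutil.copyfile(src, dst)
            copied.append(rel)
    return sorted(copied), sorted(refused)


def demo():
    """Constructed volume: two real data files, three things that are not."""
    with tempfile.TemporaryDirectory() as src, \
            tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "Documents"))
        os.makedirs(os.path.join(src, "Application Data"))
        samples = {
            ("Documents", "report.doc"): b"\xd0\xcf\x11\xe0" + b"\x00" * 32,
            ("Documents", "photo.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 16,
            ("Documents", "invoice.pdf.exe"): b"MZ" + b"\x00" * 8,
            ("Documents", "readme.txt"): b"MZ" + b"\x90" * 8,   # PE behind .txt
            ("Application Data", "update.dat"): b"\x7fELF" + b"\x00" * 8,
        }
        for (folder, name), data in samples.items():
            with open(os.path.join(src, folder, name), "wb") as f:
                f.write(data)
        return copy_data_only(src, dst)


if __name__ == "__main__":
    copied, refused = demo()
    print("copied:", copied)
    for rel, reason in refused:
        print("refused:", rel, "(" + reason + ")")
```

This is a gate on what crosses to the clean side, not a scanner: a macro inside a .doc or a renamed archive still passes, so the copied tree still gets the Clam AV and Windows-side scans the comment describes before anything is put back.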


    I'll second that (none / 0) (#85)
    by Sgt York on Thu Aug 12, 2004 at 02:43:18 PM EST

    I do a little side business fixing computers, most of them are for viruses, spyware, etc so I wind up doing a lot of data recovery followed by reinstall. I have Slax (Slackware live distro) and a 1GB USB drive. Put the two together, and you can salvage anyone's mail, address book, bookmarks, documents, etc. On one occasion I had a guy demand that I salvage his 50GB of pr0n, all I did was hook up a spare hard disk to it. Well, 2 spare hard disks. Same thing works for just about any large chunk of data. You can then disinfect at your leisure in a safe environment.

    Live CD's are sweet. You can rescue anything with them.
    There is a reason for everything. Sometimes, that reason just sucks.
    [ Parent ]

    Another tool to mention.. (2.33 / 3) (#40)
    by Wah on Wed Aug 11, 2004 at 06:16:14 PM EST

    is 'autoruns.exe'.

    It's a small app that scans various parts of Windows for ALL the programs that load-up at start-up.

    Very nice to recover a system that seems totally broken.  Between that, Ad-aware, and a decent firewall, anyone can keep a system clean, or clean a dirty one.

    Quick test for ya, how long can you leave a newly installed Windows box on the Net before it gets attacked?

    2004 is definitely the year the Internet became a hostile place.  Ya know, war and all that.
    --
    umm, holding, holding...

    12 seconds (none / 0) (#47)
    by cr8dle2grave on Wed Aug 11, 2004 at 06:54:22 PM EST

    Or at least that's how long it took a couple months back when I last timed it (XP on a Speakeasy DSL line).

    ---
    Unity of mankind means: No escape for anyone anywhere. - Milan Kundera


    [ Parent ]
    Yea (none / 0) (#54)
    by Wah on Wed Aug 11, 2004 at 08:39:13 PM EST

    the supa-freaky thing is that much of this happens wirelessly now.  Plug in a new machine. New wi-fi card finds network. Logs in.

    Swoosh.  

    Wild.  I guess saying the 'atmosphere' of the internet is hostile is a bit too literal, eh?
    --
    umm, holding, holding...
    [ Parent ]

    A few minutes (none / 0) (#111)
    by sgp on Sun Aug 29, 2004 at 11:10:20 PM EST

    On a Solaris install, a few years back - installed it, patched it, all offline.
    Got attacked within minutes. (port 25, open relay spammer). Of course, it was secure by then.
    Attack != Success
    The Linux box on my ADSL line keeps getting hit with some Windows thing at the moment - not a problem, though.
    A bigger PITA - mistakenly set up an internal proxy server as a global proxy a few years ago - soon realised the mistake, but we still get hit with requests - 4,450 yesterday. Of course, those requests fail, but we still get them.

    I can't imagine what it would be like to get crap like that on an unpatched box without a firewall.
    To take a car on the road, you need to pass a test - you don't need to know exactly how a car works, but you have to demonstrate starting it, using it, stopping it, whilst actively avoiding any potential problems. It's simply polite.

    There are 10 types of people in the world:
    Those who understand binary, and those who don't.

    [ Parent ]

    or just use a Mac (2.57 / 7) (#49)
    by anon 17753 on Wed Aug 11, 2004 at 07:09:58 PM EST

    There's a reason why the Windows world is full of malware - nobody cares enough about the neighborhood. I suggest reading John Gruber's Broken Windows.

    Sure, there are ways to 0wn my Mac (although most people will give up long before they succeed), but I don't have malware attacking me during normal everyday use.

    Yeah, if you want to do it the RIGHT way, (3.00 / 3) (#52)
    by rodoke3 on Wed Aug 11, 2004 at 08:34:21 PM EST

    though my experience shows that those tend to be good opportunities to grab free hardware. After all, people who are stupid or lazy enough to let their computer get to that sorry state before calling anyone will only do it when they need it fixed "now!!" and by then, they'll be ready to believe anything you tell them! I've seen cases where people have scammed entire computers from people too lazy to learn OS maintenance. This is especially good for/against young people as the kids with computer knowledge and the kids with truckloads of disposable income are rarely the same people. ;^)

    I take umbrage with such statements and am induced to pull out archaic and over pompous words to refute such insipid vitriol. -- kerinsky


    Yeah, a friend of mine chose that option (3.00 / 4) (#68)
    by Kasreyn on Thu Aug 12, 2004 at 03:08:15 AM EST

    He (and later I) was working for a small and not-very-tech-wise company as their chief tech / network guy. Whenever there were problems with a computer, even if they were recoverable, he pronounced them irrecoverable and personally saw to the "disposal" of the old machine... said disposal being, back to his place, where we'd rip it to its component parts and stack the boards and drives in the closet with the others, pausing only to reformat whichever one was giving problems...

    It was simply too easy. Amazingly, they never got a second opinion on any of the computers, they always trusted him.


    -Kasreyn


    "Extenuating circumstance to be mentioned on Judgement Day:
    We never asked to be born in the first place."

    R.I.P. Kurt. You will be missed.
    [ Parent ]
    Unnecessarily complex. (2.75 / 4) (#55)
    by Empedocles on Wed Aug 11, 2004 at 08:59:59 PM EST

    I'll write a complete critique when I get a chance, but this is perhaps the most convoluted and superstitious recovery process I have ever seen.

    I found the BIOS virus references particularly amusing, since I don't think I've ever seen a motherboard where you didn't have to change a BIOS protect jumper to flash the BIOS. I went and did a quick search anyway, and the only thing I could find was a reference to this virus, which is years old and only worked on one specific chipset.

    ---
    And I think it's gonna be a long long time
    'Till touch down brings me 'round again to find
    I'm not the man they think I am at home

    I had a MB like that (none / 0) (#83)
    by bugmaster on Thu Aug 12, 2004 at 12:42:52 PM EST

    One of the old Asus boards, I forget which one. How do I know that it was flashable without the jumper ? Oh trust me. I know. To this day, I can't figure out how I got that virus.
    >|<*:=
    [ Parent ]
    Easiest and most efficient cleaner: (2.20 / 5) (#56)
    by acceleriter on Wed Aug 11, 2004 at 09:12:01 PM EST

    FDISK

    FDISK: Nuke the site from orbit (none / 0) (#107)
    by zaxus on Tue Aug 17, 2004 at 12:17:41 PM EST

    It's the only way to be sure.

    ---
    "If you loved me, you'd all kill yourselves today." - Spider Jerusalem, Transmetropolitan


    [ Parent ]
    All that? (2.28 / 7) (#60)
    by kitten on Wed Aug 11, 2004 at 09:34:48 PM EST

    If all you want is to recover your files, then shove a Knoppix CD in there, boot it, and move the files you need to another computer (or another hard drive, or onto a CD, or whatever). Then wipe the hard drive and reinstall Windows, and when you're done, move your files back. Done.
    mirrorshades radio - darkwave, synthpop, industrial, futurepop.
    ALmost right (3.00 / 2) (#62)
    by jolly st nick on Wed Aug 11, 2004 at 10:43:45 PM EST

    This pretty much mirrors what I would do, except that after the fresh windows install I'd

    (1) install anti virus (2) install anti spyware (3) install firefox and make it the default browser (4) install Tbird and disable outlook express.

    I'd also consider installing a small linux partition and setting up dual boot in order to facilitate the process in the future.

    The big area of exploits seems to be IE adware/spyware these days. This area is developing so quickly it's hard to stay ahead. Moving people over to Mozilla/Firefox is a huge help.

    [ Parent ]

    That's my policy at work... (3.00 / 4) (#63)
    by regeya on Wed Aug 11, 2004 at 11:08:53 PM EST

    I basically said, "look, you guys don't pay me to be a sysadmin, and I have another job to do, so here's the deal: either switch to Firefox and Thunderbird, or hire some Windows admin type to keep fixing the Windows boxes."

    Stinginess won.

    [ yokelpunk | kuro5hin diary ]
    [ Parent ]

    It's sad (none / 0) (#106)
    by CheezyDee on Tue Aug 17, 2004 at 03:46:38 AM EST

    But I find that antivirus software is a waste of time, especially with home users on dialup. "It just takes so long to update!" or "The virus thing wouldn't let me use the computer!" or some such crap. The only way to teach someone that they *NEED* to keep up with patches and antivirus updates is for them to lose something important; maybe they will listen to you in the future.

    I like to use a separate machine with a removable drive tray as well, but I wouldn't even think about using Windows to scan or recover a known infected drive; it's looking for trouble. I've had pretty good success with the old 2.4 kernel with NTFS read support for recovering files when needed. Then it's just a matter of zero filling the old drive and PFR.

    [ Parent ]
    You're done all right (none / 0) (#65)
    by nh1 on Thu Aug 12, 2004 at 12:07:47 AM EST

    Then wipe the hard drive and reinstall Windows, and when you're done, move your files back. Done.

    Yes, you've copied back the infected files. Users' files, especially MSOffice documents, can contain viruses.

    [ Parent ]
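An added example (not from the thread or from any tool it names) for the point nh1 makes: a check that flags Office files carrying VBA macros before they go back onto the fresh install. It goes beyond the 2004 thread by covering both containers: the zipped OOXML format (Office 2007 and later), where a `vbaProject.bin` entry is the definitive sign, and the legacy OLE2 .doc/.xls container, checked here only by a substring heuristic for the UTF-16LE storage names a VBA project uses (`_VBA_PROJECT`, `Macros`). The documents in `build_samples()` are constructed stand-ins, not real Office files.

```python
"""Added example (not from the original thread): flag Office documents
carrying VBA macros before they are restored onto the fresh install.
Handles the zipped OOXML container (docm/xlsm: a vbaProject.bin entry)
and, heuristically, the legacy OLE2 .doc/.xls container by looking for
the VBA storage names Office writes into the OLE directory as UTF-16LE.
The samples are constructed stand-ins, not real Office files."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Storage/stream names Office uses for a VBA project, as they appear in
# OLE directory entries (UTF-16LE). Substring search only: a heuristic.
OLE_VBA_NAMES = [(n.encode("utf-16-le"), n) for n in ("_VBA_PROJECT", "Macros")]


def macro_indicators(data):
    """Return the macro indicators found in a document's bytes ([] = none)."""
    found = []
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for name in z.namelist():
                    if name.lower().endswith("vbaproject.bin"):
                        found.append("ooxml:" + name)
        except zipfile.BadZipFile:
            found.append("ooxml:unreadable container")
    elif data.startswith(OLE_MAGIC):
        for raw, label in OLE_VBA_NAMES:
            if raw in data:
                found.append("ole:" + label)
    return found


def scan_file(path):
    with open(path, "rb") as f:
        return macro_indicators(f.read())


def build_samples():
    """Constructed documents: two OOXML zips and two fake OLE blobs."""
    def ooxml(with_macro):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("[Content_Types].xml", "<Types/>")
            z.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
        return buf.getvalue()

    clean_doc = (OLE_MAGIC + b"\x00" * 64
                 + "WordDocument".encode("utf-16-le") + b"\x00" * 64)
    macro_doc = (OLE_MAGIC + b"\x00" * 64
                 + "Macros".encode("utf-16-le") + b"\x00" * 32
                 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 32)
    return {
        "clean.docx": ooxml(False),
        "macro.docm": ooxml(True),
        "clean.doc": clean_doc,
        "macro.doc": macro_doc,
        "notes.txt": b"plain text, no container at all\n",
    }


def demo():
    return {name: macro_indicators(data)
            for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'MACROS ' + ', '.join(hits) if hits else 'clean'}")
```

The OLE half is a heuristic in both directions: a Unicode string "Macros" in the document text would trigger it, and a deliberately mangled directory could evade it, so when the answer matters use a real OLE directory parser (olevba from the oletools project does this properly). A clean result also says nothing about exploits against the document parser itself, only that no macro project is present; mcgrew's save-everything-as-text approach further down the thread is the blunt version of the same idea.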

    4 virus scanners? (1.00 / 2) (#67)
    by Haxx on Thu Aug 12, 2004 at 02:57:03 AM EST

    If you ran 4 virus scanners at the same time your system resources would be so low that you'd be lucky to be able to move the mouse around.

    Not only that... (3.00 / 4) (#76)
    by gordonjcp on Thu Aug 12, 2004 at 08:30:38 AM EST

    ... you get a kind of "turf war" between the virus scanners. "Hey, Sophos, 'sup? That's a nice .dll hook, I'd move that before something happens to it"

    Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


    [ Parent ]
    Bwahaha. (none / 0) (#78)
    by Farq Q. Fenderson on Thu Aug 12, 2004 at 10:10:51 AM EST

    I've seen it happen. It just dies. SPLAT.

    Kinda reminds me of the awesome gdb error message about refusing to debug itself. If you correctly guess the pid it will run as (i.e. do a ps, add two to the highest pid), you can tell it to attempt to attach to itself. It just flat-out refuses. IIRC strace doesn't have this kind of protection... I forget what happens though.

    farq will not be coming back
    [ Parent ]

    a friend of mine tried it ... (none / 0) (#87)
    by astatine on Thu Aug 12, 2004 at 03:27:06 PM EST

    the result was the process was deadlocked in uninterruptible wait (ps status code D) on itself, and so was indestructible as well.

    Society, they say, exists to safeguard the rights of the individual. If this is so, the primary right of a human being is evidently to live unrealistically.Celia Green
    [ Parent ]
    Oh. (none / 0) (#92)
    by Farq Q. Fenderson on Thu Aug 12, 2004 at 10:03:03 PM EST

    Weird. I don't remember that happening. Maybe my memory is faulty... or maybe we were using different versions of strace.

    farq will not be coming back
    [ Parent ]
    my strace says (none / 0) (#109)
    by treat on Tue Aug 17, 2004 at 10:44:30 PM EST

    strace: I'm sorry, I can't let you do that, Dave.

    if I run:

    strace -p $(( `perl -e 'print $$'` + 1 ))

    [ Parent ]

    RTFA (none / 0) (#86)
    by bdoserror on Thu Aug 12, 2004 at 03:21:41 PM EST

    4 virus scanners, on separate, different images. He specifically mentions that they don't run together, you run them in series.
    --

    "Complexity is easy, simplicity is hard."
    [ Parent ]

    Song. (2.87 / 16) (#74)
    by komet on Thu Aug 12, 2004 at 06:22:28 AM EST

    If you're 0wn0red and you know it, reinstall.
    If you're 0wn0red and you know it, reinstall.
    If you're 0wn0red and you know it
    network traffic sure will show it
    If you're 0wn0red and you know it, reinstall.

    YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME.

    excellent. (n/t) (none / 1) (#84)
    by Gandalf21 on Thu Aug 12, 2004 at 01:48:56 PM EST


    "Capitalism is the extraordinary belief that the nastiest of men, for the nastiest of reasons, will somehow work for the benefit of us all." - John Maynard Ke
    [ Parent ]
    wasting your time (2.80 / 5) (#77)
    by lurker4hire on Thu Aug 12, 2004 at 09:38:22 AM EST

    Really, others have said it and more will say it again.

    With windows, if the system is completely fucked, no amount of virus scanning, reg hacking, etc etc is going to be 100%. You may rid the system of viruses and spyware, but I guarantee that unless you do a reinstall of windows you'll have .dll's that may not be viruses, but are shoddily written buggy pieces of crap, or better yet, poorly written modifications of system .dll's.

    You could shorten this article to:

    • Boot from LiveCD (ERD commander, Knoppix, etc).
    • Back up data to external media (virus scan data files)
    • FFR (Fdisk, Format, Reinstall)
    • Reconfigure with safe defaults (firefox, thunderbird, etc)

    Quit wasting your time trying to save windows from itself, all windows techs try it for awhile until they realize it's a lost battle.

    You said it. (none / 1) (#81)
    by RatOmeter on Thu Aug 12, 2004 at 11:51:39 AM EST

    After about the 1st paragraph of the story, I yawned and thought,

    (a) boot Knoppix

    (b) copy data files to USB drive or similar

    (c) clean install

    (d) full patches

    (e) make sure automatic updates in ON and finally,

    (f) buy T-shirt that says "No, I will NOT fix your computer"

    [ Parent ]

    forgot just one thing... (none / 1) (#88)
    by bobzibub on Thu Aug 12, 2004 at 05:10:01 PM EST

    clamd the USB drive.

    Cheers,
    -b


    [ Parent ]

    Author should become a book author .. (none / 1) (#80)
    by Highlander on Thu Aug 12, 2004 at 11:22:51 AM EST

    You should write books, really, I probably would have tried to sum it up in a short paragraph, like:

     "burn readonly images of an OS with every scanning tool you need and use the images to scan the infected system, hopefully catching every problem."

    Moderation in moderation is a good thing.

    Wow, this is stupid. (3.00 / 2) (#90)
    by wji on Thu Aug 12, 2004 at 05:46:51 PM EST

    Why would anyone do this? Why on earth would you not recover the files that were actually needed, virus scan them, and copy them to a fresh install? What possible advantage can there be to keep an old install that's probably full of useless crap dlls installed by useless crap programs? I simply do not understand.

    In conclusion, the Powerpuff Girls are a reactionary, pseudo-feminist enterprise.
    Yeah it is. (none / 0) (#101)
    by miah on Sun Aug 15, 2004 at 02:31:13 PM EST

    But there are a lot of businesses that cannot retain the talent needed to keep their systems running. So, they use consultants. When that person leaves you need to have a plan on how to reproduce his work in a reasonable amount of time, even if he dies. And, without having to call him out to redo work you already paid for.

    Computers should be a 'set it and forget it' ordeal. But, they are not. You have to patch, patch, and patch your patches ad nauseum. If the average Joe is capable of thinking, "Why didn't <insert software vendor here> just write the program like this in the first place?" then why isn't any software vendor?

    Picture a world where software was written like old cartridge based video games. You had to get it right the first time because you weren't ever going to see those carts again.

    So, to make this short, what you want to do with your systems is make them so you can unfuck them quickly. And then patch them. There are things that are more complex than reinstalling office...

    Religion is not the opiate of the masses. It is the biker grade crystal meth of the masses.
    SLAVEWAGE
    [ Parent ]

    XP is a losing proposition...for users (none / 0) (#93)
    by ewe2 on Fri Aug 13, 2004 at 02:36:50 AM EST

    This article and the ensuing discussion demonstrates most clearly what users are being forced to accept with Microsoft OS products:

    • An OS, that even with the latest security patches, is untrustworthy on networks.
    • An OS that doesn't give users the option of a recovery bootdisk (why? show me the benefit of 3rd-party dependence over in-house solution)
    • An OS dependent on Linux solutions. And why? Because you can reliably fix passwords, read the filesystem and troubleshoot without being affected by whatever's there. Sure, you can spend the money on a 3rd-party solution if you wish, it may even be better. But you shouldn't have to.

    This short list demonstrates the stark reality most computer users face. The most vulnerable OS is also the least-recoverable. Unless you're a maniac, like the poster, or a Linux guru, like many commentators. Where would the consulting industry be without it?

    --
    I may not be cute, but I'm intelligent. So I'm an ugly smartass. Yay me.


    a few points (none / 0) (#96)
    by ShaggyBofh on Fri Aug 13, 2004 at 11:03:06 AM EST

    known good CD, of Windows XP (SP2)

    cat phrases be an oxymoron? and where did you get a WindersXP Service Pack2 CD...didn't SP2 just get released?

    Also, anyone competent enough to follow your advice, is not going to need it.

    Finally, anything not backed up to an "off-site" location is not important.

    ---begin linux plug---

    Linux gets better with age. The more you install, the more dependencies you satisfy which makes it easier to install more. Needing to reinstall Windows is just a fact of using Microsoft products.

    ---end linux plug---


    Just say NO to negativity.

    Slipstreaming (none / 1) (#100)
    by fortytwo on Sun Aug 15, 2004 at 02:05:38 PM EST

    It's called "slipstreaming", here's how.

    [ Parent ]
    Holy shit that is brilliant nt (none / 0) (#97)
    by The Muffin on Fri Aug 13, 2004 at 06:23:26 PM EST



    - This is the end.
    Reinstall (none / 1) (#98)
    by calumny on Sat Aug 14, 2004 at 12:38:32 PM EST

    The last time I had to save Windows from itself was back when 98 was state of the art, and for all the braindead nonsense Microsoft has engineered, at least saving a broken installation was easy back then. Boot from the CD, choose a clean install and the entire system folder was replaced without touching the user's files. Before really persistent spyware it was a great one-step solution. Does XP still work this way?

    Demons of stupidity... (none / 0) (#102)
    by trezor on Mon Aug 16, 2004 at 06:08:56 AM EST

    For reinstalling a stupid OS like Windows there's this thing called fdisk which should be run prior to the first installation.

    The trick, which should always be applied, is to create one system disk (max 10 GB) and the rest is for data. Then alter all the user-specific files to be stored on the second partition, not the first. I'm quite sure Microsoft Powertoys for Windows allows this. Otherwise you can do it by registry.

    If you don't mind using warez, you could even set up a third partition and immediately ghost the completed and clean re-install to this partition. And when the system gets hosed, you're up and running with a clean, complete and correctly configured system in a few minutes without any user-interaction. Without any document or data-loss. Wow.

    Of course, for the "hardcore", Linux and GNU ff does the same job without the compression.

    It really isn't that hard.


    --
    Richard Dean Anderson porn? - Now spread the news

    Bah! (none / 0) (#104)
    by mcgrew on Mon Aug 16, 2004 at 07:34:38 PM EST

    1. Save all bastard data (code and data mixes, such as word or excel) as text. You will have to reimport and reformat all of your documents and spreadsheets, but saving them as text is the only way to ensure you kill all viruses.

    If you have WMA files, the only way to save them is conversion to a data-only (meaning no DRM) format, such as ogg or mp3.

    This is a failing of Microsoft, as well as about everyone else, but Microsoft is the worst. It is absolutely stupid to have a mix of code and data, where data can be executed as if it were code.

    Someone please explain to me why Word Processing macros are necessary? And why a spreadsheet should have the ability to reformat your hard drive?

    2. Back up these data to another medium

    3. Shut down the PC

    4. Insert a boot diskette or boot CD

    5. Reformat your hard drive

    6. Reinstall everything from original media

    7. Restore all your backups

    Now, if you're pretty sure you don't have viruses in your data (say, for instance, you use Word Perfect and Excel, which have very few viruses because nobody uses these packages) there is a short way:

    1. Start the computer with a bootable floppy in DOS mode

    2. DELTREE /Y C:\WINDOWS

    3. ATTRIB *.*

    you will have a directory listing of all files, including hidden and system, with their attributes. DELTREE any hidden or system files in the root (C:\)

    4. Reinstall windows and all your apps.

    What, XP can't boot from a floppy? Well, I guess you're screwed aren't you? Next time you upgrade, UPGRADE. To a non-MS OS. Any of them, from BSD to Mac, are superior. If you must have windows (for special purpose programs not available on other platforms, like DOOM 3) set up a dual boot intel system. Windows can't read your Linux files.

    "The entire neocon movement is dedicated to revoking mcgrew's posting privileges. This is why we went to war with Iraq." -LilDebbie

    conversion (none / 0) (#108)
    by Frank Grimes on Tue Aug 17, 2004 at 12:54:05 PM EST

    Save all bastard data (code and data mixes, such as word or excel) as text. You will have to reimport and reformat all of your documents and spreadsheets, but saving them as text is the only way to ensure you kill all viruses.
    This has the added advantage of saving space. Five years ago I converted all of my old .doc files to .txt and on average reduced file size by a factor of 20. Makes backups a lot simpler if everything fits on a CDR.

    [ Parent ]
    Formatting is important (none / 0) (#110)
    by Rhodes on Wed Aug 18, 2004 at 05:57:09 PM EST

    Saving to HTML will save much more information than saving as text. Word documents are better archived as rtf. Formatting is important- it can be as important to understanding as grammar.

    [ Parent ]
    Uhm... knoppix std (3.00 / 2) (#105)
    by niku on Mon Aug 16, 2004 at 09:36:32 PM EST

    Why the second computer? Just boot off of an OS like knoppix-std (knoppix, security toolkit distribution) mount the windows drives, copy the data to somewhere safe, reinstall the OS, run a virus-scanner on the data, if it comes up clean, put it back.

    What's the big deal?


    --
    Nicholas Bernstein, Technologist, artist, etc.
    http://nicholasbernstein.com