Malware infection question

[Shane Nokes]

Wow...

I'm exiting the thread before I **** anyone off.

I didn't know we had this many professionals that didn't know how to properly clean a system without either blowing the whole thing away, or not being dead certain of their work.

That is just scary...

[xWhiplash]

Wow...

I'm exiting the thread before I **** anyone off.

I didn't know we had this many professionals that didn't know how to properly clean a system without either blowing the whole thing away, or not being dead certain of their work.

That is just scary...

This post was just a simple question about the Windows 8 upgrade process. Do not turn this into a My methods are better than yours. This thread was about Windows 8, not my malware methods so please just stop it with saying my methods are horrible.What is so damn hard to understand that for me formatting is a faster choice? Maybe you should have thought of this before entering the thread which was just a damn Windows 8 upgrade question.

[+Warwagon MVC]

Wow...

I'm exiting the thread before I **** anyone off.

I didn't know we had this many professionals that didn't know how to properly clean a system without either blowing the whole thing away, or not being dead certain of their work.

That is just scary...

So how do you clean a computer?

The fact you say an external scan from outside of windows is not necessary is already scary, but go head!.

[Shane Nokes]

So how do you clean a computer

The fact you say an external scan from outside of windows is not necessary is already scary, but go head!.

I didn't say that anywhere. I was referring to reverse engineering of files.

I start out by doing the system sweep from outside the OS, it saves a ton of time, and avoids redundancy.

I won't go into more detail though as the OP is already ****ed that I discussed malware infection removal in his malware infection removal post, that evidently was really supposed to only be about how to do a windows 8 upgrade.

I guess I need to learn how to avoid reading thread titles, and a majority of the content of that users posts...since evidently it takes them multiple paragraphs to ask what they really want to know, and ignore the rest as it is fluff...according to the poster themselves.

[Nerd Rage]

I work for a fortunate 500 company that has about 30,000 or so employees. Our IT department is absolutely huge. In our environment, if McAfee (not my choice, don't blame me, haha) flags malware, even if it successfully cleans it, we wipe the computer and reimage to ensure no baddies have been left behind. As mentioned previously in the thread, reimage/formatting is the only way to be 100% sure that no remnants of malware have been left behind.

That being said, if I had a small computer repair shop with customers that I wanted to keep happy, formatting would be my last resort.

[xWhiplash]

I didn't say that anywhere. I was referring to reverse engineering of files.

I start out by doing the system sweep from outside the OS, it saves a ton of time, and avoids redundancy.

I won't go into more detail though as the OP is already ****ed that I discussed malware infection removal in his malware infection removal post, that evidently was really supposed to only be about how to do a windows 8 upgrade.

I guess I need to learn how to avoid reading thread titles, and a majority of the content of that users posts...since evidently it takes them multiple paragraphs to ask what they really want to know, and ignore the rest as it is fluff...according to the poster themselves.

Geez it is called background information. That way I do not get posts like "Just clean the system before you upgrade" which will require me to say WHAT I SAID IN POST 1. It saves time giving background information.

No this thread was "Will malware remain if a Windows 8 upgrade is performed" Which was in my post if you read it. Not a "Here is what I do, criticize me please and tell me I am horrible horrible horrible for formatting!" thread

[Shane Nokes]

I work for a fortunate 500 company that has about 30,000 or so employees. Our IT department is absolutely huge. In our environment, if McAfee (not my choice, don't blame me, haha) flags malware, even if it successfully cleans it, we wipe the computer and reimage to ensure no baddies have been left behind. As mentioned previously in the thread, reimage/formatting is the only way to be 100% sure that no remnants of malware have been left behind.

That being said, if I had a small computer repair shop with customers that I wanted to keep happy, formatting would be my last resort.

Bingo. Working IT for a huge company is different than handling a customers PC in a shop. In a huge company there's not really a need for personal file storage as things should be on a file server, or stored on a thumb/external drive generally if you're following best practices.

From there you just flatten the machine and kick the image down from the server.

A regular PC repair shop though...you can take the time to properly clean the machine. I can be done with that even in the worst of cases within a couple hours.

Geez it is called background information. That way I do not get posts like "Just clean the system before you upgrade" which will require me to say WHAT I SAID IN POST 1. It saves time giving background information.

No this thread was "Will malware remain if a Windows 8 upgrade is performed" Which was in my post if you read it. Not a "Here is what I do, criticize me please and tell me I am horrible horrible horrible for formatting!" thread

I was responding to specific cases that were posted by other users. Heck I didn't even say anything to you at all...and wasn't even referring to you as the person that I was worried about ****ing off. I hadn't even said anything to you until you said something to me.

That said, evidently you have a problem with anyone disagreeing with you. Good luck getting anywhere with that.

[xWhiplash]

Bingo. Working IT for a huge company is different than handling a customers PC in a shop. In a huge company there's not really a need for personal file storage as things should be on a file server, or stored on a thumb/external drive generally if you're following best practices.

From there you just flatten the machine and kick the image down from the server.

A regular PC repair shop though...you can take the time to properly clean the machine. I can be done with that even in the worst of cases within a couple hours.

And in the same amount of time with less overall work* which lets you charge less and a more guarantee, a format is a better option. I do not have to much around in the registry which I had to do before, I do not need to run several tools, I do not have to bother removing stuff in safe mode, and I have seen stuff actually run in safe mode.

I just put the windows disc in, hit install, and do something else for an hour. Come back and get windows update going, do something else for an hour. Once the first batch is done, then I sit down and monitor the progress.

I only consider it an hours worth of work because that is how long it usually takes.

*Overall work meaning you are actively doing something. Most of the time I am usually just sitting there waiting for the install to finish or updates to finish.

[Gotenks98]

Geez it is called background information. That way I do not get posts like "Just clean the system before you upgrade" which will require me to say WHAT I SAID IN POST 1. It saves time giving background information.

No this thread was "Will malware remain if a Windows 8 upgrade is performed" Which was in my post if you read it. Not a "Here is what I do, criticize me please and tell me I am horrible horrible horrible for formatting!" thread

First off you don't ever want to do an upgrade, you want to do a custom install from starting the install from booting from dvd or usb. That ensures a clean install.

[xWhiplash]

First off you don't ever want to do an upgrade, you want to do a custom install from starting the install from booting from dvd or usb. That ensures a clean install.

Yes...which is why I started this thread because there still is a Windows.Old folder even when you choose clean install right? Would malware still be there?

[+Warwagon MVC]

Yes...which is why I started this thread because there still is a Windows.Old folder even when you choose clean install right? Would malware still be there?

Doesn't windows 8 tout a wonderful put your computer back to factory settings feature?

[xWhiplash]

Doesn't windows 8 tout a wonderful put your computer back to factory settings feature?

Would that keep the Windows.Old folder though?

[+Warwagon MVC]

I don't see why you would keep it. I would just recommend copying the software registry hive out of c:\windows\system32\config before you nuke it. So you can extract some product keys to help you reinstall some of your customers applications.

[xWhiplash]

I don't see why you would keep it. I would just recommend copying the software registry hive out of c:\windows\system32\config before you nuke it. So you can extract some product keys to help you reinstall some of your customers applications.

The actual upgrade process though, it creates a Windows.Old on clean installs right? Wouldn't that infect the Windows 8 install before I get the chance to delete it?

[+Warwagon MVC]

The actual upgrade process though, it creates a Windows.Old on clean installs right? Wouldn't that infect the Windows 8 install before I get the chance to delete it?

I don't see how. Most of the infections have to be referenced in the registry to point to a certain infected file. Even if their was an infected file in that windows directory just having it sit there won't infected the system. Only way that would happen is if you had some vulnerability on the system that infects the system just by looking at a file. Even then you would have to open the directory up. Seeing how the new windows folder has a clean registry the system wouldn't even be pointing to any infected files, but even if the registry was pointing to infected windows files A) the ones in the new windows directory would be clean (if they were bad system files) and B) If it was new files in c:\windows it wouldn't be able to find them because now they are in c:\windows.old.

At this point it would be no different than hooking that hard drive up to a different windows machine. But I would really make sure first and for most that your MBR is clean and not still infected with a MBR rootkit, that could reinfect the machine or at the very least keep the system infected. So I would run tdsskiller and to really be sure also scan the MBR from an external kaspersky rescue disc. Just tell it to do a boot sector scan, takes just a few seconds.

[Gotenks98]

The actual upgrade process though, it creates a Windows.Old on clean installs right? Wouldn't that infect the Windows 8 install before I get the chance to delete it?

No, it just moves all the files it does need to that folder. Its safe to delete it once you do it. Personally I prefer just doing a format because doing the install over the same partition takes longer because windows has to move the files.

[Shane Nokes]

The actual upgrade process though, it creates a Windows.Old on clean installs right? Wouldn't that infect the Windows 8 install before I get the chance to delete it?

No. A clean install is literally a format and install...which is why it's called a clean install.

The problem is that some infections also go the route of creating a hidden partition on the hard drive to hide themselves. So unless you know to look for that you can reinstall and get infected all over again.

warwagon touched on that a bit in the post above.

That's why I've specifically brought up the whole doing things right post. There's a lot of ways to get it wrong, which is why it's important to learn how to do it right. Once you know how to actually secure the system and clean it properly you can do it very quickly with almost no time needed actually doing things.

You mentioned the walk away factor. I can walk away while the scans run just as easily as I can walk away during an install. I also like the fact that when I ran my business I usually had a ton of customers due to referrals since I was literally the only place in town that took the time to do non-destructive system cleaning.

Everyone else went with the easy method...and a lot of them didn't survive. The weird thing I spotted though is the people saying that I would make less by doing my work this way. I charged by the hour...which means I would make the same regardless of what machine I was working on.

Almost any smart tech I know charges for their time, not for the specific service. If you're charging for the specific service you're normally selling yourself short.

[goretsky Supervisor]

Hello,

If you are planning on performing a clean install from a Windows installation disc and do not care about preserving the contents of the hard disk drive, you can erase the beginning of the hard disk drive by performing the following steps:

1. Boot from the Windows installation disc as you normally would.
   
2. When you see the Install Windows dialog, press the Shift+F10 keys together to open a Command Prompt.
   
3. At the Command Prompt, type "DISKPART" (sans quotes) and press Enter to start the DiskPart program.
   
4. At the DISKPART> prompt, type "LIST DISK" (sans quotes) and press Enter. A list of currently attached hard disk drives will be displayed.
   
5. At the DISKPART> prompt, type "SELECT DISK n" (sans quotes) where n is the number of the hard disk drive to which Windows will be installed and press Enter. For example, if only a single hard disk drive is present, use the command "SELECT DISK 0".
   NOTE: The next step erases the beginning of the disk. Proceed with caution.
   
6. At the DISKPART> prompt, type "CLEAN" (sans quotes) and press Enter. This will erase the beginning of the hard disk drive that contains the master boot record (MBR) or GUID Partition Table (GPT). Any malicious code such as a bootkit will be erased from the hard disk drive when this operation is performed.
   
7. At the DISKPART> prompt, type "EXIT" (sans quotes) and press Enter. This will exit the DiskPart program.
   
8. Close the Command Prompt as you normally would.
   

At this point, you can continue with the installation. The disk drive will show up as uninitialized when you go to install Microsoft Windows.

I used a virtual machine with a Windows 7 Ultimate (x86) installation ISO to verify this, but the process should be about the same for Microsoft Windows Vista and Microsoft Windows 8.

Regards,

Aryeh Goretsky

[Haggis Veteran]

As sais before there is a massive difference between a production machine that should have nothing personal store don it that can just be wiped and an image restored to doing that with a home machine

Its not hard to remove malware it can be challenging sometimes but i find that all part of the fun

If i sent my pc to a shop to be cleaned and all they did was format it i would be raging

[xWhiplash]

As sais before there is a massive difference between a production machine that should have nothing personal store don it that can just be wiped and an image restored to doing that with a home machine

Its not hard to remove malware it can be challenging sometimes but i find that all part of the fun

If i sent my pc to a shop to be cleaned and all they did was format it i would be raging

You guys can say that all you want, but I have NEVER had somebody rage at me, they all thanked me because they were more comfortable doing their baking and taxes on their computer after a format.

[Haggis Veteran]

If the user is having to bring a computer to you to remove an infection a user will beleive almost anything you tell them

[xWhiplash]

If the user is having to bring a computer to you to remove an infection a user will beleive almost anything you tell them

So....it is a lie to say formatting gives more of a guarantee? Shane himself even said if there are rootkits or if it is severe, formatting is a better way to go.....I just tell them the truth, I do not say "Oh I am the best malware removal expert EVER and can make sure your computer is NOT infected when it leaves here". Nobody is perfect at their jobs, and if you are having an off day, you can really mess up a client if you miss something. It not just because "you cannot do your job", some people just have off days.

A format eliminates that, so please stop getting on my butt about choosing to do a format, geez.

[+Warwagon MVC]

This was recorded back in 2008. Back then and early the infections really did seem to do a lot more to your system than today's infections. Today's infections usually put an exe file and run it on startup and give you a rootkit, but all of these seem far easier to remove than some infections previous to 2008, where even after the malware was removed redirection were still occurring.

[Haggis Veteran]

As sais before there is a massive difference between a production machine that should have nothing personal store don it that can just be wiped and an image restored to doing that with a home machine

Its not hard to remove malware it can be challenging sometimes but i find that all part of the fun

If i sent my pc to a shop to be cleaned and all they did was format it i would be raging

So....it is a lie to say formatting gives more of a guarantee? Shane himself even said if there are rootkits or if it is severe, formatting is a better way to go.....I just tell them the truth, I do not say "Oh I am the best malware removal expert EVER and can make sure your computer is NOT infected when it leaves here". Nobody is perfect at their jobs, and if you are having an off day, you can really mess up a client if you miss something. It not just because "you cannot do your job", some people just have off days.

A format eliminates that, so please stop getting on my butt about choosing to do a format, geez.

lol i am not getting on your butt about formatting i was just giving my view/opinion on it, thats allowed right?

General malware i would remove but yeah as you say more advanced stuff a format could well be better

[xWhiplash]

One thing I will say, that back in 2008 and early the infections really did seem to do a lot more to your system than today's infections. Today's infections usually put an exe file and run it on startup and give you a rootkit, but all of these seem far easier to remove than some infections previous to 2008, where even after the malware was removed redirection were still occurring.

I would still format even with today's infections. As Steve says, you can never trust the machine again once it gets infected. And giving that back to a client that does their banking and taxes is just being risky.