new trick from a virus,

If you're on about me... Wrong!

Smart move on both their parts.

The machine's already been compromised... anything could be on it. Who is to say your public tools will pick it up? Kaspersky didn't.

It's not worth the hassle to me. I'd rather back up the drive and format. Both unattended, both quick... Problem officer?

Only format if you are a complete expert; Outlook and Sage are two programs that love to hide data on your hard drive... (as well as others)

Vista / W7: simply reinstall, allow it to move the old files, patch and update, install AV, check for autoruns on local drives, do a full scan.... Don't touch any of the old files unless you need to (exe / driver wise)

Though usually the only nasties left behind are messed up IE security settings... (assuming you manage to remove the virus properly)
 
Odd as it seems, I enjoy virus removal as it's a challenge some of the time! If a system isn't as it should be after virus removal (slow, odd errors, etc) then I try again to fix this. Format is last resort.
 
I agree - never formatted in 23 years because I enjoy the hunting & killing.

However, I do agree that if it's your job then you want to spend no time doing it and a quick fix.
Arknor has obviously experienced cowboys like I have who will just format without thinking about what data is on there and it is annoying.
 
Why is it annoying? Would you rather I charge you say £60 to format after backing up your docs, or would you rather I charge you £60 x however long to locate and destroy the virus (or many viruses)? If it takes 3 hours, I have made a lot of money. What is so difficult to understand? :confused:
 
The machine's already been compromised... anything could be on it. Who is to say your public tools will pick it up? Kaspersky didn't.

It's not worth the hassle to me. I'd rather back up the drive and format. Both unattended, both quick... Problem officer?

Yes, a big problem. You're making a backup of an infected drive. Doing a fresh install and then re-adding the backed up content.

If Kaspersky doesn't find anything, and you're unwilling to use "public tools", you're essentially running the risk of reintroducing the original virus.

Just so you're aware, Malwarebytes and ComboFix find a lot of malware Kaspersky doesn't. Kaspersky is a brilliant piece of software, but it's a lone soldier with need for comrades.

Also in response to the above, it doesn't take a professional 3 hours to remove an infestation. An hour to 2 hours max depending on spec and scan times, and whether or not there's the need to manually remove nasties using HijackThis or ComboFix.

Corruption caused by viruses is a different story. If SFC.exe /scannow fails, then I would format.
 
Why is it annoying? Would you rather I charge you say £60 to format after backing up your docs, or would you rather I charge you £60 x however long to locate and destroy the virus (or many viruses)? If it takes 3 hours, I have made a lot of money. What is so difficult to understand? :confused:

You need to read what I wrote.
Tell you what I'll give you a clue:

Arknor has obviously experienced cowboys like I have who will just format without thinking about what data is on there and it is annoying.

Does that sound like you if you save people's data before formatting?
Thought not.
 
If you're on about me... Wrong!



Smart move on both their parts.



The machine's already been compromised... anything could be on it. Who is to say your public tools will pick it up? Kaspersky didn't.

It's not worth the hassle to me. I'd rather back up the drive and format. Both unattended, both quick... Problem officer?

Smart move to lose someone 6 pieces of coursework for his A-levels that he did not have backed up? ARE YOU TROLLING?

THEY WERE ALL STILL ON THE HARD DRIVE JUST FLAGGED WITH THE HIDDEN ATTRIBUTE :rolleyes: HE LOST DAYS WORTH OF WORK ALL BECAUSE OF ONE OF THESE FORMAT CLOWNS....

My son had the exact same virus and I fixed his computer in 10 minutes, he has had no problems since and it's been around a week :rolleyes:

He would have lost 3 A-level drama essays as well if I had just formatted and been stupid enough to think a whole hard drive can be erased yet the OS still works...
 
Smart move to lose someone 6 pieces of coursework for his A-levels that he did not have backed up? ARE YOU TROLLING?

It's called obvious sarcasm LOL?

Son should have backed up regardless of virus, and dad definitely should have backed up before doing whatever he did.

Tempers are rising ITT!
 
This is a pointless argument seriously! :p

My son had the exact same virus and I fixed his computer in 10 minutes, he has had no problems since and it's been around a week :rolleyes:

'Format Clowns' have a time and a place. How do you know it was the exact same virus and not a modified variant that has hidden a timed payload in the kernel? Do you have an exact copy of the initial attack (not a quarantined exe) that you have proved (manually) is a direct match to the original and not masquerading as something else or are you relying on the broken methodology of AV systems? A clean reinstall to a trusted state gives you a guarantee so why screw around?

Saying that, if it's important stuff like coursework at stake then obviously some input time to fix the problem or at minimum recover the data is worthwhile.

= Both sides to the argument have a valid place.
 
I know it was the exact same virus because they both got it from the exact same Facebook link they clicked.

That's hardly certainty though, it could have been modified by another hacker between the two visit times or it could have been polymorphic malware giving out different variants under different circumstances.
 
I don't get what difference it makes. If it's a slightly different virus from the same source, it can still be removed without formatting. And if you know what you're doing you can guarantee a machine clean without the need to go back to a clean install. I know when a system is clean, and I don't need to flatten it to guarantee it.
 
It makes a difference because it could be more than a slight difference. It's trivial to hide a serious rootkit for example within a relatively innocent virus and make AV only see the innocent virus. The point is unless you catch the virus under lab conditions or have some serious time and skills being 100% sure that virus X matches virus scanner definitions is not trivial. Therefore you cannot just say that after you've removed the virus that the PC is now trusted.

Obviously how much you care about this will affect what you do. I'm just trying to say that the silly arguments in this thread are pointless because both sides are useful under different situations.
 
Let's face it, most viruses are common enough that once you find out what it is, which is usually fairly simple, you can find well documented information about the virus: what it affects, which registry keys it adds etc.

http://www.precisesecurity.com/rogue/windows-disk-virus/

Some people are just lazy or can't be bothered to spend the time. If a system is massively affected by a trojan downloader that's just been downloading all sorts of nasties then yeah, I would probably just format, because they can be a right pain in the arse to get rid of.
 
Time can be a key factor....if you have 10 computers to repair one day then how many hours can you spend on each one removing a virus?

As I said, most if not all of the machines I get needed a reinstall before they got infected anyway.

Both sides are valid for different reasons but until you do it full time your opinion will differ.

Big difference from fixing your own now and again to having to do 10+ in a day.

Maybe someone should do a poll thread so we can all see who thinks what? :)
 
Time can be a key factor....if you have 10 computers to repair one day then how many hours can you spend on each one removing a virus?

I'd also dare to suggest that if a key requirement of your full-time job involves keeping potential threats off the network, then overkill methods would be the norm. I know dealing room support do this at my place - slightest sniff of odd behaviour that can't be accounted for or found in a scan = nuke. It seems that some lessons were learned in the past, according to a few of the veterans.
 
Maybe someone should do a poll thread so we can all see who thinks what? :)

But how would you word it because that would depend on my answer?

I know people are having a go at Arknor but I also know exactly where he's coming from.
Over the past 23 years of being a PC enthusiast I've seen so many cowboy computer professionals who will just format to try and fix a problem (not just viruses).
Your average computer owner doesn't understand backups and they will just take their PC to a shop or friend of a friend and suddenly realise their data isn't there anymore.
The blue place was famous for it and got that many complaints that they decided to turn it into a money making opportunity by charging for backups.
Of course any person fixing a PC will ask if all the data has been backed up and it's the first thing I've asked for the last 23 years.
At this very moment somebody, somewhere is formatting a hard drive without backing up data and that's what upsets Arknor (and me).
 