VOGONS


First post, by Leolo

Rank Member

This is maybe old news, but I think it's important enough to warrant a post of its own.

http://windows.microsoft.com/en-US/windows/wh … efender-offline

This tool is very useful to remove those annoying rootkits that are impossible to clean on an infected and running operating system.

Reply 3 of 14, by Leolo

Rank Member

eL_PuSHeR,

I have tested it, and it's certainly useful, but in the end it's just another weapon in our virus-killing arsenal.

Yesterday I had to fight a horrible infection by ZeroAccess:

http://blogs.mcafee.com/mcafee-labs/zeroacces … gned-installers

Boy, malware is getting REALLY REALLY sophisticated. It's becoming so hard to remove it, and then repair the enormous amount of damage it inflicts on the operating system, that I'm starting to think we've already lost the battle.

All the hours I've lost trying to disinfect a single computer are not economically worth their while.

The drastic approach (backup, format and reinstall) seems to be the only sane option left 🙁

PS: Take a look at the techniques used by ZeroAccess. They are frighteningly clever:

https://kc.mcafee.com/resources/sites/MCAFEE/ … -ZeroAccess.pdf

Reply 5 of 14, by Tetrium

Rank l33t++
Leolo wrote:
eL_PuSHeR,

I have tested it, and it's certainly useful, but in the end it's just another weapon in our virus-killing arsenal.

Yesterday I had to fight a horrible infection by ZeroAccess:

http://blogs.mcafee.com/mcafee-labs/zeroacces … gned-installers

Boy, malware is getting REALLY REALLY sophisticated. It's becoming so hard to remove it, and then repair the enormous amount of damage it inflicts on the operating system, that I'm starting to think we've already lost the battle.

All the hours I've lost trying to disinfect a single computer are not economically worth their while.

The drastic approach (backup, format and reinstall) seems to be the only sane option left 🙁

PS: Take a look at the techniques used by ZeroAccess. They are frighteningly clever:

https://kc.mcafee.com/resources/sites/MCAFEE/ … -ZeroAccess.pdf

This sounds like a veeery nasty infection.

What I often do is slave the infected drive to another rig and scan from there (though usually I just do the reformat thingy).


Reply 6 of 14, by Leolo

Rank Member
Tetrium wrote:

This sounds like a veeery nasty infection.

What I often do is slave the infected drive to another rig and scan from there (though usually I just do the reformat thingy).

I did just that, and ran a full scan with Kaspersky (fully updated), Microsoft Security Essentials (fully updated) and the McAfee command line scanner (fully updated).

I thought that doing 3 full passes with 3 different antivirus scanners would be enough, but... sadly, no.

It seemed to have cleaned most of the malware, but ZeroAccess was still there, and still managed to reinstall itself a few minutes later 🙁

Had to remove it manually. It was laborious and cumbersome. And hiding itself in a reparse point is really clever. You cannot remove its folder using normal Windows commands or the Windows Explorer.

The only way to remove it is to first unlink the reparse point, using the fsutil tool.

Afterwards, you have to change the folder NTFS permissions, and then finally you can remove it.

A pain in the ass, believe me!

Reply 7 of 14, by retro games 100

Rank l33t

Is there a "best approach" to reformatting? For example, should I wipe the MBR? Is there a tool that I can use, from a bootable CD, to completely reformat a HDD, so that there is no chance there could be something lurking on it, before I reinstall an OS?

Reply 9 of 14, by DosFreak

Rank l33t++

I use ATA secure erase.
*Also do ATA secure erase from the CLI NOT the GUI

1. Exit X
2. sudo passwd password
3. switch to su
4. Type in "pm-suspend" to suspend the computer
5. Resume from suspend
6. Type in "hdparm -I /dev/sdx" to verify that HD is NOT frozen
7. Type in hdparm --user-master u --security-set-pass pass /dev/sdx (to set the HD password)
8. Type in time hdparm --user-master u --security-erase pass /dev/sdx (to time how long it takes to wipe the HD)

Much faster than other wiping solutions and more secure.

If hdparm won't work (seen this with some SAS controllers/hard drives) then I'll use dd if=/dev/urandom of=/dev/sda bs=1M

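As an added example (not part of DosFreak's post, and not a tool from the thread), the checks behind steps 6 and 7 as a POSIX shell script: it parses the Security section that "hdparm -I" prints and refuses to go on if the drive is frozen, locked, already password-protected, or does not support the ATA security feature set. The hdparm output embedded below is constructed sample text, the device path /dev/sdX and the password are placeholders, and the script only prints the set-pass and erase commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an ATA Secure
# Erase, driven by the text that "hdparm -I /dev/sdx" prints. The sample
# outputs below are constructed to look like hdparm's Security section;
# nothing in this script touches a disk, it only prints the hdparm commands
# that would come next.

# Print only the "Security:" section of an hdparm -I dump ($1).
# hdparm indents feature lines and prints cleared flags as "not <flag>".
security_section() {
    printf '%s\n' "$1" | awk '/^Security:/ { on = 1; next }
                              on && /^[^ \t]/ { exit }
                              on { print }'
}

# Exit 0 if flag $2 (frozen, locked, enabled, supported) is SET in section $1.
has_flag() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]+$2([[:space:]]|$)"
}

# Exit 0 if flag $2 is reported as "not <flag>" in section $1.
has_not_flag() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*not[[:space:]]+$2([[:space:]]|$)"
}

# Advertised duration, in minutes, of SECURITY ERASE UNIT for dump $1.
erase_minutes() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)min for SECURITY ERASE UNIT.*/\1/p' |
        head -n 1
}

# Decide whether the set-pass / erase steps can be run against dump $1.
# Prints a one-line verdict; exit status 0 means "ready".
secure_erase_ready() {
    sec=$(security_section "$1")
    if [ -z "$sec" ]; then
        echo "no Security section: drive does not report the ATA security feature set"
        return 1
    fi
    has_flag "$sec" supported || { echo "ATA security not supported"; return 1; }
    has_not_flag "$sec" frozen || { echo "drive is frozen: suspend and resume (pm-suspend), then re-check"; return 1; }
    has_not_flag "$sec" locked || { echo "drive is locked: unlock it before erasing"; return 1; }
    has_not_flag "$sec" enabled || { echo "a user password is already enabled: clear it first"; return 1; }
    echo "ready"
}

# Print (do not run) the set-pass and erase commands for device $1, password $2.
erase_commands() {
    printf 'hdparm --user-master u --security-set-pass %s %s\n' "$2" "$1"
    printf 'time hdparm --user-master u --security-erase %s %s\n' "$2" "$1"
}

# Constructed sample: a drive that is ready to be erased.
SAMPLE_READY='ATA device, with non-removable media
Security:
  Master password revision code = 65534
    supported
  not enabled
  not locked
  not frozen
  not expired: security count
    supported: enhanced erase
  2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Constructed sample: the same drive straight after boot, before suspend/resume.
SAMPLE_FROZEN='Security:
  Master password revision code = 65534
    supported
  not enabled
  not locked
    frozen
  not expired: security count
    supported: enhanced erase
  2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Stand-alone run: /dev/sdX and the password are placeholders, not real values.
if secure_erase_ready "$SAMPLE_READY"; then
    echo "advertised erase time: $(erase_minutes "$SAMPLE_READY") min"
    erase_commands /dev/sdX PLACEHOLDER_PASS
fi
secure_erase_ready "$SAMPLE_FROZEN" || true
```

On a real machine you would feed it `hdparm -I /dev/sdx` output instead of the samples; the "frozen" verdict is exactly the case the suspend/resume dance in steps 4 and 5 exists to clear, and the password check matters because a drive left with a user password set after a failed erase stays locked.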

Reply 11 of 14, by retro games 100

Rank l33t

Thanks a lot for the advice! BTW, what do you guys think about making an SSD safe? I understand that these devices behave differently from "normal" HDDs when applying erasing techniques. Thanks.

Reply 12 of 14, by DosFreak

Rank l33t++

AFAIK using ATA secure erase wipes SSDs too.

But you can always use BitLocker or TrueCrypt as well.

Last edited by DosFreak on 2012-01-20, 12:32. Edited 1 time in total.


Reply 14 of 14, by RoyBatty

Rank Oldbie

Boot and Nuke also works quite well for erasing drives. If you had a nasty infection, rewriting the MBR is a good idea also. There are tons of good utilities for such things. I believe the legal version of Hiren's Boot CD has a lot of nice tools on it still.

Malware removal can be a pain in the arse... I've gone so far as debugging things myself and some stuff is VERY VERY clever, to the point you wouldn't even know it's there... There are SO many good tools for removing infections it's hard to keep up on all of it. But Sysinternals tools, ComboFix, RootKit Unhooker, tools and scripts available on Bleeping Computer from OldTimer, MRT, and plenty of other good tools are available. If you want to be hardcore you can always grab OllyDbg and some plugins for it and get really deep if you like... but you need something else for ring 0 stuff.