virus removal from within safe mode


  1. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #21

    Noxiide said:
    jimbo45 said:
    Hi there
    I keep saying to people -- there is UTTERLY NO POINT in using an INFECTED computer to remove any VIRUS -- how can you be sure that the virus removing software itself hasn't been compromised?

    Say you were drilling on an Oil Platform and the drill needed sharpening. You wouldn't use a tool which was already worn out to sharpen / renew the bit, would you?

    Same with Virus removal -- why trust an INFECTED computer to work properly?

    The ONLY IMO safe solution is a COMPLETE restore from a KNOWN Virus free backup or a total W7 re-install.

    If you have data copy that to an external HDD and run a virus check against the data ON A SEPARATE MACHINE.

    AV software is just that -- should protect against getting a virus -- once you have one then ONLY a RESTORE or Re-INSTALL can be guaranteed to be 100% safe.

    Forget ANY AV removal software -- once you've BEEN infected it's TOO LATE. You need to catch any virus in Real time then you can take proper action.

    MSE does a reasonable job at this once you've got your computer working properly again.

    Cheers
    jimbo
    You don't need to revert back to an image every time you get a virus, usually, if the AV finds the virus it will get rid of all of it, and if it doesn't, then you revert back.

    Plus, I don't even have Acronis True Image or any other image program, and I've heard that some viruses implant themselves into system restore points sometimes, so restoring may not work.

    People don't want to reformat and clean install often, so of course they are going to try and get rid of it first with AVs.
    Hi there
    I don't think you read my post properly.
    I said use a BOOTABLE BACKUP of a known CLEAN IMAGE -- this has 100% NOTHING to do with Windows "Restore points" -- I pointed out in my post that you shouldn't in ANY WAY use ANY PART of the INFECTED OS to repair the computer.

    A Bootable restore loaded from a READ ONLY CDROM is not going to be infected. We have to assume that you created the BOOTABLE RESTORE medium from a clean system - but that should be taken as a given.

    OK if you want to do post analysis on how or why your computer got infected then use a Virtual Machine as a sandbox.

    I'm of the sort of school that just wants to get a machine working again -- I really don't care HOW or WHY it got infected - but if that's your interest then fine.

    I still would NEVER EVER trust even a "Cleansed" computer that had been infected - no matter how good the AV removal software is -- and these days restoring a typical home computer W7 partition with something like Acronis True Image only takes around 20 - 40 mins -- so restoring IMO is a "No Brainer" solution.

    Cheers
    jimbo


  2. Posts : 141
    Windows 7 Home Ultimate 64-Bit, Ubuntu 10.04 Lucid Lynx, Windows XP
    Thread Starter
       #22

    Jimbo, I think you're strictly correct. But the computer that I was having problems with was not mine, it was a 14-year-old kid's. He's not making regular back-ups, he's clearly managed to misplace all of his installation media and so clean restore / installs just aren't an option for him (short of losing all of his stuff). So, I suppose that while you're strictly correct, there's also something essentially limiting about your approach from a practical perspective. I believe that tools like MWB are so useful because they can be used with a good deal of confidence to remove infections using the very same infected machine. Is it an ideal option? No. But for someone who hasn't made any backups and has lost his installation media, it's a good option.


  3. Posts : 186
    Windows Seven, Ubuntu
       #23

    jimbo45 said:
    Hi there
    I wish NOBODY would be allowed to use a computer until they learned how important it was to take backups regularly AND ACTUALLY DO IT.

    However if he doesn't have a backup then the only solution is to do a complete W7 re-install.

    He could still copy DATA files (Music, documents, films, photos etc etc) to an external HDD or whatever before doing the re-install. Even with no backup program these can be copied via Windows explorer. ===> BUT VIRUS SCAN THESE ON A SEPARATE MACHINE before copying back to your computer.


    As I said previously after you've re-installed W7 install MSE and then take a BACKUP before installing any software etc. This will give you a decent image to recover from in the future without having to re-install again.

    Incidentally keep the OS and applications in ONE partition = W7 partition size typically around 35 - 50 GB depending on what applications are installed. Divide the rest of your disc storage up into various partitions such as DATA, scratch volumes, Multi-media etc etc.

    Cheers
    jimbo
    I agree but for me it's easier than that. Keep important files on USB, only use free software that can be re-installed for free. Like Lotus Symphony, GIMP, KeePass and MSE. Use NoScript. If I have a problem I log in to Ubuntu and use Bitdefender to scan my USB that I know isn't infected. Then remove Windows and re-install from the installation CD. Update and re-install free software.


  4. Posts : 181
    Win7 Ultimate 64bit
       #24


  5. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #25

    Hi there

    Difficult for say a "Kids" computer but it's never too early to teach them about making reliable backups --

    Since most of them tend to have loads of "Downloaded" music rather than physical media any more you should explain that if they LOSE their computer with the music on it - the music is GONE and can't be retrieved.

    For more mature users I'd always recommend them to load software etc on to a "Virtual Machine" as a sandbox and test as decently as possible before migrating it to a real machine.

    The current power of even small Laptops makes running and testing on a Virtual Machine quite feasible now and both the major players VBOX (Oracle) and VMWARE have FREE software for creating and running Virtual machines.


    However if you really must cleanse a PC then use a BOOTABLE rescue CD (Or USB) such as the previous poster advises.

    I would still in NO WAY ever run a Virus removal program on the infected machine itself - the OS might have been so mucked about with who knows what ANY program is really doing.

    Cheers
    jimbo


 