Feedback needed on virus removal plan.

Discussion in 'other anti-malware software' started by JoeSchmoe007, Dec 26, 2013.

Thread Status:
Not open for further replies.
  1. JoeSchmoe007

    JoeSchmoe007 Registered Member

    Joined:
    Dec 11, 2011
    Posts:
    5
    Location:
    USA
    Sorry if this is somewhat OT here. Mods - feel free to delete this thread if this is the case.

    To clarify: my neighbor's computer got infected by PWS:win32/zbot.gen!ap

    More info here:

    http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FZbot.gen!AP

    http://malwaretips.com/blogs/remove-pws-zbot-virus/

    The way I see it - there is no way to tell if you ever cleaned your system completely after it was infected by that.

    So my plan is to:

    a) Try to clean it from bootable anti-virus CD
    b) Back up user-created content (how?)
    c) Re-install Windows and reformat HD (full format (or whatever it is called) as opposed to quick) in the process.

    Does this sound like a good plan?

    I have several questions:

    1) What bootable anti-virus CD is considered the best as far as detection and removal go? I found this list:

    http://www.raymond.cc/blog/13-antiv...-compared-in-search-for-the-best-rescue-disk/

    and I have heard about most of them.

    2) Is it safe to use CD-RW or DVD-RW for a bootable AV disc (as opposed to -R)? I think yes, because not only will a rootkit not be in memory when I boot from CD/DVD, but nothing can be written to a finalized DVD-RW without overwriting the whole disc, if I am not mistaken. The reason I want to use -RW is because I am not sure that the ISO I pick will have network drivers for this laptop, and then it will not be able to update itself, so if I use -R it will just be wasted.

    3) What is the safe method of backing up user files? I was thinking about uploading them to my neighbor's Gmail account. Or burning them to CD, but is it safe to do that under an OS that is possibly infected? I do not intend to back up any executables. Another approach I thought about is to boot from a Linux Live CD and copy the files to a flash drive.

    4) Is a full format during the Windows reinstall a sure way to get rid of whatever he has lurking there? Does it take care of boot sectors or whatever other places a rootkit can hide? Or are some other additional steps needed to "zero out" the whole disc?
     
  2. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Hi Joe,
    some answers / my opinion:

    1) Yes, once your system has been infected, you'd better wipe the entire drive. Don't just delete any partitions, there may be hidden ones. I only know "Darik's Boot and Nuke", but Rescue CDs may be able to do this as well.
    2) Booting from a Rescue CD, you should be able to copy any user files to a second drive / media. Do not backup user files from the infected OS.
    3) I'd recommend Kaspersky Rescue CD, Avira Rescue CD but others should work as well. They are usually based on Linux.
    4) Yes, it should be safe to use RWs, as any malware isn't active within the original OS.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    1) Since you're planning on doing a clean install anyway, is there a need to do this? You could instead run an AV scan on the user's data files after doing a clean OS install and restoration of data files.

    2) Yes, assuming you made the bootable AV disc on a clean computer.

    3) In addition to using a boot CD to copy files in the manner you described, you could use a program such as UltraSearch that can search and sort files by extension, in order to make sure you got all common file formats. If you have space available somewhere, you could make an image of the computer's partition(s) before wiping using a program such as Macrium Reflect; by doing this, you can recover any user files that you missed after you wipe the drive. You can recover individual files from an image if the imaging program allows mounting an image; Macrium Reflect allows mounting an image.

    4) It's probably best to use gambla's suggestion of Darik's Boot And Nuke to wipe the drive.

    Some possibly useful links:
    http://www.tested.com/tech/pcs/1508-the-essential-files-to-back-up-before-formatting-your-pc/
    http://superuser.com/questions/12027/what-do-i-have-to-back-up-before-i-re-install
    http://superuser.com/questions/8417...efore-reinstalling-windows-7-off-my-hard-disk
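    The two backup questions above (question 3 in the first post, and the suggestion in this post to inventory files by extension so that common formats are not missed) can be handled from a Linux live CD shell. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It assumes the infected Windows volume and the flash drive are already mounted at paths you pass in, that GNU coreutils (find, sha256sum, head) is available on the live CD, and that the extension allow-list is adjusted to what the user actually keeps. Beyond the thread's advice it adds one defensive check: a file whose contents begin with the "MZ" header of a Windows executable is skipped even when its name ends in a data extension, since an executable renamed to look like a document is the kind of file you do not want carried over to the clean install.

```shell
#!/bin/sh
# Added example (not from the thread): copy user data from a mounted, untrusted
# Windows volume to a backup target while booted from a Linux live CD.
# Mount paths and the extension list are assumptions; adjust them for the
# mounts the live CD actually creates (e.g. /media/windows, /media/usbstick).

# Data file types worth keeping (assumption; extend for the user's own files).
KEEP_EXT='doc docx xls xlsx ppt pptx pdf txt rtf odt ods csv jpg jpeg png gif mp3 mp4 avi'

# Count files per extension on the volume so no common data type is overlooked
# (the same idea as sorting by extension in a search tool). $1 = source dir.
inventory_by_ext() {
    find "$1" -type f \
      | sed -n 's/.*\.\([A-Za-z0-9]\{1,6\}\)$/\1/p' \
      | tr 'A-Z' 'a-z' | sort | uniq -c | sort -rn
}

# True when the file starts with the "MZ" header of a Windows executable,
# whatever its extension claims. Such files are never copied.
is_pe_file() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Copy allow-listed data files from $1 to $2, preserving the directory layout,
# and write a SHA-256 manifest so the backup can be verified before restoring.
# Prints the number of files copied; skipped executables are listed in SKIPPED.txt.
copy_user_files() {
    src=$1; dst=$2
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    : > "$dst/SKIPPED.txt"
    list=$(mktemp)
    for ext in $KEEP_EXT; do
        find "$src" -type f -iname "*.$ext" >> "$list"
    done
    n=0
    while IFS= read -r f; do
        if is_pe_file "$f"; then
            printf '%s\n' "$f" >> "$dst/SKIPPED.txt"
            continue
        fi
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        (cd "$dst" && sha256sum "$rel") >> "$dst/MANIFEST.sha256"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Check the backup against its manifest (run on the clean machine before restoring).
verify_backup() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# Typical use from the live CD (paths are assumptions):
#   inventory_by_ext /media/windows/Users
#   copy_user_files /media/windows/Users /media/usbstick/backup
```

Run `inventory_by_ext` first and look down the list for extensions that are missing from `KEEP_EXT`; then copy, and keep `SKIPPED.txt` for a later look at anything that was masquerading as a document. The manifest lets you confirm on the rebuilt system that the files on the flash drive are the ones copied from the live CD, before any of them are scanned and restored.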
     
  4. nozzle

    nozzle Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    76
    Location:
    San Diego, CA
    If it happened to me and I didn't have a clean image on an offline external drive, I would probably shoot myself j/k. Nuke it like MrBrian said; reinstall Windows; image it with a good free imager like Macrium or Backupper to an external drive; add back the programs needed/wanted; image the drive again on an external drive; unhook the external drive and put it somewhere safe like your auntie's hat box in the attic.

    the end.

    nozzle
     
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,240
    Personally I would just run an antivirus to clean the infection, and then verify it with several scanners to see if they report the system as being clean now.

    I never do a clean install when I get infected.
     
  6. JoeSchmoe007

    JoeSchmoe007 Registered Member

    Joined:
    Dec 11, 2011
    Posts:
    5
    Location:
    USA
    Just to share what worked for me in this case:

    Kaspersky Rescue Disk detected and removed multiple trojans. After that the system seemed back to normal.

    We backed up user files to DVD-R. I then ran DBAN and am now re-installing Windows.
     
  7. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Perfect, I'd now recommend setting up Windows incl. all SPs and updates, and adding security software. Finally, make an image of the disk (Windows VHD) and save it to a separate HDD.
     