3

So I got this computer from my cousin. As far as I can tell, it has LOTS of back-doors, trojans etc. installed. You can see the installed programs as below w/ lots of activeX:

[image: screenshot of the installed programs list]

I fear these backdoors would be integrated into the OS via updates (if such a thing is possible). So is the safest course a fresh install, or would Kaspersky do just enough so that I can tell my cousin that she can use it without any concerns?

Edit: What are we looking at?

The OS is in Turkish, this is the Uninstall Program window. The other languages: I don't know. The computer has only Turkish language installed as OS's native language.

Varaquilex
  • 3,866

2 Answers

5

Using any antivirus software is no guarantee that it keeps your PC clean.

I am not an antivirus expert, but when a virus can breach your system, then there is also the chance it could hide itself from the antivirus software(s).

E.g. there are a lot of rootkits out there which you can't remove, because they are integrated into your system at such a low level. (You don't even know about them, because they are not visible to you or your antivirus.)

So I advise you to completely reformat your drive and reinstall your system. And if you don't have any super important data then do not make a backup, because if the virus is smart enough it will copy itself to your backup, and infect your system again.

And if you use this computer to buy on the internet or use your net bank, then you definitely SHOULD reinstall your system.

+1 Advice: If you connected this computer to your home network, and you use a bad firewall (e.g. the Microsoft default firewall), then you should inspect your other PCs on your network.

Jan Doggen
  • 4,218
  • 1
    What makes the Windows Firewall a "bad" firewall? – Darth Android Feb 18 '14 at 17:40
  • Basic, almost no options. (And I know about the advanced filter editor window.) Permissive, most of the outbound traffic is not filtered. Give a try to Comodo Firewall, hack around a bit and you will see the differences. :) – NoNameProvided Feb 18 '14 at 19:38
  • I will re-install the OS. Although I wonder, would an infected external HDD that contains executables cause problems when I plug in and scan on my clean system (I do not click on anything in the drive) ? – Varaquilex Feb 18 '14 at 20:15
  • Outbound isn't filtered by default, but you can turn it on: Step 1: Configuring the Default Outbound Firewall Behavior to Block You ever given an outward blocking firewall to a neophyte computer user? Oh my goodness! They freak out because every time something happens that required some internet usage a popup they don't understand comes up, talking about blocking and allowing suspicious things, possible infections, etc. And then they're on the phone with you telling you they're infected and/or can't get on the Internet. :) – Ƭᴇcʜιᴇ007 Feb 18 '14 at 20:16
  • @NoNameProvided It's not a fully-featured heavyweight firewall solution... but it's a very solid general/basic firewall. And as techie007 said, I would not filter outbound data by default as a general Windows default, because that would just result in people turning the firewall completely off. – Darth Android Feb 18 '14 at 21:29
  • Sure, Windows Essential is a fully-featured heavyweight antivirus solution too.. with 80% reactive and 55% proactive detection rate... (https://www.virusbtn.com/vb100/RAP/RAP-quadrant-Aug-Dec13-1200.jpg)

    Windows Firewall is a dead-simple firewall, but it is in Windows by default because a lot of users don't care about firewalls. And a bad one is better than nothing. Search for a comparison test about e.g. Comodo (best free solution) and Windows Firewall. Windows Firewall is just not enough for the work which it should do.

    A simple example: W.F. could easily be terminated by other applications.

    – NoNameProvided Feb 18 '14 at 21:49
  • @NoNameProvided I have taken the liberty of editing your answer to include reformatting the drive; I'm afraid that suggestion will not come across strongly enough if I just comment that. Feel free to revert the edit. – Jan Doggen Feb 20 '14 at 09:27
  • And after cleaning the machine the user should change all his passwords. It's all a lot of work but that's the price to pay for getting his system infected. – Jan Doggen Feb 20 '14 at 09:31
  • @NoNameProvided If you don't trust the software on your PC, why do you trust a software firewall on the very same PC? The Windows Filtering Platform rivals IPTables in features, and no one ever complained about the latter. – Daniel B Feb 20 '14 at 10:06
1

Due to the intrusive and stealthy nature of viruses, your best option is probably to reinstall the OS.

Back up any necessary files (Only take what is ABSOLUTELY NECESSARY, as the virus can replicate using most files and file types, and you don't know the exact location or spread of the virus), and wipe the HDD. Reinstall the OS, and move from there.

Ideally, if you can create an Ubuntu (or other OS that can zero a HDD) boot disk, use the command:

sudo dd if=/dev/zero of=/dev/sda

MAKE SURE THAT sda IS THE HARD DRIVE IF YOU DO THIS!

which completely overwrites the hard drive with 0's. You WILL lose ALL data on the drive, and completely remove the virus from the hard drive. Then reinstall Windows. Make sure to use a clean computer to create the boot disk.

If you deal with sensitive information (finances (such as credit cards), or other information that could be used in identity theft), then I would highly recommend a full wipe and reinstall.

If the computer is completely offline, ideally with the network cable unplugged, then you could probably get away with cleaning up the PC and continuing use on the same OS. I still do not recommend this action, as the virus could travel over removable media that you use.

And as NoNameProvided said, inspect other computers connected to the infected computer. Although they may not seem infected, there are multiple types of infections that are near impossible to detect until it's too late.

Azulflame
  • 183
  • 2
    While I don't think this applies, it should be noted. DO NOT DO THIS METHOD TO AN SSD DRIVE. You can cause excess wear to an SSD by zeroing it out like this. – AtomicPorkchop Feb 18 '14 at 19:13
  • 1
    @Solignis: Reinstalling the OS is going to be another write cycle over much of the SSD anyway. I agree that SSDs have limited write life, but I think this is a situation where burning one of those writes is much more than fully justified. – keshlam Feb 18 '14 at 23:24
  • Yes, reloading this OS is another write cycle. But writing over the data on the disk is different than filling the disk with zeros. You do not treat an SSD like you treat a traditional hard disk. When you format an SSD you have to use software that is SSD aware. dd with /dev/zero is not one of those methods. – AtomicPorkchop Feb 19 '14 at 22:53
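The answer's "MAKE SURE THAT sda IS THE HARD DRIVE" warning is the step people get wrong, so here is an added pre-flight check (my own example, not from the answer or its commenters) to run from the live USB before the dd command: it refuses any target that is not a whole /dev disk, or that is mounted anywhere (which is what the live system's own boot media or an accidentally mounted drive would look like), and only prints the dd command rather than running it. The mounts-table argument is an assumption for testability; it defaults to /proc/mounts, and per the comments this zeroing approach is for spinning disks, not SSDs.

```shell
#!/bin/sh
# Pre-flight check before "dd if=/dev/zero of=/dev/sdX" from a live USB.
# Usage: ./wipe_check.sh /dev/sdb
# Added example, not the answer's own script: it never runs dd itself.

# Return 0 if $1 or any partition on it (sda1, nvme0n1p2, ...) appears as
# a mounted device in the mounts table $2 (defaults to /proc/mounts).
device_is_mounted() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    awk -v d="$dev" \
        '$1 == d || (index($1, d) == 1 && substr($1, length(d) + 1) ~ /^p?[0-9]+$/) { found = 1 }
         END { exit !found }' "$mounts"
}

# Return 0 only if $1 is a plausible wipe target: a /dev path, a whole
# disk rather than a partition, and not mounted according to table $2.
wipe_target_ok() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    case "$dev" in
        /dev/*) ;;
        *) echo "refusing: not a /dev path: $dev" >&2; return 1 ;;
    esac
    case "$dev" in
        *[0-9]) echo "refusing: looks like a partition, give the whole disk: $dev" >&2; return 1 ;;
    esac
    if device_is_mounted "$dev" "$mounts"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    return 0
}

# When run with an argument, add the "is it really a block device" check
# and print the dd command for the operator to copy deliberately.
if [ "$#" -gt 0 ]; then
    if [ ! -b "$1" ]; then
        echo "refusing: not a block device: $1" >&2
        exit 1
    fi
    wipe_target_ok "$1" || exit 1
    echo "checks passed; to wipe, run: dd if=/dev/zero of=$1 bs=4M"
fi
```

Compare the device it reports against `lsblk` output (size and model) before copying the dd line; the check cannot tell a second data disk from the one you meant to wipe.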