Re: I'm stuck - Windows Stable Work

Discussion in 'Spyware' started by David H. Lipman, Jun 24, 2011.

  1. Have you tried removing the hard disk from the affected computer and placing on a
    surrogate computer ?

    Then you can scan the affected hard disk and/or manually cleanout TEMP folders, EXE files
    that don't belong in %appdata%, etc....
    David H. Lipman, Jun 24, 2011
    1. Advertisements

  2. That's the spirit :)
    David H. Lipman, Jun 24, 2011
    1. Advertisements

  3. David H. Lipman

    Whoever Guest

    Since you're going to back up the data anyway, Dave's suggestion is
    probably best. For my own part, I'm kind of partial to downloading an
    up-to-date Avira Rescue CD and tackling these types with it. Keeping the
    regfix for .exe's for XP and Vista/Win7 on hand doesn't hurt either.
    Whoever, Jun 24, 2011
  4. Bwahahahahahahahas ;-)

    BTW: %appdata%, %temp% are a couple of examples. I hoped you SERIOUSLY looked at the
    MBAM & SAS logs to see WHERE the files were found so you can use that information in the
    David H. Lipman, Jun 24, 2011
  5. David H. Lipman

    Aardvark Guest

    Why bother doing that? Booting into a live Linux distro and fixing the
    problem using that will save all that trouble.
    Aardvark, Jun 24, 2011
  6. David H. Lipman

    Aardvark Guest

    No, you don't.
    Aardvark, Jun 24, 2011
  7. Vy placing the drive in a surrogate PC you have access to a wealth of software available
    on said surrogate computer to examine, scan, verify and correct malware and malware
    related anomolies on the affected hard disk. At best, booting off a live Linux distro
    would be a limited subset of that surrogate computer's capability.
    David H. Lipman, Jun 24, 2011
  8. Indeed, but it is a well known almost sure-fire method of
    ensuring that the malware isn't running while you do.

    Cryptovirological ransomware could ransom your backups
    FromTheRafters, Jun 24, 2011
  9. David H. Lipman

    Peter Foldes Guest

    Not a very good idea Aardvark. As David pointed out there would be limitations as to
    what you can access on the infected drive

    Peter Foldes, Jun 24, 2011
  10. But that's not what he said, he said you would have the added resources
    of the host machine at your fingertips as opposed to whatever tools you
    could cram on the Live CD.

    Soon, there could be victimized firmware to consider as well.
    FromTheRafters, Jun 24, 2011
  11. From: "FromTheRafters" <>

    I doubt "soon".
    David H. Lipman, Jun 24, 2011
  12. David H. Lipman

    Aardvark Guest

    I didn't suggest running the OS which is installed on the HD being
    examined/cleaned. I just said that it isn't necessary to remove the HD.

    Boot CDs come in very handy, you know.
    Aardvark, Jun 24, 2011
  13. David H. Lipman

    Aardvark Guest

    I've never had any trouble accessing/cleaning everything on a HD using a
    number of different boot discs, fuckwit.
    Aardvark, Jun 24, 2011
  14. I know you didn't.
    It's nice to have alternatives that support whatever filesystem you
    need to access. Linux discs are especially good about that.
    FromTheRafters, Jun 24, 2011
  15. David H. Lipman

    Aardvark Guest

    My point exactly. Some in this group behave as if M$ OSen are the only
    thing out there to do stuff with PCs. Understandable, as a number of them
    have letters after their name beginning 'MS' or simply 'M'. IMO that will
    have a tendency to blind them to alternatives.

    I merely wanted to point out alternatives which are just as, or more,
    Aardvark, Jun 24, 2011
  16. I'm not at all familiar with this group.
    I often point that out myself. There's often no need to do
    that, just boot a different OS instance from read-only
    media and have at it.

    If you are working on someone elses computer, you will be
    taking it apart to clean it anyway, so why not swap it out to
    your bench machine which has all of the tools installed on it?
    FromTheRafters, Jun 25, 2011
  17. David H. Lipman

    Aardvark Guest

    I often do it in other peoples' homes,the software side anyway. I always
    turn up with a few boot CDs or live CDs to do the initial testing.What
    comes after that- fix it in situ as it's a software thing, or take it
    home with me- depends on the tests.
    Aardvark, Jun 25, 2011
  18. David H. Lipman

    G. Morgan Guest

    I use a combination of PE, XP-Lit\h e, and Linux on my rescue media. I
    prefer a flash drive over a cd/dvd (if the computer is new enough to
    boot from USB).

    If MBAM and SaS worked, they could have been run from the start-up flash
    drive in XP-Lite. If all he wanted to do was access the admin account,
    a Linux tool for resetting the Admin account would have worked.

    For a back-up and reload, the start-up media can be used to make a new
    partition on the HDD, then move the user's files there. I don't like
    taking apart other peoples lappies, unless the HDD is easily accessible
    physically. I took apart a HP Mini the other day to remove the SSD and
    replace with a HDD, only to find I need a special connector from HP to
    do so. It said that in the service manual, but I wanted to see for
    myself. Had to remove the KB just to get at the SSD.

    I prefer the flatten and rebuild method for a badly infected unit. I
    want it leaving the bench knowing with 100% certainty it is clean.

    I batch install my basic apps.of choice for the customer (Foxit Reader,
    Premo PDF printer, Winrar, Firefox, Thunderbird (optional), Ccleaner,
    SIW, Avira free, Revo uninstaller, Logmein, VLC, Winpatrol,
    LibreOffice (or MS office if they have a key). Plus whatever else they
    want (commercial SW) re-installed that I grabbed the key for before
    wiping or they have a sticker for a key.

    Fab's autobackup works good for transferring the settings and docs.

    Nirsoft and SIW have all the tools needed to get saved passwords and
    product keys before the wipe.

    So, I guess I'm in agreement with you. Taking the time to remove and
    reinstall the HDD on another host would work, but then I can not have
    the 100% certainty required. And the time it takes to do it with my
    preferred method is not that long. Once the OS is re-installed, the
    batch installer does the rest. Then just re-run Fab's autobackup to
    move the docs and pics, dl's back to the c: drive. Or try to convince
    them to keep docs and pics on the separate partition. Windows 7 makes
    it a cakewalk to re-assign the "libraries" directories.

    Plus, it's a chance to sell them an upgrade for the new OS (i.e. XP to
    Win 7). Oops, need more RAM now! I sell RAM too.

    Don't get me wrong, I don't operate like 'Geek Squad' and push upsells
    when it's not needed. I know they will call me back if I am fair, and
    tell them to try it for a few days and I'll come back with RAM if it's
    too slow.

    Also, I save an HTML report from SIW before I do anything. I've heard
    of guys getting accused of stealing RAM and HDD's from pc's and
    replacing them with less. The report covers my ass if that ever
    happened to me (which it hasn't) because I don't work for scummy people.
    I fired a client 2 months ago because he kept expecting free service ( I
    did a few courtesy calls for him).

    That's partially my fault because in a sense I devalued my services in
    his eyes, I was trying to be nice on the freebies because he has bought
    so much from me in the past. The straw that 'broke the camel's back'
    was the day I drove all over town looking for some outdoor patio
    speakers for him. I called him from 3 stores before I found a set he
    liked, and bought a VGA cable for his DVR. Dumb me, I bring in the
    merchandise in a bag with the receipts. Put the receipts out in the
    open, and that's exactly the amount he wrote a check for. Pissed me
    off, no markup on the goods for my time and gas getting the damn
    speakers and no labor $$ for replacing the speakers (it only was 15
    minutes, but still). I took the check, walked out, and never returned
    his calls again.
    G. Morgan, Jun 25, 2011
  19. David H. Lipman

    Peter Foldes Guest

    <rest of drivel snipped>

    LOL. Are you really serious? I would not give you anything computer wise to touch
    after reading your post.

    Peter Foldes, Jun 25, 2011
  20. That's harsh Peter. :-(
    David H. Lipman, Jun 25, 2011
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.