Showing posts with label spybot. Show all posts

Friday, October 31, 2008

Security Tip - Windows PE

Good job on the new look for your blog, Suzanne.

A couple weeks ago my sister-in-law brought me her PC that would no longer boot. These things get dumped on me from time to time with a request to recover all their documents, make it work, and tune it up so that it runs faster than it ever ran before. My sister-in law is a sweetheart, so I figured I would have a go at it.

I started by trying a variety of the boot options provided through the F8 boot menu. Mostly the boots just ended at the same blank screen, but one presented the BSOD, otherwise known as the Blue Screen of Death. The BSOD is an error screen that happens so frequently on MS operating systems that it has its own acronym. The error message on my sister-in-law’s machine suggested some sort of video problem.

So I’m figuring the PC is dead, I’m going to have to do a fresh install of Windows XP and maybe replace the video card, but I want to save whatever I can from the disk so she can get her documents back. So I pull out the Windows PE disk.

The Windows PE disk is something I have just started using, but I can already see that it will become a common tool for a variety of tasks in managing a Microsoft environment. Have a look at www.windowspe.com or just search “Windows PE” to find out more. It’s an operating system on a CD. You put it in your CD drive, you boot it, and you have a MS environment to work in. It’s just a command line, but there is a lot you can do with it. Here is what I did with this troublesome PC.

I intended just to copy the entire contents of the hard drive to an external drive. I booted Windows PE to the command prompt, plugged in the external drive, and copied the entire hard drive successfully to a folder on the external drive. I was then free to do a fresh install on the PC’s hard drive because I had captured all my sister-in-law’s documents.

But my sister-in-law has kids, and there is a general principle known to people who manage PCs that PCs don’t work for very long in households with kids in them. So I plugged the external drive into my own PC and ran a virus and spyware scan on the folder of files copied from the offending PC. I found a couple dozen hits. I then went back to my sister-in-law’s PC and, using Windows PE, manually deleted from her hard drive the couple dozen files that my scanner had flagged as malware in the copy on the external drive. When I booted her PC off the hard drive again, after deleting those files, the PC booted just fine. I then updated her virus scanner, installed and ran the Spybot spyware scanner, and, presto, she has her PC back.
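The fiddly step in the procedure above is turning the scanner's list of hits in the backup folder into the right delete commands for the original drive, without ever deleting the wrong thing. Here is an added example of that step (my own illustration, not code from the post or from any scanner): it assumes the disk was copied with a plain recursive copy so the tree under the backup folder mirrors the system drive, and it assumes a hypothetical report format of "<path> | <detection name>" per line. It emits a cmd.exe script you can review and then run from the Windows PE prompt.

```python
"""Map scanner hits in the backup copy back to the original system drive and
emit a Windows PE batch script that removes them. Added example, not from the
original post; it assumes the backup folder mirrors the system drive."""
from pathlib import PureWindowsPath

BACKUP_ROOT = PureWindowsPath("E:\\sis_backup")  # folder on the external drive (assumed)
ORIG_ROOT = PureWindowsPath("C:\\")               # system drive as seen from Windows PE (assumed)

# Constructed sample report, as a scanner on the clean PC might list hits
# inside the copied folder. The last line is outside the backup folder and
# must be ignored rather than mapped onto the system drive.
SAMPLE_REPORT = """\
E:\\sis_backup\\WINDOWS\\system32\\svchosts.exe | Trojan.Generic
E:\\sis_backup\\Documents and Settings\\kid\\Local Settings\\Temp\\setup[1].exe | Adware.Downloader
D:\\unrelated\\tool.exe | PUA.Remote
"""


def parse_report(text):
    """Return (path, detection) pairs from the hypothetical report format."""
    hits = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        path, detection = (part.strip() for part in line.split("|", 1))
        hits.append((PureWindowsPath(path), detection))
    return hits


def map_to_original(path, backup_root=BACKUP_ROOT, orig_root=ORIG_ROOT):
    """Map a path under the backup folder back onto the original drive.

    Returns None when the path is not inside the backup folder, so a stray
    hit elsewhere on the external drive can never become a delete command
    for the system drive."""
    try:
        relative = path.relative_to(backup_root)
    except ValueError:
        return None
    return orig_root / relative


def map_hits(hits, backup_root=BACKUP_ROOT, orig_root=ORIG_ROOT):
    """Keep only hits that live under the backup folder, mapped to the original drive."""
    mapped = []
    for path, detection in hits:
        original = map_to_original(path, backup_root, orig_root)
        if original is not None:
            mapped.append((original, detection))
    return mapped


def build_winpe_script(mapped_hits):
    """Emit cmd.exe lines for the Windows PE prompt.

    attrib clears the read-only/system/hidden bits that malware commonly sets,
    then del removes the file; each command is guarded so a path that is
    already gone does not abort the run."""
    lines = ["@echo off", "rem generated from the scanner report; review before running"]
    for path, detection in mapped_hits:
        quoted = f'"{path}"'
        lines.append(f"rem {detection}")
        lines.append(f"if exist {quoted} attrib -r -s -h {quoted}")
        lines.append(f"if exist {quoted} del /f /q {quoted}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_winpe_script(map_hits(parse_report(SAMPLE_REPORT))))
```

Save the printed output as a .bat file on the external drive and run it from the Windows PE prompt once you have read through it; the point of generating it rather than typing the commands is that the path mapping is done once, mechanically, instead of a couple dozen times by hand.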

I have been doing some other things with the Windows PE disk as well. Most interesting is that the Windows PE disk has enabled me to stop using Ghost to image and deploy PCs. More on that later.

Thursday, September 18, 2008

Security Tip - Renaming Tools

Some malware is smart enough to recognize its enemies. I ran across one of these this week cleaning up an infected PC. The PC had a recent version of the Spybot anti-spyware tool (www.safer-networking.org/en/index.html) on it so I started that up to run a scan. Nothing happened. I tried again but still nothing.

So then I downloaded Autoruns from Sysinternals (technet.microsoft.com/en-us/sysinternals/default.aspx). I started that up and again nothing happened. So what can you do when you can't even open your tools to try to get rid of some malware?

In this case, I renamed my tool and ran it under the new name and it worked. The executable at the core of the Spybot version I was using is a file called "spybotSD.exe". I renamed it to some arbitrarily chosen name. I called it "bobo.exe". Then when I double-clicked on that file I just renamed, it opened the Spybot program. I ran my scan. It found the malware and removed it.

So if it seems like one of your scanning tools isn't working, this is one thing to try. Be careful out there.
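The rename trick above can be scripted so the throwaway name is different every time and the copy is cleaned up afterwards. This is an added example of mine, not code from the post or from Spybot or Sysinternals; it assumes the tool is a single executable whose data files (signatures, DLLs) sit next to it, which is why the copy is made in the same folder rather than somewhere else.

```python
"""Run a scanner under a random file name when it will not start under its
own. Added example, not from the original post; assumes the tool is one
executable that finds its data files relative to its own folder."""
import secrets
import shutil
import subprocess
from pathlib import Path


def random_copy_name(tool_path):
    """Build a throwaway name that keeps the original suffix, so a .exe
    stays launchable on Windows (the post used "bobo.exe"; this just
    picks the name at random each run)."""
    return f"tool-{secrets.token_hex(4)}{Path(tool_path).suffix}"


def run_under_random_name(tool_path, args=(), timeout=None):
    """Copy tool_path to a random name in the same folder, run the copy,
    then remove the copy. Returns (copy_name, exit_code).

    The copy lives beside the original so relative data files still
    resolve; the original is never renamed or removed."""
    source = Path(tool_path).resolve()
    copy = source.with_name(random_copy_name(source))
    shutil.copy2(source, copy)  # copy2 keeps the mode bits, so it stays executable
    try:
        completed = subprocess.run([str(copy), *args], cwd=source.parent, timeout=timeout)
    finally:
        copy.unlink(missing_ok=True)
    return copy.name, completed.returncode


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: python renamed_run.py <path-to-tool> [tool args...]")
    name, code = run_under_random_name(sys.argv[1], sys.argv[2:])
    print(f"ran as {name}, exit code {code}")
```

If the tool starts under the random name but not under its own, that is a strong hint that something on the machine is matching process names against a blocklist, which is worth noting in your cleanup log alongside whatever the scan then finds.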

Tuesday, August 26, 2008

Security Tip - XP Antivirus 2008 - BAD!!

XP Antivirus 2008 is NOT the latest antivirus tool we should all be using. It is malware. It’s starting to get a fair bit of traction too. If you get infected, you will find extremely annoying fear-mongering popups urging you to purchase the product. Here is a description from an infected user:
"Last week a pop-up appeared that landed on my icon line.... xpantivirus2008. Thinking that it was another security alert from windows, I clicked on it. It proceeded to "scan" my hard drive and inform me that I had 90+ security "issues" that needed to be addressed..... while the scan was underway, a windows msg appeared saying that it did not recognize the program source. I found that odd... but, as a result, did not buy the xpantivirus2008 program. Now, one week later, I am constantly being assaulted by never-ending pop-ups, registry scans, bubbles, etc. I followed a suggested uninstall (though I never installed the program) plus all of the usual steps in detecting and removal of unwanted programs... but, although I removed everything that I was able to find via search commands, and using the process recommended by TomT (using regedit, hkey current user, msconfig, and unchecking "xpa" at the startup file, the program continues to reappear, pop-up every 2 minutes and at every start up.... Although I finally succeeded, attempting to delete xpantivirus.exe would not allow me to delete saying that it was being used by another user or running in another program which, obviously, it was not.... Even with all of it apparently gone, it still reappears and performs its maddening process. Even a file search at this point does not detect xpantivirus.... HELP!!!!!"

One of my library clients recently found this on one of their staff PCs. The popup window cannot be moved, minimized, or closed, and you can't see anything behind it of course. Luckily, Spybot 1.52 (http://www.safer-networking.org/en/download/) found and removed it. More recent versions of Spybot would probably also remove it. Trend Micro antivirus did not find it. This PC had a couple other infections on it as well. That PC was set up a few years ago and we had no trouble with it until this. What had changed? Not the antivirus on it. Not the applications on it. Not the firewall for the library. The only thing that changed is one user’s lack of restraint. User restraint is one of your best protections.

My spam filter blocked a message that is probably the infecting source. The message is shown below. I have removed all the hyperlinks from the text. The first line is linked to an IP address in Moldova (that’s a country in eastern Europe) with an executable called Install.exe. It looks like this: http://555.555.555.555/install.exe. I have changed the actual numbers in the IP address. That line then is asking you to install software from a site that it will not even identify in English (or any other human language). There are also three links at the bottom: Unsubscribe, More Newsletters, and Privacy. They all link to msn.com, which would seem to lend an air of authenticity. This email is a good example of the kind of thing you should never ever click, should you run across something like it.
_________________________________________________________
Free Update Windows XP,Vista

About this mailing: You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice. ©2008 Microsoft

Unsubscribe   More Newsletters   Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
________________________________________________________

Moral: Use spam filters. Use Spybot. Keep it updated. Exercise restraint. Be paranoid about links presented to you in email. Have a nice day.