From: John Slade on
On 7/31/2010 4:21 PM, Dustin wrote:
> John Slade<hhitman86(a)pacbell.net> wrote in
> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>
>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>
>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>
>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>

>
>> You should know there is malware out there that will
>> trash the registry and its backup. It will require some sort of
>> reinstall to get the system back working. I found it very rare
>> that I need to do a full reformat and reinstall because of
>> malware. Some malware will also corrupt system files and when
>> you remove them with scanners, it will make the installation
>> unbootable. This is yet another reason professionals will make a
>> backup if possible before removing infections.
>
> What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

> Are you storing the backup on
> read only media or a hard drive that could fail for any reason?

You mean WORM (Write Once/Read Many) media, don't you? That
media can fail also. No media is perfect. I store the backup on
business or enterprise grade HDs and will transfer to other
media if the customer wants that backup. If it's a large backup
they will have to pay me for it. Tell me: what software and
hardware would you use to back up your customer's HD before you
start removing malware?

>
>> I know there are a lot of fly-by-night computer repair
>> people who are just there to do a quick fix and get paid, I find
>> myself cleaning up after a lot of them.
>
> I've encountered a few of those in my time as well.... I enjoy the work
> they provide me tho.

Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.

> Tell me something, John, as a PROFESSIONAL, have
> you written any of the tools you use for cleanup; or do you use the
> work others have written, such as myself, David Lipman and many others?
>

For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.

I use software others have written. I'm not a software
engineer. I'm a professional computer repair person. I find that
competence in one profession such as software engineering
doesn't translate into something else like tech support. I've
been repairing computers for close to 25 years and have learned
a lot. One thing I've learned is a backup saves a lot of trouble
and allows for different approaches to be tried.

So tell me what products have you and David Lipman
written and where can I check them out?


John




From: Dustin on
John Slade <hhitman86(a)pacbell.net> wrote in
news:i32s10$653$1(a)news.eternal-september.org:

> On 7/31/2010 4:21 PM, Dustin wrote:
>> John Slade<hhitman86(a)pacbell.net> wrote in
>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>
>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>
>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>
>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>
>
>>
>>> You should know there is malware out there that will
>>> trash the registry and its backup. It will require some sort of
>>> reinstall to get the system back working. I found it very rare
>>> that I need to do a full reformat and reinstall because of
>>> malware. Some malware will also corrupt system files and when
>>> you remove them with scanners, it will make the installation
>>> unbootable. This is yet another reason professionals will make a
>>> backup if possible before removing infections.
>>
>> What software do you use for the backup?
>
> I will either use Acronis' or Paragon's backup software
> depending on the situation.
>
>> Are you storing the backup on
>> read only media or a hard drive that could fail for any reason?
>
> You mean WORM (Write Once/Read Many) media, don't you? That
> media can fail also. No media is perfect. I store the backup on
> business or enterprise grade HDs and will transfer to other
> media if the customer wants that backup. If it's a large backup
> they will have to pay me for it. Tell me: what software and
> hardware would you use to back up your customer's HD before you
> start removing malware?

I haven't heard the acronym WORM in years... Damn, you have been around
a long time. :) I was thinking of CD-R or perhaps DVD-R material.

It depends. When I was working at a computer shop, I'd either use
Norton Ghost Corporate Edition or the hardware drive cloning device we had
at the time. I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of the
registry or important files. Besides, I wrote several utilities to
assist me in verifying various Windows DLL/EXE files were still intact
and okay for reuse.

We would typically reserve cloning drives for hardware failure signs.
Although, a customer could have us clone a drive for a malware issue if
they so desired. By default, we always copied docs, favorites, emails
etc before doing anything... But, you know, different places have
different policies.

Why do you spend the additional time to clone an entire drive for a
malware removal job?

>>
>>> I know there are a lot of fly-by-night computer repair
>>> people who are just there to do a quick fix and get paid, I find
>>> myself cleaning up after a lot of them.
>>
>> I've encountered a few of those in my time as well.... I enjoy the
>> work they provide me tho.
>
> Me too. I especially get a kick out of the ones who don't
> do backups and leave various screws out.

Or, use the wrong screws and strip one of the drives :)

>> Tell me something, John, as a PROFESSIONAL, have
>> you written any of the tools you use for cleanup; or do you use the
>> work others have written, such as myself, David Lipman and many
>> others?
>>
>
> For the record, I'm not trying to get into some pissing
> contest. I was just making a suggestion as to how to fix the
> problem laid out in the OP.

I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that. We
can all be professional and civil here.

> I use software others have written. I'm not a software
> engineer. I'm a professional computer repair person. I find that
> competence in one profession such as software engineering
> doesn't translate into something else like tech support. I've
> been repairing computers for close to 25 years and have learned
> a lot. One thing I've learned is a backup saves a lot of trouble
> and allows for different approaches to be tried.

Well, a backup is a good way of having an escape route should something
go wrong. :) From a software aspect tho, I haven't really encountered
much malware that would justify the time I spent on imaging the drive
first. I wasn't in charge of billing tho, so that may have played a
part in that.

> So tell me what products have you and David Lipman
> written and where can I check them out?

I've written all kinds of old utility style apps; as you've been around
so long, you might know a few of them: Cmoscon, encode, delock, and
various others. If you're into crypto/security, you might even know the
old DOS file/freespace wiping app called NuKE and/or possibly CryptX.

In more recent times, I developed an antimalware scanner (that's why I
found your description on how they worked amusing. hehehe) called
BugHunter. I did a stint as a malware researcher for an app called
Malwarebytes Anti-Malware.

Like yourself, I've been repairing PCs professionally for over 15 years
now; you have ten years on me, but I have programming skills on you.
*g*.

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
From: John Slade on
On 8/1/2010 8:24 AM, Dustin wrote:
> John Slade<hhitman86(a)pacbell.net> wrote in
> news:i32s10$653$1(a)news.eternal-september.org:
>
>> On 7/31/2010 4:21 PM, Dustin wrote:
>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>
>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>
>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>
>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>
>>
>>>
>>>> You should know there is malware out there that will
>>>> trash the registry and its backup. It will require some sort of
>>>> reinstall to get the system back working. I found it very rare
>>>> that I need to do a full reformat and reinstall because of
>>>> malware. Some malware will also corrupt system files and when
>>>> you remove them with scanners, it will make the installation
>>>> unbootable. This is yet another reason professionals will make a
>>>> backup if possible before removing infections.
>>>
>>> What software do you use for the backup?
>>
>> I will either use Acronis' or Paragon's backup software
>> depending on the situation.
>>
>>> Are you storing the backup on
>>> read only media or a hard drive that could fail for any reason?
>>
>> You mean WORM (Write Once/Read Many) media, don't you? That
>> media can fail also. No media is perfect. I store the backup on
>> business or enterprise grade HDs and will transfer to other
>> media if the customer wants that backup. If it's a large backup
>> they will have to pay me for it. Tell me: what software and
>> hardware would you use to back up your customer's HD before you
>> start removing malware?
>
> I haven't heard the acronym WORM in years... Damn, you have been around
> a long time. :) I was thinking of CD-R or perhaps DVD-R material.

It would be OK for DVD-R if the backup is small. But
swapping 20 or more DVDs is a pain.

>
> It depends. When I was working at a computer shop, I'd either use
> Norton Ghost Corporate Edition or the hardware drive cloning device we had
> at the time.

I rarely use Ghost these days; it used to be the only
thing I ever used.


> I really didn't see much point in cloning a malware drive
> for malware removal; I wasn't stupid enough to trash my backups of the
> registry or important files. Besides, I wrote several utilities to
> assist me in verifying various Windows DLL/EXE files were still intact
> and okay for reuse.
>

Yeah, that's good for you, but when you're working for
someone else and they have important data they want to save, I
will back up. Most of the time the customer doesn't have a
backup. A lot of times the customer has an HD that's five or six
years old and they really need a backup done. Then there are the
times when I'm working for a young person and they don't want a
backup; they just want the drive wiped and they want the OS
installed.

> We would typically reserve cloning drives for hardware failure signs.
> Although, a customer could have us clone a drive for a malware issue if
> they so desired. By default, we always copied docs, favorites, emails
> etc before doing anything... But, you know, different places have
> different policies.

I work mostly with home users and small businesses, and a
lot of times they have personal stuff they want to save. So I'll
do a quick backup of that data and then I'll do the full backup.
Sometimes they just want a reinstall. There are times when they
tell me not to back up because the data isn't important. In
David's response he seems worried about saving data, so I
wondered why he wouldn't back up.

>
> Why do you spend the additional time to clone an entire drive for a
> malware removal job?

It doesn't take that long most of the time, and it's a lot
safer for the user's data. In most cases it actually takes
longer to install, upgrade and reinstall software for the
customer. Most of the time I back up less than 150 GB.

>
>>>
>>>> I know there are a lot of fly-by-night computer repair
>>>> people who are just there to do a quick fix and get paid, I find
>>>> myself cleaning up after a lot of them.
>>>
>>> I've encountered a few of those in my time as well.... I enjoy the
>>> work they provide me tho.
>>
>> Me too. I especially get a kick out of the ones who don't
>> do backups and leave various screws out.
>
> Or, use the wrong screws and strip one of the drives :)
>
>>> Tell me something, John, as a PROFESSIONAL, have
>>> you written any of the tools you use for cleanup; or do you use the
>>> work others have written, such as myself, David Lipman and many
>>> others?
>>>
>>
>> For the record, I'm not trying to get into some pissing
>> contest. I was just making a suggestion as to how to fix the
>> problem laid out in the OP.
>
> I understand. It just seemed as if you were being a wiseass towards
> David, from my POV. I didn't personally see any need in doing that. We
> can all be professional and civil here.

David was being a wiseass himself, and I can understand why
he didn't respond. He seemed worried about losing data by simply
removing the system restore points, so I naturally wondered why;
a backup can solve this problem. I guess he realized it was a
good idea, so then he got snippy.

>
>> I use software others have written. I'm not a software
>> engineer. I'm a professional computer repair person. I find that
>> competence in one profession such as software engineering
>> doesn't translate into something else like tech support. I've
>> been repairing computers for close to 25 years and have learned
>> a lot. One thing I've learned is a backup saves a lot of trouble
>> and allows for different approaches to be tried.
>
> Well, a backup is a good way of having an escape route should something
> go wrong. :) From a software aspect tho, I haven't really encountered
> much malware that would justify the time I spent on imaging the drive
> first. I wasn't in charge of billing tho, so that may have played a
> part in that.

I don't work for any company; I work freelance. Like I said,
most backups are small and usually take from 20 minutes to a
couple of hours. I don't charge by the hour; I charge by the job.

>
>> So tell me what products have you and David Lipman
>> written and where can I check them out?
>
> I've written all kinds of old utility style apps; as you've been around
> so long, you might know a few of them: Cmoscon, encode, delock, and
> various others. If you're into crypto/security, you might even know the
> old DOS file/freespace wiping app called NuKE and/or possibly CryptX.
>

I've heard of some of those.

> In more recent times, I developed an antimalware scanner (that's why I
> found your description on how they worked amusing. hehehe) called
> BugHunter. I did a stint as a malware researcher for an app called
> Malwarebytes Anti-Malware.
>

I don't know why you would find it funny, because a
virus writer will use anything to hide a virus. What smarter way
is there to hide them than in each and every folder in "System Volume
Information"? I do believe that what the system had was a
variant of the Virtumonde trojan. If you did research on malware,
then you know virus writers will take existing malware and
modify it. I found one thing to be true in the world of malware:
NOBODY knows everything about every malware variant out there.
You can believe me or not; it doesn't matter.

John
From: ~BD~ on
John Slade wrote:
> On 8/1/2010 8:24 AM, Dustin wrote:
>> John Slade<hhitman86(a)pacbell.net> wrote in
>> news:i32s10$653$1(a)news.eternal-september.org:
>>
>>> On 7/31/2010 4:21 PM, Dustin wrote:
>>>> John Slade<hhitman86(a)pacbell.net> wrote in
>>>> news:L0p4o.32466$OU6.4877(a)newsfe20.iad:
>>>>
>>>>> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>
>>>>>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>>>>>> From: "John Slade"<hhitman86(a)pacbell.net>
>>>>>>
>>>>>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>>>>>
>>>
>>>>
>>>>> You should know there is malware out there that will
>>>>> trash the registry and its backup. It will require some sort of
>>>>> reinstall to get the system back working. I found it very rare
>>>>> that I need to do a full reformat and reinstall because of
>>>>> malware. Some malware will also corrupt system files and when
>>>>> you remove them with scanners, it will make the installation
>>>>> unbootable. This is yet another reason professionals will make a
>>>>> backup if possible before removing infections.
>>>>
>>>> What software do you use for the backup?
>>>
>>> I will either use Acronis' or Paragon's backup software
>>> depending on the situation.
>>>
>>>> Are you storing the backup on
>>>> read only media or a hard drive that could fail for any reason?
>>>
>>> You mean WORM (Write Once/Read Many) media, don't you? That
>>> media can fail also. No media is perfect. I store the backup on
>>> business or enterprise grade HDs and will transfer to other
>>> media if the customer wants that backup. If it's a large backup
>>> they will have to pay me for it. Tell me: what software and
>>> hardware would you use to back up your customer's HD before you
>>> start removing malware?
>>
>> I haven't heard the acronym WORM in years... Damn, you have been around
>> a long time. :) I was thinking of CD-R or perhaps DVD-R material.
>
> It would be OK for DVD-R if the backup is small. But swapping 20 or more
> DVDs is a pain.
>
>>
>> It depends. When I was working at a computer shop, I'd either use
>> Norton Ghost Corporate Edition or the hardware drive cloning device we had
>> at the time.
>
> I rarely use Ghost these days; it used to be the only thing I ever used.
>
>
>> I really didn't see much point in cloning a malware drive
>> for malware removal; I wasn't stupid enough to trash my backups of the
>> registry or important files. Besides, I wrote several utilities to
>> assist me in verifying various Windows DLL/EXE files were still intact
>> and okay for reuse.
>>
>
> Yeah, that's good for you, but when you're working for someone else and
> they have important data they want to save, I will back up. Most of the
> time the customer doesn't have a backup. A lot of times the customer has
> an HD that's five or six years old and they really need a backup done.
> Then there are the times when I'm working for a young person and they
> don't want a backup; they just want the drive wiped and they want the OS
> installed.
>
>> We would typically reserve cloning drives for hardware failure signs.
>> Although, a customer could have us clone a drive for a malware issue if
>> they so desired. By default, we always copied docs, favorites, emails
>> etc before doing anything... But, you know, different places have
>> different policies.
>
> I work mostly with home users and small businesses, and a lot of times
> they have personal stuff they want to save. So I'll do a quick backup of
> that data and then I'll do the full backup. Sometimes they just want a
> reinstall. There are times when they tell me not to back up because the
> data isn't important. In David's response he seems worried about saving
> data, so I wondered why he wouldn't back up.
>
>>
>> Why do you spend the additional time to clone an entire drive for a
>> malware removal job?
>
> It doesn't take that long most of the time, and it's a lot safer for the
> user's data. In most cases it actually takes longer to install, upgrade
> and reinstall software for the customer. Most of the time I back up less
> than 150 GB.
>
>>
>>>>
>>>>> I know there are a lot of fly-by-night computer repair
>>>>> people who are just there to do a quick fix and get paid, I find
>>>>> myself cleaning up after a lot of them.
>>>>
>>>> I've encountered a few of those in my time as well.... I enjoy the
>>>> work they provide me tho.
>>>
>>> Me too. I especially get a kick out of the ones who don't
>>> do backups and leave various screws out.
>>
>> Or, use the wrong screws and strip one of the drives :)
>>
>>>> Tell me something, John, as a PROFESSIONAL, have
>>>> you written any of the tools you use for cleanup; or do you use the
>>>> work others have written, such as myself, David Lipman and many
>>>> others?
>>>>
>>>
>>> For the record, I'm not trying to get into some pissing
>>> contest. I was just making a suggestion as to how to fix the
>>> problem laid out in the OP.
>>
>> I understand. It just seemed as if you were being a wiseass towards
>> David, from my POV. I didn't personally see any need in doing that. We
>> can all be professional and civil here.
>
> David was being a wiseass himself, and I can understand why he didn't
> respond. He seemed worried about losing data by simply removing the
> system restore points, so I naturally wondered why; a backup can solve
> this problem. I guess he realized it was a good idea, so then he got snippy.
>
>>
>>> I use software others have written. I'm not a software
>>> engineer. I'm a professional computer repair person. I find that
>>> competence in one profession such as software engineering
>>> doesn't translate into something else like tech support. I've
>>> been repairing computers for close to 25 years and have learned
>>> a lot. One thing I've learned is a backup saves a lot of trouble
>>> and allows for different approaches to be tried.
>>
>> Well, a backup is a good way of having an escape route should something
>> go wrong. :) From a software aspect tho, I haven't really encountered
>> much malware that would justify the time I spent on imaging the drive
>> first. I wasn't in charge of billing tho, so that may have played a
>> part in that.
>
> I don't work for any company; I work freelance. Like I said, most backups
> are small and usually take from 20 minutes to a couple of hours. I don't
> charge by the hour; I charge by the job.
>
>>
>>> So tell me what products have you and David Lipman
>>> written and where can I check them out?
>>
>> I've written all kinds of old utility style apps; as you've been around
>> so long, you might know a few of them: Cmoscon, encode, delock, and
>> various others. If you're into crypto/security, you might even know the
>> old DOS file/freespace wiping app called NuKE and/or possibly CryptX.
>>
>
> I've heard of some of those.
>
>> In more recent times, I developed an antimalware scanner (that's why I
>> found your description on how they worked amusing. hehehe) called
>> BugHunter. I did a stint as a malware researcher for an app called
>> Malwarebytes Anti-Malware.
>>
>
> I don't know why you would find it funny, because a virus writer will use
> anything to hide a virus. What smarter way is there to hide them than in
> each and every folder in "System Volume Information"? I do believe that
> what the system had was a variant of the Virtumonde trojan. If you did
> research on malware, then you know virus writers will take existing
> malware and modify it. I found one thing to be true in the world of
> malware: NOBODY knows everything about every malware variant out there.
> You can believe me or not; it doesn't matter.
>
> John

You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

There is a school of thought that suggests that once a computer has been
compromised, one can never be *certain* that it is clean, and that it
is always best to re-install the operating system... on a formatted
hard disk, wiping out all partitions first.

I'm just a user - but that's how I think too! ;-)

--
Dave - I've enjoyed reviewing John's posts!
From: ~BD~ on
~BD~ forgot to add the link showing support for his view!

http://technet.microsoft.com/en-us/library/cc512587.aspx