Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

consrv.dll

160 views
Skip to first unread message

Dennis

unread,
Jan 8, 2012, 1:38:07 PM1/8/12
to
Can someone point me to a good set of instructions on how to remove the
consrv.dll (detected by MBAM) on my daughter's Win7/64 system? The MBAM
screen is still sitting there waiting for me to quarantine it, but I
don't want to do that until I am sure that it is the correct procedure.

--

Dennis

Dustin

unread,
Jan 8, 2012, 1:41:12 PM1/8/12
to
Dennis <nob...@nowhere.invalid> wrote in
news:ceojg75skii13ucqq...@4ax.com:
I hope she doesn't need the computer anytime soon. :) You are literally
waiting for someone to tell you what to do eh? How techie.

Here's a small suggestion.. Google.


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

FromTheRafters

unread,
Jan 8, 2012, 1:52:29 PM1/8/12
to
Quarantine is almost always the correct choice, it allows you a way back
if you 'remove' something legitimate that is really needed.

David H. Lipman

unread,
Jan 8, 2012, 1:57:10 PM1/8/12
to
From: "Dennis" <nob...@nowhere.invalid>
Just let MBAM do its thing which includes quarantining the DLL.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Dennis

unread,
Jan 8, 2012, 2:06:53 PM1/8/12
to
On Sun, 8 Jan 2012 13:57:10 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Dennis" <nob...@nowhere.invalid>
>
>> Can someone point me to a good set of instructions on how to remove the
>> consrv.dll (detected by MBAM) on my daughter's Win7/64 system? The MBAM
>> screen is still sitting there waiting for me to quarantine it, but I
>> don't want to do that until I am sure that it is the correct procedure.
>
>Just let MBAM do its thing which includes quarantining the DLL.

OK. I see lots of links to SpywareDoctor for removing this. I vaguely
recall some people saying SpywareDoctor was itself malware. Is this
true?

Thanks, David and FromTheRafters...

--

Dennis

Dennis

unread,
Jan 8, 2012, 2:12:41 PM1/8/12
to
I guess I was concerned because it seems that removing this file has
caused problems with systems not being able to boot.

--

Dennis

Dennis

unread,
Jan 8, 2012, 3:02:49 PM1/8/12
to
On Sun, 8 Jan 2012 13:57:10 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Dennis" <nob...@nowhere.invalid>
>
>> Can someone point me to a good set of instructions on how to remove the
>> consrv.dll (detected by MBAM) on my daughter's Win7/64 system? The MBAM
>> screen is still sitting there waiting for me to quarantine it, but I
>> don't want to do that until I am sure that it is the correct procedure.
>
>Just let MBAM do its thing which includes quarantining the DLL.

Just out of curiosity, besides quarantining the dll, will MBAM perform
any other steps icw this malware? For example, will it remove any
malicious registry entries? And other things like that...

--

Dennis

Bear

unread,
Jan 8, 2012, 4:46:18 PM1/8/12
to
Make an image of the system with EaseUS Todo Backup or Macrium Reflect.
Then try to remove it. If you bork it, you can reinstall the image and
try to clean it again.

You should have a current image of your clean system at any rate and you
wouldn't care if it got infected.

--
Bear
http://bearware.info
Must Do: System image and automatic real-time off-site data backup
Recommended tools: EaseUS Todo Backup and SugarSync

Bear

unread,
Jan 8, 2012, 4:50:37 PM1/8/12
to
Go here and read the Comprehensive Security Plan:

http://bearware.info/security.html

VanguardLH

unread,
Jan 8, 2012, 6:25:19 PM1/8/12
to
Where did you find info that said consrv.dll was part of Windows 7?

http://www.cleanpcguide.com/remove-consrv-dll-removal-guide-how-to-remove-consrv-dll/

Did you submit the file to virustotal.com yet? Here's someone prior
submission of that file:

http://www.virustotal.com/file-scan/report.html?id=5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f-1310865513

The problem with not rebooting after removal is that removal hasn't been
complete. consrv.dll is just a DLL file storing a library of functions.
Something ELSE has to call the methods (functions) defined in that DLL.
Once it has done its work, it may no longer be needed. For example, in
the thread below is described how it replaces a random system driver and
once done it's the driver you need to target and not the remnant
file(s). Once infected, disinfection may not be possible without some
manual work after eradication.

http://forum.avast.com/index.php?topic=81720.0

In the following thread, the user found the winsrv got replace with the
malicious consrv.dll (so you need the original winsrv.dll file):

http://www.bleepingcomputer.com/forums/topic400730.html/page__st__15__p__2271737#entry2271737

So after eradicating the consrv.dll file, you need to replace the
registry entries that pointed to it and have them use the original
handler program. Disinfection is an iffy solution as the anti-malware
program may not completely eradicate all changes made by the malware.
They may only target the malware files and not everything they changed.

If the *only* action MBAM will commit is to quarantine a malware file
then that action is incomplete and can render unwanted behavior in apps
or the OS. You sure the only action MBAM will do is quarantine a file?
You might want to search their forums (http://forums.malwarebytes.org/)
on "consrv" to see what others have encountered when using MBAM. One
tool is to use HijackThis to look at a scan of key areas of your OS to
find infections. This requires you (or someone helping you) to decipher
all the information it presents. Another is to use ComboFix but only
something familiar with it should use it.

www.bleepingcomputer.com/download/anti-virus/combofix
www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.infospyware.net/antimalware/combofix/

http://www.youtube.com/watch?v=7PRWXVD_8-8
(for other YouTube videos, search on "combofix")

Personally I don't waste more than a couple hours trying to eradicate a
pest and any artifacts in behavior left behind after the eradication.
If the disinfection isn't easy, I just restore to an image backup that
isn't infected. If your daughter is going to just download anything to
install it, perhaps it's time to consider using Returnil. Configure it
to load on every bootup and password protect its configuration. On a
reboot, all the changes she made, like installing malware, gets
discarded. When active, Returnil virtualizes all disk I/O so no changes
are made to the real disk (which you get back on a reboot). Microsoft
has their SteadyState but I find Returnil easier to use.

Of course, you, er, she is doing periodic image backups to restore her
host not only from malware but also if the hard disk crashes, right?

David H. Lipman

unread,
Jan 8, 2012, 7:13:15 PM1/8/12
to
From: "Dennis" <nob...@nowhere.invalid>
Yes. They too would be quarantined.

Dennis

unread,
Jan 8, 2012, 9:12:37 PM1/8/12
to
On Sun, 8 Jan 2012 19:13:15 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Dennis" <nob...@nowhere.invalid>
>
>> On Sun, 8 Jan 2012 13:57:10 -0500, "David H. Lipman"
>> <DLipman~nospam~@Verizon.Net> wrote:
>>
>>> From: "Dennis" <nob...@nowhere.invalid>
>>>
>>>> Can someone point me to a good set of instructions on how to remove the
>>>> consrv.dll (detected by MBAM) on my daughter's Win7/64 system? The MBAM
>>>> screen is still sitting there waiting for me to quarantine it, but I
>>>> don't want to do that until I am sure that it is the correct procedure.
>>>
>>> Just let MBAM do its thing which includes quarantining the DLL.
>>
>> Just out of curiosity, besides quarantining the dll, will MBAM perform
>> any other steps icw this malware? For example, will it remove any
>> malicious registry entries? And other things like that...
>>
>
>Yes. They too would be quarantined.

Well, my daughter finally finished what she was doing on her PC and
turned it over to me. I let MBAM quarantine the file (only gave me the
one message) and then rebooted. The system started up just fine. I then
ran an MBAM quick scan and no problems were reported. I just completed
an SAS complete scan and only tracking cookies were found. I plan on
running an MBAM full scan overnight. I hope that took care of the
problem.

--

Dennis

Dennis

unread,
Jan 8, 2012, 9:54:20 PM1/8/12
to
On Sun, 8 Jan 2012 17:25:19 -0600, VanguardLH <V...@nguard.LH> wrote:

>Disinfection is an iffy solution as the anti-malware
>program may not completely eradicate all changes made by the malware.
>They may only target the malware files and not everything they changed.

Is there anything I can run that will look for remnants that MBAM did
not remove?

>Personally I don't waste more than a couple hours trying to eradicate a
>pest and any artifacts in behavior left behind after the eradication.
>If the disinfection isn't easy, I just restore to an image backup that
>isn't infected.

I have an image from abt 7 months ago just after I first setup her new
PC. I warned her that if she gets infected and it isn't easy to fix that
I will just restore to that image and she will have to deal with it.

--

Dennis

Bear

unread,
Jan 8, 2012, 10:02:49 PM1/8/12
to
On 1/8/2012 8:54 PM, Dennis wrote:
> On Sun, 8 Jan 2012 17:25:19 -0600, VanguardLH<V...@nguard.LH> wrote:
>
>> Disinfection is an iffy solution as the anti-malware
>> program may not completely eradicate all changes made by the malware.
>> They may only target the malware files and not everything they changed.
>
> Is there anything I can run that will look for remnants that MBAM did
> not remove?

There is nothing short of the expertise of knowledge and file by file
inspection of a system that can surely remedy a cleansing. Barring that,
a reversion to a known clean system is the only remedy.
>
>> Personally I don't waste more than a couple hours trying to eradicate a
>> pest and any artifacts in behavior left behind after the eradication.
>> If the disinfection isn't easy, I just restore to an image backup that
>> isn't infected.
>
> I have an image from abt 7 months ago just after I first setup her new
> PC. I warned her that if she gets infected and it isn't easy to fix that
> I will just restore to that image and she will have to deal with it.
>
Such as is to be. Learn from the situation and fix that in the future.

Bear

unread,
Jan 8, 2012, 10:03:59 PM1/8/12
to
Once a system is infected, review my reply to you in a recent post to you.

VanguardLH

unread,
Jan 9, 2012, 1:40:15 AM1/9/12
to
Dennis wrote:

> VanguardLH wrote:
>
>>Disinfection is an iffy solution as the anti-malware
>>program may not completely eradicate all changes made by the malware.
>>They may only target the malware files and not everything they changed.
>
> Is there anything I can run that will look for remnants that MBAM did
> not remove?

Before removing, and if the malware doesn't prevent you from editing the
registry, often I go hunting for references to the file(s) for the
malware. As with this one, a search on "consrv" will probably show
where it replaced other system files.

I haven't used ComboFix. Hopefully before doing any cleaning, it shows
you what it plans to do.

A filename really doesn't mandate what malware you have. You need to
use the identity of the malware as shown my MBAM or after submitting the
file to virustotal.com to see what type of malware is in that file.
Then you can go hunting around for info on how to best eradicate the
pest not only in deleting its files but undoing any registry changes and
replacing any other files it modified.

> I have an image from abt 7 months ago just after I first setup her new
> PC. I warned her that if she gets infected and it isn't easy to fix that
> I will just restore to that image and she will have to deal with it.

Better would be to get another hard disk onto which you can save images
are regular intervals, like weekly. There are plenty of free imaging
programs: Easeus Todo, Macrium Reflect Free, Paragon Backup & Restore.
Macrium (free) only lets you save full images. B&R lets you do
differentials to reduce the size of your backups (so you can save more
of them on your backup hard disk). ToDo does differential or
incrementals (which are even smaller). You can schedule regular backups
so you have more than just a really old initial image which means you
lose everything since then. While an initial image is okay, it's not a
whole lot better than just doing a fresh install of the OS and apps.

VanguardLH

unread,
Jan 9, 2012, 1:42:27 AM1/9/12
to
If the pest got onto her host, it's likely to happen again. Same user,
same behavior, same result. Time for another image backup.

Dustin

unread,
Jan 11, 2012, 2:58:39 PM1/11/12
to
Dennis <nob...@nowhere.invalid> wrote in
news:n0jkg7pe5i40v3536...@4ax.com:
Hi Dennis.

I suspect you didn't like my initial post to you. Ignoring me tho, isn't
always in your best interest. The scans you've performed will eliminate
the issue you presently have, but it's not fixing the problem. The
problem is the malware getting on the machine in the first place.

Spend a little time on google looking up "safer hex" and implement those
practices. While I'm a smartass at times, it's really for your benefit.

Dustin

unread,
Jan 11, 2012, 2:58:44 PM1/11/12
to
Dennis <nob...@nowhere.invalid> wrote in
news:n0jkg7pe5i40v3536...@4ax.com:

Dustin

unread,
Jan 11, 2012, 2:56:51 PM1/11/12
to
VanguardLH <V...@nguard.LH> wrote in news:jee249$4n8$1...@news.albasani.net:

> I haven't used ComboFix. Hopefully before doing any cleaning, it
> shows you what it plans to do.

It doesn't. It does it's thing, and if it made a mistake, and you don't
read the logs and you reboot, you're dead in the water. Don't recommend it
to be run by novices. It's automated.

Dustin

unread,
Jan 11, 2012, 3:00:53 PM1/11/12
to
VanguardLH <V...@nguard.LH> wrote in news:jee28d$4qf$1...@news.albasani.net:
Neither of you seem to be concerned with the potential for malware to be
backed up on those images. Neither of you have recommended he teach his
daughter better computer use practices. I would almost be willing to
wajor that if she isn't practicing safer-hex, she'll find the backups
"inconvenient" and not do them. What do you think?

Dustin

unread,
Jan 11, 2012, 2:59:31 PM1/11/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0a591f$0$291$1472...@news.sunsite.dk:
infected=virus. Trojan<>infected. One a system is trojanized, it's easy
enough to repair. Depending on the virus, it can also be repaired.
That's the lack of knowledge you have on this field rearing it's ugly
head on you again.

David H. Lipman

unread,
Jan 11, 2012, 3:16:17 PM1/11/12
to
From: "Dustin" <bughunte...@gmail.com>

>> Once a system is infected, review my reply to you in a recent post to you.
>>
>
> infected=virus. Trojan<>infected. One a system is trojanized, it's easy
> enough to repair. Depending on the virus, it can also be repaired.
> That's the lack of knowledge you have on this field rearing it's ugly
> head on you again.
>
>

I wouldn't agree there. Once malware is resident and acting upon a host that host is
infected.
In animal hosts they can be infected by; yeasts/molds, parasites, bacteria and viruses.
It is no different than with a computer host.

So I don't think; infected=virus Trojan<>infected is apropos.

Dustin

unread,
Jan 11, 2012, 3:27:32 PM1/11/12
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:jekqm...@news2.newsguy.com:

> From: "Dustin" <bughunte...@gmail.com>
>
>>> Once a system is infected, review my reply to you in a recent post
>>> to you.
>>>
>>
>> infected=virus. Trojan<>infected. One a system is trojanized, it's
>> easy enough to repair. Depending on the virus, it can also be
>> repaired. That's the lack of knowledge you have on this field
>> rearing it's ugly head on you again.
>>
>>
>
> I wouldn't agree there. Once malware is resident and acting upon a
> host that host is infected.
> In animal hosts they can be infected by; yeasts/molds, parasites,
> bacteria and viruses. It is no different than with a computer host.

No. It's a resident trojan. Still, not infected. Unless said trojan is
patching files to continue it's own existance. If not, then it's not
actually "infecting" anything. Creating an exe and a registry key to
load it later isn't infecting a machine.

> So I don't think; infected=virus Trojan<>infected is apropos.

Well, I hail from the virus/trojan terminology. Although I'm retired, I
still prefer to use the correct terminology when discussing them.

Dustin

unread,
Jan 11, 2012, 3:57:23 PM1/11/12
to
Dustin <bughunte...@gmail.com> wrote in
news:Xns9FD79EE7895D0HHI2948AJD832@no:

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:jekqm...@news2.newsguy.com:
>
>> From: "Dustin" <bughunte...@gmail.com>
>>
>>>> Once a system is infected, review my reply to you in a recent post
>>>> to you.
>>>>
>>>
>>> infected=virus. Trojan<>infected. One a system is trojanized, it's
>>> easy enough to repair. Depending on the virus, it can also be
>>> repaired. That's the lack of knowledge you have on this field
>>> rearing it's ugly head on you again.
>>>
>>>
>>
>> I wouldn't agree there. Once malware is resident and acting upon a
>> host that host is infected.
>> In animal hosts they can be infected by; yeasts/molds, parasites,
>> bacteria and viruses. It is no different than with a computer host.
>
> No. It's a resident trojan. Still, not infected. Unless said trojan
> is patching files to continue it's own existance. If not, then it's
> not actually "infecting" anything. Creating an exe and a registry key
> to load it later isn't infecting a machine.
>
>> So I don't think; infected=virus Trojan<>infected is apropos.
>
> Well, I hail from the virus/trojan terminology. Although I'm retired,
> I still prefer to use the correct terminology when discussing them.

I've got to retract this. I spoke with David via IM and I was unclear on
what he meant by host. My bad. Should have read then replied. :)

if we're discussing a host as a whole, then it's infected via a trojan
which overwhelmes the systems defences and takes hold via a load point or
residency. While it's not infecting files, it does have the system.

Sorry for any confusion I've caused.

David H. Lipman

unread,
Jan 11, 2012, 4:10:15 PM1/11/12
to
From: "Dustin" <bughunte...@gmail.com>
Thanx Dustin ! :-)

Bear

unread,
Jan 11, 2012, 7:04:37 PM1/11/12
to
On 1/11/2012 1:56 PM, Dustin wrote:
> VanguardLH<V...@nguard.LH> wrote in news:jee249$4n8$1...@news.albasani.net:
>
>> I haven't used ComboFix. Hopefully before doing any cleaning, it
>> shows you what it plans to do.
>
> It doesn't. It does it's thing, and if it made a mistake, and you don't
> read the logs and you reboot, you're dead in the water. Don't recommend it
> to be run by novices. It's automated.
>
>
>
But extreme novices are directed to run it all the time from afar. You
can counter with it is directed to be run by a 'helper' but they give
you a few basic things to do prior and set you onto the download link
and tell you to run it and then post the log if you can.

You should always have at the very least an image of the infected system
before you attempt any cleaning. IMO, if you become infected and you
don't have a clean system image to restore...you have no one to blame
but yourself and you should give easy money to someone who claims to
know how to fix it...though you can never be sure it's fixed/clean
unless you restore a know clean state.

Bear

unread,
Jan 11, 2012, 7:10:13 PM1/11/12
to
There is nothing anyone can do to be absolutely certain they will not
gain infections. Your statement to him is obtuse. Some people have
better understanding than others as to how best to reduce the
opportunity of infections...but even the best laid plans fall to prey.

You then are only left with fixing the problem and hope it doesn't
happen again.

The best thing to advise the OP is to learn how to image his system and
protect his data. That way, if infection does happen...he can recover
easily without bothering with cleaning.

For the OP, thoroughly read:
http://bearware.info/security.html especially the Comprehensive Security
Plan.

Bear

unread,
Jan 11, 2012, 7:16:28 PM1/11/12
to
You like to make that claim even though you are very wrong...it boosts
your own ego. You can't be sure that a variety of infections haven't
happened or that you have found them all or the remants of same. Of
course it is possible to perform a complete file by file thorough
inspection which takes hours...when it could be remedied easily in minutes.

You also like to preach cleaning and telling people how stupid they are
and you are the only one with the knowledge to clean.

What you should be doing is telling them how to protect themselves and
restore quickly and easily to a known clean state. Those that haven't
learned how or done so fall prey to your abuse.

http://bearware.info/security.html

Bear

unread,
Jan 11, 2012, 7:20:34 PM1/11/12
to
On 1/11/2012 2:27 PM, Dustin wrote:
> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
> news:jekqm...@news2.newsguy.com:
>
>> From: "Dustin"<bughunte...@gmail.com>
>>
>>>> Once a system is infected, review my reply to you in a recent post
>>>> to you.
>>>>
>>>
>>> infected=virus. Trojan<>infected. One a system is trojanized, it's
>>> easy enough to repair. Depending on the virus, it can also be
>>> repaired. That's the lack of knowledge you have on this field
>>> rearing it's ugly head on you again.
>>>
>>>
>>
>> I wouldn't agree there. Once malware is resident and acting upon a
>> host that host is infected.
>> In animal hosts they can be infected by; yeasts/molds, parasites,
>> bacteria and viruses. It is no different than with a computer host.
>
> No. It's a resident trojan. Still, not infected. Unless said trojan is
> patching files to continue it's own existance. If not, then it's not
> actually "infecting" anything. Creating an exe and a registry key to
> load it later isn't infecting a machine.
>
>> So I don't think; infected=virus Trojan<>infected is apropos.
>
> Well, I hail from the virus/trojan terminology. Although I'm retired, I
> still prefer to use the correct terminology when discussing them.
>

...and telling people how stupid they are without the slightest
knowledge of their actual expertise nor does it matter with the
simplicity of the right knowledge of easy means to protect yourself.

Common discussion always includes "My machine is infected with...." and
whether terminology is correct or not, that is how it is generally
discussed. Get over yourself.

Bear

unread,
Jan 11, 2012, 7:23:09 PM1/11/12
to
For one so concerned with correct terminology, you certainly aren't
concerned with spelling. She will either learn or continue to have
problems...certainly no reason not to try and teach her better ways of
all sorts.

FromTheRafters

unread,
Jan 11, 2012, 8:42:18 PM1/11/12
to
David H. Lipman wrote:
> From: "Dustin"<bughunte...@gmail.com>
>
>>> Once a system is infected, review my reply to you in a recent post to you.
>>>
>>
>> infected=virus. Trojan<>infected. One a system is trojanized, it's easy
>> enough to repair. Depending on the virus, it can also be repaired.
>> That's the lack of knowledge you have on this field rearing it's ugly
>> head on you again.
>>
>>
>
> I wouldn't agree there. Once malware is resident and acting upon a host that host is
> infected.
> In animal hosts they can be infected by; yeasts/molds, parasites, bacteria and viruses.
> It is no different than with a computer host.
>
> So I don't think; infected=virus Trojan<>infected is apropos.
>
Yeah, I often see "infected" used even with non-replicating malware. The
term 'infected' is used wherever malicious code attaches to other
(preexisting) code even if such code doesn't itself replicate.

I'm okay with that, but if there are no programs being modified
(trojanized) then I agree with Snapper's suggestion of "infests" rather
than "infects".

As for Bear, I agree with imaging being one of the best ways to restore
your system after an infection introduces 'unknowns' to your system. A
downloader for instance that may have downloaded and executed a variety
of malware 'unknown to detectors'. OTOH, if you know what you've got, it
may be overkill to resort to restoration when a removal tool will get
the job done.

FromTheRafters

unread,
Jan 11, 2012, 8:52:13 PM1/11/12
to
Bear wrote:
[...]

> The best thing to advise the OP is to learn how to image his system and
> protect his data. That way, if infection does happen...he can recover
> easily without bothering with cleaning.

It's good advice, but doesn't go far enough.

While restoring (to a previous state) or recovering (eliminating the
malware while retaining the current state) is good, it does nothing as
far as prevention is concerned. One must also be aware of what malware
can do *between* such cleanings. Malware isn't always about persistence.

it is best to not get infected/infested in the first place.

Bear

unread,
Jan 11, 2012, 9:10:53 PM1/11/12
to
Of course it's best. Tell me all about your silver bullet.

FromTheRafters

unread,
Jan 11, 2012, 9:20:16 PM1/11/12
to
Bear wrote:
> On 1/11/2012 7:52 PM, FromTheRafters wrote:
>> Bear wrote:
>> [...]
>>
>>> The best thing to advise the OP is to learn how to image his system and
>>> protect his data. That way, if infection does happen...he can recover
>>> easily without bothering with cleaning.
>>
>> It's good advice, but doesn't go far enough.
>>
>> While restoring (to a previous state) or recovering (eliminating the
>> malware while retaining the current state) is good, it does nothing as
>> far as prevention is concerned. One must also be aware of what malware
>> can do *between* such cleanings. Malware isn't always about persistence.
>>
>> it is best to not get infected/infested in the first place.
>
> Of course it's best. Tell me all about your silver bullet.
>
I said nothing of silver bullets, but you said nothing of prevention.

Bear

unread,
Jan 11, 2012, 9:29:56 PM1/11/12
to
I wasn't writing a book either. Read my Comprehensive Security Plan:
http://bearware.info/security.html

There is a helluva lot more to it than you mentioned in passing also.

Most people can easily learn how to image, and most do not do it. It is
the single most important thing a person can do to be self
supportive...therefore the most important to talk about.

Cleaning an infected computer is the worst thing one can do.

Learning as much as you can in best practices to prevent infection is
important...but there are no silver bullets. Best to learn how to recover.

Restoring an image is not time consuming at all and takes about the same
amount of time (and usually much less) than finding and eradicating
malware though without certainty.

Bear

unread,
Jan 11, 2012, 9:50:09 PM1/11/12
to
There are many more people who can more easily and more reliably learn
how to image and recover, than can reliably clean an infected computer.
If you aren't an expert at cleaning infected computers (and few are)
it's much more reliable to re-image...are you getting it?

It seems the very few purported experts in this group have more of a
tendency to berate than help...and I suppose the reason is they really
can't help that much - reliably...besides, their egos are more important
it seems.

Polk Salad

unread,
Jan 11, 2012, 11:02:26 PM1/11/12
to
In article <4f0e27f3$0$288$1472...@news.sunsite.dk>,
bearbott...@gmail.com says...

>For one so concerned with correct terminology, you certainly aren't
>concerned with spelling.

I would wajor you start fights with your playmates at recess.

FromTheRafters

unread,
Jan 11, 2012, 11:35:28 PM1/11/12
to
Bear wrote:
> On 1/11/2012 8:20 PM, FromTheRafters wrote:
>> Bear wrote:
>>> On 1/11/2012 7:52 PM, FromTheRafters wrote:
>>>> Bear wrote:
>>>> [...]
>>>>
>>>>> The best thing to advise the OP is to learn how to image his system
>>>>> and
>>>>> protect his data. That way, if infection does happen...he can recover
>>>>> easily without bothering with cleaning.
>>>>
>>>> It's good advice, but doesn't go far enough.
>>>>
>>>> While restoring (to a previous state) or recovering (eliminating the
>>>> malware while retaining the current state) is good, it does nothing as
>>>> far as prevention is concerned. One must also be aware of what malware
>>>> can do *between* such cleanings. Malware isn't always about
>>>> persistence.
>>>>
>>>> it is best to not get infected/infested in the first place.
>>>
>>> Of course it's best. Tell me all about your silver bullet.
>>>
>> I said nothing of silver bullets, but you said nothing of prevention.
>
> I wasn't writing a book either. Read my Comprehensive Security Plan:
> http://bearware.info/security.html

No.

> There is a helluva lot more to it than you mentioned in passing also.

I'm sure there is.

> Most people can easily learn how to image, and most do not do it. It is
> the single most important thing a person can do to be self
> supportive...therefore the most important to talk about.

Indeed, and when they get accustomed to how it is done, it is a far less
onerous job than some 'cleaning' operations are.

> Cleaning an infected computer is the worst thing one can do.

No,it isn't.

> Learning as much as you can in best practices to prevent infection is
> important...but there are no silver bullets. Best to learn how to recover.

Indeed, and harddrives can fail too. Best to have a restore plan of some
sort anyway.

> Restoring an image is not time consuming at all and takes about the same
> amount of time (and usually much less) than finding and eradicating
> malware though without certainty.

True.

FromTheRafters

unread,
Jan 11, 2012, 11:49:46 PM1/11/12
to
Bear wrote:
[...]

> it's much more reliable to re-image...are you getting it?

Implying that your opponent in a debate is dense only shows that your
stance is weak.

[...]

> It seems the very few purported experts in this group have more of a
> tendency to berate than help...and I suppose the reason is they really
> can't help that much - reliably...besides, their egos are more important
> it seems.

Maybe if you didn't act like such a condescending asshole you wouldn't
come up against so many bruised egos. I only added just a little advice
is all, even stated my agreement with you when I did. Then you get all
upset over nothing.

The OP's daughter would be best served by learning how to avoid malware
as much as possible, otherwise the next time may well be impossible to
recover from even *with* a good restore plan in effect.


Bear

unread,
Jan 12, 2012, 5:17:07 AM1/12/12
to
That I do when I see a reason.

Shadow

unread,
Jan 12, 2012, 9:01:32 AM1/12/12
to
On Thu, 12 Jan 2012 04:17:07 -0600, Bear wrote:

> On 1/11/2012 10:02 PM, Polk Salad wrote:
>> In article<4f0e27f3$0$288$1472...@news.sunsite.dk>,
>> bearbott...@gmail.com says...
>>
>>> For one so concerned with correct terminology, you certainly aren't
>>> concerned with spelling.
>>
>> I would wajor you start fights with your playmates at recess.
>>
> That I do when I see a reason.

Sorry about the late reply. Couldn't find the keyboard, it was
hidden under some DVDs. Just finished my 478 Gb data backup I started
three days ago. Now to label the DVDs. (actually, I did a double burn,
just in case) = 233 DVDs.
I'm afraid I can't use your infallible cloud solution, my
connection is too slow.
Shit ! Just found a trojan on one of the backups. Bloody antivirus
updated it's refs. Will restore my previous image and reply ASAP. Three
days time ? God I'm tired.....
[]'s

Bear

unread,
Jan 12, 2012, 5:42:21 PM1/12/12
to
People with older systems and slow Internet connections are definitely
at a disadvantage. Others shouldn't be penalized for it however.

Buffalo

unread,
Jan 12, 2012, 7:19:57 PM1/12/12
to


Bear wrote:
>
> People with older systems and slow Internet connections are definitely
> at a disadvantage. Others shouldn't be penalized for it however.
You sound just like an irresposible Republican.
Blame others. Yes!
Buffalo


Dustin

unread,
Jan 12, 2012, 8:36:55 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0e239c$0$284$1472...@news.sunsite.dk:

> On 1/11/2012 1:56 PM, Dustin wrote:
>> VanguardLH<V...@nguard.LH> wrote in
>> news:jee249$4n8$1...@news.albasani.net:
>>
>>> I haven't used ComboFix. Hopefully before doing any cleaning, it
>>> shows you what it plans to do.
>>
>> It doesn't. It does it's thing, and if it made a mistake, and you
>> don't read the logs and you reboot, you're dead in the water. Don't
>> recommend it to be run by novices. It's automated.
>>
>>
>>
> But extreme novices are directed to run it all the time from afar.
> You can counter with it is directed to be run by a 'helper' but they
> give you a few basic things to do prior and set you onto the download
> link and tell you to run it and then post the log if you can.

Yes, one of those things being the recovery console (wonder why?) and
erunt (although combofix will run this as well).

Dustin

unread,
Jan 12, 2012, 8:39:41 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0e2759$0$288$1472...@news.sunsite.dk:

> ...and telling people how stupid they are without the slightest
> knowledge of their actual expertise nor does it matter with the
> simplicity of the right knowledge of easy means to protect yourself.

Hi bear.

First, I didn't call David stupid. Second, I have a very good idea of his
expertise; I've known him a very very long time. Third, you're talking
from your ass again regarding me. Still licking your wounds from last time
you wanted to play with me? :)

David and I are actually friends, Bear. Just so you know. Everyone else
here does.

> Common discussion always includes "My machine is infected with...."
> and whether terminology is correct or not, that is how it is
> generally discussed. Get over yourself.

I see no issue with offering correct terminology when possible. Education
is the key and it never takes a day off.

Dustin

unread,
Jan 12, 2012, 8:42:29 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0e2662$0$288$1472...@news.sunsite.dk:
I'm sure you probably do wish this was true, but the facts are simple. I
am an expert in malware. Your personal distaste for the way in which I
carry myself here doesn't matter.

> haven't happened or that you have found them all or the remants of
> same. Of course it is possible to perform a complete file by file
> thorough inspection which takes hours...when it could be remedied
> easily in minutes.

As you're a non coder, You would obviously spend hours and hours
analyzing files. I, OTH, being able to read/write software; isn't
hamstrung by this. I have written apps which do this for me. ;p

> You also like to preach cleaning and telling people how stupid they
> are and you are the only one with the knowledge to clean.

I'd like for you to cite even one message ID where I'm calling someone
stupid AND that I'm claiming I and only I am the one who can cure their
illness. Show me the fucking Message ID. Please.

> What you should be doing is telling them how to protect themselves
> and restore quickly and easily to a known clean state. Those that
> haven't learned how or done so fall prey to your abuse.

I'm not a teacher Bear, I'm a doer.

Dustin

unread,
Jan 12, 2012, 8:43:04 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0e27f3$0$288$1472...@news.sunsite.dk:
A grammar lame? Really?

Dustin

unread,
Jan 12, 2012, 8:47:21 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0e24ec$0$284$1472...@news.sunsite.dk:

> There is nothing anyone can do to be absolutely certain they will not
> gain infections. Your statement to him is obtuse. Some people have

Not exactly true. Let's demonstrate. First, we run with no administrator
user. Second, we have IP policy settings which forbid installation of
new software, non admin or admin. We disable autorun.

We force noscript on firefox and disallow adobe,explorer,javascript,
etc.

Now....

Since you wanted to play games... Provide a viable example of a malware
getting free and fucking the user under those conditions. Those
conditions, btw, are some of that "safer-hex" I was talking about.

> better understanding than others as to how best to reduce the
> opportunity of infections...but even the best laid plans fall to
> prey.

I don't understand why you feel the need to attack me here. I suggested
they google safer hex and follow it. You seem to be in agreement here.

> You then are only left with fixing the problem and hope it doesn't
> happen again.

hope? Ehh... That's a stopgap fix then.

> The best thing to advise the OP is to learn how to image his system
> and protect his data. That way, if infection does happen...he can
> recover easily without bothering with cleaning.

That's not the best thing. The OP doesn't understand how the machine was
compromised in the first place. While a system image is nice,
responsible computing is even nicer. Not only for them, but for you and
me as well.

Bear

unread,
Jan 12, 2012, 9:04:18 PM1/12/12
to
On 1/12/2012 7:39 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f0e2759$0$288$1472...@news.sunsite.dk:
>
>> ...and telling people how stupid they are without the slightest
>> knowledge of their actual expertise nor does it matter with the
>> simplicity of the right knowledge of easy means to protect yourself.
>
> Hi bear.
>
> First, I didn't call David stupid. Second, I have a very good idea of his
> expertise; I've known him a very very long time. Third, you're talking
> from your ass again regarding me. Still licking your wounds from last time
> you wanted to play with me? :)
>
> David and I are actually friends, Bear. Just so you know. Everyone else
> here does.
>
I know well of you and David...he being the better. I referred to your
dealings with others...and think you may know this but deferring and
denying.

>> Common discussion always includes "My machine is infected with...."
>> and whether terminology is correct or not, that is how it is
>> generally discussed. Get over yourself.
>
> I see no issue with offering correct terminology when possible. Education
> is the key and it never takes a day off.
>

I see no issue either. I do take issue with using such to boost your own
ego especially out of context as I have already explained. I've watched
you stomp around for quite some time...dude.

Bear

unread,
Jan 12, 2012, 9:04:26 PM1/12/12
to
On 1/12/2012 7:42 PM, Dustin wrote:
> I'm not a teacher Bear, I'm a doer.

But you aren't doing anything...except flapping at the mouth.

Bear

unread,
Jan 12, 2012, 9:05:43 PM1/12/12
to
On 1/12/2012 7:43 PM, Dustin wrote:

>>> Neither of you seem to be concerned with the potential for malware
>>> to be backed up on those images. Neither of you have recommended he
>>> teach his daughter better computer use practices. I would almost be
>>> willing to wajor that if she isn't practicing safer-hex, she'll find
>>> the backups "inconvenient" and not do them. What do you think?
>>>
>>>
>>>
>>>
>> For one so concerned with correct terminology, you certainly aren't
>> concerned with spelling. She will either learn or continue to have
>> problems...certainly no reason not to try and teach her better ways
>> of all sorts.
>
> A grammar lame? Really?
>
>
>

LOL...you think there is a difference between the two? My my!

Bear

unread,
Jan 12, 2012, 9:19:09 PM1/12/12
to
On 1/12/2012 7:47 PM, Dustin wrote:
> That's not the best thing. The OP doesn't understand how the machine was
> compromised in the first place. While a system image is nice,
> responsible computing is even nicer. Not only for them, but for you and
> me as well.

I have the tools I need to prevent issues with malware as well as other
issues...but there you go again claiming 'he doesn't understand' (he's
stupid.) You're smart. Barf.

I can take my machine on any excursion I want right now. Intentionally
load it up with malware...and fix it in less than 30 minutes with a
fresh image. Responsible computing is much more difficult for people to
achieve than learning how to image well...you don't get this. I prefer
to point folks in the quickest direction of covering their ass and
becoming self reliant and imaging and data protection are the first and
foremost as well as quickest method to achieve this. Then direct them to
work on their knowledge. Responsible computing takes a lot more depth of
knowledge and experience to achieve...surely you know this...being as
smart as you are. That is your bane...I detest such behavior...you blind
yourself with your own mind. You stomp around trying to proclaim
dominance in an area you can't dominate.

Responsible computing is no silver bullet as you profess it to be.

Dustin! There are no silver bullets, and authors of malware are always a
step ahead of you and others like you and me. It puts you on the same
playing field as you would like to elevate yourself from. You sound like
an egomaniac with a huge complex. Folks well more at expertise than you
are defeated all the time...certainly you know this.

Dustin

unread,
Jan 12, 2012, 9:23:12 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0f912a$0$291$1472...@news.sunsite.dk:

> I know well of you and David...he being the better. I referred to
> your dealings with others...and think you may know this but deferring
> and denying.

Sure you do. This is why you had to be told who I was.... Dude, you can
stop the bullshit anytime. I don't take this personally with you.

deferring and denying? Denying what? Is this your best trollish manuever?
Oh, don't bother answering. I'm debating killfiling you anyhow.

> I see no issue either. I do take issue with using such to boost your
> own ego especially out of context as I have already explained. I've
> watched you stomp around for quite some time...dude.

What is it with you and this ego thing? For someone who "knows well of
me" you sure don't know much at all. stomp around? Listen, mr ex drug
runner, anytime you want to debate/question/get a 2nd opinion of my
technical expertise.

Dustin

unread,
Jan 12, 2012, 9:24:35 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in news:4f0f9132$0$291$14726298
@news.sunsite.dk:

> On 1/12/2012 7:42 PM, Dustin wrote:
>> I'm not a teacher Bear, I'm a doer.
>
> But you aren't doing anything...except flapping at the mouth.
>

Read the initial post I made before you wasted time attacking me..
I said, and I'll quote for.. posterity.. "safer hex". that's not flapping
at the mouth, that's trying to help the poor bastard before his daughter
fucks the machine up (again).

David H. Lipman

unread,
Jan 12, 2012, 9:26:08 PM1/12/12
to
From: "Bear" <bearbott...@gmail.com>

| On 1/12/2012 7:39 PM, Dustin wrote:
>> Bear<bearbott...@gmail.com> wrote in
>> news:4f0e2759$0$288$1472...@news.sunsite.dk:
>>
>>> ...and telling people how stupid they are without the slightest
>>> knowledge of their actual expertise nor does it matter with the
>>> simplicity of the right knowledge of easy means to protect yourself.
>>
>> Hi bear.
>>
>> First, I didn't call David stupid. Second, I have a very good idea of his
>> expertise; I've known him a very very long time. Third, you're talking
>> from your ass again regarding me. Still licking your wounds from last
>> time
>> you wanted to play with me? :)
>>
>> David and I are actually friends, Bear. Just so you know. Everyone else
>> here does.
>>
| I know well of you and David...he being the better. I referred to your
| dealings with others...and think you may know this but deferring and
| denying.

I am not "better" than Dustin, only different with different skills and many
of Dustin's skills are better than mine.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Dustin

unread,
Jan 12, 2012, 9:26:33 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in news:4f0f9180$0$291$14726298
@news.sunsite.dk:

> On 1/12/2012 7:43 PM, Dustin wrote:
>
>>>> Neither of you seem to be concerned with the potential for malware
>>>> to be backed up on those images. Neither of you have recommended he
>>>> teach his daughter better computer use practices. I would almost be
>>>> willing to wajor that if she isn't practicing safer-hex, she'll
find
>>>> the backups "inconvenient" and not do them. What do you think?
>>>>
>>>>
>>>>
>>>>
>>> For one so concerned with correct terminology, you certainly aren't
>>> concerned with spelling. She will either learn or continue to have
>>> problems...certainly no reason not to try and teach her better ways
>>> of all sorts.
>>
>> A grammar lame? Really?
>>
>>
>>
>
> LOL...you think there is a difference between the two? My my!
>
>

So that's a "Yes, all I had was a grammar lame.".. I gotcha..

Bear, stick to what you're somewhat okay at, reviewing software. I enjoy
reading some of your commentary.

Dustin

unread,
Jan 12, 2012, 9:30:55 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0f94a5$0$291$1472...@news.sunsite.dk:

> On 1/12/2012 7:47 PM, Dustin wrote:
>> That's not the best thing. The OP doesn't understand how the machine
>> was compromised in the first place. While a system image is nice,
>> responsible computing is even nicer. Not only for them, but for you
>> and me as well.
>
> I have the tools I need to prevent issues with malware as well as
> other issues...but there you go again claiming 'he doesn't
> understand' (he's stupid.) You're smart. Barf.

He doesn't. Obviously, the machine is infected. He has no clue how it
happened nor how to prevent it from happening again. "Barf." on
yourself.

> I can take my machine on any excursion I want right now.
> Intentionally load it up with malware...and fix it in less than 30
> minutes with a fresh image. Responsible computing is much more

Hmm. So, if the malware sample reflashed your BIOS with garbage data,
you'd be back up and going in 30 minutes with a system image? LOL!, I
don't fucking think so.

Like I said, you don't know half as much as you think you do about this.

> Dustin! There are no silver bullets, and authors of malware are

Bear!

I *WAS ONE OF THOSE AUTHORS*. I don't speak from my ass dude, I speak
from 1st hand experience writing them. I don't claim any silver bullet,
I simply suggested a more responsible idea; safer hex, googling it. Feel
free to do that sometime, yourself. Your idea of a system image isn't a
bad one, but it's far from perfect. It deals with the infection after
such has occured. It's better to prevent it in the first place, and most
of the time reasonable steps can be taken to do so.

> always a step ahead of you and others like you and me. It puts you on

Always a step ahead of you and people like you yes, We will be. It's
hard to be a step ahead of myself tho....

> You sound like an egomaniac with a huge complex. Folks well more at
> expertise than you are defeated all the time...certainly you know
> this.

I do, I've been responsible for many system compromisings throughout the
years. I turned a new leaf tho.

Bear

unread,
Jan 12, 2012, 9:35:21 PM1/12/12
to
On 1/12/2012 8:24 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in news:4f0f9132$0$291$14726298
> @news.sunsite.dk:
>
>> On 1/12/2012 7:42 PM, Dustin wrote:
>>> I'm not a teacher Bear, I'm a doer.
>>
>> But you aren't doing anything...except flapping at the mouth.
>>
>
> Read the initial post I made before you wasted time attacking me..
> I said, and I'll quote for.. posterity.. "safer hex". that's not flapping
> at the mouth, that's trying to help the poor bastard before his daughter
> fucks the machine up (again).
>
>
So you think he can teach her safe hex faster than he can teach her
imaging? I'm only attacking you because I see you stomping and thrusting
out your chest. Being a coder makes you only that, a coder...it gives
you a skill which many people who visit these groups don't have though
they have skills you don't have. Beating them over the head with how you
think that makes you more of an expert doesn't help them. Giving them
the best advice that suits their abilities does help. I see you do
little of that, and yes it irks me. I can accept you for what you
present yourself to be and even how you behave, but I am pointing it out
now. We can move on.

Bear

unread,
Jan 12, 2012, 9:38:11 PM1/12/12
to
On 1/12/2012 8:26 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in news:4f0f9180$0$291$14726298
> @news.sunsite.dk:
>
>> On 1/12/2012 7:43 PM, Dustin wrote:
>>
>>>>> Neither of you seem to be concerned with the potential for malware
>>>>> to be backed up on those images. Neither of you have recommended he
>>>>> teach his daughter better computer use practices. I would almost be
>>>>> willing to wajor that if she isn't practicing safer-hex, she'll
> find
>>>>> the backups "inconvenient" and not do them. What do you think?
>>>>>
>>>>>
>>>>>
>>>>>
>>>> For one so concerned with correct terminology, you certainly aren't
>>>> concerned with spelling. She will either learn or continue to have
>>>> problems...certainly no reason not to try and teach her better ways
>>>> of all sorts.
>>>
>>> A grammar lame? Really?
>>>
>>>
>>>
>>
>> LOL...you think there is a difference between the two? My my!
>>
>>
>
> So that's a "Yes, all I had was a grammar lame.".. I gotcha..
>
> Bear, stick to what you're somewhat okay at, reviewing software. I enjoy
> reading some of your commentary.
>
>
>
Oh relax. There is no difference between the two and a point well made.
You know it.

I'm pretty much done with voicing my distaste for your behavior and you
do have skills that present knowledge many don't have. I enjoy that. I
prefer less of the other...but I can live with it :)

Bear

unread,
Jan 12, 2012, 9:42:38 PM1/12/12
to
...and many of your skills are better than Dustin's...as so with many
who frequent these groups which creates a wealth of diverse knowledge.
Even the least knowledgeable folks many times provide valuable insight.
You most definitely have better people skills...which is very important
if you want to make a point. Dustin's OK though, and I do value his
knowledge.

Bear

unread,
Jan 12, 2012, 9:54:02 PM1/12/12
to
On 1/12/2012 8:30 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f0f94a5$0$291$1472...@news.sunsite.dk:
>
>> On 1/12/2012 7:47 PM, Dustin wrote:
>>> That's not the best thing. The OP doesn't understand how the machine
>>> was compromised in the first place. While a system image is nice,
>>> responsible computing is even nicer. Not only for them, but for you
>>> and me as well.
>>
>> I have the tools I need to prevent issues with malware as well as
>> other issues...but there you go again claiming 'he doesn't
>> understand' (he's stupid.) You're smart. Barf.
>
> He doesn't. Obviously, the machine is infected. He has no clue how it
> happened nor how to prevent it from happening again. "Barf." on
> yourself.

I know...everybody knows that is your position. If he first learns how
to image, he can easily become self reliant while he learns other tools
of knowledge which takes a lot more effort, time, and experience.
>
>> I can take my machine on any excursion I want right now.
>> Intentionally load it up with malware...and fix it in less than 30
>> minutes with a fresh image. Responsible computing is much more
>
> Hmm. So, if the malware sample reflashed your BIOS with garbage data,
> you'd be back up and going in 30 minutes with a system image? LOL!, I
> don't fucking think so.

You don't think a bios can be restored? A MBR? Anything that happens to
the firmware or software?
>
> Like I said, you don't know half as much as you think you do about this.

You don't have a clue what I know.
>
>> Dustin! There are no silver bullets, and authors of malware are
>
> Bear!
>
> I *WAS ONE OF THOSE AUTHORS*. I don't speak from my ass dude, I speak
> from 1st hand experience writing them. I don't claim any silver bullet,
> I simply suggested a more responsible idea; safer hex, googling it. Feel
> free to do that sometime, yourself. Your idea of a system image isn't a
> bad one, but it's far from perfect. It deals with the infection after
> such has occured. It's better to prevent it in the first place, and most
> of the time reasonable steps can be taken to do so.

Of course it's better to prevent...but THERE ARE NO SILVER BULLETS no
matter how good you are. Folks can protect themselves faster and better
with learning how to image which take minutes, compared to many hours,
days, months, years, to gain the level of expertise to prevent, and many
will never put forth enough effort. Those that do will gain skills, but
it takes time and much effort and the malware authors will still be
ahead of them...you don't get that.

That you *were* one of those authors means nothing in light of the fact
that there *are* malware authors in action now and constantly evolving
well beyond your knowledge. That is a fact you resist.
>
>> always a step ahead of you and others like you and me. It puts you on
>
> Always a step ahead of you and people like you yes, We will be. It's
> hard to be a step ahead of myself tho....
>
>> You sound like an egomaniac with a huge complex. Folks well more at
>> expertise than you are defeated all the time...certainly you know
>> this.
>
> I do, I've been responsible for many system compromisings throughout the
> years. I turned a new leaf tho.
>
>


--

Dustin

unread,
Jan 12, 2012, 10:25:03 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0f9873$0$294$1472...@news.sunsite.dk:

> On 1/12/2012 8:24 PM, Dustin wrote:
>> Bear<bearbott...@gmail.com> wrote in
>> news:4f0f9132$0$291$14726298 @news.sunsite.dk:
>>
>>> On 1/12/2012 7:42 PM, Dustin wrote:
>>>> I'm not a teacher Bear, I'm a doer.
>>>
>>> But you aren't doing anything...except flapping at the mouth.
>>>
>>
>> Read the initial post I made before you wasted time attacking me..
>> I said, and I'll quote for.. posterity.. "safer hex". that's not
>> flapping at the mouth, that's trying to help the poor bastard before
>> his daughter fucks the machine up (again).
>>
>>
> So you think he can teach her safe hex faster than he can teach her
> imaging? I'm only attacking you because I see you stomping and

It's not about doing something faster, atleast it isn't to me. I feel
that if he is able to teach her safer hex and she follows it, she can
keep the machine reasonably safer from such issues in the future. Your
suggestion of imaging is sound for data backup purposes. Hardware
failure is still more likely to take your valuable data; and for that,
nothing beats a good image. As you know. It's just not the solution in
my opinion, as nothing actually is, but you can use a multi layered
approach to the problem. Imaging and safer hex make a good combination.

Dustin

unread,
Jan 12, 2012, 10:35:35 PM1/12/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f0f9cd5$0$282$1472...@news.sunsite.dk:

> You don't think a bios can be restored? A MBR? Anything that happens
> to the firmware or software?

I know firmware can be restored. It's a programmable EEPROM (I'm
simplfying). I was being cheeky to your image and it'll all be okay
statement (paraphrased).

> You don't have a clue what I know.

Ok. I've written 3 BIOS reading utils and two writers for some
experimental projects. And you?

> That you *were* one of those authors means nothing in light of the
> fact that there *are* malware authors in action now and constantly
> evolving well beyond your knowledge. That is a fact you resist.

I understand where you're going with this. I'm not a washed up has-been.
Although I no longer write destructive code, I do still
write/debug/disassemble code. The majority of the malware you see on
machines today are glorified trojans; hardly the type of stuff I and
many of my peers once were responsible for creating. I spent a great
deal of time at malwarebytes and on my own disassembling and otherwise
analyzing stupid trojans which didn't do anything special really, except
try to steal somebodies credit card information with a bogus "Your
infected, register me to clean these viruses! Have your credit card
handy." message. Some more creative than others, but I digress.

the tricks and technologies being employed are still based on the same
principles any programmer/coder worth her/his salt should know (lest
they be any good). Take a rootkit for example. On a windows machine,
it's actually a stealth trojan. I kid you not. Stealth from TSR days,
being dubbed a rootkit. A real rootkit tries to breach the root user on
a unix system; Windows doesn't even have root user! :( Another shameful
punishment of incorrect terminology; this one stuck tho. Everybody uses
it. It's just stealth. It hides, it helps other programs to hide while
it's running. It's NOT new technology.


Anyways, I mean no disrespect with my bluntness, but please don't
confuse the eyecandy for something new under the hood. The concepts
aren't.

Bear

unread,
Jan 13, 2012, 5:08:36 AM1/13/12
to
On 1/12/2012 9:25 PM, Dustin wrote:
> It's not about doing something faster, atleast it isn't to me. I feel
> that if he is able to teach her safer hex and she follows it, she can
> keep the machine reasonably safer from such issues in the future. Your
> suggestion of imaging is sound for data backup purposes. Hardware
> failure is still more likely to take your valuable data; and for that,
> nothing beats a good image. As you know. It's just not the solution in
> my opinion, as nothing actually is, but you can use a multi layered
> approach to the problem. Imaging and safer hex make a good combination.

Imaging is for recovery. Data backup is best done real-time,
automatically, and off-site. Such will also automatically restore your
most recent data to a restored image for a complete recovery.

Once that is accomplished, you can then start learning as much as you
can about prevention and protection.

Bear

unread,
Jan 13, 2012, 5:10:28 AM1/13/12
to
On 1/12/2012 8:23 PM, Dustin wrote:
> What is it with you and this ego thing? For someone who "knows well of
> me" you sure don't know much at all. stomp around? Listen, mr ex drug
> runner, anytime you want to debate/question/get a 2nd opinion of my
> technical expertise.

Here you are making a false allegation in a public forum. That is called
slander. Tread lightly. It's also demeaning to you.

Bear

unread,
Jan 13, 2012, 5:17:37 AM1/13/12
to
I'm not inferring you are a has-been. The game is one that the good guys
are always one step behind the bad guys...hence zero day attempts at
catching up, hourly signature updates, cloud sourced networks, etc. etc.
It's not personal Dustin. So no matter how good you are, you are always
one step behind.

FromTheRafters

unread,
Jan 13, 2012, 2:41:33 PM1/13/12
to
Bear wrote:
> On 1/12/2012 8:23 PM, Dustin wrote:
>> What is it with you and this ego thing? For someone who "knows well of
>> me" you sure don't know much at all. stomp around? Listen, mr ex drug
>> runner, anytime you want to debate/question/get a 2nd opinion of my
>> technical expertise.
>
> Here you are making a false allegation in a public forum. That is called
> slander.

No, it's called 'libel'. I do believe it has to be untrue to be
successfully proven as defamation.

Are you saying that you are not an *ex* drug runner?

FromTheRafters

unread,
Jan 13, 2012, 3:02:12 PM1/13/12
to
Bear wrote:
[...]

> The game is one that the good guys
> are always one step behind the bad guys...hence zero day attempts at
> catching up, hourly signature updates, cloud sourced networks, etc. etc.
> It's not personal Dustin. So no matter how good you are, you are always
> one step behind.

This is true, it is the difference between the proactive approach and
the reactive approach. Scanning programs for known malware does indeed
require that the malware exist prior to the detection capability. You
need a signature for signature based scanning, and behavior for behavior
based detection.

Safe-Hex is not reactive, it is proactive.

Imaging is restoration or even recovery (if the image is 'current') and
should be done *anyway* even if malware didn't exist. What if a
satellite should fall from the sky and land on your harddrive? Yes, an
off-site image is a good thing and is proactive risk mitigation.

[...]

Bear

unread,
Jan 13, 2012, 3:13:09 PM1/13/12
to
Yes, I am saying that. It's been bantered around here a bit which I've
always ignored. Time to set the record straight.

Libel it is then...meaning criminal accusation. It's the last I will say
on the subject in this forum.

Dustin

unread,
Jan 13, 2012, 5:08:59 PM1/13/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f109060$0$283$1472...@news.sunsite.dk:

> On 1/13/2012 1:41 PM, FromTheRafters wrote:
>> Bear wrote:
>>> On 1/12/2012 8:23 PM, Dustin wrote:
>>>> What is it with you and this ego thing? For someone who "knows
>>>> well of me" you sure don't know much at all. stomp around? Listen,
>>>> mr ex drug runner, anytime you want to debate/question/get a 2nd
>>>> opinion of my technical expertise.
>>>
>>> Here you are making a false allegation in a public forum. That is
>>> called slander.
>>
>> No, it's called 'libel'. I do believe it has to be untrue to be
>> successfully proven as defamation.
>>
>> Are you saying that you are not an *ex* drug runner?
>
> Yes, I am saying that. It's been bantered around here a bit which
> I've always ignored. Time to set the record straight.

You fucking liar. It's all over alt.comp.freeware, and you provided the
information for us to lookup. You used to fly a plane smuggling drugs.

> Libel it is then...meaning criminal accusation. It's the last I will
> say on the subject in this forum.

See above. Then, lookup libel and read the definition SLOWLY. I have to
knowingly be saying things which AREN'T true, stupid fucker.

Dustin

unread,
Jan 13, 2012, 5:12:20 PM1/13/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f1004cb$0$282$1472...@news.sunsite.dk:

> It's not personal Dustin. So no matter how good
> you are, you are always one step behind.

Only due to statistical volume bear am I behind. Not in the technology,
but simply the detection signature(s). I know how it goes dude, as I tried
to explain previously.. I just didn't write stupid trojans. I wrote things
that kept on giving. :) My viewpoint comes from seeing things from both
sides of the fence. I know the greener looking grass is spraypainted.
*grin*.

FromTheRafters

unread,
Jan 13, 2012, 5:25:49 PM1/13/12
to
Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f109060$0$283$1472...@news.sunsite.dk:
>
>> On 1/13/2012 1:41 PM, FromTheRafters wrote:
>>> Bear wrote:
>>>> On 1/12/2012 8:23 PM, Dustin wrote:
>>>>> What is it with you and this ego thing? For someone who "knows
>>>>> well of me" you sure don't know much at all. stomp around? Listen,
>>>>> mr ex drug runner, anytime you want to debate/question/get a 2nd
>>>>> opinion of my technical expertise.
>>>>
>>>> Here you are making a false allegation in a public forum. That is
>>>> called slander.
>>>
>>> No, it's called 'libel'. I do believe it has to be untrue to be
>>> successfully proven as defamation.
>>>
>>> Are you saying that you are not an *ex* drug runner?
>>
>> Yes, I am saying that. It's been bantered around here a bit which
>> I've always ignored. Time to set the record straight.
>
> You fucking liar. It's all over alt.comp.freeware, and you provided the
> information for us to lookup. You used to fly a plane smuggling drugs.
>
>> Libel it is then...meaning criminal accusation. It's the last I will
>> say on the subject in this forum.
>
> See above. Then, lookup libel and read the definition SLOWLY. I have to
> knowingly be saying things which AREN'T true, stupid fucker.
>
Saying defamatory things about another can be slander, writing them can
be libel.

Dustin

unread,
Jan 13, 2012, 6:19:03 PM1/13/12
to
FromTheRafters <err...@nomail.afraid.org> wrote in
news:jeqb1e$et4$1...@dont-email.me:
Yes, on the condition both aren't true. When he admits to doing it on
numerous occasions.. he hasn't got a pot to piss in or a window to
throw it out of.

Bear

unread,
Jan 13, 2012, 7:08:04 PM1/13/12
to
On 1/13/2012 4:08 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f109060$0$283$1472...@news.sunsite.dk:
>
>> On 1/13/2012 1:41 PM, FromTheRafters wrote:
>>> Bear wrote:
>>>> On 1/12/2012 8:23 PM, Dustin wrote:
>>>>> What is it with you and this ego thing? For someone who "knows
>>>>> well of me" you sure don't know much at all. stomp around? Listen,
>>>>> mr ex drug runner, anytime you want to debate/question/get a 2nd
>>>>> opinion of my technical expertise.
>>>>
>>>> Here you are making a false allegation in a public forum. That is
>>>> called slander.
>>>
>>> No, it's called 'libel'. I do believe it has to be untrue to be
>>> successfully proven as defamation.
>>>
>>> Are you saying that you are not an *ex* drug runner?
>>
>> Yes, I am saying that. It's been bantered around here a bit which
>> I've always ignored. Time to set the record straight.
>
> You fucking liar. It's all over alt.comp.freeware, and you provided the
> information for us to lookup. You used to fly a plane smuggling drugs.
>
>> Libel it is then...meaning criminal accusation. It's the last I will
>> say on the subject in this forum.
>
> See above. Then, lookup libel and read the definition SLOWLY. I have to
> knowingly be saying things which AREN'T true, stupid fucker.
>
>
All you have to do is spread lies without proof of knowledge. I'll let
you talk to my attorney...email me and I'll send you his phone number.

There are a lot of falsehoods all over the Internet.

Bear

unread,
Jan 13, 2012, 7:10:25 PM1/13/12
to
I've never admitted to any such. I've never been convicted of any crime.
You my friend are committing a criminal offense and it's time to for you
to understand that you have liability for it. Let's put this to the test.

Dustin

unread,
Jan 13, 2012, 7:57:53 PM1/13/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f10c774$0$284$1472...@news.sunsite.dk:

> All you have to do is spread lies without proof of knowledge. I'll
> let you talk to my attorney...email me and I'll send you his phone
> number.

Oh... Big threats, Bear. My email address is valid. Unlike you, I don't
hide my contact information. ;p

Bear

unread,
Jan 13, 2012, 8:23:05 PM1/13/12
to
On 1/13/2012 6:57 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f10c774$0$284$1472...@news.sunsite.dk:
>
>> All you have to do is spread lies without proof of knowledge. I'll
>> let you talk to my attorney...email me and I'll send you his phone
>> number.
>
> Oh... Big threats, Bear. My email address is valid. Unlike you, I don't
> hide my contact information. ;p
>
>
Jesus Dustin...it is not a threat and I don't hide my contact information.

It is a simple fact you are conducting liable and/or slander against me
and I have the right to legally pursue it. As you seem to wish to
persist in that conduct, I am intent to follow up.

I will email you.

Bear

unread,
Jan 13, 2012, 8:32:02 PM1/13/12
to
On 1/13/2012 7:23 PM, Bear wrote:
> On 1/13/2012 6:57 PM, Dustin wrote:
>> Bear<bearbott...@gmail.com> wrote in
>> news:4f10c774$0$284$1472...@news.sunsite.dk:
>>
>>> All you have to do is spread lies without proof of knowledge. I'll
>>> let you talk to my attorney...email me and I'll send you his phone
>>> number.
>>
>> Oh... Big threats, Bear. My email address is valid. Unlike you, I don't
>> hide my contact information. ;p
>>
>>
> Jesus Dustin...it is not a threat and I don't hide my contact information.
>
> It is a simple fact you are conducting liable and/or slander against me
> and I have the right to legally pursue it. As you seem to wish to
> persist in that conduct, I am intent to follow up.
>
> I will email you.
>
>
Email sent!

Ant

unread,
Jan 13, 2012, 9:53:09 PM1/13/12
to
"Dustin" wrote:

> Bear wrote:
>> On 1/13/2012 1:41 PM, FromTheRafters wrote:
>>> Are you saying that you are not an *ex* drug runner?
>>
>> Yes, I am saying that. It's been bantered around here a bit which
>> I've always ignored. Time to set the record straight.
>
> You fucking liar. It's all over alt.comp.freeware, and you provided the
> information for us to lookup. You used to fly a plane smuggling drugs.

Do you believe everything you read on the internet - especially in
said newsgroup where trolls and imposters abound?

And anyway, who gives a shit? I believe you like a puff yourself.


Dustin

unread,
Jan 13, 2012, 10:15:33 PM1/13/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f10d905$0$295$1472...@news.sunsite.dk:

> On 1/13/2012 6:57 PM, Dustin wrote:
>> Bear<bearbott...@gmail.com> wrote in
>> news:4f10c774$0$284$1472...@news.sunsite.dk:
>>
>>> All you have to do is spread lies without proof of knowledge. I'll
>>> let you talk to my attorney...email me and I'll send you his phone
>>> number.
>>
>> Oh... Big threats, Bear. My email address is valid. Unlike you, I
>> don't hide my contact information. ;p
>>
>>
> Jesus Dustin...it is not a threat and I don't hide my contact
> information.

Bear.. Either I just haven't smoked enough today (just kidding!) or one
of us is having a bad day...

> It is a simple fact you are conducting liable and/or slander against
> me and I have the right to legally pursue it. As you seem to wish to
> persist in that conduct, I am intent to follow up.

Alright then. If the stories (which afaik, you've never declined until
now?) aren't true, then I won't mention them anymore. Fair enough?

> I will email you.

That's fine too.

Dustin

unread,
Jan 13, 2012, 10:17:23 PM1/13/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f10db1e$0$295$1472...@news.sunsite.dk:

> On 1/13/2012 7:23 PM, Bear wrote:
>> On 1/13/2012 6:57 PM, Dustin wrote:
>>> Bear<bearbott...@gmail.com> wrote in
>>> news:4f10c774$0$284$1472...@news.sunsite.dk:
>>>
>>>> All you have to do is spread lies without proof of knowledge. I'll
>>>> let you talk to my attorney...email me and I'll send you his phone
>>>> number.
>>>
>>> Oh... Big threats, Bear. My email address is valid. Unlike you, I
>>> don't hide my contact information. ;p
>>>
>>>
>> Jesus Dustin...it is not a threat and I don't hide my contact
>> information.
>>
>> It is a simple fact you are conducting liable and/or slander against
>> me and I have the right to legally pursue it. As you seem to wish to
>> persist in that conduct, I am intent to follow up.
>>
>> I will email you.
>>
>>
> Email sent!
>

Yea, about that.. I read your email. I didn't like the tone.

So... It's time to enlighten you about something. Is Bear Bottoms your
full and legal name? As that's the persona I've accused of being an ex
drug runner based on posts from alt.comp.freeware. Be sure and tell your
lawyer that, fucktard.

Dustin

unread,
Jan 13, 2012, 10:18:52 PM1/13/12
to
"Ant" <n...@home.today> wrote in news:Sp-
dnbqD_YXvc43Sn...@brightview.co.uk:

> "Dustin" wrote:
>
>> Bear wrote:
>>> On 1/13/2012 1:41 PM, FromTheRafters wrote:
>>>> Are you saying that you are not an *ex* drug runner?
>>>
>>> Yes, I am saying that. It's been bantered around here a bit which
>>> I've always ignored. Time to set the record straight.
>>
>> You fucking liar. It's all over alt.comp.freeware, and you provided the
>> information for us to lookup. You used to fly a plane smuggling drugs.
>
> Do you believe everything you read on the internet - especially in
> said newsgroup where trolls and imposters abound?

Of course not. Does it matter that some thing known as Bear Bottoms (hehe)
has been unjustly accused? Nope.

> And anyway, who gives a shit? I believe you like a puff yourself.

I'd be a liar if I said I didn't appreciate the stuff. [g]

Bear

unread,
Jan 13, 2012, 10:27:08 PM1/13/12
to
On 1/13/2012 9:17 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f10db1e$0$295$1472...@news.sunsite.dk:
>
>> On 1/13/2012 7:23 PM, Bear wrote:
>>> On 1/13/2012 6:57 PM, Dustin wrote:
>>>> Bear<bearbott...@gmail.com> wrote in
>>>> news:4f10c774$0$284$1472...@news.sunsite.dk:
>>>>
>>>>> All you have to do is spread lies without proof of knowledge. I'll
>>>>> let you talk to my attorney...email me and I'll send you his phone
>>>>> number.
>>>>
>>>> Oh... Big threats, Bear. My email address is valid. Unlike you, I
>>>> don't hide my contact information. ;p
>>>>
>>>>
>>> Jesus Dustin...it is not a threat and I don't hide my contact
>>> information.
>>>
>>> It is a simple fact you are conducting liable and/or slander against
>>> me and I have the right to legally pursue it. As you seem to wish to
>>> persist in that conduct, I am intent to follow up.
>>>
>>> I will email you.
>>>
>>>
>> Email sent!
>>
>
> Yea, about that.. I read your email. I didn't like the tone.

I don't like slanderous or libelous accusations! I meant what I said.
>
> So... It's time to enlighten you about something. Is Bear Bottoms your
> full and legal name? As that's the persona I've accused of being an ex
> drug runner based on posts from alt.comp.freeware. Be sure and tell your
> lawyer that, fucktard.
>
>
Of course it isn't. Would you think it is? You are basing your
slanderous or libelous accusations on Usenet posts? At any rate, I'll
take that as a withdrawal...move on.

Bear

unread,
Jan 13, 2012, 10:29:09 PM1/13/12
to
On 1/13/2012 9:15 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f10d905$0$295$1472...@news.sunsite.dk:
>
>> On 1/13/2012 6:57 PM, Dustin wrote:
>>> Bear<bearbott...@gmail.com> wrote in
>>> news:4f10c774$0$284$1472...@news.sunsite.dk:
>>>
>>>> All you have to do is spread lies without proof of knowledge. I'll
>>>> let you talk to my attorney...email me and I'll send you his phone
>>>> number.
>>>
>>> Oh... Big threats, Bear. My email address is valid. Unlike you, I
>>> don't hide my contact information. ;p
>>>
>>>
>> Jesus Dustin...it is not a threat and I don't hide my contact
>> information.
>
> Bear.. Either I just haven't smoked enough today (just kidding!) or one
> of us is having a bad day...
>
>> It is a simple fact you are conducting liable and/or slander against
>> me and I have the right to legally pursue it. As you seem to wish to
>> persist in that conduct, I am intent to follow up.
>
> Alright then. If the stories (which afaik, you've never declined until
> now?) aren't true, then I won't mention them anymore. Fair enough?
>

Fair enough. Let's get past this hate shit and do our best to help or
offer what information we can. You've got a lot to offer and so do I.

Dustin

unread,
Jan 13, 2012, 11:00:01 PM1/13/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f10f61a$0$282$1472...@news.sunsite.dk:

> Of course it isn't. Would you think it is? You are basing your

I would hope your parents didn't think that low of you, no. :) The main
point I was cheekily trying to make tho is that well, from a legal
(ethical I suppose you've got me) standpoint you haven't a leg to stand
on. Unless! You really were Bear Bottoms. hehehe.

> take that as a withdrawal...move on.

Bear,

You really need to relax a little bit. I'm not your enemy. I'm not here to
antagonize you. Perhaps a slight jab or witty remark on occasion, but
that's about the jest of it. I mean you no harm.

Ant

unread,
Jan 14, 2012, 8:18:33 AM1/14/12
to
"Dustin" wrote:

> "Ant" wrote:
>> "Dustin" wrote:
>>> Bear wrote:
>>>> On 1/13/2012 1:41 PM, FromTheRafters wrote:
>>>>> Are you saying that you are not an *ex* drug runner?
>>>>
>>>> Yes, I am saying that. It's been bantered around here a bit which
>>>> I've always ignored. Time to set the record straight.
>>>
>>> You fucking liar. It's all over alt.comp.freeware, and you provided the
>>> information for us to lookup. You used to fly a plane smuggling drugs.
>>
>> Do you believe everything you read on the internet - especially in
>> said newsgroup where trolls and imposters abound?
>
> Of course not. Does it matter that some thing known as Bear Bottoms (hehe)
> has been unjustly accused? Nope.

Then why call him a liar in such strong terms?

>> And anyway, who gives a shit? I believe you like a puff yourself.
>
> I'd be a liar if I said I didn't appreciate the stuff. [g]

So what was the point of mentioning drug running?


Dustin

unread,
Jan 14, 2012, 11:24:30 PM1/14/12
to
"Ant" <n...@home.today> wrote in
news:0r6dnZH2TaidHIzS...@brightview.co.uk:

> "Dustin" wrote:
>
>> "Ant" wrote:
>>> "Dustin" wrote:
>>>> Bear wrote:
>>>>> On 1/13/2012 1:41 PM, FromTheRafters wrote:
>>>>>> Are you saying that you are not an *ex* drug runner?
>>>>>
>>>>> Yes, I am saying that. It's been bantered around here a bit which
>>>>> I've always ignored. Time to set the record straight.
>>>>
>>>> You fucking liar. It's all over alt.comp.freeware, and you
>>>> provided the information for us to lookup. You used to fly a plane
>>>> smuggling drugs.
>>>
>>> Do you believe everything you read on the internet - especially in
>>> said newsgroup where trolls and imposters abound?
>>
>> Of course not. Does it matter that some thing known as Bear Bottoms
>> (hehe) has been unjustly accused? Nope.
>
> Then why call him a liar in such strong terms?

strong terms? Hmm. Seemed fairly straightforward to me.

> So what was the point of mentioning drug running?

Amusement?

Ant

unread,
Jan 15, 2012, 12:12:56 PM1/15/12
to
"Dustin" wrote:

> "Ant" wrote:
>> "Dustin" wrote:
>>> "Ant" wrote:
>>>> Do you believe everything you read on the internet - especially in
>>>> said newsgroup where trolls and imposters abound?
>>>
>>> Of course not. Does it matter that some thing known as Bear Bottoms
>>> (hehe) has been unjustly accused? Nope.
>>
>> Then why call him a liar in such strong terms?
>
> strong terms? Hmm. Seemed fairly straightforward to me.

"Fucking liar" is a bit strong. Alright then, why call him a liar at
all?

> So what was the point of mentioning drug running?
>
> Amusement?

Why the question mark - are you saying you don't know?


eric x

unread,
Jan 18, 2012, 3:58:33 AM1/18/12
to
On Jan 12, 4:57 am, Dustin <bughunter.dus...@gmail.com> wrote:
> Dustin <bughunter.dus...@gmail.com> wrote innews:Xns9FD79EE7895D0HHI2948AJD832@no:
>
> > "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in
> >news:jekqm...@news2.newsguy.com:
>
> >> From: "Dustin" <bughunter.dus...@gmail.com>
>
> >>>> Once a system is infected, review my reply to you in a recent post
> >>>> to you.
>
> >>> infected=virus. Trojan<>infected. One a system is trojanized, it's
> >>> easy enough to repair. Depending on the virus, it can also be
> >>> repaired. That's the lack of knowledge you have on this field
> >>> rearing it's ugly head on you again.
>
> >> I wouldn't agree there.  Once malware is resident and acting upon a
> >> host that host is infected.
> >> In animal hosts they can be infected by; yeasts/molds, parasites,
> >> bacteria and viruses. It is no different than with a computer host.
>
> > No. It's a resident trojan. Still, not infected. Unless said trojan
> > is patching files to continue it's own existance. If not, then it's
> > not actually "infecting" anything. Creating an exe and a registry key
> > to load it later isn't infecting a machine.
>
> >> So I don't think;  infected=virus Trojan<>infected  is apropos.
>
> > Well, I hail from the virus/trojan terminology. Although I'm retired,
> > I still prefer to use the correct terminology when discussing them.
>
> I've got to retract this. I spoke with David via IM and I was unclear on
> what he meant by host. My bad. Should have read then replied. :)
>
> if we're discussing a host as a whole, then it's infected via a trojan
> which overwhelmes the systems defences and takes hold via a load point or
> residency. While it's not infecting files, it does have the system.
>
> Sorry for any confusion I've caused.
>
> --
> Character is doing the right thing when nobody's looking. There are too
> many people who think that the only thing that's right is to get by,
> and the only thing that's wrong is to get caught. - J.C. Watts




Hello,

Would you like to try this , I am not sure you have eradicate the
consrv.dll virus ?

I got banned from bleepingcomputer.com when I post this article
regarding the simplest method of removal which I have successfully
help so many of them infected with consrv.dll virus .

The article below is taking sophos antivirus as example , you can try
others , even microsoft security essential is able to kill them , to
fully recover you need to do some extra job on the registry after
removal.




I would like to share how I manage to resolve consrv.dll virus found
on windows 7 which hijack the browser .
The sophos found the following
User: NT AUTHORITY\SYSTEM
Scan: On-access
File "C:\Windows\System32\consrv.dll" belongs to virus/spyware 'Troj/
ZAccess-L'.
User: NT AUTHORITY\SYSTEM
Scan: On-access
File "C:\Windows\assembly\GAC_32\Desktop.ini" belongs to virus/spyware
'Mal/Generic-L'.
For those using windows 7 you can try your luck by using system
restore point to earlier recovery before the infection .
If you can not recover using the above method I would suggest the
following method that I have tried.
0. let the antivirus programme kill whatever consrv.dll virus that
found , or using miscrosoft Security essential to kill the trojan ,
once this is done AND after you execute the reboot you will never be
able to boot the windows because the registry still need to repair .
1. To be safe , Go to control panel, select backup and restore.
2. choose Create a system repair disc to create a cd or dvd window
recovery disc
3.Do a clean bootup using the system repair disc which is bootable .
4. Select the command prompt offer by the window recovery .
5 Once in command prompt , usually drive X:, type regedit to call up
registry editor.
6 Navigate to web site http://4sysops.com/archives/regedit-as-offline-registry-editor
to have clear understading how to do so would greatly help.
7 the %windir% usually refer to D:\windows\ or where is your physical
disk that contain the windows operating system
Use regedit as offline Registry editor
1.Launch regedit on the command prompt.
2.Click HKEY_LOCAL_MACHINE.
3.In the File menu, click “Load Hive.”
4.Open the database file that contains the Registry hive you need:
HKEY_LOCAL_MACHINE \SYSTEM = %windir%\system32\config\SYSTEM
%windir%\system32\config\SYSTEM= D:\windows\system32\config\SYSTEM
Some other portion of the registry that you may need are located
under :
HKEY_LOCAL_MACHINE \SAM = %windir%\system32\config\SAM
HKEY_LOCAL_MACHINE \SYSTEM = %windir%\system32\config\SYSTEM
HKEY_LOCAL_MACHINE \SOFTWARE = %windir%\system32\config\SOFTWARE
HKEY_USERS \.Default = %windir%\system32\config\DEFAULT
HKEY_CURRENT_USER = %userprofile%\ntuser.dat
5.Enter an arbitrary key name when prompted , example test .
A new node with your key name appears under
HKEY_LOCAL_MACHINE \SYSTEM
8. To carry out with the registry repair
select the note load hive under test
navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session
Manager\Subsystems
and also
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
\Subsystems
select Name "Windows" and edit .
Replace whatever consrv to winsrv
original
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,20480,768 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4
ProfileControl=Off MaxRequestThreads=16
to
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,20480,768 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4
ProfileControl=Off MaxRequestThreads=16
9 Once the above two steps are done , unload the hive to write back
the offline windows registry.
10 you should be able to reboot after this , remember to do a full
scan to confirm again.
Thanks ,













David H. Lipman

unread,
Jan 18, 2012, 9:18:11 AM1/18/12
to
From: "eric x" <tsg...@gmail.com>
Reading that brings up memories.

First this is NOT a virus. It is a SubSys trojan named aafter the way the DLL is loaded
on a CSRSS DLL chain.

I wrote about it concerning the possible ill-effects of taking a drive and putting it on a
surrogate computer and the scanning it and removing files. In what I wrote I noted an
example SubSys trojan being removed and causing a BSoD condition. The following is what I
wrote and based upon what I have read it is just like the "basevml32.dll" in the below
example as in the above "consrv.dll".

The key I am thinking about will not be shown in AutoRuns. The DLL would be named such
as; base????32.dll (ex. basevml32.dll)
This is a SubSys trojan and with this trojan, it would be inserted into the following
registry key;
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
and would become part of a DLL load chain. The name of malware DLL would be inserted ito
the registry key (such as; ServerDll=basevml32) . If you deleted the trojan by putting
the drive in a surrogate PC or by using the Recovery Console the PC would boot into a BSoD
complaining that the DLL could not be found.

Example NT Stop Error:
STOP: c0000135 {Unable To Locate Component}
This application has failed to start because basevml32 was not found.
Re-installing the application may fix this problem.

It loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows

Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basevml32,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

The above is a real world example taken from my notes. AutoRuns and the System File
Checker are useless in the above scenario. The ONLY way to fix it is either copy
basesrv.dll to basevml32.dll in the Recovery Console or preferrably load the infected OS
and edit the registry and reboot then delete basevml32.dll.

I mention the above because many presume placing an affected drive in a surrogate PC is
one of the best ways to deal with removing malware that may be loaded at run-time.
However, if you do, when you run the Anti malware software it will not correct the
registry of the OS of the affected drive and may leave the OS of the affected drive
impotent. I am NOT saying placing an affected drive in a surrogate PC is not a good
methodology. I am saying that it can have drawbacks and you must be prepared for them.




--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


David H. Lipman

unread,
Jan 18, 2012, 9:21:54 AM1/18/12
to
From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

BTW:
Message-ID: <eBR9CshJ...@TK2MSFTNGP06.phx.gbl>

Posted 10/4/2008
microsoft.public.security.virus
Subject: Re: my besieged by ie pop-up ads post 01/10/2008 16:21

eric x

unread,
Jan 18, 2012, 10:59:59 AM1/18/12
to
On Jan 18, 10:21 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "David H. Lipman" <DLipman~nosp...@Verizon.Net>
>
> BTW:
> Message-ID: <eBR9CshJ...@TK2MSFTNGP06.phx.gbl>
>
> Posted 10/4/2008
> microsoft.public.security.virus
> Subject:  Re: my besieged by ie pop-up ads post 01/10/2008 16:21
>
> --
> Dave
> Multi-AV Scanning Tool -http://multi-av.thespykiller.co.ukhttp://www.pctipp.ch/downloads/dl/35905.asp

Hello,

The method suggested does not necessarily mean you must use a
surrogate PC to do the job , what I did was quite simple , even on
the infected PC , one can still boot into recovery console under win 7
OS by pressing F8, select command prompt to start recovery.


Most of the antivirus programme would keep on complaining trojan pc
was infected with trojan or xxx malware, from my experience , it is
fine for them to kill whatever they found on the infected PC . These
nasty trojan just alter windows registry , that is why after cleaning
and when one attempt to reboot , windows would never boot, because it
play trick on windows registry.
Using offline registry repair method , those issue could be simply
overcome , it does not matter which part of the registry was altered
by those nasty trojan , one just need put back the original registry
setting and the windows would be happy to boot without any complain!

The only way why the forum did not favour this method is because these
people like to complicate the matter or think too much before
suggesting a workable solution to help poor infected pc user!


David H. Lipman

unread,
Jan 18, 2012, 11:26:02 AM1/18/12
to
From: "eric x" <tsg...@gmail.com>
Yes that's correct. My post in Oct '08 wasn't specifically about dealing
with this malware. That post was nspecifically about the negative
consequences that is possible by using a surrogate machine. My example was
a SubSys trojan that if removed, without modifying the Registry of the
affected hard disk's OS, would end up in a BSoD, NT Stop Error: STOP:
c0000135, condition.

It just so happens that the SusSys trojan exampled in 2008 mirrors that of
the SubSys trojan that may be associated with the MAX++ RootKit infection
associated with "consrv.dll".

It just goes to show that my example, and it solution, shown in Oct '08 is
still valid Today.

The reason why "the forum did not favour this method" because it was coming
from an unknown entity in a fashion that may have violated the BC ToS. I am
sure that if it is warranted, and I provided this information to Lawrence
Abrams, it could be made a SOP at BleepingComputer.

--
Dave

Dustin

unread,
Jan 18, 2012, 8:17:44 PM1/18/12
to
eric x <tsg...@gmail.com> wrote in
news:8ee154db-0cc2-43b0...@n7g2000pbd.googlegroups.com:

> Hello,
>
> Would you like to try this , I am not sure you have eradicate the
> consrv.dll virus ?

It's not a virus. :) It's a trojan. Spend a little time on google and
you'll have the information you need to thoroughly remove it. You should
follow up with an antivirus scan (I'd recommend MultiAV) at this point
tho.

> I got banned from bleepingcomputer.com when I post this article
> regarding the simplest method of removal which I have successfully
> help so many of them infected with consrv.dll virus .

Please stop calling it a virus. It's not infecting anything. :)
I know, terminology, but damnit, terminology is important!

> The article below is taking sophos antivirus as example , you can try
> others , even microsoft security essential is able to kill them , to
> fully recover you need to do some extra job on the registry after
> removal.

You could also boot the system in BartPE, mount it's registry, fix the
load point(s), then remove (I like to rename and move to another folder
for later analysis) the offending dll file. Problem resolved, with this
particular trojan. A followup scan using other tools to ensure it didn't
bring friends is also a good idea. I'd continue with an sfc run to
verify windows files are still digitally signed and valid.

> For those using windows 7 you can try your luck by using system
> restore point to earlier recovery before the infection .

System restore is NOT a good way to recovery from a trojan. You can
actually re-introduce other aspects of said trojan(s).

> 2. choose Create a system repair disc to create a cd or dvd window
> recovery disc

One should have this handy in any event. It's useful for repairs, even
non virus/trojan ones.

> 10 you should be able to reboot after this , remember to do a full
> scan to confirm again.
> Thanks ,

Your advice is sound, although you should put the standard disclaimer,
playing with the registry can kill your box. Perhaps a suggestion to
download and run ERUNT prior to tinkering with the registry would be
best. This gives the user a way to go back (or undo if you prefer)
should they mess up. :)

David H. Lipman

unread,
Jan 18, 2012, 8:36:26 PM1/18/12
to
From: "Dustin" <bughunte...@gmail.com>

| eric x <tsg...@gmail.com> wrote in
| news:8ee154db-0cc2-43b0...@n7g2000pbd.googlegroups.com:
|
>> Hello,
>>
>> Would you like to try this , I am not sure you have eradicate the
>> consrv.dll virus ?
|
| It's not a virus. :) It's a trojan. Spend a little time on google and
| you'll have the information you need to thoroughly remove it. You should
| follow up with an antivirus scan (I'd recommend MultiAV) at this point
| tho.
|

Read the rest Dustin ;-)

Dustin

unread,
Jan 19, 2012, 1:45:17 AM1/19/12
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:K6CdnWq2iJAF7orS...@giganews.com:

> From: "Dustin" <bughunte...@gmail.com>
>
>| eric x <tsg...@gmail.com> wrote in
>| news:8ee154db-0cc2-43b0...@n7g2000pbd.googlegroups.com
>| :
>|
>>> Hello,
>>>
>>> Would you like to try this , I am not sure you have eradicate the
>>> consrv.dll virus ?
>|
>| It's not a virus. :) It's a trojan. Spend a little time on google
>| and you'll have the information you need to thoroughly remove it.
>| You should follow up with an antivirus scan (I'd recommend MultiAV)
>| at this point tho.
>|
>
> Read the rest Dustin ;-)

Additional keys have to be removed so that windows doesn't puke.. I know.
I'm just doing this quickly and thus are leaving out some details I
normally consider to be minor. lol. My bad.

eric x

unread,
Jan 19, 2012, 6:09:05 AM1/19/12
to
On Jan 19, 9:17 am, Dustin <bughunter.dus...@gmail.com> wrote:
Hello ,
Please do not be too particular on trojan jargon workable solution
is what an infected and helpless pc user wish for , anything that
help although phrasing may be different but all are done with the
same objective , we are all trying our best to help them.

Forget about those SOP , rule are rule , it need to be flexible
sometime , some nasty people out there could even charge for the
simple advice , try "justanswer.com " website and see what I meant by
this !

FromTheRafters

unread,
Jan 19, 2012, 10:14:43 AM1/19/12
to
eric x wrote:
[...]

> Please do not be too particular on trojan jargon workable solution
> is what an infected and helpless pc user wish for , anything that
> help although phrasing may be different but all are done with the
> same objective , we are all trying our best to help them.

While this is true, it is also true that getting users to use correct
terminology also helps. "Help me, my computer is sick" will get
different answers than "Help me my computer has a virus".

Please do not insist that experts 'dumb down' their responses in the
face of such illogical resistance to the use of correct terminology.

Have you ever searched a machine to see what is being started from the
registry or any of the many other autostart methods? Many times this is
done so that one can disable the startup of the malware so that
investigation can proceed without interference from the malware still
running. This could be a monumental waste of time if you are dealing
with a virus, as a virus will start when its host program is run and
doesn't need the other autostart methods that you can search for in that
manner.

Sure, the 'victim' doesn't care - but they *should*. If it weren't for
antivirus scanners being able to find known viruses within infected
files, the standard answer to victims of viral attack would be to
flatten and rebuild and *do not* reload your image or any backed up
*programs* you may have. This is not so for most other malware types
because they don't infect preexisting programs with copies of themselves
and insinuate themselves into your backups.

[...]

eric x

unread,
Jan 25, 2012, 1:54:43 AM1/25/12
to
Hello,

I agree , I think the most important is to help the victim and educate
them about the offline registry editing method to resolve the
malwares or trojan depending to what extend the window registry is
being corrupted.

Take a look at those famous antivirus forum , most of them felt very
reluctant to suggest this approach , even those top antivirus
programme only good at nothing but only kill trojan or malwares /
virus found , did nothing to help the poor user when they can not
reboot windows .
Some said can use bartPe , linux boot , this sort of linux recovery
most of time failed when certain device drivers not found ,
especially on notebook with oem windows 7 OS .



It is loading more messages.
0 new messages