Win32/RAMNIT.A Anyone?
David Kaye
out there.
Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
time removing it. The only tool the detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it.
I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
figure out what's launching it.
I have eliminated one rootkit and subsequent scans show no more rootkits.
This thing has dropped startup payloads into the StartUp folder, into the Run
keys, into Prefetch, and it masquerades as everything from random 4-letter
clusters to names like "Microsoft Suite", etc.
It also captures the date when Windows was first installed, so I can't
reliably search for the thing via date, either.
Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
the infections are in everything from drivers to executables in all kinds of
directories.
At the moment I'm running the computer in safe mode with no Internet and MSSE
is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
go back into regular mode and get an Internet connection back up it'll start
infecting again.
Oh, and I've reset the Winsock stack twice just in case there's a little
wedgie in there. Still comes back.
Any help would be most appreciated. You can reach me directly by email. The
address is valid.
Thanks.
Roy
A friend of mine that does virus removal as part of his business swears
by MalwareBytes
David Kaye
>A friend of mine that does virus removal as part of his business swears
>by MalwareBytes
I do this professionally as well. I asked *specifically* for comments from
people who have *experience* with this threat. I used MalwareBytes
Antimalware several times including the complete disk scan for 2 1/2 hours.
It did not detect anything.
Again, I'm interested in hearing only from people who have *experience* with
Win32.Ramnit.A
Thank you.
David H. Lipman
| Thanks.
What is the fully qualified name and path to the file deemed infected with RAMNIT.A and
did you capture a copy of this malware ?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David Kaye
>What is the fully qualified name and path to the file deemed infected with
> RAMNIT.A and
>did you capture a copy of this malware ?
There are a bunch of folders named such things as FUEM and AVAX, with exes
under them with randomly generated 4 and 5 character letters. These are under
the user's temp folder. They do not occur when using the admin account.
Additionally, there is a folder under Program Files with the name Microsoft,
and the exe is called Desktoplayer.exe. This exe is launched via the same
registry entry that launches UserInit.
Reducing the string so that it launches only UserInit and removing the files
mentioned here under safe mode won't stop them from being re-created the next
time I boot into regular mode.
I removed MSSE and installed Avast instead because MSSE kept noting the
infections, dealt with them, and then more kept appearing seconds later.
Under Avast, a 2-hour scan revealed 4300 infected files. I couldn't move them
all to quarantine so I had to erase some. Unfortunately, this affected some
critical app files (not Windows OS files, though). So, Firefox crashes, IE
wants the Office install disk, Picassa hangs, etc.
Also, the Explorer search feature has the doggie but no text boxes for
searching, and menu items are missing.
Thus, it looks like the OS is hosed, so I'll have to reinstall. Only trouble
is that this customer has a boatload of Word docs, spreadsheets, jpgs, mp3s
and whatnot. I'm hoping that the docs and xls's aren't infected with malware
macros.
This problem was first talked about in January apparently at Trend, but I
don't see much else in reference to it until 3 days ago, and there are a bunch
of forums where people are getting this infection. So, it looks like we're
right at the cusp of a major outbreak.
It's annoying as hell. In over 8 years of doing malware repair this is in the
top 2 for awfulness.
I think the customer got the infection via maybe Limewire, a torrent or
the Bang Bros porn website (or maybe from a link to it) because the logs
indicate similar datestamps to the first date stamps on the malware.
Oh, and the first thing I did was manually roll back the registry using a CD
boot disk. There were about 3 dozen entries. I rolled it back about halfway
(about 15 restore points) earlier, which took it to July 13. So, the
infection must have been there prior to that. When I went back to manually
roll back further, I noticed that the malware had deleted every restore point
(snapshot) except the latest 3. I ran an undelete CD on it and couldn't find
where the other restore points went, so they were probably overwritten.
I'm going to bed.
jcdill
> Sorry about the crosspost to ba.internet, but I know there are malware experts
> out there.
>
> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
No experience, but if I were in your shoes I'd start here:
<http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
jc
~BD~
I saw no answer to the 'Question' - but I did copy and paste the HJT log
into www.hijackthis.de - there were six questionable entries highlighted.
David Kaye
>No experience, but if I were in your shoes I'd start here:
>
><http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
Been there, done that. Thanks anyway. I'm reinstalling Windows and the
programs this afternoon. I hate to do that. Oh well.
David H. Lipman
| <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
The problem is that may not be the same based upon the !HTML suffix which infers HTML code
and possibly exploitation rather than the actual infection.
FromTheRafters
news:i2nfo...@news4.newsguy.com...
> From: "jcdill" <jcdill...@gmail.com>
>
> | David Kaye wrote:
>>> Sorry about the crosspost to ba.internet, but I know there are
>>> malware experts
>>> out there.
>
>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
> | No experience, but if I were in your shoes I'd start here:
>
> |
> <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
> The problem is that may not be the same based upon the !HTML suffix
> which infers HTML code
> and possibly exploitation rather than the actual infection.
It's a shame he couldn't provide you with a sample. His description of
symptoms doesn't exactly match up with what this malware is/does. This
could be new malware worm dropping ramnit.a as it finds new systems.
David Kaye
>It's a shame he couldn't provide you with a sample. His description of
>symptoms doesn't exactly match up with what this malware is/does. This
>could be new malware worm dropping ramnit.a as it finds new systems.
What kind of sample? A sample of the malware? I'm loathe to provide that; I
don't want to be responsible for infecting any computers. I've already given
some filenames and directories.
But regardless of what names I provide, there is still something being
launched that I'm unaware of that is rebuilding the files I see. As
previously stated, I've removed the HD, scanned it for rootkits and malware
and reinstalled it and the stuff comes back.
Well, folks, thanks anyway. I'm just going to reinstall Windows, something I
seldom have to do. It's got me beat and I can't spend any more time on this
issue. I'm backed up in work again.
David H. Lipman
| "FromTheRafters" <err...@nomail.afraid.org> wrote:
Providing a sample of malware to http://www.uploadmalware.com/ will *NOT* cause more
computers to be infected.
On the contrary, people who have access to the files are experienced at handling malware.
The culmination of all submissions get distributed to the listed anti malware companies.
Therefore, sample submission to UploadMalware leads to greater recognition of submitted
samples.
Vendor list:
http://www.uploadmalware.com/vendors.php
russg
I come here to learn, and there are some experts here. The OP
considers himself an expert and only wants
talk to experts. I would say his final approach of wiping and re-
installing the OS (which he didn't mention),
but first trying to save .docs, mp3 and other important files, is the
only solution. I learned that RAMNIT.A
is a PE infector, infects other known files, like IE. Here's some
info at sophos.com:
http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss
The OP knows the name of the malware, so he must have submitted a
sample somewhere.
NoOp
...
> At the moment I'm running the computer in safe mode with no Internet and MSSE
> is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
> go back into regular mode and get an Internet connection back up it'll start
> infecting again.
>
> Oh, and I've reset the Winsock stack twice just in case there's a little
> wedgie in there. Still comes back.
>
> Any help would be most appreciated. You can reach me directly by email. The
> address is valid.
As a "professional" you might try eradicating from a standalone bootable
linux CD[1] or scanning via a linux system & use something like
Bitdefender, ClamAV, etc. Most trojans/worms of these types simply block
standard AV's so you end up going round in circles unless you eradicate
using a standalone/non-windows source.
http://download.bitdefender.com/rescue_cd/
http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/
etc., etc.
I find it silly that you try restore points et al to clean the problem.
As you've already discovered, that doesn't work.
David H. Lipman
| http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
| rss
From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
time removing it. The only tool the detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it."
He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the system of it. Dave also
indicated he tried Avast to no avail.
FromTheRafters
news:i2nvud$mfo$4...@news.eternal-september.org...
> "FromTheRafters" <err...@nomail.afraid.org> wrote:
>
>>It's a shame he couldn't provide you with a sample. His description of
>>symptoms doesn't exactly match up with what this malware is/does. This
>>could be new malware worm dropping ramnit.a as it finds new systems.
>
> What kind of sample? A sample of the malware? I'm loathe to provide
> that; I
> don't want to be responsible for infecting any computers. I've
> already given
> some filenames and directories.
Yes, it's clear you have some nasty malware running. It looks like lots
of it goes undetected except the noted ramnit.a.
> But regardless of what names I provide, there is still something being
> launched that I'm unaware of that is rebuilding the files I see.
If I understood the sources I've read, this malware modifies executable
files with the effect of making them "droppers". It could be a new worm
has now adopted that function and you are seeing detections of the
modified files but not the program that's modifying them.
> As
> previously stated, I've removed the HD, scanned it for rootkits and
> malware
> and reinstalled it and the stuff comes back.
>
> Well, folks, thanks anyway. I'm just going to reinstall Windows,
> something I
> seldom have to do. It's got me beat and I can't spend any more time
> on this
> issue. I'm backed up in work again.
You were probably doomed from the get-go to have to flatten and rebuild.
Too many unknowns.
TBerk
David,
READ & RUN ME FIRST. Malware Removal Guide
http://forums.majorgeeks.com/showthread.php?t=35407
Haven't yet found the beastie this procedure wouldn't clean w/o
reformatting a drive.
If I have time, I go though with it. if It's more expedient to wipe
the drive I just harvest data, and reinstall the OS. But I prefer the
'thrill of the hunt' so to speak.
TBerk
Buffalo
Well, have you tried PC Butts' Remove-it software?
Whee Haw!!!
Buffalo
RJK
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:i2o47...@news2.newsguy.com...
Having cast my eye through this post, I think I would have given PrevX a go :-) ...I think (seeing as Sophos is armed against it), I'd try Sophos CLS from Bart PE cd :-)
regards, Richard
John Slade
You may want to try turning off "system restore" in
"system properties". Then reboot. You may also want to make
"system volume information" accessible to your malware scanner.
Then do a scan of that folder. The default setting is "read
only" and "hidden" so if it can be scanned the malware won't be
removed. The malware can reboot that last restore point over and
over and reinfecting your system over and over. A Linux based
scanner can be a way around the permissions but it's probably
better to do the scans within Windows.
John
John Slade
On 7/27/2010 11:17 PM, RJK wrote:
>
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net
> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
> news:i2o47...@news2.newsguy.com...
> From: "russg" <russ...@sbcglobal.net <mailto:russ...@sbcglobal.net>>
It seems the information I found on this worm is that it
probably hides in the "system volume information" folder that is
"read only" and "hidden" by default. The worm just keeps getting
reinstalled and can't be cleaned unless the permissions are
changed for that folder. The information on this site links to
instructions for cleaning RAMNIT.A.
http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
This links to information on how to disable "system
restore" in order to remove the infection. It may be possible to
use some offline scanner like BitDefender to remove the worm but
it's better done in Windows.
John
---
* Synchronet * The Whitehouse BBS --- whitehouse.hulds.com --- check it out free usenet!
--- Synchronet 3.15a-Win32 NewsLink 1.92
Time Warp of the Future BBS - telnet://time.synchro.net:24
David Kaye
>Haven't yet found the beastie this procedure wouldn't clean w/o
>reformatting a drive.
I didn't have to reformat; I reinstalled using the file overwrite method (the
one that doesn't destroy the registry) after running several rootkit removers
and being certain there were no rootkits.
Ramnit destroyed over 4000 executables (exe and dll), so it was inevitable
that I'd have to reinstall the OS. Project completed. The computer runs like
new.
>If I have time, I go though with it. if It's more expedient to wipe
>the drive I just harvest data, and reinstall the OS. But I prefer the
>'thrill of the hunt' so to speak.
When one does this professionally it's not the thrill of the hunt but keeping
the client as happy as possible in the least amount of time. This means,
disturbing as little of their experience as possible -- keeping their
wallpaper and all their other user interface experiences as close as to what
they were before infection.
In over 8 years doing this fulltime I've only had to reformat maybe 4 times.
I've had to reinstall the OS about 10 times. But this one really caught me by
surprise.
David H. Lipman
>> |
>>
>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
>> | rss
>> regards, Richard
| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
Sorry, you are mis-interpreting the information.
Malware doesn't "hide" in the "system volume information" folder. That is where the
System Resore cache resides. What they are talking about is removing restore points such
that you won't re-infect the PC if you restore the PC from a restore point that had made
in an infected condition.
Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
cleaning a PC. It is better to have an infected, working, PC than to have a a PC that may
be unstable and you can't restore the PC to a stable but infected condition. Once the PC
is thouroughly cleaned and verified and is stable then you you can dump the System Restore
cache.
jcdill
> From: "jcdill" <jcdill...@gmail.com>
>
> | David Kaye wrote:
>>> Sorry about the crosspost to ba.internet, but I know there are malware experts
>>> out there.
>
>>> Does anybody have EXPERIENCE with Win32/RAMNIT.A ?
>
> | No experience, but if I were in your shoes I'd start here:
>
> | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
>
> The problem is that may not be the same based upon the !HTML suffix which infers HTML code
> and possibly exploitation rather than the actual infection.
My point was to use the experts-exchange site to get help if the answers
already posted don't solve the problem. They are amazingly helpful with
providing assistance (for free) to people who follow the recommended
steps (such as running hijackthis and posting the logs etc.). I've
found the answer to solving several pesky virus/worm problems simply by
searching the experts-exchange site without having to post my own query,
but if I couldn't find the answer in the archives then I wouldn't
hesitate to post.
jc
John Slade
Some malware specifically uses the "system volume
information" folder to reinfect the computer. It will infect
multiple restore points even those that were there before the
particular worm was introduced. I've had some experience with these.
>
> Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
> cleaning a PC. It is better to have an infected, working, PC than to have a a PC that may
> be unstable and you can't restore the PC to a stable but infected condition. Once the PC
> is thouroughly cleaned and verified and is stable then you you can dump the System Restore
> cache.
This is one reason us PROFESSIONALS do a complete drive
backup before we remove the infection in this way. That way if
something goes wrong, you can always go back to the beginning.
It's possible to allow writing to the folder in question.
I have cleaned a few computers in this way and I usually find
that the restore points are not worth saving. I've had
absolutely no systems lost due to cleaning out the system
restore points. Never lost one and never needed to use the
backup on these types of infections. I find it better to have a
professional do the malware removal than someone who risks
loosing everything because they're afraid to remove the restore
caches.
John
David H. Lipman
>>>> |
>>>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_
>>>> from=
>>>> | rss
>>>> regards, Richard
>> | http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
| John
You said...
"Some malware specifically uses the "system volume information" folder to reinfect the
computer."
Since you also stated "...us PROFESSIONALS...".
What is that malware spaecifically. You should know it or it should be in your notes.
I'd like to know what it is you are referring to.
David H. Lipman
>> | <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
Ant defined the !HTML suffix (and !INF) as being modified by the Ramnit.
FromTheRafters
news:tE74o.32165$OU6....@newsfe20.iad...
[...]
> It seems the information I found on this worm is that it
> probably hides in the "system volume information" folder that is "read
> only" and "hidden" by default.
Funny, I was led to believe it used the recycle bin.
> The worm just keeps getting reinstalled and can't
> be cleaned unless the permissions are changed
> for that folder. The information on this site links to instructions
> for cleaning RAMNIT.A.
How is it, that a folder remains inaccesible to a scanner?
> http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>
> This links to information on how to disable "system restore" in
> order to remove the infection. It may be possible to use some offline
> scanner like BitDefender to remove the worm but it's better done in
> Windows.
It is better to clean the malware off the computer, then purge the
system restore thingy. The malware can't act against you actively, when
it is not running. Use drive imaging software, system restore be-damned.
FromTheRafters
news:i2sot...@news4.newsguy.com...
Seems sort of like the old DAM suffix - but instead of being damaged,
these files were modified to act as droppers. Not actual viral
infection, but perhaps infection in the furtherance of the worm. Another
write-up I saw mentioned infection of portable executable files, again
not with copies of itself like a virus, but rather to add dropper
functionality.
So, I'm guessing it could be polymorphic in the way it infects PEs and
the symptoms David Kaye experienced was because some were being missed
by the current definitions supplied for the AV tools he used.
Either that, or there is something *new* about the one he had.
David H. Lipman
>>>> |
>>>> <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
Maybe it is like the Virut in that it modified HTML files in a way that when viewed it
could cause you to download and re-infect the computer.
David H. Lipman
| "FromTheRafters" <err...@nomail.afraid.org> wrote:
>>It's a shame he couldn't provide you with a sample. His description of
>>symptoms doesn't exactly match up with what this malware is/does. This
>>could be new malware worm dropping ramnit.a as it finds new systems.
| What kind of sample? A sample of the malware? I'm loathe to provide that; I
| don't want to be responsible for infecting any computers. I've already given
| some filenames and directories.
< snip >
Samples that I "did" receive from someone who remain anonymous.
FromTheRafters
That's what I gathered. Interesting it not being viral with respect to
exe infection though (if that is indeed the case).
John Slade
Yes that's exactly what I said. One think I've noticed
from 25 years of seeing malware is that the writers of malware
will use anything and everything to infect a system. They will
make it hard as possible to remove them too.
>
> Since you also stated "...us PROFESSIONALS...".
The professional thing to do is make a backup so you can
do what needs to be done to repair the system. I don't usually
hear other professionals say afraid to do something as simple as
removing restore points to repair a system.
> What is that malware spaecifically. You should know it or it should be in your notes.
>
I don't remember the exact name of the worms and trojans
as it was over a year ago when I removed the last one. There are
so many variants of existing malware and new malware out there.
As for my notes, I don't need notes on specific malware I just
do what it takes to remove whatever it is. My notes deal mostly
with behavior of the malware and what it takes to remove it.
However I still have the scanner logs I did then and I'll look
through them. You should also know that scanners can find
malware and not give it a name because it detects signatures and
behavior. The particular malware may not be in the database as yet.
You should know there is malware out there that will
trash the registry and it's backup. It will require some sort of
reinstall to get the system back working. I found it very rare
that I need to do a full reformat and reinstall because of
malware. Some malware will also corrupt system files and when
you remove them with scanners, it will make the installation
unbootable. This is yet another reason professionals will make a
backup if possible before removing infections.
I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.
John Slade
> "John Slade"<hhit...@pacbell.net> wrote in message
> news:tE74o.32165$OU6....@newsfe20.iad...
>
> [...]
>
>> It seems the information I found on this worm is that it
>> probably hides in the "system volume information" folder that is "read
>> only" and "hidden" by default.
>
> Funny, I was led to believe it used the recycle bin.
It's entirely possible as they probably have 30 different
variants of the same worm.
>
>> The worm just keeps getting reinstalled and can't
>> be cleaned unless the permissions are changed
>> for that folder. The information on this site links to instructions
>> for cleaning RAMNIT.A.
>
> How is it, that a folder remains inaccesible to a scanner?
It won't allow the removal of the malware because the
folder is read only. It will detect but not clean.
>
>> http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
>>
>> This links to information on how to disable "system restore" in
>> order to remove the infection. It may be possible to use some offline
>> scanner like BitDefender to remove the worm but it's better done in
>> Windows.
>
> It is better to clean the malware off the computer, then purge the
> system restore thingy.
Sometimes the way to remove the malware is to remove the
system restore folders but only after a backup is made of the
entire HD.
> The malware can't act against you actively, when
> it is not running. Use drive imaging software, system restore be-damned.
>
I agree. But some malware needs to be running so it can
be detected and fully removed.
John
TBerk
<snip>
> In over 8 years doing this full time I've only had to reformat maybe 4 times. Â
> I've had to reinstall the OS about 10 times. Â But this one really caught me by
> surprise.
Lets see...
CP/M
8" floppy disks
5 1/4" floppies, but with Hard Sector holes cut in them
Data Storage on Cassette Tape
Soldering together your own Serial Cable to make sure you got the
Handshaking right.
Eight years, heh heh. (Not flam'n,) just ruminating nostalgically.
Hell, 'the Cuckoo's Egg' for that matter.
TBerk
Now I want to pop some corn and go watch a 'Sneakers' & 'Hackers'
double bill...
NoOp
...
> When one does this professionally it's not the thrill of the hunt but keeping
> the client as happy as possible in the least amount of time. This means,
> disturbing as little of their experience as possible -- keeping their
> wallpaper and all their other user interface experiences as close as to what
> they were before infection.
>
> In over 8 years doing this fulltime I've only had to reformat maybe 4 times.
> I've had to reinstall the OS about 10 times. But this one really caught me by
> surprise.
>
Don't put that on your resume and/or marketing materials...
David H. Lipman
| On Jul 29, 12:46 am, sfdavidka...@yahoo.com (David Kaye) wrote:
| <snip>
>> In over 8 years doing this full time I've only had to reformat maybe 4 times.
>> I've had to reinstall the OS about 10 times. But this one really caught me by
>> surprise.
| Lets see...
| CP/M
| 8" floppy disks
| 5 1/4" floppies, but with Hard Sector holes cut in them
| Data Storage on Cassette Tape
| Soldering together your own Serial Cable to make sure you got the
| Handshaking right.
| Eight years, heh heh. (Not flam'n,) just ruminating nostalgically.
| Hell, 'the Cuckoo's Egg' for that matter.
:-)
David Kaye
>Don't put that on your resume and/or marketing materials...
>
Not to worry; I'm the only person I know in my profession giving a 60
guarantee on my work, which is stated in my advertising. I'm not afraid if I
fail.
RJK
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:i2u99...@news5.newsguy.com...
From: "TBerk" <bayar...@yahoo.com>
| Lets see...
:-)
I've got a tape streamer in a jjiffy bag, floating around in a plastic sack
of old spares, out in the garage if you want it :-)
...and the ISA interface card and two or three TR3 tapes to go with it !!
....whilst looking for a picture of it, I found :-
http://cgi.ebay.co.uk/SEAGATE-CTT3200I-F-CTT3200R-F-TAPE-DRIVE-fbc1a8-/350250404498
...same as mine :-)
...I wonder if the vendor will ever sell it ?
I do remember that the chap that bought it paid around £400 if memory serves
!
regards, Richard
RJK
"RJK" <nos...@hotmail.com> wrote in message
news:BlD4o.38017$lS1....@newsfe12.iad...
| Lets see...
:-)
regards, Richard
ps re: CP/M ....LocoSript (word processing application), was quite popular
in its' time, and many years ago, a brief acquiantance and his wife, (many
years ago), used to make quite a nice living, traveling around the UK doing
training courses in it !
Dustin
> On 7/29/2010 1:40 PM, David H. Lipman wrote:
>> From: "John Slade"<hhit...@pacbell.net>
>>
>> | On 7/29/2010 3:24 AM, David H. Lipman wrote:
>>>> From: "John Slade"<hhit...@pacbell.net>
>>
>>>> | On 7/27/2010 11:17 PM, RJK wrote:
>>
>>
>>>>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net
>>>>>> <mailto:DLipman~nospam~@Verizon.Net>> wrote in message
>>>>>> news:i2o47...@news2.newsguy.com...
>>>>>> From:
>>>>>> "russg"<russ...@sbcglobal.net<mailto:russgilb@sbcglobal.n
>>>>>> et>>
>>
>>>>>> | snip stuff about experienced posters only.
>>
>>>>>> | I come here to learn, and there are some experts here.
>>>>>> | The OP considers himself an expert and only wants
>>>>>> | talk to experts. I would say his final approach of
>>>>>> | wiping and re- installing the OS (which he didn't
>>>>>> | mention), but first trying to save .docs, mp3 and other
>>>>>> | important files, is the only solution. I learned that
>>>>>> | RAMNIT.A is a PE infector, infects other known files,
>>>>>> | like IE. Here's some info at sophos.com:
>>
>>>>>> |
>>
>>>>>> http://www.sophos.com/security/analyses/viruses-and-spyware/w32p
>>>>>> atchedi.html?_log_ from=
Wow. I had no idea.. /sarcasm.
> You should know there is malware out there that will
> trash the registry and it's backup. It will require some sort of
> reinstall to get the system back working. I found it very rare
> that I need to do a full reformat and reinstall because of
> malware. Some malware will also corrupt system files and when
> you remove them with scanners, it will make the installation
> unbootable. This is yet another reason professionals will make a
> backup if possible before removing infections.
What software do you use for the backup? Are you storing the backup on
read only media or a hard drive that could fail for any reason?
> I know there are a lot of fly-by-night computer repair
> people who are just there to do a quick fix and get paid, I find
> myself cleaning up after a lot of them.
I've encountered a few of those in my time as well.... I enjoy the work
they provide me tho. Tell me something, John, as a PROFESSIONAL, have
you written any of the tools you use for cleanup; or do you use the
work others have written, such as myself, David lipman and many others?
--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
Dustin
news:970494cd-6a7b-436e...@v6g2000prd.googlegroups.com:
Which did you find to be more realistic for it's time? Sneakers or
Hackers?
John Slade
I will either use Acronis' or Paragon's backup software
depending on the situation.
> Are you storing the backup on
> read only media or a hard drive that could fail for any reason?
You mean WORM(Write Once/Read Many) media don't you? That
media can fail also. No media is perfect. I store the backup on
business or enterprise grade HDs and will transfer to other
media if the customer wants that backup. If it's a large backup
they will have to pay me for it. Tell me what software and
hardware would you use to backup your customer's HD before you
start removing malware?
>
>> I know there are a lot of fly-by-night computer repair
>> people who are just there to do a quick fix and get paid, I find
>> myself cleaning up after a lot of them.
>
> I've encountered a few of those in my time as well.... I enjoy the work
> they provide me tho.
Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.
> Tell me something, John, as a PROFESSIONAL, have
> you written any of the tools you use for cleanup; or do you use the
> work others have written, such as myself, David lipman and many others?
>
For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.
I use software others have written. I'm not a software
engineer. I'm a professional computer repair person. I find that
competence in one profession such as software engineering
doesn't translate into something else like tech support. I've
been repairing computers for close to 25 years and have learned
a lot. One thing I've learned is a backup saves a lot of trouble
and allows for different approaches to be tried.
So tell me what products have you and David Lipman
written and where can I check them out?
John
Dustin
I haven't heard the acronym WORM in years... Damn, you have been around
a long time. :) I was thinking of cd-r or perhaps dvd-r material.
It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we had
at the time. I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of the
registry or important files. besides, I wrote several utilities to
assist me in verifying various windows dll/exe files were still intact
and okay for reuse.
We would typically reserve cloning drives for hardware failure signs.
Although, a customer could have us clone a drive for a malware issue if
they so desired. By default, we always copied docs, favorites, emails
etc before doing anything... But, you know, different places have
different policies.
Why do you spend the additional time to clone an entire drive for a
malware removal job?
>>
>>> I know there are a lot of fly-by-night computer repair
>>> people who are just there to do a quick fix and get paid, I find
>>> myself cleaning up after a lot of them.
>>
>> I've encountered a few of those in my time as well.... I enjoy the
>> work they provide me tho.
>
> Me too. I especially get a kick out of the ones who don't
> do backups and leave various screws out.
Or, use the wrong screws and strip one of the drives :)
>> Tell me something, John, as a PROFESSIONAL, have
>> you written any of the tools you use for cleanup; or do you use the
>> work others have written, such as myself, David lipman and many
>> others?
>>
>
> For the record, I'm not trying to get into some pissing
> contest. I was just making a suggestion as to how to fix the
> problem laid out in the OP.
I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that. We
can all be professional and civil here.
> I use software others have written. I'm not a software
> engineer. I'm a professional computer repair person. I find that
> competence in one profession such as software engineering
> doesn't translate into something else like tech support. I've
> been repairing computers for close to 25 years and have learned
> a lot. One thing I've learned is a backup saves a lot of trouble
> and allows for different approaches to be tried.
Well, a backup is a good way of having an escape route should something
go wrong. :) From a software aspect tho, I haven't really encountered
much malware that would justify the time I spent on imaging the drive
first. I wasn't in charge of billing tho, so that may have played a
part in that.
> So tell me what products have you and David Lipman
> written and where can I check them out?
I've written all kinds of old utility style apps, as you've been around
so long you might know a few of them.. Cmoscon, encode, delock, and
various others. If your into crypto/security, you might even know the
old dos file/freespace wiping app called NuKE and/or possibly CryptX.
In more recent times, I developed an antimalware scanner (that's why I
found your description on how they worked amusing. hehehe) called
BugHunter. I did a stint as a malware researcher for an app called
Malwarebytes antimalware..
Like yourself, I've been repairing pcs professionally for over 15 years
now; you have ten years on me, but I have programming skills on you.
*g*.
John Slade
It would be OK for DVD-R if the backup is small. But
swapping 20 or more DVDs is a pain.
>
> It depends. When I was working at a computer shop; I'd either use
> norton ghost corp edition or the hardware drive cloning device we had
> at the time.
I rarely use Ghost these days, it used to be the only
thing I ever used.
> I really didn't see much point in cloning a malware drive
> for malware removal; I wasn't stupid enough to trash my backups of the
> registry or important files. besides, I wrote several utilities to
> assist me in verifying various windows dll/exe files were still intact
> and okay for reuse.
>
Yea that's good for you, but when you're working for
someone else and they have important data they want to save, I
will backup. Most of the time the customer doesn't have a
backup. A lot of times the customer has a HD that's five or six
years old and they really need a backup done. Then there are the
times when I'm working for a young person and they don't want a
backup they just want the drive wiped and they want the OS
installed.
> We would typically reserve cloning drives for hardware failure signs.
> Although, a customer could have us clone a drive for a malware issue if
> they so desired. By default, we always copied docs, favorites, emails
> etc before doing anything... But, you know, different places have
> different policies.
I work mostly with home users and small businesses and a
lot of times they have personal stuff they want to save. So I'll
do a quick backup of that data and then I'll do the full backup.
Sometimes they just want a reinstall. There are times when they
tell me not to backup because the data isn't important. In
David's response he seems worried about saving data so I
wondered why he wouldn't backup.
>
> Why do you spend the additional time to clone an entire drive for a
> malware removal job?
It doesn't take that long most of the time and it's a lot
safer for the user's data. In most cases it actually takes
longer to install, upgrade and reinstall software for the
customer. Most of the time I backup less than 150GB.
>
>>>
>>>> I know there are a lot of fly-by-night computer repair
>>>> people who are just there to do a quick fix and get paid, I find
>>>> myself cleaning up after a lot of them.
>>>
>>> I've encountered a few of those in my time as well.... I enjoy the
>>> work they provide me tho.
>>
>> Me too. I especially get a kick out of the ones who don't
>> do backups and leave various screws out.
>
> Or, use the wrong screws and strip one of the drives :)
>
>>> Tell me something, John, as a PROFESSIONAL, have
>>> you written any of the tools you use for cleanup; or do you use the
>>> work others have written, such as myself, David lipman and many
>>> others?
>>>
>>
>> For the record, I'm not trying to get into some pissing
>> contest. I was just making a suggestion as to how to fix the
>> problem laid out in the OP.
>
> I understand. It just seemed as if you were being a wiseass towards
> David, from my POV. I didn't personally see any need in doing that. We
> can all be professional and civil here.
David was being a wiseass himself and I can understand why
he didn't respond. He seemed worried about losing data by simply
removing the system restore points so I naturally wondered why,
a backup can solve this problem. I guess he realized it was a
good idea so then he got snippy.
>
>> I use software others have written. I'm not a software
>> engineer. I'm a professional computer repair person. I find that
>> competence in one profession such as software engineering
>> doesn't translate into something else like tech support. I've
>> been repairing computers for close to 25 years and have learned
>> a lot. One thing I've learned is a backup saves a lot of trouble
>> and allows for different approaches to be tried.
>
> Well, a backup is a good way of having an escape route should something
> go wrong. :) From a software aspect tho, I haven't really encountered
> much malware that would justify the time I spent on imaging the drive
> first. I wasn't in charge of billing tho, so that may have played a
> part in that.
I don't work for any company I work freelance. Like I said
most backups are small and usually take from 20 minutes to a
couple of hours. I don't charge by the hour I charge by the job.
>
>> So tell me what products have you and David Lipman
>> written and where can I check them out?
>
> I've written all kinds of old utility style apps, as you've been around
> so long you might know a few of them.. Cmoscon, encode, delock, and
> various others. If your into crypto/security, you might even know the
> old dos file/freespace wiping app called NuKE and/or possibly CryptX.
>
I've heard of some of those.
> In more recent times, I developed an antimalware scanner (that's why I
> found your description on how they worked amusing. hehehe) called
> BugHunter. I did a stint as a malware researcher for an app called
> Malwarebytes antimalware..
>
I don't know why you would find it funny because a
virus writer will use anything to hide a virus. What smarter way
is to hide them in each and every folder in "system volume
information"? I do believe that what the system had was a
variant of the Virtumonde trojan. If you did research on malware
then you know virus writers will take existing malware and
modify it. I found one thing to be true in the world of malware,
NOBODY knows everything about every malware variant out there.
You can believe me or not, it doesn't matter.
~BD~
You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?
There is school of thought that suggests that once a computer has been
compromised, one can never be *certain* that it is clean - and that it
is always best to re-install the operating system ...... on a formatted
hard disk, wiping out all partitions first.
I'm just a user - but that's how I think too! ;-)
--
Dave - I've enjoyed reviewing John's posts!
~BD~
Dustin
Theres your odd attitude again. What makes you think I wasn't working
for someone else when I did those things? Obviously since I didn't own
the shop, I was working for someone else.
Btw, What certifications do you presently hold? I'm just lowly
A+/network+ (back when that stupid thing was still considered worth the
paper it's printed on). Are you MCSE?
I completely understand the backup scenarios..
>> We would typically reserve cloning drives for hardware failure
>> signs. Although, a customer could have us clone a drive for a
>> malware issue if they so desired. By default, we always copied
>> docs, favorites, emails etc before doing anything... But, you know,
>> different places have different policies.
>
> I work mostly with home users and small businesses and a
> lot of times they have personal stuff they want to save. So I'll
> do a quick backup of that data and then I'll do the full backup.
> Sometimes they just want a reinstall. There are times when they
> tell me not to backup because the data isn't important. In
> David's response he seems worried about saving data so I
> wondered why he wouldn't backup.
I see. It's the corp customers who can be.. a bit, on the anal side at
times. At the end of the day tho, you do whatever customer wants.
>>
>> Why do you spend the additional time to clone an entire drive for a
>> malware removal job?
>
> It doesn't take that long most of the time and it's a lot
> safer for the user's data. In most cases it actually takes
> longer to install, upgrade and reinstall software for the
> customer. Most of the time I backup less than 150GB.
I'm just wondering what you mean by safer for the users data then I
guess. If it's a malware issue, the users data itself shouldn't be
affected much if at all; it's the applications and little.. extras that
may be of concern.
>> I understand. It just seemed as if you were being a wiseass towards
>> David, from my POV. I didn't personally see any need in doing that.
>> We can all be professional and civil here.
>
> David was being a wiseass himself and I can understand why
> he didn't respond. He seemed worried about losing data by simply
> removing the system restore points so I naturally wondered why,
> a backup can solve this problem. I guess he realized it was a
> good idea so then he got snippy.
Well, along with potentially good dlls you might want to use to avoid
having to reinstall; comes several stages of the systems registry
hives. All valuable if your into recovering the system, as opposed to
wiping and starting over. I see no reason to obliterate the restore
points right away; They still contain potentially useful data to me.
What seperates some professionals from others is the ability to restore
the system without resorting to wiping and reloading as really, anybody
could do that. In many cases, not all, but many, you don't have to wipe
and reload the entire system to get rid of the malware.
Could you imagine, reloading the system to get rid of antivirusxp2010?
You'd agree, that would be an incompetent action to take?
>>
>>> I use software others have written. I'm not a software
>>> engineer. I'm a professional computer repair person. I find that
>>> competence in one profession such as software engineering
>>> doesn't translate into something else like tech support. I've
>>> been repairing computers for close to 25 years and have learned
>>> a lot. One thing I've learned is a backup saves a lot of trouble
>>> and allows for different approaches to be tried.
>>
>> Well, a backup is a good way of having an escape route should
>> something go wrong. :) From a software aspect tho, I haven't really
>> encountered much malware that would justify the time I spent on
>> imaging the drive first. I wasn't in charge of billing tho, so that
>> may have played a part in that.
>
> I don't work for any company I work freelance. Like I said
> most backups are small and usually take from 20 minutes to a
> couple of hours. I don't charge by the hour I charge by the job.
Ahh, well.. I worked for one shop for just over a decade.. had some
prior real world experience from other shops voc and what I did as a
kiddo... I'll do the freelance thing when it's necessary, but I don't
halfass the job. Like I said, I've been doing this ten years or so less
than you and have yet to lose anyones data; providing they called me in
time...
>>
>>> So tell me what products have you and David Lipman
>>> written and where can I check them out?
>>
>> I've written all kinds of old utility style apps, as you've been
>> around so long you might know a few of them.. Cmoscon, encode,
>> delock, and various others. If your into crypto/security, you might
>> even know the old dos file/freespace wiping app called NuKE and/or
>> possibly CryptX.
>>
>
> I've heard of some of those.
>
>> In more recent times, I developed an antimalware scanner (that's
>> why I found your description on how they worked amusing. hehehe)
>> called BugHunter. I did a stint as a malware researcher for an app
>> called Malwarebytes antimalware..
>>
>
> I don't know why you would find it funny because a
> virus writer will use anything to hide a virus. What smarter way
> is to hide them in each and every folder in "system volume
> information"? I do believe that what the system had was a
> variant of the Virtumonde trojan. If you did research on malware
> then you know virus writers will take existing malware and
> modify it. I found one thing to be true in the world of malware,
> NOBODY knows everything about every malware variant out there.
> You can believe me or not, it doesn't matter.
Well, I found it funny from the point of view of a former virus writer
turned whitehat. Does that make any sense to you?
Why would I spend the time to hide a virus in a folder, when I could
choose files? You could just delete me if I stored myself in a folder
in a binary format alone. If I reside in your files instead, I'm alot
harder to deal with.
I know some virus writers have used existing code and modified that
yes. However, the majority of the crap I've seen passing for malware
these days typically isn't actually viral in nature. A virus is no
accident, ya see.
It's entirely possible the individual does have a virut varient, I
haven't seen the sample to confirm or deny that. Based only on what Ant
has written up about it tho, doesn't seem to indicate virut; but
something possibly forked from the same original codebase.
How as a virus would I be able to hide if you examined the drive from a
system that didn't start off of it? It's a rhetorical question... :)
--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.
---
Dustin
~BD~ <BoaterDave~no.spam~@hotmail.co.uk> wrote in
news:toGdnU4lcMazdsjR...@bt.com:
>>> We would typically reserve cloning drives for hardware failure
>>> signs. Although, a customer could have us clone a drive for a
>>> malware issue if they so desired. By default, we always copied
>>> docs, favorites, emails etc before doing anything... But, you
>>> know, different places have different policies.
>>
>> I work mostly with home users and small businesses and a lot of
>> times they have personal stuff they want to save. So I'll do a
>> quick backup of that data and then I'll do the full backup.
>> Sometimes they just want a reinstall. There are times when they
>> tell me not to backup because the data isn't important. In David's
>> response he seems worried about saving data so I wondered why he
>> wouldn't backup.
>>
>>>
>>> Why do you spend the additional time to clone an entire drive for
>>> a malware removal job?
>>
>> It doesn't take that long most of the time and it's a lot safer for
>> the user's data. In most cases it actually takes longer to install,
>> upgrade and reinstall software for the customer. Most of the time I
>> backup less than 150GB.
>>
>>>
>>>>>
>>>>>> I know there are a lot of fly-by-night computer repair
>>>>>> people who are just there to do a quick fix and get paid, I
>>>>>> find myself cleaning up after a lot of them.
>>>>>
>>>>> I've encountered a few of those in my time as well.... I enjoy
>>>>> the work they provide me tho.
>>>>
>>>> Me too. I especially get a kick out of the ones who don't
>>>> do backups and leave various screws out.
>>>
>>> Or, use the wrong screws and strip one of the drives :)
>>>
>>>>> Tell me something, John, as a PROFESSIONAL, have
>>>>> you written any of the tools you use for cleanup; or do you use
>>>>> the work others have written, such as myself, David lipman and
>>>>> many others?
>>>>>
>>>>
>>>> For the record, I'm not trying to get into some pissing
>>>> contest. I was just making a suggestion as to how to fix the
>>>> problem laid out in the OP.
>>>
>>> I understand. It just seemed as if you were being a wiseass
>>> towards David, from my POV. I didn't personally see any need in
>>> doing that. We can all be professional and civil here.
>>
>> David was being a wiseass himself and I can understand why he
>> didn't respond. He seemed worried about losing data by simply
>> removing the system restore points so I naturally wondered why, a
>> backup can solve this problem. I guess he realized it was a good
>> idea so then he got snippy.
>>
>>>
>>>> I use software others have written. I'm not a software
>>>> engineer. I'm a professional computer repair person. I find that
>>>> competence in one profession such as software engineering
>>>> doesn't translate into something else like tech support. I've
>>>> been repairing computers for close to 25 years and have learned
>>>> a lot. One thing I've learned is a backup saves a lot of trouble
>>>> and allows for different approaches to be tried.
>>>
>>> Well, a backup is a good way of having an escape route should
>>> something go wrong. :) From a software aspect tho, I haven't
>>> really encountered much malware that would justify the time I
>>> spent on imaging the drive first. I wasn't in charge of billing
>>> tho, so that may have played a part in that.
>>
>> I don't work for any company I work freelance. Like I said most
>> backups are small and usually take from 20 minutes to a couple of
>> hours. I don't charge by the hour I charge by the job.
>>
>>>
>>>> So tell me what products have you and David Lipman
>>>> written and where can I check them out?
>>>
>>> I've written all kinds of old utility style apps, as you've been
>>> around so long you might know a few of them.. Cmoscon, encode,
>>> delock, and various others. If your into crypto/security, you
>>> might even know the old dos file/freespace wiping app called NuKE
>>> and/or possibly CryptX.
>>>
>>
>> I've heard of some of those.
>>
>>> In more recent times, I developed an antimalware scanner (that's
>>> why I found your description on how they worked amusing. hehehe)
>>> called BugHunter. I did a stint as a malware researcher for an app
>>> called Malwarebytes antimalware..
>>>
>>
>> I don't know why you would find it funny because a virus writer
>> will use anything to hide a virus. What smarter way is to hide them
>> in each and every folder in "system volume information"? I do
>> believe that what the system had was a variant of the Virtumonde
>> trojan. If you did research on malware then you know virus writers
>> will take existing malware and modify it. I found one thing to be
>> true in the world of malware, NOBODY knows everything about every
>> malware variant out there. You can believe me or not, it doesn't
>> matter.
>>
>> John
>
> You do appreciate that Dustin Cook was once a virus writer himself,
> don't you, John?
Does it matter that much, BD? Do you feel I haven't been honest with
the fellow and so you need to remind persons of that aspect?
> There is school of thought that suggests that once a computer has
> been compromised, one can never be *certain* that it is clean - and
> that it is always best to re-install the operating system ...... on
> a formatted hard disk, wiping out all partitions first.
That school of thought does exist, yes. I don't subscribe to it tho.
Buffalo
~BD~ wrote:
> ~BD~ forgot to add the link showing support for his view!
>
> http://technet.microsoft.com/en-us/library/cc512587.aspx
Finally, you clipped all the crap!!! Yippee!!!
Buffalo
David H. Lipman
| That school of thought does exist, yes. I don't subscribe to it tho.
It does exist. However first you perform a Cost Benefit Analysis (CBA).
David H. Lipman
< snip >
The important aspect is one of NTFS permissions. More than just the average malware can't
access "system volume information" and certainly NOT the Vundo family (including Virtumone
adware).
@nomail.afraid.org FromTheRafters
news:toGdnUklcMbUccjR...@bt.com...
> ~BD~ forgot to add the link showing support for his view!
>
> http://technet.microsoft.com/en-us/library/cc512587.aspx
He added a qualifier here:
"If you have a system that has been completely compromised, the only thing
you can do is to flatten the system (reformat the system disk) and rebuild
it from scratch (reinstall Windows and your applications)."
I can agree with that. The thing is, what do you consider to be a compromise
and what do you consider to be a complete compromise?
If I discover a downloader downloaded some adware, I might just remove the
adware. If it downloaded some various and sundry other malware then the
"unknown" factor becomes prevalent - and flatten and rebuild becomes the
best route. A known trojan application for fake-AV scareware probably
doesn't require such drastic measures. If I figure the ingress vector was a,
since patched, vulnerability exploit worm, I wouldn't just automatically
assume that hackers have also used that exploits zero-day window to increase
the "unknown" factor - I would just address the worm.
Not that he's wrong, a healthy paranoia is a good security asset. The value
of the protected resource figures in heavily as well.
John Slade
I didn't know Dustin Cook existed until he responded for
you. But I've been reading some in alt.comp.viruses and I find
it well...interesting... If he wrote viruses then he more than
anyone should know that what I said happened is indeed possible.
> There is school of thought that suggests that once a computer has been
> compromised, one can never be *certain* that it is clean - and that it
> is always best to re-install the operating system ...... on a formatted
> hard disk, wiping out all partitions first.
That school of thought is pretty common but I've found
that the vast majority of infected systems can be saved without
reformatting and installing. It all depends on what the malware
is and how much damage has been done. If formatting every
infected HD at the sign of malware, very little data would be
saved unless you backup important data.
>
> I'm just a user - but that's how I think too! ;-)
>
I'm a user and I find that backups save me a lot of
trouble. I know my HD will fail. As a repair tech, I know my
customer's HD will fail so I backup. Some of my customers want
to save the data so I backup before I remove malware. Some don't
care and ask me to format and install.
I've been reading some in alt.comp.virus and it's pretty
amusing.... I'm starting to understand more and more why I'm
getting the responses I'm getting... ;)
John
John Slade
I was thinking the same exact thing.
John
John Slade
Well you made it sound like you were doing it for yourself.
>
> Btw, What certifications do you presently hold? I'm just lowly
> A+/network+ (back when that stupid thing was still considered worth the
> paper it's printed on). Are you MCSE?
>
I took courses and wound up teaching an A+ class. A+ is a
good place to start for someone looking to get certified for
work at some company that requires that cert. I view the MCSE
certification as pretty much a money making scam. I look at MCSE
certifications as a joke in many cases because some courses just
teach people how to pass the certification test. I took a long
MSCE certification course but I never needed to be certified as
I went into business for myself. I found most of the things
covered was knowledge I already had. I also found that many MSCE
"certified" people don't know a lot. Well they do know how to
pass that test!
I don't need any of those certifications, it's a waste of
money.
>>> We would typically reserve cloning drives for hardware failure
>>> signs. Although, a customer could have us clone a drive for a
>>> malware issue if they so desired. By default, we always copied
>>> docs, favorites, emails etc before doing anything... But, you know,
>>> different places have different policies.
>>
>> I work mostly with home users and small businesses and a
>> lot of times they have personal stuff they want to save. So I'll
>> do a quick backup of that data and then I'll do the full backup.
>> Sometimes they just want a reinstall. There are times when they
>> tell me not to backup because the data isn't important. In
>> David's response he seems worried about saving data so I
>> wondered why he wouldn't backup.
>
> I see. It's the corp customers who can be.. a bit, on the anal side at
> times. At the end of the day tho, you do whatever customer wants.
>
>>>
>>> Why do you spend the additional time to clone an entire drive for a
>>> malware removal job?
>>
>> It doesn't take that long most of the time and it's a lot
>> safer for the user's data. In most cases it actually takes
>> longer to install, upgrade and reinstall software for the
>> customer. Most of the time I backup less than 150GB.
>
> I'm just wondering what you mean by safer for the users data then I
> guess. If it's a malware issue, the users data itself shouldn't be
> affected much if at all; it's the applications and little.. extras that
> may be of concern.
It's not JUST the malware issue, I already explained that
often HDs I work on are pretty old. Also when you start cleaning
files the system may not boot, data may be destroyed. There are
lots of reasons to backup and that's what I learned over the years.
>
>>> I understand. It just seemed as if you were being a wiseass towards
>>> David, from my POV. I didn't personally see any need in doing that.
>>> We can all be professional and civil here.
>>
>> David was being a wiseass himself and I can understand why
>> he didn't respond. He seemed worried about losing data by simply
>> removing the system restore points so I naturally wondered why,
>> a backup can solve this problem. I guess he realized it was a
>> good idea so then he got snippy.
>
> Well, along with potentially good dlls you might want to use to avoid
> having to reinstall; comes several stages of the systems registry
> hives. All valuable if your into recovering the system, as opposed to
> wiping and starting over. I see no reason to obliterate the restore
> points right away; They still contain potentially useful data to me.
>
You may or may not have to delete restore points. It
depends on the particular malware.
> What seperates some professionals from others is the ability to restore
> the system without resorting to wiping and reloading as really, anybody
> could do that. In many cases, not all, but many, you don't have to wipe
> and reload the entire system to get rid of the malware.
Yea that's why I find making a backup allows me to make a
mistake if removing the malware causes the installation to be
trashed and it does happen.
>
> Could you imagine, reloading the system to get rid of antivirusxp2010?
> You'd agree, that would be an incompetent action to take?
I've removed that particular infection before and didn't
need to reinstall anything.
Well you could chose particular files in the restore
point folders, you could tell it to create a restore point and
infect the system files. The advantage is the malware scanner
will not clean it because it's a read only folder by default.
>
> It's entirely possible the individual does have a virut varient, I
> haven't seen the sample to confirm or deny that. Based only on what Ant
> has written up about it tho, doesn't seem to indicate virut; but
> something possibly forked from the same original codebase.
>
All I remember is that the many restore points were all
infected with the same malware. Restore points that were there
before the malware was installed by the user. The malware was in
some pirated software that was installed a couple of days before
I was called.
John
John Slade
As far as you know...
John
David H. Lipman
>> < snip>
And I *know* a lot. It is known for hooking into IE through BHO and Winlogon via
Winlogon\Notify and more recently via the Local Security Authority Subsystem Service. And
I know its intial infection vector was through Java Exploits. I remember when they first
hit and I have seen the tools that were used to erradicate up to and including MBAM. You
read where Dustin was an employee of Malwarebytes. Dustin and I were both employee
Malware Researchers for Malwarebytes :-)
{ BTW: I also know I spelled Virtumonde wrong :-) }
@nomail.afraid.org FromTheRafters
news:Xyo5o.41721$OU6....@newsfe20.iad...
[...]
>>> I don't know why you would find it funny because a virus writer will use
>>> anything to hide a virus. What smarter way is to hide them in each and
>>> every folder in "system volume information"?
> I didn't know Dustin Cook existed until he responded for you. But I've
> been reading some in alt.comp.viruses and I find it well...interesting...
> If he wrote viruses then he more than anyone should know that what I said
> happened is indeed possible.
Because he understands true viruses, he knows that they don't need to hide
themselves in folders.
I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.
Some malware sorta infests the "System Volume Information" folder - what
actually happens is that when the AV requests deletion of a detected malware
file, the OS makes a copy and stores it there just in case you didn't
*really* want it deleted.
David H. Lipman
| [...]
It doesn't really have to do with an anti malware application deleting a file. That the
Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.
In this case the OS will take executable binaries and other OS related files and place
copies in the System Restore Cache. All I have to do is download and EXE or DLL and it
will be in the cache and reference the location of where it was in the OS. And it doesn't
really infest the "System Volume Information\_restore" folder. It lays dormant in there
until the user decides to restore a break point. Then it will take the executable binary
and other OS related files and place them back in the original location thus reviving them
from dormancy. However malware is not know to "hide" itself in "System Volume
Information" while operating within the OS.
John Slade
That's all well and good but as you know there are strains
of trojans and worms that are unknown. It may or may not have
been Virtumonde or a version of it, it very well may have been
some other malware that dropped Virtumonde. I'm sure you know
there is malware out there that will drop multiple trojans and
worms on a system. But whatever it was, I was never afraid to do
what it took to get rid of it. That's why I make a backup before
I clean badly infected systems.
I can tell you this, after I got rid of all the system
restore points, some malware looked for files in the restore
folders and couldn't find them. I got the popup saying the files
were not found in that directory. I did a final scan and when I
removed the malware this time it stayed gone. The system ran
with no problems until the teenager put something else on it
months later.
John Slade
> "John Slade"<hhit...@pacbell.net> wrote in message
> news:Xyo5o.41721$OU6....@newsfe20.iad...
>
> [...]
>
>>>> I don't know why you would find it funny because a virus writer will use
>>>> anything to hide a virus. What smarter way is to hide them in each and
>>>> every folder in "system volume information"?
>
>> I didn't know Dustin Cook existed until he responded for you. But I've
>> been reading some in alt.comp.viruses and I find it well...interesting...
>> If he wrote viruses then he more than anyone should know that what I said
>> happened is indeed possible.
>
> Because he understands true viruses, he knows that they don't need to hide
> themselves in folders.
>
> I don't think he would have said what he said if you had said worms, or
> malware, instead of viruses.
Well "virus" is a generic term these days. I was talking
about worms and/or trojans, I was using "virus" as a generic
term. I guess that clears it up.
John
John Slade
As far as you know, no malware writer used that method.
Nobody knows everything.
John
Dustin
virus isn't a generic term, then or now. As a professional, I think it
unwise of you to generalize what might be ailing the patient.
Dustin
My boss paid for the tests, it just cost me some driving time. As I've
been doing the computer thing since the trash80 series was actually new
and hot stuff to some, I didn't really need to study for the exam.
While tandy's computers were proprietary in nature, they had some
things in common with cp/m and later dos machines. Besides, it beat
tracing a grounding problem on an AT mainboard keyboard port. <G>
The shop I worked at actually fixed problems, we didn't ship to
manufacturer or sell you a new mainboard if components could be
replaced cheaper and still bring the system back to it's original self.
None of us were afraid of soldering pencils or precision electronics,
everyone at the shop had a background in it.
So, as a professional with years on me, do you replace boards or
actually get down and dirty with them?
> "certified" people don't know a lot. Well they do know how to
> pass that test!
I would tend to agree with that statement, based on the future
technicians who will eventually be replacing me. :)
> I don't need any of those certifications, it's a waste of
> money.
It looks nice on paper, tho. :) I like you didn't bother to fork out
the 2grand for the MCSE certs, I watched a friend of mine who knew next
to nothing about computers; get MCSE inside of 3 months time. So, yea,
I'm in complete agreement with you about them. Lots of reading, a very
small amount of practice in the LAN I configured for him, and walla;
MCSE certified; but doesn't know his ass from a hole in the ground.
>> I'm just wondering what you mean by safer for the users data then I
>> guess. If it's a malware issue, the users data itself shouldn't be
>> affected much if at all; it's the applications and little.. extras
>> that may be of concern.
>
> It's not JUST the malware issue, I already explained that
> often HDs I work on are pretty old. Also when you start cleaning
> files the system may not boot, data may be destroyed. There are
> lots of reasons to backup and that's what I learned over the years.
True, plenty of reasons to backup and I certainly don't disagree with
one who is strict with a decent backup policy; I just don't really see
the need to do it for a malware removal job alone.
>>
>>>> I understand. It just seemed as if you were being a wiseass
>>>> towards David, from my POV. I didn't personally see any need in
>>>> doing that. We can all be professional and civil here.
>>>
>>> David was being a wiseass himself and I can understand why
>>> he didn't respond. He seemed worried about losing data by simply
>>> removing the system restore points so I naturally wondered why,
>>> a backup can solve this problem. I guess he realized it was a
>>> good idea so then he got snippy.
>>
>> Well, along with potentially good dlls you might want to use to
>> avoid having to reinstall; comes several stages of the systems
>> registry hives. All valuable if your into recovering the system, as
>> opposed to wiping and starting over. I see no reason to obliterate
>> the restore points right away; They still contain potentially
>> useful data to me.
>>
>
> You may or may not have to delete restore points. It
> depends on the particular malware.
I know of no malware which would force me to toss an entire restore
point. I can just go into the folder from another system and do what
needs to be done; without endangering said system.
>> What seperates some professionals from others is the ability to
>> restore the system without resorting to wiping and reloading as
>> really, anybody could do that. In many cases, not all, but many,
>> you don't have to wipe and reload the entire system to get rid of
>> the malware.
>
> Yea that's why I find making a backup allows me to make a
> mistake if removing the malware causes the installation to be
> trashed and it does happen.
Be careful and take your time. Safety first and all that. :)
>> Well, I found it funny from the point of view of a former virus
>> writer turned whitehat. Does that make any sense to you?
>
>>
>> Why would I spend the time to hide a virus in a folder, when I
>> could choose files? You could just delete me if I stored myself in
>> a folder in a binary format alone. If I reside in your files
>> instead, I'm alot harder to deal with.
>
> Well you could chose particular files in the restore
> point folders, you could tell it to create a restore point and
> infect the system files. The advantage is the malware scanner
> will not clean it because it's a read only folder by default.
Hmm. I'm guessing you don't know how the restore functions in windows
actually works. I'll clue you in.. If I so much as edit a
sys/dll/com/exe file in the windows folders a restore point is
automatically created so long as system restore is turned on. That
restore point will backup the file before my changes are finalized on
disk. Unless, I override system restore and do it directly.
The folder itself isn't exactly read-only by permissions alone, again,
the resident system restore dlls keep you out; but you can still scan
inside with it running if you do low level calls.
>>
>> It's entirely possible the individual does have a virut varient, I
>> haven't seen the sample to confirm or deny that. Based only on what
>> Ant has written up about it tho, doesn't seem to indicate virut;
>> but something possibly forked from the same original codebase.
>>
>
> All I remember is that the many restore points were all
> infected with the same malware. Restore points that were there
> before the malware was installed by the user. The malware was in
> some pirated software that was installed a couple of days before
> I was called.
I don't suppose you kept a sample for analysis?
David H. Lipman
>> [...]
The term "malware" is generic.
The term "virus" is quite specific.
David H. Lipman
| That's all well and good but as you know there are strains
| of trojans and worms that are unknown. It may or may not have
| been Virtumonde or a version of it, it very well may have been
| some other malware that dropped Virtumonde. I'm sure you know
| there is malware out there that will drop multiple trojans and
| worms on a system. But whatever it was, I was never afraid to do
| what it took to get rid of it. That's why I make a backup before
| I clean badly infected systems.
| I can tell you this, after I got rid of all the system
| restore points, some malware looked for files in the restore
| folders and couldn't find them. I got the popup saying the files
| were not found in that directory. I did a final scan and when I
| removed the malware this time it stayed gone. The system ran
| with no problems until the teenager put something else on it
| months later.
I agree, there are "...strains of trojans and worms that are unknown."
However there is a relatively finite capability that they employ. Usually one repeats the
success of another and builds upon that success. What becomes new is not what they do
within the file system, it is what they do in the Registry or employing different
programmng techniques and Kernel constructs.
FromTheRafters
Now, you're just being silly.
FromTheRafters
Yep, clear as rain. You don't know the terminology, don't care, yet we
are supposed to believe that you know what you are talking about.
That's it, huh?
John Slade
I got my start in electronics and have a background in
that too. I took college courses in electronics and am no
stranger to repairing circuit boards. I'm no stranger to
soldering irons. Well that's what we called them. I used to
repair TVs, radios and such years ago.
>
> So, as a professional with years on me, do you replace boards or
> actually get down and dirty with them?
When I need to repair a blown component like a bad sound
card, video card or controller card, I replace it. I haven't
needed to repair an actual circuit board for at least 15 years.
The last component level repairs I did for a computer was
replacing burned out components on my old Amiga computer's
motherboard. But I gave up on all that stuff, just not worth the
hassle any more especially with these newer multilayer boards
with tiny components and surface mounted chips. It can be done
but it's usually not worth it.
>
>> "certified" people don't know a lot. Well they do know how to
>> pass that test!
>
> I would tend to agree with that statement, based on the future
> technicians who will eventually be replacing me. :)
>
>> I don't need any of those certifications, it's a waste of
>> money.
>
> It looks nice on paper, tho. :) I like you didn't bother to fork out
> the 2grand for the MCSE certs, I watched a friend of mine who knew next
> to nothing about computers; get MCSE inside of 3 months time. So, yea,
> I'm in complete agreement with you about them. Lots of reading, a very
> small amount of practice in the LAN I configured for him, and walla;
> MCSE certified; but doesn't know his ass from a hole in the ground.
>
MCSE is pretty useless in my current repair field.
However it's good to learn if you take a proper course such as a
computer science course at a college. I took a three-month MSCE
course and found I had already learned most of the stuff on my own.
I used Bitdefender's bootable CD to remove malware from the
restore point files and it did not solve the problem. I rebooted
and the malware was written there again. Only when I turned off
system restore and when I rebooted, I got a popup stating that
it couldn't find a file in the system restore folders that were
deleted. Then I did a final scan and the malware was gone,
system fixed.
I know how system restore works and I'm 100% sure it can
be exploited by malware writers.
>>>
>>> It's entirely possible the individual does have a virut varient, I
>>> haven't seen the sample to confirm or deny that. Based only on what
>>> Ant has written up about it tho, doesn't seem to indicate virut;
>>> but something possibly forked from the same original codebase.
>>>
>>
>> All I remember is that the many restore points were all
>> infected with the same malware. Restore points that were there
>> before the malware was installed by the user. The malware was in
>> some pirated software that was installed a couple of days before
>> I was called.
>
> I don't suppose you kept a sample for analysis?
No. I just clean them I don't study them. I do this sort
of thing a lot and don't really keep track of each piece of
malware I remove. I remove scores and hundreds of trojans and
worms from systems. I probably still have the scan log though if
I find it I'll post it here. This was more than a year ago when
I removed it.
John
TBerk
> TBerk <bayareab...@yahoo.com> wrote innews:970494cd-6a7b-436e...@v6g2000prd.googlegroups.com:
>
>
>
> > On Jul 29, 12:46Â am, sfdavidka...@yahoo.com (David Kaye) wrote:
> > <snip>
> >> In over 8 years doing this full time I've only had to reformat
> >> maybe 4 ti
> > mes. Â
> >> I've had to reinstall the OS about 10 times. Â But this one really
> >> caugh
> > t me by
> >> surprise.
>
> > Lets see...
>
> > CP/M
> > 8" floppy disks
> > 5 1/4" floppies, but with Hard Sector holes cut in them
> > Data Storage on Cassette Tape
> > Soldering together your own Serial Cable to make sure you got the
> > Handshaking right.
>
> > Eight years, heh heh. Â (Not flam'n,) just ruminating nostalgically.
>
> > Hell, 'the Cuckoo's Egg' for that matter.
>
> > TBerk
> > Now I want to pop some corn and go watch a 'Sneakers' & 'Hackers'
> > double bill...
>
> Which did you find to be more realistic for it's time? Sneakers or
> Hackers?
>
Sneakers, (I'm tempted to add "of course" to that).
'Hacker's was aimed at a younger audience, was 'hip' and 'kool' and so
on*. 'Sneakers on the other hand, while still making concessions to
Hollywood and the necessary evils of getting a story tot he screen,
was sly about dropping insider wink-wink knowledge and wasn't afraid
to talk over the head of the audience, a bit, for what we might take
as authenticity.
Another difference is that 'Hackers' was ladened w/ trying to describe
hacking a system with a graphical interface that looked like
Microsoft Flight Simulator, "but better".
*(Hackers was also infamous for the young Angelina Jolie 'dream
sequence...). hubba, hubba. <--- (gratuitous, rhetorical reference
and requisite response complete.)
Of the two, 'Hackers' is more silly fun & 'Sneakers' is more mature,
serious fun. I make that observation not just based on the ave. age of
the cast btw.
If you care to think about it, both raise interesting questions about
Security vs Freedom, (and Responsibility for that matter).
TBerk
Dustin
Odd. I'm familiar with soldering irons as well as pencils, and we
typically use the pencils for detail work that the iron generates too
much heat for. Irons aren't good for changing out small transistors,
IC's or caps due to the risk of damage, and especially these days with
a pile of components nearby the one that has to be replaced; a pencil
is the only way to safely do it. Lower wattage, less heat.
I got my start outside of my house reparing neighborhood tvs, vcrs,
etc; but I was something like 9 or 10 years old doing that stuff. I
enjoyed it, and I didn't burn anything up that wasn't mine.
>>
>> So, as a professional with years on me, do you replace boards or
>> actually get down and dirty with them?
>
> When I need to repair a blown component like a bad sound
> card, video card or controller card, I replace it. I haven't
> needed to repair an actual circuit board for at least 15 years.
So you haven't seen the leaking capacitor issue in your time
professionally repairing PCs? If you have, did you upsell your client
instead of replacing the caps? You can find them pretty cheap, in 50-
100 packs; enough to do several boards...
> The last component level repairs I did for a computer was
> replacing burned out components on my old Amiga computer's
> motherboard. But I gave up on all that stuff, just not worth the
> hassle any more especially with these newer multilayer boards
> with tiny components and surface mounted chips. It can be done
> but it's usually not worth it.
You don't work with laptops much eh? They're bad about breaking the
power connector on the mainboard. In those cases, what do you do?
>> It looks nice on paper, tho. :) I like you didn't bother to fork
>> out the 2grand for the MCSE certs, I watched a friend of mine who
>> knew next to nothing about computers; get MCSE inside of 3 months
>> time. So, yea, I'm in complete agreement with you about them. Lots
>> of reading, a very small amount of practice in the LAN I configured
>> for him, and walla; MCSE certified; but doesn't know his ass from a
>> hole in the ground.
>>
>
> MCSE is pretty useless in my current repair field.
> However it's good to learn if you take a proper course such as a
> computer science course at a college. I took a three-month MSCE
> course and found I had already learned most of the stuff on my own.
I see no reason to take a college course for material I already know
likely better than the instructor. Nothing beats hands on real world
experience.
>> I know of no malware which would force me to toss an entire restore
>> point. I can just go into the folder from another system and do
>> what needs to be done; without endangering said system.
>>
>
> I used Bitdefender's bootable CD to remove malware from the
> restore point files and it did not solve the problem. I rebooted
> and the malware was written there again. Only when I turned off
If the malware was written back when you rebooted, you missed something
that was being given a chance to run when windows was booted normally.
> system restore and when I rebooted, I got a popup stating that
> it couldn't find a file in the system restore folders that were
> deleted. Then I did a final scan and the malware was gone,
> system fixed.
Again, thats on you for missing the file in the first place... Nobody
said you couldn't store a file in the system restore folder, in fact
you can. Seriously, professional to professional, you should have done
a more thorough check when you booted from a clean disc; and I don't
mean a bootable scanner disc, I mean a clean disc work environment: In
the future, I suggest you give a BartPE disc a try. It's like being in
windows, on cd. You can use console functions if your comfortable (I'm
home in console myself) or windows explorer style. Either way, it gives
you a full view of the contents of the hard disk; and you can come/go
to the system restore folder as you please, no protections preventing
you access will you find.
A file sitting in the root of system restore should NOT ever be
overlooked by a professional. you should notice something like that,
you should be looking for something like that just as you would random
named dlls present in the windows\system32 folder.
I'm not trying to talk down to you or anything like that, so don't
misunderstand me. Alright? I'm just stating some tips for you for
future work with malware.
>> Hmm. I'm guessing you don't know how the restore functions in
>> windows actually works. I'll clue you in.. If I so much as edit a
>> sys/dll/com/exe file in the windows folders a restore point is
>> automatically created so long as system restore is turned on. That
>> restore point will backup the file before my changes are finalized
>> on disk. Unless, I override system restore and do it directly.
>
> I know how system restore works and I'm 100% sure it can
> be exploited by malware writers.
Lemme rephrase myself, I understand how system restore works from the
end user Point of view; which would include yourself as your not a
programmer... And that of the programmer point of view. the way I
explained system restore is how it works behind the screen. What you
don't see as you don't read code, ok?
And what I described is indeed one way to exploit system restore to
your own advantage, by forcing it to do exactly what it's designed to
do. However, you can't claim the system restore folder itself is
infected if a binary file is placed there with a hidden/system
attribute set and you miss it when you boot clean. The folder itself
still isn't infected. It's no different than leaving the binary in the
\windows folder and setting the runkey to it, vs the system restore
folder. The only advantage the malware has by residing in system
restore instead is that windows by default will protect it somewhat
from users trying to mess with that folder contents under normal
conditions. That is the ONLY advantage you get as a malware executable
choosing that location over another; The OS will make some effort to
protect you as a side effect of keeping users from getting themselves
in trouble.
System restore has been well documented and all exploit avenues have
been fully covered in all kinds of various worms, viruses and trojans
at some point or another. Again, the only advantage you have from the
virus point of view is os protection from the user touching you via
normal methods. That doesn't mean you've infected system restore,
you're just abusing windows a little bit.
>> I don't suppose you kept a sample for analysis?
>
> No. I just clean them I don't study them. I do this sort
> of thing a lot and don't really keep track of each piece of
> malware I remove. I remove scores and hundreds of trojans and
> worms from systems. I probably still have the scan log though if
> I find it I'll post it here. This was more than a year ago when
> I removed it.
I see..
Dustin
news:23d28098-fc1b-4fb8...@h17g2000pri.googlegroups.com:
> On Jul 31, 4:23Â pm, Dustin <bughunter.dus...@gmail.com> wrote:
>> TBerk <bayareab...@yahoo.com> wrote
>> innews:970494cd-6a7b-436e-af3e-4e1d5c
> 67c...@v6g2000prd.googlegroups.com:
Hehehe.. And your opinion of wargames?
> If you care to think about it, both raise interesting questions
> about Security vs Freedom, (and Responsibility for that matter).
Yep.. that's true enough.
Steve Fenwick
Dustin <bughunte...@gmail.com> wrote:
> John Slade <hhit...@pacbell.net> wrote in
> news:i37va2$e0f$1...@news.eternal-september.org:
> > I got my start in electronics and have a background in
> > that too. I took college courses in electronics and am no
> > stranger to repairing circuit boards. I'm no stranger to
> > soldering irons. Well that's what we called them. I used to
> > repair TVs, radios and such years ago.
>
> Odd. I'm familiar with soldering irons as well as pencils, and we
> typically use the pencils for detail work that the iron generates too
> much heat for. Irons aren't good for changing out small transistors,
> IC's or caps due to the risk of damage, and especially these days with
> a pile of components nearby the one that has to be replaced; a pencil
> is the only way to safely do it. Lower wattage, less heat.
>
It might be a regionalism, or a Britishism/Americanism. In over 20 years
I've never used, or heard used, "soldering pencil" in a lab in the U.S.,
although I am familiar with the term. It's always been "soldering iron",
whether a giant thing to solder heavy cables, or a tool suited to tiny
ICs and SMT parts. Metcals are generally the best I've seen for small
devices; they put a high temperature (typically 600 to 700F) into a very
very small area very quickly (80W output).
Steve
--
steve <at> w0x0f <dot> com
"Life should not be a journey to the grave with the intention of
arriving safely in an attractive and well preserved body, but rather to
skid in sideways, chocolate in one hand, sidecar in the other, body thoroughly
used up, totally worn out and screaming "WOO HOO what a ride!"
John Slade
> In article<Xns9DC91AB3EAB...@69.16.185.247>,
> Dustin<bughunte...@gmail.com> wrote:
>
>> John Slade<hhit...@pacbell.net> wrote in
>> news:i37va2$e0f$1...@news.eternal-september.org:
>
>>> I got my start in electronics and have a background in
>>> that too. I took college courses in electronics and am no
>>> stranger to repairing circuit boards. I'm no stranger to
>>> soldering irons. Well that's what we called them. I used to
>>> repair TVs, radios and such years ago.
>>
>> Odd. I'm familiar with soldering irons as well as pencils, and we
>> typically use the pencils for detail work that the iron generates too
>> much heat for. Irons aren't good for changing out small transistors,
>> IC's or caps due to the risk of damage, and especially these days with
>> a pile of components nearby the one that has to be replaced; a pencil
>> is the only way to safely do it. Lower wattage, less heat.
>>
>
> It might be a regionalism, or a Britishism/Americanism. In over 20 years
> I've never used, or heard used, "soldering pencil" in a lab in the U.S.,
> although I am familiar with the term. It's always been "soldering iron",
> whether a giant thing to solder heavy cables, or a tool suited to tiny
> ICs and SMT parts.
Yea I've always used "soldering iron" as well no matter
the size.
John
Buffalo
Steve Fenwick wrote:
> In article <Xns9DC91AB3EAB...@69.16.185.247>,
>
> It might be a regionalism, or a Britishism/Americanism. In over 20
> years I've never used, or heard used, "soldering pencil" in a lab in
> the U.S., although I am familiar with the term. It's always been
> "soldering iron", whether a giant thing to solder heavy cables, or a
> tool suited to tiny ICs and SMT parts. Metcals are generally the best
> I've seen for small devices; they put a high temperature (typically
> 600 to 700F) into a very very small area very quickly (80W output).
>
> Steve
C'mon, you never heard of a soldering pen?
Buffalo
John Slade
Well most people I know call all of them "soldering irons"
no matter the size.
>
>>>
>>> So, as a professional with years on me, do you replace boards or
>>> actually get down and dirty with them?
>>
>> When I need to repair a blown component like a bad sound
>> card, video card or controller card, I replace it. I haven't
>> needed to repair an actual circuit board for at least 15 years.
>
> So you haven't seen the leaking capacitor issue in your time
> professionally repairing PCs? If you have, did you upsell your client
> instead of replacing the caps? You can find them pretty cheap, in 50-
> 100 packs; enough to do several boards...
I've seen just about everything that can cause a MB or card
to fail. I swap it out. I don't whip out a soldering iron at a
client's house to fix a throw-away component like a mother board
or card these days. It's just not worth the effort to get the
actual schematics and replace a teeny tiny resistor that has no
marking on it. You do of course know that not all components
exhibit actual visual signs of failure so you have to get a
meter to go in and test with a schematic on components. There is
other test equipment for motherboards Basically it would cost
the client lots of money and time. Today's components are best
replaced. Would you actually repair a $30 sound card?
>
>> The last component level repairs I did for a computer was
>> replacing burned out components on my old Amiga computer's
>> motherboard. But I gave up on all that stuff, just not worth the
>> hassle any more especially with these newer multilayer boards
>> with tiny components and surface mounted chips. It can be done
>> but it's usually not worth it.
>
> You don't work with laptops much eh? They're bad about breaking the
> power connector on the mainboard. In those cases, what do you do?
I do some repairs on laptops like replace bad components. I
don't do component level repairs when I can save time and money
buying a replacement part. I let the good folk who make the
laptop components to the refurbishing work.
>
>>> It looks nice on paper, tho. :) I like you didn't bother to fork
>>> out the 2grand for the MCSE certs, I watched a friend of mine who
>>> knew next to nothing about computers; get MCSE inside of 3 months
>>> time. So, yea, I'm in complete agreement with you about them. Lots
>>> of reading, a very small amount of practice in the LAN I configured
>>> for him, and walla; MCSE certified; but doesn't know his ass from a
>>> hole in the ground.
>>>
>
>>> I know of no malware which would force me to toss an entire restore
>>> point. I can just go into the folder from another system and do
>>> what needs to be done; without endangering said system.
>>>
>>
>> I used Bitdefender's bootable CD to remove malware from the
>> restore point files and it did not solve the problem. I rebooted
>> and the malware was written there again. Only when I turned off
>
> If the malware was written back when you rebooted, you missed something
> that was being given a chance to run when windows was booted normally.
>
No that's not what happened. This conversation is going
in circles, I told you what happened more than once.
>> system restore and when I rebooted, I got a popup stating that
>> it couldn't find a file in the system restore folders that were
>> deleted. Then I did a final scan and the malware was gone,
>> system fixed.
>
> Again, thats on you for missing the file in the first place... Nobody
> said you couldn't store a file in the system restore folder, in fact
> you can.
Well I'm glad we agree on something, it is possible for
the malware to behave like I said it did. Now that we've got
that cleared up. There is no need to waste my time explaining
what happened yet again.
John
Dustin
news:nospam-9B8B6B....@62-183-169-81.bb.dnainternet.fi:
80watts output would burn an IC up on a wave soldered board...
David H. Lipman
| In article <Xns9DC91AB3EAB...@69.16.185.247>,
| Dustin <bughunte...@gmail.com> wrote:
>> John Slade <hhit...@pacbell.net> wrote in
>> news:i37va2$e0f$1...@news.eternal-september.org:
>> > I got my start in electronics and have a background in
>> > that too. I took college courses in electronics and am no
>> > stranger to repairing circuit boards. I'm no stranger to
>> > soldering irons. Well that's what we called them. I used to
>> > repair TVs, radios and such years ago.
>> Odd. I'm familiar with soldering irons as well as pencils, and we
>> typically use the pencils for detail work that the iron generates too
>> much heat for. Irons aren't good for changing out small transistors,
>> IC's or caps due to the risk of damage, and especially these days with
>> a pile of components nearby the one that has to be replaced; a pencil
>> is the only way to safely do it. Lower wattage, less heat.
| It might be a regionalism, or a Britishism/Americanism. In over 20 years
| I've never used, or heard used, "soldering pencil" in a lab in the U.S.,
| although I am familiar with the term. It's always been "soldering iron",
| whether a giant thing to solder heavy cables, or a tool suited to tiny
| ICs and SMT parts. Metcals are generally the best I've seen for small
| devices; they put a high temperature (typically 600 to 700F) into a very
| very small area very quickly (80W output).
| Steve
I've always known the as "soldering irons" which goes back to the days prior to when the
were heated by and elecetric current when you put the iron in the fire, so to speak.
The best I ever had was powered by butane and used a catalyst to flamlessly burn the gas.
Great soldering iron, grat heat shrink device.
Dustin
That's like some electricians I know that call all 9" linemans pliers
klein, even tho they aren't. As klein is actually a company name.
While both are soldering irons, the smaller more detailed one is
commonly called a pencil and the other, for heavier soldering work; a
gun. For pretty obvious reasons; one looks like a gun, the other a big
fat crayon size pencil <G>
http://www.cooperhandtools.com/brands/weller/index.cfm?model_list=1
&att_id=WEL012%20%20%20%20%20%20%20%20%20%20%20%20&att1=Soldering%
20Stations%20%20%20%20%20%20%20%20%20%20%20%20&att2=Replacement%
20Soldering%20Pencils
Soldering pencils by weller...
http://www.cooperhandtools.com/brands/weller/index.cfm?model_list=1
&att_id=WEL001%20%20%20%20%20%20%20%20%20%20%20%20&att1=Soldering%
20and%20Heat%20Guns%20%20%20%20%20%20%20&att2=Soldering%20Gun%20Kits
Soldering gun by weller. Obviously, pictures alone show you why they
are called the respective things.
>>> When I need to repair a blown component like a bad sound
>>> card, video card or controller card, I replace it. I haven't
>>> needed to repair an actual circuit board for at least 15 years.
>>
>> So you haven't seen the leaking capacitor issue in your time
>> professionally repairing PCs? If you have, did you upsell your
>> client instead of replacing the caps? You can find them pretty
>> cheap, in 50- 100 packs; enough to do several boards...
>
> I've seen just about everything that can cause a MB or card
> to fail. I swap it out. I don't whip out a soldering iron at a
> client's house to fix a throw-away component like a mother board
> or card these days. It's just not worth the effort to get the
> actual schematics and replace a teeny tiny resistor that has no
I was talking specifically about the bad leaking capacitors; it takes
less than 10 minutes to determine what the board needs as far as those
go. Considering mainboards back when this was still a new issue were
atleast a bill for AT class, It was cheaper to replace the caps than
sell the customer a new mainboard. Not all shops did that route tho,
some would gladly take another bill or two from the customer to replace
a faulty component the store sold the customer just a few months back.
In some cases, an RMA was possible so the store wasn't out anything,
but in other cases, the store and the customer both lose if you can't
RMA the bad board.
> marking on it. You do of course know that not all components
> exhibit actual visual signs of failure so you have to get a
> meter to go in and test with a schematic on components. There is
I know that many components don't display visual failure signs, but in
fairness, I did cite a specific example; and a visual inspection would
clearly tell you if a cap suffered from this or not.
> other test equipment for motherboards Basically it would cost
> the client lots of money and time. Today's components are best
> replaced. Would you actually repair a $30 sound card?
A sound card isn't a mainboard. It really depends. If I can fix the
issue in a few minutes and not have to reinstall drivers or anything
else that goes along with swapping parts out, sure I would. Unless I
have an identical (right down to the revision and eeprom) card to go in
it's place; otherwise I have to get drivers and deal with windows
possibly being unhappy about the previous cards drivers, ad nausem.
>> You don't work with laptops much eh? They're bad about breaking the
>> power connector on the mainboard. In those cases, what do you do?
>
> I do some repairs on laptops like replace bad components. I
> don't do component level repairs when I can save time and money
> buying a replacement part. I let the good folk who make the
> laptop components to the refurbishing work.
Most of the time the component that needs replacing is a swap out, plug
and play kinda deal; even the cpu is this way most of the time. What
isn't that way is the little wire connectors on the laptops mainboard;
that will require a soldering pencil, or passing it off to be done by
someone else.
>>> I used Bitdefender's bootable CD to remove malware from the
>>> restore point files and it did not solve the problem. I rebooted
>>> and the malware was written there again. Only when I turned off
>>
>> If the malware was written back when you rebooted, you missed
>> something that was being given a chance to run when windows was
>> booted normally.
>>
>
> No that's not what happened. This conversation is going
> in circles, I told you what happened more than once.
You already explained you found a registry key pointing to starting the
missing file up. So if you didn't miss this, how else did it get there?
>>> system restore and when I rebooted, I got a popup stating that
>>> it couldn't find a file in the system restore folders that were
>>> deleted. Then I did a final scan and the malware was gone,
>>> system fixed.
>>
>> Again, thats on you for missing the file in the first place...
>> Nobody said you couldn't store a file in the system restore folder,
>> in fact you can.
>
> Well I'm glad we agree on something, it is possible for
> the malware to behave like I said it did. Now that we've got
> that cleared up. There is no need to waste my time explaining
> what happened yet again.
Have a good day John with your professional work n all.
Buffalo
Dustin wrote:
> That's like some electricians I know that call all 9" linemans pliers
> klein, even tho they aren't. As klein is actually a company name.
Hey, how did you know I am a licensed electrician?
And yes, it is common in the trade to call them 'kleins', like in, 'can I
borrow your kleins?'
Buffalo :)
Dustin
news:i3a2qi$h1q$1...@news.eternal-september.org:
Yep. Dykes as well, linemans, whatever. :) I have the kobalt set right
now; as I killed my GB ones; they won't even cut romex now without
putting up a fight. I'm not sure yet if I like the spring loaded kobalt
ones I'm using now, but they sure do making cutting wire a since. They
even cut MC cable now, without me snapping it in the place I want to cut
first. Love em, and affordable at Lowe's.
I didn't know your a licensed electrician. Are you a holding a
journeymans license at present, or outright master electrician?
I'm just a lowly apprentice with no official licensing yet.
Steve Fenwick
"Buffalo" <Er...@nada.com.invalid> wrote:
I've heard the term, but never used by me or techs in a lab.
Steve Fenwick
Dustin <bughunte...@gmail.com> wrote:
Nope. Use it all the time that way. Melts the solder super-fast, keeps
the leads from getting hot. Try one if you get a chance.
Buffalo
Journeyman license. Never went for the Masters since I don't contract.
Buffalo
PS: When I ask for a liney, I usually mean a beer (Leinenkugel). :)
John Slade
It's like people calling powdered drink mix from Flavor
Aid, "Kool-Aid". I'm sure we've all heard the expression,
"Drinking the Kool-Aid" when talking about someone who follows
something or someone blindly. Well it came from the Jim Jones
tragedy in Jonestown, Guyana. They drank poisonded Flavor Aid
but most people still call it Kool-Aid.
They just wrote me an essay trying to explain why some
people call them soldering pencils and soldering guns rather
than irons. I've heard those expressions before, it's just a
matter of the person's background and doesn't really mean much.
John
John Slade
> John Slade<hhit...@pacbell.net> wrote in
> news:8ND5o.33941$o27....@newsfe08.iad:
>
>> On 8/1/2010 6:57 PM, FromTheRafters wrote:
>>> "John Slade"<hhit...@pacbell.net> wrote in message
>>> news:Xyo5o.41721$OU6....@newsfe20.iad...
>>>
>>> [...]
>>>
>>>>>> I don't know why you would find it funny because a virus writer
>>>>>> will use anything to hide a virus. What smarter way is to hide
>>>>>> them in each and every folder in "system volume information"?
>>>
>>>> I didn't know Dustin Cook existed until he responded for you.
>>>> But I've
>>>> been reading some in alt.comp.viruses and I find it
>>>> well...interesting... If he wrote viruses then he more than anyone
>>>> should know that what I said happened is indeed possible.
>>>
>>> Because he understands true viruses, he knows that they don't need
>>> to hide themselves in folders.
>>>
>>> I don't think he would have said what he said if you had said
>>> worms, or malware, instead of viruses.
>>
>> Well "virus" is a generic term these days. I was talking
>> about worms and/or trojans, I was using "virus" as a generic
>> term. I guess that clears it up.
>
> virus isn't a generic term, then or now. As a professional, I think it
> unwise of you to generalize what might be ailing the patient.
>
"Virus" is both a generic term and a specific term. Why do
you think they call the software used to clean trojans and
worms, "Anti-Virus" software? I'm sure you don't think that they
only clean viruses and leave trojans and worms alone. It's all a
matter of semantics. Just about all of the major anti-malware
vendors have products that they call Anti-Virus. This is because
it just stuck. You're a professional and you don't know this?
John
John Slade
"Virus" is both a generic term and a specific term. Why do
John Slade
"Virus" is both a generic term and a specific term. Why do
you think they call the software used to clean trojans and
worms, "Anti-Virus" software? I'm sure you don't think that they
only clean viruses and leave trojans and worms alone. It's all a
matter of semantics. Just about all of the major anti-malware
vendors have products that they call Anti-Virus. This is because
it just stuck. You're a professional and you don't know this?
I know exactly what I'm talking about. So tell me what
tools do you use to remove worms and trojans from computers? Are
any of them called "Anti-Virus" software?
I also know that words can have dual meanings.
John
David H. Lipman
>> The term "malware" is generic.
>> The term "virus" is quite specific.
| "Virus" is both a generic term and a specific term. Why do
| you think they call the software used to clean trojans and
| worms, "Anti-Virus" software? I'm sure you don't think that they
| only clean viruses and leave trojans and worms alone. It's all a
| matter of semantics. Just about all of the major anti-malware
| vendors have products that they call Anti-Virus. This is because
| it just stuck. You're a professional and you don't know this?
Sorry John - No.
Virus is specific and is INCORRECTLY used way too often. That's what the term malwrae is
for.
The reason they call anti virus software that is due to its legacy. At one time there
were only viruses.
Anyone who calls any/all malicious software a virus without specifically knowing what it
is is just plain wrong.
FromTheRafters
[...]
> "Virus" is both a generic term and a specific term.
> Why do you think they call the software used to clean
> trojans and worms, "Anti-Virus" software?
Generally, they call it antimalware unless it is also effective against
viruses and worms (which are self-replicators). If it is effective
against viruses, they call it an antivirus. Antivirus programs can also
detect some non-replicating malware.
> I'm sure you don't think that they only clean viruses
> and leave trojans and worms alone. It's all a matter
> of semantics.
Of course it is, but semantics shouldn't be a dismissive word. The
meanings of words are *important* to effective communications.
> Just about all of the major anti-malware vendors have
> products that they call Anti-Virus. This is because it just
> stuck. You're a professional and you don't know this?
We all know this, and we don't like it one bit. The fact remains that
viruses are a special case requiring more than what many antimalware
applications are equipped to handle.
FromTheRafters
[...]
> I know exactly what I'm talking about. So tell me what tools do
> you use to remove worms and trojans from computers? Are any of them
> called "Anti-Virus" software?
Yes, but that is beside the point.
Some antimalware applications rely on cryptographic hash algorithms to
identify known malware. This doesn't work very well with some
polymorphic self-replicating malware (viruses and worms). Some
antimalware applications check autostart methods as a way to detect that
malware is installed - true viruses don't need any autostart mechanism
at all (they start when an *infected program* runs as a matter of
course. The methods needed to detect, identify, and remove malware
generally, and replicating malware specifically are *different*.
David H. Lipman
| [...]
Eactly and is why Malwarebytes' Anti Malware (MBAM) is not an "anti virus" product. MBAM
can NOT remove viral code such as Virut and (in this thread) Ramnit from a file that has
prepended, inserted or appended its code to the binary.
FromTheRafters
news:NXi6o.35931$F%7.1...@newsfe10.iad...
> On 8/3/2010 2:47 PM, Buffalo wrote:
>> Dustin wrote:
>>> That's like some electricians I know that call all 9" linemans
>>> pliers
>>> klein, even tho they aren't. As klein is actually a company name.
>>
>> Hey, how did you know I am a licensed electrician?
>> And yes, it is common in the trade to call them 'kleins', like in,
>> 'can I
>> borrow your kleins?'
>> Buffalo :)
>>
>>
>
> It's like people calling powdered drink mix from Flavor Aid,
> "Kool-Aid". I'm sure we've all heard the expression, "Drinking the
> Kool-Aid" when talking about someone who follows something or someone
> blindly. Well it came from the Jim Jones tragedy in Jonestown, Guyana.
> They drank poisonded Flavor Aid but most people still call it
> Kool-Aid.
Same sort of thing applies to crescent wrench (Crescent is a brand name
of a very popular open end adjustaqble wrench). Crowbar is another,
where a wrecking bar is almost always incorrectly called a crowbar.
Dykes are a misnomer for the shortening of the tool known as a "diagonal
cutter".
Most people don't care about using correct terminology, and so there is
often confusion and shouts of *mere semantics* when someone tries to
inform them.
~BD~
I'm gonna have to go get my vacuum cleaner and Hoover up some of the
debris here!
David H. Lipman
RJK
...when someone dumps a system box in my lap, or pleads down the 'phone, he
or she often suspects that "...there's a virus in it."
:-)
regards, Richard
FromTheRafters
news:JJm6o.931$1v3...@newsfe20.iad...
Calling self-replicating programs "viruses", coupled with the fact that
almost all malware in existence at one time were indeed
self-replicating, led to the popular lexicon's adoption of the term
"virus" to mean the same as "malware". The idea that a computer could
catch a cold virus is *too damned sexy* an idea for the populous to let
go of - they 'prefer' to call any 'bad computer stuff' a virus now.
Be that as it may, three of the groups posted to are technical in nature
(even have "virus" in their names). Ask a question about whether a virus
could infect a data store (no, it cannot), you might get a wrong idea
about where *malware* can be hiding. Viruses are rather unique, and
despite Aunt Polly's refusal to use the term *malware* - there *are*
important differences in the terms, and people should be educated as to
that fact.
FromTheRafters
news:i3cqv...@news6.newsguy.com...
:oD
David H. Lipman
>> Mom always told me not to be anti semantic :-)
::oD
But then again...
Maybe Mom meant not to be anti Symantec ;-)