Anyway, yesterday and today I've been re-installing XP on the neighbours
laptop AGAIN as the teenager girl to whom it belongs can't seem to use it
for a day without getting infected. 74 infections this time. Both last month
and this month I've just wiped it ("are my songs and stuff still there?"
Ha!) and reinstalled.
Last month I installed MS Security Essentials (previous to that I'd put AVG
free on it). When I got it bak yesterday they'd put a trial version of
Antivir that would point out infections but not remove them. It was
literally impossible to do anything without a warning popping up.
So I've reinstalled XP again, using a bunch of my bandwidth to update it...
I've also installed MS-SE, AVG Free and Malwarebyte's Anti-Malware but I
fear that it's all going to be pointless. (I could have done what I"ve tried
before, pout th HDD in an external enclosure and scan it from a
'sacrificial' computer, then repair XP but frankly I'm sick of this. I don't
get paid, I get little gifts now and then, a tray of eggs the other week, a
flower arrangement at Xmas...)
So to the question: I've used Acronis to image the HDD and have set a 7GB
partition after the OS partition and put the image file of the clean install
there. (Then uninstalled Acronis. They didn't pay for it...) I've then
removed the drive letter in computer management so that it doesn't show up
and the only way to access it again in Windows is to assign it a letter
again.
What are the chances of it staying un-infected? I'm pretty sure that I'm
going to get this machine back again in the not-too-distant-future and it
would be nice to be able to boot from an Acronis CD and simply restore it.
Thanks for any input. (I'm keeping a copy of the image myself anyway but I
find that I have images of most people's computers that I've 'fixed up' and
I don't even know which ones I need to keep anymore... (It's not like I'm
going to invite 'work' by asking folks if they still own the computer in
question.)
Again, TIA...
--
Cheers,
Shaun.
"Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life." Terry Pratchet, 'Jingo'.
What about setting the DNS to OpenDNS or some such so that the malware
sites will simply be harder to get to...
Does she have Admin rights...?
> Thanks for any input. (I'm keeping a copy of the image myself anyway but I
> find that I have images of most people's computers that I've 'fixed up' and
> I don't even know which ones I need to keep anymore... (It's not like I'm
> going to invite 'work' by asking folks if they still own the computer in
> question.)
Given what you've outlined above, I'd say the chances are extremely
high that she'll re-infect the machine.
IMO there's not easy technical solution, aside from addressing the
layer-8 cause. Are you able to work out what sites she's visiting
regularly that are causing the infection? Or perhaps she's downloading
software?
From a personal perspective, I have been known to become ultra-
paranoid and start using a VM to browse the net, reverting back to a
saved image when closed. I don't know how useful or appropriate that
would be in the current situation though.
Yeah, I agree. Even with AVG's 'linkscanner' (that I usually disable on my
own machines) I think she'll reinfect it. Hell, it only took three weeks to
go from pristine to unusable last time.
When I took it back today her father put his hand in his pocket and asked
what he owed. I told him nothing this time (I'm on an invalid's benefit
anyway) but if it happens again it'll cost, not him but his daughter. He
said thanks muchly and that she doesn't have a source of money other than
him anyway (she's at school).
> IMO there's not easy technical solution, aside from addressing the
> layer-8 cause. Are you able to work out what sites she's visiting
> regularly that are causing the infection? Or perhaps she's downloading
> software?
I couldn't tell. It was unusable with the trail of Antivir throwing up
warning windows on top of warning wondows every time I moved the mouse.
> From a personal perspective, I have been known to become ultra-
> paranoid and start using a VM to browse the net, reverting back to a
> saved image when closed. I don't know how useful or appropriate that
> would be in the current situation though.
Not very really. Hopefully the image on the 'hidden' partition stays clean
and I'll just give them an Acronis boot CD if I get asked again and tell
them how to do it.
Honestly, that's above my pay-grade. (Read: I'm not that smart. <g>) I'm
hoping that AVG linkscanner will shut her down from bad sites. I didn't
install it last time, just MS-SE.
> Does she have Admin rights...?
Yeah. That was a mistake, I know. I didn't think about it until after
dropping it off. I just naturally install XP like that on my own machines. I
suppose that if it comes back soon I can restore and change that? It's
something I've never tried. Would it make much difference do you think? I
might go and change it anyway if you think it would. However, wouldn't that
stop her installing stuff on her own machine?
>
> So to the question: I've used Acronis to image the HDD and have set a 7GB
> partition after the OS partition and put the image file of the clean install
> there. (Then uninstalled Acronis. They didn't pay for it...) I've then
> removed the drive letter in computer management so that it doesn't show up
> and the only way to access it again in Windows is to assign it a letter
> again.
>
> What are the chances of it staying un-infected?
Dunno, but there is a way to keep it uninfected. Use partimage on the
System Rescue CD to save and restore the Windows partition. Format
the 7GB partition as a Linux ext3 partition. Windows will leave it
alone (unless special drivers are installed).
Yep all software that has to change system settings but not everything.
Should stop registry invasions though.
As to not installing on her own machine tough titties, I would already
have given her the boxes and said pack it up and return it your too
stupid to own a computer
Hey Shaun, I am currently running the combo of avast! on access scanner
and Sunbelt/Kerio firewall, and that makes for one tough security combo.
Nothing gets installed without my giving approval explicitly, and at
times even that is not enough .... I actually had to turn both firewall
and avast! off in order to get a certain game to patch correctly earlier
this month, the patch simply could not get access to registry nor touch
services ;-)
Of course, who knows what that kid does when nobody is watching. If she
opens any attachment her mates send her and downloads malware executable
files and runs them and god knows what -- I'm sure you know the old
chestnut about making things 'foolproof'. There's so much social
engineering going on that I can just see a 14 year old girl falling for.
Anyway, wishing you a happy new year and all that ;) -P.
And why would that be ??
Interesting, thanks Peter.
--
Exactly. And there's no way I'm going to (attempt to) teach her how to use
teh intarwebs. I've already tried giving her guidelines but I see her eyes
glaze over pretty quickly. If her parents weren't such good neighbours....
> Anyway, wishing you a happy new year and all that ;) -P.
Thank you Peter, the same to you mate. :-)
--
Yeah... I know. However her parents are excellent neighbours and having good
neighbours is very valuable in an area like this one.
--
Cheers, and Happy New Year.
Yep, I have the same problem with the sister-in-law.... my solution is
to give them an old eMac for doing all the crap on the web, it has thus
proved to be an easy solution and has cut down my support time by about
100%.... they still have the PC for games etc but the internet no longer
seems to work on it... that last virus must have killed it...Oh no, woe
is me...lol.
Thanks Nighthawk. I know about that as I use Acronis T.I myself. However,
two things. a) They're barely computer literate and I'd rather not have to
tutor people who frankly aren't interested. (They just want it to work, like
a TV or stereo.) b) I'm pretty sure they wouldn't stump up with the price of
Acronis (well, they might if I told them that it was essential, which takes
us back to a).
While I'm not as pure as the driven snow myself when it comes to only using
software that I've paid for (being on an invalid's benefit will do that to
you. It truthfully makes me feel bad if/when I 'pirate' software that I
think is worth the money [some stuff is outrageously priced but other
stuff...]). I feel that 'pirating' (I hate that term) something, usually an
older unsupported version for myself is one thing but to distribute it is
another thing entirely. Actually I got this old version of Acronis when they
did a one-day giveaway a while back, hoping that folks would love it and
upgrade to the latest version.
I put T.I on that thing (incidently an Alienware M5500 Area51, quite good in
it's time, it cost them over $5K, bought it for her as a reward for passing
exams a few years back) only long enough to image the drive, then
uninstalled it. Actually, in retrospect I think that I may have been able to
image it from the bootable CD without even having to install it.
Anyway, with cheap storage and my USB / SATA docks and 2.5TB of drive space
(about 1TB free) left over from when I was a desktop man it's not a huge
deal to keep the image and a folder with the laptop-specific drivers that
took me an age to find in the first instance.
Still, it'd be nice to know if that partition is essentially untouchable.
That way I could just 'lend' them an Acronis boot CD and show them how to
restore it themselves (kinda like a Compaq, Lenovo or HP except the image
they have is updated to last week. LOL, an XP sp3 install disk wouldn't work
with their COA number so I had to use an sp2 disk. Even after applying sp3,
.NET 3.5 and IE8 from my files Windows update found 118 patches. Wow! That
and the Alienware drivers cost me a fortune in bandwidth, hence the image).
Actually, to be honest I don't know if I'll see it again. The father is a
really nice guy (kept trying to pay me this last time even though I refused)
but told me that if she can't learn to 'keep it clean' he'll put the fucking
hammer through it (his words).
I hope that I haven't put him off asking me again to be honest. Now I have
it imaged it's only 20 minutes work to restore it. He was just a bit freaked
when I told him that I spent somewhere between eight and 10 hours on the
thing the first time. They have no restore / Windows media and, as it was
about the last Alienware machine that was produced before Dell bought the
brand, drivers are a real bitch to find. In fact it took several attempts to
find the right one for some devices. The later machines that are essentially
tarted-up Dells are well supported.
Anyway, this Lindauer is bloody good. We don't know how lucky we are. ;-)
(I'm normally a red wine / scotch whisky man but I get evil hangovers and
I'm hoping that white wine, with one dram of Single Malt at midnight will
leave me at least partly functional tomorrow.
Cheers mate, all the best for 2010.
--
If only I had that much control. This is neighbour helping neighbour. I
can't tell them what to do (especially in this neighbourhood), I'm just
trying to make it as easy on myself as possible
--
Cheers,
Shit mate, I'm an Aussie big Shiraz man too most of the time. (It makes my
head hurt.)
> but I like the Lindauer Special Reserve
> Curvee Riche. Their sparkling Sav Blanc is good in the cheaper price
> range too.
I seriously find it hard to understand how they can sell their bottle
fermanted wines as cheaply as they do. It's a freakin' mystery.
> Cheersh to you too, all the best for '10!
Thanks. 3:23am and probably time I switched offf the PC and went to bed.
--
Cheers,
Could she get along with a linux distro?
If its typical teenage girl stuff, shes doing a bit of web browsing
(facebook/youtube etc.),
the occasional school project in an office package, listening
to/downloading music and videos,
and some sort of instant messaging client (AIM/MSN etc.)
All of that can be done in Ubuntu, and will solve 100% of the malware
issues.
The only thing that would be a problem would be any games, and if she is
using
something in windows that has no suitable alternative in linux.
Installing Ubuntu is a painless process these days, and most common
hardware is supported.
Return PC with ubuntu installed, and her windows media, then tell her if
she wants windows back
she can google how to reinstall it :)
Heh! A novel (but not unexpeced) approach. I know Jack about Linux myself
and am not really sure what she uses the computer for. It's an Alienware
with dual graphics switchable with a front-mounted switch. It either has
Intel integrated graphics or an upgradeable graphics card. Hers is a nVidia
Go6600 I believe. Safe to assume that she plays a few games.
Oh, they don't have any reinstall media, said that none came with it. It had
a restore partition originally but, when I replaced the seriously dead HDD a
while ago I saw that it had already been replaced and asked. It had been
done under warranty (which is now run out). It was an IDE 7200rpm Seagate as
per the original spec but as two had already failed I replaced it with a
5400rpm drive, hoping that it'll last longer.
Oh, my point... When I got it with the dying drive it really was dying.
Windows wouldn't boot normally but would into safe mode and I managed to do
a checkdisk but it was finding bad sectors everywhere and didn't complete. I
tried copying off the restore partition (with the HDD in a USB enclosure)
but to no avail.
Leaving that aside - other Linux distributions are available - my
preference is to put Windows XP onto a 15 gigabytes partition plus
space for a hibernation file but NOT page file which is 4000 megabytes
on the /next/ partition because it might as well be, /disable/
hibernation, and use "partimage" to back up XP into around 650 MB
split archive files - and put those files onto CD or DVD. I reckon 15
gigabytes compressed is about one DVD full, and /that's/ where I store
this recovery snapshot. Could take an hour or three to create.
Vista, now... do you have Blu-ray? ;-)
Restoring the machine normally from there should just be a matter of
using the same tools to restore only the MBR and the 15 gigabytes XP
partition, and you could just about train a teenager to perform the
backup or the restore exercise ;-)
I assume that the viruses come with bootlegged software, or music, or
videos... or AutoPlay devices...
I also haven't managed to make SystemRescueCD work from a USB stick
although it can be done, but it also has a mode that copies its CD
into RAM and allows you to use the optical drive for backup or restore
- at its boot prompt you type "rescuecd docache" quickly before it
goes ahead without you. Several other Linux CDs have a copy-Linux-to--
USB-stick option. So does SRCD but it didn't work for me... partly,
I've found, because I tried it several times on a USB device that
actually won't boot. And partly just because computers hate me. They
hate me because they fear me.
I don't trust a virus, hypothetically, not to infect any and all data
partitions on the computer - with or without drive letter, access
permission, and even file system compatibility. Basically I think
that the virus doesn't have to understand the data that it's looking
at to interfere with it. Just find somewhere fundamental, like the
boot sector that each partition has, and install itself in there.
> ... I've recently had a scare with it
> that I haven't resolved yet - either that or something else I've done
> recently has re-enabled Windows AutoPlay (on XP SP3 with a presumed
> authentic and relevant disable-AutoPlay patch), which should not have
> happened.
Disabling autorun is known to be unreliable
<http://blogs.zdnet.com/security/?p=2410>.
Thanks - however, I have previously installed the fix from
<http://support.microsoft.com/kb/967715>
which was mentioned there, so it "should" be working after all - that
is, not working. For instance, upon inserting an SD card, it should
do nothing except add its drive letter to the desktop folder. And
until recently, that's what happened.
It's possible that I've confused the system by creating and deleting
hard disk partitions and changing /their/ letters.
On the other hand, if someone /did/ hack SystemRescueCD to become,
secretly, a hack tool, quite a few people would be bitten.
> For instance, upon inserting an SD card, it should
> do nothing except add its drive letter to the desktop folder. And
> until recently, that's what happened.
>
> It's possible that I've confused the system by creating and deleting
> hard disk partitions and changing /their/ letters.
It’s bad, isn’t it. The system is supposed to fail into a /safe/ mode, not a
dangerous one. If it forgets what autorun settings are associated with which
drive letters, that should cause it *not* to autorun from a drive. Instead,
in spite of all the so-called security updates and patches, the underlying
Dimdows default is still for autorun to be on, not off.
Sorry if I am sounding dumb, but if one has Acronis is it not expected that
one can reimage the drive?
Hi Gordon. I'm not sure exatly what you mean by this. I didn't leave Acronis
on this machine as they haven't bought it. I (probably illegally*) installed
my copy only long enough to make an image of a clean, Windows updated,
drivers installed XP install so that it could go back to that if they get
infected again. Then I uninstalled it.
*I probably could have simply booted from the Acronis CD and imaged the HDD
from there but I didn't think of that. :-(
So they can't make a new image each week or whatever, they don't have
Acronis (if that's what you meant). They would also need teaching how to use
it and I don't get paid that much (or anything for that matter).