
248GB discrepancy between space used by all files and free space on 452GB drive win7


Johny B Good
Jul 17, 2014, 8:15:55 AM

Hi, experts,

A customer brought his Acer win7 home premium laptop in to remove
remote access software that had been installed by the scam merchants
"online pc care", an Indian cold calling centre that claims to be a
part of Microsoft tech support.

The story he gave was that shortly after purchasing the laptop he got
a call from them and, because they knew all his details (phone number
address and name etc) and sounded convincing they persuaded him to
install "TeamViewer" (or some such) software on the laptop and they've
basically had access ever since, apparently for the past two or three
years if I've remembered correctly (he's an elderly computer
illiterate with barely enough knowledge to run the Photoshop Software
he uses to edit his photos).

Recently, he finally discovered that this company was simply a
scamming operation that had tricked him into signing a maintenance
contract by the usual tricks typical of this scam and tried to stop
the drain on his credit card by having his bank cancel the existing
card and re-issuing a new one.

This, strangely, wasn't enough since "online pc care" were still
taking large sums out of his credit card account (around £140 at a
time, afaicr).

Whilst he was speaking to me on the phone to arrange an appointment,
"online pc care" were in charge of his laptop, via their remote access
software, playing Youtube videos and raising the volume every time he
tried to turn it down (he'd been on the phone to them to cancel the
'maintenance contract' and request a refund back to his account at
which point they started threatening him and messing with his laptop).

I did eventually get him to pull the plug on his talktalk router to
put a stop to their shenanigans (an obvious measure to you and I but
not to my customer - he really is the greenest of newbies when it
comes to this stuff, sadly he's in a majority of the consumers
targeted by Microsoft).

The very low disk space was noted, as an aside comment by my customer
when he delivered the laptop to me. I initially assumed it was just
because of the kakameemee fileview options hiding system and hidden
files from view. However, with the disk pulled from the laptop and now
attached to my win2k box (e-SATA docking station), I see the problem
goes way beyond this simple explanation.

For reference, here's a chkdsk report:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\John>chkdsk N:
The type of the file system is NTFS.
Volume label is Acer.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

474650623 KB total disk space.
392001716 KB in 170254 files.
112756 KB in 32444 indexes.
0 KB in bad sectors.
355195 KB in use by the system.
65536 KB occupied by the log file.
82180956 KB available on disk.

4096 bytes in each allocation unit.
118662655 total allocation units on disk.
20545239 allocation units available on disk.

C:\Documents and Settings\John>

CHKDSK reports correctly, the space in use but this doesn't help me
identify the files responsible. I've considered 'sparse files' but
that seems to be the opposite of my problem. I'm familiar enough with
Alternate Data Streams to consider that this may be the more likely
mechanism involved but at this stage, I'm really not sure, hence this
call for help and advice.

--
J B Good

Jaimie Vandenbergh
Jul 17, 2014, 8:41:25 AM
On Thu, 17 Jul 2014 13:15:55 +0100, Johny B Good
<johnny...@invalid.ntlworld.com> wrote:

>I'm familiar enough with
>Alternate Data Streams to consider that this may be the more likely
>mechanism involved but at this stage, I'm really not sure, hence this
>call for help and advice.

ADS seems most likely. The only other way to hide stuff easily is for
the running OS to be rootkitted, which isn't the case here as you're
mounted on a known clean one.

Tool for scanning for ADS and digging into them:
http://www.nirsoft.net/utils/alternate_data_streams.html

I'm sure you know that removing the Teamviewer software will just leave
the poor punter's laptop rootkitted and heavily virused - nuke the disk
from orbit is the only way to be sure.

Cheers - Jaimie
--
It is better, of course, to know useless things than to know nothing.
- Lucius Annaeus Seneca, 'Epistles'
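
The first post asks how to tell where chkdsk's "in use" figure is hiding from Explorer, and the reply above points at alternate data streams. The script below is an added example from the editor, not code from the thread or from NirSoft: it walks the volume with hidden and system entries included, totals the unnamed streams Explorer sums, totals named ADS separately, records every directory it was refused entry to, and compares all of that with the used-space figure the volume itself reports. It assumes the suspect disk is mounted as N: on the analysis box, as in the thread, and PowerShell 3.0 or later (WMF 3.0 runs on Windows 7) for the -Stream parameter.

```powershell
# Added example (editor's, not from the thread). Reconcile the space a file
# walk can see with what the volume reports as used, so the gap lands in a
# named bucket (directories that could not be opened, alternate data streams)
# rather than staying a mystery. Assumes the suspect disk is mounted as N: on
# the analysis box, as in the thread, and PowerShell 3.0 or later for -Stream.
param([string]$Drive = 'N:')

$root = "$Drive\"

# Walk everything, hidden and system entries included. Access-denied errors
# are collected instead of aborting: directories that cannot be opened are
# the first place to look for "missing" space.
$walkErrors = @()
$items = Get-ChildItem -LiteralPath $root -Recurse -Force `
             -ErrorAction SilentlyContinue -ErrorVariable walkErrors
$denied = $walkErrors |
    Where-Object { $_.Exception -is [System.UnauthorizedAccessException] } |
    ForEach-Object { [string]$_.TargetObject } | Sort-Object -Unique

$primaryBytes = 0L      # unnamed ::$DATA streams, the figure Explorer adds up
$adsBytes     = 0L      # named alternate data streams, which Explorer hides
$adsHits      = @()
$byTop        = @{}     # visible bytes per top-level directory

foreach ($f in ($items | Where-Object { -not $_.PSIsContainer })) {
    $primaryBytes += $f.Length
    $top = ($f.FullName.Substring($root.Length) -split '\\', 2)[0]
    if (-not $byTop.ContainsKey($top)) { $byTop[$top] = 0L }
    $byTop[$top] += $f.Length

    # Every stream except the unnamed one is an ADS.
    $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($s.Stream -ne ':$DATA') {
            $adsBytes += $s.Length
            $adsHits  += '{0}:{1} ({2} bytes)' -f $f.FullName, $s.Stream, $s.Length
        }
    }
}

# What the volume itself says is in use; this matches chkdsk's accounting.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
$used = [long]$disk.Size - [long]$disk.FreeSpace
$gb   = { param($b) '{0,10:N2} GB' -f ($b / 1GB) }

'Volume reports used : {0}' -f (& $gb $used)
'Primary streams seen: {0}' -f (& $gb $primaryBytes)
'Alternate streams   : {0} in {1} stream(s)' -f (& $gb $adsBytes), $adsHits.Count
'Unaccounted         : {0}' -f (& $gb ($used - $primaryBytes - $adsBytes))
''
'Largest top-level directories by visible size:'
$byTop.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10 |
    ForEach-Object { '  {0,-40} {1}' -f $_.Key, (& $gb $_.Value) }
''
'Directories that could not be opened (their contents are not counted above):'
$denied | ForEach-Object { "  $_" }
''
'Alternate data streams found:'
$adsHits | ForEach-Object { "  $_" }
```

Two things to keep in mind when reading its output. "Unaccounted" never reaches zero on a healthy NTFS volume, because the MFT, indexes and log file (the "in use by the system", "in indexes" and "occupied by the log file" lines in the chkdsk report above) are not files the walk can see; a few hundred megabytes there is normal, a couple of hundred gigabytes is not. And when a large figure coincides with an entry in the "could not be opened" list, that directory is the answer regardless of what any malware scan says, so take ownership or run elevated and look inside before reaching for exotic explanations.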

GlowingBlueMist
Jul 17, 2014, 9:50:55 AM
On 7/17/2014 7:41 AM, Jaimie Vandenbergh wrote:
> On Thu, 17 Jul 2014 13:15:55 +0100, Johny B Good
> <johnny...@invalid.ntlworld.com> wrote:
>
>> I'm familiar enough with
>> Alternate Data Streams to consider that this may be the more likely
>> mechanism involved but at this stage, I'm really not sure, hence this
>> call for help and advice.
>
> ADS seems most likely. The only other way to hide stuff easily is for
> the running OS to be rootkitted, which isn't the case here as you're
> mounted on a known clean one.
>
> Tool for scanning for ADS and digging into them:
> http://www.nirsoft.net/utils/alternate_data_streams.html
>
> I'm sure you know that removing the Teamviewer software will just leave
> the poor punter's laptop rootkitted and heavily virused - nuke the disk
> from orbit is the only way to be sure.
>
> Cheers - Jaimie
>
I agree with Jaimie's suggestion about nuking the hard drive. I like
to boot a CD copy of Darik's Boot and Nuke (http://www.dban.org/) and
let it totally erase the drive before starting a rebuild. Especially on
machines that have been messed about with like this one. Just be sure
you put the "infected" drive back into the original PC before you start
up DBAN since it blindly tries to erase all drives it can physically
find on a PC.

To be really safe you may want to consider flashing the BIOS from the PC
makers web site in case they loaded a modified version while they had
total control of the box, even if it claims to already have the current
version.

Johny B Good
Jul 17, 2014, 11:47:08 AM
On Thu, 17 Jul 2014 13:41:25 +0100, Jaimie Vandenbergh
<jai...@sometimes.sessile.org> wrote:

>On Thu, 17 Jul 2014 13:15:55 +0100, Johny B Good
><johnny...@invalid.ntlworld.com> wrote:
>
>>I'm familiar enough with
>>Alternate Data Streams to consider that this may be the more likely
>>mechanism involved but at this stage, I'm really not sure, hence this
>>call for help and advice.
>
>ADS seems most likely. The only other way to hide stuff easily is for
>the running OS to be rootkitted, which isn't the case here as you're
>mounted on a known clean one.
>
>Tool for scanning for ADS and digging into them:
>http://www.nirsoft.net/utils/alternate_data_streams.html
>
>I'm sure you know that removing the Teamviewer software will just leave
>the poor punter's laptop rootkitted and heavily virused - nuke the disk
>from orbit is the only way to be sure.
>
>

Thanks Jaimie.

I meant to mention I'd already scanned for malware using Avast and
Malwarebytes and, surprisingly, found no signs of anything bad. I've
checked for a hidden rootkit partition but the only hidden partition
is the normal 13GB fat32 one used for the factory restore along with
the 100MB boot partition.

Before I removed the drive to scan with AV from a clean system, I did
take a look in the installed software list for TeamViewer or
equivalent or any other suspicious s/w. No signs of anything obvious
and I'd already disabled 'Remote Desktop' support in system
properties.

I've not allowed it to connect to the internet via my lan as yet
until I can be confident there isn't a really clever rootkit
installed. It booted up ok and showed no obvious signs of malware but,
having heard my customer's tale of woe, I thought it would be more
productive to pull the HDD and analyse it from another clean system.

I'm going to copy my folder full of AV and utilities installers onto
the disk whilst it's still plugged into my win2k box and then fit it
back into the laptop so I can run stuff like Combofix and install MBAM
and SpyBot S&D which need to be run from the affected system itself
for full efficacy.

Although, discretion is the best part of valour and I'll likely just
backup the user's data and do a factory restore as you suggested, I
would like to know a little bit more about what "online pc care" have
been up to (the apparent lack of any installed remote desktop s/w is a
little puzzling to say the least).
--
J B Good

Jaimie Vandenbergh
Jul 17, 2014, 11:57:23 AM
Indeed - and to me, it suggests that they've installed it in a way
hidden from the software list to avoid removal. It'll be interesting to
hear what you find!

Cheers - Jaimie
--
On diving in UK waters:
'Sharp edges? Must be the wreck.'
'It's moving? Must be supper.'
'Too big to go in the goodie bag? Must be my buddy.' - nigelH, ukrs

Johny B Good
Jul 17, 2014, 12:31:31 PM
Thanks, GBM. I've just downloaded AlternateStreamView (and checked
it for viruses with Avast and MBAM!) before copying to my programs
folder and creating a desktop shortcut (which I'll copy into the
program files for good measure). It's scanning the drive as I type.
:-)

I appreciate the DBAN suggestion (and the warning) but I think it's a
little ott. If I have to wipe a drive, I prefer to use the zero fill
'LLF' option in the disk manufacturer's diagnostics utility since this
will also give an indication of the state of the drive's health. I'm
pretty sure it's one of the many useful utilities on the UBCD so it's
not as if I don't already have access to dban if I can't persuade the
disk diagnostics to 'wipe' the disk for me.

As I explained to Jaimie, I didn't see a hidden rootkit partition when
I checked and I do want to try SpyBot and MBAM scans before resorting
to nuking the disk.
>
>To be really safe you may want to consider flashing the BIOS from the PC
>makers web site in case they loaded a modified version while they had
>total control of the box, even if it claims to already have the current
>version.

That's actually a good point. It's certainly worth checking whether
Acer have a BIOS update on offer, preferably one that's self contained
on its own boot media (i.e. NOT a windows flash updating program!).

I've seen hardware damage that could only really be explained by
mis-flashing HDD, DVD writers, LAN card bioses where the MoBo bios
was, strangely, left alone (I suspect because the hackers Catch 22'd
themselves when it came to the MoBo bios's turn to be mis-flashed).

It's a possibility that can't be excluded since we have the precedent
of the Chernobyl virus to inform us of the risk. The fashion by MoBo
makers to offer a windows based flashing tool plays right into the
hands of the scumbags, making this risk even greater (no need to
socially engineer the sucker into inserting a special floppy disk, or
more realistically, create a bootable CDROM or USB pen drive and boot
the PC up from that, re-configuring the bios to change the device boot
order or getting them to press the right hot key at boot up for the
boot device selection menu).

The ADS scan has completed. It found 81 items with less than 60KB's
worth of hidden stream data in total. So, ADS doesn't seem to be the
explanation for the huge discrepancy. Never mind, I'll copy my
'Toolstore' folder's worth of diagnostics and AV installers onto the
victim disk and put it back into the laptop and take it from there
after I've tried Acer's website for a BIOS update that I can run from
a self contained boot disk.

Thanks once again to both you and Jaimie.
--
J B Good

GB
Jul 17, 2014, 1:34:15 PM
Do you need to get hold of his router and reset that? ISTR that they can
alter the DNS settings, so it points to their own 'modified' server.


Jaimie Vandenbergh
Jul 17, 2014, 6:21:04 PM
On Thu, 17 Jul 2014 17:31:31 +0100, Johny B Good
<johnny...@invalid.ntlworld.com> wrote:

> The ADS scan has completed. It found 81 items with less than 60KB's
>worth of hidden stream data in total. So, ADS doesn't seem to be the
>explanation for the huge discrepancy.

Hum.

Have you run a chkdsk over it yet? Maybe the free space count is just
mildly corrupted.

Cheers - Jaimie
--
The person who says it cannot be done should not interrupt the person doing it.

Johny B Good
Jul 18, 2014, 6:23:17 PM
On Thu, 17 Jul 2014 18:34:15 +0100, GB <NOTso...@microsoft.com>
wrote:

>Do you need to get hold of his router and reset that? ISTR that they can
>alter the DNS settings, so it points to their own 'modified' server.
>

That's on my "To Do" list when I'm ready to contact him to collect
his laptop.

I've been able to run a Combofix scan which removed some elements of
malware. I've installed MBAM free, SpyBot and Avast Free and all scans
found more 'left overs' to be cleaned up.

Right now, it looks to be malware free but I wouldn't want to stake
my life on such a proposition, especially as the 240 odd GB
discrepancy still remains to be solved. :-(

One thing that occurs to me is to convert it to FAT32 and back to
NTFS again but I'd really need to backup the user's data to be safe.
I'm not sure how the NTFS 2 FAT32 conversion will handle 4GB and
larger files though.

I've just googled for NTFS to FAT32 converter and came across such a
utility (free) called "AOMEI Partition Assistant Standard Edition" and
downloaded it to my disk utilities folder where I discovered an
earlier, smaller version (3.66MB as opposed to 7.69MB self extracting
archive installer exe file). I'm sure there are other similar tools
out there and my copy of Paragon Hard Disk Manager might even include
such a feature (I haven't checked this option just yet).

The AOMEI utility promises to be able to swiftly make such
conversions safely, implying that it avoids moving any data back and
forth, just creating the necessary FS metadata structures and
importing from the existing FS metadata structure.

It might be worth a go (but only after backing up the user's data).

BTW, I deleted all 60KB's worth of ADS data hidden in those 81 files
to, seemingly, no ill effect. I'm assuming the StreamData Viewer
utility is actually fully functional in this regard.
--
J B Good

Johny B Good
Jul 18, 2014, 6:33:08 PM
On Thu, 17 Jul 2014 23:21:04 +0100, Jaimie Vandenbergh
<jai...@sometimes.sessile.org> wrote:

>On Thu, 17 Jul 2014 17:31:31 +0100, Johny B Good
><johnny...@invalid.ntlworld.com> wrote:
>
>> The ADS scan has completed. It found 81 items with less than 60KB's
>>worth of hidden stream data in total. So, ADS doesn't seem to be the
>>explanation for the huge discrepancy.
>
>Hum.
>
>Have you run a chkdsk over it yet? Maybe the free space count is just
>mildly corrupted.
>

Yeah, twice with the /R switch specifically to eliminate this
possibility and a final fourth one to take a second look at the report
to see that it correctly accounts for the used space which is
invisible to explorer's view (presumably due to security flags
preventing access from win2k, even after 'taking ownership').

I've probably overlooked something simple that a seasoned MCE hacker
would regard as a 'no brainer' series of actions to properly reveal
_all_ files and folders or at least identify how the data has been
hidden (encrypted folders?).

As you can see, I'm flailing about in the mire with this one. :-(
--
J B Good

Johny B Good
Jul 18, 2014, 6:56:54 PM
On Thu, 17 Jul 2014 16:57:23 +0100, Jaimie Vandenbergh
<jai...@sometimes.sessile.org> wrote:

>On Thu, 17 Jul 2014 16:47:08 +0100, Johny B Good
><johnny...@invalid.ntlworld.com> wrote:
>
>>(the apparent lack of any installed remote desktop s/w is a
>>little puzzling to say the least).
>
>Indeed - and to me, it suggests that they've installed it in a way
>hidden from the software list to avoid removal. It'll be interesting to
>hear what you find!
>

As I've already mentioned, I've been able to install and run a
selection of antimalware tools and found remarkably little, more like
unwanted 'left-overs'. I did spot a service running from the Citrix
folder which I disabled, then removed from the registry before
blitzing the Citrix folder (no show in the installed programs list).

I ran an updated TDSS Killer scan, no objects found. Another look
with explorer only accounts for 125GB (was 127GB when looked at in
win2k) so the huge discrepancy still remains. I've just run unpnp to
disable UPnP on the laptop (UPnP is normally enabled by default on any
version of windows from winXP on so that isn't unusual, sadly).

I'm considering using the 'trick' of converting the disk volume from
NTFS to FAT32 and back again. Just need to do a little more research
on this before I go off 'half cocked' on this method of madness.
--
J B Good
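
Jaimie's guess that the remote-access software was installed in a way that keeps it out of the software list, and the Citrix service found above with no matching entry in installed programs, both point at the same check: enumerate what actually starts, not what registered an uninstaller. The script below is an added example from the editor, not from the thread or any of the tools it mentions. It lists services, Run/RunOnce keys and scheduled tasks, and flags entries whose command line names a known remote-support product or whose executable lives outside the Windows and Program Files trees. The product list and the "trusted roots" rule are the example's own heuristics, not anything Windows provides, and it is meant to be run elevated on the suspect Windows 7 installation itself.

```powershell
# Added example (editor's, not from the thread). Enumerates the autostart
# surfaces a remote-access tool can use while never appearing in Programs and
# Features: services, Run/RunOnce keys and scheduled tasks. Entries are
# flagged when the command names a known remote-support product or the
# executable lives outside the Windows and Program Files trees. Run elevated
# on the suspect Windows 7 installation; the product list and the trusted
# roots rule are this example's own heuristics.

# Remote-support products handed out by phone scams. Citrix covers GoToAssist,
# which the thread found running as a service with no uninstall entry.
$remoteTools = @('teamviewer', 'logmein', 'ammyy', 'anydesk', 'supremo',
                 'citrix', 'gotoassist', 'showmypc', 'ultraviewer', 'remotepc')
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Test-Suspicious([string]$command) {
    if (-not $command) { return $false }
    $c = [Environment]::ExpandEnvironmentVariables($command).ToLower()
    foreach ($t in $remoteTools) { if ($c.Contains($t)) { return $true } }
    # Reduce "C:\path\tool.exe" -arg  or  C:\path\tool.exe -arg  to the executable.
    $exe = if ($c.StartsWith('"')) { $c.Split('"')[1] } else { ($c -split '\s+')[0] }
    if ($exe -notmatch '\\') { return $false }   # "COM handler" and bare names: skip
    foreach ($r in $trustedRoots) { if ($exe.StartsWith($r)) { return $false } }
    return $true
}

$findings = @()
function Add-Finding($source, $name, $state, $path) {
    $script:findings += New-Object PSObject -Property @{
        Source = $source; Name = $name; State = $state; Path = $path }
}

# 1. Services: the image path is what runs, whatever the display name says.
foreach ($svc in Get-WmiObject Win32_Service) {
    if (Test-Suspicious $svc.PathName) {
        Add-Finding 'Service' $svc.Name $svc.State $svc.PathName
    }
}

# 2. Run / RunOnce keys: machine-wide (both views on x64) and current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not values
        if (Test-Suspicious ([string]$p.Value)) {
            Add-Finding "Run key ($key)" $p.Name '' $p.Value
        }
    }
}

# 3. Scheduled tasks. Windows 7 has no Get-ScheduledTask, so parse schtasks'
# verbose CSV; it repeats its header row per task folder, which is filtered.
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -eq 'TaskName') { continue }
    if (Test-Suspicious $t.'Task To Run') {
        Add-Finding 'Scheduled task' $t.TaskName $t.Status $t.'Task To Run'
    }
}

$findings | Sort-Object Source, Name |
    Format-Table Source, Name, State, Path -AutoSize -Wrap
```

Expect noise: legitimate vendors put services under ProgramData and per-user updaters under AppData, so the list is a review queue, not a verdict. The useful signal is a remote-control product, or anything under a user profile or a temp directory, that has no corresponding entry in Programs and Features; that combination is exactly what the Citrix service in the post above looked like.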

Johny B Good
Jul 18, 2014, 8:48:56 PM
On Thu, 17 Jul 2014 16:57:23 +0100, Jaimie Vandenbergh
<jai...@sometimes.sessile.org> wrote:

>On Thu, 17 Jul 2014 16:47:08 +0100, Johny B Good
><johnny...@invalid.ntlworld.com> wrote:
>
>>(the apparent lack of any installed remote desktop s/w is a
>>little puzzling to say the least).
>
>Indeed - and to me, it suggests that they've installed it in a way
>hidden from the software list to avoid removal. It'll be interesting to
>hear what you find!
>

===============STOP PRESS===============

I've been looking to using the Acer Backup Manager installed on the
laptop (I'm fed up with trying to deal with showstopping errors when
just using cut 'n' paste (or drag 'n' drop) in explorer) and I noticed
a rather curious anomaly when I selected the app data folder in the
user's folder.

According to the backup manager, there's some 600 odd GB's worth in
that folder (the total to backup figure drops back to... 46.54GB when
I deselect that folder).

After some more investigation it seems to be down to an infinite
recursion of a shortcut link in the appdata folder pointing back on
itself! I'm now rerunning a scheduled chkdsk session using the
laptop's installed win7 (it might see a problem that escaped win2k's
version of chkdsk)....

False alarm. It turns out that Acer Backup Manager is simply
"Shite"(tm). It's getting well confused by the recursive shortcut. Not
only that, it demands I insert a USB drive before I can try to select
a DVD writer (the local drive target option is greyed out, even after
mapping a network attached drive to a local drive letter).

It's really so feckin' useless, it's going to be removed as yet
another piece of Acer crapware (I thought it perhaps might have been a
useful utility when I first eyed up the Acer crapware).

I've had to resort to copying the user folders to the mapped drive
via explorer's copy function. Thankfully, the laptop sports a Gbit lan
interface so the 20 odd GB's worth of user crap is only going to take
ten minutes or so to copy ( the transfer speed crept up to 38MB/s -
not bad for a laptop).

Well, I've got a backup copy of the user's data safely tucked away on
the NAS box so I can experiment with NTFS 2 FAT32 2 NTFS conversions.
If it all goes tits up, I've still got the factory restore option to
hand.
--
J B Good

GB
Jul 19, 2014, 7:29:33 PM
You seem to be going to enormous lengths. Why not simply nuke the HDD
and reinstall from scratch?

Johny B Good
Jul 20, 2014, 1:16:29 PM
On Sun, 20 Jul 2014 00:29:33 +0100, GB <NOTso...@microsoft.com>
wrote:
Believe me, many's the time, in retrospect, that I wish I'd "Taken
the easy way out" (but then I remember the pain of the endless windows
updates that usually follows such a course of action).

As it happens, I finally got access to the "System Volume
Information" folder and discovered the missing 248GB in the form of
system recovery files.

When I checked the settings I [1] discovered the disk usage limit had
been set to 300 odd GB, I turned it down to 2% (a more reasonable
9GB's worth) and 'deleted' all the restore points (I'd already deleted
the files whilst connected to the win2k box, it just didn't seem to
realise that fact).

Quite possibly one of the tricks used by the scumbags at "online pc
care". They don't appear to have inflicted any out and out malware of
their own on the system. More likely the stuff I found would have
arrived anyway without their help.

I've been in touch with my customer and gave him the 'good news'.
He'll be calling in Monday morning with his talktalk router for me to
check out.

[1] I'd forgotten that win7 had restored access to these settings
which had been removed (or at least, really well hidden away) in Vista
otherwise I'd have been onto this a lot sooner.
--
J B Good

Johny B Good
Jul 20, 2014, 1:35:01 PM
On Sat, 19 Jul 2014 01:48:56 +0100, Johny B Good
As per my other post, I never got that far, the AOMEI utility refused
to convert the C drive. Not too surprised at this since it would have
been akin to tree surgery whereby you attempt to cut off the limb
you're standing upon.

With that in mind, I installed the AOMEI utility on my own PC and
re-attached the laptop drive, taking one final look at the totals in
explorer which now matched the discrepancy! The extra 248GB had been
hidden in the "System Volume Information" folder as restore points,
all of which I deleted before fitting it back into the laptop.

Mystery solved! Basically, some idiot (or Cunt at "online pc care")
had 'turned the wick up" on the restore point space allocation limit.

I'd forgotten that this wasn't like Vista where there's no obvious
option to control this default (used to be 12% of the disk in winXP -
Gawd knows what it was in Vista but I wouldn't have expected a 50% or
larger allocation). Win 7 has reinstated the disk space usage option
in the restore points control panel, it's a pity I'd forgotten this
little factoid. :-( Doh!
--
J B Good
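
The two posts above resolve the mystery: the System Protection (System Restore) disk usage limit had been raised far above any sensible value and the shadow copies filled "System Volume Information", which the win2k box could not open. The script below is an added example from the editor, not from the thread; it is the check that finds this directly. It reads the Volume Shadow Copy storage association for a volume, reports how much the diff area may use and does use against the volume's size and free space, lists the restore points, and can cap the limit with vssadmin the way the control panel slider does. It must run elevated on the suspect Windows 7 installation itself, because the storage association belongs to the running OS, which is why it was invisible from another machine. The 10% "worth a look" threshold is the example's own, not a Windows default.

```powershell
# Added example (editor's, not from the thread): the check that finds the
# missing 248 GB directly. Reads the System Restore (Volume Shadow Copy)
# storage association for a volume, shows how much of the volume it may and
# does consume, lists the restore points, and optionally caps the allocation.
# Run elevated on the suspect Windows 7 installation. The 10% threshold is
# this example's own, not a Windows default.
param(
    [string]$Drive      = 'C:',
    [string]$CapPercent = ''        # e.g. '2%' to cap; empty = report only
)

$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
$vol  = Get-WmiObject Win32_Volume      -Filter "DriveLetter='$Drive'"

# Win32_ShadowStorage ties a source volume to the volume holding its
# shadow-copy "diff area" and carries the three sizes that matter here.
$store = Get-WmiObject Win32_ShadowStorage |
         Where-Object { ([wmi]$_.Volume).DeviceID -eq $vol.DeviceID }
if (-not $store) { "No shadow storage association for $Drive (System Protection off?)"; return }

$gb     = { param($b) '{0:N2} GB' -f ([long]$b / 1GB) }
$maxPct = 100 * [long]$store.MaxSpace / [long]$disk.Size

'Volume {0}: size {1}, free {2}' -f $Drive, (& $gb $disk.Size), (& $gb $disk.FreeSpace)
'Shadow storage used {0}, allocated {1}, maximum {2} ({3:N1}% of volume)' -f `
    (& $gb $store.UsedSpace), (& $gb $store.AllocatedSpace), (& $gb $store.MaxSpace), $maxPct
if ($maxPct -gt 10) {
    'Maximum is above 10% of the volume: someone raised the System Protection limit.'
}

# The restore points themselves live in root\default:SystemRestore.
$points = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
'{0} restore point(s); newest five:' -f $points.Count
$points | Sort-Object SequenceNumber -Descending | Select-Object -First 5 |
    ForEach-Object {
        $when = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        '  #{0,-4} {1}  {2}' -f $_.SequenceNumber, $when, $_.Description
    }

if ($CapPercent) {
    # Same knob as the System Protection slider. Windows discards the oldest
    # restore points to fit the new limit, which is what gives the space back.
    $diffDrive = ([wmi]$store.DiffVolume).DriveLetter
    & vssadmin resize shadowstorage /for=$Drive /on=$diffDrive /maxsize=$CapPercent
    & vssadmin list shadowstorage /for=$Drive
}
```

Run it first with no cap to see the figures; a maximum in the hundreds of gigabytes on a 452 GB volume is the thread's situation. Deleting the files under "System Volume Information" from another machine, as was tried earlier in the thread, does not update this association, which is why the running Windows 7 still thought the space was in use until the limit was lowered and the restore points removed from inside it.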

Jaimie Vandenbergh
Jul 20, 2014, 5:10:22 PM
On Sun, 20 Jul 2014 18:16:29 +0100, Johny B Good
<johnny...@invalid.ntlworld.com> wrote:

> As it happens, I finally got access to the "System Volume
>Information" folder and discovered the missing 248GB in the form of
>system recovery files.

Hurray!

Now the only mystery is why the machine wasn't riddled with malware. But
that's a human thing rather than a software thing.

Speaking of which, your friend does know that all his Internet accounts
are to be considered compromised? And anything else private that was on
the machine?

Cheers - Jaimie
--
"The idea that Bill Gates has appeared like a knight in shining armour to
lead all customers out of a mire of technological chaos neatly ignores
the fact that it was he who, by peddling second-rate technology, led them
into it in the first place." - Douglas Adams

GB
Jul 21, 2014, 6:05:33 AM
On 20/07/2014 18:16, Johny B Good wrote:

>> You seem to be going to enormous lengths. Why not simply nuke the HDD
>> and reinstall from scratch?
>
> Believe me, many's the time, in retrospect, that I wish I'd "Taken
> the easy way out" (but then I remember the pain of the endless windows
> updates that usually follows such a course of action).

Given that you can't find malware, I'd still be highly suspicious and
would prefer the formatting disk option. I don't find windows updates
all that 'endless'. Of course they would be if you sat over the machine
watching them, but I just leave it to get on with them, wander back a
couple of hours later and restart or whatever's needed. User time needed
on the process is far from endless.


You can also download the service pack and install that manually IIRC.
Or do you have to slipstream it? It's been a while and it wasn't painful
enough to keep me awake at nights.

Reinstalling the apps is more time-consuming. I have a directory with
copies of all the install CDs and serial keys, but I expect your friend
did not do that.

Johny B Good
Jul 21, 2014, 9:53:17 AM
On Sun, 20 Jul 2014 22:10:22 +0100, Jaimie Vandenbergh
<jai...@sometimes.sessile.org> wrote:

>On Sun, 20 Jul 2014 18:16:29 +0100, Johny B Good
><johnny...@invalid.ntlworld.com> wrote:
>
>> As it happens, I finally got access to the "System Volume
>>Information" folder and discovered the missing 248GB in the form of
>>system recovery files.
>
>Hurray!
>
>Now the only mystery is why the machine wasn't riddled with malware. But
>that's a human thing rather than a software thing.
>
>Speaking of which, your friend does know that all his Internet accounts
>are to be considered compromised? And anything else private that was on
>the machine?
>

Thanks for that reminder. I don't recall specifically mentioning this
risk when I was discussing the question of setting nice long passwords
for logging into different accounts when I asked him about changing
the default admin password on his talktalk router (it's "admin" by
default!).

He really is a total Newbie and he was starting to find it all rather
confusing by the time I was checking out the confusing (to me!)
advanced options in the router setup menus. I'll give him a call to
make sure he knows about this risk as soon as I've posted this.

Strangely, after forcing the router back to defaults, I had to untick
the UPnP enable box which had already been left unticked so if
anything, it was in a more secure state than the default!

I guess "online pc care" didn't need to do anything nastier than
having remote access to his system to carry on the scam of charging
for almost zero effort. They may even have helped keep the system
clean of competing malware that could have cut short their ride on
this gravy train (three years worth, from what my customer told me).

He only became concerned when they started abusing this power of
access to squeeze more payments out of him after he tried to terminate
the 'service contract'.

It all highlights the cavalier attitude Microsoft have towards the
'safety' of their 'consumer' customers in the implied "Don't worry!
We've made using a computer so simple (and safe to use) that you don't
need to know anything whatsoever about how computers actually work"
approach to 'selling' their windows product to the great unwashed
masses.

"online pc care" may simply be guilty of nothing more than applying
the same basic principles as their 'Hero' Microsoft in their business
practices (and letting this power go to their head).
--
J B Good

Johny B Good
Jul 21, 2014, 7:14:23 PM
On Mon, 21 Jul 2014 11:05:33 +0100, GB <NOTso...@microsoft.com>
wrote:

>On 20/07/2014 18:16, Johny B Good wrote:
>
>>> You seem to be going to enormous lengths. Why not simply nuke the HDD
>>> and reinstall from scratch?
>>
>> Believe me, many's the time, in retrospect, that I wish I'd "Taken
>> the easy way out" (but then I remember the pain of the endless windows
>> updates that usually follows such a course of action).
>
>Given that you can't find malware, I'd still be highly suspicious and
>would prefer the formatting disk option. I don't find windows updates
>all that 'endless'. Of course they would be if you sat over the machine
>watching them, but I just leave it to get on with them, wander back a
>couple of hours later and restart or whatever's needed. User time needed
>on the process is far from endless.

It's quite rare these days that I feel the need to resort to a
factory restore on account of not being able to find malware to
account for suspicious behaviour. If the various AV and malware scans
clean up and confirm an absence of malware and the system shows no
suspicious behaviour, I'm happy to accept that it is malware free (and
I do know how to check for a 'hidden 2MB partition' which would be
used by the more pernicious of rootkit infections).

>
>You can also download the service pack and install that manually IIRC.
>Or do you have to slipstream it? It's been a while and it wasn't painful
>enough to keep me awake at nights.

I've already got the service packs downloaded to deal with such
situations. The main virtue of using a downloaded service pack isn't
so much the saving of the download time so much as to avoid the need
to connect to the internet (and disable automatic updates). The time
to allow updates is _after_ applying the latest service pack. It
minimises the time spent in getting windows fully up to speed.

>
>Reinstalling the apps is more time-consuming. I have a directory with
>copies of all the install CDs and serial keys, but I expect your friend
>did not do that.

If I had to resort to a factory restore (usually due to replacing a
buggered HDD rather than due to malware), I'll normally leave the
problem of re-installing the software in the hands of my customer.

I normally install Avast, SpyBot, MBAM and the Opera web browser
v12.16, and place a copy of the user files backup into a restore
folder for him to pick over at his leisure. The rest is up to the
customer. As you pointed out, reinstating software can be the most
time consuming element of all.
--
J B Good

GB
Jul 22, 2014, 8:49:29 AM
On 22/07/2014 00:14, Johny B Good wrote:

> If I had to resort to a factory restore (usually due to replacing a
> buggered HDD rather than due to malware), I'll normally leave the
> problem of re-installing the software in the hands of my customer.
>
> I normally install Avast, SpyBot, MBAM and the Opera web browser
> v12.16, and place a copy of the user files backup into a restore
> folder for him to pick over at his leisure. The rest is up to the
> customer. As you pointed out, reinstating software can be the most
> time consuming element of all.
>

Presumably, at £XX per hour, there is a limit to what customers will pay
you to do.