Porn bill. Can't get rid of.

Discussion in 'The Lounge - Off Topic' started by Headache, Apr 30, 2007.

  1. BosonMichael

    BosonMichael Yottabyte Poster

    The only problem is even thinking that a rootkit *might* be present. How would you even know one was there to even think to look for it? Having seen a machine completely *infested* with them, and not being able to realize their presence without the help of one particular isolated app... I'd have never even known they were there. And like you, I tried to use Blacklight and got nothing. After that experience, I'm particularly wary when I see a virused system... I know that I can only remove what I see... but who knows what I'm leaving behind because I *can't* see it?

    When I was scanning that doctor's PC, the scan would freeze on all manner of rootkits... keyloggers... habit trackers... you name it. In those cases, there was no payload to remove... it was actively doing those things behind the scenes. Keyloggers are enough to send chills down my back, from a security perspective.

    Besides, how can you remove a payload that the rootkit is designed to hide? The rootkit takes control of the OS, and changes it so that the OS can't see what the rootkit doesn't want it to see. And you can't remove what you can't see.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  2. TheCake

    TheCake Bit Poster

    shambles - in reply to your post. You're not missing anything at all mate. I agree absolutely with you that without training people will still do this, regardless of what security measures you take.

    The reason why I do a block flatten and re-install is because the time spent investigating, researching, scanning, testing, rebooting etc only for the same nasty to pop back up, creep back in etc etc means the whole process just isn't time efficient.

    Going back to a restore point, as someone said, is also pointless. You'll find most viruses and malware infect restore points!

    If I see a reasonably serious infection (down to interpretation obviously), I do a backup to a USB hard drive for important docs and apps, then grab my OS restore CD and slap that in and go for lunch. By the time I'm done my OS is usually back to OEM, I can run any CDs I need and get back up and running, and leave Windows Updates running overnight or whilst I'm having a nice evening in with the other half to finish itself off.

    :)
     
    Certifications: NSE, MOUS
    WIP: CCNA, MCSE, CCA
  3. shambles

    shambles Guest

    Maybe the mistake is to try too hard to please the customer...

    My experience has been that getting a 'good' backup of documents, pictures, music is a nightmare. Untrained users will have folders all over the shop with stuff hidden away in them. And you have to be so cautious, just in case you are re-introducing infection... If only they'd back up as they go along...

    Then the reinstall itself - you must (obviously) have had that experience where a vital driver, last seen in 1999, is suddenly no longer available, or where the installer for the program that opens that vitally important document is somehow 'missing'... Or better still - you are responsible for fixing that thing that hasn't worked in the last 3 years... I've spent hours sometimes trying to sort out what was originally there...

    Then they complain because the music they had stored in the system32 folder for some reason is now somewhere else, and their MSN history is gone, along with their Internet Explorer history...

    I'd much sooner try to fix. At least I don't need to try and recreate their chaos again...

    That's what I like about Bart PE. In theory, because you can examine the registry remotely, so things can't hide, it should be possible to dig stuff out and zap it for good - if you know what you're looking for - and that's a problem in itself.
     
  4. BosonMichael

    BosonMichael Yottabyte Poster

    A search for the most common file types will turn up that stuff. But I agree, it is frustrating. I always tell the customer that, if they don't know where their stuff is, I can't guarantee I'll be able to salvage everything. I've not had one to complain after the fact.

    That's certainly something you must take into account when assessing whether to surgically cut or indiscriminately nuke.

    See above. One workaround is to purchase a hard drive - drives are extremely cheap these days - and do the reinstall. Then, if you missed any data or drivers, you can grab it off the old drive. It's certainly worth the cost of a drive to do, and can save you time, depending on your assessment of the damage.

    In theory. But it didn't work, unfortunately... I tried it. :( It was my first in-the-wild rootkit experience, and I pulled out all the stops in trying to figure out how to discover them. I anticipate that AV companies will learn new ways to start discovering them... I was very disappointed to see Blacklight come up empty-handed.
     
  5. Tinus1959

    Tinus1959 Gigabyte Poster

    There is this special tool to discover rootkits. It is used by these special companies involved with computer forensics. They revive data from discs which have been formatted, burned, been in a crash and so on. I looked at a demo of the program. The demo is a set of data on a CD and screenshots of what the program can do. The program is very expensive (to the extreme in my eyes) and not for sale to the public. I forgot its name.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  6. jackson

    jackson New Member

    The patriarchs here have delivered their opinions.

    I am here to share my practice to prevent this thing from happening, as "Prevention is better than cure".

    1) After a new installation of a computer, the hard disk has to be cut into 3 partitions (a slave hard disk may also be counted as a partition).
    1.1 The first partition (size from 20 to 40G) is for the system and program installs.
    1.2 The second partition (size from 5 to 10G) is for GHOST images.
    1.3 The third partition (takes all the rest of the hard disk).

    2) Install the programs, printers, other hardware, configure users, other application settings etc. And then,
    2.1 Make a GHOST image.
    2.1.1 Use today's date to name the image. (Reason: you will know which image you are adopting when you have several to recover from.)
    2.1.2 The size of a GHOST image is usually greater than 1G even after compression; the best size is less than 650M, so cut the image into 640M files each while making it. (Reason? Many applications have constraints in handling file sizes over 1G; sometimes you may not be able to copy it or FTP it somewhere else. A size of around 640M is the best, as you may burn it to CDs.)
    2.2 Save the GHOST image in the second partition. (Or, even more secure, burn it to a DVD and put it in your safe.)
    2.3 Hide the partition. (It is important, as no matter how atrocious the virus, it can never contaminate a file in a hidden partition.)

    3) Install a recovery program (I don't trust the recovery function provided by Windows).
    3.1 Set which partitions are under protection. (For me, I tick only the System partition; one may also tick the Data partition, but please don't protect the Hidden partition.)
    3.2 Set the recovery mode (for me, I tick "No recovery"; one may tick "Auto", "Manual", "Time based", whatsoever you like).
    3.3 Whenever I need a recovery, e.g. suspected contamination by a virus, cleanly uninstalling a trial program etc., all I have to do is reboot, enter the recovery password, select the recovery option and press enter; the whole process can be done in half a minute.
    3.4 Beware that, if you select protection of the Data partition, you have to copy out the files first before recovery, or the files edited or created between the last save and this moment will be lost.

    4) Use of a virtual machine (the virtual machine I use is VMware Server 10)
    4.1 Download VMware Server 10. Please visit http://www.vmware.com, just apply for a free account and download (it is freeware).
    4.2 Install VMware and also as many different virtual machines as you want.
    4.3 I use only a virtual machine to visit porn or potentially dangerous sites; whenever the OS or browser has been hijacked, all I have to do is delete the VM files or directory.

    Precaution

    1 To deal with programs with an installation limit (some programs can only be installed one or two times):
    1.1 You have to decide where and when to install it. If you GHOST recover before installation, you may keep it forever.
    1.2 Or recover with the recovery program and then install; this will keep the program only until your next GHOST recovery.
    1.3 If you install it in a virtual machine, you may use the program only via the virtual machine.

    2 Uninstall the recovery program before GHOST recovering the System partition.

    The combined use of the above measures will surely protect your OS and avoid what "Headache"'s housemate met.

    Thanks for reading, comments are welcome!
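Step 2.1.2 above splits a Ghost image into CD-sized files, and steps 2.3 and 3.3 depend on the stored image being exactly what was saved. As an added example (not the poster's tooling or any Ghost feature), the following Python splits an image into fixed-size parts with a SHA-256 manifest and refuses to reassemble it if any part is missing or was altered in the meantime. The 640M default, the file naming and the constructed 1000-byte sample image are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def split_image(image: Path, out_dir: Path, chunk_size: int = 640 * 1024 * 1024) -> Path:
    """Split `image` into CD-sized numbered parts and write a SHA-256 manifest."""
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = out_dir / f"{image.stem}.manifest"
    # Whole-image hash first, then one line per part, so a restore can be
    # refused if anything changed while the parts sat on the hidden partition.
    with open(image, "rb") as src, open(manifest, "w") as m:
        m.write(f"image {sha256_file(image)}\n")
        for idx, chunk in enumerate(iter(lambda: src.read(chunk_size), b"")):
            part = out_dir / f"{image.stem}.{idx:03d}"
            part.write_bytes(chunk)
            m.write(f"part {part.name} {hashlib.sha256(chunk).hexdigest()}\n")
    return manifest


def verify_and_join(manifest: Path, restored: Path) -> bool:
    """Reassemble the listed parts; False if any part is missing or altered."""
    lines = manifest.read_text().splitlines()
    expected = lines[0].split()[1]
    with open(restored, "wb") as dst:
        for line in lines[1:]:
            _, name, digest = line.split()
            part = manifest.parent / name
            if not part.exists() or sha256_file(part) != digest:
                return False
            dst.write(part.read_bytes())
    return sha256_file(restored) == expected


def demo() -> tuple:
    """Constructed sample: a 1000-byte fake image split into 300-byte parts."""
    tmp = Path(tempfile.mkdtemp())
    image = tmp / "system.gho"
    image.write_bytes(bytes(range(256)) * 3 + b"x" * 232)
    manifest = split_image(image, tmp / "parts", chunk_size=300)
    ok = verify_and_join(manifest, tmp / "restored.gho")
    bad = tmp / "parts" / "system.001"
    bad.write_bytes(b"\xff" + bad.read_bytes()[1:])  # corrupt one byte of one part
    return ok, verify_and_join(manifest, tmp / "restored2.gho")
```

Burning the manifest alongside the parts (or keeping a copy off the machine) is what makes the check meaningful; a manifest stored only on the hidden partition can be rewritten by whatever rewrote the parts.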
     
  7. BosonMichael

    BosonMichael Yottabyte Poster

    That's all good... unless you have a customer who is not willing to pay for Ghost, and is not willing to pay for you to take the time to take those preventative actions. In those cases, there's not much you can do except get them recovered in the shortest amount of time for this individual occurrence. But if you can get the customer to agree to taking those necessary proactive steps, especially if they're prone to corrupting their install, then you can rack up more billable time now AND make it easy to get them recovered later.
     
  8. shambles

    shambles Guest

    now it's my turn to laugh...

    :lol

    I can't even get half of them to tell me the truth about what went wrong in the first place.

    Well, I was on google, and suddenly there was a naked person, and I didn't look or click anything, and now my computer doesn't work anymore and it says I have a pirate copy of XP...
     
  9. BosonMichael

    BosonMichael Yottabyte Poster

    I considered using a capital IF... cause it IS a big IF, for sure. :biggrin And that's why I brought up the potential pitfall to begin with... most customers *won't* go for it.
     
