RE: System Restore and Scareware

Yep, already seen that one in action here, a bugger to clean up.

Z

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Mike Gill [mailto:lis...@canbyfoursquare.com]
Sent: Tuesday, May 24, 2011 7:57 PM
To: NT System Admin Issues
Subject: RE: System Restore and Scareware

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
RE: System Restore and Scareware

Sounds like the malware we got. Re-emphasizing my original post, System Restore made the removal easy.

--
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

From: Ziots, Edward [mailto:ezi...@lifespan.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Thu, 26 May 2011 06:53:25 -0500
Subject: RE: System Restore and Scareware
RE: System Restore and Scareware

If this has been posted I apologize. I've been reading a lot on this lately and I'm starting to forget where I got which links.

http://www.symantec.com/connect/fr/blogs/trojan-feigns-failures-increase-rogue-defragger-sales?API1=100&API2=4176444

System Restore won't fix that. This is a mess really, as variants pop up and the location for the stored files gets more random or, better yet, encrypted.

--
Mike Gill

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Thursday, May 26, 2011 5:12 AM
To: NT System Admin Issues
Subject: RE: System Restore and Scareware
RE: System Restore and Scareware

Saw this the other day: http://tech.slashdot.org/story/11/05/20/2334259/New-Malware-Simulates-Hard-Drive-Failure

--
Mike Gill

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Friday, May 20, 2011 12:47 PM
To: NT System Admin Issues
Subject: System Restore and Scareware
RE: System Restore and Scareware

I had one of these last night. When I ran regedit (having logged in normally) it opened and then promptly closed down. Booted into safe mode and checked the software\windows\currentversion\run and runonce keys for anything that looked suspect (running from temp, app data, etc.). Removed those keys, and the randomly named .exe they launched. Rebooted back into Windows, cleaned up the hosts file, and then downloaded the latest version of MalwareBytes. 90 minutes later and the machine reported itself as clean. I need to run another scan to check and then work out what AV package is on there, as there were shortcuts for Norton, AVG and MacCr@ppy on the desktop.

From: Rankin, James R [mailto:kz2...@googlemail.com]
Sent: 20 May 2011 20:51
To: NT System Admin Issues
Subject: Re: System Restore and Scareware

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error.

QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England & Wales: Company Number: 3796233) Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.
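The manual Run/RunOnce review Matthew describes above (entries launching from temp or app data, randomly named executables) can be scripted so the review is repeatable and nothing is deleted by accident. The following is an added example for this thread, not code from any poster; it assumes Windows PowerShell 3.0 or later with read access to both registry hives, and the list of "suspect" directories is an assumption you should adjust to your own environment:

```powershell
# Added example: enumerate Run/RunOnce autostart entries and flag those that
# launch from user-writable locations (temp, app data, downloads) or that have
# random-looking executable names. Review-only; nothing is removed.
# Assumes Windows PowerShell 3.0+ (for [pscustomobject]).

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed list of directories that legitimate autostart entries rarely use.
$suspectRoots = @(
    $env:TEMP,
    $env:APPDATA,
    $env:LOCALAPPDATA,
    "$env:SystemRoot\Temp",
    "$env:USERPROFILE\Downloads"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ExecutablePath {
    param([string]$Command)
    # Extract the executable from a Run-key command line, which may be quoted
    # ("C:\path\x.exe" /arg) or bare (C:\path\x.exe /arg).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

$findings = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        $exe = [System.Environment]::ExpandEnvironmentVariables((Get-ExecutablePath ([string]$p.Value)))
        $exeLower = $exe.ToLowerInvariant()
        $fromSuspectDir = $suspectRoots | Where-Object { $exeLower.StartsWith($_) }
        # A long vowel-free alphanumeric file name is a weak signal on its own,
        # so it is reported as a separate column rather than folded into one flag.
        $leaf = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        $randomName = ($leaf -match '^[a-z0-9]{8,}$') -and ($leaf -notmatch '[aeiou]')
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Executable = $exe
            Exists     = (Test-Path -LiteralPath $exe)
            SuspectDir = [bool]$fromSuspectDir
            RandomName = $randomName
        }
    }
}

# Flagged entries sort to the top. Confirm each one before acting on it; removal
# would be Remove-ItemProperty -Path <Key> -Name <Name>, done by hand.
$findings | Sort-Object SuspectDir, RandomName -Descending | Format-Table -AutoSize
```

Run it from Safe Mode (or from an alternate desktop, as suggested later in the thread) if the malware is killing administrative tools on the normal desktop, and keep the output before removing anything so the cleanup is documented.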
Re: System Restore and Scareware

I suspect regedit will be among the list of window titles that the malware will check and terminate if it sees them run. A trick to get around this is to run the regedit window on a different desktop (not monitor - use something like http://technet.microsoft.com/en-us/sysinternals/cc817881). Malware generally only detects windows running on the primary desktop.

On 23 May 2011 07:26, Matthew B Ames matthew.a...@qinetiq.com wrote:
RE: System Restore and Scareware

Cool, nice one. I'll download that for later use. As it was, hopefully I have cleaned up the lodger's girlfriend's computer; however, that should mean the lodger won't mind paying this week's rent, as he has gained some additional services from me for free!

Cheers,
Matt

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: 23 May 2011 10:07
To: NT System Admin Issues
Subject: Re: System Restore and Scareware
System Restore and Scareware

I've had a couple of recent cases of scareware infecting some Windows XP Pro systems here. One reported lots of virus infestations and prevented the user from accessing the internet and, for a low price, would fix all. The other reported that the hard drive had tons of errors and the boot sector was gone, etc. And for a small fee, their utility could fix it. This system was unusable.

Maybe this is pretty basic, but I haven't seen mention of it: in both cases, Windows' System Restore easily removed both. I've seen descriptions of fixing infected systems involving fairly complex procedures and multiple utilities. I guess I just wanted to recommend giving System Restore a try first before resorting to the heavy artillery.

On the system that had the failed hard drive scareware, it was impossible to access System Restore in normal Windows. I figured Safe Mode was the way to go but I discovered System Restore is not available in Safe Mode. I did learn that you can run System Restore in Safe Mode with Command Prompt. Just enter %systemroot%\system32\restore\rstrui.exe at the command prompt and you're in System Restore. Not sure why regular Safe Mode wouldn't have that command available.

Hope that's of help to someone else.

--
Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com
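Before rolling back as Bob describes, it helps to know which restore points exist and to pick one that predates the infection, since a checkpoint taken after the scareware arrived will bring it straight back. The script below is an added example for this thread, not code from any poster; it assumes Windows PowerShell on a client edition of Windows with System Restore enabled, run from an elevated prompt (on a machine where the normal desktop is unusable, Safe Mode with Command Prompt as Bob describes is the place to run it). The infection timestamp is a constructed placeholder:

```powershell
# Added example: list System Restore points and select the newest one created
# before the time the machine is believed to have been infected.
# Assumes an elevated Windows PowerShell session on a Windows client SKU.

param(
    # Constructed placeholder; replace with when the symptoms first appeared.
    [datetime]$SuspectedInfection = (Get-Date).AddDays(-2)
)

$points = Get-ComputerRestorePoint | ForEach-Object {
    # CreationTime comes back as a DMTF/WMI datetime string
    # (e.g. 20110520124700.000000-300), so convert it to a real [datetime].
    [pscustomobject]@{
        SequenceNumber = $_.SequenceNumber
        Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description    = $_.Description
        Type           = $_.RestorePointType
    }
}

if (-not $points) {
    Write-Warning 'No restore points found; System Restore may be disabled or its store may have been cleared.'
    return
}

# Show everything first so the choice is visible and auditable.
$points | Sort-Object Created | Format-Table -AutoSize

$candidate = $points |
    Where-Object { $_.Created -lt $SuspectedInfection } |
    Sort-Object Created -Descending |
    Select-Object -First 1

if ($candidate) {
    $seq = $candidate.SequenceNumber
    Write-Output ("Newest restore point before {0}: #{1} '{2}' created {3}" -f $SuspectedInfection, $seq, $candidate.Description, $candidate.Created)
    # Restore-Computer reboots the machine; it is printed here rather than run so
    # the operator can confirm the choice (and back up user data) first.
    Write-Output ("To roll back, run:  Restore-Computer -RestorePoint {0}" -f $seq)
} else {
    Write-Warning 'Every restore point postdates the suspected infection; restoring to one may reinstate the malware.'
}
```

Whichever point is chosen, follow the rollback with the Safe Mode scan Roger recommends elsewhere in the thread, because System Restore only reverts the files and registry keys it monitors and will not touch everything a given variant drops.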
Re: System Restore and Scareware

Some of these little beasties are easy to beat - I've seen ones where deleting a file did the trick. Unfortunately, at the other end of the scale live some crafty process-injection nasties that are a veritable nightmare to find. Fortunately MalwareBytes has a good track record of pulling them out for you.

Typed frustratingly slowly on my BlackBerry® wireless device

-----Original Message-----
From: Bob Hartung bhart...@wiscoind.com
Date: Fri, 20 May 2011 14:47:23
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: System Restore and Scareware
Re: System Restore and Scareware
I've used SR several times to recover from malware. It's always good, though, to run a scan or two in Safe Mode after just to be sure.

Roger Wright
___
I'm out of bed and dressed... what more do you want?

On Fri, May 20, 2011 at 3:47 PM, Bob Hartung bhart...@wiscoind.com wrote:
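As an added example (not posted by anyone in this thread), a Windows PowerShell check to run before rebooting into Safe Mode with Command Prompt: it lists the machine's restore points and flags those created before the scareware first appeared, which are the only ones worth rolling back to. It assumes Windows PowerShell 2.0 or later in an elevated prompt; the $FirstSymptoms timestamp is a constructed value.

```powershell
# Added example, not from the thread. Inventory System Restore points and
# flag the ones that predate the infection, so you know whether "try
# System Restore first" is viable before booting to Safe Mode with
# Command Prompt and running %systemroot%\system32\restore\rstrui.exe.
# Assumes Windows PowerShell (Get-ComputerRestorePoint is not in PowerShell Core)
# running elevated. $FirstSymptoms is a constructed value for illustration.

$FirstSymptoms = Get-Date '2011-05-19 08:00'   # constructed: when the fake AV pop-ups started

function Get-RestorePointCandidates {
    param([datetime]$Cutoff)
    Get-ComputerRestorePoint | ForEach-Object {
        # CreationTime is a DMTF/WMI timestamp string (yyyymmddHHMMSS.ffffff+zzz),
        # so convert it before comparing with a [datetime].
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $created
            Description = $_.Description
            Usable      = ($created -lt $Cutoff)   # older than the infection = safe candidate
        }
    }
}

$points = Get-RestorePointCandidates -Cutoff $FirstSymptoms
$points | Sort-Object Created | Format-Table -AutoSize

$usable = $points | Where-Object { $_.Usable }
if (-not $usable) {
    Write-Warning 'No restore point predates the symptoms; System Restore will not help here.'
} else {
    # The newest point that is still older than the infection is the one to pick in rstrui.exe
    $best = $usable | Sort-Object Created -Descending | Select-Object -First 1
    "Candidate: sequence $($best.Sequence) from $($best.Created) ($($best.Description))"
}
```

A successful rollback is not a clean bill of health: as the thread notes, a rootkit can survive System Restore, so still run the Safe Mode scans afterwards.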
RE: System Restore and Scareware
I've had some good luck with system restores, but it doesn't seem to reliably work against a rootkit. Those that didn't I took care of with ComboFix.

From: Rankin, James R [mailto:kz2...@googlemail.com]
Sent: Friday, May 20, 2011 2:51 PM
To: NT System Admin Issues
Subject: Re: System Restore and Scareware

From: Bob Hartung bhart...@wiscoind.com
Date: Fri, 20 May 2011 14:47:23 -0500
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: System Restore and Scareware
Re: System Restore and Scareware
In the context of system restore, a virus is just for xmas, but a rootkit is for life.

Typed frustratingly slowly on my BlackBerry® wireless device

-----Original Message-----
From: Maglinger, Paul pmaglin...@scvl.com
Date: Fri, 20 May 2011 15:03:46
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: System Restore and Scareware

From: Rankin, James R [mailto:kz2...@googlemail.com]
Sent: Friday, May 20, 2011 2:51 PM
To: NT System Admin Issues
Subject: Re: System Restore and Scareware

From: Bob Hartung bhart...@wiscoind.com
Date: Fri, 20 May 2011 14:47:23 -0500
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: System Restore and Scareware