
  • What would you have done?


    • This topic has 43 replies, 22 voices, and was last updated 2 months ago.
    #2382694

    The other day I was working on a laptop and ended up rebuilding it. I discuss what I did over on Computerworld.com. I am reminded of this old and real
    [See the full post at: What would you have done?]

    Susan Bradley Patch Lady

    • #2382703

      If you grant the point in your reference article that “How can you tell when the original attack took place? The event logs cannot be trusted to tell you.”, then you in all likelihood cannot trust a reload of last month’s routine Macrium Reflect clone of the boot partitions as a potential resolution, so yes, a bare-metal reinstall would be needed. The last Reflect clone could still be useful (mounted on an isolated, then wiped drive) as a reference cross-check for apps, data, desktop/registry personal/custom configuration details, etc., while rebuilding.

      • #2382708

        There was no backup of the laptop for me to restore from in my case.

        Susan Bradley Patch Lady

    • #2382719

      Not to second guess the decision to re-install. If Chrome was the only issue, you could have tried the Portable Chrome browser at PortableApps.com. Even if it would not have installed on the bad PC, it can be “installed” (really just unzipped) on another PC and copied over.

      As for apps that run at system startup, shout out to the excellent and free Autoruns program from Microsoft.

      Another guess I would have made was to logon to Windows as a different userid. If nothing else, it changes the list of apps that run automatically at startup.

      As for Chrome, we see again that the price of free software is no tech support.

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      • #2382722

        Forgot to put in the article that I tried the other user profile – no go.  Tried also enabling the Administrator profile, no go.  In this case we needed full google, not just portable… and by this time I did not trust the OS anymore so it was really more of a stubborn geek trying to see if I COULD repair it (man versus machine and all that).

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #2382726

      No doubt, re-install. But a few other things you could do are back up the disk with dd, for future investigations, or boot up the Kaspersky Rescue Disk > free top-notch AV scan, not attached to your OS. You can argue that it’s Russian, but it’s pretty damn good at what it does.

      • #2382752

        An AV scan from bootable media (typically called a Rescue Disc, I think) is an excellent idea.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

    • #2382739

      After deciding the OS was compromised, this would be the procedure:

      1. Run Belarc Advisor, Speccy – print out results. This should give a record of hardware and software if/when you go looking for drivers/program installers.
      2. Copy User data (only) to external media. Scan external media.
      3. Collect all possible IDs and passwords and software installers from the User.
      4. Download drivers from the OEMs ahead of time if necessary (on another computer, of course).
      5. Replace the drive with the SSD.
      6. Reinstall the OS, update, and activate.
      7. Create a restore point and make an image backup. Base Win installation backup.
      8. Install software – restore points as necessary.
      9. Carefully restore User data, then run an anti-malware scan.
      10. Create a restore point and make an image backup. Finished Win installation backup.
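      Added example, not from the post above or from any of the tools it names: a PowerShell pass that records what steps 1, 2 and 8 of that procedure need later (hardware summary, installed programs, logon autostart entries, and a hash list of the copied user data) onto the external media, so the rebuilt machine can be cross-checked against the old one. It assumes an elevated PowerShell on the old OS and that E:\rebuild-reference is the external drive (placeholder path); as the thread itself notes, anything a compromised OS reports is a reference, not a trusted record.

```powershell
# Added example (not the forum poster's code). Run elevated on the old OS;
# $OutDir is an assumed path on the external drive from step 2.
param(
    [string]$OutDir = 'E:\rebuild-reference'   # assumed external drive
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Hardware summary (board, BIOS, CPU, disks, NICs, OS) for driver hunting.
$hw = [ordered]@{
    Computer = Get-CimInstance Win32_ComputerSystem | Select-Object Manufacturer, Model
    Bios     = Get-CimInstance Win32_BIOS | Select-Object SMBIOSBIOSVersion, SerialNumber
    Cpu      = Get-CimInstance Win32_Processor | Select-Object Name
    Disks    = Get-CimInstance Win32_DiskDrive | Select-Object Model, InterfaceType, Size
    Nics     = Get-CimInstance Win32_NetworkAdapter -Filter 'PhysicalAdapter=True' |
               Select-Object Name, PNPDeviceID
    Os       = Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, OSArchitecture
}
$hw | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $OutDir 'hardware.json')

# 2. Installed programs, read from the Uninstall registry keys (64-bit view,
#    32-bit WOW6432Node view, and the current user's hive).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation |
    Sort-Object DisplayName |
    Export-Csv (Join-Path $OutDir 'installed-programs.csv') -NoTypeInformation

# 3. Logon autostart entries from the Run/RunOnce keys and the Startup folders
#    (the slice Autoruns shows under "Logon"). Anything unrecognised here is
#    worth a look before it gets recreated on the new install.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
    }
})
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$autoruns += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName } }
})
$autoruns | Export-Csv (Join-Path $OutDir 'autoruns.csv') -NoTypeInformation

# 4. Hash the user data copied to the external drive, so the copy can be
#    verified after the anti-malware scan in step 9 and before the restore.
$userData = Join-Path $OutDir 'userdata'   # assumed: where step 2 copied the profile
if (Test-Path $userData) {
    Get-ChildItem -Path $userData -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Export-Csv (Join-Path $OutDir 'userdata-sha256.csv') -NoTypeInformation
}
```

      The three CSV files and the JSON summary are what you consult while doing steps 4 and 8 on the new SSD; the hash list lets you re-run Get-FileHash against the restored profile in step 9 and diff the two outputs, so a file altered on the external media after the scan does not go unnoticed.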

      • #2382750

        No argument with the list, but take a look at it. A full days work, if not more. At some point, anyone has to think “Chromebook”.

        Would it not be smart for a company to run all their copies of Windows in a VM so they can be checkpointed and recovered back to a known good state? And store files in a system that also allows for checkpoints and rollbacks, something like ZFS.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

        • #2382768

          The user uses Word/types and trust me the Chromebook version of Word is severely lacking.

          Susan Bradley Patch Lady

          • #2383302

            Chromebook version of Word?

            Do you mean Google docs or the online Word at office.com or the Android version of Word?

            Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      • #2382779

        An exact list, though adding to this list by experience are these perpetual steps.

        A user should set aside time to backup files plus a few versions of known good essential program installers available for immediate use. (If one version is known to become untrustworthy you may have a fallback for your use and protection.)

        Keep on a separate offline drive a mirror copy of those program installers. (Gold copies as Susan described them a few days ago).

        Capture a complete drive image at least monthly.

    • #2382751

      What would you have done?

      First, I would create a full drive image (in case the troubleshooting pooches Windows, restore the image and try again).  Then I would use my Power Tools to find in the registry the locations of the offending files, scrub the registry and then delete the offending files.

      Then another drive image, restart (cold start, not a warm reboot), scan again.  It has been my experience when rooting out malware/viruses that a seed (something as simple as a text file) can be left behind, or created during boot, and re-infect the system.  If three restarts remain clean, run a full scan with Defender, and a full scan with Malwarebytes.

      This method is also helpful for reinstalling HP printer software when it glitches.

      Another technique is to make room (if possible) on the drive for a dual boot of Windows.  Boot into the clean Windows and run scans on the old installation.  The malware’s built-in protections don’t work when they are not booted.  You can load the registry hives into the new Windows and go through them looking for troublesome entries.

      Once the drive is clean, the dual boot can be deleted and the drive space reclaimed.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

    • #2382755

      NB: Previous message sent (same content) was me … I forgot to login. Sorry about that guys.  It’s Monday!

      So you did not try to get rid of Fast Browser when you discovered it?    I assume you thought there was more than one devil inside your downloaded software package, due to the extent to which the registry was hacked.

      The Fast Browsing Search browser hijacker will change your browser search provider to http://media.eanswers.com, which will redirect to search result pages from http://search.yahoo.com. This is most likely done to generate advertising revenue by using Yahoo Search for its search results.

      When the Fast Browsing Search browser hijacker is installed on a PC, common symptoms include:

      • Changing the web browser’s default homepage to Fast Browsing Search
      • Changing the browser’s search provider, built-in search box to Fast Browsing Search
      • Ability to modify the ‘new tab’ functionality to launch the modified search portal page
      • Loads into the web browser via an extension or add-on

       

      You can get rid of it …

      How to remove Fast Browsing Search redirect (Virus Removal Guide)

       

    • #2382764

      Your specific questions were ‘What would you have done? What tools did I miss trying?’.

      Before the decision to clean install (which I would have done too), I would have tried a couple of other things (using small, free, portable tools so no installation overhead) which are quick and easy to carry out:

      “I downloaded both the stub installer and the enterprise installer and the installers would flash a window up, then close down and not install. (The event viewer indicated that the installation was failing, but gave no clue about why.)”

      I often find Event Viewer unhelpful or just blind to problems. At this point I would have used Sysinternals/TechNet’s Process Monitor (ProcMon), filtering on the installer executable (and with the view set to just File System and Process/Thread activities initially), to capture what was happening, and looking for CloseFile and ThreadExit events to perhaps explain the window that flashed up. (But *don’t* use the current version of ProcMon OR the one before if you can help it. They both have known – and reported – issues. I’ve reverted back to using v3.50.) Some malware watches out for the use of ProcMon so if it didn’t run then this would be another clue that something fishy was going on.

      “Next, I used the registry editor to scan for all locations of Chrome in the registry.”

      By this time you already knew something fishy was going on, e.g. “evidence of a past program whose goal was to disable Microsoft Defender”.

      I use Nir Sofer’s RegScanner. IMO it’s *much* faster and easier than continually hitting F3 in the built-in Registry Editor. Run it using Run as administrator to scan the registry. Use CTRL+DEL to delete found keys/values. If you run into keys you cannot delete then re-run RegScanner as TrustedInstaller using Sordum.org’s PowerRun.

      “msconfig showed that the system was set to do a selective startup, and nothing I tried would allow it to change to normal startup.”

      Again, try running msconfig from within PowerRun.

      Some people prefer to only use Microsoft tools, and I understand that. However, if they were both efficient and effective then there should be no need for the plethora of third-party utilities available, many of which offer considerable improvements IMO. 🙂

       

    • #2382769

      I bumped into this article about a month ago. Now, during the last month, two of my computers misbehaved, where my 40+ years of computer fixing experience did not help. This article in Tom’s Hardware helped me to fix both computers easily.

      https://www.tomshardware.com/how-to/fix-windows-10-repair-install

      “How to Fix Windows 10 with a 30-Minute Repair Install”

      1 user thanked author for this post.
      • #2382773

        Tried that as well, didn’t work.  I honestly thought it would and it didn’t (should have put that in the article as well).

        Susan Bradley Patch Lady

    • #2382802

      I would have screamed and shouted and jumped up and down, then called Geek Squad.

      Don’t ask me – you’re the expert. 😉

       

    • #2382806

      I have been faced with that on too many occasions. I think there is more value to the client (generally) to repair the computer than to “nuke and pave.” The frustrating thing about that is that there are often so many ways to fix things, and one failure leads to another fix to try. I have spent many evenings & all-nighters going down that rabbit hole. It is very frustrating letting the computer win, but sometimes you have to let go. Given your situation – the opportunity to replace a spinner with an SSD – I agree, it was a great time to “nuke and pave.” Another benefit might be updating the OS to 21H1 if not there already, as well as disappearing any other unwanted junk that you haven’t found yet. I concur with your final choice.

      I’d back up with Fab’s autobackup, install the current release of Win 10 on the new SSD and go forward, hoping I have all the install media and license info. There is always one proprietary program that eludes me. Maybe I’d have considered an in-place upgrade, but given the uncooperative malware, that might be a bad choice. Also, the malware might block the upgrade install.

      I wish I had a magic buzzer that would go off at the perfect time – when I have put enough effort into it that I can feel like I gave it a good try, but in time to stop me from chasing my tail and making up new cuss words. Note to self – invent a new app. Call it timer.

      • #2382814

        I have been faced with that on too many occasions. I think there is more value to the client (generally) to repair the computer than to “nuke and pave.” The frustrating thing about that is that there are often so many ways to fix things, and one failure leads to another fix to try. I have spent many evenings & all-nighters going down that rabbit hole.

        Note the bold.  I see it more as climbing out of that rabbit hole.  I learned early in my tinkerin’ with Windows, my slicing and dicing and sewing back together,  judicious use of drive images is the secret sauce.  Each small level of success means a new drive image.  If the next couple of steps are inhospitable, just restore the drive image to the last successful plateau, and go at it on a slightly different tack.

        Running a clean install teaches one how to run a clean install.  Digging a mess out of Windows’ registry and other innards and getting a final result that’s clean and tidy teaches one a good deal more.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

    • #2382808

      I am prone to running Malwarebytes in situations like that. I wonder what it would have said. But I am impatient and would have just clean re-installed. But never had a situation like that that I can recall.

      - ThinkPad T570-20HA, i7-7600U, 2.8GHz, UEFI/GPT, 16GB, Sammy 256GB M.2 NVMe PM961. -

    • #2382815

      Hey Susan.

      Completely agree. I had a situation once where a bad installer messed up Windows. Reinstalled, but had lots of programs that I didn’t have installers for. Since that experience, I always copy the installer, after seeing that it is a good one, onto a separate HDD. All of my installers and licenses are on that external HDD.

      Since 2017 I have an MSI GT73vr Titan. It came with a 256 GB NVMe. About two years ago, I opted to upgrade the NVMe to a 1GB Samsung.

      I have cloned the original NVMe with Reflect to the 1GB and kept the original as a backup if something went sideways. It’s a matter of a few minutes to simply exchange the SSDs. I also keep it up to date with new programs and Windows updates. I know, you might think this is a hassle but, it could/will save me lots of time if I do have to reinstall.

      This, I think, is the simplest way to get you back up and running in no time.

      You can now scrub the bad drive and do a clone.

      Just the way I do it.

    • #2382837

      That’s clearly a case of malware infection. Maybe a better way would have been to use a free AV like Kaspersky to disinfect.

    • #2382849

      Back in my Windows days, I used to use a little command line utility called PsExec, from Sysinternals (now part of Microsoft). It allows you to run RegEdit with system privileges, which is a step higher than administrator.

      Just a nitpick: IDE is an older standard that was superseded by SATA about 15 years ago. If you put in a SSD, the hard drive it replaced would not have been IDE, but SATA.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
      Dell G3 15/3579, i7-8750H/16GB, KDE Neon
      Asus P8P67 Deluxe, i5-2500k/16GB, KDE Neon

      • #2382893

        Just a nitpick: IDE is an older standard that was superseded by SATA about 15 years ago. If you put in a SSD, the hard drive it replaced would not have been IDE, but SATA.

        There are a number of IDE/SATA adapters readily available.  I used one when I upgraded my Dell Latitude D800 to SSD.  It has an mSATA SSD connector in an IDE-connected 2.5″ tray.  Works quite well.

        IDE-mSATA

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        • #2383540

          She didn’t mention using an adapter, but she did mention that the unit in question was an HP Envy, none of which have ever, to my knowledge, used IDE. The very first one (2009), the Envy 13, was a SATA device with a Core 2 Duo CPU (as is my 2008 Asus F8Sn laptop, also with SATA).

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
          Dell G3 15/3579, i7-8750H/16GB, KDE Neon
          Asus P8P67 Deluxe, i5-2500k/16GB, KDE Neon

    • #2382899

      Given the time spent fixing vs. rebuilding, and nowadays a rebuild generally taking less time than a fix, I would have rebuilt as well.

      However, (as a techie) before the rebuild, I would have used Disk2VHD to make a VHD of the disk so I could “play” with the old system to see if I could fix it, offline, in Hyper-V on a healthy host system. With the infection tied to a VHD and not an online mounted disk, the chance of cross-contamination is effectively 0%.
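      Added example, not from the post above and not from Disk2VHD or Hyper-V documentation: the PowerShell side of that workflow, attaching the Disk2VHD image to a Hyper-V VM with no network adapter and no guest-to-host file channel, checkpointing it, and booting it, so the old system can be examined on the healthy host without a path back to the LAN or the host file system. It assumes Hyper-V is enabled on the host, that D:\forensics\old-laptop.vhdx is the VHDX Disk2VHD wrote (placeholder path), and that the source laptop booted UEFI, so a Generation 2 VM is used; pass -Generation 1 for a legacy-BIOS source.

```powershell
# Added example (not the forum poster's code). Requires the Hyper-V module
# on the host; paths and VM name are assumed placeholders.
param(
    [string]$VhdPath = 'D:\forensics\old-laptop.vhdx',   # assumed Disk2VHD output
    [string]$VMName  = 'OldLaptop-Quarantine',
    [ValidateSet(1, 2)][int]$Generation = 2                # 2 needs a .vhdx and a UEFI source
)

if (-not (Test-Path $VhdPath)) { throw "Capture not found: $VhdPath" }

# Boot from a differencing disk so the Disk2VHD capture itself is never
# written to; the parent stays untouched as the reference copy.
$ext      = [IO.Path]::GetExtension($VhdPath)
$diffPath = [IO.Path]::ChangeExtension($VhdPath, ".diff$ext")
New-VHD -Path $diffPath -ParentPath $VhdPath -Differencing | Out-Null

# No -SwitchName, so the default adapter is unconnected; remove it anyway so
# nothing can later be attached to a switch by accident.
$vm = New-VM -Name $VMName -Generation $Generation -MemoryStartupBytes 4GB -VHDPath $diffPath
Get-VMNetworkAdapter -VM $vm | Remove-VMNetworkAdapter

# Turn off the integration services that move files or data across the
# host boundary; time sync and shutdown are left alone for convenience.
foreach ($svc in 'Guest Service Interface', 'Key-Value Pair Exchange') {
    Disable-VMIntegrationService -VM $vm -Name $svc
}

# Generation 2 boots with Secure Boot; a capture of retail Windows should
# boot under the Microsoft Windows template.
if ($Generation -eq 2) {
    Set-VMFirmware -VM $vm -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
}

# One named checkpoint of the untouched state; every experiment that goes
# wrong is undone with Restore-VMCheckpoint instead of re-imaging.
Set-VM -VM $vm -AutomaticCheckpointsEnabled $false
Checkpoint-VM -VM $vm -SnapshotName 'untouched-capture'

Start-VM -VM $vm
Write-Host "Started $VMName with no network adapter."
Write-Host "Roll back with: Restore-VMCheckpoint -VMName $VMName -Name 'untouched-capture' -Confirm:`$false"
```

      With the adapter gone and the Guest Service Interface disabled, the only way anything leaves the guest is through the console, which is the isolation the post is describing; the differencing disk means the original capture can still be mounted read-only elsewhere for file recovery after the VM experiments are over.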

      • #2382925

        That is a GREAT idea.  My linear brain does not think like that.  I’d be imaging and reimaging.

    • #2382906

      During the re-build, I’d have removed the CR2023 battery from the mobo prior to installing storage for 10 mins to kill off any residues contained within the chipset, followed by a BIOS re-flash for sure. Some malware and viruses are known to stay resident with a low voltage supply to the chipset/components.

      | Quality over Quantity |
      2 users thanked author for this post.
      • #2382911

        Good point.

        - ThinkPad T570-20HA, i7-7600U, 2.8GHz, UEFI/GPT, 16GB, Sammy 256GB M.2 NVMe PM961. -

    • #2382910

      Hi Susan,

      A truly heroic and harrowing story of battling the evil that can creep in and lurk in the shadows of Windows!

      As a veteran of the computer repair wars (and former business owner), I learned early on to be skeptical in situations like yours. Erring on the side of caution, if I can’t get something back into the fray quickly, say within an hour, then the effort is no longer viable. Clients are seldom patient as I’m sure you are aware.

      At the point where you noticed something was truly funky with this laptop is when I would have stopped, backed up user files and started the reinstall process. It is commendable that you battled on to try and find the culprit. For me, alarm bells would be ringing as to the security and stability of the machine at that point. Only the computer gods truly know what damage was done to the OS at that point and what other demons are lurking. They rarely travel alone.

    • #2382918

      I had a similar problem some time back where Chrome would not open, so I uninstalled and tried to reinstall, but no dice. I suspected a registry problem, so as the PC had a backup image from the day before I decided to throw everything at it. I didn’t care if it nuked itself. I have SpyHunter in my tool box, so I decided to attack it with the built-in RegHunter. I was sure it was going to really break it, as it had done so before, but after an hour scanning under admin it had finished all clear. I downloaded Chrome again and to my surprise it installed and opened. Got to go home early that day……. PS: that was 8 months ago and still going strong.

    • #2382926

      I think you did the right thing Susan. I would only offer the suggestion of picking up a copy of Fab’s AutoBackup

       

      Fab’s AutoBackup (fpnet.fr)

       

      That tool makes it easy to extract all the user’s data from an offline drive and restore it any place you’d like. I use it in addition to the Belarc Adviser to ensure I don’t miss anything the user might want later.

       

      I keep the Professional version on my flash drive with all my other computer repair software tools.

    • #2382941

      Years ago I would troubleshoot and try to solve every problem. Sometimes I would win the battle and be able to charge someone for my time, but sometimes I would end up wasting several hours and not have any billable hours. Along the way I realized that even if I solved every problem, I would still have doubts that I had found and removed every bug.

      Lately, I have trimmed down my troubleshooting to running Malwarebytes a couple times, and upgrading to the latest semi-annual Windows 10 version. If a Windows system is still behaving badly at that point, I have other things to spend my time on.

      So I admire you for taking the troubleshooting farther than I would have. I would have bailed out before you did. I usually explain the trust problem to the customer with an older system. And I total up an estimate of the time involved and parts needed to upgrade to SSD, and people usually decide that it’s time for a new PC or laptop.

    • #2383152

      Sometimes it’s just better to wipe and install a clean OS and only keep files you are sure have been properly scanned for malware. Seems like the consensus lately is just to salvage what is safe and erase the rest. I end up doing this a few times a year anyway just to get that clean new OS feeling of performance. Maybe that’s just because it’s what I always had to do years ago back when Win 95 and 98 were just time bombs waiting to crash and burn.

      • #2383582

        Seems like the consensus lately is just to salvage what is safe and erase the rest. I end up doing this a few times a year anyway just to get that clean new OS feeling of performance. Maybe that’s just because it’s what I always had to do years ago back when Win 95 and 98 were just time bombs waiting to crash and burn.

        It used to be a regular thing to reinstall 95… I remember. I haven’t had the need to do it since, though. My oldest Windows XP installation was more than 8 years old when I retired it (and it was still running fine). If you’re careful and don’t let the gunk build up, it doesn’t get slow.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
        Dell G3 15/3579, i7-8750H/16GB, KDE Neon
        Asus P8P67 Deluxe, i5-2500k/16GB, KDE Neon

    • #2383176

      During the re-build, I’d have removed the CR2023 battery from the mobo prior to installing storage for 10 mins to kill off any residues contained within the chipset, followed by a BIOS re-flash for sure. Some malware and viruses are known to stay resident with a low voltage supply to the chipset/components.

      Most viruses now hide in TPM. Before, they hid in RAM and low-voltage chips. There is no easy way to clear TPM. Hackers will be happy when Windows 11 forces everyone to use it.

      1 user thanked author for this post.
    • #2383399

      Some malware and viruses are known to stay resident with a low voltage supply to the chipset/ components

      Evidence please.

      Most viruses now hide in TPM

      Ditto.

      cheers, Paul

      2 users thanked author for this post.
    • #2383508
      1 user thanked author for this post.
      • #2383528

        Malware hidden in a TPM was extremely theoretical when that paper was published ten years ago:

        Our attack requires that the malware platform knows SRK and owner AuthData values for the TPM. The danger of malware using TPM functionality could be mitigated by careful control of AuthData. Existing software that uses the TPM takes some care to manage these values. For instance, management software used in Microsoft Windows prevents the user from storing owner AuthData on the same machine as the TPM. Instead, it can be saved to a USB key or printed in hard copy.

        Any evidence that such an attack has ever been perpetrated in reality during the last decade?

        A theoretical possibility in exceptional circumstances is remarkably different from the astounding anonymous assertion that “Most viruses now hide in TPM.”

        Windows 10 Pro version 21H2 build 19044.1319 + Microsoft 365 (group ASAP)

        2 users thanked author for this post.
    • #2383541

      The one thing I would have tried that I didn’t see in your list was something along the lines of Windows Defender Offline – a malware scan that runs pre-Windows. I’ve had good results by booting with WDO, then running a more traditional malware scanner within Windows after WDO does its job.

      I had a similar situation as yours once. The only way my customer could surf the web was when I brought a full install copy of Firefox with me and installed it from DVD; I was blocked from installing it via mozilla.org.

      I ended up wiping the drive and doing a clean install, because my customer said he didn’t need anything that was on the drive. I then set up some anti-malware software on his computer, to try to prevent the same from happening in the future.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      • #2384580

        WDO would never complete on my old Skylake Intel NUC-PC. It would go to about 95% or a certain number of files scanned, then quit without finishing or producing a report. I found that the Microsoft Safety Scanner (MSERT) can be run as a stand-alone application, from a Macrium Reflect WinPE or WinRE bootable USB Rescue Media USB Flash Drive. Same scanning engine as WDO.

        The report would reside initially in RAM as I recall, so it needed to be copied or moved to a physical drive — either the Flash Drive or another external drive. Never allow an AV scan report to be written to a drive which may have been infected! The same MR-WinRE drive could also be used to run any number of portable AV scanners, including Kaspersky.

        I have yet to scan my new Panther Canyon Intel NUC, so I don’t know whether WDO would work on it or not.

        -- rc primak
