pc repair help or advice. ransomware

  • 24-05-2012 11:52am
    #1
    Closed Accounts Posts: 111 ✭✭


    hi all.

    I'm a PC tech, looking for new ways to repair machines.

    I'm wondering if it's possible to put a hard drive into a USB dock.

    connect it to my main PC.

    while it's connected can I access things like msconfig? admin options etc. etc.

    or even create a new user.

    looking to get the most benefit from using the dock to repair computers without just reinstalling the OS.


    a few recent repairs of nasty ransomware have me looking for new ways to save people's data.


    any ideas or suggestions would be great. :D

    cheers phil.


Comments

  • Closed Accounts Posts: 10,808 ✭✭✭✭chin_grin


    "ransomware" that's a new one on me.

    You can put a HDD in a case and hook it up via USB but it will only show up as an external drive (so no access to create a new user or msconfig).

    If you hooked it up as a slave and booted from it or even put it into a new PC and booted, you could.


  • Moderators, Computer Games Moderators Posts: 4,282 Mod ✭✭✭✭deconduo


    You can make a linux USB boot drive pretty easily, which will allow you to access most of the information on a drive safely. I think you can then use regedit via WINE, though I don't know what you'd do about msconfig etc.


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    strange question... hmmm. let me think!?

    I'm using Paragon Go Virtual as my main application if I have to format and reinstall OSes!!

    I'm connecting the hard drive to my PC and converting P2V onto my lab server.
    Basically, I'm creating an exact copy of the customer's HDD on my server and from there, with the image created, I'm opening it as I'm opening on the physical PC: copy data, check licenses and files, check email settings and... most important, I can prove that the end user didn't have that photo or file or application installed prior to doing any work on the computer!

    I hope it answers your question!! :)


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    chin_grin wrote: »
    "ransomware" that's a new one on me.

    You can put a HDD in a case and hook it up via USB but it will only show up as an external drive (so no access to create a new user or msconfig).

    If you hooked it up as a slave and booted from it or even put it into a new PC and booted, you could.

    it's nasty stuff, locks up the user's PC, can't access anything unless using a live CD or via USB dock.

    google it. it asks the user for 50 euro to unlock the PC. I'll upload a screenshot I took before I fixed it.


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    deconduo wrote: »
    You can make a linux USB boot drive pretty easily, which will allow you to access most of the information on a drive safely. I think you can then use regedit via WINE, though I don't know what you'd do about msconfig etc.

    yeah I'm not great with Linux, but I do use a PC Linux live CD to gain access if my Win 7 live CD hits problems.

    the Hiren's BootCD 15 has Mini XP and Mini Win 7, handy.

    but I'd like to gain more access to the admin tools on the user's OS.

    I never really tried before. there must be a way.


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    Ctrl Alt Del wrote: »
    strange question... hmmm. let me think!?

    I'm using Paragon Go Virtual as my main application if I have to format and reinstall OSes!!

    I'm connecting the hard drive to my PC and converting P2V onto my lab server.
    Basically, I'm creating an exact copy of the customer's HDD on my server and from there, with the image created, I'm opening it as I'm opening on the physical PC: copy data, check licenses and files, check email settings and... most important, I can prove that the end user didn't have that photo or file or application installed prior to doing any work on the computer!

    I hope it answers your question!! :)

    wow. had to read that twice. lol.

    so you're creating an image of the OS, then mounting the image from your OS.
    yeah good idea, but if the user's OS is locked by the ransomware, or locked by anything, and I mount the image of the locked OS, I'll only end up with the same problem: a locked virtual OS, of which I still can't access the files I want to.

    I was able to save all the user's data by means of a live CD and the USB dock. then removed the issue.

    but what I want is to hook the hard drive or virtual hard drive up.
    then from my PC, my C drive, access admin tools on the docked drive. access the start up files from msconfig if you get me.

    I know what I want is not really needed, I can fix most probs with the live CDs.
    it's more just, I want to be able to do this. there must be a way.
    and it's bugging the **** outa me.

    it's also kinda hard to ask google. :cool:


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Ransomware. That's a new one for me. Seems some of them encrypt the hard drive contents. Absolutely genius to be honest (though complete scumbags).


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    Khannie wrote: »
    Ransomware. That's a new one for me. Seems some of them encrypt the hard drive contents. Absolutely genius to be honest (though complete scumbags).


    ah it's nasty stuff. fair enough that kind of people are in the world.

    but do they really have to be so destructive? it's one thing to scam, but it's another thing to destroy their lifelong photos and information.


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    These trojans have been around since 2010/2011, it seems.

    For high level targets, it would encrypt someone's entire HDD, and demand money for it. A very lucrative business as it mostly contained no risk for the hacker, but maximum reward. It doesn't make the news, as no-one wants the world to know if they got hacked, as the people that are targeted would usually work in a large corporation with specific project-important data on it.

    Another version locks your profile, and displays a pornographic image that states you've browsed some gay site for 3 hours and now owe $400 - they hope that you'll be too embarrassed to seek help, and just pay the money.

    If you boot up their machine, what happens, and how far do you get?


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    the_syco wrote: »
    These trojans have been around since 2010/2011, it seems.

    For high level targets, it would encrypt someone's entire HDD, and demand money for it. A very lucrative business as it mostly contained no risk for the hacker, but maximum reward. It doesn't make the news, as no-one wants the world to know if they got hacked, as the people that are targeted would usually work in a large corporation with specific project-important data on it.

    Another version locks your profile, and displays a pornographic image that states you've browsed some gay site for 3 hours and now owe $400 - they hope that you'll be too embarrassed to seek help, and just pay the money.

    If you boot up their machine, what happens, and how far do you get?


    I got access to files through a live CD. so that wasn't a problem.

    but when I removed the virus with Kaspersky Windows Unlocker it destroyed

    all the partitions!

    I have to reformat and reinstall.

    here's the tool I used http://support.kaspersky.com/faq/?qid=208285998
    creates a bootable CD/USB.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    What I think you were asking for was a way to modify the registry of the infected computer using the tools on your own computer.

    I.e. msconfig is used as a simple interface to set and unset registry entries.
    The registry is stored in files such as
    c:\windows\system32\config\software and c:\windows\system32\config\system

    also each user has their own registry settings in ntuser.dat, which is loaded into HKCU upon logon.

    If you connect the hard drive to your own running system, then you can use regedit to open and change these files.

    http://smallvoid.com/article/winnt-offline-registry-edit.html

    But it's really advisable to create a full image of the disk as the first step of fixing on your own machine. Time consuming (so as a PC tech, helps to have a spare second-hand/cheap machine for this sort of thing), but gives you a safety harness for all the files that might exist in unusual locations in stupid Windows.
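The approach ressem describes, loading the docked disk's hives under your own system's registry and reading the keys msconfig would show, as an added example that is not from the thread or from any tool named in it. It assumes the docked system volume is mounted as D: (`$DockedRoot`), that a full disk image has already been taken, and that the `Docked_*` mount names are free; those names and the key list are choices made for this example. `reg.exe load` is the command-line form of regedit's File > Load Hive and needs an elevated prompt. The script only reads: hives are loaded, listed and unloaded, nothing is written back.

```powershell
# Added example, not from the thread: list the autostart entries of a Windows
# installation whose disk is docked on the technician's PC, without booting it.
# Assumes the docked system volume is D: and that a full image already exists.
# Run from an elevated prompt. Read-only: no registry value is modified.

$DockedRoot = 'D:'

function Get-OfflineAutostart {
    param(
        [Parameter(Mandatory)][string]$HiveFile,    # e.g. D:\Windows\System32\config\SOFTWARE
        [Parameter(Mandatory)][string]$MountName,   # e.g. HKLM\Docked_SOFTWARE or HKU\Docked_phil
        [Parameter(Mandatory)][string[]]$SubKeys    # keys to list, relative to the hive root
    )
    # reg.exe load is the command-line equivalent of regedit's File > Load Hive.
    reg.exe load $MountName $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "could not load $HiveFile as $MountName (needs elevation; hive must not be in use)"
    }
    try {
        # The Registry provider wants the long root names.
        $provRoot = $MountName -replace '^HKLM', 'HKEY_LOCAL_MACHINE' -replace '^HKU', 'HKEY_USERS'
        foreach ($k in $SubKeys) {
            $path = "Registry::$provRoot\$k"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Hive    = Split-Path $HiveFile -Leaf
                    Key     = $k
                    Name    = $name
                    Command = $key.GetValue($name)
                }
            }
        }
    }
    finally {
        # Always unload, or the hive file stays locked and the dock cannot be removed cleanly.
        reg.exe unload $MountName | Out-Null
    }
}

# Machine-wide autostart keys (what msconfig's Startup tab reads) plus Winlogon, where
# screen lockers often replace Shell (default: explorer.exe) or Userinit
# (default: C:\Windows\system32\userinit.exe, with a trailing comma).
$machineKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$results = @(
    Get-OfflineAutostart -HiveFile (Join-Path $DockedRoot 'Windows\System32\config\SOFTWARE') -MountName 'HKLM\Docked_SOFTWARE' -SubKeys $machineKeys |
        Where-Object { $_.Key -notmatch 'Winlogon' -or $_.Name -in 'Shell', 'Userinit' }
)

# Per-user Run keys live in each profile's NTUSER.DAT (what HKCU becomes at logon).
foreach ($profile in Get-ChildItem -LiteralPath (Join-Path $DockedRoot 'Users') -Directory) {
    $ntuser = Join-Path $profile.FullName 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $ntuser)) { continue }
    $safeName = $profile.Name -replace '[^A-Za-z0-9]', '_'
    $results += @(
        Get-OfflineAutostart -HiveFile $ntuser -MountName "HKU\Docked_$safeName" -SubKeys @(
            'Software\Microsoft\Windows\CurrentVersion\Run',
            'Software\Microsoft\Windows\CurrentVersion\RunOnce'
        )
    )
}

$results | Format-Table Hive, Key, Name, Command -AutoSize
```

Anything unexpected in the Run keys, or a Winlogon Shell/Userinit that is not the default, is the entry a screen locker uses to come back at every logon. Removing it is the same `reg.exe load` / edit / `reg.exe unload` sequence with `Remove-ItemProperty` in between, done against the image copy first so the original disk stays untouched until the change is known to be right.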


  • Registered Users, Registered Users 2 Posts: 4,056 ✭✭✭Sparks43


    I have used VirtualBox for reading HDDs and I'm sure there is a way of booting from the HDD in a virtual environment.


    I will try it in the next day or so and come back with full details


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    ressem wrote: »
    What I think you were asking for was a way to modify the registry of the infected computer using the tools on your own computer.

    I.e. msconfig is used as a simple interface to set and unset registry entries.
    The registry is stored in files such as
    c:\windows\system32\config\software and c:\windows\system32\config\system

    also each user has their own registry settings in ntuser.dat, which is loaded into HKCU upon logon.

    If you connect the hard drive to your own running system, then you can use regedit to open and change these files.

    http://smallvoid.com/article/winnt-offline-registry-edit.html

    But it's really advisable to create a full image of the disk as the first step of fixing on your own machine. Time consuming (so as a PC tech, helps to have a spare second-hand/cheap machine for this sort of thing), but gives you a safety harness for all the files that might exist in unusual locations in stupid Windows.

    I'll play around with this later. thanks.


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    Sparks43 wrote: »
    I have used VirtualBox for reading HDDs and I'm sure there is a way of booting from the HDD in a virtual environment.


    I will try it in the next day or so and come back with full details

    looking forward to hearing how you get on, I'll download the software and have a go myself.

    cheers phil.


  • Registered Users, Registered Users 2 Posts: 1,215 ✭✭✭harney


    Why would you trust a compromised system? Personally I would be looking to get the data off and wipe the system.


  • Closed Accounts Posts: 111 ✭✭Phil dublin


    harney wrote: »
    Why would you trust a compromised system? Personally I would be looking to get the data off and wipe the system.

    I will always back up and reinstall an infected system.

    I was just thinking outside of the box, looking for other ways to regain access.


  • Closed Accounts Posts: 1,620 ✭✭✭_AVALANCHE_




  • Closed Accounts Posts: 33,733 ✭✭✭✭Myrddin


    Phil dublin wrote: »
    I will always back up and reinstall an infected system.

    I was just thinking outside of the box, looking for other ways to regain access.

    Do you not run the risk of a reinfection, if say a personal file has been compromised?


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    Note: sounds like the partition table got wiped. Been there, done that. Was only a single partition in my case, so was able to remake the file table easily.

    Phil dublin wrote: »
    but when I removed the virus with Kaspersky Windows Unlocker it destroyed

    all the partitions!

    Hrm. I think Knoppix is able to recreate the partition table using gpart.

    Try booting Knoppix, getting the partition sizes, remove the virus, recreate the partition table using gpart, and booting back into Windows.
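The "get the partition sizes first" step above is worth doing before any unlock tool touches the disk, because the whole MBR partition table is just four 16-byte entries in sector 0, and once they are known the table can be written back even if a tool zeroes it. The following is an added example, not from the thread or from Knoppix/gpart: a PowerShell parser for those entries that is exercised on a constructed sample sector, plus a reader for the real docked disk. It assumes an MBR-partitioned disk (a GPT disk shows only one 0xEE protective entry here and needs a GPT parser) and that the disk number comes from `Get-Disk`; the file paths in the trailing comments are placeholders.

```powershell
# Added example, not from the thread: record the MBR partition layout of a docked disk
# before running any unlock/cleanup tool, so it can be recreated by hand if the tool
# wipes the table. Assumes an MBR-partitioned disk.

function Get-MbrPartitionTable {
    param([Parameter(Mandatory)][byte[]]$Sector0)   # the first 512 bytes of the disk

    if ($Sector0.Length -lt 512) { throw 'need a full 512-byte sector' }
    # A missing 0x55AA boot signature means the table is already wiped or overwritten.
    if ($Sector0[510] -ne 0x55 -or $Sector0[511] -ne 0xAA) { throw 'boot signature missing: not a valid MBR' }

    # Four 16-byte entries at offset 446: status, CHS start, type, CHS end, LBA start, sector count.
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + 16 * $i
        $type = $Sector0[$off + 4]
        if ($type -eq 0) { continue }                          # unused slot
        $sectors = [BitConverter]::ToUInt32($Sector0, $off + 12)
        [pscustomobject]@{
            Slot     = $i
            Bootable = ($Sector0[$off] -eq 0x80)
            TypeId   = ('0x{0:X2}' -f $type)                   # 0x07 = NTFS/exFAT, 0x05/0x0F = extended
            StartLba = [BitConverter]::ToUInt32($Sector0, $off + 8)
            Sectors  = $sectors
            SizeMiB  = [math]::Round([int64]$sectors * 512 / 1MB, 1)
        }
    }
}

# Reads sector 0 of \\.\PhysicalDriveN (N from Get-Disk). Needs an elevated prompt;
# the device is opened for reading only and nothing is written to it.
function Read-MbrSector {
    param([Parameter(Mandatory)][int]$DiskNumber)
    $fs = [System.IO.File]::Open("\\.\PhysicalDrive$DiskNumber", 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        return $buf
    }
    finally { $fs.Dispose() }
}

# Constructed sample sector (not read from a real disk): a 100 MiB bootable system
# partition followed by a 50 GiB Windows partition, both type 0x07, plus the signature.
$sample = New-Object byte[] 512
$sample[510] = 0x55; $sample[511] = 0xAA
$sample[446] = 0x80; $sample[450] = 0x07
[Array]::Copy([BitConverter]::GetBytes([uint32]2048),      0, $sample, 454, 4)   # start LBA
[Array]::Copy([BitConverter]::GetBytes([uint32]204800),    0, $sample, 458, 4)   # 100 MiB
$sample[466] = 0x07
[Array]::Copy([BitConverter]::GetBytes([uint32]206848),    0, $sample, 470, 4)
[Array]::Copy([BitConverter]::GetBytes([uint32]104857600), 0, $sample, 474, 4)   # 50 GiB

Get-MbrPartitionTable $sample | Format-Table -AutoSize

# On the real docked disk, keep both the raw sector and the decoded layout (placeholder paths):
# $mbr = Read-MbrSector -DiskNumber 1
# [System.IO.File]::WriteAllBytes('C:\repairs\customer-mbr.bin', $mbr)
# Get-MbrPartitionTable $mbr | Export-Csv 'C:\repairs\customer-layout.csv' -NoTypeInformation
```

With the saved sector, a wiped table is a matter of writing the 64 bytes at offset 446 back, which is what gpart otherwise has to reconstruct by scanning the disk for filesystem headers; the StartLba and Sectors columns are exactly the numbers that scan is trying to guess.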


  • Closed Accounts Posts: 1,620 ✭✭✭_AVALANCHE_



    And it's here (in euros :pac:)

    Computer users warned to be on alert for 'police trojan' scam

    Computer users have been put on alert for a scam that attempts to trick them into paying out a €100 'fine'.

    Fraudsters are sending out messages, accompanied by a good imitation of the garda logo, telling users that their computers have been locked by an automated information control system.

    Users are told that this action has been taken because the computer has been used to view banned websites, including those showing child pornography, or for storing or viewing pirated content.


    Trojan
    They are then faced with a demand for a €100 'fine' to unlock the computer.
    The scam, known as the police trojan, has already been operating successfully across Europe and victims have been handing over the money without checking whether the message is legitimate.


    The computers are hit by a virus, which affects Windows only, after malicious software detects where they are located and downloads a localised graphic with the message and locks the screen.
    Gardai in the national fraud bureau have now received intelligence indicating that the scam is on its way here and messages containing the garda logo have been prepared.


    A senior fraud officer told the Irish Independent last night: "There is no evidence that the police trojan has hit here yet but we have reliable intelligence that it is coming and we want to launch a pre-emptive strike."
    Gardai pointed out that the force would never contact the public in that way and said computer users should not share their bank details or pay out any money.


    "If your computer becomes infected by this malicious software, it should be repaired by a reputable person," a spokesman said.


    "Where a person has been deceived into paying money, a report should be made to the local garda station.


    "It is important that computer users run anti-virus software and keep it as up to date as possible," he added.
    Who is gonna go to a repair shop (not knowing about this virus) with a pop up on the screen saying you've been locked out for looking at child porn!!! :pac:

    People are either gonna cop on really quick to reinstalling Windows themselves or there's gonna be a sales increase as people throw out their "broken" computers. Probably the latter since the other scam is still going years later.


    LOL at making a report at your local garda station, they really cared about the scam phonecalls.


  • Closed Accounts Posts: 1,455 ✭✭✭RUCKING FETARD


    How to remove from Microsoft.

    Manual instructions down bottom.

