
Thread: What next?

  1. #1
    Li'l Abner Guest

    What next?

    I have a little HP laptop here with Windows 7 Starter Edition. It's badly
    infected with who knows what. I have only booted it in Safe Mode (with
    networking) and find that IE is redirecting Google Searches. By typing in
    the URLs for Malwarebytes and SuperAntiSpyware I was able to get them
    downloaded. I tried MBAM first. It actually allowed me to install it and
    get the updates. When the main screen came back up I clicked to do a quick
    scan. About 5 seconds later, MBAM disappeared. When I tried to run it
    again, it was corrupted. So I renamed a good copy and transferred it to the
    laptop via memory stick. I ran it under the renamed name. Again, the
    program opened and shortly after I clicked "scan" it disappeared again.
    Then basically the same thing happened with SuperAntiSpyware. It installed
    and updated. In the process of the final installation steps, I checked the
    option to send information to SAS for analysis (forget just how that's
    worded). Midway through the send, SAS disappeared from the screen.
    Corrupted. The logos on both the MBAM and the SAS desktop icons went away.
    The exe files still existed and were both the exact same size as the valid
    ones.
    ComboFix is not recommended on Windows 7. So I downloaded the Sophos
    rootkit remover on my computer and transferred it to the laptop. It
    installed and ran OK, but everything it found (a lot of unknown hidden
    files and two hidden registry entries) it recommended to leave alone. So it
    did nothing. I managed to get CCleaner installed and it ran OK. It cleaned
    out about 240Mb of stuff, but it didn't help any.
    I have copied all the documents to a portable hard drive and am considering
    restoring it back to factory installation (it has a restore partition).
    Is there any other malware tool besides MBAM and SAS that I might be able
    to get to run?

    --
    --- Everybody has a right to my opinion. ---
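
Added example, not part of the original post: the post above observes that the corrupted MBAM and SAS executables were the exact same size as the valid ones, so a size check cannot separate a good copy from a damaged one. This Python sketch compares a known-good copy with the suspect copy by SHA-256 and reports where the bytes differ; the file names and sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read both files in equal-sized chunks so offsets stay aligned

def compare_files(good_path, suspect_path):
    """Compare a suspect file against a known-good copy of the same program."""
    result = {
        "same_size": os.path.getsize(good_path) == os.path.getsize(suspect_path),
        "first_diff_offset": None,
        "differing_bytes": 0,
    }
    h_good, h_suspect = hashlib.sha256(), hashlib.sha256()
    offset = 0
    with open(good_path, "rb") as g, open(suspect_path, "rb") as s:
        while True:
            a, b = g.read(CHUNK), s.read(CHUNK)
            if not a and not b:
                break
            h_good.update(a)
            h_suspect.update(b)
            if a != b:
                # Walk the chunk to count changed bytes and record the first one
                for i in range(max(len(a), len(b))):
                    if a[i:i + 1] != b[i:i + 1]:
                        result["differing_bytes"] += 1
                        if result["first_diff_offset"] is None:
                            result["first_diff_offset"] = offset + i
            offset += max(len(a), len(b))
    result["sha256_good"] = h_good.hexdigest()
    result["sha256_suspect"] = h_suspect.hexdigest()
    result["identical"] = result["sha256_good"] == result["sha256_suspect"]
    return result

def demo():
    # Constructed sample: a stand-in "installer" and a copy with 16 bytes
    # overwritten in place, so the size is unchanged but the content is not.
    good = b"MZ" + bytes(range(256)) * 8
    tampered = bytearray(good)
    tampered[0x40:0x50] = b"\x00" * 16
    with tempfile.TemporaryDirectory() as d:
        gp, sp = os.path.join(d, "good.exe"), os.path.join(d, "suspect.exe")
        with open(gp, "wb") as f:
            f.write(good)
        with open(sp, "wb") as f:
            f.write(bytes(tampered))
        return compare_files(gp, sp)

if __name__ == "__main__":
    print(demo())
```

Run it from a clean machine with the suspect file copied off the infected disk, since tools started on the infected system were themselves being altered.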

  2. #2
    David H. Lipman Guest

    Re: What next?

    From: "Li'l Abner" <blvstk@dogpatch.com>

    | I have a little HP laptop here with Windows 7 Starter Edition. It's badly
    | infected with who knows what. I have only booted it in Safe Mode (with
    | networking) and find that IE is redirecting Google Searches. By typing in
    | the URLs for Malwarebytes and SuperAntiSpyware I was able to get them
    | downloaded. I tried MBAM first. It actually allowed me to install it and
    | get the updates. When the main screen came back up I clicked to do a quick
    | scan. About 5 seconds later, MBAM disappeared. When I tried to run it
    | again, it was corrupted. So I renamed a good copy and transferred it to the
    | laptop via memory stick. I ran it under the renamed name. Again, the
    | program opened and shortly after I clicked "scan" it disappeared again.
    | Then basically the same thing happened with SuperAntiSpyware. It installed
    | and updated. In the process of the final installation steps, I checked the
    | option to send information to SAS for analysis (forget just how that's
    | worded). Midway through the send, SAS disappeared from the screen.
    | Corrupted. The logos on both the MBAM and the SAS desktop icons went away.
    | The exe files still existed and were both the exact same size as the valid
    | ones.
    | ComboFix is not recommended on Windows 7. So I downloaded the Sophos
    | rootkit remover on my computer and transferred it to the laptop. It
    | installed and ran OK, but everything it found (a lot of unknown hidden
    | files and two hidden registry entries) it recommended to leave alone. So it
    | did nothing. I managed to get CCleaner installed and it ran OK. It cleaned
    | out about 240Mb of stuff, but it didn't help any.
    | I have copied all the documents to a portable hard drive and am considering
    | restoring it back to factory installation (it has a restore partition).
    | Is there any other malware tool besides MBAM and SAS that I might be able
    | to get to run?

    Remove the hard disk, put it on a surrogate PC and then scan the affected hard disk.



    --
    Dave
    New, Multi-AV v7.03
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    Beauregard T. Shagnasty Guest

    Re: What next?

    David H. Lipman wrote:

    > From: "Li'l Abner" <blvstk@dogpatch.com>
    >> I have a little HP laptop ...

    >
    > Remove the hard disk, put it on a surrogate PC and then scan the
    > affected hard disk.


    Wouldn't it be easier to simply reformat the badly infected drive,
    rather than trying to pull it out of a _laptop_?

    Especially since Abner says:
    >> I have copied all the documents to a portable hard drive and am
    >> considering restoring it back to factory installation (it has a
    >> restore partition).


    Abner, scan the "documents" too, before attempting to copy them back.

    Make sure the Windows 7 "Starter" has its firewall turned on. (Does
    "Starter" even have a firewall?)

    --
    -bts
    -Four wheels carry the body; two wheels move the soul

  4. #4
    Li'l Abner Guest

    Re: What next?

    "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
    news:i91e6k$ja1$1@news.eternal-september.org:

    > David H. Lipman wrote:
    >
    >> From: "Li'l Abner" <blvstk@dogpatch.com>
    >>> I have a little HP laptop ...

    >>
    >> Remove the hard disk, put it on a surrogate PC and then scan the
    >> affected hard disk.

    >
    > Wouldn't it be easier to simply reformat the badly infected drive,
    > rather than trying to pull it out of a _laptop_?
    >
    > Especially since Abner says:
    >>> I have copied all the documents to a portable hard drive and am
    >>> considering restoring it back to factory installation (it has a
    >>> restore partition).

    >
    > Abner, scan the "documents" too, before attempting to copy them back.
    >
    > Make sure the Windows 7 "Starter" has its firewall turned on. (Does
    > "Starter" even have a firewall?)


    Yes it does. I went ahead and ran ComboFix since I really don't have
    anything to lose. It did indeed find rootkit activity and required two
    reboots. It also prompted me to write down a filename in case I needed to
    manually remove it. But the last time it ran it finished OK and generated
    the text file. After that, I was able to download and install Avira. Got it
    updated but the initial quick scan didn't happen. I can open the Avira
    Control Center and click on "scan system now" but nothing happens. So
    whatever I've got is also corrupting Avira.
    More later. I have to leave for a while.


    --
    --- Everybody has a right to my opinion. ---

  5. #5
    David H. Lipman Guest

    Re: What next?

    From: "Beauregard T. Shagnasty" <a.nony.mous@example.invalid>

    | David H. Lipman wrote:

    >> From: "Li'l Abner" <blvstk@dogpatch.com>
    >>> I have a little HP laptop ...


    >> Remove the hard disk, put it on a surrogate PC and then scan the
    >> affected hard disk.


    | Wouldn't it be easier to simply reformat the badly infected drive,
    | rather than trying to pull it out of a _laptop_?

    < snip >

    Actually many hard disks in notebooks are easy to remove. Albeit some like Vaio are PITA.


    --
    Dave
    New, Multi-AV v7.03
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  6. #6
    Dustin Guest

    Re: What next?

    "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
    news:i91e6k$ja1$1@news.eternal-september.org:

    > David H. Lipman wrote:
    >
    >> From: "Li'l Abner" <blvstk@dogpatch.com>
    >>> I have a little HP laptop ...

    >>
    >> Remove the hard disk, put it on a surrogate PC and then scan the
    >> affected hard disk.

    >
    > Wouldn't it be easier to simply reformat the badly infected drive,
    > rather than trying to pull it out of a _laptop_?


    What do you mean? Most modern laptops have two screws holding the drive
    in place; remove them and tug.


    --
    Some people are like a Slinky. Not much good for anything, but you can't
    help but smile when one tumbles down the stairs.

  7. #7
    Menno Hershberger Guest

    Re: What next?

    Dustin <bughunter.dustin@gmail.com> wrote in
    news:Xns9E0F835B61E81HHI2948AJD832@no:

    > "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
    > news:i91e6k$ja1$1@news.eternal-september.org:
    >
    >> David H. Lipman wrote:
    >>
    >>> From: "Li'l Abner" <blvstk@dogpatch.com>
    >>>> I have a little HP laptop ...
    >>>
    >>> Remove the hard disk, put it on a surrogate PC and then scan the
    >>> affected hard disk.

    >>
    >> Wouldn't it be easier to simply reformat the badly infected drive,
    >> rather than trying to pull it out of a _laptop_?

    >
    > What do you mean? Most modern laptops have two screws holding the drive
    > in place; remove them and tug.


    This one is an HP Mini 210-1U80NR.

    I haven't looked up the manual yet, but I don't see a screw on it anywhere.
    The bottom is perfectly smooth (no covers, etc.) The battery attaches to
    the back between the hinges. It was behind the battery that I finally found
    the model and serial numbers.

    I've had plenty of laptop hard drives out, both IDE & SATA. Most were easy
    but a couple of them were quite a challenge. If I decide to pursue that on
    this one I'll definitely have to do some studying... :-)
    According to the device manager, it's a ST9250410AS which translates to a
    Seagate Model ST9250410AS SATA 3Gb/s 250GB 16MB 7200. So there's one in
    there somewhere. There's no CD/DVD rom though.
    I had a helluva time finding the switch to turn it on!

    --
    --- Long live Fat32! ---

  8. #8
    Mike Easter Guest

    Re: What next?

    Menno Hershberger wrote:

    > This one is an HP Mini 210-1U80NR.
    >
    > I haven't looked up the manual yet, but I don't see a screw on it anywhere.
    > The bottom is perfectly smooth (no covers, etc.) The battery attaches to
    > the back between the hinges. It was behind the battery that I finally found
    > the model and serial numbers.


    I think that if you remove the battery, you will find two buttons that
    help you remove - release - that smooth service plate on the bottom.


    --
    Mike Easter

  9. #9
    Li'l Abner Guest

    Re: What next?

    Mike Easter <MikeE@ster.invalid> wrote in
    news:8hjnc9F6tiU1@mid.individual.net:

    > Menno Hershberger wrote:
    >
    >> This one is an HP Mini 210-1U80NR.
    >>
    >> I haven't looked up the manual yet, but I don't see a screw on it
    >> anywhere. The bottom is perfectly smooth (no covers, etc.) The
    >> battery attaches to the back between the hinges. It was behind the
    >> battery that I finally found the model and serial numbers.

    >
    > I think that if you remove the battery, you will find two buttons that
    > help you remove - release - that smooth service plate on the bottom.


    Yes, you're right. I finally got the manual downloaded. I did get that
    cover off and the stuff is there. I'm not too sure about the SATA 3Gb thing
    and I'm not sure if that drive would be compatible with anything I have to
    slave it to. I finally called the owner and he OK-ed putting the factory
    image back on it, so that's what I'm currently doing.

    It's one of those Best Buy specials. The Geek Squad wanted more than what
    it cost new to fix it.

    Thanks to all who offered suggestions in this thread!
    And sorry about the Menno Hershberger / Li'l Abner mixup... :-)

    --
    --- Don't get me started on Best Buy and their "gook" squad! ---

  10. #10
    Mike Easter Guest

    Re: What next?

    Li'l Abner wrote:

    > It's one of those Best Buy specials. The Geek Squad wanted more than what
    > it cost new to fix it.


    Ha. Or rather, oops. Or maybe, Ack!

    --
    Mike Easter
