Windows Registry Spring Cleaning
August 01, 2004
In performing my part-time job (PC Service Technician) I'm often asked to clean such things as malware, adware, spyware, key loggers, worms, trojans, etc... The simplest recourse is to Wipe-and-Reload the system, but no one, in their right mind, wants to inform a customer that they stand to lose everything on their system. So I end up spending an ungodly amount of time using tools such as SpywareEliminator, HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc...: all of which require you to install the program on the customer's machine, but none of which is capable of identifying all offending programs or even eradicating the ones that are found.

At $50 per hour, there is no way on earth I can charge a customer for the six to ten hours I spend cleaning their system. Oftentimes I charge for two hours and swallow the rest.

This said, I am seriously in need of a program that traverses the registry and other system files (i.e. system.ini, win.ini, etc...) and removes references to all "pests" and subsequently removes said program from the hard disk: all without booting up the system from the internal drive. The thought is that I should be able to load a bootable floppy or CD and remove all "pests" from the system prior to booting the PC to install the necessary security provisions.

My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) accessible without booting from the internal hard disk?

If so can someone provide a small "D" example of how to access the registry, search for a given entry and remove it if it exists?

TIA
Andrew
August 01, 2004
Andrew Edwards wrote:
> In performing my part-time job (PC Service Technician) I'm often asked to clean such things as malware, adware, spyware, key loggers, worms, trojans, etc... The simplest recourse is to Wipe-and-Reload the system, but no one, in their right mind, wants to inform a customer that they stand to lose everything on their system. So I end up spending an ungodly amount of time using tools such as SpywareEliminator, HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc...: all of which require you to install the program on the customer's machine, but none of which is capable of identifying all offending programs or even eradicating the ones that are found.
> 
> At $50 per hour, there is no way on earth I can charge a customer for the six to ten hours I spend cleaning their system. Oftentimes I charge for two hours and swallow the rest.
> 
> This said, I am seriously in need of a program that traverses the registry and other system files (i.e. system.ini, win.ini, etc...) and removes references to all "pests" and subsequently removes said program from the hard disk: all without booting up the system from the internal drive. The thought is that I should be able to load a bootable floppy or CD and remove all "pests" from the system prior to booting the PC to install the necessary security provisions.
> 
> My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) accessible without booting from the internal hard disk?
> 
> If so can someone provide a small "D" example of how to access the registry, search for a given entry and remove it if it exists?
> 
> TIA
> Andrew

Here are my thoughts about that:

On Win2K and WinXP you will have to access NTFS file systems. You should use Linux with Captive NTFS to access it.
It should be possible to access the registry from such an offline system. I've seen a bootable CD that can change XP passwords. The registry should not be a problem, if you know its binary layout....

Stephan

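Stephan's point that an offline hive is just a binary file you can parse, and Andrew's request for example code, as an added example (Python rather than the D asked for; this is not code from the thread): a minimal reader for an NT-family "regf" hive such as system32\config\SOFTWARE copied from an unbooted disk, which walks a key path and lists its values, plus a constructed sample hive so it runs without a real one. The cell layouts are the standard regf/nk/vk/lf fields; the sample key ROOT\Run and its value are made up, and the Win9x/ME "CREG" format (user.dat/system.dat) is not handled.

```python
import struct

BASE = 0x1000  # cell offsets are relative to the first hbin, which follows the 4 KiB "regf" header

def _cell(hive, off):  # payload of the cell at hive offset `off` (negative size field = allocated)
    size = struct.unpack_from("<i", hive, BASE + off)[0]
    return hive[BASE + off + 4 : BASE + off + abs(size)]

def _subkeys(hive, nk):  # yield (name, nk payload) for each subkey in the key's lf/lh/li list
    count, list_off = struct.unpack_from("<I4xI", nk, 0x14)     # 0x14 subkey count, 0x1C list offset
    lst = _cell(hive, list_off) if count else b""
    step = 8 if lst[:2] in (b"lf", b"lh") else 4                # lf/lh entries carry a 4-byte name hash
    for i in range(count):
        child = _cell(hive, struct.unpack_from("<I", lst, 4 + i * step)[0])
        name_len = struct.unpack_from("<H", child, 0x48)[0]     # 0x48 name length, 0x4C name
        yield child[0x4C : 0x4C + name_len].decode("latin-1"), child

def find_key(hive, path):
    """Case-insensitive walk of a backslash path from the root key; returns the nk payload or None."""
    nk = _cell(hive, struct.unpack_from("<I", hive, 0x24)[0])   # root cell offset sits at header+0x24
    for part in filter(None, path.split("\\")):
        nk = next((c for n, c in _subkeys(hive, nk) if n.lower() == part.lower()), None)
        if nk is None:
            return None
    return nk

def values(hive, nk):
    """Return {value name: raw data}; data of 4 bytes or less lives inline in the 'vk' offset field."""
    n_vals, list_off = struct.unpack_from("<II", nk, 0x24)      # 0x24 value count, 0x28 value list
    out, vlist = {}, (_cell(hive, list_off) if n_vals else b"")
    for i in range(n_vals):
        vk = _cell(hive, struct.unpack_from("<I", vlist, i * 4)[0])
        name_len, data_len, data_off = struct.unpack_from("<HII", vk, 2)
        name = vk[0x14 : 0x14 + name_len].decode("latin-1") or "(Default)"
        inline = data_len & 0x80000000                          # high bit set: the "offset" is the data
        out[name] = struct.pack("<I", data_off)[: data_len & 0x7FFFFFFF] if inline else _cell(hive, data_off)[:data_len]
    return out

def make_sample_hive():
    """Constructed fixture, not a real hive: ROOT\\Run holding one REG_SZ value Updater = C:\\pest.exe."""
    body, offs = bytearray(), {}
    def cell(name, payload):                                    # append an allocated, 8-byte-aligned cell
        pad = (-(4 + len(payload))) % 8
        offs[name] = 0x20 + len(body)                           # first cell follows the 32-byte hbin header
        body.extend(struct.pack("<i", -(4 + len(payload) + pad)) + payload + b"\0" * pad)
    def nk(name, nsub, sub_off, nval, val_off):                 # minimal 'nk' record using the offsets above
        return b"nk" + struct.pack("<H", 0x20) + b"\0" * 16 + struct.pack("<IIIIII", nsub, 0, sub_off, 0xFFFFFFFF, nval, val_off) + b"\0" * 28 + struct.pack("<HH", len(name), 0) + name
    cell("data", b"C:\\pest.exe\0")
    cell("vk", b"vk" + struct.pack("<HIIIHH", 7, 12, offs["data"], 1, 1, 0) + b"Updater")   # type 1 = REG_SZ
    cell("vlist", struct.pack("<I", offs["vk"]))
    cell("run", nk(b"Run", 0, 0xFFFFFFFF, 1, offs["vlist"]))
    cell("lf", b"lf" + struct.pack("<HI", 1, offs["run"]) + b"Run\0")
    cell("root", nk(b"ROOT", 1, offs["lf"], 0, 0xFFFFFFFF))
    hbin = b"hbin" + struct.pack("<II", 0, 0x1000) + b"\0" * 20 + body
    return bytes((b"regf" + b"\0" * 32 + struct.pack("<I", offs["root"])).ljust(0x1000, b"\0") + hbin.ljust(0x1000, b"\0"))
```

Reading like this is enough to list what an autostart key such as Microsoft\Windows\CurrentVersion\Run launches; rewriting cells in place is where offline editing gets risky, so leave deletion to a tool that maintains the hive's free-cell bookkeeping.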
August 01, 2004
Andrew Edwards wrote:

> In performing my part-time job (PC Service Technician) I'm often asked to clean such things as malware, adware, spyware, key loggers, worms, trojans, etc... The simplest recourse is to Wipe-and-Reload the system, but no one, in their right mind, wants to inform a customer that they stand to lose everything on their system. So I end up spending an ungodly amount of time using tools such as SpywareEliminator, HiJackThis, PestControl, SpyWareS&D, NAV, McAfee, etc...: all of which require you to install the program on the customer's machine, but none of which is capable of identifying all offending programs or even eradicating the ones that are found.
> 
> At $50 per hour, there is no way on earth I can charge a customer for the six to ten hours I spend cleaning their system. Oftentimes I charge for two hours and swallow the rest.
> 
> This said, I am seriously in need of a program that traverses the registry and other system files (i.e. system.ini, win.ini, etc...) and removes references to all "pests" and subsequently removes said program from the hard disk: all without booting up the system from the internal drive. The thought is that I should be able to load a bootable floppy or CD and remove all "pests" from the system prior to booting the PC to install the necessary security provisions.
> 
> My first question is: Is the registry (Win9x, WinME, Win2K, WinXP) accessible without booting from the internal hard disk?
> 
> If so can someone provide a small "D" example of how to access the registry, search for a given entry and remove it if it exists?
> 

I think you may be barking up the wrong tree. (I will explain why in a moment). In my opinion your time would be better spent solving a far simpler problem. Identify the important user data like Word documents and the like and yank those from a drive before wipe+restore. You do not even need to be very judicious in pruning files not to save.

It would be helpful in this process to automate discovery of the most used applications, which is possible in WinXP. In previous versions you can look at the last accessed time of all the executables in Program Files. Then find the file types associated with the applications that have been used in the past few months. Find the documents these types have been registered to work with. Then copy everything of those file types to another hard drive. Most of the D stuff that you will use you can find in the Phobos runtime library section under std.file or std.c.windows.

Now for the reasons why trying to track down registry entries might be barking up the wrong tree. My opinion is that:

1) NAV and McAfee have some very smart people working for them and some of these very smart people are paid to apply their smarts full time to these problems. If they have not sufficiently solved the problem you are unlikely to do so using fewer resources. I am by no means suggesting you are not sufficiently smart. I am saying that you probably do not want to invest yourself in this area because you will never 'solve' the problem. Which leads us to the second reason registry searching may not be the way to go.

2) Most of the stuff you want to kill right now will be changing the way it works very soon. As you said, the registry identification tools are prolific. As they become more effective and (more importantly) as people use them with greater frequency it will result in more stuff being found and eliminated. The people writing the software you want to remove will simply make it more difficult to find. Consider their position at the moment. For years now their crude methods have resulted in a quickly growing installed base. The growing installed base however quickly generates people who have to learn how to deal with the problem. However the population is limited and soon the crude software writers will see the growth of their installed base stall and possibly even shrink. The result will be that they must either write slicker software or risk becoming extinct. The malware issue is very similar to the spam issue for this reason.


August 01, 2004
In article <ceirjp$233v$1@digitaldaemon.com>, Andrew Edwards says...
>
>but no one, in their right mind, wants to inform a customer that they stand to lose everything on their system.

If I were a customer, I would want to be told /the truth/. If the truth was that I stood to lose everything on my system, I would want to be told that.

Just out of curiosity, are there any customers on this NG who would prefer to be told a lie, if it were more palatable than the truth?

Jill

(PS. I speak out of genuine ignorance here, not being a company or anything).



August 01, 2004
Arcane Jill wrote:

> In article <ceirjp$233v$1@digitaldaemon.com>, Andrew Edwards says...
> 
>>but no one, in their right mind, wants to inform a customer that they stand to lose everything on their system.
> 
> 
> If I were a customer, I would want to be told /the truth/. If the truth was that
> I stood to lose everything on my system, I would want to be told that.
> 
> Just out of curiosity, are there any customers on this NG who would prefer to
> be told a lie, if it were more palatable than the truth?

I'm by no means suggesting that I _LIE_ to my customers. Rather, I am saying a vast majority of my customers would prefer a route that does not require them to sit down and re-install and re-configure the software after I've wiped+reloaded the OS. I do not want to be the one to tell them they have no other choice. Obviously this would be the easy way out for _me_. But I do not pride myself on taking the easy route and hanging my customers out to dry.

Andrew

> Jill
> 
> (PS. I speak out of genuine ignorance here, not being a company or anything).
> 
> 
> 
August 01, 2004
Andrew Edwards wrote:
> 
> I'm by no means suggesting that I _LIE_ to my customers. Rather, I am saying a vast majority of my customers would prefer a route that does not require them to sit down and re-install and re-configure the software after I've wiped+reloaded the OS. I do not want to be the one to tell them they have no other choice. Obviously this would be the easy way out for _me_. But I do not pride myself on taking the easy route and hanging my customers out to dry.

As a point of interest, Microsoft has effectively deprecated the registry with the next version of Windows and is going back to initialization files.  The registry is one instance where I think customers should be told the truth, as it's a cause for all sorts of problems everyday users just don't understand.  Doesn't mean you have to say "it's not my fault if I kill your computer," but they might learn something from a bit of background.


Sean
August 01, 2004
Stephan Wienczny wrote:
> 
> On Win2K and WinXP you will have to access NTFS file systems. You should use Linux with Captive NTFS to access it.
> It should be possible to access the registry from such an offline system. I've seen a bootable CD that can change XP passwords. The registry should not be a problem, if you know its binary layout....

... and where it's stored.  The registry stinks.  I've never seen a tool that can actually manipulate it offline.


Sean
August 01, 2004
Sean Kelly wrote:

> Stephan Wienczny wrote:
> 
>>
>> On Win2K and WinXP you will have to access NTFS file systems. You should use Linux with Captive NTFS to access it.
>> It should be possible to access the registry from such an offline system. I've seen a bootable CD that can change XP passwords. The registry should not be a problem, if you know its binary layout....
> 
> 
> ... and where it's stored.  The registry stinks.  I've never seen a tool that can actually manipulate it offline.
> 
> 
> Sean

http://www.cs.mun.ca/~michael/regutils/doc/regedit.html

This link gives a synopsis for a tool that looks like it claims it can do that.
August 01, 2004
"Arcane Jill" <Arcane_member@pathlink.com> wrote in message news:cej1bi$25qj$1@digitaldaemon.com...
> Just out of curiosity, are there any customers on this NG who would prefer to
> be told a lie, if it were more palatable than the truth?

Sure. "Am I good looking?"