I work in the embedded software industry and was recommended this community by a colleague because of its reputation.

I have had my topic closed in the forum "HijackThis and Malware Removal". I completely understand the moderator's decision, as it is reasonable to assume that anyone found in possession of a set of lockpicks is a burglar, but occasionally they are a locksmith. I do not wish to promote argument with the referee, but I believe the full facts will merit reconsideration of his decision. As this thread is very likely to be read by people without the background knowledge of the moderator, it will be verbose, so any level of reader can follow my argument for the decision to be reviewed.

When you buy a PC from a "Royalty OEM" (Original Equipment Manufacturer), such as Dell or HP, they have an agreement with Microsoft to buy licences at less than the retail price (hence the designation "royalty"). These have a method of activation called SLP (System Locked Pre-installation) and are tied to a particular PC motherboard. When you have a retail version you are not constrained to any particular set of hardware, so it costs more for the privilege. However, when you change too much hardware at any one time, Windows insists on being re-activated and displays a phone number after you enter your key. When you phone, you explain what you have done and they give you further information to get you re-activated. This is in order for them to confirm your key is genuine, that you are not attempting to use the same key on two different machines, and other things that are in breach of the retail licence conditions. In theory they can refuse, but I have never known this to happen when you are polite and completely honest in the phone call.

I admit I have only ever bought one key from Microsoft. Up until Windows XP SP1 (Service Pack 1), you only needed the installation media and a valid key. My genuine installation media and keys for DOS, Windows 3.1, 3.11, 95, 95 OSR2.5, 98, 98SE, 98ME and 2000 were all gifted to me after self-built PCs with retail licences were scrapped. My self-build PC was initially activated with XP Pro SP2. I changed the motherboard and processor and re-activated. I added a gifted hard drive with XP Pro SP1 from another scrapped PC and re-activated. I changed the motherboard after a lightning strike and re-activated both partitions. I upgraded my motherboard and processor and re-activated both partitions. SP3 came out and my SP1 partition was upgraded. I was gifted two more sets of installation media and keys from scrapped self-build PCs. I put my SP3 partition in a Ghost image (Ghost is a utility that allows you to make an image of a partition and restore it completely) and used one key to install XP Pro with no service packs and activated it. I then put my base XP into an image and used the second key to install XP SP1. Again this was imaged and my SP3 partition restored. I was gifted a Vista installation disk with no key by our site computer services from work. I then had the capability to test everything I wrote on 3.1 to XP SP3 by restoring the relevant Ghost image to my software test disk. Vista and its service packs involved an install without activation. I upgraded my motherboard and processor to one that supported hardware virtualisation and added RAM to make a total of 4G over the Christmas holidays, and was able to re-activate all four versions of XP. I therefore believe the advice on obtaining genuine Windows is inappropriate in my case, as by my arithmetic there were eleven checks made on my licences.

The cheapest way of buying a PC for children to do homework on is to buy a second-hand PC with Office already installed. One of my colleagues did this and noticed that Windows Defender, Microsoft Security Essentials and Media Player 11 were all installed. These all need to pass Genuine checks to install, so he bought it, only to find it had a cracked LegitCheckControl.dll Vn 1.7.36.0 four months later. I was asked if I could think of anything that could help prevent this, so I knocked up a cheap and dirty program that took MD5 hashes (a rather complex checksum, i.e. a number that can uniquely identify a file, with the probability of a false match being roughly equivalent to winning the lottery twice in a row) of key Windows and Office files and compared them with a list of known working cracks. It also checks the registry to confirm Windows has not been activated with a Volume Licence Key (as a private sale almost certainly is an OEM or retail key). In order to generate my blacklist (list of numbers for bad files) I had to hunt down the files in the same way as an anti-virus researcher has to get a virus-infected file to generate a signature.

Also, children have a habit of downloading cracks (a method of bypassing legitimate activation) to try to get stuff for free. These usually contain malware, and it takes a while for the scanners to produce signatures to detect them. When colleagues suspect this because new software appears, I tend to hunt down the ones that work and wait for a scan to tell me what the malware is. I also sometimes disassemble them, or load them into the debugger when the disassembly does not make sense, out of intellectual curiosity.

I admit to having an OGA (Office Genuine Advantage) and a J. River Media Centre crack in my My Documents area, with a WGA (Windows Genuine Advantage) crack in the same place as the OGA crack. Now that I have the Packed.Win32.TDSS.z and Trojan.Win32.Buzus.dgba names from the Kaspersky online scanner, I was able to use the manual removal instructions to sort out five laptops (hence the delay to this post). I have given them a link to a page with the PayPal button, as my time was freely given but you need funds to keep this organisation going. I would also like to pass on their thanks for identifying these problems. Now that the controversial downloads have outlived their usefulness by giving up the information on their infections, I have deleted them.

If you still believe that you cannot help me with a cross-partition contamination (running one version of an operating system on the machine means all operating systems on the machine then show symptoms, even when they worked perfectly after a re-install) that does not show up in Malwarebytes' Anti-Malware, SUPERAntiSpyware and HijackThis, would you kindly direct me to where I can find out how to remove my membership? Note: using the MVPS hosts file does stop the porn if I forget and click on a link instead of copying the link to the navigation bar.

I was looking forward to moving to Windows 7 as it has some beneficial features for the end user, especially being able to Set Affinity (choose which cores in the processor the program runs on) without having to start older programs and use the Task Manager when there are problems with multi-core processors. It will take time to install my software (I bought Ghost after taking a week off work and spending six days re-installing Windows and software from 08:00 to 18:00 with a half-hour lunch break, but the image I took of my SP2 partition with the drivers for my current motherboard is corrupt, so I can only restore my SP3 partition), so I will need to use my SP2 partition before I am finished. I will also need Ultimate so I can use XP Mode, as there are 15 applications I use regularly that are documented to not work with 7 whatever settings you apply. The initial delay was just saving for the licence. Now I need to identify what I have caught so I can guarantee it will be gone if I re-format and re-install, and not just re-appear after all the effort. When I first noticed the non-requested disk accesses it was to my source code disk, so I re-formatted it. I am not looking forward to re-loading 1.3T in approximately 4.65G backup chunks whatever happens.
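The hash-comparison tool described in the post above (key Windows/Office files hashed and matched against a blacklist of known cracks) is easy to reconstruct, and a small extension makes it more useful. The block below is an added example written for this page; it is not the poster's program. Every file, name and digest in it is constructed for the demo: the byte strings are stand-ins, not real Windows binaries, and no digest here is the digest of any genuine or cracked Microsoft file. It also does not attempt the post's registry check for a Volume Licence Key, which only makes sense on the Windows machine itself.

```python
"""Known-bad / known-good hash check for a set of named files.

A blacklist (digests of collected cracks) answers "is this a crack I have
already seen?".  A whitelist (digests of the same files taken from a clean
install) answers the more useful question "is this file one I trust?", and
flags re-packed cracks the blacklist has not caught up with.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins.  The contents are placeholders so the demo runs
# anywhere; they are NOT the real files and their digests mean nothing
# outside this script.
GENUINE_SAMPLES = {
    "LegitCheckControl.dll": b"stand-in for a genuine LegitCheckControl.dll\n",
    "OGAAddin.dll": b"stand-in for a genuine OGAAddin.dll\n",
}
CRACK_SAMPLES = {
    "LegitCheckControl.dll": b"stand-in for a collected cracked LegitCheckControl.dll\n",
}


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream a file through hashlib so large binaries need not fit in RAM.
    SHA-256 is the default; pass algo="md5" to reproduce the post's choice."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_lists(genuine, cracks, algo="sha256"):
    """Return (whitelist, blacklist), each mapping filename -> set of digests.
    In real use the genuine digests come from a clean install, the crack
    digests from samples hunted down the way the post describes."""
    wl = {n: {hashlib.new(algo, d).hexdigest()} for n, d in genuine.items()}
    bl = {n: {hashlib.new(algo, d).hexdigest()} for n, d in cracks.items()}
    return wl, bl


def classify(path, whitelist, blacklist, algo="sha256"):
    """Classify one installed file by its digest:
         'known_crack' - on the blacklist (the post's original check)
         'genuine'     - matches a known-good build
         'unexpected'  - named file, but neither list matches: a crack not yet
                         collected, a build we lack a reference for, or tampering
         'unlisted'    - no reference digest for this filename at all
    """
    name = os.path.basename(path)
    digest = hash_file(path, algo)
    if digest in blacklist.get(name, ()):
        return "known_crack"
    if digest in whitelist.get(name, ()):
        return "genuine"
    if name in whitelist or name in blacklist:
        return "unexpected"
    return "unlisted"


def demo(algo="sha256"):
    """Lay out four constructed cases in a temporary directory and classify
    each.  Returns {case_label: classification}."""
    wl, bl = build_lists(GENUINE_SAMPLES, CRACK_SAMPLES, algo)
    cases = {
        "genuine": ("OGAAddin.dll", GENUINE_SAMPLES["OGAAddin.dll"]),
        "known_crack": ("LegitCheckControl.dll", CRACK_SAMPLES["LegitCheckControl.dll"]),
        # one byte changed in the collected crack: a re-packed variant the
        # blacklist has never seen, which only the whitelist check catches
        "unexpected": ("LegitCheckControl.dll",
                       CRACK_SAMPLES["LegitCheckControl.dll"][:-1] + b"!"),
        "unlisted": ("wgatray.exe", b"stand-in for a file with no reference digest\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory(prefix="hashcheck_demo_") as root:
        for label, (name, data) in cases.items():
            case_dir = os.path.join(root, label)
            os.mkdir(case_dir)
            path = os.path.join(case_dir, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = classify(path, wl, bl, algo)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:12s} -> {verdict}")
```

The "unexpected" case is the one the post's colleague actually needed: a blacklist only recognises the exact cracks you have already collected, whereas hashing the same files on a clean install and alerting on anything that differs catches every modified copy, including ones with no signature yet. MD5 is kept as an option because the post used it, but MD5 collisions are practical today, so two files crafted by the same party can share an MD5; SHA-256 sidesteps that question at no real cost.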