softlay.net

From: CHYRON (DSMITHHFX)22 Jul 2017 12:55
To: ALL1 of 7
http://softlay.net

Anyone had any truck with this outfit?

I found it from a search for windows 7 iso. MrsD succumbed to a fake virus scam and some douchebag she phoned and allowed to connect up hosed her pc and asked for $100 for a firewall, at which point she hung up and unplugged her pc (yay). She has a coa install, and MS's official dl says her product # can't be used for the retail oem iso. So anyhoo I'm dl the iso from softlay and hoping it's not packed out with malware so I can essay a repair install. That's iffy anyway because her pc will only boot into safe mode, and from what I've read repair install only works from normal mode.  :-( Anyone knows different I'd love to hear about it.
From: graphitone22 Jul 2017 14:07
To: CHYRON (DSMITHHFX) 2 of 7
I can get you a kosher image of (some flavours of) Windows 7 - what version are you looking for?
From: CHYRON (DSMITHHFX)22 Jul 2017 14:45
To: graphitone 3 of 7
home premium 32-bit
From: CHYRON (DSMITHHFX)22 Jul 2017 16:09
To: ALL4 of 7
so I ran an SFC from a known good (purchased) installer dvd (but Pro version) from work, and it returned "Windows Resource Protection did not find any integrity violations".

Still only boots into Safe Mode. Hmph.

Gonna burn the softlay iso next and might essay a scan from that. Probly looking at the oem nuke & reinstall thingy though. :-(
From: CHYRON (DSMITHHFX)22 Jul 2017 16:53
To: ALL5 of 7
OK, so after going through msconfig and setting it to boot normally it... booted normally. I'm guessing dickwad mcfuckface on the phone had set for safe mode and then wanted a hundred bucks to unset it.

I also disabled remote desktop connection in msconfig.

Fuck you, mcfuckface.

I may test out the softlay offering in a virtual machine at work next week. Glad I didn't have to use it.
From: CHYRON (DSMITHHFX)24 Jul 2017 18:33
To: ALL6 of 7
A fresh softlay-sourced Windows 7 install in virtualbox passed a MS Malicious Software Removal Tool scan, so I installed Firefox (which Mrs.D uses) and opened the site she said was the last one she browsed before the attack: http://arizonamountaineeringclub.org.

Nothing happened. I suppose it's possible another malware-infected web site she had browsed earlier was the culprit.

I also opened the actual web page the attack apparently came from, based on her ff history:
http://187679863776586953687908945.win/?a=10012294&offer_key=d26a2baaa128ee148b74161dcfb52443&nrid=3

which (unsurprisingly) returned a 404 not found

Another scan with the Microsoft tool after browsing these sites also turned up nothing.

Conclusion: attack vector unknown.
EDITED: 24 Jul 2017 18:35 by DSMITHHFX
Message 41996.7 was deleted