Creating your own installation distribution from a factory WIM image of a laptop. Why is it dangerous

Considering that the total volume of the “screw” is only 200GB, this fact was immediately recognized as a problem. Further investigation revealed that c:\recoveryimage hasn't been updated since April and the files it contains are mostly drivers. In particular, several were discovered Nvidia drivers more than 300 megabytes each, as well as a text file DONOTREPLACE, which indicated the system build number.

In this regard, to me, as a user with the rank, c:\recoveryimage did not seem super important, but it was not entirely clear whether it was used new for operations related to restoration, or whether it could still be considered a residual phenomenon and removed.

After some deliberation, the last option was chosen and “ Disk Cleanup". After the command to clean up system files and the scan was completed, it produced a list of old files, but nothing like recoveryimage it wasn't in it.

At this point, we also managed to find out that Windows 10 does not use c:\recoveryimage for recovery, and the directory is used only by WindowsRE (see Recovery content) for the so-called clean installation of the assembly from install.esd. Therefore, if you are confident that in the future there will be no need to go through Recovery, then recoveryimage can be demolished.

Which is what was done. But, of course, only after a backup. After removing recoveryimage there are no visible changes and/or problems in Windows work 10 is not observed, and 27 gigabytes of free space have been added to the laptop’s hard drive.

And a little later the following information caught my eye:

c:\RecoveryImage is a very useful feature of the assembly installer. If you convert install.esd to iso, you can do a clean installation, or use this ISO to update the system build by running Setup from the ISO or flash drive.

Competent comments on the topic are welcome.

Recently one of my colleagues came to me and said that he had picked up a virus on his flash drive, which appeared in the form of a folder called images. When you try to delete this folder, the folder is deleted and immediately appears again. Formatting a flash drive also does not help get rid of this viral images folder.

Let me start with the fact that the Windows 7 operating system is installed on the computer. A free antivirus is installed, which does not detect this virus when scanning. Antivirus is also installed USB program Disk Security, which is also bypassed by this virus.

First of all, I went to the office. Dr.Web website and downloaded the Dr.Web Curelt antivirus program. I scanned my computer with this program and was glad that the virus was detected as Trojan.Siggen4.36517 and was successfully removed. But for complete removal virus required a reboot.

Before rebooting, I opened the flash drive and was surprised that the folder with the virus called images was still on the flash drive and did not want to be deleted, because this virus sits in the computer and is automatically registered on any USB drives connected to the computer. After rebooting, I scanned the computer again with Dr.Web Curelt. The virus was indeed removed. But after I inserted the flash drive into the USB slot, the virus again entered the computer from the flash drive.

Then I decided to trust this flash drive using a Live CD with the operating Windows system XP. After inserting this flash drive into the computer, to my surprise, the images folder was successfully removed from the flash drive. After scanning this computer with the Dr.Web Curelt anti-virus program, the images.scr, images.exe virus was not detected.

This moment alarmed me and puzzled me at the same time, and I went online for more information. detailed information. It turns out that this virus relevant for Windows 7 and possibly subsequent ones Windows versions. The images virus does not work on Windows XP and is therefore not dangerous.

After removing the virus from a Windows 7 computer again using Dr.Web Curelt, I inserted a flash drive and was finally convinced that I got rid of the images.scr, images.exe virus.

Read also:

  1. Cryptowall is a virus that can encrypt all your files. Everyone is susceptible to its harmful activities. OS Windows family. You can not...
  2. Today, the topic of Vault viruses is quite relevant. Many users often wonder what to do if their personal...
  3. How to protect your website from intruders - this question probably arises for every novice blog or website owner. In the Internet...
  4. Antivirus program For home computer– is it necessary or not? How much am I willing to pay for it? In my opinion, what is the answer...
  5. DoS attacks The Internet is an aggressive environment: websites are constantly under attack. DoS attack (Denial of Service) or “denial of service”, overload of the server, element...

IN Image The tool falls under the advertising umbrella. It pretends to be a useful application, but it is not. This is far from true. In fact it is potentially unwanted programs. It slides into your system through cunning and subtlety. Then, once in, it spreads its claws all over, and ruins everything. Image makes a colossal mess. The adware gets into your settings and forces unwanted changes on you. It redirects you to suspicious websites. None of which are reliable! It bombards you with an avalanche of advertisements. The program turns your browsing experience into a complete nightmare. Every time you love your browser so much, get ready. You get constantly interrupted. And, it doesn't take long for these outages to take effect. Your system starts crashing more often. Your computer slows to a crawl. It's a mess. And, the more advertising remains, the more he receives. Don't let the situation escalate beyond your control. Do what's best for you and your PC, and deal with the problem before it gets too late. Do it sooner rather than later. Any delay in removing the tool leads to more problems. Discover your secret hideout, and remove it as soon as you do. This best course actions you can take.

How could I get infected?

Image uses the usual antics to invade. He turns to an old but gold means of penetration. Most often, free programs and spam attachments Email. But there is more. He can choose from a number of methods. On the one hand, it can also hide behind damaged sites or links. And it can also pose as fake updates. Like in Java or adobe flash player. So, you may believe that you are updating your computer, but that is not the case. In effect, you are giving the green light to a dangerous infection. You don't understand, he was at his time due to a lack of caution. Most users are quite careless when installing tools or updates. They are in a hurry and don't bother to read the terms and conditions. They agree to everything and hope for the best. This is a strategy you will come to regret not long after. Don't choose carelessness. Don't let gullibility and haste. Choose vigilance. Even a little extra attention can save you a lot of problems. Remember that next time you install updates or tools. And, do your due diligence!

Why is this dangerous?

Once the adware invades and takes hold, prepare yourself. You're in a bad time, full of resentment and headaches. They start with little, but only disappointment and annoyance. But over time, they develop in both quantity and severity. What started out as intrusive browsing turns into a serious security threat. Yes, among other things, the Image tool also threatens your privacy. Should be programmed to steal your personal data. Only then, expose him to strangers. Let's go into detail. Once the adware invades, it starts spying on you. It tracks and records every move you make online. Once it deems it has collected enough data, it sends it. To whom? Well, unknown to the third parties who released it on the web. In other words, cyber criminals are the order of the day. Those people you want to have access to your private life? Don't let this happen! Protect your personal and financial details. As soon as you become aware of the presence of adware, take action. Find where it is hiding on your computer and remove it as soon as you do. The sooner he leaves, the better. The Image tool does not deserve to remain on your computer. This only brings trouble your way. So, delete it. Do it quickly. Do it now.

Warning, multiple virus scanners have detected possible malware in Image.

Antivirus software VersionDetection
Qihoo-3601.0.0.1015 Win32/Virus.RiskTool.825
VIPRE Antivirus22224 MalSign.Generic
Kingsoft AntiVirus2013.4.9.267 Win32.Troj.Generic.a.(kcloud)
Tencent1.0.0.1 Win32.Trojan.Bprotector.Wlfh
Malwarebytes1.75.0.1 PUP.Optional.Wajam.A
Dr.Web Adware.Searcher.2467
Malwarebytesv2013.10.29.10PUP.Optional.MalSign.Generic
NANO AntiVirus0.26.0.55366 Trojan.Win32.Searcher.bpjlwd
McAfee-GW-Edition2013
Baidu-International3.5.1.41473 Trojan.Win32.Agent.peo
McAfee5.600.0.1067 Win32.Application.OptimizerPro.E
VIPRE Antivirus22702 Wajam (fs)
K7 AntiVirus9.179.12403 Unwanted-Program (00454f261)

Image behavior

  • General behavior Image and some other text emplaining som information related to behavior
  • Image connects to the Internet without your permission
  • Internet connection slows down
  • Image deactivates installed software.
  • Browser redirection to infected pages.
  • Integrates into the web browser via the Image browser extension
  • Installs itself without permissions
  • Steals or uses your confidential data
  • Download MalwareBytes
  • Download Plumbytes
  • Download Spyhunter

Image carried by Windows OS versions

  • Windows 10 26%
  • Windows 8 38%
  • Windows 7 23%
  • Windows Vista 7%
  • Windows XP 6%

Geography Image

Eliminate Image from Windows

Remove from Windows XP Image:

Remove Image from your Windows 7 and Vista:


Erase Image from Windows 8 and 8.1:


Remove Image from your browsers

Image Removal from Internet Explorer


Erase Image from Mozilla Firefox


Stop Image from Chrome


Threat Information

Threat name: Image Editor Packages

Executable file: uninstaller.exe

Threat type: Adware

Affected OS: Win32/Win64 (Windows XP, Vista/7, 8/8.1, Windows 10)

Affected browsers:Google Chrome, Mozilla Firefox, Internet Explorer, Safari


Image Editor Packages infection method

installed on your computer along with free programs. This method can be called "batch installation". Free programs offer you to install additional modules (Image Editor Packages). If you do not decline the offer, the installation will begin in the background. Image Editor Packages copies its files to your computer. This is usually the uninstaller.exe file. Sometimes a startup key is created with the name Image Editor Packages and the value uninstaller.exe. You will also be able to find the threat in the list of processes named uninstaller.exe or Image Editor Packages. a folder called Image Editor Packages is also created in the C:\Program Files\ or C:\ProgramData folders. After installation, Image Editor Packages starts showing promotional banners and pop-up ads in browsers. It is recommended to remove Image Editor Packages immediately. If you have additional questions about Image Editor Packages, please contact us. You can use programs below to remove Image Editor Packages from your browsers.




We noticed that you are on smartphone or tablet now, but you need this solution on your PC. Enter your email below and we’ll automatically send you an email with the downloading link for Image Editor Packages Removal Tool, so you can use it when you are back to your PC.


Our technical service support will remove Image Editor Packages right now!

Contact our service technical support with a problem related to Image Editor Packages. Describe all the circumstances of the Image Editor Packages infection and its consequences. The team will provide you with solutions to this problem for free within a few hours.


Description of the threat and removal instructions provided by the company's analytical department Security Stronghold.

Here you can go to:

How to remove Image Editor Packages manually

The problem can be resolved manually by deleting files, folders and registry keys belonging to the Image Editor Packages threat. Damaged Image Editor Packages system files and components can be restored if your operating system installation package is available.

To get rid of Image Editor Packages, you need to:

1. Stop the following processes and delete the corresponding files:

  • uninstaller.exe

Warning: You only need to delete files with the names and paths specified here. The system may contain useful files with the same names. We recommend using for safe solution Problems.

2. Remove the following malicious folders:

  • C:\users\user\appdata\roaming\image editor packages\

3. Remove the following malicious registry keys and values:

Warning: if the value of a registry key is specified, then you need to delete only the value and not touch the key itself. We recommend using for these purposes.

Uninstall Image Editor Packages and associated programs through Control Panel

We recommend that you review the list installed programs and find Image Editor Packages as well as any other suspicious and unfamiliar programs. Below are instructions for different versions Windows. In some cases, Image Editor Packages is protected by a malicious process or service and prevents you from uninstalling itself. If Image Editor Packages is not uninstalled or gives an error that you do not have sufficient rights to uninstall, perform the following steps in Safe Mode or Safe mode with boot network drivers or use .


Windows 10

  • Click on the menu Start and select Options.
  • Click on the item System and select Applications and features in the list on the left.
  • Find Image Editor Packages in the list and click on the button Delete near.
  • Confirm by pressing the button Delete in the opening window, if necessary.

Windows 8/8.1

  • Click right click mouse in the lower left corner of the screen (in desktop mode).
  • In the menu that opens, select Control Panel.
  • Click on the link Remove a program In chapter Programs and components.
  • Find in the list Image Editor Packages and other suspicious programs.
  • Click the button Delete.
  • Wait for the uninstallation process to complete.

Windows 7/Vista

  • Click Start and select Control Panel.
  • Select Programs and components And Remove a program.
  • In the list of installed programs, find Image Editor Packages.
  • Click on the button Delete.

Windows XP

  • Click Start.
  • From the menu, select Control Panel.
  • Select Install/Remove programs.
  • Find Image Editor Packages and related programs.
  • Click on the button Delete.

Remove Image Editor Packages add-ons from your browsers

Image Editor Packages in some cases, installs add-ons in browsers. We recommend using free feature"Delete toolbars" in the "Tools" section in the program to remove Image Editor Packages and related add-ons. We also recommend that you conduct a full scan of your computer using Wipersoft and Stronghold AntiMalware. To remove add-ons from your browsers manually, do the following:

Internet Explorer

  • Launch Internet Explorer and click on the gear icon in the upper right corner
  • From the drop down menu select Configure add-ons
  • Select a tab Toolbars and Extensions.
  • Select Image Editor Packages or other suspected BHO.
  • Click the button Disable.

Warning: This instruction only deactivates the add-on. To completely remove Image Editor Packages, use .

Google Chrome

  • Launch Google Chrome.
  • IN address bar enter chrome://extensions/.
  • In the list of installed add-ons, find Image Editor Packages and click on the trash can icon next to it.
  • Confirm deletion Image Editor Packages.

Mozilla Firefox

  • Launch Firefox.
  • In the address bar, enter about:addons.
  • Click on the tab Extensions.
  • On the list installed extensions find Image Editor Packages.
  • Click the button Delete near the extension.

Protect your computer and browsers from infection

Adware like Image Editor Packages is very common, and unfortunately, most antivirus programs do a poor job of detecting such threats. To protect yourself from these threats, we recommend using it, it has active computer protection modules and browser settings. It doesn't conflict with installed antiviruses and provides an additional layer of protection against threats such as Image Editor Packages.

I hope the information is useful!

Application

Installing the update: WinPE 5.0 --> WinPE 5.1

Let's move on to creating WinPE and updating it. In principle, you can first simply create WinPE, try to boot the target computer with it and check its version. However, here I will show the entire process of creating the image.
A working copy must first be created Windows files P.E.
Let's mount Windows image P.E.
Dism /Mount-Image /ImageFile:"C:\WinPE_amd64\media\sources\boot.wim" /index:1 /MountDir:"C:\WinPE_amd64\mount"
Add update packages to the Windows PE image. The set of update packages is the same as that used to update the Windows 8.1 image, you can download it. Important when downloading a package KB2919355 download also packages KB2919355, KB2932046, KB2934018, KB2937592, KB2938439, And KB2959977. Packages must be installed in order and separately.
-
Optimizing the image
Dism /Image:С:\WinPE_amd64\mount /Cleanup-Image /StartComponentCleanup /ResetBase
Unmount the Windows PE image
Dism /Unmount-Image /MountDir:"C:\WinPE_amd64\mount" /commit
Export and convert the Windows PE image into a new wim file
Dism /Export-Image /SourceImageFile:C:\WinPE_amd64\media\sources\boot.wim /SourceIndex:1 /DestinationImageFile:C:\WinPE_amd64\media\sources\boot2.wim
Replace the file boot.wim new file boot2.wim
del C:\WinPE_amd64\media\sources\boot.wim rename C:\WinPE_amd64\media\sources\boot2.wim boot.wim


Checking the WIMBoot image

Now I will give the commands to check the WIMBoot image, which must be executed in the wpeinit environment.

  • Checking for the presence of System, MSR, Windows and Images partitions
diskpart select disk 0 select partition 3 assign letter C select partition 4 assign letter M list partition exit
Expected Result:

  • Checking Images Section Attributes
diskpart select disk 0 select partition 4 detail partition exit
Expected Result:

  • Checking files in the Images section and recovery files
dir "M:\Windows Images" dir M:\Recovery\WindowsRE
Expected Result:



  • In the environment Windows recovery The location of a valid recovery image must be specified correctly.
C:\Windows\System32\Reagentc /Info /Target C:\Windows
Expected Result:




Installing updates on a Windows 8.1 image

Let's mount the Windows image
md C:\mount\Windows Dism /Mount-Image /ImageFile:"C:\Images\install.wim" /Index:1 /MountDir:C:\mount\Windows
Installing updates KB2919442 And KB2919355. These packages are available for various processor architectures: x86, x64 And arm. You can download packages. The service packs must be installed in order and separately.
Dism /Add-Package /PackagePath:C:\MSU\Windows8.1- -.msu /Image:C:\mount\Windows /LogPath:AddPackage.log
Here and further - package name, and - processor architecture.
Mounting the Windows RE image
md C:\mount\WinRE Dism /Mount-Image /ImageFile:"C:\mount\Windows\Windows\System32\Recovery\winre.wim" /Index:1 /MountDir:C:\mount\WinRE
We update the WinRE image using the same packages that were used when updating the Windows image
Dism /Add-Package /PackagePath:C:\MSU\Windows8.1- -.msu /Image:C:\mount\WinRE /LogPath:AddPackage.log
Additionally, we will perform image cleanup in order to remove some elements and reduce the final size of the image. This step is optional, but can only be performed at this stage: once launched, it will not be possible to clean the image.
Dism /Cleanup-Image /Image:C:\mount\WinRE /StartComponentCleanup /ResetBase
You can now unmount the Windows RE image
Dism /Unmount-Image /MountDir:C:\mount\WinRE /Commit
In order to see changes in file size, the image must be exported.
Dism /Export-Image /SourceImageFile:C:\mount\Windows\Windows\System32\Recovery\winre.wim /SourceIndex:1 /DestinationImageFile:C:\Images\winre_updated.wim
After export, you need to replace winre.wim new version.
attrib –s -h C:\mount\Windows\Windows\System32\Recovery\winre.wim Del C:\mount\Windows\Windows\System32\Recovery\winre.wim copy C:\Images\winre_updated.wim C:\ mount\Windows\Windows\System32\Recovery\winre.wim
After the updates are installed, you can unmount the Windows image
Dism /Unmount-Image /MountDir:C:\mount\Windows /Commit

Tags:

Add tags