Malware Slayer

Jay Tea describes an experience cleaning up malware, that is, adware and spyware, on an extended family computer. There’s that family tech support thing again. I can’t blame him for feeling dirty, as it was a particularly bad infestation.

He took a somewhat different approach from the hardcore one here and for that matter, here. Yahoo’s toolbar? I’d never have thought to do that.

One thing though; installing Firefox is priceless. It goes most of the way toward preventing the problem from happening again. And again and again and again.

Speaking of Tech Support for Friends and Family…

I just received an entertaining plea for computer help from a friend. The subject? “Bill Gates sucks wet farts out of dead pigeons.” Alrighty then.

Now, this is a great guy, tops at what he does, but sometimes surprising when it comes to computers, given how long he’s been using them. His first paragraph:

I can’t access the internet. My IE (windows?) is corrupt, the DNS doesn’t work. The only reason I can get mail is the nice (and smart) guy at verizon diagnosed my problem and walked me through typing my numerical address into OE.

So far so good, except my answer to the IE part was that he’s crazy not to be using Firefox and to start ASAP, because he is susceptible to malware (adware/spyware), almost definitely has malware, and possibly can blame either that or an attempted removal of that on the problem.

I centered my advice around the possibility of malware corrupting networking on the machine, though there’s also the standard thought of trying a different DNS address or two.

The next three paragraphs:

None of the stores sells browsers because you can download them so easily from the net (you can’t get there from here).

Talked to a guy at circuit city who told me how to do a system restore, got the “I’m sorry Dave” response from windows.

He also gave me an AOL disc and told me how to bypass the AOL crap and try to install netscape from it but it didn’t work or I couldn’t work it.

The browser observation is amusing. That’s when you have a friend download and burn one for you. Or you have someone obtain the IP address of a site where you want to download a browser. All of which is moot, because the chances of it being solved by a different browser are vanishingly remote. That’s like saying “my car can’t back out of the driveway because there’s a concrete barrier between the driveway and the road, so give me another car in my driveway so I can back that out instead.”

Last time I had a similar problem, system restore was a wonderful thing. I think that was a fine approach, assuming there were saved checkpoints and he went back far enough. Chances are something is corrupted in regard to network components, and a restore would set things back. I also suggested safe mode with networking support, or running msconfig and disabling all startup items as a test.

Finally, the OS rant:

I always hated XP, but this takes the cake. Do I have to buy a new computer? If I do, will it have something better than XP in it? As far as I can see, microsoft gets it right every other time. I loved 3.1. I hated 95. I loved 98. I hate hate hate XP. At least on my machine it’s less stable than 95 dreamed of being.

I love XP. More XP Pro than Home edition, and more on a workstation than a laptop, but I have had fine luck with it. I just hate hate hate product activation. Yet even that hasn’t been as painful or tragic as it could have been. You can use XP into the ground like any other OS. You can fail to have a firewall, keep using IE, surf in bad neighborhoods, fail to check for malware, and so forth, until you think your OS sucks dead pigeons out of Bill Gates or something.

Windows 3.1 better than 95? In sheer usability there was no contest, and I am still supporting an install of original 95 that is absurdly stable dating back to 1996. On a crappy quality computer, no less.

I will grant that I hate the new Start menu and some other details in XP, so the first thing I do is change back to the old style menu and so forth. I hate that everything in XP and 2003 is wizardy and wants to treat you like a novice even if you’ve been doing it forever. Some of the things I’ve seen wizards for are absurd and simply cause tasks to take more time. However, for ordinary usage it’s fine, and XP Pro is rock stable in every install I have encountered on a machine of reasonable quality.

Is my experience unusual, would you say?

I believe what the situation includes is a computer of questionable quality, probably with Home rather than Pro edition of XP. It includes being loaded with tons of stuff that loads at startup, mostly superfluous, bogging the machine down. It may or may not be checked in a cursory way periodically and cleaned up at all. Surfing is with IE and unconstrained. A firewall doesn’t exist on a DSL connection. There is probably virus scanning taking place. Something like that. Take away quality ingredients, crud it up, minimize servicing, and you are bound to have problems after a while.

This and That

I’ll be away for the weekend, and don’t know whether I will get to post anything here. It’s possible, since I’ll have dialup on both my laptop and the “family tech support” computer there. If I don’t, perhaps some of the other contributors will have something to say.

For the server with the bad 1/3 of a RAID 5 array, I ordered a replacement server. It was time anyway. Whether I repair the old computer or risk using it with a bad drive, there are completely non-critical uses to which it can be put. Meanwhile, the client gets a jump on the upgrading I plan for the upcoming year. All the current server has to do is hold out until the weekend of the 4th.

Meanwhile, the same client uses e-mail gateway scanning by Sybari Antigen, but has declined to purchase antivirus software for the workstations. Tonight I found my first virus on a workstation since getting Sybari Antigen following the infamous Nimda and Code Red outbreaks. Three years ago? Something like that.

This was a variant of Bagle that runs an executable file called Wingo that is visible in processes. The virus made itself obvious by generating an error dialog consisting of a list of e-mail addresses. I cleaned it manually in the same way I would malware of the adware or spyware variety, though I noticed it didn’t bother to set the files it used as hidden, the way malware frequently does.

The virus can spread through network shares, apparently, so I am moderately worried about it being elsewhere in the building. On the other hand, there have been no obvious signs. In any event, it has to wait for my return from the extra long weekend. I also have to wonder how it got in. Did it sneak in via e-mail that went undetected through failure of the gateway scanner? Or before the scanner was updated with the definitions for that variant? Did it come in via the web? Via the network itself? I may never know, but it’s all the more to keep me busy.

Anyone Remember…

I did an unexpected bit of malware cleanup today, and in the process found myself in the windows and then the system32 directory identifying offending DLL, EXE, DAT, INI, LOG and TXT files, primarily the first three, using old-fashioned DOS commands. You know, dir/ah for hidden files, dir/ah/p to pause if too many for one screen, dir/ah *.dll for the hidden DLL files, and also dir/od or dir/o-d/p in whatever combinations, to show newest files last, or first and pause after a screen, respectively.

Since it was clear that the bunches of oddly named files with hidden and system attributes and very recent dates had been put there by malware, whether currently active or not, I renamed them rather than deleting them, in case of errors.

After a bit of:
attrib -s -h malfile.dll

ren malfile.dll malfiledll.not

I got tired of typing so much. So I spontaneously remembered my batch file skills, duh, and went to town. Better yet, I used the first way I ever learned of creating a new batch file, before I even learned (for shaky values of “learned” since it was so tricky) to use Edlin for editing them.

Anyone remember “copy con”?

It’s just the copy command, but applied to the “console” to write a file. So at the prompt I typed:
copy con atsh.bat

After pressing enter, the regular prompt, C:\yada yada>, goes away. Continuing, I typed:

attrib -s -h %1
ren %1 %1.not

Then pressed Ctrl-Z, which displays as ^Z, and pressed enter to save the file.

%1 is the parameter passed into the batch file. So at the command prompt I could then type:

atsh aq6zyd.dll

That removed the system and hidden attributes and renamed the file to aq6zyd.dll.not, which is not precisely the naming convention I’d been using, but it still makes them of a nonsense “type” and clearly indicates they are the ones I renamed, whether for renaming back if mistaken, or deletion when clearly not needed.
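As an added example, not the two-line batch file from the post, here is a longer atsh.bat in the same spirit for XP’s cmd.exe: it checks the file exists, strips the attributes, renames it to .not, records the rename in a log so a mistaken rename can be undone, and offers a /undo switch. The log file location and the /undo switch are my own choices, not anything from the original.

```batch
@echo off
rem atsh.bat: strip system/hidden attributes from a suspect file, rename
rem it to <name>.not, and log the rename so it can be reversed later.
rem Usage:  atsh aq6zyd.dll         (quarantine by rename)
rem         atsh /undo aq6zyd.dll   (rename aq6zyd.dll.not back)
rem The log file name below is an assumption for this example.
set LOG=%SystemRoot%\atsh-renamed.log

if "%~1"=="" goto usage
if /i "%~1"=="/undo" goto undo

if not exist "%~1" (
    echo File not found: %~1
    goto :eof
)
attrib -s -h "%~1"
ren "%~1" "%~nx1.not"
rem If the file is still loaded in memory the rename fails; that failure
rem is itself a sign the malware is running and safe mode is needed.
if not exist "%~1.not" (
    echo Could not rename %~1 - probably in use, try safe mode.
    goto :eof
)
echo %DATE% %TIME% %CD%\%~nx1 >> "%LOG%"
echo Renamed %~1 to %~nx1.not
goto :eof

:undo
if "%~2"=="" goto usage
if not exist "%~2.not" (
    echo Nothing to undo: %~2.not not found
    goto :eof
)
ren "%~2.not" "%~nx2"
echo Restored %~nx2
goto :eof

:usage
echo Usage: atsh ^<file^>   or   atsh /undo ^<file^>
```

Run it from the directory holding the suspect files, exactly as the two-line version was used; the log lists every file renamed, with its full path, so nothing gets lost track of when the cleanup spans windows and system32.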

The system in question was a serious mess. At first I couldn’t get into Control Panel. I never could get into Services, because it thinks IE 5.5 or higher is not installed.

Of course, this system is weird in that it’s XP Home and even when I am in safe mode command prompt as administrator, it locks me out of accessing some files and has some of the malware files in memory. The machine needed to be back in a hurry, so I returned it with no apparent malware running, but without certainty that it’s not there or isn’t going to come right back. It’s just not crippled and ought to go for a while. The thing really should be fdisked and reinstalled fresh.

The whole thing brought back memories of my early computer usage and messing with batch files. When the OS was DOS, or DOS and Windows 3.1, batch files really mattered. Before DOS Edit, I used copy con all the time.

Buh-Bye Passwords

Tony reports that Microsoft plans to wean itself from passwords and move to smart cards, both for their own benefit and to help nudge along the increasing interest in biometrics and smart cards.

That would certainly help with the problem of people using spouses, pets and kids as their easily guessed passwords. On the other hand, it’ll be just like having to remember your discount card to go to the local supermarket or pharmacy, only worse. Leave one home and you can’t get the sale prices. Leave the other home and, oops, you can’t work. Heh.

An Oddity

I may edit this to flesh out the details later, like maybe camera model and exploit details. I’ve been encountering the strangest thing with pictures taken by a digital camera. Some of them, and it always seems to be the last ones on the memory stick in the particular batch, if they are e-mailed as-is get flagged by the web host’s mail scanning program as being infected with the recently uncovered JPEG exploit. Now, I know they aren’t affected by the exploit. The problem with the scans is that a slight internal defect in the JPEG file can mimic the way the exploit reads when the file is examined. This means the camera itself, or the storage medium it uses, is creating malformed JPEG files. Not good. It’s gotten old, not being able to e-mail the original graphics without the risk of having them purged.