Blog, Computer Aid, Page 85

Worst malware infection yet!

Posted on 13 December, 2005 by Luigi Martin13 December, 2005

Customer calls saying that his computer stops working once windows starts & he thinks its because of spyware.

I think: Hmm, sound like a slight exaggeration. Malware will usually slow down your computer, or break something so it wont start at all.

But no, he was right… windows would start and run (albeit slowly), but once I click on the start button, the start menu would appear, then click on any item and then: nothing! The mouse cursor would still move on the screen, but no more screen updates. The HDD light indicates that something is still running.

I try ctrl-alt-del & run, but anything I ran would only partly start & then freeze.

I try safe mode: same thing!

I try Bart PE, but I don’t get very far…

I get somewhere by: starting in safe mode, start task mgr, select file -> run, then run the Ewido setup program from the CD (I had to remember the name of the setup .exe, as doing “browse” would lock up the PC), once Ewido was installed ( http://www.ewido.net), I could start the long and difficult task of removing a LOT of different Malware software.

What makes this even more amazing is that the PC was using dialup to connect to the internet!

Windows 98 problem

Posted on 8 December, 2005 by Luigi Martin8 December, 2005

Customer calls, saying he might need a new PC, as it won’t boot up.

Since I’ve dealt with him before, I know his PC is a bit old & rusty, so it might have finally bit the dust.

When I get there, the windows 98 boot logo comes up, but the scrolling line at the bottom stops after a while. So I switch off the pretty windows startup screen & also enable boot logging.

It turns out that the sound driver that loads within autoexec.bat was corrupt somehow. So I disable it, & the PC boots correctly.

Since this only took me 10 minutes, I spend another 20 minutes doing some fine-tuning & disabling HP “additional” useless background programs.

Look2me malware

Posted on 21 November, 2005 by Luigi Martin21 November, 2005

Another Client with a spyware infection… This lady uses a dialup connection & eventually couldn’t do any web browsing.

Funnily enough, she had norton interner security (and anti virus) running, but this malware ran rings around it… the second computer in 2 weeks with norton helpless at stopping spyware.

Anyway, I spend 90 minutes doing the usual: disable malware startups within the registry, startup folder, etc. but every few minutes, a web page would spontaneously pop up anyway… At least the computer was mostly working, but if I left it as is, it would have gotten worse over time anyway.

Client agrees I can take the computer & work on it from the office.

After a lot of investigation, I find I’m dealing with “look2me”… & all the forums are full of helpful suggestions, none of which seem to work for my particular situation… run programs like adaware, ewido, spybotSD, etc, start in windows safe mode, blah blah blah.

No matter what I did, the spyware was re-appearing. I even knew which file was the culprit, but it was “in use by windows” from when windows starts, so it cannot be deleted, & it changes name after every reboot… so deleting it at reboot time is no use… and of course any deleted files or registry entries would get re-created (sometimes within a matter of seconds)

I got a good idea of what was going on by using hijackthis (http://www.spywareinfo.com), regedit, l2mfix, and the symantec page on look2me.

I even upgrade XP from SP0 to SP2

I also found that there are so many variants of this little critter… no wonder anti-spyware programs can’t control it… antispyware rely on malware “signatures”… similar antivirus programs… the malware people can generate new variants faster than any anti-malware company can keep up… maybe someone should tell them to adopt a heuristic approach… so that all current & future variants can be dealt with.

Anyway, I figure out how to interpret the output from l2mfix, & tell the difference between legitimate files & registry entries, & bad ones.

It seems like L2M rotates between 4 different (seemingly random) filenames after every reboot. The registry entry for the current active dll file can be deleted, but it gets recreated.

But there are 8 other registry entries, which seem to “control” the 4 dll files… So I delete these 8 entries while in safe mode (I wouldn’t have been happy if there were 200 entries!). They don’t reappear, so I empty out the temp, prefetch, & ie cache folders. Then I schedule killbox to delete any undeletable “bad” dll at booot time.

I’m not sure what else I can do… its 4am, & I’m a wee bit tired, so I decide to reboot into safe mode again & see what happens… I notice that my deleted entries have remained deleted, the “reappearing” registry entry is gone, and there are no bad dll files left in the system32 folder…

I run ewido, spybot & adaware, just to be sure, then I reboot to normal windows mode. Still no signs of L2M, so I do a defrag & let the computer (with Maxthon running) go for the rest of the night. The next morning, there are no signs of malware, so I declare the computer exorcised of deamons, & return it to its family.

Can someone please make a decent anti-malware program?

I hope future malware problems I encounter will be easier… otherwise I might have to take the “lazy” way out & recommend system rebuilds as a solution… not the most elegant solution, but it make better use of my time.

New HP Laptop

Posted on 16 November, 2005 by Luigi Martin16 November, 2005

Client needs help setting up a brand new computer & multifunction printer/scanner

She doesn’t know much about computers, so I startup the laptop & go through the windows “configuration” screens, nothing unusual.

She wants to setup the internet… but has no broadband modem… So I ask her to call the ISP.

In the meantime I check the wireless connection, & it looks like someone nearby has an unsecured wireless connection to the internet… So I tell her she can use it occasionally, but needs to get her own internet connection.

I enable norton, since it was already installed with windows.

I then install the HP printer software.

The HP software take 30 minutes to install… wow is it slow.

I also notice that the wireless network is still visible, but I can’t browse anymore.

By the time the printer is fully running, I have used up my allotted time, so I leave. But later, I start thinking: enabling norton might start blocking the wireless internet access… I’ll need to investigate this Norton software some more… Lots of people out there are using it (perhaps they shouldn’t), but I need to become familiar with how it works. Looks like I’ll be spending some time “playing” with this monster.

HP Media Centre PC (part 2)

Posted on 15 November, 2005 by Luigi Martin15 November, 2005

I return the laptop & I get the printer going with no further issues. I also did some tuning & installed some utilities to minimise the occurrence of popup ads, malware etc, & since Norton didn’t do a good job, I also installed AntiVir (www.free-av.com).

I also installed Maxthon (www.maxthon.com), as I’ve found the tabbed browsing helps to control popup ads (but maxthon also has built-in popup & ad removal capabilities, as well as many other nice features)

He also wants me to get his media centre PC & the laptop networked, so that he can share files between the 2 systems.

Here is where it starts getting time consuming, as I make sure both systems use the same workgroup, & both systems have the same usernames. I eventually get the HP to read/write files to the laptop, but not vice-versa… I disable norton on the HP, & I can now “find” the PC with windows’ find computer, but still no sharing of drives…

We agree to leave it as is, as the client knows a network expert who should be able to fix the networking a lot faster than me.

Although I got a lot done, I hate leaving loose ends.

HP Media centre PC (and Yellow pages)

Posted on 10 November, 2005 by Luigi Martin10 November, 2005

Client calls wanting some help setting up a HP media centre PC into his home theatre. My number was given to him indirectly via my yellow pages listing.

I won’t say exactly how, because:

a “competitor” might be reading
this might lead to an increase in high income customers being directed towards Computer Aid.

The yellow pages were distributed only a few weeks ago, & I chose just the minimum free ad, since the category is swamped with large colour ads.

But I will purchase a larger image ad in the local area Yellow pages (due out in about 4 months time).

Anyway, I setup the Media centre software. The client is computer savvy, & learns enough that he is happy to “play” with the system over the weekend & learn its full capabilities.

He also wants me to help with a printer problem on another PC upstairs: He has 2 PC networked (an IBM, and a Dell laptop with a printer), but the IBM cannot print… I do the usual ping tests (all fine), do a windows “find computer” but the laptop doesn’t show up when the IBM searches….but the IBM shows up when the laptop searches…. hmmm.

I look at the laptop more closely, & notice that its quite slow… I check the background processes & see a lot of spyware running… Given that it has Norton running, I assume that 1 or 2 malware infections have slipped through, so I disable most from starting, but after a reboot, there are still some popups & printer doesn’t work.

Client agrees I can take the laptop for a careful cleanup & tuneup.

$20 PC (Linux)

Posted on 31 October, 2005 by Luigi Martin31 October, 2005

Got a call: “I’ve just bought a PC for $20, but I can’t get past the password prompt”. He spoke to the “vendor” who gave him the password, and said something about resetting the bios setting…

Anyway, It sounds like a bios password… it should just be a matter of shorting a jumper.

When I get there, it turns out to be a large tower, running a pentium 2 & 64 Mb ram… Nothing wrong with the bios.

I let the PC boot normally, & I see it starts running redhat linux (my first in-the-field encounter with linux since I started my business). I like unix/linux, so I’d like to see more of these systems out there one day…

It gets to the linux login prompt & now I understand the problem: Client knows the password, but not the userid… I type in “root” and then password, & everything works fine.

I help out getting the sound plugged in correctly.

Client wants to try playing some windows games… I tell him its not possible (linux cannot run games designed for pentium 4 windows systems, and also: a pentium 2 has no chance of running the latest games).

Client then says: “maybe I should get my pentium 4 system out of storage”… I agree with him.

CDrom failing?

Posted on 27 October, 2005 by Luigi Martin27 October, 2005

Client rang with a problem: she runs win98 & is getting a lot of drwatson errors (system file not found).

Now I know this client, & she tends to experiment with her computer & it is very likely that she unintentionally deleted or moved some system files. So I quote her to re-install win98 (plus I throw in some free games, defrag the hard drive, & clean out a few years worth of dust).

Now, the CPU fan & video card fan are spinning slowly & there is very little airflow due to the dust.

At some point during the cleaning, the computer refuses to boot… no bios messages, monitor doesn’t get out of power saving mode, & the HDD light is permanently on. Now I’m pretty sure I didn’t damage anything, so I start unplugging components (HDD, cdrom, sound card, etc.) eventually, it looks like it might be the video card. I try a few spare cards, & they seem to work. I then try the original card, & it also works… how strange!

I complete the reinstall without any further problems, & then I go to install some freeware games (from a CD), and during the copy process, the computer locks up… hit the reset button, and the PC refuses to boot again (just like before). I get out my spare video cards again, & none of them work…

At this stage, I decide to pop the CD out & try another card: it works!

Its the CDROM drive! The PC won’t boot if there is a CD in the drive (and after win98 starts, the pc will still lockup (occasionally). With no CD in the drive, everything works fine.

I tell the customer that the CDROM (liteon 52X max drive) might only last a few more months (maybe 1 month, maybe 12 months).

Another mystery solved.

CDROMs do some very strange things when they fail!

Freezing win98 and broadband

Posted on 17 October, 2005 by Luigi Martin17 October, 2005

Client calls, needs to have computer (a HP Pentium3) fixed urgently, it keeps locking up & runs very slowly. I think: sounds like another spyware problem.

Turns out the client already has spybot installed & running correctly, however, their virus checker had ended its free trial period, so they had installed another virus checker… Now this could be the problem… I’ve heard that its usually a very bad idea to run 2 virus checkers at the same time, so I eventually manage to disable all virus checkers (as well as usual startup crud from the registery). I also clean up the temp folders and install antivir.

I also installed a webcam for him.

The really weird thing is that the CDROM drive wouldn’t close, it would open at boot time & then stay open. I eventually figure that it must be broken. Client wants it fixed, so the next day, I quote him the cost of a new drive, plus installation & configuration (and a small amount of training on the DVD software).

Client agrees, I buy a DVD burner, & go to install it…

When I get there the second time, client say he is very pleased… He has had the computer since new, & since I fixed the lock-up problem, apparently the computer is faster than when it was new.

If more people realised that some fine-tuning can make a big difference to their computer speed, I reckon computer sales would drop.

Opening a name-brand PC is sometimes like a puzzle, & this HP was one of the trickier ones. but I eventually manage to swap over the optical drive, install the software & do a test burn of a DVD.

Client loves, the new drive & has lots of questions, & wants to know how to copy CD music to the PC, how to download movies, etc, etc. Since some of this is getting uncomfortably towards illegal downloads, etc, I politely say I cannot install that stuff, but I can give him some pointers… & he can decide what to do. I make sure he knows that downloading music & movies without paying for them is illegal.

All the extra questions & demonstrations take an extra 40 minutes (and the previous visit also went about 40 minutes over, so I tell hime I need to charge for an extra hour.

He writes a check, but says he wasn’t expecting to pay so much. I counter with: he is actually getting great value, as he has gotten a lot of extra help & information, which few other “computer repairers”. would have been able/willing to deliver in such a short period of time. He certainly got his money’s worth.

Parallel port weirdness

Posted on 10 October, 2005 by Luigi Martin10 October, 2005

Clients printer (Canon BJ series) had suddenly stopped working. It was weird, since win98 detected the printer & installed the driver, but couldn’t print to it.

The printer itself would do self-diag, so it was either a windows/computer issue, or a cable issue.

I decided to take the printer home & test it in a known environment. It worked perfectly.

So I went back to the client with a spare LPT card, a spare cable, & a plan to maybe play with the bios settings.

Found the bios setting for the printer was “EPP”, so I tried changing it to “SPP” (standard PP). The driver re-installed automatically & the printer then worked…

Oh well, I probably should have checked the bios settings first.

Dust on SATA plug

Posted on 10 October, 2005 by Luigi Martin10 October, 2005

A business client I had dealt with previously, called to say their new computer is no longer starting (something about IDE drive not found).

These people have a 2 month old computer & I previously helped them migrate their outlook settings & fixed a faulty modem, so I had previously opened up the box.

Got there & it looked like the bios couldn’t detect the hard disk… I told them it might be a simple fix, but worst-case, the HDD might have failed, which would probably involve a very tedious re-install of most applications, & a total loss of old emails (they only backup their accounting data). This generated a few shocked looks, but I hope it motivates them to moving to a more comprehensive backup strategy (I’m happy to help them implement a simple DVD backup, but the important thing is to get a good backup happening, regardless who does it).

Fortunately, I just had to unplug & re-insert the SATA plug, & everything was back to normal.

Its just odd that this happened soon after I had fix another problem for them (i had swapped modem cards, but didn’t touch the SATA cords).

I just hope they are not the “suspicious” types and think I had sabotaged their computer the first time, in order to get a second callout. I prefer to do just 1 good job, in order to maximise referrals.

Anyway, I did my best, so I’m not going to worry much about what others might think of me.