Adding a USB printer should be simple, right?


A client gave me a call. He just couldn’t get the HP printer he had bought to work properly. It worked, then it wouldn’t. This was on a pretty new Windows 7 Home system. I suspected that he might have plugged it in before installing the drivers for the printer. That can be a huge mistake. These things are supposed to be plug and play, but the driver needs to be available when the device is attached for the first time. Otherwise, you can end up with some funky, dead devices out in Device Manager.
So, I popped over and messed with it for too long (uninstalling/reinstalling/fixing spooler corruption, etc.) before deciding that this was just a flawed printer model. I told him to return it, gave him an alternative printer and left. The next day I got an email thanking me that I thought I’d share:

————————————————————————————————————–
Jeff,

Nice to see you today as always.  Thanks for defining the mess and cleaning it up.  It was actually rather impressive to observe.

FYI I bought the Canon XX printer you recommended and installed it carefully following the instructions step by step (which took about a half hour as predicted in the manual!) with complete success.  Or so it would seem thus far!   Printer installed without a hiccup, printing fine, no delays or hang-ups along the way, printer/device folder opens instantly w/ the XX happily taking its place among the others.  I hope all stays peaceful.  I expect it will.  After what I went through during the last 5 days it was a welcome relief to have such a systematic, uneventful install process.

In all I spent at least 13 hours on that damned HP not to mention what I incurred with S.I.S. today.  You think HP will sympathise?  Nevertheless, I’m going to inform them.

Thank you again.  Be well.  Go Giants.  (I’m pretty sure you’re not a Giants fan but I had to add that anyhoo)



The Case of the Contaminated Netbook

A client brought over a Dell Inspiron Duo netbook, telling me it was virused and running slowly. I agreed: it ran like a dog. Because the initial problem had started about two months earlier, using System Restore wasn’t a good alternative. This system presented an interesting challenge or two since it had no CD/DVD drive, so I had to transfer things using a USB flash drive.

Before this system was finally clean and virus free I went through an amazing number of steps. In retrospect it would have been much faster to simply restore the system to the factory issued state using the built in recovery partition. However, the education was worth it, and I hope you find the journey interesting, too.

As always the utilities from Mark Russinovich at Sysinternals played a huge role in helping sort out what was going on with this system, primarily Process Explorer, Process Monitor, and Autoruns.

Here are the steps I followed:
System File Checker helped restore several files that were corrupted.
Two runs of Malwarebytes and the system was getting a bit less cumbersome to work on.
Ccleaner removed almost 3 GB of trash.
HijackThis showed me that the browser should be operating normally. Hmmm. Something’s still not right, since there are some browser redirects going on. I’d better file that away for later as possible rootkit activity.
There was a version of McAfee Internet Security on the system, but I ran Trend Micro’s Housecall. It came up clean.
I noticed that the McAfee was using between 30-50% of the Atom processor in the netbook and that it was an expired trial version anyway! Time to uninstall it.
Pieces of that darned McAfee remained so it was time to use the McAfee remover.
Then I applied all Windows 7 updates, Service Pack 1, and Internet Explorer 9 which is getting to be a pretty good version. Since all systems should have at least two browsers handy I installed Firefox, too.
I noticed that this system hadn’t EVER been defragmented, so I did that. Then, I defragged the Windows 7 boot files, too.
Next, I installed the free version of AVG 2012 and did a full system scan. I think it’s great that AVG offers a very complete version for free – especially since their paid version is so reasonable. I always encourage my clients to pay for a version. (Disclaimer: I think highly enough of AVG to be a reseller. Contact me to purchase)
Well, the full AVG scan reported that the system driver file netbt.sys was infected with Trojan horse Agent.PSW, but that it couldn’t remove it. (By the way, the full system scan examined over 1 million items.) I tested this file at VirusTotal, where it got mixed reviews, and sent it off to AVG research, too. It turned out that this was the ZeroAccess rootkit.
TDSSKiller to the rescue. It cured this file.
Finally, another full AVG scan that came up clean. Yay!!!

The reasonable bill that the client received was much less than the time I spent on this project. Even expert consultants sometimes end up taking the long way around…



XP Antivirus 2012

Wednesday, January 4, 2012 I received a voice mail: “Jeff I need you. My computer has a virus. Please come ASAP!” Since it was pretty late in the day I made arrangements to come over first thing Thursday. When I arrived I discovered that this system had a case of the disgusting fake antivirus XP Antivirus 2012. What’s really annoying about this particular infestation is its effectiveness in preventing you from running any programs that might be helpful. It does this through some fancy registry editing. It also deactivates all the major antivirus programs. A pretty nasty visitor that can be installed through a single prompt, or even with no prompting at all if you visit a compromised website. This scam, like a number of others, wants to coerce you into purchasing its removal program. Once you pay up, the program stops its fake warning messages. But is it really gone? If you have paid this extortion, please dispute the charge with your credit card company. Rewarding evildoers only encourages them.

Generally, when trying to assess a new security problem one of the first steps is to use a clean system for some research. You will quickly discover a number of things: You aren’t the first to become infected; There is a lot of information about this malady; Other people want to make money off of you, and; While there is a lot of helpful information some of it does not match your specific situation. What this means is that you need to be careful about what information you trust, and be careful about what you do. As a rule of practice I generally ignore the ad sponsored results. Keeping a list of the steps followed and findings can be helpful, too.

In this case I had a couple of good alternatives to clean up this problem: Safe Mode, which helped stop the main executable from running, and System Restore with a good selection of restore points to choose from. The date of the main executable told me when the system was initially infected, so that I could restore from a point prior to that. While a bit tedious, this process went well. Even so, it took about an hour’s time over a three hour period to do the clean up and system scans. I left a thorough scan running when I departed, which would take a couple more hours to run.

As always, having done a little preparation prior to the problem can be the difference between being able to fix the problem and recover the system or being forced to reinstall the system from scratch. Having use of all the built in tools like System Restore as well as a solid disk imaging program is extremely helpful. Please don’t neglect these basics.

This was about my fifth rematch against the XP Antivirus opponent and I was successful in removing it in all cases. However, in one case the end result was a corrupted user profile which required setting up a new user on the system. Still, that was a better outcome than having to reload Windows and all applications on the system.



Another Windows Blue Screen of Death (BSOD)

One of my good clients gave me a call. One of the workstations on their network refused to start. The message was direct and to the point: STOP: C0000218 {Registry file failure} The Registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate. This computer happens to be a Dell Optiplex, and at this time 4 months out of its three year warranty.

I popped by for a look-see and booted from one of my favorite recovery disks, the Ultimate Boot CD for Windows. I use a modified one, but the generic version had the basic tools needed in this case: CHKDSK c: /R, and Registry Restore. There were a number of disk errors on this neglected system. Unfortunately, one of the bad spots was over one of the five registry hive files. The CHKDSK ran for quite a while, but finally finished up. The display from the utility ran about two screenfuls with notes about moving bad clusters to spares. Then the registry was restored from an earlier version and we were back in business. At least for phase one of this project.

So, I ordered a replacement hard drive and discovered that prices had spiked due to the major floods in Thailand where most drive makers have manufacturing facilities.

The next week I came back and cloned the drive with Acronis True Image. Then I sealed the box up and things were running as good as new. Well, as good as that machine could. Unfortunately, this model had just two RAM slots, and each could support a maximum of 1GB for a total of 2GB. Not quite enough to run a mature Windows XP system to the full capacity of the processor. So, I helped them spec out a more current system which should give them a better service life.



Lightning & Thunder, Oh My!

Since moving to outside of New York City from San Francisco in 2000 I have seen more power problems caused by lightning than I did in the previous 25 years. In San Francisco we did not get such great displays as we do here. The show can be really incredible. Originally, I was a bit surprised that this area seemed so “country” and a bit rural. A fair number of power outages, and going back to a dial up internet connection for over two years were a couple symptoms. Power outages have become less common, but can happen in any good storm. The internet connection has gotten a lot better too, and my cable provided service now tests regularly at 30 Mbps download and 5 Mbps upload.

Anyway, last Sunday, 8/21/11, we experienced an especially lively display with flashes and several BOOMS that made you jump due to their closeness. I was expecting it to, but the power never went out, and the lights had one good flicker. The UPSs never started their chirping. All four of them seem to sing in disharmony when we are without power.

As a result of this minor power event two pieces of equipment were damaged. Apparently, this surge came in over the phone line. One of the 1500VA UPSs was being used to shield the phone line. Now there is a phone signal on the input side of the UPS, but nothing on the output side. Also, I had foolishly not shielded the phone line that goes to my Plantronics portable headset. It took a hit too, and the power switch became inoperable with the unit stuck in the “on” position. First, I had a bit of fun looking for the failed phone device among the 9 extensions.

This points out the fact that power surges and undesirable electrical events can come in over a number of avenues: Electrical circuits, the most common; cable coaxial; and phone lines. For the most complete coverage all of the paths need to be protected from surges. Many surge protectors and UPS batteries have the capability to surge protect coax and phone connections in addition to the common one we all take for granted – electrical plugs. Please use power protection before your delicate equipment gets fried. I have reconfigured the perimeter to use a front end surge protector to surge protect the coaxial cable, and the initial phone connection. This is in front of the UPS battery that protects the cable modem and networking router and switch.

You should also remember that the surge protector you use is being used up while it is silently protecting you. These generally have a life of from 3-5 years and should be replaced. UPS batteries get weak, and the protection circuitry can also be damaged so they should be self tested and replaced at intervals too.

As in many things a little bit of advance planning and preparation can save you lots of aggravation and substantial money, too. Please pay attention to these details.



Ignore the basics at your Peril!

Yesterday, I got a call from a client. His neighbor in the office building told him that he could see all his files! Now that was a true kindness because there were several glaring security issues in play and the neighbor wasn’t required to speak up. Most obviously, they were using a wireless router without any security on the wireless. In fact they hadn’t considered that they were using a wireless router since the stations in the office were all wired.

I popped by and quickly upgraded the firmware in the router and set up reasonable wireless security. I chose WPA2 for its quality and wide acceptance. I also changed most of the defaults which is something I always try to do.

There were also a couple of other issues I brought to the client’s attention: default passwords, subnetting, and sharing more than required (in this case the root of the system drive), and a terrible option that Microsoft defaulted XP systems to, “Simple File Sharing”. For those of you who don’t know about simple file sharing, it’s basically sharing without any security. It’s the only choice with XP Home, but you can turn it off in XP Professional. Maybe we’ll address these on a future visit.

Another very happy client. A little surprised at the reasonableness of the bill for the prompt service, quick fix, and free advice about other potential security issues in the office.


Motherboard failure surfaces Windows catch 22s

Sunday, July 3rd was a funny day. First, the phone rang at 9 am. A friend had an offer that I couldn’t refuse: A ticket to the Yankees-Mets crosstown series. I’m not a big baseball fan, but was getting excited to go. He’d pick me up at 10. At 9:10 the phone rang – this time with a client who wanted to work, but his computer, the server in the office wouldn’t start. I raced over there to see if this could be instantly fixed. No soap, so I called my benefactor and begged off of the game. Here, if a client wants to work on Sunday and has problems we support them. That’s one way we provide super service.
I was able to take the hard drive from his AMD based system, put it into an Intel based system and get him going. While I worried that there would be problems, that part went seamlessly. Then I started the push to fix his system. Because of the July 4th holiday I wasn’t able to start that process until Tuesday. The motherboard was out of its three year warranty by a month and the manufacturer wouldn’t cover it, even though an identical system had had a motherboard failure after one year. That’s probably the last time I’ll buy a _______ motherboard. I mail ordered a compatible replacement motherboard so that the CPU and memory could be reused.
It was after I reassembled the AMD based system and fired up the hard drive from the Intel based system that the real aggravation, I mean fun began.

First up was the Blue Screen of Death (BSOD) 0x0000007e, with the first parameter 0xc0000005. When I started in safe mode, however, Windows Product Activation noticed the hardware changes and required immediate activation. Catch 22 #1: Windows cannot be activated in safe mode. Using the Recovery Console I disabled some drivers & services to solve the BSOD as advised by KB330182, without complete success. Then I decided to do a repair install. Now, this step often helps, but in this case it introduced a new wrinkle by reverting to Internet Explorer version 6 from the v8 that was installed. More on that aggravation later. Further research led me to this article that pointed to the intelppm driver. Hey! I had already turned that one off, but the repair install brought it back. Yay, now I got past the BSOD only to run into:

“This copy of Windows is not activated. In order to be properly licensed this copy must be activated.” When you log on in normal startup mode you get prompted to activate now, and the only choice is Yes, because No logs you off. However, the activation process does not proceed. It turns out that activation uses some pieces from IE8, but downloading it is not an option on a system that is forced to run without internet access until it is activated. Thank you, Microsoft! While the clever article quoted above used the scheduler in a novel way, my approach was slightly different. I downloaded IE8 on another computer and installed it in safe mode without getting updates, etc. Once it was installed, I was able to activate Windows in normal mode.

All this fun did take about 5 hours, but really it’s only worth about 1 to the client. Now, I have the satisfaction of passing another course at Microsoft University under my belt.


Havoc Raised by Malware, but Imaging saves the day!

One of my clients clicked on the wrong “OK to let this program update your system” prompt and inadvertently installed the Windows XP Repair Virus. This delightful variant of the fake antivirus extortion scam has the charming behaviors of dimming links on the desktop, emptying the Program Files menu, and disabling Task Manager. Even so, on the surface this doesn’t seem to be a terribly difficult one to remove. A woman in this office is extremely knowledgeable about computers and was working to remove this. Over the course of a day she asked a couple of questions which I was happy to answer, but after spending close to a day trying to remove this malware without success she sent me an email “crying Uncle” and asking me to come in.

Well, this is a very good client and several years ago they had me set up weekly imaging of desktop computers and retaining several generations of image sets for each. This client is using Norton Ghost and some others are using Acronis True Image.  I was able to come in, restore the image over the network to a pre-infection state and leave within an hour!

If you don’t have a backup plan this good please contact us to help you set one up inexpensively.


Malware and Rootkits – Oh My!

A client gave me a call to clean up some major annoyances. Someone in their office had clicked on an innocuous link on a website. You know the kind – Your system has been infected or Boost performance by cleaning your registry. Some look pretty authentic.

Now, their system had a case of the “Windows Security Center” malware! This version looks almost identical to the genuine article found in the XP control panel. This obnoxious window covering a large part of the screen: Can’t be closed, Prevents you from running anything of value and EVEN RUNS IN SAFE MODE! Purchase the fake antivirus software it is touting, and it will remove its fake “your system is infected” notices. What a scam! After some aggravation I was able to remove this scummy software and the system was running somewhat better.

However, it turned out that an even more insidious problem had infested this system. Search results were being redirected to other advertising sites. This system had a nasty Rootkit, win32.tdss.tdl4! Rootkits are difficult to detect, identify and remove because they actively hide their presence. They are invisible to most anti-virus and anti-malware software. This rootkit has these charming behaviors: “It’s a type of malicious software that tries to enable backdoor access to your computer making it more vulnerable and allowing others to manually control your computer via the internet.”, tainted search results & some random pop-ups.

Fortunately, I had a good outcome for this client. I was able to remove the rootkit without further damage to the installed software. The system’s performance has been restored, and with the new memory we ordered it should really fly.


SPAM Email from your compromised account!

SPAM is a huge problem for every email user. It is estimated that worldwide about 97% of email is SPAM, and in the US about 90%! I will leave the subject of filtering out the bad without losing the good email for another time as it is a large subject in its own right. But, what if YOUR ACCOUNT is the apparent source of some of this email? The embarrassment of having this happen will be small in comparison with the feeling of being victimized. This is a mugging as serious as any street crime, but without the bruises and bodily injury they often come with.

Over the last couple of weeks the email accounts of 3 people I know have been compromised. Two people had AOL accounts and one had a Hotmail address. The biggest reasons that a web based email account like this becomes compromised is because of a weak password. A weak password is often Short – under 6 characters, or a common word that is subject to being broken by a dictionary attack.

How can you tell that your account has been compromised as opposed to your email address just being conveniently scapegoated as the sender of SPAM? Probably the single distinguishing characteristic is if these emails are going to people in your address book. If you are beginning to get calls from people in your address book or these emails have an alphabetic group of address book entries, then your account has been compromised. Other evidence is if the emails show up in your “sent” folder.

If your account has become compromised you should immediately change the password to a good one. If possible, you should use a different computer from your main one in case that computer has been compromised too. You should scan your main computer to verify that it is clean of viruses, spyware and malware.

For one of my clients I was able to demonstrate that it was his account that had been compromised and not his computer by analyzing the email header which traces the path of the message. The following is a sample of the SPAM that was issuing from the account:

Hi ********,

As an FYI here is the header from the single “I need your help” spam I received. To let you follow this here are the steps this particular message traveled along the way to me. My markers are to the right and look like 1*, etc.

Headers are accumulated from the bottom up. Each time the message is “handled” a new wrapper is added at the top.

1* The visible headers that we get to see. These are “comment” only and, as you have learned, easily forgeable. This case was slightly more clever than most by not putting the recipients in the To or CC fields, and sending them back to you.

2* Message originated at IP 41.205.174.131 and was given to Yahoo email. As I mentioned on the phone, this IP is in Nigeria, and this particular message was not handled or processed through AOL at all. The only AOL reference here is your email address. The originating IP can also be forged, but that is substantially harder to do.

3* Yahoo passed the message to my email handler, Dreamhost.

4* My SPAM scoring of this message for later automatic disposition.

5* The message was queued awaiting my pickup.

Sorry that your email address was used in this way. Also, note that this is not a strong piece of evidence that your AOL account was compromised. Only, that your email address got into the hands of bad people. A heads up from many people in your address book is better evidence that the account was compromised.

Please let me know if I can help you further.

Best,

Jeff

X-Antivirus: AVG for E-mail
Return-Path: <**********@aol.com>
X-Original-To: ******@********.com 5*
Delivered-To: x10674009@ommail-mx4.g.dreamhost.com
Received: from dieharder.dreamhost.com (fltr-in2.mail.dreamhost.com [208.97.132.72])
by ommail-mx4.g.dreamhost.com (Postfix) with ESMTP id 02F3270826A
for <******@*****.com>; Tue,  8 Feb 2011 10:17:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
by dird.dreamhot.com (Postfix) with ESMTP id F1D7E17BC05F
for <******@******.com>; Tue,  8 Feb 2011 10:17:21 -0800 (PST)
X-DH-Virus-Scanned: Debian amavisd-new at doesboard.dreamhot.com                  4*
X-Spam-Flag: NO
X-Spam-Score:
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-999 required=3 WHITELISTED tests=[]autolearn=unavailable
Received: from wishonastar.dreamhot.com ([208.97.132.72])
by localhost (doesgoodard.dreamhost.com [208.97.132.157]) (amavisd-new, port 10024)
with ESMTP id jvcLqO+zN34u for <******@******.com>;
Tue,  8 Feb 2011 10:17:21 -0800 (PST)
Received: from web8052.mail.md.yahoo.com (web8052.mail.md.yahoo.com [209.191.72.55])          3*
by doesgoodard.dreamhost.com (Postfix) with SMTP id BE87E94020
for <******@******.com>; Tue,  8 Feb 2011 10:17:14 -0800 (PST)
Received: (qmail 96197 invoked by uid 60001); 8 Feb 2011 18:17:21 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1297189041; bh=yJEPBujlm/1RP9i/5glH3McEpcDZxWEyDs4frU5skiM=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=aD9tIzQT/f9IrnqYYS0rdplVvkSe8JdmxhNktRrRv+y+LeqcdqvZlloNkfleQ4E+5vcP5/IXYkBHfBfnTyRKlGR5vbLM1G/Y8MrhkMDSVNWSCSs+c0A7MKmLLtl0PEfUtZJoRSoPvkjaBP7BafaesksE0BiCZ31rhZ3xkb5Jg+Y=
Message-ID: <93435.69149.qm@web02.mal.mud.yahoo.com>
X-YMail-OSG: yQMeRGMVM1mdmgMjzLgNylvoye3i6_1_dg2gRJBgxcTkQfi
CLk1nFO06KLTb5Dy3wf5fnN7qlkAG3ToAv0ZwWO_jSutxuhYi251TWaKXDCf
a8tNrV_H2shRX3CLtIknM4pnKWuvwXl8aJ4FBcBCw4oRd6htQtXa4A1tdE1W
07F36NY_5fs65pZHMjpI_VhNDByDr3lTtt0YsoKhlEtY3v5SaKCOAz.uI45c
_ijNtBpqu8sTtsf8sQ__meWAdsHW6mcTykk0-

Received: from [41.205.174.131] by wb002.mal.mud.yahoo.com via HTTP; Tue, 08 Feb 2011 10:17:21 PST       2*
X-RocketYMMF: whies@s***obal.net
X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.108.291010

Date: Tue, 8 Feb 2011 10:17:21 -0800 (PST)
From: ********  ******@aol.com 1*
Reply-To: ******@aol.com
Subject: I need your help.
To: ******@aol.com

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=”0-804695509-1297189041=:69149″

From: **********  [mailto:*******@aol.com]
Sent: Tuesday, February 08, 2011 1:17 PM
To: ******@aol.com
Subject: I need your help.

How’s your day going? I hope things are going well. Please I need you to help me out with something. Can I get a loan from you urgently? I`ll reimburse you under a week, I promise. I need to solve some personal problems at hand which have been giving me worries. I’d also prefer if we discuss this through email as I’m presently in England for a friend’s funeral. I’m sorry if I didn’t inform you about it, but please try and understand. I had to leave in a hurry on-hearing that the date of her burial was re-scheduled & it seems I can’t access my credit card & bank here in London. I`ll let you know how much I need if you are willing to assist me.

Thanks,

******
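The bottom-up reading of the Received: chain described in the message above can be automated. The following Python script is an added example and is not part of the original post: it parses the Received: headers oldest-first, pulls out the first literal IP in the chain (the point where the message was injected, here the 41.205.174.131 webmail submission) and checks whether any relay actually belongs to the domain named in the From: line. The sample header embedded in it is adapted from the one above, with the masked addresses replaced by constructed placeholders (victim@aol.com, me@example.com) and the hostnames normalised; it only uses the standard library.

```python
"""Trace the Received: chain of an e-mail header, oldest hop first.

Added example, not from the original post. It assumes the raw headers are
available as text; the sample is adapted from the header shown on the page.
"""
import email
import re

# Constructed sample: the page's header, lightly normalised, addresses masked.
SAMPLE = """\
Return-Path: <victim@aol.com>
Received: from dieharder.dreamhost.com (fltr-in2.mail.dreamhost.com [208.97.132.72])
\tby ommail-mx4.g.dreamhost.com (Postfix) with ESMTP id 02F3270826A
\tfor <me@example.com>; Tue,  8 Feb 2011 10:17:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
\tby dird.dreamhost.com (Postfix) with ESMTP id F1D7E17BC05F
\tfor <me@example.com>; Tue,  8 Feb 2011 10:17:21 -0800 (PST)
X-Spam-Flag: NO
Received: from wishonastar.dreamhost.com ([208.97.132.72])
\tby localhost (doesgoodard.dreamhost.com [208.97.132.157]) (amavisd-new, port 10024)
\twith ESMTP id jvcLqO+zN34u for <me@example.com>;
\tTue,  8 Feb 2011 10:17:21 -0800 (PST)
Received: from web8052.mail.md.yahoo.com (web8052.mail.md.yahoo.com [209.191.72.55])
\tby doesgoodard.dreamhost.com (Postfix) with SMTP id BE87E94020
\tfor <me@example.com>; Tue,  8 Feb 2011 10:17:14 -0800 (PST)
Received: (qmail 96197 invoked by uid 60001); 8 Feb 2011 18:17:21 -0000
Received: from [41.205.174.131] by web8052.mail.md.yahoo.com via HTTP; Tue, 08 Feb 2011 10:17:21 PST
From: victim@aol.com
Reply-To: victim@aol.com
Subject: I need your help.
To: victim@aol.com

(body omitted)
"""

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_COMMENT = re.compile(r"\([^()]*\)")


def _strip_comments(text):
    """Remove (possibly nested) RFC 5322 comments such as '(Postfix)'."""
    while True:
        text, n = _COMMENT.subn(" ", text)
        if n == 0:
            return text


def parse_received(value):
    """Split one Received: value into from-host, from-IP, by-host and date."""
    flat = re.sub(r"\s+", " ", value).strip()
    # The sending host's IP sits in the 'from' clause, usually inside a
    # comment, so pull it out before the comments are stripped.
    before_by = re.split(r"\sby\s", flat, maxsplit=1)[0]
    ip = _IP.search(before_by)
    bare = _strip_comments(flat)
    frm = re.search(r"\bfrom\s+(\S+)", bare)
    by = re.search(r"\bby\s+(\S+)", bare)
    return {
        "from": frm.group(1) if frm else None,
        "from_ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "via_http": " via HTTP" in flat,          # webmail submission marker
        "date": flat.rsplit(";", 1)[1].strip() if ";" in flat else None,
    }


def received_hops(raw_message):
    """Return hops in transit order: the bottom Received: header is hop 0."""
    msg = email.message_from_string(raw_message)
    values = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(values)]


def origin_ip(hops):
    """The first hop that names a literal IP is where the message entered."""
    for hop in hops:
        if hop["from_ip"]:
            return hop["from_ip"]
    return None


def relayed_through(hops, domain):
    """True if any relay in the chain is a host of `domain`."""
    domain = domain.lower()
    for hop in hops:
        for host in (hop["from"], hop["by"]):
            if not host:
                continue
            host = host.lower().strip("[]")
            if host == domain or host.endswith("." + domain):
                return True
    return False


def analyse(raw_message):
    """Summarise what the chain says, the way the message above does by hand."""
    msg = email.message_from_string(raw_message)
    hops = received_hops(raw_message)
    claimed = (msg.get("From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    return {
        "hop_count": len(hops),
        "origin_ip": origin_ip(hops),
        "submitted_via_webmail": any(h["via_http"] for h in hops),
        "claimed_sender_domain": claimed,
        "relayed_via_claimed_domain": relayed_through(hops, claimed) if claimed else False,
        "first_relay": next((h["by"] for h in hops if h["by"]), None),
    }


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE)):
        print(f"{i}: {hop['from']} [{hop['from_ip']}] -> {hop['by']} @ {hop['date']}")
    print(analyse(SAMPLE))
```

Run as a script it prints each hop in transit order and a summary. A From: domain that no relay in the chain belongs to is exactly the observation made above by hand: the address was used, but no AOL server ever touched the mail, which points at address harvesting rather than proving the account itself was taken over. Keep in mind that only the hops added by servers you trust are reliable; everything below the first trusted relay can be forged by whoever submitted the message.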
