Righteous Wrath Online Community

General => Tech Chat => Topic started by: Thorin on April 09, 2010, 11:15:30 AM

Title: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 09, 2010, 11:15:30 AM
I came in to work this morning to find my manager stuck with a laptop that is locking up and not booting three out of four tries.  Fun.  So now I'm running hardware tests and will be running virus scans if the hardware is fine.  Remember my thread about what antivirus to recommend at work?  Yeah, they "haven't decided yet".  I'm biting my tongue, trying not to say, "I told you so", until I actually find a virus.

Anyway, looking online for possible troubleshooting guides for the problems this laptop is experiencing, I came across this rather well-written checklist: http://ask-leo.com/my_computer_locks_up_and_wont_boot_what_do_i_do.html.

The cool part is the guy wrote it backwards, starting at a successfully booting Windows and working backwards to a completely dead machine.  It reminded me how quick most IT guys are to dive into checking the hardware, before checking just how far the computer is getting.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Tom on April 09, 2010, 11:20:03 AM
Quote from: Thorin on April 09, 2010, 11:15:30 AM
I came in to work this morning to find my manager stuck with a laptop that is locking up and not booting three out of four tries.  Fun.  So now I'm running hardware tests and will be running virus scans if the hardware is fine.  Remember my thread about what antivirus to recommend at work?  Yeah, they "haven't decided yet".  I'm biting my tongue, trying not to say, "I told you so", until I actually find a virus.

Anyway, looking online for possible troubleshooting guides for the problems this laptop is experiencing, I came across this rather well-written checklist: http://ask-leo.com/my_computer_locks_up_and_wont_boot_what_do_i_do.html.

The cool part is the guy wrote it backwards, starting at a successfully booting Windows and working backwards to a completely dead machine.  It reminded me how quick most IT guys are to dive into checking the hardware, before checking just how far the computer is getting.
I'm probably guilty of that sometimes.. But most times I only start looking into hardware first off if it's not even making it into the OS, or if it is, and locks up with obvious HW errors (IRQ_NOT_LESS_OR_EQUAL or what have you, and memory errors). In fact I've had to scold myself several times for not even thinking to look at the hardware, and spending too much time trying to figure out what is wrong with a perfectly good OS and software install.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 09, 2010, 12:46:36 PM
So I told my manager, "Told you so".  He's got 39 reported infections so far, although a bunch of them are copies of a handful of trojans.

Yeah, so I started off thinking the hardware was bad, when it turns out it's really just a simple THEY DON'T USE ANTIVIRUS PROGRAMS.

The particular trojan that sticks out as probably having started it is Katusha, found mostly in his internet temp folder.  So it was a drive-by.  They've already spent more on my hours today for trying to fix this than a three-year subscription to AVIRA would've cost.

Ever hear the expression, "Penny-wise, but pound-foolish"?
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Lazybones on April 09, 2010, 01:32:15 PM
FYI I noticed that the Kaspersky sold retail in futureshop has a licence for 3 PCs, not just one....

Any one of the previous recommended AV solutions would be a good idea.... Do you guys take software to clients ? Wouldn't that be great to show up with infected media!
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 10, 2010, 03:03:49 PM
That's nuts Thorin, makes me wonder what they're using that laptop for as well ;)
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Tom on April 10, 2010, 03:07:44 PM
Quote from: Mr. Analog on April 10, 2010, 03:03:49 PM
That's nuts Thorin, makes me wonder what they're using that laptop for as well ;)
If the patches aren't kept up on, it's likely the computer was automatically infected the moment it connected to the LAN and/or the internet.

I once accidentally started up an XP SP3 install (sans firewall) and WHAMO, instant infection. And by instant, I mean within seconds, to maybe a couple minutes (close enough to instant to qualify for me).
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 10, 2010, 10:42:04 PM
Oh yeah, direct connection to the net will get an XP machine hit within minutes (if not seconds) though for the variety of uglies it sounds like were on this PC I'd wager there was more than a bit of crapola downloadin' from less than trustworthy sites.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 10, 2010, 10:58:49 PM
Dunno about the patching, I'm still trying to remove the rootkit and the trojans and the worms and the spyware and the exploit code that was found on it.

Yeah, Lazy, that particular laptop is a manager's laptop so it doesn't normally see software for clients.  But still...

Wanna know the latest?  My ESET firewall has been recording ARP Cache Poisoning Attacks (http://www.watchguard.com/infocenter/editorial/135324.asp) emanating from one of the workstations.  Basically, that means that someone has gotten through to our LAN and is now able to record all network traffic, plus they'll be able to remotely control the machine at will!  Woohoo! Maybe it's just a false positive.

I feel like just disconnecting the network cable from my workstation and buying a Rogers mobile internet stick...

Oh, and I'm a developer not the network admin.  Why am I the one discovering all this?!
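An independent way to cross-check an ARP cache poisoning alert like the one in the post above is to look at the ARP table on an affected machine for one MAC address answering for several IPs. This is an added example, not part of the original thread; the `arp -a` sample and every address in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output; all addresses are made up.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.50 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.30          00-aa-bb-cc-dd-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; header and interface lines are skipped."""
    return [(ip, mac.lower(), kind.lower()) for ip, mac, kind in ROW.findall(text)]


def shared_macs(entries):
    """Map every MAC that answers for more than one unicast IP to those IPs.

    A poisoned cache typically shows the gateway's IP resolving to the same
    MAC as some workstation. Proxy ARP and multi-homed hosts can also share a
    MAC, so a hit is a lead to investigate, not proof.
    """
    by_mac = defaultdict(set)
    for ip, mac, _kind in entries:
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue  # broadcast and IPv4 multicast entries are expected
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before, after):
    """Return {ip: (old_mac, new_mac)} for IPs whose MAC changed between snapshots."""
    old = {ip: mac for ip, mac, _kind in before}
    return {ip: (old[ip], mac) for ip, mac, _kind in after
            if ip in old and old[ip] != mac}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ips in shared_macs(table).items():
        print(f"{mac} is claimed by {', '.join(ips)}")
```

Comparing a snapshot taken from a known-good state against a later one with `changed_bindings` shows whether the gateway's MAC has moved, which is the change a firewall alert of this kind is reporting.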
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Lazybones on April 11, 2010, 12:25:33 AM
Quote from: Thorin on April 10, 2010, 10:58:49 PM
Oh, and I'm a developer not the network admin.  Why am I the one discovering all this?!

Can you count the staff in your office using your fingers and toes? That's why... I worked for two employers where there were only a handful of staff.. I started out as a developer and migrated over into being a jack of all trades.. I eventually migrated all the way over to network support.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 11, 2010, 01:08:02 PM
Ick, the story just keeps getting better doesn't it?

Hopefully you're happy doing this (it sounds like you are to me heh).
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 11, 2010, 08:05:09 PM
No, I'm not particularly happy doing this work.  In my office I can count the employees on my hands, but the company has one- and two-person offices spread around North America.  One of those offices is a couple of networky-types that build custom ruggedized touchscreen devices for us.  It's supposed to be their job, but they're clearly not interested in checking our LAN.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 11, 2010, 09:41:29 PM
If it isn't your job and you hate doing it... ???

I think you secretly like doing it ;)
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 11, 2010, 10:07:34 PM
Knowing that something needs to be done because no one else is doing it and actually liking doing it are two different things.

For instance, I absolutely despise digging rotten food out of the sink, but if I don't dig it out, that food'll just stay there and stink up the house.  I didn't put it there, and I'm constantly telling people not to put their dirty dishes in the sink, but they don't listen and it ends up there.  So I have a choice - live with the stink of rotten food permeating the house, or clean up other people's mess.

No, it's not my job, but the people who should be cleaning up the network are not doing their job.  And I don't want the delivery of infected software stinking up my reputation as a developer.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 12, 2010, 06:46:47 AM
You've talked to them I take it?? Does Martin know what's going down? Does it get in the way of your actual tasks?

It just seems stupid and unfair actually.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 12, 2010, 10:57:41 AM
Quote from: Mr. Analog on April 12, 2010, 06:46:47 AM
You've talked to them I take it?? Does Martin know what's going down? Does it get in the way of your actual tasks?

You know me, I'm good at making noise.  Yes, I've been telling them since I started that they need to run proper, licensed, paid-for antivirus software.  Ever since the other guy quit (the developer who preferred to work on hardware), I've been making sure to say I'm not going to be the new hardware guy (especially what with me sitting in his old desk).

Martin and Jason both know (Martin being my project manager, Jason being the director of software development) what's going on.

Yes, it's gotten in the way of my actual tasks.

An' yeah, as much as I don't want to do this, I know it needs to be done at the moment, and I really really don't like the idea of us delivering software that could have various infections pre-loaded in it.  That's the kind of thing I would leave a company for.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 12, 2010, 05:42:35 PM
So AVIRA AntiVir found 54 items related to about 20 viruses, trojans, worms, exploits, and a rootkit.  Unfortunately their Rescue Disk had some run-time exception that caused it not to fix anything.  ESET Nod32 found 19 items, although it bunched things together.  It missed the rootkit, though.

After running these two, the machine was supposedly clean, but still locked up randomly and wouldn't run Disk Defragmenter.

Enter Trojan Remover (http://www.simplysup.com/) from Simply Super Software!  It found the rootkit, disabled it, and found the other trojans that had been stealthed by the rootkit.  Suddenly, Disk Defragmenter started working and the laptop stopped locking up.

So there's a new one for you all to use, once you've been infected.  There's a 30 day trial, but it's pay for use.  It did what it advertises - found rootkits and trojans and disabled/deleted them.  And it did it quickly.  Four and a half minutes, then a reboot, and it was done.  I'm pretty sure it doesn't scan files for viruses as you access them, though, so a good virus scanner is still required.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Melbosa on April 12, 2010, 06:16:35 PM
Another good one for the trojan, spyware, and rootkit stuff has been MalwareBytes.  We've used it numerous times at work, and it usually can clean a system while the offender is even in active ram, which we are very impressed with.  No requirement for that Safemode boot.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 12, 2010, 06:20:33 PM
Man, that Chinese curse "may your life be interesting"? Thorin's picture right next to it.

Sorry to hear about all the headaches buddy, we can pummel those in with some sweet, sweet MSG on Friday though!
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 12, 2010, 11:48:47 PM
MSG, thy will be mine!
For I have missed a taste of thine,
Since squirreled in the hinterlands.
I shall eat thee with mine hands!

Or maybe chopsticks.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 13, 2010, 06:38:04 PM
Quote from: Thorin on April 12, 2010, 11:48:47 PM
MSG, thy will be mine!
For I have missed a taste of thine,
Since squirreled in the hinterlands.
I shall eat thee with mine hands!

Or maybe chopsticks.

LOL!!
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 13, 2010, 07:23:30 PM
Quote from: Mr. Analog on April 13, 2010, 06:38:04 PM
Quote from: Thorin on April 12, 2010, 11:48:47 PM
MSG, thy will be mine!
For I have missed a taste of thine,
Since squirreled in the hinterlands.
I shall eat thee with mine hands!

Or maybe chopsticks.

LOL!!

I thought you might like that :)  Damn, I can taste it already...

Quote from: Melbosa on April 12, 2010, 06:16:35 PM
Another good one for the trojan, spyware, and rootkit stuff has been MalwareBytes.  We've used it numerous times at work, and it usually can clean a system while the offender is even in active ram, which we are very impressed with.  No requirement for that Safemode boot.

Now you tell me!  Just kidding :)  Trojan Remover is specifically meant to catch stuff that's running and active, also no booting into Safe Mode.

Speaking of Safe Mode, apparently you can stop an XP computer from booting into Safe Mode by deleting the following registry key:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
If this is missing, booting into any kind of "Safe Mode" causes a Blue Screen of Death, because Windows tries to read it and can't and doesn't know what to do next.  And of course, one of the pieces of malware on the laptop had removed this key.  Thank god I found a fix on Didier Stevens' blog (http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/).

Funny how this post transformed from being about an article that I found well-written to surprising things that malware can do these days.
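After a cleanup like the one described in the post above, the SafeBoot key can be checked from a registry export before anyone needs Safe Mode in an emergency. This is an added example, not part of the original thread and not code from the linked blog; it assumes the export covers the `Control` key and has already been decoded to text, and both sample exports are constructed and heavily abbreviated.

```python
# Registry key names are case-insensitive, so paths are compared lower-cased.
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
MODES = ("Minimal", "Network")  # the two standard Safe Mode subkeys

# Constructed, abbreviated sample of a healthy export.
HEALTHY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"
"""

# Constructed sample of a tampered export: Minimal is gone, Network is empty.
DAMAGED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network]
"""


def exported_keys(reg_text):
    """Return the lower-cased key paths declared in .reg text.

    Headers of the form [-KEY] are deletion directives, not keys, and are skipped.
    """
    keys = set()
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and not line.startswith("[-"):
            keys.add(line[1:-1].lower())
    return keys


def safeboot_report(reg_text):
    """Return (missing_keys, entries_per_mode) for the export.

    missing_keys lists SafeBoot paths absent from the export; entries_per_mode
    counts the driver/service subkeys under each mode, because an emptied mode
    key deserves the same attention as a deleted one.
    """
    keys = exported_keys(reg_text)
    required = [SAFEBOOT] + [SAFEBOOT + "\\" + mode for mode in MODES]
    missing = [path for path in required if path.lower() not in keys]
    counts = {}
    for mode in MODES:
        prefix = (SAFEBOOT + "\\" + mode + "\\").lower()
        counts[mode] = sum(1 for key in keys if key.startswith(prefix))
    return missing, counts


if __name__ == "__main__":
    print(safeboot_report(DAMAGED_EXPORT))
```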
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 13, 2010, 10:15:28 PM
That's actually pretty handy there, thanks!
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Tom on April 14, 2010, 02:42:50 AM
It's for stuff like this that I wish the wiki was still open. There's been the occasion that I wanted to write some Linux related stuff (network tuning, KVM/LVM/RAID setup) some place, and I don't have a private wiki atm, so no place to put any of it.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Melbosa on April 14, 2010, 09:09:50 AM
If you want access, let me know, as the wiki still exists.  https://wiki.servuit.com

I have it open to many for updating.  There is Linux, Windows, Games, etc all in one place ;)
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Tom on April 14, 2010, 11:51:28 AM
That's the problem, I'd have had to ask... Normally it's not worth the trouble ;) But sure I'll take an account.. and bookmark it so I remember the address...
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Melbosa on April 14, 2010, 02:47:04 PM
PM me a username and password ;)
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Darren Dirt on April 17, 2010, 12:44:24 PM
Quote from: Tom on April 14, 2010, 02:42:50 AM
It's for stuff like this that I wish the wiki was still open. There's been the occasion that I wanted to write some Linux related stuff (network tuning, KVM/LVM/RAID setup) some place, and I don't have a private wiki atm, so no place to put any of it.

related "how to clean yer infected compyooter" thread:
http://pokerforums.fulltiltpoker.com/how-to-clean-your-computer-of-keyloggers-spywares-t100021.html
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on April 21, 2010, 12:14:21 AM
Hah, they finally decided to buy antiviral software!  We are now (well, will soon be) the proud new owners of ESET Smart Security 4.  Hopefully I never have to fix another laptop again.

Of course, someone's gotta manage uninstalling all the old, expired, no-longer-updating antiviral scanners and firewalls and spyware finders.  I DON'T WANT THAT TO BE ME.

But yeah, I was surprised as hell that they actually listened.  Maybe I should tell them about this new technology called "backups", and how off-site backups are used by EVERYONE ELSE BUT US.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Tom on April 21, 2010, 12:05:16 PM
Quote from: Thorin on April 21, 2010, 12:14:21 AM
Hah, they finally decided to buy antiviral software!  We are now (well, will soon be) the proud new owners of ESET Smart Security 4.  Hopefully I never have to fix another laptop again.

Of course, someone's gotta manage uninstalling all the old, expired, no-longer-updating antiviral scanners and firewalls and spyware finders.  I DON'T WANT THAT TO BE ME.

But yeah, I was surprised as hell that they actually listened.  Maybe I should tell them about this new technology called "backups", and how off-site backups are used by EVERYONE ELSE BUT US.
Most people don't understand how important it is till they lose all their data :( so good luck trying to push that through :(
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Mr. Analog on April 21, 2010, 08:13:59 PM
So funny story (http://isc.sans.org/diary.html?storyid=8656) about McAfee...

I always knew Windows was a virus!
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on May 31, 2010, 11:25:28 AM
Great, so they've bought a license of ESET Smart Security for each computer at the office, and about half of the computers now have it installed (the rest of the people just don't want to, I guess?).

So now one of 'em keeps getting popups.  I narrowed it down to one or more of the following three Browser Helper Objects:

  voguecash
  adshothlpr
  moigh

So I disabled them and told her to run a virus scan.  Of course, BHOs don't show up in virus scans.  But I don't want to be Tech Support, so I'm just giving a quick instruction and then getting the hell back to my desk.

Anyway.  Maybe they should force everyone to run under non-privileged accounts so that no new software could be installed.  But that's not for me to decide, otherwise they'll consider me responsible when something else goes wrong.

Sitting at the desk of the developer who used to do all the in-house tech support apparently means I'm expected to do in-house tech support.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Tom on May 31, 2010, 11:40:56 AM
Suggest they run a malware or spyware scanner. Like Spybot or something similar.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Thorin on May 31, 2010, 12:28:42 PM
I've been telling people Trojan Remover (http://www.simplysup.com/) and Malware Bytes Anti-Malware (http://www.malwarebytes.org/mbam.php).  Both of those have worked well for me recently.

My post was more just whining about their lack of desire to employ or contract an actual sysadmin/netadmin to do this kind of work.
Title: Re: Nice article about What To Do If Your Computer Locks Up
Post by: Tom on May 31, 2010, 12:33:32 PM
Quote from: Thorin on May 31, 2010, 12:28:42 PM
I've been telling people Trojan Remover (http://www.simplysup.com/) and Malware Bytes Anti-Malware (http://www.malwarebytes.org/mbam.php).  Both of those have worked well for me recently.

My post was more just whining about their lack of desire to employ or contract an actual sysadmin/netadmin to do this kind of work.
Ah. Yeah that would be whine worthy.