Archive for the 'Your Company’s Computer Guy' Category

Tales from reddit: Crazy Cat Lady
Published July 14, 2010 in IT, Personal, Your Company's Computer Guy

Make spyware your bitch.
Published October 15, 2008 in Internet, IT, Your Company's Computer Guy

Ever wonder why viruses are so hard to get rid of? I mean, you spent the f’n 50 bucks or whatever on Norton/McAfee/PCTools/whatever... so WHY ARE THESE POPUPS STILL CRUSHING MY SOUL, SYMANTEC SUPPORT TEAM????
I know why.
It’s because those big companies suck, er, are too mainstream to be very effective in a culture where the mainstream software out there is the most easily exploitable angle for anyone trying to subvert your defense against attacks. It really is that simple. Yes, your heuristics analysis engine is doing its level best to detect new attacks as they come in, but there really is no magic killer app out there for preventing cutting-edge (what we call “0-day”) exploits. So, you find yourself with a MOSTLY effective tool against well-defined attacks, but one that is sorely lacking on 0-day defense. Don’t let their marketing fool you. It can take days or even weeks for a new exploit to be fully countered in ANY of the mainstream products out there.
Granted, you still have to have those protections, and this is not a bash against the AV industry in general. But what do you do when you inevitably find Norton has been yet again caught with its pants down, and suddenly your computer has lately taken a keen interest in selling you Viagra or DonkeyLovinCuties.com memberships?
You gotta get out of the mainstream.
There are three very simple tools I use at work, all the time, to get me out of the messes I see every day. There is a more exhaustive list, but these three programs have saved me literally hours of work, and made me a small hero at many offices, time and time again.
Here’s my standard operating procedure, just three small downloads that can save you from, god forbid, calling GeekSquad or some other high-priced horror:
First a small preface, before you get started: Safe Mode with Networking is your friend and ally in this crisis.
“But hey, smarmy tech guy, I don’t know how to get into that mode, and even if I did, I might mess something up!”
Well, that’s not a problem, because I’ll tell you right now. Safe Mode (w/ Networking) is both very easy to access and very safe to use, even for novices. Just shut down your computer, start her back up, and as soon as you see your screen turn on, start tapping F8, until you get the Windows boot menu.
Just use your arrow keys to scroll up until you reach the second choice from the top (Safe Mode with Networking) and then hit Enter. That’s it! Next you’ll see Windows start up in a somewhat tacky-looking but recognizable way, and then just click YES when it asks if you want to start in Safe Mode. Done and done.
Now that you are in Safe Mode with Networking, what do you do? Well, you’ve started in this mode because just starting in Safe Mode alone would not give you any access to the internet at all, and you’re going to need that functionality to get the three programs you need. So let’s go anti-spyware hunting!
- Combofix – this program has been around a while, and though not a fix-all program, I’ve found that it easily surpasses most of the paid programs out there in terms of addressing the more heinous problems I’ve seen. Just look down the page till you see the link for download, then download this puppy to your desktop. Now, ignore it for a minute while we go get the next proggy which will help you.
- SDFix – another direct and very effective program for getting rid of the more obscure mini-atrocities I see every single day. Again, download from the link provided, then forget about it and move on to the pièce de résistance:
- Superantispyware – Free Version – this program with the really bad marketing department and, yeah, a really dull name, also happens to be a very effective program to use, particularly when used in tandem with the first two. It is included last in the list because it is the last program you will use in the cycle. However, I strongly recommend you keep it. Just scroll down the page, download the free version of the program, and then again, forget about it for a minute. Note: there is also a paid version of the program that includes resident protection, but truth be told, it’s not much more effective than something like Adaware 200X Pro.
Now that you’ve got your three juggernauts sitting pretty on your desktop, it’s time to start letting them go to work for you. Start with Combofix: just double-click and agree to the various disclaimers that pop up (yes, there are warnings involved with the use of this program, but I have not had a single experience in which this process failed. Now, it may not have always taken care of the problem in its entirety, but it has NEVER crashed any system I’ve worked on, and we are talking about HUNDREDS of systems). Therefore: double-click, agree to disclaimers, and then just go get a coffee, a crabcake, and a good Rolling Stone article to read, because it’s going to take upwards of twenty minutes for it to go through its various motions. Note: it may ask you to reboot; when it does, to steal a phrase from the marketing geniuses at Selsun Blue, “that just means it’s working.” Just reboot as normal and let it finish the job it has started. Once all is said and done, it will pop up a logfile which will describe everything it has (or hasn’t) found. Since this program has run its course, your final step is to shut down the computer and restart in Safe Mode again, just like the instructions above illustrated. But, all told, that’s the end of step one.
Step two is SDFix. Next verse, same as the first, with a little difference at the beginning. This time, when you double-click the file, it will pop up a little self-extraction dialogue asking you to choose where to dump the working files of the program, i.e. where on your system you want the program to be located. Just click Next and it will send the program by default to a directory called SDFix on the root of your C drive. So once that is done, open up My Computer and simply double-click on the C drive. The SDFix folder will usually appear in alphabetical order along with all the other usual directories (e.g. “Documents and Settings”, “Windows”, “Program Files”, among others). Double-click on the SDFix folder and double-click on the file called RunThis. Again, dialogue boxes will pop up, and a command prompt telling you to choose Y to begin scanning and N to exit the program. Select Y and then see the procedure above regarding coffee, crabcakes, etc. It will take a while, and almost always at the end of the process it will ask for a reboot. Just Say Yes, and then, again, wait a while for it to finish up. Once again, the process ends, we get a log file pop-up, and hopefully by this time a more stable system.
But, um, well, you may still see evidence of problems. It happens, and when it does, that’s when we break out the secret weapon: Superantispyware will almost always clean up all the loose ends. Note: do not restart into Safe Mode again just yet. We need to install Superantispyware from the regular mode of Windows. I’m not sure why, but when installing in Safe Mode I have always gotten permissions errors. I think it’s probably a small glitch in the program, but hey, even pretty girls can have sharp knees, and programs are not perfect either. Anyway, just install the program as you normally would any other, then let it update itself from its own servers. After this has completed, you have two choices: you can then start in Safe Mode to do the scan, or just go ahead and run it. Personally, I just go for it right then, because it usually is able to do the job just fine. Run it, select Full Scan, let it whistle, whir, & wheeze its way about for twenty minutes, and when the job is complete, it will present you with a list of remaining spyware on the system. Just hit Next to get rid of it, and then at this point it will probably ask you to reboot. FOLLOW THIS ADVICE, because it is key: every file that has been identified as troublesome will likely not be able to be deleted until the system is restarted, because of the way locked files are handled in Windows (the deletion is queued and carried out early in the next boot, before the file can be locked again). So, just reboot as normal, and when your PC lurches out of its temporary slumber, you SHOULD have a fully working PC again.
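If you want to see exactly what the scanner has queued for that reboot before you restart, Windows records the locked-file deletions and renames in a single registry value. The script below is an added example, not code from the original post or from any of the three tools; it assumes PowerShell (v2 or later) running as an Administrator and reads the standard PendingFileRenameOperations value.

```powershell
# Added example (not part of the original post): list the file deletions and
# renames Windows has queued for the next reboot, so you can confirm a scanner
# really scheduled its locked files for removal before you restart.
# Assumes PowerShell v2+ running as Administrator on the affected machine.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

$item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host "Nothing is queued for the next reboot."
    return
}

# The value is a REG_MULTI_SZ of alternating source/destination strings.
# Paths carry a '\??\' prefix; an empty destination means "delete source",
# and a destination starting with '!' means "replace the existing file".
$entries = @($item.$name)
for ($i = 0; $i -lt $entries.Count; $i += 2) {
    $src = $entries[$i] -replace '^\\\?\?\\', ''
    $dst = ''
    if ($i + 1 -lt $entries.Count) {
        $dst = $entries[$i + 1] -replace '^\\\?\?\\', ''
    }
    if ($dst -eq '') {
        Write-Host ("DELETE   {0}" -f $src)
    } elseif ($dst.StartsWith('!')) {
        Write-Host ("REPLACE  {0}  ->  {1}" -f $src, $dst.Substring(1))
    } else {
        Write-Host ("RENAME   {0}  ->  {1}" -f $src, $dst)
    }
}
```

If the list is empty after the scanner asked for a reboot, the cleanup was not actually queued and the scan is worth re-running after the restart.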
You’re welcome. /obligatory Nick Burns catchphrase
Now, what-if scenarios abound here that I’m not going to get too deep into, but I’ll mention a couple that have dogged me in my time as a field tech.
- What if the process completes, but it’s the same as before? In that case, you have two options. Either take it to a pro, someone like me who can actually manually edit your registry hive, and seek out the uncommon .dll and .tmp files in your system32 directory that have slipped past even these stalwart response programs. It’s rare but it does happen, and when it does, it’s usually too much for a novice to handle. At the very least you can say you practiced due diligence before handing your money over to some geek with bad breath and low social ability. The other option is to run the whole process again. For some reason, it just seems to work; I guess that since you have just gotten rid of some of the more obvious things, a second round of scans can sometimes pick up extra goods.
- What if something goes wrong during the process, and one of the scans doesn’t complete? That’s usually not a problem, just start over from step one, and the next time should be the charm. If that still doesn’t work, then, again, you probably have acquired a piece of malware that simply doesn’t have an easy fix, or you might have a broken piece of spyware in the system that is locking up the “catchme scanners” – the realtime in-memory malware locators that are the central reason these programs work so well. This scenario is RARE, and when it does happen, you can rest assured that when you call a tech to help you out, your money will be well spent – just try to spend it on a local company though, as opposed to the big box stores, because chances are, you’ll get a better deal and a better technician.
- What if when you start Combofix or SDFix, you can’t even get these programs to run at all in Safe Mode? This is something I DO run into a bit, and it usually just means that you have a piece of malware that includes a scanner blacklist. It’s like an antivirus program for viruses that comes along with the malicious code. To simplify: your particular virus/spyware may have within it a separate process that is constantly screening defensively for files that are known to be capable of destroying it. When this happens (and it does), it will stop you from running that program at all, but the fix is usually amazingly stupid simple: just rename the file you are trying to run – if combofix.exe won’t start, just rename it to combofix2.exe, and chances are you will have gotten around the blacklist. Likewise for sdfix.exe and superantispyware.exe. Some of these programs may have blacklisting enabled, but in my experience it is a piss-poor implementation, and one that can easily be thwarted.
So give it a shot. You can turn that frown upside down!
Caveat: this tutorial is only approved (as yet) for Windows XP machines running SP2 or above. I do not recommend using Combofix or SDFix on Vista as yet, as there are still some kinks to be worked out in my experience, but Superantispyware DOES work just fine in all flavors of Vista, so just start with it if you have Vista. Thanks for reading and if you find any of this useful to you, consider donating to this blog, but if you don’t care to do that, at least give me some comments on how this worked out for you, and I’ll try to keep new procedures up to date in the future.