Dealing with what creeps and crooks put on your computer

“Hi, Dad,” said elder daughter Elizabeth on the phone,* “could you come over and look at my computer?” Well, I knew right away that she wanted me to do more than just gaze at the monitor, keyboard, mouse, or case. “The guy at Roadrunner thinks there's spyware on it.”

*A dramatization. Actually she typed it
on IM to younger daughter Kaydee
who passed the message to me.

Indeed there was.

I showed up with a little SanDisk Cruzer 1GB drive in my pocket, plugged it in, and installed some applications. I started by pulling the network cable to take the machine off the Internet so that I could remove the Kerio Personal Firewall (too chatty, in my opinion) and Avast's free antivirus application (entirely too odd an interface). I replaced these with the free Zone Alarm firewall from ZoneLabs and the free version of Grisoft's AVG Antivirus. Then I plugged the network cable back in.

Whatever had taken over the computer made sending or receiving e-mail impossible and also eliminated website access.

People who install these things generally want to do so without raising suspicion. They want to use your computer, but they want you to be able to use it as if everything was normal. This is true whether the crook wants to send spam from your computer or steal your information. Either way, I was dealing with somebody who wasn't too bright.

Next I loaded Spybot Search & Destroy, Spyware Blaster, Spyware Guard, Codestuff's Starter, and Crap Cleaner. Some of the applications picked up indications of problems and either removed them or directed me to them so that I could remove them. Using the Task Manager, I also identified some suspicious processes and eliminated them.

In the final analysis, the solution involved using System Restore to move the computer back in time two days. And after about two hours, the computer seemed clean. I headed for home.

That wasn't the end of it.

Another phone call began with “The antivirus program says a file is infected.” Usually that's not a big deal; you have the antivirus program delete the file and that's the end of it. “But when I tell the program to delete the file, it says that it did and then it tells me the same file is infected.”

Uh-oh. That means the idiot who wrote this particular Trojan, even though he wasn't smart enough to make the program get out of its own way, was at least smart enough to run a service that made it possible for the application to regenerate itself after it's been deleted.

I did some Internet research on the file name and came up with a list of files needed to correct the problem. The thing had taken over the Internet connection again, so Elizabeth couldn't download the files. I downloaded them, e-mailed them to Elizabeth, and had her start the long process that was supposed to fix the problem.

Ninety minutes later, things appeared to be going badly. “Reboot once again,” I said. “You'll probably see another virus warning from AVG. I'm on the way, but if you don't get an error message, call me and I'll turn around and go home.” There was no call.

During the time I'd been guiding the operation by phone, I had also been conducting additional research on the problem. I knew we were looking for something that ran as a service and I knew that would make getting rid of it difficult. The machine would have to be running in safe mode and I would have to identify and stop the process.

As it turned out, additional applications suggested by many of the antivirus sites weren't needed. All that was needed was a little patience, the ability to figure out how the creep's software worked, and time. About three hours.

Looking for the problem behind the problem.

The visible part of the problem was “rdriv.sys” in the windows\system32\ directory. Delete the file and it immediately returned. So I started by turning off System Restore. Yes, this is the service that had saved the day previously, but at this moment it was not my friend.

I ran MSConfig and disabled all services and all startup applications. Then I rebooted the computer.

With Windows running in normal mode, I started the Registry Editor (RegEdit). I was looking for any instance of “rdriv” or “wscsvc”. This is a bit more tricky than it sounds because the letters “rdriv” occur in a lot of Registry keys. I needed to be certain that the ones I deleted (after exporting the key to a file, of course) were ones that had something to do with “rdriv.sys”.

Because the rogue service was no longer running, I could delete windows\system32\rdriv.sys and it would stay deleted!

I ran MSConfig again and re-enabled all but two of the services and all but two of the items listed in StartUp. These were the ones I suspected as the cause of the problem.

This time rebooting the system created no warnings from AVG, but I ran a full scan anyway. The scan found one additional infected file that AVG deleted. It has not, so far, returned, but it's a file that I had found and deleted the previous day.

As the scan was running, I started Internet Explorer and visited WindowsUpdate.Microsoft.com and, as the site updated its ActiveX application (not a good sign because that particular update happened quite some time ago) I checked Automatic Update in the Control Panel. Updates were turned off! Not "download and advise", but OFF. How did this happen? I don't know and neither does Elizabeth. She and I both remember that I turned it on after installing Service Pack 2. I can't find any online description of malware that turns off Automatic Updates, but that's possibly what happened.

Lots of critical updates had been missed.

Thirteen critical updates were waiting to be installed. I ran those, rebooted again (no virus warnings again), and then downloaded some new driver applications.

The machine is now scheduled to check for updates every day, to check for antivirus updates every day, and to do a full virus scan every day.

This time I think the problem is solved. But my fingers are still crossed.

Where did it come from and what did it want?

Finding the source of the infection wouldn't be easy and probably isn't possible. The two most likely sources are Instant Messenger and a rogue website. Elizabeth and Rusty use Gaim instead of AOL's Instant Messenger application. Because a lot of security patches were missing, I'm inclined to think it was a rogue website – maybe one that was the result of mistyping a URL or maybe a link in an e-mail message.

I'm not sure what the author's intent was, either. The malware had a "backdoor" component, so it made the computer available for use by somebody else. Given the quality of work evident in the malware, the backdoor component probably didn't work.

Starter

What applications are starting when your computer starts? When you log on? How are they starting? These are just a few of the questions you might have about applications that start automatically. Other questions you might have include: How can I keep some of these applications from running? If I stop an application from running, how do I start it again if I decide that I need it? CodeStuff's Starter answers all these questions.

Starter reveals and allows you to manage all the programs that start automatically Windows boots. You'll see items that are started with Registry entries as well as those in the Startup Folder, either your Startup Folder or the one for all users.

You can temporarily disable an application if you're not sure what it does. Or, if you're absolutely certain that the application is something you don't want to start with Windows, you can delete an entry. There's no documentation with the program, but it's really not needed anyway.

	Here's a list of everything that starts when the computer starts. By selecting one of the categories on the left, I can narrow down what's displayed to applications that are started in specific ways (Registry, Startup, and even win.ini).
	If I select one of the entries, the status bar at the bottom of the frame provides information about the application.
	And if I want to know more, I can have Starter show me the file's properties.

Technology corner rating for CODESTUFF STARTER

9 CATS: Starter is an outstanding tool to use if you want to stop an application that starts whenever Windows starts and you're not sure how to turn it off. It's also useful for those who are nosey enough to want to know what's going on. Oh – it's also free.

How the Technology Corner rating system works.

Canada must be larger than I thought

I received (at the Technology Corner address) this week an offer for various medicines at "My Canadian Pharmacy". But, as it turned out, My Canadian Pharmacy is in Sofia, Bulgaria. Maybe. That's where the domain registrar says the domain holder is located, but that may not be the case.

Click the image for a larger view.

That's the problem with spam. If you click a link that claims to be from Canada, it might really go to a website in Bulgaria or China. And the owner of the website might actually be in Viet Nam, Australia, the United States, or Libya.

You're foolish if you click on any link in any spam because the spam is, by definition, a lie from the outset. I followed the link (which may make me, by definition, foolish) but I wasn't planning to buy anything. I wanted to find out something about the outfit.

What do you receive if you place an order with "My Canadian Pharmacy"? It's anybody's guess. You might receive a generic equivalent drug, but – because most of the drugs these folks advertise have no generic equivalents – you'll probably receive a placebo that's designed to look like the medication you ordered.

If you're lucky, you'll receive a placebo that's in a counterfeit package. But you might also receive a forged medication that's stronger or weaker than the real product. Or you might receive something that's truly dangerous. If you're taking the medication for something serious, any deviation from the real thing would be dangerous.

What else might happen? Identity theft is a possibility when you're dealing with spammers. Additionally, the website could be booby trapped with spyware that exploits a browser bug. There's no way to know. As far as I'm concerned, spam gets deleted without question.

For your amusement.

(VIEW LARGER IMAGES BY CLICKING THE SMALL IMAGES)

	MyCanadianPharmacy claims accreditation, but ...
	... if you click any of the logos, you're not taken to VeriSign or to the Better Business Bureau. You may think that's where you are, but open the larger version of the image at the left and notice the URL in the title bar.
	The "About Us" section tells about the "pharmacy" and about the doctors. In both cases, the text is badly written.
	The site says "Dr. Jack Poppins studied reanimatology at Ontario Medical State University in 1969." Perform a Google search for "Ontario Medical State University" and you'll find exactly 2 references: Both are on the MyCanadianPharmacy website. What the writer seemed not to know is that Canada has provinces, not states. The site also says "Dr. Paul Newman graduated from the faculty of psychiatry of the University of Ottawa." Better guess this time. The University of Ottawa exists and even has a medical school.
	This document is represented to be the organization's "Drug Reselling Licence" but it lists the state of Ontario as the issuing authority. A Google search for +"ontario health and safety code" +"division 104" found nothing. "The license is required by law to immediately notify the Department of Health Services," but the Oxford Canadian Dictionary reveals that Canadian English makes a distinction between "license" and "licensee", so "license" is a spelling error. A search for "Department of Health Services" turns up no references in Ontario, but a search for the "Ministry of Health Services" does. And finally, the form uses both "licence" and "license". Both spellings are accepted in Canada, but not within a single document.
	Where exactly is 1592 Wilson Ave, Toronto, Ontario? The website operator selected a believable location. It seems to be an address in the Sheridan Shopping Mall, just off highway 401 (a major road) and not far from the airport. Do you think "MyCanadianPharmacy", licensed by the "state" of Ontario, and operated by a "doctor" who attended a medical school that doesn't exist, is located here? It may be, but the operators have already stretched the truth just a little too far for my comfort .

I asked a friend who lives in Toronto about the address. "What a ratty part of town! Just north of there is Jane and Finch, the really scary part of the city. The address they give seems to be in a strip mall right beside the Sheridan Mall. Stores with adjacent addresses include a video store, a tattoo place, and a Jamaican savings and loan. I'm guessing the address they give is a cheap office above one of those stores."

But wait, there's more!

Later in the day, I heard from other Toronto residents. Here's what I learned:

• You're correct that Ontario Medical State University does not exist, and never has.
• The only medical schools in Ontario are at McMaster U. (in Hamilton), Queen's U. (in Kingston), the University of Western Ontario (in London), the University of Toronto, the U. of Ottawa, and the Northern Ontario School of Medicine, which is a brand-new joint venture between universities in Sudbury and Thunder Bay.
• Ontario does have a Ministry of Health, not a Department of Health. Ontario's ministries used to be referred to as departments, but that's outmoded usage.
• Here's something that those characters overlook: in Ontario, you can't operate a pharmacy unless you're a pharmacist.
• Dr. Poppins (wonder if he thinks a spoonful of sugar helps the medicine go down in the most delightful way?) claims to be the founder of the Canadian International Pharmacy Association. Turns out that there is such a body. The outfit claims to certify online pharmacies. MyCanadianPharmacy isn't listed.
• The Better Business Bureau in Kitchener, Ontario, has checked into complaints related to this outfit. The investigations were both "closed as unpursuable. Company cannot be located. Mail returned and phone disconnected." See here.
• They don't even get their postal code right: the code for 1592 is M3L 1A3. The code they give, ending in 1A6, seems to link up to the beer store at 1718 Wilson Avenue.
• As a practicing Ontario physician, I can assure you there's no Ontario Medical State University.
• The "certificate" has a watermark logo from Ontario County. Interestingly, there used to be an Ontario county in the province of Ontario until it was adsorbed into the Regional Municipality of Durham in 1972.

Nerdly News

Firefox hits 100 million as Flock (almost) arrives

The Mozilla Corporation says 100 million people have downloaded Firefox as the browser approaches its first anniversary (November). That's more that expected, but Firefox still has a tiny bit of market share compared to Internet Explorer. And now another niche player is approaching launch: Flock.

More about Flock in a moment. Firefox's success is attributed to volunteers who have been part of the "Spread Firefox" community. Their efforts set a new standard for viral marketing. The group is expected to remain busy later this year when Firefox 1.5 is released. (Soon.)

Flock is another cross-platform browser that's being marketed heavily by bloggers even before it's released. If you know the right people, you can download a copy of Flock now, even though it's only at version 0.4.9 (yes, that's still a long way from version 1.0).

What does Flock look like? It looks a lot like Firefox, really. That may be because many of the developers have worked on Firefox. Some primary differences that Flock brings to the table: Bookmarks are stored on-line instead of on your computer and this means that you have access to other people's bookmarks, Flock deals with RSS feeds (of course), blogging is a built-in function of the browser (which makes commentary, sharing, and community easier to achieve). And that's just the beginning.

At pre-0.5 version, this is still an application with a lot of shortcomings. But it's also an application with a lot of promise. If you want to take a look, first keep in mind that "This preview ain't for the faint of heart! If you're the bleeding-edge type and don't mind a few scrapes and busted knees from time to time, feel free to give it a whirl." That's what the developers have to say, but they're looking for input from real users. "We've got interesting ideas in this thing. We want to know what we've done right how we could improve. And we've got a lot of work ahead of us!"

So if you want to take a look, visit the Flock website.

Open Office 2.0 "ships"

If it's just a downloadable product, can it ship? If the the version 1.9 beta code doesn't differ a lot from the version 2.0 code, is it a big deal? Is Microsoft concerned that a "free" office suite is nearly as good as Microsoft Office?

If you're on a dial-up connection, you probably won't want to grab the 75MB download of Open Office 2.0 but if you like the idea of open-source code, visiting www.OpenOffice.org might be on your to-do list.

OpenOffice is what we've been waiting for. Earlier versions were buggy and slow, but version 2.0 is impressive. I wrote the article above ("Dealing with what creeps and crooks put on your computer") with a late beta version of OpenOffice. The full 2.0 release offers advanced XML capabilities and native support for the OASIS Standard OpenDocument format.

OpenOffice is finally "good enough". I've used it occasionally for a few months and it's a good alternative to Microsoft's suite. I've also seen Microsoft's plans for the next version of Office and they blow OpenOffice away. But if you need basic word processing and spreadsheets, Open Office has everything you need.

For details, visit http://www.openoffice.org/.

Let us know what you think. Write to:
Bill Blinn --
Joe Bradley --

Have a question? Ask it and you might pick up a prize for stumping the chump. Send your question to . And ... good luck!

Privacy Guarantee:

I HATE SPAM and will not sell, rent, loan, auction, trade, or do anything else with your e-mail address. Period.

Is this information useful?
If so, consider making a contribution, please.

Joe

(Photo by Sally)

Bill

(Photo by Scampi)

As if you didn't already get enough weather on the radio!

If you do not see a Weather Underground banner above and you use ad-blocking software, please set your application to allow images from "www.wunderground.com" to appear.

This is the only ad you'll ever see on this site. It's for my website host, BlueHost in Orem, Utah. Over the past several years, they have proven to be honest, reliable, and progressive. If you need to host a website, please click the banner below to see what BlueHost has to offer.

TechByter Worldwide receives a small advertising payment for each new client that signs up with BlueHost but I would make the same recommendation even if the affiliate program didn't exist. (If you don't see a banner ad above and you would like to know more, this link takes you to BlueHost.)

Annoying legal disclaimer
My attorney says I really need to say this: The Technology Corner website is for informational purposes only. Neither Joe nor I assume any responsibility for its accuracy, although we do our best. The information is subject to change without notice. Any actions you take based on information from the radio program or from this website are entirely at your own risk. Products and services are mentioned for informational purposes only and their various trademarks and service marks are the property of their respective owners. Technology Corner cannot provide technical support for products or services mentioned on the air or on the website.