Wednesday, July 28, 2004
Insidious Technical Crud
A while back I mentioned a laptop that will not respond to ctrl-alt-del at the login prompt screen for XP Pro. I still haven’t solved that, or nuked it by wiping and reinstalling the machine, which is pending.
You hit ctrl-alt-del and the screen just sort of blinks at you. In safe mode, it works. Ditto for the login prompt in command prompt safe mode. I was getting a funky RPC (remote procedure call) error at some point after logging in, in either of the safe modes I mentioned, but that seems to be gone after much futzing around and killing potential sources of trouble. I never needed to use shutdown -a, or whatever the command is, to abort the RPC shutdown.
The problem began when the user, who is on DSL now and is insane to have AOL of any kind installed, apart from AIM, installed an AOL upgrade.
Quick! Any thoughts before I whip out the magic fdisk WMD?
I have not been back to Google for the problem recently. The things I found that seemed promising either turned out not to be applicable, or not to work at all. I may check that again, in addition to booting from the XP CD and attempting a recovery.
On a slightly different note, I fought with malware on another laptop, this one borrowed by the same user. The time I devoted would have been enough to fdisk and reinstall, and I ended up not being able to defeat the CoolWebSearch variant that afflicted it.
As it turns out, the guy who bravely and generously made cwshredder has given up on doing any further updates, so there exist CW variants that cannot be removed short of heroic, highly technical efforts, some of which I did not go so far as to try. Or by fdisking. Or, as one site described, replacing the registry with an old backup.
The fascinating thing was Ad-Aware kept finding it, in the form of one file and five registry entries, and removing it. After rebooting, it would be back, despite all the ordinary means for something to return at startup being absent. I tried removing the file in command prompt safe mode. I tried replacing it with an innocuous file of the same name. Going through info on the web regarding many variants of CW, I was finding nothing there to fit. The one I did not end up pursuing before I had to go home was the winsock variant, which sounded nasty.
Another fascinating thing was what I found after Ad-Aware cleaned up. You delve into these things enough and you can tell when there are files that don’t belong, that could have been placed there as part of malware, or spawned to create new instances and make it harder to kill. Ad-Aware doesn’t necessarily see those, active or not. I wiped out dozens of bogus DLL, EXE and DAT files in the windows and system32 directories. What I look for is those extensions, with a recent file date, crazy file names, and several with the same date and size. It’s a dead giveaway when you turn the computer on, say, on July 20, only for a little while to work on the malware problem. Then on the 26th you see a bunch of files with names like uim6x9mt.dll, dated the 20th, with identical sizes. No doubt a binary comparison would find them identical. Purged many of those, to no avail.
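The manual triage described above (same extension, same day, same size, junk names, probably byte-identical) can be scripted. This is an added example, not part of the original post: it groups DLL/EXE/DAT files in a directory by modification day and size, hashes each group to confirm the copies are identical, and flags random-looking names. The directory, file names and contents are constructed stand-ins for system32 and the malware's drops.

```python
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict

SUSPECT_EXTS = (".dll", ".exe", ".dat")

def random_looking(name):
    """Heuristic: a 6-10 character stem mixing letters and digits, like uim6x9mt.dll."""
    stem = os.path.splitext(name)[0]
    return (re.fullmatch(r"[a-z0-9]{6,10}", stem, re.I) is not None
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_clusters(directory, min_files=2):
    """Group DLL/EXE/DAT files by (modification day, size) and report groups of
    min_files or more; a hash check confirms whether the copies are byte-identical."""
    groups = defaultdict(list)
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.lower().endswith(SUSPECT_EXTS):
            st = os.stat(path)
            day = time.strftime("%Y-%m-%d", time.localtime(st.st_mtime))
            groups[(day, st.st_size)].append(path)
    clusters = []
    for (day, size), paths in sorted(groups.items()):
        if len(paths) >= min_files:
            names = sorted(os.path.basename(p) for p in paths)
            clusters.append({"day": day, "size": size, "files": names,
                             "identical": len({sha256_of(p) for p in paths}) == 1,
                             "random_names": sum(map(random_looking, names))})
    return clusters

def build_sample_dir():
    """Constructed stand-in for system32: three same-day, same-size clones with junk names plus one ordinary file."""
    d = tempfile.mkdtemp()
    stamp = time.mktime((2004, 7, 20, 12, 0, 0, 0, 0, -1))  # constructed timestamp
    clone = b"\x90" * 512  # constructed stand-in for the dropped file's contents
    for name, body in (("uim6x9mt.dll", clone), ("kq3zv8ae.dll", clone),
                       ("x7bnm2rt.dat", clone), ("ntdll.dll", b"MZ" + b"\x00" * 1022)):
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (stamp, stamp))
    return d
```

Pointed at a real system directory, `find_clusters` only surfaces candidates; a legitimate patch can also drop several same-day files, so check each cluster's names and hashes before deleting anything.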
Since it was not my place to reinstall the borrowed laptop (and I didn’t have any of the accompanying software), I returned it to the user and cautioned him to use Firefox, which I installed, instead of IE. Doing so kind of defeats the purpose of CW, even if it remains on the system. I left it for the owner of the machine to be made aware of the problem and act on it as he saw fit.
This stuff is really getting out of hand.