Do I have a virus?
Symptoms
For a couple of weeks, from time to time, the Windows XP SP3 PC has been freezing and the user is being bumped out of programs.
From time to time, Symantec.cloud reports it has “Blocked” a “High-Risk Intrusion Detected” (once on my bench, I figured out it happens twice, every time the user logs in).
Task Manager shows an svchost.exe is leaking memory
First actions
Check Symantec Health, Update and Full Scan – No items found, analyze history
MSCONFIG – nothing unusual is listed
System Restore back a month – Did not help
Thoughts
The Symantec warning is really just reporting that it is doing its job. (Hmm, but inbound web traffic is always a response to an outbound request.) Plus, now it’s repeatable each time the user logs on. The memory leak could be one of a half dozen Windows issues, not to mention an indication of a virus. The memory leak could be causing the performance issues… err. A couple of weeks ago, Symantec reported that it found, blocked and removed “A program that was behaving suspiciously.” OK. I am going to look for malware until that memory leak and inbound “Block” go away.
I will use all free utilities and software, here…
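Before reaching for the scanners, it helps to pin down which svchost.exe is growing and which services it hosts. This is an added PowerShell example, not part of the original post; the sampling interval and growth threshold are assumed values, and because a kernel-mode rootkit can hide from in-OS tooling, a clean result here does not rule one out.

```powershell
# Added triage script (not from the original post): sample the working set of every
# svchost.exe twice, a few minutes apart, and report which one grew and what it hosts.
param(
    [int]$IntervalSeconds = 300,   # assumed: five minutes between the two samples
    [int]$GrowthThresholdMB = 20   # assumed: flag any svchost that grew by this much
)

function Get-SvchostSample {
    # Returns a hashtable of PID -> working set (bytes) for each running svchost.exe
    $sample = @{}
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $sample[$_.Id] = $_.WorkingSet64
    }
    return $sample
}

function Get-HostedServices([int]$ProcId) {
    # Map a PID back to the service names it hosts (same data as "tasklist /svc")
    Get-WmiObject -Class Win32_Service -Filter "ProcessId = $ProcId" |
        ForEach-Object { $_.Name }
}

$first = Get-SvchostSample
Start-Sleep -Seconds $IntervalSeconds
$second = Get-SvchostSample

foreach ($procId in $second.Keys) {
    # A PID only present in the second sample started during the wait; skip it
    if (-not $first.ContainsKey($procId)) { continue }
    $growthMB = ($second[$procId] - $first[$procId]) / 1MB
    if ($growthMB -ge $GrowthThresholdMB) {
        $services = (Get-HostedServices $procId) -join ', '
        $line = "svchost PID {0} grew by {1:N1} MB; hosts: {2}" -f $procId, $growthMB, $services
        Write-Output $line
    }
}
```

A leaking svchost that hosts no service at all, or one whose hosted services look unfamiliar, is worth a closer look with Process Explorer before any cleanup.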
My approach
Process Explorer – short of the leak, all looks normal
Hijackthis – looks ok
Internet Explorer – Restore Default settings and Delete all personal settings and data. Empty the Recycle Bin.
Run Disk Cleanup – select all options. Helps to increase the speed of scans.
Eset Online Scan – would not run
TrendMicro HouseCall – 2 items removed. issue continues
Malwarebytes – 55 items removed. issue continues
SpyBot – 1 item removed. issue continues
Windows Update fails
More thoughts
OK. I am pretty sure this is a virus, but nothing is detecting/killing it. I am about four hours in and know I could just Format, reinstall everything and configure in less than eight. Other than the memory leak, the system is pretty stable. And Windows hasn’t really been “broken”. If stuff like System Restore, Task Manager and Control Panel were not working, I would Format… But what the heck, I think I can fix this. I will look for another couple hours.
Next actions
Created a new Local Admin and logged in to see if the bad guy was associated with the user’s profile – No help
GMER – identified Rootkit TDL4. Gotcha, sucka!
Use Symantec Backdoor.Tidserv Removal Tool (FixTDSS.exe) to remove rootkit – Successful! Run again, and it is gone! No more memory leak! No more Symantec alerts!
System Restore – Disable System Restore, then re-enable to clean out any possibility of anyone else restoring the malware
Windows Updates installed. And Updates and Updates until there are no more…
System File Checker – Go to Start, then to Run, and type in “SFC.EXE /SCANNOW”
Run Windows Update again – no new items found
CCleaner Free – re-run until no items found
Ad-Aware Free – no items found. Remove Ad-Aware
Run catchme.exe – no items found
Run mbr.exe – no items found
Run Power Eraser within Symantec Endpoint Protection Support Tool – no problems
Check the health of Symantec software with Symantec Endpoint Protection Support Tool – all good
System Restore – Create a good restore point
Run Hijackthis and compare – rootkit doesn’t appear before or after…
Deliver to user
Have her change her system password and any other passwords she has used in her recent web travels on this machine!
Rootkit Defined – from Wikipedia
A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer.
Typically, an attacker installs a rootkit on a computer after first obtaining root-level access by exploiting a known vulnerability. Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms. Although rootkits can serve a variety of ends, they have gained notoriety primarily as malware, hiding applications that misappropriate computing resources or steal passwords without the knowledge of administrators and users of affected systems. Rootkits can target firmware, a hypervisor, the kernel, or—most commonly—user-mode applications.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem.
Rootkit, kicked your ass!
Free ZIP Utility
Free and without gimmicks. Highly Recommend 7-Zip
I really like the Right Click menu additions:
And handles lots of format choices.
Data Recovery
If you have a lost partition or strange problem with your hard disk partitions, run TestDisk to recover your data. TestDisk can also undelete files from FAT, NTFS, exFAT and ext2 filesystems. To recover your lost digital pictures or lost files, try PhotoRec.
Password recovery
BIOS setup can be password protected. You can get back your password with CmosPwd.
(Personally, I would go for the password reset jumper.)
Thank you www.cgsecurity.org
iTunes tips and utilities
Sync your Android phone to iTunes.
Grab the Desktop client application at www.doubletwist.com, then install the doubleTwist Android app on your phone. Hook ‘em up and good to go. Sync and make playlists too!
thank you MaximumPC
RIP Steve Jobs
Excel Slow to Open Network Files
After you install MS11-021 and the Office File Validation (OFV) Add-in for Office 2003 (KB 2501584), workbooks stored in a network location open slower over the network in Excel 2003 than they did without the OFV installed. The decrease in performance depends on the size of the workbook and bandwidth of the network and in some scenarios can seem to hang Excel.
Fix is here: http://support.microsoft.com/kb/2570623
I actually ran the above fix, then I got an error that OFV.msi had to be found. So I had to complete the installation with OFV.exe, then run the OFV Add-in Fix again. All better now!
Who killed the fake-antivirus business?
By Ed Bott | August 29, 2011
Summary: The fake-antivirus business was a big money-maker in the first half of this year. Then, at the end of June, fake-AV products practically disappeared from the web. Was it technology, or does traditional law enforcement deserve the credit?
The fake-antivirus business went from boom to bust in record time.
3.8L Coolant Leak
2002 Pontiac Grand Prix with 3.8L Series II SFI OHV V6
EATING ANTI-FREEZE!
Well known issue with these. The Upper Intake Manifold Gasket melts in close proximity to the EGR stove pipe allowing coolant and oil to get in bad places. My upper was leaking, but the Lower Intake Manifold Gaskets were a mess!
For about a month, it was eating antifreeze. I kept topping it off, until the inevitable, it overheated. Water started pouring from broken Upper and Lower Heater Bypass Pipes (Video) and oil mixed with the antifreeze through the intake gaskets. For the first time, it was now running rough. Feared the worst.
After a good compression check, I replaced all the gaskets from the lower intake manifold on up, the water pump, plugs and wires. Fired right up! All good! AHOO!
Parts:
Redesigned Lower Intake Gasket Set from GM 89017816 ($65 dealer)
Improved Design Upper Intake Manifold and Gaskets from Dorman 615-180 ($130 autozone)
Dorman Heater Pipes 47065 ($5 autozone)
Heater Adapter O-Rings 24502375 ($10 dealer)
Tips:
Disconnect the wire harness from the ICM before running a compression check!
To replace the water pump, you must remove the power steering pump. Not the PS pulley! (Video)
Do not use Carburetor Cleaner on the throttle body and Emission Sensors! They make special cleaners for the throttle body and MAF Sensor.
Wish I had used a little Permatex on the Heater Pipe O-Rings. They weep a little.
The upper and lower gaskets go on without dressing! Just a dab of Gasket maker in the corners of the lower (above and below).
The UIM comes with a new vacuum port and o-ring, but it felt loose to me. I added the old o-ring to the upper shoulder to snug it up to the manifold.
Step by Step help at www.AllDataDIY.com
Very happy with this fix. About 75 people read this post every day. Give me some feedback! Did I help?
Most Valuable Blogger
Vote for DailyTweak as Most Valuable Blogger 2011.
Takes just one click and no registration required. Won’t even ask for your email address.
Thank you!
You can vote more than once. Once each day, through September 9.
Ford Freestyle Surge
The National Highway Traffic Safety Administration is investigating the Ford Freestyle for complaints that it surges forward at low speeds.
From AutoWeek.com: More than 200 complaints have been lodged about the issue, alleging that the Freestyle jumps forward at low speeds even when the accelerator isn’t pressed.
NHTSA is investigating about 170,000 Freestyles in model years 2005 through 2007. So far, 18 crashes have been attributed to the issue, with only one minor injury, according to the agency.
Example of my issue… as I would pull into a parking space, I would be rolling in with my wheel turned and my foot covering the brake. As I turn to straighten into the spot, it would lurch forward. Not good! It became obvious that any turn of my wheel, at idle, would goose the RPM.
Easy fix… the mechanic explained… there is no cable connecting my gas pedal to the throttle. It is an electronic signal. A flap in the throttle body was sticking and the computer was getting confusing data. A light cleaning of a little carbon build up did the trick. He warned you shouldn’t physically force the flap open and closed, but a spray cleaner and gentle touch got it to move freely.
Best Free Antivirus
The Best Free Antivirus Software from PCMag.com
Editors’ Choice: Ad-Aware FREE Internet Security 9.0
My Malware Removal scribble
Another chart I check, from www.virusbtn.com
MP Navigator scan failed
Installed MP Navigator from the Canon PIXMA MP830 setup CD on a Windows 7 workstation. The first error indicates I need a driver. Go out to Canon’s site, download and install the driver. Now the good one… Launch MP Nav to Scan and get a “scan failed” error. Simple fix:
Identify the twain_32 folder on your system. Example C:\Windows\twain_32.
Find the subfolder for the device that isn’t working. Mine is c:\windows\twain_32\mp830.
Edit your Environment Variables and Add a New System Variable named Path.
No reboot required.
Free EASEUS Partition Management Tool
Windows has its own built-in partition management tool, but sometimes you need a tool that’ll handle a sequence of changes or copy bit-by-bit one partition (or disk) to another.
Sorry, 64-bit and server versions are not free
Right Click crashes Windows
Free fix for you
Something in your Context Menu is locking you up when it tries to display. Download and run ShellExView. Sort the list by Type and look at the items listed as Context Menu. Disable anything related to a recent install. One of the items in the list is screwing you up. Trial and error will narrow it down. At first, assume Windows and Microsoft items are not the problem. In my case, HP Instant Printing was locking me up.
ALLDATAdiy.com is awesome!
By spending $26, ALLDATAdiy.com saved me $1000!
ALLDATA is the leading source of Professional Automotive Diagnostic and Repair Information used by 75,000 repair professionals.
The pros pay $2100 for this, but car owners can get access to their specific car for $26! It’s got step-by-step instructions to fix just about anything, WITH diagrams! Better yet, it gives you all the Letters, Notices and Recalls associated with the repair you are looking up! Pep Boys wanted $1000 to replace the catalytic converter on a 9-year-old car. On ALLDATAdiy.com, I found a GM Notice informing me there was a defect and GM would cover the cost of replacement for up to 10 years! AHOO!
Corrupted Registry prevents XP from Starting
So infected I can’t boot?
Avast! Rescue Disc can scan and clean any Windows installation, including one on a drive removed from another PC. No other product I’ve seen can do that. Its cleanup wasn’t the most thorough, but it would probably be sufficient to revive a system rendered unbootable by malware.
First, I would try System Restore from Safe Mode – Command Prompt. Found elsewhere in this blog.
Lock down Windows configuration
Windows SteadyState helps you keep shared computers in a school computer lab, an Internet café, a library, or even your home running the way that you want them to, even when many people regularly use them.
Note: As of December 31, 2010, Windows SteadyState is no longer available for download through Microsoft. Microsoft will continue to provide support until June 30, 2011. After that, support will be limited to the resources that are listed in the “Related Resources” section of their support article linked below.
Microsoft Support Article on SteadyState
Download SteadyState 2.5 from cnet
A few alternatives: Faronics Deep Freeze costs $45 per PC for a one-year package. HDGUARD takes a more hard-drive-centric approach to the problem, from $34 per PC.