Wednesday, February 10, 2010

The tale of the HP Pavilion, part 2.

After Alexa's HP desktop computer got a brand new power supply, I expected the computer to be a happy piece of machinery for a long time to come. (Ref. The tale of the HP Pavilion, below) But I was wrong. Last Friday I got another phone call from Alexa, and she told me that the computer had got a bad virus and was now impossible to use. I offered to help once again, and went over to her house last Saturday.

I have always run some sort of antivirus software on my computers, everything from expensive (and overpriced?) Norton, to good freeware like AVG and Avast. This has probably saved me from ever having to deal with any really bad virus infections. But Alexa definitely had a virus or some bad malware running. Pop-ups telling me that the computer was infected kept appearing, and if I clicked them, a window opened telling me that the computer was being scanned, and recommended that I buy some kind of software. These were of course fake alerts generated by the virus, so I never clicked the link. I don't know what you could actually find there, but probably nothing that could solve this problem. IE also kept popping up from time to time, telling me where to find and buy adult entertainment. Nice...

The fake antivirus popups seemed to come from a little icon in the notification area, so there was obviously some process going on. I tried to find out more about it, but no matter what I tried to run, MRT (Malicious Software Removal Tool), Task Manager, search, etc., I just got error messages telling me that the process was infected and could not be executed.

I suspect that there had been no working antivirus software on the computer, so after getting the virus, Alexa had bought and downloaded some software. But the install was corrupted, probably because of the virus, and the application would not start. So I went round and round with the antivirus software and different anti-malware software for a while, both in safe mode and normal mode. Some of them could not be installed in safe mode, while others could be installed but would not perform scans in safe mode. Back in normal mode, the applications were corrupt and would not start. At last I managed to install Malwarebytes and perform a full scan, but it didn't find anything.

So I took the HP back home, and started looking carefully into it. Without a network connection it took a while for the virus to start, so I got Task Manager opened and took notes of the processes running. After the virus started sending pop-ups, I discovered a process named "xydisftav". I didn't find any information online, but both Jenn and I agreed that this seemed suspicious, so we stopped the process. That seemed to halt the virus, so I did a file search, and found the file xydisftav.exe under C:\Documents and Settings\user\Application Data. The file got deleted, and I was happy to see that the pop-ups didn't show up again. The virus was gone!

I decided to put some kind of basic antivirus on the computer, but the AVG download process caused me two BSODs and I don't like the Avast user interface, so I decided to go with Avira AntiVir, a lightweight free antivirus application that has a decent interface and, according to online sources, does a good job. For the next few days, I let the computer run day and night, performing various virus and malware scans. In the end nothing more was found, and a happy Alexa could stop by and pick up her computer again. The poor HP has had some unfortunate experiences lately, but I hope life will treat it better now, and that I won't have to see it again for a while.

Bjørn Sveigdalen

Monday, February 8, 2010

Malware and slow bootup

One of my concerns when it comes to my computers is the bootup time. Sometimes when I have borrowed other people's computers (particularly laptops, it seems) I have come across machines that take several minutes to boot up and load Windows. I don't know why this annoys me so much, but I guess the combination of impatience and seeing a poorly maintained system might be the reason. Bootup isn't supposed to take that long, and it can be a sign of an overfilled hard drive or that something is wrong with the installation.

My IBM T43 has always had a fairly quick bootup, and I have always made sure to take action if any change I make seems to affect the bootup time. If it does, I take a quick peek into msconfig/Startup to see if some strange process has suddenly been added to the list. So far, the thing that has affected the bootup time the most is actually my AVG antivirus, especially the upgrades to newer versions. But I guess that's the price to pay for being up to date. New antivirus applications are created to take advantage of newer computers' increased processing capabilities, to offer the best possible protection. Which means that older computers, like my T43, get a harder time dealing with these applications.

But I shouldn't complain. It only takes 70 seconds from when I push the button and turn the T43 on until I see my desktop with the icons. When my XP installation was new it did the same in 40 to 50 seconds, but after going through a whole bunch of upgrades, installations and uninstallations over 3 years, 70 seconds is still not too bad.

So what happened last weekend really gave me a headache for a while...

My wife was using the T43 when she suddenly lost internet access. It later turned out that our Packet8 phone modem caused that, but we didn't know that then. Jenn does IT support and computer troubleshooting for a living, so she knows what she's doing, but this time she had to deal with a computer that had menus in Norwegian. So instead of disconnecting from the wireless network, she ended up disabling the T43's wireless card. It took me a while before I figured out why I couldn't see my wireless connections anymore, but I got it enabled again and did a reboot. Then I suddenly noticed that the T43 took forever to reboot. Between 2 and 3 minutes would be my estimate. Wow, what had happened?

Usually, the root cause of a problem is the most recent change you have made to the system. Could a bad driver cause Windows to look for my wireless card as a missing hardware component? After trying to update the driver, I realized that could not be the case. So I took a quick peek into msconfig/Startup, and noticed there were a couple of new entries there. Most of the names don't really explain much, so I did an online search for all of them. A site that returned good search results was bleepingcomputer.com, and I identified two entries as "Undesirable programs". These two were ld08 and mstre18, pointing to the ld08.exe and mstre18.exe files in the C:\Windows folder. The ld08 is described as a Trojan that displays fake antivirus messages.

The actual .exe files were no longer in the Windows folder, so I have no idea if they have ever been there at all. I suspect they have been there at one point, even though I have never had problems with fake antivirus popups. But as soon as I unhooked these two startup items, bootup was back to its old speed, and maybe even slightly faster than it has been for the last two months or so. Windows apparently spent time looking for these two files, and that caused the slow bootup.

If you are curious, and want to check this on your own computer, the Startup Items menu is found by opening Run (Kjør) and running the command msconfig. The window named System Configuration Utility will appear, and you select the tab Startup. My startup list contains 39 items, of which 8 are now disabled. But be very careful! Some of these are processes needed to make your computer and operating system work. So make sure to do a search, with the search text msconfig, followed by the name from the column Startup Item. An example of a search term from my computer is "msconfig syntplpr". SynTPLpr is a process needed to make the T43's touchpad work, so this can not be disabled. In my case, the search results from bleepingcomputer.com gave me the answers to what the items were, and whether they should be disabled or not.
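An added example, not from the original posts: a PowerShell script that does the same startup check from the command line and flags the two patterns described above, an entry whose file no longer exists (like ld08 and mstre18) and an entry that runs from the user's Application Data or Temp folder (like xydisftav.exe). It assumes PowerShell 2.0 or later and the standard Run/RunOnce registry keys; the status messages are my own wording.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0+ on Windows.
# Lists the Run/RunOnce registry entries, which msconfig's Startup tab also shows,
# and flags the two situations described in these posts: an entry whose file is
# gone (an orphaned item Windows still hunts for at boot) and an entry whose file
# lives under the user's Application Data or Temp folder.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$userData = @(
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    $env:TEMP
) | Where-Object { $_ }

# Pull the executable path out of a Run value, which may be quoted and may
# carry arguments, e.g.  "C:\Program Files\Foo\foo.exe" /background
function Get-ExePath([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')   # unquoted: up to first .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        $exe = Get-ExePath ([string]$p.Value)
        $status = 'ok'
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            $status = 'MISSING FILE: orphaned entry, safe to disable'
        } elseif ($userData | Where-Object { $exe -like ($_ + '\*') }) {
            $status = 'runs from a user data folder: look the name up first'
        }
        New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Exe = $exe; Status = $status }
    }
}
```

Pipe the output to Format-Table to read it; as in the post, look each flagged name up before disabling anything marked "ok", since legitimate drivers like SynTPLpr also live in these keys.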


Bjørn Sveigdalen