Get Reliable Online Malware Advice

Usenet will always be the best place, for many, to look for help. The true geeks hang out in the forums there, because Usenet (or its predecessors, the dialup bulletin boards) has been around since before the Web.

The attractions of Usenet are several.

  • Easy access. Anybody with a computer, and either a newsreader (like Forte Agent or Mozilla Thunderbird), or with a browser and access to Google Groups, can access Usenet. Many people have no idea where Google Groups started.
  • No authenticated registration or identity verification required. Just read and write. Or just write (as the trolls and spammers will do).
  • No obligations incurred. You can write what you wish, and nobody will ever hunt you down in person to discuss your mistakes.

And that, in short, is the problem with getting advice from Usenet without researching each forum carefully.

If you have a malware problem, you absolutely need reliable advice. Ask for help in Usenet, and you may well get advice from one of the trolls that hang out there. For reliable malware analysis and removal, get advice from a reliable forum which requires identity verification. All such forums are web accessed, require authenticated registration (which is generally free), and should let you see the posting history of the helpers.

These are but 7 of the forums which help with malware in general, and HijackThis logs in particular. There are several others, too. You may find still more on your own. I will describe my favourites, 3 of the above 7.

BBR Security Cleanup has a very dynamic mix of helpers. With BBR Forums (of which the BBR Security Cleanup Forum is but a part), the experienced helpers there, like those in the other forums, are registered (and thus have verifiable identity). With BBR Forums, though, there's a much wider range of expert knowledge; and with the helpers being registered, you can cross-reference all previous posts made by each helper. So it's easy to note which helpers are more trustworthy, and have more complete knowledge of what they write. To start asking for help in BBR Security Cleanup, you will do well to start with their FAQ: Mandatory Steps Before Requesting Assistance.

By comparison, I have watched SpywareInfo develop over the past few years. They have a management structure there, with a training and certification process, and very professional behaviour. It's not a place for frivolity or flaming, so anybody fearing Usenet (everybody posting to Usenet gets flamed eventually) need not fear SWI Forums. SWI Forums is very narrowly focused on malware detection and removal, and they do a very good job of both. To start asking for help in SWI Forums, you will do well to start with their FAQ: How to remove spyware or a hijacker.

And Tom Mercado has been working with security for a good while, and is well known in the above forums. In TeMerc's Internet CounterMeasures, Tom offers a personalised approach, with same day response on HijackThis logs.

Whichever forum you choose, though, note that each forum has procedures which they want you to follow, which help the helpers there interpret your log accurately and consistently. That's to everybody's benefit. So be very diligent - read, and follow, the instructions they provide.

Work with the helpers, and they will work with you.

LSP / Winsock Analysis Using "netsh"

The LSP / Winsock component in the Internet Protocol network stack is complex. It's used by the Windows OS, and by malware and anti-malware alike, to allow, and to affect, your access to the network.

Problems with the LSP / Winsock layer can be a lot of fun to diagnose. Generally, the problem is termed "corruption", and you are urged to use any of several tools / procedures to simply reset it. But what if you suspect a problem, but a simple reset isn't possible? Or what if you want to make an educated decision about a problem, or to help somebody else do the same?

If the operating system on your computer is Windows XP with Service Pack 2 (which is where you should be for so many reasons), Microsoft has provided a native Windows command, "netsh". This command is one of the procedures used to reset Winsock.

A variation on the netsh Winsock reset provides an inventory of Winsock. In this case, please DO NOT type, into a command window:

netsh winsock reset catalog

but instead type:

netsh winsock show catalog

To create text to be posted online:

netsh winsock show catalog >c:\winsock.txt
notepad c:\winsock.txt
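As an added example (not part of the original post), here is a Python script that reads the text file produced above and lists the catalog entries worth a second look: layered providers, and provider DLLs that live outside the Windows system directory. The field layout of the sample dump is assumed from XP SP2-era netsh output, and the sample itself is constructed, not taken from a real machine.

```python
import re

# Constructed sample of "netsh winsock show catalog" output (XP SP2-era field layout assumed).
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        Example LSP over [TCP/IP]
Provider Path:                      C:\Program Files\ExampleVendor\example_lsp.dll
Catalog Entry ID:                   1030
Protocol Chain Length:              2
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*\S)\s*$")
# Where Microsoft's own Winsock providers normally live (lower-cased for comparison).
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def parse_catalog(text):
    """Split the catalog dump into one dict of field -> value per provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2)
    return entries

def review_entries(entries):
    """Return (catalog id, description, reasons) for entries that deserve a closer look:
    layered providers (chain length > 1) and DLLs outside the system directory."""
    findings = []
    for e in entries:
        reasons = []
        if int(e.get("Protocol Chain Length", "1")) > 1:
            reasons.append("layered provider")
        if not e.get("Provider Path", "").lower().startswith(SYSTEM_DIRS):
            reasons.append("DLL outside system32")
        # A hit means "go and check this file"; legitimate security software also installs LSPs.
        if reasons:
            findings.append((e["Catalog Entry ID"], e["Description"], reasons))
    return findings
```

Feed it the contents of c:\winsock.txt and each flagged entry gives you a catalog ID and a DLL path to research before deciding on a reset.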

The DNS Server Settings On Your Computer

Domain Name Services, or DNS, is a critical service on almost all Local and Wide Area Networks. DNS is used for host name to IP address resolution of all Internet hosts, many WAN hosts, and may be used for address resolution of LAN hosts too. DNS resolution is so important that Windows supports configuration of 2 DNS servers in basic IP configuration; with more work, you can define even 3 or more DNS servers. Many NAT routers will let you define up to 3 DNS servers.

Any time you try to access a server on the Internet, and get "server not found" or "unknown host", check your DNS server settings. Run "ipconfig /all", and look for the DNS servers entry, such as:

DNS Servers . . . . . . . . . . . :

The DNS server sequence is important. When DNS resolution is needed, server #1 is queried first. If server #1 is busy or otherwise unavailable, server #2 is used in that query, and in all subsequent queries. Once server #2 has been needed as a backup to server #1, server #1 may not be used again until you reset the computer or router. This behaviour is not consistent, though; some DNS clients may always try DNS server #1 first, then #2, and finally (if defined) #3.

If you're researching a problem where the symptoms indicate a DNS issue, and the problem isn't consistent between computers, compare the DNS server settings on each computer.

If the DNS servers in the sequence don't all have comparable ability (availability, capacity, connection to a higher level DNS server), you can get into a situation where the next server in the sequence is used, and won't provide consistent service. Resetting the DNS client, generally by restarting the computer or router, after DNS server #1 is returned to service, is the normal recovery from this problem.

Recognising a DNS problem may not be easy, though. Without some minimal diagnosis, a DNS problem can be confused with a physical connectivity problem, a security problem, or even a simple CKI fault.

The long term solution, for a DNS server sequence problem, is to have a properly balanced DNS server sequence. Many networks plan their primary DNS server very carefully, and throw a surplus (generally old and underpowered) computer in as the secondary. Some networks may even have 2 primary servers (with the clients split between the two), and a single, surplus, secondary.

What happens when the primary DNS server goes down? If your clients are using the secondary server suddenly, and it doesn't have the same capacity as the primary server, you're going to have performance problems. Make sure that your backup server is equal to the task of replacing, even temporarily, the primary server. Remember that the clients will be using the backup server, after the primary server comes back online. And if there's a chance that a secondary DNS server will be in use during an outage of other equipment, don't compound the stress. The stress that your clients experience will be passed on to you, generally doubled.

If you relay DNS requests to external DNS servers, and ones that you don't control, again try to specify servers of equal ability. Also, make sure that both external servers have good servers feeding them, and that they are secured against exploits that would permit pharming. If, for any reason, some of your clients are using the backup external server, and others the primary, both servers need to be able to resolve your DNS queries properly. If either server filters addresses differently, for instance, you'll have some clients able to access websites that other clients can't. Again, more stress for you.

If you're using DNS for address resolution on your LAN, make sure that both the server and all clients are set up properly.

If your Internet service goes thru a NAT router, you may be using the NAT router as a DNS relay.

If you think that you have a DNS problem, but aren't quite sure, read Identifying A DNS Problem In Your Internet Service.
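An added example, not part of the original post: a Python script that pulls the DNS server sequence out of "ipconfig /all" output collected from several computers, and reports any host whose sequence differs from the others or that lists a server you don't recognise (the comparison suggested above for problems that aren't consistent between computers). The ipconfig excerpts are constructed sample data.

```python
import re
# Constructed "ipconfig /all" excerpts from two hosts (sample data, not real machines);
# only the lines the parser needs are kept. 203.0.113.53 is a documentation address.
HOST_A = """\
        Host Name . . . . . . . . . . . . : pc-a

Ethernet adapter Local Area Connection:

        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.168.1.2
"""
HOST_B = """\
        Host Name . . . . . . . . . . . . : pc-b

Ethernet adapter Local Area Connection:

        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.2
                                            203.0.113.53
"""
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def dns_servers(ipconfig_text):
    """Return the DNS servers, in query order. The first sits on the 'DNS Servers'
    line; the rest follow as indented continuation lines holding only an address."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            first = line.split(":", 1)[1].strip()
            if first:                      # empty when no DNS server is configured
                servers.append(first)
            collecting = True
        elif collecting:
            m = IP_RE.match(line)
            if not m:
                break                      # next field reached; the DNS block is finished
            servers.append(m.group(1))
    return servers

def compare_hosts(configs, approved):
    """configs: {hostname: ipconfig text}; approved: expected DNS addresses. Returns {hostname: [problems]}."""
    lists = {host: dns_servers(text) for host, text in configs.items()}
    reference = next(iter(lists.values()))   # the first host is the yardstick
    problems = {}
    for host, servers in lists.items():
        issues = [f"unexpected DNS server {s}" for s in servers if s not in approved]
        if servers != reference:
            issues.append(f"sequence {servers} differs from {reference}")
        if issues:
            problems[host] = issues
    return problems
```

An unexpected server in a client's list is worth chasing down in its own right, since it is one way a pharming problem first shows itself.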


Malware Detection and Removal - Version 2

Most of the best known malware detection and removal processes focus on using automatic processes to detect and remove the adware, spyware, trojans, viruses, and worms from your computer. There are many tools - some are free, others are not - that will automatically detect, and remove, malware. Here is a sample list of the many available products.

For endless hours of discussions about the merits of each (and many complementary and competitive products), see the Alt.Comp.Virus and Alt.Privacy.Spyware forums.

The way most of these tools work is:

  • You update a malware signature database on your computer, identifying each known malware.
  • You scan each file on your computer.

    • Each file is examined against the malware database.
    • If something is found, which matches an entry in the database, it is removed.

Simple, right? But there are several problems with this procedure.

  1. It requires an up to date malware signature database on your computer, before the process is started.
  2. It is prone to false negatives - if the database isn't up to date, malware might not be detected.
  3. It is prone to false positives - sometimes you remove something that should not be removed.
  4. Because of the false positive threat, you have a quarantine area - anything removed is not really deleted, it is simply moved to an area on the computer by the malware scanner. To recover something mistakenly removed, you must run the malware scanner again, and have it deliberately restored.
  5. It requires intensive scanning of each file on the computer. The number of files on your system, multiplied by the size of the signature database, determines the scanning time. This discourages frequent and regular scans. Malware that matures, and propagates, between scanning cycles is uncontrolled.

There has to be a better way. So let's try one. Here are three possible tools.

  1. HijackFree.
  2. HijackThis.
  3. Silent Runners.

  • These tools scan the computer for the active signatures of all processes - good and bad. They look at all active processes, and at the various databases in your system that control which processes start, and present you with a log.
  • You can scan the log by hand, and look for obvious entries.
  • You can submit a HijackThis log to any of dozens of expert forums, where real human experts will examine your log and offer legitimate advice.
  • You can submit a HijackThis log to any of several online services, that will check it against their databases.
  • HijackFree will analyse its log for you, against the online SysInfo databases, and present you with a nice GUI display.
  • If any suspicious entries are found, you locate the suspicious file on your computer.
  • You copy the suspicious files to any of a couple of online file scanning services. Those services run the file thru a dozen different malware scanners, doing an intensive analysis. If the file contains any malware - trojan, virus, worm - it should be detected by at least one of the engines.
  • Any file that contains malware matching a known entry in an online database is identified to you immediately. You compare the findings from each of the scanning engines, from the log displayed.
  • Any file containing unknown malware is further analysed, and entries are made to add to the online databases.
  • You can get instructions on removing the malware found, by querying an online database of instructions, provided by the vendor of the online scanner that identified the malware.
  • When you identify specific malware on your computer, continue with an intensive whole computer malware analysis.

There are several advantages to this approach.

  1. Scanning is by known malware traces, not by individual file. This is a much quicker process, which makes it more likely to be used regularly.
  2. The log analysis databases are online, which makes it likely that you'll start from more up to date information.
  3. The online file analysis services provide multiple malware scanners. Scanners specifically sensitive to adware, spyware, trojans, viruses, and worms will be used, complementing each other, to analyse any suspicious file.
  4. When heuristic analysis of a suspicious file indicates malware, but it's not known malware, deeper analysis of your submitted malware can be done by the operators of the online scanning engines. The results of the deeper analysis can be fed back into the online malware databases. The next person with your malware will benefit from your participation. Everybody benefits from this collaboration.

You're welcome to continue using the current, well known strategy of individual file heuristic and signature based analyses, if you wish. But if you're serious about the security of your computers, you'll want to complement that strategy with whole computer scanning.