Deeply Hidden, and Heavily Protected, Malware

Some malware, besides making it impossible for you to interrupt its processes, will make it impossible for you to even locate on your computer. This is called rootkit protection.

Any program that lists ("enumerates") objects on your computer, for instance,

each of these programs depends upon system functions to tell it what is on your computer. None of these programs gets its list straight from system inventories, they ask system functions for a copy of those lists. Why is this relevant? Because, like any copy, things can be omitted when copying.

If your computer is infected by malware that's using rootkit protection, the system functions that enumerate processes and services, or those that enumerate files and folders, may have been customised. When Process Explorer asks for a list of processes, or Windows Explorer asks for a list of folders in storage, the list returned by the system may be filtered by the rootkit function.

Knowing what folders and processes are related to the protected malware, the rootkit function will simply not list those items. If "C:\Malware" contains the program library for the malware that has infected your computer, "C:\Malware" simply won't be listed by Windows Explorer. You can't delete what you can't see.

That's the bad news. Now the good news.

Any file, folder, process, or service, that isn't enumerated by a system function, is quite likely malware. There are several special programs, distributed by security experts, that enumerate system objects by bypassing the rootkit functions. They compare the results with a normal enumeration, calling the standard (and possibly rootkitted) system functions. If there are objects in the former list, that are not in the latter list, those objects are quite possibly rootkit protected malware.

Two of these special programs are

That's the good news. Now for the bad news, again. Many experts believe, that if Blacklight, RootkitRevealer, or a similar program, identify unknown system objects, your computer is probably compromised beyond reliablity. In this case, the only option is to nuke and pave.

>> Top

Patience, Persistence, and Publicity

When you're trying to diagnose and solve a networking problem, these are three qualities that you need.

Be patient - with yourself, and with others. Accept the fact that you don't know what's going on, and move ahead.

Be persistent - with yourself, and with others. If one diagnostic procedure doesn't tell you anything useful, try another. If one solution doesn't produce the results you hope for, look somewhere else for another. Ask questions - of yourself, and of others.

Provide, and seek, publicity. Let others know what works - and what doesn't. Use the Internet for what it is - a gigantic reservoir of knowledge. But be selective in where you seek advice.

>> Top

Identifying The Cause Of STOP Errors Using Pstat & Excel

Microsoft Windows NT in general, and Windows 2000, XP , and now Vista in particular, are increasingly more "user friendly". Continually, Microsoft adds wizards to help us do things, or to help us figure out why something didn't work the way that it should have. But all the wizards imaginable can not cover every possible problem; and occasionally our computer will encounter a problem that leaves no recourse other than for it to simply shut down.

This shut down condition is commonly referred to as a STOP error, or a Black (Blue) Screen of Death, aka BSOD.

Many times, looking at the contents of the STOP error message will show the address where the error occurred. First look up the detailed information about the specific STOP code in order to determine if the address is included, and if, so where in the error message might the address be found.

You can identify the meaning of each of the parameters for your specific STOP code, using the Microsoft Developer Network: Bug Check Codes as a reference. For an example, we might look at the 0xA: IRQL_NOT_LESS_OR_EQUAL STOP, which tells us that the address of the offending module can be found in the fourth parameter. Note this address, for later reference.

Having noted the address of the offending module, now list the addresses at which each active process is being loaded. The Pstat utility will provide this information. On some systems the Pstat utility may already be present. Check this by opening a Command Prompt window, and entering the following command:

C:\>pstat /?

If Pstat is not on your computer, you can download it free from Microsoft, as part of the
Microsoft Windows XP Service Pack 2 Support Tools.

With Pstat installed on your computer, next open a Command Prompt window, and generate a report. Because you need only a part of the information from this report, it is best to create the report as a text file. In the Command Prompt window enter the following command:
C:\>pstat > C:\temp\pstat.txt

You may change c:\temp to whatever drive and folder that you want to save the report into.

Now open the saved file in Notepad.
C:\>notepad c:\temp\pstat.txt

Scroll down the file, about 80% of the way to the end of the file and you will find a header line:

ModuleName Load Addr Code Data Paged LinkDate

Delete everything above the header line. Save this file under a different name. I use pstat2.txt, and put it into the same c:\temp folder.

Now launch Microsoft Excel, and do File - Open, to bring the pstat2.txt file into Excel. Excel will parse the file into columns. Once this is done, do Data - Sort, and sort the entire spreadsheet based on the value in Column B (Load Addr).

Now, simply read Column B, until you find the highest value that is less than the address noted above. That module name, in column A, is the prime suspect for the cause of your error.

Instructions courtesy of Ron Martell, MVP.

>> Top

Bad Websites? Don't Go There

One of the best ways of protecting your computer from websites which serve malicious content is not to go to those websites. If their content includes malicious code, why would you think that any of their content is desirable? Don't go there, or if you do, go armed with knowledge.

If you must surf to dodgy web sites, know which web sites are known to be malicious. The power of the Internet includes online, real time advice from the good guys.

Besides online malicious web site analysis, the classic protection strategy was plain old avoidance. Various security experts provide lists of websites that you should avoid, and they distribute the lists on the web. These lists are pretty big, and change frequently - generally each month. And, to prevent you from having to examine a list, by hand, each time you consider following a given link, you put these lists into the Hosts file on your computer, and let the computer do the work for you.

You can get a Hosts file from several trusted sources.

The Hosts file is a simple text file, stored in a recognised location on your computer. The operating system finds it from registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath]. Generally, this entry points to "%SystemRoot%\System32\drivers\etc", though malicious software, if installed on your computer, may change this entry.

If you use a Hosts file from only one of the above sources, you'll simply copy the file into the folder, as discussed above. If you do as I do, and use combined sources (since each source has different criteria what undesirable content is out there), you'll not want to edit and merge the file by hand. So there are several tools for doing this.

All of the above are free, and reliable. But, if you're skeptical about whether to trust any of the sources listed above, that's good. Do some research.

With exception to the issue below, using a Hosts file, as part of a layered security strategy, is simple yet effective. Use of the Hosts file is built in to every network operating system that uses Internet Protocol. Installing the Hosts file simply consists of merging entries into the existing file (as described above), or copying a file into the folder, if there is none in use right now.

Now, using a Hosts file is not without cost. A Hosts file entry identifies one individual subdomain, in any given domain. If "" has separate addresses for "servera", "serverb", and "serverc", you'll need

and this can make the Hosts file pretty large. With the HPGuru Hosts file, the file is well over 1M in size.

If you're running the DNS Client service, which provides a centrally managed DNS / Hosts lookup, the Hosts file is cached automatically. When the system starts up, and anytime you update the Hosts file, the DNS Client service will recache the file. This is a very CPU intensive process - on my computer (the last time I used it), the service would take 10 - 15 minutes to cache the file; during that time, the computer was pretty useless.

The solution, in that case, is to Stop and Disable the DNS Client service.

This should be a relevant issue only on small LANs that don't have a dedicated DNS server. If your domain includes a DNS server for local name resolution, you need to setup both the clients and the server very carefully. In that case, you'll want to centralise your website blocking, not have separate files on each client. If you don't have a dedicated DNS server, there are free DNS server utilities, that will provide local caching of DNS information, without having to precache the Hosts file.

Note one of the downsides of Hosts file based protection is latency. For you to surf safely, you have to be using the most up to date Hosts file. How often do you intend to update yours? If your Internet activity consists mainly of browsing, a browser add-on that references an online database makes much more sense.

>> Top

Layered Testing In Windows Networking

When you're working in Windows Networking - that is, the ability to share files, using named resources, between computers - you'll find sometimes that you can't access the files on one computer. Sometimes, you can't even see the files on another computer.

The challenge here is that the inability to see the files on another computer might be something as simple as your having kicked the network cable loose - or it might come from your having given a different workgroup name to the other computer. But how are you going to diagnose the problem?

Some folks will tell you, immediately

If you don't see the other computer in My Network Places, go to Entire Network - Microsoft Windows Network, and look there.

Now, if your physical network is solid, and the Internet Protocol is properly configured, then checking in Entire Network for a missing computer name is one of the next logical steps. But be aware of the lower layers, and check them, at least briefly. Maybe your network cable is broken, AND your computers are in different workgroups.

As I point out in Solving Network Problems - A Tutorial, Windows Networking is based on the OSI Network Model.

  • Windows Networking, in its default state, uses an application interface called NetBIOS Over TCP.
  • NetBIOS Over TCP, aka NetBT, uses TCP/IP for the logical network.
  • And in your home or small office, you'll likely have either Ethernet or WiFi. TCP/IP uses Ethernet, WiFi, and similar transports for physical connectivity.

When you test, observe those layers. Test from the bottom up.

  • Test Layers 1 & 2 - Physical & Data Link. If you have Ethernet, you'll have an Ethernet cable connecting either 2 computers, or one computer and a hub / switch / router. If you have WiFi, you'll have a computer connected to another computer, or to a similar WiFi hub / switch. Physical devices like Ethernet adapters, WiFi adapters, and hubs / switches / routers have diagnostics. Most have multi-colour lights. Find out about the diagnostics for each device. Learn what each colour means, and how it tells you that it detects a connection (or not).

  • Test Layer 3 - Network. If you verify that your computer is physically connected to another computer, or to the hub / switch / router, next check your IP settings. First, verify that the settings are good, using "ipconfig /all". Next, ping the other computer, or the router, and make sure that you get a consistent reply. If you get a partial reply (with some dropped packets), or if the reply time from the other device varies widely, do some more research. Here's where PingPlotter may come in handy.

  • Test Layer 7 - Application. If IPConfig and Ping indicate a good, solid, logical connection, look in My Network Places. If you don't see what you're hoping for, a combination of "browstat status" and "net config server" / "net config workstation" is a good diagnostic here. Coupled with "ipconfig /all", and compared against the same from the other computers involved, you can figure out just about any network problem.

  • Finally, if neither "ipconfig /all", "browstat status", "net config server", nor "net config workstation" indicates a problem, then do relational analysis using CDiag and CPSServ.

I'm aware that this just scratches the surface. But it's a start.

>> Top

Solving Problems - A Lightweight Tutorial

Everybody with a computer has experienced this - sometimes regularly.

It doesn't work today. It did yesterday. What now?

Is this funny? I think so; if you have any sense of humour, or are experienced in troubleshooting, you'll probably agree. That doesn't make it totally irrelevant. Sometimes, humour is based on truth.

Experience is a hard way to learn, but sometimes, it's the best way. If you need more insightful instruction, see Solving Network Problems - A Tutorial

If you make mistakes with your computer, you're using your computer. If you don't make mistakes, you have a computer.

>> Top

Analyse Your WiFi Environment Objectively

When you setup a network of computers, in your home or small office, a mass of Ethernet cables running everywhere can be a problem. WiFi, or Wireless networking, can provide relief from the mass of cables. But WiFi is not an effortless replacement for Ethernet. Installing a WiFi network takes careful preparation.

There are many reasons why you won't get the expected bandwidth from any WiFi network. Some of them you can correct, others you can't. And sometimes, even without you making any changes, you'll have problems. All the planning you do is useless when your neighbours install a WiFi LAN next door.

With all of that in mind, you need to evaluate your WiFi environment objectively, both before setting up a WiFi LAN, and after. When "it stops working", find out why. When your Ethernet network stops working, you can start with a simple IP scan of the subnet. With a WiFi network, you have to go a level deeper than Internet Protocol (sometimes, IP may not even be relevant).

There are many tools to objectively analyse your WiFi network; some are free, others cost good money. Here are but two.

Netstumbler makes a free, lightweight WiFi spectrum analyser from your computer and WiFi adapter of your choice. Netstumbler continuously scans the WiFi spectrum covered by your WiFi adapter, identifying each WiFi network device (whether access point / router, or client), and recording a dozen or so metrics about each network device found.

NetStumbler has two displays, both very useful. The display that you see immediately is the AP inventory, which enumerates each AP observed, and includes over a dozen very useful details about each. But you can discover more.

If you identify an interesting AP from the main list, you can find the MAC address for that AP. From a tree entry in the left column, you select a specific MAC address, and you can observe a running signal to noise graph for that network device.

Netstumbler, though free, and easy to use, has disadvantages.

  • It does not work with every known WiFi adapter.
  • It does not analyse non WiFi signals. If you have a cordless phone, microwave oven, or nearby ham radio operator, NetStumbler will show those merely as "noise", as part of the signal to noise ratio for any WiFi network device.
  • NetStumbler binds to the WiFi adapter just like any other WiFi client. If you run NetStumbler while you're attached normally to your network, using WiFi, you'll experience the same instabilities as when when you run multiple WiFi client managers.
  • It's not compatible with Windows Vista.

The Wi-Spy Spectrum Analyzer overcomes some of the disadvantages of Netstumbler. The Wi-Spy is a USB dongle / WiFi receiver, that will receive and analyse signals in the WiFi spectrum.
  • It does not require an add-on WiFi adapter, and has no compatibility problems like NetStumbler.
  • It provides the same sort of analyses about all detectable WiFi network devices, as NetStumbler. Also, it analyses the noise (signals from non-WiFi devices) in the spectrum, and attempts to identify the device producing the noise, from a database of known interference sources.
  • It works with Linux, Mac, and Windows (Windows 2000 or XP, and yes, Vista).
  • It is not inexpensive, but it is worth the price.

Note that NetStumbler has its shortcomings, in lack of support for new technology. Fortunately, alternative products are available.

>> Top