Over Christmas, trusty, aging Compaq 1750NX got into trouble. First darling daughter, home for the holidays, websurfed somewhere evil and infected him with a rootkit. After blowing said rootkit away with TDSSkiller, and a second one with Combofix, poor old desktop still ran SLOW. In good shape he used to boot up in 45 seconds. Now he was taking two minutes. And everything ran SLOW. The audio stuttered while doing the Windows warmup "Ka Ching" sound. Task Manager was showing 80-90 percent CPU usage when nothing was running.
I finally tracked it down and fixed it. I ran Process Explorer, a fancier version of Task Manager. Process Explorer showed me that hardware interrupts were sucking up all the CPU time. A quick google ("hardware interrupt virus") got a lot of hits, from which I learned that Windows was shooting itself in the foot.
The disk drive is supposed to transfer disk data to main memory using "direct memory access" (DMA), whereby blocks of data are moved into memory without CPU work. For nostalgia's sake there is a primitive mode called programmed I/O (PIO), whereby the CPU has to move disk data byte by byte (one move instruction per byte) and the disk interrupts the CPU when each byte is ready to move. PIO was used back in the dawn of computing, and the PIO mode is a historical curiosity. Somehow, the disk drive software had put the disk into PIO mode, slowing the entire computer.
How to fix.
Start Device Manager (Start->Settings->Control Panel->System->Hardware->Device Manager). Click on "IDE ATA/ATAPI controllers". Click on "Primary IDE Channel". Click on the "Advanced Settings" tab. If "Transfer Mode" shows as "PIO", that's your trouble. The three boxes ought to read "Device Type: Auto Detect", "Transfer Mode: DMA if available", "Current Transfer Mode: Ultra DMA Mode 5".
If the boxes are wrong, you can fix it by forcing Windows to remove and reinstall the driver. Click on the "Driver" tab. Then click "Uninstall". Windows will then ask to reboot. Let it. That's it. All fixed.
You don't need to get into Process Explorer, that was just the aid that tipped me off to what was happening. Just go to Device manager and inspect the IDE ATA/ATAPI controllers.
This is NOT a virus, it's a bug in Windows.
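As an added example (not the blog author's code and not a Microsoft tool), here is a read-only Python check that looks at the same IDE channel settings Device Manager shows, so you can spot a PIO fallback on several machines without clicking through the dialogs. It assumes the ATA/ATAPI device class key, the value names MasterDeviceTimingMode, SlaveDeviceTimingMode, MasterIdDataChecksum/SlaveIdDataChecksum and ResetErrorCountersOnSuccess, and the timing-mode number table, all taken from community documentation of the Windows XP PIO fallback rather than from this post. It writes nothing; the fix is still the driver uninstall described above.

```python
"""Read-only check for IDE channels that Windows has dropped back to PIO.

Added example, not code from the blog post. Assumptions: the IDE/ATAPI
class key, the value names *DeviceTimingMode / *IdDataChecksum /
ResetErrorCountersOnSuccess, and the timing-mode number table come from
community documentation of the Windows XP PIO fallback, not from this
page. Nothing here writes to the registry.
"""
import sys

# Device class "IDE ATA/ATAPI controllers" as listed in Device Manager (assumed GUID).
IDE_CLASS_KEY = (r"SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E96A-E325-11CE-BFC1-08002BE10318}")

# Assumed encoding of the *DeviceTimingMode DWORDs. Every DMA mode sets a
# bit at 0x400 or above; a value with nothing above the low byte is PIO.
TIMING_MODES = {
    0x10: "PIO mode 0",
    0x410: "Multiword DMA mode 2",
    0x2010: "Ultra DMA mode 2",
    0x8010: "Ultra DMA mode 5",
    0x10010: "Ultra DMA mode 6",
}


def decode_timing_mode(value):
    """Return (label, is_pio) for one timing-mode value (None = value absent)."""
    if value is None:
        return ("not set", False)
    label = TIMING_MODES.get(value, "unknown mode 0x%x" % value)
    return (label, (value & ~0xFF) == 0)


def assess_channel(values):
    """Judge one channel subkey. `values` maps registry value name -> data.

    Returns a list of findings; an empty list means the channel matches what
    the post says the Advanced Settings tab should show (DMA in use)."""
    findings = []
    for role in ("Master", "Slave"):
        label, is_pio = decode_timing_mode(values.get(role + "DeviceTimingMode"))
        if is_pio:
            findings.append("%s device is running in %s" % (role, label))
        # The checksum value is what makes the PIO fallback persist across
        # reboots; the driver reinstall in the post clears it (assumed).
        if role + "IdDataChecksum" in values:
            findings.append("%sIdDataChecksum present: fallback is remembered" % role)
    # With this flag at 1 the CRC-error counter resets after a good transfer
    # instead of accumulating toward another fallback (assumed).
    if values.get("ResetErrorCountersOnSuccess") != 1:
        findings.append("ResetErrorCountersOnSuccess is not 1")
    return findings


def scan_registry():
    """Enumerate the class key on a live Windows box and report per channel."""
    import winreg  # Windows-only module, imported here so the helpers load anywhere
    report = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IDE_CLASS_KEY) as cls:
        for i in range(winreg.QueryInfoKey(cls)[0]):
            name = winreg.EnumKey(cls, i)
            try:
                sub = winreg.OpenKey(cls, name)
            except OSError:
                continue
            with sub:
                values = {}
                for j in range(winreg.QueryInfoKey(sub)[1]):
                    vname, data, _ = winreg.EnumValue(sub, j)
                    values[vname] = data
            # Only channel entries carry timing values; the controller entry does not.
            if "MasterDeviceTimingMode" in values:
                report[values.get("DriverDesc", name)] = assess_channel(values)
    return report


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Registry scan needs Windows; the helper functions still work for testing.")
    else:
        for channel, findings in scan_registry().items():
            print(channel + ":", "; ".join(findings) or "DMA, looks healthy")
```

Run it on the affected machine and a healthy channel prints "DMA, looks healthy"; a channel in trouble prints the PIO finding along with the sticky checksum value that explains why the slowness survives a reboot.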
This blog posts about aviation, automobiles, electronics, programming, politics and such other subjects as catch my interest. The blog is based in northern New Hampshire, USA
Friday, January 3, 2014
Thursday, January 2, 2014
Train Wreck
NPR did a long piece on the North Dakota train wreck where tank cars of petroleum burst into flames. They had a guy from NTSB on wondering if the tank cars that blew had been properly placarded as to hazardous material. I'm sure the proper hazmat placard would prevent a fire. Then they talked about the tank cars themselves, perhaps replacing all the tank cars would prevent another explosion. Then they talked about how petroleum from the Bakken shale might be more hazardous than other petroleum. I got news for them, petroleum from anywhere is fairly dangerous stuff. It gives off flammable vapors that ignite from rubbing two pundits together, and once ignited, it burns furiously.
What they didn't talk about was train wrecks. If you wreck a train full of oil tank cars, you are gonna have one helluva fire. Hazmat placards, stronger tanks, tightlock couplers only help a little bit. You gotta work on preventing train wrecks. Nobody has offered any explanation of how this wreck happened. We are just very lucky that nobody got hurt.
To be fair to National Progressive Radio, they did mention the lack of pipelines, such as Keystone XL which Obama has stalled for 5 years.
Wednesday, January 1, 2014
How to Read a ComboFix Log File
Combofix will zap most malware right off your disk automatically, with no assistance from you, the operator. It also writes a lengthy log file to disk. The log file indicates what was done, and lists some other stuff worth looking at.
"Other Deletions" is a list of files that Combofix has already blown away for you. If later on, you find that Combofix has broken something, you can look to see if it zapped a needed file.
"Drivers/Services" is unknown to me. Combofix didn't find anything to report on my computer.
"Files Created from yyyy-mm-dd to yyyy-mm-dd " shows all files created in the last month. Virii have to live on disk somewhere. When a virus shows up, it's likely to be living in a newly created file. It's not that new files ARE virii, but they might be.
"Find3M Report" is a list of all files created in the last 3 months. Again, just cause a file is new doesn't make it a virus, but it's worth checking them out. Google will tell you a lot about a filename.
"Reg Loading Points" is a list of registry entries that load and run programs. Look at the program names, you ought to recognize the names as legitimate programs, such as your wireless card driver. Names you don't recognize are worth checking out, they might be virii, but most of 'em will turn out to be legit programs.
IF, and only IF, you recognize a virus loading entry, you need to use regedit to blow the entry out of the registry and then zap the file being loaded off your hard drive with Explorer.
"Supplementary Scan" is more registry keys that seem suspicious to Combofix.
"Orphans Removed" is a list of registry entries that Combofix has blown away.
"Catchme" is a report from the rootkit finder/zapper.
"Locked Registry Keys" is a list of locked registry entries. Locked entries are suspicious because that's how virii protect their registry keys. In my computer the only locked registry key belongs to Internet Explorer, which I think is harmless.
"DLL's loaded under running processes" shows all the dll's currently in memory and doing things, and which programs are using them. Running processes that you recognize are OK. A running process that you don't recognize wants to be checked out. Likewise for dll's.
"Other Running Processes" is all the code in memory and executing. If you recognize the process, fine. Strange processes that you don't recognize again want to be checked out.
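As an added example (not ComboFix's own code and not from this post), here is a small Python triage script that does the cross-checking described above mechanically: it splits a log into its named sections, pulls the program paths out of "Reg Loading Points", checks each against a list of program names you recognize, and notes which ones live in a file or folder that also shows up in "Files Created" or "Find3M Report". It assumes the log layout used here (section titles wrapped in runs of parentheses, `[HKEY_...]` key headers followed by `"name"="path" [date size]` lines); the sample log and the allowlist are constructed for the example. It never deletes anything; it only tells you what to go and look up.

```python
"""ComboFix log triage. Added example, not ComboFix's code and not the blog
author's. Assumes the section/entry layout shown in SAMPLE_LOG; the sample
log and KNOWN_PROGRAMS are constructed for this example."""
import re

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")          # "((((  Title  ))))"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")               # "[HKEY_...\Run]"
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')  # "name"="path" [date size]
CREATED_RE = re.compile(                                      # date . date attrs attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+\S+\s+\S+\s+(?P<path>.+?)\s*$")

# Constructed sample in the shape of a real log; every path and date is made up.
SAMPLE_LOG = "\n".join([
    r"ComboFix 14-01-01.01 - Owner 01/01/2014  20:15:32.1.2 - x86",
    r"((((((((((   Other Deletions   ))))))))))",
    r".",
    r"c:\documents and settings\Owner\Application Data\zzz\keep.dat",
    r"((((((((((   Files Created from 2013-12-01 to 2014-01-01  ))))))))))",
    r"2013-12-30 03:10 . 2013-12-30 03:10 -------- d-----w- c:\documents and settings\Owner\Application Data\zzz",
    r"2013-12-28 11:02 . 2013-12-28 11:02 -------- d-----w- c:\program files\WirelessCard",
    r"((((((((((   Find3M Report   ))))))))))",
    r"2013-12-30 03:11 . 2013-12-30 03:11 45056 ----a-w- c:\documents and settings\Owner\Application Data\zzz\svchost.exe",
    r"((((((((((   Reg Loading Points   ))))))))))",
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"WirelessDriver"="c:\program files\WirelessCard\wlan.exe" [2013-12-28 204800]',
    r'"svchost"="c:\documents and settings\Owner\Application Data\zzz\svchost.exe" [2013-12-30 45056]',
    r"((((((((((   Locked Registry Keys   ))))))))))",
    r"[HKEY_USERS\S-1-5-21-1000000000-2000000000-3000000000-1004\Software\Microsoft\Internet Explorer\User Preferences]",
    r"@Denied: (2) (LocalSystem)",
])

# Constructed allowlist: executable names you have already looked up and trust.
KNOWN_PROGRAMS = {"ctfmon.exe", "wlan.exe"}


def split_sections(text):
    """Split the log into {section title: [non-blank lines]}, in file order."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def parse_loading_points(lines):
    """Yield (registry key, value name, program path) from Reg Loading Points."""
    key = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        em = ENTRY_RE.match(line)
        if em and key:
            yield key, em.group("name"), em.group("path")


def recently_created_paths(sections):
    """Lower-cased paths from the 'Files Created ...' and 'Find3M Report' sections."""
    paths = set()
    for title, lines in sections.items():
        if title.startswith("Files Created") or title == "Find3M Report":
            paths.update(m.group("path").lower() for m in map(CREATED_RE.match, lines) if m)
    return paths


def triage(text, known_programs):
    """Classify each loading point; nothing is modified or deleted."""
    sections = split_sections(text)
    new_paths = recently_created_paths(sections)
    entries = []
    for key, name, path in parse_loading_points(sections.get("Reg Loading Points", [])):
        low = path.lower()
        recognized = low.rsplit("\\", 1)[-1] in known_programs
        is_new = any(low == p or low.startswith(p + "\\") for p in new_paths)
        if not recognized:
            verdict = "check"                # the post's rule: unknown names get looked up
        elif is_new:
            verdict = "new but recognized"   # new doesn't make it malware, just worth a glance
        else:
            verdict = "ok"
        entries.append({"key": key, "name": name, "path": path, "recognized": recognized,
                        "recently_created": is_new, "verdict": verdict})
    locked = [m.group(1) for m in map(KEY_RE.match, sections.get("Locked Registry Keys", [])) if m]
    return {"loading_points": entries, "locked_keys": locked}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, KNOWN_PROGRAMS)
    for e in result["loading_points"]:
        print("%-20s %-22s %s" % (e["verdict"], e["name"], e["path"]))
    print("locked keys:", result["locked_keys"])
```

On the constructed sample the `ctfmon.exe` entry comes back "ok", the wireless driver is "new but recognized" (its folder is in the last month's created list, which is exactly the case the post warns not to overreact to), and the `svchost` entry under a user's Application Data folder comes back "check": a familiar-sounding name in a freshly created folder is the kind of entry worth a search before you touch anything.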
Windows XP System File Checker SFC /scannow
SFC comes with Windows. It's a DOS program, you have to click on the Start menu, click on Run, and then type sfc /scannow into the Run box. SFC is supposed to check the core Windows files and report/replace any that are missing/out-of-date/corrupt. Just how SFC decides that a file is good or in need of replacement is unclear, since Windows Update keeps replacing files with updated versions. Just how SFC keeps up with this is unclear/unknown to me, but I think it works, somehow.
When SFC finds a file that it wants to replace, it will ask you to put your Windows install CD into the CD drive. However, many of us don't have a Windows install CD. We bought new computers that didn't come with Windows CD's.
But there is a fix. Computers without Windows CD's have a hard disk partition, (D: usually) that has all the stuff the Windows install CD has on it. I just burned it into a CD, left the CD in the drive, and then SFC ran to completion. I had to do a little trimming. The D: hard drive had too much stuff to fit onto a 600 MByte CD. I only put the "I386" stuff on the CD, and I even had to trim that a little bit to make it fit.
Tuesday, December 31, 2013
Stalingrad
The Russians have a security problem. Terrorists bombed a railway station (awful video showing the bomb flash and smoke is on TV) and then bombed a trolley bus. Thirty or forty people dead. These atrocities occurred in "Volgograd", "400 miles south and east of Moscow".
It wasn't until the next day that one newsie finally figured out that Volgograd is better known in the West by its World War II name, Stalingrad. The newsie vaguely mentioned that a battle had been fought there.
The newsie didn't mention that the battle of Stalingrad was a turning point in World War II. It was the first time the Russians managed to beat the Germans in a big standup fight. Before Stalingrad, the Germans beat the Russians every time. That turned around after Stalingrad and the Russians beat the Germans every time. The Russian victory at Stalingrad was crushing, they surrounded the German army and took them all captive. Germany lost 250,000 men at Stalingrad. The movie "Enemy at the Gates" was about the battle of Stalingrad.
You would think that after such a legendary victory in the Great Patriotic War, the city would still be known as Stalingrad. But, when "deStalinization" happened under Khrushchev in the late 1950's, part of "deStalinization" involved taking Stalin's name off his city on the Volga.
Combofix
My computer survived Combofix. This car climbed Mt. Washington. Poor old desktop was still sluggish so I tried the roughest toughest anti virus out there. Combofix, spoken of in awed tones by computer geeks. I downloaded it from Bleeping Computer and turned it loose. It took its time, made at least two passes. On pass one it reported another rootkit, Zero.Layer.something or other, hiding in the TCP-IP stack. Claimed to have killed it. Warned that I might encounter some problems getting back on the internet, but promised a fix.
Any how, after a long run it reported success and printed out a LONG log file. It listed a lot of files that it zapped, all the "run" keys it found in the registry, and a bunch of other Windows files. Surprisingly it didn't list the rootkit it claimed to have zapped. You would think the programmers would be happy to claim a trophy like a root kit. The log file looks a lot like the file created by Hijack This, in fact the Combofix developers may have borrowed all the Hijack This code to print the log. I haven't acted on anything in the log file yet. I recognize all the run keys, they are running legitimate programs like the wireless modem driver.
I'll Google on the windows files it lists, and see if I can find Microsoft certified, pure as the driven snow, replacements, just in case.
But not tonight. It's bed time. And the desktop is running better. Quicker keyboard and mouse response.
Anyhow, if you have a really tough virus that ordinary anti virus programs cannot see or cannot zap, try Combofix. It's powerful. And free. Just running it ain't hard, just click on it and it goes to work.
The log file is kinda cryptic and you do have to know stuff to understand it. Don't blow anything away just cause it shows up in the log file.
Labels: Anti Virus, Bleeping Computer, Hijack This, root kit, Zero.Layer
Monday, December 30, 2013
MSM is STILL out there selling Obama Tales
The New York Times on Sunday published a big story to support the original Obama excuses for the Benghazi disaster. As you might remember, at the time, the Obama folk blamed the attack on the US consulate in Benghazi on an obscure video posted on the Internet. They sent Susan Rice, high ranking administration official, to appear on all five Sunday pundit TV shows to push the video theory.
Anyhow, the Times just printed a big story retelling the "nasty video caused attack" theory.
And that, ladies and gentlemen, is even handed MSM support for a beleaguered Obama administration.