A client asked me to look at a PC that had been infected by a “virus”. In fact what it had been infected by was a particularly abhorrent bit of malware called AntiSpyware Soft.
It was probably inadvertently installed by my client by clicking on one of those warning boxes that splash up in some browser windows warning you that you have an infected machine - the box looks very like a Windows error but it's actually not.
An article in PC Pro recently was saying this type of malware is serviced by Russian Mafia types as a way to effectively extort sums from web users by installing their dodgy AV software, which then watches their internet history, recording credit card numbers etc. and relaying them to the “mother ship”.
The PC was installed with F Secure 2010 AV but the damage was done, probably by the client authorising the install unwittingly. F Secure could detect the system modification attempt by a service with what was effectively a random string name, but it seemed it could not detect the virus nor stop its troublesome attempts to scare the user.
It did a number of bad things.
1) It kept warning that it had detected an intrusion attempt - funny, as when I had the machine it was not even connected to the internet. Worth a test if you ever see such a warning: disconnect and see if it persists. I always disconnect any infected machines when I am aware of them and recommend you do too.
2) It kept flagging up spurious process crashes.
3) It disabled access to services.msc (the control panel services applet) and taskmgr.exe, so you could neither ID nor disable it by conventional means.
4) Once you opened an IE8 browser window it went mental – constant alerts resulting in many red shields in the system tray, and sometimes a Windows AV type window saying AntiSpyware Soft – click to purchase and enable – to sort the problem. Of course you would be mental to. It also sent the web browser to dodgy websites like p*rno.com and vi*gra.com (and probably others), heightening the fear factor for the client!
5) I did a bit of research on the web (as you do) and the best info I found was on www.spywareremove.com. It gave free, manual removal instructions which were spot on and worked a treat. I would say you need to use Safe Mode to do the steps listed and be happy in the registry. I found a couple of keys that differed from their instructions but they were easy to spot, and I put it down to the variable behaviour of the malware.
6) With the files deleted it's back to normal, but I have installed Google Chrome on the machine as it's less susceptible to some of the aspects of such malware.
I noticed a “Chip fan” warning on my son's PC this morning at boot time and decided to investigate. Looks like it was as well I did, as the fan that cools the northbridge/SLI chip on the motherboard itself (an Asus A8N SLI Deluxe) was not running.
I tried giving the machine a good dust out including the fan but no life was seen. You could smell burning though when it was switched on, so I pretty well gave up hope for the fan and was cursing the whole thing, as it could mean a complete motherboard/CPU/RAM upgrade to sort. Not a big deal technically but a pain in the backside financially when the PC is otherwise fine.
I decided to have a look see if I could fix it.
It's a bit tricky to get out and basically I needed to remove all the motherboard securing screws to get to the back of the board and the two retaining plugs that hold the fan on the chip. The only way I could see to remove them was to pull each plug out from the board one at a time against the spring tension of the securing pillars on the front of the board, and cut them with side cutters.
This causes the retaining pillars to ping off, so watch out for losing them and the springs. It's going to be hard to reuse them, but watch the springs don’t end up trapped in amongst the components on the board and cause further problems.
The fan comes out once the pins are released and the power plug needs to be removed from the board.
It's held closed by 4 tiny cross head screws (a very small Phillips will be required), then once the cover is off the fan is secured to the bottom of the heatsink with three further similarly sized screws.
I got these out and gave the whole assembly a really good douse in electrical solvent cleaner. This certainly got it clean but it did not feel especially free spinning.
I had a wee trawl on the web and it seems this is a very common fault, and the general recommendation is to replace it with a Zalman ZM-NB47J passive cooler; you can get them at Micro Direct here in the UK. Most appear to fail early in the life of the PC, so I guess we have been lucky as this board is a few years old now.
They only cost a few pounds so I decided to order one, though I have to admit I have doubts it's going to fit, as my son's PC has a pair of NVidia graphics cards in SLI mode that are very long and I think they are going to impede the cooler. However the cooler is rotatable so I might be able to make it fit… nothing ventured, nothing gained.
Anyway I decided to have a go at getting the fan going again if I could, so after the liberal cleaning in solvent I gave it another good dose of WD40 lubricant.
I cleaned off the excess, set the motherboard back to at least power up (plugged the ATX connector in) and connected the fan – just holding it in my hand. I could feel it wanted to go – it pulsed but did not turn, so I had another wee look at it, and it seemed to be a bit squint on its axis. I applied a bit of pressure to try to make it look more evenly mounted, and this time it fired up.
I gave it another oil and tried again; this time it seemed much faster. So time to put it all back together, connect up and apply a bit of heat paste to the chip. Now I don’t have any screws to fix the cooler back to the chipset so am kind of counting on the paste and the friction of the graphics cards above the fan holding it all in place, but the warning is gone and the fan is working fast and smoothly.
I will report on the cooler when it arrives but this might have saved things for now.
I downloaded the latest Windows Live! Messenger (version 9). Unfortunately I cannot get it working and it seems many other users have the same issue - the error message “Windows Live Communications Platform Has Stopped Working”.
The details of this error seem to point to the F Secure Firewall I run (the 2008 version in my case). However even disabling this failed to resolve issues (if only to debug - I strongly recommend you don’t disable security measures to enable messenger apps!).
I found various purported solutions to the problem but none worked for me.
Remove any custom themes from Vista (i.e. Windowblinds) – I don’t use this so not applicable to me.
Delete the contacts directory in the Windows Live folder. You can find this in Vista by going to your user profile folder (usually C:\Users\<your login name>) and then, ensuring you have set “show hidden folders”, going to AppData\Local\Microsoft\
In here you will find a Windows Live Contacts directory - you can either delete it or (like me, if you're less trusting of such advice) rename it to something like Windows Live Contacts.bak and then try your messenger again.
This has apparently worked for many users - but alas not for me. In case you are worried, the program recreates the directory if it cannot find it - like so many Microsoft programs.
So you can then persevere with trying to find your own solutions - if you get it sorted feel free to comment on it here, but in my case I chose to uninstall it and try to get back to an older version. These are a bit more tricky to find as any normal searches for them turn up the latest problematic one.
I found the last version (I think it's the last version, 8.5.1302.1018) – it looks OK to me – here (be warned there are a lot of shareware apps using the Messenger name that appear when you search in Google). While they may be harmless, I have a degree of concern that other apps use similar names to confuse users, and you may ultimately end up with either a paid-for program you did not want or possibly spyware or malware you did not ask for.
Just encountered an issue with the Transcend JF220 Secure USB stick. This stick uses a fingerprint reader to secure the partitioned USB stick. The stick works fine in my Windows XP system but once used with my Vista system I noticed that the main icons off the Start button stopped working. How odd?
I got hold of a utility called ShellExView from Nirsoft which allows you to see which shell extensions are running on your platform and to selectively disable them. Be warned: disable them one at a time and only those you suspect. If you're not sure, ask a PC savvy friend!
Anyway, working chronologically backwards (i.e. newest first) I noticed an Icon Handler extension supplied by Arachnoid Biometrics Identification Group Corp. Disabling this restored the icon function on the Start button.
Unfortunately I see no easy way to uninstall this as it has no entry in the Control Panel. Looks like a manual/registry hack job for later.
I need to look into whether there is a fix for this first though. Perhaps an updated driver for the Transcend USB stick.
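The newest-first review of shell extensions described above can also be done read-only from the registry. The following PowerShell is an added example, not from the original post or from Nirsoft; it assumes PowerShell 3.0 or later and that the extension is listed under the shell's "Approved" key (extensions registered elsewhere will not appear), and the function name is hypothetical.

```powershell
# Added example: report third-party shell extension DLLs, most recently modified first.
# Read-only: nothing is disabled or deleted.
$approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

function Get-ShellExtensionReport {   # hypothetical helper name
    param([string]$ApprovedKey = $approved)

    $key = Get-Item -LiteralPath $ApprovedKey -ErrorAction Stop
    foreach ($clsid in $key.GetValueNames()) {
        # Value names are CLSIDs; the value data is a free-text description.
        if ($clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }

        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $inproc)) { continue }

        # The default value of InprocServer32 is the DLL loaded into explorer.exe.
        $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        if ([string]::IsNullOrWhiteSpace($dll)) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))

        # A bare file name (no path) will not resolve here and is reported as such.
        $file = Get-Item -LiteralPath $dll -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Description = $key.GetValue($clsid)
            CLSID       = $clsid
            Company     = if ($file) { $file.VersionInfo.CompanyName } else { '(not resolved)' }
            Modified    = if ($file) { $file.LastWriteTime } else { $null }
            Dll         = $dll
        }
    }
}

# Hide Microsoft's own extensions and put the most recent DLLs at the top,
# which is where a newly installed driver's icon handler would show up.
Get-ShellExtensionReport |
    Where-Object { $_.Company -notlike 'Microsoft*' } |
    Sort-Object Modified -Descending |
    Format-Table Description, Company, Modified, Dll -AutoSize
```

The Company column comes from the DLL's version resource, so an unsigned or unlabelled DLL near the top of the list deserves the closest look.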