Category Archives: Technology

Malware…

For the last week (actually 9 days now), I’ve been working on and off cleaning up the PC of a friend. It’s shocking how much malware is out there right now and how easy it is for folks who think they are doing the right thing to be tricked by these “friendly” popups that offer to clean your PC. My friend’s PC had several rogue spyware cleaners on it, and gosh knows what else. It scares me that he’s been doing his taxes, etc. on this box for years. Anyway, I have put about 15-20 hours into cleaning it, and I think (knock on wood) that it’s clean. Here’s what started it, and what I did:

This is a Win2000 machine, and it’s about 8 years old, but still a usable computer…P4, 256MB RAM, 40GB disk. It does what he and his wife want. However, he called when it started crashing (BSOD). At first, I thought it might be a hardware problem, but determined after I put another NIC in the box that it was software. When I got it, the copy of Norton Anti-virus on it hadn’t updated defs in 4 years, and you can guess what that allowed. So, here’s what I did:

1) Took it offline;

2) Ran Combofix.exe;

3) Ran “HiJackThis” and deleted any obviously bad items (but there’s a lot I don’t know off the top of my head);

4) Ran current versions of AdAware and SpybotS&D;

5) Loaded a current version of Norton (virus defs were 9/2007, but still cleaned a lot of stuff);

6) Ran Activeports, saw that there was still spurious activity with IE processes getting kicked off going to places like “cookingluck.com” and “network.upl.cz”. Not what you wanted to see.

At this point I had taken a bunch of stuff off the box and it was working better, but it was still in no way trustworthy. However, it was working well enough to put back online for a short while and update the patterns on AdAware & SpybotS&D and Norton AntiVirus. Downloaded Win2000 SP4. Took it back offline. Installed Win2000 SP4. Ran scans with new definitions on all tools, and cleaned off more. When it was online, Norton was stopping the things the downloaders were trying to drop, so it was getting better.

I then put on ZoneAlarm. This is something I wanted on the box since my friend doesn’t have a router, and consequently is exposed to the cable net. This had a couple of side effects that helped. First, I could now see and log the IE probes. Also, I set it to not allow IE to access the internet.

So, at this time, things are reasonably clean, and the rogue IE processes getting spawned couldn’t get to where they wanted to go, so I could put it on the ‘net and things would not get worse. However, it wasn’t fixed. I spent several hours trying to figure out where IE was getting launched, but couldn’t make any progress.
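The ZoneAlarm set-up above (log every outbound attempt the browser makes, and deny the browser internet access while cleaning) is egress monitoring in miniature. Here is a small added example, not from the original post and not ZoneAlarm's code, that applies the same two checks to host-firewall log lines. The log format, the timestamps and the process names are constructed for illustration; the only values taken from the post are the two destination hosts.

```python
"""Summarise outbound-connection log lines from a host firewall and flag
browser processes reaching hosts nobody asked the browser to visit.

Constructed example: the log format below is made up and is not ZoneAlarm's
real format.  Only the two destination hosts come from the blog post.
"""
from collections import defaultdict
import re

# One line per outbound attempt: timestamp, action, process, destination, port.
# Constructed sample data.
SAMPLE_LOG = """\
2008-03-02 21:14:05 ALLOW iexplore.exe cookingluck.com 80
2008-03-02 21:14:07 ALLOW iexplore.exe network.upl.cz 80
2008-03-02 21:15:11 ALLOW ccapp.exe liveupdate.example.net 80
2008-03-02 21:16:30 BLOCK iexplore.exe cookingluck.com 80
2008-03-02 21:16:31 BLOCK iexplore.exe network.upl.cz 80
2008-03-02 21:20:02 ALLOW mbam.exe updates.example.org 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proc>\S+) (?P<host>\S+) (?P<port>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def egress_by_process(events):
    """Map process name -> {destination host -> attempts}, allowed or blocked."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["proc"]][e["host"]] += 1
    return {p: dict(h) for p, h in summary.items()}


def unexpected_browser_egress(events, browsers=("iexplore.exe",), known_good=()):
    """Hosts a browser process tried to reach that are not in known_good.

    With the browser denied internet access, as in the post, every hit here is
    something other than the user driving the browser; a count that stops
    growing after a cleanup pass is the evidence the launcher is really gone.
    """
    hits = defaultdict(int)
    for e in events:
        if e["proc"] in browsers and e["host"] not in known_good:
            hits[e["host"]] += 1
    return dict(hits)


def should_block(event, denied_processes=("iexplore.exe",)):
    """Temporary policy from the post: the browser gets no outbound access at all."""
    return event["proc"] in denied_processes


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for proc, hosts in sorted(egress_by_process(evs).items()):
        print(proc, hosts)
    print("suspicious browser egress:", unexpected_browser_egress(evs))
```

Run it as-is to see the per-process summary; in practice you would feed it the exported log and re-run it after each cleanup step, watching for the browser's destination counts to stop climbing.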

Then, in reading some entries on bleepingcomputer.com, I saw a reference to “Anti-malware” by Malwarebytes. I started to read up on it a bit, since there’s a lot of disinformation out there, seemingly placed by the rogue spyware authors. I added up the trustworthy and non-trustworthy references, and felt like it was worth a try. I downloaded v1.05 of Anti-malware, and ran it. It picked up 124 objects, including a couple of memory modules, that nothing else had found. I removed the objects it found (some obviously required a reboot), and now, it’s been nearly an hour and the spurious IE activity is nowhere to be found, per the ZoneAlarm logs. I believe it’s fixed!

I’ll check tomorrow, and if it’s still clean, I’ll re-enable IE, and make sure MS updates, etc. are working like they’re supposed to…

Stay tuned, but things are very promising!

How to break disk encryption…

Wow…I’d naively thought (though I don’t use one on my Macbook) that using a disk encryption tool (such as comes with Vista or OS X) was a pretty good level of security, unless the spooks were after you. Well, that’s not so! I try to not have my blog be a blog of links to other blogs 😉 but here’s a very informative case where I’ll put in this link to this page on Engadget. The video clip is 5 minutes long, but it’s time well spent as you’ll not look at disk encryption in the same way again!

Femtocells — subvert the dominant paradigm?

On my commute from Chapel Hill to Greensboro, I listen to the podcast of The Economist. Today, I heard a very interesting article from the current print issue of the magazine on Femtocells. Reflecting on this while driving down the highway, I was thinking that I really agreed with the article’s assertion that this could be a disruptive technology. Today, we think of network-attached devices typically as either cellular capable, or 802.11x capable (though certainly many devices now have both capabilities). With pervasive rollout of picocells and femtocells, we’ll move closer to ubiquity in coverage in cellular radio networks and the architecture also provides for higher speed connectivity than in the wide area coverage environments, allowing a richer set of applications and media on mobile devices.

As we shrink our laptops and “supersize” our phones, might this provide a means for connectivity to that converged device? That iPhone is looking better and better 😉

I saw an interesting quote in an Educause Review article from the November/December 2007 issue. In a compilation of opinions from 13 CIOs in higher education, John Bielec from Drexel University said “Why would an institution provide … wireless service five years from now?” Hmmmm….

Popfly

I was reading the technology section of NYTimes.com, and came across an article on a Microsoft project called “Popfly”. This is apparently a “no programming” mashup creation tool. It looks kinda interesting, but the performance of the Silverlight development plugin seems to be very sluggish (at least on a Mac w/Firefox or Safari).

I’m hoping that below this verbiage you’ll see an example (a rotating sphere with trout pictures):

example is no longer working…oh well

This type of tool is, I think, important for all of us to wrap our heads around as we contemplate the move away from desktop software into the cloud…

Evocam

Discussions at the office re: security cameras (due to some thefts of computers from labs, etc.) got me to thinking about webcams, video motion detectors, and so forth. Not as a solution to the problem (that’s outside my area), but from more of a “that’s a good idea, there oughtta be a way” perspective. It seemed to me that there ought to be some easy-to-use software that took advantage of the cameras built into today’s Macintosh platform (my computer of choice!). I went looking and quickly came up with a link to EvoCam. This is a nice piece of software (yes, I did pay my $25). Tons of options & features, for logging, for publishing to web sites, for emailing pictures, etc. Easy to use. I did have to think about how to configure the SMTP service for port 587 (no config box for that, just use something like “your.smtpserver.com:587”). I tried to use it with the Google SMTP service, but that uses SSL and Evocam doesn’t support that. I sent an email to the Evocam support address and had a response back in minutes. I just used another SMTP service.
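Since the “host:port” setting and the missing SSL support were the two snags above, here is an added example, not EvoCam’s code, of what a snapshot-mailing client that does handle both would do. It parses the same “your.smtpserver.com:587” style of setting, picks implicit TLS for 465 and STARTTLS for 587 (or 25), and refuses to send a login in the clear if the server does not offer STARTTLS. The host names are placeholders; no real mail server is assumed.

```python
"""Send one captured picture by SMTP, choosing the TLS mode from the port.

Added example, not EvoCam's own code.  Port conventions assumed: 25 plain
relay or STARTTLS, 587 submission with STARTTLS, 465 implicit TLS.
Host names below are placeholders.
"""
import smtplib
import ssl
from email.message import EmailMessage

DEFAULT_PORT = 25


def parse_server(setting, default_port=DEFAULT_PORT):
    """Split "host" or "host:port" into (host, port); a bad port raises ValueError."""
    host, sep, port = setting.rpartition(":")
    if not sep:
        return setting.strip(), default_port
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host.strip(), port


def transport_for(port):
    """465 speaks TLS from the first byte; 587 and 25 greet in plaintext, then STARTTLS."""
    return "implicit_tls" if port == 465 else "starttls"


def send_snapshot(setting, sender, recipient, jpeg_bytes, username=None, password=None):
    """Email one picture, negotiating TLS according to the port in `setting`.

    Never downgrades: if the server does not advertise STARTTLS the connection
    is closed and an error raised instead of logging in over plaintext.
    """
    host, port = parse_server(setting)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "webcam snapshot"
    msg.set_content("Picture attached.")
    msg.add_attachment(jpeg_bytes, maintype="image", subtype="jpeg", filename="snapshot.jpg")

    ctx = ssl.create_default_context()  # verifies the server certificate and host name
    if transport_for(port) == "implicit_tls":
        server = smtplib.SMTP_SSL(host, port, context=ctx, timeout=30)
    else:
        server = smtplib.SMTP(host, port, timeout=30)
        server.ehlo()
        if not server.has_extn("starttls"):
            server.quit()
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing plaintext login")
        server.starttls(context=ctx)
        server.ehlo()  # capabilities can change after the upgrade
    with server:
        if username:
            server.login(username, password)
        server.send_message(msg)


if __name__ == "__main__":
    # Placeholder values; point at a real submission server to actually send.
    print(parse_server("your.smtpserver.com:587"), transport_for(587))
```

The parsing and mode selection run offline; `send_snapshot` needs a reachable server and credentials, and fails closed if that server cannot protect them.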

As a test, I’ve put up a page (no longer working) that takes a picture of me in my office every five minutes. Not very exciting 😉 but I’ve gotta remember not to pick my nose now!

This should work when my laptop is docked and I’m in my office at UNCG, but obviously won’t when I’m away. I don’t think it will work transparently with the laptop’s built-in iSight, since I’ve got it configured for the external iSight that sits on my Apple Cinema Display.

I took the very easy way out and hosted it on dotmac, since I could just tell Evocam to save the picture on the directory that’s exposed to the web. Could have done it on another server from my “jdunns.com” domain and used FTP, but this was the simplest way to go…

Technology in the public schools…

This evening, I’ve been participating in a meeting of the Chapel Hill Carrboro City Schools Technology Advisory Committee. Interesting discussions, and a “caucus” to work toward prioritizing what can be done with the resources available. This school system is the best-performing one in the state, and the parents are highly educated and affluent. However, it’s still challenging to get the resources needed to get the things needed to do the job. This evening we’ve discussed:

  • Providing teachers with a multi-media laptop
  • Creating a 21st century classroom (projectors, whiteboards, etc.)
  • Refreshing student instructional computers
  • Providing 1:1 computing access for all students
  • Installing secure wireless access through all schools

A tough set of choices as all need to be done…

Facebook groups…

So, I finally created my first facebook group…”flyfish@”, for my virtual flyfishing buddies on the Flyfish listserver. I’ve got 21 folks signed up in just a couple of days, and a bunch of pictures loaded, and some new facebook friends. My good friend Dave Lewis was not a facebook user, and he’s now using facebook, and seems to be getting into the spirit of things.

Even though it’s focused on the listserv community, it’s an open group.

I may create a facebook group for my neighborhood…I know at least one other person here in the neighborhood who’s on facebook.

Cool 😉

Leopard…

So, I’ve been running Mac OS X 10.5 (aka Leopard) on my work MacBook and my home iMac for over a week now…I’m pleased. A very smooth transition. I like the new features, like Time Machine, the Mail.app notes/to do’s, Spaces, and iChat enhancements. I have had one crash (the Mac equivalent of BSOD) on my MacBook, but it’s had maybe 2 or 3 of those crashes in the 7 months I’ve used that MacBook. I don’t think my iMac has ever crashed (I’ve had this one about 8 months).

I didn’t do a Leopard upgrade on my Intel-based Mini (den media center PC) nor my wife’s PowerPC PowerBook. I’d recommend that all my Mac buddies that have new generation Intel Macs give it a go!

My Apple stock will be happy if you do ;-).

Bluetooth modem weirdness…

So, decided to get my wife to drive on the college visit trip (see previous post), so I could work some on a strategic planning document I need to get some traction on…

While I was riding, I thought I’d check my email, since I’ve got my blackberry 8830 configured as a tethered modem with my MacBook. However, it would not connect. I was reduced to paying $9.95 for connectivity at the hotel 🙁

However, with my “fine” ethernet connectivity (packet loss, jitter, etc.), I decided to see if I could figure out the problem with my bluetooth modem. It would connect and immediately drop. I’d just last weekend upgraded to Leopard, and figured that must be the problem. Did some web searches and didn’t find anything relevant. So, I changed the modem settings to something that shouldn’t have worked, and it didn’t. Then, changed back to the original settings. Damn thing works perfectly now. Go figure.

Google IMAP

So, Google now supports IMAP for Gmail! Fantastic! I’m testing it right now with mail.app on my Mac running Leopard (I’ll do a blog post on Leopard later). It seems to work well. Because of the nature of Gmail, it does some things differently. Here’s a chart that describes common IMAP actions and what happens in Gmail. There is one thing that it does that doesn’t seem to be described in the Gmail documentation. It’s not a problem, just undocumented. When you delete a message from the IMAP Inbox, it removes it from the Gmail inbox, which you expect…it leaves it in any other labels where the message may appear. However, it also creates a new Gmail label “deleted messages” and puts the message there, as well. It’s not really deleted (in the Gmail trash), apparently just flagged.

I’ll keep on using it a bit. I’ve gotten really used to the Gmail web interface, however. The one thing that this does, though, is re-enable use of X.509 certificates for digital signatures/encryption, as that’s handled in the client.