Ask DACS
September 2011

Moderated and reported by Jim Scheef.

Ask DACS is a Question and Answer session before the main presentation at the monthly General Meeting. We solicit questions from the floor and then answers from other audience members. My role as moderator is to try to guide the discussion to a likely solution to the problem.

Q – DACS.doc ran a series of articles on computer health (see the July, August and September, 2011, issues at dacs.org). In Part 3 (September) the author mentioned a program called CCleaner. Has anyone had experience with this program and is it any good? Does the free version do anything at all?

A - One member said that he does use the product and the free version does clean out temporary files. The only possible side effect he has noticed is that the schedule of future programs in his Media Center PC will disappear but he had no hard evidence that this was caused by CCleaner. He also noted that there are many options in the program that he does not use. My observation with such programs is that if the free version detects something that can only be removed or fixed by the pay version, the program will make this abundantly clear. Another caveat would be that a 64-bit version of Windows will require a program that understands the 64-bit registry format.

D - Another member recounted that his antivirus program detected something questionable so he took the opportunity to do a clean reinstall of Windows. This would be an alternative to using a registry cleaner product that can only find anomalies in the registry like references to files that no longer exist. The result is a Windows installation without all the old programs that are no longer used and a much smaller registry. The downside is that all applications must be reinstalled and reconfigured. He stated his computer had (almost) all data on a separate partition and he had backups of things like Outlook mailbox (pst) files that normally reside on the C-drive. This process requires that you find all of the installation media for all of the applications you plan to reinstall, which can be a deal-breaker for some.

Q - Recently I had a situation where my email program mysteriously sent out copies of an email to everyone in my address book. What happened?

A - This problem is caused by malware that reads your address book and uses that list to propagate to more computers. You need to run a thorough antivirus scan using up-to-date virus signatures which will (hopefully) find and remove the problem malware. Until then your computer is still infected. The first such program was the Melissa virus in 1999 that clogged corporate email systems for several days as it propagated wildly. This proof of concept led to more nefarious email worms over the years.

D - The discussion then turned to rootkits, which can hide the existence of files on the computer. The reader is directed to the Wikipedia entry on rootkits.

Q - Sometimes while browsing the New York Times website (and possibly others) my computer will become sluggish and I'll see references to Google Analytics in the status bar. Is Google mucking around in my computer? What's happening?

A - The NY Times, like many other websites, uses tools from Google and other places to build the final page that you see. You can see more clearly by installing the Firefox add-on NoScript. NoScript (noscript.net) is a "script firewall" that runs in Firefox. By default NoScript prevents all JavaScript from running when you open a webpage. What you see is a list of the domains (such as googleanalytics.com, or doubleclick.com) that have scripts embedded in the webpage you just opened. Generally, these scripts are not malware but were placed there by the web developer to format the page to suit your browser, track your visit, display advertising, run a shopping cart, etc. NoScript then allows you to authorize each script (or all at once) either forever or just for this visit. This process will drive most people nuts but I've grown used to it. In my case I have blocked some domains permanently - like doubleclick.com - and some domains, like googleanalytics.com, are whitelisted so they always run automatically. Occasionally I'll see a script referenced from a server identified only by an IP address. This is not always something nefarious, but I generally just ignore those so they cannot run. NoScript has many, many options that are beyond the scope of this discussion.

Here is what NoScript shows on my machine when I open nytimes.com.

NoScript view of nytimes.com

Note that nytimes.com, nyt.com and googlesyndication.com have already been enabled, while chartbeat.com and others are blocked. Three domains have been marked as "untrusted" which means that NoScript blocks those scripts while tricking the webpage into thinking that they ran successfully. The price for this can be a slight delay in loading the webpage.
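To make concrete what that NoScript list is showing, here is an added Python script (not from the column and not NoScript's own code) that pulls every script inclusion out of a page, reduces each to its base domain and buckets it under a per-site policy like the one described above. The page fragment, the policy table and the "last two labels" domain rule are constructed assumptions for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment standing in for the script tags NoScript lists on nytimes.com.
SAMPLE_HTML = """
<script src="/js/app.js"></script>
<script src="https://static.nyt.com/lib.js"></script>
<script src="//pagead2.googlesyndication.com/ads.js"></script>
<script src="https://static.chartbeat.com/beat.js"></script>
<script src="https://ad.doubleclick.com/tag.js"></script>
<script src="http://203.0.113.10/x.js"></script>
"""

# Per-site policy in the spirit of the settings described above; anything not listed is blocked.
POLICY = {"nytimes.com": "allow", "nyt.com": "allow",
          "googlesyndication.com": "allow", "doubleclick.com": "untrusted"}

class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag, the same inclusions NoScript reports."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def base_domain(host: str) -> str:
    """Naive registrable domain: last two labels (assumption; fine for .com-style hosts)."""
    return host if is_ip(host) else ".".join(host.split(".")[-2:])

def audit_scripts(html: str, page_host: str, policy: dict) -> dict:
    """Bucket each script domain as allow / untrusted / blocked; bare IPs are kept apart."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {"allow": set(), "untrusted": set(), "blocked": set(), "ip": set()}
    for src in collector.sources:
        host = urlparse(src).hostname or page_host   # relative src loads from the page's own host
        domain = base_domain(host)
        bucket = "ip" if is_ip(domain) else policy.get(domain, "blocked")
        report[bucket].add(domain)
    return report

if __name__ == "__main__":
    for bucket, domains in audit_scripts(SAMPLE_HTML, "www.nytimes.com", POLICY).items():
        print(f"{bucket:>9}: {', '.join(sorted(domains)) or '-'}")
```

Running it prints the same kind of grouping NoScript shows: the three allowed domains, doubleclick.com as untrusted, chartbeat.com blocked by default, and the bare-IP script listed separately so it is never allowed by accident.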

Q - I use Norton Anti-Virus; is that or McAfee the best and will it prevent me from getting a keylogger, rootkit or similar program?

A - My view on this is that picking an anti-virus program is like choosing between a Ford and a Chevy. The various anti-virus or anti-malware programs are constantly changing as they adapt to the threats out in the world. One member gave good advice when he suggested the need to read the feature lists of any such program you consider for your computer. Some programs have a limited feature list and do not attempt to detect rootkits. These limited anti-virus programs are typically the free versions with more extensive detection reserved for the "pay" version. The bottom line is that no anti-virus or anti-malware program will detect everything. All of these programs are "reactive" in that they cannot protect against unknown threats. This is why it is critical to keep your virus definitions up to date. A program that does not check for and install updates automatically is worthless because it will be out of date tomorrow. A member suggested AV-Comparatives.org where they offer: "independent comparatives of Anti-Virus software. All products listed in our comparatives are already a selection of some very good anti-virus products. In order to get included in our main tests, vendors must fulfill various conditions and minimum requirements."

Q - Will reinstalling Windows 7 get rid of a rootkit? What about deleting the partition?

A - There is malware that installs a stub in the area of the hard drive where the master boot record and partition table are stored. Since the partition table is not destroyed when a partition is deleted, these malware programs can survive not only a conventional reformat but even deleting the partition. This was demonstrated at the Black Hat Security Conference a couple of years ago. The only sure way to eliminate such malware is to totally wipe the hard drive using a tool like Darik's Boot and Nuke (DBAN) that totally writes over every sector of every track on the disk. When I use this tool I just write 0's to the disk in one pass. DBAN offers wiping routines that will overwrite the disk so thoroughly that even the NSA can't recover the data. These routines will run for days and are not worth the trouble. With just a single pass, the computer will think the disk just came from the factory and write a new partition table during disk initialization and format. A member cautioned that if your malware came from something that you reinstall, you will reinstall the malware. So use care when choosing what you reinstall.

D - The discussion then moved to suggested methods to rebuild the computer "clean" of malware. Rob suggested buying a new hard drive and installing that in place of the original drive. After installing Windows and your chosen anti-virus program, you can install the old drive as a second drive and gradually move your data files over to the new drive. When you have recovered all your data, wipe the old drive.

When installing Windows, I suggest the following procedure:

  1. Install Windows from the CD that came with your machine. For some manufacturers, this is the only way you can reinstall Windows due to limitations in the BIOS. The CD is often called a "restore disk" because it puts your machine back to the way it came out of the box from the factory.
  2. Install the latest Service Pack for your version of Windows. The best way to do this is to download the SP and burn it to a CD prior to starting the rebuild.
  3. If the manufacturer's CD did not install all the device drivers, do that now. These may be on a separate CD.
  4. Run Windows Update multiple times until it says there are no more updates for your machine. This can require as many as four passes to get all the updates.
  5. Install the anti-virus program of your choice and run its update procedure until it says your AV is up to date. Again, this may require more than one pass to update both the program and the threat definitions.
  6. Install the old drive as a secondary drive and scan it with the freshly installed and newly updated anti-virus program. Delete anything found to be infected.
  7. Make a backup of the new hard drive at this point while it is still "pristine". Just be sure you never boot the computer off the old hard drive, or all your work could be for naught.
  8. Begin the process of reinstalling your applications under the new Windows installation.

Q - I'm finding that fewer and fewer laptops offer a FireWire port. What's happening?

A - Richard suggested that as the industry moves to USB 3.0 the extra speed makes FireWire superfluous. Even Apple seems to be phasing out support for FireWire. Rob added that as devices like camcorders have internal hard drive (or flash drive) storage, there is no longer a need to transfer at full uncompressed video speed.

Q - There is a "mystery partition" on one of my machines. It's about 50 GB. Fdisk reports that it is formatted NTFS, but Windows says it's "empty". Is there something like an editor that can look at this space to see if there is anything on it?

A - Rob suggested installing EXT2IFS to see if the partition is actually formatted for Linux using the EXT2 file system. Another tool is one of the GUI-based clones of Partition Magic, QtParted or GParted, that run under Linux. The easiest way to use one is to boot your machine using a Linux "live CD" such as Knoppix and look for the partition program included with your particular Linux distribution. Both of these tools use the same partitioning software under the covers and only the GUI varies.
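The bootkit answer above (a stub living in the MBR sector that survives deleting a partition, versus a single-pass zero fill) and the "mystery partition" question both come down to what is in the first 512 bytes of the disk. Here is an added Python example, not from the column or from DBAN, fdisk or GParted, that parses an MBR sector: it reports whether the boot-code area is non-zero, lists the partition entries with their type byte (0x07 NTFS, 0x83 Linux), shows that "deleting" a partition only zeroes its 16-byte entry, and checks whether a sector has been zero-filled. The sample sector and the partition-type table are constructed for the example.

```python
import struct

# Small constructed subset of MBR partition type bytes, enough for the cases discussed above.
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x82: "Linux swap", 0x83: "Linux (ext2/3/4)", 0xEE: "GPT protective"}

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code a bootkit would replace
ENTRY_OFFSET = 446         # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"    # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, boot-code status and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[ENTRY_OFFSET + 16 * i: ENTRY_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
                        "lba_start": lba_start, "sectors": sectors,
                        "size_mib": sectors * SECTOR // (1024 * 1024)})
    return {"valid_signature": sector[510:512] == SIGNATURE,
            "boot_code_is_zero": not any(sector[:BOOT_CODE_LEN]),
            "partitions": [e for e in entries if e["type"] != 0x00]}

def delete_partition(sector: bytes, index: int) -> bytes:
    """Mimic a partition delete: zero one 16-byte entry and leave the boot code untouched."""
    off = ENTRY_OFFSET + 16 * index
    return sector[:off] + b"\x00" * 16 + sector[off + 16:]

def is_wiped(sector: bytes) -> bool:
    """True when every byte is zero, as after a single-pass zero fill of the whole disk."""
    return not any(sector)

def build_sample_mbr() -> bytes:
    """Constructed sector: non-zero boot code, a bootable NTFS partition and a 50 GiB ext2 one."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 4)
    ntfs = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)        # 100 MiB, bootable
    ext2 = struct.pack("<B3xB3xII", 0x00, 0x83, 206848, 104857600)   # 50 GiB "mystery" partition
    empty = b"\x00" * 16
    return boot_code + ntfs + ext2 + empty + empty + SIGNATURE

if __name__ == "__main__":
    mbr = build_sample_mbr()
    print(parse_mbr(mbr))
    print("after delete:", parse_mbr(delete_partition(mbr, 1)))
    print("wiped?", is_wiped(mbr), is_wiped(b"\x00" * SECTOR))
```

After the simulated delete the ext2 entry is gone but boot_code_is_zero is still False, which is exactly why the answer above recommends a zero pass over the whole disk rather than deleting or reformatting partitions.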

Q - Last was my question: does anyone know of a lightweight reminder program that runs on Windows 7? I need to replace a program called XReminder that will not install on Win7. XReminder could display a small desktop clock, although that is not critical; the critical part is the ability to display an alarm at 10:03pm every weekday or at 6pm on the third Sunday of each month or... you get the idea. It must be lightweight so it can start automatically with Windows and not use a lot of resources, and a simple interface is, of course, a plus. The alarm function must be sufficient to get my attention even in another room, which means it must sound until acknowledged. I paid for XReminder so cost is not a factor.

A - Suggestions included one of the Windows 7 desktop gadgets. Searching there I find calendars and clocks, but no reminders; one gadget could display a single event, but only one! (Useless) The Outlook calendar is oriented to specific dates and the alarm is barely adequate when you're sitting at the machine. At the other end of the spectrum was a suggestion to use the Task Scheduler to run command line scripts to pop up a reminder. Anyone finding an appropriate program is invited to send me an email with a link to the program's website.

Questions for the upcoming meeting can be emailed to askdacs@dacs.org.
 
Disclaimer: Ask DACS questions come from members by email or from the audience attending the general meeting. Answers are suggestions offered by meeting attendees and represent a consensus of those responding. DACS offers no warrantee as to the correctness of the answers and anyone following these suggestions or answers does so at their own risk. In other words, we could be totally wrong!

© Danbury Area Computer Society, Inc. All Rights Reserved.