Ask DACS
October 2011

Moderated and reported by Jim Scheef.

Ask DACS is a Question and Answer session before the main presentation at the monthly General Meeting. We solicit questions from the floor and then answers from other audience members. My role as moderator is to try to guide the discussion to a likely solution to the problem.

Q – A question submitted by email: A currently "popular" type of spam is an email addressed to you and some of your friends that seems to have been sent by someone you know and includes a link, sometimes without any text and sometimes with a sentence recommending whatever is in the link. What is going on? Has the apparent sender's computer or email been hacked? What, if anything, can I do to stop this?

A - This topic could fill an entire general meeting program. First, do not click on the link in that email; it will surely infect your computer with malware. This malware will then run with your security privileges (do you run as an administrator on your system?) and thus have complete control of everything on your computer. Second, the odds are that the email did not come from your friend. The sender email address is almost certainly spoofed. Rather than summarize material from various websites, I will send you to a couple of resources I found while investigating this question:

Open this webpage and then explore the "variations on a theme" to see the many ways this type of spam is created and sent. At the meeting I implied that the problem emails were coming from a DACS member's computer and, as stated above, this may not be the case.
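The answer above says the sender address is almost certainly spoofed. The signs of that are in the message headers, which every mail client can display. The following Python script is an added example, not code from this column or from DACS: it reads the headers of two constructed messages (all addresses, domains and IPs are made up) and lists the reasons to doubt the From: line: the envelope sender (Return-Path) belongs to a different domain, the receiving server's SPF check failed, no DKIM signature passed, and the earliest hop your own server recorded is not the friend's provider.

```python
import email
from email.utils import parseaddr

# Constructed sample: the From: line claims a friend, but the envelope sender,
# the originating hop and the receiving server's SPF verdict say otherwise.
SAMPLE_SPOOFED = """\
Return-Path: <bounce-12345@bulkmailer.example.net>
Received: from mail.bulkmailer.example.net (mail.bulkmailer.example.net [192.0.2.10])
    by mx.example.org with ESMTP id abc123; Mon, 3 Oct 2011 09:12:33 -0400
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulkmailer.example.net
From: "A Friend" <friend@example.com>
To: you@example.org, another-friend@example.org
Subject: (no subject)
Message-ID: <20111003131233.7f3a@bulkmailer.example.net>

http://link.example.net/x
"""

# Constructed sample: a message that really did arrive from the friend's provider.
SAMPLE_LEGIT = """\
Return-Path: <friend@example.com>
Received: from mail.example.com (mail.example.com [198.51.100.5])
    by mx.example.org with ESMTP id def456; Mon, 3 Oct 2011 09:15:01 -0400
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "A Friend" <friend@example.com>
To: you@example.org
Subject: lunch on Friday?
Message-ID: <4e89b2c1.5060302@example.com>

Are you free Friday?
"""


def header_domain(value):
    """Domain part (lower-case) of the first address in a header value."""
    _name, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return the reasons to doubt the From: line; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw_message)
    reasons = []
    from_domain = header_domain(msg.get("From"))
    envelope_domain = header_domain(msg.get("Return-Path"))
    # 1. From: is forged freely; the envelope sender is where bounces go, so it
    #    usually reveals the domain that really injected the message.
    if from_domain and envelope_domain and from_domain != envelope_domain:
        reasons.append(f"From domain {from_domain} differs from envelope sender domain {envelope_domain}")
    # 2. Authentication-Results is written by the receiving server, not the sender.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("receiving server reports an SPF failure for the envelope sender")
    if "dkim=pass" not in auth:
        reasons.append("no passing DKIM signature")
    # 3. Received headers are stacked newest-first, so the last one is the earliest
    #    hop your own server can vouch for; a friend's mail should enter from their provider.
    received = msg.get_all("Received", [])
    if received and from_domain and from_domain not in received[-1].lower():
        reasons.append(f"earliest Received hop does not involve {from_domain}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

The Return-Path and Authentication-Results headers are added by the receiving mail server, so they are the ones worth trusting; everything the sender wrote (From, To, Subject, Message-ID) can be anything. A missing DKIM signature on its own is a weak signal, since many legitimate senders did not sign mail, which is why the script reports a list of reasons rather than a single verdict.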

Q - There are many programs such as media players, Java, Adobe Flash, Acrobat Reader, etc., that all need to be updated once they are installed. I just moved to Windows 7 and don't want to install any more of these programs than necessary. How should one decide which program(s) to install? Some of these programs are redundant, so which media player is best and how should they be configured?

A - This is another excellent question that all of us confront when we buy a new computer or do a clean install of Windows. Once again, this could be an entire presentation, and there was some excellent discussion. Here is a scenario: you turn on your new computer, copy your personal files and documents over from the old machine, and click on a document to read it. Windows pops up a dialog asking you which program should be used to open the file. Since there are many file formats that can be opened or played by many programs, it is up to you to decide which program best meets your needs. For example, Microsoft Word files (the DOC file type) can be opened and edited by many word processing programs. Corel WordPerfect 10 is a competitive word processor that can open and edit the DOC file format. There are several free, open source programs such as Open Office (openoffice.org) that will also work. There is no one "best" program; the choice is yours. Plus, the overly generous size of today's hard drives makes it easy to install several programs in case you can't narrow it down to a single choice. With this in mind, some discussion highlights follow:

  • While Windows includes programs to view or play many different file types, many file formats are proprietary and require that you install a specific program.
  • Adobe Flash is a good example of a proprietary format. If you want to be able to view the content on many websites, you must install the Adobe Flash player. I know of no alternative.
  • Adobe Acrobat files (the ubiquitous PDF file type) are also a proprietary file format but there are now many alternatives to the Adobe Acrobat Reader program. Because Acrobat files can carry executable code, I feel it is best to use a program that gets regular updates to plug newly discovered security holes. A third-party viewer may or may not have the same flaws as the Acrobat Reader program, but at least Adobe provides regular updates.
  • One place where it would seem you could make a choice is sound and video files. Windows includes the Windows Media Player, which handles many such formats - except for a few that belong to Apple. Those formats require Apple QuickTime, which can also play many of the same formats as Windows Media Player. And then there is the RealPlayer from Real Networks, Inc. (www.real.com). As long as these programs are updated regularly, I see no harm in installing them all; plus, it is nearly impossible to actually remove Media Player.
  • In addition to proprietary media players, naturally there are a multitude of open source players. One member mentioned the VLC media player (www.videolan.org). When choosing programs from open source projects, make sure the program is supported and updated. Media files of any type can introduce malware into your computer, and open source programs offer no freedom from such vulnerabilities.
  • A member offered a great suggestion on how to configure media players (see side bar) that makes your favorite player play every file that it is capable of playing, while QuickTime handles the remaining formats that it can play, and the Creative MediaSource 5 Player plays the 5 formats that, of the three players, only it can play. I have no idea what those formats might be, and I don't need to know.

Q - I had an unfortunate confrontation with a rootkit. The malware hidden by the rootkit disabled my AVG anti-virus program. Can anyone recommend a program to remove the rootkit? Note: I could not hear on the recording the name of the scanner used to find the rootkit or the name of the rootkit.

A - My somewhat flippant answer was Darik's Boot 'n Nuke, also known as DBAN (www.dban.org). As someone quickly pointed out, DBAN is a program to completely wipe a hard drive of everything. When DBAN completes, your hard drive will be as clean as it was the day it left the hard drive assembly line. Then you need to reinstall Windows and hopefully follow the procedure outlined last month. Here is why I recommended DBAN: once the bad guys run code on your computer, you no longer own that machine - they do. In Internet slang, you have been "pwned". You may be able to find and remove the rootkit and any obvious files it was hiding, but how can you ever be sure you found and removed every bad program? When Windows is first installed, your hard drive has 20-40 thousand files. The bad guys are deviously clever in hiding their malware amongst those thousands of programs. That said, there are AV programs that claim to find rootkits and maybe even remove them. None of these are the free versions. Also, remember that anti-virus programs can only find things that are known and are included in the signature files. Since many malware programs disable AV updates (but not the "Update successful" messages), this type of malware is super difficult to even find. As noted last month, there are malware programs that can survive a normal drive reformatting as done in the Windows installation. The bad code lives in the partition table, which is not rewritten even when you delete the partition. DBAN wipes the partition table and the master boot record (everything really means everything).

This is the only procedure that I guarantee will rid your machine of all malware. You then must use care to prevent reintroducing the same malware when you reinstall your applications and restore your data files, documents, pictures and music, etc.

A member suggested buying a new hard drive and installing Windows to the new drive. When Windows is completely updated and your AV program is installed and updated, you can install the old drive as a second drive and copy your files to the new drive. Once you are sure you have moved all your old files, run DBAN on the old drive. This is an excellent suggestion and well worth the extra cost.

In my research on this question, I found a rootkit scanner that is new to me: GMER (www.gmer.net), which I have not yet tried but which has many recommendations. Other scanners, which I have tried with indeterminate results: RootkitRevealer (Microsoft Sysinternals), Sophos, and McAfee. Most AV companies offer a free standalone scanner.
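The answer's point is that a normal reformat rewrites the file system but leaves the first sector of the disk (boot code plus partition table, the master boot record) alone, which is exactly where boot-sector rootkits persist, and that DBAN zeroes that sector along with everything else. The Python script below is an added example, not code from this column or from the DBAN project: it decodes a 512-byte MBR into its boot-code area, partition entries and signature, and reports whether the sector looks wiped. The two sample sectors are constructed here; on a real disk the sector would come from reading the first 512 bytes of the device (which needs administrator or root rights), and a clean MBR says nothing about firmware or a separate boot partition.

```python
import struct

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445: boot code, where a bootkit hides
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partition_entry(entry):
    """Decode one 16-byte MBR partition entry (helper written for this example)."""
    status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,   # 0x80 marks the active (boot) partition
        "type": ptype,                # e.g. 0x07 = NTFS/exFAT, 0x83 = Linux
        "lba_start": lba_start,
        "sectors": num_sectors,
    }


def inspect_mbr(sector):
    """Summarise a 512-byte MBR: is the boot code non-zero, is the signature
    present, and which partition entries are populated."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        if any(entry):                # an all-zero entry is an unused slot
            partitions.append(parse_partition_entry(entry))
    return {
        "bootstrap_nonzero": any(sector[:BOOTSTRAP_SIZE]),
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def looks_wiped(sector):
    """True when the sector carries no boot code, no signature and no partition
    entries, which is what a full wipe such as DBAN leaves behind."""
    info = inspect_mbr(sector)
    return not (info["bootstrap_nonzero"] or info["has_boot_signature"] or info["partitions"])


# Constructed sample: a populated MBR with a stub of boot code and one bootable
# NTFS partition starting at LBA 2048 (typical of a Windows 7 install).
POPULATED_MBR = (
    b"\xeb\x3c\x90" + bytes(BOOTSTRAP_SIZE - 3)
    + struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    + bytes(48)                       # three unused entries
    + BOOT_SIGNATURE
)

# Constructed sample: the first sector after a full wipe.
WIPED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    # On a real disk: sector = open("/dev/sdX", "rb").read(512)  (root required)
    for name, sector in (("populated", POPULATED_MBR), ("wiped", WIPED_MBR)):
        print(name, inspect_mbr(sector), "wiped:", looks_wiped(sector))
```

Running it shows the populated sector with its boot code, signature and one active partition, and the wiped sector with none of them. Checking the drive this way after the wipe, before the Windows installer writes a fresh MBR, confirms the old partition table and boot code really are gone rather than assuming it.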

Q - Occasionally I receive duplicate copies of email messages. What causes this and how can I prevent it? I use the Macintosh Mail application on an EarthLink account using the POP3 protocol. The duplicates actually exist on the server where I can see the duplicate message when using webmail.

A - No one had a really definitive answer. One member suggested that the anti-spam practice of "greylisting" might be the cause, but that would not explain the duplicates you see when you copy yourself, as there would be no greylisting in that case. It is very difficult to diagnose a problem that is intermittent and thus cannot be reliably reproduced. I suggested switching to the IMAP4 protocol, but, while this is a good idea, it does not address the fact that you see the duplicates on the server. You could do some sleuthing when this happens again on an email you copied to yourself: contact the person to whom you sent the message and ask whether s/he received it twice. If so, it would point to the originating server (EarthLink) as the culprit. Richard offered to show how to turn on the detailed headers in Mac Mail at the next Apple SIG meeting.
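Once the detailed headers are visible, the sleuthing the answer describes comes down to two questions: do the two copies carry the same Message-ID (one message duplicated in transit or on the server) or different ones (the client sent it twice), and at which hop do their Received chains start to differ? The Python script below is an added example, not code from this column or from DACS, that answers both for a small constructed mailbox (all hosts, addresses and IDs are made up).

```python
import email
from collections import defaultdict


def received_chain(raw_message):
    """Return the Received: headers oldest-first with whitespace normalised
    (a message lists its hops newest-first, so the list is reversed)."""
    msg = email.message_from_string(raw_message)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def find_duplicates(raw_messages):
    """Group messages by Message-ID and return {message_id: [received_chain, ...]}
    for every ID seen more than once. A message the client sent twice gets two
    different IDs and therefore does not show up here."""
    by_id = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        by_id[(msg.get("Message-ID") or "").strip()].append(received_chain(raw))
    return {mid: chains for mid, chains in by_id.items() if len(chains) > 1}


def first_differing_hop(chains):
    """Index (oldest-first) of the first hop at which the copies' Received
    chains diverge, or None if they are identical. Divergence after the
    sending server points at the delivery side rather than the sender."""
    first = chains[0]
    for other in chains[1:]:
        for i, (a, b) in enumerate(zip(first, other)):
            if a != b:
                return i
        if len(first) != len(other):
            return min(len(first), len(other))
    return None


# Constructed sample: a note to self as stored on the server.
COPY_A = """\
Received: from store1.example.net by mailbox.example.net id 77a; Mon, 3 Oct 2011 10:00:05 -0400
Received: from smtp.example.net (smtp.example.net [203.0.113.5])
    by mx.example.net id 41b; Mon, 3 Oct 2011 10:00:02 -0400
Received: from my-mac.home (198.51.100.7) by smtp.example.net id 0c9; Mon, 3 Oct 2011 10:00:01 -0400
Message-ID: <20111003140001.ABCD@my-mac.home>
From: me@example.net
To: me@example.net
Subject: note to self

Remember to bring the cables.
"""

# Constructed second copy: same Message-ID, same origin and relay hops, but
# handed to the mail store a second time by a different server.
COPY_B = COPY_A.replace(
    "from store1.example.net by mailbox.example.net id 77a; Mon, 3 Oct 2011 10:00:05",
    "from store2.example.net by mailbox.example.net id 78c; Mon, 3 Oct 2011 10:00:06",
)

# Constructed unrelated message with its own Message-ID.
OTHER = """\
Received: from store1.example.net by mailbox.example.net id 80d; Mon, 3 Oct 2011 11:30:00 -0400
Received: from mail.example.com (mail.example.com [198.51.100.5])
    by mx.example.net id 52e; Mon, 3 Oct 2011 11:29:58 -0400
Message-ID: <4e89c7a2.1040903@example.com>
From: friend@example.com
To: me@example.net
Subject: lunch?

Friday?
"""

if __name__ == "__main__":
    for mid, chains in find_duplicates([COPY_A, COPY_B, OTHER]).items():
        hop = first_differing_hop(chains)
        print(mid, "seen", len(chains), "times; chains diverge at hop", hop)
        for c in chains:
            print("   ", c[hop] if hop is not None else "(identical)")
```

In the sample the two copies share a Message-ID and agree on the first two hops (the Mac to the provider's SMTP server, then on to the inbound MX), diverging only at the final hand-off into the mail store, which is what server-side duplication looks like. If instead the copies had different Message-IDs, the client would be the first place to look.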


Questions for the upcoming meeting can be emailed to askdacs@dacs.org.
Disclaimer: Ask DACS questions come from members by email or from the audience attending the general meeting. Answers are suggestions offered by meeting attendees and represent a consensus of those responding. DACS offers no warrantee as to the correctness of the answers and anyone following these suggestions or answers does so at their own risk. In other words, we could be totally wrong!

© Danbury Area Computer Society, Inc. All Rights Reserved.