-
Removing Antivirus 2009 and its ilk
I get messages like the following one from CK at least a few times every week:
I don’t know if you can help me but I don’t know where else to go. I have Vista on my computer. I use Norton as my antivirus. Yesterday I got this other system security site that keeps popping up. The icon looks like a shield. Background is yellow with black stripes. I went to add remove programs and removed it from there. I went to all programs and system security and deleted it from there. But the icon stays on the right hand side of my computer and keeps popping up when I am on the computer telling me there are 17 threats. I ran Norton and it was OK. This system security firewall alert tells me of the threats. If you go through to try and remove them it asks for a credit card number. I don’t know how to get this off. Do you have any suggestions?
(Frankly, my first suggestion is to get rid of Norton and replace it with a smaller, free alternative, but if you’ve read my books, you know all about it. That doesn’t solve your problem, but it makes me feel better.)
From your description it’s hard to tell for sure, but it sounds to me like you’ve been infected with a piece of cr*pware similar to Antivirus 2009. Norton doesn’t prevent you from installing Antivirus 2009. You get it when you install a program that says it’s detected a gazillion viruses on your computer, and for a nominal fee it’ll remove them all.
Brian Krebs at the Washington Post has a slew of articles about this scummy program and others like it. The worst ones encrypt all of the files in your My Documents folder, and refuse to open them unless you pay a ransom.
To get rid of it, there’s a removal program from PC Tools (a very reputable scum-busting company) that’s explained on the 2-spyware site. That’s a good place to start.
Unfortunately, I don’t know of any product that will remove all of the Antispyware 2009 clones. You may have to re-format your hard drive and start all over.
That’s the price you pay for believing the scare tactics these companies use. A good, free antivirus program will protect you from some of the pernicious scum. But even the most bloated and expensive antivirus programs (I won’t mention Norton and McAfee by name) won’t always save you from shooting yourself in the foot.
-
Microsoft plans major Windows 7 announcement – urp
Okay, so I’m seeing notices all over the Internet that Microsoft is going to make a “major” Windows 7 announcement shortly. InfoWorld said:
Microsoft will make “major new announcements” relating to its forthcoming Windows 7 operating system when it launches the Release Candidate of the OS, according to a British technology news site.
Well, of course Microsoft will make major new announcements when the RC ships. It’s another non-news event that doesn’t even rise above the background level – one of the reasons why I haven’t posted anything about it.
That was until I read Paul Thurrott’s take on the topic:
I do know what at least one of these big surprises is. And no, I’m not talking. But let’s just say I’ve been hinting at it for a while now.
Gad.
My guess is that Microsoft will announce some sort of Windows XP emulator that runs under Windows 7 Enterprise Edition. (No, they won’t call it an emulator, they’ll call it “Enterprise Desktop Virtualisation” but – with apologies to the developers who hate the term – it’s basically a fancy emulator.) That’ll make a lot of companies happy. But it’s not something I would call major.
Major would be an announcement about Morro. You may recall that Morro is the promised FREE Microsoft antivirus/antimalware program that’s supposed to ship in “the second half of 2009.” Ryan Naraine has a good write-up on his ZDNet blog.
I’d stand up and cheer for Morro – if only because it’d reduce the cries of pain from Norton and McAfee users.
-
MS-DEFCON 4: Apply all outstanding patches except 951847 and 960715, and watch out for other problems
It’s time to get patched up.
Last month’s crop of Black Tuesday patches turned out pretty good. One of them, KB 959772, is a CYA patch that lets people play music they’ve already bought from Microsoft. None of the three seems to be causing undue heartache.
I still recommend that you HOLD OFF on these patches:
KB 951847 is a mess of a patch of a patch of a patch of the .NET Framework in Windows XP. I’m beginning to think that it’ll never get fixed – you’re better off waiting until you upgrade to Vista or (better) Windows 7, which have .NET baked in.
KB 960715, the ActiveX killbit update, still breaks many programs. I don’t think the cure is any better than the disease. Of course, you’re using Firefox (or Chrome) – or any Web browser that doesn’t directly expose your machine to ActiveX infections, right?
KB 967715, the Conficker-killer that doesn’t work, is worth installing, but make sure you understand its limitations, as I posted in mid-March.
I’m still ambivalent about Windows XP Service Pack 3, KB 936929. If you’ve been keeping up on all of your patches, it’s a toss-up. If you decide to install it, and you have problems, be sure to check out Microsoft’s Knowledge Base article KB 950718.
I’m also ambivalent about Internet Explorer 8. Mark Edwards has a good analysis of the situation on the Windows Secrets web site.
That brings us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.
To get patched up, click Start, All Programs. Near the top of the list you see either Windows Update or Microsoft Update. Click on that and tell Windows Update that you want to perform a “Custom” update. Be prepared to spend ten to fifteen minutes – longer, if you haven’t patched in a while. When you’re done, make sure you have Automatic Updates set to “Notify but don’t download or install” by clicking Start, Control Panel, Security Center.
My general admonition about applying hardware driver patches still applies: Ain’t broke, don’t fix. That is, unless you have a very specific reason for installing a new driver, don’t do it.
-
How Google serves servers: shipping containers
I’m not sure how long it will take for Google to force this one off the air, but right now you can see a hand-held camera recording of a presentation that shows how Google uses 40-foot shipping containers to house server farms – up to 1,160 servers per container, according to the presentation.
Fascinating stuff.
-
Google to Twit?
Man, the merger rumors are out in full force.
The New York Times reports that IBM is poised to pay $7 billion for Sun.
And TechCrunch says they have reports from two independent sources that Google is close to buying Twitter.
Must be something in the water.
UPDATE: Kara Swisher at All Things Digital says, “In fact, Twitter and Google (GOOG) have simply been engaged in ‘some product-related discussions,’ according to one source, around real-time search and the search giant better crawling the microblogging service.”
So why does the rumor get such traction? Because Google buying Twitter makes a whole lotta sense, for both sides.
-
So what happened to Conficker?
Lesley Stahl notwithstanding (don’t get me started – I saw the coverage on CNN, too, and was ready to throw my shoe through the TV), Conficker Day came and went with nary a peep.
That’s reason to forget about Conficker, right?
Well, no. Actually, more than anything, it shows that the person (or people) behind Conficker is (are) very smart. They’ve changed their infection mechanism, making it much harder to crack, and they managed to slip in the update without triggering any alarms.
You need to be very aware of Conficker. Some day, somebody is going to offer the person (people) who controls Conficker a great deal of money, and there’s no telling what they will do.
So test your machine. Follow Brian Livingston’s advice and scrub your system. In the same way that I advised you to not worry about April 1, I’m also telling you that Conficker is a formidable problem that hasn’t gone away.
It’s just sleeping. On about one million Windows XP PCs.
-
Another PowerPoint 0day
Microsoft just posted Security Advisory 969136, which talks about a newly discovered 0day security hole in PowerPoint. If you use PowerPoint 2000, 2002 (the version in Office XP) or 2003, you’re vulnerable. PowerPoint 2007 dodges the bullet.
If you open a malevolent PPT file – whether you downloaded it, or the file came attached to an email message – PowerPoint’s input routine (called a “parser”) can be made to hiccup, and run a program buried in the slideshow. You won’t even know that it’s happening.
Quoth Microsoft: “So far we’re aware of several distinct exploit files which have been used. They all seem to be used only in targeted attacks and therefore the number of affected customers is very low.”
Microsoft recommends that you use MOICE to automatically convert files to PowerPoint 2007 format (PPTX) and back. The round-trip plugs this security hole. For more info, see Security Advisory 969136.
There’s a detailed discussion of the hole on the MS Security Research Center blog. You can see several examples on the Microsoft Malware Protection Center blog.
In general, you don’t need to worry about it at home, but if you work for a large company – or one with systems worth cracking – it would be wise to avoid opening PPT files unless you know their precise pedigree. Even better, install MOICE. It’s relatively painless.
-
Running the Malicious Software Removal Tool while keeping it from phoning home
With the Conficker scare finally behind us (see! I toldja so!), I got an interesting message from an old friend who ran Microsoft’s Malicious Software Removal Tool, but figured out how to keep the MSRT from phoning home during the run.
Here’s what he says:
The Malicious Software Removal Tool EULA tries to get you to give permission for MSRT to “phone home”, in order to give MS a feel for how many infections, and on which versions of Windows, are out there in the wild. Sadly, MS has SUCH a bad track record about saying one thing and doing quite another – reporting home with ALL software names (not just the apps being updated nor just MS’s apps – ALL software and version #s on your PC get reported) and version numbers during a software patch, for example – that MS can’t be trusted to be telling the truth in their EULA.
The EULA also warns that the MSRT won’t work after 60 days, and that sharing/redistributing/copying the file is prohibited.
Interestingly, deeply buried in one of the support pages on the website, there’s a way for PC nerds to block MSRT’s phone-home. It involves entering two new keys in the Windows registry: definitely not something for a n00b to do. Strangely, MSRT has a lot of command-line switches like “find but don’t fix malware”, but MS didn’t bother to make “don’t phone home” one of those command-line switches.
Anyway, I didn’t connect my Wi-Fi, thus eliminating the possibility that MSRT could phone home. I then ran MSRT twice, first using “rapid scan” and then “complete scan”. It took 5 minutes to do a simple scan, and found nothing. It took 8 hours to do a complete scan of 1 terabyte of data in 14 partitions, during which it discovered and “partly uninstalled” three viruses. During the procedure, Avira’s resident shield twice popped up to deal with those viruses. One “virus”, by the way, was a fragment of the driveby malware that sat on AskWoody.com early last year, and which I’d stored in email and in a text file. Avira routinely finds the fragment in the text file, but had never before spotted the code in my email.
Clearly, MSRT found and somehow “revealed” these viruses in such a way that Avira could find and delete ’em.
MSRT appeared to complete normally, and – again – was fully prevented from phoning home by the simple expediency of shutting off the WiFi during that Windows session.
MSRT created several randomly named, easily deleted folders with hidden files, branching off the root directories, on at least two of my partitions.
Just one note from me: Microsoft is allowing Web sites to distribute the MSRT. If you look at Knowledge Base article 890830, MS says, “Per the terms of this tool’s license terms, the tool can be redistributed. However, make sure that you are redistributing the latest version of the tool.”
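For the PC nerds my friend mentions, here is an added example (mine, not from his message or from Microsoft) that applies the policy setting I understand KB 891716 documents for turning off MSRT’s infection reporting, verifies it was written, checks that no network adapter is connected (the belt-and-braces approach he used), and then runs MSRT in detect-only mode. The registry path, value name and MRT switches are my reading of KB 891716 and KB 890830; confirm them against those articles before relying on this.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell prompt.
# Registry location and value name are assumed from KB 891716; MRT switches from KB 890830.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$ValueName = 'DontReportInfectionInformation'

function Set-MrtReportingDisabled {
    # Creates the policy key if needed and sets the DWORD to 1 (reporting off).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
                     -Value 1 -Force | Out-Null
}

function Test-MrtReportingDisabled {
    # True only when the value exists and is exactly 1; anything else means MSRT may still report.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq 1)
}

function Get-ConnectedAdapters {
    # NetConnectionStatus 2 = "Connected" in Win32_NetworkAdapter (works on XP and Vista).
    Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionStatus -eq 2 }
}

Set-MrtReportingDisabled
if (-not (Test-MrtReportingDisabled)) {
    throw "Policy value was not written; do not assume reporting is off."
}

$live = @(Get-ConnectedAdapters)
if ($live.Count -gt 0) {
    Write-Warning ("Network still up on: " + (($live | ForEach-Object { $_.Name }) -join ', '))
    Write-Warning "Disconnect (as in the post) if you want a guarantee, not just a policy."
}

# /N = detect only, do not remove. Use /F instead to force the extended (complete) scan,
# which my friend reports took hours on a large disk. Results land in %windir%\debug\mrt.log.
$mrt = Join-Path $env:SystemRoot 'System32\MRT.exe'
if (Test-Path $mrt) {
    & $mrt /N
    Write-Host "MRT exit code: $LASTEXITCODE. Log: $env:SystemRoot\debug\mrt.log"
} else {
    Write-Warning "MRT.exe not found in System32; run the downloaded MSRT executable instead."
}
```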
-
Microsoft too big to fail – asks for $20 Billion
OK. I couldn’t resist.
Check out the InfoWorld article, and be sure you make note of the filing date.
-
MS-DEFCON 2: Where we stand
Sanda posted this:
What about KB960715, which was on hold a while back? It is still being “offered” to me. Do we “do it” or let it still stay on hold? (I may have missed a post about it.)
I still say hold off. KB 960715 – the killbit patch – breaks many programs. It isn’t worth installing. Microsoft’s next gigantic IE patch should eliminate the need for setting the killbits.
Bottom line: If you’ve been following along here, and you applied the February patches, hold off on everything available, except the Windows Defender update, the Junk Mail Filter update(s), and the Malicious Software Removal Tool.
Reader JS writes:
Woody, I have been slow to move on SP3. Now with this new virus, I’m wondering whether I should go ahead with the update? I’ve also held off certain updates in the past based on your “stop-light system” and your update listings. I’m not a major computer user… just email, web searches, word processing… the basic stuff. What do you think? Love your tech books!!!
If you haven’t been following along here, and you haven’t applied patches (such as Windows XP Service Pack 3) for a long time, get patched up. Apply every patch out there. And do it now. It’s better to get completely patched than to have one of the “low hanging fruit” security holes present on your system.
I’m still ambivalent about Windows XP Service Pack 3, in particular: if you’ve been keeping your system patched, it has very little to offer. But if you haven’t patched in many months, you should apply SP3 and everything else you can get your hands on. (Except for hardware driver patches, which are a different can of worms entirely.)
Once you’ve gotten your system patched, keep an eye out here for the latest updates. It could save you a lot of headache.
-
Hold off on KB 958690, 960225, 959772
The other patch Tuesday has come and gone, and there’s a bunch of patches waiting for your approval.
As usual, I advise you to hold off on all of the patches, except the Junk E-Mail Filter, any Windows Defender updates and the Malicious Software Removal Tool, KB 890830.
Yes, that means you should apply Junk E-Mail Filter updates, Windows Defender updates, and you should run the latest Malicious Software Removal Tool (which may or may not remove the latest version of Conficker).
Speaking of which… It’s April 1, Conficker has turned over a new leaf, and the earth is still spinning. Amazing.
-
MSN Encarta bites the dust
MSN Encarta, the CD/shrinkwrapped/online encyclopedia that Microsoft bought from Funk & Wagnalls in 1993, is about to kick the bit bucket.
The official announcement states:
On October 31, 2009, MSN Encarta Web sites worldwide will be discontinued, with the exception of Encarta Japan, which will be discontinued on December 31, 2009. Additionally, Microsoft will cease to sell Microsoft Student and Encarta Premium software products worldwide by June 2009.
I’ve wondered for many years how Microsoft could keep Encarta afloat, with so much more information available, free, to anyone who learned how to use Google or dabbled with Wikipedia.
The other for-pay online encyclopedias must be counting the days. It’s sad in many ways, but inevitable – and good for the consumer.
Suckers, er, customers who actually paid for Encarta will get a pro-rated refund applied directly to their credit cards. That part probably cost Microsoft $100.