February 11th, 2005


Maggie, Emily and my mother in law are off to Germany tonight to visit Maggie's sister there. They'll be there through Feb 28 and then returning. I'm not going because I've got plenty of traveling of my own to do coming up.

First I'm going to Japan Feb 20-25. I'll be going to Kyoto to the APRICOT2005 conference to talk about spam issues as part of my chair of APCAUCE duties. While I'm there I'll take the Shinkansen over to Nagoya for a Dreams Come True concert on Feb 23. Then there's the LONGEST TRAVEL DAY EVER on Feb 25 where I will start from the hotel in Kyoto in the morning, take the subway and train to Kansai International Airport (Osaka), fly to Taipei, go home and repack, clean up and grab a bite, then back to the airport that night to fly to San Francisco, getting there in the evening (still the same day but much later), drive down to Santa Clara and in all likelihood collapse into a puddle for a couple of days. The next week I'm off to Kansas for classes Mar 1-4, back to Santa Clara, followed by a drive down to Santa Barbara after that and return back to Taipei on March 13 (really it's late night on March 12, but since it is just past midnight departure, it says March 13 on the ticket), arriving on March 14 early morning.

I'm getting tired just thinking about all that. Whew.

Oh, and more cookies too...

Maggie wanted me to make some cookies to take to Germany with her for her sister, so I made today:

2 dozen green tea shortbread
2 dozen oatmeal pecan chocolate chip

Seems like a lot of effort to carry cookies all the way to Germany, but I'm getting to be a very lean traveller. I hardly take anything not strictly necessary. On the other hand my wife, daughter and mother in law had 3 big suitcases and 2 medium suitcases plus a few carry-ons for this trip. Now I do tend to bring a fair bit of stuff back to Taiwan with me when I go to US, but otherwise I don't bring much. And even coming back to Taiwan I set a strict limit of 2 bags, and if it doesn't fit it gets left behind.

Maggie just called that her plane is boarding soon. She said one of the bags was too heavy so she had to move some stuff to carry ons. :(

Delousing a Windows box

Maggie's coworker's son got his Windows XP box 0wn3d quite well recently and they asked me to come take a look at it and fix it up. He had been running XP SP1 and had only a couple of additional patches installed, so it was pretty ripe for the picking. He didn't want to upgrade to SP2 because he was worried it would make his computer too slow. He *was* running a Norton anti-virus, but still got loaded up with spyware, adware, clickbots, trojans and ratware. Why anti-virus stuff refuses to handle anything except viruses remains a mystery to me. Anti-virus stuff should block ANY malicious software. He was probably being used to send spam too, because his first-hop ping round trip was 2 seconds almost immediately on bringing up the net connection.

Usually to clean up a box I'd run McAfee Stinger, AVG Free Edition, Ad-Aware SE, and Spybot Search & Destroy and that'd take care of things. Not in this case.

I ran McAfee Stinger which was able to find a couple of copies of Korgo in the cache, but they didn't look like they were active infections. Ad-Aware and Spybot both found tons of malware and AVG found a few, but a lot of it kept re-appearing after being removed. I found that a program called Golden Retriever Cash Back was reinstalling new malware each time. I was able to find registry entries to disable it, and then it was easier to make progress. Ad-Aware and Spybot were able to clean up many of the rest but there were still a few things that they and AVG still didn't find. So then I went through Task Manager to look at each process name in google and see whether it was friend or foe. The bad stuff I'd kill and then search for their files and registry entries and manually remove it.

The real breakthrough was finding out about a program called HijackThis. It's not for the novice, but it was able to find out how some of the stuff I couldn't find with search was getting invoked, and was able to disable it. The ones the other tools couldn't find were running as winx69.exe, ryhpka.exe, winagent.exe, mcafee32.exe and navprotect.exe. Some of the other malware running that I removed included clfmon.exe, Sygate.exe, elitevcy32.exe, pwn.exe, mssce.exe, msfwel.exe, gamma.exe, jah.exe, mssw32.exe, istsvc[1].exe. And that's just the stuff that they could find but couldn't remove automatically.
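Scripting the manual sweep described above (walk the running processes and the startup entries, look each one up, then decide), as an added example that is not the post's own: a PowerShell triage script, assuming a current Windows host (PowerShell was not available on this 2005 box), that lists the Run/RunOnce autostart entries and running processes and flags any whose name matches the post's list, that run from outside Windows or Program Files, or that are unsigned. It reports only; removal stays a manual decision.

```powershell
# Added example, not from the original post: a read-only triage of the two places
# the post's malware was hiding, the Run/RunOnce autostart keys and the running
# process list. It reports and removes nothing. The name list is constructed from
# the process names in the post; the path and signature checks are my own heuristics.
$suspectNames = @('winx69.exe','ryhpka.exe','winagent.exe','mcafee32.exe',
  'navprotect.exe','clfmon.exe','elitevcy32.exe','pwn.exe','mssce.exe',
  'msfwel.exe','gamma.exe','jah.exe','mssw32.exe')
# Legitimate autostart binaries normally live under one of these roots.
$trustedRoots = @($env:windir, $env:ProgramFiles)
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')

function Test-Suspicious {
  param([string]$Command)
  if (-not $Command -or -not $Command.Trim()) { return $false }
  $Command = $Command.Trim()
  # Reduce '"C:\x y\z.exe" /arg' or 'C:\z.exe /arg' to the executable path.
  # (An unquoted path containing spaces is cut at the first space; check those by hand.)
  $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
  $name = [IO.Path]::GetFileName($exe).ToLower()
  if ($suspectNames -contains $name) { return $true }
  # Anything started from outside Windows/Program Files, or unsigned, gets a look.
  $outside = -not ($trustedRoots | Where-Object { $exe -like "$($_)*" })
  $unsigned = (Test-Path $exe) -and ((Get-AuthenticodeSignature $exe).Status -ne 'Valid')
  return ($outside -or $unsigned)
}

'== Autostart registry entries =='
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
    $tag = if (Test-Suspicious $p.Value) { 'SUSPECT' } else { 'ok     ' }
    "$tag $key\$($p.Name) = $($p.Value)"
  }
}
'== Running processes (name or path looks wrong) =='
foreach ($proc in Get-Process) {
  if ($proc.Path -and (Test-Suspicious $proc.Path)) { "SUSPECT pid $($proc.Id) $($proc.Path)" }
}
```

Expect false positives from unsigned but legitimate software; the point is to shorten the list you have to look up by hand, as the post did with Task Manager and HijackThis.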

All in all this took most of the afternoon and evening on New Year's Day (Feb 9). At the end, I updated all security patches through present including SP2, and he had a well machine and good network performance again.

I dunno how regular people are able to get rid of this crap when they get infected this badly. The easy-to-use "click here" software was easily fooled, and several of the infestations were able to elude me for a while. And on top of that, five of them weren't caught at all by anything except me manually going through Task Manager and cleaning up startup programs.

For those of you who aren't being careful, here's some advice:

1) Run good anti-virus software that updates *at*least* once a day. Make sure your mail server uses anti-virus software as well. (I use the pay version of AVG7 and have it set to update every 6 hours. My mail server runs ClamAV and clamassassin and updates every hour.)

2) Have a hardware firewall, or at least a software firewall. (I use a unix box as a firewall, but a USD30 broadband router is usually pretty good as a hardware firewall.) XP SP2's firewall is getting better, but there are still better options.

3) Don't use Internet Explorer. Mozilla Firefox has had far fewer and less serious security bugs than Internet Explorer. There's a reason IE has the nickname Internet Exploiter. Whatever you do, make sure popups are disabled and ActiveX is highly restricted.

4) Don't use Outlook Express. Also avoid Outlook, or at least make sure it is Outlook 2003 and is patched to the latest update. The Outlook mail readers make it way too easy for malware to get through. If you insist on using these programs, you must disable the preview pane, and don't click on any attachments you weren't expecting. Even if you get something from someone you know, if you weren't expecting it, don't open the attachments until you've confirmed that the sender actually sent it.

5) If you get a message from your bank, auction web site, personal payments site, or any other sensitive service saying you need to do something, don't click on any links in the email. Instead, manually go to their website and see if there's something there you really need to do. If in doubt, call them up and ask before you do anything.

6) Don't respond to, or click on any links in any spam messages -- messages you did not request from companies you don't have a business relationship with. Just don't. They are either gonna rip you off or infect you.

7) Run Ad-Aware SE and Spybot Search & Destroy regularly. Make sure Spybot immunizes your system each time. If you are technical enough, run HijackThis as well.

8) Run Windows Update frequently and always keep up to date with all critical patches. Better yet, set Windows Update to run automatically. (However, be aware that it will automatically reboot your system after being patched, so you don't want to do this if you run things continuously.)

9) If you have any part of Office/Word/Excel/Powerpoint/Outlook installed, you'll need to keep it updated separately at http://office.microsoft.com/officeupdate/

10) Be careful about pirated software, p2p downloads and porn. Some of it includes malware.