System Integrity Scan Wizard eats hard drive

May 31, 2006 23:46

(No film at 11.)
I was experimenting with things I knew would be volatile, so I made a copy of my primary (boot) partition, then deactivated and hid the original. No way could it be touched by any malware save for that which can scan beyond registered drives and understand the NTFS file system without using system calls. Maybe this will some day be a problem, but for today, doing this bullet-proofs the partition that is deactivated and hidden.

The copy partition received a rather small file which, despite its name, was stored on disk as a .txt file. I knew it to be an executable, so I renamed the extension, acknowledged the warning, and then had to open the properties of this file to "unblock" its execution. Herein lie the typical barriers put in the path of some malware by IE7 and the Windows OneCare anti-virus/spyware protector.

When I ran the program, a few requests to access the net were reported by Windows Defender; I allowed a couple but refused the rest. Windows Defender was able to find and remove 2 spyware offenders, but one remained. This one could not be discovered by 2 other spyware scanners I tried, including one that is rootkit-savvy. I ran the Microsoft rootkit-finding program as well.

When running IE, you get what looks like a fairly typical Microsoft alert, with the title "System Integrity Scan Wizard." Inside this alert is information that your registry has critical problems that need repair. If you click NEXT> as prompted, a program calling itself "System Doctor 2006" asks to be downloaded and installed. It has a link for its agreement.

This program scans and reports problems, but does not remove them. It requires you to register it before it will proceed with repairs. I elected to uninstall it. I also gave them some choice words on their feedback form as to what I thought of this heavy-handed, unasked-for, irremovable, nagging alert message associated with them. I also said that regardless of who is at fault for this feature, I will permanently be prejudiced against any of their products and will unrecommend them to everyone.

This pop-up alert has a CANCEL button that doesn't work (figures). Its close box makes it go away for a while, but it returns, usually in sync with a web page reload. By looking at IE's Enable or Disable Add-Ons feature, I discovered that some undescribed Browser Helper Object (BHO) called iasnap32.dll had been installed.

Unfortunately, disabling it didn't help, nor did removing all references to it from the registry. All these unusual behaviors made me believe I had found a new rootkit. However, since no fix turned up in any of the forum posts I found on the subject, I erased that partition (including data destruction of the previous contents), reactivated my original partition, unhid it, and expanded it to engulf the deleted, infected one.

There are people who either lack the up-to-date execution protection and spyware tools I have, or will in ignorance repeat what I did. The fact that you can get even the smartest computer user to take the steps to allow malware to run is what will allow these nuisances to procreate indefinitely. There may never be a solution to always intercepting malware.

What computers need more than ever these days is better and more sophisticated tools for restoring a previous state, restoring a whole partition (boot sector and all), and a more heuristic means of detecting malware habits: creating hidden files, stitching information into the IE home page, fiddling with the HOSTS file, cheesing up the boot.ini, rootkitting, BHO additions, etc.
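The BHO mentioned above (iasnap32.dll) and the habit list in the previous paragraph are the kind of thing a quick triage script can check directly. The following is an added example, not code from the original post: it enumerates IE Browser Helper Objects from the standard registry locations, resolves each CLSID to its DLL, reports the DLL's Authenticode signature status and hidden attribute, reads the IE start page, and flags HOSTS entries that do not point at loopback. The registry and file paths are the standard Windows ones; the function names are my own. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): triage the persistence spots the
# post lists. Registry paths are the standard Windows locations for BHOs, COM
# class registrations, and the IE start page. Function names are assumptions.

function Get-BhoReport {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem $root) {
            $clsid = $entry.PSChildName
            $dll = $null
            # The BHO key only names a CLSID; the DLL path is the default value of
            # CLSID\{...}\InprocServer32 (64-bit or Wow6432Node registration).
            foreach ($clsRoot in $clsidRoots) {
                $srv = Join-Path $clsRoot "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $raw = (Get-ItemProperty $srv).'(default)'
                    if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
                    break
                }
            }
            $exists = $dll -and (Test-Path $dll)
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $dll
                # 'Valid' means a trusted Authenticode chain; 'NotSigned' on a BHO
                # with an odd name is the first thing to look at.
                Signature = if ($exists) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
                Hidden    = if ($exists) { [bool]((Get-Item $dll -Force).Attributes -band [IO.FileAttributes]::Hidden) } else { $null }
            }
        }
    }
}

function Get-IEStartPage {
    # Per-user IE home page; adware commonly rewrites this value.
    (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
}

function Get-NonLoopbackHostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $loopback = @('127.0.0.1', '::1')
    foreach ($line in Get-Content $Path) {
        $text = ($line -split '#')[0].Trim()      # strip comments and blanks
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # A name mapped to anything other than loopback is either deliberate
            # (ad blocking to 0.0.0.0) or a redirect planted by malware.
            if ($addr -notin $loopback) {
                [pscustomobject]@{ Address = $addr; Name = $name }
            }
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
"IE start page: $(Get-IEStartPage)"
Get-NonLoopbackHostsEntries | Format-Table -AutoSize
```

Two caveats. Ad-blocking HOSTS files that map names to 0.0.0.0 will show up in the last table, so read it with that in mind. More importantly, this script goes through the normal registry and file APIs, which is exactly what a kernel-mode rootkit hooks; if the BHO key or DLL is being hidden from those APIs, the script sees nothing, which is the same limitation the post describes for on-system scanners and the reason an offline look at the disk is more trustworthy.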

It seems, for better or worse, we may ultimately have to turn to authenticated executables and only very carefully, perhaps in a "sandbox" virtual environment, examine the behaviors of all other executables of unknown origin. Only after some simulated use of the app has been monitored and its effect on the virtual system recognized might you get a temporary authorization or limited execution privilege.

technical, rant, computers
