A Recent Event

Recently a customer came to me with a laptop running Vista.  Neither the keyboard nor the touchpad worked.  That was the simple part.  I plugged in an external USB keyboard and mouse, then, after they had been discovered and installed, I went to the Device Manager and removed the keyboard and touchpad.  After a reboot the OS found the built-in keyboard and touchpad and installed them and everything was hunky-dory in that respect.

That is not why I’m writing this entry. Shortly afterwards I received an email from my ISP saying they suspected I had a bot, that is, a computer compromised by malware so that it falls under the control of an outside party, on my home network. Some of these so-called bot-nets are supposedly composed of millions of PCs.

First, there were things the owner had done that he should not have done, and things left undone that he ought to have done. Somewhere in this system’s past, UAC (User Account Control) had been turned off. That is the feature that pops up a prompt in Vista and Windows 7 asking whether you really meant to do that. Don’t turn it off. Also, a real-time anti-virus program with an up-to-date set of virus definitions is a cost of doing business in the PC world. Don’t go out on the network without it.

I used the usual off-line tools, such as Spybot Search & Destroy under UBCD4Win, but that didn’t find anything. The machine felt sluggish, so I looked at the Task Manager and, lo and behold, there was a process called PING.exe (that’s right, in CAPS) that shouldn’t have been running, and an svchost.exe process that was eating up CPU cycles and memory. I managed to get the old, crufty sixty-day-licence anti-virus uninstalled and went with AVG Free. A scan with AVG Free indicated that two drivers associated with TCP/IP networking were suspect, but it couldn’t cure the problem. I went back to UBCD4Win and looked at the two drivers. Sure enough, the two drivers AVG had fingered were not digitally signed. In other words, some virus had replaced Microsoft drivers with rogue ones. I found several versions of these two drivers in WinSxS that were digitally signed by Microsoft; after renaming the rogue ones, I copied in the most recent signed versions I had found. A reboot and everything was good. The machine felt like a big load had been taken off its back.

The PING.exe process never reappeared and none of the svchost.exe processes misbehaved. A scan with AVG found the two renamed drivers and quarantined them.
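The signature check and WinSxS search described above can be scripted so that every driver in the drivers folder is examined, not just the two an anti-virus happens to flag. The script below is an added example, not something from the original post; it assumes a modern PowerShell (3 or later, for Get-FileHash) run elevated on the affected Windows install, and it only reports, leaving the rename-and-copy step to the technician.

```powershell
# Added example (not from the original post): list kernel drivers whose
# Authenticode signature is missing or invalid, and for each one show
# Microsoft-signed copies of the same file held in the WinSxS component store.
# Assumed: run elevated on the affected machine; $SystemRoot may be pointed
# at an offline installation (for example a drive mounted from a boot CD).
param(
    [string]$SystemRoot = $env:SystemRoot
)

$driverDir = Join-Path $SystemRoot 'System32\drivers'
$winSxS    = Join-Path $SystemRoot 'WinSxS'

# Any status other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
# means the file is not what a vendor signed, so it goes on the suspect list.
$suspect = Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $_.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Where-Object { $_.Status -ne 'Valid' }

foreach ($d in $suspect) {
    # The hash is recorded so the rogue file can be reported or cross-checked later.
    Write-Output "SUSPECT: $($d.Name)  status=$($d.Status)  sha256=$($d.Sha256)"

    # WinSxS keeps the copies of drivers that shipped with the OS and its updates.
    # Keep only candidates that carry a valid Microsoft signature, newest first.
    Get-ChildItem -Path $winSxS -Recurse -Filter $d.Name -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($s.Status -eq 'Valid' -and $s.SignerCertificate.Subject -like '*Microsoft*') {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Version  = $_.VersionInfo.FileVersion
                    Modified = $_.LastWriteTime
                }
            }
        } | Sort-Object Modified -Descending |
        ForEach-Object { Write-Output "  signed candidate: $($_.Path) (version $($_.Version))" }
}
```

A driver that is unsigned on a machine where every other driver is signed is exactly the pattern seen here; the candidates listed are the ones to rename the rogue file aside for and copy into place.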

Problem solved, and the owner was able to take his PC on a trip to Europe the next day.
