Monday, February 27, 2012
Sunday, February 26, 2012
Windows restart hangs on zombie process
Thanks to the indefensibly badly written drivers in QuickUSB, the workstation froze when I tried to reboot it. Here are the spoils of a half a day trying to find some solution. The short answer is that I was hosed without any recourse the moment the driver failed to get a response. All I have to console myself with is having learned a few things.
First off, taskman fails to kill the process that calls the QuickUSB libraries; the process just continues on.
The basic alternative tools available apparently do the same things that taskman would try, so they don't work either. Here's a few forums that pointed the start of this path.
This author suggested pskill, and the remainder of the post is frustrated users hurling insults at the author when it didn't work.
http://www.watchingthenet.com/how-to-kill-windows-processes-that-wont-die-or-terminat.html
This author suggested taskkill, and the remainder of the post is frustrated users hurling insults at the author when it didn't work.
http://www.tech-recipes.com/rx/446/xp_kill_windows_process_command_line_taskkill/
pskill and taskkill are very nice utilities, however, and ship standard with XP Pro. I tried using taskkill with parameters to operate on all processes for my user ID and it still wouldn't kill the dead I/O processes; it killed everything except those. I eventually got taskman to launch, and used its "run" function to get some IEs, cmd windows, and file explorers going even without a desktop! At some point the desktop just magically reappeared.
One of the commenters in the above threads suggested a fancy piece of freeware that has something like 16 kill methods, called apt for Advanced Process Termination. I tried it but it didn't work for me.
http://www.pendriveapps.com/advanced-process-termination-kill-running-processes/
Here is the best forum thread that I found on the topic, containing some actual signal. Some commenters futilely attempt to explain how a driver that's waiting on a response causes this problem (which matches what I'm dealing with) and exactly why normal process-killing tools don't affect it. The thread is several dozen pages long and I was hoping that somebody somewhere would reveal a magic bullet for this kind of "zombie thread", but sadly nobody seems to have anything aside from cursing Microsoft up and down.
http://social.technet.microsoft.com/Forums/en-US/w7itproperf/thread/598fe2b4-844d-412d-b195-5fa53dc62661
Someone mentioned Process Explorer, which suspiciously somebody before me had already put in the downloads folder on this workstation. I tried it; it could find the zombie thread, but it couldn't terminate it. However, Process Explorer sure is gorgeous.
http://social.technet.microsoft.com/Forums/en-US/w7itproperf/thread/598fe2b4-844d-412d-b195-5fa53dc62661
Oh yeah, I also tried attaching debuggers to the processes, calling the debugger from a cmd window using the -p option but they said access denied.
Friday, February 10, 2012
Total Ghost -> The Nix Brothers
From this ridiculous video:
http://boingboing.net/2012/02/10/your-weekend-space-jam-spac.html
To this background info:
http://www.westword.com/2011-02-17/music/total-ghost/
To this interview:
http://blogs.westword.com/showandtell/2011/11/the_nix_bros_on_comedy_short_f.php
Magic demystified.
Also this:
http://blogs.westword.com/backbeat/2011/02/behold_the_awesome_absurdity_of_total_ghost.php
Tuesday, February 7, 2012
Windows detected a hard disk problem
This morning, Lisa's laptop was thoroughly hosed. After the initial alarm wore off, it was clear that this was just another fake "error fixer" virus like Windows 7 Security 2012. Here are some of the plethora of error messages from this virus:
Windows detected a hard disk problem
Windows - Delayed write failed to save all the components for the file \\System32\\0005382. The file is corrupted or unreadable. This error may be caused by a PC hardware problem
System Error - Critical Error. hard drive critial error. Start a system diagnostics application to scan
Critical error Windows OS can't detect a free hard drive space. Hard drive error (This one is my favorite)
Clicking the Windows Detected a hard disk problem balloon gets:
System Check - with 4 categories including My computer Relate Problems. HDD related Problems. It "scans" and produces a results window with nearly laughable over-the top error messages.
Another clue: Task manager is suppressed when summoned using ctl-alt-del.
Anyhow, this here is definitely the one. Looks nasty:
http://www.bleepingcomputer.com/virus-removal/remove-system-check
The cleaning procedure involves MalwareBytes tools and looks pretty similar to the removal instructions for the Windows 7 Security 2012 virus.
Google redirect virus TDSS
After a few funny redirects, I began to suspect that Lisa's laptop had another virus, and sadly found it to be true. Not only is this a virus, but it's an extremely dangerous rootkit and proving difficult to remove.
First, I keyed in some searches to the sites that I was being redirected to. Many of the results identified the virus as TDSS and revealed that it's more than just your average values. Many victims complained that their virus detection and removal software was not working on it. I got the following two links:
This one seems a little too simple to be correct; it just says to turn off JavaScript and then run TDSSKiller. Later it suggests hints to thwart DNS redirections:
http://www.computing.net/howtos/show/how-to-remove-the-google-redirect-virus/415.html
This link is also untrustably simple sounding, claiming that TDSSserve.sys will be hiding in the device manager and you can just disable it? Then just install your favorite antivirus tools and declare victory? Apparently there's something called "Google-Redirect-Virus-Remover" by name? MalwareBytes and SuperAntiSpyware were both familiar names recommended. Then it also goes into hints for thwarting redirection, particularly in checking for proxy server settings. The final hint, however, looks useful: an also-familiar package called "UnHackMe" which apparently detects rootkits.
http://www.ehow.com/how_5842581_remove-google-redirect-virus.html
After refining my searches better, I began to get more serious postings on the topic.
The following link is to 6 pages of directions with screenshots of each step, most of which concern checking for DNS redirection, false host tables, proxy servers, etc. Then it recommends TDSSKiller.exe. Then it recommends resetting the router, which I can believe, although it would make me sad to have to figure out how to re-setup my network afterwards. After the post, though, are 32 pages of comments full of other hints and tips which I've only skimmed through so far. After reading this, I did everything up to TDSSKiller.exe. The name of the identified virus came back as Win32.ZAccess.k. After running, I rebooted, ran TDSSKiller again, and it found it again, probably indicating that it's refreshing itself through the registry or Master Boot Record.
http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html
I also kept getting results back for the "atechjourney" blog's posts about this, which seemed knowledgeable but was vague and seemed to be hawking "optimizer" tools. The same vague hints were reiterated in other posts, which also seemed like a bad sign. Lastly, it recommends a paid online removal service, also a bad sign, but one which has also been echoed by other blogs:
http://atechjourney.com/google-redirect-virus-remove-manually.html/
Hints in this forum about what to do if TDSSKiller is not working include renaming TDSSKiller (doesn't seem to be something I need), running Hitman and/or ComboFix (both highly recommended on other forums too), and running TDL-4 from BitDefender:
http://answers.yahoo.com/question/index?qid=20110726110537AADZ9zp
Holy how, here's a video by a guy who did it. I know that getting rid of this thing would make anybody want to put in the extra hours to help others do it too. The comments are the usual mix of thanks and unsatiated frustration. I expect that I would find several dozen videos on this topic on YouTube:
http://www.youtube.com/watch?v=N4zs42gO_fs
Update: I removed the most recent "scareware" but the rootkit seems to still remain. VERY interesting links from searching on the rootkit's name:
First off, this forum, where a user gets superlative service and is talked through a bunch of fancy ComboFix moves with log after log posted, and the "Kiss ZeroAccess Goodbye" tool is mentioned:
http://www.bleepingcomputer.com/forums/topic413198.html
Here's the link to KISS. It also mentions having to fix ACLs (Access Control Lists) which I guess I'm going to have to learn what those are:
http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/
The comment section at the bottom of the release announcement led to another page where the authors of the Anti-ZeroAccess tool revealed how much work they've put into decompiling and understanding how the malware works.
http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/
and
http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/
Anyhow, about to try this Webroot tool, since ComboFix continues to be too scary looking to try.
Ok, it found it in netbt.sys, which I recall seeing mentioned somewhere else regarding this rootkit. Rebooting now.
Still there. Now it's in cdrom.sys. I think that I followed this one around this path before.
Here's an AMAZING link from a guy who has to fix this all the time. This is clearly a lot of work and I'm going to have to try this later. Definitely dreading the moment this leads to loss of network access which seems to be the hell that many users end up encased in when they scrub this bug out:
http://remove-malware.com/malware/rootkits/rootkit-zero-access-max-notes/
Sunday, February 5, 2012
tar for windows, windows cannot fork
So, I wanted to duplicate my trick of using os.system calls in python to tar, gzip, and delete some files on my Windows filesystem. Leaving aside how completely ignorant this idea was since both things can be done from within python and platform independently, the story of the problem that I encountered and its solution is worth remembering.
Since I totally use the "GNU for Windows" utilities to do things in Windows when I don't want to step into Cygwin, I just downloaded GNUWin tar and tried it out:
http://gnuwin32.sourceforge.net/packages/gtar.htm
http://gnuwin32.sourceforge.net/packages/gzip.htm
http://gnuwin32.sourceforge.net/packages/coreutils.htm
However, when I blithely fed my first tar command into it using the gzip option and wildcards, I got an error "Windows cannot fork". So sad. It turns out that it looks like the GNU tar port can't call gzip to do the -z option or something?
http://osdir.com/ml/lang.ruby.rake/2006-11/msg00014.html
http://www.worthinstalling.com/2006/06/command-line-compression-for-windows.html
http://stackoverflow.com/questions/1437875/tar-on-windows-a-list-of-files-in-c-sharp
As indicated in the first two links above, the answer is to use bsdtar, which is just a different GNU utility that's compatible with everybody else in my GNU installation folder and installs exactly the same way but with a different picture in the install window:
http://gnuwin32.sourceforge.net/packages/libarchive.htm
Beautiful.
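The in-Python route the post mentions in passing (tarfile and gzip are in the standard library, so no external tar or gzip process is forked), as an added example that is not the post's own code; the file names and the flat archive layout are constructed for illustration. It re-reads the archive and checks every member's size before deleting the originals, which the shell one-liner never did.

```python
import tarfile
import tempfile
from pathlib import Path


def archive_and_remove(files, archive_path):
    """Write files into a gzip'd tar, verify the archive, then delete the originals.

    Pure Python: no external tar/gzip process, so there is nothing to fork on
    Windows. The originals are removed only after the archive has been re-read
    and every member's size matches the file still on disk.
    """
    files = [Path(f) for f in files]
    with tarfile.open(archive_path, "w:gz") as tar:
        for f in files:
            tar.add(f, arcname=f.name)  # flat archive, no directory prefix

    # Verification pass: read the archive back before touching the originals.
    with tarfile.open(archive_path, "r:gz") as tar:
        members = {m.name: m.size for m in tar.getmembers()}
    for f in files:
        if members.get(f.name) != f.stat().st_size:
            raise RuntimeError(f"archive check failed for {f.name}; originals kept")

    for f in files:
        f.unlink()
    return sorted(members)


def demo():
    """Constructed sample: three small files in a temp dir, archived then removed."""
    work = Path(tempfile.mkdtemp())
    names = ["a.log", "b.log", "c.log"]
    for i, n in enumerate(names):
        (work / n).write_bytes(b"line\n" * (i + 1))
    archived = archive_and_remove([work / n for n in names], work / "logs.tar.gz")
    remaining = sorted(p.name for p in work.iterdir())
    return archived, remaining


if __name__ == "__main__":
    print(demo())  # (['a.log', 'b.log', 'c.log'], ['logs.tar.gz'])
```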
Thursday, February 2, 2012
python struct.pack
Victor's code uses this very cool-looking method struct.pack to build data into a buffer. What is up with all the fancy format characters? It turns out that the > means big-endian, and the H and i are unsigned short and int respectively. Here is a great reference:
http://www.python.org/doc//current/library/struct.html
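The same format string (">Hi": big-endian, unsigned short, int) packed into a buffer and parsed back with bounds checks, as an added example rather than Victor's code; the field names msg_type and payload_len are assumed for illustration. It also packs one value under "<" and "@" so the effect of the byte-order character is visible in the hex.

```python
import struct

# Layout from the post: ">" big-endian, "H" unsigned short (2 bytes), "i" int (4 bytes).
# Field names (msg_type, payload_len) are assumed for this example.
HEADER_FMT = ">Hi"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 6: ">" also disables alignment padding


def build_message(msg_type, payload):
    """Prefix payload with a big-endian header: uint16 type, int32 length."""
    if not 0 <= msg_type <= 0xFFFF:
        raise ValueError("msg_type must fit in an unsigned short")
    return struct.pack(HEADER_FMT, msg_type, len(payload)) + payload


def parse_message(buf):
    """Inverse of build_message; rejects truncated or inconsistent buffers.

    "i" is signed, so a hostile length can be negative; both that and a length
    larger than what was actually received are refused instead of trusted.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than header")
    msg_type, payload_len = struct.unpack_from(HEADER_FMT, buf, 0)
    if payload_len < 0 or len(buf) - HEADER_LEN < payload_len:
        raise ValueError("declared payload length exceeds buffer")
    return msg_type, buf[HEADER_LEN:HEADER_LEN + payload_len]


def byte_order_demo(value):
    """Same two values under three byte-order characters; only the layout changes."""
    return {
        "big": struct.pack(">Hi", value, value),
        "little": struct.pack("<Hi", value, value),
        "native": struct.pack("@Hi", value, value),  # may insert alignment padding
    }


if __name__ == "__main__":
    msg = build_message(0x0102, b"hello")
    print(msg.hex())  # 010200000005 + 68656c6c6f
    print(parse_message(msg))
    for name, raw in byte_order_demo(258).items():
        print(name, raw.hex())
```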