Sunday, January 27, 2008

Thrash No More / I'm A Dufus (Again)

I told you about how my hard drive started constantly thrashing a while back. While I was preparing to downgrade to Windows XP, I thought it was some piece of software I had loaded. As it turns out, it wasn't. Since shortly after loading Windows XP, the thrashing started up again. I was bothered by the thrashing but didn't know exactly what to do about it. I generally ignored it, hard as that was to do, while I searched for my antivirus software.

Eventually, the excessive mechanical movement began to take its toll. A couple of times in the span of a week, my system rebooted because of a disk error, then threw me a BSOD indicating a disk problem. I used the manufacturer's diagnostic tools and found that the drive was, in fact, failing.

I did a little bit of research on the web and learned how to get Task Manager to show me read and write access tied to processes (go to View -> Select Columns and you can add columns for I/O Read and I/O Write). Once I did that, I discovered that what was constantly accessing my disk was a process called lsass. This is a legitimate system process called the Local Security Authentication Service. Back in the day, it was associated with the Sasser worm, but the vulnerability for that particular nasty was addressed in Windows XP Service Pack 2. I loaded from a CD with SP2 already applied.
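The same "which process is hammering the disk" check can be scripted instead of eyeballing Task Manager columns. This is an added example, not something from the original post: it samples the per-process I/O performance counters a few times so a process that is constantly busy (like lsass was here) stands out from a one-off burst. It assumes Windows PowerShell 3 or later with access to the WMI performance classes.

```powershell
# Added example, not from the original post. Samples per-process disk I/O over
# several rounds and averages it, so a constantly busy process rises to the top.
# Assumes Windows PowerShell 3+ and the Win32_PerfFormattedData_PerfProc_Process
# WMI class (standard on Windows).
$rounds = 3
$totals = @{}
for ($i = 0; $i -lt $rounds; $i++) {
    Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -notin '_Total', 'Idle' } |
        ForEach-Object {
            # Key on name plus PID so two instances of one image stay separate
            $key = "$($_.Name) (PID $($_.IDProcess))"
            $totals[$key] += ($_.IOReadBytesPersec + $_.IOWriteBytesPersec)
        }
    Start-Sleep -Seconds 2
}

# Top ten by average read+write throughput across the sampling rounds
$totals.GetEnumerator() |
    Sort-Object Value -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        '{0,-40} {1,10:N0} KB/s avg' -f $_.Key, ($_.Value / $rounds / 1KB)
    }
```

A legitimate system process at the top of this list is a reason to look at what it is doing (event logs, the drive's own diagnostics) rather than proof of infection, as the failing drive in this story shows.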

Nonetheless, that's where I started my search. I tried a couple of sasser removal tools and, of course, didn't find anything. I continued my search and came across a site called Geeks to Go which includes security forums that help people with particularly sticky virus, spyware and malware troubles... like me.

I was looking through the messages and they prefer you to take some self-help steps prior to asking them for help. As they say, they're just going to ask you to do all that first anyway.

When I found the site, it was a bit late so I left it for later. When I finally had time this Saturday, I started going through some of the steps. I went through a couple of the one-off removal tools and decided that was just too much trouble. I skipped right down to the antivirus part and went to download the free version of AVG. I was unable to find the free version so I popped out to Staples and bought an antivirus/antispyware package from CA. I normally prefer Norton/Symantec but didn't want to pay the price.

I brought it home, installed it, and ran the antivirus scan. No viruses found. I then ran the antispyware scan. The quick scan found a handful of tracking cookies but nothing more harmful than that. When I ran a full scan, I found a bunch more but, again, nothing too serious. The thrashing continued so I went back to the list and started my way down. I, again, skipped the individual guides for removing common infections.

Step one, or three if you count the commercial AV and AS scans, was the ATF cleaner. I cleared out all of my temporary files, cookies, history, etc. This didn't fix anything but it can make some of the scans go faster. Same thing with step four, creating a current system restore point then removing all but the last one. Again, not a fix but makes the scans more efficient.

On to step five, another antispyware scan. It may sound redundant but I've read plenty of articles where product A finds a few things that product B misses and product C finds stuff they both missed. Again, lots of tracking cookies but nothing serious. The advice for this particular product was to scan in safe mode so I took the opportunity to run another virus scan while I was at it. Again, no viruses found.

Step six, spyware scan three, more tracking cookies, still thrashing.

Step seven, an online antivirus scan (requires Internet Explorer). This would include antivirus scan three from antivirus product two and antispyware scan four. In short order, the spyware detected count started rising. Not surprising, probably more tracking cookies. I find tracking cookies somewhat innocuous but I would check the report when it was done and see if there was anything I needed to worry about.

When I came back to check on it later, the virus detected count had risen to 1. Fortunately, the virus disinfected count was also at 1. Unfortunately, the hard drive was still thrashing. As it says in the self-help posting, the line between spyware and trojan horses is sometimes blurred so I wondered if this was the case. I would have to check the report and see exactly what it thought it found and corrected.

As I watched the scan run, amid fiddling with my music collection, I saw the virus detection count rise to three, then four, then five and saw the disinfection count rise as it cleaned everything up. As with a regular, organic headache, I don't know exactly when it stopped but I suddenly noticed it was much quieter. The thrashing had stopped. The count was at 5 and 4 or maybe it was 6 and 4 but I was so excited that I wanted to tell all of you about it right away. This is where the dufus part comes in.

The only open browser at the time was IE. In my excitement, rather than opening Firefox, I clicked on the "new tab" tab and another tab obediently opened. As it was accessing my home page (a blank page), it froze. Within seconds I received that "Internet Explorer has encountered a problem and needs to close..." window. [GASP!] No. No, not that. I winced and reluctantly clicked the "don't send" button hoping beyond hope that the separate window that was actually running the scan would stay open... it didn't.

I'm re-running the scan now - and using Firefox to type up this entry - but since the offending infections were cleaned, I may never know exactly what was causing my woes. If it happens again, though, I'm definitely going straight to the Panda Online Scan. This time I'll leave it be and wait to see what the report says. I could just kick myself - dufus dufus dufus.