[Dshield] A few strange exe's

Kenneth Coney superc at visuallink.com
Tue Jan 13 05:55:37 GMT 2004

When they have a CD-RW drive that is compatible with mine, sure, I bring the 
CD.  Note the Catch-22: "compatible with mine."  One of my USB CD 
rewriter drives uses its own software which, generally speaking, can only be 
read on a machine loaded with the proprietary interpreter program. 
Therefore it is useless when I arrive at a house with a sick PC unless I bring 
the drive with me.  For some of the machines with no USB connection even 
that wouldn't help.  Even if I have the interpreter program so their own CD 
could, in theory, be used, first I have to deal with the virus that caused 
the service call.  Likewise, the people who own the ill machines I see very 
rarely have the newest and the latest.  If they could afford that, they 
would also have purchased an AV program and I wouldn't get the call.  I have 
yet to be called upon to tend to one of the newer machines with no 3.5" 
drive.  More common is for me to be visiting a machine possessing a 5" and 
an added-on 3.5" with an occasional external CD.

[BTW, Steve Gibson's Fix CH virus patch works.  Ran it on a 3.1 machine 
that wouldn't boot.  Although the machine had no modem, the history 
included a grandson playing games when he visited..  Norton Rescue showed a 
bad FAT.  Had a hunch..  Tried Gibson's Fix CH.  Took two runs, with three 
visits over 5 weeks (as the owner failed to follow directions and didn't 
write down the displayed message before rebooting the first time; Fix CH is 
SLOW, or maybe it was the 286, either way I gave instructions, pen and paper 
and left while..).  Eventually the owner wrote down the error code for me 
and a repair was made.]

My point is each infected/sick PC visited is different.  Some are old 286s 
someone was allowed to keep when they retired, some were gifts and will be 
only two or three years old.  The next one might be a surplus LAN unit sold 
as surplus and being used as a standalone in a home, but equipped with 
Ethernet cards and whatnot.  Once I visited a home and found an infected 
old SUN station filling a corner.  I know someone who has an acoustic 
coupler (but so far as I know their machine has never been infected).  By 
all means prepare a fix-all CD if you want, just don't assume the next 
infected PC you get a call on can read the CD.  Can you say, 8-inch disk? 
Ever try to get a new 2004 printer to work with Win 95 on a machine with no 
USB or CD drive?  Actually the biggest problem I hit a lot is the HDs in 
the infected units don't have enough space to hold the full AV programs nor 
enough RAM to run the firewalls.  20 megs on the HD was considered pretty 
big back in '93.  Can't swap them all out or add mega-RAM because the new 
connectors are wrong and the old CPUs can't address the RAM or track huge 
HD FATs.  For this reason we come back to the tool kit on the second visit 
with specific virus killers on disk to be used once the specific virus is 
identified in the first visit.

I don't like Dell or Compaq machines as they are not "mechanic" friendly. 
If you have ever dealt (battled) with a Compaq machine that lost its D: 
(restore) drive and needed Windows reinstalled after a virus was removed, 
you would know why.

Subject: Re: [Dshield] A few strange exe's
From: "Doug White" <doug at clickdoug.com>
Date: Mon, 12 Jan 2004 08:31:22 -0600
To: "General DShield Discussion List" <list at dshield.org>

Those are good observations.

Having to rescue any number of Windows systems, I use the applications much
the same as you do; HOWEVER, it is a good argument for using a CD-RW which will
hold all the patches and updates (including OFFICE patches, A/V solutions,
Trojan hunters, and Symantec removal tools) for Win XP, 2k, and Win2003.
Before making the house call, I will update the CD-ROM (I prefer to use
re-writable media when possible) and have all the tools available.   Many new
computers (Dell comes to mind) do not come standard with floppy drives any 
more, and one can boot from a CD-ROM.
My laptop has a CD-RW drive with which I can check for any updates I may have
missed during the preparation stage.
I have learned from experience that it is a best practice to install all the
service packs, security updates, the A/V solution, as well as the firewall, 
prior to allowing the new system a connection to the internet.
One of the features in ZoneAlarm Pro (the paid edition), MailSafe, which will
rename executable extensions on mail attachments even before the A/V can
scan the mail, is one I recommend to everyone.

The realization is that there is no one perfect bullet-proof solution to 
infections; as technology becomes more sophisticated, one can only try to stay
as current as possible.
