This page contains a single entry from the blog posted on November 12, 2010 10:27 PM. The previous post in this blog was Have a great weekend. The next post in this blog is City leaf removal tax falls apart. Many more can be found on the main index page or by looking through the archives.

E-mail, Feeds, 'n' Stuff

Friday, November 12, 2010

Just another day in Windows hell

Before I begin this post, let me state that I do not want to read about how I should buy a Mac. Thank you.

Early this morning -- too early -- my main home computer became infected by "malware" -- the psycho destructo computer crud formerly known as a "virus." Suddenly the computer was not recognizing familiar domain names (like bojack.org and wweek.com) when it was connected to the wireless router. It was also going haywire when clicking on Google search results -- stalling out or sending me to crazy commercial sites that had nothing to do with my searches. The problem spanned all three of the internet browsers on the computer; curiously, however, the situation was A-OK on all browsers when the computer was tethered to the iPhone. The rest of the computers in the house (there are three) worked fine.

After 45 minutes with a Comcraptastic guy who was actually pretty helpful, it was on to Malware Removal City. First I installed and ran the Windows Malicious Program Removal Tool, which of course found and did nothing. The AVG program that I paid good money for was also completely worthless. Finally, something called Malwarebytes Anti-Malware and another free program called Super Anti-Spyware found the DNS-name-changing Trojan and got rid of it, as far as I can tell.

But one problem remains. On starting up the computer and every once in a while thereafter, I get a warning box in the middle of the screen, along with the sickening Windows "clank" sound that means something is seriously fubarred. It says "GoogleUpdate.exe - Bad Image," and then tells me that there's something wrong with a program called C:\Windows\System32\mstask.dll. When I "explore" over to that location, there's a file there, but it's showing 0 bytes.

I think this is part of the malware infection, but it could have been something I did with the Comcraptastic guy, who had me reset a couple of files (from an extremely scary command line) having to do with IP addresses. My hunch is that it's the malware, but I honestly don't know what to do about it. The computer's running OK now, as far as I can tell, but the whole "clanking" thing makes me slightly nauseous.

In the course of the day's agony, I've downloaded a program called HijackThis, which produces some sort of log of what's going on in the bowels of the computer, but I can't make heads nor tails of it. And the "mstask.dll" file doesn't show up in the log anywhere, although Google Updater's in there a few times.

Is there anybody out there who can help me fix whatever the heck has happened? The operating system is the dreaded Vista. A free bojack.org bumper sticker or a nice beverage is waiting as a reward for information leading to the destruction of this annoying, and distressing, bug. Have moicy, and e-mail me here.

UPDATE, 11/13, 2:02 a.m.: The D Man has come to my rescue, and with his help, I've managed to replace the corrupted .dll file, and now all seems to be well. In the course of prowling around with him, figuring out a fix, I discovered that the evil malware -- a terrifying rootkit -- had weaseled its way onto the computer early this morning by placing an executable file in a temporary folder, then sneaking into the automatic task scheduler that comes on Windows, and scheduling a task. The task instructed Windows to run the executable file, which in turn made my internet connection act stoned. Apparently, to get this to work, it had to gut the .dll file -- leaving it on the computer but having it be empty.

Anyway, the D Man and I copied a wholesome version of the .dll file from another computer, figured out how to get Vista to let us copy over the blank file, and then, with fingers crossed, overwrote the corrupted file. Lawrence, in the comments to this post, had exactly the same idea and provided invaluable moral support. I next discovered that the evil task was still in the task scheduler, and even though the executable program had already been deleted by Malwarebytes, I deleted the task nonetheless. It had given itself the name "7uOCEI3," although I'll bet it goes by a different name with every infection.

Hoping that is the end of this latest adventure in computing, I say thanks to the D Man, and to Lawrence. And I'm reminded once again of what a great gift the readership of this blog is.

Comments (33)


Go here


Join up, find the correct subforum and post your Hi Jack this

Some geek will help you out

I have sent two emails and have a geek standing by until after 1 am (geek hours)

Our first look shows that .dll is "the Task Scheduler interface library" (dll=Library). My XP pro box shows it's 256K and XP home shows 268k in size. My geek says "His must've been truncated to 0 bytes, Google Update is trying to schedule itself to run at a certain time but it can't load the library because it's 0 bytes"

A first check is search for a mstask.* (dot wild card) or open c:\Windows\System32\ and look for it there. This is because it may have had the ext changed by the virus.

There's only one mstask dot anything in the System32 folder -- mstask.dll, size 0kb. Can't seem to find an mstask anywhere else on the computer, either.

Opening it in Notepad, it's completely blank.

I sent you an e-mail with something to try. However, if the dll is blank, then it will have to be replaced. You may be able to do it using the Repair function on the Vista installation disk.

Try my suggestion and see if it helps.

I am also wondering id there are any other errors as well.

Here's another thought. Since that file is blank, you can get a copy of that dll from another computer running Vista with the same service pack and replace the blank with that file.

To fix one of the problems, go to control panel-> internet options-> connections and uncheck proxy server. There is a new bug that causes your computer to access all internet sites through it's "portal" of spam via a proxy server. This would not be triggered when accessing through the iPhone tethering. Hope this helps.

Best bet is to reinstall the OS, or, barring that, revert to a previous restore point. Any unauthorized program that is able to overwrite DLLs has surely installed undetectable rootkit.

Oh, instead of swapping to a Mac, why not swap to Linux?

Have been in deep transplant surgery.

we tried Lawrence's suggestion- Since that file is blank, you can get a copy of that dll from another computer running Vista.
The permissions is a major PITA

If you won't buy a Mac then maybe we could all chip in and give you one as a Holiday gift.

Root kit! Duh! They are still around? I haven't seen this one show up for several years. Not here but in other people's computer problems.

I'm glad you are up and running. I was pretty sure replacing the dll would help, but that would be insufficient to completely solve the problem.

On Vista, if permissions are a problem, you need to right click the task and use "Run as Administrator". There are two levels of Admin in Win7 for sure and I also believe it's true in Vista. That normally is all you need.

Of course, normal is a weasel word!

Windows is like owning a Yugo.

Vista is like owning a Yugo that was made by drunken Serbians at midnight after covering their hands in duct tape.

HEY! I protest on behalf of drunken Serbians!

To overcome permission problems you can boot from a live CD.
I use a Fedora live CD. The latest is here:

Each OS has its purpose. No one needs to abandon one to occasionally use another.

It is useful to have a Live CD at hand so that if your Windows OS goes batty that you can boot from the Live CD and access the internet to search for answers.

It is useful for looking at hard drive partitions and managing them, if use wish. There is a convenient graphical interface (for common disk tasks). A geek can use ntfsclone (from the command line of a terminal window) to backup/restore a windows system partition (while paying very close attention to the source and destination parameters).

It seems to be the easiest way, for example, to locate and delete the hiberfil.sys file from the C drive. Or to get a copy of a .dll from one computer (copy to a flash drive) and copy it to another.

My work laptop got this same rootkit about a month ago now. I was able to clean it up and figured out which website I got it from. It's hit me 3 more times from that website so no more going back.

Unfortunatly my IT guy wont let me download the programs that would keep me from getting infected again. Symantec is what we get and nothing more and it is useless.

It had given itself the name "7uOCEI3," although I'll bet it goes by a different name with every infection.

Jeez, all it wanted was money to get back to Welches.

And Flynn wins the morning!

To give some feedback to those interested, I will give some of my own observations. The situation is late evening, 250 miles away. It appears from his post the main problem was removed but the damage done was not repaired. After a few web postings and emails we were connected through instant messaging. On this side are two geeks with over lapping skills surrounded by several computers running several OS's.

On Jack's side was the ability to use the computer and also showing a lot of ability.
For those in the know, sometimes you have to pull the HDD and use a separate computer to run a lot of different scanners to flush the "stuff" out. (Is nothing to find 30 to 60 Separate/different infections)

Also you have to take in the "ability" of your person at the keyboard. Jack is very bright and picked up things very quick and didn't need to be nursed along.
So on this side we started burning up the search engines I going one way and my co worker going the other. I feed Jack questions and instructions. Like some of you figured out, we couldn't just take a common name for the virus and get a pre made fix. We were not sitting in front of the puter with our bag of disks and hardware. We certainly didn't want to risk an overwrite of his data. After determining the use of the blanked file, we looked on replacement possibility's, install files and cache files. He had another system with vista and little of our intervention he was able to find the file and have it thumb drived to the ill computer. When he tried copy paste we discovered and had to quickly research the joy of "trusted installer" used in vista and win7
So we walked him through that, and "ta da" the new file pasted in. He rebooted and no error window. On his own he did some research through his logs and found traces of the culprit. He cleaned out the recycle file in case it was hanging there.

Some additional observations.
If you know computers you know there are 7 different ways to basically do the same thing. Afterwards we know what one was the fastest and easiest.
Before you recommend a OS, have you taken the time to see the what, when, where, and why of the user? Then what is the support? Ive built custom puters for friends and then figured out that the replacement should be a simple plug it in and turn it on from a big box store.

Great job, dman. Next time I am in a jam with a user, I'll send 'em to you!

My preferred working method is to sit by the machine and let me do my job. I would do poorly as phone support, although with someone like Jack, it would be a piece of cake!

A nagging issue still left is exactly what did it have? Was it a rootkit and could it be at least classified?

I went on line and looked at the whole rootkit problem, which I thought had been put to bed, but it hasn't. So I downloaded a rootkit revealer for Win7 64 and had a look at my system. No problems, as I expected, but I did find quite the collection of "hidden" files, a great many from Adobe. Nothing needed to be done with them, fortunately.

My recommend to Jack is that he upgrade to Win7. It's very stable even before any service packs and such. I used a Win 7 RC doing software validation and couldn't wait for the final release to update my box.

I also use MS Security Essentials and a router which functions as a hardware firewall and so far, so........uh oh!

No, just kidding!

Perfect skill set for a lawyer: an aptitude for cleaning up stuff that shouldn't have happened in the first place.

you need to right click the task and use "Run as Administrator".

It was harder than that. To overwrite that .dll file, you have to first "own" it, then give the administrator permission to mess with it. The way it was set up, the only person who had permission to write on it was "Trusted Installer," which I believe is Microsoft. The D Man walked me through it.

I was able to clean it up and figured out which website I got it from. It's hit me 3 more times from that website so no more going back.

Which site was that?

BTW, I don't do instant messaging, but then I remembered Facebook Chat! The D Man and I are now Facebook friends.

Never heard of trusted installer, Jack. It sounds like perhaps it was the builder of the computer, like Dell, although I don't see it on my second computer, which is a Dell.

I do know about taking ownership, and had to do that sometime back. It was a mess, I figured it out but then promptly forgot how! (old age I guess!).

I"m googling Trusted Installer now.

Happy it worked out and that Facebook Chat will do the job.

Ok, the way to take ownership from Trustedinstaller is exactly what I had to do:


This is for Win7 but I think if you check the website, Vista version should show up.

It's added to my kit of tools.

Drudge, IT says ads are being hijacked on multiple news sites to inject the rootkit.

First time it happened I had just updated flash so I'm guessing that's where the security hole is.

a curse on those worthless bas-stids that create malware,viri ( plural of virus??) and adware. And bountious blessings to those who know enough to spare us from the scourge of digital hell.
What makes someone want to create a virus or malware, anyways? Unloved as a child? Bedwetters?

Unfortunately I happen to know a lot about that the type of sociopath that is wired to crave negative feedback. Think fire starters and the person that shouts POOP in a crowded restaurant...

Think fire starters and the person that shouts POOP in a crowded restaurant...

Think Russian and living the dream with several M3s and paid-off law enforcement...


I've had continual problems with eastern Europeans for >10 years due to software piracy, both from myself and clients. Sadly, there is next to nothing that can be done to reach them.

PJB.. Word.

Well, there are several things to notice about malware. Maybe for now I can put a sock in it, but ....

Yeah, what somebody said, in your situation, Jack, get Win 7.

Someone else said get Linux, some version. That's best. ... but, there's that learning curve thingie

Either way, get to gathering a toolbox, bag o' tricks, like dman and Lawrence gather for themselves and their clients -- arm yourself with know-how or else hire someone 24/7 who knows how, (like what you are saying about "the great gift the readership" support network is, just that hiring a steady 'cornerstone' person to facilitate the support, and network, makes it formal and better ... and it decrements joblessness by 1 ... maybe its even non-profit tax-deductible although I am sure that you will look at that angle first of all).

You don't have to get a mac, but I do wonder why someone who loves them some iPhone doesn't want that same sort of experience in their computer.

Clicky Web Analytics