<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx</link><description>A few weeks ago I installed an update to a popular Internet Explorer media-player ActiveX control on one of my systems. I knew from past experience that the plugin’s updates always configure an autostart, (an executable configured to automatically launch</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#3424812</link><pubDate>Thu, 28 Apr 2011 05:50:03 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3424812</guid><dc:creator>Pam Maynard</dc:creator><description>&lt;p&gt;I know this is an old blog but I just had to comment on what you said about your heart stopping when you suspected something bad in your system. You were lucky that it was not bad. But for me and others like me, certainly know that feeling that you get when you are suddenly no longer in control of your machine. In fact it was only 2 days ago when clicking on a google search result suddenly my screen flickered and 5 pop ups were atop my screen asking permission to run an unknown setup application which each one had a mix of numbers before the word &amp;quot;setup&amp;quot; and even though I ALWAYS keep task manager open to close items that appear bad I was unable to close them or the process which was a consent.exe process. I was not about to shut my PC down as that may have given it a chance to download somehow. 
The first thing I did was go to MSE and did a quick scan which turned up nothing, then did a deep scan; while running that I went to start/search, put %temp%, then opened the temp file. I selected all then deleted all that would let me; some said the program was in use. Meanwhile MSE detected a Java virus, cleaned all except 2 that were not found, maybe I had deleted them in the %temp% folder. But meanwhile I went back to clicking no after no on those pop ups asking permission to change till they finally were gone from my task manager. I searched Google regarding my situation with no luck. No one seems to have encountered what I went through. The Google search I clicked on was a website from ihav.com so anyone reading this DO NOT go there or maybe you will be next. The point to my post is that when you search online using Google or whatever search engine you like, you are doing so at your own risk and it could be fatal or detrimental to your health! I really do not understand with today&amp;#39;s technology how these people who create these viruses, worms and Trojans are able to get away with it. Certainly they can be caught and prosecuted unless they are being paid to do it by either software companies that sell antivirus programs, not just the fake ones but ones like Norton/McAfee, or maybe the government. Am I crazy for thinking this? Let's just take a look ... If you have a virus what do you do? You try to get the best software to get rid of it. And yes there are free ones but they just don&amp;#39;t seem to work as well and besides they are useless for large companies. And then you have those Trojans and worms that are there to track what you do. That would be useful to the government and companies looking to sell you products that you just happened to be searching for. I find it very hard to believe that these complicated nasties are spread by people just for kicks. Personally I am sick of it. 
I spend about 1/3 of my computer time trying to fix problems that others have created. A personal computer should be enjoyed, not a hassle. It is about time someone did something to stop this. Like Microsoft, Google, Sun Java, Yahoo &amp;amp; Bing (that&amp;#39;s Microsoft too) and anyone else in the &amp;quot;cookie&amp;quot; jar. I think everyone who has a home PC, iPhone or anything like those should go on a strike, even just for one day. See how many stocks fall on that day! C&amp;#39;mon, we can do it! Mankind has survived in the past without those things so there should be no excuses.&lt;/p&gt;
</description></item><item><title>A better icon editing program</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#2176372</link><pubDate>Mon, 15 Oct 2007 11:59:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2176372</guid><dc:creator>Alex Railean</dc:creator><description>&lt;p&gt;Hi, I have been facing the same [original] problem - find a good icon editor which can make nice icons for Vista. I found a free program that matches the flexibility of various shareware tools I tried; look for &amp;quot;IcoFX&amp;quot;.&lt;/p&gt;
&lt;p&gt;I also have some things to say about the other problem discussed here - folder paths. Mark, you mentioned two methods of accessing the Program Files directory, one is &amp;quot;%programfiles%&amp;quot; and the other is to use ShGetFolderPath.&lt;/p&gt;
&lt;p&gt;Is there any set of circumstances in which the two methods will return a different result? I know that it sounds stupid, but I have been facing a problem on a person's computer: using %programfiles% to access a third party program in Program Files, but I always get a file not found error. The guy swears the file is there.&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1415834</link><pubDate>Sun, 01 Jul 2007 22:02:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1415834</guid><dc:creator>Mihai</dc:creator><description>&lt;p&gt;Let's say the company does not care about foreign markets, so localized folders don't matter (ok, I don't say it is right, but bear with me :-)&lt;/p&gt;
&lt;p&gt;But an application designed &amp;quot;to edit hi-resolution Vista-style icons&amp;quot; will not work on Vista! (because &amp;quot;Program Files&amp;quot; is &amp;quot;Programs&amp;quot; in Vista)&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1396045</link><pubDate>Fri, 29 Jun 2007 17:27:36 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1396045</guid><dc:creator>Igor</dc:creator><description>&lt;p&gt;IMO, you should have asked the author for the justification of an autostart component for an Icon Editor. I don't see any possible reason why that crap could be needed to slow down each computer startup.&lt;/p&gt;
&lt;p&gt;There is an increasing number of applications which use autostart or, even worse, the system notification area for purposes which are dubious to say the least.&lt;/p&gt;
&lt;p&gt;Those practices should be loudly discouraged by Microsoft in MSDN and in the Designed for Windows logo program. I would even vote for hampering their ability to do it because 90% of software vendors just abuse it.&lt;/p&gt;
&lt;p&gt;/rant on&lt;/p&gt;
&lt;p&gt;I just hate it when they work against the system. A prime example would be a well known disk defragmenter utility which in its latest version has no less than 4 processes running all the time. One of them is a scheduler which could have been replaced by use of the system's own Task Scheduler. There is also some &amp;quot;agent&amp;quot; and then the engine. Why they need to be running all the time when defragmentation is something you perform once in a few weeks is really unexplainable.&lt;/p&gt;
&lt;p&gt;Even worse, the same utility has a self-repair system -- if you terminate any of those processes they come to life again in no time. If you delete the executable, it will invoke setup to repair the installation without asking you a single thing. If you remove the installation cache then it will make your system unusable in a suicidal attempt to find it. That is the same mechanism malware uses to stay on your computer against your will.&lt;/p&gt;
&lt;p&gt;In other words, every program should do what I tell it to, without asking me &amp;quot;do you want fries with that?&amp;quot; or even worse stuffing my face with fries without asking.&lt;/p&gt;
&lt;p&gt;/rant off&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1302844</link><pubDate>Wed, 20 Jun 2007 13:55:54 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1302844</guid><dc:creator>Calum Grant</dc:creator><description>&lt;p&gt;It's definitely good for applications to have proper resource information - since I would expect good quality software to follow those guidelines. Anything that fails to follow simple guidelines is suspect.&lt;/p&gt;
&lt;p&gt;Another crime is services with no apparent purpose, and no description of what suite they are part of. Even respectable software in the install/remove programs sometimes has cryptic names from 3rd party publishers. Sony installed a lot of such rubbish on my Vaio laptop. I have no idea what I can disable without suddenly breaking functionality.&lt;/p&gt;
&lt;p&gt;However, malware/spyware should fake something plausible, and a casual user would have no chance of distinguishing malware from legitimate software.&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1292329</link><pubDate>Tue, 19 Jun 2007 14:48:51 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1292329</guid><dc:creator>Ruben</dc:creator><description>&lt;p&gt;In Spanish %ProgramFiles% is &amp;quot;Archivos de programa&amp;quot; and so on. Most system folders are localized, but surprisingly, &amp;quot;Documents and Settings&amp;quot; is not.&lt;/p&gt;
&lt;p&gt;That aside, I fully second Mark's suggestions.&lt;/p&gt;
&lt;p&gt;&amp;quot;Mark's recommendations to the author of IconEdit2 can just as easily be adopted by every malware author&amp;quot;&lt;/p&gt;
&lt;p&gt;That's where digital signatures come in.&lt;/p&gt;
&lt;p&gt;&amp;quot;The solution of using certificates could effectively mitigate the risk, I suppose, except I'm not sure how easily malware-writers or suspect ware-writers could obtain one.&amp;quot;&lt;/p&gt;
&lt;p&gt;Not easily. The problem with that is not that malware writers can obtain or forge a Microsoft certificate. The problem is they don't need to. All they need is a certificate that &amp;quot;looks&amp;quot; like the real thing and most end users will accept it as real without bothering to check.&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1279160</link><pubDate>Mon, 18 Jun 2007 11:18:06 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1279160</guid><dc:creator>James</dc:creator><description>&lt;p&gt;&amp;quot;IEcheck&amp;quot; does sound like the typical malware trick of masquerading as a part of Windows, and putting itself in %WINDIR% rather than its own application directory doesn't help; then again, at least it didn't have a valid MS signature: if seeing &amp;quot;iecheck.exe&amp;quot; made Mark's heart stop, imagine my reaction when I saw a *signed* 'services.exe' sitting there, merrily probing port 25 on remote machines! 
(Needless to say, that was indeed malware; I'm actually quite impressed by the lengths it went to to escape detection, hiding most of its antics within services.exe *without* compromising the MS signature!)&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1220067</link><pubDate>Tue, 12 Jun 2007 02:00:25 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1220067</guid><dc:creator>.jon</dc:creator><description>&lt;p&gt;&amp;gt; Actually, %ProgramFiles% is called &amp;quot;Program &lt;/p&gt;
&lt;p&gt;&amp;gt; Files&amp;quot; on all the languages versions I've been &lt;/p&gt;
&lt;p&gt;&amp;gt; given an occasion to work with (that said, I'm &lt;/p&gt;
&lt;p&gt;&amp;gt; far to pretend I've touched all the localized &lt;/p&gt;
&lt;p&gt;&amp;gt; versions of Windows yet).&lt;/p&gt;
&lt;p&gt;With a German system I have problems with about 10% of all installed applications.&lt;/p&gt;
&lt;p&gt;On a German XP it is not &amp;quot;Program Files&amp;quot; but &amp;quot;Programme&amp;quot;. And not &amp;quot;Documents and Settings&amp;quot; but &amp;quot;Dokumente und Einstellungen&amp;quot; and not &amp;quot;ApplicationData&amp;quot; but &amp;quot;Anwendungsdaten&amp;quot;. Just to name a few. They are (luckily) totally localized.&lt;/p&gt;
&lt;p&gt;One thing as important as this is people (including me) who absolutely hate the MS way to throw all into a single root and install Program Files, Documents and Settings, %TEMP% and maybe even others on separate partitions, which makes backing up the system, re-installing it etc. much easier.&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1106218</link><pubDate>Thu, 31 May 2007 00:33:25 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1106218</guid><dc:creator>Alice Chang</dc:creator><description>&lt;p&gt;I think I agree with Mr. Maletic about the proposed solution, up to a point. In my job as a network analyst, I often have to analyze concurrent HIDS events as well; seeing suspicious traits like &amp;quot;no icon, description, or company name, and [..] in the Windows directory&amp;quot; definitely raise red flags with me. But then I think about all the stuff that *don't* raise red flags -- and sometimes I wonder if there aren't malware that are being blissfully ignored because they simply appear to be an unusual, but legitimate application with all the right markings. (The markings in this case being some sort of author, some sort of company, some sort of icon...)&lt;/p&gt;
&lt;p&gt;The solution of using certificates could effectively mitigate the risk, I suppose, except I'm not sure how easily malware-writers or suspect ware-writers could obtain one...&lt;/p&gt;</description></item><item><title>re: The Case of the Unknown Autostart</title><link>http://blogs.technet.com/b/markrussinovich/archive/2007/05/21/1010621.aspx#1105979</link><pubDate>Wed, 30 May 2007 23:26:38 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1105979</guid><dc:creator>Tim Maletic</dc:creator><description>&lt;p&gt;Mark's recommendations to the author of IconEdit2 can just as easily be adopted by every malware author, so I don't see the point. But I must be missing something or someone would have pointed this out already...&lt;/p&gt;</description></item></channel></rss>