Anti-virus failure leaves XP broken, DNS hijacked, user frustrated

A colleague had some problems with his Windows XP laptop while I was away last week, and I promised to look at it on my return. It’s a sad story, particularly as he is doing everything Microsoft recommends (aside from upgrading to Vista). His HP laptop was fully patched with SP3, and he had a commercial license for AVG anti-virus. He noticed that his system started running slowly when connected to a network, though it worked fine offline, and suspected a faulty network card. It sounded suspicious to me. I wondered if malware was causing heavy network traffic, and advised him to check that his anti-virus was up-to-date and to scan his machine.

It got worse. He ran AVG, which discovered two viral autorun.inf files that it quarantined, but the machine still did not work right. The AVG tech support could not see what was wrong, and suggested reinstalling AVG. Reinstallation failed because AVG could not get updates (this was actually a good clue). Tech support said maybe a firewall problem. Hmm.

The best solution in cases like this is to flatten the machine and reinstall everything, but I was intrigued. I booted from the Ubuntu 8.10 live CD and confirmed that the hardware was fine. I then tried a couple of anti-virus scans that run from boot CDs, which is safer than running from within an infected operating system – the Kaspersky rescue disk and the Avira Rescue System. Kaspersky identified and removed Trojan-Downloader.Win32.Agent.ahcg somewhere in temporary files. Antivir found nothing. I also ran the Malicious Software Removal Tool which found Trojan: win32/Alureon.gen. Funny how all these tools find different things. No, I don’t find that reassuring.

At this point I connected the machine to the internet. Tried re-installing AVG but it still would not update. Tried downloading a more recent AVG build. However, when I clicked to download, I got an advertisement page instead. Aha! I checked the DNS settings. Instead of being set to obtain the DNS automatically, it was hard-coded to a pair of DNS servers in Ukraine. Clearly the AVG download site was among the ones privileged with an incorrect entry.

Things looked up after I fixed that. Spybot found evidence of Zlob.DNSChanger.Rtk: a registry entry pointing winlogon\system to an executable with a random name somewhere in Windows\system32, but the file itself was not present. Fixed that entry, and Spybot was happy. AVG installed and updated sweetly and found nothing wrong.

I also noticed a hidden directory called resycled (sic) on the root of both partitions, containing the single file Has to be a virus, and seems to be associated with the autorun.inf infection; but none of the clean-up tools detected it.

The machine seems fine now, though it should still be flattened as a precaution. I do find the DNS hijack spooky though. It means you can visit safe sites but get dangerous ones. Nasty.
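The DNS setting described above can be checked offline from a registry export of the Tcpip interface keys, which is useful when the installed tools cannot be trusted. The following is an added example, not part of the original post: the function names, the flagging rule and the sample export are constructed for illustration, the addresses come from documentation ranges, and `NameServer`, `DhcpNameServer` and `EnableDHCP` are the standard Windows value names.

```python
import re

# Constructed sample in `reg export` text form (real exports are UTF-16; decode first).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-AAAA-4AAA-8AAA-000000000001}]
"EnableDHCP"=dword:00000001
"NameServer"="203.0.113.53,203.0.113.54"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-BBBB-4BBB-8BBB-000000000002}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpNameServer"="192.168.1.1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Return {key_path: {value_name: str_or_int}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, sz, dword = m.groups()
            current[name] = int(dword, 16) if dword is not None else sz
    return keys

def split_servers(value):
    # NameServer is comma- or space-separated; DhcpNameServer is space-separated.
    return [s for s in re.split(r'[,\s]+', value or '') if s]

def audit_dns(text, trusted=()):
    """Flag DHCP interfaces whose static NameServer lists resolvers not in `trusted`."""
    findings = []
    for key, vals in parse_reg_export(text).items():
        if r'\Tcpip\Parameters\Interfaces' not in key:
            continue
        static = split_servers(vals.get('NameServer'))
        unknown = [s for s in static if s not in trusted]
        # Assumed heuristic: DHCP on, yet DNS is hard-coded to resolvers we do not recognise.
        if vals.get('EnableDHCP') == 1 and unknown:
            findings.append({'interface': key.rsplit('\\', 1)[-1], 'static': static,
                             'unknown': unknown, 'dhcp': split_servers(vals.get('DhcpNameServer'))})
    return findings
```

A static DNS entry on a DHCP interface can be legitimate, so pass the resolvers you actually configure as `trusted` and treat anything left over as a prompt to investigate.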

What all this illustrates (again) is that even users who do everything as recommended still get viruses – in this case, probably from an infected USB stick, though I can’t be sure. Why didn’t AVG catch it? Good question. Why didn’t AVG tech support advise how to fix it? Another good question. Vista would have been a little more robust – you would have to pass a UAC prompt to write to the root of drive C, or to HKLM – but I imagine some users would click OK to a prompt after connecting a USB stick, presuming it to be a driver install or something like that.

And if you get ads or porn sites appearing unexpectedly when you browse the web, yes you should be worried.


I sent the suspect file to Sophos for analysis. I would have sent it to AVG as well, but could find no easy way of doing so. I received an email informing me that this is a worm called W32/Autorun-NX. A filter to detect it was added to Sophos on 7th November at 20.27, which is about 4.5 hours after I submitted it. If mine was the first report, that is impressive speed; but bear in mind that the infection was over a week old when I encountered it, and had circulated for an unknown length of time before my colleague picked it up. Anti-virus software offers only limited and inadequate protection from malware.


Microsoft’s new .NET logo

One thing I forgot to mention from PDC 2008: the new .NET logo:

Note the visual link to the Silverlight logo; the ribbon (I may be reading too much into this); and the soft brushwork that is meant to evoke “designer” as well as “developer”.

The .NET part has changed from lower case to upper case. This was the old logo:


Since as far as I’m aware Microsoft has always preferred .NET to .net or .Net (except in the logo) I guess this makes sense. Must remember to type it that way.

In which I ask Marc Benioff, CEO, if his platform is a lock-in

Moving from Microsoft’s PDC last week to Dreamforce (the conference) this week has been an interesting experience. Microsoft is the giant still trying to come to terms with the new world of the Internet; is the young upstart convinced that it has the future computing platform in its grasp. is a much smaller company – revenue of just over $1 billion versus Microsoft’s $60 billion – though oddly Dreamforce is a larger conference, with nearly 10,000 attending, compared to 6,500 at PDC (numbers very approximate). Being small means greater opportunity for growth, and reported 49% year on year  revenue growth in the last quarter for which figures are available [PDF], ended July 2008.

As for the actual conference, Monday was great, with an upbeat keynote and a fascinating press Q&A with CEO Marc Benioff; Tuesday failed to sustain the momentum with a disappointing keynote (people were leaving in droves as Michael Dell attempted to pitch storage servers to this on-demand crowd), and today is wind-down day.

The press Q&A covered most of the interesting questions about this company. Is it a lock-in? Will it move beyond CRM to a total cloud platform? Will it be bought by Oracle? How is the platform (called different from Microsoft’s Azure? Benioff has a great talent for sound bites, and made endless digs at Microsoft and its new platform which he called “Azoon”. Microsoft developers are in a black room, he said, but walking out into the bright light of cloud computing – by which he means not Azure, but his stuff, naturally.

I got to ask the lock-in question. Benioff had already observed that making the platform programmable increased his hold on his customers. “It’s exactly the same thing that happened when Oracle moved from version 5 to version 6 with PL/SQL,” he said. “The database became programmable. Customers became customers for life.” Incidentally, Benioff talks a lot about Oracle, which is the database on which itself runs, and refers to Larry Ellison as his mentor. I asked whether he was now asking his customers to repeat the mistakes of the past, when they locked themselves to Oracle or Microsoft or IBM, and I am going to quote his answer nearly in full:

It’s not a question of repeating the past, it’s just an aspect of our industry that it’s important for vendors to offer customers solutions that give them the ability to fully integrate with the platform. It benefits the customer and it benefits the vendor, and every major vendor has done it. That’s really the power.

I think that it’s true whether you’re writing with Google today and you’re building on the Google AdWords and AppEngine, you have to make the choice as the developer, what’s the right thing? Portability of code is just not something that we have ever got to in our industry. As a developer you want to make the right choice … but the reality is that the customers who are doing deep integration with us, those are customers who are going to be with us for a long time and we’re a strategic solution to them.

It’s not a commodity product. It never has been. If you think of it as a commodity product it’s a mistake … I’m completely honest and open about it, which is you’re making a strategic relationship decision, and you need to look at your vendor deeply, and choose what is the right thing for you. When customers bought Sybase SQL and they wrote Transact SQL, or they bought Oracle and wrote PL/SQL, or they’re writing in Visual Studio, well Visual Studio does not port over to HTML. You’re making a strategic decision …I think that’s important, that you research everything, evaluate everything … you do as a vendor end up with a very loyal customer base over time.

Are you familiar with the iPhone? [sure] So iPhone has a development environment that’s called Cocoa. So you have all these apps now on AppStore, which is a name that we used to have and we’ve given it to them, so when you write on AppStore, when you write on Cocoa, guess what, those apps are in Cocoa. And there’s nothing wrong with that.

I followed up by asking whether Sun’s Java experiment, including the idea of code portability between vendors, was an impossible dream.

If you’re writing in Java, you’re betting on Java. It’s a totally reasonable decision. You make that choice. It’s not portable away from Java, that I know of. I just think it’s an aspect of our industry. You should not avoid it, and vendors should not say something like, oh, we’re gonna offer some level of portability, just be honest about what our strategies are. When you’re writing on SQL Server, when you’re writing on Visual Studio, when you’re writing on Oracle, when you’re writing on DB2, when you’re writing on, you’re gonna be writing natively to a platform, and then the more open that platform is, the more connections there are to that platform, the more powerful that is for you. But you are making a platform decision, and our job is to make sure you choose our platform and not another platform, because once they have chosen another platform, getting them off it is usually impossible.

I give him credit: he could not be more clear. Even so, if you follow his reasoning, developers have an impossible decision at this point of inflexion in the industry. It is all very well researching, or other vendors, but we cannot know the future. For example, may become Oracle (an outcome that analysts I spoke to here see as very plausible), in which case you researched the wrong company.

On balance I doubt that the platform will go away, but its future cost and evolution is all a matter for speculation. That said, I do think it is an interesting platform and will be posting again about it; I’ve also made some comments on Twitter which you can find on my page there.

linking with Facebook, Amazon

I’m at the Dreamforce conference in San Francisco, where Marc Benioff, CEO of, and co-founder Parker Harris, are presenting new features in the platform.

The first is a built-in ability to publish your data as a public web site. The service is currently in “developer preview” and set for full release in 2009. Even in preview, it’s priced per page view on your site. For example, if you have the low-end Group Edition, you get 50,000 page views free; but if you exceed that limit, you pay $1000 per month for up to 1,000,000 further page views. It would be unfortunate if you had 50,001 page views one month.

The second announcement relates to Facebook integration. This is a set of tools and services that lets you use Facebook APIs within a application, and create Facebook applications that use data. Sheryl Sandberg, Facebook COO, says this is “Enterprise meets social”. The problem: Facebook is consumer-focused, more play than work. Sandberg says this deal will launch Facebook into the Enterprise. This will be an interesting one to watch.

Third, there are new tools linking with Amazon’s S3 and EC2. Tools for S3 wrap Amazon’s API with Apex code (Apex is the language of so you can easily add unlimited storage to your application. Tools for EC2 delivers pre-built Amazon Virtual Machines (AMIs) that have libraries for accessing data and applications. The first AMI is for PHP, and simplifies the business of building a PHP application that extends a solution.

Interesting that is providing two new ways to build public web sites that link to – one on its own platform, the other using PHP and in future Ruby, Java (I presume) etc.

It’s worth noting that you could already do this by using the SOAP API for, and there are already wrappers for languages including PHP. This is mainly about simplifying what you could already do.

More information is at