Dwarf said:
Thanks for the prompt reply. This has eliminated one possibility that I was
thinking of - the possibility that you had a machine with SP1 on it despite
the code only being released to manufacturers on Feb 4th. A few questions.
What is the name of the task concerned? What is making it run now? What other
things appear to be causing problems? Have you tried recovering your machine
to its original condition - and if so, did you DISCONNECT the machine from
the Internet during the procedure?
To answer your last two questions, yes the computer has been restored to
original condition and yes, it was disconnected at the time. The only time
the machine is connected to the internet is for a specific purpose. We do not
have an "always on" connection and the computer is always disconnected after
use. I address the other questions below.
From the beginning, and this will be very long, I bought a laptop computer
as a Christmas present for my wife with the plan of setting her up with
secured wi-fi and air card service so she could easily connect to her company
network when out of the office. I set it up, did all the updates and packed
it away until Christmas. After this, I installed all the software she needed
and got rid of all the many gigabytes of promotional trashware that installed
with the OS. I quickly learned it had horrible security problems. Among
other things, on Jan 30 at 9:18 PM, it woke itself from sleep mode with the
screen folded down, dialed up and connected to the internet and began
transmitting data back and forth between it and some unknown site. The
computer was still officially asleep when I raised the lid to begin
investigating. I had to wake it up and enter the password to gain access.
After trying every way possible to break the connection by using software
controls, the only way to break it was to yank the modem line. By the time
I did that it had transmitted 240 kb of data and had received over 50 kb.
According to my ISP, the computer was not logged on to my account.
The tech support for the computer company said the computer was infected
with a virus and had to be restored from the recovery partition. When I
explained that was impossible since it was firewalled, fully protected, had
only connected to Windows Update and Norton Live Update and didn't even have
an email client set up yet, the blame was placed on a bug in Vista. I was
advised to wait for the release of the upcoming Vista service pack that
should solve the problem. I formatted the drive, reinstalled and reupdated
the system and once again removed all the trashware. A week later, it did it
again. When it happened the second time, I returned the computer to the
retailer and that's when I made my second mistake. In exchange, I accepted an
apology and an upgraded model made by the same company.
I originally set up this second machine on Jan 11. The first thing I did was
get all the Windows and Norton updates. On the morning of the 12th, I burned
my recovery set to dvd's and began uninstalling all the trashware that came
preloaded into the system. At a certain point, the computer became unhappy
and displayed serious problems so I restored the computer from the recovery
disks I made. Due to the previous experience, I was expecting trouble. Then I
learned that contrary to published information, the recovery manager did not
take an image from the newly configured and updated installation on the C:
drive, but simply burned the image from the existing recovery partition. So I
started over.
This time I initially uninstalled the gigabytes of trashware (very
carefully) to ensure system stability before I went through the ordeal of
doing all the updates over our dial-up connection, which is the only type of
internet service available to us where we live. On the 13th I did all the
updates and all went well except for the Windows Defender update. No matter
what I tried, that update would not install. Following a lot of research, I
began working with Microsoft security engineers on the 14th, attempting to
find a resolution to the problem. After more than eight hours on the phone
with them over a three day period, there was no solution to be found. I had
to reinstall and reupdate the system again. I did this on the 16th. This time
the only update that failed to install was MSXML Core Services SP2 but after
numerous attempts, it finally took.
On the 17th, I once again began uninstalling the trashware and made it all
the way through without incurring any problems. After that the computer was
good until Feb 2 when a very peculiar IE browser window was called after
resuming the computer from a two day hibernation. The browser had no
controls, no menu, no context menu (either from the window or the taskbar
button) and no way to close it except terminate it in Task Manager under the
Applications tab. This concerned me but I wasn't able to duplicate the error.
It concerned me a lot more deeply when it reappeared on Feb 23, again after
resuming from a lengthy hibernation. This time I began looking more closely.
The computer was squeaky clean. No virus, worm, trojan, adware, spyware or
anything else to be found by Norton Internet Security, Spybot S&D or Windows
Defender. Malicious script was not a possibility since that's blocked in
Firefox, the browser that's used on the machine. The January and February
Malicious Software Removal Tool had found nothing. Manipulating startups and
processes would not allow for duplication.
That night, I contacted the tech support for the computer company via their
internet chat facility with a full description of the problem and was told
the computer was infected by a virus and it must be restored from the
recovery partition. That wasn't a satisfactory solution because I knew it
wasn't true.
The next day I contacted their email support division and went through it
all again. Again, the only solution was restore the computer from the
recovery partition because the computer was infected with a virus. Over the
course of the week, I received 11 different emails that all said the same
thing, that it is infected by virus and must be restored to factory original
condition as the only possible solution. By this time I'm becoming well aware
that these computers are subject to serious problems as a consequence of
uninstalling all the promotional software they try to sell with the machine
and am rather certain that all problems are caused by manufacturer reverse
engineering. I've been using Microsoft operating systems since DOS 4 was
released and never experienced anything like this before.
After the appearance of the browser again on the 23rd, I assumed the
condition required to call the "virus" browser was hibernation of two days or
better because that was the condition of the computer both times it appeared.
On the evening of Feb 27, I disabled all non-Microsoft services and startup
programs and let it hibernate in an attempt to recreate and isolate the
problem. I resumed the computer on Saturday morning, Mar 1, at the same time
of day as the Saturday before and the browser appeared. This meant it wasn't
being called by an application or a non-Microsoft service.
After searching through various areas of the system I finally found the
cause in Task Scheduler. It has very little to do with my original assumption
that the computer must be hibernated for two days to make the bug pop. The
actual requirement is the computer must be hibernated at the time the task is
scheduled to run. Otherwise, the window of opportunity is so limited it would
take a very odd set of circumstances for the result to ever be seen with a
normal laptop power management setup.
The task is called "InternetServiceOffers" and was described as "At 7:59 AM
every 5 days - After triggered, repeat every 30 minutes indefinitely".
The parameters are:
Start the task only if the computer is idle for 10 minutes
Wait for idle 1 hour
Start task only if computer is on AC power
Stop if the computer switches to battery power
Wake the computer to run this task=NO
Allow the task to be run on demand
Stop the task if it runs longer than 3 days
If the running task does not end when requested, force it to stop
If the task is already running, then the following rule applies: Do not
start a new instance.
Running it manually revealed that the trigger and execution time change with
every run.
The net effect of these parameters is:
The successful and visible execution of the task (the "virus" browser) only
occurs when resuming the computer from extended hibernation when the computer
is hibernated at the scheduled runtime of the task.
The execution of the task has never been visible after starting the computer
from a Shut Down state although the "History" indicates an execution on
schedule and the schedule is updated.
The result of task execution never appears when using the computer although
given the exact right circumstance, it possibly could.
The Microsoft-Windows-TaskScheduler%4Operational log indicates the program
initiated on Jan 22 and ran successfully eight times between Jan 22 and Mar
1. The log also indicates the only times the program ran off the regular five
day schedule are the three times the computer was hibernated at the scheduled
run time. For these executions, the history shows execution of the task
occurred at six, six and seven days. Each of these times the "virus" browser
was called approximately 30 minutes after resuming from hibernation.
In simplification, the task is designed to call a browser window that mimics
a virus only when the computer resumes from hibernation and only when very
restrictive criteria are met and as a consequence, it rarely happens. Of the
dozens of times the computer hibernated between Jan 22 and Mar 1, the
criteria were met only three times.
The alleged purpose of the task is to provide a reminder to take advantage
of the Easy Internet Sign up program. I imagine it's supposed to nag the user
for permission to connect the computer to an array of ISP's for the purpose
of contracting for internet service. The rub is, when the Easy Internet
Sign-up program is uninstalled, the task functions in a completely different
manner. In fact, I believe the requirement for activating the task is
uninstalling the Easy Internet Sign-up program itself.
The reason I believe this is: the program itself was originally installed
along with the OS on the 16th, about 9 PM. If installation of the program
activated the task, the first execution would have occurred at around 9 PM on
the 21st, five days later. Instead, the first logged execution occurred at
8:29 AM on the 22nd which was five days after I uninstalled the program. I
believe the actual uninstall is what activated the task. This, however, is
something I cannot prove without finding the programming that activated the
task or finding uninstall information in Vista that recorded the date and
time Easy Internet Sign-up was uninstalled. This would also verify the
uninstall was the event that activated the task.
The reason I say this task is malicious is because it's designed to mimic a
virus and a dozen of the company's tech support personnel insisted it was
indeed a virus. They all said the only possible solution to the problem was
using their Recovery Manager to restore the computer to factory original
condition. Of course, this only serves to recycle the programming that's
designed to scare the user into restoring the computer from the recovery
partition, thus causing reinstallation of the promotional software. It's a
penalty imposed upon those who refuse to play the game and uninstall the
unwanted and unneeded software.
Finding this task planted in the system by the software engineers, combined
with all the other erratic behavior displayed by both computers (including
autodialing and connecting to an unknown point on the internet from sleep
mode) makes me wonder what other little bombs they have planted such as
keyloggers and botnet clients.
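An added example, not from the original thread or from the computer vendor: a small Python check that takes completion timestamps for a named scheduled task (the log lines are constructed here and use a simplified layout, not the real Operational log format), counts its runs, flags gaps that do not match the declared five-day period, and back-computes when the trigger was likely armed, which is the same reasoning used above to tie the first run on Jan 22 to an uninstall on the 17th.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (simplified stand-in for the TaskScheduler
# Operational log, not its real event layout); 2008 dates, so Feb has 29 days.
SAMPLE_LOG = """\
2008-01-22 08:29:00 completed task "\\InternetServiceOffers"
2008-01-27 08:29:00 completed task "\\InternetServiceOffers"
2008-01-30 03:00:00 completed task "\\ExampleVendor\\OtherTask"
2008-02-01 08:29:00 completed task "\\InternetServiceOffers"
2008-02-07 08:59:00 completed task "\\InternetServiceOffers"
2008-02-12 08:59:00 completed task "\\InternetServiceOffers"
2008-02-18 09:29:00 completed task "\\InternetServiceOffers"
2008-02-23 09:29:00 completed task "\\InternetServiceOffers"
2008-03-01 09:59:00 completed task "\\InternetServiceOffers"
"""

LINE_RE = re.compile(r'^(\S+ \S+) completed task "([^"]+)"$')

def run_times(log, task_path):
    """Completion timestamps of one task, in log order."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            for m in map(LINE_RE.match, log.splitlines())
            if m and m.group(2) == task_path]

def cadence_anomalies(times, period, tolerance=timedelta(hours=2)):
    """Gaps between consecutive runs that deviate from the declared period.

    A trigger missed because the machine was hibernated shows up as a gap
    longer than the period; the tolerance absorbs idle/repeat slippage.
    """
    return [(a, b - a) for a, b in zip(times, times[1:])
            if abs((b - a) - period) > tolerance]

def analyze(log, task_path, period_days=5):
    """Summarise one task: run count, off-schedule gap lengths in days, and
    when the trigger was likely armed (first run minus one period)."""
    period = timedelta(days=period_days)
    runs = run_times(log, task_path)
    armed = runs[0] - period if runs else None
    return {
        "runs": len(runs),
        "off_schedule_days": [g.days for _, g in cadence_anomalies(runs, period)],
        "armed": armed.strftime("%Y-%m-%d %H:%M:%S") if armed else None,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, "\\InternetServiceOffers"))
```

On a real machine the timestamps would come from the Microsoft-Windows-TaskScheduler/Operational log, and an audit of vendor-preloaded tasks with an idle or wake condition is worth doing before assuming malware.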