Tuesday, January 16, 2007

Who are you talking to?

I was a little under the weather over this last holiday weekend and spent most of it resting and feeling generally crummy. In the meantime, I picked up the laptop (gotta love WiFi) and spent some hours whittling away at the vast no-man's land of the Web. Not to be totally unproductive, I was also updating the virus definitions, getting the latest patches for Windows, running utilities to clean up old files and more or less organizing and optimizing my setup. There are dozens of enigmatic little files constantly running in the background, some of them apparently work very hard at something. I found a cool site called File.Net that gives the "face behind the mask" to all those little processes and how to tell if they are actually legitimate or useful. For example I found a few that were diligently slaving away for applications that I don't even use anymore - in the trash they went.

The bad guys who inflict viruses, trojans, spyware and other malicious programs onto the rest of us have a trick - they give their poisonous progeny the same name as a legitimate file and put it in a similar looking location - for example

"c:\windows\system32\crsrss.exe" or "c:\windows\system\csrss.exe" instead of "c:\windows\system32\csrss.exe".

While it reclines comfortably, hidden in plain sight, the infection spreads and eats up precious resources like CPU time and bandwidth, sometimes cannibalizing other files. This was my first personal lesson in the fallibility of Anti Virus protection.
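One way to automate the check the post describes, as an added example that is not from the original post: it takes a list of process image paths (a constructed sample is embedded) and flags names that resemble a known system process or that run from a folder other than the expected one. The EXPECTED table and the similarity cutoff are assumptions made for this example.

```python
# Added example (not from the original post): flag process image paths whose
# name or directory only looks like a legitimate Windows system process.
import difflib
import ntpath

# Known-good Windows system processes and the directory each normally runs from
# (assumed baseline for this example; extend it for your own environment).
EXPECTED = {
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}


def classify(image_path):
    """Return (verdict, detail) for one process image path."""
    path = image_path.lower()
    directory, name = ntpath.split(path)
    if name in EXPECTED:
        if directory == EXPECTED[name]:
            return ("ok", name)
        # Right name, wrong folder, e.g. c:\windows\system\csrss.exe
        return ("suspicious", f"{name} expected in {EXPECTED[name]}")
    # Lookalike name, e.g. crsrss.exe vs csrss.exe; the cutoff is chosen so a
    # single inserted or swapped character still matches but unrelated names do not
    close = difflib.get_close_matches(name, list(EXPECTED), n=1, cutoff=0.8)
    if close:
        return ("suspicious", f"{name} resembles {close[0]}")
    return ("unknown", name)


def scan(paths):
    """Classify every path and return (path, verdict, detail) triples."""
    return [(p, *classify(p)) for p in paths]


# Constructed sample snapshot mirroring the post's examples
SAMPLE = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\crsrss.exe",
    r"C:\Windows\System\csrss.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for path, verdict, detail in scan(SAMPLE):
        print(f"{verdict:10} {path}  ({detail})")
```

On a live machine the SAMPLE list would be replaced by the image paths reported by a process viewer; an "unknown" verdict only means the name is not in the baseline, not that it is clean.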

Of course Windows XP won't plainly tell me in a simple way where a program that is currently running and in use came from and who started it, but I found an application that would tell me. Task Manager is a nifty little thing that looks a lot like Windows' Task Manager (the old Ctrl/Alt/Del) except that it actually gives you information that you can use!! It even has a shortcut when you right click on something - BOOM!! Instant Google search.

And File.Net was usually right near the top of the results where I needed it.

Even armed with that information I barely chipped away at the iceberg underneath. Not to mix my metaphors, but I couldn't see the forest through the trees. I was keeping an eye on the chatter between my computer and the rest of the semi-anonymous world as I scoured Dell, Symantec, and Microsoft for some sense and reason. Ya right, who'd think the biggies on the scene would be the least helpful? The frenetic babbling machines seemed to have a lot to say to each other, ignoring me and keeping me out of the conversation. Through the morass of remote and local addresses, process names, TCP, UDP, ICMP protocols, netbios, ports (open, closed or stealthed), known hazards and potential vulnerabilities, IPs and subnet masks, inbound, outbound, localhost, firewall rules (and the occasional online backgammon game), I began to notice patterns.

Some talkers were more active than others - no problem, gag it with a firewall rule. After some trial and error (a few actually did need to communicate for me) and some more investigation it began to make sense. It felt like staring at one of those posters that don't look like a picture of anything until you stand back to look at it cross-eyed and out of focus.

That's when a three dimensional image of a whale jumping over a boat materializes.

I found some great help in the form of free and trial software such as WinXP running services, CCleaner, Spyware-Net, RegistryFix, Error Killer, PC Pitstop, Uniblue and dozens of other sites that each added their piece to the puzzle. Microsoft actually did make a contribution to me with utilities that I would recommend like Port Reporter, Baseline Security Analyzer, Tweak UI and Bootvis. By far the most easy-to-use, informative and repeatedly clicked tool was called ShieldsUP! - written and narrated by an old-timer in the code biz that had some illuminating history to share. He also shared his experiences of Microsoft's lax approach to internet security and "designed" flaws. Put it this way - if freshly shipped Windows XP operating systems were like new cars rolling off the transport truck at the auto dealership, each one would have the keys in it with the engine running.

It was those vulnerabilities and "look the other way security" that allowed my expensive hi-tech gadgetry to fall victim to a very subtle and potentially horrible sickness. In the end, it was something very simple and plain as day that led me to a solution - just like your house keys are always in the last place you look. I was combing through system files, web forums and alphanumeric gobbledygook when I opened a familiar folder: Network Connections. You see, I use my laptop with a wireless internet connection - I'm on the couch, in bed, at the table, etc. The only cord I use occasionally plugs into the power outlet. Yet right there in the Network Connections folder next to the usual trio of the 1394 Net Adapter, 10/100 Integrated Controller and the Intel PRO/Wireless Network Connection was something I had never seen before. A "Local Area Connection" (hardwired, tethering, land-line type connection) on "Linux IGD" (an operating system I have never used before). Even stranger still, it was chugging away at a decent pace sending something, I don't know what, but a lot of it off into the Never Never Net Land of the WWW. A quick Google took me here and I learned that this is not a new problem for MS WinXP users.

So I squished it like a big juicy bug.

I have yet to see whether it caused permanent damage (besides my fried eyeballs) and it's also possible that whatever spawned it is still fertile and reproductive. What I do know, besides some fresh techno-jumbo, is that where previously there had been unlocked doors, open windows and unsecured vaults within my trusty laptop, I still have my same old mutt for a guard dog - but he has a few new tricks.

3 comments:

Anonymous said...

hmmm... Virus-laden Windows machine? or Virus-free Mac?

tough choice.

;p

Countersteer said...

I know, I know. This is the LAST MS/Win clone I will ever own - I SWEAR!

Repair Registry said...

Thanks for your nice presentation. Keep in touch. I am waiting for your next stuff.