The customer settled on a newer refurbished Dell model, paid and left. The following day she called me and said that the computer would not start. The lights were on but the screen was dark. Plus it would not shut down. Oh great–just what I want to hear.

But through a series of questions I determined that the actual situation was this: She had been using the computer at a public wireless access point, and had then put the computer away in its bag without first shutting it down. She had just closed the lid. Meanwhile, the laptop kept running, got hot in the enclosed space of the bag and locked up due to overheating. It had not been set to go into standby mode when its lid was closed. (Standby is a special low-power state).

This explains things, I thought. That’s most likely why her one laptop was a source of so much trouble for her. She probably never, ever actually shut it down. She just closed the lid and forgot about it. Meanwhile the laptop was running the whole time and she didn’t even know it.

I am perhaps a tad unreasonable on this subject, but my opinion is this: If you aren’t going to use an appliance (like a computer) for a while, SHUT IT OFF. At the end of every day, I power off all my computers, printers, monitors, test equipment, anything that draws power. Not only that, I turn off the surge protectors they are plugged into so that the devices receive no current whatsoever. The reasoning is this:  less energy wasted, less chance of damage due to a power surge, less heat that has to be removed by the AC system–a major consideration what with our lengthy warm season here in central Texas. The only downside is that I have to wait maybe 60 seconds for the systems to power on in the morning. Even on the busiest day, I can spare 60 seconds.

Somehow the idea has gotten entrenched in the public mind that it is damaging to computers and other electronic devices to turn them off and on. At some level this is potentially true, because there is an initial thermal shock as power floods through the cold circuits when you hit the start button. But it’s OK, they can take it. Modern electronic devices are designed to handle thousands of startup/shutdown cycles. Look at it this way: If you follow the conventional reasoning, then you should never turn off the lights, never turn off your television or stereo, never turn off your car’s engine (90% of engine wear takes place in the first half-second of operation). Obviously that would be just silly. By not turning off unused electronic devices, you trade the small possibility of a slightly shortened lifespan for the device for the certainty that a lot of energy will be wasted. And that’s not a very good bargain. So if you aren’t going to use that computer for a while, go ahead–turn it off.

This malware is the latest generation of a family of rogue software known by many names going back to at least 2006. The basic MO remains the same: On startup an infected computer’s desktop is taken over by a legitimate-looking program that seems to be finding all manner of malware. As this is unfolding, the software also declares that the computer has been hacked and that the user’s identity is at risk of being stolen, among other messages. The software almost completely monopolizes the system, essentially making it unusable. The hook comes when the program informs you that to get rid of the problem, all you have to do is to register this trial version. Simply click on this link (and pay $49.99) . . .

The perpetrators of this scam have so far kept things fresh by releasing new variants every few days to stay ahead of traditional, database-based antiviral programs. These variants continue to add charming new features, such as routines that block or hide all other executables, layered service protocols that block network activity (except a connection to their server to process payment), and the ability to run in safe mode. Some variants apparently block safe-mode operation altogether. New Vista-specific versions are beginning to gain traction as well. Up to now, primarily machines running Windows XP have been affected.

The infection usually occurs when the user interacts with a bogus (but official-looking) security alert claiming to have found malware. These messages may appear when the user visits a compromised website. ANY interaction with this message typically triggers a surreptitious download of the infectious software. The only safe way to close such a message is to use the task manager (ctrl-alt-delete). Internet connections not filtered through a router are especially at risk.

The reach and sophistication of this scam are surprising and disturbing. Millions of users have been infected, many more than once, and the end is nowhere in sight.

I had heard the call when it came in, on a Saturday about lunchtime, but had chosen not to answer because the special ring identified it as anonymous. It was an easy call (no pun intended). At Computer Medic we generally don’t answer unknown or anonymous calls for all the usual reasons. It’s policy. We are hardly alone in this.  It is, in fact,  a very common (and common-sense) policy.

Apparently, this fellow had called previously, although he had never bothered to leave a message or a callback number.  This isn’t the first time this sort of thing has happened to us. Over the years this scenario has been repeated often enough for us to recognize it as a syndrome. The callers are almost always male, young to early middle age. The messages usually include a profanity or two, and never, ever include a callback number. Most of the time, the caller clearly intends to be insulting.  Based on what they say and how they say it,  I can only surmise that these people are expecting special treatment, and are annoyed at not getting it. Unfortunately, we’ve learned the hard way that people who expect special treatment tend to be difficult customers.

Then of course there is always the odd case. Once, an anonymous caller left a message saying, “I realize you’re probably not answering because of the blocked number. I’m sorry, but I just got this phone and somehow turned on that feature by accident and can’t figure out how to turn it off.  I’ll call you back in five minutes.” I answered the second call, we had a good conversation, and he turned out to be a pretty good customer. And we figured out how to turn off the number block.

So if you call from an anonymous number and we don’t answer, please don’t take it personally. It’s just policy. Just leave us a callback number and we’ll get back to y0u.

We recently encountered two separate cases of Security 2010 that were, apparently, successfully removed. Yet the users continued to experience frequent browser redirects and tainted search results. Exhaustive examinations of each machine revealed no suspicious executables. Yet in monitoring the IP traffic,  we could see the computers consistently connecting to an address in Eastern Europe immediately before each redirect. How this was happening was a mystery. On a hunch I checked some settings and solved the mystery. The solution actually turned out to be simple. The malware had manually reset DNS primary and secondary values to the aforementioned Eastern European address.

DNS stands for Domain Name Server, and Domain Name Servers are the giant databases that resolve the familiar domain names (e.g. www.yahoo.com) into IP addresses (e.g. 69.147.125.65), which actually define addresses in cyberspace, and which the many routers that make up the Internet actually understand.  Each time you type in a web address into your browser or click on a link, your computer must contact a Domain Name Server to turn that collection of words into an IP address. And each time my customers’ computers attempted to connect to a requested address, the computers would contact the rogue Domain Name Server, which would then falsely resolve the domain name to another unrelated site. Presumably, the owners of the redirecting website were paying the rogue DNS for the redirects. In a way you have to admire their entrepreneurial spirit.

In this case, simply setting the DNS values to default (Obtain DNS address automatically) solved the problem. This setting, the most commonly used, allows your router or Internet Service Provider to connect you to a default DNS.

It turns out that he had carelessly dropped the laptop from a height, severely damaging the case. He said it ran, sort of, but clearly had some problems. He wanted me to replace the parts bearing obvious damage so that he could take it back to Apple and, claiming ignorance, have it fixed under warranty.

Now I’m no saint, but I know a bright ethical line when I see one. This was no more a warranty issue than if the young man had worked over his laptop with a ballpeen hammer. I was genuinely offended that he had tried to recruit me into what was, in effect, a scam. I paused a beat and then said something like:  “I am not going to be a part of that deception. You were careless with your laptop and broke it, and it’s your responsibility to fix it.” The young man seemed shocked that a business would turn down the chance to make a buck. I was shocked that he was shocked. Is that what our society has come to?

I have no great love for Apple. I think their products are overpriced and overrated, and I think Steve Jobs is a dictatorial prick who would take out his grandmother if she somehow threatened share price. And don’t even get me started about the uber-irritating, cooler-than-thou Apple mythos. But none of that matters a bit because fair is fair. Period.

This is the work of highly skilled, well-funded actors. The authors of Security 2010 have managed to infiltrate large numbers of legitimate, heavily visited websites with their infectious mother-ship software. Simply visiting a compromised website is often enough to deliver the malware. In other cases the user will receive an official-looking message stating that spyware has been detected, and that the user should download software to remove it. Following the attached link delivers the malware to the unsuspecting user.

Infected machines will display an legitimate-looking program that runs on startup bearing the name Security 2010, Antivirus Pro 2010, or any of a number of variations on this theme. The program appears to be scanning for, and finding, malware. The software also displays a rotating menu of  scary messages about dangerous malware supposedly found lurking on the system. The whole display is completely bogus. The software also displays a message that the user has an unregistered version installed, and offers a link to register the software, for a hefty fee of course. However, paying these extortionists will NOT make the problem go away. It is all simply a scam intended to separate the user from his or her money. Unfortunately, lots of people have taken the bait and handed over their credit card numbers to these criminals.

Security 2010 thoroughly monopolizes the user’s computer, rendering it essentially useless. The software also employs a number of defensive strategies to defeat removal, including deactivating firewalls, turning off anti-malware software, and disabling standard system-management tools such as the task manager and, more rarely, regedit. It may also disrupt the .exe file association, making it difficult to run executable files.

Beyond rendering your computer unusable, Security 2010 does not appear to be actively malicious. But it opens security holes that leave the computer vulnerable to other malware infections. Left unattended the problems could grow even worse. At Computer Medic, we have developed very effective methods for dealing with the Security 2010 software, and would be happy to assist you if you should become infected by it.

Malware (”malicious software“) has been around almost as long as computers have. But it has changed drastically changed over the years. Once upon a time, most malware was basically digital vandalism, whose purpose was to wreak general havoc, as well to call attention to its creator and show off his programming skills. The programs were simple, easily defeated, and generally speaking, fairly harmless. But with the rise of the Internet, criminals became aware of the vast possibilities for making money using various forms of malware. The schemes have gotten progressively more sophisticated as the stakes have risen. Now, the making and distribution of malware is a multibillion-dollar business, controlled by international criminal syndicates. It is a virtual arms race, and the end is nowhere in sight.

“How DOES this happen?” I often hear. Most malware arrives via the Internet, as you might imagine. Viruses typically arrive in infected email attachments, or buried in programs downloaded from non-legitimate sites. Much of the malware that travels via infected email practically announces itself; it comes from someone you don’t know, or have no reason to hear from. The subject line doesn’t quite make sense or is poorly written, contains an unseemly invitation, or demands that you do something RIGHT NOW. And there is always an attachment. It’s the attachment that contains the tainted payload. As long as the attachment is unopened, nothing happens. Viruses and worms are spread in this way. A virus replicates by infecting executable programs on the host computer, whereas a worm propagates from computer to computer across a network connection, typically in a work environment.

Viruses and worms require some action by a user to spread. But more and more, malware is delivered surreptitiously, without any overt action by the recipient. NEXT Stealth Infections: Trojans, Rootkits, and Backdoors.

RAM (Random Access Memory) is temporary storage that the computer uses as workspace. If a hard drive, discussed in our last post, is like a file cabinet, RAM is like a desk–the larger the desk’s surface, the more projects you can work on at a time. The more RAM, the more workspace, the more data available to be worked on immediately.

A common perception is that adding RAM to a computer will increase its speed. This is sort of true, but only up to a point. To properly function, a computer needs a certain amount of temporary storage that it can use as working memory to store the data it is working on. The computer uses a mix of actual RAM and virtual memory for this purpose. Virtual memory is dedicated space on the hard drive that acts like RAM, hence “virtual” memory. A computer with insufficient actual RAM to carry out all its tasks will need to use virtual RAM in its place.  Which is fine, except that a hard drive, being a mechanical device, stores and retrieves data perhaps 100 times slower than RAM, which is entirely electronic. The result is a major slowdown.

If, like most people, you are still using Windows XP you probably need less RAM than you think. If all you do is surf the web, do email, occasionally listen to Itunes, and run Microsoft Office, you can get by with 512 megabytes (MB) of RAM. If you have less RAM than that, then you probably need to add a little more in any case. If you like to have lots of programs open at once, or use resource-intensive programs like Photoshop, then you probably need a gigabyte (GB) of RAM or more. Adding more memory than your system needs will not increase its performance, but not having enough will slow it down.

Note that unless you are running a “64-bit” operating system, your system will not be able to make use of more than 3 GB of RAM. Any more than that is just wasted. (A 64-bit operating system is one that moves data in 64-bit chunks, as opposed to the more common 32-bit.)  Only a couple of versions of Windows are 64-bit: Vista Ultimate and XP Professional 64-Bit. Most versions of Linux, as well as Mac OS 10, are 64-bit. Upcoming Windows 7 will also be 64-bit.

The first thing you need to know is that a hard drive is a mechanical device, consisting of  a glass or metal disk honed to a microscopically smooth finish and coated with magnetic material (the same stuff that audio and video tape are made of). The alignment of the crystals in the magnetic material determines whether a given chunk is read as a 0 or as a 1. All digital data consists of strings of 0s and 1s arranged into meaningful patterns. A read/write head pivots back and forth over the drive surface to encode and decode the magnetic signals on the disk. Data is recorded as a series of concentric rings (tracks) centered around the drive spindle.

Second, not all parts of the hard drive deliver data to the system at the same speed. The outer edge of the spinning hard drive moves at a faster actual speed than the inner part, and therefore can deliver data faster. For this reason, the system preferentially writes data to that part of the drive. The system also typically makes every effort to write data into continuous stripes within a given track. However, if a track gets filled up before a block of data can be completely written, then the system must find another track on the drive to write the remaining data. The system has no way of knowing how much space it will need to record a given chunk of data, so it frequently has to break the data into separate pieces to make it all fit. “Fragmentation” occurs when data that logically belongs together becomes physically separated as it is written to the hard drive. Fragmentation slows the process of data retrieval down because it requires a certain amount of time to reposition the read/write head as it scans across the various tracks of the hard drive. “De-fragmentation” is the process of assembling all of those separated pieces of data into continuous blocks, preferably in the faster part of the disk.

Fragmentation really becomes a problem as the drive approaches capacity. The available blocks of free space become few in number and widely scattered, forcing the hard drive to work constantly even under periods of low demand. Long before the typical system displays the “disk full” error message, it has grown painfully slow due to intense fragmentation.

The Windows operating system is a very dynamic environment. Typically, dozens of read/write actions take place every second of operation. Temporary files are written and erased again and again. Windows also maintains a number of permanent files as part of it’s normal operation; these typically grow in size over time. Normally, they are hidden from the user but if you deselect the “Hide protected Windows system files” option under Folder Options, they become visible. Users’ data files also become fragmented as they are added to over time. A heavily used system can become fragmented quickly.

You can limt fragmentation and the slowness that comes with it by keeping your hard drive from filling up. My rule of thumb is this: If the drive is over half-full, it’s time either to start deleting stuff, or to get a larger drive. Hey storage is cheap. A terabyte–a trillion bytes of storage–costs less than $100. Stop to think about just how large a number a terabyte is.