Tuesday, July 24, 2007

Beyond Crappy to Shitty

Yesterday I encountered software that goes well beyond "crappy" to the truly shitty level. It's a trojan-style virus named Virtumonde.

I'm still not 100% sure how it weaseled into my system -- especially considering I keep this WinXP box patched and updated and run an anti-virus program (Avast) and WinPatrol (which checks for system modifications). Nonetheless, yesterday while I was browsing the Web in Firefox, Avast suddenly started firing off warnings of a trojan trying to install itself. I instructed Avast to block/delete it. There were 5 or 6 such warnings and I now suspect that Avast wasn't able to kill one of them.

Oh, and I should mention that I wasn't browsing for porn or looking at otherwise suspicious Websites. Rather, I was just looking up PHP tutorials. And I subsequently went back to those sites -- using Firefox's history -- and didn't have a repeat attack. So, the source of the attack remains a mystery.

At that point, WinPatrol kicked in -- setting off alarms that an add-on, a Browser Helper Object (BHO), was being installed into MS Internet Explorer. Mind you, IE was not even open at this point as I was browsing with Firefox. These BHOs had no names, but the files associated with them were

opnmnkh.dll
ddcca.dll

Both these files had been placed in \WINDOWS\system32 right at the time of the Avast trojan warnings.

First, I tried to disable them within IE. No luck. Then I tried simply deleting them, but Windows would not let me because they were being used by a system process (and I couldn't terminate that process). Then I tried removing them with WinPatrol. No luck. Then I installed a second anti-virus/spyware app, Windows Defender. Defender identified the Trojan as Virtumonde, but it was unable to remove the files. It did describe the trojan and offer some advice about it:
Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.
Sigh. No shit, Sherlock.

I moved to the next level of combat: Hijack This and KillBox. Hijack This provided some additional diagnostic information, pulled from the registry:

O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\opnmnkh.dll
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: opnmnkh - C:\WINDOWS\SYSTEM32\opnmnkh.dll

This told me that the BHOs were being loaded during the system boot, via Winlogon Notify; and Hijack This informed me that (1) this was very early in the boot process and thus hard to kill and (2) that this was a common route for trojans to install themselves. Helpful info, but then Hijack This couldn't do anything about these registry entries. For some reason I can't understand, they cannot be deleted. Next I turned to KillBox, which is supposed to be able to terminate processes and delete files associated with them. It didn't work.
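The two HijackThis line types quoted above are worth reading together, because they point at the same file. An O2 entry is a BHO registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, loaded whenever IE (or Explorer) starts. An O20 entry is a Winlogon notification package under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, and those DLLs are loaded into winlogon.exe itself at logon; since winlogon cannot be terminated without taking the session down, the DLL stays mapped and its file handle stays open for as long as Windows is running, which is exactly why in-place deletion and the removal tools fail and why renaming the file from an offline boot CD works. The following triage script is an added example, not code from the original post or from HijackThis: it parses O2/O20 lines and flags a DLL that is registered as a nameless BHO, that is referenced by both a BHO and a Notify package, or whose Notify key is not in a baseline of stock Windows XP entries. The sample log reuses the three lines from the post plus one constructed benign entry (the Schedule package pointing at wlnotify.dll); the baseline set is my assumption about a stock XP install and should be checked against a known-clean machine before relying on it.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) log lines.

Flags a DLL when it is (a) registered as a BHO with no name, (b) referenced
by both a BHO and a Winlogon Notify package, or (c) registered as a Winlogon
Notify package whose key name is not in a baseline of stock Windows XP keys.
"""
import re
from collections import defaultdict

# Assumed baseline of Winlogon\Notify subkeys on a stock Windows XP install.
# This is an assumption for the example; verify it against a clean machine.
XP_NOTIFY_BASELINE = frozenset(k.lower() for k in (
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
))

# HijackThis line formats: "O2 - BHO: <name> - {CLSID} - <path>" and
# "O20 - Winlogon Notify: <key> - <path>".
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

NO_NAME = "BHO registered with no name"
DUAL_LOAD = "same DLL loaded as a BHO and as a Winlogon Notify package"
NOT_BASELINE = "Winlogon Notify key not in the XP baseline"

# Three lines quoted in the post above, plus one constructed benign entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\opnmnkh.dll
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: opnmnkh - C:\WINDOWS\SYSTEM32\opnmnkh.dll
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
"""


def norm(path):
    """Windows paths are case-insensitive; HJT prints system32 in mixed case."""
    return path.strip().lower()


def parse_hjt(text):
    """Return ([(name, clsid, path)], [(key, path)]) for O2 and O20 lines."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append((m["name"], m["clsid"], norm(m["path"])))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append((m["key"], norm(m["path"])))
    return bhos, notifies


def suspicious_entries(text, baseline=XP_NOTIFY_BASELINE):
    """Map each flagged DLL path to a sorted list of reasons it was flagged."""
    bhos, notifies = parse_hjt(text)
    reasons = defaultdict(set)
    bho_paths = {p for _, _, p in bhos}
    notify_paths = {p for _, p in notifies}
    for name, _, path in bhos:
        if name.strip().lower() in ("(no name)", ""):
            reasons[path].add(NO_NAME)
    for key, path in notifies:
        if key.lower() not in baseline:
            reasons[path].add(NOT_BASELINE)
    # A DLL that is both a BHO and a logon notification package is the
    # pattern seen in this infection: one file, two persistence hooks.
    for path in bho_paths & notify_paths:
        reasons[path].add(DUAL_LOAD)
    return {p: sorted(r) for p, r in reasons.items()}


if __name__ == "__main__":
    for path, why in suspicious_entries(SAMPLE_LOG).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Feeding it a real HijackThis log (or the output of a registry dump of the two keys named above) gives a short list of files to take offline; a DLL that lands in the report for more than one reason, as opnmnkh.dll does here, is the one to rename first from the rescue CD.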

And during this time, ddcca.dll was renamed to jkkll.dll and gebyy.dll -- obviously, randomly generated file names. But opnmnkh.dll remained the same and seemed to be the main culprit.

Finally, after five hours of struggling with this and screwing up my entire day, I turned to SystemRescueCd, described by Wikipedia as
a distribution of the GNU/Linux operating system on a bootable CD-ROM disc, useful for repairing unbootable computer systems and retrieving data after a system crash.
Yes, indeedy! I'd used this once before to rescue files from a computer that wouldn't boot into Windows. This time, I booted from the CD and, from the command line, renamed the offending files to

gebyy.fuckoff
opnmnkh.fuckoff

Rebooted my system and, finally, I stopped getting alerts about a virus/trojan infection. Once the files were deleted, I could go back to Hijack This and remove the registry keys.

My system now seems back to normal, but, of course, I'm wondering if I fully removed that crappy (shitty) trojan.

Man, it's enough to make me spend more time on my Mac, which is not such a big, juicy target for crap like this.

P.S. And I give a big thanks to WinPatrol for preventing those BHOs from loading! I'm off to pay for their "Plus" version right now!

P.P.S. I did try two apps that are designed specifically to remove Virtumonde, but the ones I looked at did not succeed. I suspect this trojan has been mutating and is thus resistant to the automatic removals. The most helpful information about this trojan, for me, was on Audit My PC.


Saturday, July 14, 2007

Radio Flyer: NOT Crap

Every once in a very long while a company's customer service surprises you in a good, non-crappy way.

Radio Flyer, the maker of "little red wagons" since 1917, recently proved this to me. We bought my son one of their Deluxe Steer & Stroll Trikes. These are pretty cool as they allow the parent to "co-pilot" the trike, steering it from behind.


This feature has helped us steer Ian out of traffic on numerous occasions -- although now, at 3.5 years old, he doesn't need much co-piloting and is almost ready to move up to a two-wheeler.

In any event, the gears in the front wheel went out a few months ago. I couldn't figure out how to open the wheel, let alone fix the gears and so I went to RadioFlyer.com to buy a replacement part. I was prepared to purchase it, but I stumbled upon their warranty form. Truth be told, I couldn't remember exactly when I purchased it so I guesstimated a date. I really was not sure that our trike qualified, but I figured it didn't hurt to fill out the form. And Radio Flyer did not request any proof of purchase from me.

I really didn't expect much, but just a few days later a replacement part appeared on our doorstep. Radio Flyer had promptly shipped it to us at their expense. Amazing!

I attached it to our trike and Ian was mobile once again.

Thank you, Radio Flyer, for proving that some companies still stand behind their products!

Tuesday, July 10, 2007

A Proposal: IOSYBWGFYO Crap

There really ought to be an acronym for crap like this:

Slashdot: Yahoo Downgrades MusicMatch Jukebox
Posted by kdawson on Monday July 09, @07:11AM
from the nice-while-it-lasted dept.

BanjoBob writes: "MusicMatch Jukebox has been a bundle of great MP3 and music management applications in one package. Apparently, it is the end of life for this wonderful MP3 player, ripper, catalog, CD player, Internet radio player, purchase outlet, Auto DJ, Super Tagger, and music database. There was nothing not to like about the product. There is nothing to like about the new downgrade, Yahoo! Music Jukebox. MusicMatch users have been getting notices to 'upgrade'; those who have taken the bait are not pleased. The Yahoo! Music Jukebox feedback forum doesn't have much nice to say about the product. Lots of features have gone away and the 'free upgrade' costs about $20."

Maybe the acronym should be "IOSYBWGFYO", or:

In Order to Serve You Better, We're Going to Fuck You Over

Wednesday, July 04, 2007

M-Audio FireWire 410 -- Confusing and Crappy

First, a disclaimer: I am not a professional musician or an audio engineer. But I have worked in radio for over 30 years. So, I think that it is not just my incompetence that has made my experience with the M-Audio FireWire 410 audio interface a hair-pulling-out nightmare....

To continue reading this article and the 42 comments on it, please go to the new home for the Crappy Software blog:

http://crappysoftware.tvcrit.com/?p=57
