Archive for May, 2008

news from the frontlines: the userinit virus (updated 16-8-08)

Monday, May 26th, 2008

(phone rings)
“Hi, I think my computer has a virus.”
“Yeah, Windows doesn’t load properly, I get my wallpaper, but there’s no icons and no taskbar, and I get an error message saying-”
“Userinit.exe failed to initialize, 0xc0000005?”
“Yep. Seen it a lot lately. Bring it in.”

It’s a new strain of the Virtumonde or Vundo virus, or whatever it’s calling itself these days. We’ve seen about nine machines come into the shop with it in the last 3 days or so, and it’s recent enough that none of the usual tools are seeing it. Not even the venerable NOD32 (Australian site) seems to know about it yet.

I fought it to a standstill by scanning with everything – and then there was one last little file that none of them could see that caused the above situation. It was c:\windows\__c00f220b.dat and to get rid of it without using a DOS or Live boot disc I needed killbox.

Update: 16th August

Here’s a screenshot of c:\windows\system32 in explorer, with all the files you should delete selected:

Things to note:

  • Sort the folder by date modified, and show in detail view like the screenshot. The infected files will be about 80% of the first page of most recently modified files here.
  • Except for the .dat file (__c004379C.dat), the filenames are completely random: up to eight characters long and only A-Z, mostly lower case, but sometimes with a few uppercase letters too. They’re easily recognisable because they’re unpronounceable (very few vowels), but if you say one in your head and it sounds like it could be an abbreviation, google it first.
  • It’s mostly .dll files, with a few .exe files thrown in for good measure (as well as the .dat file). I have also seen some .ini and .ini2 files, which are instantly recognisable: try opening them in Notepad and you’ll just see garbage, because they’re actually binary files (not the human-readable text files that .ini files are meant to be).
  • This is the folder where Windows stores its most important files. Randomly deleting stuff from here is a bad, bad idea and could lead to a reinstall whether you like it or not. If in doubt, find someone more familiar with computers, offer them a beer or something, and get them to do it for you.
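As an added example (not code from the post), here is a small Python triage script that encodes the three naming rules above and runs them over a constructed directory listing; the listing, the first-bytes snapshot per file and the 0.2 vowel-ratio threshold are my own assumptions, not something the post specifies.

```python
import re
import string

# Constructed sample of a c:\windows\system32 listing (not a real capture).
# Each entry: (filename, first few bytes of the file's content).
SAMPLE_LISTING = [
    ("__c004379C.dat", b"MZ\x90\x00"),          # name from the post
    ("qrtxkwpd.dll", b"MZ\x90\x00"),            # constructed random name
    ("vbzkfPQx.exe", b"MZ\x90\x00"),            # constructed, mixed case
    ("hjkwrtb.ini", b"\x00\x01\x7f\xfe"),       # constructed binary .ini
    ("kernel32.dll", b"MZ\x90\x00"),            # legitimate, has digits
    ("desktop.ini", b"[.ShellClassInfo]\r\n"),  # legitimate text .ini
    ("userinit.exe", b"MZ\x90\x00"),            # legitimate, pronounceable
    ("msvcrt.dll", b"MZ\x90\x00"),              # legitimate but vowel-free
]

# Matches the two .dat names the post shows: __c00f220b.dat, __c004379C.dat
DAT_PATTERN = re.compile(r"^__c[0-9a-f]{7}\.dat$", re.IGNORECASE)
VOWELS = set("aeiou")
PRINTABLE = set(string.printable.encode())


def looks_random(stem):
    """Post's rule: letters only, at most 8 chars, very few vowels (assumed < 20%)."""
    if not (1 <= len(stem) <= 8) or not stem.isalpha():
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in stem) / len(stem)
    return vowel_ratio < 0.2


def ini_is_binary(head):
    """A real .ini is printable text; any control or non-ASCII byte means it is not."""
    return any(b not in PRINTABLE for b in head)


def triage(listing):
    """Return (filename, reason) for every entry that trips one of the rules."""
    findings = []
    for name, head in listing:
        stem, _, ext = name.rpartition(".")
        ext = ext.lower()
        if DAT_PATTERN.match(name):
            findings.append((name, "__c00xxxxx.dat dropper name"))
        elif ext in ("ini", "ini2") and ini_is_binary(head):
            findings.append((name, "binary content in .ini"))
        elif ext in ("dll", "exe") and looks_random(stem):
            findings.append((name, "random unpronounceable name"))
    return findings
```

Note that msvcrt.dll is flagged too: it is a legitimate Windows file with no vowels, which is exactly the case the post means by "if it sounds like an abbreviation, google it first", so treat the output as a shortlist to check, not a delete list.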

Update: 22nd July

I’ve seen Combofix take care of this virus all by itself, in one shot. From the walkthrough on that page it looks like there are a few more steps than what I’ve written out below, but it doesn’t make it as easy to screw up and delete the wrong files as my method does.

Update: 23rd June 2008

Some facts we’ve gathered:

  • It doesn’t appear to spread via USB thumbdrives, or over the network. We still aren’t sure what causes it, but recently installing some pirated software seems to be a common theme so far.
  • Once you’ve logged in, it will deliberately crash processes using rundll32.exe. userinit.exe is the most obvious, but it means you can’t run Add/Remove Programs or a command prompt window.
  • It will also crash the installers for some antivirus/antispyware programs, including NOD32 2.7.
  • NOD32 version 3 detects the .dat file as trojan.NZG. VundoFix doesn’t detect it at all.

You can still log into your machine and keep using it by doing the following:

  1. Start the machine. When the userinit.exe error message pops up, hit OK twice (two error messages), and hit Ctrl+Alt+Delete to load the Task Manager.
  2. Click on File -> Run…, type “explorer” and hit OK. The taskbar and desktop icons should now load, as will about eight “could not initialize properly” messages about Rundll32.exe. Click OK on each of these.

The following seems to be a pretty foolproof way to kill the virus. You’ll need Spybot Search & Destroy (remember is the genuine address if you have to google it later) and Killbox.

  1. Install Spybot. Fully update it, may as well immunize with it, then run a scan. It should pick up and remove several Virtumonde infections. Don’t reboot yet.
  2. Run Killbox, and use it to remove all the __C00????.dat files in c:/windows/system32/ (there may be only one; I’ve seen five at once before). You will have to set them to delete on reboot as they’re actually still running. Don’t reboot until you’ve killboxed all of them.
  3. Reboot. Your computer will probably still be infected, but you’ll now be able to log in without manually running Explorer. I strongly recommend you download NOD 3 and run a full scan with it.

error 25090, or: all these office updates keep failing

Sunday, May 25th, 2008

I’ve seen this a lot at work lately: You run automatic updates, but there’s a pile of them for Office 2003 applications that just fail every time.

Microsoft describe the problem in KB827467, and the fix is short and sweet:

  1. Put the Office 2003 CD in the drive, start setup.exe, close it.

That’s it. Cancel out of the installer at the first opportunity, and it’ll reset whatever’s broken so the updates can install.

(Thanks to dannyman, whose post I somehow found before the KB article.)

why i like computers *and* cars

Sunday, May 11th, 2008

I cannot spot a single functional difference between the following two images:

(From here and here respectively)

things that shouldn’t exist

Friday, May 9th, 2008

ASRock aren’t the best known company in the world, but their products are common enough. They’re basically the budget arm of ASUS, who make great boards. Wikipedia would like to point out they put expensive features like WiFi and long-life caps on pretty cheap boards.

I like them for a different reason entirely: they make some of the coolest shit I’ve ever seen.

more dustblog

Friday, May 9th, 2008

See those metal fins? That’s where the sweet, cooling air used to go.

This video card hit 98 degrees Celsius before we cleaned it. Now it peaks at 68 working as hard as it can.

More dust stalagmites, because the light today was perfect and my phone cam rocks:

Here’s why air compressors are cool. Before:


And lastly: Note the blueness, the insides of an expensive laser printer, the insides of a cheap mass-produced cockroach…

quality, and why you should pay for it

Friday, May 2nd, 2008

The object in the above photo is the I/O backplate from a cheap computer case.

Cheerfully rolled up. By hand.

It’s made of steel, as is the thing on the left, which was an expansion slot cover.

The case itself was of such amazing quality that the hard drive didn’t fit in the proper bay, so I had to bend out the little tabs that would normally hold a drive there while you screwed it in.

Again, by hand.

This is a bit of a problem in the PC sales industry. Things get sold by the numbers with the slimmest possible profit margins, and to hell with the quality, a box is a box. And fair enough, a PC case basically is just a box with funny cutouts and a plastic swooshy curvy front bit.

But the cheap ones are made with the finest, cheapest steel in all of Guangzhou, occasionally don’t line up right (making building a PC in them frustrating), and can be designed so badly they’re quite capable of shorting out random parts of a motherboard (making building a PC in them exciting, occasionally smoky, and a crappy way to end up not saving money overall).

Why should you buy a brand-name card reader from a shop for $40 when you can get one on eBay for $4 including delivery? Because you get a warranty that doesn’t cost double the item to fulfil, and you get a far better quality item overall anyway. Cheap USB card readers sometimes won’t read cards bigger than 1GB, or they might have a painfully slow transfer speed (and someday that’s going to be the difference between catching or missing a bus). It’s worth it to splash out on the SanDisk reader.

That broadband modem might be $20 cheaper than the one next to it on the shelf, but you’ll pay for that. The software that runs it might be less stable and less well programmed, and the hardware itself might be unreliable. It’s still a modem, and it’s still a wireless access point, but the modem might be slow at negotiation so you’ll spend 10x the time waiting for the sodding thing to connect, and the access point might be less reliable, less secure by default, and you might not be able to watch streaming video over it (a nasty surprise: if you can’t watch 720p (about 7 megabits a second) over 54Mbps wireless, take it the hell back). After my own experiences, I’m never again buying anything that isn’t from Linksys or DrayTek.

You could save $10 by getting the cheaper wireless keyboard and mouse combo, but you shouldn’t. The keyboard will feel a bit less nice, the mouse wheel will wear out and spin freely after 3 months, the buttons will wobble, you’ll get a month of battery life instead of 6 and you might as well have cables for all the wireless range you’ll get.

Logitech wireless gear comes with Duracell batteries; offbrand keyboards come with offbrand cells. The difference there is more than symbolic. (Medion is a grey area.)

And don’t even get me started on Bluetooth. If the biggest word written on it isn’t a brandname, don’t buy it.

Paying a little more for something a whole lot better carries on up to full computers, too. If you’re strapped for cash, a $600 laptop will do; it’ll have an LCD widescreen, a 120GB hard drive, maybe a gig of memory, and these days wireless networking no matter what. It’ll have a Turion or maybe a Celeron, which are perfectly good CPUs if you don’t particularly know what a CPU is. You might even snag it with a two year warranty in a good deal, so the machine itself should be running for a while.

Warranty just isn’t what it used to be, though. It used to mean that the manufacturer warrants it’ll be free of defects for a period of time; nowadays it just means they’re obligated to give you a new or fixed one when it breaks over and over until the 12 months are up.

And there’s no substitute for buying something better in the first place.

Another one or two hundred bucks will ideally net you a Centrino notebook, which means Intel provided the CPU, graphics and main chipset. Generally this means you’ll get a machine that’ll run on batteries for probably 3-5 hours straight, connect to wireless networks with the least amount of pain, won’t melt your testicles off, and won’t be unspeakable agony to find drivers for 4 years down the track when you format it and hand it to your nephew to play with for school.

To be fair, I did buy my Dell Centrino with two batteries, and Intel’s 855 graphics chip was a bit underwhelming. That said, it’s now approaching its third birthday, still runs under its own steam for five or six hours off a full charge, and it’s still utterly silent if I’m not playing Halo on it.

Just try and tell me your 3 year old Acer does that.

insert score here are missing

Thursday, May 1st, 2008

Umm… no?