Monday, April 2, 2012

Bing reflection

In case you missed it, the Bing home page had an interesting effect today: a reflection of the logo and search box on the water in the animated background image - and the reflections were waving with the water waves...


video

Bing used animated backgrounds before, but I think this is something new. I'm not sure if this was some sort of April Fools' joke or a new trend in Bing homepages, but I liked the idea.

Saturday, March 31, 2012

Pwned

 

Today I had my system infected with a trojan. I don’t even remember the last time I had one… The worst part of it – I didn’t get it by visiting dubious sites (pr0n, warez), but from a news site (http://news.com). Most likely the malware was masquerading as an ad and exploited some unpatched hole in Adobe Flash (caveat!) as the site is full of Flash advertisements and had problems in the past, too.

I was browsing the news and suddenly the browser disappeared (crashed). I restarted it thanking Adobe and thinking nothing more of it. Soon after that, problems appeared.

The first red flag was an elevated prompt from Windows 7, asking for permission to run ‘SoftwareUpdate.exe’. Since I was not installing anything, I canceled it. Yet the prompt came again, and again, and again. From the dialog’s details, the program was "c:\Users\alinc\AppData\Local\temp\SoftwareUpdates.exe", so I renamed the executable to an *.exe_ extension, and canceled the prompt again. This time I got error messages that updates can’t be installed, so I set out to investigate who was displaying it. To my surprise, I could not launch Task Manager (taskmgr.exe) nor Sysinternals’ Process Explorer (procexp.exe). As soon as the programs were started, they were closed automatically... It was clear now I was infected.

I logged off and switched users, logging in with a different local Administrator account. Problems occurred here as well; I still could not launch ProcExp. Soon I started to get tons of error messages “A Write command during the test failed to complete”, culminating with a “System error, hard disk failure detected”. All the icons on the desktop disappeared, leaving only one “Smart_Hdd” shortcut.

Screenshot2

I opened a command prompt and started to see problems here as well - folders and files disappeared from ‘dir’ commands. I renamed procexp.exe to something else (alin.exe) and this way I was able to launch it without it being closed anymore. At a glance you can see that Process Explorer highlighted in gray 2 suspect programs (C:\ProgramData\rmIhrYfwFjUdy.exe and C:\ProgramData\QFUDzzwTiL1aQy.exe): they had weird names, were launched from ProgramData, and had no Description or CompanyName.

screenshot1

Even more worrying, rmIhrYfwFjUdy.exe had launched a recursive “attrib.exe /s +h \*.*” (not shown, I killed it immediately) – this was hiding all the files and folders on my computer! I believe all this was a scamming scheme to convince me into buying some “cleanup program” that would fix the “hard drive failures” “detected” and reported in the previous messages.

I tried to stop/kill the malicious programs by pressing Delete, but those were protecting each other – as soon as one was killed, the other one was immediately starting it up again. The solution is to right-click them and use the “Suspend” command. Suspend both, then you’ll be able to kill them without them coming back. Now I could move the binaries out of the way for my collection and investigate further.

I ran another Sysinternals/Microsoft tool, Autoruns. This indicated rmIhrYfwFjUdy.exe was launched at logon time via a registry value written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I deleted that as well.
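A scripted version of the same triage, as an added example that is not from the original post: it lists Run-key autostart entries and flags those showing the traits noted above (launched straight from ProgramData or Temp, no Description or CompanyName). The HKCU key, the choice of suspect folders and the Authenticode check are assumptions added for illustration.

```powershell
# Added example: review Run-key autostart entries for the traits the post describes.
# Read-only: it reports findings and deletes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key named in the post
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # assumption: per-user twin
)
# Assumption: an autostart binary sitting directly in these folders deserves a look.
$suspectDirs = @($env:ProgramData, $env:TEMP) | ForEach-Object { $_.TrimEnd('\') }

foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }

    foreach ($valueName in $item.GetValueNames()) {
        $command = [string]$item.GetValue($valueName)
        # Extract the executable path from the command line, quoted or not.
        if ($command -notmatch '^\s*"?([^"]+?\.exe)') { continue }
        $exe = $Matches[1]
        $reasons = @()

        if ($suspectDirs -contains (Split-Path -Path $exe -Parent)) {
            $reasons += 'launched directly from ProgramData or Temp'
        }
        if (Test-Path -LiteralPath $exe) {
            # -Force so files that were marked hidden are still inspected.
            $info = (Get-Item -LiteralPath $exe -Force).VersionInfo
            if (-not $info.FileDescription -and -not $info.CompanyName) {
                $reasons += 'no Description or CompanyName'
            }
            $signature = Get-AuthenticodeSignature -FilePath $exe
            if ($signature.Status -ne 'Valid') {
                $reasons += "Authenticode status: $($signature.Status)"
            }
        } else {
            $reasons += 'target file is missing'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Key = $key; Value = $valueName; Path = $exe; Why = $reasons -join '; ' }
        }
    }
}
```

An unsigned binary on its own is a weak signal, since plenty of legitimate software is unsigned; entries that combine it with the location and missing-metadata reasons are the ones to examine first.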

I updated Microsoft Security Essentials to the latest definitions, and I started a scan. With the latest definitions, it flagged two of the binaries as malware. QFUDzzwTiL1aQy was recognized as Win32/Bumat!rts, and SoftwareUpdate was recognized as Win32/Tibs!IT. The 3rd program was not recognized, so I used Microsoft’s Virus Submission Sample Page to submit rmIhrYfwFjUdy.exe for further analysis.

The trojan left more traces on my computer:

- The "Smart HDD" shortcut on desktop pointing to QFUDzzwTiL1aQy.

- A “Smart HDD” program group with 2 entries, one masquerading as an “Uninstall” program, but pointing to the same malware.

- Most folders and files were hidden. I had to run a recursive ‘attrib -h’ of my own to reset attributes.

- The StartMenu and Taskbar settings were all changed. All the icons in start menus were hidden, the taskbar was set with Vista-like settings (program buttons with texts, no grouping, system tray showing all icons, etc). I had to go to Properties and explicitly set or reset all to defaults.

Startmenu

- All icons under “Administrative Tools” were deleted. In fact, the whole “C:\ProgramData\Microsoft\Windows\Start Menu” folder was cleaned of all files.

AdminTools

- The “C:\Users\All Users” folder is also gone. There may be other effects I haven’t found yet…

Basically I’ve lost all the shortcuts/icons of all installed programs, but I’m still pleased I caught it in time before it caused more damage - the situation could have been much worse…

In any case, this was one more win for Sysinternals tools.

Thursday, September 29, 2011

Have a Windows Phone 7? Here’s how to force a Mango update

Microsoft has released Windows Phone 7.5 Mango, and carriers have already started rolling out the update for most models (see list of phones for which Mango update is already rolling). Unfortunately, this roll-out is gradual and it may take weeks until the carrier provider notifies you to install it.

But, via FnPsychopath’s post in the above mentioned article, there is a way to force the Mango update on phones for which Mango has started rolling out:

1. Connect your Windows Phone to a PC and launch the Zune software
2. Click on Phone > Settings > Update. Allow the software to tell you whether an update is available. If so, skip this guide. If not continue to the next step.
3. Time to force the update. Click another button (any of the options above or below the word Update). Then click the Update button again, and this time disconnect your computer from the internet after 1-2 seconds. Do this by pulling out the Ethernet cable, disabling Wi-Fi, etc. If it says your phone is already up to date, you didn't disconnect quickly enough and need to try this step again.
4. Wait 30 seconds or so and Zune should display a notification that an update is available. This is 7392, the first Mango pre-update.
5. Now reconnect to the internet and continue with the update process through the Zune software.
6. After 7392 is fully installed, you may receive a notification that another update is available. If so, install it now. If not, proceed to the next step.
7. If the second update isn't popping up on its own, repeat steps 3-5, causing the 7403 update to appear.
8. Install 7403, brave reader. Speeding right along, isn't it? ;)
9. Mango time! At this point, Zune should automatically start installing the last update, 7720, aka Mango. If it doesn't happen automatically, force it like we did in previous steps.

Nice hack! It worked for me exactly as described. I’m not sure if this is a bug in Zune software or an intentional feature/workaround, but it sure is handy!

Thursday, August 25, 2011

<Strings> Element in VSCT files – ButtonText, CommandName, CanonicalName, MenuText, oh my!

 

If you have ever added a Button definition in VSCT files for Visual Studio menus, you may have wondered what all the ButtonText, MenuText, CommandName, etc. elements associated with the button are for.

When you create a new Visual Studio Extensibility project and tell it to create a menu item, accepting the default values, the result is a generated vsct file containing code like this:

      <Button guid="guidVSPackage1CmdSet" id="cmdidMyCommand" priority="0x0100" type="Button">
        <Parent guid="guidVSPackage1CmdSet" id="MyMenuGroup" />
        <Icon guid="guidImages" id="bmpPic1" />
        <Strings>
          <CommandName>cmdidMyCommand</CommandName>
          <ButtonText>My Command name</ButtonText>
        </Strings>
      </Button>


I’ll tell you upfront that it’s advisable to change the format of the <CommandName> element – the project template generator gets the format of this value wrong.



So, where do these values appear in the UI? There is an MSDN article describing the Strings Element, but it is a bit confusing, and as of writing this article, it contains a couple of mistakes.



To better exemplify where all these elements appear, let’s start by defining a Button command with each child element specified, like so:



VSCT





Now let’s build the project and see where these strings appear in Visual Studio.



Let’s start with ButtonText. This is a mandatory string, and, if any other strings are omitted, this string will be used to generate the other optional values. This means this string can appear in all places 



As the MSDN page describes, ButtonText is used in UI when the button is placed in a menu controller (such as the dropdown menu of the NewProject button):



MenuControllers



However, the same ButtonText string is used when the button is placed:



- in the Visual Studio’s Main Menu



- in a toolbar (e.g. in the Standard toolbar)



MenuToolbars



In the same picture, notice also that when the button is placed in a menu (e.g. under the File menu), a different string is used – this time MenuText is used.



A button can easily be added to other menus and toolbars through the Tools/Customize dialog. However, the dialog can be a bit confusing because it displays a different string. Neither ButtonText nor MenuText appears in this dialog, even though it mimics the look of menus and toolbars. Here, the Controls list uses the CommandName string.



Customize



The CommandName also appears in the Add Command dialog that can be invoked from the Customize dialog, in the Commands list.



CustomizeAdd



Now you may see why it’s recommended to change the format of the CommandName generated by the project wizard. It may be hard for users to figure out that cmdidMyCommand is related to what they usually see in the UI for that command, which is more like “Command Name”. Use a descriptive string for your command names, with spaces and no funky “cmdid” prefixes. Or simply don’t define this string at all, and let the shell display the ButtonText string instead – this is probably what you’ll want in most cases.







The MSDN article indicates CommandName is also used in the Tools/Options dialog in the Keyboard page. This is incorrect. The Keyboard dialog displays the LocCanonicalName string (or, in its absence, the ButtonText string), after stripping unwanted characters such as spaces, ellipses, ampersands, etc.



Keyboard



The LocCanonicalName string is also displayed in the Command tool window, in the Intellisense/autocomplete popups.



CommandWindow



Again, the MSDN page is a bit misleading here, as it seems to suggest that the CanonicalName string appears in the Command Window (after being stripped of ampersands, spaces, etc).



While the autocomplete popup only displays the LocCanonicalName string, both CanonicalName and LocCanonicalName can be used for command execution, but you have to type the canonical name string. Notice that execution succeeded no matter which of these strings was typed, whereas trying to execute a nonexistent command displayed an error message.



CommandWindow2



Again, if one of these strings (or both) is omitted from the button’s definition, the ButtonText is used instead to generate a canonical name for command execution and/or the autocomplete popup.



And finally, the ToolTipText string is used for the button’s tooltip, when the button is placed:



- in the Visual Studio’s main menu, as a top-level button



- in a toolbar (in this case the keyboard shortcut, if any, is also displayed in the tooltip)



The tooltip is not displayed when the button is placed as a menu item (e.g. in the File menu) as the MSDN page indicates.



TooltipText

Wednesday, July 20, 2011

Facebook scams and removing Facebook posts

 

Facebook scams are proliferating lately, and I just got tricked by one of them, too :-(
It starts with a friend sharing a link like "Crazy girl must be nuts but also a damn smart for mak1ng this video". If you click it and follow the "age verification" prompts that follow you'll only help the malware spread - as it will add without your knowledge an identical post to your wall.
The Jaa button in the “age verifications” prompts is not the German word for Yes, but the Finnish word for Share :-)
So, if you see such posts, don't follow the links!

Graham Cluley, security analyst at Sophos Antivirus, gives a better description of similar malware on his blog:
http://nakedsecurity.sophos.com/2011/07/12/a-spider-under-the-skin-its-a-facebook-survey-scam/

If you made the mistake of following the link, and now you have an unwanted post on your wall, here is how to delete the post from the Facebook page: Hover over the post on your wall. A blue X button will appear to the right of the message. Use the button

image

Click the button to open a context menu and choose to Report it – it will remove it and report it as malware. The same removal X button can be accessed from the post’s thread page (that you can access by clicking the link with the timestamp of the post, highlighted above).

image

Monday, July 18, 2011

“Visual Studio was my idea”

 

Not mine, but yours. Well, it’s not entirely true, but you get the idea. If you have suggestions for improving the next versions of Visual Studio, you can make your voice heard by posting or voting on existing posts at  http://visualstudio.uservoice.com

Tuesday, July 12, 2011

Samsung Focus not charging

 

Today I ran into a hardware bug with my Samsung Focus – no matter how long I kept the phone plugged in, it showed the same battery level, somewhere at 30%. I reset the phone, but instead of fixing the problem, it made it worse - now the battery level was shown at 0%, and again, keeping the phone plugged in had no effect. The phone was simply not charging. Now every time I unplugged the phone, it displayed notifications that the battery level was too low and I should plug it back in.

I searched the net and I found that other users had similar problems, and the “fix” was to return the phone to the carrier provider for a refund/exchange. Ugh.

Then I found another user who fixed his phone by resetting the phone in diagnostics mode. Fortunately his solution worked for me, too. Here it is:

  • Start the phone application and show the keyboard
  • Type ##634# - this enters the phone diagnostics mode
  • Type *#2*# - this displays the battery information. All the numbers on the first page in the (MV) section were shown as 0% or 0mV.
  • Now reset the phone (by holding down the power button until the phone turns off, then pressing it again to turn the phone back on)

After reset, the battery level started showing 100% (it was about time, after being kept so long plugged in), and re-entering the battery information diagnostics page seemed to agree – now it was showing non-null numbers, all good.

FocusPowerDisplay

You can find more interesting diagnostics codes about Samsung Focus on XDA-Developers forum page.