Areas of Interest, as counted by my cat


Oh Jeeze

Why do I do this, after I promised I would never install another piece of Microsoft software on my laptop if I could help it? I’m attempting to install the Expression Web upgrade (replaces FrontPage 2003):

Can someone please tell me why it doesn’t like OneNote? I like OneNote. I use it a lot. Please God tell me this is an error in the message string table and nothing to do with some kind of horrible incompatibility with Office 2003.

[UPDATE: It installed fine. It didn’t kill OneNote. It must be a visual error only. Probably meant to say “Microsoft Office FrontPage” or similar.]

Recovery Period

I’m currently recovering from a catastrophic hard drive failure on my main machine, my wonderful Toshiba laptop.

This is not fun, let me tell you.

A hard drive failure sounds at first like a bee is stuck somewhere inside the computer’s chassis. Then it progresses to sounding more like what you hear in your head when eating a crunchy breakfast cereal.

My advice is, back up everything when you hear the bee.

Editor’s Note, August 2020:

Correction: If you can’t hear the bee, it’s time to back up.

Hijacked

Lesson learned is worth repeating up top: Do not browse the web with IE under a user context with Administrator privileges.

I normally use Firefox 1.5 as my Internet browser, with JavaScript turned off and no Flash plug-in. However, if I find an amusing or intriguing link on Slashdot, Digg, or Reddit that is highly recommended but requires those features, I’ll use Internet Explorer to peruse the link, because the Flash plug-in and JavaScript work there. Last time I did this (yesterday) I got “hijacked”. I don’t know when it happened. All I know is that sometime later, I got a piece of yellow “toast” popping up in the system tray with a red “X” icon saying, “Windows Firewall has detected that your computer may be under attack”. Now, I don’t use Windows Firewall – it’s turned off. (Call me stupid, but that’s how it is.)

When I clicked on the “system” popup, it took me to a website for “Tesla Plus – top-rated spyware removers”. Ooookay. Doesn’t feel very “Microsoft” to me. When I launch IE again, I notice that my default home page – normally “about:blank” is now set to a fake microsofty-looking search page, with a bunch of additional links at the bottom for Viagra, home shopping, internet music – the usual spam garbage. Oh, and an official-looking link at the top for www.pcadprotector.cc which – surprise, surprise – goes to that Tesla Plus page.

The interesting thing is that it didn’t just change my browser home page preference. This thing changed where “about:blank” actually goes to!

Aiiee. Deep nasty. My browser had been “hijacked”.

After some exploring looking for traces of “pcadprotector” on the web and on my hard drive, I found many articles recommending HijackThis as a detector for browser problems of this nature. It certainly shows up all the possible ways evil programs can get into your system.

HijackThis showed that in addition to the Adobe Acrobat Reader and Java web plugins, there was another one that didn’t look familiar: c:\windows\system32\sdkec.exe. The file was dated a few days ago, which seemed odd for a resident of the windows\system32 directory. Upon viewing the contents of the application (via NOTEPAD.EXE – a rough but illuminating method) I found a reference to “pcadprotector”. Busted!

I terminated the process using Task Manager, used HijackThis to remove the extra plugin reference, and rebooted with a sigh.

Except… it didn’t fix the problem. IE’s home page was still hijacked. I ran HijackThis again, and found that there was another extra plugin that had taken the place of the first one. This one had a different application file: c:\windows\system32\d3ds32.exe. I repeated the fix process one more time to see if the pattern would repeat itself, and it did. This time: c:\windows\appuw32.exe. Clearly there was another rogue process running on my machine that was creating copies of the hijack with different file names, ensuring that it would always be launched and installed. Ergh.

After a clean reboot, I checked Task Manager again for unfamiliar processes. One was c:\windows\atlue.exe. (At least, that is what it was called on my system, at this time.) I did a Google search for “atlue.exe” and the only hits that came back were from people complaining of spyware problems, so I was pretty sure I’d found the “mother” trojan. I couldn’t terminate this process – I didn’t have permission! (I hate it when that happens.) So I used Process Explorer to examine what DLLs it relied on, and then changed the Windows ACL entry for one of the DLL files so that it couldn’t be executed. After a reboot, it wasn’t running and I was able to delete the atlue.exe file and clean up the plugin entries one final time using HijackThis.
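The triage loop above (check where IE’s home page and about:blank now point, look for autostart entries whose target binary is suspiciously new, look for running processes backed by such binaries, and block a module from loading rather than fighting a respawning process) can be scripted. The following PowerShell is an added example, not code from the original post, and it makes a few assumptions the post does not state: that the about:blank redirect lived in IE’s AboutURLs registry key, that a “recent and not Authenticode-signed” binary is the right heuristic for flagging entries like sdkec.exe, and that a Deny-Execute ACE for Everyone is an acceptable way to stop a DLL loading. The key list and the seven-day threshold are illustrative choices. Run it from an elevated prompt; the ACL helper only writes with -Apply.

```powershell
<#
  Added example (not from the original post). Mirrors the manual HijackThis /
  Process Explorer walk-through: report IE start-page and about: URL settings,
  flag autostart entries and running processes whose binaries are recent and
  unsigned, and optionally deny Execute on a file so it cannot load at boot.
  Registry key list, day threshold and the Everyone-deny ACE are assumptions.
#>
param(
    [int]$RecentDays = 7
)

# IE settings the post saw altered: home page, and where about:blank resolves.
# (AboutURLs location is an assumption; the post does not name the key.)
$ieKeys = @{
    'HKCU:\Software\Microsoft\Internet Explorer\Main'      = @('Start Page', 'Default_Page_URL', 'Search Page')
    'HKLM:\Software\Microsoft\Internet Explorer\Main'      = @('Start Page', 'Default_Page_URL', 'Search Page')
    'HKLM:\Software\Microsoft\Internet Explorer\AboutURLs' = @('blank')
}

# Autostart keys HijackThis reported as O4 entries (assumed subset).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath {
    # Pull the executable path out of a Run-key command line ("quoted" or bare).
    # Bare names such as rundll32.exe will not resolve and are simply skipped.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"' -or $CommandLine -match '^\s*(\S+)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
}

function Test-Suspicious {
    # Heuristic from the post: a binary dated a few days ago in a system
    # directory is odd. Tighten it by also requiring it to be unsigned.
    param([string]$Path, [int]$Days)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item   = Get-Item -LiteralPath $Path
    $recent = $item.LastWriteTime -gt (Get-Date).AddDays(-$Days)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    return ($recent -and $sig.Status -ne 'Valid')
}

function Block-ExecuteFile {
    # Add an explicit Deny-Execute ACE for Everyone so the module cannot be
    # loaded after the next reboot (the trick used on the trojan's DLL above).
    param([string]$Path, [switch]$Apply)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'ExecuteFile', 'Deny'
    $acl.AddAccessRule($rule)
    if ($Apply) { Set-Acl -LiteralPath $Path -AclObject $acl; "Denied execute on $Path" }
    else        { "Would deny execute on $Path (re-run with -Apply)" }
}

"== IE start page / about: URL settings =="
foreach ($key in $ieKeys.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $ieKeys[$key]) {
        $val = $props.$name
        if ($null -ne $val) {
            # about:blank should resolve to mshtml's built-in resource, not a web URL.
            $flag = if ($name -eq 'blank' -and $val -notmatch '^res://') { '  <-- HIJACKED?' } else { '' }
            "{0}\{1} = {2}{3}" -f $key, $name, $val, $flag
        }
    }
}

"== Autostart entries pointing at recent, unsigned binaries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $path = Get-TargetPath ([string]$reg.GetValue($name))
        if ($path -and (Test-Suspicious -Path $path -Days $RecentDays)) {
            "{0}\{1} -> {2}" -f $key, $name, $path
        }
    }
}

"== Running processes backed by recent, unsigned binaries =="
Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique |
    Where-Object { Test-Suspicious -Path $_.Path -Days $RecentDays } |
    ForEach-Object { "{0} (PID {1}) {2}" -f $_.Name, $_.Id, $_.Path }

# Example of the containment step, dry run. Path is a placeholder, not a real finding:
# Block-ExecuteFile -Path 'C:\Windows\System32\suspect.dll'
```

The signature check is the part that does the most work: every binary in the post’s story (sdkec.exe, d3ds32.exe, appuw32.exe, atlue.exe) would fail it, while a freshly patched but legitimate system file would not. The deny ACE is deliberately left as a dry run because denying Execute on the wrong DLL can make the system unbootable; confirm the module’s owner process with Process Explorer first, as the post did.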

Moral: Do not browse the web with Internet Explorer under a user context with Administrator privileges. A drive-by like this one gets to write into windows\system32, register its own plugin entries and respawn under new names precisely because the browser ran with rights it never needed. It’s just not safe anymore.

Editor’s Note, August 2020: We’re a long way from 2006 and although web browsing still has various associated risks, we can be thankful that OS and application security improvements over the years have made incidents like this one largely a thing of the past. Also, I use Windows Firewall enabled like any sensible netizen, and have done so since, oh, Windows 7, when it became less intrusive.

No Swap File

So thanks to a recent upgrade, I’ve slightly more than doubled the RAM in my laptop. It’s now running with 1.25 GB of RAM. So why do I still need to worry about virtual memory? Do I need a swap file?

This morning I right-clicked on My Computer and set the Windows XP virtual memory settings to “No Paging File”. Rebooted.

Now I’m defragmenting my hard drive while browsing the web and updating this web site. Nary a glitch or complaint from the operating system.

When it finally barfs (perhaps on one more wafer-thin application) I’ll let you know.


© 2024 More Than Four
