Scott Hanselman

Tracking down a Trojan

April 08, 2006 | Posted in Musings | 7 comments

I'm not even a tenth as clever as Mark Russinovich in tracking these things down, but I got to play IT department a bit today. You're probably the IT department for your family as well. When Uncle Frank gets a virus, he calls you. In this case, I was called upon to track down a virus.

With all due respect to Russia, there are very few things that regular folks need to be visiting in a .ru domain. In this case it was SMTP traffic, and there's ZERO reason anyone should be sending mail in this way.

He had run all sorts of anti-virus, anti-spyware, and anti-malware applications and none of them found anything. A cursory glance for funky .exe's in Task Manager showed nothing obvious.

I showed up and suggested we download the three horsemen: TCPView, Autoruns, and ProcessExplorer.

The first step was to find out which process was talking to the Russian sites. TCPView to the rescue. We can see from the first screenshot that the port is being opened by winlogon.exe, the Windows NT logon process - certainly a legitimate executable.

[Screenshot: TCPView, with the connection to the .ru host owned by winlogon.exe]

There must be an evil DLL loaded inside winlogon.exe. Next stop, Process Explorer.

[Screenshot: Process Explorer, DLL view of winlogon.exe] I looked at winlogon.exe in Process Explorer and changed the Lower Pane View to show DLLs. Then I sorted by Company Name, because it never seems that evil software writers are clever enough to include a Company Name, does it?

That hywklcsj.dll looks a smidge suspicious, no? It smells auto-generated to me, and the fact that there are no Google results for it confirmed it.

[Screenshot: Autoruns] Now, Autoruns. Note the now-missing ddcyv DLL. Perhaps that was the bootstrapper that started this whole thing, but by now it's run away.

[Screenshot: Autoruns, Browser Helper Objects] The Browser Helper Object (BHO) section of Autoruns shows that this trojan also hooks into IE and probably pops up porno ads while surfing.

After cleaning all this crap up and restarting, we're clean. No funky DLLs get loaded by explorer or winlogon, and no suspicious traffic tries to get out of the computer.
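The same three checks, scripted so they can be re-run after the cleanup. This is an added example, not code from the post: it uses PowerShell's Get-NetTCPConnection and Get-Process in place of TCPView and Process Explorer, so it needs an elevated prompt on Windows 8 / Server 2012 or later (reading winlogon.exe's module list requires elevation too). The watched process names and the "looks off" heuristics (empty Company Name, no valid Authenticode signature, file outside %SystemRoot%) are my assumptions, chosen to mirror what the post sorted and eyeballed by hand.

```powershell
# Added example (not from the original post): re-check which process owns each
# outbound connection, what the watched processes have loaded, and which of those
# modules deserve a second look. Run elevated on Windows 8 / Server 2012 or later.

$watched = @('winlogon', 'explorer')   # assumption: the two hosts the post found the DLL inside

function Get-OutboundOwner {
    # Every established TCP connection to a non-local address, with its owning process
    # (the TCPView step).
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            [pscustomobject]@{
                Process   = $name
                ProcessId = $_.OwningProcess
                Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            }
        }
}

function Get-ModuleConcern {
    # Reasons a loaded module deserves a look: no Company Name (the post's sort key),
    # no valid Authenticode signature, or a file living outside %SystemRoot%.
    param([System.Diagnostics.ProcessModule]$Module)
    $reasons = @()
    $company = $Module.FileVersionInfo.CompanyName
    if ([string]::IsNullOrWhiteSpace($company)) { $reasons += 'no CompanyName' }
    $sig = Get-AuthenticodeSignature -FilePath $Module.FileName -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($Module.FileName -notlike "$env:SystemRoot\*") { $reasons += 'outside %SystemRoot%' }
    return ,$reasons
}

# 1. Who is talking to the outside world?
Get-OutboundOwner | Sort-Object Process | Format-Table -AutoSize

# 2. What have the watched processes loaded, and what looks off? (the Process Explorer step)
foreach ($name in $watched) {
    foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        foreach ($m in $proc.Modules) {
            $why = Get-ModuleConcern -Module $m
            if ($why.Count -gt 0) {
                '{0} (PID {1}): {2}  <- {3}' -f $proc.ProcessName, $proc.Id, $m.FileName, ($why -join ', ')
            }
        }
    }
}
```

Treat the output as a shortlist, not a verdict: many legitimate Windows DLLs are catalog-signed rather than embedded-signed, so on older Windows versions Get-AuthenticodeSignature reports them as NotSigned, and the "outside %SystemRoot%" test will flag any third-party shell extension explorer.exe has loaded. The value is the same as in the post: a short list of files to look up, rather than a page of modules to scroll through.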

I'm sure this Trojan has a name, but I couldn't figure out what Google terms to use to find out which version it is. I suspect a Trojan.Vundo variant, but this one doesn't quite fit the profile.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Hosting By
Hosted on Linux using .NET in an Azure App Service

Mapping a CVS user to a real user (SSPI to PSERVER)

April 08, 2006 | Posted in Subversion | 0 comments

I recently moved a machine from our MAIN domain to a LAB domain (another domain, behind a hardened firewall, for R&D and crazy stuff).

We use Subversion for most of our source control, but a lot of legacy stuff is still in CVS and uses SSPI (the Security Support Provider Interface, which enables NTLM authentication for CVS). So, when I do an update from Tortoise, it automatically sends my Windows user details over and authenticates me against the domain.

However, now I'd moved the machine and it was in another domain. The LAB domain is fairly hardened and doesn't have a way for a MAIN domain user to log in. Consequently, updating CVS via SSPI is/was a problem.

I wrote a lame little batch file that's used like this:

addcvsuser.bat MYREPO labcvsuser

It looks like this:

REM addcvsuser.bat REPOSITORY NEWUSERNAME
REM Both arguments are required.
IF "%1"=="" GOTO USAGE
IF "%2"=="" GOTO USAGE
REM Point CVSROOT at the repository (%1) over SSPI, i.e. as the admin's own Windows login.
SET CVSROOT=:sspi:MYCVSSERVERNAME:/%1
REM -a adds user %2 to the repository's passwd file; -r maps it onto the real Windows account.
cvs passwd -a -r MAIN\somewindowsuser %2
REM Clear the temporary CVSROOT again.
SET CVSROOT=
GOTO EXIT
:USAGE
ECHO Usage: addcvsuser REPOSITORY NEWUSERNAME
:EXIT

Assuming the admin is logged in as a legitimate user, this file temporarily sets the CVSROOT environment variable to the repository you want to add a user to. The user will be added to the passwd file in that repository and won't be a real Windows user; it might be a user named labcvsuser that doesn't exist on the domain. That user is mapped to MAIN\somewindowsuser, which IS a real Windows user on the real MAIN domain.

Then, in Tortoise, I change the CVSROOT used by Tortoise to :pserver: instead of :sspi: and open up ports 2401 and 2402. Now the LAB TortoiseCVS can use a username/password combo that's not on the domain, get mapped to a domain (or local) user, and crisis averted.


IBM Laptop Wireless Adapter Turns Off Automatically Without Asking

April 08, 2006 | Posted in Musings | 8 comments

[Screenshot: IBM Software Installer] I updated all the IBM (Lenovo) ThinkPad craplets with the IBM Virus Software Installer this week. Mistake.

My wireless adapter started turning off every 3 minutes. Not losing signal, not disabling, TURNING OFF. The internal hardware would switch off.

[Screenshot: Access Connections, Global Settings] Windows was/is set up to manage the wireless connection, but it seems that IBM Access Connections (their view of networking) still influences things. Kind of a wireless "shadow government."

[Screenshot: Access Connections, Automatic Location Switching] I don't see this documented anywhere, but I figured out that you have to run Access Connections, go to Configure | Automatic Location Switching and TURN OFF "Enable automatic location switching." You also have to go to Configure | Global Settings and TURN OFF "Enable automatic wireless LAN radio control."

And all is well. Today.


Coloring Windows Folders with Custom Icons

April 08, 2006 | Posted in Musings | 5 comments

[Screenshots: colored folder icons; folder Properties dialog] Recently folks were pointing to iColorFolder, a freeware application that "lets you add some color to your folders." I think it's cool that this guy wrote an application to do this, but the functionality is built into Windows.

Just right-click on the folder you want to mess with, select Properties, then the Customize tab. Select "Change Icon" and set the folder icon.

Here's my zip file of collected folder icons.

File Attachment: foldericons.zip (113 KB)

This is what happens in the hidden Desktop.ini file when you do this:

[.ShellClassInfo]
IconFile=%SystemDrive%\icons\Snow.ico
IconIndex=0

I may be the utils guy, but if I can avoid loading something, I will. I figure this fellow's iColorFolder application just edits the Desktop.ini of the folder anyway.
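Doing the same thing from a script instead of the Properties dialog. This is an added example, not the post's code and not iColorFolder's: it writes the three Desktop.ini lines shown above and then sets the attributes Explorer requires before it will honour the file (the file Hidden+System, the folder ReadOnly), which the dialog does silently. The folder and icon paths in the usage lines are hypothetical; the IconFile value may contain %VARS% exactly as the post's example does, because Explorer expands them itself.

```powershell
# Added example (not from the original post): scripted equivalent of
# Properties > Customize > Change Icon, plus a reader to check what was written.

function Set-FolderIcon {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$IconFile,   # may use %VARS%, as the post's example does
        [int]$IconIndex = 0
    )
    $folderPath = (Resolve-Path -LiteralPath $Folder).Path
    # Expand %SystemDrive% and friends only for the existence check; the file gets the raw value.
    $iconPath = [Environment]::ExpandEnvironmentVariables($IconFile)
    if (-not (Test-Path -LiteralPath $iconPath -PathType Leaf)) {
        throw "Icon file not found: $iconPath"
    }
    $ini = Join-Path $folderPath 'desktop.ini'

    # An existing desktop.ini is Hidden+System; clear that so Set-Content may overwrite it.
    if (Test-Path -LiteralPath $ini) {
        [IO.File]::SetAttributes($ini, [IO.FileAttributes]::Normal)
    }

    # The same three lines the post shows, with the caller's values substituted.
    @('[.ShellClassInfo]', "IconFile=$IconFile", "IconIndex=$IconIndex") |
        Set-Content -LiteralPath $ini -Encoding Unicode

    # Hide the file the way Windows does, then mark the folder ReadOnly: Explorer
    # ignores desktop.ini in a folder that carries neither the ReadOnly nor the System attribute.
    [IO.File]::SetAttributes($ini, [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $dirAttrs = [IO.File]::GetAttributes($folderPath)
    [IO.File]::SetAttributes($folderPath, $dirAttrs -bor [IO.FileAttributes]::ReadOnly)
}

function Get-FolderIcon {
    # Reads the icon keys of the [.ShellClassInfo] section back out of a folder's desktop.ini.
    param([Parameter(Mandatory)][string]$Folder)
    $ini = Join-Path $Folder 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return $null }
    $section = ''
    $keys = @{}
    foreach ($line in Get-Content -LiteralPath $ini) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq '.ShellClassInfo' -and
            $line -match '^\s*(IconFile|IconIndex|IconResource)\s*=\s*(.*?)\s*$') {
            $keys[$Matches[1]] = $Matches[2]
        }
    }
    return $keys
}

# Hypothetical usage (paths are placeholders):
Set-FolderIcon -Folder 'C:\Projects\Snow' -IconFile '%SystemDrive%\icons\Snow.ico'
Get-FolderIcon -Folder 'C:\Projects\Snow'
```

Explorer caches folder icons, so an open window may need a refresh (F5) before the new icon shows. Get-FolderIcon also reports an IconResource key, the newer single-key form ("path,index") that the Properties dialog writes on later Windows versions in place of IconFile/IconIndex.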


Debugging the ASP.NET worker process running at 100%

April 06, 2006 | Posted in ASP.NET | XML | Bugs | 5 comments

[Screenshot: Process Explorer] A co-worker stopped by this week with a strange problem in one of our web applications. Sometimes I'm Chief Debugger more than Chief Architect, but I enjoy the forensics.

He found that when developing one of our web sites, the ASP.NET worker process on his machine would hang at around 100%. He'd made a few changes and couldn't check in until he figured out what was up.

[Screenshot: Process Explorer, Threads tab] I installed Process Explorer, right-clicked on the worker process and went to the Threads tab (a darned useful tab). It said that ReleaseFusionInterfaces was doing all the work. (I don't know the internals of the CLR well enough to know what it's doing. Fusion is the assembly loader, and I know what Release does. ;) I suspect that Suzanne Cook might know.) It seemed to me at this point that work WAS being done, but we were in an infinite or very long-running loop.

[Screenshot: Visual Studio after Debug | Break] We tried selecting Debug | Break from Visual Studio.NET, but the IDE became confused and dropped into the editor with the instruction pointer (represented by the selected yellow line) ending up inside an XML comment. It was totally confused.

When you open the Call Stack from the Debug | Windows menu, code that (basically) you didn't write is marked as <Non-User Code> and hidden/collapsed within the stack view, as seen in the screenshot to the right.

As with almost all things in Windows, right-click will set you free. Right-click on everything. If you right-click within the Call Stack window you can select "Show Non-User Code" and you'll see the full stack. (This is one of many places where the IDE tries to make things easier by "lying" to you. Another is the DebuggerStepThrough attribute.)

In the final screenshot, with the non-user code visible in the stack, you can see that we're stuck in RegexInterpreter.Go(). It's entirely possible to create regular expressions that will run until the Sun burns out. It may look like we're stuck in a loop, and perhaps this regex would have finished eventually, but of course it really should take just a few milliseconds.

[Screenshot: call stack showing ParseMacroString] We have a layer on top of ResourceManager.GetString() called GetStringMacro(). Some resources may reference other resources, using a custom "macro" format we developed. A resource might be "For assistance call [PhoneNumber]", where PhoneNumber is another resource that we need to resolve with another call to GetString. The regular expression pulls out the text embedded within []'s.

If you look at the last screenshot, at the first/top black line, you'll notice that the string literal being passed into ParseMacroString is missing the final ] bracket. Apparently our regular expression REALLY didn't like the lack of symmetry in this string. We'll need to fix the regex to be more robust, but for this problem, as soon as we fixed the string, everything worked and the regex executed in milliseconds again.
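What "more robust" can look like for a macro resolver of this shape. This is an added example and not the post's GetStringMacro/ParseMacroString code: the post never shows its regex, so the "fragile" pattern below is a constructed one with the nested-quantifier shape that backtracks exponentially when the closing ] is missing, and the resource table, the [Name] syntax and the function names are my assumptions. It uses the .NET Regex class from PowerShell, the same engine the worker process was spinning in, and shows the two guards the incident calls for: a pattern with nothing to re-split, and a match timeout so that a bad pattern or input fails in milliseconds instead of pinning a thread at 100%.

```powershell
# Added example (not the post's code): a GetStringMacro-style resolver that cannot
# hang on a malformed resource string, plus a demonstration of the match timeout
# catching a catastrophically backtracking pattern.

# Constructed resource table. PhoneNumber is itself a macro, Loop is a self-reference,
# and Broken is the post's string with its final ] missing.
$resources = @{
    Greeting    = 'For assistance call [PhoneNumber]'
    PhoneNumber = '[CountryCode] 555-0100'
    CountryCode = '+1'
    Loop        = 'See [Loop]'
    Broken      = 'For assistance call [PhoneNumber'
}

# Fragile shape: (\w+\s*)* gives exponentially many ways to split one word, and with
# no ] to be found the engine tries every one of them before giving up.
$fragilePattern = '\[(\w+\s*)*\]'
# Robust shape: the macro name is a single bounded character class, nothing to re-split.
$robustPattern  = '\[([A-Za-z0-9_]+)\]'

function Resolve-Macro {
    param(
        [string]$Text,
        [hashtable]$Table,
        [string]$Pattern = $robustPattern,
        [int]$Depth = 0
    )
    # Resources that reference each other in a cycle would otherwise recurse forever.
    if ($Depth -gt 8) { throw "Macro nesting deeper than 8 levels (cycle?) while resolving: $Text" }
    # Every match is bounded by a timeout; exceeding it throws RegexMatchTimeoutException.
    $rx = [regex]::new($Pattern, [System.Text.RegularExpressions.RegexOptions]::None,
                       [timespan]::FromMilliseconds(250))
    $out  = [System.Text.StringBuilder]::new()
    $last = 0
    foreach ($m in $rx.Matches($Text)) {
        [void]$out.Append($Text.Substring($last, $m.Index - $last))
        $name = $m.Groups[1].Value.Trim()
        if ($Table.ContainsKey($name)) {
            # Nested macro: resolve the referenced resource recursively.
            [void]$out.Append((Resolve-Macro -Text $Table[$name] -Table $Table -Pattern $Pattern -Depth ($Depth + 1)))
        } else {
            [void]$out.Append($m.Value)   # unknown macro is left in place
        }
        $last = $m.Index + $m.Length
    }
    [void]$out.Append($Text.Substring($last))
    return $out.ToString()
}

# Normal resolution, an unterminated macro (returned as-is), and the cycle guard.
Resolve-Macro -Text $resources.Greeting -Table $resources
Resolve-Macro -Text $resources.Broken   -Table $resources
try   { Resolve-Macro -Text $resources.Loop -Table $resources }
catch { "cycle guard: $($_.Exception.Message)" }

# The timeout doing its job: the fragile pattern against a longer unterminated macro.
$longBroken = 'For assistance call [' + ('PhoneNumber' * 4)
try {
    $rx = [regex]::new($fragilePattern, [System.Text.RegularExpressions.RegexOptions]::None,
                       [timespan]::FromMilliseconds(250))
    "fragile pattern: match = $($rx.IsMatch($longBroken))"
} catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
    "fragile pattern: timed out after $($_.Exception.MatchTimeout.TotalMilliseconds) ms"
}
```

The timeout is the belt to the pattern's braces: even with a well-behaved regex, a per-match limit turns a future "ASP.NET at 100%" into a logged exception that names the offending resource string. How long the fragile pattern takes to give up depends on the engine version; the point of the guard is that it never gets to decide.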

Now playing: Rent - Goodbye Love


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.