Windows Vista Wallpapers
Here is a great post from Digital Inspiration chock full of Windows Vista wallpapers. You can download the wallpapers by right-clicking the images and clicking Save As. These would also be good to give you a Windows Vista feel on XP until you get it installed.
Categories: Windows Vista Tags:
New Tool: Process Monitor from Microsoft
The folks from SysInternals, recently bought out by Microsoft, have released a new tool called Process Monitor that is written from the ground up to be a better alternative to Filemon and Regmon.
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista. Source: Microsoft Technet via f-secure
Looks pretty cool, will definitely play with it more on the next system that I have to clean. Here are some of the enhancements over Filemon and Regmon.
- Monitoring of process and thread startup and exit, including exit status codes
- Monitoring of image (DLL and kernel-mode device driver) loads
- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- Process tree tool shows relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn’t fit in the columns
Video of the Grey Goo Worm on Second Life
Here is a video of the Grey Goo worm that was attacking Second Life recently.
Categories: Second Life, Security, Virus Info Tags:
Zune Review from Cnet
Cnet.co.uk has a review up for the 30Gb Zune, here, and it seems similar to most other reviews I have read. They like it, wish you could do more wireless stuff with it, like the FM radio, wish you could use it as a USB drive, and they think it’s a good start.
We like:
Very good playback performance of audio, video and photos; intuitive and colorful interface; good FM radio with RDS; works well with Zune Marketplace software; integrated wireless allows sharing of songs (although limited) and photos; many accessories available at launch
We don’t like:
Not backwards-compatible with WMA-DRM9; weak native video support (it cannot play protected content) and no video offerings from Zune Marketplace; cannot be used as a hard drive (and no UMS support); proprietary USB; cannot use Wi-Fi to sync, stream or purchase content; minimal bundled accessories; no podcast directory; maximum capacity is 30GB
CNET.co.uk judgement:
The Microsoft Zune, with its intuitive interface and solid playback performance, will please most users. But lukewarm format support and the cool but limited Wi-Fi capability will have advanced users seeking more. The Zune is a very good start, though. Source: Cnet.co.uk
Full review is here.
Categories: Reviews Tags: Microsoft, Wi-Fi, Zune, Zune Review
SuperCodec.com
If you ever get infected by Supercodec.com, the software I found to remove it was Prevx from www.prevx.com. Neither Ewido, Spybot nor Ad-Aware would get it. And remember, lots of codec sites are not safe: before downloading a codec from anywhere, search for the domain name in Google and see if the name turns up on any lists.
From the front page of Prevx.com, it says it is removing the following files that the other spyware and malware programs are not.
Common files that have been recently bypassing many security products:
Latest Malware Entities:
Worm Warezov GenMalware Trojan FIFAWin32 Rootkit GenTrojan Windir SXSTrojan MedCodecTrojan WinTasksTrojan MSSecure32Trojan SoftCodecTrojan VideosCodecTrojan LineageTrojan BancosTrojan DropperBackdoor HupigonBackdoor GreybirdTrojan PVieverTrojan DssConfTrojan IMCodecTrojan XpassGenTrojan Update-KBSpyware AntispySoldier
Categories: Malware, Security, Spyware Info Tags:
Windows Vista and ReadyBoost
One of the new features in Windows Vista that I really want to take a look at is the Windows ReadyBoost, which allows you to use thumb drives, or jump drives, enter your favorite USB drive term here, to speed up Windows Vista. So, if you have a system that doesn’t have as much memory as you like, or as much as Vista wants, you can plug in your USB drive and Vista will use it as virtual memory, that is not quite as fast as system memory, but quite a bit faster than accessing the swap file on the hard drive. This one commenter said he has a 4gig USB drive and is thinking about just leaving it plugged in his computer, since it speeds it up so much.
If there is one thing that can really help applications on Windows Vista run better, it’s memory. When comparing the performance of Windows XP and Windows Vista on a PC with 1 GB of main memory, Windows Vista is generally comparable to Windows XP or faster. However, we also know that in some cases, on PCs with 512 MB of main memory, applications on Windows XP may seem more responsive. Why? Mostly because the features in Windows Vista use a bit more memory to do the things that make it so cool, like indexing your data, keeping the fancier AERO UI running using the desktop window manager (DWM), etc. The less memory in your machine, the more often the OS must randomly access the disk. This slows system performance in cases where your applications just barely fit in memory on Windows XP but not quite in Windows Vista.
While I fully expect the generation of PCs that ship with Windows Vista to include more memory, we also know that many existing PCs have 512 MB. While memory has gotten much less expensive, many (non-geek) people I know are just not comfortable opening up their PC and installing more memory. While there are some great PC shops that will do this for you, a lot of people may not want to bother. Well with Windows ReadyBoost, if you have a flash drive (like a USB thumb drive or an SD card) you can just use this to make your computer run better with Windows Vista. You simply plug in a flash drive and Windows Vista will use Windows ReadyBoost to utilize the flash memory to improve performance.
So, if you just want your PC to run faster with Windows Vista — it’s pretty simple — connect your flash drive through any USB 2.0 socket or PCI interface and when the auto play interface comes up, choose “Speed up my system using ReadyBoost.” You need to have at least 230 MB free on the flash drive and some flash disks are not fast enough to support Windows ReadyBoost, although you’ll be told if that’s the case. Source: Windows Vista Team Blog
What would be cool is if system manufacturers actually included some USB drives with their systems; you can get a 1gig drive for less than $50 nowadays. They noted that if you remove the USB drive, it won’t affect your system, because it is using files on the USB drive that are also on the hard drive; you will just lose the performance gains. The data on the drive is also encrypted, so you don’t have to worry too much about losing the drive. He also noted that Windows Vista will learn what you do most often and will try to optimize your system for that as well.
Windows Readyboost FAQ is here and some good shots of the install screens are here.
Categories: Software, Windows Vista Tags: Aero, USB, Windows Readyboost, Windows Vista
Another Wii Review
The other day I quoted a Wii review from Foxnews where I said I didn’t think I would like the Wiimote and having to interact that way constantly in the games. I love gaming, but I’ve become so used to the controller and smacking the buttons to simulate movement, etc, I don’t think I could get used to actually having to do the movement and have any fun. Well, Erik Sofge from slate.com kinda agrees, but not for the same reasons. He says the Wiimote is too generic, meaning they had to set it up so everyone could use it and play, but in doing so, may have “dumbed” it down too much.
I’ll admit it - I was in love with the Nintendo Wii long before we’d ever met. And then, a few seconds after I touched those strange, new motion-sensing controllers, months of giddy anticipation vanished. I’ve played and won 14-hour-long Halo tournaments. I was a bird-slaughtering Duck Hunt master back when Times Square still had arcades. But the Wii, which is being marketed as the ideal system for newbies, made me feel like an incompetent novice. I don’t blame myself. The ugly truth is that the Wii’s already-legendary motion-detection system doesn’t work very well.
The new Nintendo’s flaws make me question who the Wii’s audience will be. Kids don’t want embarrassingly easy games. Casual gamers of any age will bail out the first time their crosshairs go AWOL. And hardcore gamers like me aren’t going to bother with a magic wand that makes us less efficient at killing aliens. For a console that wants to start a revolution, making users doubt their reflexes is a serious design flaw. By playing fast and loose with motion detection, the Wii swings wildly between deal-breaking frustration and hollow victories. Ultimately, it never achieves the level of difficulty that every console should aspire to: a good, fair challenge. Source: slate.com
But that’s just his opinion, and mine you can’t count on yet, because I haven’t even seen one, let alone tried it; I’m just assuming what I will think about it. I guess I’ll have to wander through the mall and check one out, maybe get a quick idea. I don’t want people to think I’m slamming it yet, but I just don’t think I will like it. But, I’ve been wrong before.
Categories: Reviews, Video Games, Wii Tags:
Grey Goo Slimes Second Life
Second Life is back in the news again, and no, it’s not good either. A worm, dubbed grey goo has attacked the virtual world leaving spinning gold rings around the world, and once users started interacting with them, the servers started slowing down.
Virtual world Second Life had to close its doors for a short time on Sunday after a worm attack called grey goo.
The self-replicating worm planted spinning gold rings around the virtual world, which is inhabited by more than a million users. Source: BBC
Second Life became popular, and then the advertising guys started going nuts for it, seeing it as a way to add to their bottom line from within the virtual world, Dell has actually made announcements from there, as well as others. Second Life is said to have a population of about 1.5 million and is growing by 38% every month, but the article notes that the game starts slowing down and becomes unusable when only 15,000 users are logged on, which is only about 1 one hundredth of one percent. Wow. So, 15,000 people are responsible for the big amounts of money being spent everyday, or do they take turns logging in?
One user quoted in the article said she was quitting and would no longer be paying for the service, as she said she hasn’t been able to use it for almost a month. She said maybe you can fool new people, but you can’t fool the people who have been here any length of time.
Users were also unhappy about the copybot, that was recently being used to copy stuff from the game without paying for it, but Linden Labs said they would be releasing tools in the first quarter of 2007 to help users protect their virtual assets. If more problems erupt, it could be too late by then.
If you are interested in Second Life, then you should check out Second Life Videos for some great movies in and about Second Life.
Categories: Second Life, Social Networks, Video Games Tags: copybot, grey goo, Second Life, Second Life Videos, virtual world
Office Genuine Advantage Lockdowns
When originally asked if they were going to use Office Genuine Advantage to cripple users’ PCs, like they are doing with Vista, Microsoft declined to comment. Well, the cat is out, and they are indeed going to force the reduced functionality on users who are suspected of running pirated software. I say suspected because they have had many, many problems and issues with Windows Genuine Advantage, as I originally noted here.
A knowledge base article, released on the 14th of November, Frequently asked questions about the Office Activation Wizard and about reduced-functionality mode in 2007 Office programs addresses this and reveals that they are indeed using reduced functionality mode. For perpetual license products, you can skip product activation 25 times. If you do not activate the product in the allocated number of program starts, the 2007 Office programs start to run in reduced-functionality mode, for Product Trial Program license products they start off running in reduced functionality mode.
When asked last month whether Microsoft was planning to punish alleged Office 2007 pirates by crippling the functionality of their software in the same way that Microsoft is doing with Vista via reduced-functionality mode, Microsoft officials were noncommittal.
But now Microsoft’s intentions are clear: Just as it is doing with Vista, Microsoft plans to incorporate what basically amounts to a “kill switch” into Office 2007. Office 2007 users who can’t or won’t pass activation muster within a set time period will be moved into “reduced-functionality mode,” according to Microsoft’s Knowledge Base article.
“When a program runs in reduced-functionality mode, many commands are unavailable (dimmed). Therefore, you cannot access those functionalities,” the article explains. Some of the limitations of reduced-functionality mode include the following:
- You cannot create new documents.
- You can view existing documents. However, you cannot edit them.
- You can print documents. However you cannot save them.”
There is already a crapload of comments on that blog post, so I assume the Microsoft haters have jumped in and the fun has commenced, but I don’t know that for sure; there could actually be some good comments there. I wonder if the reason they waited until now to announce was because of all of the trouble Windows Genuine Advantage has caused?
Categories: OGA, Office News, WGA Tags: Microsoft, Office Genuine Advantage, OGA, Windows Genuine Advantage
Zango Still Not Compliant and FTC Shuts ERG Ventures Down
Thought I would do a wrap-up of today’s spyware and adware stories, combine all of these slack jaws in one post of kicking their ass goodness. Ben Edelman posted his findings on Zango today, and surprise, surprise, Zango is still not compliant with the FTC requirements of the settlement. But who really thought they would be? I mean, the business model is eventually going to go away. If merchants who advertise through spyware or adware would actually start to care about their customers, and affiliates who actually force this stuff on users’ computers would get cut off by Google and other search engines, like normal webmasters do all the time, the money would dry up and they would blow away.
Ben and Eric Howes did all the testing this month, so this is not old stuff, this is stuff they found in about ten hours of work, something any merchant or official could find by just surfing some of these sites. Things like not having proper disclosure, or showing the disclosure after installation, or no disclosure whatsoever, legacy programs without the proper installation or un-installation tools, deceptive practices leading to installs and unlabeled advertising, all of which violate the terms of the settlement with the FTC.
More broadly, we believe intensive ongoing monitoring will be required to assure that Zango actually complies with the settlement. We have spent 3+ years following Zango’s repeated promises of “reform,” and we have first-hand experience with the wide variety of techniques Zango and its partners have used to place software onto users’ PCs. Testing these methods requires more than black-letter contracts and agreements; it requires hands-on testing of actual infected PCs and the scores of diverse infection mechanisms Zango’s partners devise. To assure that Zango actually complies with the agreement, we think the FTC will need to allocate its investigatory resources accordingly. We’ve spent approximately roughly 10 hours on the investigations leading to the results above, and we’ve uncovered these examples as well as various others. With dozens or hundreds of hours, we think we could find many more surviving Zango installations in violation of the proposed settlement’s requirements. We think the FTC ought to find these installations, or require that Zango do so, and then ought to see that the associated files are entirely removed from the web. Source: Ben Edelman
Zango doesn’t care, I believe everything they do is just to delay the inevitable and to soak up more money while they still can, if the fines imposed in the future are anything like this last one, then they will have plenty of money left to retire on I am sure, or to start some other shady means of making money. Nothing they say comes true, as far as I have seen, in their reply to the settlement they have said they have been compliant since January 1, 2006, which, as you can see from this article is not true at all. The FTC needs to take a look for themselves, it’s out there and is sure easy to find.
Speaking of the FTC, they announced last week that a U.S. district court has shut down a Web operation that is accused of secretly loading spyware and other malevolent software onto millions of computers after promising users free screen savers and video files. Now where have we heard of this before?
The FTC accused ERG Ventures and an affiliate of tricking consumers into downloading a piece of spyware called Media Motor, which installs itself and downloads other malware.
The malware was difficult for consumers to remove, the FTC said. The malware installed by Media Motor:
- Changed consumers’ home pages
- Added difficult-to-remove toolbars that display disruptive pop-up ads in consumers’ Internet browsers
- Tracked Internet activity
- Generated disruptive pop-up ads that were occasionally sexually explicit
- Added advertising icons to consumers’ Windows desktop
- Degraded computer performance
- Disabled antispyware and antivirus software
Source: PC World
The complaint names ERG Ventures, doing business as ERG Ventures LLC2, Media Motor, Joysticksavers.com, and PrivateinPublic.com, and its principal operators, Elliott S. Cameron, Robert A. Davidson II, and Gary E. Hill, as well as Taylor. They ask that anyone who has had any experience with them email them at mediamotor@ftc.gov.
So, looks like it’s going to be another good day for the good guys.
This has also been posted at RealTechNews.com, Spyware Confidential and Faill.com
Categories: Adware, Malware, Security, Spyware Info, Zango Tags: