Forgot your password?
Lord of the Rings

Journal: Without

Journal by Jorj X. McKie

        Without regard for
        space and time; in memory
        heart stands yet alone

        Open heart; light of
        hope, as of life -- no word. One
        ever standing; without

                                        -- 25-30 August 2010


Go deo, a Shearc.

User Journal

Journal: First Firefox Post...

Journal by Jorj X. McKie
ForSC - Updated 20100225

With the Annoying Virus Adventure in the past, and all of our computers updated with the latest AVG antivirus, I turned to the issue of a new browser. Firefox is the first test, and I like it a lot. First thing to get installed was a mouse gestures extension, as I've become dependent. Very nice installation for extensions, and much of the UI shows better planning than IE. I'm not 100% sure about tabbed browsing yet, but it definitely is very nice in some situations.

The one thing that I miss from IE, at this point, is the image toolbar. Not only could I initiate an image save with one click, but it would also tell me how the images were laid out on the page. Anyone know if this is contemplated as a feature or implemented in an extension?

Also, I would be very interested in anyone's Firefox tips and tricks. I know a lot about the ins and outs of IE, but I'm a newbie with this browser. Thanks!

Update: Another minor irritation: IE keeps a "last saved in" setting for each type of file that is saved (or, at least, different settings for web pages and images), but Firefox does not. It looks like saving a download file, an image, and a web page all use the same "last location" setting.

Update 2: I've set Firefox to be my default browser, but when I open an internet shortcut on my desktop, it uses IE instead. However, URLRun (a program that takes the current content of the clipboard, removes spaces and line breaks, and opens it as a URL - it's very useful for long URLs that are broken between lines in e-mails) correctly uses the default browser. Double-clicking a local HTML file correctly uses the default browser. Anyone know how to correct this?

Update 3: Almost forgot to add: I'm writing this in Mozilla Moontiger. Gotta love that Firesomething!
User Journal

Journal: Geneva Convention(s) 2

Journal by Jorj X. McKie
There has been a lot of talk about the Geneva Convention recently. From a quick reading of the document (Convention III, Relative to the Treatment of Prisoners of War), it seems that most people don't know what they are talking about. This may include many of the people in government who are responsible for applying the Convention. In fact, the convention on the treatment of prisoners of war is only one of several.

Here is an overview page. Text of Convention III. Another version, indexed and slightly easier to read.

From my quick reading (skimming) of the text, it seems that it not only bans mental and physical torture, but that any form of coercive interrogation is also forbidden. However, under article 4, it looks like that many of the prisoners are not covered by the convention at all. It covers regular troops, and irregulars to the extent that they openly bear arms and are identifiable as fighters. Moving on, there is nothing that covers the suspension of the convention. The provision for denunciation of the Convention specifies that such denunciation takes effect only a year after it has been made, and after any conflict in existence at the time of the denunciation has ended and all prisoners from that conflict have been properly disposed of (i.e., no changing the rules in the middle of the game). Oh, and it does not seem to be illegal to put individual prisoners on trial for crimes they have committed, providing that they have all the normal legal rights available to persons under the jurisdiction of the detaining power (with certain specified minimum rights, such as access to counsel). Based on what I saw, I could not decide whether or not military tribunals are competent to try POWs.

I'm not trying to make political points here. The words "Geneva Convention" have been thrown around a lot, and it seemed like a good idea to inject some facts into the discussion (yes, I know this is Slashdot, blah blah blah).
User Journal

Journal: Where I Grew Up

Journal by Jorj X. McKie
This is where I spent most of my childhood. This is where I went to high school.

This is where I work now, in the building to the immediate west of the pond.

TerraServer is cool. :-)

Journal: BackDoor.Agent.BA? Virus Fun 7

Journal by Jorj X. McKie
After reading the front page story about the latest IE malware, the next time that I started up my computer at home, I got several popups for (among other things) spyware detection/removal. This motivated me to download the BHODemon utility which was mentioned by one of the posters in the article. Sure enough, I had a rogue Browser Helper Object. So I used BHODemon to disable it. Within a minute or so, it had re-enabled the entry. Still executing in memory. So I took a look at the file, C:\Windows\System32\lpaebe.dll. No version information - always a dead giveaway that the file is not part of the OS. I used Process Explorer ( to figure out where it was running. As expected, it was attached to each IE process, but it was also attached to the shell process (explorer.exe). So I tried the first trick - rename the DLL, then restart the shell (log off/log on worked in this case). This worked, so I used BHODemon to again disable the BHO entry. This time it stayed disabled. So the first step was complete.

The other clue that I had an infection was that my home page was changed. And, when I restored it, it was changed back (to about:blank). When I removed the BHO, that stopped the change back to about:blank. Since I had physically disconnected from the Internet as soon as I figured out what was going on, my correct home page should have led to an error page. However, it sent me to a search page, one that was nothing like the normal Microsoft default search page. With a little work, I discovered that this page was another component of the infection. It was a file called SP.HTML, which was dropped in my temp directory. Had I been connected to the net, I think that it would have restored the BHO infection.

At this point, I went to another computer to dig up some information about this infection. Using the size of the BHO dll, I searched several virus information sites, as well as using Google to search the web in general. McAfee has a pretty good description of what was going on with my computer.

I had noticed that the BHO dll and the infected search page had pretty much the same timestamp. Being fairly paranoid (and not trusting McAfee to be complete), I decided to look around and see what else might have happened at the same time. So I searched the entire machine for files that had been modified the same day (as close as I could get with the crummy WinXP search tool). I noticed another file, wink.dll, as well as the fact the something had been messing with Notepad and WMPlayer at the same time. At this point, I decided that a real virus scan was required. I used the free edition of AVG. I did a whole-system scan with the latest virus definitions (over 230,000 files, about 60 minutes to do the full scan), and it found the virus as "BackDoor.Agent.BA" (as well as three others that I had saved for dissection in the past). However, it could not remove the file, or move it to its "Virus Vault". I decided that I would give it another chance, and tried my trick of renaming the DLL and restarting the computer. No dice - Windows would not let me rename the file, and AVG still could not remove it. So I used Process Explorer to try and figure out where it was running. No result - as far as Process Explorer could tell, it was not in memory. But I still could not delete or rename it. The AVG resident scanner was repeatedly telling me that the virus was detected, but AVG could not fix it.

Back to the internet for more information. The result was disappointing. None of the virus sites that I tried had any information on a WINK.DLL. WINK.EXE was apparently part of the payload of the Klez worm, but WINK.DLL was unknown. Google gave me a single hit, for a security forum. Someone had the same problem that I did. They gave him some advice, but I do not have the tool that they were using, and I could not quickly figure out how to get it. Back to the computer.

Reasoning that the DLL would probably have to be somewhere in the registry, I used regedit to search for "wink". After many hits for unrelated items having to do with digital ink, I found what I was looking for in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows. Under that key, there was a named value "AppInit_DLLs" with the string value "C:\Windows\System32\wink.dll". Jackpot! Apparently, this key causes the named DLL to be run every time an application is started. This explained the large number of warnings that I was getting from the AVG resident scanner. Also why AVG bluescreened about 50% of the time when I logged in. So I changed the value so that it did not point to the virus DLL. Within a few seconds, it was changed back. Hmmm. I thought about changing the value and restarting before it changed back, but the frequency of restoration was fast enough that I thought that I would not be able to shut down fast enough to beat the change. So I thought a bit, and then realized that I could set permissions on the registry key. So I changed them so that only the Administrator account had the authority to change the key and its named values (I was logged in to my account at the time). I switched over to the administrator account and changed the value. This time it stayed the way that I put it. Back to my account, log off and restart. First good sign: the repeated alerts by the AVG resident scanner no longer occurred. Back to C:\Windows\System32. Attempt to rename the file. "Access denied". Attempt to delete the file. "Access denied". Hmmm... Go to the command line, and check the file permissions. Execute only. Well, that makes sense, I guess. I then used CACLS to give myself full control over the file (though this could likely have been done through the Security tab of the Properties dialog in Windows Explorer). Rename the file. Success. Rescan the directory with AVG, which found and removed the virus file.

Now, for Notepad and WMPlayer. I normally use Metapad for text editing, and WinAMP for media, so this was not a terribly threatening infection. AVG shows both files as clean, though their timestamps have been altered to the same time as the two infection DLLs and the SP.HTML file. I copy a clean version of each from another system, and they compare as identical (using WinDiff). To be safe, I replace each file with a clean copy, and delete the Notepad.exe.bak, Notepad.exe.tmp, WMPlayer.exe.bak, and WMPlayer.exe.tmp files that had been created at the same time. I don't know if the infection attempt failed, or if it was interrupted, because all of the files scan as clean and compare to the originals as identical.

Finally, I deleted the bogus search page and reset the registry entries pointing to it. I left this for last, as it would have let me detect if the infection had gone active again. I then plugged the LAN cable back into the hub, and re-enabled the connection. Clean connection, but another spyware popup. I close it, and check for syspicious files, but there is nothing. As it is now 1:00 am, and I need to be up at 5:45, I decided to postpone any further investigation.

Conclusion: switch to Firefox or Opera in the very near future. Install Adaware if necessary. Leave AVG running. I have never before left a virus scanner running continuously, but this sort of thing is not something that one can prevent by being careful. I can get infected just by visiting an infected site, and I can't depend on them to be patched up to date, or to have their web server (IIS was probably the infection vector in this case) secured. So I have to pay CPU cycles for their inattention. Irritating. But I'm relieved to have the virus gone.

Another interesting fact. This is apparently a combination of several viruses that have been seen in the past, quite possibly an effort by the same author as the Klez worm. None of the several virus information sites that I visited (including Symantec, McAfee, CA, and Grisoft) had complete information on this infection. Which is why I am posting it here, so that it is accessible in some form.
User Journal

Journal: Choose Civility 4

Journal by Jorj X. McKie
I saw this column in the Dallas Morning News the other day, and it really struck a chord. I have not yet had a chance to check out the book that is mentioned.

Even in the possession of identical information, two individuals may disagree. The difference is one of values and priorities. Those differences should be respected by both. Belittling or demonizing those with whom one disagrees is not acceptable.

Journal: The GMail has landed 5

Journal by Jorj X. McKie
Yeah, me too. johndiii (at) gmail (dot) com will get to me. Thanks very much to the donor of the invitation. It looks like there are some very interesting capabilities; I am going to start migrating a bunch of my addresses over the gmail, just to see how they handle it.

Of course, the 1GB limit just means a much more difficult disposal task when one does approach the limit. It seems large, but given a couple of moderately active mailing lists, it's not that remote a limit. I wonder if there's a way to move messages from other mail archives to GMail. I've got a few thousand in a personal archive of the WTL list that I moderate...
Lord of the Rings

Journal: Activating this account - KD, read this

Journal by Jorj X. McKie

Maybe it will get some mod points. Slashcode seems to be going through a weird phase again.

Beloved. I do not wish to make things hard for you. But I believe that, in this case, things are meant to be hard for us. And I believe that having some contact, if not meeting, is the right thing to do. I know that it would help me; I am having a very hard time with this. You will, of course, decide for yourself - and I will respect that. At least, I will not try to force the issue. I will continue to ask.

I downloaded the Angels and Airwaves album, but I have not yet listened. I will regard it as yet another gift from you. You have given me much, and I would cherish you for what time you have left.

You have my email address. Please.

Those who do not understand Unix are condemned to reinvent it, poorly. - Henry Spencer, University of Toronto Unix hack