Widgetbox Neon Text Generator web widget
Wednesday, April 23rd, 2008
A flashy thingy for the manics.
Experimental interface to the Bipolar Planet mobile community on Winksite. You can access the site directly from your mobile phone at http://winksite.mobi/bpplanet/m.
Want a free Bipolarplanet.mobi QRCode t-shirt? Be one of the first 5 people to join the mobile community then pop back here and leave a comment. I’ll need your email address so I can contact you for snail mail address - don’t worry, your address won’t appear in the comments.
MYTAGO - do magic with your phone
Yes, it’s Yet Another Meatspace Tag. This one requires a free membership to get the tags. Seems like a bit of a privacy hassle.

MYTAGO is a little different from QRCode or Shotcode. There’s no phone app. Instead, take a picture of the tag and use one of these methods to get the tag data - a bookmark and description:
I signed up with a site called Outside.in a few months ago and they turned me down because I don’t have enough geotag info in my blog, i.e. I write about ideas rather than local coverage. I guess they figured out that nobody interesting is going to geotag every post.
Now Outside.in has changed things so that they can read a feed and include only items with geographical information in them.
It would, of course, have been far easier to reformat my hard drive.
The problem seems to be a bagel variant and has something to do with files named
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
and possibly an infected NETWAITING.EXE file.
I have tried multiple rootkit detection and removal programs with varying degrees of success.
McAfee Security Center says that no parts of my McAfee software are enabled. It says that parts of the software are missing and I have to reinstall.
McAfee Rootkit Detective 1.1 flagged hidr.sys and said it would remove it, but it didn’t.
F-Secure Online Virus Scanner is unable to download all its files - I suspect the bug is blocking them. Their Blacklight program has been integrated into the new scanner. Oh well.
AVG Free won’t install - it can’t find one of its installation files - I assume the malware is deleting it. AVG is my number one favorite free antivirus program.
Panda Anti-rootkit, available from Download.com, found the files and renamed one of them, but the problem came back next boot. Panda offers a number of free tools too, including an online scanner called ActiveScan and a beta online scanner named nano-scan. The big thing they offer is repair utilities for specific infections.
EliBagle v10.75 located the files and a registry entry. I rebooted in safe mode. I deleted the files. I deleted the registry entry. And just to be certain, I deleted the preload file for hidr.exe.
At this point IE is no longer going out to strange web sites. I can only hope that it was unable to download something even worse while McAfee was down.
My McAfee subscription is still active, but I haven’t decided whether to reinstall or to switch to something cheaper and just as useless.
I found a related topic on the What the Tech forums.
http://forums.whatthetech.com/Someonething…ml&hl=srosa
It may be the same as my problem. The tool mentioned in the article, Blacklight, is no longer available, but the company has a dozen or so FREE special-purpose disinfecting tools. Time to make the donuts… errrr…. bagels.
Update 12/3/2007:
Got it! With a couple of utilities and a brief foray into the frightening forest of “safe mode.” Why do they call it safe mode when you can do so much damage from there?
Please, folks, I’m just messing around here. DON’T DO WHAT I DID TO FIX YOUR PROBLEM!!! I’m an old lady who does regular backups and I often screw things up bad enough that I have to reformat. One thing about having two hard drives is that your data is (usually) safe from your tender ministrations.
So.
This thing seems to have been a Bagel variant. The gist of it is that it runs as a driver. An “intercept directory listings and delete anti-virus files” sort of a driver. Regular spyware cleaners don’t even look at drivers. So that’s what a rootkit is! Now things are starting to make sense. HJT didn’t list this bug.
Bagel hid its files well. Once I ran something to detect rootkits I had something to work with - filenames and registry entries. I couldn’t find anything to clean it automatically, but as I said, I’m not afraid to reformat. In a DOS command shell “dir sr*” listed the file srosa.sys. No other way of listing the directory could see it. Not “dir,” not “dir s*.” I couldn’t list hidr.wtfever it was called, but when I tried to delete it the error message indicated that the file was indeed there but couldn’t be deleted. Safe mode it is. I deleted the files, modified the registry, and sacrificed a small animal to the ‘Net God in hopes that my laptop would reboot after what I did. Hey, stuff happens.
So after all that garbage, my laptop is no longer going out to sites in Eastern Bloc countries looking for… trouble. My hope is that I didn’t delete some driver that, say, enables me to play movies or burn mp3 CDs for the car. That remains to be seen.
However, there is an entry left in the registry called LEGACY_SROSA. Since it doesn’t expressly list the path of “srosa” I’m not sure whether to delete it.
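The observation above, a file that can be reached by name while missing from a plain directory listing, is the basis of cross-view rootkit detection. An added example (not from the original post) that compares the two views; the `lister` parameter and the filtering stand-in in `demo()` are constructed for illustration, with the file names taken from the post.

```python
import os
import tempfile

def cross_view(directory, candidates, lister=os.listdir):
    """Return candidate names that exist when looked up directly but are
    absent from the directory enumeration (compared case-insensitively)."""
    listed = {name.lower() for name in lister(directory)}
    hidden = []
    for name in candidates:
        try:
            os.stat(os.path.join(directory, name))  # lookup by exact name
        except (FileNotFoundError, NotADirectoryError):
            continue        # genuinely absent, nothing to report
        except PermissionError:
            pass            # present but locked, like the undeletable file
        if name.lower() not in listed:
            hidden.append(name)
    return hidden

def demo():
    """Constructed scenario: a lister that drops two names stands in for
    the driver that filtered directory listings."""
    concealed = {"srosa.sys", "hidr.exe"}

    def filtered_listing(path):
        return [n for n in os.listdir(path) if n.lower() not in concealed]

    with tempfile.TemporaryDirectory() as d:
        for n in ("srosa.sys", "hidr.exe", "disk.sys"):
            open(os.path.join(d, n), "w").close()
        names = ["srosa.sys", "hidr.exe", "disk.sys", "absent.sys"]
        return cross_view(d, names, filtered_listing)

if __name__ == "__main__":
    print(demo())
```

Because the check runs through the same OS calls the driver hooks, an empty result does not prove a clean system; scanning the disk from other boot media gives a more trustworthy view.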
Found this f*cker at the bottom of index.php. The file was in the top level and IE kindly downloaded it for me. It’s late, it’s my own site, and I wasn’t paying attention. I ran it. I don’t know what’s going to happen. I’m running a McAfee scan - it didn’t flag the executable - and I suppose I should grab AdAware or Spybot S&D or both.
Now if you’ll excuse me, I’m going to go boil my laptop.
Update 11/19:
IE went out to a bunch of sites this morning looking for a page called hltraff.php. Not good. It also killed McAfee and won’t let me do a system restore. I found the installation and as I looked at the file it disappeared from the directory. I guess I’m going to have to reformat and start over.
Update 11/25:
I am so pwned.
First access of this file - the first person who was infected by my site - gives me an idea when it was uploaded to my server.
That’s someone who my webpage may have infected. After that the accesses come several times a page.
This is the ftp access where the hacker uploaded the infection and the hacked index.php:
66.246.252.53 resolves to sr178.2dayhost.com - that’s the hacker.
69.141.48.56 resolves to c-69-141-48-56.hsd1.pa.comcast.net - that’s me.
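The timeline reconstruction described above (FTP upload by an unfamiliar address, then the first web request for the dropped file) can be scripted. An added example, not from the original post: it assumes an xferlog-format FTP log and an Apache combined-format access log, and every sample line, address and file name below is constructed.

```python
import re
from datetime import datetime

# Constructed sample lines (documentation-range IPs, placeholder file name).
XFERLOG = """\
Wed Nov 14 21:40:10 2007 1 192.0.2.10 5120 /home/site/public_html/index.php b _ i r siteuser ftp 0 * c
Thu Nov 15 03:12:45 2007 2 198.51.100.23 40960 /home/site/public_html/dropped.exe b _ i r siteuser ftp 0 * c
Thu Nov 15 03:12:49 2007 1 198.51.100.23 5300 /home/site/public_html/index.php b _ i r siteuser ftp 0 * c
Thu Nov 15 09:00:00 2007 1 192.0.2.10 5300 /home/site/public_html/index.php b _ o r siteuser ftp 0 * c
""".splitlines()
ACCESS = """\
203.0.113.7 - - [15/Nov/2007:03:14:02 -0500] "GET /dropped.exe HTTP/1.1" 200 40960 "-" "Mozilla/4.0"
203.0.113.99 - - [15/Nov/2007:03:20:31 -0500] "GET /dropped.exe HTTP/1.1" 200 40960 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Nov/2007:03:13:58 -0500] "GET /index.php HTTP/1.1" 200 5300 "-" "Mozilla/4.0"
""".splitlines()

def foreign_uploads(lines, owner_ips):
    """xferlog uploads (direction field 'i') from addresses not in owner_ips."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 18 or f[11] != "i" or f[6] in owner_ips:
            continue
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        out.append((when, f[6], f[8]))      # (time, remote host, file)
    return sorted(out)

REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

def first_hit(lines, path):
    """Earliest (time, client) that requested path, or None if never seen."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if m and m.group(3).split("?")[0] == path:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, m.group(1)))
    return min(hits) if hits else None

if __name__ == "__main__":
    for when, host, name in foreign_uploads(XFERLOG, {"192.0.2.10"}):
        print("upload", when, host, name)
    print("first request", first_hit(ACCESS, "/dropped.exe"))
```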
yeah
Just upgraded to WordPress 2.3.1. The release, not the release candidate. I wound up having to go into phpMyAdmin and set the auto_increment value in some of the MySQL tables.
Now that I’ve sorted it out, I have to say that so far I like it. Sidebar widgets and tags are built right in.
Don Park’s Daily Habit - Visual Security: 9-block IP Identification
An interesting site I came across a few weeks ago, lost, then found again.

Look, I’m beautiful! Uh, well, at work anyway. My identicon at home looks like one of the bugs from the movie “Starship Troopers.”
Update: Since you wondered…
