We hadn’t succeeded after all in cleaning the PC of this crap. After my previous post, Erika and I spent a long evening attacking this thing without any victory at all. I was all for copying her important data to an external drive, hitting it with AV/Spyware, copying it to the new laptop, and wiping the old one.

But while I was working in Dublin, Erika came across the key – it had used Daemon Tools and installed a virtual CD of itself! Now that’s mean! She discovered this via Kaspersky online when it reported a virtual CD drive that she didn’t know about, and couldn’t see.

So she uninstalled Daemon Tools, and went back over the process previously outlined, and that, apparently, was that. No more virus.

Way to go Erika.

May 29, 2008 at 4:42 pm

HLDRRR Infection

Erika got infected with HLDRRR the other day – fortunately she’s just bought a brand new Asus M50SA which she has been able to use, because getting rid of this rootkit is a freaking nightmare.

Reading the internet I see that a lot of people don’t understand exactly what a rootkit is, and are surprised when Task Manager etc. can’t find it, or can’t stop it.

Folks, when you have a rootkit, you cannot TRUST your system anymore! Anything you run on the infected Windows, Task Manager and your AV included, is asking the rootkit what is there. The only solution is to boot from an external read-only source (such as a live CD or a read-only USB key) and track down where the rootkit has installed itself. The good news is that the rootkit has to persist somewhere so that it gets loaded again at boot, which normally means a driver/service entry or a Run key in your registry, and once you have its file names you can usually find out where it hides by checking on the internet.

First let’s describe some symptoms;

  • Anti-Virus gets turned off and/or deleted and/or uninstalled
  • Firewall meets the same fate
  • You may get the blue screen of death if the rootkit crashes some vital Windows process while inserting itself into it.

Got that? Now you’re infected. Here’s how to check;

  • Internet or network connection crashes or slows right down
    • That’s because you are now the proud host of a rooted box, and it’s using all your bandwidth to download malware and porn…
  • Computer seems really busy but there are no obvious processes in Task Manager eating up all your CPU
    • That’s because it’s busy hiding all that malware and porn, or cracking your password files…
  • Can’t boot into Safe Mode
    • That’s because if you could boot into Safe Mode, you could stop the rootkit from running and uninstall it…

Here’s what NOT TO DO;

  • Ignore the issue… because it WON’T go away.
  • Start using internet banking… because you can kiss your money goodbye.

Here’s what to do, if you have gotten HLDRRR;

  • Delete Megadrv3 device (follow instructions from Alireza Peyman).
  • Log out straight away.
  • On another computer, research, research, research. These things change all the time.
  • Get someone else to download BART PE and create a Live CD
  • Reboot your computer with the CD in the drive
  • Delete everything in [windows]\system32\drivers\down.
  • Browse your system and delete everything in every Temp directory, which includes Temporary Internet Files
  • No, really, find every Temp/Temporary/Temporary Internet Files directory, and delete everything
  • Delete [windows]\system32\hldrrr.exe
  • Create a new empty read-only file called hldrrr.exe
  • Delete [windows]\system32\hidr.exe
  • Create a new empty read-only file called hidr.exe
  • Delete [windows]\system32\srosa.sys
  • Create a new empty read-only file called srosa.sys
  • Delete [windows]\system32… etc. etc.
  • Create a new… etc. etc.
  • Delete anything else that the internet suggests, if you can find it (mdelk.exe, wintems.exe, but the names change frequently!)
  • Load up your registry (follow the instructions)
  • Find all references to hldrrr and delete them
  • Find all references to hidr and delete them
  • Find all references to srosa.sys and delete them
  • Find all references to… (get the picture yet?)
  • Unload your registry
  • Remove the disk and reboot.
  • Check if the Megadriv3 device is still uninstalled.
  • Check if the empty, read-only files you created above are still visible and are still 0kb – if one has grown or vanished, the rootkit is still running and rewriting its files.
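As an added example (not from the original post), here is the file and registry part of the procedure above written as a batch script for the BartPE command prompt it would actually be typed into. It assumes the infected Windows install shows up as D: under BartPE, that reg.exe is present in the PE build, and that D:\rk-audit can be written to; the file names are the ones listed in the post and must be extended with whatever your own research turns up, and the script name rk-offline.cmd is just a placeholder. It goes one step beyond the list above by also exporting each profile’s NTUSER.DAT, because per-user Run keys live there and not in the SOFTWARE hive, so a search of SYSTEM and SOFTWARE alone can miss a reference.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the original post. Run from a BartPE/WinPE
rem prompt booted from CD, never from the infected Windows itself.
rem Assumptions (adjust to your box): the infected install is on D:,
rem reg.exe is present in the PE build, and D:\rk-audit is writable.
set "SYSDRIVE=D:"
set "WINDIR=%SYSDRIVE%\WINDOWS"
set "SYS32=%WINDIR%\system32"
set "AUDIT=%SYSDRIVE%\rk-audit"
rem Names from the post; they change often, so extend this from research.
set "NAMES=hldrrr.exe hidr.exe srosa.sys mdelk.exe wintems.exe"

if /i "%~1"=="check" goto :check

echo === 1. Dropper cache and every Temp directory ===
if exist "%SYS32%\drivers\down" rd /s /q "%SYS32%\drivers\down"
call :empty "%WINDIR%\Temp"
for /d %%P in ("%SYSDRIVE%\Documents and Settings\*") do (
    call :empty "%%~P\Local Settings\Temp"
    call :empty "%%~P\Local Settings\Temporary Internet Files"
)

echo === 2. Replace each dropped file with an empty read-only stub ===
for %%N in (%NAMES%) do (
    if exist "%SYS32%\%%N" (
        attrib -r -s -h "%SYS32%\%%N"
        del /f /q "%SYS32%\%%N"
    )
    type nul > "%SYS32%\%%N"
    attrib +r "%SYS32%\%%N"
)

echo === 3. Export the offline hives and list every reference ===
if not exist "%AUDIT%" md "%AUDIT%"
del /q "%AUDIT%\*.reg" 2>nul
reg load HKLM\OffSys "%SYS32%\config\system" >nul
reg load HKLM\OffSoft "%SYS32%\config\software" >nul
reg export HKLM\OffSys "%AUDIT%\system.reg"
reg export HKLM\OffSoft "%AUDIT%\software.reg"
rem Per-user Run keys live in each profile's NTUSER.DAT, not in SOFTWARE.
for /d %%P in ("%SYSDRIVE%\Documents and Settings\*") do (
    if exist "%%~P\NTUSER.DAT" (
        reg load HKLM\OffUser "%%~P\NTUSER.DAT" >nul && (
            reg export HKLM\OffUser "%AUDIT%\user-%%~nxP.reg"
            reg unload HKLM\OffUser >nul
        )
    )
)
rem reg export writes a Unicode file; "type" converts it so find can search it.
for %%R in ("%AUDIT%\*.reg") do (
    for %%N in (%NAMES%) do (
        echo --- %%~nxR: references to %%~nN ---
        type "%%~R" | find /i "%%~nN"
    )
)
echo Delete the keys/values listed above: SYSTEM and SOFTWARE are still
echo mounted as HKLM\OffSys and HKLM\OffSoft for regedit; for a hit in a
echo user-*.reg file, reload that NTUSER.DAT with reg load. Then press a key.
pause >nul
reg unload HKLM\OffSys >nul
reg unload HKLM\OffSoft >nul
echo Done. Remove %AUDIT%, reboot without the CD, then run: %~nx0 check
goto :eof

:empty
rem Delete everything under %1, hidden/read-only files and subfolders included.
if not exist "%~1" goto :eof
attrib -r -s -h "%~1\*" /s /d >nul 2>&1
del /f /q /a "%~1\*" >nul 2>&1
for /d %%D in ("%~1\*") do rd /s /q "%%~D"
goto :eof

:check
rem Post-reboot check from the real Windows: every stub must still exist,
rem be 0 bytes and read-only (attrs show "r"). Otherwise it is still alive.
set "SYS32=%SystemRoot%\system32"
for %%N in (%NAMES%) do (
    if exist "%SYS32%\%%N" (
        for %%F in ("%SYS32%\%%N") do echo %%N  %%~zF bytes  attrs=%%~aF
    ) else (
        echo %%N  MISSING
    )
)
goto :eof
```

Run it once as `rk-offline.cmd` from the BartPE prompt, delete the registry entries it lists while the hives are still mounted, let it unload them, then reboot into the real Windows and run `rk-offline.cmd check` to confirm the stubs are still 0 bytes and read-only. The device removal step at the top of the list is not covered by the script and still has to be done by hand, and if a stub has grown or gone missing after the reboot, go back to the CD and repeat the search with the new names.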

You may, or you may not, have gotten rid of this infection.

See my next post for what to do if you just want to give up, but want to save all your files!


Written by seancasaidhe

May 23, 2008 at 7:57 am

AVG 8 Free – Part III

with 5 comments

Continuing the story of my struggles with AVG 8, well I’ve uninstalled it and currently am without anti-virus, but only until I have time to find something decent to replace it.

Oh to recount the problems I had! To start with, I had a bugger of a time getting rid of Link Checker. Disabling it, as reported elsewhere, leaves a really annoying icon in the system tray. I followed the advice to re-install AVG 8 without Link Checker, but had real problems uninstalling it as it wasn’t even able to kill its OWN PROCESSES! What a rubbish installer!
OK, so I uninstalled completely, and re-installed without link-checker. The only advantage was the icon didn’t show a problem all the time – otherwise, the thing was equally heavy on system resources as before.

What I noticed immediately was that every time I got an email, Windows locked up for a short but noticeable period, which was really annoying. Then, as previously reported, I found that the 3 processes were sucking up massive amounts of memory, over 100MB. Now I use Lightroom and Photoshop a fair bit and I really don’t want anything else taking up memory unless it has to, because working with photos takes up enough memory as it is!

So goodbye AVG 8, and good riddance. A real pity, ‘cos I’ve been using it for years. They seem to be going down the Norton Anti-Virus route, as someone else has said.

Written by seancasaidhe

May 21, 2008 at 5:16 pm

Images of Thoughts

For once I’ve something good to write about (a lot of Sicilians complain that I write too negatively about Sicily, which isn’t true at all, it’s just the negative things get me worked up more than the positive things!)

So here’s to Luigi – one of those genuinely good guys that everyone likes, and a regular at Flickr Palermo meets. Obviously he’s a keen photographer and I can’t count the number of times I’ve bumped into him at various concerts and events, always with his Canon, always with a smile and a keen eye for a good photo.

So when I heard that Luigi is launching a photographic exhibition at the MiKalsa bar, I was keen to get along.

Fortunately Sonia was able to swap shifts at work so at 21:30 we found a decent parking spot nearby and arrived to find Pepe and Rojo digging into some dinner, with the rest inside. Sonia certainly considers it an unmissable event, and I’d have to agree.

He’s titled it “Le Immagine del Pensiero”, which translates sort of to “Thoughtful Images”, which sounds a lot better in Italian than it does in English. Maybe I’m just a bad translator. Luigi has based the exhibition on his more recent work, reflecting his recent focus on portraits and character studies of his friends.

All the dozen or so images are extremely good – some I’ve previously seen on Flickr but many are premiered at the exhibition. Each photo has a small quote from literature attached, a little “pensiero”. My personal favourite; this.

So get along if you can, and if you can’t, get onto Flickr and leave some comments!

Written by seancasaidhe

May 21, 2008 at 3:42 pm

Mafia on the Mind

Now the other day I wrote that a friend was involved in an accident and that night had the car burnt out. For me it’s fairly clear – the guy involved is pissed she’s taking action against him, and burnt out her car as a lesson.
Except nothing is ever that simple here in Sicily. The girl lives in a town near Palermo that is heavily controlled by Cosa nostra, and that changes everything.

Take for example Cinisi, the place where Peppino Impastato was born, fought, and killed. He was born into the mafia (father, uncles, all mafiosi for the most part), he fought the mafia all his life (calling the mafia a “mountain of shit” was the least of it), and was killed by the mafia (they beat him to a pulp in a cowshed, stuffed some dynamite in his pockets, took him to a local railway line, and blew him up).

Recently the boss of Cinisi turned, and has shown that the grip on Cinisi is still rock-solid. So that raises a burning question, pardon the pun. Given that her town is under the shadow of Cosa nostra – did her car get burnt with or without the permission of the local men-of-honour?

If not, then that guy is really really stupid, because the mafia really don’t like things to happen in their areas that might bring the attention of the police and provide an excuse for outsiders to stick their noses in.
If he did have permission – then my friend is in a lot more trouble than we thought.

Me personally, I don’t think the local mafia give a flying fck about the whole thing, but then I’m not Sicilian and I don’t understand. Even after a year, I still don’t see the hidden things, and I’ve given up trying, ‘cos I keep twisting myself into knots over what somebody said, what they didn’t say, what might what they said mean, what might what they didn’t say mean, and why didn’t they say it, Why did they say what they said?

To quote Gen McAuliffe in Bastogne – aw nuts!! I’ll just take everything at face value, and more the fool those who think less of me because I’m honest!

Written by seancasaidhe

May 18, 2008 at 5:00 pm

Dog Days in Sicily

The heat arrived with a vengeance today (Friday), with a hot wind blowing in from the south, and the sun burning off any morning clouds long before I woke up. The short walk to work had me sweating, and in the evening Palermitans were walking around groaning “Oh I can’t take this anymore!”

So goodbye spring, hello summer, let’s all go to the beach and get burnt! At least, that’s what everyone seems to do when it gets hot, and skin cancer rates are shooting up – but jeez, don’t mention that to a Sicilian, they’ll block their ears and run away – not talking about something means it won’t happen, or didn’t happen! They’re good at that here, not talking.

Written by seancasaidhe

May 17, 2008 at 1:15 pm

Talking about a revolution

with 2 comments

Today Sonia and I took time to get to the Addiopizzo event in Piazza Magione. We arrived waaay too early at 7pm, just to grab some photos if possible and see what’s what. We wandered around a bit, checked out some t-shirts, some of the exhibitors and what not. There was a shedload of carabinieri, dripping medals and cutting people with the knife-sharp creases on their jet-black uniforms (here’s a killer, these guys are ALWAYS in dress-uniform!) talking with the young Addiopizzo people, no doubt sharing war-stories of the Fight Against the Mafia.

I should explain perhaps that Addiopizzo is an organisation dedicated to fighting the extortion rackets, the payments for which are called the “pizzo”. The idea is they help people to expose extortion attempts, provide support (for like, when your factory gets burned down overnight…) and encourage people to shop in places which refuse to pony up.

Anyway there’s a fair few stalls and a band-stage being set-up, so we’ll be back later tonight to get a bit of culture and music and show our support.

The one notable thing that did occur demonstrated to me the problems that organisations like Addiopizzo face in changing the culture here – 20 minutes after we got there, a fire-engine pulled up with sirens and lights and great urgency. We noted at the far end of the piazza a bunch of people gathered near a car, including a lot of Addiopizzo t-shirt wearing activists. After a few minutes Sonia and I went along to have a look-see and find out what was going on – something to do with a car it appeared, which had been broken into or had parts of the engine nicked, or maybe someone tried to burn it – I was overcome with curiosity and I have to admit I prodded Sonia into asking one of the Addiopizzo people, who was looking very pissed off, about what had happened.

“Niente!” Nothing.

Sonia was really pissed with me – “I knew he’d say that, Sean! It’s useless asking anyone anything here – omerta!”

Even in Addiopizzo, the Sicilian mentality gets in the way.

Written by seancasaidhe

May 16, 2008 at 9:01 pm