Business Software Solutions across all of Dorset and the world
Tuesday, 2 December 2008
Friday, 28 November 2008
Avinash Kaushik - Web Analytics in an hour a day
Avinash Kaushik comes highly recommended for web analytics, plus he seems to be an ok person! 8-)
Monday, 1 September 2008
Microsoft provides examples of the worst documentation in the software industry
During the course of my work, I rather too frequently come across Microsoft documentation which consists of definitions of the form:
"BigThing" : a BigThing is a thing which is big.
Of course a BigThing is a thing which is big!
This tells me precisely nothing.
It annoys the hell out of me so much, and Microsoft seem to me to be a company that does this more than anyone else.
I am so annoyed I am going to start to compile a list of URLs that demonstrate what I'm talking about.
Hopefully someone from Microsoft will come across my list, and then someone else at Microsoft will agree it's a good idea to not insult their customers with pages upon pages of documentation that provides no real information whatsoever.
I'm not going to go round pulling out examples now... I'm just going to add to my list every time I come across one.
Here's one that just got me... you might say it was the last straw:
evictmanagedresources
Microsoft's documentation on "evictmanagedresources" says (and I quote) "Evicts all managed resources, including Microsoft Direct3D resources and those that are driver managed." In other words, evictmanagedresources evicts all managed resources. That really helps, doesn't it, Microsoft! Ever heard of examples? Ever thought you might like to include some in your documentation? Read my lips... never ever ever make a piece of software language documentation and don't include an example of usage.
Whoever at Microsoft needs to hear that, I don't know. But someone needs to write it in red ink on their forehead.
(Happy mood, today!)
If you're suffering from having to deal with Microsoft documentation, these fellows may help... 8-) ... Microsoft Dorset
Monday, 4 August 2008
Do you want to debug? - annoying dialog
ENQUIRER:
Dear, Dorset Software Consultant,
On my laptop (only, not my PC) I am getting a lot of annoying dialog boxes that pop up and say there is a runtime error and do I want to debug. ["Do you want to debug?"] If I say yes, the script editor from Microsoft pops up, but I don't know what I am doing with it so I always wind up closing it. How do I get these things to leave me alone?
Dear Enquirer,
Am I right in thinking that these dialogs only appear when you are using browser software?
If so then it is probably an easy thing to fix.
Open up Internet Explorer options and check the select boxes shown in the graphic below.
That should fix it.
If this is occurring not just in your browser software we may have to think along some other lines... like you may have some sort of mild virus.
Three likely scenarios occur to me:
(1) Virus:
Do you have virus software installed?
(2) A piece of software or hardware driver recently installed is conflicting with some other piece of software or hardware driver:
When did the dialogs start appearing?
Did you install some piece of hardware or software just prior to when the PC started doing this?
Is it while using a particular piece of software that this happens, or is it more random than that?
(3) You have some disk or memory corruption:
When was the last time you checked your disks for errors?
Are you running out of space on any of your disk drives?
Did you recently have a power failure that rebooted your PC without shutting down properly?
Or someone shut it down using the wall power switch instead of the Windows “Shut down” procedure?
ENQUIRER:
I think I am getting clearer about when this happens. I think it is related to the fact that I just close my laptop when it is plugged in, don't shut down, and then unplug the laptop from the wall later, either use it on battery, or plug it in somewhere else and use it on AC. I have been wondering for awhile: When I go to shut down in Microsoft, when should I select Standby, when should I select Hibernate (I think this has to do with not running down the battery, so I'm guessing you'll say that), or Turn off (or Restart) completely?
I want to know which I should choose of the first three when I am unplugging from the wall and moving the laptop somewhere else.
"Standby" and "Hibernate" are both designed to be ways of conserving power (usually of a laptop) whilst being able to stop and resume working from whatever point you have got to. For example, you don't have to close and save files (at least theoretically); you can just stop, and pick up from wherever you had got to.
The difference between Standby and Hibernate is that Hibernate copies your computer memory (including any open files) onto your hard drive, whereas Standby leaves the power going to the memory and the contents of the memory as it is.
Consequently you should expect Hibernate to take a bit longer (both going into hibernation and coming out of it). On the other hand, Hibernate should conserve more battery life, because it is not having to keep power going to the laptop memory. If the laptop is going on a longer journey, it is probably better to use Hibernate, because keeping power going to the computer memory may ultimately drain the batteries to such an extent that the machine gives up and powers down, potentially losing any work that you haven't saved.
See difference between "Standby" and "Hibernate"
I think somewhere I have seen a piece of software that automatically moves your computer from Standby to Hibernate when battery reserves are getting low, although I don't remember for sure. In any case I personally wouldn't count on it.
Personally, I would be inclined to always save copies of my work. If I want to avoid overwriting an existing file that I'm not sure I want to replace yet, I would simply make a new copy and keep the old until I'm happy that the new one can replace it.
Also with regard to Hibernate, I would bear in mind that if your disk drives are old, or well used, or nearly full up, or very fragmented, or have shown any signs of being liable to errors or corruption, your hibernate file is going to be susceptible to corruption during the process of putting it onto the hard drive and/or restoring it off again. The outcome of restoring a corrupt hibernate file is probably not predictable.
Wednesday, 23 July 2008
Useful command line instructions
Just while I'm thinking about some of them:
netstat 20
Lists all the active TCP/IP connections, so you can check for hackers ;-)
(20 is the number of seconds before a repeat)
ipconfig /all
Lists info on all physical network connections
ipconfig /release
ipconfig /renew
Tracert ipAddress/domain name
Traces network hops to remote locations so you can check a failing connection to see where it is failing.
There's a really useful one for rebuilding the Winsock protocol stack, but I don't have it to hand.
I'll add more of these as I think of them.
What has got my COM port?
Classic phone tools problem.
When you press the dial button you get this message.
"Com port is being used by another application.
Your call cannot be completed now."
But what application! What application is the COM port being used by?
What is the solution to making PhoneTools work?
Dogztar had a crack at some similar problems. As did moorhouselondon. Scroll down to the bottom of the pages to see the solutions. (Don't be put off by the "You need to be a premium member" message. Just scroll to the bottom of the page.)
In order to find out what is competing for the COM3 port, I uninstalled the modem. In Windows XP when the machine is restarted, Windows automatically tries to re-install the modem.
When Windows tried to reinstall the modem, a COM port conflict message came up, alerting me that in my case it is ActiveSync attempting to connect via COM3 to my PDA which is causing the conflict.
This may not be the solution in all cases, but it was the source of the competition for the COM port in mine.
ActiveSync did not in any case need to access the PDA on the COM port, because it connects just fine using USB without it. With this option deselected, both PhoneTools and ActiveSync work correctly together on the PC.
Once I had deselected ActiveSync's attempts to connect on COM3 to my PDA, phone tools now works correctly again.
Wednesday, 2 July 2008
I'm new to blogging - where do I start?
Dear Dorset Software Consultants,
I will be setting up a blog later this summer and I'd love to hear some of your experiences with blogging.
I'm really after a number of bits of information. For a start what service would you recommend?
Who reads your blog? Is it public or private? How do I relate my blog to my business or other projects I am working on?
Many thanks for any help you can give me.
Rather than having one blog, you may notice that I have lots of blogs.
(And web sites, etc. etc.)
The blogs and sites and etc all connect up with each other in various different ways. This then provides multiple alternative routes into what is essentially all the same project.
The project has a number of different faces, each blog or web site provides a different face on the project, but from my point of view there is only ONE PROJECT.
The conclusion I came to is that really what an active participant in the global discourse on business, prosperity, productivity and accomplishment needs is not really a web-site or a blog or any such thing… more rather it is a “web presence”. You heard it here first!
;-)
Saturday, 14 June 2008
Creating a linked server for Sage line 50 version 14 on Microsoft SQL server 2005
Although documentation exists for creating linked servers on Microsoft SQL server 2005, and documentation exists regarding the Sage Line 50 v 14 (2008) ODBC driver, I couldn't anywhere find documentation that combined both.
If there is any, please let me know in the comments.
When I tried a fairly standard set of options for creating a linked Sage Line 50 version 14 server on SQL 2005, I tended to get problems like this:
Figure.1
The graphic shows an attempt to use the Sage Stock table via the linked server in a view on the SQL 2005 server.
You get back a few rows (the number varies) and then the error occurs:
"Row handle referred to deleted row or row marked for deletion"
and
"OLE/DB provider 'MSDASQL' Irowse getdata returned 0x80040e23"
and
"Could not get the data of the row from the OLE/DB provider 'MSDASQL'"
Other strange phenomena occurred. For example, from an ADP (Access data project) connecting to a database that referenced the linked server, the sa account was able to connect, whereas a domain account with full access to the database and server admin rights on the SQL server was not able to use the linked server, even though all accounts were being mapped to a valid Sage account with every permission under the sun granted to it. Before we could discover that, however, we had to get the thing to connect at all. And how we did that is as follows:
I spent a long time figuring it out, but maybe I'm the only person in the known universe that has ever needed to set up a Sage Line 50 linked server on Microsoft SQL 2005, so unless someone actually prompts me for more detail I'm going to be brief but include the critical things I noticed along the way.
First have a look at the following two graphics:
Figure.2
Figure.3
For the first of these, you have undoubtedly tried all the settings of the ODBC driver under the sun in an attempt to make it work (if you've come this far).
The second graphic, however, you may have passed over.
It sets the OLEDB provider for ODBC datasources settings for all linked servers using the OLEDB provider for ODBC that are running on the same server.
It is not at all obvious to me what you are supposed to do if you have ODBC sources that need different alternative settings here, but I was "blessed" with only needing to connect to Sage Line 50 from SQL 2005, so I didn't have to deal with that particular problem.
The way to get to that dialog is to right click on the SQL Server Management Studio hierarchy branch as shown in the graphic below:
Figure.4
Addendum - scripting out Sage Line 50 Linked server on SQL 2005
As per the request from the blogger "Boozer" from St Albans (see comments), I have added some additional detail.
These are the 2nd and 3rd pages from linked server properties dialog. (The first page is already showing above.)
Figure.5: Security tab of linked server properties dialog:
Figure.6: Server Options tab from linked server properties dialog:
Figure.7: This graphic shows my Sage 50 version 14 ODBC settings.
I also scripted out the creation script of my linked server using the following menu command in the SQL 2005 Management Studio tool.
Figure.8
This gave me the script shown below:
/****** Object: LinkedServer [SAGE_Linked_Server] Script Date: 06/22/2008 20:56:02 ******/
EXEC master.dbo.sp_addlinkedserver @server = N'SAGE_Linked_Server', @srvproduct=N'SageLine50v14', @provider=N'MSDASQL', @datasrc=N'SageLine50v14', @provstr=N'SageLine50v14;uid=FillinTheBlank;pwd=FillinTheBlank;'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'collation compatible', @optvalue=N'true'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'data access', @optvalue=N'true'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'dist', @optvalue=N'false'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'pub', @optvalue=N'false'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'rpc', @optvalue=N'true'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'rpc out', @optvalue=N'true'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'sub', @optvalue=N'false'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'connect timeout', @optvalue=N'0'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'collation name', @optvalue=null
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'lazy schema validation', @optvalue=N'false'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'query timeout', @optvalue=N'0'
GO
EXEC master.dbo.sp_serveroption @server=N'SAGE_Linked_Server', @optname=N'use remote collation', @optvalue=N'true'
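You should be able to execute this SQL script in a query window against your server to produce an identical linked server setup to the one I have, once you have replaced the two FillinTheBlank placeholders (uid and pwd) in @provstr with your own Sage user name and password.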
Some of the keys for us I think were as follows:
(1) Setting the "Zero level only" flag in the OLE/DB provider for ODBC (MSDASQL) properties dialog. (See Figure.3 above.) You can access this dialog via the right-mouse menu shown in Figure.4. Before I did this I tended to get the message "Row handle referred to a deleted row or a row marked for deletion" when running a SQL query against a recordset from the linked server. SQL tools would return a few rows, anything from 1 to about 5 or 6, before coming back with this error. The number returned any time the query was run was not always the same, but tiny compared to the number of records I was expecting.
(2) We discovered there was a difference when trying to connect to the Sage linked server when we were using integrated security accounts vs. when we were using SQL Server native accounts. The conclusions here were not very complete. Integrated NT domain accounts worked when connecting via some of the Sage accounts, but did not work when connecting via other Sage accounts, even Sage accounts that had been given maximum permissions to everything on Sage. Sage accounts that did not work with the integrated NT domain SQL Server accounts did however work when using the Sage linked server via the security context of a native SQL Server 2005 account.
(3) Much of what we were doing had been upgraded from previous versions of SQL Server, Sage and NT. The NT domain had been upgraded from a Windows small business server to domain controller to an Active Directory. Sage accounts that worked with the new Active Directory accounts tended to be ones that had existed on the previous Sage installation.
Sponsored by Dorchester (in Dorset) Software
Saturday, 31 May 2008
Select file to crack - Virus information
Quite a lot has been documented about the Troj/BagleDl-BX, W32/Mitglieder.VD, hldrrr.exe, "Rootkit Haxdoor", "Hacktool.Rootkit", Trojan.Tooso.R, srosa.sys and wintems.exe
Sophos,
Spybot,
prevx.com,
symantec,
symantec again,
siusic.com,
spybot,
techsupportforum.
And related problems - such as that it destroys safe mode boot up.
hijackthis-forum,
devshed,
castlecops
[Incidentally with regard to the safe mode boot up registry problem I used this version of SafeBootKeyRepair.exe on 30May2008 on a Windows XP SP2 machine and it appeared to work in restoring the operation of Safe Mode without ill effects.]
The fellow on siusic noted (at the end of his post on the link just above) that this virus tended to get activated by starting Internet Explorer. And as the only external bits of software that IE launches at start up are 3rd party toolbars they uninstalled all the IE toolbars, and this helped reduce the activity of this virus.
I did the same and sure enough it helped.
About 3 more Symantec Anti-virus full scans down the road and a couple of reboots, and still at start up I get the "Select file to crack" message.
So I look on the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
to see if I can stop anything suspicious.
Interestingly I see the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\swg
which is running:
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Also I notice it has once again created this key in the registry: HKEY_CURRENT_USER\Software\FirstRRRun
Now GoogleToolbarNotifier.exe, as you may know from what-is-exe.com, is supposedly an exe that monitors your browser to see if anything tries to change your default search engine. However, I'm wondering why, after I have un-installed Google toolbar, this file is still starting up when Windows boots, so I go and check the file and I discover the file has a curious red cross icon, and bizarre copyright information. It refers to "microsoft" without any (c) or years.
Clearly whatever version of this malware virus I have inherited has replaced the real GoogleToolbarNotifier.exe with its virus alternative.
The "Select file to crack" dialog is being created by "CTHELPER.EXE" which is supposed to be a supporting file for Creative Labs Soundblaster devices (see liutilities) ... but clearly not in my case.
A search of the machine shows that there are 4 copies of CTHELPER.EXE on the machine in question, these are in c:\Drivers\Audio\addon\common\amd64, c:\Drivers\Audio\addon\common\i386, C:\WINDOWS, and C:\WINDOWS\System32. The version of the file in C:\WINDOWS\System32 has the curious red cross on it like the hijacked version of GoogleToolbarNotifier.exe! Also it is exactly the same size as the hijacked GoogleToolbarNotifier.exe.
I then did a file search using FileBoss from theutilityfactory for all files on my machine of this exact same size: 692,224. It revealed that there was another copy of this file called "mdelk.exe" and a load of copies called things like "A0056###.exe", i.e. A followed by 7 digits, e.g. A0056227.exe. There were some legitimate files of this exact size too, but I checked the properties and the weird red cross icon to see that these were indeed the same virus file.
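The same hunt can be scripted. This is an added example, not part of the original post: it walks a directory tree for files of one exact size and groups them by SHA-256, which separates renamed copies of one binary from unrelated files that merely share the size, without relying on the icon or the version properties. The size 692,224 and the file names come from the post; the function names and the demo directory tree are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

SUSPECT_SIZE = 692_224  # byte size reported in the post


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def files_of_size(root, size):
    """Yield regular files under root whose size is exactly `size` bytes."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path):
                    continue  # do not follow links out of the tree
                if os.path.getsize(path) == size:
                    yield path
            except OSError:
                continue  # file locked or removed while scanning


def group_by_hash(root, size):
    """Map SHA-256 digest -> sorted paths, for files of the given size."""
    groups = defaultdict(list)
    for path in files_of_size(root, size):
        try:
            groups[sha256_of(path)].append(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
    return {digest: sorted(paths) for digest, paths in groups.items()}


def copies_of(reference, root):
    """Paths under root that are byte-identical to the reference file."""
    size = os.path.getsize(reference)
    return group_by_hash(root, size).get(sha256_of(reference), [])


def build_demo_tree(root):
    """Constructed sample data: same-size files, three of them identical."""
    same = b"MZ" + b"A" * (SUSPECT_SIZE - 2)
    different = b"MZ" + b"B" * (SUSPECT_SIZE - 2)
    layout = {
        ("WINDOWS", "system32", "CTHELPER.EXE"): same,
        ("Google", "GoogleToolbarNotifier.exe"): same,
        ("demo", "A0056227.exe"): same,
        ("demo", "legit.exe"): different,   # same size, other content
        ("demo", "small.exe"): same[:1000],  # other size, never hashed
    }
    for parts, data in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        for digest, paths in group_by_hash(root, SUSPECT_SIZE).items():
            print(digest[:16], f"{len(paths)} file(s)")
            for path in paths:
                print("   ", os.path.relpath(path, root))
```

A hash match only finds byte-identical copies; a variant that differs by even one byte lands in its own group and still needs to be examined by hand.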
My guess is that the hijacked GoogleToolbarNotifier.exe is being used to copy itself onto the hijacked CTHELPER.EXE and whatever else (if it doesn't exist already) and then start it, which in turn does the infecting of the machine all over again each time Windows starts!
Aren't the guys who design these virus things humorous fellows! 8-)
My Symantec anti-virus failed to spot any of these files in repeated scans, and even when I click on one of these files and say "Scan for virus" it still comes back with "Scan complete, no virus found".
Something I didn't initially notice was that the virus - pretty sure it was this virus (haven't had any other infections recently) - also removed a key from my registry which enables you to "Show hidden files and folders" under advanced settings in windows explorer (-> Tools ->View).
Because the whole key had been removed from the registry I didn't notice initially that the option wasn't displaying on the list of advanced settings at all. So it couldn't be set one way or the other. It just wasn't there to be set.
I noticed this when I came to look at some files on my PocketPC (my T-mobile MDA pro PDA which I use to test development of PocketPC applications that I build for clients). When I looked at the files on the PocketPC via the windows explorer on the desktop, the /Temp and /Windows folders didn't appear, even though I could see them via the File Explorer on the Pocket PC.
The way to get the "Show hidden files and folders" option back is to re-create the registry key. You can do this by manually editing your registry (ball-ache) or by running a simple script. Gertnoob on cnet very helpfully provides one here: Show hidden files and folders.
Or copy the following into a text file with a .reg extension. Then double-click on it to merge it into your registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID"="shell.hlp#51131"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
Sophos,
Spybot,
prevx.com,
symantec,
symantec again,
siusic.com,
spybot,
techsupportforum.
And related problems - such as that it destroys safe mode boot up.
hijackthis-forum,
devshed,
castlecops
[Incidentally with regard to the safe mode boot up registry problem I used this version of SafeBootKeyRepair.exe on 30May2008 on a Windows XP SP2 machine and it appeared to work in restoring the operation of Safe Mode without ill effects.]
The fellow on siusic noted (at the end of his post on the link just above) that this virus tended to get activated by starting Internet Explorer. And as the only external bits of software that IE launches at start up are 3rd party toolbars they uninstalled all the IE toolbars, and this helped reduce the activity of this virus.
I did the same and sure enough it helped.
About 3 more Symantec Anti-virus full scans down the road and a couple of reboots, and still at start up I get the "Select file to crack" message.
So I look on the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
to see if I can stop anything suspicious.
Interestingly I see the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\swg
which is running:
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Also I notice it has once again created this key in the registry: HKEY_CURRENT_USER\Software\FirstRRRun
Now GoogleToolbarNotifier.exe, as you may know from what-is-exe.com, is supposedly an exe that monitors your browser to see if anything tries to change your default search engine. However, I'm wondering why, after I have uninstalled Google toolbar, this file is still starting up when Windows boots, so I go and check the file and I discover the file has a curious red cross icon and bizarre copyright information. It refers to "microsoft" without any (c) or years.
Clearly whatever version of this malware virus I have inherited has replaced the real GoogleToolbarNotifier.exe with its virus alternative.
The "Select file to crack" dialog is being created by "CTHELPER.EXE", which is supposed to be a supporting file for Creative Labs Soundblaster devices (see liutilities) ... but clearly not in my case.
A search of the machine shows that there are 4 copies of CTHELPER.EXE on the machine in question; these are in c:\Drivers\Audio\addon\common\amd64, c:\Drivers\Audio\addon\common\i386, C:\WINDOWS, and C:\WINDOWS\System32. The version of the file in C:\WINDOWS\System32 has the curious red cross on it like the hijacked version of GoogleToolbarNotifier.exe! Also it is exactly the same size as the hijacked GoogleToolbarNotifier.exe.
I then did a file search using FileBoss from theutilityfactory for all files on my machine of this exact same size: 692,224. It revealed that there was another copy of this file called "mdelk.exe" and a load of copies called things like "A0056###.exe", i.e. A followed by 7 digits, e.g. A0056227.exe. There were some legitimate files of this exact size too, but I checked the properties and the weird red cross icon to see that these were indeed the same virus file.
My guess is that the hijacked GoogleToolbarNotifier.exe is being used to copy itself onto the hijacked CTHELPER.EXE and whatever else (if it doesn't exist already) and then start it, which in turn does the infecting of the machine all over again each time Windows starts!
Aren't the guys who design these virus things humorous fellows! 8-)
My Symantec anti-virus failed to spot any of these files in repeated scans, and even when I click on one of these files and say "Scan for virus" it still comes back with "Scan complete, no virus found".
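The same-size search described above, as an added example that is not from the original post: it confirms each candidate by SHA-256 against one known-bad copy rather than by icon, since legitimate files shared the size. The function names and the sample tree are constructed for illustration.

```python
import hashlib, os, pathlib, tempfile

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are never read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage_by_size(root, reference):
    """Split same-size files under root into hash matches, size-only collisions, unreadable."""
    ref_size, ref_hash = os.path.getsize(reference), sha256_of(reference)
    ref_real = os.path.realpath(reference)
    matches, collisions, unreadable = [], [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) != ref_size:
                    continue
                if os.path.realpath(path) == ref_real:
                    continue  # the reference sample itself
                same = sha256_of(path) == ref_hash
            except OSError:
                unreadable.append(path)  # locked or access denied: report it
                continue
            # A collision is only "not byte-identical", not proven clean.
            (matches if same else collisions).append(path)
    return sorted(matches), sorted(collisions), sorted(unreadable)

def demo():
    """Run the triage over a constructed tree (stand-in bytes, not real samples)."""
    bad = b"MZ" + b"A" * 4094    # constructed stand-in for the hijacked exe
    other = b"MZ" + b"B" * 4094  # same size, different content
    layout = {"ref/GoogleToolbarNotifier.exe": bad, "sys/CTHELPER.EXE": bad,
              "sys/mdelk.exe": bad, "restore/A0056227.exe": bad,
              "apps/legit.exe": other, "apps/small.exe": b"MZ"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            full = pathlib.Path(root, *rel.split("/"))
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(data)
        ref = os.path.join(root, "ref", "GoogleToolbarNotifier.exe")
        m, c, u = triage_by_size(root, ref)
        return sorted(map(os.path.basename, m)), sorted(map(os.path.basename, c)), u

if __name__ == "__main__":
    print(demo())
```

Files that end up in the unreadable list are worth checking from a clean boot environment, where a running process cannot hold them open.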
Addendum - "Show hidden files and folders" option is missing!
Something I didn't initially notice was that the virus - pretty sure it was this virus (haven't had any other infections recently) - also removed a key from my registry which enables you to "Show hidden files and folders" under advanced settings in Windows Explorer (-> Tools ->View).
Because the whole key had been removed from the registry I didn't notice initially that the option wasn't displaying on the list of advanced settings at all. So it couldn't be set one way or the other. It just wasn't there to be set.
I noticed this when I came to look at some files on my PocketPC (my T-mobile MDA pro PDA which I use to test development of PocketPC applications that I build for clients). When I looked at the files on the PocketPC via the windows explorer on the desktop, the /Temp and /Windows folders didn't appear, even though I could see them via the File Explorer on the Pocket PC.
The way to get the "Show hidden files and folders" option back is to re-create the registry key. You can do this by manually editing your registry (ball-ache) or by running a simple script. Gertnoob on cnet very helpfully provides one here: Show hidden files and folders.
Or copy the following into a text file with a .reg extension. Then double-click on it to merge it into your registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID"="shell.hlp#51131"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
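Before merging a .reg file copied from a web page, it can be decoded to see which keys it touches and what its hex values contain. This added example (not part of the original post; the function names are illustrative) parses an excerpt of the text above, decodes the hex(2) Bitmap value, and lists any key outside the Folder\Hidden subtree.

```python
import re

# Excerpt of the .reg text shown on this page (two of its three keys, values trimmed).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"CheckedValue"=dword:00000001
"HKeyRoot"=dword:80000001
'''

# Subtree this repair file is expected to stay inside.
ALLOWED = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"

def decode(raw):
    """Turn a .reg value literal into a readable Python value."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ stored as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return raw  # unknown type: keep the literal for manual review

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a Version 5.00 .reg file."""
    folded = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in folded.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = decode(m.group(2))
    return keys

def keys_outside(parsed, allowed=ALLOWED):
    """Key paths (including [-key] deletions) outside the subtree being repaired."""
    a = allowed.lower()
    return [k for k in parsed if k.lower() != a and not k.lower().startswith(a + "\\")]

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE)
    print(parsed[ALLOWED]["Bitmap"], keys_outside(parsed))
```

An empty result from `keys_outside` means the file only writes under the key it claims to restore; any other path, such as a Run key, is a reason not to merge it.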