0xBAADF00D

I understand trying to protect your IP, I really do, but that understanding stops when it comes to making your user’s life miserable. This is what Pinnacle Studio did to me for about half a day.. Half a day I’ll never get back, and let me tell you, half a day at this point in my life is easily like a week of time from my 20s.

So the story goes like this… I got a bizarre series of questions from one of my good friends over IM. I went back and forth a few times and just kind of dismissed it. Two days later I had the exact same exchange and the bot filter in my head got tripped. This was definitely some kind of bot I was talking to. So I alerted him that his account my have been compromised and helped him scan his box to make sure nothing got past the no pest strip. All was good. Then I decided to give my own system a shakedown just for good measure. It found the regular host of false positive baddies that I have lying around for recovering passwords and the like, NirSoft and Sysinternals stuff.

The thing that got my attention was an apparent rootkit that was discovered that was reported as being critical and was known to spoof browser logins and steal passwords. Now I’m seriously paranoid about the security of my system and watch every process like a hawk, and I don’t really engage in any dangerous activities anyway, but since I’m paranoid I understand every system has it’s weakness and mine is no exception.

So I got out my trusty copy of Rootkit Revealer and let it chew on the system for a while, and wouldn’t you know it, it turned up the same set of registry keys as suspicious. The keys contained ‘embedded nulls’. From the Rootkit Revealer page:

Key name contains embedded nulls.
The Windows API treats key names as null-terminated strings, whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit. The Reghide sample code at Sysinternals demonstrates this technique, which is used by both malware and rootkits to hide Registry data. Use the Sysinternals Regdellnull utility to delete keys with embedded nulls.

Here are the keys:

Details: HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
Details: HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}
Details: HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}
Details: HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}
Details: HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}
Details: HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}
Details: HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}
Details: HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}
Details: HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}
Details: HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}
Details: HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
Details: HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}

At this point a slowly burning panic set in, because like I said before, I have a healthy dose of paranoia. A single false positive is one thing, but two starts to give the reported incursion some weight..

Searching around the net just deepened the paranoia as more and more people reported all kinds of horrible things with the same registry keys. I still wasn’t 100% convinced this was a legitimate hit, something told me we could all have the same application installed, because the reports were so different in every case it seemed like the registry keys were the only thing that was the same. Then I stumbled on a forum post in the Spybot Search & Destroy forum. They found that Pinnacle Studio 9 was hiding registration/licensing information using those keys. So basically they were using rootkit methods for general use.

While some people might say that it is up to the detection software to filter out legitimate software from malicious software, I just don’t agree. This approach was a decision by Pinnacle, and not a decision that effected the quality of their software or contributed to a novel feature that gave me more return for my investment. All it did was make it easier for them to do something at the expense of my system. I just think there is something unethical about that behavior and I’m not going to start some kind of online campaign. I’m just going to not give Pinnacle any more of my money and look for a competing product that does not muck about in my system’s internals to solve a problem they are having.

Category: fixes, Tips | No Comments »

Recently I starting having problems burning DVDs, specifically DVD-Rs at my burner’s max speed in Nero Buring ROM 6.6. The exact error I was getting was:

“Power calibration error”

I didn’t change my buring process, or the type of stuff I was backing up, and I didn’t change the media I normally use. So I just thought my burner was dirty, or was failing. It was going on somewhere near 5 years and I use it a lot. Having it fail was a distinct possibility. So I started searching around the net and reading in forums to try to understand what could be causing the problem. It was looking more and more like hardware failure.

Then by chance I used ImgBurn, and I saw the following warning in the log:

“SPTD can have a detrimental effect on drive performance.”

So I decided to do some more digging and found out that SPTD stands for SCSI Pass-Through Direct. Which is a device driver developed by Duplex Secure Ltd which provides a new method of access to storage devices. It is something used by Daemon Tools, which I had installed not to long ago to do some work with ISO images, and then promptly forgot about.

So I uninstalled Daemon Tools and tried to burn another disc. I was surprised to find that the burn failed again with the same error. I took a look in my registry, in the drivers section to see that SPTD was still installed and there was no clear way to remove it.

So it was back to searching through forums. I found a few posts that described messy manual ways of removing the driver from the system. The best way I found was to download the driver installer from: www.duplexsecure.com and then when prompted, click the ‘uninstall’ button.

After a reboot, no more problems burning DVDs at any speed or media format. What a long and painful road…

Category: fixes, Tips | No Comments »

So I pretty much live on the command line in windows ( cmd.exe ), call me old fashioned, but I like the power and flexibility. One thing that irritated me is that, by default, my input prompt keeps shifting right with the length of my directory tree and I have less and less room to enter my commands. What I really want is something that looks like this:

[9:46]::[C:\temp]
:

Where the colon ‘:’ is my input prompt and takes up very little room.

This can easily be accomplished with the PROMPT command in the command shell:

PROMPT [$T$H$H$H$H$H$H]:$M:[$P]$_:

What the above example says is create a prompt with the time which looks like this:

11:19:15.24

Then use $H which is backspace to delete the last 6 characters, so we are left with:

11:19

the $M is just a nice to have feature that lists the name of the remote drive you are on, if that is the case, and the $P lists the current drive and path.

The last thing is the $_ which adds a carriage return and line feed, which gives you the clean line to type your input on.

That’s all there is to it, you can use this page to add your own tweaks..

Category: Tips | No Comments »

While cleaning up my command line tools package DSToolBox I ran across a bug while upgrading to the latest release of TCLAP. Which is a header only template library for command line parsing.

One of the cooler aspects of the library is that it can handle all kinds of type conversions for you so you don’t have to worry about casting them yourself.

This feature is what caused the problem when compiling with the Zc:wchar_t- compiler switch in VC8.

The switch sets the ‘Treat wchar_t as Built-In type’ option to ‘No’.

This is all well and good until we have two templates that resemble the example below:

template<>
struct ArgTraits<wchar_t> {
typedef ValueLike ValueCategory;
};
 
template<>
struct ArgTraits<unsigned short> {
typedef ValueLike ValueCategory;
};

Since wchar_t is no longer treated as a built in type by the compiler, it falls back ( basically ) to:

typedef unsigned short wchar_t;

This causes the compiler to complain with:

error C2766: explicit specialization; ArgTraits<unsigned short>' has already been defined

Since we want to have the library support both types if wchar_t is a real type we can use built in defines to #ifdef it out:

#ifdef _MSC_VER
    #ifndef _NATIVE_WCHAR_T_DEFINED
        #define TCLAP_DONT_DECLARE_WCHAR_T_ARGTRAITS
    #endif
#endif
 
#ifndef TCLAP_DONT_DECLARE_WCHAR_T_ARGTRAITS
 
template<>
struct ArgTraits<wchar_t> {
typedef ValueLike ValueCategory;
};
 
#endif

This way if wchar_t is a built in type we get both template specializations, but if it isn’t we only get one.

Category: C++, fixes | No Comments »