TechByter Worldwide


Program Date: 08 Sep 2013

DivX, a Good Video Player Gone Bad

When I received a notification that an update for the video player DivX was ready, I installed it. The installer asked if I would like to install the player module for my browser and I agreed. That was a very bad decision.

There was no obvious immediate change, but the next day when I started Firefox and Chrome, the default search engine and the home page for both browsers were "http://search.conduit.com/?ctid=CT3288691&CUI=UN28173394001009023&UM=2&SearchSource=13". This is a search engine with an extraordinarily poor reputation.

I presume that DivX earns a few cents whenever anyone launches the search.conduit page. That's OK. What's not OK is the fact that the installation was performed without my permission or knowledge and it hijacked both of my primary browsers. By default, I want Chrome to open no pages. Firefox, on the other hand, opens about a dozen pages.

I posted an early version of this article to Facebook and heard from several people that I had just done what I tell everyone else not to do. To which I reply, Yeah, but .... In my own defense, there are some differentiating factors here.

DivX has been a good application and the "player module" was presented as just that, a player module. There was nothing mentioned about adding a new browser bar (I detest browser bars) or about taking over as my primary search engine or about destroying all of my start pages. Given my previous good experience with DivX, I had no reason to suspect foul play.

DivX is no longer on any computer I own because the VLC media player seems to be capable of playing anything that DivX could and VLC doesn't hijack my browsers.

The exploit hijacked Firefox, Chrome, and Internet Explorer. In each case, any start pages I had set were discarded and the Conduit search engine was set as the start page. Additionally, the default search engine for each browser was switched to Conduit.

The URL passes a significant amount of information from my computer to Conduit (specifically, everything after the question mark in the URL). This isn't private information, but I'm sure that it does identify to Conduit the source of the click so that DivX can collect its pieces of silver.
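An added example, not part of the original article: a small Python check that reads Firefox `prefs.js` text, reports any start page or address-bar search URL whose host is not on a list you approve, and breaks out the query-string values that the URL hands to that host. The sample preference lines are constructed around the URL quoted above, `www.example.org` is a placeholder for a start page you chose, and `audit_prefs` is a name made up for this sketch.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Prefs that hold the start page(s) and, in older Firefox releases, the
# address-bar search URL.
WATCHED_PREFS = ("browser.startup.homepage", "keyword.URL")

# Matches string-valued lines such as: user_pref("name", "value");
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);', re.M)


def audit_prefs(prefs_text, allowed_hosts):
    """Return one finding per watched URL whose host is not in allowed_hosts."""
    findings = []
    for name, value in PREF_LINE.findall(prefs_text):
        if name not in WATCHED_PREFS:
            continue
        # The homepage pref can hold several start pages separated by "|".
        for url in value.split("|"):
            parts = urlsplit(url.strip())
            host = (parts.hostname or "").lower()
            if not host or host in allowed_hosts:
                continue  # about:blank, empty entries and approved pages
            query = parse_qs(parts.query, keep_blank_values=True)
            findings.append({
                "pref": name,
                "host": host,
                # Everything after "?" is sent to that host on each load.
                "sent": {key: vals[0] for key, vals in query.items()},
            })
    return findings


# Constructed sample: two prefs.js lines carrying the URL quoted in the article
# plus one start page the user chose (www.example.org is a placeholder).
SAMPLE_PREFS = (
    'user_pref("browser.startup.homepage", "https://www.example.org/news|'
    "http://search.conduit.com/?ctid=CT3288691&CUI=UN28173394001009023"
    '&UM=2&SearchSource=13");\n'
    'user_pref("browser.startup.page", 1);\n'
    'user_pref("keyword.URL", "http://search.conduit.com/?ctid=CT3288691'
    '&CUI=UN28173394001009023&UM=2&SearchSource=13");\n'
)

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS, {"www.example.org"}):
        print(finding["pref"], "->", finding["host"], finding["sent"])
```

Running the same check after each reboot shows whether something on the machine is rewriting the preferences again.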

I can understand why DivX doesn't explain any of this in advance because if they said, "Click this button and we'll delete all your start pages, set your home page to a crappy search engine, and also make that crappy search engine your default search engine," not too many people would take them up on the offer. But if they say they're just going to install (with your permission) an updated "player module", many people will probably accept the offer.

Getting rid of the Conduit search engine wasn't easy.

For Chrome, I needed to visit the Settings panel and remove references to Conduit from the Extensions section. Then I had to change the Home Page option.

Firefox was somewhat more difficult. I restored a previous version of the browser settings with MozBackup and everything seemed to be fine, but when I booted the computer, Conduit was back as my primary search engine. Initially I couldn't find anything in the StartUp directory or in the Registry, but I did find a file named "ministub.exe" in the root directory of the C drive. A Google search clearly identified this application as belonging to Conduit.

That file works in conjunction with some files that DivX and Conduit do everything they can to hide. Together, the files change the default home page and search engine preferences for all browsers. Before I was able to find the files that ministub.exe called, I tested to confirm my hypothesis by renaming the file from ministub.exe to a_really_rude_comment_ministub.exe. When I booted the system the next time, everything remained as I had set it.

Here's the path I followed to resolve the problem.

The Windows 8 Task Manager provides some insight into what applications start when the computer boots. It was here that I found the two culprits by Conduit.

Where are those files located?

I right-clicked the malware entry and selected the Open file location option.

I mentioned that the files were tucked away carefully. They were in:
C:\Program Files (x86)\SearchProtect\bin\.

That's not a directory that the casual observer would choose to examine.

Specific applications exist for Internet Explorer, Firefox, and Chrome. At startup, each of your browsers will once again be "protected" by Conduit.

I deleted the files and the directory. Then I returned to the root directory and deleted a_really_rude_comment_ministub.exe.

At this point, I discovered "Search Protect by conduit" in the list of installed programs. Here again DivX or Conduit has carefully obfuscated its product by moving "conduit" away from the front of the name and setting its own name in lower case.

It seems to me that if you're proud of your work, you'll want people to see your name. After all, I don't name this program "Random Technical Information from techbyter"!

To fix Internet Explorer, it's essential to remove the DivX browser bar and to use Internet Options to reset the default search engine.

So, over a 2-day period this exploit by DivX and Conduit cost me about 3 hours as I conducted a search-and-destroy mission.

I have uninstalled DivX and strongly recommend that you do the same if it's on your computer. Many video players exist and there's no point in using a player such as DivX that installs what can only be called crapware without your permission or knowledge.

Buying a New Router

In honor of my birthday (and a day off on Tuesday), the Wi-Fi part of the Wi-Fi router that I installed a year ago last month stopped working. The D-Link router had a 1-year warranty and it had been in service for 1 year and 4 days. Warranty service would have been useless because I would have had to ship the thing somewhere and wait for it to be repaired. During the interim, most of the computing devices in the house would not have been able to access the Internet because they're wireless. So, it was off to buy a Wi-Fi router.

The first decision I made was not to buy another D-Link router and local stores seemed to have mainly Linksys routers in stock. I haven't owned a Linksys router since before the company was acquired by Cisco, if that tells you anything, and I found one in stock in town that supports the new 802.11ac standard. I had planned to upgrade the router later this year or early next year, once the prices had begun to fall. So the router I bought this week cost about twice what a more traditional router would have cost and maybe $50 more than I would have paid if I'd been able to wait until early 2014.

When I returned, the initial installation took about 5 minutes. The Linksys instructions made no sense and I did what made sense rather than what the instructions said. The on-screen guide was uncommonly good, so I was able to rename the router from "Cisco06068" to something that my devices would recognize (FBI_Surveillance_4267) and to modify the passkey so that all devices that were previously on the network would continue to be on the network.

I found that I had a new "guest" network and I like that addition. I gave it a different passphrase from what's used on our devices.

The next thing I noticed is that the new router's signal is considerably stronger than the signal from the old D-Link device. The small red mark on the image at the right shows the signal strength of the previous router.

When it comes to Wi-Fi, stronger signals are definitely better signals.

But the wired network printer appeared to be off-line. That's because the D-Link router set its address as 192.168.0.1 and the new one is at 192.168.1.1. That single difference meant that the new router had created a new network and because the printer had a static IP address, it existed only on the old network.

Changing the IP address, deleting the existing printer instance from all computers, and allowing Windows to find the "new" printer took care of the problem.

As holiday/birthday time-wasters go, it could have been worse; still, I wasn't planning to spend a big chunk of the day being a computer tech.

When You Can't Connect

Later the same day, I had a discussion with an acquaintance about a Wi-Fi problem. The person's laptop computer was able to connect to the Wi-Fi router, but only when the router and laptop were in the same room.

My first thought was that the router's output might be weak, but the signal strength meter indicated an adequate signal. That's when we learned that a Kindle device in the same room as the laptop was able to connect without a problem. And that turned the problem on its head. Instead of suspecting the router, I now suspected the notebook.

I once had a notebook that frequently lost its connection to the router even when the notebook was in the same room with the router. As a test, I bought a $10 USB Wi-Fi adapter, plugged that in, and turned off the notebook's Wi-Fi adapter. Problem solved. That's what my acquaintance will try.

With Wi-Fi, location is everything.

We also talked about router placement. A 1-foot wall can appear to be several feet thick if the signal from the router to the portable device describes an oblique angle with the wall. The best location for a router is near the middle of the house. Mine is near an outside wall, so I provide fine coverage across the street but only marginal coverage at some locations inside the house.

Fraudsters Continue to Annoy

Who are all these people and why do they want to be friends with me on Facebook and LinkedIn? Who are these women from all over the world and why do they want me to add them to my Skype address book? The answer, in both cases, is that they're up to no good and the best option is simply to ignore them.

Let's start with a Facebook invitation. In most cases, an image will appear at the left of the name. This time it didn't and that was one clue that this was a fraud. That's not a definitive indicator, though. An image might fail to appear for a legitimate request and most of the fraudulent requests do have images.

What is definitive is the location that the link references.

Just hover the mouse cursor over the name of the person who supposedly wants to be friends, or over any of the other links. Don't click. Just hover.

All of the links go to the same location on most fraudulent messages. In any event, the link will not be to Facebook but, as in this example, to a site in Greece.


And here's one from LinkedIn, another service whose name is frequently used for fraudulent messages.

A plug-in for Thunderbird offers the ability to see the type of e-mail program that sent the message. This information is shown in the upper right corner of the message and this message purporting to be from LinkedIn clearly shows that the message came from Thunderbird on a Linux computer.

Of course, hovering the mouse cursor over the purported link shows that the target is not LinkedIn but hai61.com. I checked the registry for this domain name and found that it's registered to a company in China.

Another clue is evident in the "From" line, which says that the message is from "Rashmi Naikar" but the person who supposedly wants to connect with me is named "Hope Looney".

Although someone with the name Hope Looney may exist, I considered that name alone to be a clue that this wasn't legitimate.

Messages such as these may be more effective than the typical bank fraud messages that intend to draw unsuspecting link clickers to sites that will attempt to install malware on their computers because so many people participate in services such as LinkedIn and Facebook and because the messages offer seemingly legitimate and safe links that would allow you to see who the person requesting contact is.

The problem is that those "safe" links have also been poisoned.

When you're reading e-mail, do it from a helicopter and just HOVER.

Skype has its own unique problems.

I use Skype and I maintain a phone number that is associated with Skype. That means people can contact me by calling the number from any phone or by using the Skype name. But two or three times a day, I receive Skype IM solicitations from women (or people posing as women) from countries all over the world.

Skype's security settings could be much better. I have specified, for example, that I will accept internal Skype calls only from people who are in my contact list and this setting is replicated for Skype IMs. This should mean that people such as "winda.chielo2" would not be able to contact me.

Still, several times a day, these "ladies of the phone" ask me to add them to my contact list. My response is always to block the person and to report abuse.

Skype takes a different view of these settings than I do: I don't mind someone calling me by using the Skype phone number, which is why I leave that setting open for anyone who's not obscuring their own phone number. But even if you set Skype IMs and calls to "people in my Contact list only", Skype intentionally allows people to contact you.

Here's how Skype explains it: These requests are coming from "users who are contacting you for the first time and on a speculative basis. There isn't any way to stop this as any 'blanket block' built in would prevent genuine users not on your contact list from contacting you." That, in fact, is exactly what I want. I don't want people I don't know to send IMs and to call using my Skype ID.

So the only solution is to do what I'm already doing.


Short Circuits

FTC Catches Webcam Maker in a Lie

The Federal Trade Commission has accused Internet video camera manufacturer TrendNet of lying to consumers. The company said that the cameras were secure, but according to the FTC the company knew about a security flaw that allowed hackers to take over the cameras at will.

The FTC accuses the company of recklessly endangering their customers because hackers, as early as January 2012, had demonstrated the system's security flaws. The Internet-enabled cameras transmitted customers' login information unencrypted over the Internet, making them clearly visible to anyone who observed the data stream. TrendNet also had a mobile application that was supposed to allow the owner of the camera to control it using their smart phone. TrendNet did upload a security patch to their website when the flaw was revealed and attempted to contact customers.

The FTC is unable to fine the company in this case, but TrendNet has agreed to submit to a 20-year security-compliance auditing program and signed an agreement stating that it will no longer misrepresent the security of its cameras. In signing the consent order, TrendNet makes it possible for the FTC to impose fines if it lies to consumers in the future.

According to the FTC, the company's actions increased the likelihood that consumers would be targeted for theft or other criminal activity as well as making it possible for strangers to observe camera owners' families via the Internet.

The New Yahoo

Yahoo has unveiled its new logo. The old logo was purple, flat, and cartoonish. The new logo is more in the blue range, sculpted, beveled, and somewhat less cartoonish. The old logo carried the registered trademark symbol (®) but the new logo doesn't even have the trademark (™) symbol that is used before a trademark is registered.

Yahoo apparently put a lot of work into designing the new logo, in which the second O is oversized, just as it was in the original logo. It seems that Yahoo wants to share that story.

Perhaps you'll have better luck with it than I did.

Later, hoping that the video would provide some insight into the designer's intent, I was able to watch. It revealed nothing, but at least it was short.

The old logo had been in place since not long after Yahoo was founded 18 years ago. In the 14 months that former Google executive Marissa Mayer has been in charge, Yahoo has changed its policy on working from home, updated the service's main page, improved the e-mail service, and enhanced Flickr. There have also been several acquisitions that are aimed at improving Yahoo's reach on mobile devices. The largest of the acquisitions was the $1.1 billion purchase of Tumblr.

So why is the logo such a big deal? In the words of the company's PR folks: "We wanted a logo that stayed true to our roots (whimsical, purple, with an exclamation point) yet embraced the evolution of our products." And I noticed that one pundit was wondering on Friday if Yahoo's long-time users would accept it because the logo was such a radical departure from what the company had used for the past 18 years.

Combining Real Books and E-Books

As much as I like e-books, there are times when a real paper book has definite advantages. Novels and non-fiction books are generally good candidates as e-books because we read them from front to back without a lot of skipping around. Reference books, on the other hand, are used in a completely different way. We jump from page 36 to 875 to 52 to 457 in tracking down the information we need. That's not so easy in an e-book.

E-books don't take up much space. We can carry around hundreds of titles in a package about the size of a thin trade paperback. Paper books can exist in only one location at a time and they're bulky. So when we buy books, we have to decide which set of advantages and disadvantages we want to accept for this particular book: light and portable or easy to jump around in? You pick one or the other. Very few people buy both.

In a few cases, I've made the wrong choice. Amazon is usually understanding and allows people to return an electronic version of a book and buy a paper copy in its place. Going the other way probably isn't as easy. Or hasn't been. Now Amazon offers a better choice.

Here's how it works: You have to start with the paper version of the book. Then, if you decide that you want the electronic version, you can buy it for $1 to $3 and some of the electronic versions are free to buyers of the paper book. Typical prices for e-books are in the $10 to $15 range.

Currently this is a test of the new service that Amazon calls MatchBook. It doesn't apply just to new purchases though, but to books that you purchased as early as 1995. That, by the way, is when Amazon was founded. It doesn't apply to all books, though. So far only a few publishers have signed up for the program.

Neither Gone nor Forgotten, Ballmer Persists

He may be retiring within the next 12 months, but Microsoft CEO Steve Ballmer will leave the company with either the keys to its own rejuvenation or a time bomb with a burning fuse. Microsoft phones are currently in distant third or fourth place behind Android phones and Apple phones. Microsoft wants to change that, so it bought a Nokia. Not a phone, but the whole company.

In purchasing Nokia's phone business, Microsoft also brings Stephen Elop, Nokia's chief executive, back to Microsoft. The number of analysts who think that Microsoft can move into either first or second place in the phone marketplace is approximately equal to the number of General Motors board members who drive Ford trucks to work. In other words, the $7.2 billion deal isn't likely to change the relative positions of the players.

So why ....?

Well, Microsoft is nearing 40 (38 to be exact) and appears to be going through a mid-life crisis. Microsoft can't buy itself a shiny red convertible or sneak across town to have an affair, so the solution seems to be an attempt to reinvent itself. In a way, Microsoft today looks a lot like Apple did in the mid 1990s. Apple's products were first rate, but sales were lousy. Apple brought back Steve Jobs who ruthlessly transformed Apple. Microsoft, on the other hand, has within about a one-week period announced that its CEO will be stepping down and that it has made a gigantic acquisition.

Big acquisitions are difficult enough when the CEO and the board are all long-time veterans who plan to stick around. A CEO hunt that is simultaneous with an acquisition could spell trouble for both. Of course, it might also be an opportunity.

So why ....?

Microsoft is under a lot of pressure from investors to improve its stock performance. At a time when desktop PC sales are declining, tablet computer sales are increasing, and smart phone sales are exploding, Microsoft perhaps sees an opportunity in a new marketplace. With the advent of the Surface tablet, even though its sales have been disappointing, Microsoft has clearly entered the hardware market.

And that moves it closer to Apple's business model. Despite all the fuss about Apple's operating system, the company is mainly a hardware company.

Blackberry continues to be a force in the smart phone marketplace, but it no longer has the resources it once had. The combined Microsoft-Nokia (MicroKia? NoMicrosoft?) has plenty of money and lots of smart people to call on. Although Nokia is no longer the stand-out leader in the telephone handset marketplace, it does retain second place if you include all phone types, not just smart phones.

Three years ago, Nokia made a deal with Microsoft to use Microsoft's phone software for its smart phones. Despite early stumbles, the current crop of Windows phones are well regarded. If you consider smart phones sold between April and June of this year, just under 80% were Android devices (79.3%). Apple phones had 13.2% of the market. That left 3.7% for Windows phones and 3.8% for everybody else.

So why ....?

But what if there's slightly more to this deal than just the acquisition? Stephen Elop will step down as Nokia's CEO when the deal closes, presumably early next year, and will again be a Microsoft employee. That clearly puts him in position for consideration as the next CEO of Microsoft. Initially, though, he will be responsible for Microsoft's games and music division as well as Microsoft's hardware division. In his previous Microsoft position, Elop ran the business division, responsible for the Office Suite. Earlier, Elop was head of Macromedia when it was acquired by Adobe and he ended up running Adobe's field operations.

In other words, this 49-year-old Canadian seems to be a top candidate for the top slot at Microsoft.