Microsoft to discontinue making Microsoft Money

June 10th, 2009 by tungsai


You know, I have mixed feelings. I use Money 2002, because the newest versions were way too bloated with bells & whistles. (Plus I already had a license and I didn’t wanna pay any more, especially after trying the trial period of 2007.) I religiously put my data into Money, but it has only been able to actually accurately do a couple things: Make pie charts of our spending categories, and provide a history of transactions better than the bank. After a year, it *sort of* predicts future cash flow & net worth, but applies it to the wrong accounts.

Completely useless were the areas where I was supposed to “Build my portfolio”, as all my various TIAA/CREF, Fidelity, American Funds, etc., are broken down into at least 15 if not more different actual “Funds” that have a stock symbol. I never took the time to meticulously add them in, except for once I tried it, and Money got the numbers all wrong. Yeah, yeah; garbage in, garbage out; but should it BE so complicated that I can’t “Just Do It”? So… Scrap the investment tracking.

The newest version of Money even went so far as to offer to automatically connect to ALL my accounts and download daily updates. It reminded me of the robust, vast array of drivers available in NT 4.0 Server: Though a huge list of providers appeared to be available, none of them were used by me, so that feature was useless.

Yeah, its sole purpose has pretty much been to see “Gee, how much did we spend on diapers THIS month?” but even such granularity could not be obtained, since diapers are always mixed in with other purchases that got labeled “Household” or “Groceries”.

I don’t know if 2007 or whatever the latest version has this problem, too, but Money is also very bad at guessing what category a transaction should be if it has any type of unique number in it whatsoever, which 90% of them do. Very annoying.

So, in conclusion, I guess the only major thing I’m going to lose is the ability to see where spending has been in the past.

odsca.dll malware update – day 5

January 30th, 2008 by tungsai

Yesterday I finalized my “Forensic Analysis” of the unknown malware that my work PC had contracted. I sent the results to McAfee, and was given instructions on how to provide them with the actual files. I did this, and I got an immediate response from an automated system that indicated complete ignorance of any known maliciousness.

I now believe I know how it was able to launch itself even in safe mode, and keep itself alive no matter what. However I don’t know how it got there, unfortunately. I suppose I could just begin brazenly surfing teh innernets full throttle until I saw it again, but at this point I’ve got other things to work on.

The way that I finally discovered the malicious files was using Filemon from SysInternals, which I had done a few days ago but did not realize that what I was witnessing was malicious.

In the Windows Registry, the following new key was inserted:

HKLM\Local machine\software\microsoft\windows NT\CurrentVersion\Winlogon\

Attempting to delete / rename / remove permissions from this key results in it getting instantly re-created back to the original state! This DLL is also listed in two other areas of the registry as well; the DLL register areas or something. (In an area that I don’t go into very often, under the CurrentControlSet region).

This apparently is causing winlogon.exe to execute the DLL located in C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\ICONS\ODSCA.DLL.

In the same directory, multiple similar but different files were getting created. The filenames were acsdoXX.dat, where XX is some combination of ascending or descending letters, such as acsdoaa.dat, acsdoab.dat, acsdoac.dat, etc. I did not try to delete these files, or if I did, I also got “Access Denied”.

Attempting to delete the file results in “Access Denied”.

After determining this, I finally decided that I need to get to some other projects and tasks at work so I’m reformatting C:\ and reinstalling windows. If McAfee or SANS get back to me, and anything more comes of this, I’ll let you know.
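The indicators described in this post (a DLL loaded by winlogon.exe from outside the system directory, acsdoXX.dat files appearing beside it, and refused deletes) can be checked mechanically against a file-activity log. The following is an added example, not code from the original post; the tab-separated log layout, the sample events and the function names are constructed assumptions rather than Filemon's actual export format.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

ICONS = r"C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\ICONS"  # directory named in the post
# Constructed sample events (process, operation, path, result) in an assumed
# tab-separated layout; this is not Filemon's real export format.
SAMPLE_LOG = "\n".join("\t".join(e) for e in [
    ("winlogon.exe", "OPEN", r"C:\WINDOWS\system32\msgina.dll", "SUCCESS"),
    ("winlogon.exe", "OPEN", ICONS + r"\ODSCA.DLL", "SUCCESS"),
    ("winlogon.exe", "CREATE", ICONS + r"\acsdoaa.dat", "SUCCESS"),
    ("winlogon.exe", "CREATE", ICONS + r"\acsdoab.dat", "SUCCESS"),
    ("explorer.exe", "DELETE", ICONS + r"\ODSCA.DLL", "ACCESS DENIED"),
    ("explorer.exe", "OPEN", r"C:\WINDOWS\explorer.exe", "SUCCESS"),
])

SYSTEM_DIR = r"c:\windows\system32"  # assumption: where winlogon's DLLs normally live
DROP_NAME = re.compile(r"^acsdo[a-z]{2}\.dat$", re.I)  # acsdoXX.dat naming from the post

def parse(log):
    """Yield one dict per well-formed line; skip anything else."""
    for line in log.splitlines():
        parts = line.split("\t")
        if len(parts) == 4:
            yield dict(zip(("process", "op", "path", "result"), parts))

def in_system_dir(path):
    """True only for the system directory itself or a real subdirectory of it."""
    d = dirname(path).lower()
    return d == SYSTEM_DIR or d.startswith(SYSTEM_DIR + "\\")

def analyze(log):
    events = list(parse(log))
    # 1. DLLs that winlogon.exe touches outside the system directory.
    dlls = sorted({e["path"] for e in events
                   if e["process"].lower() == "winlogon.exe"
                   and e["path"].lower().endswith(".dll")
                   and not in_system_dir(e["path"])})
    dirs = {dirname(p).lower() for p in dlls}
    nearby = [e for e in events if dirname(e["path"]).lower() in dirs]
    # 2. acsdoXX.dat-style files sitting beside a flagged DLL.
    drops = sorted({e["path"] for e in nearby if DROP_NAME.match(basename(e["path"]))})
    # 3. Deletes in that directory that were refused.
    denied = sorted({e["path"] for e in nearby
                     if e["op"] == "DELETE" and e["result"] == "ACCESS DENIED"})
    return {"winlogon_dlls": dlls, "dropped_files": drops, "denied_deletes": denied}

if __name__ == "__main__":
    for kind, paths in analyze(SAMPLE_LOG).items():
        print(kind, paths)
```
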


Reboot caused new, lamer message to appear

January 29th, 2008 by tungsai

The saga of my unknown malware continues. I tried that RunAnalyzer, and it was just so much information that I had no idea what was legitimate and what wasn’t. Sorry, but I don’t have hours to parse through all that information. I will say that it is very interesting though.

So, I rebooted, to see if a new, randomly generated message would appear. Sure enough, a NEW dialogue appeared! Even dumber than all the previous:


Important – Errors found in the system

During the scan of files which are start automatically at computer startup, a critical errors in system registry were found.

0x01ff0010 irql: 1f SYSVER 0xbf04014

NT_Kernel error 1276 (EXCEPTION NOT HANDLED)

[ OK ]


So dumb, it’s not even worth commenting how many red lights go off. They just threw a bunch of random windows terminology together! I logged out, then back in, and, the same message popped up again. And again, after a 2nd logout. And again, after a 2nd reboot. I guess maybe they rotate at some random, unknown cycle.

I ran REGEDIT and looked in the Start > Run areas where malware likes to hide; and nothing of note whatsoever there. Some NVidia stuff and Pivot Pro, my 3rd party software (Well past its expired trial period), and my AV stuff but nothing weird.


The thing is, these messages show up as actual APPS running in the Windows Task manager, yet I can find NO registry, DLL, startup, whatever, of what is spawning them! I really think that possibly some key system DLL or exe has been compromised but I CANNOT tell which.



The SysInternals program ProcExp.exe verified every single EXE I could see. Besides, I don’t think it does a very good job of showing me every execution thread; because when I opened five explorer windows, it did not indicate any new sub-threads of explorer.exe.


So this program does not help me.


Possible Malicious Infection – Day 3

January 29th, 2008 by tungsai

So, I log on, boot up, and two pop-ups appear on my desktop. The first one is UltraMon.exe crashing. Probably / Maybe legitimate; Ultramon is the program I use to control my Awesome Triple Monitor setup. But the Other, Oh, the OTHER message…. Well, have a look:



SysFader: IE7XPLORER.EXE – Application Fatal Error

The instruction at 0x0f634739 referenced memory at 0x03ac4e50. The memory could not be read. Click on OK to terminate

[  OK  ]


Now, although SysFader is a legitimate thing that I’ve heard of (It’s what windows uses to make your background fade to dark greyscale when logging out, etc.), the executable “IE7XPLORER.EXE” does *not* exist. And even if it were a legitimate IE7, I DID NOT LAUNCH it. Nor was it in my startup. So, why would sysfader / IE7 get an “Application Fatal Error”? Answer: IT WON’T.

Note: This message ALSO appeared as a little warning bubble in the SysTray, you know, those

For laughs, I googled “IE7XPLORER.EXE”…


DUH! Big surprise there. Still… it’s amazing that NO HITS occurred. (By the time you read this, Google will have already picked up my Blog.)

Also interesting of note is that no other antivirus companies other than the one mentioned yesterday (SaliarAR) have identified it. It reminds me of the ages old theory about how Antivirus companies would create the viruses, release them into the wild, and then, Voila! Here’s a cure… for $60! Not that I’m accusing this SaliarAR of doing such things… but it just reminds me of that old joke / conspiracy theory.

Since this occurred at boot-up, Noel suggested I try this program called RunAnalyzer, available from the folks who do Spybot Search & Destroy. I downloaded it, installed it, and it appears to be taking a while. I’ll take this opportunity to post this page, for the benefit of White Hatted Admins.

Correction: There IS a legitimate process called "System".

January 28th, 2008 by tungsai

Oh well! *Blush*

However, I have used the following tools to try and discover what is launching these pop-ups, and, near as I can tell, explorer.exe itself is launching them.

–Spybot Search & Destroy

–McAfee VirusScan

–AdAware 2007

–Filemon (SysInternals)

–Procmon (Sysinternals)

–ProcXP (VERY cool util, thanks Ryan) (Sysinternals)

Strange Windows Pop-up

January 25th, 2008 by tungsai

Today my XP machine popped up with the following dialogue box:





Unhandled exception in WINSYSLDR.EXE (0xCD003592) Division by zero.


Not knowing if it was a malicious thing, i.e., a fake pop-up box where if you click “OK” you’re actually launching some evil virus, I Googled WINSYSLDR.EXE and got…




Yes, that’s right- the Internet has NO knowledge of WINSYSLDR.EXE. Now, everybody knows that a Division by Zero error can happen from time to time if an application is written poorly. This pop-up dialogue box has all the marks of a legitimate error message… EXCEPT for the fact that nobody in the world ever seems to have heard of WINSYSLDR.EXE. That is impossible.

My next step to investigate this strange error is, obviously, to search my system for WINSYSLDR.EXE. It took a while, since I run a very bloated XP machine, loaded with crap, including drivers & extra programs for my Triple Monitor Setup. But, sadly, the little puppy found nothing. NOTHING!! The file does not EXIST on my machine!



Luckily, the dialogue was still on my desktop, so I used a little trick to find out exactly what process was feeding the dialogue box. By pressing CTRL+ALT+DEL, I brought up the Task Manager and sorted by CPU. Then I dragged the dialogue around the screen quickly by the title bar, and watched for some process to start taking more CPU power. The only process I could see that was accelerating when I did that was my “UltraMonTaskbar.exe”. I killed it, and the pop-up remained. Perhaps it was just too small to register on the top of the task list, but at this point I had to move on to other things and so I just “X”’ed the dialogue, rebooted, and posted this blog.