<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-6712879299901784258</id><updated>2008-02-09T11:13:35.096-08:00</updated><title type='text'>Logman's Tech-Talk</title><link rel='alternate' type='text/html' href='http://www.kunitz.net/tech_talk/'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6712879299901784258/posts/default'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.kunitz.net/tech_talk/atom.xml'/><author><name>Logan</name></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6712879299901784258.post-1185275838072563484</id><published>2008-01-20T11:15:00.001-08:00</published><updated>2008-01-20T12:08:09.677-08:00</updated><title type='text'>Funny: Peerless Faucet Un-install Guide</title><content type='html'>I recently installed some faucets in my house, and of course removing the existing faucets was a huge pain in the butt. Like a typical engineer, I waited until after I finished the job to bother reading any of the documentation - anyway, this is what I found. 
Obviously someone at Peerless has a sense of humor (or too much time on his/her hands).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Full document:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157639468117944642"&gt;&lt;img src="http://lh5.google.com/logman/R5OdxRi0aUI/AAAAAAAACEM/-rhrUTopEz4/s288/peerless-faucet-de-install.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Document broken into sections for easy-reading:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157649969312983426"&gt;&lt;img src="http://lh6.google.com/logman/R5OnUhi0aYI/AAAAAAAACEs/AHehrEndllo/s400/Peerless-undo-it-yourself.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157649969312983442"&gt;&lt;img src="http://lh6.google.com/logman/R5OnUhi0aZI/AAAAAAAACE0/hdleHYGw6KI/s400/Peerless-Step-1A.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157649973607950754"&gt;&lt;img src="http://lh3.google.com/logman/R5OnUxi0aaI/AAAAAAAACE8/8nRMlV2sVig/s400/Peerless-Step-1B.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157649973607950770"&gt;&lt;img src="http://lh3.google.com/logman/R5OnUxi0abI/AAAAAAAACFE/9spZ5cj5Y88/s400/Peerless-Step-1C.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157649973607950786"&gt;&lt;img src="http://lh3.google.com/logman/R5OnUxi0acI/AAAAAAAACFM/HtN5UeVdx9E/s400/Peerless-Step-1D.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a 
href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157650080982133202"&gt;&lt;img src="http://lh4.google.com/logman/R5OnbBi0adI/AAAAAAAACFU/8NaFjde8iv4/s400/Peerless-Step-1E.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157650080982133218"&gt;&lt;img src="http://lh4.google.com/logman/R5OnbBi0aeI/AAAAAAAACFc/wNdPLyL7o3g/s400/Peerless-Step-1F.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157650085277100530"&gt;&lt;img src="http://lh5.google.com/logman/R5OnbRi0afI/AAAAAAAACFk/Sb4mRfNcyW4/s288/Peerless-Step-1G.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157650085277100546"&gt;&lt;img src="http://lh5.google.com/logman/R5OnbRi0agI/AAAAAAAACFs/JkkiRfysEd0/s400/Peerless-Step-1H.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157650085277100562"&gt;&lt;img src="http://lh5.google.com/logman/R5OnbRi0ahI/AAAAAAAACF0/rEN_4IVCzJI/s400/Peerless-Step-1I.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://picasaweb.google.com/logman/MiscellaneousSharedImages/photo?authkey=C3WAo1zGpcg#5157650149701610018"&gt;&lt;img src="http://lh4.google.com/logman/R5OnfBi0aiI/AAAAAAAACF8/xd2JcZGKWJQ/s400/Peerless-Step-1J.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='alternate' type='text/html' href='http://www.kunitz.net/tech_talk/2008/01/funny-peerless-faucet-un-install-guide.html' title='Funny: Peerless Faucet Un-install Guide'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6712879299901784258&amp;postID=1185275838072563484' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.kunitz.net/tech_talk/atom.xml' title='Post 
Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6712879299901784258/posts/default/1185275838072563484'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6712879299901784258/posts/default/1185275838072563484'/><author><name>Logan</name></author></entry><entry><id>tag:blogger.com,1999:blog-6712879299901784258.post-788412079324132619</id><published>2007-09-17T06:02:00.001-07:00</published><updated>2007-12-12T20:43:27.278-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='trojan'/><category scheme='http://www.blogger.com/atom/ns#' term='vundu'/><category scheme='http://www.blogger.com/atom/ns#' term='vundo'/><title type='text'>Cleaning the Vundo Virus from your Computer</title><content type='html'>I am still not sure how I got a trojan virus on my computer system. I have a consistently current version of the McAfee anti-virus software, I never download suspicious files, and I am very careful about my actions on the internet. So how could my computer have possibly been infected with a trojan virus? I can understand being infected with a worm, or some other type of virus that exploits a hole in Microsoft's software, but I feel like I must have done something wrong to have a trojan infect my system. I guess this goes to show that even the best of us can be fooled on the internet sometimes.&lt;br /&gt;&lt;br /&gt;Well, regardless of how I initially became infected with the virus, I had no idea how difficult it would be to get rid of the dang thing! When my computer was infected, it didn't take long to realize the problem. Initially I noticed my internet service getting sketchy and my computer becoming more sluggish than normal. I was quick to blame Time Warner for the poor Roadrunner service because I have had internet issues in the past - at least until I noticed some of the more obvious symptoms. 
I noticed Internet Explorer popping up with ads for various random websites, even when I wasn't surfing the web. This was particularly suspicious because I use Firefox. The pop-ups included, ironically, an ad for WinAntivirusPro, which would usually be prefaced with a pop-up that said something along the lines of "Is your computer and internet connection slower than normal? You may have a virus." Well, no sh*t, Sherlock! Of course I have a virus!&lt;br /&gt;&lt;br /&gt;The following is intended to describe some of the pitfalls that I ran into when trying to eradicate my computer of the virus. My hope is that someone will be able to read this and learn from my experience...&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Time for action!&lt;/b&gt; So, I started by running a full McAfee virus scan so that I could get rid of this sucker once and for all! I started the detailed scan, and checked on it the next morning... nothing. It found a bunch of suspicious cookies, but no virus. So, I tried updating the .dat files because I noticed they were a bit out of date, and for some reason McAfee couldn't update the .dat files. This is when I knew things were about to get interesting.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;What Virus do I have anyways?&lt;/b&gt; I was starting to get really concerned about this piece of malicious software that had full control of my computer, because I had no idea what could happen next. Was it snooping for passwords, was it getting ready to format my hard drive, or was it just going to try and sell me WinAntiVirusPro all day every day?!?! So, I went to McAfee's website and tracked down their &lt;a href="http://service.mcafee.com/VirusRemovalHome.aspx?lc=1033&amp;sg=VR"&gt;free virus scan tool&lt;/a&gt;. I ran this on my computer, and lo and behold it found the virus... it was called the &lt;a href="http://service.mcafee.com/FAQDocument.aspx?id=106746&amp;lc=1033&amp;partner=McAfee&amp;type=TS&amp;ia=1"&gt;Vundo &lt;/a&gt;virus. 
The positive side of all this is that the virus didn't appear to be malicious - it was mostly just a means of delivering ads to my computer.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Now there's no stopping me!!&lt;/b&gt; McAfee had some very straightforward instructions on removing the virus, which made me feel like I was finally in control. So, I followed McAfee's instructions for removing the virus, and it seemed like it was working. The coolest tool ever was the Process Explorer from Sysinternals that was referenced in the instructions. With this tool I finally felt like I had control of everything happening on my computer. So, I halted the Explorer.exe and Winlogon.exe processes, and McAfee was finally able to download the latest virus definitions. Bingo!&lt;br /&gt;&lt;br /&gt;&lt;b&gt;First attempt at removing the virus...&lt;/b&gt; So, I followed McAfee's instructions and after running the virus scan, which found and deleted a couple of files associated with this virus, I rebooted my computer hoping it would be gone (I mean, why wouldn't it be??)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The beginning of a very long battle&lt;/b&gt; After rebooting the computer, all of the symptoms from the virus were still present... I had not deleted it. So, I thought to myself: maybe I didn't follow the instructions properly, I mean they were a bit complicated, and I didn't see a Rundll32.exe process like it had mentioned, so maybe that was it? I tried again, to no avail: the virus was still there and for some reason McAfee wasn't finding it.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Beating around a bush.&lt;/b&gt; What next? McAfee failed me, and although I am a fairly good software developer I am not a virus expert. This is where I got depressed because I knew that no matter what route I took it was probably going to be a very difficult one to fight. 
Come on, if McAfee can't detect and delete this virus, why would I have any reason to think that I had a chance in hell at tracking this thing down on my own?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Time to play detective.&lt;/b&gt; After reading a few websites about this virus, I discovered that one of the places this virus liked to put its main application was inside the c:\windows\system32 folder. So, I opened the folder and sorted the files by date. I found a bunch of files that had been created very recently and many of them looked suspicious. I hovered over the DLLs to see what company was listed, and none of the recent DLLs were Microsoft DLLs. They had names like whaodiey.dll, kjkmp.ini2, acbdhvot.dll, pmkjk.dll, etc... So, I went ahead and deleted anything that didn't look like it belonged and had been created within the last few weeks. I found that several of the DLLs couldn't be deleted because they were being used by another application. Ok, so now I just need to figure out how to delete the DLLs - but first I wanted to know how they were getting launched in the first place.&lt;br /&gt;&lt;br /&gt;I opened up McAfee and noticed something interesting in the Reports and Logs section. Evidently registry entries were being modified, and for some reason McAfee was allowing the modifications without notifying me. I opened the logs and browsed to the registry entries that were being modified using RegEdit (&lt;b&gt;Start&gt;&gt;Run&gt;&gt;"regedt32"&gt;&gt;enter&lt;/b&gt;). Under the registry key, which was inside the "Windows\CurrentVersion\Run\" directory, which I believe is where startup services are stored, I opened the registry entry, "FolderView" in this case, and found that it was referencing one of the DLLs that I had just tried to delete. So, I figured I would just delete this registry entry, and maybe the DLL wouldn't start up next time... This didn't work. Not only did the DLL start back up, but the registry entry got re-written. 
I guess the virus developers thought someone might try this.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;A Recipe for Success!&lt;/b&gt; So, now I think I have a good enough grasp of the nature of this virus that I am going to try something a little more drastic. &lt;br /&gt;- I opened up that tool referenced by McAfee (Process Explorer from Sysinternals) and started tracking down which processes were loading the virus's DLLs. There is a cool option with the tool where it will list all of the DLLs loaded by a particular process, and will also list the company referenced by the DLLs. I started with Explorer.exe and browsed down the list to find any DLLs with no company listed. I then cross-referenced these DLLs with my suspected list of DLLs from the System32 folder, and voilà - I found a few matches. So, now is when things get tricky: I need to kill Explorer.exe in order to delete the file, but if I kill Explorer I can't browse through the directories to delete the files - a catch-22. &lt;br /&gt;- So, I opened the command prompt (&lt;b&gt;Start&gt;&gt;Run, "cmd", enter&lt;/b&gt;) before killing the Explorer.exe process (because you can't open new applications once the Explorer process is killed). I wasn't sure if this would work, but it was worth a shot.&lt;br /&gt;- Before killing Explorer.exe, I wrote down the DLLs to be deleted, then I killed it. The desktop went blank and the task bar disappeared, but all the applications that were already open kept running like expected.&lt;br /&gt;- I browsed to c:\windows\system32 and typed "del pmkjk.dll" - this was one of the DLLs referenced by the registry that I was having difficulty deleting before. Unfortunately it didn't work; it claimed that other processes were still using it.&lt;br /&gt;- Now, back to Process Explorer. I used the Find button to search for all processes that referenced this DLL (another excellent feature in this tool). I found that Winlogon.exe, svchost.exe, and lsass.exe were all referencing this DLL. 
So, I started by killing Winlogon.exe. Then, I killed the svchost.exe process. Finally, I killed lsass.exe (not knowing what the process was responsible for). Suddenly I got the message "Your computer will reboot in 1 minute..." Dang it! This virus thought of everything!&lt;br /&gt;- Now I madly rushed to the command prompt and quickly browsed to the System32 folder to delete the DLLs in question. With only a few seconds left I deleted all the DLLs in question that had been referenced by these services, and my computer rebooted.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Am I done yet?&lt;/b&gt; When the computer rebooted, I checked the process explorer for suspicious DLLs and didn't see any - wow, what a relief! So, I browsed to the system32 folder, and finally deleted all of the random files that had been dumped there since I got the virus, and none of them were being used - another relief! I then cleaned up the couple of registry entries that McAfee logged as having changed. Finally I ran a full Virus Scan and found no viruses. 
Success!!&lt;br /&gt;&lt;br /&gt;I hope that my experience here can help some of you out there figure out how to fight this virus old-school style if your anti-virus software fails to get the job done like mine.</content><link rel='alternate' type='text/html' href='http://www.kunitz.net/tech_talk/2007/09/how-i-fought-vundo-virus-and-won.html' title='Cleaning the Vundo Virus from your Computer'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6712879299901784258&amp;postID=788412079324132619' title='4 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.kunitz.net/tech_talk/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6712879299901784258/posts/default/788412079324132619'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6712879299901784258/posts/default/788412079324132619'/><author><name>Logan</name></author></entry></feed>
