Sunday, June 26, 2011

Anti-Malware Tools of Note

As promised, here is a resource-dump of some anti-virus/anti-malware tools I either use or came across in my recently documented battles that I thought would be helpful for reference.

As with many things in life, having the right tool for the particular job at hand can save much time and aggravation.  Hopefully most of these will already be well known to the GSD faithful readers. But I also hope that maybe one or two of these may be new finds to go into your toolbox.

Obviously this isn’t a complete list.  However, they nicely supplement those I’ve already recommended. Check the side-bar to the left for many more that have been previously shared here.

While I do sometimes favor a direct frontal attack against malware while the system is running “live”, I typically find it much more productive to first whack-away at the infected system “off-line”, having booted the system first in a WinPE environment.  I prefer to use my own custom Sexy USB Boots tools on a write-protected USB stick.  There are lots of flavors of WinPE, including WinFE and WinRE, and each brings its own benefits/drawbacks to the fight.

One important lesson I’ve learned is that the more scratch-space you can spare on your WinPE build, the better your apps will run in the WinPE operating environment.  Check out this WinPE and DISM/PEimg to boost Scratch Space (Ram Disk) post for the details.  If you want to carry the option to boot from several different “boot.wim” files with different scratch-space settings, or maybe WinPE, WinRE, and WinFE boot options all on the same stick, check out this WinPE Multi-boot a Bootable USB Storage device post for some thoughts.

Of course there are lots of different options for building your WinPE as well.  You can go “old-school” and use the Microsoft WAIK, there is WinBuilder, or you can check out TinyApps’ cool find to build a WinPE without any of those extra bits.  AgniPulse sets out a great tool and method in his Beginners Guide to Creating Custom Windows PE.

My own preferred first-strike team is to boot the system with WinPE, then toss the free tool VIPRE Rescue at the system.  There are two things that I think really make this anti-malware tool exceptional.  First, it is easy to use and very thorough. But secondly, it creates some incredible logs and quarantines the files.  Both the logs and quarantined files help me understand what was going on with the infection and possibly what vector it used.  That might help me secure the fixed system and submit the files for additional analysis.

Once the system is running “live” again, I also like to toss Malwarebytes Anti-Malware Free at the system.  It is a pretty aggressive anti-malware scanner with lots of options.

I also like SurfRight’s Hitman Pro 3 and have found it seems to do an exceptional job addressing issues that are missed by many other tools I have used. The plus is that you can use their product to get unlimited free scanning + 30 day removal.

Norton Power Eraser is a very powerful tool to root-out deeply embedded malware from a system. Read their page carefully first.  I’ve had good experience with it myself.

I also keep handy and request a third-scan opinion from the still fairly new Microsoft Safety Scanner.  Being a “standalone” tool of sorts, it can be run in the WinPE environment or on the “live” system.  The trick in WinPE is to make sure your WinPE build has a large scratch-space value.  Check out this 4sysops post Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 for more details.

I do understand that for some folks, the thought of making a custom-spun WinPE boot tool could be quite intimidating.  With that in mind, you will want to keep a copy of the Microsoft Standalone System Sweeper Beta handy.  Of course you will need an uninfected “host” system to create the tool. Download the “builder” utility in either x32 or x64 flavor depending on your hardware and choose a blank CD, DVD, or USB drive with at least 250 MB of space. Execute the tool and build-away.

Of course, you may want to do more with this plain-Jane WinPE build than it lets you.  And you can, if you know the tricks our dear TinyApps bloggist posts in his Extending Microsoft Standalone System Sweeper tips.

Maybe all you want is just to download and burn an ISO file to CD and use it to try to disinfect a system without all those extra bells-and-whistles that I love so much in WinPE.

Well, many reputable security product vendors offer their own tools as well in that same line.

Calendar of Updates has a page that is kept pretty updated Free Anti-Virus Rescue boot CDs including direct links to Avira Rescue CD & BitDefender Rescue CD.

F-Secure keeps their own Rescue CD resource updated. They also offer the fantastic Easy Clean, Online Scanner, and Blacklight rootkit tools.

Likewise, Kaspersky has their own Rescue Disk 10 tool as well as an Online Scanner, an incredibly extensive toolbox of free Virus-fighting utilities to address specialized malware threats, and a tool to remove banners from the desktop and unlock Windows.  Kaspersky also offers valuable documentation on common malware information, viruses and solutions, as well as Rogue security software response guidance.

Dr.Web CureIt! is another LiveCD solution worth knowing.  See also their Sysadmin First aid kit page for some additional resources.

Not “free” for everyone but a good LiveCD resource for Norton product users, check out the Norton Bootable Recovery Tool.  As explained on the page, “You will need your product key or PIN in order to use the Norton Bootable Recovery Tool.”

Likewise, if you are a Sophos customer, they offer the Sophos Bootable Anti-Virus tool. However, they do offer some Free Tools to everyone as well, including some specialized tools, Free Security Scan tools, and their Sophos Anti-Rootkit tool.

Need more? Check out this GSD USB based AV/AM Tools post for many more options.

I have an extensive collection of highly-specialized sysadmin tools at my disposal. However the following tools are always the ones I keep coming back to over and over again. All free.

As malware (and particularly scareware/rogue-security “products”) gets more and more sophisticated, it seems even more highly-specialized tools are needed to fight and restore the damage done by them.

Broken EXE Association is a how-to with REG files for fixing issues launching applications after an infection.

The Updated Combofix (5-23-11) is a highly specialized tool offered by the fine folks at forums.  It is not recommended to run on your own without guidance from their community unless you are already an advanced/professional Windows system specialist. Seriously.  Read their ComboFix usage, Questions, Help? page well and carefully before embarking on its usage.

See also their RKill utility. From that page:

RKill is a program that was developed at that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly remove

And for any Mac users/caretakers who are still reading this post, they also have a BleepingComputer Mac Rogue Remover Tool. Check out that page for more info.

This Google redirect virus forum thread has a lot of great tips and steps to follow in addressing malware in general.

As I last posted, I feel remiss to not re-mention this guide Remove Windows Recovery (Uninstall Guide) over at for a good review and walkthrough of a semi-automated recovery process.

Included in there are two noteworthy tools: RKill (Download Link) and Unhide.exe (Download Link). RKill is a rogue-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this Bleeping Computer Downloads: RKill page for more information as well as this one Question on 'unhide.exe' for more background information on them both.

You can also take the manual restoration approach offered by “colsearle”:

Try navigating to the following path: (make sure you have the hidden files and folders visible)
C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp
Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts
Simply copy the shortcuts back to the original path.

I also found this guide over at SmartestComputing written by “Broni” to be very helpful as well and full of specialized remediation tools and links How to restore files hidden/deleted by Windows Recovery virus.

Although most of what I see nowadays for my home/family/friends systems is Windows 7 and Vista, more than a few still have XP systems. One trick still in my bag from the XP days: when a system has been cleaned of an internet-browsing redirector infection and the internet no longer works, in many cases the network sockets need to be “reset” by running a tool like LSP-Fix or WinSock XP Fix 1.2 (via the MajorGeeks mirror site).  This should only be run on XP systems.

Coming full-circle again in this post, some of these tools and techniques require working on a live running system and others can be done “off-line” using a LiveCD/WinPE/otherOS approach.

If you do go with an “off-line” boot method such as WinPE from a bootable USB flash drive or HDD, you want to be very careful to avoid potential cross-infection in your response/rescue efforts. Yes, a bootable CD/DVD does offer greater protection, but at the same time it can severely reduce the number of options or other tools you can bring to bear on assessing and cleansing the system.

If you have a LOT of bootable ISO files (as I do for specialized situations), then I seriously recommend the awesome iodd device for sysadmins and incident responders, as well as for you semi-pro malware busters.  It allows you to carry many, many, many different bootable ISO files on a portable HDD and pick between them on the fly for off-line system booting.  Couple that with a physical write-block switch and the ability to partition the hard disk drive you cram into it, and you can carry many portable apps on there as well to access if you are booting in, say, a WinPE environment.

If that seems like way too much (and it never could be) firepower, then at least consider a USB flash drive with a write-block switch.  My personal preference is the Kanguru Flashblu II (NewEgg product link).  It is a great value for a reasonably sized USB drive with a write-block switch.  Sony also offers write-block switches on some of their USB flash drives (Alvis has one in fact) but they are getting harder and harder to find.

If you don’t have the option or resources to pick up either one, but do have a bootable USB flash drive that you have already loaded up with all your scanners, tools, and other response files, consider this simple and free tool usbdummyprotect. The trick to using it is to download the tool and unzip, then copy it directly onto your USB drive.  There, run it.  It creates a “dummy” file to fill up all the remaining free-space on your flash-drive.  In theory, this should prevent malware from copying any files to your drive.  When you want your free-space back, just delete the clearly identified dummy file.

Not quite the same thing, but noteworthy, is Document Solutions’ free DSi USB Write-Blocker. You need to download and install this on your own clean system first. Then run the tool BEFORE connecting a USB flash device.  Basically it keeps your own running system from writing TO the USB device once you plug the device into your PC.  This should preserve time/date stamps and prevent other file modifications.  It doesn’t necessarily protect your host system from anything bad on the device itself if you choose to either run anything directly or copy it off the device and run it locally. So understand how it works first, then use it when the situation calls for it.

Finally, in some cases, the malware might have actually damaged or modified the Windows bootloader itself. If this is the case and any of the specialized tools already mentioned didn’t work to restore the Windows boot loader, then you may need to do it yourself.

See this GSD post Partition and Disk Management: Part II – Free and Useful Tools for a rich roundup of resources.

For a really nice and trusted freeware GUI tool check out EasyBCD 2.1 from NeoSmart Technologies.

I also recently discovered MBRWizard, which is not a free product (but it is offered dirt-cheap) and has a great GUI as well.  However, for you value-expecting fans not afraid of a little command-line ninja work, they do offer a CLI Freeware version! Check out the Command line reference page for more information.

Effectively responding to a malware/rogue-ware infection is never an easy task. It takes careful assessment, planning, research, tool/utility/scanner gathering, off-line booting in many cases, and lots and lots of tedious, patience-requiring work.  It takes time, experience, and for the non-technical, lots and lots of help from a devoted community.

Obviously, this post can’t even really begin to scratch the surface of the tools and techniques out there. However, I hope it is a good starting point or comes to be a return-to resource source to collect valuable materials as you go forth and battle.


--Claus V.

Saturday, June 25, 2011

Skirmish 2: A Rogue Security Software battle

Fresh off of having wrestled my friend’s system back from the clutches of a rogue-security product, a few weeks later Dad called in a panic with his Windows Vista system in cardiac arrest.

He had booted his system only to find all their documents, emails, and family photos missing.

On top of that, they had a “security scanner” warning them their system was “infected” in many critical locations and only their product could remove the mess and possibly restore their files.

Oh bother. Not again.

I knew that with this kind of mess, attempting to clean the system remotely would be counter-productive.

Dad offered to drive down and pass the base-unit off to me.

Looks like the workbench was going to stay dust-free.

Basically, I followed the same steps previously outlined in the GSD post Skirmish 1: A Rogue Security Software battle.

However I had to tread just a bit more carefully in the assessment process.

Dad’s system did support direct USB flash-based booting.  So I could use one of my custom WinPE USB boot sticks for just a bit faster off-line booting performance.

I quickly determined (much to his relief) that all the user profiles, documents, emails, and photos were in fact present and accounted for.

Turns out this bad-nasty had done some additional mojo which “hid” all the start program files, as well as the user desktop (folder) environment.

The full list of infected baddies found:

  • Trojan:WinNT/Alureon.S
  • Exploit:Java/CVE-2009-3867.IJ
  • Exploit:Java/CVE-2008-5353.SN
  • Trojan:Java/Mugademel.A
  • TrojanDownloader:Java/OpenConnection.EM
  • Exploit:Java/CVE-2008-5353.QV

Again, another drive-by browsing infection caused by an outdated Java version. Nice…

Because I first carefully assessed the system, in Dad’s system’s case, I had elected to NOT run CCleaner or any other temp-file cleanup tools.  This ended up being a very good thing.

This particular infection had relocated all those critical system/program files and settings into a temp folder.  Had I run the cleanup blindly, I would have ended up nuking all the original files and had to manually rebuild the entire Start/Program list, as well as the desktop items.

The public face of this infection ended up being a variant of “Windows Recovery” malware/rogue-security scareware.

This guide Remove Windows Recovery (Uninstall Guide) over at has a good review and walkthrough of a semi-automated recovery process.

Included in there are two noteworthy tools: RKill (Download Link) and Unhide.exe (Download Link). RKill is a rogue-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this Bleeping Computer Downloads: RKill page for more information as well as this one Question on 'unhide.exe' for more background information on them both.

I preferred to take the manual restoration approach offered by “colsearle”:

Try navigating to the following path: (make sure you have the hidden files and folders visible)
C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp
Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts
Simply copy the shortcuts back to the original path.
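The manual smtmp restore quoted here (and re-mentioned in the tools post above) is easy to get wrong by hand when the numbered folders contain nested sub-folders, so here is an added example of the same procedure as a dry-run-first script. This is my own illustration, not colsearle’s or the post’s code; the folder-number mapping is the one described above, while the XP-profile destination paths and the sample file names are assumptions constructed for the demo.

```python
"""Copy shortcuts that "Windows Recovery"-style scareware moved into
%TEMP%\\smtmp back to their original locations (added example, not from the post).
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Folder number -> destination. The numbering is the one from the post; the
# XP-profile destination paths are assumptions and should be checked against
# the profile you are repairing before running for real.
PROFILE = Path(os.environ.get("USERPROFILE", r"C:\Documents and Settings\user"))
DEFAULT_DESTINATIONS: Dict[str, Path] = {
    # 1 = Start Menu Program shortcuts
    "1": PROFILE / "Start Menu" / "Programs",
    # 2 = Current User Quick Launch shortcuts
    "2": PROFILE / "Application Data" / "Microsoft" / "Internet Explorer" / "Quick Launch",
    # 4 = All Users Desktop folders and shortcuts
    "4": PROFILE.parent / "All Users" / "Desktop",
}


def plan_restore(smtmp: Path, destinations: Dict[str, Path]) -> List[Tuple[Path, Path]]:
    """Walk each numbered folder under smtmp and pair every file with its target path,
    keeping the sub-folder layout (e.g. 1\\Accessories\\Notepad.lnk -> Programs\\Accessories\\...).
    Folders that are absent (the post only saw 1, 2 and 4) are simply skipped."""
    pairs: List[Tuple[Path, Path]] = []
    for number, dest_root in destinations.items():
        src_root = smtmp / number
        if not src_root.is_dir():
            continue
        for src in sorted(src_root.rglob("*")):
            if src.is_file():
                pairs.append((src, dest_root / src.relative_to(src_root)))
    return pairs


def restore(smtmp: Path, destinations: Dict[str, Path], dry_run: bool = True) -> Dict[str, List[Path]]:
    """Copy the planned files back. Existing files at the destination are never
    overwritten (a real shortcut may already be there), and the originals stay
    in smtmp so they can be reviewed or submitted later. With dry_run=True nothing
    is written; "restored" then lists what a real run would create."""
    summary: Dict[str, List[Path]] = {"restored": [], "skipped": []}
    for src, dst in plan_restore(smtmp, destinations):
        if dst.exists():
            summary["skipped"].append(dst)
            continue
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps the shortcut's timestamps
        summary["restored"].append(dst)
    return summary


def demo() -> Dict[str, object]:
    """Build a constructed smtmp tree in a scratch directory (sample data, not a
    real infection), run a dry run and then a real restore, and report counts."""
    base = Path(tempfile.mkdtemp(prefix="smtmp-demo-"))
    smtmp = base / "smtmp"
    sample = {  # constructed sample shortcuts; folder 3 is deliberately absent
        "1/Accessories/Notepad.lnk": "notepad",
        "1/Internet Explorer.lnk": "ie",
        "2/Show Desktop.scf": "desktop",
        "4/Recycle Bin Helper.lnk": "rb",
    }
    for rel, body in sample.items():
        path = smtmp / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    dests = {n: base / "profile" / n for n in ("1", "2", "4")}
    # Pretend one shortcut already exists at its destination to exercise the skip path.
    existing = dests["1"] / "Internet Explorer.lnk"
    existing.parent.mkdir(parents=True)
    existing.write_text("existing")

    dry = restore(smtmp, dests, dry_run=True)
    dry_wrote = sum(1 for p in dry["restored"] if p.exists())
    real = restore(smtmp, dests, dry_run=False)
    on_disk = sum(1 for p in real["restored"] if p.exists())
    preserved = existing.read_text() == "existing"
    shutil.rmtree(base)
    return {
        "planned": len(dry["restored"]),
        "dry_run_wrote": dry_wrote,
        "restored": on_disk,
        "skipped": len(real["skipped"]),
        "existing_preserved": preserved,
    }


if __name__ == "__main__":
    # Default XP location from the post; run is dry unless you pass dry_run=False.
    smtmp_dir = PROFILE / "Local Settings" / "Temp" / "smtmp"
    for src, dst in plan_restore(smtmp_dir, DEFAULT_DESTINATIONS):
        print(f"{src} -> {dst}")
```

Run it once as a dry run, review the printed plan, and only then call `restore(..., dry_run=False)`; do not run any temp-file cleaner before the copies are confirmed, for the reason the post gives.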

I also found this guide over at SmartestComputing written by “Broni” to be very helpful as well and full of specialized remediation tools and links How to restore files hidden/deleted by Windows Recovery virus.

Once all was running/cleaned as expected, I had to re-arm the Windows Firewall (disabled), re-arm the automatic updates (disabled), re-arm the anti-virus application (realtime protection disabled).

Again, all Browser Plugin Updates were applied. I updated all the web-browsers, Quicktime, Adobe Reader, etc.  Removed some toolbars, stuff like that.

Dad returned a week later and after a super-yummy lunch at a local authentic tex-mex dive, the system got handed back and once reconnected at its home, Dad found it to be perfectly restored.

Now if we can’t just push him onto Windows 7….

--Claus V.

Skirmish 1: A Rogue Security Software battle

Note: while some may find this a helpful guide, it is not a “cure-all” malware cleaning process. Every infection is somewhat different.  What I hope to offer is a process I have used to successfully clean a specific infection from a home-user’s system. Your mileage may vary.

More than many weeks ago, my video-desk buddy at the church asked me for advice about what virus-cleaning product I recommended.

In my experience that means two things, someone actually has a compromised system and that any singular answer I provide will be inadequate to solve their problem if attempted.  So I probed further so I could provide a better (more detailed) answer.

Turns out the user was reacting to a report that popped up on their computer warning them they had a whole bunch of infected system files and that their PC was going to perform worse unless they purchased the offered program.

He then proceeded to show me a long list of “infected files” all with crazy names and locations.  He had done some Google work on the files listed but hadn’t made any progress.

Well, I agreed he did have a serious issue, but likely those “files” were just a sham and in fact the security warning/program was the problem.

I told him I’d prefer to have him haul his system up to the church early so I could (off the network) hook it up to a spare monitor/keyboard and take a quick-peek.  He readily agreed.

That afternoon we met up and after what seemed like a ten-minute bootup I agreed his system was running super-slow.  This was a Windows XP system and after I launched the task-manager and it eventually appeared, a number of suspicious running processes were visible.  On top of things, the CPU fan was roaring like a jet taking off. Yes…my friend reported…this behavior had been happening recently also.

I was able to identify and disable the main rogue security app “loader” but significant problems remained and I suspected other stuff was lurking unseen at first glance.

Attempts to run any .exe application executable failed.  Attempts to run CMD failed as well.  The Control Panel was MIA. Bad things were afoot.

This quick-peek told me enough to confirm that my friend had indeed been hit by a scareware/rogue-security “product” infection and was in some serious hurt.

He trusted me to bring his system home and throw it on my workbench to attempt a full cleaning.

So the stage was set.

The battle begins

First thing I did was to off-line boot the system.  This was a bit more challenging than one would expect.

Although it was a nice mini-case IBM ThinkCentre unit, alas, it did not appear to support USB flash drive booting.

So I used one of my WinPE ISO files loaded on my iodd device (with the write-block switch thrown) to get the system up and running with me in control.  I then plugged in my 2GB USB stick that I had preloaded with various utilities and malware-busting tools. (note: because I didn’t yet have my Kanguru Flashblu II drive, I used usbdummyprotect to fill the remaining free space on the drive to avoid a potential write-back infection).

I then ran VIPRE Rescue overnight against the system.  When done it had located and isolated the following infections (and associated bits) in multiple locations:

  • Trojan.Boot.Alureon.Gen (v)
  • Trojan-Dropper.Win32.TDSS.cfvs (v)
  • FraudTool.Win32.FakeRean.e (v)

After rebooting I had a lot of work to do.

Next since the System Properties and Control Panel weren’t working, I discovered that rundll32.exe had been renamed to rundll.exe.  An examination of that file convinced me it was the original file, so I renamed it back and those items worked again.

Since any attempt to launch an application failed, I had to repair that.  This was made pretty easy by using the correct REG file fix found in this Broken EXE Association page.  Fixed.

Because the system was still crawling in terms of performance, I had to start addressing that or else it might take a month to get it running better.

The system was running on 1 GB of RAM (two 512 MB sticks of mismatched speed) with a 40 GB (5400 RPM) HDD almost 90% filled. Yikes!

The virtual memory settings had a very large custom value set, so I rolled that back to let the system manage it instead.  I turned off start-menu animations.

Next, I ensured that all the user’s documents and other files were present and the start-menu lists appeared normal and unaffected by this malware version. Only after that had been established and I had collected some web-browsing log files to see if I could learn the infection point, I ran both CCleaner and CleanAfterMe to neaten things up and gain some additional free hard-drive space.

Disk fragmentation was horrible (although my friend appears to have been dutifully defragging his registry based on a desktop program that I found installed).  So I used JkDefrag Portable to clean that up.

Now that things were running (a bit) snappier, I returned to the infection cleaning.

I used the installed (but apparently overwhelmed) Microsoft Security Essentials tool to re-scan the system.  It didn’t find anything, but now that it was running again, the history showed its battle at the time of the infection to keep the system clean.

  • Exploit: Java/CVE-2010-4452
  • Trojan: DOS/Alureon.A
  • Trojan: Java/Clagent.B

Still not convinced, I next ran Malwarebytes Anti-Malware Free, which found 15 more bits and pieces.

I then sought-out and installed all the most current Browser Plugin Updates as the installed ones were woefully outdated…hence the vector for the infection in the first place.

Next?  I downloaded and ran Hitman Pro 3 from SurfRight.  It revealed some more stuff remaining that indicated a boot-loader infection. Bad-stuff man.  Hitman Pro did its thing and cleaned up that mess.

I recovered both the admin password and OS key as the user had lost those and documented those for him.

Windows Updates had also been borked.  As this was a Windows XP system, I found that running the following command in a (now working again) CMD window got them flowing again.  More info and methods in this Microsoft KB883821 bulletin.

To register the Wuaueng.dll file, follow these steps:

  1. Click Start, click Run, type regsvr32 Wuaueng.dll, and then click OK.
  2. When you receive the following message, click OK:

    DllRegisterServer in Wuaueng.dll succeeded.

Now that the Windows updates were all on successfully, I upgraded the browser to IE8 from IE6. Also found installed (and so updated) were Safari for Windows and Firefox.

I removed the registry defragger and installed Defraggler to provide this user a more friendly tool.  The outdated version of Adobe Reader got removed and replaced with Adobe Reader X instead. Apple Quicktime was updated.

From here I took the system outside and opened up the case.

Loads of dust-bunnies and the foam-intake filter was completely obstructed with dust buildup.  Much cleaning later, the system now was purring quietly along.  All the dust was restricting the cool-air intake over the CPU heatsink (also caked in dust) causing the CPU to run hotter, causing the fans to go into overdrive causing the system fan-noise to require ear-protection.

I turned off System Restore so it would dump all the restore-points, some of which had copies of the infected files. This also added a bit more free-disk space.

I ran both Process Explorer (making sure no other rogue processes were found) as well as Autoruns for Windows (which I used to disable/remove some non-necessary helper services).

I then searched out and updated all the device drivers from the IBM/Intel sites I could find that applied to this particular system. For this particular IBM system, I located this ThinkVantage System Update utility that was a really big help in the process.

A full scan with MS Security Essentials and MalwareBytes AntiMalware both came back 100% clean.

For extra measure I also ran both Kaspersky’s Anti-rootkit utility TDSSKiller and Norton’s Power Eraser. Both also reported no issues found.

I flushed the DNS cache and cleared the Java cache.  HOSTS file looked normal.

Things were looking up.

I dug around on the spec page for this system and found it could support up to 2 GB of system RAM on the mainboard.  It just so happened that I had a pair of matched 1 GB PC2700 333 MHz DDR sticks laying around.  I pulled the original ones and dropped these in.  I think I could hear the system actually take a deep breath and shudder with relief once again.  Performance was much more nimble now!

Alas, I didn’t have a spare drive, but did pass on a note for my recommendation to upgrade to a larger capacity/faster RPM PATA hard-drive as well.


Time invested? Approximately 10 hours (not counting unattended overnight scanning) spread over a week.

Return on investment from gratefully shining face of owner? Priceless.

Lessons learned

Reviewing all the logs, it seemed clear that the user had browsed across a maliciously-coded web page in an unpatched browser running unpatched/outdated browser plug-ins.  I suspect the Java exploit got the ball rolling, and once the actual malware installer app had been dropped/executed on the system, all bets were off despite MSSE’s attempts to protect the system.  For additional information on these things these references might be helpful.

I guess in some ways since the system was in the state it was, the slowness of the performance may have kept things from getting worse or the user being able to continue to work with the infection running in the background. In this case, the scareware/malware only helped cause the system to grind down even slower.

No one single anti-malware app fixed the problem.  Because the malware compromised/changed some key Windows filenames and settings, additional manual remediation work had to be performed.

There are a lot of great cleaning tools out there; the challenge is being familiar with the best of them and knowing which ones are the most effective to apply.

The whole process is quite involved and must be taken through logically, building on each success.

Next post -- same thing but with a twist -- Dad’s PC infection.

I’ll also do a standalone post linkfest listing these and other tools/resources I found helpful or came across in these skirmishes.


--Claus V.

PSA: Browser Plugin Updates

As I prepare my notes for one to two GSD posts on recent rogue-security product malware-purges from heavily infected systems, I’m going to offer a brief public service announcement.

In both cases, a review of the logs generated and collected during the incident responses strongly suggests to me that both infections occurred during innocent web-surfing when the users unknowingly landed on maliciously seeded pages that took advantage of exploitable code in their older versions of Java.

While probably not the specific exploit they encountered, these YouTube videos do illustrate how the process can work.

For more in-depth illustration and analysis of the problem, take a look at these security posts.

Patch it like a hobo

Trying to guide Dad through all the hoops on how to check his Windows (Vista) system early for latest versions of these most popular browser plugins has been quite challenging.  Not only do you have to go confirm the current version you are running (either through the control panel or from the providers’ websites) but then you have to navigate through the download and install process, often trying to avoid an offered “bonus” software product installation in the process.

So, although at work I download such update packages directly from the provider’s source for security reasons, at home and in recommendations to family and friends, I usually just point them to the specific updated package as found on the Plugins Downloads site.  It’s just easier that way.

If you do want to go the “official source only” path, then here you go.

Adobe - Flash Player - This page will tell you what version of Flash you are running and what the latest versions are.

Troubleshoot Flash Player installation | Windows - Links to both the update page as well as the direct manual download links for most current level of both versions; Flash Player 10 ActiveX and Flash Player 10 Plugin.

Adobe - Test Adobe Shockwave Player - this page will play and display a Shockwave file which then tells you your currently installed version of Shockwave.  Write it down then…

…go to this page Adobe - Adobe Shockwave Player to see what the latest version actually is.  If this one is newer, download and install (just watch out for the offered “bonus” software install and uncheck the box if you don’t want it).

To confirm you have the freshest Java beans, pop over to this Verify Java Version page and see what fortune you get.  Need an update?  Well then my bedraggled friend, stop in at All Java Downloads to pick from the buffet.  You likely will be focusing on the Windows 32-bit and 64-bit versions.

I haven’t mentioned it, but Adobe Acrobat is also almost ubiquitously found on Windows systems, and it also must be kept updated to avoid the worst of the PDF-related exploit issues out there.

Updates galore

This past month saw a banner crop of security patches and updates both to the Windows operating system environment as well as many popular Windows browser plugins.  Hopefully everyone who needs these applied them to their systems.  Adobe in particular has become more of a responsible citizen by changing the updating in their products to now do “auto-check” for updates. Oracle has been including a Java-update check service in their product for some time now.

It’s my personal experience that while these auto-update features do work, they sometimes don’t offer an available update until some time after it ships.  And in the case of Java, the notice sits quietly in the system tray as an indicator icon that is easy to overlook.  Adobe at least throws the notice in your face.

I understand and acknowledge the challenges for many home-users in keeping informed and notified of these updates. Heck, it’s hard enough to get some home users to even care about patching third-party systems.

That said, anyone who has either been the victim of a browser drive-by malware infection, or been the guy or gal who had to spend many, many hours cleaning Uncle Bob’s unpatched PC to save the system and Uncle Bob’s sanity (again), knows it’s too serious not to keep an eye out and patch these browser plugins as soon as updates are released.

Patch on Mr. Adams!

--Claus V.

GSD Blog Template Reboot

No, you have not accidentally experienced a page redirection to either the TinyApps.Org or NirBlog website, although they remain quite inspiring to me.

I’m blaming it on the super-hot, super-dry summer.  Looking at the “warm” color-tones previously used on the GSD blog just has made me feel uncomfortable of late.

So we are trying on some new minimalist clothing to weather this long, hot summer here on the Texas Gulf Coast.

I feel cooler already.

--Claus V.

Saturday, June 18, 2011

Finally! Time to Post! New material list

After a recent text from my bro reminding me it has been since March since my last blog post, I was finally able to clear the schedule and set aside some time for GSD posting.

Looking at the sidebar, my blog-posting production has really been on a downward trend over the past few years…much like the rainfall totals here in most of Texas.

I ascribe most of this to a lack of time; work and family commitments have really amped up and what precious little free time I do find seems to go to sleeping and recharging my drained energy cells. However, I assure all that I haven’t lost the passion for blogging or sharing my finds in life and across the webs as I continue to wrestle with IT-related monsters.

So let’s just call this post a warm-up exercise. I’ve still got new material on Xplico, for/sec, as well as at least one massive write-up with my own recent malware-cleaning battles on behalf of my Dad and an IBM-er whose own systems were each about ready to be bagged-n-tagged after a horrible drive-by infection. Good stuff.

Recovered Things

Enchanted Keyfinder - free utility built off the Magical Jelly Bean Keyfinder app but updated. One of a few helpful keyfinder tools I carry around when a family/friend presents me their system for service but doesn’t have any of their OS/product keys. Spotted on CyberNet News

Power Data Recovery - fairly new freeware tool to my toolbox. I use a number of file-recovery software utilities as each one seems to have their own flavor to bring to the rescue attempt.

TestDisk and PhotoRec - CGSecurity - New release version 6.12 out a bit ago. (release notes) If you use PhotoRec regularly, don’t forget about PhotoRec Sorter from builtBackwards.

JFileRecovery - A while back I had to try to recover a super-massive, super-corrupted PST file. It kept failing under normal copy-to-my-USB-drive operations with CRC check errors. I eventually got it copied over and repaired. In the process of finding a tool that would copy it across (errors and all) I stumbled across the Java-based JFileRecovery program. It is no longer free and the leading link is for the “JFileRecovery deluxe” version. That said, you can still find the older/free 0.94 version I was playing with over on Softpedia. Copy that jar file locally along with jPortable Launcher and jPortable and you have one more neat tool to try. While the file size of the PST file I was wrangling exceeded the limits of what JFileRecovery could handle, it has helped with smaller files since.

FREE: EASEUS Todo Backup Free Edition - 4Sysops has a quick review on EASEUS Todo Backup Free. I guess one trick for recovery is to have a backup in the first place….

Utility Updates

EMCO Software has all kinds of neat goodies for sysadmins. Besides their mainstream products, there is some cool Freeware pickings as well, including networking tools like Ping Monitor, MAC Address Scanner. However for here, I’m highlighting MoveOnBoot and UnLock IT for dealing with locked files and other malware-nuisances.

Unlocker by Cedrick 'Nitch' Collomb still remains my favorite “unlocker” tool for dealing with locked files and I install it on all my personal systems. Couple that with Malwarebytes : RegASSASSIN and most locked files/keys can be dealt a knockout punch.

I’ve blogged before about defragging, and I still do periodically, but not as OCD-like as some who approach drive defragging as a “cure-all” for poor system performance. Some nice/free defragging apps that have been updated lately are Auslogics Disk Defrag, IObit’s Smart Defrag, and Piriform’s Defraggler. Each brings its own special flavor to the party. Find the one that fits your needs.

Updates from Sysinternals have been flowing fast-n-rapid-fire lately. Something for everyone here.

Updates: Process Monitor v2.95, TCPView v3.04, Autoruns v10.07, and a new blog post and webcast from Mark. - Sysinternals Site

Updates: ZoomIt v4.2, Process Explorer v14.11, ProcDump v3.04, and Mark Live: Zero Day Malware Cleaning with the Sysinternals Tools - Sysinternals Site

Updates: VMMap v3.1, RAMMap v1.11, Handle v3.46, Process Explorer v14.12 and Mark’s Blog: Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 3 - Sysinternals Site

WhatIsHang - new freeware tool from Nirsoft. “Get information about hang (stopped responding) Windows software.” See Nir’s blog post First version of WhatIsHang is here for more info.

Speaking of Sysinternals and NirSoft, don’t forget about KLS Soft’s WSCC - Windows System Control Center for one-stop downloading/updating of these fantastic tools.

Emiel Wieldraaijer also makes a software called SysInternalsUpdater. The website doesn’t do the tool justice so look at 4Sysops review of the tool: FREE: SysInternalsUpdater – Update Sysinternals Suite

Network Stuff

Sometimes pulling the right tool out for the job isn’t just about the right tool; it’s about the attitude. Although my personal Ethernet cable repair tool, the TRENDnet RJ-11/RJ-45 Crimp/Cut/Strip Tool TC-CT68, seems to do an outstanding job at a sub-$20 price, it is only yawn-worthy.

Instead I pine to deploy the $300 GerberGear Cable Dawg on a high-priority mission.

(To better understand my geek dilemma consult this xkcd: Worst-Case Shopping comic.)

This is one Samuel Jackson chest-thumping bad-ass tool! For consideration see these related posts/videos from Soldier Systems blog where I discovered the tool:

Cable Dawg - via Soldier Systems blog

Gerber Cable Dawg - (video demo) via Soldier Systems blog.

Need? Nope. Want. Heck-yeah!

Previously mentioned, check out the other Freeware made by Emiel Wieldraaijer. Some goodies in there….

Network Activity Indicator by ~laushung on deviantART. Love it but not to be confused with Igor Tolmachev’s IT Samples utility Network Activity Indicator for Windows 7 which is what I run on my own Windows 7 system.

TightVNC got an update to 2.0.3. Read the What's New page for all the fixes/improvements.

Wireshark has been through a pile of updates. Stable version is 1.6.0 now and comes in both 32-bit and 64-bit Windows flavors.

Here’s a handy tool for you Windows HOSTS file cowboys: Host Profiles on CodePlex. For a better rundown of the features and options of this tool, check out this post Hosts Profiles Management as spotted over at Windows7hacker. (Keep in mind the HOSTS file is also a favorite malware hiding spot; an entry that redirects anti-virus or Windows Update sites to a bogus address is a classic tell when you are triaging an infected box.)

Visual Delights

Greenshot - a free and open source screenshot tool for productivity.

Microsoft Research Image Composite Editor (ICE) updated to version 1.4.4 - Use this freeware digital image tool to stitch together panoramic views from a series of overlapping digital image files. This newest update brings features such as video to panorama, lens vignette, improved blending and more. In both 32-bit & 64-bit Windows flavors. For more fun, check out their HD View blog.

Taking Proper Screenshots in Windows for Blogs or Tutorials - Scott Hanselman’s blog. I learned a few good lessons and hereby promise to prefer saving screenshots as PNG files rather than JPEGs. See also these related tools: Ken Silverman's Utility Page and PNGGauntlet - PNG Compression Software.

Simple Desktops & MinimalWall have some super-simple desktop designs. I’m personally using a ton of the high-quality wall images direct from the Microsoft Windows 7 themes site. Due to my stress levels, I find the Nature, Places and landscapes, and the Holidays and seasons ones particularly relaxing when I get home. I don’t run them as “themes” rather I follow the tips in this The Windows Club post How to extract wallpapers from Windows 7 theme pack and pull/dump them into a super-folder that I then set my Windows 7 background/changer to cycle through randomly. Not as pretty but classy, try these Luxury Windows Variations and Luxury Plain Variations by ~Stratification on deviantART out for size.

Alvis blew some baby-sitting cash on an Insignia NS-DV1080P high-def camera a while back. She did her homework on the web first, then went to a local GoodBox store and, on her own, spent considerable time with the service staff looking through the choices. Eventually they conceded defeat at the hands of my geek-let and pulled out (from back-room stock) the camera after showing her many other models. For some info check out local geek John's Blog Space: Insignia NS-DV1080P Review. I’ve been toying with the idea of using it to do live-capture/save-to-HDD of our church service. We run a trio of perma-mount Sony remote-op cams to capture the service and edit the feeds live on a Panasonic video editing board and pipe the output live/direct to a DVD burner. It works but the image quality is not to be bragged on. It does the job but barely. Unfortunately, it seems that Windows 7 x64 does not have the drivers available to use it for live-capture purposes. In the meantime I still have been playing with Debut Video Capture 1.60 Beta and Fx Video Capture Software in the hopes of eventually finding some reasonably cheap HD digital video camera to supplement our video recording work at the church house. Recommendations on a simple hardware/software combo compatible with a beefy Windows 7 x64 system host to plug it all into?

Finally, a great round-up of free virtual PDF printer apps: The best freeware virtual PDF printer: a comparison. I’ve been using PDFCreator or CutePDF when I set up a system for a home user. That said, I think I’ll give their Editor’s Choice recommendation of PDF24 a try next time.

Sound Decisions

Streaming internet radio at work is a mega “no-no” due to bandwidth utilization. And even though my own iPod is crammed full of tunes for the listening, there are just some times when “radio” style play is needed. I’m a big fan of SomaFM Free Internet Radio but unless I am at home, I just can’t consume its chill drone goodness. So lately I’ve been playing with Radio Sure to help me deep-freeze the tunes for some off-line playback goodness. I’ve also flirted with the similar app streamWriter but Radio Sure seems to fit my madness a bit closer. See both of these MakeUseOf blog posts for details on them: Connect To Radio Stations on The Internet From Any Computer with RadioSure and Record Songs From Internet Radio Stations with StreamWriter [Windows]

And if you aren’t getting your fill from the spy-centric Secret Agent: SomaFM portal, then check out this Shortwave Numbers Stations & The Conet Project: An Online Education In Espionage post from MakeUseOf blog for some deeply mesmerizing drone.

House-Cleaning Oft Overlooked

As noted in the intro, I’ve been doing some industrial-strength malware cleaning lately. One step in many do-it-yourself cleaning process flows is to run something like CCleaner at the end to sweep up all the extra temp files and stuff. As a future GSD post will show, that can be a fatal error in some malware remediation work: the temp folders are exactly where drive-by droppers land, and wiping them (timestamps and all) destroys the evidence of what got in and when, before you have confirmed the infection is actually gone. That said, two places that sometimes get forgotten when doing manual temp-file cache cleaning are the Java cache files and the Flash bits (Local Shared Objects, a.k.a. “Flash cookies”, plus per-site settings). Files pulled in by a “drive-by” web-browsing infection can be lurking in these locations; the Java cache in particular is where the exploit JAR from a drive-by often ends up, and in the case of Flash, a site’s preferences and settings survive a normal browser cache clear.

How do I clear the Java cache?

Adobe - Flash Player : Settings Manager - Website Storage Settings panel - Adobe

related: Deleting “Flash Cookies” Made Easier - IEBlog
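The Adobe and Oracle pages above clear those locations; what they don’t do is record what was in them first. This added example (mine, not from the original post or from either vendor) walks the standard Java cache and Flash Local Shared Object folders for one user profile, hashes every file so you have a record (and something to look up) before the sweep, and only then offers to delete. $ProfileRoot can point at a profile on an offline disk mounted under WinPE (e.g. D:\Users\bob), which fits the off-line cleaning approach from the intro. The profile-relative paths are the usual Vista/7 and XP layouts; treat them as assumptions and add any others your Java version uses.

```powershell
# Added example (not from the GSD post): inventory (hash, size, timestamp),
# then optionally clear, the Java cache and Flash LSO folders of one profile.
# Paths are the standard profile-relative locations; "Application Data"
# variants cover XP-style profiles. Point $ProfileRoot at an offline disk
# under WinPE to avoid locked files and running malware.
$CacheDirs = @(
    'AppData\LocalLow\Sun\Java\Deployment\cache',        # Java 6u10+ on Vista/7
    'AppData\Roaming\Sun\Java\Deployment\cache',         # older Java layouts
    'Application Data\Sun\Java\Deployment\cache',        # XP
    'AppData\Roaming\Macromedia\Flash Player\#SharedObjects',                             # Flash cookies
    'AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys',     # per-site settings
    'Application Data\Macromedia\Flash Player\#SharedObjects',
    'Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys'
)

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
        finally { $fs.Close() }
    } catch { 'UNREADABLE' }   # locked by a running process, or permission denied
}

function Get-PluginCacheInventory {
    param([string]$ProfileRoot = $env:USERPROFILE)
    $items = @()
    foreach ($rel in $CacheDirs) {
        $dir = Join-Path $ProfileRoot $rel
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $files = Get-ChildItem -LiteralPath $dir -Recurse -Force | Where-Object { -not $_.PSIsContainer }
        foreach ($f in $files) {
            $items += New-Object PSObject -Property @{
                Path          = $f.FullName
                Bytes         = $f.Length
                LastWriteTime = $f.LastWriteTime
                SHA256        = Get-FileSha256 $f.FullName
            }
        }
    }
    $items
}

function Clear-PluginCache {
    # Writes the inventory to $ReportCsv FIRST (somewhere other than a
    # write-blocked response stick), then deletes the cache contents.
    param([string]$ProfileRoot = $env:USERPROFILE,
          [Parameter(Mandatory=$true)][string]$ReportCsv)
    $inv = @(Get-PluginCacheInventory -ProfileRoot $ProfileRoot)
    $inv | Export-Csv -Path $ReportCsv -NoTypeInformation
    foreach ($i in $inv) { Remove-Item -LiteralPath $i.Path -Force -ErrorAction Continue }
    $inv.Count
}

# Usage: look first, newest files on top, since a drive-by lines up with the
# time the user remembers things going wrong; clear only once you are done.
Get-PluginCacheInventory -ProfileRoot 'D:\Users\bob' |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Bytes, SHA256, Path -AutoSize
# Clear-PluginCache -ProfileRoot 'D:\Users\bob' -ReportCsv 'C:\cases\bob-plugin-cache.csv'
```

The inventory is per profile, so walk every folder under Users (or Documents and Settings) on a shared family PC, not just the one that was logged in. Sorting by LastWriteTime is the quick win: anything in the Java cache written within minutes of the first symptom deserves a look before it is swept away, and the SHA256 column is what you paste into an online scanner to find out what it was.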


My perennial RSS feed reader for Firefox continues to get regular updates and improvements from the labor of love provided by R. Pruitt.

Newsfox Release - newsfox: installation

AD Explained

Download details: Group Policy for Beginners - Microsoft Download Center

WinPE Stuff

One of the sucky things (read that as “lessons learned”) about delayed postings is that respected fellow bloggers get first dibs on posting cool software toys.

Case in point, the TinyApps blog Sensei recently dropped this micro-bomb post: TinyApps.Org Blog : Build a custom Windows 7 PE image without Windows AIK or a Windows 7 install DVD.

Oh so sweet! As linked in the post, check out Make-PE3 Program for more details.

Neither tiny nor as simple, you may also want to see A Win7PEx86 project with plenty of system tools at this forum thread. It is jam-packed with a bus-load of tools and utilities that makes a combo rivaling a mashup of Canucks and Mavericks fans in a love-fest.

Finally, Brett Shavers has been a prophet in the wilderness preaching the love of WinFE to the masses. (I’m not aware of any locusts or honey being harmed in the process.)

Sharing the love with WinFE - WinFE Blog

How easy (or difficult) is it to build a WinFE with WinBuilder? - WinFE Blog

Chromium Updating

Firefox (public version 4.x) remains my daily/personal browser of choice. The whole multi-development-channel drama at Mozilla has cooled my passion for chasing the “nightly” world of late. So for now I have returned to the Clark Kent world of the public (32-bit) version for my daily web-surfing and wrangling needs. The rich and granular world of the Add-on extensions still cannot be rivaled in Chrome/IE.

That said, for my more pleasure-filled world of pure and mindless web-surfing enjoyment I turn to Chromium. I enjoy the performance, the interface, and can use a few specific extensions like flash-blocking and ad-blocking to help with the joy. My prime source for Chromium is Caschy’s portable build over at the German site stadt-bremerhaven: Now it beats 13: Google Chrome and Chromium Release 13. (Note, privacy geeks might prefer the SRWare Iron build of Chromium instead.)

One of the real treats of Caschy’s build is the inclusion of an AutoIT exe file that when run launches an auto-updater to keep your Chromium package fresh-as-fresh-can-be.

I’ve previously used Chromium Nightly Updater for that purpose but it hasn’t been updated since 11/2010. There is also chromium-portable-and-updater (not updated since Feb.), and Chromium Updater (not updated since Dec 2010).

Why is that all important?

Well, a few weeks ago all us fans of Caschy’s Portable Chromium suddenly found the Updater.exe wasn’t working any longer.

So we had to manually trudge (almost daily) over to Index of /f/chromium/snapshots/Win, find the LATEST folder, and then download/unzip/copy-to-update the file to update our app files.

Wondering what happened, I fired up Wireshark and ran a packet capture during the Updater.exe run as it failed. Stepping through the packet trace, I found it was reaching the repository, but the file it asked for couldn’t be found. The info in the packets led me to realize the repository location had changed, hence the update process failed. It was a very fun exercise and fascinating to see how the app locates and fetches the updated zip file. Network traffic geeks might enjoy running this exercise (the Wireshark display filter http.response.code == 404 jumps straight to the failing request, and Follow TCP Stream shows the request and the server’s reply together).

Yep. The old repository location was now 404.

I left what I hoped was a kind comment on the developer’s post page explaining my findings and wished out loud for an update to the AutoIt package to point to the revised repository.

Fortunately, Caschy and gang are a stand-up crew and indeed quickly updated their AutoIt Updater.exe file to point to the new repository location. New Portable Google Chrome Updater

So if you are living the Chromium life and want what appears to me to be the only current Chromium auto-updater tool out there that works at the moment for the new repository location, hop over to that page and grab it. Also they have released a command-line supported version as well for the curious.
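For those who want to see the lookup the updater does without a packet capture, here is an added example of my own (it is not Caschy’s AutoIt updater and not from the original post). It reads the repository’s pointer file to learn the newest snapshot revision, compares that with the revision recorded locally, and reports a 404 on the pointer as “repository moved” rather than as a generic failure, which is exactly the case the Wireshark trace revealed. $BaseUrl, the pointer file name (LAST_CHANGE) and the zip name (chrome-win32.zip) are assumptions about the snapshot repository’s layout; set them to match the location you actually use.

```powershell
# Added example (not Caschy's updater, not from the GSD post): the updater's
# lookup written so a failure tells you WHICH step broke. Repository URL,
# pointer file and zip name are assumptions; supply your own.
function Get-ChromiumSnapshotStatus {
    param(
        [Parameter(Mandatory=$true)][string]$BaseUrl,    # the .../snapshots/Win index URL
        [string]$PointerFile = 'LAST_CHANGE',            # text file holding the newest revision
        [string]$LocalMarker = '.\chromium-revision.txt' # revision of the copy you already have
    )
    $web = New-Object System.Net.WebClient
    try {
        $latest = $web.DownloadString($BaseUrl.TrimEnd('/') + '/' + $PointerFile).Trim()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and ([int]$resp.StatusCode -eq 404)) {
            # Pointer file gone: the repository path changed, not the network.
            return New-Object PSObject -Property @{ State = 'RepositoryMoved'; Latest = $null; Local = $null }
        }
        return New-Object PSObject -Property @{ State = 'NetworkError: ' + $_.Exception.Message; Latest = $null; Local = $null }
    }
    $local = if (Test-Path $LocalMarker) { (Get-Content $LocalMarker | Out-String).Trim() } else { '' }
    $state = if ($local -eq $latest) { 'UpToDate' } else { 'UpdateAvailable' }
    New-Object PSObject -Property @{ State = $state; Latest = $latest; Local = $local }
}

function Get-ChromiumSnapshot {
    # Downloads the zip for $Revision and records the revision for the next
    # status check. Unzipping is deliberately left to you: look at what
    # arrived before copying it over a running app.
    param([Parameter(Mandatory=$true)][string]$BaseUrl,
          [Parameter(Mandatory=$true)][string]$Revision,
          [string]$ZipName     = 'chrome-win32.zip',
          [string]$Destination = '.\chromium-snapshot.zip',
          [string]$LocalMarker = '.\chromium-revision.txt')
    $url = $BaseUrl.TrimEnd('/') + '/' + $Revision + '/' + $ZipName
    (New-Object System.Net.WebClient).DownloadFile($url, $Destination)
    Set-Content -Path $LocalMarker -Value $Revision
    Get-Item $Destination
}

# Usage (placeholder URL; replace with the repository you use):
$s = Get-ChromiumSnapshotStatus -BaseUrl 'http://example.invalid/f/chromium/snapshots/Win'
$s | Format-List State, Local, Latest
if ($s.State -eq 'UpdateAvailable') {
    Get-ChromiumSnapshot -BaseUrl 'http://example.invalid/f/chromium/snapshots/Win' -Revision $s.Latest
}
```

The point of the three distinct states is that “RepositoryMoved” and “NetworkError” look identical from the outside (the updater just stops working), and only one of them is fixed by editing a URL. A practitioner’s check worth adding for any tool that silently replaces its own binaries this way: note where it fetches from and what it unpacks, because a fetch location that can change is also a fetch location you are trusting.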

Hardware List

Like most normal peons, our budget is stretched super-tight these days. If something breaks we try to fix it. If it breaks and can’t be fixed, we try to re-purpose it. It’s a good lesson to learn and I wish I had covered this ground as a younger man about twenty years ago.

So tech and hardware purchases are fewer and far between and I really have to weigh the cost/benefit ratio before plunking down what little disposable income we find now-a-days.

That said, I picked up several sets of specialty bits. I didn’t have these in the past for removing hard-drive covers and things when a failed drive couldn’t be zeroed out via software and I had to pull the drive to yank/manually destroy the platters (you can only remove so many drive covers via Vise-Grip pliers before it gets really tired…): the Maxtech 16521MX 32-Piece Precision Bit Set (note: good bits…sucky cheap plastic driver, but then I didn’t plan on using it) and the 33 pc. Security Bit Set (great variety of specialty bits…though the plastic case’s off-gassing smell was very strong and funky).

However, it was this third set, SMALL TORX SCREWDRIVER SECURITY TAMPER PROOF HOLE T5 T6 T7 T8 T9 T10 T15, that fixed a favorite “every day carry” tool of mine this week. A vendor was doing cabling work and a ceiling tile just wouldn’t fit as-cut around some descending cable bundles in the network room. I offered him my super-fave pocket tool, the Gerber 45898 Ridge Knife, and with a flick and deft cuts the tile was cut and slipped into place. However, somehow while re-maneuvering the ladder he was on, unbeknownst to me, the knife fell (safely) to the floor and became an unwilling ladder-leg shim. When I realized what had happened some time later and removed it from under the (still-in-use) ladder leg, the weight had popped the blade-lock arm to the outside of the blade somehow and it couldn’t be closed.

I tried all the specialty bits I had to get the blade off. It was only when I tried one of the TORX bits that I found the one that matched it perfectly. I disassembled the knife, cleaned all the joints and reassembled back to full working order again. Who knew you had to be prepared to field-service your pocket knife?

Also purchased was this Kanguru Flashblu II 16GB USB 2.0 Flash Drive Model ALK-16G. The super-selling point was that it is one of the very last flash drives that comes with a true write-block switch to prevent device writing. This is critical when you’re dealing with a malware-infected system and using your response flash stick to clean house: a software “read-only” attribute can be cleared by anything running on the infected host, while a hardware switch cannot. My beloved iodd USB HDD drive also has a physical write-block switch. But while that device is carried in my tech-pack for planned responses, my new Kanguru stick is on my keys so when I get a “by-the-way my system right here is infected…can you take a quick look at it” at a friend or relative’s house, I can take a triage and first-response swing at their system without fear of cross-contamination.
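A switch only protects you if it is actually engaged, and “without fear of cross-contamination” is a claim you should be able to prove after the fact. This added example (mine, not from the original post) does both: Test-WriteBlocked attempts a probe write and reports the stick as blocked only if that write is refused, and New-ToolManifest/Test-ToolManifest keep a SHA256 list of every tool on the stick so a later run shows exactly which files changed, appeared or went missing. The drive letter and manifest path are assumptions; keep the manifest on your own machine, not on the stick, since a manifest that travels with the tools could be altered along with them if the switch were ever left off.

```powershell
# Added example (not from the GSD post): prove the write-block switch is
# engaged, and keep/verify a SHA256 manifest of the response stick.
# Drive letter and manifest location are assumptions.
function Test-WriteBlocked {
    param([Parameter(Mandatory=$true)][string]$Root)   # e.g. 'E:\'
    $probe = Join-Path $Root ('wb-probe-' + [Guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force   # write succeeded: the stick is NOT protected
        return $false
    } catch {
        return $true                             # write refused: the switch is doing its job
    }
}

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-RelativePath([string]$Root, [string]$FullName) {
    $FullName.Substring($Root.TrimEnd('\').Length + 1)
}

function New-ToolManifest {
    param([Parameter(Mandatory=$true)][string]$Root,
          [Parameter(Mandatory=$true)][string]$ManifestCsv)
    $rows = @(Get-ChildItem -LiteralPath $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                RelativePath = Get-RelativePath $Root $_.FullName
                SHA256       = Get-FileSha256 $_.FullName
            }
        })
    $rows | Export-Csv -Path $ManifestCsv -NoTypeInformation
    $rows.Count
}

function Test-ToolManifest {
    # Returns one line per difference; an empty result means the stick matches.
    param([Parameter(Mandatory=$true)][string]$Root,
          [Parameter(Mandatory=$true)][string]$ManifestCsv)
    $expected = @{}
    Import-Csv $ManifestCsv | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
    $seen = @{}
    $diff = @()
    Get-ChildItem -LiteralPath $Root -Recurse -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $rel = Get-RelativePath $Root $_.FullName
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) { $diff += "NEW      $rel" }
        elseif ($expected[$rel] -ne (Get-FileSha256 $_.FullName)) { $diff += "CHANGED  $rel" }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) { $diff += "MISSING  $rel" }
    }
    $diff
}

# Usage: build the manifest once with the switch OFF, on a clean machine...
# New-ToolManifest -Root 'E:\' -ManifestCsv 'C:\cases\response-stick.csv'
# ...then before every engagement, and again afterwards:
if (-not (Test-WriteBlocked -Root 'E:\')) { Write-Warning 'Switch is OFF; do not plug this into a suspect box.' }
Test-ToolManifest -Root 'E:\' -ManifestCsv 'C:\cases\response-stick.csv'
```

Rebuild the manifest whenever you deliberately update the toolset (with the switch off, on a machine you trust), and treat any NEW or CHANGED line after an engagement as a reason to wipe and rebuild the stick rather than to argue with it. The probe file name is randomized so a stale probe from a previous run can’t be mistaken for a fresh write.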

Yep…still feels good to hit the keys….

And this was just a warm-up post.

Oh my…!


--Claus V.