Saturday, April 17, 2010


I guess WindowsITPro Mag is going to publish one of my letters. I don't like paper, so I probably won't see it. Apparently it had something to do with my last blog post. They like when someone reads one of their guru's posts and then takes the ball and runs with it. That's the whole point of what they're trying to do.

These days, it seems that the general population of techs rely solely on "tools". Not many know how to write any code at all - not even batch. Much of it is laziness, but also there's Wally Syndrome. Fact is, most corporations are so political, the more you do the more likely you are to get in trouble. Most would rather keep their heads down and mouths shut, and coast along doing the minimum - just like Wally in the Dilbert cartoon. Sometimes I completely understand, because sometimes people are punished for doing a good job. That's the way corporate politics often work, all over the world.
I'm just driven, though. I don't think of my one job as being the end-all. Jobs are just opportunities. If we try to excel, we become better each day and more employable. So if it didn't work out at one place, for whatever reason, and you are diligent at becoming a better person, your viability is assured. I'm not saying life will be guaranteed as easy. Life is dynamic and you have to be dynamic in order to survive. Your skills and mindset need to be dynamic.

Sunday, March 7, 2010

Checking For Updates

There are quite a few free utilities, add-ins, plug-ins, etc. that are either ubiquitous or at least my own preference to have on all computers. Keeping track of updates was a royal pain. Sometimes I'd get so busy for so long I'd neglect checking for months.
I wanted a script that checks Internet sites for updates rather quickly. I figured PowerShell would give me the power to do it. I finally found the code from Alex Angelopoulos at
WindowsITPro, but I'm not sure anyone thought to use it the way I wanted.
I prefer to leave my PowerShell security at the default level, which is to disable scripts from running. I use an old-fashioned CMD script as a wrapper-script to write my script, lower security, run the script, and finally delete the script and raise security back up.
The script requires maintenance, but it sure beats the old haphazard way. I edit the version-levels for each product to keep them current. The script checks the host web-page, tries to look for a version string, and if it can't find it, it is assumed the version has either changed to a newer one, or the version can no longer be found.

Some web-pages confound all my efforts to find a version I can query. That's because they have some very intricate layers of web-sites working together that make them hard to hack. I'm not trying to hack them - just query them - but their security precautions have made it impossible for me to check Apple's or Adobe's sites. The others are pretty straight-forward.
As usual, watch out for text-wrapping in the code window.

:: Allow PS scripts to run
powershell -command "& {Set-ExecutionPolicy -Scope LocalMachine Unrestricted -Force}"

:: Create Powershell script (from Alex K. Angelopoulos, WindowsITPro)
@echo Param( > ".\Get-WebString.ps1"
@echo [string]$Uri, >> ".\Get-WebString.ps1"
@echo $Encoding = "Default" >> ".\Get-WebString.ps1"
@echo ) >> ".\Get-WebString.ps1"
@echo $WebClient = New-Object System.Net.WebClient >> ".\Get-WebString.ps1"
@echo $WebClient.Encoding = [System.Text.Encoding]::$Encoding >> ".\Get-WebString.ps1"
@echo $WebClient.DownloadString($Uri) >> ".\Get-WebString.ps1"

:Sun Java Update 18
powershell -command ".\Get-WebString.ps1" | find /i "Version 6 Update 18"
if %errorlevel%==0 goto :Diskeeper
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

powershell -command ".\Get-WebString.ps1" | find /i "Build-900"
if %errorlevel%==0 goto :Firefox
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

powershell -command ".\Get-WebString.ps1" | find /i "US/firefox/3.6"
if %errorlevel%==0 goto :doPDF
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

:doPDF 7.1.330
powershell -command ".\Get-WebString.ps1" | find /i "7.1.330"
if %errorlevel%==0 goto :Paint.NET
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

:Paint.NET v3.5.4
powershell -command ".\Get-WebString.ps1" | find /i "v3.5.4"
if %errorlevel%==0 goto :IZArc
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

powershell -command ".\Get-WebString.ps1" | find /i "4.1"
if %errorlevel%==0 goto :CPU_Z
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

powershell -command ".\Get-WebString.ps1" | find /i "Z 1.53"
if %errorlevel%==0 goto :burnaware_free
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

powershell -command ".\Get-WebString.ps1" | find /i "2.4.4"
if %errorlevel%==0 goto :DeepBurner
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

powershell -command ".\Get-WebString.ps1" | find /i "DeepBurner Free 1.9"
if %errorlevel%==0 goto :ImgBurn
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

:: It's longer, but I'm truncating many sections. You can extrapolate from here.
:: So on to the ending...

del /q ".\Get-WebString.ps1"

:: Raise PS security back up
powershell -command "& {Set-ExecutionPolicy -Scope LocalMachine Restricted -Force}"
powershell -command "& {Set-ExecutionPolicy -Scope CurrentUser Undefined -Force}"
powershell -command "& {Set-ExecutionPolicy -Scope Process Undefined -Force}"

Why not use VersionTracker? Because my company blocks that site, and because that site has too many items, and not all the items I want. My script is just-right for me. While it runs, I can be doing other things. By running it once a week, I stay current.

Wednesday, February 3, 2010

Manually Killing Viruses, Part 4

This is the mop-up, or the repair. At this stage, all the viruses, worms, Trojans, rootkits, etc. are gone, but Windows is damaged. A repair-install often doesn't fix things. Installations often only look to see if something exists, and if it's already there, it wont' actually re-install.
Some Windows XP machines are infected because they don't have the latest patches or service packs. If there's an i386 folder on the hard drive, it would be wise to make sure it has the latest service pack applied. To find out at a glance, just look for a file starting with SP3 in i386. If all you can find is SP2, then try slipstreaming SP3 into the folder.
You might want to consider the SFC command. The right command can force all files to match a specific source.

If the problem is that you can't reach the Internet, check the "hosts" and "lmhosts.sam" files. They're in C:\Windows\System32\drivers\etc\ Open them with Notepad and make sure the only line in hosts is the standard loopback... localhost
lmhosts.sam should be blank, but lines beginning with "#" are comments. All of lmhosts.sam is normally comments.
Malware can redirect valid Internet addresses to go to malicious sites instead.

Damaged Internet security suites, like McAfee and Norton Internet Security are usually damaged by malware, and you can't get to the Internet until the products are forensically removed. Luckily McAfee and Symantec/Norton each have removers.

You might also try repairing the winsock with WinsockFix, or something like it. Delete the network device(s) from Device Manager and rebuild them.
If you still can't get to the Internet, run all these commands in this order...
net use * /d /y
NET USE /persistent:no
ipconfig /release
net start lanmanserver
net start Server
net start lanmanWorkstation
net start Workstation
net start "Remote Procedure Call (RPC)"
net start RpcSs
net start "Plug and Play"
net start Telephony
net start wuauserv
net start Dhcp
net start "DHCP Client"
net start Dnscache
net start "DNS Client"
net start helpsvc
net stop NetSvc
net stop Netlogon
net start Netlogon
net start Netman
net start "Network Connections"
net start "Remote Access Connection Manager"
net start "Security Accounts Manager"
net start prepdrvr
net start LmHosts
net start TapiSrv
net start "TCP/IP NetBIOS Helper Service"
net start TermService
net start WebClient
net start Browser
netsh int ip reset
netsh winsock reset
netsh firewall reset
ipconfig /renew
arp -d *
nbtstat -R
ipconfig /flushdns
nbtstat -RR
ipconfig /registerdns
netdiag /test:winsock /v

If you can get to the Internet, but specific addresses are blocked, look in hosts or lmhosts.sam, as mentioned above, or look in the Registry under...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

As soon as you get to the Internet, you should update all anti-virus and anti-malware definitions, update Windows, or install/reinstall the protections that were removed.
As of this writing, these are my favorites, in this order...
Microsoft Security Essentials
Rootkit Revealer

The Rootkit tools only reveal rootkits, they don't clean.
Plus, you have to know what you're looking at. Some of the items in the revealed list are not bad things, but good. But the list is normally short.

Oh, one more thing... If you encrypted the hard drive, and a virus ruined your computer, none of this is likely to work at all. Reformat. Encryption at the hard drive level is a nasty bit of business. Not worth it, in my opinion. If you have data that critical, stick it on a secure USB drive. I have one that requires a password, plus a fingerprint. That's should work for paranoid data. I highly recommend avoiding entire hard drive encryption, unless it's a secondary drive.

Friday, January 29, 2010

Manually Killing Viruses, Part 3

Hunting for viruses in the Registry...
The most obvious startup location in the Registry is...

The following are normally empty...

It gets more complex beyond that...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows /v AppInit_DLLs (this is normally blank)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The "Shell" and "UserInit" values often are edited by viruses, sometimes loading worms or Trojans.

If the computer is un-bootable, and you're booted of a Rescue CD, then you need to load Registry hives off the hard drive. To do this, you need to launch Regedit and expand HKEY_USERS. With HKEY_USERS highlighted, click "File", "Load Hive...", and browse to C:\WINDOWS\system32\config\. Make sure you're loading from the correct drive, or you're wasting your time. If booted from a rescue CD, the Rescue CD's Windows folder will be the default. Make sure you pay attention and get to the correct, infected, hives. Give them sensible names.
Load "SOFTWARE" and "SYSTEM", naming them something that makes sense. Or name them anything beginning with any letter after "S" so that alphabetically the hives you load always drop below the other normal hives. This is because you'll be doing searches and it's faster to search only the loaded hives.

Next, load all the user profiles which create HKEY_CURRENT_USER when users are logged on. These hives are called NTUSER.DAT and are stored at the root of every profile...
C:\Documents and Settings\%username%\NTUSER.DAT

Some don't realize that HKEY_CLASSES_ROOT is identical to HKEY_LOCAL_MACHINE\SOFTWARE\Classes. When you load the "SOFTWARE" hive, you effectively get full access to HKEY_CLASSES_ROOT through the ...\Classes key.
Look into every startup location as mentioned above.

In the System hive, you'll be looking for malicious services. It helps to have a healthy Windows XP machine to compare with. Still, there is some guess-work. Proprietary OEMs like to add tons of mostly legitimate craplets. That's what I call the 30-50 odd-ball "goodies" that HP, Gateway, Sony, Dell, etc. like to infest new computers with so that they run like crap. Since these things usually cause more degradation that value, if you accidentally break one of these, thinking it's a virus, no real harm done.

You need to look at all the suspicious DLL's and EXE's that you carved out of \Windows\ and \System 32\. Copy the names and search the loaded hives. This is how you find where they're activated. In doing this, you sometimes find out that the files are okay, and you can put them back. Other times, you get confirmation that they're malicious.

When you're done, always unload the hives. If you forget, things usually tend to unload okay anyways, but sometimes it will corrupt the hives (or the logs) and make things worse.

This whole set of posts is abbreviated. There really are too many sneaky places in the Registry to launch threats to mention all of them. Many replace Windows files with malicious files, diverting normal functions. Others create new services and functions.

Finally, check C:\boot.ini to see if anything is bogus.

When you believe you've carved the worst out, try booting off the normal hard drive.

Tuesday, January 26, 2010

Manually Killing Viruses, Part 2

It helps to have a healthy example of every OS to compare a viral computer with. Not sure exactly what the healthy Registry key should be? Look on your XP example machine.
And of course you have to have another computer connected to the Internet to Google any questions. Look up info on files, Registry values, viruses, cleaning and repair advice in various situations...

So we left off with temp files deleted and you sorted the Windows and System 32 folders to see what the most recently modified files were. And you moved suspicious files to a dormant folder we named C:\Suspicious.
You can also do the same inside the Program Files folder. You can move entire folders.

Browse to every Startup folder in every profile on the computer and look for links to suspicious executables.
Check all Favorites, QuickLaunches, Desktops, etc. for evil links.
Check Microsoft Office Startup folders for C:\Program Files\Microsoft Office\Office12\STARTUP and \XLSTART and every profiles startup folders for Word and Excel.

If they have a legal copy of McAfee, you can download the latest McAfee definitions, expand them, and run a commandline scan. Example for the SuperDAT definition file named "sdat5873.exe"...
- Download the DAT or SuperDAT to the McAfee installation folder. Also download the latest engine.
- Then open a command prompt at the same path and run the following command...
sdat5873.exe /e
- Then run 5400eng.exe to update the McAfee engine. If this fails, you're dead in the water until you get the computer booted the hard way.
These files will not expand unless you have a legal McAfee license.
You may not get much feedback when the def's expand, so open Task Manager and watch until sdat5873.exe drops out of memory. On a slow computer, it can take 15 minutes. On a fast computer, it can take 20 seconds.
- Assuming all went well, and both the engine and the def's are expanded, you should see quite a few files, one being scan.exe and several ending in .dat. In the same command-prompt path, launch a scan with the following command...
scan.exe /adl /all /noexpire /clean /rpterr /report c:\ScanRpt.txt
This can take an hour.

You can do the same sort of things for Norton/Symantec - download various stand-alone tools and start scanning.
You can also scan using tools that come on the UltimateBootCD4Win. There are all sorts of anti-virus and anti-malware scanners on the CD.

While that's churning, you can browse suspicious files some more.
One of the crafty things malicious hackers do is they might take legitimate Microsoft files and rename them. So you might do a cursory glance and file properties and see that it is labeled as a Microsoft file. It looks legit. But pay attention. Sometimes they'll take something like tftp.dll and rename it to something else, like ftfp.dll. Their code might use trivial ftp to open a conduit for the hacker to take control of your computer, or send your passwords or credit card account numbers. So make sure that the file name matches the what the properties say it is. A mismatch is definitely suspicious.
To avoid DLL-hell, Windows will sometimes keep multiple copies of one DLL on the hard drive. They obviously have to have different names. Depending on what version of a DLL is required, Windows will register a DLL by an alias, and then when loaded into memory, an alias'd DLL is loaded with the proper name so that the program works. So just because a DLL has a different name doesn't necessarily prove that it's bad, but if it looks suspicious, like tftp does, you should move it to the C:\Suspicious folder.

This concludes part 2.
Next, we'll get to the Registry.
Only a geek would think this is fun.

Monday, January 25, 2010

Manually Killing Viruses, Part 1

This is mostly for Windows XP, since I've never personally seen OSX, Vista, or Windows 7 with a virus. The latter three can get viruses, but they tend not to because they have a far better OS design.

I was recently presented with the most virus-infested junk-heap I've ever seen. First, it was clogged with cat hair and dust. Second, it REEKED of cigarette smoke! Every time I turned it on, I gagged.
This computer was running Windows Media Center Edition SP3, but it was unbootable. It kept prompting to restore from the Sony recovery partition that would reformat the hard drive. This would have nuked about 2,000 songs, video clips, and movies. It would also have taken several licensed products with it, including Office 2007.

Geek Squad wanted $200 just to "look" at it. No offense - they're just making a living. I'm sure they would have just reformatted and handed it back with a $300-$400 bill. I fixed it for $40, since she was a friend and co-worker.

My primary tool in these situations is the Ultimate Boot CD 4 Windows. This developed from BartPE, which is almost an historical name, now. But those of us who participated in developing it felt like pioneers. I may have been the first person to build a bootable USB stick, with Windows XP on it, but the computer I was trying to use wasn't USB-bootable as Dell had claimed. Two weeks after someone else had succeeded, I got a Dell D800 that I successfully booted my USB stick to - the same one that had been built three weeks before.

Enough nostalgia...
Booting to the UltimateBootCD4Win allows you to be a virtual god. The viral hard drive is dormant - nothing on the hard drive is running.
I boot from a 4GB USB stick. The boot-image is only 512MB - the USB boot-image limit. But that doesn't matter. The boot image ends up being drive X: and the rest of the space on the USB stick is whatever drive letter is available after the other drives have been enumerated.

The strategy/mentality is thus... Every virus in the past 10 years seems to be a "blended threat", meaning you never get infected with just one bug. You end up with a virus, a few worms, and a Trojan or two. There's often a root-kit installed, too.
So, booting from the UltimateBootCD4Win, I browse to the C: drive.
- Save time and delete all temp files...
-- C:\Windows\Temp
-- C:\Documents and Settings\%userprofile%\Local Settings\Temp
-- C:\Documents and Settings\%userprofile%\Local Settings\Temporary Internet Files\Content.IE5\ (delete all folders and index.dat, but leave desktop.ini)
Do a searching delete of all files ending in .tmp, .del, .dmp, .chk, or beginning with tilde (~).
Now look at all the old Windows patch folders that collect in the Windows folder. Delete every old folder and log file that you know you'll never want to uninstall. Usually that means keeping anywhere from 3 months to a year - no more.
This saves time from then on when running scans and searches because now there are fewer files on the hard drive. And you probably broke several viruses in the process.
- Next, analyze the contents of C:\Windows\ and C:\Windows\System32\, sorting by date/time. Some legit files update every second, like the Windows XP licensing file wpa.dbl, so this is an example of an important good file. Many of the others will be viruses. Don't just start deleting everything unless you know for sure. If you don't know for sure, then try moving them to a folder, like C:\Suspicious\. Recreate the folder structure inside there. Wherever you take a file, drop it in the same folder, like C:\Suspicious\Windows\System32\. That way when you're finished, and you decide some files are safe, you can put them back.

This concludes part 1 - the easy preliminary steps. It gets more complex in following chapters.