Thursday, December 24, 2009
NetScanTools LE is the "Law Enforcement" version: see http://www.netscantools-le.com/
Here is your chance to be back on the plan and get the Windows 7 friendly 10.94 version! Special price reduction on the "Over 180 days Late" v10 Maintenance Plan renewal - instead of $150, the renewal price is $135 through December 31, 2009. Call us (360) 683-9888 or go to the maintenance plan page below for a link to order online:
Monday, December 7, 2009
The first thing I did was tell him to download Malwarebytes Anti-Malware and HijackThis. I had him run HijackThis and send me the scan dump text. Some malware won't even let you download or run those, so he was lucky. I spent a bit of time going through the list, but right off I saw a few obvious pieces of malware in the startup and a bunch of junk like old printer driver accessories that needed to go.
The obvious malware looked like this under the categories AppInit_DLLs, SSODL, and SharedTaskScheduler:
wehazibi.dll, gaganoza.dll, mudabihu.dll, wukoraga.dll, jujutoji.dll, jaduzumi.dll, bezijigi.dll, wegagolu.dll
And this entry
MySQL c:\Program.exe (file missing)
Another interesting file was c:\windows\system32\GameMon.des.exe (file missing). Various sources say this is not good to have, so I put it on the list.
The problem was that HijackThis couldn't remove all the things I listed, nor could Malwarebytes, because the malware was not letting him boot into Safe Mode. But that was OK because I told him to use Knoppix. He had never heard of it, but eventually he understood that Knoppix is a CD-based Linux that can access your hard drive if you want it to. And the best part is that it's another OS, so it's completely unaffected by the viruses or trojans on your Windows hard drive.
I had him set the laptop to boot from the CD drive and had him burn a CD of the Adriane version of Knoppix 6.2.0. He chose to use the command line interface from the Knoppix menu instead of the X-Windows interface, but that's OK if you know how to use 'cd' to change directories and 'rm' to remove files. I prefer the X-Windows interface because it has a full file manager. But sometimes Knoppix has trouble with the mouse, especially if it's a laser mouse (hopefully this gets improved), so he probably made a good choice - I don't know how it works with a touch pad on a laptop either.
Anyway, after booting to Knoppix he was able to cd to those file locations and delete them off the C drive. Then he rebooted and was able to use HijackThis to remove the startup entries, then he ran Malwarebytes Anti-Malware to clean up 'droppings'. Plus I had him update Java and other things like Adobe Acrobat.
People don't realize that Knoppix can be used to view hard drives without actually booting Windows, you simply put in the Knoppix CD, reboot and go from there. I learned about this technique from a Law Enforcement customer - they use it to view files on bad guy computers without booting Windows. But you can also use it to remove malware files if you know where they are already.
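The two things picked out of that scan dump above, DLL names that look machine-generated and startup entries whose target file is gone, can be turned into a repeatable check. The following is an added example, not code from this post, from NetScanTools or from HijackThis itself. The log lines are constructed to resemble HijackThis output; only the eight DLL names, the MySQL entry and the GameMon.des.exe path come from the post, and `{CLSID}` stands in for real class IDs. The "random name" test is a heuristic tuned to the names seen here (eight lowercase letters alternating consonant and vowel), so treat its hits as candidates to look up, not verdicts.

```python
"""Triage of HijackThis-style startup entries.

Added example; not code from the post, from NetScanTools or from HijackThis.
Two heuristics: DLL names that look machine-generated (eight lowercase
letters alternating consonant/vowel, like the names in the post) and
startup entries whose target file HijackThis reports as missing.
"""
import re

# Constructed sample in the O4/O20/O21/O22 style HijackThis uses.
# Only the DLL names, the MySQL entry and GameMon.des.exe come from the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MySQL] c:\Program.exe (file missing)
O4 - HKLM\..\Run: [Updater] C:\Program Files\ExampleVendor\Updater.exe
O20 - AppInit_DLLs: wehazibi.dll gaganoza.dll mudabihu.dll
O21 - SSODL: wukoraga - {CLSID} - c:\windows\system32\wukoraga.dll
O22 - SharedTaskScheduler: jujutoji - {CLSID} - c:\windows\system32\jujutoji.dll
O22 - SharedTaskScheduler: Browseui preloader - {CLSID} - C:\WINDOWS\system32\browseui.dll
O4 - HKLM\..\Run: [GameMon] c:\windows\system32\GameMon.des.exe (file missing)
""".strip()

# Heuristic for pronounceable random names: four consonant-vowel pairs.
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxz][aeiou]){4}\.dll$")
DLL_NAME = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)
# Sections that load DLLs into every process at logon: favourite persistence spots.
DLL_SECTIONS = ("O20 - AppInit_DLLs", "O21 - SSODL", "O22 - SharedTaskScheduler")
FILE_MISSING = "(file missing)"


def random_looking_dlls(log_text):
    """Sorted DLL names in the DLL-loading sections that fit the random-name pattern."""
    found = set()
    for line in log_text.splitlines():
        if not line.startswith(DLL_SECTIONS):
            continue
        for name in DLL_NAME.findall(line):
            name = name.lower()
            if RANDOM_NAME.match(name):
                found.add(name)
    return sorted(found)


def missing_file_entries(log_text):
    """Startup entries pointing at files that no longer exist.

    Harmless on their own, but usually leftovers of removed software or of
    malware that was only partly cleaned, so they belong on the cleanup list.
    """
    return [line for line in log_text.splitlines() if FILE_MISSING in line]


def triage(log_text):
    """Combine both heuristics into one report."""
    return {"random_dlls": random_looking_dlls(log_text),
            "file_missing": missing_file_entries(log_text)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("random-looking DLLs:", ", ".join(report["random_dlls"]))
    for entry in report["file_missing"]:
        print("file missing:", entry)
```

Run it on a real HijackThis dump by reading the file into `triage()`. Anything it flags still needs the usual look-up of the file name and path before deletion; legitimate DLLs occasionally have odd names too.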
Wednesday, November 25, 2009
There is a status report on NetScanTools LE (law enforcement edition).
I added in a paragraph about my experience upgrading a computer from Windows Vista x64 to Windows 7 x64. It was actually pretty painless. And it even worked!
The newsletter can be found on this page:
Saturday, November 7, 2009
NetScanTools Pro USB Version is a fully portable software application that runs from a USB flash drive. It is self-contained and does not require installation on the target computer. All data is saved on the USB drive and not saved to the hard drive of the computer hosting it. NetScanTools Pro USB Version runs on Windows 7, Vista, XP, and 2000. It runs on both the 64 and 32 bit versions of the operating systems and is a 32 bit application itself.
More information about NetScanTools Pro USB Version:
Right now we are having a sale. Get the installed version on CDROM and the USB Version for the price of the USB Version. More details:
Tuesday, November 3, 2009
It now includes the latest version of WinPcap 4.1.1 (just released last week) which has been extensively tested on Windows 7. NetScanTools Pro uses WinPcap for packet capture and generation of specialized packets. Previously we used 4.0.2 which seems to work fine on Windows 7 for our purposes.
We've also updated the SQLite DLL to the latest version 3.6.19 and made it statically linked to avoid SxS DLL problems.
Feature-wise there are several changes to the "DNS Tools-Core" toolset. There is a new tool called "Get Basic DNS Records". This tool requests SOA, A, NS, MX, CNAME, PTR and TXT resource records as applicable for a given input IP address, hostname or domain name. It saves time by combining all those queries into one query.
DNS Tools - Core also now includes options for requesting the NSEC, DNSKEY and RRSIG resource records. We have had the ability to parse those records for a while, but now you can directly request them and the parsing has been significantly improved. When parsing NSEC, we now show the list of resource record (RR) types covered. In DNSKEY we added display of the public key as hex and now also compute and display the Key ID. The Key ID can be correlated with the corresponding Key ID from the RRSIG records. The RRSIG record parsing was improved by adding display of the signature in hex, and we now parse many more "types covered".
DNS Tools - Core also had a problem when doing a Zone Transfer of a medium to large zone: it would crash the program. This was due to a memory allocation error and also due to the fact that in C a variable declared "static int x = 0;" is initialized only once and is not reset to zero each time the function is re-entered.
Passive Discovery has a change which is more user related. We had heard from people who saw an "Error compiling filter" message when they tried to run it. This was due to a mismatch between the WinPcap interface they selected, the subnet mask and the starting network IP address. We are no longer saving the subnet mask and starting IP; they are recalculated each time. We also reworded the Recalculate button to better explain what it does, and we improved the error messages.
There were some other minor changes but I won't go into those. As usual the databases were updated. If you have NetScanTools Pro with an active maintenance plan, click on Help/Check for New Version to get 10.94.
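For readers who want to see what the NSEC, DNSKEY and RRSIG parsing described above actually involves, here is an added example in Python. It is not NetScanTools code; it implements the same three pieces from the RFC 4034 wire formats: listing the RR types an NSEC bitmap covers, computing a DNSKEY's Key ID (the key tag of RFC 4034 Appendix B), and splitting an RRSIG into its fields so it can be matched to its DNSKEY by key tag and algorithm. The wire-format inputs at the bottom are constructed for the example; the key and signature bytes are dummies, not real key material.

```python
"""DNSSEC record parsing: NSEC type bitmaps, DNSKEY key tags, RRSIG fields.

Added example, not NetScanTools code. Implements what the post says the
tool displays: RR types an NSEC covers, the Key ID (key tag, RFC 4034
Appendix B) of a DNSKEY, and the RRSIG fields, so an RRSIG can be matched
to the DNSKEY that produced it. All inputs below are constructed.
"""
import struct

RR_TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
                 16: "TXT", 28: "AAAA", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}


def type_name(t):
    return RR_TYPE_NAMES.get(t, "TYPE%d" % t)


def parse_nsec_type_bitmap(bitmap):
    """Decode an NSEC Type Bit Maps field (RFC 4034 4.1.2): blocks of
    (window, length, bits); bit b of byte j, MSB first, is type window*256+j*8+b."""
    types, pos = [], 0
    while pos < len(bitmap):
        if pos + 2 > len(bitmap):
            raise ValueError("truncated NSEC bitmap block header")
        window, length = bitmap[pos], bitmap[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError("NSEC bitmap block length must be 1..32")
        block = bitmap[pos + 2:pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated NSEC bitmap block")
        pos += 2 + length
        for j, value in enumerate(block):
            types.extend(window * 256 + j * 8 + b for b in range(8) if value & (0x80 >> b))
    return types


def dnskey_key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words
    (a trailing odd byte counts as a high byte), fold the carry once, keep 16 bits.
    Algorithm 1 (RSA/MD5) uses a different legacy rule and is rejected here."""
    if len(rdata) < 4 or rdata[3] == 1:
        raise ValueError("RDATA too short or algorithm 1 (legacy key tag rule)")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rdata):
    """Split DNSKEY RDATA (flags, protocol, algorithm, public key) and add the key tag."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "zone_key": bool(flags & 0x0100), "sep": bool(flags & 0x0001),
            "protocol": protocol, "algorithm": algorithm,
            "public_key_hex": rdata[4:].hex(), "key_tag": dnskey_key_tag(rdata)}


def read_wire_name(data, pos):
    """Read an uncompressed wire-format name at pos; return (dotted name, next pos)."""
    labels = []
    while data[pos] != 0:
        length = data[pos]
        if length > 63:
            raise ValueError("compression pointers are not valid in RRSIG signer names")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + ".", pos + 1


def parse_rrsig(rdata):
    """Split RRSIG RDATA (RFC 4034 3.1): fixed fields, signer name, signature."""
    fields = struct.unpack("!HBBIIIH", rdata[:18])
    signer, pos = read_wire_name(rdata, 18)
    keys = ("type_covered", "algorithm", "labels", "original_ttl",
            "expiration", "inception", "key_tag")
    sig = dict(zip(keys, fields))
    sig.update(signer=signer, signature_hex=rdata[pos:].hex())
    return sig


def rrsig_matches_dnskey(rrsig, dnskey):
    """A DNSKEY is a candidate signer for an RRSIG when key tag and algorithm agree."""
    return (rrsig["key_tag"], rrsig["algorithm"]) == (dnskey["key_tag"], dnskey["algorithm"])


# Constructed inputs (dummy key and signature bytes, not real key material).
NSEC_BITMAP = bytes([0x00, 0x07, 0x60, 0x01, 0x80, 0x00, 0x00, 0x03, 0x80])
DNSKEY_RDATA = bytes([0x01, 0x00, 0x03, 0x08, 0x01, 0x02, 0x03, 0x04])
RRSIG_RDATA = (struct.pack("!HBBIIIH", 1, 8, 2, 3600, 1500000000, 1400000000,
                           dnskey_key_tag(DNSKEY_RDATA))
               + b"\x07example\x03com\x00" + bytes(4))

if __name__ == "__main__":
    print("NSEC covers:", " ".join(type_name(t) for t in parse_nsec_type_bitmap(NSEC_BITMAP)))
    key, sig = parse_dnskey(DNSKEY_RDATA), parse_rrsig(RRSIG_RDATA)
    print("DNSKEY key tag %d, RRSIG key tag %d, match: %s"
          % (key["key_tag"], sig["key_tag"], rrsig_matches_dnskey(sig, key)))
```

Note that a matching key tag only narrows the candidates: the tag is a 16-bit checksum, so two keys in a zone can collide, and the cryptographic signature check still has to be done against each candidate.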
Wednesday, October 28, 2009
I've mentioned before how due to past problems with online games sites I have my son use a Linux distribution called Knoppix 6.0.1 that runs from a CD inside a Microsoft Virtual PC 2007 virtual machine. Well, due to a problem with a DHCP server, I found that Knoppix was taking the same IP address as an HP Laser Printer. I had been having trouble with the printer on the weekend - it decided on its own to change its fixed IP address.
So I decided to use the situation as a real world demonstration of how to find a duplicate IP address. This can be done from NetScanTools Pro using the ARP Ping Tool. Since I had my suspicions about the printer, I used the printer IP. The video shows the results quite clearly.
In NetScanTools Pro v11 we will be introducing a tool to scan the whole subnet for duplicate IPs, not just one at a time.
Tuesday, October 27, 2009
It also mentions the return of the 2 for 1 NetScanTools Pro CDROM and USB sale.
Friday, October 23, 2009
By simply changing this registry entry from a numeric '1' to a '0' (zer0), you are apparently telling the patch that the original installation was completed correctly:
Change the "Resume" value from a 1 to a 0. (If you have multiple instances of MSSQL installed, the MSSQL.1 reg key might be different for you.)
Now you should be able to install the update either from Windows Update or manually using the knowledge base patch that has a full user interface. I used the full user interface patch and you may need to stop your instance of SQL Server before the patch can be fully applied - it will tell you if you need to. I did not use the "silent" Windows Update patch.
A big THANK YOU to whoever figured this out and to the person who posted the solution here today!
Tuesday, October 20, 2009
Visit either http://www.switchportmapper.com or http://www.netscantools.com/spmapmain.html for more information or to download.
I also tried using the add-remove programs suggestion the patch log suggests, but after you get part way through it, it starts asking for SQLRUN_SQL.MSI which is not on the computer. Nor is it on the ACT 2009 install CD. And to make matters worse, I couldn't find it in the developer downloads area in MSDN.
So now I'm at an impasse. I guess the next step is to see if Peachtree (Sage) has a fix for this. I'm not holding my breath.
Oh and one comment suggested looking for another instance of SQL Server on the machine. I haven't found one yet.
Friday, October 16, 2009
Most of the time I never have any trouble with Patch Tuesday. But this time I got a consistent failure: KB970892 fails to install every time. So as a result, I have a little yellow shield with a ! in it on the taskbar - every day.
SQL Server 2005 express edition was installed by ACT 2009 last year on this XP system. Internally the SQL Configuration Util calls it Act 7. Anyway, the install log says this when it gets to the error:
"Error 29565, Product Microsoft SQL Server 2005 Express Edition. SQL Server Setup cannot upgrade the specified instance because the previous upgrade did not complete. Start the Remote Registry service and go to Add/Remove Programs, select the Change button for Microsoft SQL Server 2005, and then select SQL instance ACT7 and complete the setup."
Whatever. I went to control panel - add/remove programs and started to do this but stopped (chickened out - will do system backups before trying this). Then I went to MS's site and downloaded the KB patch manually and ran it. During the install/patch process it said to stop the process for ACT7 - I did it, but the patch still failed.
Internet searches show that other people are having the same problem, but I can't see a definitive solution. Does anyone have a solution?
Monday, October 12, 2009
Laura will be talking about SNMP and NetScanTools Pro during her Summit '09 Conference in December. The article is here (at least until Weds, Oct 14):
Laura also mentions that she had to add MIBs to the SNMP tool in order to understand the data from the printer. Without the printer MIBs translating the numbers to human readable information, the Walk results are just numbers or strings and don't really look too interesting. Today we added a new video explaining why you need to do this and how to add a MIB to NetScanTools Pro. This even works with the NetScanTools Pro Demo:
Thursday, September 17, 2009
This new video and other demonstration videos are found on this page:
Thursday, September 3, 2009
It wasn't until NetScanTools Pro 10.93 had been released for a few days that I realized the full extent of the problem. We had one customer who said that he couldn't start the program. It was the famously unhelpful XP message "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." This means that the Side by Side (SxS) system DLL linkage is wrong. The strange part was that this customer did have the 4053 DLLs installed.
I tracked it down to a problem in the nstpro.exe manifest that showed both 762 and 4053 required to be loaded. Of course this worked fine on all our computers and the majority of our customers, but not this one customer.
The fix was to recompile ALL executables, DLLs and custom libraries imported by our executables. One or more of our libraries was compiled using the 762 linkage, so when I compiled the main program, a manifest was generated asking for both.
Again, Microsoft should have warned of the full effects of this change to those using the MFC and runtime libraries when a SxS DLL linked project was opened for the first time in the Visual C++ 2005 compiler.
So now as a result of this we have released NetScanTools Pro 10.93.1 on September 1. This only affects the installed version and the demo. It does not affect the USB version because it uses statically linked libraries.
Thursday, August 20, 2009
The changes in this release range from the cosmetic (like adding our new registered trademark notation) to bug fixes to adding a minor new feature. The minor new feature was brought about by a customer suggestion and it was to provide the decimal representation of the input IP address on Subnet Calculator. Apparently our user sometimes hardcodes the IP address in a link and making it decimal makes it harder for bots to pick up the link.
Two of the bugs were seen during the August 12 webinar:
The first was when Laura was running a Continuous Ping, then she pressed Stop and went into Setup. When she was talking about the various Ping options, the Continuous Ping started up again in the background results window. This was fixed.
The second thing I saw during the webinar was when Laura entered her favorite of the day hostname and it then went through and translated it to an IP address, then ran the IP address through the list of RBL servers. The problem was that the translated address was 255.255.255.255. Actually what had happened was the host to IP didn't resolve because there was no A record for the hostname in DNS. Now if this happens, it stops and tells you that it couldn't resolve for an IP.
If you want the full list of changes, you can install 10.93, then click on the Welcome left panel control, then click on Welcome to NetScanTools Pro icon. This will show a completely revamped page including the list of changes since the last release (10.92). There are also a few helpful hints.
We will be doing additional testing on Windows 7 RTM soon to make sure everything works properly there. If you are on Windows 7 RTM and you see a problem, let us know the exact steps you are using to reproduce it -- remember, we can't fix what we can't duplicate here.
Wednesday, August 19, 2009
Anyway, the webinar went well. We had about 25 people attend. I actually spoke using a mike which was kinda cool. Laura did 99% of the talking -- something she is far better than I at doing. She covered several parts of the program: the automated tools, ARP Scanning, ARP Ping, Graphical Ping, RBL checking, TCP Traceroute and TCP Ping. Even a bit of whois and quickly touching on DNS tools.
It's always interesting to watch someone else use a program you've designed because you see that they use it in a different way than you thought people should use it. That's why customer feedback and LISTENING to customer input is so important. Whenever a usability suggestion comes in, I try to add it to my 'to-do' list. Even if it's not practical - it may be someday.
I digress. Just as with Laura's Wireshark webinars, her presentation was polished and though there were few slides, the intent of the webinar was not to go through a slide presentation but rather to provide pointers that people may miss -- like right clicking in the results to see the popup list of other things you can do.
I took part in welcoming the group and I also spoke at the end about some plans for version 11 which I won't discuss here. We also touched on the Managed Switch Port Mapping tool (http://www.switchportmapper.com/) -- Laura is interested in doing a webinar on it because not only do network admins have uses for it but it can also be used in the security arena.
Laura will be making an 'archived' version available to those who want to review the webinar. Sorry, but I don't think it will be free -- training is Laura's business so there will be a cost. I'll defer to Chappell Seminars on those points. Please visit http://www.chappellseminars.com/ for other webinars and the archived version of this one.
Great job Laura!
Monday, August 10, 2009
Our current Summer Sale includes the webinar.
Here is a description of what will be covered in the webinar and you can also sign up on the same page.
Tuesday, August 4, 2009
On Tuesday night (July 28)/Wednesday morning a set of patches was pushed out through Windows Update, specifically KB973923 and KB971090, which were updates to Visual C++ Service Pack 1.
On Wednesday July 29, I set about to rebuild our NetScanTools Pro demo in anticipation of Thursday's Laura Chappell Wireshark 101 Webinar sponsorship. I've done this frequently and tested it on computers here that had the compiler. All worked well and it was posted.
On Thursday July 30, the webinar was held and a number of people downloaded the demo.
On Friday July 31, I had two people call and email about the dreaded "C:\program files\nwps\NetScanTools Pro Demo\nstpro.exe This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." (PANIC!) A quick Google search pointed to the Side by Side (SxS) DLL linkage being wrong. After a bit of checking I saw that the MFC and Visual C Runtime DLL dependencies had changed from 8.0.50727.762 to 8.0.50727.4053 (it was in the manifest file). (FRUSTRATION!) Almost no one trying the demo will have those later SxS DLLs. I found that MS had updated the vcredist_x86.exe so I sent it to one of those people and it fixed the demo. Now I had to quickly rebuild the demo installer to include the new 8.0.50727.4053 redistributable SxS installer and post it. I did that by 5pm Pacific Time.
Bottom line: if you downloaded the demo between 5pm Wednesday July 29 and 5pm Friday July 31, you need to discard that download and redownload it today. Use the same link, that has not changed.
So here's my rant. I admit Microsoft told us they were updating some security issues with ATL, but I was using MFC and it didn't seem like it applied to us. And yes, we should have tested the demo on a computer without a compiler on it.
But Microsoft should have said:
"LISTEN UP! If you are using MFC and/or Runtime DLLs dynamically linked, anything you compile from now on will need to use the new redistributable we provided or your app might break!"
Something like this needs to be in the compiler and should be shown when the compiler first loads a dynamically linked project after they make an update such as this. What's so hard about that?
Oh and they also published similar patches for the 2008 compiler. We use that too and now we know. Needless to say non-starting demo programs probably = lost business.
Thursday, July 30, 2009
The next one is scheduled for August 18 at 10am PDT/GMT-7. Register at http://www.chappellseminars.com/s-wireshark101.html. Over 2000 people registered for today's seminar and only the first 1000 lucky people actually get to listen in, so be sure to login early on the day of the seminar.
Laura is doing a seminar devoted to NetScanTools Pro on August 12 at 12 noon PDT/GMT-7. Register at http://www.chappellseminars.com/s-nst.html. Cost is $99. Current NetScanTools Pro customers can email our sales department for a 50% off coupon.
Sunday, July 12, 2009
The class was free (always a good price) and Laura had a limit of 1000 attendees. I think over 1700 signed up. I was able to make it in under the cutoff a half an hour ahead of time. The class was conducted using a Citrix viewing program that I had to install. This was required so that we could see slides and Wireshark in action. The quality of the audio was similar to that of a phone call, not super high but very intelligible. I used DSL (1.2 mb) which was fast enough for both the video portion and the audio. Laura also provided the slides as a downloadable PDF so you could follow along (I did).
There was a way to communicate back to Laura and her assistants using both instant messaging and a phone or audio link if you needed to ask a question. Many people did ask questions. Yesterday I received the complete list of questions and answers by email.
Laura started the seminar by covering Wireshark on a general level, explaining how it can be integrated into the various packet capturing methods and explaining how it could open 'trace files' offline at a later time. Then she covered the various Wireshark placement options with their advantages and disadvantages. This included both tapping into wired network streams, mirroring them and even using wireless capture devices to see traffic on a wireless network.
Laura then moved directly into using Wireshark live to capture data into the file sets. Filesets allow you to create a large capture in multiple smaller files. Then she showed how to alter the time column so that you could see the relative time between packets rather than the default seconds since the beginning of the capture. Of course there were discussions about defining both capture filters to eliminate unwanted packets from our capture file and post capture filtering of the packets in the file. Since post-capture filtering can be complex in this program, Laura also covered changing the coloration of the rows of captured packets depending on the data in the packet. Laura also touched on following streams of TCP or UDP data. This is helpful when you are following communications between a client and server -- especially if the client is compromised by a trojan or something similar.
Even though Laura talked quicker than I ever can (though still slower than my 19 year old daughter), she ran out of time -- 75 minutes quickly ran into nearly 90 minutes. But she did leave us with a "to-do" list. First and foremost was to get the latest version of Wireshark, version 1.2. This version now includes optional GeoIP locating for IP addresses which is quite helpful (NetScanTools Pro does this too!). They take it one step further and display the IPs on a world map, which is always good (NetScanTools Pro will have this soon).
I learned that Laura puts on a very professional and well thought out seminar. This one was free and since Laura is in the training business, she also has others that are not free. The other seminars are reasonably priced. They go into detail on many networking subjects, so please consider them. You can find Laura's seminars at http://www.chappellseminars.com/. You can follow her on Twitter at http://twitter.com/LauraChappell -- she posts usually every day -- not just business posts!
I also learned things about Wireshark that I didn't know -- particularly that GeoIP option and the colorizing methods.
If you are interested in seeing one of Laura's seminars, she will be repeating this same FREE seminar live on July 30 at 12pm Pacific Time. Please consider it. Go and sign up, then have a look at the other seminars Laura offers because with travel and training budgets tight like they are, having a live seminar delivered to your desk should be something your business should strongly consider. You can sign up for the next Wireshark Jumpstart seminar here.
Friday, July 3, 2009
The first thing I noticed was that the little Endpoint Protection shield didn't have the green dot; it had the red circle with a slash. So I tried to use the Endpoint client. It said Proactive Threat Protection was down and needed to be fixed, but more ominously the virus definitions were yesterday's and not today's... After a while it hung up and I had to manually kill it. Bad news...
So next I tried logging into Symantec Endpoint Protection Manager Console. The login window appeared fine, but when I tried to login, I got a message "Failed to connect to the server". So off to Google. I found a page in Symantec's very detailed support knowledgebase that told me how to turn on "FINE" level debugging. I then opened Control Panel Service Manager and found that the Endpoint Protection Service Manager service was not running. When I attempted to restart the service, it kept stopping, so I looked in the "catalina.out" file to see what was happening. This file is the Tomcat web server log file and it shows the interactions between Java and the server. I could see at least one place where the server port 8443 had a bind failure. To a sockets level programmer, this tells me that the server was not starting properly because it could not start listening on a port. The fascinating (and frustrating) thing about this was that the NetScanTools Pro connection endpoint list was NOT showing anything else using port 8443 tcp or udp.
So next I tried modifying tomcat\conf\server.xml to a different port 8445. That didn't work. The service would exit after a few seconds. So back to Google. I found another knowledgebase article that said the tomcat uses ports 8005 and 9090 as well. Then I remembered that I saw the HP Toolbox icon on the taskbar near the Endpoint Protection shield. I wonder...
I had installed the HP Toolbox as part of a printer install a couple of years ago, long BEFORE I put this AV product on there. And I had noticed that the Toolbox had vanished and I forgot about it. So off to Windows Explorer and I searched the Program Files/Hewlett Packard and found Toolbox and Toolbox 2.0. Both had an Apache Tomcat 4.0 subdirectory. OK -- this must be it!!!
I started NetScanTools Pro and looked again at the connection endpoint list and saw that java.exe was using port 8005. So I started msconfig and found HP's Toolbox startup entry and disabled it. Then I rebooted...
The shield was back with the GREEN DOT!
The two programs interfered with each other. I don't know why the HP Toolbox was loaded first after not being loaded first for a whole year. Nothing changed yesterday---that I know of.
I wasted 2.5 hours, hopefully you won't after reading this. It really applies to any two programs that are both using tomcat.
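The lesson generalizes to any two services that default to the same ports, and the bind failure buried in catalina.out is the only symptom. The following added example (not code from this post or from Symantec, HP or NetScanTools) is the kind of pre-start check that turns that into a plain message: it tries to bind each port the service needs, reports the ones already taken, and suggests the next free one. The port numbers 8005, 8443 and 9090 are the ones named above; the function names and the loopback host default are the example's own.

```python
"""Pre-start check that a service's TCP ports are free.

Added example; not code from the post or from any product it names. Two
Tomcat instances defaulting to the same ports was the post's fault, and the
second to start failed with a bind error visible only in catalina.out.
Ports come from the post; everything else is the example's own.
"""
import errno
import socket

TOMCAT_DEFAULT_PORTS = (8005, 8443, 9090)  # the ports mentioned in the post


def port_in_use(port, host="127.0.0.1"):
    """True if a TCP bind to host:port fails because the port is already taken.

    A listener on the wildcard address (0.0.0.0) also makes the loopback bind
    fail, which is what catches a second Tomcat. A listener bound only to some
    other specific interface address would not be seen by this check.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            # EACCES: Windows reports reserved/excluded port ranges this way.
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                return True
            raise
    return False


def busy_ports(ports, host="127.0.0.1"):
    """Subset of ports that are already taken."""
    return [p for p in ports if port_in_use(p, host)]


def next_free_port(start, host="127.0.0.1", limit=100):
    """First free port at or above start, or None if none within the search limit."""
    for port in range(start, min(start + limit, 65536)):
        if not port_in_use(port, host):
            return port
    return None


def preflight(ports=TOMCAT_DEFAULT_PORTS, host="127.0.0.1"):
    """Human-readable verdict a service wrapper could log before starting."""
    busy = busy_ports(ports, host)
    if not busy:
        return "ok: ports %s are free" % ", ".join(map(str, ports))
    hints = ["%d (next free: %s)" % (p, next_free_port(p + 1, host)) for p in busy]
    return "cannot start: ports already in use: " + ", ".join(hints)


def demo_conflict():
    """Occupy an ephemeral port, run the check against it, release it, check again.

    Returns (port, verdict while held, verdict after release) so the failure
    mode can be reproduced without a second Tomcat.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        while_held = preflight((port,))
    return port, while_held, preflight((port,))


if __name__ == "__main__":
    print(preflight())
    port, before, after = demo_conflict()
    print("with a listener on %d: %s" % (port, before))
    print("after releasing it:   %s" % after)
```

The check is advisory rather than atomic: another process can grab a port between the test and the real bind, so the service still has to handle the bind error. It also tells you only that a port is taken, not by whom; for that you still need a connection-endpoint listing as described above.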
Wednesday, July 1, 2009
Everything else, including TCP Ping, is also included in the upgrade.
If you have NetScanTools Pro USB, click on Help/Check for New Version and login to get the patch. You must have an active maintenance plan to login.
Monday, June 29, 2009
Other changes include the addition of the Distributed Services bits to Packet Generator, additional information added to whois IP address queries, improvements to Traceroute and TTCP. Graphical Ping can now send packets as large as 4095 bytes.
10.92 is available now and is ready for download by current registered users. USB version 10.92 will be available in the next day or two.
Thursday, June 25, 2009
Here was my answer:
There is a difference between ARP Scan and Ping Sweep. When you do an ARP Scan of a subnet, all devices that communicate with IPv4 on that subnet must respond to ARP packets. If they don't respond they cannot communicate with any other machine. This even applies to devices that are running firewalls and do not respond to ICMP echo request packets (ping packets).
When you use Ping Sweep on that same subnet, you are sending ICMP echo request packets to every device. If the device (computer) is running a third party 'personal' firewall or even something like the built-in Windows Firewall, it may not respond depending on the firewall settings. So you will see fewer devices respond with Ping Sweep than with ARP Scan.
They both have their uses because ARP Scan does not work once it crosses a router to another subnet or WAN. ICMP packets generated by Ping Sweep are routed unless deliberately blocked, even across the internet.
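The difference comes down to which layer each probe lives at, and it is easiest to see with the two packets built byte for byte. The following is an added example, not NetScanTools code; nothing is sent on the wire, and the MAC and IP addresses are constructed. The ARP request is a raw Ethernet broadcast with no IP header, so a router never forwards it and a host firewall filtering at the IP layer has nothing to act on, which is why every live IPv4 host on the segment shows up. The ICMP echo is an IP payload, so it is routed and can be dropped by the destination's firewall, which is why Ping Sweep sees fewer hosts. The checksum routine is the standard RFC 1071 sum, included because a receiver silently discards an echo request whose checksum is wrong.

```python
"""An ARP request and an ICMP echo request, built byte for byte.

Added example, not NetScanTools code. Nothing is transmitted; the MAC and
IP addresses are constructed. Shows why ARP Scan is confined to the local
segment but cannot be ignored by a host, while an ICMP echo is routed but
can be dropped by a host firewall.
"""
import struct

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def ip_bytes(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return bytes(octets)


def internet_checksum(data):
    """RFC 1071 ones-complement sum of 16-bit big-endian words (ICMP, IP, TCP, UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet frame carrying an ARP 'who-has target_ip' request (RFC 826).

    There is no IP header at all: destination is the broadcast MAC, so only
    hosts on the same Ethernet segment ever see it.
    """
    ethernet = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)   # htype, ptype, hlen, plen, oper=request
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + bytes(6) + ip_bytes(target_ip))              # target MAC unknown: zeros
    return ethernet + arp


def parse_arp(frame):
    """Pull the ARP fields back out of a frame built above (or captured)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    oper = struct.unpack("!H", frame[20:22])[0]
    return {"operation": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": frame[22:28].hex(":"), "sender_ip": ".".join(map(str, frame[28:32])),
            "target_mac": frame[32:38].hex(":"), "target_ip": ".".join(map(str, frame[38:42]))}


def build_icmp_echo(ident, seq, payload=b""):
    """ICMP echo request (type 8, code 0) with a correct checksum.

    This is only the ICMP message; the kernel wraps it in an IP header, which
    is what makes it routable and what a host firewall inspects.
    """
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    checksum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, checksum, ident, seq) + payload


def icmp_checksum_ok(packet):
    """Receiver's check: the sum over the whole message, checksum included, is zero."""
    return internet_checksum(packet) == 0


if __name__ == "__main__":
    frame = build_arp_request("02:00:00:00:00:01", "192.168.1.10", "192.168.1.20")
    print("ARP request, %d bytes, no IP header:" % len(frame), parse_arp(frame))
    echo = build_icmp_echo(0x1234, 1, b"ping")
    print("ICMP echo:", echo.hex(), "checksum ok:", icmp_checksum_ok(echo))
```

Because ARP must be answered for a host to communicate at all, the ARP Scan result is the closer thing to a complete inventory of a local subnet; anything present in the ARP results but missing from the Ping Sweep is a host whose firewall drops echo requests, not a host that is down.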
Tuesday, June 2, 2009
The second major thing affects those who need to place the files normally found in those two paths somewhere else, maybe for a virtual machine. We've added a way to use an .ini file to describe new paths to those files.
There are also some other small changes and as usual we've updated the databases. Whois now supports several more top level domains and there were two corrections to existing domains -- like .mil whose whois server went offline a while ago.
If you have 10.x and your maintenance plan is active, please use Check for New Version to get the latest version.
And don't forget to look at http://www.netscantools.com/ once in a while for periodic sales. Right now there is a 2 for 1 sale, a USB and CDROM license for the price of the USB.
Tuesday, May 19, 2009
This redesign was my first real serious use of Expression Web. I'm not used to CSS, so it's taking me a while to get it working right. I have a new respect for those who can build fancy sites with CSS.
I still want to improve it with some additional graphics, but that will be in the next revision.
Drop by and have a look: http://www.switchportmapper.com/
Monday, May 18, 2009
I also added in better results grid column sorting and export of the Switch Properties report to a text file. SQLite and the databases were updated.
If you have the software, please click on Help/Check for Update or visit http://www.netscantools.com/switchportmapperdownload.html
Friday, May 15, 2009
Yes. When we stopped producing NetScanTools Standard 5.1 in August 2004, we left a whole lot of registered users without any alternative. Business users who wanted to move up opted for NetScanTools Pro, but many, many home and small business users could not justify or afford the upgrade, so they either kept using NetScanTools Standard (yes, we still hear from people who have used it for years) or they found something else.
Two weeks ago we decided to make a new program using the latest Visual C++ 2008 compiler along with an updated interface -- that's right two (2) weeks ago. Now there is a new program created from almost scratch and it is completely finished! And it works fine on Windows 7, Vista 32/64, 2008, 2003, XP and even Windows 2000.
This new tool has simplified versions of six tools: Ping, Traceroute, Ping Scan, Graphical Ping, DNS Tools and Whois. They are very usable versions of more advanced tools found in NetScanTools Pro. There are embedded web pages comparing the NetScanTools Basic versions of the tools with the NetScanTools Pro versions. Plus we show you what other tools are available in NetScanTools Pro -- just in case you are interested.
It is now our entry level program.
And it's freeware. Try it. Enjoy it. And don't forget to give us feedback on the About NetScanTools Basic page.
You can find it here:
Tuesday, May 12, 2009
I bought a 2001 model Prius new in November 2000 and I now have 105,000 miles on it, so I would call myself an experienced owner. Not too long after I bought it a leading consumer magazine stated that their measured combined city/hwy mileage was 41 mpg. This is something that has stuck with the 1st US generation Prius and is still widely reported.
Let me just say that if our Prius ever averaged as low as 41 mpg, I would have it back to the dealer for repairs. In fact, I cannot recall ever filling up and getting below 40mpg. I have had as high as 51 mpg as measured by a fillup -- the display mileage is a good indicator, but not always correct, it has read as high as 54mpg which I do not believe.
As an engineer I know that in order for my mileage to be valid, I should reduce or eliminate as many variables as possible. Since I live in a small town, I always fill up at the same Chevron station (except on trips). Usually at the same pump so the angle of the car is the same. Another variable in computing mileage is the time of year. Gasoline formulation changes throughout the year -- winter blends are different than summer blends.
Oh, and don't forget that blasted ethanol blending encouraged by people who want to see their food prices go up. When I first got the Prius, the Chevron pump did not have a 10% ethanol blend sticker on it. A couple of years ago (or so) it appeared and the mileage promptly went down a couple mpg, never to come back up. Refiners here seemed to be late in adding ethanol because we get our crude from Alaska and the ethanol has to be shipped here.
But the blend is only part of it: that model Prius appears to be highly susceptible to temperature.
My observations are that when the temperature is below 40F, the mileage goes down to the 43mpg vicinity. When the temperature is above 60F, the mileage goes up into the high 40s.
Most of my driving is at county road speeds, a bit of highway and a bit of 10-25 mph retirement town crawling. Our elevation varies from sea level to 250 feet. And I replaced the OEM tires that wore out quickly (we went through two sets way before 50K miles) with Les Schwab TOYO 800 Ultras several years ago -- the TOYOs supposedly have a higher rolling resistance than the OEMs, but I didn't notice any mileage differences. I keep them at 40 psi and try to check them once a month. And before you say that my speedometer/odometer is wrong because of non-OEM tires -- Sequim just installed 2 traffic radar units in front of the high school to tell you to go 20 mph -- the speedometer matches the radar units' displays.
All this is to say that the magazine ran some tests, probably in the winter with ethanol in the gas at an unreported altitude higher than sea level and forever pronounced it to be 41 mpg combined. They would be surprised to learn that I filled up last week and got about 47 mpg which is not bad for a 9 year old car in late April/early May.
Perhaps they should consider testing cars at more than one location and at different temperatures for a more accurate report.
Monday, May 4, 2009
Sunday, May 3, 2009
The second major improvement is to the NetScanner Ping Sweep tool. Previously the NetScanner tool was taking about 20-30 seconds to scan a 254 IP linear range of IPs on your local subnet. By making some changes, I was able to get this down to the low 6 second range. A speed improvement of about 4 times.
There are a number of other improvements that you will run into: ARP Scan now has a hostname column, Domain Keys now queries on default._domainkey, etc., SMTP Email Test can now request receipts and set priority to urgent, plus you can add a custom header item.
I'll get a page together and post a video soon about the new Graphical Ping tool.
Friday, April 17, 2009
Monday, April 6, 2009
So go to www.switchportmapper.com to get the software or if you already have it, click on Help/Check for Update.
Friday, March 13, 2009
Last weekend I was checking the news on a few sites using fully patched IE6 on XP when I went to my local major news site. Before the page finished loading, I saw this message in a standard popup dialog box with OK and Cancel:
"For the further viewing of page it's needed to set an update.
To update it immediately press OK."
Immediately and strongly suspicious (the POOR English was also a clue), I looked on the lower left bar of IE and saw "84654321(dot)cn/vparivatel.php" (I replaced the period with dot so you won't accidentally click on it -- DO NOT go to that URL -- it's still alive). The .cn extension was enough for me to know that something not good was happening. I quickly wrote it down and used Task Manager to kill iexplore.exe. Then I restarted and cleaned out IE's cache.
Killing IE is the best way to deal with things like this because as you will discover below, hitting Cancel was just as bad as hitting OK on that dialog box.
Next, I fired up NetScanTools Pro and went to URL Capture. This tool brings in the text from a website and does not run scripts or download images. It simply downloads the raw text and displays it. So I entered the URL and retrieved it. Inside the script tags was this:
if (confirm('\nFor the further viewing of page it\'s needed to set an update.\nTo update it immediately press OK.'))
You can see that whether you press OK or Cancel or red X, it appends ?a to the URL and activates it. So next I used URL Capture to do just that, manually of course. And guess what, MALWARE. Here is the start of what comes back:
Content-Disposition: inline; filename=1.exe
MZ followed by lots of barely printable characters, then part of a regular webpage.
MZ are the first two characters of an executable Windows file, and IE was being told that it was an application. So if I had not killed IE, it would have infected my computer with this executable. Needless to say I contacted the news site webmaster, but they didn't reply. I suspect it came through an ad that was rotated through.
Don't go to that URL because if you do, you will get this MALWARE executable -- it is still alive today.
Searches on 1.exe and vparivatel reveal that it does something similar to that other MALWARE I reported on where there is a forced redirect (hijack) to a bogus AV or security product.
The moral of all this is that you can get these things even from what you think are trusted sites. If those sites are running ads from other 3rd parties, you cannot totally trust the site. And the second thing is to kill your browser with Task Manager rather than trying to shut it down normally -- oh and don't forget to clean the browser's cache -- immediately.
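The check the author did by hand with URL Capture, written up as an added Python example (not code from the post or from NetScanTools): parse a raw HTTP response without executing anything and flag an executable body that is being served as if it were a page. The response bytes are constructed to resemble what the post describes; they are not the real payload.

```python
"""Flag HTTP responses that deliver a Windows executable (MZ) instead of a page.

Added example. SAMPLE_RESPONSE is constructed for illustration: headers claim
inline text/html with an .exe filename, the body starts with the 'MZ'
signature and then trails off into HTML, as the post describes.
"""
import re

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Disposition: inline; filename=1.exe\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"<html><body>update</body></html>"
)

# Magic numbers a browser should never render as a page.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (JAR, APK, Office documents)",
}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")


def split_response(raw: bytes):
    """Return (status_line, headers_dict, body) from a raw HTTP response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def disposition_filename(headers):
    """Extract the filename from Content-Disposition, if one is present."""
    disp = headers.get("content-disposition", "")
    m = re.search(r'filename\*?=(?:"([^"]+)"|([^;]+))', disp, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip()


def inspect_response(raw: bytes):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    _status, headers, body = split_response(raw)
    findings = []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    fname = disposition_filename(headers)

    # 1. Does the body start with an executable signature?
    for magic, desc in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            findings.append(f"body starts with {magic!r}: {desc}")
            if ctype.startswith("text/"):
                findings.append(f"Content-Type '{ctype}' does not match executable body")
            break

    # 2. Is the server naming an executable, and asking for it to be shown inline?
    if fname and fname.lower().endswith(EXECUTABLE_EXTENSIONS):
        findings.append(f"Content-Disposition names an executable: {fname}")
        if "inline" in headers.get("content-disposition", "").lower():
            findings.append("executable marked 'inline' rather than 'attachment'")
    return findings


if __name__ == "__main__":
    for finding in inspect_response(SAMPLE_RESPONSE):
        print("-", finding)
```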
Tuesday, March 10, 2009
10.81 (released just 5 days before) had several fixes, the biggest was fixing the Windows 7 crash problem. It was happening because we were not correctly identifying the new operating system and reverting to older code usable only on Windows 2000. Windows 7 didn't tolerate those old function calls at all, so the program crashed. The second most important addition was a warning message that now appears when you click on a results link in URL Capture. Other minor changes were made and all databases were updated.
Thursday, February 19, 2009
Here's what I did: I downloaded Knoppix 6.0 ISO image and burned it to a CDR. Then I changed the computer that formerly had the trojan so that it would boot from the CD drive first before going to the hard drive. I put in the Knoppix CD and rebooted.
A simple text interface shows up that allows you to select a number of things, one of which is a full X desktop. All the things you need for web browsing are in there including a modified version of Firefox called Iceweasel. We now use Iceweasel to play the online games. By default it doesn't allow scripting, so we had to learn how much scripting is necessary, but now his online games play fine with complete graphics and sound just as though he were on Windows XP -- except without the worries of picking up malware. It doesn't use the hard drive, just memory.
When he's done, we exit the X session and shutdown/reboot. Simply remove the CD and Windows comes back when you reboot.
One thing we did find is that it works best with a wired internet connection -- I couldn't get any of the wireless computers to work with Knoppix, but then maybe I don't know exactly what to do.
Here are the details about the conference:
Wireshark(r) Developer and User Conference
June 15 - 18, 2009
Stanford University Palo Alto, California
SHARKFEST is an educational event that offers in-depth instruction over the course of 3 days to the benefit of anyone wishing to enhance their skill set with, and optimize the effective use of, the world's most popular network and packet analyzer, Wireshark.
Space is limited and due to a full house last year, early registration is strongly encouraged. Single registration for all 3 days is $695.00 USD. Details including conference hotels, group discounts and the conference schedule can be found at http://www.cacetech.com/sharkfest.09/. Every paid registration will receive a FREE AirPcap Classic Adapter (SRP $198 USD) and so much more!
Thursday, February 5, 2009
One comment on the original xpsdg6420222.exe file. Symantec identifies it as a Bloodhound.SONAR.2 file which "indicates a running process with behavior similar to that of a Trojan horse that records keystrokes. It may represent a new, previously unidentified type of risk." Definitely a risk that I don't ever want to see again.
Thanks to all those who left comments and I hope what I've shown you was instructive and helpful. I certainly learned a lot and my next post goes into an even more difficult, yet similar problem on yet another kids' computer.
Friday, January 30, 2009
Also, to all those following my analysis, please be careful when messing around with svchost.exe because there is a real one and a fake one. The real one lives in system32 and the fake one lives in system32\drivers. This is especially important when you are going through the registry. There are references to the real one and references to the fake one, so BE CAREFUL.
Thank you all for your great comments.
Wednesday, January 28, 2009
It was about 6:30 last night when my son said "That's weird, mom's computer just rebooted". I asked him if he did it and he said no, he was in the middle of playing one of his online games. I thought uh-oh, not now -- I'm just way too busy.
(update: I was running AVG free version 8 on this machine at the time and it did not see this.)
When it rebooted, all looked normal except for a supposed Windows Firewall message that it had blocked an attempt by Win32.Zafi.B to talk out through the firewall. The Keep Blocking and Unblock buttons were grayed out and a third button was there -- it said something about fix it -- so I clicked it and like magic, IE7 opened up viewing Defender-Review [.] com where it tried to tell me that I had viruses and I had to buy their AV software to fix it.
So I immediately unplugged the network cable. Next I went to another computer on another network and did research on the supposed virus and the web site that popped up. The virus was an old email virus from 2004. Little chance of that happening because we use Pegasus on that machine and I don't allow attachments to be opened. And email was scanned on the way in.
So I focused on the web site - I wondered "is their marketing budget so low that they have to resort to hijacking to get people to come to their site?". I quickly learned enough through Google to see that it was a browser hijack. Oh, by the way, this was the first hour wasted.
Next I tried the basics. I opened Firefox and it wouldn't open on the desktop. It appeared in Task Manager, but did not open the first time. I killed it and tried until it eventually appeared with a strange message about blocking and to click on some links -- view source showed that it was an embedded window in the original. And NetScanTools Pro's URL Grabber pulled in the text portion of URLs without a problem -- it is completely safe. OK, definitely browser hijacking.
So I next launched msconfig. As soon as I went to the Startup tab it started blinking rapidly and the computer went through the fastest shutdown I've ever seen. Now I was mad.
I restarted it and went into Safe Mode. I started msconfig and carefully examined the Startup section (I knew they had to use this) and found what I was looking for -- an out of place entry with an apparently random exe name (I've seen this method before):
(checked box) xpsdg6420222 -- "C:\Documents and Settings\%username%\Application Data\Google\xpsdg6420222.exe" 2 -- Software\Microsoft\Windows\CurrentVersion\Run
I immediately UNCHECKED it, pressed OK and went to that FAKE Google directory and removed the EXE and a DLL that was with it -- sorry I can't remember the exact name of the DLL -- I think it was mjkdpl.dll. They both had no versioning or authoring resources and Google toolbar is not installed.
Then I searched for that filename with regedit and found one instance of it. I didn't write down where -- sorry!
Next I rebooted and I now had control of the browsers. But wait! that's not all: the next morning I did more research and found that there may be more "droppings" -- kind of like the elk poop in our yard -- on the computer.
So I searched the hard drive for all files created yesterday and sorted by time so I could see the ones created when the problem was first noticed. I found several. I noticed that 3 minutes before a group of strange files (all had no versioning resources) there was one 2MB file called acr442b.tmp. While viewing it in notepad, I saw "pdf" at the beginning. Maybe a coincidence, maybe not. That computer had Acrobat Reader 7.1 on it. So I uninstalled it and installed Reader 9. The old version might have been the infection vector, but it also could have been a clicked-on popup -- I can't get an 11 year old to remember.
Back to the file list. I found and removed these:
C:\Documents and Settings\%username%\Local Settings\Temp\acr442b.tmp
C:\Documents and Settings\%username%\Application Data\Adobe\usanaz.exe (21kb)
C:\Documents and Settings\%username%\Application Data\AdobeUM\manol.exe (13kb)
C:\Documents and Settings\%username%\Application Data\AppleComputer\xerks.exe (1kb)
C:\Documents and Settings\%username%\Application Data\Corel\rasim.exe (16kb)
C:\Documents and Settings\%username%\Application Data\Cyberlink\gdi32.dll (12kb)
C:\Documents and Settings\%username%\Application Data\Help\kernell32.dll (10kb -- note the extra 'l' in kernel -- a dead giveaway)
Note: I did not find sinashi.exe, msclock.exe, netsk.exe as some sites have reported -- probably a versioning issue. I even searched again for them in Safe Mode.
I also found but could not remove this one because it was 'in use':
Now I'm PO'd again because svchost.exe DOES run as part of the operating system, but that's not where it's supposed to be located. It should be in System32, not down in drivers, and it should be 14K. Be sure to leave the svchost.exe that is in C:\Windows\System32 alone. It's part of the operating system. The one down in "drivers" has to go.
OK, back to Safe Mode. Now I opened regedit to search for all instances of "drivers/svchost.exe". I found these places:
(this runs it at startup)
(these poke a hole in Windows Firewall for their malicious svchost to send data)
It was not in CurrentControlSet, which was weird.
Then I deleted C:\Windows\System32\drivers\svchost.exe.
Then I rebooted normally and temporarily installed Symantec Endpoint Protection 11 and scanned the whole machine. Nothing. I also installed Malware Bytes Anti-Malware -- 6 minor cookie things which were apparently unrelated.
I think I got it all. I hope this helps someone else remove this trash that illegally took control of our PC. I am a programmer and an MS user since DOS 3.1, so I'm well aware of some of these tricks and knew where to look. If I were an average non-technical user, I would have been hosed because no scans caught it. As it was I wasted 3 hours on this.
I'm going to try and get Knoppix up and running off a boot CD so my son can play his online games without worries. Try your stupid hijacking tricks against that. And try selling your software the way we sell ours: by being innovative (legally) and providing good value for your customers.
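The triage rules the two posts above apply by hand (a system binary name such as svchost.exe living outside System32, a look-alike name like kernell32.dll, executables with no version resources dropped under Application Data, creation times clustered around the incident) can be scripted. This is an added Python example, not code from the post; the file records are constructed from the paths the post lists (sizes and timestamps not given in the post are made up), and in practice they would come from a directory walk plus a version-resource check.

```python
"""Score file records for the tell-tale signs of the dropped files in the post.

Added example with constructed records; not part of the original post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath  # Windows path rules, so this also runs on a Linux analysis box

# Binaries that legitimately live only in the Windows system directory.
SYSTEM_ONLY = {"svchost.exe", "kernel32.dll", "gdi32.dll", "user32.dll",
               "lsass.exe", "winlogon.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class FileRecord:
    path: str
    size: int
    has_version_info: bool   # PE version resource present (author/version strings)
    created: datetime


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one-character look-alikes of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(rec: FileRecord, incident: datetime, window=timedelta(minutes=30)):
    """Return the list of reasons this file deserves a look (empty = nothing odd)."""
    findings = []
    name = ntpath.basename(rec.path).lower()
    directory = ntpath.dirname(rec.path).lower()
    in_system_dir = directory in SYSTEM_DIRS

    if name in SYSTEM_ONLY and not in_system_dir:
        findings.append(f"system binary name '{name}' outside System32")
    else:
        for real in SYSTEM_ONLY:
            if name != real and levenshtein(name, real) == 1:
                findings.append(f"look-alike of '{real}'")
    if name.endswith((".exe", ".dll")) and not rec.has_version_info and not in_system_dir:
        findings.append("executable with no version resources")
    if "\\application data\\" in directory and name.endswith(".exe"):
        findings.append("executable dropped under Application Data")
    if abs(rec.created - incident) <= window:
        findings.append("created within the incident window")
    return findings


def run_triage(records, incident):
    """Map path -> findings for every record that tripped at least one rule."""
    out = {rec.path: triage(rec, incident) for rec in records}
    return {path: f for path, f in out.items() if f}


# Constructed records: the post's paths, with the real svchost and a browser as controls.
INCIDENT = datetime(2009, 1, 27, 18, 30)
_AD = r"C:\Documents and Settings\user\Application Data"
SAMPLES = [
    FileRecord(r"C:\Windows\System32\svchost.exe", 14336, True, datetime(2008, 4, 14, 12, 0)),
    FileRecord(r"C:\Windows\System32\drivers\svchost.exe", 30208, False, INCIDENT + timedelta(minutes=2)),
    FileRecord(_AD + r"\Help\kernell32.dll", 10240, False, INCIDENT + timedelta(minutes=3)),
    FileRecord(_AD + r"\Cyberlink\gdi32.dll", 12288, False, INCIDENT + timedelta(minutes=3)),
    FileRecord(_AD + r"\Adobe\usanaz.exe", 21504, False, INCIDENT + timedelta(minutes=3)),
    FileRecord(r"C:\Program Files\Mozilla Firefox\firefox.exe", 7340032, True, datetime(2008, 11, 1, 9, 0)),
]

if __name__ == "__main__":
    for path, reasons in run_triage(SAMPLES, INCIDENT).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```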
Friday, January 23, 2009
What they really wanted was to do some kind of trace or ping to the laptop's MAC address and get a response back if it happened to be online somewhere on the internet. Since our software has ARP Ping, they thought it could be used to ping their computer's MAC address. I had to go through an explanation where I basically told them that although their MAC address may be (or may not be) unique, the system of routing packets on the internet has no way of sending a packet to the MAC address of their lost laptop. I told them that the MAC address is a hardware address of the ethernet card and it is only used within the local network (on his side of his DSL router). The packets leaving his network through the router are on a higher level protocol and do not retain the MAC address of the devices on his side of the DSL router. That's the simple explanation. I told them next time they buy a laptop to get software that periodically "phones home" like LoJack.
The more detailed explanation has to do with how packets are transmitted on a network. To send a packet between two computers on the same ethernet network you need two types of addresses: Layer 2 (L2) -- the OSI model link layer and Layer 3 (L3) -- the OSI model network layer. L2 addresses are local in scope, which means that two devices may have the same L2 address (this does happen) as long as they are not on the same network segment or subnet. An L3 address must also be unique within the scope of the network it is connected to. On an ethernet network a MAC address is an L2 address and an IPv4 address is L3.
In order to deliver a packet between two computers on an ethernet network, L2 addresses need to be mapped to L3 addresses. This mapping can be either dynamic (the usual method) or static. The ARP protocol (RFC 826) is used to build and maintain this mapping. It is a simple protocol intended to find the L2 hardware address of a device given a known L3 IP address on a network (usually, but not limited to, ethernet). A device does this by sending an ARP Request packet to all the devices on the network segment asking for the L2 address given a known L3 address.
A typical ARP conversation looks like this:
"All devices! (255.255.255.255) -- who has IP address 192.168.1.29? My IP address is 192.168.1.44 and my MAC address is 00:11:22:22:33:ef" (ARP Request)
"Device 192.168.1.29 replies -- I do! I do! and my MAC address is 00:22:44:66:ab:cd" (ARP Reply)
Now the ARP cache on each device has the IP address and MAC address of the other and they can exchange packets. Each device keeps a transient ARP cache locally showing those mappings based on previous packet exchanges.
When you need to send a packet to an IPv4 address outside your network segment, your computer sends it through the Default Gateway or router. How does your computer know when to send a packet through the gateway? By looking at the destination IP address and subnet mask. When your computer sees that the packet has to leave the network segment, it finds the L2 and L3 address of the gateway/router, then sends the packet there. The router sees that the IP address is not for the local network segment and uses its routing table to forward it on to the next network. The IP packet does not retain the network L2 address of your computer once it goes through the router, just as ARP Request packets are not sent through the router. The networks on the other side of the router will most likely have different L2 Link Layer addresses that are not necessarily MAC addresses as you know them.
So back to the original question: can ARP Ping be used to send a packet to some MAC address outside your network?
No. Because ARP Ping is simply sending the normal ARP Request packet while monitoring the timing. If you try to send a strange ARP Request packet with the destination IP address 0.0.0.0 in it but containing a valid local destination MAC address, it won't work because no computer on your segment will respond. The ARP service on all the listening computers is looking for the IP address of the device that received it, not a MAC address. When the ARP packet hits the router, it is ignored if it does not have the IP address of the router in it. And similarly, if you send a packet with IP 0.0.0.0 and a random MAC address, it too will not leave your network.
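The ARP exchange and the "MAC address only" failure case above, as an added Python simulation (not code from the post or from NetScanTools Pro): RFC 826 request/reply framing, hosts that reply only when the target IP is their own, and one broadcast segment that the router never forwards. The IP and MAC addresses are the ones from the post's sample conversation; the hosts and the segment are constructed.

```python
"""Simulate ARP on one ethernet segment using RFC 826 framing.

Added example. The two addresses come from the post's sample ARP conversation;
the bystander host and the segment itself are constructed.
"""
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # hrd, pro, hln, pln, op, sha, spa, tha, tpa = 28 bytes


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode the ARP body for ethernet (hrd=1) carrying IPv4 (pro=0x0800)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, op,
        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )


def parse_arp(pkt: bytes) -> dict:
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt)
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        raise ValueError("not an ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class Host:
    """One device on the segment: an IP, a MAC and a transient ARP cache."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp_cache = ip, mac, {}

    def receive_arp(self, pkt: bytes):
        """RFC 826 receiver: learn the sender; reply only if the target IP is ours."""
        arp = parse_arp(pkt)
        self.arp_cache[arp["sender_ip"]] = arp["sender_mac"]   # both sides learn
        if arp["op"] == ARP_REQUEST and arp["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        return None   # the target MAC field alone never triggers a reply


class Segment:
    """A broadcast domain. ARP requests stop at the router, so this is ARP's whole world."""

    def __init__(self, hosts):
        self.hosts = list(hosts)

    def arp_ping(self, sender: Host, target_ip: str, target_mac="00:00:00:00:00:00"):
        """Broadcast an ARP Request and return the MACs of the hosts that replied."""
        req = build_arp(ARP_REQUEST, sender.mac, sender.ip, target_mac, target_ip)
        replies = []
        for host in self.hosts:
            if host is sender:
                continue
            reply = host.receive_arp(req)
            if reply:
                sender.receive_arp(reply)   # requester caches the answer
                replies.append(parse_arp(reply)["sender_mac"])
        return replies


REQUESTER = Host("192.168.1.44", "00:11:22:22:33:ef")   # from the post
RESPONDER = Host("192.168.1.29", "00:22:44:66:ab:cd")   # from the post
BYSTANDER = Host("192.168.1.1", "00:aa:bb:cc:dd:01")    # constructed
SEGMENT = Segment([REQUESTER, RESPONDER, BYSTANDER])


def demo():
    """Return (replies to a normal request, replies to a MAC-only request with IP 0.0.0.0)."""
    normal = SEGMENT.arp_ping(REQUESTER, "192.168.1.29")
    # Valid local MAC but target IP 0.0.0.0: nobody owns that IP, so nobody answers.
    mac_only = SEGMENT.arp_ping(REQUESTER, "0.0.0.0", RESPONDER.mac)
    return normal, mac_only


if __name__ == "__main__":
    print(demo())
```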
Tuesday, January 20, 2009
The highlights of this release are:
1. SNMP settings are now individually retained and set for each device IP address.
2. XML spreadsheet export significantly enhanced so that when you import it into Microsoft Excel or OpenOffice Calc, you see the same thing as you saw in the results grid.
3. XML import of previously saved results now works correctly.
4. User interface changes to the left control panel.
5. Internal database format changes necessary for version 2.0.
OK, so what about 2.0? I can't tell you yet. Why? It will be out before summer.
Oh, and also in this release is a cool thing to help out the first time user. When you first run the program the Help File opens up to the Getting Started section. This section has been significantly revised so that new users can understand what they need to do to use the program. It is and is not a simple program to use. Once you understand what is required by the program, it works well.
In case you are wondering what on earth I'm talking about...have you ever looked in a wiring closet and seen all the same color gray cables attached to a switch? Have you ever wondered how you are supposed to trace those cables back to computers in the next room? The Managed Switch Port Mapping Tool communicates with an SNMP managed switch to find out what devices are connected to its physical ports and map out those connections. The results are presented in an easy to understand spreadsheet format. Learn more about it here.
Friday, January 16, 2009
The biggest thing about this version is the change from global setting of the SNMP parameters to individualized settings saved for each SNMP device. That way one can use SNMP v1 and another can use SNMP v2c or maybe even be on a non-standard port number -- whatever. Another significant change is in the look of the left side control panel. It's more organized now and hopefully easier to understand. The final significant change is in the XML export. It now conforms better to the XML standards Microsoft uses for Excel. After all, the results are in a spreadsheet. The column widths are correct and the font is now supplied. It just plain looks better when you import it into Excel. If you don't have Excel, that's not a problem -- it also works with OpenOffice 3's Calc. It imports just fine if you select the MS Excel 2003 XML import filter.
Look for it early next week. And one more thing, this is probably the last 1.x version. The internal and visible changes made in 1.96 were necessary to support the new cool things coming in 2.0...
Thursday, January 15, 2009
The standard and scientific modes have both undergone minor facelifts with some of the buttons renamed and grouped better. But the big changes are the addition of two new modes: Programmer and Statistics. Obviously I'm drawn to the Programmer mode because I need to see bits in my work with packets in NetScanTools Pro. There is a cool binary display below the normal display where you can easily visualize what's in the bytes. Changes to this have been long overdue and I will definitely be using the Programmer mode once I jump my development machine from XP to Windows 7.
Wednesday, January 14, 2009
Then I saw a link in the start menu for games. Cool. So I opened it up and saw the usual games plus three that I don't recall seeing in the past: Internet Checkers, Internet Backgammon and Internet Spades. I'll be trying those out soon. What was more interesting for me was the area on the right where it said "This computer's Performance Information has not been created."
OK, so let's create it -- I clicked on "Rate this computer", then again on the "Rate this computer button" on the next page and got a somewhat surprising message "Unable to run an assessment inside a virtual machine. WinSAT can not obtain accurate measurements inside of a virtual machine. Please try again running directly on the native hardware." DARN! -- but cool nevertheless. It knew it was running inside Virtual PC 2007. Maybe I should find a spare hard drive to put this on in another machine...
Monday, January 12, 2009
One thing I was very concerned about was the operation of WinPcap on this operating system. So the first thing I tried was the ARP scan of our subnet because it uses WinPcap to create the ARP packets. It worked! Another BIG sigh of relief!
So I went ahead and started testing all the other functions. Everything worked fine until I got to the Network Statistics tool. Just like when we first tested on Vista -- it FROZE -- obviously Microsoft changed something. I'll find it. I have to install the 2005 compiler and source on the beta, then step through it to find the offending function call. Not too hard -- usually. If you run into this, you have to open up the registry editor and clear the currentView key under HKEY_CURRENT_USER\Software\NWPS\NetScanTools Pro 10\CommonDataEntry. Then you can restart the program without it locking up again. Just don't try to use the Network Statistics tool.
All the other functions worked fine. I saw no other problems whatsoever. So the transition from Vista to Windows 7 should be fairly quick for NetScanTools Pro.
Things I noticed about installation: less user interaction required to get it installed. Yes, there was the usual location and time stuff, but there was less other stuff. And it only rebooted once to complete the installation which was great. I did ask for the product key which I was given before I downloaded it and it did the product activation automatically. Whether all this simplicity remains in the RTM version, we'll just have to see.
Windows 7 Observations: some user interface changes -- more glowing things like icons and bars. The start menu button glows when your cursor hits it. The layout of the start menu is a bit cleaner as is the Windows Explorer layout. The start menu does look fairly much unchanged other than small appearance changes. Everything is where it was in Vista. The taskbar is bigger -- approximately twice as high and the programs are shown as icons without their names. This appears to be a departure from earlier OSes. Maybe some of you will notice that the default background screen is a fish -- not just any fish, but a betta -- you know, a play on the word BETA. I think it should be an active background with the fish moving around. What a cool timewaster that would be.
Another biggee is less and I mean way less of those annoying UAC messages "are you sure you are sure you are sure...". I was able to open the registry editor without a big argument from the operating system -- nice!
Another thing that is on every window titlebar is the "Send Feedback" link. I guess they want feedback, but since I've only used it for an hour, I'll hold off.
So far, I like what I see!
Friday, January 9, 2009
The end user acceptance of Vista seems low after two years. I say this based on visitor logs of our websites and also our own user polls during product registrations. XP is still the dominant operating system seen in our website logs at a rate of 75%-78% of all Windows OS visitors. Vista is running about 15%-20% with the other old Windows operating systems down in the noise. This data comes from two sites looking at the last couple months. This represents a small increase in the Vista numbers from what I reported in October and it does show a couple percentage points drop in the XP numbers. These kinds of numbers are probably behind the push to get Windows 7 out -- reminds me of Windows ME.
While I haven't actually got my hands on the Windows 7 beta yet, I do want to try it out soon. I hope it will load into MS Virtual PC 2007 for testing. Hopefully none of our software breaks this time and our code changes will be minimal -- there were so many code changes required for Vista.