Thursday, December 24, 2009

Merry Christmas

To those of you who celebrate Christmas: Merry Christmas!

Our office will be close on Dec 25, 2009. Any orders placed online will be processed on Saturday, Dec 26.

NetScanTools LE Status

Well it won't be out before Christmas. Much as I wanted to get it done, it's not quite done. The post-purchase registration system is just about done and is being tested today. The next step is finalizing the fileset and building the installer. Then release. Watch this space for news.

NetScanTools LE is the "Law Enforcement" version: see

NetScanTools Pro Maintenance Plan Renewal Sale

Did you forget to renew your NetScanTools Pro v10 Maintenance Plan? -maybe by a lot? -maybe even by a year or more?

Here is your chance to be back on the plan and get the Windows 7 friendly 10.94 version! Special price reduction on the "Over 180 days Late" v10 Maintenance Plan renewal - instead of $150, the renewal price is $135 through December 31, 2009. Call us (360) 683-9888 or go to the maintenance plan page below for a link to order online:

Tuesday, December 15, 2009

Boeing 787 Dreamliner' First Flight over Sequim WA

I took this video about 10 minutes after the 787 first took off. It was headed out the Strait of Juan de Fuca towards the relatively unpopulated areas of the Washington coast--like Forks. Sorry about the quality, it was high up and there were clouds which made it tough for the camera to focus. You can see the 787 and the chase plane. There were two chase planes when it took off, but only one stayed with it. Notice how quiet it is. You can see the landing gear still out if you look carefully.

Kirk Thomas

Friday, December 11, 2009

Weekend Sale Dec 11-14

The Managed Switch Port Mapping Tool is 35% off this weekend - Black Friday continues! See this page:

Monday, December 7, 2009

Windows Trojan removal using Knoppix

My brother called me to say his Windows XP laptop had trojan problems. He said it all started after he applied for a game testing job over the internet where the company had him download an executable application to use as part of the process (not a good idea).

The first thing I did was tell him to download MalwareBytes antiMalware and HiJack This. I had him run HiJack This and send me the scan dump text. Some malware won't even let you download or run those, so he was lucky. I spent a bit of time going through the list, but right off I saw a few obvious pieces of malware in the startup and a bunch of junk like old printer driver accessories that needed to go.

The obvious malware looked like this under the categories AppInit_DLLs, SSODL, and SharedTaskScheduler:

wehazibi.dll, gaganoza.dll, mudabihu.dll, wukoraga.dll, jujutoji.dll, jaduzumi.dll, bezijigi.dll, wegagolu.dll

And this entry
MySQL c:\Program.exe (file missing)

Another interesting file was c:\windows\system32\GameMon.des.exe (file missing). Various sources say this is not good to have, so I put it on the list.

The problem was that HiJack This couldn't remove all the things I listed, nor could Malware Bytes because the malware was not letting him boot into Safe Mode. But that was OK because I told him to use Knoppix. He had never heard of it, but eventually he understood that Knoppix is a CD based Linux that can access your hard drive if you want it to. And the best part is that it's another OS, so it's completely unaffected by the viruses or trojans on your Windows hard drive.

I had him set the laptop to boot from the CD drive and had him burn a CD of the Adriane version of Knoppix 6.2.0. He chose to use the command line interface from the Knoppix menu instead of the X-Windows interface, but that's OK if you know how to use 'cd' to change directories and 'rm' to remove files. I prefer the X-windows interface because it has a full file manager. But sometimes Knoppix has trouble with the mouse especially if it's a laser mouse (hopefully this gets improved), so he probably made a good choice - I don't know how it works with a touch pad on a laptop either.

Anyway, after booting to Knoppix he was able to cd to those file locations and delete them off the C drive. Then he rebooted and was able to use HiJack This to remove the startup entries, then he ran Malware Bytes anti-malware to clean up 'droppings'. Plus I had him update Java and other things like Adobe Acrobat.

People don't realize that Knoppix can be used to view hard drives without actually booting Windows, you simply put in the Knoppix CD, reboot and go from there. I learned about this technique from a Law Enforcement customer - they use it to view files on bad guy computers without booting Windows. But you can also use it to remove malware files if you know where they are already.

NetScanTools Pro at Laura Chappell's Summit 09

Laura Chappell is holding her 3 day Summit 09 "Hands-On Tools, Troubleshooting and Security" conference right now Dec 7-9. NetScanTools Pro will be used on Wednesday for demonstrations and hands on experience in traceback and reconnaissance.

Friday, November 27, 2009

Black Friday/Cyber Monday Sale

Please visit and click on the sale banner to see what's on sale.

Have a good weekend!

Thursday, November 26, 2009

Happy Thanksgiving!

To those of you in the USA!


Wednesday, November 25, 2009

November Newsletter Published

This newsletter talks about the changes in NetScanTools Pro 10.94 in detail. It covers new record types that it can retrieve: NSEC, DNSKEY, RRSIG and the new Get Basic DNS Records tool. There is also a discussion about using the Passive Discovery tool and the changes made to make it easier to use.

There is a status report on NetScanTools LE (law enforcement edition).

I added in a paragraph about my experience upgrading a computer from Windows Vista x64 to Windows 7 x64. It was actually pretty painless. And it even worked!

The newsletter can be found on this page:

Saturday, November 7, 2009

NetScanTools (TM) Pro 10.94 USB Version Patch Ready

I should have posted this a couple days ago, but for those of you who are NetScanTools Pro USB Version users, the patch to upgrade to the latest version 10.94 is ready. You will need an active maintenance plan to access the patch. Login through Help/Check for New Version.

NetScanTools Pro USB Version is a fully portable software application that runs from a USB flash drive. It is self-contained and does not require installation on the target computer. All data is saved on the USB drive and not saved to the hard drive of the computer hosting it. NetScanTools Pro USB Version runs on Windows 7, Vista, XP, and 2000. It runs on both the 64 and 32 bit versions of the operating systems and is a 32 bit application itself.

More information about NetScanTools Pro USB Version:

Right now we are having a sale. Get the installed version on CDROM and the USB Version for the price of the USB Version. More details:

Tuesday, November 3, 2009

NetScanTools (TM) Pro 10.94 Published

The installed version of this release was posted on November 2. This release is geared towards improved Windows 7 compatibility.

It now includes the latest version of WinPcap 4.1.1 (just released last week) which has been extensively tested on Windows 7. NetScanTools Pro uses WinPcap for packet capture and generation of specialized packets. Previously we used 4.0.2 which seems to work fine on Windows 7 for our purposes.

We've also updated the SQLite DLL to the latest version 3.6.19 and made it statically linked to avoid SxS DLL problems.

Feature-wise there are several changes to the "DNS Tools-Core" toolset. There is a new tool called "Get Basic DNS Records". This tool requests SOA, A, NS, MX, CNAME, PTR and TXT resource records as applicable for a given input IP address, hostname or domain name. It saves time by combining all those queries into one query.

DNS Tools - Core also now includes options for requesting the NSEC, DNSKEY and RRSIG resource records. We have had the ability to parse those records for awhile, but now you can directly request them and the parsing has now been significantly improved. When parsing NSEC, we added showing the list of resource records (RR) covered. In DNSKEY we added display of the public key as hex and also now also compute and display the Key ID. The Key ID can be correlated with the corresponding Key ID from the RRSIG records. The RRSIG record parsing was improved by adding display of the signature in hex and we now parse many more "types covered".

DNS Tools - Core also had a problem when doing a Zone Transfer of a medium to large zone. They would crash the program. This was due to a memory allocation error and also due to the fact that in C "static int x = 0;" is not reset to zero when the function is re-entered.

Passive Discovery has a change which is more user related. We had heard from people who saw a "Error compiling filter" when they tried to run it. This was due to a mismatch between the WinPcap interface they selected, the subnet mask and the starting network IP address. We are no longer saving the subnet mask and starting IP, they are being recalculated. We also reworded the Recalculate button to better explain what it does and we improved the error messages.

There were some other minor changes but I won't go into those. As usual the database were updated. If you have NetScanTools Pro with an active maintenance plan, click on Help/Check for New Version to get 10.94.

Wednesday, October 28, 2009

How to use ARP Ping to Detect Duplicate IP Addresses

Update January 2014: there is a dedicated Duplicate IP Address Scanning Tool in NetScanTools Pro.

I've mentioned before how due to past problems with online games sites I have my son use a Linux distribution called Knoppix 6.0.1 that runs from a CD inside a Microsoft Virtual PC 2007 virtual machine. Well due to a problem with a DHCP server, I found that Knoppix was taking the same IP address as an HP Laser Printer. I had been having trouble with the printer on the weekend - it decided on it's own to change it's fixed IP address.

So I decided to use the situation as a real world demonstration of how to find a duplicate IP address. This can be done from NetScanTools Pro using the ARP Ping Tool. Since I had my suspicions about the printer, I used the printer IP. The video shows the results quite clearly.

In NetScanTools Pro v11 we will be introducing a tool to scan the whole subnet for duplicate IPs, not just one at a time.

Tuesday, October 27, 2009

October Newsletter Posted

This newsletter talks about our releases and the progress being made on NetScanTools LE. It also talks about the upcoming NetScanTools Pro 10.94.

It also mentions the return of the 2 for 1 NetScanTools Pro CDROM and USB sale.


Friday, October 23, 2009

KB970892 solved - at least for me!

As I mentioned in early posts, Sage ACT 2009 (ACT 7) uses MS SQL Server Express 2005 and KB970892 failed to patch it. Someone anonymously posted a solution today and it works for me. Their solution of changing the registry entry makes perfect sense because if you dive into the patch log, you will see that it seems to think that SQL Server is not fully installed and it asks you to use add-remove programs to complete the installation.

By simply changing this registry entry from a numeric '1' to a '0' (zer0), you are apparently telling the patch that the original installation was completed correctly:


Change the "Resume" value from a 1 to a 0.

(If you have multiple instances of MSSQL installed, the MSSQL.1 reg key might be different for you)

Now you should be able to install the update either from Windows Update or manually using the knowledge base patch that has a full user interface. I used the full user interface patch and you may need to stop your instance of SQL Server before the patch can be fully applied - it will tell you if you need to. I did not use the "silent" Windows Update patch.

A big THANK YOU to whoever figured this out and to the person who posted the solution here today!

Tuesday, October 20, 2009

Managed Switch Port Mapping Tool v1.99

Today we released Managed Switch Port Mapping Tool v1.99. It has a number of internal improvements such as making sure no duplicate macs appear on a switch port, giving the user control of autosizing the column widths and many other changes. We also updated SQLite to 3.6.19.

Visit either or for more information or to download.

Still no luck with KB970892

Today I had a few minutes, so I tried stopping all the SQL Server processes and running the patch manually using the version downloaded from the knowledge base. Still no go.

I also tried using the add-remove programs suggestion the patch log suggests, but after you get part way through it, it starts asking for SQLRUN_SQL.MSI which is not on the computer. Nor is it on the ACT 2009 install CD. And to make matters worse, I couldn't find it in the developer downloads area in MSDN.

So now I'm at an impasse. I guess the next step is to see if Peachtree (Sage) has a fix for this. I'm not holding my breath.

Oh and one comment suggested looking for another instance of SQL Server on the machine. I haven't found one yet.

Friday, October 16, 2009

KB970892 fails relentlessly

10-31-09 Update: an anonymous comment provided a simple solution. See the newer posts in this blog.

Most of the time I never have any trouble with Patch Tuesday. But this time I got a consistent failure: KB970892 fails to install every time. So as a result, I have little yellow shield with a ! in it on the taskbar - every day.

SQL Server 2005 express edition was installed by ACT 2009 last year on this XP system. Internally the SQL Configuration Util calls it Act 7. Anyway, the install log says this when it gets to the error:

"Error 29565, Product Microsoft SQL Server 2005 Express Edition. SQL Server Setup cannot upgrade the specified instance because the previous upgrade did not complete. Start the Remote Registry service and go to Add/Remove Programs, select the Change button for Microsoft SQL Server 2005, and then select SQL instance ACT7 and complete the setup."

Whatever. I went to control panel - add/remove programs and started to do this but stopped (chickened out - will do system backups before trying this). Then I went to MS's site and downloaded the KB patch manually and ran it. During the install/patch process it said to stop the process for ACT7 - I did it, but the patch still failed.

Internet searches show that other people are having the same problem, but I can't see a definitive solution. Does anyone have a solution?

Monday, October 12, 2009

SNMP Snooping, Adding MIBs and other stuff

Those of you who perhaps use Wireshark on a regular basis are aware that SNMP traffic randomly occurs on your network, particularly from printers. On October 7 Laura Chappell posted a short article called "SNMP Snooping". In the article Laura talks about using NetScanTools Pro to have a look at the SNMP information available from a wireless HP printer. She talks about pulling out reams of statistics including Wireless SSIDs and WLAN signal strength. This is all done by simply 'Walking' the . OID. Even more interesting are the printer's listening ports - also something reported by the NetScanTools Pro SNMP Tool (he is how: set the IP and community name, select Advanced Queries, press Perform Action, then press Listening Ports Report).

Laura will be talking about SNMP and NetScanTools Pro during her Summit '09 Conference in December. The article is here (at least until Weds, Oct 14):

Laura also mentions that she had to add MIBs to the SNMP tool in order to understand the data from the printer. Without the printer MIBs translating the numbers to human readable information, the Walk results are just numbers or strings and don't really look too interesting. Today we added a new video explaining why you need to do this and how to add a MIB to NetScanTools Pro. This even works with the NetScanTools Pro Demo:

Sunday, October 4, 2009

September Newsletter Out

Yes, it was just barely released in September. Been busy. You can read it here:

Thursday, September 17, 2009

New Video Posted

Yesterday we posted a new video covering how to use most of the features in the NetScanTools Pro URL Capture Tool. We address using the tool to safely view the text that makes up a web page - remember, we do not execute scripts or any other active code found in the web page. We also show how it can be used to display the actual destination URL of those shortened URLs popularized by Twitter. And we also show how to use it with a multiple site, single IP web server.

This new video and other demonstration videos are found on this page:

Friday, September 4, 2009

NetScanTools (TM) Pro 10.93.1 Published

On September 1, 2009 we release NetScanTools Pro 10.93.1. This is a recompile of 10.93 to support the new SxS linkage. There are no changes to the software other than versions and the addition of the registered trademark symbol where appropriate. This release is for the installed version only - the USB version remains at 10.93.

Thursday, September 3, 2009

NetScanTools Pro and the effects of KB971090

In late July Microsoft pushed out a fix for an Visual C++ 2005 SP1 ATL problem (see our August 4 blog entry) that broke our demo at a critical time just when we were sponsoring a webinar. I thought I had it fixed by recompiling our main executable and using the new vcredist_x86.exe to bring the SxS linkage up from 8.0.50727.762 to 8.0.50727.4053. Well not quite.

It wasn't until NetScanTools Pro 10.93 was released for a few days that I realized the full extent of the problem. We had one customer who said that he couldn't start the program. It was the famously unhelpful XP message "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." This means that the Side by Side (SxS) system DLL linkage is wrong. The stange part was that this customer did have the 4053 DLLs installed.

I tracked it down to a problem in the nstpro.exe manifest that showed both 762 and 4053 required to be loaded. Of course this worked fine on all our computers and the majority of our customers, but not this one customer.

The fix was to recompile ALL executables, DLLs and custom libraries imported by our executables. One or more of our libraries was compiled using the 762 linkage, so when I compiled the main program, a manifest was generated asking for both.

Again, Microsoft should have warned of the full effects of this change to those using the MFC and runtime libraries when a SxS DLL linked project was opened for the first time in the Visual C++ 2005 compiler.

So now as a result of this we have released NetScanTools Pro 10.93.1 on September 1. This only affects the installed version and the demo. It does not affect the USB version because it uses statically linked libraries.

Monday, August 31, 2009 back online was down from Tuesday Aug 26th evening all the way through Thursday Aug 27th evening - around 24 hours. It's back running now.

Wednesday, August 26, 2009 down for maintenance

The ISP hosting merged with another ISP so they decided to move the servers hosting us somewhere else. After several reschedulings, they decided to do this on Tuesday night Aug 25. Hopefully it will be complete soon, but while they do this our site is down. Doing this during the busiest time of week costs us money, so we will be reevaluating our relationship with this ISP.

Thursday, August 20, 2009

NetScanTools (TM) Pro 10.93 Published

The installed version and USB version of NetScanTools Pro 10.93 are both now available. If you have an active maintenance plan, you can upgrade today. Use Help/Check for New Version, then login.

The changes in this release range from the cosmetic (like adding our new registered trademark notation) to bug fixes to adding a minor new feature. The minor new feature was brought about by a customer suggestion and it was to provide the decimal representation of the input IP address on Subnet Calculator. Apparently our user sometimes hardcodes the IP address in a link and making it decimal makes it harder for bots to pick up the link.

Two of the bugs were seen during the August 12 webinar:

The first was when Laura was running a Continous Ping, then she pressed Stop and went into Setup. When she was talking about the various Ping options, the Continuous Ping started up again in the background results window. This was fixed.

The second thing I saw during the webinar was when Laura entered her favorite of the day hostname and it then went through and translated it to an IP address, then ran the IP address through the list of RBL servers. The problem was that the translated address was Actually what had happened was the host to IP didn't resolve because there was no A record for the hostname in DNS. Now if this happens, it stops and tells you that it couldn't resolve for an IP.

If you want the full list of changes, you can install 10.93, then click on the Welcome left panel control, then click on Welcome to NetScanTools Pro icon. This will show a completely revamped page including the list of changes since the last release (10.92). There are also a few helpful hints.

We will be doing additional testing on Windows 7 RTM soon to make sure everything works properly there. If you are on Windows 7 RTM and you see a problem, let us know the exact steps you are using to reproduce it -- remember, we can't fix what we can' duplicate here.

Wednesday, August 19, 2009

NetScanTools Webinar Recap

Well here I am a week later talking about the August 12 webinar. It was one of my busiest days ever. Laura did a great job -- even in the face of a couple of bugs that I saw and I'm sure she saw. Both were fixed in the 10.93 release. They were minor, but obvious to me.

Anyway, the webinar went well. We had about 25 people attend. I actually spoke using a mike which was kinda cool. Laura did 99% of the talking -- something she is far better than I at doing. She covered several parts of the program: the automated tools, ARP Scanning, ARP Ping, Graphical Ping, RBL checking, TCP Traceroute and TCP Ping. Even a bit of whois and quickly touching on DNS tools.

It's always interesting to watch someone else use a program you've designed because you see that they use it in a different way than you thought people should use it. That's why customer feedback and LISTENING to customer input is so important. Whenever a usability suggestion comes in, I try to add it to my 'to-do' list. Even if it's not practical - it may be someday.

I digress. Just as with Laura's Wireshark webinars, her presentation was polished and though there were few slides, the intent of the webinar was not to go through a slide presentation but rather to provide pointers that people may miss -- like right clicking in the results to see the popup list of other things you can do.

I took part in welcoming the group and I also spoke at the end about some plans for version 11 which I won't discuss here. We also touched on the Managed Switch Port Mapping tool ( -- Laura is interested in doing a webinar on it because not only do network admins have uses for it but it can also be used in the security arena.

Laura will be making an 'archived' version available to those who want to review the webinar. Sorry, but I don't think it will be free -- training is Laura's business so there will be a cost. I'll defer to Chappell Seminars on those points. Please visit for other webinars and the archived version of this one.

Great job Laura!

Monday, August 10, 2009

NetScanTools Webinar on Wednesday, Aug 12

Reminder: Laura Chappell (of Wireshark fame) is presenting the first NetScanTools Webinar on August 12, 2009 at 12noon PDT/GMT-7. The cost is $99. If you are an existing NetScanTools Pro customer, you can email sales or support and get a 50% off coupon.

Our current Summer Sale includes the webinar.

Here is a description of what will be covered in the webinar and you can also sign up on the same page.

Friday, August 7, 2009

Windows 7 RTM on MSDN

They posted it yesterday and I just confirmed it's there. Now the decision for my OS testing system: do I erase the Vista 64 that's on there now and replace it with Win7 x64? Should I try upgrading it? if I erase it all the Virtual machine OS's will be destroyed and I'll have to rebuild them -- or maybe not -- I can just save the virtual OS files onto a backup and reinstall Virtual PC and reload them. And does Microsoft's Virtual PC 2007 run on Windows 7? I know it can host it. Questions...

Tuesday, August 4, 2009

Security Update for Compiler broke our demo

One Tuesday night (July 28)/Wednesday morning a set of patches were pushed out through Windows Update. Specifically KB973923 and KB971090 which were updates to Visual C++ Service Pack 1.

On Wednesday July 29, I set about to rebuild our NetScanTools Pro demo in anticipation of Thursday's Laura Chappell Wireshark 101 Webinar sponsorship. I've done this frequently and tested it on computers here that had the compiler. All worked well and it was posted.

On Thursday July 30, the webinar was held and a number of people downloaded the demo.

On Friday July 31, I had two people call and email about the dreaded "C:\program files\nwps\NetScanTools Pro Demo\nstpro.exe This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." (PANIC!) A quick Google search pointed to the Side by Side (SxS) DLL linkage being wrong. After a bit of checking I saw that the MFC and Visual C Runtime DLL dependencies had changed from 8.0.50727.762 to 8.0.50727.4053 (it was in the manifest file). (FRUSTRATION!) Almost no one trying the demo will have those later SxS DLLs. I found that MS had updated the vcredist_x86.exe so I sent it to one of those people and it fixed the demo. Now I had to quickly rebuild the demo installer to include the new 8.0.50727.4053 redistributable SxS installer and post it. I did that by 5pm Pacific Time.

Bottom line: if you downloaded the demo between 5pm Wednesday July 29 and 5pm Friday July 31, you need to discard that download and redownload it today. Use the same link, that has not changed.

So here's my rant. I admit Microsoft told us they were updating some security issues with ATL, but I was using MFC and it didn't seem like it applied to us. And yes, we should have tested the demo on a computer without a compiler on it.

But Microsoft should have said:
"LISTEN UP! if you are using MFC and or Runtime DLLs dynamically linked, anything you compile from now on will need to use the new redistributable we provided or your app might break!"

Something like this needs to be in the compiler and should be shown when the compiler first loads a dynamically linked application for the first time after they make an update such as this. What's so hard about that?

Oh and they also published similar patches for the 2008 compiler. We use that too and now we know. Needless to say non-starting demo programs probably = lost business.

Thursday, July 30, 2009 sponsors Wireshark 101 Jumpstart Seminar

Today we had the privilege of sponsoring one of Laura Chappell's free Wireshark 101 for Newbies Jumpstart Seminars. This is a live webinar that runs about 75 minutes. You can read my July 12 review below on the last one I attended. Very good info!

The next one is scheduled for August 18 at 10am PDT/GMT-7. Register at Over 2000 people registered for today's seminar and only the first 1000 lucky people actually get to listen in, so be sure to login early on the day of the seminar.

Laura is doing a seminar devoted to NetScanTools Pro on August 12 and 12 noon PDT/GMT-7. Register at Cost is $99. Current NetScanTools Pro customers can email our sales department for a 50% off coupon.

Monday, July 27, 2009

NetScanTools is now a Registered Trademark

On July 21, 2009 Northwest Performance Software, Inc. was issued a trademark by the US Patent and Trademark office for the word "NetScanTools".

Sunday, July 12, 2009

Review of Laura Chappell's Wireshark 101 Jumpstart

Last Tuesday I took part in Laura Chappell's live online seminar about Wireshark. It's really for those who are new to Wireshark (which I'm not), but I wanted to see how the seminar was presented and I wanted to see if there was something I could learn about Wireshark that I didn't know. I was pleasantly surprised on both accounts. In case you don't know who Laura is, you should know that she has many years of network training to her credit.

The class was free (always a good price) and Laura had a limit of 1000 attendees. I think over 1700 signed up. I was able to make it in under the cutoff a half an hour ahead of time. The class was conducted using a Citrix viewing program that I had to install. This was required so that we could see slides and Wireshark in action. The quality of the audio was similar to that of a phone call, not super high but very intelligible. I used DSL (1.2 mb) which was fast enough for both the video portion and the audio. Laura also provided the slides as a downloadable PDF so you could follow along (I did).

There was a way to communicate back to the Laura and her assistants using both instant messaging and phone or audio link if you need to ask a question. Many people did ask questions. Yesterday I received the complete list of questions and answers by email.

Laura started the seminar by covering Wireshark on a general level, explaining how it can be integrated into the various packet capturing methods and explaining how it could open 'trace files' offline at a later time. Then she covered the various Wireshark placement options with their advantages and disadvantages. This included both tapping into wired network streams, mirroring them and even using wireless capture devices to see traffic on a wireless network.

Laura then moved directly into using Wireshark live to capture data into the file sets. Filesets allow you to create a large capture in multiple smaller files. Then she showed how to alter the time column so that you could see the relative time between packets rather than the default seconds since the beginning of the capture. Of course there were discussions about defining both capture filters to eliminate unwanted packets from our capture file and post capture filtering of the packets in the file. Since post-capture filtering can be complex in this program, Laura also covered changing the coloration of the rows of captured packets depending on the data in the packet. Laura also touched on following streams of TCP or UDP data. This is helpful when you are following communications between a client and server -- especially if the client is compromised by a trojan or something similar.

Even though Laura talked quicker than I ever can (though still slower than my 19 year old daughter), she ran out of time -- 75 minutes quickly ran into nearly 90 minutes. But she did leave us with a "to-do" list. First and foremost was to get the latest version of Wireshark, version 1.2. This version now includes optional GeoIP locating for IP addresses which is quite helpful (NetScanTools Pro does this too!). They take it one step further and display the IPs on a world map, which is always good (NetScanTools Pro will have this soon).

I learned that Laura puts on a very professional and well thought out seminar. This one was free and since Laura is the training business, she also has others that are not free. The other seminars are reasonably priced. They go into detail on many networking subjects, so please consider them. You can find Laura's seminars at You can follow her on Twitter at -- she posts usually every day -- not just business posts!

I also learned things about Wireshark that I didn't know -- particularly that GeoIP option and the colorizing methods.

If you are interested in seeing one of Laura's seminars, she will be repeating this same FREE seminar live on July 30 at 12pm Pacific Time. Please consider it. Go and sign up, then have a look at the other seminars Laura offers because with travel and training budgets tight like they are, having a live seminar delivered to your desk should be something your business should strongly consider. You can sign up for the next Wireshark Jumpstart seminar here.

Friday, July 3, 2009

Symantec Endpoint Protection 11 Didn't Start Today

Today I turned on the computer with Symantec Endpoint Protection Manager on it and came back half an hour later to login and use the computer (Windows XPsp3). Cursor moved OK, but it didn't give me the login prompt. Oh no, not today! I have way too many other things to do. So I rebooted and was able to login.

The first thing I notice is the little Endpoint Protection shield didn't have the green dot, it had the red circle with a slash. So I tried to use the Endpoint client. It said Proactive Threat Protection was down and needed to be fixed, but more ominously was the virus definitions were yesterday's and not today's...After awhile it hung up and I had to manually kill it. Bad news...

So next I tried logging into Symantec Endpoint Protection Manager Console. The login window appeared fine, but when I tried to login, I got a message "Failed to connect to the server". So off to Google. I found a page in Symantec's very detailed support knowledgebase that told me how to turn on"FINE" level debugging. I then opened Control Panel Service Manager and found that the Endpoint Protection Service Manager service was not running. When I attempted to restart the service, it kept stopping, so I looked in the "catalina.out" file to see what was happening. This file is the tomcat web server log file and it shows the interactions between java and the server. I could see at least one place where the server port 8443 had a bind failure. To a sockets level programmer, this tells me that the server was not starting properly because it could not start listening on a port. The fascinating (and frustrating) thing about this was that NetScanTools Pro connection endpoint list was NOT showing anything else using port 8443 tcp or udp.

So next I tried modifying tomcat\conf\server.xml to a different port 8445. That didn't work. The service would exit after a few seconds. So back to Google. I found another knowledgebase article that said the tomcat uses ports 8005 and 9090 as well. Then I remembered that I saw the HP Toolbox icon on the taskbar near the Endpoint Protection shield. I wonder...

I had installed the HP Toolbox as part of a printer install a couple of years ago, long BEFORE I put this AV product on there. And I had noticed that the Toolbox had vanished and I forgot about it. So off to Windows Explorer and I searched the Program Files/Hewlett Packard and found Toolbox and Toolbox 2.0. Both had an Apache Tomcat 4.0 subdirectory. OK -- this must be it!!!

I started NetScanTools Pro and looked again at the connection endpoint list and saw that java.exe was using port 8005. So I started msconfig and found HP's Toolbox startup entry and disabled it. Then I rebooted...

The shield was back with the GREEN DOT!

The two programs interfered with each other. I don't know why the HP Toolbox was loaded first after not being loaded first for a whole year. Nothing changed yesterday---that I know of.

I wasted 2.5 hours, hopefully you won't after reading this. It really applies to any two programs that are both using tomcat.

Wednesday, July 1, 2009

NetScanTools (TM) Pro 10.92 USB Version Patch Ready

The USB upgrade patch is ready for those of you who have NetScanTools Pro USB version. If you have Wireshark Portable version installed on that same USB stick, you can now use the left panel Optional Tools menu to start Wireshark from within NetScanTools Pro. This has always worked for the installed version and now the USB version can do the same thing. When you first launch it, we provide a File Open navigation window where we ask you to locate and select the wiresharkportable.exe file. We then save that relative location for the next time you start Wireshark.

Everything else, including TCP Ping, is also included in the upgrade.

If you have NetScanTools Pro USB, click on Help/Check for New Version and login to get the patch. You must have an active maintenance plan to login.

Monday, June 29, 2009

NetScanTools (TM) Pro 10.92 Published

This release added a powerful new feature to Ping - Enhanced: TCP Ping. TCP Ping uses either a SYN or ACK packet to 'ping' a target and it looks for a response back. If it gets a response, it shows the timing with submillisecond resolution. In this case the timing you are seeing is TCP Latency because you are seeing a TCP response to a TCP packet. Our TCP Ping gives you control over the TCP header. You can set the Distributed Services Code Point bits and the ECN bits to see what effect they have on packet delivery between two points. You can also set the Sequence, Window and Acknowledgement fields in the TCP header to whatever you want. AutoPing was renamed Continuous Ping and we also added Autosave mode so that all the ping results can be saved to a file. This file has tabbed delimited columns so that you can easily import the results into a spreadsheet. This is one of the most complete Ping tools on the market giving you instant access to all three modes of operation: ICMP, UDP and TCP Ping.

Other changes include the addition of the Distributed Services bits to Packet Generator, additional information added to whois IP address queries, improvements to Traceroute and TTCP. Graphical Ping can now send packets as large as 4095 bytes.

10.92 is available now and is ready for download by current registered users. USB version 10.92 will be available in the next day or two.

Thursday, June 25, 2009

ARP Scan versus Ping Sweep

Today I had a user ask me what the difference was between ARP Scan and Ping Sweep (NetScanner) and why he gets different results when running them on his 192.168.0.x subnet.

Here was my answer:

There is a difference between ARP Scan and Ping Sweep. When you do an ARP Scan of a subnet, all devices that communicate with IPv4 on that subnet must respond to ARP packets. If they don't respond they cannot communicate with any other machine. This even applies to devices that are running firewalls and do not respond to ICMP echo request packets (ping packets).

When you use Ping Sweep on that same subnet, you are sending ICMP echo request packets to every device. If the device (computer) is running a third party 'personal' firewall or even something like the built-in Windows Firewall, it may not respond depending on the firewall settings. So you will see fewer devices respond with Ping Sweep than with ARP Scan.

They both have their uses because ARP Scan does not work once it crosses a router to another subnet or WAN. ICMP packets generated by Ping Sweep are routed unless deliberately blocked, even across the internet.

Tuesday, June 2, 2009

NetScanTools (TM) Pro 10.91 Published

Both the installed version and the USB version are ready at the same time -- amazing! The changes are relatively minor if you are using an English version of Windows, but if you are using a non-English European version, this release has potentially big changes. If your C:\documents and settings\%username%\application data\nwps\netscantoolspro (XP/2000/2003) path has non-English characters in it, the paths to the database files might not have been understood properly by SQLite, so you would not be able to open the SQLite databases. This has been fixed.

The second major thing affects those who need to place the files normally found in those two paths somewhere else, maybe for a virtual machine. We've added a way to use an .ini file to describe new paths to those files.

There are also some other small changes and as usual we've updated the databases. Whois now supports several more top level domains and there were two corrections to existing domains -- like .mil whose whois server went offline a while ago.

If you have 10.x and your maintenance plan is active, please use Check for New Version to get the latest version.

And don't forget to look at once in a while for periodic sales. Right now there is a 2 for 1 sale, a USB and CDROM license for the price of the USB.

Tuesday, May 19, 2009 redesigned

I finally redesigned so that it's more than just one ugly cluttered page. It now has several pages -- hopefully more informative and better organized.

This redesign was my first real serious use of Expressions Web. I'm not used to CSS, so it's taking me a while to get it working right. I have a new respect for those who can build fancy sites with CSS.

I still want to improve it with some additional graphics, but that will be in the next revision.

Drop by and have a look:

Monday, May 18, 2009

Managed Switch Port Mapping Tool v1.98 Released

I recently found out that if a non-English, yet valid character from another European language was part of the c:\documents and settings\ path, the Switch Port Mapper might not be able to open the SQLite database files. Or even create the user database file for that matter. This is because SQLite expects the filename to be UTF-8. So I fixed that problem in 1.98.

I also added in better results grid column sorting and export of the Switch Properties report to a text file. SQLite and the databases were updated.

If you have the software, please click on Help/Check for Update or visit

Friday, May 15, 2009

NetScanTools (tm) Basic Edition Released May 14, 2009

What? another NetScanTools?

Yes. When we stopped producing NetScanTools Standard 5.1 in August 2004, we left a whole lot of registered users without any alternative. Business users who wanted to move up opted for NetScanTools Pro, but many, many home and small business users could not justify or afford the upgrade, so they either kept using on NetScanTools Standard (yes, we still hear from people who have used it for years) or they found something else.

Two weeks ago we decided to make a new program using the latest Visual C++ 2008 compiler along with an updated interface -- that's right two (2) weeks ago. Now there is a new program created from almost scratch and it is completely finished! And it works fine on Windows 7, Vista 32/64, 2008, 2003, XP and even Windows 2000.

This new tool has simplified versions of six tools: Ping, Traceroute, Ping Scan, Graphical Ping, DNS Tools and Whois. They are very usable versions of more advanced tools found in NetScanTools Pro. There are embedded web pages comparing the NetScanTools Basic versions of the tools with the NetScanTools Pro versions. Plus we show you what other tools are available in NetScanTools Pro -- just in case you are interested.

It is now our entry level program.

And it's freeware. Try it. Enjoy it. And don't forget to give us feedback on the About NetScanTools Basic page.

You can find it here:

Tuesday, May 12, 2009

2001 Prius Mileage

This is completely off topic, but I've wanted to say this for a long time.

I bought a 2001 model Prius new in November 2000 and I now have 105,000 miles on it, so I would call myself an experienced owner. Not too long after I bought it a leading consumer magazine stated that their measured combined city/hwy mileage was 41 mpg. This is something that has stuck with the 1st US generation Prius and is still widely reported.

Let me just say that if our Prius ever averaged as low as 41 mpg, I would have it back to the dealer for repairs. In fact, I cannot recall ever filling up and getting below 40mpg. I have had as high as 51 mpg as measured by a fillup -- the display mileage is a good indicator, but not always correct, it has read as high as 54mpg which I do not believe.

As an engineer I know that in order for my mileage to be valid, I should reduce or eliminate as many variables as possible. Since I live in a small town, I always fill up at the same Chevron station (except on trips). Usually at the same pump so the angle of the car is the same. Another variable in computing mileage is the time of year. Gasoline formulation changes throughout the year -- winter blends are different than summer blends.

Oh, and don't forget that blasted ethanol blending encouraged by people who want to see their food prices go up. When I first got the Prius, the Chevron pump did not have a 10% ethanol blend sticker on it. A couple of years ago (or so) it appeared and the mileage promptly went down a couple mpg, never to come back up. Refiners here seemed to be late in adding ethanol because we get our crude from Alaska and the ethanol has to be shipped here.

But the blend is only part of it: that model Prius is appears to be highly susceptable to temperature.

My observations are that when the temperature is below 40F, the mileage goes down to the 43mpg vicinity. When the temperature is above 60F, the mileage goes up into the high 40s.

Most of my driving is at county road speeds, a bit of highway and a bit of 10-25 mph retirement town crawling. Our elevation varies from sea level to 250 feet. And I replaced the OEM tires that wore out quickly (we went through two sets way before 50K miles) with Les Schwab TOYO 800 Ultras several years ago -- the TOYOs supposedly have a higher rolling resistance than the OEMs, but I didn't notice any mileage differences. I keep them at 40 psi and try to check them once a month. A before you say that my speedometer/odometer is wrong because of non-OEM tires --Sequim just installed 2 traffic radar units in front of the high school to tell you to go 20 mph -- the speedometer matches the radar units displays.

All this is to say that the magazine ran some tests, probably in the winter with ethanol in the gas at an unreported altitude higher than sea level and forever pronounced it to be 41 mpg combined. They would be surprised to learn that I filled up last week and got about 47 mpg which is not bad for a 9 year old car in late April/early May.

Perhaps they should consider testing cars at more than one location and at different temperatures for a more accurate report.

Monday, May 4, 2009

More on Graphical Ping

We've always wanted to produce a good graphical ping tool and now I think we've finally got one. Enter an IP and press start -- and away it goes. The cool thing about it is that you can monitor congestion, in other words you can watch the round trip travel time go up and down as you browse the web. If dropouts occur, you get a little red triangle appearing in the graph where a packet should have been.

The graph is cool because you can see at a glance what's happening. Did I mention you can print it? yes you can, but you have to stop it from collecting data first. And you can also 'window' the graph. What I mean is that you can enter in the maximum number of points you want to see and then the older points drop off the left side. The older points are not lost because they are saved in the database.

The database is cool because you can export it in native format or in tabbed delimited format. If you export it in native format, you can import it back and review a previous ping session in the graph later. You can also do two reports. The first gives a list of all dropped packets. The second is a list of all packets with a travel time longer than what you specify -- this shows a list of slow packets.

Sunday, May 3, 2009

NetScanTools Pro 10.90 Released on May 2

This new release has a new cool tool: graphical ping. It works by pinging an IP or host on a periodica basis, then displaying the packet travel time vs the time on a graph. You can print the graph in color. The packet travel times are saved in a database for later analysis. There are two reports that can be shown in your web browser based on the packet info in the database. The database can be saved and reloaded later for further analysis.

The second major improvement is to NetScanner Ping Sweep tool. Previously the NetScanner tool was taking about 20-30 seconds to scan a 254 IP linear range of IPs on your local subnet. By making some changes, I was able to get this down to the low 6 second range. A speed improvement of about 4 times.

There are a number of other improvements that you will run into: ARP Scan now has a hostname column, Domain Keys now query on default._domainkey. etc., SMTP Email test now can request receipts and set priority at urgent, plus you can add a custom header item.

I'll get a page together and post a video soon about the new Graphical Ping tool.

Friday, April 17, 2009

April 20% Off Sale

We are having a 20% off sale on selected products today April 17 through Monday April 20, 2009. Please visit this page for more information.

MS Patch Day

In case you may have missed it, Wednesday, April 15 was more than income tax due day, it was Microsoft's patch day for Windows. Depending on the OS, you could download between 2 to 8 patches. Please do a Windows Update today.

Monday, April 6, 2009

Managed Switch Port Mapping Tool v1.97 Released

Yes, I know I said that 1.96 would be the last of the 1.x, but a customer had a Cisco(r) 6509 that really needed correct port descriptions and it needed better reporting of the duplex mode parameters. So I worked with him to get those two changes into 1.97. It apparently works quite well now on that big switch. The port descriptions match up with what the CLI says! If you have a Cisco device that supports CISCO-STACK-MIB, please click on Setup and have a look at the Custom Description settings. And don't forget to activate the Custom Description column from the Column Order and Visibility Editor.

So go to to get the software or if you already have it, click on Help/Check for Update.

Friday, March 13, 2009

Malware attack avoided

And now something appropriate for Friday the 13th!

Last weekend I was checking the news on a few sites using fully patched IE6 on XP when I went to my local major news site. Before the page finished loading, I saw this message in a standard popup dialog box with OK and Cancel:

"For the further viewing of page it's needed to set an update.
To update it immediately press OK."

Immediate strongly suspicious (the POOR English was also a clue), I looked on the lower left bar of IE and saw "84654321(dot)cn/vparivatel.php" (I replaced the period with dot so you won't accidentally click on it -- DO NOT go to that URL -- it's still alive). The CN extension was enough for me to know that something no good was happening. I quickly wrote it down and used Task Manager to kill iexplore.exe. Then I restarted and cleaned out IE's cache.

Killing IE is the best way to deal with things like this because as you will discover below, hitting Cancel was just as bad as hitting OK on that dialog box.

Next, I fired up NetScanTools Pro and went to URL Capture. This tool brings in the text from a website and does not run scripts or download images. It simply downloads the raw text and displays it. So I entered the URL and retrieved it. Inside the script tags was this:

function last(){
if (confirm('\nFor the further viewing of page it\'s needed to set an update.\nTo update it immediately press OK.'))

You can see that whether you press OK or Cancel or red X, it appends ?a to the URL and activates it. So next I used URL Capture to do just that, manually of course. And guess what, MALWARE. Here is the start of what comes back:

Server: Apache/2
X-Powered-By: PHP/5.2.8
Accept-Ranges: bytes
Content-Length: 43241
Content-Disposition: inline; filename=1.exe
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/octet-stream
MZ followed by lots of barely printable characters, then part of a regular webpage.

MZ are the first two characters of an executable Windows file, and IE was being told that it was an application. So if I had not killed IE, it would have infected my computer with this executable. Needless to say I contacted the news site webmaster, but they didn't reply. I suspect it came through an ad that was rotated through.

Don't go to that URL because if you do, you will get this MALWARE executable -- it is still alive today.

Searches on 1.exe and vparivatel reveal that it does something similar to that other MALWARE I reported on where there is a forced redirect (hijack) to a bogus AV or security product.

The moral of all this is that you can get these things even from what you think are trusted sites. If those sites are running ads from other 3rd parties, you cannot totally trust the site. And the second thing is to kill your browser with Task Manager rather than trying to shut it down normally -- oh and don't forget to clean the browser's cache -- immediately.

Tuesday, March 10, 2009

NetScanTools (TM) Pro 10.82 Published

NetScanTools Pro 10.82 was completed and published on February 28. The USB patch was ready on March 2. This was an urgent release fixing an obvious problem that we missed in 10.81: nslookup was not showing results. A couple other minor changes were also done in this release.

10.81 (released just 5 days before) had several fixes, the biggest was fixing the Windows 7 crash problem. It was happening because we were not correctly identifying the new operating system and reverting to older code usable only on Windows 2000. Windows 7 didn't tolerate those old function calls at all, so the program crashed. The second most important addition was a warning message that now appears when you click on a results link in URL Capture. Other minor changes were made and all databases were updated.

Thursday, February 19, 2009

Game Sites with Knoppix

After the problems we had with online game sites allowing malware through, I decided to put a complete end to it. My son now uses Knoppix run from a CDR to play his online games.

Here's what I did: I downloaded Knoppix 6.0 ISO image and burned it to a CDR. Then I changed the computer that formerly had the trojan so that it would boot from the CD drive first before going to the hard drive. I put in the Knoppix CD and rebooted.

A simple text interface shows up that allows you to select a number of things, one of which is a full X desktop. All the things you need for web browsing are in there including a modified version of Firefox called Iceweasel. We now use Iceweasel to play the online games. By default it doesn't allow scripting, so we had to learn how much scripting is necessary, but now his online games play fine with complete graphics and sound just as though he were on Windows XP -- except without the worries of picking up maleware. It doesn't use the hard drive, just memory.

When he's done, we exit the X session and shutdown/reboot. Simply remove the CD and Windows comes back when you reboot.

One thing we did find is that it works best with a wired internet connection -- I couldn't get any of the wireless computers to work with Knoppix, but then maybe I don't know exactly what to do.


Free AirPcap Adapters at Sharkfest

Although I haven't decided whether I will be able to attend, I wanted to let you know about Sharkfest. Sharkfest is all about WireShark(r) and it is put on by people who make WinPcap. We use WinPcap in NetScanTools Pro. WinPcap is a packet driver ( Wireshark uses it to capture packets and we use it to both capture and generate packets. Wireshark is the best free network packet analysis tool I know of. The packet capture files that NetScanTools Pro saves can be opened by Wireshark for in-depth analysis.

Here are the details about the conference:

Wireshark(r) Developer and User Conference
June 15 - 18, 2009
Stanford University Palo Alto, California

SHARKFEST is an educational event that offers in-depth instruction over the course of 3 days to the benefit of anyone wishing to enhance their skill set with, and optimize the effective use of, the world's most popular network and packet analyzer, Wireshark.

Space is limited and due to a full house last year, early registration is strongly encouraged. Single registration for all 3 days is $695.00 USD. Details including conference hotels, group discounts and the conferenceschedule can be found at Every paid registration will receive a FREE AirPcap Classic Adapter (SRP $198USD) and so much more!

Thursday, February 5, 2009

Browser Hijack Wrap-up

So far that computer has had no additional problems. I did use HiJackThis to make sure there were no additional startup files or registry entries that I missed. And I scanned it with Malwarebytes too with no additional findings.

One comment on the original xpsdg6420222.exe file. Symantec identifies it as a Bloodhound.SONAR.2 file which "indicates a running process with behavior similar to that of a Trojan horse that records keystrokes. It may represent a new, previously unidentified type of risk." Definitely a risk that I don't ever want to see again.

Thanks to all those who left comments and I hope what I've shown you was instructive and helpful. I certainly learned alot and my next post goes into an even more difficult, yet similar problem on yet another kids' computer.

Friday, January 30, 2009

More on the browser hijack

I ran Symantec Endpoint on it again this morning and it finally identified what this was. They call it a Bloodhound.PDF.3 which was discovered and added to their definitions on Dec 18. Symantec calls the infection rate low 0-2 sites, but based on the comments I've had here it's higher than that. I submitted the zipped up acr442b.tmp file to them. It was definitely the infection vector because it went through that old Reader 7.1. Lesson: update your Adobe Acrobat Reader.

Also, to all those following my analysis, please be careful when messing around with svchost.exe because there is a real one and a fake one. The real one lives in system32 and the fake one lives in system32\drivers. This is especially important when you are going through the registry. There are references to the real one and references to the fake one, so BE CAREFUL.

Thank you all for your great comments.

Wednesday, January 28, 2009

A run-in with Defender-Review browser hijack malware

WARNING: this is long and technical.

It was about 6:30 last night when my son said "That's wierd, mom's computer just rebooted". I asked him if he did it and he said no, he was in the middle of playing one of his online games. I thought uh-oh, not now -- I'm just way too busy.

(update: I was running AVG free version 8 on this machine at the time and it did not see this.)

When it rebooted, all looked normal except for a supposed Windows Firewall Message that it had blocked an attempt by Win32.Zafi.B to talk out through the firwall. The Keep Blocking and Unblock buttons were grayed out and a third button was there -- it said something about fix it -- so I clicked it and like magic, IE7 opened up viewing Defender-Review [.] com where it tried to tell me that I had viruses and I had to buy their AV software to fix it.

So I immediately unplugged the network cable. Next I went to another computer on another network and did research on the supposed virus and the web site that popped up. The virus was an old email virus from 2004. Little chance of that happening because we use Pegasus on that machine and I don't allow attachments to be opened. And email was scanned on the way in.

So I focused on the web site - I wondered "is their marketing budget so low that they have to resort to hijacking to get people to come to their site?". I quickly learned enough through Google to see that it was a browser hijack. Oh, by the way, this was the first hour wasted.

Next I tried the basics. I opened Firefox and it wouldn't open on the desktop. It appeared in Task Manager, but did not open the first time. I killed it and tried until it eventually appeared with a strange message about blocking and to click on some links -- view source showed that it was an embedded window in the original. And NetScanTools Pro's URL Grabber pulled in the text portion of URLs without a problem -- it is completely safe. OK, definitely browser hijacking.

So I next launched msconfig. As soon as I went to the Startup tab it started blinking rapidly and the computer went through the fastest shutdown I've ever seen. Now I was mad.

I restarted it and went into Safe Mode. I started msconfig and carefully examined the Startup section (I knew they had to use this) and found what I was looking for--an out of place entry with an apparently random exe name (I've seen this method before):
(checked box) xpsdg6420222 -- "C:\Documents and Settings\%username%\Application Data\Google\xpsdg6420222.exe" 2 -- Software\Microsoft\Windows\CurrentVersion\Run

I immediately UNCHECKED it, pressed OK and went to that FAKE Google directory and removed the EXE and a DLL that was with it -- sorry I can't remember the exact name of the DLL -- I think it was mjkdpl.dll. They both had no versioning or authoring resources and Google toolbar is not installed.

Then I searched for that filename with regedit and found one instance of it. I didn't write down where -- sorry!

Next I rebooted and I now had control of the browsers. But wait! that's not all: the next morning I did more research and found that there may be more "droppings" -- kind of like the elk poop in our yard -- on the computer.

So I searched the hard drive for all files created yesterday and sorted by time so I could see the ones created when the problem was first noticed. I found several. I noticed that 3 minutes before a group of strange files (all had no versioning resources) there was one 2MB file called acr442b.tmp. While viewing it in notepad, I saw "pdf" at the beginning. Maybe a coincidence, maybe not. That computer had Acrobat Reader 7.1 on it. So I uninstalled it and installed reader 9. The old version might have been the infection vector, but it also could have been a clicked on popup -- I can't get an 11 year old to remember.

Back to the file list. I found and removed these:

C:\Documents and Settings\%username%\Local Settings\Temp\acr442b.tmp
C:\Documents and Settings\%username%\Application Data\Adobe\usanaz.exe (21kb)
C:\Documents and Settings\%username%\Application Data\AdobeUM\manol.exe (13kb)
C:\Documents and Settings\%username%\Application Data\AppleComputer\xerks.exe (1kb)
C:\Documents and Settings\%username%\Application Data\Corel\rasim.exe (16kb)
C:\Documents and Settings\%username%\Application Data\Cyberlink\gdi32.dll (12kb)
C:\Documents and Settings\%username%\Application Data\Help\kernell32.dll (10kb -- note the extra 'l' in kernel -- a dead giveaway)

Note: I did not find sinashi.exe, msclock.exe, netsk.exe as some sites have reported -- probably a versioning issue. I even searched again for them in Safe Mode.

I also found but could not remove this one because it was 'in use':
C:\Windows\System32\drivers\svchost.exe (48k)

Now I'm PO'd again because svchost.exe DOES run as part of the operating system, but that's not where its supposed to be located. It should be in System32, not down in drivers and it should be 14K. Be sure to leave the svchost.exe that is in C:\Windows\System32 alone. It's part of the operating system. The one down in "drivers" has to go.

OK, back to Safe Mode. Now I opened regedit to search for all instances of "drivers/svchost.exe". I found these places:
(this runs it at startup)
HKCU/Software/Microsoft/Windows/CurrentVersion/Run/svchost.exe c:\windows\system32\drivers\svchost.exe
(these poke a hole in Windows Firewall for their malicious svchost to send data)
HKLM/System/ControlSet001/Services/SharedAccess/Parameters/FirewallPolicy/DomainProfile/AuthorizedApplications/List %windir%/system32/drivers/svchost.exe:*:Enabled:svchost
HKLM/System/ControlSet002/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List %windir%/system32/drivers/svchost.exe:*:Enabled:svchost

It was not in CurrentControlSet which was wierd.

Then I deleted C:\Windows\System32\drivers\svchost.exe.

Then I rebooted normally and temporarily installed Symantec Endpoint Protection 11 and scanned the whole machine. Nothing. I also installed Malware Bytes Anti-Malware -- 6 minor cookie things which were apparently unrelated.

I think I got it all. I hope this helps someone else remove this trash that illegally took control of our PC. I am a programmer and an MS user since DOS 3.1, so I'm well aware of some of these tricks and knew where to look. If I were an average non-technical user, I would have been hosed because no scans caught it. As it was I wasted 3 hours on this.

I'm going to try and Knoppix up and running off a boot CD so my son can play his online games without worries. Try your stupid hijacking tricks against that. And try selling your software the way we sell ours: by being innovative (legally) and providing good value for your customers.

Friday, January 23, 2009

Pinging a MAC Address

Twice in the last month I've picked up the phone to answer a presales tech support call and I had to gently answer this question: "Can your software help me find my laptop? someone stole it, but I know it's MAC address. Your software has something called ARP Ping. I want to use it to ping my lost laptop!"

What they really wanted was to do some kind of trace or ping to the laptop's MAC address and get a response back if it happened to be online somewhere on the internet. Since our software has ARP Ping, they thought it could be used to ping their computer's MAC address. I had to go through an explanation where I basically told them that although their MAC address may be (or may not be) unique, the system of routing packets on the internet has no way to sending a packet to the MAC address of their lost laptop. I told them that the MAC address is a hardware address of the ethernet card and it is only used within the local network (on his side of his DSL router). The packets leaving his network through the router are on a higher level protocol and do not retain the MAC address of the devices on his side of the DSL router. That's the simple explanation. I told them next time they buy a laptop to get software that periodically "phones home" like LoJack.

The more detailed explanation has to do with how packets are transmitted on a network. To send a packet between two computers on the same ethernet network you need two types of addresses: Layer 2 (L2) -- the OSI model link layer and Layer 3 (L3) -- the OSI model network layer. L2 addresses are local in scope which means that two devices may have the same L2 address (this does happen) as long as they are not on the same network segment or subnet. An L3 address must also be unique within the scope of the network it is connected to. On an ethernet network a MAC address is a L2 address and an IPv4 address is L3.

In order to deliver a packet between two computers on an ethernet network, L2 addresses need to be mapped to L3 addresses. This mapping can be either dynamic (usual method) or static. The ARP protocol (RFC 826) is used to build and maintain this mapping. It is a simple protocol intended to find the L2 hardware address of a device given a known L3 IP address on an (usually but not limited to ethernet) network. A device does this by sending an ARP Request packet to all the devices on the network segment asking for the L2 address given a known L3 address.

A typical ARP conversation looks like this:
"All devices! ( -- who has IP address My IP address is and my MAC address is 00:11:22:22:33:ef" (ARP Request)
"Device replies -- I do! I do! and my MAC address is 00:22:44:66:ab:cd" (ARP Reply)

Now the ARP cache on each device has the IP address and MAC address of the other and they can exchange packets. Each device keeps a transient ARP cache locally showing those mappings based on previous packet exchanges.

When you need to send a packet to an IPv4 address outside your network segment, it sends them through the Default Gateway or router. How does your computer know when to send a packet through the gateway? by looking at the destination IP address and subnet mask . When your computer sees that the packet has to leave the network segment, it finds the L2 and L3 address of the gateway/router, then sends the packet there. The router sees that the IP address is not for the local network segment and uses its routing table to forward it on to the next network. The IP packet does not retain the network L2 address of your computer once it goes through the router just as ARP Request packets are not sent through the router. The networks on the other side of the router will most likely have different L2 Link Layer addresses that are not necessarily MAC addresses as you know them.

So back to the original question: can ARP Ping be used to send a packet to some MAC address outside your network?

No. Because ARP Ping is simply sending the normal ARP Request packet while monitoring the timing. If you try to send a strange ARP Request packet with the destination IP address in it but containing a valid local destination MAC address, it won't work because no computer on your segment will respond. The ARP service on all the listening computers is looking for the IP address of the device that received it, not a MAC address. When the ARP packet hits the router, it is ignored if it does not have the IP address of the router in it. And similarly, if you send a packet with IP and a random MAC address, it too will not leave your network.

Tuesday, January 20, 2009

Managed Switch Port Mapping Tool v1.96 Released

Yes, this was done on Inauguration Day -- new government, so a new version -- why not?

The highlights of this release are:
1. SNMP settings are now individually retained and set for each device IP address.
2. XML spreadsheet export significantly enhanced so that when you import it into Microsoft Excel or OpenOffice Calc, you see the same thing as you saw in the results grid.
3. XML import of previously saved results now works correctly.
4. User interface changes to the left control panel.
5. Internal database format changes necessary for version 2.0.

OK, so what about 2.0? can't tell you yet. Why? It will be out before summer.

Oh, and also in this release is the a cool thing to help out the first time user. When you first run the program the Help File opens up to the Getting Started section. This section has been significantly revised so that new users can understand what they need to do to use the program. It is and is not a simple program to use. Once you understand what is required by the program, it works well.

In case you are wondering what on earth I'm talking about...have you ever looked in a wiring closet and seen all the same color gray cables attached to a switch? Have you ever wondered how you are supposed to trace those cables back to computers in the next room? The Managed Switch Port Mapping Tool communicates with an SNMP managed switch to find out what devices are connected to its physical ports and map out those connections. The results are presented in an easy to understand spreadsheet format. Learn more about it here.

Friday, January 16, 2009

Next Switch Port Mapper Version almost ready

1.96 is almost ready. I've almost finished the documentation -- quite a few changes there especially in the new expanded "Getting Started" section.

The biggest thing about this version is the change from global setting of the SNMP parameters to individualized settings saved for each SNMP device. That way one can use SNMP v1 and another can use SNMP v2c or maybe even be on a non-standard port number -- whatever. Another significant change is in the look of the left side control panel. It's more organized now and hopefully easier to understand. The final significant change is in the XML export. It now conforms better to the XML standards Microsoft uses for Excel. After all the results are in a spreadsheet. The column widths are correct and the font is now supplied. It just plain looks better when you import it into Excel. If you don't have Excel, that's not a problem -- it also works with OpenOffice 3's Calc. It imports in just fine if you select the MS Excel 2003 XML import filter.

Look for it early next week. And one more thing, this is probably the last 1.x version. The internal and visible changes made in 1.96 were necessary to support the new cool things coming in 2.0...

Thursday, January 15, 2009

Windows 7 Calculator

Unbelievable. I started looking around in Win7 Beta and found that for the first time since Windows 98 and NT4, (and possibly earlier) someone was assigned to work on improving Calculator. OK, so what...

The standard and scientific modes have both undergone minor facelifts with some of the buttons renamed and grouped better. But the big changes are the addition of two new modes: Programmer and Statistics. Obviously I'm drawn to the Programmer mode because I need to see bits in my work with packets in NetScanTools Pro. There is a cool binary display below the normal display where you can easily visualize what's in the bytes. Changes to this have been long overdue and I will definitely be using the Programmer mode once I jump by development machine from XP to Windows 7.

Wednesday, January 14, 2009

Windows 7 knows it is in a Virtual Machine

Today I did a Windows Update on Win7beta to get Tuesday's patches from Microsoft. There was at least one.

Then I saw a link in the start menu for games. Cool. So I opened it up and saw the usual games plus three that I don't recall seeing the past: Internet Checkers, Internet Backgammon and Internet Spades. I'll be trying those out soon. What was more interesting for me was the area on the right where it said "This computer's Performance Information has not been created."

OK, so let's create it -- I clicked on "Rate this computer", then again on the "Rate this computer button" on the next page and got a somewhat surprising message "Unable to run an assessment inside a virtual machine. WinSAT can not obtain accurate measurements inside of a virtual machine. Please try again running directly on the native hardware." DARN! -- but cool nevertheless. It knew it was running inside Virtual PC 2007. Maybe I should find a spare hard drive to put this on in another machine...

Monday, January 12, 2009

NetScanTools (TM) Pro 10.80 on Windows 7 Beta

Installation of the full version of NetScanTools Pro on the new Windows 7 Beta went smoothly. The main files installed OK and since the Visual C++ 2005 runtimes are not included in the operating system, our installer launches the runtime installer. Then it launches the WinPcap 4.02 installer. WinPcap also installs OK. Whew!

One thing I was very concerned about was the operation of WinPcap on this operating system. So the first thing I tried was the ARP scan of our subnet because it uses WinPcap to create the ARP packets. It worked! another BIG sigh of relief!

So I went ahead started testing all the other functions. Everything worked fine until I got to the Network Statistics tool. Just like when we first tested on Vista -- it FROZE -- obviously Microsoft changed something. I'll find it. I have to install the 2005 compiler and source on the beta, then step through it to find the offending function call. Not too hard -- usually. If you run into this, you have to open up the registry editor and clear the currentView key under HKEY_CURRENT_USER\Software\NWPS\NetScanTools Pro 10\CommonDataEntry. Then you can restart the program without it locking up again. Just don't try to use the Network Statistics tool.

All the other functions worked fine. I saw no other problems whatsoever. So the transition from Vista to Windows 7 should be fairly quick for NetScanTools Pro.

Installing Windows 7 Beta on Virtual PC 2007

Yes, it worked. In a word: painless. I had no problems installing the new Windows 7 Beta (build 7000) on Virtual PC 2007 sp1. I assumed that Win7 was closest in architecture to Vista, so I selected a Vista configuration and bumped the Virtual Machine memory up to the required 1GB. I left the default max virtual hard drive size at 64GB. The host OS is Vista 64 on a quad core 8GB machine. I "captured" the ISO install file located on a network drive on another machine, then rebooted the virtual machine and installation proceeded from there.

Things I noticed about installation: less user interaction required to get it installed. Yes, there was the usual location and time stuff, but there was less other stuff. And it only rebooted once to complete the installation which was great. I did ask for the product key which I was given before I downloaded it and it did the product activation automatically. Whether all this simplicity remains in the RTM version, we'll just have to see.

Windows 7 Observations: some user interface changes -- more glowing things like icons and bars. The start menu button glows when your cursor hits it. The layout of the start menu is a bit cleaner as is the Windows Explorer layout. The start menu does look fairly much unchanged other than small appearance changes. Everything is where it was in Vista. The taskbar is bigger -- approximately twice as high and the programs are shown as icons without their names. This appears to be a departure from earlier OS's. Maybe some of you will notice that the default background screen is a fish -- not just any fish, but a betta -- you know, a play on the word BETA. I think it should be a active background with the fish moving around. What a cool timewaster that would be.

Another biggee is less and I mean way less of those annoying UAC messages "are you sure you are sure you are sure...". I was able to open the registry editor without a big argument from the operating system -- nice!

Another thing that is on every window titlebar is the "Send Feedback" link. I guess they want feedback, but since I've only used it for an hour, I'll hold off.

So far, I like what I see!

Friday, January 9, 2009

Windows 7

The announcement of the public release of the Windows 7 beta was a couple days ago and already news articles are calling Windows Vista "much-maligned" with users experiencing "many problems" with it. The push to get the next release of Windows out really comes as no surprise.

The end user acceptance of Vista seems low after two years. I say this based on visitor logs of our websites and also our own user polls during product registrations. XP is still the dominant operating system seen in our website logs at a rate of 75%-78% of all Windows OS visitors. Vista is running about 15%-20% with the other old Windows operating systems down in the noise. This data comes from two sites looking at the last couple months. This represents a small increase in the Vista numbers from what I reported in October and it does show a couple percentage points drop in the XP numbers. These kinds of numbers are probably behind the push to get Windows 7 out -- reminds me of Windows ME.

While I haven't actually got my hands on the Windows 7 beta yet, I do want to try it out soon. I hope it will load into MS Virtual PC 2007 for testing. Hopefully none of our software breaks this time and our code changes will be minimal -- there were so many code changes required for Vista.

Thursday, January 1, 2009

Happy New Year!

Happy New Year!

Hopefully 2009 will be better than 2008 was. I will be in the office on Jan 2. We return to normal business on Monday, Jan 5.