Saturday, December 18, 2010

Virus Attack!

One of our computers, a 32-bit Vista laptop, recently became infested with a virus. Using either Google or Yahoo, and then clicking on a result, the browser would first go briefly to several other sites before going to the selected URL. It appeared that the virus may have been a money-earner, clicking on ads that brought someone a profit. I also got repeated popup messages that the computer was running out of disk, or out of memory, or out of "resources." None of that was true, but the computer did seem slow.

The antivirus software, Microsoft Security Essentials (MSE), looked green (OK) in the system tray, but it would not update itself, reporting an error. After reboots to "safe" mode, MSE looked red or didn’t appear at all, and the browser still misbehaved. Also, various system services would shut down, and the more I investigated, the more the virus seemed to react and shut things down.

I was able to download Malwarebytes anti-malware, update it, and perform a scan, which came up with three results:
  • rogue.installer registry key
  • spyware.passwords.xgen in the recycle bin, and
  • rogue.hddscan in a temp directory
Malwarebytes attempted to clean them and said that it had done so. But the bug was still there after a reboot to “safe” mode. Another downloaded spyware scanner ran much more slowly but came up empty.

I reverted the drive to a previous time, before the symptoms had appeared, but that didn’t help. I eventually reverted the drive to the earliest available restore point, weeks earlier, and that didn’t help either. So:
  • Either the bug had installed itself in the Master Boot Record, or
  • It had attached itself to a program that always gets started at boot, and had done so without the change being noticed by the system restore software.
I suspect that it had attached to Java Updater (jusched.exe), which is started at every reboot. I can’t prove it - just a suspicion, based on a couple of observed symptoms.

Fortunately, I had made a complete disk image of that laptop on an Iomega 2 TB external drive just six weeks earlier, using Macrium Reflect (free). Macrium restored the drive in about an hour, including the Master Boot Record, and the problem was gone. Files in the lost six weeks were then restored from more-recent partial backups. Apparently nothing of value was lost, except a lot of my time.

The virus may also have posed other risks, of which we are not aware:
  • It might have been a keylogger, sending keystrokes back to someone;
  • It may also have tried to find personal data and send that;
  • It could have tried to send virus-laden emails to our mailing list; and
  • it may have tried to infect other computers on the network.
I did have the computer disconnected from the network except when downloading the virus scanners, and so far, no other computer has shown symptoms of the infection. There is no indication that emails were sent - no backscatter from virus checkers or bad email addresses. This particular computer does not contain much personal data, and we have taken steps to deal with the keylogger possibility, including changes in passwords and a new IP address.

How did the virus get in? Windows and Internet Explorer (IE) were entirely up to date. I checked recent emails, and that doesn’t seem to be the path. It may have come through Java, which was not quite up to date - I know for certain that the same computer was infected through Java a couple of years ago. Perhaps it did come in through Internet Explorer itself, or one of the many browser extensions - this computer was still running IE7 rather than the newer IE8. I’ll never know for sure, but Java is now up to date and Internet Explorer is now IE8. Was it a virus, or a worm, or a trojan? Who cares, it was destructive.

What a pain. Wouldn’t you just love to get hold of the cowardly creeps who write viruses like that and cause other people so much grief? What kind of "man" (woman?) is that intelligent, and yet so incompetent that they have to make a living by deliberately hurting other people?

Thursday, November 4, 2010

Iomega Professional 2 TB External Drive Review

It works! With eSATA and USB 2.0 ports, this drive connected easily to six different computers ranging from 7 years old to less than a month, and running operating systems from Windows XP up to Windows 7, some 32 bit and some 64 bit. Every computer saw it as an external hard drive and was able to use it.

I have other ways of doing day-to-day backup, but was about to send a computer in to HP for repair and bought this drive (from TigerDirect, $130) to make an image backup first. That went so well that I started on the other computers, backing them up with Microsoft's image writer, Windows Complete PC Backup (WCPCB) where it was available (Win 7 and Vista Ultimate only). I also used Macrium Reflect Free Edition on all six computers, with success on all but one, and tried Paragon Backup & Recovery Free 2010 on that one, with uncertain success.

Hardware & Performance:
  • Iomega Professional Hard Drive 2 terabytes (2,000 GB), P/N 31853000, Model LDHD-UPS, eSATA and USB 2.0.
  • Capacity as displayed on a Windows Vista system: 1.81 TB, or 2,000,396,288,000 bytes.
  • Maximum transfer rates (advertised): eSATA 3,000 megabits/second (Mb/s), USB 2.0 480 Mb/s. Those are peak rates, not achievable in large transfers.
  • Actual average data transfer rates for complete image backup: As high as 475 megabits/second (Mb/s) writing through the eSATA port from a new computer, and as low as 93 Mb/s writing through USB 2.0 from a 4-year-old Toshiba laptop running Windows XP (a 7-year-old Gateway laptop with XP did better than that lame Toshiba!).
  • In its search for image backup devices, WCPCB did not "find" the drive on a Vista Ultimate system when the drive was connected by USB 2.0, though it was mounted as a "local disk" and files were visible. Therefore, the drive was not usable for WCPCB backup via USB. It did find the drive when connected by eSATA.
  • On Windows 7 computers, WCPCB did find the drive when connected either by USB or by eSATA.
  • Macrium always found the drive and was able to write to it. Unfortunately, though, I was unable to boot their linux rescue CD on one of the Windows 7 systems. They claim to have a fix if you buy the "full" edition, $40 per computer. I may blog about Macrium Reflect later - I do like their software best, except for this problem.
  • The Iomega Professional Hard Drive box indicates compatibility with Windows XP, Vista, and Windows 7 (32-bit). Does anyone even make a 32-bit Windows 7 system? I suppose, but anyway the drive seems to work just fine on two different 64-bit Windows 7 HP laptops, using either the eSATA or the USB connection and the drivers already in Windows 7.
  • The drive is very quiet, and I'm fussy about noise. It's quiet.
  • In Device Manager: The drive is listed as a "Samsung HD204UI USB Device", or just a "Samsung HD204UI" when connected by eSATA.
  • According to the box label, the drive was assembled in Korea, Sept 20, 2010. I wonder if the entire system is made for Iomega in Korea by Samsung. That's OK.

I would expect any external drive to come with software for backing up the computer, both for drive-image backups and for incremental backups. Indeed, the box containing this drive touts their "Iomega NeverDown Software," which, unfortunately, was not in the box and is not to be found anywhere on the Iomega web site. Apparently, it has been discontinued. The box does contain a brief manual, in seven different languages, telling how to get started with NeverDown, but alas, no software (oops). They do offer the downloadable "Iomega Protection Suite," including:
  • Iomega's v.Clone, which allows you to run YOUR OWN computer on anyone else's hardware. It's a "virtual image" - is that an image backup? Their own user manual advises that v.Clone is not backup software.
  • Roxio Retrospect Express, which appears to protect exactly one computer on one external drive, no more. I'm not interested - my 2TB Iomega drive now has ten compressed system images on it from six fully-competent computers, and is barely half full.
  • Hence, Iomega apparently does not offer an image backup solution. Ouch.
Happily, though, many other companies do offer image backup software, some for free, such as Macrium and Paragon.

A caution: I have not yet attempted to restore an image to any computer's hard drive. That's a risk I won't take unless I have to, and the repaired computer came back from HP with the internal drive intact. Where possible I do make at least two different images, one by WCPCB and one by Macrium or Paragon or both, in the hope that one will work if the other fails.

For your consideration: Universal Serial Bus. USB 2.0 followed USB 1.0, and has been around for at least seven years now. USB 3.0 is a recently-approved standard, and manufacturers are working hard to implement it in new computers and drives. It is about 10 times as fast as USB 2.0, a little faster even than eSATA, so computers with USB 3.0 may no longer need an an eSATA port. Therefore, future computers might have to talk to this particular drive using only USB 2.0.

That's not too bad, though - Macrium backed up a complete Windows 7 computer in 32 minutes via eSATA and 59 minutes via USB 2.0. In both cases, 105 GB "used" space on the computer's drive was compressed to one 78 GB file on the Iomega drive. Actual average data transfer rates, therefore, were 349 Mb/s and 189 Mb/s respectively, so the eSATA image backup was not even twice as fast as the USB 2.0 backup even though burst speed is six times higher.

Copyright (c) 2010

Please add your comments or questions.

Friday, October 8, 2010

Snippage User Manual

Windows 7 Active Desktop

Snippage is written and offered at no cost by Gabo Mendoza. It's a cool little program that can display a web page, or (better yet) a portion of a web page on the desktop. That web page can be active, such as a web cam which refreshes, and you can select just the camera image. You can watch weather radar, the stock market, twitter, anything you'd like to keep an eye on. Other applications will run right on top of it, when you need the desktop space, but the Snippage window will keep up to date in the background.

It's a replacement for the Active Desktop of Windows XP, and it runs on XP, Vista, and Windows 7. I was unable to find a help file or a manual, and I did learn a few lessons the hard way, so here is my little "manual" with apologies to Gabo Mendoza.

First: Install Adobe AIR from get.adobe.air. The current version (Oct 8, 2010) is 2.04. Snippage was written for AIR 1.0, though, and it still works with AIR 2.04, so the version may not matter much.
Second: Visit to download the file snippage.air. As of Oct 8, 2010, the current version is 1.0 R 12.
Third: Run snippage.air. Click past the dire warnings. Snippage is used by lots of people so I doubt it's a spy. Allow the installer to put a shortcut icon on the desktop for now because you may need to restart Snippage a few times. You can delete that later.

Snippage will open with a little window showing a pointer "click me," see below. Move the mouse pointer up past that and click "Expand to browser view."

Enter the URL of the web page that you want to snip (or cut and paste from another browser) and click the red "go."

You can re-size the browser view of your page, if necessary, by dragging the bottom right corner. Then move the snip window over the part of the web page that you want to snip with the upper left corner, re-size it with the lower right.

Snip it by clicking the upper right corner. Now all you have left is the part of the page that you want, called the snip. Drag on the top and put it wherever you want on the desktop.

Once you have let go of the snip, your ability to control it may disappear. It does for me. To regain control:
  • Right-click on the AIR icon in the system notification area (tray), click "Exit." Then,
  • Restart Snippage by clicking on the desktop icon, then quickly move the mouse to the top of the Snippage window.
Do what you need to do:
  • To move the snip, drag the top as before.
  • To delete the snip, click "Expand to browser view" and then click the "X" in the upper right corner of that larger window.
  • There are other options too.
To make Snippage start every time the computer boots up, place a shortcut to the executable (copy the one on the desktop) in your startup folder.

Here's nice page that I have used in Snippage tests: It is the Duluth, Minnesota ship canal camera at the Lake Superior Marine Museum. The image updates every 30 seconds and will occasionally display an iron-ore carrier or a "salty" ocean-going vessel. For boat watchers, the web site even has a schedule of expected arrivals and departures.

I've tried Snippage on Windows XP SP3, Vista, and Windows 7 - they all work about the same. On competent dual-CPU Vista and Win 7 machines, Snippage needs less than 1% of the CPU time. On an old single-CPU XP system it may be over 1% but not 2%. I suspect this would depend on the number of snips displayed and the rates of update.

I'm grateful to Gabo Mendoza for giving us this cute tool. One of my users is upgrading from XP to Win 7 and wants to keep the active desktop.

Saturday, Oct 9, 2010:

Oops - I just noticed an issue. When I have two snips running, and delete one, it doesn't really go away. The next time I run Snippage it comes back. You can work around that problem by editing a text file, not pretty but it it works:
  • Stop Snippage.
  • Locate the "snipset" file.
    • On my Vista and Win 7 systems it is C:\Users\Don\AppData\Roaming\Snippage.B28F...B29B.1\Local Store\current.snipset.
    • On an XP system it's C:\Documents and Settings\Don\Application Data\Snippage.B28F...B29B.1\Local Store\current.snipset.
  • You may wish to make a backup copy of that file somewhere just in case.
  • Open the file with a plain text editor such as Notepad.
  • Snips are defined between <snip...> and </snip> tags. Within each snip you will find the URL of the web page that the snip displays, along with positioning and "snipping" information.
  • Find the snip that contains the web page you want to delete, and remove it completely, including the <snip...> at the front and the </snip> at the end. Save the changes.
  • Run Snippage. If it doesn't work correctly, try again - something is wrong in the edit.

Tuesday, April 20, 2010

Send Blog Posts to Twitter

I recently started using Twitter, to follow the Boston Marathon. It's great for events like that. But then I also found out how to make my new blog posts appear on Twitter as if I had "tweeted" them, in the Twitter "timeline" as if they were part of the conversation. It's not hard - here's how:
  • Go to Feedburner and create an account. If you are already on Blogger, you can use that account - you will notice that actually resolves to a Google address.
  • Under "Burn a feed right this instant," enter your blog address. Next >>
  • Then select a feed source. The default is Atom - I have used that.
  • On the WELCOME! page, click NEXT >>
  • On the CONGRATS! page, click "Skip directly to ..."
  • On the Publicize tab, select Socialize.
  • On the Socialize page:
    • Add your Twitter account. Then,
    • Change Post content to "Title and Body." This just means that the "tweeted" content will be the title and the first line or two of the body, instead of just the title. Or don't change it.
    • Be sure to ACTIVATE at the bottom of the page.
I do notice a time lapse between the blog post and the tweet appearing on Twitter. Maybe 20 - 30 minutes? I haven't timed it. Perhaps that's an intentional delay in Blogger, to allow time for the inevitable blog-post corrections before the RSS feed is generated. Just a guess.
Don on Twitter (opens in a new window)