Google Reader has completely changed the way I absorb information from the Internet. I rely on it daily… no HOURLY to keep up to date! Now that it’s going away I, as well as many others, are going to be trying to find alternatives.

Here I would like to create a list of Google Reader alternatives of all of us.  Here’s what I’m looking for in a replacement.

1. Something that has a desktop web interface.
2. A mobile interface.  (At least an API for developers so they could create their own.)
3. Subscriptions are synced, meaning, you don’t have to subscribe to each RSS on each device (ie. One list rules them all.)
4. If there’s an open source daemon that I could run on my home Linux server that meets the above requirements, that would work too.

Feedly

This is the one I switched over to. It was a really nice one-click transition for me. They automatically imported all my feeds and they even brought over my favorites! They have a blog post talking about the transition from Google Reader. Currently, their servers utilize the Google Reader API. However, when Google Reader goes dark, they have implemented their own copy of the API which will be a seamless transition!

The Old Reader

At first glance The Old Reader appears to be the Google Reader before Google did the overhaul. It has one click sign in, using a Facebook or Google+ account. Unfortunately, they do not have a mobile app, which is a requirement of mine, but I wanted to make sure I had at least SOMETHING out here.

If you have any other alternatives please let me know and post them in the comments section for others.

I started to investigate the idea this weekend. I found these two projects that I wanted to share with you guys. They helped me prove out that the plugin I want to write is possible without TOO much work.

Unofficial Google Music API – An unofficial, opensource API written in Python for Google Music.
MPC – A linux terminal based MPD client.

First, by modifying the example.py in the Google Music API a little I was able to create a script that would sign into Google Music, find the first song in my library and grab the streaming URL of that song.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from getpass import getpass
from gmusicapi import Api

def ask_for_credentials():
    """Make an instance of the api and attempts to login with it.
    Return the authenticated api.
    """

    api = Api()

    logged_in = False
    attempts = 0

    while not logged_in and attempts < 3:
        email = raw_input("Email: ")
        password = getpass()

        logged_in = api.login(email, password)
        attempts += 1

    return api


def demonstration():
    """Demonstrate some api features."""

    api = ask_for_credentials()

    if not api.is_authenticated():
        print "Sorry, those credentials weren't accepted."
        return

    print "Successfully logged in."
    print

    #Get all of the users songs.
    #library is a big list of dictionaries, each of which contains a single song.
    print "Loading library...",
    library = api.get_all_songs()
    print "done."

    print len(library), "tracks detected."
    print

    #Show some info about a song. There is no guaranteed order;
    # this is essentially a random song.
    first_song = library[0]
    print "The first song I see is '{}' by '{}'.".format(
        first_song["name"],
        first_song["artist"])

    #We're going to create a new playlist and add a song to it.
    #Songs are uniquely identified by 'song ids', so let's get the id:
    song_id = first_song["id"]
    
    print (api.get_stream_url(song_id))

    #It's good practice to logout when finished.
    api.logout()
    print "All done!"

if __name__ == '__main__':
    demonstration()

When running the script above, it’ll ask for a Google account and password. Once they are entered the script will login and load the library of the account. It will grab the first song in the library and output the URL to stream the song. Now that I had the streaming URL, I needed a way to add that to my MPD queue.

mpc clear
mpc add "URL FROM SCRIPT ABOVE"
mpc play

Low and behold! When I hit play the song started playing! So now we know that it can work the next step is figuring out if there’s a way to tie the Google Music library in with MPD’s library.

What I came up with was a VBScript that disables NetBIOS over TCP/IP for every NIC in a computer. The script can be easily modified to enable NetBIOS over TCP/IP as well. I’m currently using this as a Computer Startup Script. Once the script is run, the effects should take place on the next reboot.

The screenshot above shows you the settings we’re modifying. Use this as a reference so you know which line to uncomment in the script. By default I have the script set to 2 – Disable NetBIOS over TCP/IP.

'  Title:      Configure NetBIOS over TCP/IP
'   Date:      2/25/2013
'Updated:
' Author:      Gregory Strike
'    URL:      http://www.gregorystrike.com/2013/02/25/configure-netbios-over-tcpip-group-policy/
'
'Purpose:      The following script will itterate through all NICs on a computer
'              to configuure NetBIOS over TCP/IP.  It finds the NICs listed under:
'              HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces
'
'              For each NIC under the key, it sets the NetbiosOptions value to one
'              of the below.  (Be sure to uncomment the setting you desire.)
'
'              0 - Default: Use DHCP setting from the DHCP Server
'              1 - Enable NetBIOS over TCP/IP
'              2 - Disable NetBIOS over TCP/IP
'
'License:      This script is free to use given the following restrictions are followed.
'              1. When used the Author and URL above must remain in place, unaltered.
'              2. Do not publish the contents of this script anywhere. Instead a link
'                 must be provided back to the URL listed above.
'
'Requirements: Administrative Privileges

const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
Set ObjWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

'Set the path to the Network Interfaces
strKeyPath = "SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"

'Get all the known interfaces
ObjWMI.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

'If there was a problem getting strKeyPath, exit the script before throwing an error.
If IsNull(arrSubKeys) Then WScript.Quit

WScript.Echo Now() & " - Searching for Network Adapaters."

'Loop through all Network Interface Cards and disable NetBIOS over TCP/IP
For Each Adapter In arrSubKeys
	WScript.Echo Now() & " - Disabling NetBIOS over TCP/IP on '" & Adapter & "'"

	'Default: Use DHCP setting from the DHCP Server
	'objWMI.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & Adapter, "NetbiosOptions", 0

	'Enable NetBIOS over TCP/IP
	'objWMI.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & Adapter, "NetbiosOptions", 1

	'Disable NetBIOS over TCP/IP
	objWMI.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & Adapter, "NetbiosOptions", 2
Next

WScript.Echo Now() & " - Completed."

Enjoy!

Let’s say you’ve found a webcam source online and you wanted to capture a time lapse video from it. For instance, here is Old Faithful at Yellowstone National Park which publishes a .JPG every minute. How would you create a time lapse from it? And even better, how would you do it using completely FREE software?!

First, since the script is a Bash script you need to be running Bash. The easiest way to do this is to be running a version Linux (Ubuntu or Linux Mint are nice!) since Bash is usually the default shell. You could also use Cygwin to do this in Windows, but it is beyond the scope of this article on how to use it. From here on out, I will assume you are running Bash in Linux.

Way back in 2007 I published a Bash script that captures a URL at a provided interval and saves it to a directory. This is the heart the process. Go ahead and grab the script and save it in your home directory as iget.sh. Though it’s pretty self-explanatory there is a more detailed explanation on the script’s page as well. Once you have the script saved you need to give it execute permissions by running:

chmod +x ~/iget.sh

Now we’re ready to capture the images. Launch a terminal session and create a directory to store the webcam images. Once created, change to that directory.

mkdir webcam
cd webcam

Run the iget.sh script with the required parameters.

../iget.sh http://www.nps.gov/webcams-yell/oldfaithvc.jpg of.jpg 60

The first parameter is the URL to be downloaded. The second parameter (of.jpg) is a base file name, every file that is saved to your computer will be time stamped and ended with this. Make sure you use the same extension (.jpg) that the webcam is publishing. The third parameter (60) is the amount of seconds between captures. Since the Old Faithful webcam updates every minute, I’ve chosen 60 seconds.

Let the script run for as long as you want. After you’ve captured all the frames you want for your video, move on to the next step.

…Don’t worry, I’ll wait…

…Got them yet? Good!

Ok, the next step is to delete any duplicate frames that may exist. This can occur for a couple reasons but depending on what you’re using the video for you may or may not want to do this. I prefer to delete them since I mainly use it for entertainment purposes and it creates a smoother looking video. Save the following script to your home directory as rmdupe.sh.

#!/bin/bash

cksum * | sort -n > filelist

old=""
while read sum lines filename
do
      if [[ "$sum" != "$old" ]] ; then
            old="$sum"
            continue
      fi
      rm -f "$filename"

done < filelist

Give it execute permissions using chmod and then run it in the directory you saved the .JPG files to.

chmod +x ~/rmdupe.sh
~/rmdupe.sh

Great! Now we’ve got rid of all our duplicate files. The next step is to remove any frames that may be corrupt. To do this I’m going to use a utility called jpeginfo, don’t worry. It’s free. However, it may not be installed by default on your Linux distribution so you’ll have to install it.

sudo apt-get install jpeginfo

Once it’s installed run this in the directory. It may take a while to go through but it will validate the JPEGs in the directory and delete any that fail validation.

find . -name "*" -exec jpeginfo -c {} \; | grep -E "WARNING|ERROR" | cut -d " " -f 1 | xargs rm -r

Now for the fun part where we convert the JPEGs to a movie. To do this I’m going to use mencoder, another free utility available in Linux. To install it run this:

sudo apt-get install mencoder

And here’s a command to convert the JPGs to a movie. You can tweak the arguments to change the codec, framerate, bitrate so be sure to check out the documentation how to tweak it.

mencoder "mf://*.jpg" -mf fps=10 -o OldFaithful.avi -ovc lavc -lavcopts vcodec=msmpeg4v2:vbitrate=800 

Once done, you’ll have a time lapse .AVI file! Here’s what it looked like after an afternoon of capturing.

Thanks for reading guys! Enjoy!

First, if you are deploying Adobe Reader, Adobe requires that you sign Distribution Agreement with them. It’s free, really not that difficult and it’s the only way to legally obtain the .MSI required to do the deployment. So just do it.

The purpose of this post is really about how to patch an Adobe Reader .MSI with the .MSP in a way that you are still able to customize the patched version with the Adobe Customization Wizard and then have that in a ready state to deploy using Active Directory. I’m not going to cover much of how to configure the group policies, I’m assuming that you already have that knowledge. After all, you guys are smart!

Since the scheduled updates of Adobe Reader is quarterly, patching it has not been I did often. By the time the new patch came out, I had forgotten how to do the process and wasn’t able to devote the time into trying to do it again. So, to help with this I’ve written a script that will patch the Adobe Reader .MSI using the .MSP and then extract some files from the .EXE installer. I’ll explain it below.

ECHO OFF

REM Title:       AdobeReaderPatcher.cmd
REM Date:        8/22/2012
REM Author:      Gregory Strike
REM URL:         http://www.gregorystrike.com/2012/08/23/how-to-deploy-adobe-reader-and-patches-with-active-directory/
REM
REM Purpose:     Automate the process of patching the Adobe Reader .MSI Installer
REM
REM Permissions: This script should be run from an elevated Command Prompt.
REM
REM License:     This script is free to use given the following restrictions are followed.
REM              1. When used the Author and URL above must remain in place, unaltered.
REM              2. Do not publish the contents of this script anywhere. Instead a link 
REM                 must be provided back to the URL listed above.
REM
REM This script was built using information I found at http://forums.adobe.com/message/4166521.

CLS

REM THESE MUST BE SET TO THE CORRECT VERSIONS!
SET BASEVER=1010
SET PATCHVER=1014
SET LANG=en_US

REM In most circumstances the variables following this line do not need to be modified.
SET BASE=AdbeRdr
SET PATCH=AdbeRdrUpd
SET CURDIR=%~dp0
SET AIPDIR=%CURDIR%AIP
SET EXEDIR=%CURDIR%EXE

REM Checking prerequisites
ECHO Checking prerequisites...
IF NOT EXIST %CURDIR%%BASE%%BASEVER%_%LANG%.msi GOTO :MISSINGFILE
IF NOT EXIST %CURDIR%%PATCH%%PATCHVER%.msp GOTO :MISSINGFILE
IF NOT EXIST %CURDIR%%BASE%%PATCHVER%_%LANG%.exe GOTO MISSINGFILE

IF EXIST %AIPDIR% GOTO :FOLDEREXISTS
IF EXIST %EXEDIR% GOTO :FOLDEREXISTS

REM Creating AIP Folder base
ECHO Creating AIP Folder base...
msiexec /a %CURDIR%%BASE%%BASEVER%_%LANG%.msi TARGETDIR="%AIPDIR%" /passive

REM Patching AIP with .MSP
ECHO Patching AIP with .MSP...
msiexec /a %AIPDIR%\%BASE%%BASEVER%_%LANG%.msi /p %CURDIR%%PATCH%%PATCHVER%.msp /passive

REM Renaming .MSI in AIP
ECHO Renaming .MSI in AIP...
RENAME %AIPDIR%\%BASE%%BASEVER%_%LANG%.msi %BASE%%PATCHVER%_%LANG%.msi

REM Extracting Setup Files from Base .EXE
ECHO Extracting Setup Files from Base .EXE...
%CURDIR%%BASE%%PATCHVER%_%LANG%.exe -sfx_o"%EXEDIR%" -sfx_ne
COPY %EXEDIR%\Setup.exe %AIPDIR%\Setup.exe
COPY %EXEDIR%\Setup.ini %AIPDIR%\Setup.ini

REM Updating Setup.ini
ECHO Updating Setup.ini...

TYPE %EXEDIR%\Setup.ini | FINDSTR /I /V \[Product\] > %AIPDIR%\Setup1.ini
TYPE %AIPDIR%\Setup1.ini | FINDSTR /I /V MSI= > %AIPDIR%\Setup2.ini
TYPE %AIPDIR%\Setup2.ini | FINDSTR /I /V PATCH= > %AIPDIR%\Setup.ini
DEL %AIPDIR%\Setup1.ini
DEL %AIPDIR%\Setup2.ini

ECHO. >> %AIPDIR%\Setup.ini
ECHO [Product] >> %AIPDIR%\Setup.ini
ECHO MSI=%BASE%%PATCHVER%_%LANG%.msi >> %AIPDIR%\Setup.ini

GOTO :END

:MISSINGFILE
ECHO.
ECHO ERROR - One of the following files was not found:
ECHO %BASE%%BASEVER%_%LANG%.msi
ECHO %PATCH%%PATCHVER%.msp
ECHO %BASE%%PATCHVER%_%LANG%.exe
ECHO.
ECHO 1. Verify these files exist in the same directory as this script (%CURDIR%).
ECHO 2. Verify the BASEVER, PATCHVER and LANG variables at the top are correct.

GOTO :END

:FOLDEREXISTS
ECHO.
ECHO ERROR - One or both of these folders already exists:
ECHO %AIPDIR%
ECHO %EXEDIR%
ECHO.
ECHO Please delete these folders and rerun the script.
ECHO.

:END
ECHO.
ECHO Script Complete.

Unless Adobe changes the process or naming convention of their files this script should take three files and output a working AIP (Administrator Install Point) directory with a patched .MSI that is ready to deploy via Group Policy. It follows all the steps that Adobe has laid out but simply automates it. Using this, the AIP is also in a state that can be customized by the Adobe Customization Wizard if you need to create a transform (.MST) to customize the options that are deployed. You only need this script if you are deploying a PATCHED .MSI. If you are using a base version this is unnecessary.

Here’s a list of the files you need. You should be able to pull these from Adobe’s FTP site (ftp://ftp.adobe.com/pub/adobe/reader/win/). They should all be downloaded and placed in the same folder. Again, remember the Distribution Agreement mentioned above.

Once all the files are downloaded and located in the same folder you need to update some variables in the script so that it knows which versions it’s working with. The script doesn’t modify it’s logic based on these variables, it’s really just using them to generate filenames on the fly. The script above was written shortly after Adobe Reader X v10.1.4 was released so it is already set to take the v10.1.0 .MSI and apply the v10.1.4 .MSP to the en_US version. Note the following lines in the script is where you make the modifications.

REM THESE MUST BE SET TO THE CORRECT VERSIONS!
SET BASEVER=1010
SET PATCHVER=1014
SET LANG=en_US

Once your changes are saved, launch an elevated Command Prompt and CD to your working directory.

Once there run AdobeReaderPatcher.cmd (or whatever you named it), and it will go through the patching process.

The script will generate a directory called “AIP”. When all is done, this will be the folder you copy to your network share or customize with the Adobe Customization Wizard. I should mention that the two setup (setup.exe and setup.ini) files that are copied are pulled from the .EXE. It’s actually the only reason we need the .EXE. Some of the options you may choose in the Adobe Customization Wizard require these files.

It’ll be interesting to see if this works with the next version of Adobe Reader X (v10.1.5?). Good luck everyone!

I needed a way to check the SMART status of a drive remotely and was able to come up with a couple different methods to do it. I wasn’t interested in any of the metrics, only whether or not SMART thought the drive was failing. So all of the examples below will give you the same answers but I thought I’d share the code for accessing it with a couple different languages. All of the examples are remotely querying the computer using WMI, so it is important that you have security to WMI on the remote computer.

This example, from Command Prompt using WMIC, will grab the Caption and Status for all drives on the computer. Grabbing the caption is beneficial for identifying which status belongs to which drive.

WMIC /Node:REMOTECOMPUTER DiskDrive GET Caption, Status

Here’s an example using PowerShell:

$WMI = Get-WMIObject -Computer REMOTECOMPUTER -Class Win32_DiskDrive
ForEach ($Drive in $WMI){ 
     $Drive.Caption + ": " + $Drive.Status
}

And finally an example using VBScript:

strComputer = "REMOTECOMPUTER"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colDrives = objWMIService.ExecQuery("Select * from Win32_DiskDrive")

For Each Drive in colDrives
    WScript.Echo Drive.Caption & ": " & Drive.Status
Next

Running any of the above should give you the Caption and Status of the drive. If the status is “Degraded” or “Pred Fail” it’s likely that the drive is going to fail and the drive needs to be replaced. There are other values that status could be set to, for a more detailed explanation see Win32_DiskDrive class on MSDN.

One thing to note is just because SMART or the Status say the drive is fine doesn’t mean it is. If the drive is having issues and the logged failures on the drive haven’t crossed a threshold the drive may still report as “OK”. However, if SMART is saying there’s a problem, you should be able to trust it.

I needed a way to display just the IP address of a computer within a batch file. I accomplished this by using a combination of FOR, ipconfig, and find:

FOR /F "delims=: tokens=2" %%a in ('ipconfig ^| find "IPv4"') do set _IPAddress=%%a
ECHO %_IPAddress%

The heart of the command is ipconfig. You’re probably familiar with it, but if you’re not it displays a bunch of IP related information for the computer you’re on. This includes the IP address.

The next part is find. This only outputs the lines that have a string match. I’m feeding it “IPv4″ as I’m using it in WinPE v3.1, which is Windows 7 based. In XP and older you’d have to change “IPv4″ to “IP Address” or something like that.

The for statement simply pulls out the correct part of the string and stores it in a variable called _IPAddress. This can then be echoed anywhere else in the batch file.

FATAL: Could not read from the boot medium! System halted.

In the above screenshot my virtual network card was in bridged mode with the adapter type set to “Intel PRO/1000 MT Desktop (82540EM)”. To troubleshoot and see if the adapter type was the issue I changed it to “PCnet-FAST III (Am79C973)”. Doing this, I was able to get a little further, but still had problems.

Downloaded WDSNBP…
Architecture: x64
TFTP download failed
FATAL: Could not read from the boot medium! System halted.

After some research I found that I needed to install the Orcale VM VirtualBox Extension Pack. It can be downloaded from the VirtualBox.org Download Page. Once installed, I changed the Adapter type back to “Intel PRO/1000 MT Desktop (82540EM)” and was able to successfully boot into the WDS environment!

In order to successfully infect a system, malware has to be executed somehow. This can be done by tricking a user into running an infected program or it can even be done without user intervention by exploiting security holes found in the user’s system. When the computer is turned off the OS, all the applications and any existing viruses are killed and no longer running. Their processes are terminated. So, for malware to be effective the malware needs to be able to survive a reboot. The malware does this is by finding a way to tell the operating system to launch the malware on the next reboot. This way the malware can always be sure it is running. The areas below are places I find that malware developers target the most because they help meet this very need.

For quick reference for those that bookmark this page, here they are. They are explained further below.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Startup Folders [Current User & All Users]
HKEY_CLASSES_ROOT\.exe\PersistentHandler
HKEY_CLASSES_ROOT\exefile\shell\open\command

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
This is usually the first place I check. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is a registry key used to tell Windows which programs to run when a specific user logs into the computer. So when a user logs into the computer anything under this registry key will be executed. It is a HIGHLY targeted area for malware developers to attack! Since it is located under HKEY_CURRENT_USER the user will have full access to read & write any changes here. So for malware developers it’s the proverbial low hanging fruit because it’s easy to write anything you want under this key.

Since this registry key is SPECIFIC TO THE USER it will only affect the user currently logged into the computer. So if ALL users are seeing the same infection on this computer, it is not likely located here (You may want to check the next registry key located under HKEY_LOCAL_MACHINE). What you are looking for here is anything that looks out of place. If you’re not familiar with the registry, most of it probably looks out of place! However, You should have a good feel of what you want running on your computer.

Some things to look for under this key would be .EXE files with random letters (ie. Hf&21fe~!.EXE). It’s uncommon for normal software developers to use names so cryptic, it makes their job harder. Malware, on the other hand, will often use random .EXE names in order to prevent detection by antivirus software as the malware .EXE could now be named anything. If you find one and you feel the .EXE is malicious, make note of the path, delete the registry value and delete (or at least rename) the .EXE.

Another thing to look for are entries that run programs stored in the user profile. In Windows XP this would be C:\Documents and Settings\[USERNAME]\… For Vista and Windows 7 it would be anything under C:\Users\[USERNAME]\. The user profile is writable by the user and therefore an easy target. Do the same as above, make note of the path, delete the registry value and then delete the .EXE.

One more thing to for look for here are programs called with “Rundll32″. Rundll32.exe itself is not malware (though some malware may disguise itself as rundll32.exe). It’s a legitimate .EXE used by Windows. If rundll32.exe is located in the System32 directory, it’s probably ok. What you should look for is the file that is listed directly after rundll32.exe (ie. “rundll32.exe ‘C:\Documents and Settings\[username]\Application Data\blahblahblah”). The blahblahblah is the file I would be concerned about. Keep in mind that legitimate programs can also use rundll32.exe, so before you delete anything be sure you know what you are deleting.

A screenshot of the HKEY_LOCAL_MACHINE Run key showing an example of a suspicious entry. This run key works just like the HKEY_CURRENT_USER key with the difference being that it applies to all users on the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This registry key is pretty much the same as the HKEY_CURRENT_USER key above with the main difference being that it is SYSTEM WIDE. The entries under this key will be executed by any user that signs on to the computer. It’s not targeted as much as HKEY_CURRENT_USER because you need Administrative privileges to write changes here. However, some malware will still try to write here because if they are able to the benefit is that they can be sure their malware runs anytime ANYONE signs on to the computer, not just the person that caused the initial infection.

You are looking for the same types of entries here as the HKEY_CURRENT_USER key above.

Startup Folders [Current User & All Users]
The startup folder dates WAY back to Windows 3.1 (probably even earlier) and it is still used to this day. It’s purpose is very similar to the Run keys above, it runs programs when a user signs in. The difference is that this is a folder, not a registry key.

The default startup folder locations for all users. Anything located in these folders will be executed when ANY user signs on to the computer.

Windows XP - "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Vista / 7  - "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

The default startup folder locations for a specific user. This applies only to the specific user and will not affect others that sign on to the system.

Windows XP - "C:\Documents and Settings\[USER NAME]\Start Menu\Programs\Startup"
Vista / 7  - "C:\Users\[USER NAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

In these folders we are again looking for things that don’t belong or look suspicious. The same type of rules apply here as they do in the Run keys above (ie. random characters). Most of time, however, the items listed in these folder will be shortcuts (or links). So in order to be sure we find the executable culprit, we need to Right-Click on the suspected file and choose properties. On the Shortcut tab, it will give us the Target. The target should be the actual executable file that will run. Make a note of the path, delete the shortcut, and then rename or delete the executable.

Example of the Properties view of a shortcut

File Association .EXE Hijacking
These next two registry locations handle the file associations of .EXE files. Basically, A file association is how Windows knows what program to use to open a certain type of file. For instance when you click on a .XLS file, Windows knows to open Excel. If you click on a .PDF file, Windows will know to open Adobe Reader.

Windows also has file associations for .EXE files. In normal situations when a user clicks on an .EXE, Windows will check the assocation for .EXE files and then use Explorer to launch the requested .EXE. Everyone is happy.

However, malware can hijack the association so that anytime an .EXE is run, the malware is run. Once the malware runs, it will usually run the originally intended .EXE and the user is none the wiser to what’s occurring in the background. The result is the malware runs.

To check that this isn’t happening you’ll want to check these registry keys:

HKEY_CLASSES_ROOT\.exe\PersistentHandler 
     (Default) value should equal: {098f2470-bae0-11cd-b579-08002b30bfeb}
HKEY_CLASSES_ROOT\exefile\shell\open\command 
     (Default) value should equal: "%1" %*
     IsolatedCommand value should equal: "%1" %*

That covers the first places I check when troubleshoot malware problems. I hope that reading this article has taught you something and you may be able to approach your issue with a little more insight than before.

Again, please let me stress that this will not fix ALL the malware issues out there. If you’re still having problems getting it cleaned up be sure to ask your “computer guy” to give you a hand. If you do, be sure to buy him/her lunch or something. Most of us are really nice people and won’t make a big deal out of it but I can tell you that showing your appreciation with some food or *GASP* even a little money would stand out as it doesn’t happen that often. It would also be greatly appreciated! …Oh, and there’s always my Amazon wishlist!