So I’ve had a look, installing it (Windows 8.1) into a VirtualBox environment…
The focus of this article is on one difference, the Windows Experience Index; mine is shown in the screenshot at the top right.
Screenshot: Win8 Control Panel
Well, yes and no. Apart from the much-talked-about “start” button (not) being reinstated, the control panel throws out some differences for sure (see screenshots)…
Screenshot: Win8.1 Control Panel
… notably the Windows Experience Index (or Performance Indicator, or Assessment), a Microsoft gauge of the “goodness” of your machine.
Well in Win 8.1, it’s gone! See highlight…
Or Has It?
Screenshot: WinSat usage (not all shown!)
Actually, it’s still there under the command line… All you need to do is add a switch (I chose ‘formal’ as it does the lot).
The actual file that does the work is called winsat.exe and it lives in the System32 folder. Give it the ? switch from the command prompt and all its inner options and usages are revealed! (see left)
So fire up your command line and run winsat with the formal switch…
…then watch the process stream past.
There’s no nice GUI report, of course. The results are still there, tucked away (as they always were) as a set of XML files in the Windows directory. Go to the folder shown in the screenshot:
Screenshot: Win8.1 system assessment files (cmd process finished in background)
…to find them. The screenshot on the right shows the files I’ve just created; you’ll see that the process has just finished in the command-line window and that it took 2 min 49.59 s to run all the tests.
Screenshot: WinSat Win8.1 CPU results
Running all assessments has produced 7 files.
The screenshot here on the left shows the end of the CPU one.
The time it took is plainly visible, along with the plainly poor CPU assessment (well, it is in a virtual environment after all!).
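The same run and read-back, scripted, as an added example that is not part of the original post. It runs the formal assessment, then pulls the sub-scores out of the XML that WinSAT leaves under %WINDIR%\Performance\WinSAT\DataStore (the folder the screenshot shows), and finally reads the same numbers through the Win32_WinSAT CIM class. The file-name pattern used to pick the summary file is an assumption; the DataStore path, the WinSPR element and the CIM class are standard.

```powershell
# Added example (not from the original post). Runs the full WinSAT assessment
# and reads the scores back. Needs an elevated (Administrator) prompt, and
# some VMs refuse to run the graphics tests at all.
winsat formal

# WinSAT keeps its results under %WINDIR%\Performance\WinSAT\DataStore.
$store = Join-Path $env:WINDIR 'Performance\WinSAT\DataStore'

# Assumption: the summary from a 'formal' run is the file whose name ends in
# 'Formal.Assessment (Recent).WinSAT.xml'; take the newest one.
$latest = Get-ChildItem -Path $store -Filter '*Formal.Assessment (Recent).WinSAT.xml' |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1

if (-not $latest) { throw "No formal assessment found in $store" }

[xml]$report = Get-Content -Path $latest.FullName -Raw

# The WinSPR element carries the sub-scores; SystemScore is the lowest of them,
# which is exactly what the old Experience Index dialog displayed.
$report.WinSAT.WinSPR |
    Select-Object SystemScore, CpuScore, MemoryScore, GraphicsScore, GamingScore, DiskScore

# The same figures without parsing XML: the Win32_WinSAT CIM class
# (WinSPRLevel is the overall score, TimeTaken the duration of the last run).
Get-CimInstance -ClassName Win32_WinSAT |
    Select-Object WinSPRLevel, CPUScore, MemoryScore, GraphicsScore, D3DScore, DiskScore, TimeTaken
```

Get-CimInstance needs PowerShell 3 or later, which Windows 8.1 ships with. If the XML parse and the CIM query disagree, the CIM class is reporting an older run: it is only refreshed when an assessment completes.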
Windows Performance Index is not dead and buried in the new Windows 8.1 – it’s only been buried.
Remove Referrals Information from This Website because of Malware
Like many blogs, this website has displayed the last few hits (referrals) it has received as a kind of ‘live’ activity recorder and a small service back to the referring website. However, I’ve had to pull this from my front page because, over the last few days, hundreds of malware-laden websites have seemingly been broadcasting pings to everyone else….
Anyone unlucky enough to click on these back-links to the ‘referrer’ is then presented with some fake anti-malware scan that’s almost impossible to get away from without resorting to Task Manager.
Analysis and Appearance
The referring link is usually from a sub-domain of an apparently ‘normal’ website (whatever ‘normal’ means, but I hope you know!). Here’s an example that points to malware:
tummy2tummy.com appears to be a mother and baby website.
Screenshot: Cyber Security Warning 1
Screenshot: Cyber Security Warning 2
Screenshot: Cyber Security Warning 3
Here are examples of the typical warning messages after hitting a duff link or two… These are taken from Firefox 3 & IE8, both fully patched and up to date.
The website sometimes redirects, sometimes not, to the malware-coded location.
The message/dialog boxes have a variety of wording and button suggestions.
Some websites are completely un-closable by normal means, and Task Manager is the only way to get out of the loop.
There are a variety of files to download from the various websites. The one in the video below is called “Inst_174s1.exe” – which I’ve seen 3 times now. I’ve also seen another called “setup_build8_239.exe” which has a standard Windows setup icon inside it to ensure its apparent legitimacy!
Standard Anti-Virus Failure
The video shows the fake scan and the various failed attempts at closure I made. The current IP address of the user (myself) is shown to add an air of realism, although this is easily displayed on any web page.
Fortunately, in this video, IE8, even though the browser privacy settings and window size & positioning were mucked around with by the malware site, was finally closable with the normal close button at the top right. On other sites, the only way to get out of the loop in both IE8 and Firefox was to use Task Manager to crash the process down. This worked, fortunately.
I downloaded the files purposely on some occasions for analysis….
ESET’s NOD32 (my AV program) failed to detect both these files as bad! I uploaded both for analysis to ESET and one has since been found to contain a trojan, a variant of the Win32/Kryptik.AWY trojan! This trojan has been in the signature database since 21/10/2009, when NOD32 was the only anti-virus program to detect it! So things aren’t that bad. Presumably, if I’d run the programs, NOD32 would’ve kicked in, but I haven’t tried that yet. The setup file was only first detected as malware yesterday, and then only by a few vendors. The analysis of its actions is particularly revealing, as along with a shed-load of new registry keys, it also modifies the ‘hosts’ file!
NOD32 wasn’t alone in this scanning detection failure. I tried the online scanners of Trend, McAfee and AVG on the two files and they all failed to detect anything! Time constraints meant I didn’t try Kaspersky, Symantec et al., but I’m fairly certain that the same results would’ve happened.
Everything is not as it seems! Be very careful what you click on!
Send any suspicious file to VirusTotal.com, as it has quite a crack at finding out the truth about files through its methodology of using most of the anti-virus vendors.
As for my website here, the recent referrer back-links are now gone, as they made me look like a pointer to bad sites, and I’m not. Whether it’s possible for this sub-domain behaviour to be blocked probably depends on the website owners, as it’s not the browser’s fault.
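Two quick checks that follow from the two points above, as an added example that is not part of the original post: hashing a downloaded sample so it can be looked up on VirusTotal by hash rather than uploaded, and listing the live entries in the hosts file, since the setup file was found to modify it. The sample path is a placeholder; the hosts-file path is the standard Windows one. Get-FileHash needs PowerShell 4 (Windows 8.1 or WMF 4); on older machines use a third-party hashing tool for step 1.

```powershell
# Added example (not from the original post): triage checks for a machine
# that has been through one of these fake-scanner pages.

# 1. SHA-256 of the downloaded sample. VirusTotal can be searched by this
#    hash, which avoids re-uploading a file someone else has already submitted.
#    Placeholder path: wherever you have quarantined the download.
$sample = 'C:\Quarantine\suspect.exe'
if (Test-Path -Path $sample) {
    Get-FileHash -Path $sample -Algorithm SHA256 | Select-Object Hash, Path
}

# 2. Active (non-comment) lines in the hosts file. From Vista onwards the
#    default file is comments only; XP has a single '127.0.0.1 localhost' line.
#    Anything beyond that was added by software or a person, so it is worth
#    reading. Redirections of AV-vendor or update domains are the classic tell.
$hostsPath = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
$entries = Get-Content -Path $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

if ($entries) {
    Write-Warning "hosts file has $(@($entries).Count) active entries:"
    $entries
} else {
    'hosts file is clean (comments only).'
}
```

The hosts check is deliberately a listing rather than a verdict: a corporate build or a developer may have legitimate entries there, and a human reading three lines is quicker and more reliable than a script guessing which are bad. Note that the file is modified-on-disk malware evidence only if the timestamp and content are read from a trusted boot (a live CD or the clean machine), which is also how the Conficker advice later on this page approaches it.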
What I have noticed, is:
A lot of these malware sites are hosted at my old crap host, ixWebhosting.com (If I recall, a setting exists to block sub-domain creation)
A lot of host sites are in Arizona, Florida and Utah
A lot of malware sites can be traced back to China & eastern European states.
Make of that what you will. If I spot any more ‘tendencies’ or ‘co-incidences’, I’ll add them to the list.
I got a ping this morning from a website called cleanup-registry.net. It arrived because I’d been referenced as a website in the network set up using the plugin “Related Websites” by the Blog Traffic Exchange (actually, it may be time to knock this experiment on the head, as generally the sites are only loosely related and have poor linkage otherwise).
Whatever; the link referenced an old post of mine about Microsoft software problems here. Notionally, the website looks okay and professional – but I smelled a rat!
This is a screenshot of the whole post (at ). So I did a search on the user’s error message:
‘The DOTNETFX35SETUP.EXE file is linked to missing export NTDLL.DLL:NtShutdownSystem.’ (it turns out later that I should have just done a search on the text in the first paragraph of the post…)
About six entries down in the Google search results, is this page from the respected ‘Yahoo! Answers’ forums website, shown at left.
The screenshots of each WILL blow up to full size, but to save you making direct textual comparisons, let me tell you now that the text in both, including one comment (the accepted answer in Yahoo! Answers), is EXACTLY the same!
For your interest, the accepted answer is that the OSes are incompatible, and there’s a fix described.
The real problem is the dates! cleanup-registry.net’s is the 8th September 2009; Yahoo! Answers’ is from 8 months ago!
What we are seeing is the same sort of tactic employed by the Google Treasure Chest scammers of a fake blog (now called a flog!) being used as part of a selling campaign. They’ve content-scraped decent content and passed it off as their own as a means of justifying their flogging area.
Q. Their product?
A. They are trying to sell a registry cleaner type software and a computer maintenance service ($25 per month!) in Las Vegas.
All of this is done under the banner of some fairly useful video how-tos and some less worthy content scraping from other websites…
The killer bits are that all the ‘blog’ entries are dated 24/9/2009 (apart from the odd one) and all the pages and how-tos are dated 24/7/2009!!!
I had an interesting referral from an external website early today. It was,
iblogger.com has a decent WHOIS entry and is USA based. However, the sub-domain bit is a bit iffy.
If you follow the link, it’s immediately redirected to
The tagline for this website is:
MyBookFace is a friendly social networking alternative to MySpace and FaceBook.
This seems clear and is an obvious parody or amalgam of the two global chatter stations.
Social Networking Problem
The problem with “MyBookFace” is its WHOIS – or rather the lack of information in its WHOIS!!!
The registration is blocked by NameCheap.com, which is a bit odd for a public, socially-networked company!
Checking up on the ‘company’, I’ve found references to it being a source of malware in the past – but not currently. These are Google & McAfee.
But checking other things, like the tagline above, we find >4000 websites with exactly the same phrase in them – and some of them look decidedly dodgy! Try this search and see…
Screenshot: ESET NOD32 Antivirus warning of Kryptik.AAR trojan
Many of the sites are sexual or cracked-entertainment places that all require you to download a “video viewer” or similar. Many others are no more than catalogue-type directories plastered with adverts. This is an example of an attempted trojan installation attack on my system from one random site I visited… After a highly entertaining pseudo-system ‘scan’ which said my ‘system’ had about 57 trojans in it, it then tried to run the setup.exe file.
This was a highly plausible looking scan for newbie-types. It showed various drives and even a gif-image of a supposed “Windows Alert”. The Joomla powered website was,
…called the MAGADHEERA REVIEW
Weakest Link - Goodbye!
There are also a heap of reported cracks of various WordPress websites if you Google for “MyBookFace scam” or similar. It’s sites like these, I think, that have been the source of my referral spam.
Like everything else, WordPress must be set up and maintained correctly, just like a car, if it’s to work properly.
Conclusion – MyFaceBook. You are the weakest link. Goodbye!
I haven’t done any more checks. But IMHO, Google & McAfee want to do more checks. While MyBookFace.crap may not be the source of malware, anything one-click away seems to be!
Start -> Run -> type ‘notepad’ (without quotes) and hit Enter on the keyboard.
Paste Into Notepad:
Now paste the copied text into Notepad.
Now Save the File:
Call the file a handy name like “StopAutoRun”, but make sure it has a ‘reg’ extension!
So your file should be called something like StopAutoRun.reg
Now Run The Reg File You’ve Just Made:
Double-click the file – your registry will pick up the change and the handy AutoRun feature will be disabled!
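The post’s own .reg text is not reproduced on this page, so here is the standard Microsoft-documented way of doing the same thing, as an added example that is not the post’s code: the NoDriveTypeAutoRun policy value set to 0xFF disables AutoRun for every drive type. The script writes that as a StopAutoRun.reg file (the same file the Notepad steps produce), imports it, and reads the value back. The Desktop location is just a convenient assumption; run it from an elevated prompt.

```powershell
# Added example (not the post's own .reg text). Disables AutoRun on all drive
# types via the documented NoDriveTypeAutoRun policy. Run elevated.

# The .reg file, exactly as you would paste it into Notepad.
# dword:000000ff = bit set for every drive type, i.e. AutoRun off everywhere.
$regText = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
'@

# Assumption: save it on the Desktop under the name the post suggests.
$regFile = Join-Path $env:USERPROFILE 'Desktop\StopAutoRun.reg'
Set-Content -Path $regFile -Value $regText -Encoding Ascii

# Import it. This is what double-clicking the file and confirming does,
# minus the confirmation dialog.
reg.exe import $regFile

# Read the value back to confirm the change took.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
'NoDriveTypeAutoRun = 0x{0:X2}' -f $value   # 0xFF means AutoRun is off for all drive types
```

Two caveats a practitioner would want. On Windows XP and Vista the value is only honoured fully once the update described in Microsoft KB967715 (which adds the HonorAutorunSetting value) is installed, so patch first and then apply this. And disabling AutoRun only closes the removable-media route; the same worm also spreads across the network, so this is a complement to patching and a good AV program, not a substitute for them.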
Of course, you may be used to using this “handy feature”. If you want to keep it, don’t do any of the above but be very, very, very careful about any USB stick you insert into your computer, any CD you insert or play, any video you watch on DVD, and any network you map or connect to…
What About if I’m Already Infected?
How to Clear and Eliminate Conficker or Downadup?
Connect to the internet with a “good”, clean computer. You may need to borrow one or visit a friend’s house.
Download a clean-up program – the NOD32 version is here: http://download.eset.com/special/EConfickerRemover.exe Other anti-virus makers have similar ones.
Copy the tool you’ve just downloaded to your own PC and run it. It may take a while and you’ll definitely need a reboot afterwards.
Install and/or Update a good Antivirus program (see above at top)