Tag Archive: EXE

Windows Experience Index – in 8.1 – Where is it?

Strangely posted on September 25th, 2013, in Technology

Introduction

Screenshot: Win8 Experience Index (also in Win7)

Recently Microsoft announced a bit of a climb-down over its release of Windows 8.1 to MSDN developers (like me). Their previous stance was that developers would get 8.1 at the same time as the commercial release.

So I’ve had a look, installing it into a VirtualBox environment…

The focus of this article is on one difference, the Windows Experience Index; mine is shown in the screenshot at the top right.

Differences?

Screenshot: Win8 Control Panel

Well, yes and no. Apart from the much-talked-about "start" button (non-)reinstatement, the control panel throws up some differences for sure (see screenshots)…

Screenshot: Win8.1 Control Panel

… notably the Windows Experience Index (or Performance Indicator, or Assessment), a Microsoft gauge of the "goodness" of your machine.

Well, in Win 8.1, it's gone! See highlight…

Or Has It?

Screenshot: WinSAT usage (not all shown!)

Actually, it's still there under the command line… All you need to do is add a switch (I chose 'formal' as it does the lot).

The actual file that does the work is called winsat.exe and it lives in the System32 folder. Give it the -? switch from the command prompt and all its inner options and usages are revealed! (see left)

So fire up your command line (an elevated one, i.e. "Run as administrator", as WinSAT refuses to run otherwise) and run:

C:\Windows\system32\winsat.exe formal

…then watch the process stream past.

Results

There's no nice GUI report, of course. The results are still there, tucked away (as they always were) as a set of XML files in the Windows directory. Go to:

C:\Windows\Performance\WinSAT\DataStore

Screenshot: Win8.1 System Assessment Files (cmd process finished in background)

…to find them. The screenshot right shows the files I've just created; you'll see that the process has just finished in the command-line window and that it took 2 min 49.59 s to run all the tests.

Examining Results

Screenshot: WinSAT Win8.1 CPU Results

Running all assessments has produced 7 files.

The screenshot here on the left shows the end of the CPU one.

The time it took is plainly visible, along with the poor CPU assessment (well, it is in a virtual environment after all!!)
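To script the same thing rather than read the XML by eye, here is an added example (mine, not code from the original post) in PowerShell that runs the formal assessment, pulls the WinSPR scores out of the newest XML in the DataStore, and cross-checks them against the Win32_WinSAT WMI class. It assumes Windows 8.1 with PowerShell 4 in an elevated session; the file-name pattern and element names are those of the Windows 7/8/8.1 DataStore.

```powershell
# Added example (not from the original post): run the formal assessment from PowerShell and read
# the resulting scores back, first from the newest XML in the DataStore and then from the
# Win32_WinSAT WMI class. Assumes Windows 8.1 (PowerShell 4) in an elevated session; the
# DataStore path and the WinSPR element names are those of Windows 7/8/8.1.

function Invoke-WinSatFormal {
    # winsat.exe refuses to run unless the console is elevated, so check before calling it.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'winsat formal needs an elevated (Run as administrator) PowerShell prompt.'
    }
    & "$env:SystemRoot\System32\winsat.exe" formal
    if ($LASTEXITCODE -ne 0) { throw "winsat exited with code $LASTEXITCODE" }
}

function Get-WinSatScoresFromXml {
    # Newest "<timestamp> Formal.Assessment (Initial|Recent).WinSAT.xml" file in the DataStore.
    $store  = Join-Path $env:SystemRoot 'Performance\WinSAT\DataStore'
    $latest = Get-ChildItem -Path $store -Filter '*Formal.Assessment*.WinSAT.xml' |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No formal assessment found in $store - run winsat formal first." }

    [xml]$doc = Get-Content -Path $latest.FullName
    $spr = $doc.WinSAT.WinSPR      # the WinSPR node holds the sub-scores and the base score
    [pscustomobject]@{
        File     = $latest.Name
        Base     = [double]$spr.SystemScore   # lowest sub-score, i.e. the old headline number
        CPU      = [double]$spr.CpuScore
        Memory   = [double]$spr.MemoryScore
        Graphics = [double]$spr.GraphicsScore
        Gaming   = [double]$spr.GamingScore
        Disk     = [double]$spr.DiskScore
    }
}

function Get-WinSatScoresFromWmi {
    # Same numbers via WMI; on Windows 7 (PowerShell 2) use Get-WmiObject -Class Win32_WinSAT.
    # WinSATAssessmentState: 0 unknown, 1 valid, 2 incoherent with hardware, 3 not available, 4 invalid.
    Get-CimInstance -ClassName Win32_WinSAT |
        Select-Object WinSPRLevel, CPUScore, MemoryScore, GraphicsScore, D3DScore, DiskScore, WinSATAssessmentState
}

Invoke-WinSatFormal
Get-WinSatScoresFromXml | Format-List
Get-WinSatScoresFromWmi | Format-List
```

The WMI query is the quick way to check whether the stored assessment is still considered valid for the current hardware (state 1); after a hardware change or a fresh VM clone the state drops and the XML numbers should not be trusted until winsat formal has been re-run.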

Conclusion

The Windows Experience Index is not dead and buried in the new Windows 8.1 – it's only been buried.


Website Referral Spam and Cyber Security Malware

Screenshot: Fear, Uncertainty, Doubt

Remove Referrals Information from This Website because of Malware

Like many blogs, this website has displayed the last few hits (referrals) that it's received as a kind of 'live' activity recorder and a small service back to the referring website. However, I've had to pull this from my front page because over the last few days, hundreds of malware-laden websites have seemingly been broadcasting pings to everyone else….

Anyone unlucky enough to click on these back-links to the ‘referrer’, is then presented with some fake anti-malware scan that’s almost impossible to get away from without resorting to Task Manager.

Analysis and Appearance

The referring link is usually from a sub-domain of an apparently ‘normal’ website (whatever ‘normal’ means, but I hope you know!).  Here’s an example that points to malware:

http://srpvxdd.franklinrealtyvacationrentals.com/page.php?n=overcome-compulsive-overeating

franklinrealtyvacationrentals.com is a normal-looking estate agent’s site in Florida.

This next one points to a blank page and has a similar page.php?key= construct, but lacks a sub-domain:

http://sweetepeach.com/page.php?uuu=cube-memory-dane-elec

sweetepeach.com is a website under construction at ixWebHosting, my old host that I left because it was so slow.

And this one is another malware-laden website:

http://www.pbparts.com/error.php?404

pbparts.com appears to be a computer parts on-line store in Arizona.

And here are two web addresses from the same domain!:

http://rlzkiio.tummy2tummy.com/page.php?n=tiered-tulle-dress

http://ziqklvc.tummy2tummy.com/page.php?d=official-ffa-dress

tummy2tummy.com appears to be mother and baby website.
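The pattern in those referrers (a random-looking throw-away sub-domain, a generic page.php handler, and a short query key carrying a keyword slug) is easy to score automatically. Below is an added example, not code from the original post, that does so in PowerShell over the referrer URLs quoted above plus two benign ones I made up; the two rules are my own heuristic, not a published signature, and in practice you would feed it the Referer field of your web-server log rather than a hand-typed list.

```powershell
# Added example (not from the original post): a heuristic scorer for the referrer-spam pattern
# described above. The rules and the sample list are my own construction. Works on PowerShell 2.0+.

function Test-SuspiciousReferrer {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Url)
    process {
        $u = $null
        if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$u)) {
            return [pscustomobject]@{ Url = $Url; Domain = ''; Suspicious = $true; Reason = 'unparseable URL' }
        }
        $labels  = $u.Host.Split('.')
        $reasons = @()

        # Rule 1: a throw-away sub-domain label of 7+ lowercase letters with few vowels
        # ("srpvxdd", "ziqklvc"); real host names are usually words or short tokens like "www".
        if ($labels.Count -ge 3) {
            $sub    = $labels[0]
            $vowels = ($sub -replace '[^aeiou]', '').Length
            if ($sub -cmatch '^[a-z]{7,}$' -and $vowels -le [math]::Floor($sub.Length / 3)) {
                $reasons += "random-looking sub-domain '$sub'"
            }
        }

        # Rule 2: a generic page.php/error.php handler whose only query key is one to three letters
        # carrying a keyword slug ("?n=tiered-tulle-dress"): the SEO-spam fingerprint in the post.
        if ($u.AbsolutePath -match '^/(page|error)\.php$' -and
            $u.Query -match '^\?([a-z]{1,3})=([a-z0-9-]+)$') {
            $reasons += "keyword slug via '$($Matches[1])=' on $($u.AbsolutePath)"
        }

        [pscustomobject]@{
            Url        = $Url
            Domain     = ($labels | Select-Object -Last 2) -join '.'   # naive registered domain
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Constructed sample: the referrers quoted in the post plus two benign ones.
$referrers = @(
    'http://srpvxdd.franklinrealtyvacationrentals.com/page.php?n=overcome-compulsive-overeating'
    'http://sweetepeach.com/page.php?uuu=cube-memory-dane-elec'
    'http://www.pbparts.com/error.php?404'
    'http://rlzkiio.tummy2tummy.com/page.php?n=tiered-tulle-dress'
    'http://ziqklvc.tummy2tummy.com/page.php?d=official-ffa-dress'
    'http://kexhoxonxk.iblogger.org/'
    'https://www.google.com/search?q=windows+experience+index'
    'http://blog.example.org/2013/09/windows-8-1/'
)
$results = $referrers | Test-SuspiciousReferrer
$results | Format-Table Suspicious, Domain, Reason -AutoSize

# Domains that sent spam from more than one throw-away host (tummy2tummy.com in the post's sample).
$results | Where-Object { $_.Suspicious } | Group-Object Domain | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "$($_.Name): $($_.Count) distinct spam hosts" }
```

Note that www.pbparts.com/error.php?404 is not caught: a bare status code carries no slug, so neither rule fires. Heuristics like this catch a campaign's habits, not its membership, so keep the rules editable and pair them with a blocklist of the domains you have actually confirmed.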

Examples

Screenshot: Cyber Security Warning 1

Screenshot: Cyber Security Warning 2

Screenshot: Cyber Security Warning 3

Here are examples of the typical warning messages after hitting a duff link or two…  These are taken from Firefox 3 & IE8, all fully patched and up-to-date etc.

  • The website sometimes redirects, sometimes not, to the malware-coded location.
  • The message/dialog boxes have a variety of wording and button suggestions
  • Some websites are completely un-closable by normal means and the Task Manager is the only way to get out of a loop
  • There are a variety of files to download from the various websites.  The one in the video below is called "Inst_174s1.exe" – which I've seen 3 times now.  I've also seen another called "setup_build8_239.exe" which has a standard Windows setup icon inside it to ensure its apparent legitimacy!

Standard Anti-Virus Failure

The video shows the fake scan and the various failed attempts I made at closing it. The current IP address of the user (myself) is shown to add an air of realism, although any web page can easily display this.

Fortunately, in this video, IE8, even though the malware site had mucked around with the browser's privacy settings and the window size and position, was finally closable with the normal close button at the top right. On other sites, the only way to get out of the loop in both IE8 and Firefox was to use Task Manager to kill the process. This worked, fortunately.

I downloaded the files purposely on some occasions for analysis….

ESET's NOD32 (my AV program) failed to detect both these files as bad! I uploaded both to ESET for analysis and one has since been found to contain a trojan, a variant of Win32/Kryptik.AWY! This trojan has been in the signature database since 21/10/2009, when NOD32 was the only anti-virus program to detect it! So things aren't that bad. Presumably, if I'd run the programs NOD32 would've kicked in, but I haven't tried that yet. The setup file was only first detected as malware yesterday, and then only by a few vendors. The analysis of its actions is particularly revealing: along with a shed-load of new registry keys, it also modifies the 'hosts' file!

NOD32 wasn't alone in this scanning detection failure. I tried the online scanners of Trend, McAfee and AVG on the two files and they all failed to detect anything! Time constraints meant I didn't try Kaspersky, Symantec et al., but I'm fairly certain the results would have been the same.

Conclusion

Everything is not as it seems!  Be very careful what you click on!

Send any suspicious file to VirusTotal.com; it has quite a crack at finding out the truth about a file by running it through most of the anti-virus vendors' engines.

As for my website here, the recent referrer back-links are now gone as they made me look like a pointer to bad sites, and I’m not.  Whether it’s possible for this sub-domain behaviour to be blocked, probably depends on the website owners, as it’s not the browser’s fault.

What I have noticed, is:

  • A lot of these malware sites are hosted at my old crap host, ixWebhosting.com  (If I recall, a setting exists to block sub-domain creation)
  • A lot of host sites are in Arizona, Florida and Utah
  • A lot of malware sites can be traced back to China & eastern European states.

Make of that what you will.  If I spot any more ‘tendencies’ or ‘co-incidences’, I’ll add them to the list.


Watch Out for cleanup-registry.net!

Introduction

I got a ping this morning from a website called cleanup-registry.net   It arrived because I’d been referenced as a website in the network setup using the plugin, “Related Websites” by the Blog Traffic Exchange (actually, it may be time to knock this experiment on the head as generally, the sites are only loosely related and have poor linkage otherwise).

Whatever; the link referenced an old post of mine about Microsoft software problems here.  Notionally, the website looks okay and professional – but I smelled a rat!

Screenshot: Cleanup-Registry.net

This is a screenshot of the whole post (at ). So I did a search on the user's error message:

‘The DOTNETFX35SETUP.EXE file is linked to missing export NTDLL.DLL:NtShutdownSystem.’ (it turns out later that I should have just done a search on the text in the first paragraph of the post…)

Screenshot: Yahoo! Answers page

About six entries down in the Google search results is this page from the respected 'Yahoo! Answers' forum website, shown at left.

The screenshots of each will blow up to full size, but to save you making direct textual comparisons, let me tell you now that the text in both, and one comment, the accepted answer in Yahoo! Answers, is EXACTLY the same!

For your interest, the accepted answer is that the OSes are incompatible, and a fix is described.

The real problem is the dates! cleanup-registry.net's is the 8th September 2009; Yahoo! Answers' is from 8 months ago!

Conclusion

What we are seeing is the same sort of tactic employed by the Google Treasure Chest scammers of a fake blog (now called a flog!) being used as part of a selling campaign.  They’ve content-scraped decent content and passed it off as their own as a means of justifying their flogging area.

Q. Their product?

A. They are trying to sell a registry cleaner type software and a computer maintenance service ($25 per month!) in Las Vegas.

All of this is done under the banner of some fairly useful video how-tos and some less worthy content scraping from other websites….

The killer bits are that all the ‘blog’ entries are dated 24/9/2009 (apart from the odd one) and all the pages and how-tos are dated 24/7/2009!!!

Furthermore, the domain owner is hidden by our old friends at Domains by Proxy.

Do you really trust this sort of stuff?  I don’t.  Whether it’s supporting malware or not, it’s selling by devious means using the same methods as used by zillions of scams worldwide.

Caveat Emptor – buyer beware!


MyBookFace Crap

Introduction

I had an interesting referral from an external website early today.  It was,

http://kexhoxonxk.iblogger.org/

iblogger.org has a decent WHOIS entry and is US based. However, the random-looking sub-domain is a bit iffy.

MyBookFace.net

If you follow the link, it’s immediately redirected to

http://mybookface.net/

The tagline for this website is:

Screenshot: MyBookFace.net

MyBookFace is a friendly social networking alternative to MySpace and FaceBook.

This seems clear and is an obvious parody or amalgam of the two global chatter stations.

Social Networking Problem

The problem with "MyBookFace" is its WHOIS – or rather the lack of information in its WHOIS!!!

Bemused

The registration is blocked by NameCheap.com, which is a bit odd for a public, socially-networked company!

Malware?

Checking up on the 'company', I've found references (from Google and McAfee) to it having been a source of malware in the past, but not currently.

But checking other things, like the tagline above, turns up over 4,000 websites with exactly the same phrase in them, and some of them look decidedly dodgy! Try this search and see…

Screenshot: ESET NOD32 Antivirus warning of Kryptik.AAR trojan

Many of the sites are sexual or cracked-entertainment places that all require you to download a "video viewer" or similar. Many others are no more than catalogue-type directories plastered with adverts. This is an example of an attempted trojan installation attack on my system from one random site I visited… After a highly entertaining pseudo-system 'scan' which said my 'system' had about 57 trojans in it, it then tried to run the setup.exe file.

This was a highly plausible looking scan for newbie-types.  It showed various drives and even a gif-image of a supposed “Windows Alert”.  The Joomla powered website was,

www.techniz.co.uk/rss.php?magadheera%20review

…called the MAGADHEERA REVIEW

Screenshot: Weakest Link - Goodbye!

There are also a heap of reported cracks of various WordPress websites if you Google for “MyBookFace scam” or similar.    It’s sites like these, I think, that have been the source of my referral spam.

Like everything else, WordPress must be set up and maintained correctly, just like a car, if it’s to work properly.

Conclusion – MyFaceBook. You are the weakest link. Goodbye!

I haven’t done any more checks.  But IMHO, Google & McAfee want to do more checks. While MyBookFace.crap may not be the source of malware, anything one-click away seems to be!


Problems with Conficker or Downadup?

Or How to Disable Autoruns

– to Stop This Particular Infection Route

This is a brief summary of what to do…
  1. Make sure you have a proper anti-virus program running
    • NOD32 is a good one!
    • AVG is too
    • Kaspersky, Trend, CA are also good brands
  2. Make sure your anti-virus is current and updated.  Check like so:
    • Somewhere on your program will be its last update
    • For NOD32, hover your mouse cursor over the little icon next to the taskbar clock (bottom right in XP)
    • As well as version numbers, the last update shows in reverse date format – 6 Feb 2009 is 20090206
    • Other programs are very similar and the last update is usually pretty obvious, so you don't need to fiddle with settings etc.
  3. Disable autoruns as this is a good way for the virus/malware/trojan to get you
    • This is the best and easiest way to do this:
Copy This Text:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Open Notepad:

start -> run -> type ‘notepad’ (without quotes) and hit Enter on the keyboard

Paste Into Notepad:

Now paste the copied text into Notepad

Now Save the File:

Call the file a handy name like “StopAutoRun” but make sure it has a ‘reg’ extension!

So your file should be called something like StopAutoRun.reg

Now Run The Reg File You’ve Just Made:

Double-click the file – your registry will pick up the change and the handy autorun feature will be disabled!

Of course, you may be used to using this “handy feature”.  If you want to keep it, don’t do any of the above but be very, very, very careful about any USB stick you insert into your computer, any CD you insert or play, any video you watch on DVD, and any network you map or connect to…
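For anyone who would rather do the same thing from a prompt and verify that it took, here is an added example (mine, not code from the original post) in PowerShell that applies the Autorun.inf mapping, reads it back, and then looks for autorun.inf files on any removable drive currently plugged in. It assumes an elevated PowerShell 2.0+ session on Windows XP SP3 or later; the NoDriveTypeAutoRun policy value it also sets is an addition beyond the post's .reg file.

```powershell
# Added example (not from the original post): the Autorun.inf registry change made and verified
# from an elevated PowerShell prompt, plus two checks a practitioner would want. Assumes Windows
# XP SP3 or later with PowerShell 2.0+; NoDriveTypeAutoRun is an addition beyond the post's .reg file.

$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutorunInf {
    # 1. The IniFileMapping trick from the .reg file above: point every Autorun.inf lookup at a
    #    registry key that does not exist, so Windows never reads the file's contents.
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'   # '(default)' is the @= value

    # 2. Belt and braces: the Explorer policy that turns AutoRun off for every drive type (0xFF).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutorunInfDisabled {
    # Read both values back so the change is verified rather than assumed.
    $mapped = if (Test-Path $IniMapKey) { (Get-ItemProperty -Path $IniMapKey).'(default)' } else { $null }
    $policy = if (Test-Path $PolicyKey) { (Get-ItemProperty -Path $PolicyKey).NoDriveTypeAutoRun } else { $null }
    [pscustomobject]@{
        IniFileMappingOk = ($mapped -eq '@SYS:DoesNotExist')
        PolicyOk         = ($policy -eq 0xFF)
    }
}

function Find-AutorunInfOnRemovableDrives {
    # DriveType 2 = removable. An autorun.inf on a USB stick is worth a look whether or not
    # AutoRun is disabled, because it is the file Conficker drops on removable media to spread.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $inf) {
            # -Force is needed because the dropped file is usually marked hidden+system.
            [pscustomobject]@{ Drive = $_.DeviceID; AutorunInf = $inf; Bytes = (Get-Item $inf -Force).Length }
        }
    }
}

Disable-AutorunInf
Test-AutorunInfDisabled
Find-AutorunInfOnRemovableDrives
```

Both registry values live under HKLM, so the script must run elevated; without that Set-ItemProperty fails with an access-denied error and Test-AutorunInfDisabled will report $false for both checks.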

What About if I’m Already Infected?

How to Clear and Eliminate Conficker or Downadup?

  1. Connect to the internet with a “good”, clean computer.  You may need to borrow one or visit a friend’s house..
  2. Download a clean up program – the NOD32 version is here: http://download.eset.com/special/EConfickerRemover.exe Other Anti-virus makers have similar ones.
  3. Copy the tool you've just downloaded to your own PC and run it.   It may take a while and you'll definitely need a reboot afterwards.
  4. Install and/or Update a good Antivirus program (see above at top)

Further Reading and Information Sources


© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me