Roger's Random Ramblings

Windows 8, VMWare, HAL_INITIALIZATION_FAILED, VirtualBox and broken network bridging

2011-10-05T14:02:00.000-07:00

A couple of days ago I downloaded Windows 8 to port my C++ code to this new platform. I tried to install
Windows 8 into my good old VMWare Workstation 5.5.9 where I run my other virtual machines, but ended up getting a HAL_INITIALIZATION_FAILED error message when booting from the .iso:

But since word was on the street that VirtualBox 4.1.2 could handle Windows 8 I gave that a try.
Unfortunately the Windows installer kept hanging while "Expanding Windows Files" while installing it onto
the VirtualBox virtual machine.

After some trial and error I changed the number of processors/cores in the VirtualBox virtual machine settings to the same number of processors/cores as on the host system, in my case two. This change seemed to do the trick and the installation completed without any other issues.

When I went back to run my VMWare virtual machines I noticed that their brigded networking was no longer working :( Switching to NAT and it worked fine, back to bridged and no network connection. For some reason the installation of VirtualBox caused my existing bridged connection to fail. Anyway, the solution was to explicitly set the network adapter VMWare should bridge with, in my case the Wireless adapter:

Hope this helped someone. Now I'm going to try the 64-bit version of Windows 8.

How to find the process that is using a TCP port

2011-09-18T00:59:00.000-07:00

Earlier today I was inspecting all computers in my home for malware with the help of GMER and FreeFixer. I was also using the netstat command line tool to look for any suspicious network connections. Netstat shows established TCP connections and ports that are listening for incoming connections. There was one entry in the netstats output that looked a bit suspicious: A connection to a server at cust.tele2.se on port 5938 and cust.bredbandsbolaget.se, also on port 5938.

The problem with netstat is that I couldn't see the name of the executable file that had established this connection. As usual Sysinternals comes to the rescue. They offer a tool called TCPView which also shows the process name along with connection info. It turned out that TeamViewer that I recently installed had established the cust.tele2.se:5938 connection:

Another alternative to find the process name that owns a connection is to use netstat -o which will list the process identifier for each connection and compare it to the information listed in the Windows Task Manager.

BUGCODE_USB_DRIVER

2010-09-12T01:47:00.000-07:00

Seems like VMWare 5.5, iTunes and my new iPhone don't not mix. When I plugin in the iPhone I get the following blue screen:

The only work-around I could find to this problem was to install iTunes directly on the host machine :(

Desktop Security 2010 Scareware

2010-04-30T23:57:00.000-07:00

Stumbled upon another rogue security application called Desktop Security 2010. It has been around for some time now. What's new about this one is that it adds a new column to the Windows Task Manager falsely claiming that some of my files are infect:

Your Protection Scareware

2010-04-07T07:35:00.000-07:00

Stumbled upon a new scareware application called "Your Protection" today:

FreeFixer v0.55 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2010-04-07 14:20

Registry Startups (5 whitelisted)
HKCU\..\Run, Your Protection = "C:\Program Files\Your Protection\urpprot.exe" -noscan

SafePcAv Scareware

2010-02-05T07:28:00.001-08:00

Ran into another scareware application today. It detects malware on a clean machine:

FreeFixer v0.53 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2010-02-05 16:13

Processes (21 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\Program Files\SafePcAv Software\SafePcAv\SafePcAv.exe

End of FreeFixer log

"Antimalware Defender" Scareware Disguised as a Windows Critical Security Update

2010-01-31T06:07:00.000-08:00

Antimalware Defender is another scareware application. It pops up dialog boxes falsely claiming it is part of a Windows Critical Update:

Antimalware Defender reports lots of malware on a clean system:

You can use FreeFixer to remove AntiMalware Defender. I've pasted a FreeFixer log below which will help you identify the malware items:

FreeFixer v0.53 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2010-01-31 15:04

Browser Helper Objects

{fa217b17-bd53-4441-bc32-3de578a2826a}, {fa217b17-bd53-4441-bc32-3de578a2826a}, C:\WINDOWS\system32\fa217b17-bd53-4445-bc32-3de578a2826a_6.avi

Registry Startups (4 whitelisted)

HKLM\..\Run, fa217b17-bd53-4445-bc32-3de578a2826a_6 = "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\fa217b17-bd53-4445-bc32-3de578a2826a_6.avi", start minimized

HKCU\..\Run, fa217b17-bd53-4445-bc32-3de578a2826a_6 = "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\roger\Application Data\fa217b17-bd53-4445-bc32-3de578a2826a_6.avi", start minimized

Processes (23 whitelisted)

C:\Program Files\FreeFixer\freefixer.exe

Explorer.exe Modules (109 whitelisted)

C:\WINDOWS\system32\MSVCR71.dll

Rundll Modules (71 whitelisted)

C:\DOCUME~1\roger\LOCALS~1\Temp\wrk90.tmp

Recently created/modified files

2 minutes, c:\Documents and Settings\roger\Local Settings\Temp\wrk90.tmp

2 minutes, c:\Program Files\Antimalware Defender\Antimalware Defender.dll

2 minutes, c:\Documents and Settings\roger\Local Settings\Application Data\fa217b17-bd53-4445-bc32-3de578a2826a_6.avi

2 minutes, c:\Documents and Settings\roger\Application Data\fa217b17-bd53-4445-bc32-3de578a2826a_6.avi

2 minutes, c:\Documents and Settings\All Users\Application Data\fa217b17-bd53-4445-bc32-3de578a2826a_6.avi

2 minutes, c:\WINDOWS\system32\fa217b17-bd53-4445-bc32-3de578a2826a_6.avi

2 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\s[2].bin

Did this help you remove AntiMalware Defender?

MyPcSecure Scareware

2010-01-30T02:17:00.000-08:00

MyPcSecure claims to detect malware on a clean system:

It's located in C:\Program Files\MyPcSecure Software\MyPcSecure\MyPcSecure.exe

How to set up Magic Mouse on Windows

2010-01-27T00:58:00.000-08:00

Do you want to use Apple's Magic Mouse on Windows? No problem, just follow these step-by-step instructions. I've tested this on Windows XP. Right-click, left-click and vertical scroll are working just fine:

1. Open up the Windows Control Panel. (classic mode):

2. Double click on Bluetooth Devices:

3. In the Devices tab, click Add.

4. Check "My device is set up and ready to be found".

5. Power on your magic mouse with the on/off switch under the mouse. If it is already powered on, power it off and on again.

6. Click Next.

7. After a while, Windows will find the Magic Mouse.

8. Select "Apple Wireless Mouse" and click Next

9. Select "Use the passkey found in the documentation". Type in 0000 as the passkey and click Next:

10 Click Finish:

11. Click OK:

12. Now you should be able to move the mouse pointer, use left- and right-click. To get the vertical scroll working you need to install the Magic Mouse Windows drivers. These are made available by the great people over at uneasysilence.com. There's a 32-bit and and 64-bit version.

13. Done.

Did this help you get your Magic Mouse working on Windows?

SysDefenders Scareware

2010-01-12T09:30:00.000-08:00

Here's another faked anti-virus program. Claims to detects lots of malware on a clean system:

FreeFixer v0.51 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2010-01-12 07:29

Registry Startups (4 whitelisted)
HKCU\..\Run, 8ytzu5al.exe = C:\WINDOWS\system32\8ytzu5al.exe

Processes (21 whitelisted)
C:\Program Files\FreeFixer.0.51\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\8ytzu5al.exe
C:\Program Files\SysDefenders Software\SysDefenders\SysDefenders.exe

End of FreeFixer log

Tweets, Google Search Results and Speech Ballons

2010-01-11T12:29:00.000-08:00

This was news to me. Tweets now appear in Google's search results, in a speech balloon:

Antivirus PC 2009

2010-01-01T03:49:00.000-08:00

Antivirus PC 2009 is yet another faked antivirus program. It claims to detect malware on a clean system:

Internet Security 2010

2009-12-09T17:53:00.000-08:00

Ran into another faked anti-virus program:

FreeFixer log below. I've highlighted the bad items in red. Hope this helps you with the removal.

FreeFixer v0.50 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-12-10 02:49

Registry Startups (3 whitelisted)
HKCU\..\Run, Internet Security 2010 = C:\Program Files\InternetSecurity2010\IS2010.exe

Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\Program Files\InternetSecurity2010\IS2010.exe

Recently created/modified files
0 minutes, c:\Program Files\InternetSecurity2010\IS2010.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\O1EF052R\SetupIS2010[1].exe

Koobface "Locks" Computer With Captcha

2009-11-13T17:01:00.000-08:00

Koobface is still going strong. Here you can see it in action. It "locks" the computer and asks the user to solve a captcha:

I've pasted the FreeFixer log from the infected system. Everything is malware except freefixer.exe:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-14 01:55

Registry Startups (3 whitelisted)
HKLM\..\Run, sysldtray = c:\windows\ld15.exe
HKLM\..\Run, Captcha7 = rundll "C:\Program Files\captcha.dll",captcha
HKLM\..\Run, sysfbtray = c:\windows\freddy73.exe

Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
c:\windows\freddy73.exe

Recently created/modified files
8 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\WEGR55JE\v2googlecheck[1].exe
8 minutes, c:\Program Files\captcha.dll
8 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\v2captcha[1].exe
20 minutes, c:\WINDOWS\zwer_1258158897.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\v2googlecheck[1].exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\v2captcha[1].exe
20 minutes, c:\WINDOWS\freddy73.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\O1EF052R\fb[1].73.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\get[1].exe
21 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\ff2ie[1].exe
21 minutes, c:\WINDOWS\ld15.exe

End of FreeFixer log

Control Center Rogue

2009-11-13T15:55:00.001-08:00

Yet another rogue. This one is promoted as a free video. If you install the "video", you will get the Control Center Rogue. It claims to detect lots of viruses on a clean system. It also replaces the default shell with cc.exe.

If you got this infection and want to start your default shell (explorer.exe) again, just press Ctrl + shift + ESC and the Task Manager will pop up. Open the File menu and select New Task. Type in explorer.exe and press enter. Now you can start FreeFixer to remove the ControlCenter malware. I've marked the malware files in red in the FreeFixer log below:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-14 00:30

Shell settings
HKCU\..\Winlogon, Shell = C:\Documents and Settings\roger\Application Data\CC\cc.exe

Registry Startups (3 whitelisted)
HKCU\..\Run, agent.exe = C:\Documents and Settings\roger\Application Data\CC\agent.exe

Processes (18 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\Documents and Settings\roger\Application Data\CC\agent.exe
C:\Documents and Settings\roger\Application Data\CC\cc.exe

End of FreeFixer log

AntiAID

2009-11-12T02:57:00.000-08:00

Another day, another faked anti-virus program. Today it's called AntiAID and claims to detect a bunch of malware on a clean computer:

I've pasted a FreeFixer log below and highlighted the malware files in red:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-12 10:22

Registry Startups (3 whitelisted)
HKCU\..\Run, 8enyqcv1.exe = C:\WINDOWS\system32\8enyqcv1.exe
HKCU\..\Run, AntiAID = C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe -min

Processes (20 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\8enyqcv1.exe
C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe

Recently created/modified files (29 whitelisted)
-123 minutes, c:\Program Files\AntiAID Software\AntiAID\AntiAID.exe

End of FreeFixer log

SystemWarrior Malware

2009-11-11T06:13:00.000-08:00

Ran into a new faked anti-virus program today called System Warrior. It claims to have found lots of malware on a clean system:

I've pasted the FreeFixer log from the infected system below, and marked the malware items in red. Hopefully this will help you to remove SystemWarrior:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-11 14:51

Registry Startups (3 whitelisted)
HKLM\..\Run, SystemWarrior = "C:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe" -min
HKCU\..\Run, zrn6.tmp.exe = C:\WINDOWS\system32\zrn6.tmp.exe

Processes (21 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\zrn6.tmp.exe
C:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe

Recently created/modified files (16 whitelisted)
0 minutes, c:\Program Files\SystemWarrior Software\SystemWarrior\Uninstall.exe
0 minutes, c:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe
0 minutes, c:\WINDOWS\system32\zrn6.tmp.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temp\zrn6.tmp.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temp\tbg5.tmp.exe

End of FreeFixer log

AntiMalware Rogue

2009-11-09T09:26:00.000-08:00

Found another rogue today named "AntiMalware". It claims to have found 10 threats on a clean computer:

This rogue is located in C:\Program Files\AntiMalware\. Its executable file is named antimalware.exe.

BlockProtector

2009-11-06T14:10:00.000-08:00

Ran into a new faked anti-virus program today. This time it's called BlockProtector and claims to have found 700+ "SPYWARE Objects":

Here's a FreeFixer log from the infected system. I've marked the malware files with red:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-06 22:55

Registry Startups (3 whitelisted)
HKLM\..\Run, BlockProtector.exe = C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
HKCU\..\Run, gdm1F.tmp.exe = C:\WINDOWS\system32\gdm1F.tmp.exe

Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\gdm1F.tmp.exe
C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe

Application modules (85 whitelisted)
C:\WINDOWS\system32\MSVCR71.dll

Recently created/modified files (27 whitelisted)
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\update\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.exe

End of FreeFixer log

McAfee + Adobe Reader 9

2009-11-03T01:38:00.000-08:00

Looks like Adobe and McAfee have teamed up. Adobe Reader 9 bundles a McAfee component which can display the following message:

I think that most people gets pretty annoyed by this type of bundling.

BlockScanner Rogue

2009-11-02T04:57:00.000-08:00

Ran into a new rogue today called BlockScanner:

Here's a FreeFixer log which shows what modifications the Block Scanner software did on the infected computer:

FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-02 13:03

Registry Startups (3 whitelisted)
HKLM\..\Run, 0079dcbc.exe = C:\WINDOWS\system32\0079dcbc.exe
HKCU\..\Run, goz21.tmp.exe = C:\WINDOWS\system32\goz21.tmp.exe
HKCU\..\Run, BlockScanner = C:\Program Files\BlockScanner Software\BlockScanner\BlockScanner.exe -min

Processes (20 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\goz21.tmp.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\nqn22.tmp.exe
C:\Program Files\BlockScanner Software\BlockScanner\BlockScanner.exe

Recently created/modified files (1 whitelisted)
3 minutes, c:\Program Files\BlockScanner Software\BlockScanner\uninstall.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\nsu20.tmp\nsProcess.dll
3 minutes, c:\WINDOWS\system32\goz21.tmp.exe
3 minutes, c:\WINDOWS\system32\0079dcbc.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\nqn22.tmp.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\goz21.tmp.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\rew1E.tmp.exe
..

My Favorite Screeshots

2009-11-01T13:21:00.000-08:00

Adobe Flash Player bundles McAfee Security Scan:

The winlogon86.exe malware displays a faked detection pop-up:

FreeFixer repairing broken Internet Access due to the winhelper86.dll malware:

Fixing the UserInit registry setting by booting directly from the Windows Vista installation DVD:

Windows Police Pro

2009-10-28T08:00:00.000-07:00

Another day, another rogue. This one is called Windows Police Pro:

Here's a FreeFixer log from the infected computer. Malware files appear in red:

FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:28

Registry Startups (3 whitelisted)
HKCU\..\Run, inixs = C:\WINDOWS\system32\minix32.exe

Processes (18 whitelisted)
C:\WINDOWS\system32\minix32.exe
C:\Program Files\FreeFixer\freefixer.exe

Recently created/modified files (18 whitelisted)
2 minutes, c:\WINDOWS\system32\pump.exe
3 minutes, c:\WINDOWS\svchast.exe
3 minutes, c:\WINDOWS\system32\plugie.dll
3 minutes, c:\Program Files\Windows Police Pro\Windows Police Pro.exe
3 minutes, c:\Program Files\Windows Police Pro\msvcr80.dll
3 minutes, c:\Program Files\Windows Police Pro\msvcp80.dll
3 minutes, c:\Program Files\Windows Police Pro\msvcm80.dll

Active Security rogue

2009-10-27T13:17:00.000-07:00

Another rogue, dubbed Active Security:

Here's a FreeFixer log of the infected system. Malware files appear in red:

FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 17:57

Registry Startups (3 whitelisted)
HKCU\..\Run, wow64main.exe = C:\DOCUME~1\roger\LOCALS~1\Temp\wow64main.exe
HKCU\..\Run, Active Security = "C:\Program Files\Active Security\asecurity.exe" -noscan

Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\wow64main.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Active Security\asecurity.exe

..

EnumPageFiles missing in Windows 2000

2009-10-27T00:01:00.000-07:00

Seems like the EnumPageFiles documentation at MSDN is incorrect. EnumPageFiles should be available starting with Windows 2000 Pro, but there's no export with that name in psapi.dll.

This is a dump of the functions available in psapi.dll on my Windows 2000 Pro machine (No service pack installed):

C:\Program Files\Microsoft Visual Studio 8\VC>dumpbin /exports c:\tmp\dump\psapi.dll
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file c:\tmp\dump\psapi.dll

File Type: DLL

Section contains the following exports for PSAPI.DLL

00000000 characteristics
37EC8753 time date stamp Sat Sep 25 10:26:59 1999
0.00 version
1 ordinal base
19 number of functions
19 number of names

ordinal hint RVA name

1 0 00001CDE EmptyWorkingSet
2 1 00001226 EnumDeviceDrivers
3 2 00001981 EnumProcessModules
4 3 00003106 EnumProcesses
5 4 00001106 GetDeviceDriverBaseNameA
6 5 00001789 GetDeviceDriverBaseNameW
7 6 00001728 GetDeviceDriverFileNameA
8 7 000016D8 GetDeviceDriverFileNameW
9 8 0000185E GetMappedFileNameA
10 9 000017E1 GetMappedFileNameW
11 A 00001BD4 GetModuleBaseNameA
12 B 00001B7E GetModuleBaseNameW
13 C 00001B1D GetModuleFileNameExA
14 D 00001AC7 GetModuleFileNameExW
15 E 00001C35 GetModuleInformation
16 F 00003233 GetProcessMemoryInfo
17 10 00003351 GetWsChanges
18 11 00003317 InitializeProcessForWsWatch
19 12 00001D42 QueryWorkingSet

Summary

4000 .data
1000 .reloc
1000 .rsrc
4000 .text

No EnumPageFiles export. But what if I install service pack 4? Will EnumPageFiles be available there? The answer is no, psapi.dll is not updated while installing the service pack.

When running an application linking to the unavailable EnumPageFiles you will see an error message saying:

The procedure entry point EnumPageFilesA could not be located in the dynamic link library PSAPI.DLL.

The Win2k work-around

You can get the paging files from the registry by reading "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, PagingFiles".

Do you know of some other method of enumerating the paging files?

SecurityTool Rogue

2009-10-23T05:27:00.000-07:00

Ran into a new rogue today called "Security Tool":

This program was installed by exploiting a security hole in an unpatched Windows XP installation. Below is a FreeFixer log to show what files appeared on the infected computer:

FreeFixer v0.47 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-10-23 14:45

Registry Startups
HKLM\..\Run, sysgif32 = C:\WINDOWS\Temp\wpv511255703227.exe
HKLM\..\Run, restorer64_a = C:\WINDOWS\system32\restorer64_a.exe
HKLM\..\Run, 60306520 = C:\DOCUME~1\ALLUSE~1\APPLIC~1\60306520\60306520.exe
HKLM\..\Run, PromoReg = C:\WINDOWS\Temp\_ex-08.exe
HKLM\..\Run, Antivirus Pro 2010 = "C:\Program\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
HKLM\..\Run, Regedit32 = C:\WINDOWS\system32\regedit.exe (file is missing)
HKCU\..\Run, restorer64_a = C:\Documents and Settings\Roger\restorer64_a.exe
HKCU\..\Run, mserv = C:\Documents and Settings\Roger\Application Data\seres.exe
HKCU\..\Run, svchost = C:\Documents and Settings\Roger\Application Data\svcst.exe

Autostart shortcuts
zavupd32.exe, , C:\Documents and Settings\Roger\Start-meny\Program\Autostart\zavupd32.exe

Recently created/modified files
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN6.tmp
15 minutes, c:\WINDOWS\system32\dllcache\agp440.sys
15 minutes, c:\WINDOWS\system32\drivers\AGP440.SYS
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN5.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\TMP13.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\2B6JEHAV\win[1].exe
42 minutes, c:\WINDOWS\system32\_scui.cpl
42 minutes, c:\Program\AntivirusPro_2010\Uninstall.exe
42 minutes, c:\Program\AntivirusPro_2010\wscui.cpl
42 minutes, c:\Program\AntivirusPro_2010\htmlayout.dll
42 minutes, c:\Program\AntivirusPro_2010\pthreadVC2.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
42 minutes, c:\Program\AntivirusPro_2010\AVEngn.dll
42 minutes, c:\Program\AntivirusPro_2010\AntivirusPro_2010.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\lizkavd.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\G5ER0HM3\Install[1].exe
44 minutes, c:\Documents and Settings\All Users\Application Data\60306520\60306520.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\svcst.exe
44 minutes, c:\WINDOWS\Temp\_ex-08.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\seres.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN12.tmp
44 minutes, c:\Documents and Settings\Roger\restorer64_a.exe
45 minutes, c:\WINDOWS\system32\restorer64_a.exe
45 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\10.tmp
45 minutes, c:\WINDOWS\Temp\wpv791256209457.exe
45 minutes, c:\WINDOWS\Temp\wpv651256085323.exe
45 minutes, c:\WINDOWS\Temp\wpv511255703227.exe

Antivirus Pro 2010 Rogue

2009-10-21T22:48:00.001-07:00

Ran into a another rogue today. Antivirus Pro 2010:

These malware files appeared on the computer: AntivirusPro_2010.exe, seres.exe, lizjavd.exe and svcst.exe.

Total Security rogue

2009-09-21T00:31:00.000-07:00

Ran into another rogue anti-virus tool called Total Security. It was install by exploiting a security hole:

PC Antispyware 2010 Rogue

2009-08-14T08:00:00.000-07:00

Here's another rogue anti-spyware application that was installed by exploiting a security hole:

Advanced Virus Remover Rogue

2009-08-13T09:00:00.000-07:00

Ran into this rogue anti-virus program a few days ago:

Update October 27, 2009

Today I ran into this rogue again. I captured a FreeFixer log where you can see the modifications Advanced Virus Remover did on the infected computer:

FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:15

System policies
HKCU\..\policies\system, DisableTaskMgr = 1

Transport service providers (3 whitelisted)
{3F8DAED5-1A15-44C0-A465-27536D3B3C98} - C:\WINDOWS\system32\winhelper.dll
{6DBCA3F0-ACCF-4F0E-8998-F976BB4FA56D} - C:\WINDOWS\system32\winhelper.dll

Registry Startups (3 whitelisted)
HKLM\..\Run, winupdate.exe = C:\WINDOWS\system32\winupdate.exe
HKCU\..\Run, Advanced Virus Remover = C:\Program Files\AdvancedVirusRemover\PAVRM.exe

Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe

Application modules (70 whitelisted)
C:\WINDOWS\system32\winhelper.dll

Recently created/modified files
1 minute, c:\Program Files\AdvancedVirusRemover\PAVRM.exe
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\SetupAdvancedVirusRemover[1].exe
1 minute, c:\WINDOWS\system32\winhelper.dll
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\dfghfghgfj[1].dll
1 minute, c:\WINDOWS\system32\winupdate.exe
..

Webmarketingexperts.com.au Spam

2009-08-11T03:03:00.000-07:00

I keep getting spam linking to webmarketingexperts.com.au:

Anyone else getting these?

Most annoying error ever?

2009-07-15T09:04:00.000-07:00

The device 'Generic volume' cannot be stopped because a program is still accessing it.

This isn't that helpful. I want to know the name program that is using the drive, and the name of the files that are still open.

Darn, my VMware virtual machine was detected

2009-07-13T06:28:00.000-07:00

I wanted to install the software from yourcursor.com to see if they bundle some additional software with their cursors. To my surprise, their installer detected it was running in a virtual machine:

Looking around for workarounds... To be continued..

Antivirus Plus

2009-07-09T08:05:00.001-07:00

Ran into the ~~good~~ old rogue Antivirus Plus application today:

Update October 27, 2009

Today I ran into AntiVirus plus again. I capped a FreeFixer log so you can see what changes this rogue antivirus program did:

FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:06

Registry Startups (3 whitelisted)
HKLM\..\Run, AntiVirus Plus = C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe
HKCU\..\Run, AntiVirus Plus = C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe

Autostart shortcuts
AntiVirus Plus.lnk, , C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe
AntiVirus Plus.lnk, , C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe

HOSTS file
78.159.125.60 us.search.yahoo.com
78.159.125.60 uk.search.yahoo.com
78.159.125.60 search.yahoo.com
78.159.125.60 www.google.com.br
78.159.125.60 www.google.it
78.159.125.60 www.google.es
78.159.125.60 www.google.co.jp
78.159.125.60 www.google.com.mx
78.159.125.60 www.google.ca
78.159.125.60 www.google.com.au
78.159.125.60 www.google.nl
78.159.125.60 www.google.co.za
78.159.125.60 www.google.be
78.159.125.60 www.google.gr
78.159.125.60 www.google.at
78.159.125.60 www.google.se
78.159.125.60 www.google.ch
78.159.125.60 www.google.pt
78.159.125.60 www.google.dk
78.159.125.60 www.google.fi
78.159.125.60 www.google.ie
78.159.125.60 www.google.no
78.159.125.60 www.google.com
78.159.125.60 www.google.de
78.159.125.60 www.google.fr
78.159.125.60 www.google.co.uk

Goodbye GoogleUpdate.exe

2009-07-03T12:21:00.001-07:00

GoogleUpdate.exe is the shared component that keeps Google Toolbar, Google Chrome and other Google products up to date. Google got a lot of critic for creating yet another process that kept running in the background.

The good news is that upcoming version of Google's software will use the Windows Task Scheduler which only run at periodic intervals, not 24/7 like GoogleUpdate.exe did.

Invited to the Dreamhost Private Servers

2009-07-01T07:03:00.000-07:00

Got an invitation to the DreamHost private servers a few days ago. Basically, the invitation allows me to start a private server starting at 150MB and $5 / month. I'm currently running my sites in the shared environment and I'm happy with the response- and up-time.

Anyone tried the Dreamhost PS? And how long will 150MB last? I'm currently using around 1400 CPU seconds/day.

Hey again Roger!

Last week we again sent you an email inviting you to try our still-new
DreamHost PS (Private Servers) and/or our DreamHost PS MySQL service!
But again it looks like you never checked it out at:

http://www.dreamhostps.com/

Nor did you choose to sign up by visiting:

https://panel.dreamhost.com/?tree=vserver.provision

Well, it's hard for us to understand how you couldn't give it a shot for
just $10/month (33% off). But not impossible for us to believe. What's
IMPOSSIBLE for us to believe is if you don't take advantage of this, our
final and greatest offer!

$10/month off.. forever. That's 100MB free.. meaning you can get your
very own Private Server with 150MB of ram for just FIVE dollars a month!
Awooooooga!

The main advantages of DreamHost PS are:

* You get your own PROTECTED system resources for improved stability.
* You get more flexibility than regular hosting to run any process.
* You can scale your resources on the fly, and reboot your own PS.
* It's currently only +$10/month for every 100MB of memory. ($10 off!)
* It's a completely seamless transition from our regular shared hosting.

You can also sign up for DreamHost PS MySQL, which is just like PS but
for your databases. If you get both PS and PS MySQL, you get another 20%
off both, forever!

Now, this is really our final final offer. And, it expires one week from
today (by 2009-07-05) .. sign up and we'll be able to provision you
ASAP!

Thanks one final time,
The Happy DreamHost Evite Team!

P.S. If you'd prefer not to be notified by email in the future should
you be given any more invitations, please visit our contact preferences
page here:

https://panel.dreamhost.com/id/?tab=contact

And select to not receive "DreamHost Promotions" anymore!

Following_me, Followers_me

2009-07-01T04:22:00.000-07:00

Another Twitter bug :)

FreeFixer.com now using Google Trends

2009-06-29T08:00:00.000-07:00

Google recently announced the Trends Gadget. Here's you can it in action on FreeFixer.com:

Seaport.exe is a legitimate file from Microsoft.

Here's two additional examples of the gadget in action.
freddy46.exe and reader_s.exe

Spotify Invites for Sale

2009-06-26T01:28:00.000-07:00

Sigh, some people are selling Spotify invites:

http://www.tradera.com/Spotify-Invite-NU-2st-Invite-till-basta-musik-tjansten-auktion_91492107
http://www.prylbanken.se/annons/musik_cd_lp/spotify_invite_saljes/421779/
http://www.allaannonser.se/saeljes/filmer_musik/spotify_invite.html
http://www.kopingtorget.se/index.php?action=show&show_id=1458&show_torg_namn=vasteras
http://www.eskilstunatorget.se/index.php?action=show&show_id=1846
http://www.fuska.nu/forum/trad.php?id=1810079

I've got 2 invites. Send me an email and I'll invite you. 100% free, like it was intended to be. (You have to live in Sweden, Norway, Finland, the UK, France or Spain.)

Why does Windows create fragmented files by default?

2009-06-25T09:00:00.000-07:00

This is wierd. My external drive got lots of free space and is completely defragmented:

Now, I'm backing up my VMware virtual machines, by copying the VMware files to the external drive. These are a bunch of 2GB files which should fit without any problem in the free space of the drive. But for some reason, these files get fragmented:

And it's not just two three fragments, it's 10.000+ fragments!

Why?

Toolbar galore after installing popular applications listed on Download.com

2009-06-24T04:29:00.000-07:00

This is how Internet Explorer might look like after installing the 20 most popular Windows applications listed on Download.com:

Firewall Blocked Spotify?

2009-06-23T06:14:00.000-07:00

I've been running Spotify for quite some time now. It's a great application for streaming music. However, today the Spotify client refused to log in with the following error message:

An error occured
A firewall may be blocking your Internet connection (error 110). Additionally you could try to change the currently used proxy settings.

The thing is, I have not modified any of my firewall settings. Spotify aside, there's no problem with any of my other applications that need an internet connection. Browsing works fine, using SSH works as usual, etc.

Temporarily disabling the firewall did not help either. Anyone else having the same problem?

Update:
ChrZZ kindly suggested in the comments that resetting my Spotify password should solved the problem. I visited http://www.spotify.com/en/password-reset/ and followed the instructions, and this solved the problem.

Are you also getting the "firewall may be blocking" error? Does resetting the password solve the problem for you too? Please let me know in the comments below.

Update 2:
In the comments Mr Anonymous suggests that all you need to do is to uncheck the "remember me" checkbox. Did this solve the problem for you?

How to enable the security tab in Windows Explorer

2009-06-17T10:00:00.000-07:00

The Windows NT family of operating system allows you to set various permissions on files and folders that controls what operations users are allowed to perform. For example, you might want to set up a folder on your computer and allow some users to modify the files in that folder, while other users are only allowed to read the file data. These permissions are editable from Windows Explorer, by right-clicking on a file or folder and selecting the security tab:

However, on Windows XP Home and Windows XP Pro the security tab is hidden be default if your computer has not joined a domain. To enable the security tab:

Click on Start
Choose Control Panel
Click on Folder Options
Select the View tab
Uncheck "Use simple file sharing"

Soon 1000 followers! Thank you everyone for your follows

2009-06-17T00:16:00.001-07:00

Spammers, Captcha Workers and Getafreelancer.com

2009-06-16T08:00:00.000-07:00

This is crazy, look at the search results for captcha over at Getafreelancer.com.

From one of the job descriptions:

i want captcha entry agents immediatly.i`ll give u a target to achieve daily,if u think u cannot fulfil this requirement plz don bid.if thigns wrk out gud,we`ll stay in a long term partnership.i`ll pay bi weekly.i will pick more than one bidder.lowest bid wins

Here's another one:

Hello

I'm Looking for large/Medium Large team to work on my online 24/7 captcha entry project. Server is very fast. Itz a long term Project.
***Rate:$0.80/k (Good Captcha Only).
***Very very Good counting.
Only Interested & serius teams BID & PM me plz.

Serius individuals can also BID & contact via PM.

Thanks_
*************************************************Happy Bidding......

Suppose this is how your captchas get solved over and over again. Or can large scale captcha solving like this have any legit use?

LastWriteTime, ChangeTime and GetFileInformationByHandleEx

2009-06-15T13:20:00.000-07:00

Starting with Windows Vista, there's a new export available called GetFileInformationByHandleEx. You can use this function to get information about a file, in the format of a FILE_BASIC_INFO struct:

typedef struct _FILE_BASIC_INFO {
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  DWORD         FileAttributes;
}FILE_BASIC_INFO, *PFILE_BASIC_INFO;

What puzzles me about this struct is the two last members, LastWriteTime and ChangeTime. What is the difference between these two members? Sounds like they specify the same thing to me?

Compare Google and Bing searches side by side with Panic.nu

2009-06-14T15:52:00.000-07:00

Want to compare the search results from Google and Bing? Then you might want to give panic.nu a try, which displays your Google and Bing search results framed side by side. Here's an example search on freefixer:

How to dump DLL exports

2009-06-14T12:51:00.000-07:00

To print the function names that a Windows dynamic link library exports (DLL), you can use the dumpbin.exe tool, which comes with Visual Studio. For example, the following command line exports all functions in kernel32.dll:

>dumpbin.exe /EXPORTS c:\windows\system32\kernel32.dll

Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file c:\windows\system32\kernel32.dll

File Type: DLL

Section contains the following exports for KERNEL32.dll

00000000 characteristics
49C4D12E time date stamp Sat Mar 21 12:36:14 2009
0.00 version
1 ordinal base
954 number of functions
954 number of names

ordinal hint RVA name

1 0 0000A6E4 ActivateActCtx
2 1 0003551D AddAtomA
3 2 000326F1 AddAtomW
4 3 00071DFF AddConsoleAliasA
5 4 00071DC1 AddConsoleAliasW
6 5 00059412 AddLocalAlternateComputerNameA
7 6 000592F6 AddLocalAlternateComputerNameW
8 7 0002BF11 AddRefActCtx
9 8 AddVectoredExceptionHandler (forwarded to NTDLL.RtlAddVectoredExceptionHandler)
10 9 00072451 AllocConsole
11 A 0005F6D4 AllocateUserPhysicalPages
12 B 0003597F AreFileApisANSI
13 C 0002E45A AssignProcessToJobObject
14 D 00072639 AttachConsole
15 E 0005725A BackupRead
16 F 00056340 BackupSeek
17 10 000578B5 BackupWrite
18 11 00016877 BaseCheckAppcompatCache
19 12 0006CF46 BaseCleanupAppcompatCache
20 13 0006CFCA BaseCleanupAppcompatCacheSupport
21 14 0006CE01 BaseDumpAppcompatCache
22 15 0006CD7F BaseFlushAppcompatCache
23 16 0001656D BaseInitAppcompatCache
24 17 0002B38D BaseInitAppcompatCacheSupport
25 18 000174E3 BaseProcessInitPostImport
26 19 0003838A BaseQueryModuleData
27 1A 000151C0 BaseUpdateAppcompatCache
28 1B 000195B7 BasepCheckWinSaferRestrictions
29 1C 00037AA7 Beep
30 1D 00070DBB BeginUpdateResourceA
31 1E 00070C18 BeginUpdateResourceW
32 1F 0002C03C BindIoCompletionCallback
33 20 0006C02D BuildCommDCBA
34 21 0006BFFF BuildCommDCBAndTimeoutsA
35 22 0006C05F BuildCommDCBAndTimeoutsW
36 23 0006C0B9 BuildCommDCBW
37 24 00060E36 CallNamedPipeA
38 25 00060BE7 CallNamedPipeW
39 26 00061BFF CancelDeviceWakeupRequest
40 27 000300E2 CancelIo
41 28 00063F58 CancelTimerQueueTimer
42 29 0002CC19 CancelWaitableTimer
43 2A 000127C3 ChangeTimerQueueTimer
44 2B 00061AB9 CheckNameLegalDOS8Dot3A
45 2C 00061879 CheckNameLegalDOS8Dot3W
46 2D 0005AAF2 CheckRemoteDebuggerPresent
47 2E 00067E31 ClearCommBreak
48 2F 000666BF ClearCommError
49 30 0001D3F6 CloseConsoleHandle
50 31 00009BE7 CloseHandle
51 32 0002C87D CloseProfileUserMapping
52 33 0002F611 CmdBatNotification
53 34 000679B1 CommConfigDialogA
54 35 000678BD CommConfigDialogW
55 36 00010B79 CompareFileTime
56 37 0000D117 CompareStringA
57 38 0000A3FE CompareStringW
58 39 00031463 ConnectNamedPipe
59 3A 000730FF ConsoleMenuControl
60 3B 0005B53D ContinueDebugEvent
61 3C 000383FF ConvertDefaultLocale
62 3D 0002FEDF ConvertFiberToThread
63 3E 0002FF1E ConvertThreadToFiber
64 3F 000286EE CopyFileA
65 40 0005F39C CopyFileExA
66 41 00027B32 CopyFileExW
67 42 0002F87B CopyFileW
68 43 0005989A CopyLZFile
69 44 0006C8E5 CreateActCtxA
70 45 000154FC CreateActCtxW
71 46 000741A8 CreateConsoleScreenBuffer
72 47 000217AC CreateDirectoryA
73 48 0005C213 CreateDirectoryExA
74 49 0005B5CA CreateDirectoryExW
75 4A 00032402 CreateDirectoryW
76 4B 000308B5 CreateEventA
77 4C 0000A749 CreateEventW
78 4D 0002FFB7 CreateFiber
79 4E 0002FFD7 CreateFiberEx
80 4F 00001A28 CreateFileA
81 50 0000950A CreateFileMappingA
82 51 0000943C CreateFileMappingW
83 52 00010800 CreateFileW
84 53 0006C769 CreateHardLinkA
85 54 0006C5AC CreateHardLinkW
86 55 0003138D CreateIoCompletionPort
87 56 0006C4CC CreateJobObjectA
88 57 0002CB13 CreateJobObjectW
89 58 0006C49E CreateJobSet
90 59 0002CC9B CreateMailslotA
91 5A 0002CCEC CreateMailslotW
92 5B 0003968A CreateMemoryResourceNotification
93 5C 0000E9DF CreateMutexA
94 5D 0000E957 CreateMutexW
95 5E 00060CDC CreateNamedPipeA
96 5F 0002F0DD CreateNamedPipeW
97 60 0002AC6C CreateNlsSecurityDescriptor
98 61 0001D83F CreatePipe
99 62 0000236B CreateProcessA
100 63 0001D54E CreateProcessInternalA
101 64 000197B0 CreateProcessInternalW
102 65 00080311 CreateProcessInternalWSecure
103 66 00002336 CreateProcessW
104 67 000104CC CreateRemoteThread
105 68 00012EBD CreateSemaphoreA
106 69 00010126 CreateSemaphoreW
107 6A 0006C7D4 CreateSocketHandle
108 6B 0006C28E CreateTapePartition
109 6C 000106D7 CreateThread
110 6D 0002BFE6 CreateTimerQueue
111 6E 0002117D CreateTimerQueueTimer
112 6F 00065C7F CreateToolhelp32Snapshot
113 70 00034962 CreateVirtualBuffer
114 71 00062C21 CreateWaitableTimerA
115 72 0002FB5A CreateWaitableTimerW
116 73 0000A715 DeactivateActCtx
117 74 0005B0FB DebugActiveProcess
118 75 0005B581 DebugActiveProcessStop
119 76 0005AB46 DebugBreak
120 77 0005B14E DebugBreakProcess
121 78 0005B175 DebugSetProcessKillOnExit
122 79 DecodePointer (forwarded to NTDLL.RtlDecodePointer)
123 7A DecodeSystemPointer (forwarded to NTDLL.RtlDecodeSystemPointer)
124 7B 0005D29D DefineDosDeviceA
125 7C 00021F1E DefineDosDeviceW
126 7D 0007EFED DelayLoadFailureHook
127 7E 000326C5 DeleteAtom
128 7F DeleteCriticalSection (forwarded to NTDLL.RtlDeleteCriticalSection)
129 80 0002FE8C DeleteFiber
130 81 00031EDD DeleteFileA
131 82 00031F63 DeleteFileW
132 83 00063F2B DeleteTimerQueue
133 84 00063EE4 DeleteTimerQueueEx
134 85 00021130 DeleteTimerQueueTimer
135 86 0006B21E DeleteVolumeMountPointA
136 87 0006AA70 DeleteVolumeMountPointW
137 88 00001629 DeviceIoControl
138 89 00011336 DisableThreadLibraryCalls
139 8A 0001273F DisconnectNamedPipe
140 8B 00058ABB DnsHostnameToComputerNameA
141 8C 0002CEC2 DnsHostnameToComputerNameW
142 8D 00032180 DosDateTimeToFileTime
143 8E 00062939 DosPathToSessionPathA
144 8F 0002C1F7 DosPathToSessionPathW
145 90 0001D4C5 DuplicateConsoleHandle
146 91 0000DE9E DuplicateHandle
147 92 EncodePointer (forwarded to NTDLL.RtlEncodePointer)
148 93 EncodeSystemPointer (forwarded to NTDLL.RtlEncodeSystemPointer)
149 94 00070A89 EndUpdateResourceA
150 95 000708B4 EndUpdateResourceW
151 96 EnterCriticalSection (forwarded to NTDLL.RtlEnterCriticalSection)
152 97 00038241 EnumCalendarInfoA
153 98 00076889 EnumCalendarInfoExA
154 99 000798BD EnumCalendarInfoExW
155 9A 0007989A EnumCalendarInfoW
156 9B 000768CA EnumDateFormatsA
157 9C 000768EA EnumDateFormatsExA
158 9D 000798E0 EnumDateFormatsExW
159 9E 00038811 EnumDateFormatsW
160 9F 00076928 EnumLanguageGroupLocalesA
161 A0 00079843 EnumLanguageGroupLocalesW
162 A1 0002E010 EnumResourceLanguagesA
163 A2 00060699 EnumResourceLanguagesW
164 A3 00060291 EnumResourceNamesA
165 A4 00055AE1 EnumResourceNamesW
166 A5 000600A4 EnumResourceTypesA
167 A6 000604B1 EnumResourceTypesW
168 A7 00076967 EnumSystemCodePagesA
169 A8 0007987F EnumSystemCodePagesW
170 A9 00079D19 EnumSystemGeoID
171 AA 0007690A EnumSystemLanguageGroupsA
172 AB 00079825 EnumSystemLanguageGroupsW
173 AC 00037D11 EnumSystemLocalesA
174 AD 00079864 EnumSystemLocalesW
175 AE 000768AC EnumTimeFormatsA
176 AF 000388EE EnumTimeFormatsW
177 B0 00076949 EnumUILanguagesA
178 B1 0002A8DC EnumUILanguagesW
179 B2 00058A0F EnumerateLocalComputerNamesA
180 B3 0005888F EnumerateLocalComputerNamesW
181 B4 0006C25B EraseTape
182 B5 000668D1 EscapeCommFunction
183 B6 0001CB12 ExitProcess
184 B7 0000C0F8 ExitThread
185 B8 000687D5 ExitVDM
186 B9 00032A09 ExpandEnvironmentStringsA
187 BA 000305FE ExpandEnvironmentStringsW
188 BB 00071767 ExpungeConsoleCommandHistoryA
189 BC 0007174F ExpungeConsoleCommandHistoryW
190 BD 0005FBCC ExtendVirtualBuffer
191 BE 00061D60 FatalAppExitA
192 BF 00061D12 FatalAppExitW
193 C0 00061DAE FatalExit
194 C1 00030665 FileTimeToDosDateTime
195 C2 0000E906 FileTimeToLocalFileTime
196 C3 0000E88C FileTimeToSystemTime
197 C4 00074184 FillConsoleOutputAttribute
198 C5 00074139 FillConsoleOutputCharacterA
199 C6 00074160 FillConsoleOutputCharacterW
200 C7 00030F29 FindActCtxSectionGuid
201 C8 0006CC4F FindActCtxSectionStringA
202 C9 0002FD54 FindActCtxSectionStringW
203 CA 00030D06 FindAtomA
204 CB 0002F82F FindAtomW
205 CC 0000EE77 FindClose
206 CD 00035805 FindCloseChangeNotification
207 CE 0005D483 FindFirstChangeNotificationA
208 CF 00034C1F FindFirstChangeNotificationW
209 D0 00013879 FindFirstFileA
210 D1 0005D4EA FindFirstFileExA
211 D2 0000EB1D FindFirstFileExW
212 D3 0000EF81 FindFirstFileW
213 D4 0006B399 FindFirstVolumeA
214 D5 0006AE59 FindFirstVolumeMountPointA
215 D6 00069EF1 FindFirstVolumeMountPointW
216 D7 0002D2BF FindFirstVolumeW
217 D8 00032145 FindNextChangeNotification
218 D9 00034EE1 FindNextFileA
219 DA 0000EFDA FindNextFileW
220 DB 0006AD3F FindNextVolumeA
221 DC 0006AF89 FindNextVolumeMountPointA
222 DD 0006A19D FindNextVolumeMountPointW
223 DE 0002CFAB FindNextVolumeW
224 DF 0000BF29 FindResourceA
225 E0 00035FA8 FindResourceExA
226 E1 0000AD28 FindResourceExW
227 E2 0000BC6E FindResourceW
228 E3 0002CF70 FindVolumeClose
229 E4 00035805 FindVolumeMountPointClose
230 E5 00074C5C FlushConsoleInputBuffer
231 E6 000126E1 FlushFileBuffers
232 E7 000355EC FlushInstructionCache
233 E8 000359A1 FlushViewOfFile
234 E9 00076FF1 FoldStringA
235 EA 0007A776 FoldStringW
236 EB 0002F7A8 FormatMessageA
237 EC 00034BBF FormatMessageW
238 ED 000721CD FreeConsole
239 EE 0001D6EF FreeEnvironmentStringsA
240 EF 00014B87 FreeEnvironmentStringsW
241 F0 0000AC7E FreeLibrary
242 F1 0000C210 FreeLibraryAndExitThread
243 F2 000260C2 FreeResource
244 F3 0005F702 FreeUserPhysicalPages
245 F4 00034B99 FreeVirtualBuffer
246 F5 00074B61 GenerateConsoleCtrlEvent
247 F6 000099B5 GetACP
248 F7 0005C283 GetAtomNameA
249 F8 00033117 GetAtomNameW
250 F9 0006916B GetBinaryType
251 FA 0006916B GetBinaryTypeA
252 FB 00068D0C GetBinaryTypeW
253 FC 0003850B GetCPFileNameFromRegistry
254 FD 00012F16 GetCPInfo
255 FE 00077187 GetCPInfoExA
256 FF 0007B30D GetCPInfoExW
257 100 00076AAB GetCalendarInfoA
258 101 00039050 GetCalendarInfoW
259 102 0006CCE2 GetComPlusPackageInstallStatus
260 103 00067E49 GetCommConfig
261 104 000669CD GetCommMask
262 105 00066A56 GetCommModemStatus
263 106 00066ADF GetCommProperties
264 107 00066B97 GetCommState
265 108 00022128 GetCommTimeouts
266 109 00012FBD GetCommandLineA
267 10A 00017023 GetCommandLineW
268 10B 0005E471 GetCompressedFileSizeA
269 10C 0005E349 GetCompressedFileSizeW
270 10D 000216A4 GetComputerNameA
271 10E 00058793 GetComputerNameExA
272 10F 000201F1 GetComputerNameExW
273 110 000316CF GetComputerNameW
274 111 000711F2 GetConsoleAliasA
275 112 0007168C GetConsoleAliasExesA
276 113 00071392 GetConsoleAliasExesLengthA
277 114 00071385 GetConsoleAliasExesLengthW
278 115 00071671 GetConsoleAliasExesW
279 116 000711C6 GetConsoleAliasW
280 117 00071527 GetConsoleAliasesA
281 118 000712F9 GetConsoleAliasesLengthA
282 119 000712E1 GetConsoleAliasesLengthW
283 11A 00071509 GetConsoleAliasesW
284 11B 00075213 GetConsoleCP
285 11C 000762E3 GetConsoleCharType
286 11D 00071AE7 GetConsoleCommandHistoryA
287 11E 00071945 GetConsoleCommandHistoryLengthA
288 11F 0007192D GetConsoleCommandHistoryLengthW
289 120 00071AC9 GetConsoleCommandHistoryW
290 121 000746A1 GetConsoleCursorInfo
291 122 0007593F GetConsoleCursorMode
292 123 00037C83 GetConsoleDisplayMode
293 124 000748D9 GetConsoleFontInfo
294 125 00074A01 GetConsoleFontSize
295 126 00072D59 GetConsoleHardwareState
296 127 00071E3C GetConsoleInputExeNameA
297 128 00071C11 GetConsoleInputExeNameW
298 129 00072739 GetConsoleInputWaitHandle
299 12A 00075469 GetConsoleKeyboardLayoutNameA
300 12B 00075481 GetConsoleKeyboardLayoutNameW
301 12C 0001AC50 GetConsoleMode
302 12D 000760C7 GetConsoleNlsMode
303 12E 0001AEC7 GetConsoleOutputCP
304 12F 00075505 GetConsoleProcessList
305 130 0001B963 GetConsoleScreenBufferInfo
306 131 00074769 GetConsoleSelectionInfo
307 132 00071B79 GetConsoleTitleA
308 133 0001B774 GetConsoleTitleW
309 134 00075499 GetConsoleWindow
310 135 00076CB9 GetCurrencyFormatA
311 136 0007C80A GetCurrencyFormatW
312 137 000300B1 GetCurrentActCtx
313 138 00074A8F GetCurrentConsoleFont
314 139 0003502E GetCurrentDirectoryA
315 13A 0000B917 GetCurrentDirectoryW
316 13B 0000DE95 GetCurrentProcess
317 13C 000099C0 GetCurrentProcessId
318 13D 0000998B GetCurrentThread
319 13E 000097D0 GetCurrentThreadId
320 13F 0003621E GetDateFormatA
321 140 000337A5 GetDateFormatW
322 141 00067B81 GetDefaultCommConfigA
323 142 00067A89 GetDefaultCommConfigW
324 143 0007BB81 GetDefaultSortkeySize
325 144 00061B84 GetDevicePowerState
326 145 000302F5 GetDiskFreeSpaceA
327 146 000303A3 GetDiskFreeSpaceExA
328 147 000128A3 GetDiskFreeSpaceExW
329 148 000301B7 GetDiskFreeSpaceW
330 149 0005FFAF GetDllDirectoryA
331 14A 0005FE40 GetDllDirectoryW
332 14B 000214E3 GetDriveTypeA
333 14C 0000B370 GetDriveTypeW
334 14D 0001CC93 GetEnvironmentStrings
335 14E 0001CC93 GetEnvironmentStringsA
336 14F 00012FA8 GetEnvironmentStringsW
337 150 00014B92 GetEnvironmentVariableA
338 151 0000F194 GetEnvironmentVariableW
339 152 0001AB53 GetExitCodeProcess
340 153 00021435 GetExitCodeThread
341 154 00065D07 GetExpandedNameA
342 155 00065DB4 GetExpandedNameW
343 156 000115DC GetFileAttributesA
344 157 00013851 GetFileAttributesExA
345 158 00011195 GetFileAttributesExW
346 159 0000B7EC GetFileAttributesW
347 15A 00010D0D GetFileInformationByHandle
348 15B 00010B17 GetFileSize
349 15C 00010AA9 GetFileSizeEx
350 15D 00031C4D GetFileTime
351 15E 00010EF1 GetFileType
352 15F 0005F50C GetFirmwareEnvironmentVariableA
353 160 0005F3F5 GetFirmwareEnvironmentVariableW
354 161 0001399C GetFullPathNameA
355 162 0000B8F2 GetFullPathNameW
356 163 00076982 GetGeoInfoA
357 164 00079987 GetGeoInfoW
358 165 0006C7C3 GetHandleContext
359 166 0002BDC5 GetHandleInformation
360 167 00075771 GetLargestConsoleWindowSize
361 168 GetLastError (forwarded to NTDLL.RtlGetLastWin32Error)
362 169 0007BBAB GetLinguistLangSize
363 16A 0000A874 GetLocalTime
364 16B 0000D302 GetLocaleInfoA
365 16C 00011602 GetLocaleInfoW
366 16D 0002C2E3 GetLogicalDriveStringsA
367 16E 00061437 GetLogicalDriveStringsW
368 16F 00030B1C GetLogicalDrives
369 170 00061DF7 GetLogicalProcessorInformation
370 171 000696C6 GetLongPathNameA
371 172 000133F3 GetLongPathNameW
372 173 0005FB30 GetMailslotInfo
373 174 0000B56F GetModuleFileNameA
374 175 0000B475 GetModuleFileNameW
375 176 0000B741 GetModuleHandleA
376 177 0006004E GetModuleHandleExA
377 178 0001FCC1 GetModuleHandleExW
378 179 0000E4DD GetModuleHandleW
379 17A 00060D53 GetNamedPipeHandleStateA
380 17B 00060AED GetNamedPipeHandleStateW
381 17C 000608F2 GetNamedPipeInfo
382 17D 00037975 GetNativeSystemInfo
383 17E 00068083 GetNextVDMCommand
384 17F 0001801D GetNlsSectionName
385 180 0006102C GetNumaAvailableMemory
386 181 00061072 GetNumaAvailableMemoryNode
387 182 00060EA9 GetNumaHighestNodeNumber
388 183 00060F81 GetNumaNodeProcessorMask
389 184 00060FE6 GetNumaProcessorMap
390 185 00060EF4 GetNumaProcessorNode
391 186 0002EC54 GetNumberFormatA
392 187 000344EC GetNumberFormatW
393 188 00075641 GetNumberOfConsoleFonts
394 189 000756AD GetNumberOfConsoleInputEvents
395 18A 00074821 GetNumberOfConsoleMouseButtons
396 18B 00012847 GetOEMCP
397 18C 000315CC GetOverlappedResult
398 18D 00061EF7 GetPriorityClass
399 18E 00036464 GetPrivateProfileIntA
400 18F 00032760 GetPrivateProfileIntW
401 190 00035F51 GetPrivateProfileSectionA
402 191 00032DD7 GetPrivateProfileSectionNamesA
403 192 0005CAE2 GetPrivateProfileSectionNamesW
404 193 0001EDBD GetPrivateProfileSectionW
405 194 00032B86 GetPrivateProfileStringA
406 195 0000F9FD GetPrivateProfileStringW
407 196 0005CB03 GetPrivateProfileStructA
408 197 0005CC6D GetPrivateProfileStructW
409 198 0000AE40 GetProcAddress
410 199 00021765 GetProcessAffinityMask
411 19A 0006230D GetProcessDEPPolicy
412 19B 0006226A GetProcessHandleCount
413 19C 0000AC61 GetProcessHeap
414 19D 0005F9B3 GetProcessHeaps
415 19E 00061CDD GetProcessId
416 19F 00062239 GetProcessIoCounters
417 1A0 000621FF GetProcessPriorityBoost
418 1A1 00061F5D GetProcessShutdownParameters
419 1A2 00035309 GetProcessTimes
420 1A3 00012CC3 GetProcessVersion
421 1A4 0006214C GetProcessWorkingSetSize
422 1A5 000364D9 GetProfileIntA
423 1A6 0002F8A2 GetProfileIntW
424 1A7 0005D0AF GetProfileSectionA
425 1A8 0005D0E8 GetProfileSectionW
426 1A9 00021495 GetProfileStringA
427 1AA 000213F8 GetProfileStringW
428 1AB 0000A7BD GetQueuedCompletionStatus
429 1AC 00035BE0 GetShortPathNameA
430 1AD 0001F26E GetShortPathNameW
431 1AE 00001EF2 GetStartupInfoA
432 1AF 00001E54 GetStartupInfoW
433 1B0 00012FD9 GetStdHandle
434 1B1 00038A3C GetStringTypeA
435 1B2 0007720F GetStringTypeExA
436 1B3 0000C08F GetStringTypeExW
437 1B4 0000A530 GetStringTypeW
438 1B5 00061DC0 GetSystemDEPPolicy
439 1B6 0000BFDD GetSystemDefaultLCID
440 1B7 00012852 GetSystemDefaultLangID
441 1B8 000130D8 GetSystemDefaultUILanguage
442 1B9 00014F8A GetSystemDirectoryA
443 1BA 00031DEB GetSystemDirectoryW
444 1BB 00012DF6 GetSystemInfo
445 1BC 00035370 GetSystemPowerStatus
446 1BD 00062360 GetSystemRegistryQuota
447 1BE 0000176F GetSystemTime
448 1BF 0002D37F GetSystemTimeAdjustment
449 1C0 000017E9 GetSystemTimeAsFileTime
450 1C1 00062006 GetSystemTimes
451 1C2 000212F1 GetSystemWindowsDirectoryA
452 1C3 0000ADC9 GetSystemWindowsDirectoryW
453 1C4 0002146C GetSystemWow64DirectoryA
454 1C5 0002146C GetSystemWow64DirectoryW
455 1C6 0006C302 GetTapeParameters
456 1C7 0006C1CC GetTapePosition
457 1C8 0006C39F GetTapeStatus
458 1C9 00061967 GetTempFileNameA
459 1CA 000359E7 GetTempFileNameW
460 1CB 00035DFA GetTempPathA
461 1CC 00030791 GetTempPathW
462 1CD 0003973D GetThreadContext
463 1CE 00063E71 GetThreadIOPendingFlag
464 1CF 0000A4B5 GetThreadLocale
465 1D0 0000A833 GetThreadPriority
466 1D1 00063BCF GetThreadPriorityBoost
467 1D2 0005B1C0 GetThreadSelectorEntry
468 1D3 00063E04 GetThreadTimes
469 1D4 0000934A GetTickCount
470 1D5 0003635D GetTimeFormatA
471 1D6 00034003 GetTimeFormatW
472 1D7 000350EF GetTimeZoneInformation
473 1D8 00009FB0 GetUserDefaultLCID
474 1D9 0000C004 GetUserDefaultLangID
475 1DA 00013110 GetUserDefaultUILanguage
476 1DB 000379BE GetUserGeoID
477 1DC 00068989 GetVDMCurrentDirectories
478 1DD 0001127A GetVersion
479 1DE 00012B7E GetVersionExA
480 1DF 0000AF05 GetVersionExW
481 1E0 00021BA5 GetVolumeInformationA
482 1E1 0000FA85 GetVolumeInformationW
483 1E2 0006B0A1 GetVolumeNameForVolumeMountPointA
484 1E3 0001FB88 GetVolumeNameForVolumeMountPointW
485 1E4 0002E893 GetVolumePathNameA
486 1E5 0002E5FD GetVolumePathNameW
487 1E6 0006B240 GetVolumePathNamesForVolumeNameA
488 1E7 00020D14 GetVolumePathNamesForVolumeNameW
489 1E8 00021363 GetWindowsDirectoryA
490 1E9 0000AE1B GetWindowsDirectoryW
491 1EA 0005F78C GetWriteWatch
492 1EB 000360D9 GlobalAddAtomA
493 1EC 0001010C GlobalAddAtomW
494 1ED 0000FDCD GlobalAlloc
495 1EE 0005F844 GlobalCompact
496 1EF 00030BC3 GlobalDeleteAtom
497 1F0 000360F3 GlobalFindAtomA
498 1F1 00034EC7 GlobalFindAtomW
499 1F2 0005F648 GlobalFix
500 1F3 000367A2 GlobalFlags
501 1F4 0000FCCF GlobalFree
502 1F5 0005C263 GlobalGetAtomNameA
503 1F6 0002C3CE GlobalGetAtomNameW
504 1F7 00034CE9 GlobalHandle
505 1F8 0000FFB9 GlobalLock
506 1F9 000310FA GlobalMemoryStatus
507 1FA 0001F992 GlobalMemoryStatusEx
508 1FB 00012459 GlobalReAlloc
509 1FC 00034DD1 GlobalSize
510 1FD 0005F68C GlobalUnWire
511 1FE 0005F662 GlobalUnfix
512 1FF 0000FF22 GlobalUnlock
513 200 0005F67C GlobalWire
514 201 00064C16 Heap32First
515 202 00064AD1 Heap32ListFirst
516 203 00064B7F Heap32ListNext
517 204 00064D30 Heap32Next
518 205 HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)
519 206 0003614E HeapCompact
520 207 00012C56 HeapCreate
521 208 0005F8A1 HeapCreateTagsW
522 209 00010F98 HeapDestroy
523 20A 0005F870 HeapExtend
524 20B HeapFree (forwarded to NTDLL.RtlFreeHeap)
525 20C 0005F9C4 HeapLock
526 20D 0005FAFD HeapQueryInformation
527 20E 0005F8B2 HeapQueryTagW
528 20F HeapReAlloc (forwarded to NTDLL.RtlReAllocateHeap)
529 210 00039499 HeapSetInformation
530 211 HeapSize (forwarded to NTDLL.RtlSizeHeap)
531 212 0005F8C3 HeapSummary
532 213 0005F9DE HeapUnlock
533 214 0005F91F HeapUsage
534 215 0005F993 HeapValidate
535 216 0005F9F8 HeapWalk
536 217 0002AF8F InitAtomTable
537 218 00009F91 InitializeCriticalSection
538 219 0000B8C9 InitializeCriticalSectionAndSpinCount
539 21A InitializeSListHead (forwarded to NTDLL.RtlInitializeSListHead)
540 21B 00009842 InterlockedCompareExchange
541 21C 0000981A InterlockedDecrement
542 21D 0000982E InterlockedExchange
543 21E 00009856 InterlockedExchangeAdd
544 21F InterlockedFlushSList (forwarded to NTDLL.RtlInterlockedFlushSList)
545 220 00009806 InterlockedIncrement
546 221 InterlockedPopEntrySList (forwarded to NTDLL.RtlInterlockedPopEntrySList)
547 222 InterlockedPushEntrySList (forwarded to NTDLL.RtlInterlockedPushEntrySList)
548 223 00074355 InvalidateConsoleDIBits
549 224 0000BD6F IsBadCodePtr
550 225 0003596F IsBadHugeReadPtr
551 226 0000C03D IsBadHugeWritePtr
552 227 00009EA1 IsBadReadPtr
553 228 0003228B IsBadStringPtrA
554 229 0000A67C IsBadStringPtrW
555 22A 00009F19 IsBadWritePtr
556 22B 0000B87C IsDBCSLeadByte
557 22C 0007B60E IsDBCSLeadByteEx
558 22D 00013133 IsDebuggerPresent
559 22E 0006C464 IsProcessInJob
560 22F 0000AECA IsProcessorFeaturePresent
561 230 00061BC8 IsSystemResumeAutomatic
562 231 0001116B IsValidCodePage
563 232 0007752F IsValidLanguageGroup
564 233 0001C1C3 IsValidLocale
565 234 0007763B IsValidUILanguage
566 235 00015239 IsWow64Process
567 236 00038E18 LCMapStringA
568 237 0000CD48 LCMapStringW
569 238 000665FE LZClose
570 239 00066587 LZCloseFile
571 23A 000597E4 LZCopy
572 23B 000660BD LZCreateFileW
573 23C 00080311 LZDone
574 23D 00065F62 LZInit
575 23E 00066190 LZOpenFileA
576 23F 00066257 LZOpenFileW
577 240 00066379 LZRead
578 241 000662EE LZSeek
579 242 000801F6 LZStart
580 243 LeaveCriticalSection (forwarded to NTDLL.RtlLeaveCriticalSection)
581 244 00001D7B LoadLibraryA
582 245 00001D53 LoadLibraryExA
583 246 00001AF5 LoadLibraryExW
584 247 0000AEEB LoadLibraryW
585 248 0006261E LoadModule
586 249 0000A055 LoadResource
587 24A 00009A2D LocalAlloc
588 24B 0005F844 LocalCompact
589 24C 00035554 LocalFileTimeToFileTime
590 24D 00055DE6 LocalFlags
591 24E 000099CF LocalFree
592 24F 00055EE1 LocalHandle
593 250 00032E4D LocalLock
594 251 0003092F LocalReAlloc
595 252 0005F85A LocalShrink
596 253 000325EC LocalSize
597 254 00032EE1 LocalUnlock
598 255 00032391 LockFile
599 256 0002F571 LockFileEx
600 257 0000CD37 LockResource
601 258 0005F730 MapUserPhysicalPages
602 259 0005F75E MapUserPhysicalPagesScatter
603 25A 0000B9A5 MapViewOfFile
604 25B 0000B936 MapViewOfFileEx
605 25C 000653A0 Module32First
606 25D 000652E7 Module32FirstW
607 25E 00065525 Module32Next
608 25F 00065484 Module32NextW
609 260 00035EBF MoveFileA
610 261 0005E49B MoveFileExA
611 262 0003568B MoveFileExW
612 263 00021261 MoveFileW
613 264 00035EDE MoveFileWithProgressA
614 265 0001F72E MoveFileWithProgressW
615 266 00009866 MulDiv
616 267 00009C98 MultiByteToWideChar
617 268 00014FFC NlsConvertIntegerToString
618 269 00035849 NlsGetCacheUpdateCount
619 26A 00077509 NlsResetProcessLocale
620 26B 0006113A NumaVirtualQueryNode
621 26C 00011081 OpenConsoleW
622 26D 0002AD98 OpenDataFile
623 26E 000132AC OpenEventA
624 26F 000131E0 OpenEventW
625 270 00021982 OpenFile
626 271 0000BC16 OpenFileMappingA
627 272 0000BB7A OpenFileMappingW
628 273 0006C538 OpenJobObjectA
629 274 0006C3C0 OpenJobObjectW
630 275 0000EABB OpenMutexA
631 276 0000EA35 OpenMutexW
632 277 000309E9 OpenProcess
633 278 0003334F OpenProfileUserMapping
634 279 0002CA57 OpenSemaphoreA
635 27A 0002E31F OpenSemaphoreW
636 27B 0002FC08 OpenThread
637 27C 00062C90 OpenWaitableTimerA
638 27D 00062B25 OpenWaitableTimerW
639 27E 0005AD4C OutputDebugStringA
640 27F 0005B405 OutputDebugStringW
641 280 000745CD PeekConsoleInputA
642 281 000745F0 PeekConsoleInputW
643 282 00060977 PeekNamedPipe
644 283 00012792 PostQueuedCompletionStatus
645 284 0006C228 PrepareTape
646 285 0002005F PrivCopyFileExW
647 286 0005E0C1 PrivMoveFileIdentityW
648 287 00064F55 Process32First
649 288 00064E9C Process32FirstW
650 289 000650C8 Process32Next
651 28A 00065027 Process32NextW
652 28B 00013029 ProcessIdToSessionId
653 28C 0002C06E PulseEvent
654 28D 00066E45 PurgeComm
655 28E 0001637B QueryActCtxW
656 28F QueryDepthSList (forwarded to NTDLL.RtlQueryDepthSList)
657 290 0005D344 QueryDosDeviceA
658 291 00021D8D QueryDosDeviceW
659 292 0002AFC9 QueryInformationJobObject
660 293 00039608 QueryMemoryResourceNotification
661 294 0000A4C7 QueryPerformanceCounter
662 295 0002FA4E QueryPerformanceFrequency
663 296 0005C6F4 QueryWin31IniFilesMappedToRegistry
664 297 0002C092 QueueUserAPC
665 298 00030A6A QueueUserWorkItem
666 299 00012AA9 RaiseException
667 29A 00072B5D ReadConsoleA
668 29B 00074613 ReadConsoleInputA
669 29C 00074659 ReadConsoleInputExA
670 29D 0007467D ReadConsoleInputExW
671 29E 00074636 ReadConsoleInputW
672 29F 00073945 ReadConsoleOutputA
673 2A0 00073E65 ReadConsoleOutputAttribute
674 2A1 00073E19 ReadConsoleOutputCharacterA
675 2A2 00073E3F ReadConsoleOutputCharacterW
676 2A3 00073921 ReadConsoleOutputW
677 2A4 00072BAC ReadConsoleW
678 2A5 00031637 ReadDirectoryChangesW
679 2A6 00001812 ReadFile
680 2A7 0002BD0B ReadFileEx
681 2A8 0002DE61 ReadFileScatter
682 2A9 000021D0 ReadProcessMemory
683 2AA 00075BF9 RegisterConsoleIME
684 2AB 00075A09 RegisterConsoleOS2
685 2AC 00072C02 RegisterConsoleVDM
686 2AD 0001702E RegisterWaitForInputIdle
687 2AE 000211CD RegisterWaitForSingleObject
688 2AF 0002B086 RegisterWaitForSingleObjectEx
689 2B0 0005F632 RegisterWowBaseHandlers
690 2B1 00068AE9 RegisterWowExec
691 2B2 000130FF ReleaseActCtx
692 2B3 000024B7 ReleaseMutex
693 2B4 0000C04D ReleaseSemaphore
694 2B5 0005C1F1 RemoveDirectoryA
695 2B6 00036F8B RemoveDirectoryW
696 2B7 0005953C RemoveLocalAlternateComputerNameA
697 2B8 0005945B RemoveLocalAlternateComputerNameW
698 2B9 RemoveVectoredExceptionHandler (forwarded to NTDLL.RtlRemoveVectoredExceptionHandler)
699 2BA 00036C6C ReplaceFile
700 2BB 0005F2DF ReplaceFileA
701 2BC 00036C6C ReplaceFileW
702 2BD 00061BD7 RequestDeviceWakeup
703 2BE 00061B5C RequestWakeupLatency
704 2BF 0000A0DB ResetEvent
705 2C0 0005F7C5 ResetWriteWatch
706 2C1 RestoreLastError (forwarded to NTDLL.RtlRestoreLastWin32Error)
707 2C2 00032927 ResumeThread
708 2C3 RtlCaptureContext (forwarded to NTDLL.RtlCaptureContext)
709 2C4 RtlCaptureStackBackTrace (forwarded to NTDLL.RtlCaptureStackBackTrace)
710 2C5 RtlFillMemory (forwarded to NTDLL.RtlFillMemory)
711 2C6 RtlMoveMemory (forwarded to NTDLL.RtlMoveMemory)
712 2C7 RtlUnwind (forwarded to NTDLL.RtlUnwind)
713 2C8 RtlZeroMemory (forwarded to NTDLL.RtlZeroMemory)
714 2C9 00075061 ScrollConsoleScreenBufferA
715 2CA 00075085 ScrollConsoleScreenBufferW
716 2CB 000217EA SearchPathA
717 2CC 0000E77C SearchPathW
718 2CD 0007A903 SetCPGlobal
719 2CE 00076C16 SetCalendarInfoA
720 2CF 00077E5B SetCalendarInfoW
721 2D0 00059DD1 SetClientTimeZoneInformation
722 2D1 0006CCA5 SetComPlusPackageInstallStatus
723 2D2 00066ECF SetCommBreak
724 2D3 00067FEB SetCommConfig
725 2D4 00066EE7 SetCommMask
726 2D5 00066F86 SetCommState
727 2D6 0006728E SetCommTimeouts
728 2D7 00058720 SetComputerNameA
729 2D8 00058838 SetComputerNameExA
730 2D9 0005869F SetComputerNameExW
731 2DA 00058579 SetComputerNameW
732 2DB 00074BE8 SetConsoleActiveScreenBuffer
733 2DC 00075283 SetConsoleCP
734 2DD 00071B05 SetConsoleCommandHistoryMode
735 2DE 0001B2C3 SetConsoleCtrlHandler
736 2DF 0007302A SetConsoleCursor
737 2E0 00074DC4 SetConsoleCursorInfo
738 2E1 000758BF SetConsoleCursorMode
739 2E2 00074D4A SetConsoleCursorPosition
740 2E3 000731E0 SetConsoleDisplayMode
741 2E4 00075125 SetConsoleFont
742 2E5 00072E29 SetConsoleHardwareState
743 2E6 0007519F SetConsoleIcon
744 2E7 00071EE8 SetConsoleInputExeNameA
745 2E8 0001B08D SetConsoleInputExeNameW
746 2E9 00072EA9 SetConsoleKeyShortcuts
747 2EA 000757F9 SetConsoleLocalEUDC
748 2EB 0008033A SetConsoleMaximumWindowSize
749 2EC 00072F70 SetConsoleMenuClose
750 2ED 0001AF28 SetConsoleMode
751 2EE 00076219 SetConsoleNlsMode
752 2EF 00071865 SetConsoleNumberOfCommandsA
753 2F0 0007184A SetConsoleNumberOfCommandsW
754 2F1 00075A7D SetConsoleOS2OemFormat
755 2F2 000753A1 SetConsoleOutputCP
756 2F3 00073309 SetConsolePalette
757 2F4 00074CD0 SetConsoleScreenBufferSize
758 2F5 000750A9 SetConsoleTextAttribute
759 2F6 00071BA1 SetConsoleTitleA
760 2F7 0002D9CD SetConsoleTitleW
761 2F8 00074E91 SetConsoleWindowInfo
762 2F9 SetCriticalSectionSpinCount (forwarded to NTDLL.RtlSetCriticalSectionSpinCount)
763 2FA 0003610D SetCurrentDirectoryA
764 2FB 0000F38E SetCurrentDirectoryW
765 2FC 00067D51 SetDefaultCommConfigA
766 2FD 00067C59 SetDefaultCommConfigW
767 2FE 0005FDAF SetDllDirectoryA
768 2FF 0005FD19 SetDllDirectoryW
769 300 00032076 SetEndOfFile
770 301 000334A8 SetEnvironmentVariableA
771 302 0001025E SetEnvironmentVariableW
772 303 0000ACAF SetErrorMode
773 304 0000A0B7 SetEvent
774 305 00036626 SetFileApisToANSI
775 306 0001CDB6 SetFileApisToOEM
776 307 00012822 SetFileAttributesA
777 308 000314DD SetFileAttributesW
778 309 00010C2E SetFilePointer
779 30A 00021057 SetFilePointerEx
780 30B 0005D89C SetFileShortNameA
781 30C 0005D7CF SetFileShortNameW
782 30D 00031CC0 SetFileTime
783 30E 0005D779 SetFileValidData
784 30F 0005F59F SetFirmwareEnvironmentVariableA
785 310 0005F484 SetFirmwareEnvironmentVariableW
786 311 0002146C SetHandleContext
787 312 0000CD37 SetHandleCount
788 313 0002E19C SetHandleInformation
789 314 0002CAAF SetInformationJobObject
790 315 00076613 SetLastConsoleEventActive
791 316 SetLastError (forwarded to NTDLL.RtlSetLastWin32Error)
792 317 0005979B SetLocalPrimaryComputerNameA
793 318 00059585 SetLocalPrimaryComputerNameW
794 319 00055CF9 SetLocalTime
795 31A 00076A0B SetLocaleInfoA
796 31B 00077FB3 SetLocaleInfoW
797 31C 0002CDE8 SetMailslotInfo
798 31D 00061C27 SetMessageWaitingIndicator
799 31E 000313F4 SetNamedPipeHandleState
800 31F 0002C348 SetPriorityClass
801 320 00062194 SetProcessAffinityMask
802 321 000622A4 SetProcessDEPPolicy
803 322 000621C4 SetProcessPriorityBoost
804 323 0002C8FD SetProcessShutdownParameters
805 324 000303D8 SetProcessWorkingSetSize
806 325 0005FC88 SetSearchPathMode
807 326 0001D37B SetStdHandle
808 327 00061B13 SetSystemPowerState
809 328 000598E8 SetSystemTime
810 329 00059AAE SetSystemTimeAdjustment
811 32A 0006C35E SetTapeParameters
812 32B 0006C186 SetTapePosition
813 32C 00062D04 SetTermsrvAppInstallMode
814 32D 0002FA82 SetThreadAffinityMask
815 32E 00063C09 SetThreadContext
816 32F 000392E5 SetThreadExecutionState
817 330 00063EB0 SetThreadIdealProcessor
818 331 0001B8F2 SetThreadLocale
819 332 0000C1A8 SetThreadPriority
820 333 00063B94 SetThreadPriorityBoost
821 334 0001AF90 SetThreadUILanguage
822 335 00059988 SetTimeZoneInformation
823 336 0002B26E SetTimerQueueTimer
824 337 0004495D SetUnhandledExceptionFilter
825 338 00079D9C SetUserGeoID
826 339 00068854 SetVDMCurrentDirectories
827 33A 00061A55 SetVolumeLabelA
828 33B 00061501 SetVolumeLabelW
829 33C 0006B1D1 SetVolumeMountPointA
830 33D 0006A4D5 SetVolumeMountPointW
831 33E 000096A1 SetWaitableTimer
832 33F 0006680A SetupComm
833 340 000730A4 ShowConsoleCursor
834 341 000366C6 SignalObjectAndWait
835 342 0000BD09 SizeofResource
836 343 00002446 Sleep
837 344 000023A0 SleepEx
838 345 00039762 SuspendThread
839 346 00010712 SwitchToFiber
840 347 000329C2 SwitchToThread
841 348 00010BBC SystemTimeToFileTime
842 349 0002E9A9 SystemTimeToTzSpecificLocalTime
843 34A 0006C437 TerminateJobObject
844 34B 00001E1A TerminateProcess
845 34C 0001CB3B TerminateThread
846 34D 0001EFCE TermsrvAppInstallMode
847 34E 0006519A Thread32First
848 34F 0006524E Thread32Next
849 350 00012E3F TlsAlloc
850 351 00013777 TlsFree
851 352 000097E0 TlsGetValue
852 353 00009C65 TlsSetValue
853 354 00064E5C Toolhelp32ReadProcessMemory
854 355 000312ED TransactNamedPipe
855 356 00067339 TransmitCommChar
856 357 0005FC26 TrimVirtualBuffer
857 358 TryEnterCriticalSection (forwarded to NTDLL.RtlTryEnterCriticalSection)
858 359 0005A84B TzSpecificLocalTimeToSystemTime
859 35A 0005FF59 UTRegister
860 35B 000801FF UTUnRegister
861 35C 00063FCA UnhandledExceptionFilter
862 35D 000322EC UnlockFile
863 35E 0003232B UnlockFileEx
864 35F 0000BA14 UnmapViewOfFile
865 360 00075CC6 UnregisterConsoleIME
866 361 0002C008 UnregisterWait
867 362 0003006A UnregisterWaitEx
868 363 000707EA UpdateResourceA
869 364 000706E3 UpdateResourceW
870 365 00076624 VDMConsoleOperation
871 366 00068F59 VDMOperationStarted
872 367 0007BBD5 ValidateLCType
873 368 00039828 ValidateLocale
874 369 0002EFC2 VerLanguageNameA
875 36A 0002F04A VerLanguageNameW
876 36B VerSetConditionMask (forwarded to NTDLL.VerSetConditionMask)
877 36C 0001ABE6 VerifyConsoleIoHandle
878 36D 0005FEAF VerifyVersionInfoA
879 36E 0001FB26 VerifyVersionInfoW
880 36F 00009AF1 VirtualAlloc
881 370 00009B12 VirtualAllocEx
882 371 0005FC49 VirtualBufferExceptionHandler
883 372 00009B84 VirtualFree
884 373 00009BA2 VirtualFreeEx
885 374 0002B13F VirtualLock
886 375 00001AD4 VirtualProtect
887 376 00001A61 VirtualProtectEx
888 377 0000BA71 VirtualQuery
889 378 0000BA40 VirtualQueryEx
890 379 0005F69C VirtualUnlock
891 37A 0001338E WTSGetActiveConsoleSessionId
892 37B 000673C3 WaitCommEvent
893 37C 0005B458 WaitForDebugEvent
894 37D 0000A0FD WaitForMultipleObjects
895 37E 000095D8 WaitForMultipleObjectsEx
896 37F 00002530 WaitForSingleObject
897 380 00002550 WaitForSingleObjectEx
898 381 00060CA1 WaitNamedPipeA
899 382 0002C674 WaitNamedPipeW
900 383 0000A174 WideCharToMultiByte
901 384 0006250D WinExec
902 385 0001CC5D WriteConsoleA
903 386 00073505 WriteConsoleInputA
904 387 00072FE4 WriteConsoleInputVDMA
905 388 00073007 WriteConsoleInputVDMW
906 389 00073528 WriteConsoleInputW
907 38A 00073C85 WriteConsoleOutputA
908 38B 00074031 WriteConsoleOutputAttribute
909 38C 00073FE5 WriteConsoleOutputCharacterA
910 38D 0007400B WriteConsoleOutputCharacterW
911 38E 00073C61 WriteConsoleOutputW
912 38F 000354B4 WriteConsoleW
913 390 00010E27 WriteFile
914 391 0005D6D9 WriteFileEx
915 392 0002DDB5 WriteFileGather
916 393 0005CA54 WritePrivateProfileSectionA
917 394 0005CA9B WritePrivateProfileSectionW
918 395 00035D84 WritePrivateProfileStringA
919 396 0001EE4C WritePrivateProfileStringW
920 397 0005CDFB WritePrivateProfileStructA
921 398 0005CF3D WritePrivateProfileStructW
922 399 00002213 WriteProcessMemory
923 39A 0005D0CD WriteProfileSectionA
924 39B 0005D106 WriteProfileSectionW
925 39C 0005D091 WriteProfileStringA
926 39D 000332E1 WriteProfileStringW
927 39E 0006C2C8 WriteTapemark
928 39F 0006C83B ZombifyActCtx
929 3A0 000353FE _hread
930 3A1 00038B17 _hwrite
931 3A2 00034E94 _lclose
932 3A3 000365D5 _lcreat
933 3A4 00035436 _llseek
934 3A5 0005F7F2 _lopen
935 3A6 000353FE _lread
936 3A7 00038B17 _lwrite
937 3A8 00034D71 lstrcat
938 3A9 00034D71 lstrcatA
939 3AA 00010FD2 lstrcatW
940 3AB 00030D7C lstrcmp
941 3AC 00030D7C lstrcmpA
942 3AD 0000AA6C lstrcmpW
943 3AE 0000BB41 lstrcmpi
944 3AF 0000BB41 lstrcmpiA
945 3B0 0000AA36 lstrcmpiW
946 3B1 0000BEA1 lstrcpy
947 3B2 0000BEA1 lstrcpyA
948 3B3 0000BB04 lstrcpyW
949 3B4 000101B1 lstrcpyn
950 3B5 000101B1 lstrcpynA
951 3B6 0000BA8F lstrcpynW
952 3B7 0000BE56 lstrlen
953 3B8 0000BE56 lstrlenA
954 3B9 00009AA9 lstrlenW

Summary

5000 .data
6000 .reloc
66000 .rsrc
84000 .text

Facebook rejects my email address

2009-06-13T12:11:00.000-07:00

Facebook thinks my email address is invalid when I try to sign up for an account. I'm getting an error message saying: "Please enter a valid email address". Funny, since I've been using that email address for some years now:

Update 25th Nov 2009

Found this in their help section:

Unfortunately we do not support email addresses with generic prefixes (e.g. info@, webmaster@ etc.). Since email addresses of this nature are typically used for organizations and businesses, we do not allow them to be used for personal Facebook accounts. You will need to use a personal email address that does not contain this type of prefix. There are no exceptions to this rule.

XP Deluxe Protector - Yet Another Rogue Anti-Virus Scanner

2009-06-12T14:11:00.000-07:00

So, here we got again. XP Deluxe Protector, yet another rogue:

This rogue uses xpdeluxe.exe as its file name, located under %UserProfile%\XP Deluxe Protector\. Panda security and the great folks over at BleepingComputer has more information and removal instructions.

It is still live at xpdeluxeprotector.com (IP: 91.212.65.140). The following domains are also hosted on the same IP: personaldeluxeguard.com and winpc-antivirus09.com.

twitpocalypse

2009-06-12T08:00:00.000-07:00

Twitpocalypse is upon us :)

Did any 3rd party tools or services crash?

Update:
TweetDeck has realeased and update:
http://twitter.com/TweetDeck/status/2137655061

NT_ERROR, NT_SUCCESS - identifier not found

2009-06-12T00:46:00.000-07:00

After upgrading the Windows SDK I ran into the following compile error, in code which previous to the upgrade compiled without any problems:

error C3861: 'NT_ERROR': identifier not found'
error C3861: 'NT_SUCCESS': identifier not found'

Turns out that the NT_SUCCESS macro definition has been moved from <stierr.h> to <subauth.h>. NT_ERROR seems to be completely removed from the headers in the new platform SDK.

To solve the problem I created this tiny header file which should work with both the new and old SDK:

#ifndef WINDOWS_NTSTATUS_H
#define WINDOWS_NTSTATUS_H

/**
* @author Roger Karlsson
* @since 2009-03-13
*/

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#endif

#ifndef NT_ERROR
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)
#endif

#endif //WINDOWS_NTSTATUS_H

"Client does not support authentication protocol requested by server; consider upgrading MySQL client"

2009-06-11T01:00:00.000-07:00

Did you just upgrade MySQL and got the error message:

Client does not support authentication protocol requested by server; consider upgrading MySQL client.

MySQL 5.1+ uses an authentication protocol that is incompatible with older clients. The best solution is probably to upgrade your mysql client, but there is a quick an dirty fix if want to continue using your old client: You can reset the password to the pre-4.1 format for each user that needs to use an old client program:

mysql> SET PASSWORD FOR 'username'@'localhost' = OLD_PASSWORD('thepassword');

More information available here:
http://dev.mysql.com/doc/refman/5.1/en/old-client.html

Windows Server 2008 R2 Free Download

2009-06-10T00:01:00.000-07:00

Did you know you can download Windows Server 2008 R2 Release Candidate and evaluate it until March 2010? The .ISO file is available here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=a4e21e2e-e992-4aec-9ed4-086de21632a2&displaylang=en

Windows Server 2008 R2 Release Candidate Product Keys for Evaluation:

Windows Server 2008 R2 Release Candidate Enterprise
# Product Code : Q7Y83-W4FVQ-6MC6C-6QQTD-TPM88

Windows Server 2008 R2 Release Candidate Standard
# Product Code : Q7Y83-W4FVQ-6MC6C-6QQTD-TPM88

Windows Server 2008 R2 Release Candidate Datacenter
# Product Code : MW6C7-2MYCB-PF3DK-VCQ2W-XGWFP

Windows Web Server 2008 R2 Release Candidate
# Product Code: RBBKH-BVD6B-74FV9-RYPJ7-TCFXB

How to create an .ISO image from a CD-ROM

2009-06-09T00:37:00.000-07:00

I wanted to create an .ISO image from one of my Windows XP CD-ROMs. Unfortunately, I could not find such a feature in Roxio, which came pre-installed on my old Dell laptop. After some searches I ran into the free IsoRecorder, which solved my problem. Once IsoRecorder is installed, you can create an .ISO image just inserting your CD-ROM, right-click and choose "Create image from CD":

Please note, IsoRecorder did not prompt me to restart my machine, which I had to do to get it working.

Why doesn't Twitter search find my tweets?

2009-05-31T13:42:00.000-07:00

Here's an old tweet of mine:

Why does it not appear when searching for WideCharToMultiByte:

What am I missing here? Shouldn't a tweet appear in the search result when using one of the the words from the tweet as a search term?

Some of my tweets are coming up in the search result though. For example, a search for freefixer shows some of my tweets.

System Security - How a faked anti-spyware program tricks its way onto user's systems.

2009-05-29T07:00:00.000-07:00

I ran into System Security a few days ago. This is one of many rogue anti-spyware programs that pops up a now and then. I've captures some screenshots to show how users are tricked into installing this application:

While browsing some web pages the following dialog from Internet Explorer popped up. It falsely claimed that my system needed a "anti viruses check". The system is 100% clean.

If you click OK, the following will appear:

The the observant user will notice the above is just a web page that, tries to mimic the user interface of Windows XP. Web pages cannot access the local disk to scan for malware files.

If you click OK, you will get another faked scan result:

If you click "Remove all", you will get the actual installation file (install.exe):

Now it get dangerous. So far, System Security has not been able to access the system. All scan results and warnings are just faked. But if you choose to install the file install.exe you are in trouble. System security will get access to your computer:

Now that System Security got access to the system it will start showing scan results and warnings, all for the purpose of getting you to buy the program:

Here it falsely claims that some keylogger named Lsas.Blaster.Keylogger is sending my credit card information to a remote server:

Schedule Blogger Post

2009-05-28T06:00:00.000-07:00

Did you know you can schedule a blog post while using Blogger? Just type in the date when you want it to be published:

Viewing a Certificate Revocation List (CRL)

2009-05-27T07:00:00.000-07:00

A certificate revocation list contains serial numbers for certificates that has been revoked. A revoked certificate should not be trusted. The revokation lists are available at each Certificate Authority, such as Verisign.

I had problems finding information on how to view the contents of a .crl file, so hopefully this will help you. To view the revocation list in plain text, you can use the openssl command line tool:

openssl crl -inform DER -in Class3Commercial.crl -text -noout

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/
repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/CN=VeriSign Class 3 CA - Commercial
Content/Software Publisher
Last Update: Apr 15 10:00:08 2009 GMT
Next Update: Apr 25 10:00:08 2009 GMT
Revoked Certificates:
Serial Number: 010E4C379581BA0566F7C99FB5924E20
Revocation Date: Nov 28 17:46:46 2000 GMT
Serial Number: 0110E0DF875EDB73D8F276C87615D025
Revocation Date: Sep 13 21:08:20 1999 GMT
Serial Number: 0118A8D557A89E6B3BBA6DFA5119C8D9
Revocation Date: Jan 25 21:37:21 2000 GMT
Serial Number: 012FADDC287FE873AF9771C160774F0E
Revocation Date: Jul 13 23:31:00 2001 GMT
...

Is there any C++ syntax highlighter that outputs data suitable for pasting into a HTML document?

2009-05-27T00:55:00.000-07:00

Anyone know of some tool that given a .cpp or .h file outputs data suitable for pasting into a HTML document?

What I want is something like this:

Input:


//My class
class A
{
};

Output:


<span class="cplusplus-comment">//My class</span>
<span class="cplusplus-keyword">class</span> A
{
};

By having spans marking up the keywords, comments and other parts of the code, it's all about adding some CSS code to the stylesheet to have the c++ code highlighted.

How to get the service pack number using the WIN32 API

2009-05-26T08:05:00.000-07:00

To get the service pack number on a Windows machine you can call the GetVersionEx function and pass a pointer to a OSVERSIONINFOEX struct. OSVERSIONINFOEX has two members, wServicePackMajor and wServicePackMinor, which holds the service pack information.

How to block outbound connections with the Windows Firewall

2009-05-25T04:00:00.000-07:00

The Windows Firewall for Vista and Windows 7 allows you to block outbound connections, something that Windows XP didn't. To block outgoing connections:

Press the Start button.
Open Control Panel.
Click on Administrative Tools.
Click on Windows Firewall with Advanced Security.
Click on Windows Firewall Properties.
Select the Private Profile tab. (or the Public or Domain tab if you are on that type of network.)
Choose Block in the drop down for outbound connections.

Now Windows will block outgoing connection. I did however not see any notification when an outbound connection was blocked. There's an option to display a notification about blocked inbound connections, but I could not find anything about outbound connections. Anyone know how to enable these?

What's your brain age?

2009-05-20T00:15:00.000-07:00

Ran into this memory game the other day. According to the site it will activate prefrontal region of the brain, it will prevent memory loss and cultivate memory ability and concentration True or not, I don't know, but the silly game can be quite fun.

Once you've finished a round it will estimate your "brain age". Seems I cannot get below 24. I suppose that's pretty decent since I'll be 34 in a few months :)

How do you score?

http://flashfabrica.com/f_learning/brain/e_brain.html

And here's someone with true skills:

seaport.exe

2009-05-19T11:24:00.000-07:00

The SeaPort.exe file is signed by Microsoft and looks legitimate to me. Is there some malware/trojan/spyware out there that use the SeaPort.exe name, or is there any other reason for removing this file? More than 75% of the visitors FreeFixer file library visitors say they remove this file:

Does Windows Firewall block outgoing connections on Windows XP?

2009-05-19T00:28:00.001-07:00

No, according to Wikipedia:

XP's Windows Firewall cannot block outbound connections; it is only capable of blocking inbound ones.

Nathan "Flutebox" Lee and Beardyman @ Google, London

2009-05-17T01:00:00.000-07:00

prnet.tmp

2009-05-06T12:41:00.000-07:00

About two week ago a FreeFixer user added prnet.tmp to the online file database. I've not had the chance to analyze this file myself, but from the large number the searches it must be a major problem right now.

This file is dropped in C:\WINDOWS\system32\ and adds itself to the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, prnet, which starts the prnet.tmp process every time a user logs on to the machine. Those infected by this malware reports a large numbe of unwanted pop-up windows.

If you need assistance to remove prnet.tmp, please post a FreeFixer log at the FreeFixer User Group.

View the raw HTTP request body in PHP

2009-05-06T07:12:00.000-07:00

I'm currently working on a bug where some Japanese characters are not appearing correctly on the FreeFixer web site. In the process of tracking down the problem I needed to view the raw HTTP request body that FreeFixer sends when posting information about a file or some registry data. In PHP, this can be done by calling the http_get_request_body() function. Unfortunately, this function requires a PECL extension which was unavailable in my current setup. However, this solved the problem:

$request_body = @file_get_contents('php://input');

WordPress' .htaccess file explained

2009-05-05T16:30:00.000-07:00

If you have configured your WordPress system to use pretty permalinks the following will be added to the .htaccess file:

# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Explaining the .htaccess, row by row

<IfModule mod_rewrite.c>
This line checks if the mod_rewrite module is available on the server. If not, none of the enclosed Rewrite commands will be processed.

RewriteEngine On
This directive enables the runtime rewriting engine.

RewriteBase /
Let's the server know that the .htaccess was reached via / and not through any other path prefix.

RewriteCond %{REQUEST_FILENAME} !-f
This condition is true if the the path REQUEST_FILENAME not refers to an existing file.

RewriteCond %{REQUEST_FILENAME} !-d
This condition is true if the the path REQUEST_FILENAME not refers to an existing directory

RewriteRule . /index.php [L]
If the two RewriteCond's listed above evaluated to true the server will load index.php. [L] indicates that no further rewrite rules should be processed.
If any of the RewriteCond's evaluated to false, the server will load the actual file or directory instead of index.php.

How to start a command prompt in administrator mode on Windows 7

2009-05-01T00:01:00.000-07:00

Some days ago, while playing around with Windows 7, I needed to run a couple of command line programs with administrator privileges. To start a command prompt in elevated mode, type cmd.exe in the run box and instead of pressing enter, press CTRL + SHIFT + ENTER. This key combination works on Windows Vista too.

How to create a new MySQL database and user from the command prompt

2009-04-29T05:55:00.001-07:00

1. Start mysql.exe, the MySQL monitor:

C:\Program Files\mysql\mysql-5.0.77-win32\bin> mysql.exe -h localhost --user=root -p

2. Create the user and set the password:

mysql> CREATE USER theusername@localhost IDENTIFIED BY 'thepassword';

3. Make sure the new user appear in the user table:

mysql> SELECT * FROM mysql.user;

4. Create the database:

mysql> CREATE DATABASE yourdatabase;

5. Make sure your database was created:

SHOW DATABASES;

6. Grant all privileges for your new database to your user:

mysql> GRANT ALL ON yourdatabase.* to theusername@localhost;

7. Done. Now you got a new database and a new user with all privileges.

MicroBuzz - Your Microblog Search Engine

2009-04-22T07:21:00.000-07:00

I've been playing around with Google's custom search. And here's the result, a microblog search engine:

MicroBuzz searches tweets on Twitter, YouAre, Koornk, Rejaw, Jaiku, Bloggy, Kwippy, FriendFeed, BrightKite, Identi.ca and Plurk.

Hope you find it useful!

Google killing Internet Explorer 6.0 at google.se

2009-04-18T06:31:00.001-07:00

This is what appears when browsing Google.se with Internet Explorer 6.0. Notice the ad for Google Chrome:

From Stefan at Bloggy.

Framing gone wild

2009-04-06T05:40:00.000-07:00

Framing gone wild. Click on the screenshot if the link does not work:

Do you think it is ok to frame publishers' content, like Digg, Krumlr, HootSuite, Ow-Ly, Facebook and StumpleUpon are doing?

Adsense ads + framed content allowed?

2009-04-05T16:43:00.000-07:00

Is it allowed to frame someone else content, and show Google AdSense ads, like this?

Digg and Facebook are also framing publisher's content.

2009-04-03T10:06:00.001-07:00

New photo: Red apple core nine days

Gmail Autopilot

2009-04-01T04:00:00.001-07:00

More available here:
http://mail.google.com/mail/help/autopilot/index.html

Youtube upside down

2009-04-01T03:06:00.000-07:00

conflicker

2009-04-01T02:44:00.000-07:00

no, it's conficker, not conflicker.

Removal tool available from Microsoft.

2009-03-31T23:45:00.001-07:00

Malware or legitimate?

reader_s.exe

2009-03-31T07:32:00.000-07:00

reader_s.exe seems to be the major infection out there right now. More than 30% of all users entering freefixer.com from a search engine are looking for information about this Virut variant.

66.249.67.86

2009-03-31T07:24:00.000-07:00

66.249.67.86 is the Google bot...

GoGrid Denial of Service

2009-03-30T22:19:00.000-07:00

Got this in my inbox this morning:

Hello Roger,

On Friday, March 27 at 11:10 AM PDT, and again today Monday, March 30 at 12:25 PM PDT, GoGrid suffered a series of large scale distributed denial of service (DDoS) attacks that affected the network connectivity of many GoGrid servers.

These network attacks were of a type that we had not seen before, and which our automated network attack prevention hardware was unfortunately unable to prevent.

We estimate that up to 25% of GoGrid customers had servers that were either unreachable or had degraded network performance and packet loss during significant parts of both of these attacks, and at times as much as half of you were affected more briefly. We know that many of you rely on GoGrid to run your critical Internet infrastructure, and apologize for the impacts to your business that these attacks may have caused.

CURRENT STATUS

The situation has now been stabilized as of 4 pm PDT, and the network performance of most GoGrid servers should be normal. If you were affected and opened a case during the attack, you should receive a more detailed RFO from our support staff or your Service Team. If you are still seeing any issues with your servers, please open a case at http://my.gogrid.com or call at the numbers below.

[snip]

Status reports available here: http://www.gogridstatus.com/

How to remove @replies from your Twitter feed

2009-03-30T00:40:00.000-07:00

Ever wanted to filter the replies from your Twitter RSS feed? Easy with help of Yahoo Pipes and mat.su.

Below is a snapshot of my Twitter RSS feed. The first item in the feed is a @reply. I want a RSS feed without my @replies.

This is how to do it:

Go to the filtering pipe.
Enter your username and click "Run Pipe".
Click on "Get as RSS" and you are done. Now you got a new RSS feed, where your @replies has been filtered.

Here's a snapshot of my new RSS feed. As you can see, the @replies has been removed:

2009-03-28T11:52:00.001-07:00

New photo: arla milk earth hour.

2009-03-28T05:20:00.001-07:00

New photo: red apple core two days.

2009-03-27T10:19:00.001-07:00

Installing WP Super Cache to figure out how they implemented the .htaccess rewrites.

2009-03-27T06:22:00.001-07:00

New photo: red apple core.

2009-03-26T03:28:00.001-07:00

New photo: yellow star of bethlehem.

2009-03-24T15:54:00.001-07:00

New photo: slaka church http://tinyurl.com/cf4rxs

Why your photos don't appear when searching on Flickr

2009-03-24T13:59:00.000-07:00

I've just created a Flickr account! I'm planning to upload most of the photos that I've previously made available over at free-photo-gallery.org under the Creative Common Attribution license.

Anyway, after uploading my first photo, I wanted to make sure it appeared when searching. But no matter how detailed searches I made, the photo refused to appear in the search results. After some googling I found this in the Flickr FAQ:

If your account is new, first you need to upload at least 5 photos. After that minimum has been reached, then it shouldn't take more than a few days until your photos appear in searches, groups, etc.

5 photos uploaded now, hope to see them appear soon.

How to install Windows 7 in VMWare Workstation 5.

2009-03-23T14:32:00.000-07:00

Upgrade to the latest version of VMWare Workstation 5. At the time of writing it's 5.5.9.
Create a new virtual machine from the File menu. Choose "Windows Vista (experimental)" or "Windows Vista x64 Edition (experimental)". If you don't choose any of the Vista options, you will not be able to install VMWare Tools. Without VMWare Tools you will not get your network up and running.
When you've created the virtual machine, configure the CD-ROM to use the Windows 7 .ISO file.
Start the virtual machine and install Windows 7.
Install VMWare Tools.
Done.

2009-03-23T06:56:00.001-07:00

Trying to install Windows 7 into VMWare Workstation 5.5.8.

2009-03-22T14:45:00.001-07:00

New photo: coffee stain http://www.flickr.com/photos/free-photos/3375886335/

2009-03-20T10:09:00.001-07:00

New photo: suprised-snail http://www.flickr.com/photos/free-photos/3370489244/

2009-03-19T20:08:00.001-07:00

New photo: fingers-of-climber http://www.flickr.com/photos/free-photos/3368282626/

How to create a self-signed certificate and sign a .exe file

2009-03-19T14:00:00.000-07:00

Here's an example how to create a new certificate, how to sign a file with the private key and finally, I show how to verify the signed file and why this fails.

First we start out by creating the certificate. This is done with the makecert.exe command-line tool. The following command creates a certificate named "RogTestCert" and adds it to certificate store called "RogCertStore". The -r option tells makecert to create a self-signed certificate. -pe marks the generated private key as exportable, which allows the private key to be included in the certificate.

>makecert.exe -r -pe -ss RogCertStore -n "CN=RogTestCert" RogTestCert.cer
Succeeded

You can now view the new certificate using the Certificate Manager.

To sign a file we use signtool.exe. We specify that we want to use the certificate named "RogTestCert" in the "RogCertStore" certificate store:

>signtool.exe sign /s RogCertStore /n RogTestCert myfile.exe
Successfully signed: myfile.exe

The file is now signed. If you right-click the file and choose Properties, you will notice that a new tab called "Digital signatures" has appeared.

Finally, we try to verify the myfile.exe's signature, which should result in an error, since RogTestCert is not a trusted root certificate:

>signtool.exe" verify myfile.exe
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
SignTool Error: File not valid: myfile.exe

Number of errors: 1

2009-03-19T07:20:00.001-07:00

Just got back to Stockholm from a skiing trip in Riksgränsen

Snowy tree contour nearby Sofia Kyrka in Vitabergsparken

2009-03-13T21:05:00.001-07:00

Snowy tree contour nearby Sofia Kyrka in Vitabergsparken, S.. http://tinyurl.com/cyjfmd

Google introduces interest-based advertising

2009-03-13T01:26:00.000-07:00

Got an email from Google this morning, letting me know about the upcoming interest-based advertising. You may need to update your privacy policy:

Hi,

We're writing to let you know about the upcoming launch of interest-based advertising, which will require you to review and make any necessary changes to your site's privacy policies. You'll also see some new options on your Account Settings page.

Interest-based advertising will allow advertisers to show ads based on a user's previous interactions with them, such as visits to advertiser website and also to reach users based on their interests (e.g. "sports enthusiast"). To develop interest categories, we will recognize the types of web pages users visit throughout the Google content network. As an example, if they visit a number of sports pages, we will add them to the "sports enthusiast" interest category.

[snip]

For more information about interest-based advertising, you can also visit the Inside AdSense Blog at http://adsense.blogspot.com/2009/03/driving-monetization-with-ads-that.html.