Wednesday, May 27, 2009

Instant IM Disclaimer App for Sametime Gateway

Intstant developed the internal Sametime IM disclaimer application in response to several IMtegrity customers and their need to notify Lotus Sametime users that their conversations may be recorded and monitored.

Since we are involved in Sametime Gateway deployments, we have also been receiving requests to create an external IM disclaimer application to notify external users (i.e. Yahoo, AOL users) that their conversations may be monitored and recorded. This week, we are announcing the first in a series of applications for the Sametime Gateway.

Our Sametime Gateway IM disclaimer application is a server based gateway extension that monitors all external IM conversations and provides an IM disclaimer notification to external users (typically running Yahoo, AOL, or Google).

The Instant IM disclaimer application for Lotus Sametime may also be configured to notify internal users that their Sametime IM conversations may be monitored.

We have had requests to included regular expression filtering (in order to prevent certain combinations of phrases from passing through the Lotus Sametime IM gateway) so that will be the next application to be included in this grouping.

Friday, May 22, 2009

Amazon iPhone Application

Earlier this week, I was in my local Best Buy where I was looking for a new belt holster for my iPhone (in addition to a new wii game for an upcoming birthday).

In the iPhone accessories aisle, I spotted a potential holster candidate. Hmmmm...looks good, not too expensive. Let me see what the reviews on Amazon look like.

From there, I did something that has now become a habit. I started the Amazon iPhone application, searched for the product, located the product on Amazon and then read the reviews. With 80% negative reviews, including numerous accounts of the belt clip breaking within 2 weeks, I was no longer enamored with the holster on the shelf.

However, while still using the Amazon application, I quickly located another holster on Amazon, read the reviews, and then purchased using 1 click.

I spent a total of less than 5 minutes inspecting the product on the shelf, reading reviews from Amazon, and then purchasing a competitive product from Amazon.

iPhone and Amazon make a very nice combination.


Tuesday, May 19, 2009

Experience Cleaning Malware Infected Box

The answer to “how to clean a machine that’s been massively infected with malware” is, in one word, Perseverance. I had even, at one time, given up completely on the process, and was certain I’d have to blow away and re-install the computer from scratch, but I stuck it out, and was able to eventually solve the problem.

Here’s the story:

My wife has a decent IBM Thinkpad T42, running Windows XP SP3. It had a copy of Norton Antivirus, but that had fallen out of date (and she’s not a very good “safe surfer”, which made it even harder). Her computer had gotten infected with Virtumonde.sci. This particularly nasty piece of malware hides in several places in the computer, and is hard to eradicate.

The evidence she’d contracted something nasty happened right after she accidentally clicked on a page that “looked” like a normal Windows Explorer pane, but was actually a hot link to a downloaded Trojan. The Trojan, containing the Virtumonde.sci code, executed, and made several insidious changes to her system… In fact, I’d only ever seen one piece of malware harder to remove, and that’s saying a lot (I’ve seen a lot of junk in my day!).

Well, my first job was to get SpyBot Search & Destroy. I highly recommend it and it’s free, but I recommend you support the developer by donating. Unfortunately, I couldn’t just fire up Internet Explorer and go download it. The thing about Virtumonde is that, what it does is hide in your computer and download OTHER malware that you have to contend with. Most of these involve clickjacking and pagejacking in Internet Explorer.

Luckily, I’d downloaded and installed both Google Chrome and Mozilla Firefox on her computer a couple of months ago (I don’t care for IE), so I fired up Chrome and went looking for Spybot. I downloaded it from, and installed it on her computer.

The initial run of the software took forever, interjected with sounds of “You’ve won!” or “Contact us for your winning number”, or some other such drivel, from web pages being served up in the background on her computer, which had been taken over by a piece of malware that Virtumonde had called into existence. This other software fired up IE clients in the background (hidden), and sent them to pages containing web ads, including vocal ones (ARGH!!!!).

After running Spybot, which takes a while, I had several hundred things for it to fix. It fixed 99% of them, but there were five or so elements (malware, registry entries, etc), that it needed a reboot and rescan to try to eradicate. So I did that.

That fixed 4 of the problems, leaving me with just one. I performed the reboot and rescan process again, but was unable to get that dang thing removed. On my contemplation of ritual suicide, I thought about the “Tools” menu in Spybot. These help me by showing me what Browser Helper Objects (BHOs), ActiveX objects, startup elements, processes, etc. are set up on the machine. Of course! I could go there to figure out what the deal was.

So, upon scanning the BHOs, I found some things that didn’t look right, and I deactivated them (I didn’t remove them, yet, because I wasn’t sure if they were bad or not, at this point). I did the same thing for browser help pages, host file information, and other elements. But what really jumped out at me was the recurrence of a program in the process list (like what you see in Task Manager, but with more information). It would disappear when I killed it, but come back a few minutes later. That meant that something else was re-calling it into existence!

Going through the help for the different pieces of malware, I found that Virtumonde hides in a web page that is coded to be the background page for Windows “Active Desktop”. So it’s basically always running, and gets loaded on system startup, but not from the “Run” or “RunOnce” registry entries. So I went to my display properties to change the background… and couldn’t! The ability to change the background was grayed out! Why in the frak would Microsoft make it so that this couldn’t be adjusted easily is beyond me, but it’s simply stupid.

After doing some research, and comparing my wife’s settings to mine (I have an identical laptop), I figured out what the registry entries were for “Background” and it’s settings in the registry, to have it editable, and not use the Active Desktop.

I rebooted the computer and re-ran the scan, but it kept coming up with new and interesting pieces of malware every single time! I finally figured out that Virtumonde had downloaded and installed the malware I was seeing NOW on the previous reboot, before I removed it. Therefore, to ensure that nothing was compromised, I rebooted in Safe Mode, without networking support, and re-ran Spybot.

While it was running, I checked the registry, to see if anything jumped out at me… and something did. I noticed that there were waaaay too many users for the system, and they had funky user names. And several pieces of malware that used Winlogon or Run / RunOnce entries in the Registry, were doing it from these other, nonsensical user names. I decided to just eliminate them.

They weren’t in the Users control panel applet, so I switched back to the registry to simply delete them. That turned out to be easier said than done – the permissions were all set to read-only, and on some of the entries, even after I’d set the permissions otherwise, I couldn’t delete them. Very frustrating, but not crippling, so I checked in on Spybot.

I had to eventually run Spybot several times, but it finally came up clean! Woo Hoo! I had finally slain the beast… or so I thought…

…I rebooted the computer into regular mode, and told my wife I had it fixed. Five minutes later, all kinds of ads started popping up on her computer. The malware was back.

Despondent, I contemplated if it would be simpler to beat myself to death with her computer or re-install the operating system (a tough choice). I decided that the simple solution was to ignore it… for now.

Fast forward 1 week, during which time my wife has been using my computer to do all of her internet surfing. Now, you remember me mentioning that she’s not exactly the safest surfer in the world? Yeah… well, this concerned me to no small degree. I mean, if she wants to use her computer on the internet in an unsafe manner and gets bitten for it, that’s her choice. But not mine! She knew that was the best way to get me to work on her computer (and she was right). So I tackled the problem again yesterday afternoon…

I again used my favorite tool, Spybot Search & Destroy. I started immediately from Safe Mode, logged in as Administrator (which no one uses on her computer, so there’s less crud in it), though, and disabled every single Startup entry, including ones that I knew were OK (baseline). I ran the checker, and had it remove all of the malware it could find. I rebooted several times during this process, finally getting not one, but two clean bills of health from Spybot before I continued to my next plan.

Next, I started the computer in Safe Mode, and logged in under my wife’s account. I again ensured that there were no Run, RunOnce, WIN.INI, SYSTEM.INI, Background, Classes, or Winlogon elements being loaded by checking the Startup Items in the Tools menu in Spybot. I then ran the checker.

The first time, it came up with a problem, but it was just a cookie – no big deal, there. I rebooted, checked the startup elements again, and re-ran the checker, and it came up clean. I then did it AGAIN, and it again came up clean.

“All Right! I’m on a roll!”, I said, and decided to take the plunge. I rebooted the computer, and let it start up normally, under my wife’s user account. I had set Spybot to run on startup (the only thing set to run at startup), and it went along it’s merry way. Man, it’s interesting how much longer that scan takes on “normal” rather than “safe” mode!

However, when it was done, another perfectly clean bill of health! I rebooted one final time, re-ran Spybot one final time, and still showed no malware!

So, finally, I re-enabled the startup elements that I KNEW were good (like the Trackpoint controller, etc), and rebooted, and then re-ran the scan one final time.

Finally clean, I shut the computer down and went for some liquid refreshment – well deserved, I believe.

May this help you in your struggles with the lowlife black hats in our industry…

Todd Fuder

Thursday, May 14, 2009

Notes 8.02 Hanging

We are seeing a bunch of cases where the Notes 8.02 client is hanging on start up. Usually, immediately after the authentication dialog, the Notes client will just 'hang' with an hourglass. Of course, on a customer site, or even internally, this is a problem.

One solution, which is immediate and very satisfying, is to start the client with:
nlnotes.exe instead of notes.exe. Ah....problem solved.

There is also a setting that appears to work, although we have not used it yet - which is to add this to the notes.ini

Tuesday, May 12, 2009

How to run without IIS

We are looking at some applications where we support both Lotus Sametime and Microsoft OCS - but provide a nice web UI. It's a frequent dilemna: Java or .net. For this application, I'm inclined to use .net - mainly because there are so many great charting components.

However, I don't want to limit our deployments to just shops where they run IIS. Here is a background article on and running without IIS.

An article on Cassini:
Article by Eric Pearson:

Friday, May 8, 2009

Sametime Buddy List Adminstrator and AdminP

We are wrapping up our integration efforts to connect our Sametime Buddy List Administrator with AdminP. This is a result of large customer where they need to have rename activities automatically populated to Buddy List Administrator.

More info next week with screen shots.

Good Microsoft Article on OCS Tabs

Many of our customers deploy our Instant Archive Viewer for Microsoft OCS using 'in place' tabs within the OCS client.

Here is a good article on configuring OCS tabs with OCS R2:

Wednesday, May 6, 2009

Picture from Lotusphere 2009 Accepting Best in Show Award

Here is a nice picture of a few of the Instant folks (Peyton McManus and Todd Fuder) accepting the best in show award.

Lotusphere is always the best place to meet our customers, hear new ideas, and have 4 days of fun with our customers.

Instant Team Sessions 3.1 Now Supports Linux

Recently, a large customer requested that we support Linux (well, Ubuntu) with our browser based client for Instant Team Sessions. With Team Sesssions 3.1, we have added supported for Linux to our browser based client.

In version 3.1, we have also updated the Sametime plugins to work well within the Notes 8.5 client - another customer request.

I've attached a screen shot of ITS 3.1 (Instant's persistent chat environment for Lotus Sametime)