SOLUTION: Malware extensions continually reload within Chrome even after reinstallation

Greetings again random internet-surfing technology enthusiasts,

Today, I’d like to tackle a puzzling issue that many techs encounter with regard to disinfecting Chrome and problematic extensions that manifest within it.  Of course, anyone with any technical expertise is aware of the fact that browser extensions are currently one of the hottest attack vectors for unsuspecting users’ machines, but removing and keeping such extensions from reloading is another matter entirely.  Some examples of these include:

  • AdBlocker (not the legitimate and excellent AdBlock)
  • Vosteran Search
  • WebProtector
  • and many, many others

Most techs use some degree of automatic scanning and removal tools, and that’s fine, provided they don’t rely on them exclusively (as it doesn’t work… something I’ve covered countless times in the past).  However, even those who dabble in manual or assisted-manual disinfection procedures have probably found that Chrome is one of the most problematic items to permanently clean on a user’s PC.  This is ironic because Chrome also happens to be the browser I recommend to my clients for safety and speed currently (and it has been for quite some time).  Does that mean that we should move on to a different browser choice instead?

Fortunately, nope.  There is indeed a pretty universal solution to this problem, and today I’ll reveal it to you.  For purposes of illustration, we’ll choose the third example extension I listed above for today’s explanation (WebProtector).

Each Chrome extension has a unique identifier to help users locate and install the extension from the Chrome Web Store.  WebProtector’s, for instance, happens to be kfecnpmgnlnbmipaogfhoacoioifjgko.  The Web Store does indeed host this extension in spite of its fraudulence; and Google, for all their great work in producing a relatively safe browser in Chrome, have done a pretty terrible job of keeping the store cleaned of such filth.  The problem with WebProtector (and many of these other extensions) is that even after they’re cleaned from the computer and all other malware is removed, users may find that the extensions reload themselves later on with little or no warning.  You might think that completely uninstalling Chrome, removing all directories on the system relating to Chrome, and cleaning/resetting the user’s Chrome Data profile (as I described in another post recently) should logically solve the problem.  But it doesn’t.  The extension yet again reloads itself upon future reinstallations.

The answer to the puzzle is Policies in the Windows registry.  Chrome stores its policies in the following two keys:

  • HKCU\Software\Policies\Google
  • HKLM\Software\Policies\Google

Under these keys you will find a subkey called Extensions; it is from this key that Chrome is instructed to load the infected extensions upon each reinstallation and thereafter at regular intervals.  Simply deleting these keys (provided the user is not reliant on any policies in Chrome for administrative purposes) will prevent the behavior.  At an elevated command prompt, try typing these commands:

REG DELETE "HKCU\Software\Policies\Google" /f
REG DELETE "HKLM\Software\Policies\Google" /f

Specifically, the autoinstall keys that are likely being used are:



However I like to remove the entire Policies key on most machines as other suspect keys are also often used, such as whitelisting of bad extensions and even blacklisting of good ones.
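
Before deleting the keys, it helps to see exactly what they contain.  The following Python is an added example, not code from the original post: it parses the text output of REG QUERY "HKLM\Software\Policies\Google" /s and lists force-installed, allowlisted and blocklisted extension IDs along with any other policy values that deletion would also remove.  The policy subkey names are Chrome's documented extension policies (assumed here, since the post does not name them), and the sample output is constructed, reusing the WebProtector ID from above.

```python
import re

# Extension-related policy subkeys under ...\Policies\Google\Chrome.
# Chrome documents both the older and the renamed spellings (assumed names,
# the post itself does not list them).
LIST_KINDS = {
    "extensioninstallforcelist": "force-install",
    "extensioninstallwhitelist": "allowlisted",
    "extensioninstallallowlist": "allowlisted",
    "extensioninstallblacklist": "blocklisted",
    "extensioninstallblocklist": "blocklisted",
}
EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs use letters a-p only
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_query(text):
    """Turn `reg query <key> /s` output into {key_path: [(name, type, data)]}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, [])
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                keys[current].append(match.groups())
    return keys


def audit_chrome_policies(text):
    """Classify every policy value so it can be reviewed before deletion."""
    findings = []
    for key, values in parse_reg_query(text).items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        kind = LIST_KINDS.get(leaf, "other-policy")
        for name, _reg_type, data in values:
            ext_id, update_url = None, None
            if kind == "force-install":
                # Forcelist entries have the form "<extension id>;<update URL>".
                ext_id, _, update_url = data.partition(";")
            elif kind != "other-policy":
                ext_id = data.strip()
            findings.append({
                "key": key,
                "name": name,
                "kind": kind,
                "ext_id": ext_id,
                "update_url": update_url or None,
                # "*" is a legal list entry meaning "all extensions".
                "well_formed": ext_id is None or ext_id == "*"
                               or bool(EXT_ID.match(ext_id)),
                "data": data,
            })
    return findings


# Constructed sample of the REG QUERY output; only the WebProtector ID comes
# from the post, every other value is made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
    HomepageLocation    REG_SZ    http://search.example.invalid/

HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
    1    REG_SZ    kfecnpmgnlnbmipaogfhoacoioifjgko;https://clients2.google.com/service/update2/crx

HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallWhitelist
    1    REG_SZ    kfecnpmgnlnbmipaogfhoacoioifjgko

HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallBlacklist
    1    REG_SZ    aaaabbbbccccddddeeeeffffgggghhhh
"""

if __name__ == "__main__":
    for f in audit_chrome_policies(SAMPLE):
        target = f["ext_id"] or f["data"]
        print(f'{f["kind"]:<14} {f["name"]:<18} {target}')
```

Anything reported as other-policy is a setting the user may legitimately rely on, which is the case the caveat above about administrative policies is warning about.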

It also goes without saying that the extension itself must first be removed for this to work.  That includes killing the keys relating to it in the following locations:

  • HKLM\SOFTWARE\Google\Chrome\Extensions\
  • HKCU\SOFTWARE\Google\Chrome\Extensions\

The same goes for the associated files within the user’s Chrome User Data directory.  If you’re really just looking to clean sweep the entire program, you can follow my previous instructions to back up the user’s Bookmarks and other personal items and then simply wipe out all related keys and files after uninstalling Chrome.  This will finally solve the problem!

SOLUTION: CPU Throttling on Dell Latitude Ultrabooks (E7440, E7240) after power exceptions

Recently I have seen multiple instances (fairly rarely, but nevertheless) of the newer Dell Latitude Ultrabooks (circa 2013/2014 models, E7440 and E7240 specifically) throttling CPU frequencies under exceptional power conditions (such as possibly a misbehaving AC adapter or extremely low battery condition while under load).  I haven’t confirmed the exact circumstances which lead to this behavior, but I do know of a solution.

I first noticed this when a client recently reported sluggish operation of his brand-new E7440 Ultrabook… which, of course, made little sense considering the blazingly-fast parts (SSD included) that we purchased for him.  I checked the software briefly and saw no issues which would suggest configuration problems.  However, upon opening Task Manager, under the Performance tab, the CPU frequencies were reportedly below 400 MHz permanently–which, of course, is incredibly low considering the max Turbo Boost frequency of the i5 Haswell CPU he had of 2.8 GHz.  Fortunately, I had seen this problem once before.

My theory is that it is likely related to power disruption conditions, as I have only thus far seen it happen in circumstances where an AC adapter was not providing proper voltage or where the machine was in a very low battery state while sustaining heavy CPU loads for some reason (Windows Updates, etc.).  The machine responds by throttling CPU clock rates to protect itself from possible damage, but the problem is that it never reverts from this throttled state until it is powered off and the battery is removed.

Fortunately, the solution is easy, if not a bit difficult to discover.  All that is required is a BIOS update to the latest firmware available from Dell (search for your particular model).  In my most recent client’s case, an upgrade from A05 to A15 immediately corrected the problem.  It remains to be seen whether it recurs, but I do not expect it to given the last instance I saw, where we did just the same thing and the problem was permanently corrected.

Poweliks: Widespread malware without a filesystem object

Preliminary note:  This process will normally remove Poweliks from a system.  However, Poweliks is merely a tiny fraction of what is usually also alongside it on an infected system; after all, it is a downloader.  So if you’re trying DIY disinfection, just be advised that there is a very good chance that your system is still infected even after this process by multiple other malware families.  I would advise hiring a professional in your local area to assist with the job instead of risking your personal information and data!

I’ve long been preaching that scanners just don’t do the trick as a universal, one-size-fits-all solution to malware, and that’s precisely because they can’t possibly catch everything.  The latest zero-day threats will always find a way to evade even the best antimalware tools in some capacity, and because of that, a complete reliance on scanners for either proactive blocking of threats or removal of existing embedded threats is misguided and will always run into trouble.

This latest threat, which has now been circulating for a few months, is a perfect example of this.  It’s called Poweliks, and it’s unique for one very specific reason: it infects the system without the use of a filesystem component at all.  Now, it’s not like this is the first threat to accomplish such things; before it, we had such interesting specimens as the TDL4 rootkit, which created a hidden, encrypted partition at the end of the drive containing the rootkit’s code, which was loaded at each boot before the Windows partition.  Eventually, however, this rootkit was identifiable (at least, somewhat) via the presence of a conspicuous (and suspicious) 10 MB or so empty space (RAW) at the end of a drive.  And it was easy to kill: simply delete that partition from offline and set the proper Windows partition as active.

Poweliks uses a totally different approach: it embeds itself in the system’s registry in an encrypted key that actually contains the body of the malware as opposed to mere settings and program data (as is intended for the Windows registry to contain).  The identity of the key has changed across variants, but the most recent one I’ve seen is:


What about symptoms?  Well, they’re not all that clear-cut.  The machine will certainly be slower than normal.  Apart from that, it may simply be generally infected, as that’s what Poweliks is all about: downloading other infections.  The problem is that you cannot search for a particular process in memory or even a file on the hard drive, as no file exists and the process is always a completely legitimate one.

However, at least currently, it is not random.  The most recent process which has been associated with Poweliks infections is dllhost.exe.  It’s a totally normal process, so seeing it running by no means indicates infection.  However, seeing it running persistently and for long periods of time is a bit more suspicious if you’re having other symptoms.  And if you close dllhost.exe using Task Manager and it repeatedly reappears in multiple instances, it’s a really suspicious scenario.  You’ll also likely see tons of other random (normally legitimate) processes running which should not need to be running.  These can’t be specified here as they are random.

For further diagnosis, however, you can download Process Explorer to inspect the genealogy of the processes that are currently running.  It’s a dead giveaway: if dllhost.exe is launching dozens of other processes, you know it’s Poweliks.


This isn’t so bad at all if you know how to tackle it!

The easiest way to handle it is to prepare with a tool that can handle removal first.  In this case, I recommend RogueKiller.

NOTE:  This tool isn’t to be used lightly, especially by those who aren’t thoroughly familiar with computer repair.  By design, it is heavy on false positives, so take care when agreeing to remove what it flags as suspicious.

Try the following approach:

  1. Open RogueKiller; allow the prescan to finish.  Run a scan.
  2. Once the scan completes, look for its detection of Poweliks on the Registry tab.  Be sure it is selected for removal.
  3. Open Process Explorer.  Pause all dllhost.exe processes.  Kill all processes below any dllhost.exe process once the processes have been paused.
  4. Click Delete on the RogueKiller window and immediately reboot the system.

With any luck, upon reboot, the malware will be gone.  By pausing the process with Process Explorer, you essentially negate the malware’s ability to detect its neutralization via watchdog processes that relaunch the dllhost parent process after it’s killed.  That enables disinfection to take place before the malware is relaunched and the registry key is reinfected.
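
The process-tree check and step 3 above, as an added example that is not part of the original post: Python that reads a process snapshot with Name, ParentProcessId and ProcessId columns (the layout produced by wmic process get Name,ParentProcessId,ProcessId /format:csv), flags any dllhost.exe with many processes beneath it, and lists those descendant PIDs parents-first.  The threshold of 12 and the sample snapshot are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict


def load_processes(csv_text):
    """Read Name/ParentProcessId/ProcessId rows into {pid: {"name", "ppid"}}."""
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    procs = {}
    for row in csv.DictReader(lines):
        procs[int(row["ProcessId"])] = {
            "name": row["Name"],
            "ppid": int(row["ParentProcessId"]),
        }
    return procs


def descendants(pid, children):
    """Every PID below `pid`, breadth-first so parents come before children."""
    ordered, seen, queue = [], {pid}, list(children.get(pid, []))
    while queue:
        current = queue.pop(0)
        if current in seen:  # guards against loops caused by PID reuse
            continue
        seen.add(current)
        ordered.append(current)
        queue.extend(children.get(current, []))
    return ordered


def flag_dllhost_parents(csv_text, min_descendants=12):
    """Return dllhost.exe instances with at least `min_descendants` below them.

    A lone dllhost.exe is normal; the indicator described in the post is a
    dllhost.exe that keeps launching other processes. The default threshold
    is an assumption, not a value from the post.
    """
    procs = load_processes(csv_text)
    children = defaultdict(list)
    for pid, info in procs.items():
        # Ignore parents that have exited and the self-parented idle process.
        if info["ppid"] in procs and info["ppid"] != pid:
            children[info["ppid"]].append(pid)

    hits = []
    for pid, info in sorted(procs.items()):
        if info["name"].lower() != "dllhost.exe":
            continue
        below = descendants(pid, children)
        if len(below) >= min_descendants:
            hits.append({
                "pid": pid,
                "ppid": info["ppid"],
                "descendants": below,
                "names": sorted({procs[p]["name"] for p in below}),
            })
    return hits


def build_sample():
    """Constructed snapshot: one idle dllhost.exe and one with 14 descendants."""
    rows = [
        "Node,Name,ParentProcessId,ProcessId",
        "PC1,System,0,4",
        "PC1,svchost.exe,4,800",
        "PC1,dllhost.exe,800,2100",   # ordinary COM surrogate, no children
        "PC1,dllhost.exe,1234,3000",  # its parent (1234) has already exited
    ]
    spawned = ["notepad.exe", "calc.exe", "mspaint.exe", "write.exe"]
    rows += [f"PC1,{spawned[i % 4]},3000,{3001 + i}" for i in range(12)]
    rows += ["PC1,cmd.exe,3001,3100", "PC1,cmd.exe,3100,3101"]
    return "\n".join(rows)


if __name__ == "__main__":
    for hit in flag_dllhost_parents(build_sample()):
        print(f'dllhost.exe PID {hit["pid"]}: {len(hit["descendants"])} '
              f'descendant processes {hit["descendants"]}')
```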

Of course, to repeat myself, keep in mind that Poweliks is merely a tiny fraction of what is usually also alongside it on an infected system; after all, it is a downloader.  So if you’re trying DIY disinfection, just be advised that there is a very good chance that your system is still infected even after this process by multiple other malware families.  I would advise hiring a professional in your local area to assist with the job instead of risking your personal information and data!

Guide: Western Digital WD5000F032 External Hard Drive Disassembly

Everyone who does any sort of data recovery knows that Western Digital external hard drives can be a real pain to break into if they fail.  While I’ve found plenty of extremely helpful visual guides to disassembly of these models in the past, the model I received today for repair wasn’t among them.  It’s a WD5000F032 (also WD5000C032, and perhaps other similar model numbers as well), and the method to disassemble it is completely different.

So I took it upon myself to create a guide of my own.  Hope this helps you!

Western Digital WD5000F032 external hard drive Disassembly

Step 1 - Remove the rubber liner

Step 2a - Press the plastic tabs on top...

Step 2b - ...and bottom

Step 3 - Slide the contents out of the shell casing

Step 4 - Remove screws

Step 5 - Remove more screws

Step 6 - Remove the final screw

Step 7 - (Optional) remove the drive from the bracket

SOLUTION: Google Chrome process will not close; Chrome will not re-open

A frustrating issue that I have encountered on multiple recent customers’ PCs is an inability to completely close all Google Chrome processes–and, even more frustratingly, a consequent inability to reopen Chrome once it has been closed on the machine.  This happens regardless of whether the “Continue running background apps when Google Chrome is closed” checkbox is checked in Settings.

Two workarounds exist: either reboot the machine or open Task Manager and kill the hanging chrome.exe process that is responsible for this problem.  But, of course, this is no long-term solution.

Fortunately I have found the long-term solution!  Keep in mind it may be different in your case depending on the cause, but it appears that this problem is always a product of one of two conditions:

  1. A problematic plugin/extension, or
  2. Corrupt User Data of some sort.

For the sake of justification, in the case of my customers’ machines, the first one was caused by a problematic QuickTime plugin (disabling it fixed the problem), and the second one was a corrupt Cookies store–one which could not be cleared using the Clear Browsing Data dialog.

In light of this, there is a relatively easy way to solve either.  Here is the process by which I propose you approach the solution in your particular case:

  1. First, open Chrome and navigate to chrome:plugins.  Disable all plugins and restart the browser.  You may have to kill chrome.exe manually once and then reopen/reclose the browser to test this.  If the behavior persists, reenable the plugins one-by-one to narrow down the one which is responsible.
  2. If this doesn’t work, reenable all plugins, then navigate to chrome:extensions and disable all extensions.  Repeat the close/open process to see if the behavior persists.

If this still doesn’t work, now that you’ve ruled out any plugin/extension issues, you’ll need to employ this final phase of the fix, which involves locating corrupt User Data and fixing it.

METHOD 1: From The Ground Up

The first approach involves recreating a new User Data store for your Chrome profile.  This is the most surefire way of correcting the issue as it involves working from the ground up with a new profile and reintroducing customizations (such as Bookmarks, Preferences, etc.) until you find one which is a problem (in my case, it was Cookies).  Here’s how it works:

  1. Open up a folder browser window (a Windows Explorer window) on your PC and navigate to the folder %LOCALAPPDATA%\Google\Chrome
  2. Inside this folder, you will find a subfolder called User Data.  Make sure Chrome is closed (including the hanging chrome.exe process), then rename this folder to something such as User Data.old
  3. Open Chrome again and close it.  Voila, no problems.
  4. Note that a new User Data folder has now been created which is blank.  Here’s the tricky part.  The new profile doesn’t have any of your previous data in it (as you probably noticed).  If you’re simply using a roaming Google Chrome profile (such as one where you sign in while opening the browser) to retain your settings, it’s as easy as signing in again to repopulate your stuff.  But if you aren’t, you’ll need to manually copy over the data from the corrupt profile.  To do so:
    1. Navigate to %LOCALAPPDATA%\Google\Chrome\User Data.old\Default to get to the old corrupt profile data that you are no longer using.
    2. Open another folder browser window and navigate to the new profile data here: %LOCALAPPDATA%\Google\Chrome\User Data\Default 
    3. Close Chrome (if it isn’t already) and copy over the following user data files within this folder one at a time, opening and closing Chrome in-between each time to check for a hanging chrome.exe process after the file is copied:
      1. Archived History
      3. Extension Cookies
      4. Favicons
      5. History
      6. Login Data
      7. Preferences
      8. Shortcuts
      9. Top Sites
      10. Visited Links
    4. If you copy a file and the behavior reappears, that’s obviously your culprit.  In my case, it was Cookies, which you’ll notice I didn’t even list above because I bet that’s what your problem is too!

METHOD 2: From The Top Down

You can reverse this method if you want to try and retain as much as possible of your profile (i.e., if you have a ton of extensions installed that you don’t want to redownload–though to restore those you can technically also simply copy the subfolders within the Default folder as well that relate to them).  First I would create a backup of the User Data folder before beginning just in case, and afterwards I’d begin renaming suspect files one by one until you find the culprit.  Start with Cookies and go through the rest of the files in the Default folder until you find the problem.

Thank goodness this is solved!  It’s an annoying one.

SOLUTION: Microsoft Outlook 2013 hangs at “Loading Profile…” after Office Update

Now here’s an interesting conundrum.  A recent update to Microsoft Office 2013 that’s being pushed out automatically to clients results in some of them being unable to open Outlook 2013.  Instead of running normally, the program will hang at the “Loading Profile” stage of launch, as though the profile is corrupt (if you haven’t already checked this, it could actually be the case instead, of course).  A workaround is to open Outlook using the well-known /safe command line switch; but this is merely a workaround (which in turn disables all add-ons), not a permanent solution.

For a much more reasonable resolution, try this instead:

  1. Run regedit (Start > Run > type regedit and press ENTER)
    1. On Windows 8, Win + R; type regedit and press ENTER
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common
  3. Right-click, select New > Key and name it Graphics
  4. Select the Graphics key you just created, right-click in the right panel and choose New > DWORD (32-bit) Value and name it DisableHardwareAcceleration.
  5. Double-click the new value and assign it a value of 1.
  6. Close regedit and try opening Outlook again.

This should fix the problem.  I first stumbled upon the solution when I realized that opening my TeamViewer Remote Support program while Outlook was loading kicked it into launching, which suggested either a network- or graphics-related cause (as TV affects both of those when launching).  The original solution listed here came from the Microsoft Office 2013 Issues Blog, though the symptoms listed are different from these.

Hope this helps! 🙂

SOLUTION: Dell Laptops Hang on Reboot/Shutdown after Windows 8.1 update

I’ve recently encountered a pretty new issue involving some Dell laptops where the system will simply hang at a black screen, completely blank, when a shutdown or restart is initiated.  This behavior occurs following the installation of the free Windows 8.1 update.  There is no evidence present in the Event Log or anywhere else to indicate what might be to blame, and nothing on the internet that I could find references the issue.

In my case, I encountered the problem while setting up around 10 Dell Latitude E7240 (Latitude 12 7000 Series) notebook computers for my clients.  The solution, as it turns out, is pretty simple.

As usual, it’s a driver which is to blame for the problem.  I first stumbled across the solution while troubleshooting when I decided to disable the wireless adapters (Wi-Fi and Bluetooth) using the hardware wireless switch on the side of the computer before shutting down.  You’ll notice that while Airplane Mode is on, the system reboots/shuts down just fine.

It’s because of the Dell Wireless 1601 WiFi/BT driver that’s preinstalled; for whatever reason, the Bluetooth portion of it is incompatible with Windows 8.1.  Explicitly disabling Bluetooth also fixes the problem, confirming that this is the source of the issue.

To correct it once and for all, here’s what you need to do:

  1. Download this driver from Dell.
  2. Choose to Extract Without Installing and specify a location of your choice.
  3. Wait a few seconds for the confirmation dialog to appear, then click View Folder.
  4. Double-click the Install_CD subfolder to open it.
  5. Run setup.exe and follow the instructions.
  6. Reboot the computer.

The problem is solved!

I presume this most likely affects all Dell computers running the A01 version of the driver.  I hope this solution has helped you!

SOLUTION: Windows Vista In-Place Upgrade fails when PowerShell is installed

This one’s quick and easy.  On multiple occasions, I’ve encountered problems with Windows Vista performing an in-place upgrade (in situations where conventional repairs are not sufficient and such measures are necessary) if the client’s machine has Windows PowerShell installed.  PowerShell is listed as incompatible with the upgrade procedure by the Setup process.  Usually, it’s as easy as removing it via Control Panel > Programs and Features > Turn Windows features on or off, but on more than one occasion, when a workstation is really screwed up, this process fails.

In those cases there are two other options you can try.  The first is to head to Programs and Features, choose View installed updates, and remove Windows Management Framework Core, which is the update associated with PowerShell.  If this STILL doesn’t fix it, however, there’s one surefire way to do so:

  • Simply rename the directory %SYSTEMROOT%\System32\WindowsPowerShell (where %SYSTEMROOT% is the system environment variable for the Windows directory).

This easy workaround will allow the upgrade to proceed, which will usually fix most serious problems with a Vista installation and pave the way for updates and other corrections before wrapping up the work.  It’s just another way I’ve been able to avoid a reinstallation of Windows under circumstances which would normally seem to suggest it as the only option.

CryptoLocker: UNdecryptable file ransom—How to recover

For some time now, malware authors and attackers buying licenses for use of their programs on the black market have been making a killing off of file recovery ransom schemes.  The most widespread of these was the “Windows File Recovery” style rogues that hit a couple of years ago, where a rogue recovery program named something of the sort would appear on an infected system in an attempt to convince the user that they had lost all of their data due to some catastrophic event (i.e., a hard disk failure) and that they would need to pay to have those files retrieved.  More recently, these were followed up by the still-rampant FBI Moneypak Trojans, which display a message at Windows startup explaining that the FBI has locked the PC due to its use for illegal activities and that the user will need to pay $300 via Moneypak to have it unlocked.

None of these initial attempts were very difficult to thwart unless the user or technician was completely unfamiliar with them.  The Windows Recovery rogues simply hid the files, which could easily be unhidden following their removal.  The most sinister thing they ever did was move the user’s shortcuts to a hidden temporary folder.  The FBI Moneypak is a cinch to kill once you know of its loading points (though it does often come bundled with the ZeroAccess rootkit).  Some of the later iterations of these ransom rogues took this a step further by actually encrypting the user’s data, but even these could be beaten with special decryption tools.  Eventually, they were assigned the title of Ransomware, which technically could be used to classify any of these specimens.

In case you haven’t heard, there’s a new form of this malware, however, and it’s much, much nastier.  It’s called CryptoLocker, and it also encrypts the user’s data—but it does so using a fusion of AES and RSA encryption that is literally impossible to reverse without the possession of a private key.  That private key resides on a remote server that is only accessible once the user actually pays to have the decryption performed (and it doesn’t always work, either).  By the time the user knows they’ve been infected, all of their precious data has usually already been encrypted.  Needless to say, this is disastrous, especially for businesses.

Over the course of the past few weeks, I’ve had two different customers with this infection.  While it’s true that there is no possible way to decrypt the data, fortunately, there are still ways to recover some or even all of the data (albeit, slightly older versions of the files) if you know just one simple trick.

Windows Vista and beyond include a little-known feature called Volume Shadow Copy.  It’s closely related to System Restore, with which many people are familiar already, but most people are not aware of the fact that Volume Shadow Copy (unlike System Restore) actually includes management of versioned snapshots of the user’s data as well.

This is a valuable tool in data recovery, of course, provided the system is bootable and the Volume Shadow Copy functionality is accessible/unbroken.  But it also happens to work with current versions of the CryptoLocker Trojan.

Here’s the process you’d need to follow:

  • Remove the CryptoLocker Trojan first or all recovered data will also be encrypted.
    • This is actually pretty easy to do; you can find a plethora of information about it across the internet.  The Trojan loads from an executable in the user’s AppData\Roaming folder (Documents and Settings\Application Data on XP) which can simply be removed to kill it.
    • However, CryptoLocker also has been bundled with Zbot very frequently, so also be sure to check for a randomly-named folder in AppData\Roaming or AppData\Local as well containing a single randomly-named executable and remove it as well.
  • Either right-click on a folder and choose Restore previous versions in Windows 7 to reveal dated snapshots of the contents of that folder, or in any version of Windows (XP SP2 and beyond), download ShadowExplorer to assist in the browsing and copying of these versioned copies.
  • Copy the data from the most recent unencrypted snapshot to a safe location.

If you need help locating all of the files which were encrypted, you can download ListCrilock from Grinler, which is a tool that lists the contents of the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry key (the location CryptoLocker records the files it has encrypted).

While this is a very fortunate oversight by the authors of the malware, I wouldn’t expect it to last.  All that would need to be added is a quick routine to clear all restore points or the contents of the System Volume Information folder to prevent this recovery from taking place, and the authors know this—something which is probably in the works already as this solution has begun to spread throughout the security communities.  Ultimately, what this should do is remind everyone of the importance of regular (preferably versioned) backups offsite or to a drive which is disconnected in between backups (to prevent the files from being encrypted upon the next connection).

Thanks to Grinler for much of the information used to assemble this post, for his excellent tool, and for running a terrific website in the process.

SOLUTION: Recover/import Windows Live Mail Contacts to new computer

So today I was tasked with recovering a client’s contacts stored in a Windows Live Mail edb database for the first time.  At first, it seemed like a daunting task–primarily because I could not get a (previously) popular solution involving the now-deprecated EseDbViewer to work.  That’s because, as I later discovered, the process must be performed on the original PC in order for it to work; if you try it using the recovered files on another machine, it simply fails.

Update: A reader, Chris Siddons, has posted an alternate method to accomplish this for those with a great number of contacts.  Feedback indicates that it works quite well.  Thanks, Chris!  Here is his method:

1) On my old PC, I located the folder “C:\Users\{Username}\AppData\Local\Microsoft\Windows Live\Contacts\Default” (obviously, replacing your user name as appropriate)

2) I copied the entire contents of this folder to a temporary location (memory stick, or another way of transferring the data to the new PC).

(NB This folder contains three folders, 15.4 15.5 and W4CR1, which appear to be empty but contain various hidden folders and files, including several versions of contacts.edb, so you may appear to be copying empty folders, but don’t worry about this, just follow these instructions as they worked for me!)

3) I located the folder “C:\Users\{Username}\AppData\Local\Microsoft\Windows Live\Contacts\Default” on the new PC and deleted the contents, then replaced them with the contents of the Default folder from the old PC.

Following is the remainder of the original blog entry:

Fortunately, as is usually the case, there is another way around this problem, and it’s actually quite easy.  The goal is to get the contacts from the edb into a readable .csv (Comma Separated Values) file for import into Windows Live Mail.  And a company known as Nirsoft (who makes a number of helpful tools, often of forensic nature) has a program that works perfectly.

It’s called LiveContactsView, and it’s designed for viewing Windows Live Messenger contacts.  However, Windows Live Mail uses the same format for storing its contacts, so it works here, too.

Here’s the full process:

  1. Download LiveContactsView.
  2. Recover the original Windows Live Mail contacts database files from the failed PC/original drive:
    • They’re located in %LOCALAPPDATA%\Microsoft\Windows Live Contacts\{GUID}\DBStore, where %LOCALAPPDATA% is an environment variable equivalent to \Users\{USERNAME}\AppData\Local\ on the drive, and {GUID} is a random string assigned to the original user’s profile.
  3. Using LiveContactsView, open the contacts.edb file from the DBStore folder.
  4. Select all fields within the list view.
  5. Export the items to a .csv file.
  6. Import the .csv file into the mail client of your choice.

That’s it!  It’s actually remarkably simple, and it is the best (and only) method I’ve found to accomplish this to date.