Preventing Spyware

You wouldn’t be reading this if you weren’t curious about spyware… I’ve shown you how to get rid of it (easily) so let’s look at how to prevent it.

I’m not going to repeat myself so I won’t go into detail, but spyware has several limitations. If you don’t want to get too advanced, here are a few easy ways to prevent spyware:

1. Use Internet Explorer 8 (stop whining, it does work very well)

2. Use Google Chrome (preferred method)

3. Use Mozilla Firefox (whatever the latest version is)

4. Don’t click on pop-ups… if you have a pop-up blocker, turn it on!

5. If it tells you that you have a virus, the thing telling you is probably the virus… stop clicking on things!

6. Download and install MalwareBytes… then do a full scan occasionally

Now for more advanced ways!

1. Set security on C:\windows\system32\drivers\etc\hosts to Everyone read-only

2. Use regedt32 to set permissions on HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN to Everyone Read-Only. *** SOME SOFTWARE INSTALLS WILL NOT LIKE THIS: meaning future installations of software may fail because they cannot write to this key ***

3. Research CLEANMGR and use its “autopilot” function to clean temp files every time you reboot.

4. If you are in a domain environment, lock down Internet Options (specifically the proxy part)– and if you ARE in a domain environment, get a web filter… Barracuda even has its own spyware removal tool. There are some free ones out there like Untangle that even work pretty well.

5. Change your DNS to OpenDNS servers (http://opendns.org/) by setting it manually on your NIC or wherever you get DHCP from (at home this would be your “Linksys” router)

6. Set these registry keys to Everyone read-only as well: HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile

Dealing With Spyware

Let’s face it… I’ve never had spyware and I look at porn, and browse the web for hours at a time… what’s your problem? 🙂 All kidding aside, spyware is a real problem. I’m sure everyone reading this at some point or another has had or dealt with fake antivirus software that just will NOT go away! Luckily for you I do this for a living and understand the limitations of spyware and how to deal with it. Coders are lazy people… they do just enough to get things to work and patch/update as problems arise rather than spending a few extra days to plan out every possible scenario and code it into their program– I suppose if Microsoft tried that… well… lol

Current spyware has several limitations:

  • Unable to cross user profiles (possibly due to Windows Vista/7 and UAC… limiting coders’ options to the current user). While this is not a REAL limitation, when you code a program to mass infect, you have to make it as compatible as possible. Sticking around in the current user’s profile makes the software very compatible.
  • Relies on reboots/triggers to activate. Usually spyware will associate itself with .exe (exefile) in the registry, other times it will load as a hook… because of this it has more limitations. One of these triggers is setting Internet Options to use a proxy… the proxy is the spyware usually as a service or as a DLL hook
  • It can’t effectively control where you go in explorer.exe (Windows shell) or it would potentially block itself…
  • It usually can’t block regedit because it makes changes to the registry… or it would potentially block itself…
  • To deal with antivirus and AWESOME programs like MalwareBytes… it has to remain anonymous. Thus, it’s very easy to spot 130e9rjfm312rja.exe in a folder or in task manager
  • If you are lucky enough to be in a domain environment, it can’t stop domain admin from another PC using PSTOOLS! 🙂

I think you get the point, so here’s what I am going to do for you today… I’m going to teach you… how to count….all the way… to schffifty schvive. Actually… I’m going to show you how to solve 99% of spyware problems.

Problem: You have spyware!

Solution: Taking what we know into account, the first thing you should do is create a new user and set a good password. If you anticipate having lots of spyware problems, leave the account in place when we are done. In almost all versions of Windows, it’s the same process to add a new user:

1. Start

2. Control Panel

3. User Accounts

4. Add a new user (administrative user, not standard user)

5. Call it… swsvc or AntiSpyware or.. Joe (me) and every time you get spyware you can log in as me (Joe)

6. Create a password… preferably a pass-phrase. A pass-phrase is at least 14 characters… you can use your phone number spelled out, i.e. “four eight zero five five five one two three four”

7. Reboot

When the computer comes back up, log in as the new user you created. If you are lucky, the spyware hid itself in an obvious place and we can delete it before we continue. Once you are logged in, click Start, click Run (or use Windows key + R) and launch “regedit” then navigate to LOCAL MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN

This is usually how the spyware starts every time you reboot. Check for items that have a path starting with \users\<your username>\appdata\local or \documents and settings\<your username>\. These paths usually end up somewhere in a temp folder with a random lettered/numbered executable.

Honestly though, you can probably delete everything under Run and be safe. Most of that stuff is your quick launch, antivirus tray icon (not the service), Adobe quick launch, Java update, etc. Once that is done, browse to USERS>long string of numbers>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN. There are going to be quite a few “SIDs” which are the long strings of numbers, but you won’t find that path if it isn’t a valid user. So take the time and explore them all. Delete anything “weird” under Run.

Just for the heck of it, Windows Vista/7 users should open up My Computer and browse to \users\<their username>\appdata\local\ and look inside temp and microsoft for folders that have random letters and numbers. XP users will do the same, except use \documents and settings\<their username>\application data\ or \documents and settings\<their username>\local settings\.

Once you’re done looking, whether you find anything or not, go to Start > Control Panel > Internet Options > Connections tab > LAN Settings button and clear all the check boxes.

Next step is to download the greatest tool ever made, MalwareBytes. Here is a link: http://download.cnet.com/3001-8022_4-10804572.html?spi=cd39b95079d2256cc6dc1fc880e6e8d0&part=dl-10804572

MalwareBytes is small, compact, FREE… it doesn’t have bloat-ware or annoying ads… and it WORKS! It is your typical Next>Next>Finish type of installation. No tricks… At the very end of the install leave “Update” and “Launch” checked.

After it updates and opens up, close it. — yea… lol. You could have unchecked “Launch” but let’s face it… we’re already worn out trying to search for this article.

In Vista/7 we have to right click MalwareBytes and “Run as Administrator” or it will not search other users’ profiles.

Once it’s loaded, do a full scan on C:\ … and wait… depending on how many files (usually 100,000 per hour if you have a decent PC) you might have to wait a while.

Once the scan is completed, it will have undoubtedly found your spyware. Remove all of it and reboot. Login as your regular user and verify the spyware is gone. You will have to double check Internet Options again (as noted above) and verify the same things. If you don’t, internet might not work right away.

Side notes:

Under rare circumstances, spyware will associate itself with .exe and exefile in the registry. If you open up regedit, navigate to HKEY_CLASSES_ROOT\.exe, default should be set to exefile. If it is not, it is probably set to scefile or something else. In any case, browse to HKEY_CLASSES_ROOT\exefile or scefile or whatever is there, and check the load options (SHELL>OPEN>COMMAND) and see if it provides you with a strange path. Command default should be set to "%1" %*

Also a rarity, once in a while the spyware will infect your hosts file. This file is located at C:\windows\system32\drivers\etc\hosts. The easiest way to open this file, is to have notepad open, and drag/drop it into notepad. It should have ONE entry (two if you have IPv6):

127.0.0.1       localhost
::1             localhost
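The checks above (Run keys in HKLM and in every loaded user hive, the .exe association, the LAN Settings proxy, the hosts file) plus the ACLs the prevention section tightens, as one added PowerShell triage script that is not part of the original post. It only reads and reports; it assumes an elevated prompt, and the profile-path heuristic and the stock "%1" %* command value are the ones described in the post.

```powershell
# Added example, not from the original post: read-only triage of the places the
# post has you check by hand. It changes nothing; it only reports findings.
# Run from an elevated PowerShell prompt so other users' hives are readable.
$findings = New-Object System.Collections.Generic.List[string]
New-PSDrive -Name HKU  -PSProvider Registry -Root HKEY_USERS        -ErrorAction SilentlyContinue | Out-Null
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null

# 1. Run keys: HKLM plus every loaded user hive (the SIDs under HKEY_USERS).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem HKU:\ | ForEach-Object {
    "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
}
# The post's heuristic: an autorun living in a profile's AppData/temp folder is suspect.
$profilePattern = '(?i)\\(users|documents and settings)\\[^\\]+\\(appdata\\local|local settings|application data)'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        if ("$($p.Value)" -match $profilePattern) {
            $findings.Add("Run value '$($p.Name)' in $key starts from a user profile: $($p.Value)")
        }
    }
}

# 2. The .exe association. Stock Windows: .exe -> exefile, open command "%1" %*.
$assoc = (Get-ItemProperty 'HKCR:\.exe').'(default)'
if ($assoc -ne 'exefile') { $findings.Add(".exe is associated with '$assoc' instead of exefile") }
$cmdKey = "HKCR:\$assoc\shell\open\command"
$cmd = if ($assoc -and (Test-Path $cmdKey)) { (Get-ItemProperty $cmdKey).'(default)' }
if ($cmd -ne '"%1" %*') { $findings.Add("$assoc open command is '$cmd', not the stock value") }

# 3. WinINET proxy for the current user (what the LAN Settings check boxes control).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy enabled for current user: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("Proxy auto-config script set: $($inet.AutoConfigURL)") }

# 4. hosts file: anything beyond the two loopback entries the post expects.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($raw in Get-Content $hosts) {
    $line = ($raw -split '#')[0].Trim()                 # strip comments and blank lines
    if ($line -and $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings.Add("hosts entry: $line")
    }
}

# 5. Prevention check: can Everyone or Users still write to the hosts file or the Run key?
foreach ($path in @($hosts, 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    foreach ($ace in (Get-Acl $path).Access) {
        $rights = "$($ace.FileSystemRights)$($ace.RegistryRights)"   # one of the two is empty
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference -match 'Everyone|\\Users$' -and
            $rights -match 'Write|Modify|FullControl|SetValue|CreateSubKey') {
            $findings.Add("$($ace.IdentityReference) can write to $path ($rights)")
        }
    }
}

if ($findings.Count -eq 0) { 'Nothing unusual found.' } else { $findings }
```

Anything it lists is a lead to inspect, not an automatic verdict; a legitimate updater in AppData or a corporate proxy will show up too.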

If you can’t figure this out, or something isn’t working and you haven’t removed your spyware… leave a comment with the exact steps and messages you get and I will surely (inb4 don’t call me Shirly) try to answer your questions. If you are in the Phoenix area, I can always come over and fix your problems for a nominal fee.

Disappearing E-mail Text

Problem: Random e-mails (most notably distribution group e-mails) are delivered to users with stripped bodies, i.e. no text inside the e-mail.

I was not sure where to start with this, so I began my search in the obvious places… Microsoft Message Tracking and the spam filter. Well… for one, the company was not using a smart-host and this was happening on internal e-mails, so I could rule out the spam filter. I attempted to troubleshoot using message tracker, but of course it would only tell me the e-mail was delivered.

I patched and configured the server until I was blue in the face to make sure all the bugs were removed. The server was configured identically to most 2003 servers I’ve come across. The server had Eset anti-virus (non-Exchange version) which we upgraded… uninstalled… replaced… nothing resolved the issue.

Finally, I did some research on CommVault and NetVault (both running on the server, unsure of job status because at the time I did not have access to the backup software as I was an outside consultant only given specific access). On a whim I disabled both and had them do several tests… all of which worked successfully.

Internally they made the decision to discontinue the use of one of the backup solutions on the Exchange server.

Resolution: Don’t use two log-based backup solutions on an Exchange server. I imagine both solutions had some sort of continuous backup technology where they were constantly monitoring and backing up logs, causing the e-mail text to be misplaced.

Moxy 6.0 on Windows 2008 R2 Terminal Server

I was recently tasked with the construction of a Windows 2008 R2 terminal server for a financial company running the typical Advent applications: Axys and Moxy.

Needless to say… Axys was easy and Moxy doesn’t natively support 64-bit Windows so it was a pain in the neck. I made it work however, and this is how:

1. I did the obvious and installed the 64bit versions of all the components Moxy needs (vcredist x64 and x86, SQL client components x64, SQL Server 2005 ADOMD, ASOLEDB9, BC x64)

2. Then I created an ODBC system connection that points to the SQL server with username and password saved. Name it MOXYDSN32

3. x64 saves ODBC in the same reg key as x86… but the application is looking in the x64 key– stupid. I don’t know whose fault that is at Microsoft, but you sir, are not my friend. Normally ODBC is saved in:
HKLM\Software\ODBC\ODBC.INI\

…but you have to export and import the MOXYDSN32 key to:
HKLM\Software\Wow6432Node\ODBC\ODBC.INI\

4. Now because the installation process won’t run at all, we have to manually run install. Luckily, when you install Moxy on a PC that DOES work it saves a log. This log basically boils down to this batch file:

@echo off
REM Moxy 6.0 manual install, reconstructed from the install log of a working PC.
REM M:\Moxy60 is the network share Moxy is installed to; run from an elevated prompt.
copy M:\Moxy60\msxml4.dll C:\WINDOWS\system32\msxml4.dll
copy M:\Moxy60\msxml4r.dll C:\WINDOWS\system32\msxml4r.dll
copy M:\Moxy60\winhttp5.dll C:\WINDOWS\system32\winhttp5.dll
regsvr32 C:\WINDOWS\system32\msxml4.dll
regsvr32 C:\WINDOWS\system32\winhttp5.dll
REM OLE DB / SQLXML components go under Common Files and are registered from there.
copy M:\Moxy60\sqlis3.dll "C:\Program Files\Common Files\System\OLE DB\sqlis3.dll"
copy M:\Moxy60\sqlis3r.dll "C:\Program Files\Common Files\System\OLE DB\sqlis3r.dll"
copy M:\Moxy60\sqlvdr3.dll "C:\Program Files\Common Files\System\OLE DB\sqlvdr3.dll"
copy M:\Moxy60\sqlvdr3r.dll "C:\Program Files\Common Files\System\OLE DB\sqlvdr3r.dll"
copy M:\Moxy60\sqlxml3.dll "C:\Program Files\Common Files\System\OLE DB\sqlxml3.dll"
copy M:\Moxy60\sqlxml3r.dll "C:\Program Files\Common Files\System\OLE DB\sqlxml3r.dll"
copy M:\Moxy60\xblkld3.dll "C:\Program Files\Common Files\System\OLE DB\xblkld3.dll"
copy M:\Moxy60\xblkld3r.dll "C:\Program Files\Common Files\System\OLE DB\xblkld3r.dll"
regsvr32 "C:\Program Files\Common Files\System\OLE DB\sqlvdr3.dll"
regsvr32 "C:\Program Files\Common Files\System\OLE DB\sqlxml3.dll"
regsvr32 "C:\Program Files\Common Files\System\OLE DB\xblkld3.dll"
REM Moxy's own COM servers are registered straight from the network share.
regsvr32 M:\Moxy60\axysdata.dll
regsvr32 M:\Moxy60\mxapxexprt.dll
regsvr32 M:\Moxy60\mximprt.dll
regsvr32 M:\Moxy60\moxycsv.dll
regsvr32 M:\Moxy60\qbcontxt.dll
regsvr32 M:\Moxy60\qrybldr.dll
regsvr32 M:\Moxy60\editqitm.dll
regsvr32 M:\Moxy60\qbedit.dll
regsvr32 M:\Moxy60\mxusrdatamgr.dll
regsvr32 M:\Moxy60\mxqrytree.dll
regsvr32 M:\Moxy60\mxrulemgr.dll
regsvr32 M:\Moxy60\mxPubSubCOMWire.dll
regsvr32 M:\Moxy60\mxPubSubPSPRovider.dll
regsvr32 M:\Moxy60\mxPubSubRemoteProvider.dll
regsvr32 M:\Moxy60\mxProviderComDlg.dll

Running this as a batch file will install Moxy. M:\ is the network drive Moxy is installed to. I do not work for Moxy and this is not a supported configuration. There are some bugs that I haven’t been able to work out (random error messages that don’t affect the overall functionality).
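Step 3 above (getting the MOXYDSN32 system DSN into the 32-bit registry view) done with PowerShell instead of a manual export/import, as an added example that is not part of the original post. It assumes an elevated prompt and that the DSN already exists in the 64-bit view; the "ODBC Data Sources" registration is included because the 32-bit ODBC Administrator only lists DSNs named there.

```powershell
# Added example, not from the original post: copy a 64-bit system DSN into the
# Wow6432Node view that 32-bit applications such as Moxy read. Run elevated.
$dsn = 'MOXYDSN32'                                   # DSN name from the post
$src = 'HKLM:\SOFTWARE\ODBC\ODBC.INI'                # 64-bit view (where odbcad32 in System32 writes)
$dst = 'HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI'    # 32-bit view (what a 32-bit process sees)

if (-not (Test-Path "$src\$dsn")) {
    throw "System DSN '$dsn' not found under $src; create it in the 64-bit ODBC Administrator first."
}
foreach ($k in @($dst, "$dst\ODBC Data Sources")) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# The DSN's own key (Driver, Server, Database, ...) becomes a child of the destination.
Copy-Item -Path "$src\$dsn" -Destination $dst -Recurse -Force

# "ODBC Data Sources" maps DSN name -> driver name; without it the 32-bit
# ODBC Administrator (SysWOW64\odbcad32.exe) does not list the DSN at all.
$driver = (Get-ItemProperty "$src\ODBC Data Sources" -ErrorAction SilentlyContinue).$dsn
if ($driver) { Set-ItemProperty -Path "$dst\ODBC Data Sources" -Name $dsn -Value $driver }

# Show what the 32-bit view now contains for this DSN.
Get-ItemProperty "$dst\$dsn"
```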

Is your e-mail broken? Blame Cisco.

Just a few things you may eventually come across:

Getting an NDR stating #500 Firewall Error# is usually the fault of Cisco IOS. Chances are you have the ip inspect command set for smtp/esmtp. Removing this resolves the error (which may be inconsistent and difficult to replicate on demand).

Fixing Fake AntiVirus spyware infections is very easy in a domain environment through the use of PSLIST/PSKILL from the PSTOOLS package that Microsoft has available through Sysinternals. It appears that most fake antivirus programs associate themselves with the “exefile” class and redirect .exe to a “scefile” class where it loads its own executable as a wrapper. If by chance you can still run regedit (some block it… others don’t) you can remove the wrapper from the key in regedit and then set permissions on the key to read only for everyone. This will allow you to download and install MalwareBytes and/or ComboFix. Other times regedit is blocked and you will have to locate the file itself (almost always in the user’s temp files) and set permissions to deny full control to everyone and end the task. If you are looking for AntiVirus software that works well in preventing this type of spyware infection, either Symantec Endpoint (11.0.5 is latest release) or Microsoft Forefront Client Security seem to work very well.

20-20 Worksheet: The file format was not recognized

A while back I was troubleshooting an error for a user running 20-20 Worksheet on a Windows XP machine. The user was one of many running the program, but had a specific issue opening sif files that no one else had.

If she attempted to open a sif file, she would get the file format was not recognized. Other users would attempt to open the same file and they would not have errors.

Like most technicians… I don’t have the patience to call other companies for technical support. So I sent 2020 customer support an e-mail and while I waited I decided to do it on my own.

I quickly downloaded Process Monitor and excluded all the crap. I opened the .sif file and magic! It couldn’t find a few registry entries (HKCU\Software\Classes\CLSID and HKCR\CLSID). I went to a machine that was working and exported the missing keys and it fixed the problem.

Problem: Opening a .sif file within 20-20 Worksheet produced a “The file format was not recognized” error message.
Resolution: Import missing registry keys

…the best part is the e-mail correspondence between myself and “technical support”

“Great,

What registry key did you import into her machine that fixed it?? And where in the registry did you find this key?

Thanks

Sincerely, 20-20 Technical Support Team”

Virtualizing your environment with Microsoft Hyper-V

After having completed 3 more virtualization projects this month, I have decided that anyone who hasn’t done so yet must be the same type of people running CRT monitors, Intel Pentium 4 processors and Windows XP. So… let me explain the benefits of virtualization.

First of all, if you pay your own electric bill and you have more than 2 servers this will reduce your power bill. The new HP servers, in combination with Windows 2008 R2, have excellent “green” features such as the ability to shut off cores that are not in use (google: p-states). Newer processors run somewhere in the neighborhood of 65 to 80 watts. Older processors fall somewhere above 100 watts. Chalk one up for savings: You are running all of your servers on 1 or 2 servers that can run on a fraction of their cores when idle.

Second… ease of management. If you have ever worked for a company that offers managed services then you know how ridiculous it is to manage a customer with let’s say… 10 different physical servers. I’m sure you just love trying to manage 10 open RDP windows. On top of that… one of those 10 physical servers locks up. Does it have iLO? If it does, did I document it? I didn’t… crap, now what! Hyper-V allows you to manage the console of each virtualized server from one server. You can shutdown, restart, pause/save state without having to RDP into the server. You can manage the consoles the way you would manage 10 open Word documents (Windows 2008 R2, like Windows 7, has that nifty taskbar grouping feature).

Third… if you spend a little extra dough you should add a second server (hopefully you decided on the enterprise version of Windows Server) and implement a Hyper-V cluster. You can have failover and the ability to avoid downtime even when it’s time to do all those pesky maintenance tasks. Live migration is pretty awesome, I just wish that when a Hyper-V node crashed, the server wouldn’t reboot unexpectedly. They should really figure that one out… anyways… FAILOVER AND LESS DOWNTIME.

Lastly, and least important of all… you get to put all your old hardware on eBay… clean out that rack and have it look presentable again. Cosmetic, I know… but any IT guy can appreciate a clean, clutter-free rack space.

Something new to me that I have been playing around with is Microsoft’s Windows Deployment Services in R2… its benefits really stand out in a virtual environment. Deploying new servers, or prepping virtual servers for customers has never been easier.

If you want consulting to see if you can benefit from virtualization, or perhaps you already know the benefits and you need a company with several years of virtualization experience over a wide variety of platforms (yea, yea… VMWare can do it too), head on over to www.dcicorporation.com and drop us a line.

Windows Vista Fax and Scan – Access denied to My Documents

I came across what I thought to be a very common issue… but the solution ended up being rather odd (and out of compulsiveness, I just happened to stumble upon it).

When presented with an access denied error and users accessing their My Documents folders via redirection, my first inclination is to check permissions. I did notice some rather strange permissions on the folders, so I set them to owner/system/administrator full control with inherit and re-applied them to all subfolders. I then set the owner of the files to the user. This did not resolve the problem.

Ultimately… my obsessive behavior of deleting that damned desktop.ini file resolved the problem. After I deleted the desktop.ini file, magically it started working. This left me confused, and laughing, initially.

Apparently the desktop.ini file is what changes “My Documents” to look like “Joe’s Documents.” I thought this would just be interpreted as an alias. If I am on the server and I saw “Joe’s Documents” I could still type My Documents in the path and reach the same destination. Apparently Vista’s Fax and Scan doesn’t make that distinction and decided that it would use the alias path to connect– I don’t know why Microsoft failed to accommodate this problem, it seems like it shouldn’t make a difference.

Problem: Vista’s WFS cannot access My Documents
Solution: Delete desktop.ini

Hi, and stuff.

Welcome to my brain dump.

I plan on posting stuff I come across in my field. I work as a network engineer for Decision Consultants, Inc. (www.dcicorporation.com) and I am a jack of all trades for them. You are more than welcome to contact DCI if you read this and decide you wish to pay for my expertise– it’s not cheap, and that’s on purpose.