Back and Forth

Fake Antivirus Removal Tips

The battle against the fake antivirus programs has intensified int he past few months, and unfortunately there’s no end in sight. Blair Fritz, ForthPhaze Support Specialist, cleaned up an infection this week on an XP system, and we thought it might be interesting to explain the process we use to fix these infections.

1. The first thing we have to do is stop the part of the attack that prevents installing or opening programs on your system. There are a couple of ways to go about this. The easiest way is to open the startup tab in msconfig (Start/Run/msconfig) and find the part of the virus that loads when you start your computer. The entries on the startup tab can be cryptic, but there are two ways to tell which is the bad program. Under the Command column, look for any entry that points to C:\Documents and Settings. Legitimate programs will be installed in C:\Windows or C:\Program Files. Anything that loads out of C:\Documents and Settings should raise a red flag. Another marker is a Startup Item name that’s just a random collection of eight letters and numbers. If you find these, click off the check mark next to it and click apply, then restart the computer.

If you have a simple infection, this will stop the program that was blocking your other programs. If it doesn’t work, plan B is to restart the computer again but this time press F8 while the computer is restarting. This will load the Windows startup option page. Select Safe Mode with Networking and press enter. Safe mode only installs the basic Windows components and drivers, no add-on software is installed and this stops the infection from loading most of the time.

If this doesn’t work, you’ll need to run a program that kills the blocking program from the desktop. We are huge fans of a program called rKill. Download it on an uninfected computer (only from that page!) to a thumb drive, copy it to the desktop, and then double click to run it. It might take a few minutes to complete, but when it’s finished you should be able to open all the programs on your computer that you weren’t able to open before.

One important note: Once you get to this point, do not restart your computer or you might go back to square one.

Now that we can open programs, it’s on to step two…

2. This one is short and easy. We need to make sure we can get to the internet. Open your web browser of choice. If it connects to your homepage and you can get around the web, you’re ready for step three.

If you can’t get online, the infection has tried to redirect your connection to the web. Fortunately it is an easy fix. Open the Control Panel and click Internet Options. Under the Connections tab, click the button for LAN Settings, and then uncheck the box for “Use a proxy server for your LAN.” Click OK to exit and restart your browser, it should open on your home page and you should be able to visit any website.

3. Now we’re ready to install the software we use to remove the virus from a system.

We use three different programs. The first is Combofix. (Again, only download it through that page.) It’s an amazing virus and malware removal tool. Download it, and double click it to run. There will be a pop-up screen warning that it might conflict with your antivirus program, but we always click to continue and have never had a problem.

Combofix will ask to install Microsoft’s Windows Recovery Console as part of its installation. Let it. This is an add-on that should be on every Windows system by default. After that, just let Combofix run. Depending on the infection it might take up to a half-hour to clean the system, and you might be prompted to reboot. (If so, return to safe mode by pressing F8 like before.) When Combofix is finished it will generate a text report that is going to be gibberish unless you’re a security specialist. Don’t worry about it.

The second program we use is Malwarebytes Anti-Malware, or MWB for short. We use MWB as part of a virus infection repair to double check for infections, but it’s really good at removing tracking cookies and other spyware that everyone gets on their computers. Running MWB every couple of weeks is a great habit to get into.

We do a full system scan with MWB after running Combofix. In almost all cases it comes back clean, but there have been a couple of times when it’s found infections that were missed by Combofix.

You can remove these with MWB, but infected files showing up in MWB after Combofix has always meant a deeper infection in our experience. If you delete them with MWB, the infection will probably return the next time you restart your computer.

The fix is in a good antivirus program. We have become big fans of Microsoft Security Essentials for home users. It has yet to let us down on cleaning up an infected system, even when Combofix didn’t work, and it’s tested very well on preventing infections.

You might be wondering, if Microsoft Security Essentials is so good then why not skip Combofix and Malwarebytes and just install MSE? It’s about time. It takes us less time to use Combofix and MWB to clean up a system, and then install MSE (or AVG Network Edition for our business clients) for future protection. Even when we have to use MSE to clean up an infection, we still do a second scan. It’s not clean until you have a clean scan.

4. The final step is doing what you can to prevent another attack.

Use a comprehensive antivirus program. We recommend Microsoft Security Essentials for home systems and AVG Network Edition for business networks.

Make sure your system has the most recent Microsoft, Adobe and Sun/Java updates installed. It’s hard to use a computer without Adobe Acrobat Reader and Flash, or Sun’s Java programming, but all three have been the source of security problems. Keep them updated.

Set your browser to block all pop ups. Firefox and Google Chrome have this setting by default, but it has to be changed on Internet Explorer through Tools/Internet Options/Privacy. Make sure the box for “Turn on Pop-Up Blocker” is checked, then click the Settings button and change the Blocking Level to High: Block all pop ups.

You can use the browsing history to see which site you were at when you got the infection, but it’s not going to be a lot of help in preventing a future infection. These attacks come from a pop-up ad. Most websites use third-party companies to sell and place ads on their site. The ad brokers scan submissions for viruses, but the virus writers get around this by creating an innocent looking fake ad that opens a pop up window when the page loads or you roll your mouse over it. The virus is in the pop up window, and this is beyond the control of the web site and the ad broker. The best defense is a good antivirus program to stop the program before it loads on your computer and setting your web browser to block all pop ups.

If you have tried doing the above steps but are still having trouble cleaning up the system, or you are uncomfortable performing any of these tasks, feel free to contact us. We are here to help! (and our rates are not as high as the Geek Squad)

Dropbox Your Windows Server Shares

I’ve read several posts on how to use @DropBox on a Windows Server. The information seems to be fragmented, and not always accurate. I’m going to summarize two things today. First, I’ll cover setting up @Dropbox on a Windows server, and second, I’ll briefly discuss security considerations. I’ll be working with Windows 2008, you can do the same with Windows 2003.

Setting Up @DropBox

Logon to the Widows Server as administrator
Download and install DropBox from their website
Copy contents of C:\Users\Administrator\AppData\Roaming\Dropbox\bin to a new folder C:\Program Files\Dropbox
Obtain the Windows 2003 Resource kit files instsrv.exe and srvany.exe. It is perfectly safe to install the Windows 2003 Resrouce Kit on Win2008.
Copy instsrv.exe to C:\Program Files\Dropbox
Copy srvany.exe to C:\Program Files\Dropbox
Open Command Prompt
Execute “C:\Program Files\Dropbox\instsrv.exe” Dropbox “C:\Program Files\Dropbox\srvany.exe”
Execute REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters /v Application /d “C:\Program Files\Dropbox\Dropbox.exe”
Execute REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters /v AppDirectory /d “C:\Program Files\Dropbox”
Delete or move the shortcut to Dropbox away from the startfolder (Start -> All Programs -> Startup) on the startmenu
Launch Services.msc
Right-click DropBox service, logon tab, check the Allow service to interact with desktop option
Execute net start Dropbox
Move your shared folders you need to share with outside users into your DropBox folder location, and reset sharing permissions. NTFS permissions should be maintained

One thing that is a “quirk” I’ve found so far, despite the interact with desktop option in Services, you may need to execute dropbox.exe to get the System Tray icon to appear. This does cause a second DropBox process, though, so you should kill one of them.

Security Considerations

The biggest question to be asked in setting this up, from the Network Administrator’s point of view is “Does the convenience of this service create a less secure computing environment?”

There are a few things that are well documented in regards to security of @DropBox. Here are their statements in regards to security:

Shared folders are viewable only by people you invite
All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password
All transmission of file data and metadata occurs over an encrypted channel (SSL)
Dropbox website and client software have been hardened against attacks from hackers
Online access to your files require your username and password
Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable
Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)

In regards to @DropBox security standards, it does meet the minimum encryption standards for industry compliance, such as HIPAA and SARBOX. The one well documented problem with the security implementation is that you, the enterprise and owner of your data, have no access to or control of the encryption key.

The main question that is asked by Network Administrators is, is it as safe as a VPN? The answer is more a policy answer than a technical answer. I would say technically, yes, as far as the encryption in place. However, policy plays a big role here as well:

How secure are the devices that are accessing the data through DropBox?
What are the password policies
What are the lockdown/wipe policies of mobile devices, such as laptops, netbooks,and smartphones?
Who has access to the account credentials for DropBox?

Just as an employee can walk out the door to the office and leave it unlocked at the end of the day, similar security breaches can be made with a cloud computing service, or a local computing service. Any security that is put in place is only as good as the policies and practices of company employees to protect the enterprise. To provide the best security possible, at a minimum:

Only Network Administrators and authorized management level employees should have access to the credentials for the DropBox account(s).
Authorized personnel should install and setup the service
Security harden all devices that will be accessing company data from outside the company network.
Ensure your Acceptable Use Policies and Procedures up to date

Training is also important. Ensure that employees know how to work within @DropBox and manipulate files. Make sure they have learned and understand the ramifications of sharing folders and files.

These are a few considerations that need to be made. There are many more, such as using TrueCrypt or Windows BitLocker to enrypt files at the source and local cache, or how to create a secure publishing mechanism within @DropBox to publish files to your clients. For these considerations, a professional IT firm should be consulted. If you have any questions on this topic, feel free to contact us, and we’ll be happy to assist.

–Chris Dickens, Systems Enginner and Owner, ForthPhaze Technology, LLC

Preventing a Fake Antivirus Attack

We’ve seen a big surge recently in fake antivirus attacks. These virus and malware programs have been around for a couple of years but they’ve recently become much more dangerous and more difficult to remove from infected systems.

If you’re not familiar with this kind of attack, it uses a pop up window telling you that your system is infected with multiple viruses or that you no longer have antivirus protection. Google has images of dozens of different examples that you can look through here.

The point of this attack is to create a moment of panic and get you to click on the link to repair the problem. If you do that it will install malware on your computer and take you to a page where you hand over your credit card number to “fix” it.

Most users are smart enough to avoid falling for that, but that doesn’t mean you’re out of the woods. The creators of this pop up lied about your system being infected, they’re lying about fixing it if you click on their link - and they’re lying that clicking the “X” in the top right corner will just close the window. Clicking anywhere on the pop up will install its malware and virus programs on your computer.

One way to close the window without infecting your computer is with the ALT-F4 keystroke, which closes the active window. However, a safer method is to press Control-Alt-Delete (at the same time) and click on the button to open the Task Manager. A small window should open with tabs for Applications, Processes, Performance, etc. Click on the Applications tab and then close all of the applications running in that window, by clicking on each application once to highlight it and then clicking the End Task button at the bottom. Run a virus scan on your system immediately after the pop up closes.

The one bit of good news with this kind of attack is that it is easy to prevent. It works through a pop up window and most commonly comes through your internet browser. If you can prevent the pop up, you can prevent the fake warning from ever appearing on your system.

To prevent fake antivirus attacks, FIRST you should update to the latest browser of choice. If you are still using Internet Explorer 7.0 or older, update it immediately to IE8. Or, switch to Firefox. Both Internet Explorer and Firefox have good pop up blockers, but Firefox has a couple of advantages. First, the pop-up blocker in IE is set by default to “block most automatic pop-ups” and this has allowed the fake antivirus pop up to get through. (You can change this to block all popups in IE’s Internet Options/Privacy settings.) Second, the pop-up blocker in Firefox has been more effective at the default settings, but the big advantage Firefox has is a plug in available from their website that blocks practically all internet ads.

NEXT, you should also make sure your Windows version is kept up to date. Microsoft now includes a very good malicious software removal tool that can stop these infections before they get on your system, but it only works if your system is kept up to date.

LAST, make sure you’re using a good comprehensive antivirus suite. The variations in these viruses makes it impossible to recommend one brand as the best, but any antivirus and security suite from a reputable company (AVG, Norton, Trend, Microsoft) will give you much better odds of being protected than a basic antivirus program that only scans your email.

If you do get infected, contact us. A simple infection can be cleaned up quickly, and if you have a bad infection we’ll clean it up and help you with the next steps to protect yourself and your identity.

-Brian Igo, IT Support Specialist

How to Bypass Traditional Customer Service for a Better Experience

Last week, I was trying to solve a few technical problems on the job. One was an issue with a Watchguard firewall device. I won’t bore you with the details. My other problem was figuring out a great way to do time tracking on a smartphone that easily integrates with Quickbooks.

On Twitter last week, I posted a few questions regarding my Quickbooks problem, seeking advice or input from my followers on any suggestions they may have. I even sent a comment @Quickbooks so that Intuit would respond. Their response was lackluster, but in the posting the questions, I received a recommendation on @Tsheets. Within a day I also had a response from Jen Harris, from Tsheets.com and also received a phone call from her. We talked about their service, but also spent about 10 minutes talking about the power of social media for brand development engaging your target consumer.

On my Watchguard problem, I wasn’t necessarily searching for an answer on Twitter. I posted a rhetorical question, perhaps seeking sympathy from a fellow IT person, or a suggestion on how to find an answer. What happened next was interesting. Later that evening, I received an e-mail from Tracy Hillstrom, a product manager for Watchguard. Someone who knew tracy saw my pondering question on Twitter, and forwarded it.

The lesson to be learned here is this:

1.) The outsourced India-based call centers are dead.

2.) Companies are watching their brand image on social media.

3.) Because most social media is public, companies are much more responsive to questions, complaints, and customer service inquiries to keep the public opinion of the brand experience positive.

If you have a customer service issue with a company or product, try using a social media platform like Twitter to get some help. Even if the appropriate people are not following you, companies can monitor their brands through advanced search tools, because of the public nature of Twitter.

But there are some protocols that should be applied.

1.) Be honest, but be tactful. If you are frustrated, be frustrated, but don’t flame the brand, unless there’s no hope to correct the issue. A backlash can occur if you are too negative on these types of services.

2.) Be timely. Things happen quickly on social media, so if you post a question or inquiry, check back often for responses. If a customer service person or fellow “Tweep” (Twitter Peep, or friend) tries to help, but your trail goes cold for a few days, the desire to assist will fade quickly.

2.) Praise the action. If a business or a person comes through for you, be sure to give them their props. Online brand management is all about managing the image, so if you get good service, let everyone know.

Here is a list of companies and brands that are known to be on Twitter. Next time you have a customer service issue with any of these companies on Twitter, give them chance online to resolve your issue.

A Tech Industry Bailout

With all the news about banking and automotive bailouts in the fall, it got me to thinking about following question:

“What if the tech industry needed a bailout?”

What if we were to wake up one Monday morning to the announcement that Microsoft had run out of cash? Would the Federal Government just let the Microsoft monopoly collapse? What if the government bailed out the software and giant, and we suddenly were found ourselves in a situation where the government had a significant ownership stake in the operating system of 88% of the computers in production in homes and business throughout this country and worldwide?

Would you be ok with it? Or would you switch operating systems? In your home, that might not be such a daunting task. But try taking a business with 20 Windows workstations and a Small Business Server, with employees who have built work skills and processes around Windows over the years, to Linux and Mac.

Do you believe the U.S. government would abuse the power that it had over your computing environment? Do you believe that the government would eventually divest at a profit and go away, as we’ve been led to believe will happen with the banks? Or do you believe that the government would want to maintain nationalized control of the tech sector, just as many speculate that it wants a permanent nationalized stake in the U.S. banking industry?

What if Google was also out of cash and needed a bailout to stay afloat? How would you feel about a government bailout for Google, resulting in the government having ownership and access to all the data and information that Google has collected over the past ten years?

For IT professionals such as myself, who are tasked with thinking through “What if “ scenarios to build sound disaster recovery and continuity plans for businesses, the “What if the operating systems and productivity tools themselves went away, or needed to be eliminated from the equation?” is one that is quite perplexing.

Send me your thoughts.

Small Business Server 2003 Transition Pack Step-By-Step

Saturday night I ran the Microsoft Small Business Server Transition Pack for a client. This transition pack is not a widely used tool, as most people who have outgrown an SBS are usually in the market for a new server as well. This particular client had an SBS server installed just about a year ago, so the hardware reinvestment was not a good approach.

There are several blog posts and articles on preparation for the TP, and how Windows looks different after the transition, as well as what to do if the transition pack fails. However, the documentation seemed to be a big black hole in terms of the step-by-step process itself. With the documented known issues with running the TP being essentially disaster situations and non-functioning servers, needless to say it made the process quite unsettling going in.

Although I’m lacking in screenshots, here was my step-by-step experience with the transition.

1. Shutdown Backup Exec Services
2. Shutdown Symantec Antivirus Services
3. Shutdown VMware Services
4. Change 3rd party applications to manual startup
5. Export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Small Business key from registry
6. Delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Small Business key from registry

(Documentation suggests that you uninstall Internet Explorer 7 as well, but 6 was still installed on this system.)

7. Remove Ethernet cable
8. Launch TP from disc
9. Enter TP key
10. Enter administrator password
11. Reboot #1 (all reboots are automated)
12. Reboot #2
13. Reboot #3
14. Windows Setup Screen
15. Reboot #4
16. Windows Setup Screen
17. A prompt for the install.exe file on the SBS 2003 R2 Technologies disc. HUH??
18. Found SBS discs and the R2 Tech disc, there is no “install.exe” on the CD!!
19. PANIC!!
20. Found blog post saying you can ignore or cancel. Whew!
21. Finish automated setup
22. Reboot #5
23. Windows 2003 Standard Edition bootup screen
24. Activate Windows dialog
25. Plug in Ethernet adapter
26. Activate YES / Register NO – activate -> Success!
27. Reboot #6
28. TP Finish screen
29. Import HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Small Business key to registry
30. Start Backup Exec Services change to automatic startup
31. Start Symantec Antivirus Services change to automatic startup
32. Start VMware Services change to automatic startup
33. Add TP CALs

TOTAL TIME: 1 hour 54 minutes.

From here you are recommended to reinstall your service packs. So there is another reboot or two and another hour or two of work.

After running the Transition Pack, I seem to be questioning the option as a true value add. I am still unclear if the cost and time justifies the value gained in contrast to upgrading. Upgrading is often a harder sell of course, as some business owners are just reluctant to jump on the latest Windows release (I have a client that finally upgraded from Windows 2000 to Windows 2003 in October of this year!). But if you must use the TP, hopefully this post will help.

Special thanks to all the people who failed their way through the TP process in the past. You helped to add to the documentation of known issues of the mysterious Transition Pack, so your plight was not in vain!

A Geek's Chore List - Don't Forget to Dust-Off

On Thursday this week I assisted a client in moving their three production servers from a downstairs open office to an upstairs semi-closed environment, which had been converted from a storage closet. The room had been properly prepped with a thorough cleaning and its own climate controls and HVAC system [The client is an HVAC company in town]. They were also installing a new security system in the same room. The primary reason for making this move was for disaster purposes. The building, while not necessarily in a flood plain, had seen some disturbingly close water in the spring flood of Bloomington and southern Indiana. So they made a decision to move all of their security, I.T., and other electronic systems upstairs.

The old location of the servers was just inside the office door from the machine shop, where they draft custom duct for HVAC installations. There is a lot of dust and debris that carries over into the office. In addition, the office is frequented by their field technicians, who tend to get dirty on the job as they work in construction sites and outside in the dirt and mud. They frequently carry that dirt into the office on their clothes. Needless to say, the air in the office was anything but clean, despite a good air system in the office area.

During the move on Thursday, we popped open the cases of each server and sprayed dust-off inside the servers for the first time in probably a year. The amount of dust and dirt that came out of those servers was simply shocking. Shortly upon spraying one down, an employee walked in the office and his first comment was, “Why is it cloudy in here?”

We completed the dusting of Pigpen and his two siblings, and then I proceeded to have a 10 minute sneeze attack. I probably lost a couple months of life expectancy based on the amount of dirt I inhaled.

According to ComputerDust.com, integrated circuits (ICs) can suffer from overheating as a result of the insulating affect of dust as well as suffer from electrical shorts caused by dust across their contacts. Tests show that the internal temperature of a CPU can go up as much as 30 degrees due to a buildup of dust. While we cannot predict the lifespan reduction of operating a PC in an environment that has a higher concentration of dust than what would be considered normal conditions, it can be reasonably concluded that reducing dust in the operating environment and in the CPU case will reduce the risk of failure.

There are a few mitigating approaches to reducing dust:

1. Use Dust-off regularly. You should use dust-off around the open areas of your PC, such as the case vents, the power supply fan, and any other venting fans, on a monthly basis. PCs should opened up 3-4 times per year for inside cleaning.

2. Use a dust cover. They are relatively inexpensive and will sufficiently keep dust out of your computer.

3. Invest in a PC Air Filter. Also relatively inexpensive, operates just like your air filter in your home’s heating/cooling system.

utilizing these options will reduce risk of failure and provide some piece of mind. Just to be clear, ForthPhaze Technology will do no other chores beyond dusting – no window cleaning or lawn maintenance! (Unless the rate is good…)

Also, beware of the dangers of Dust-off. Don’t try these tricks at home!

Security Notice from Sunbelt Regarding VIPRE Update

I just received the following email below regarding a problem with a VIPRE update.

Last week there was an isolated incident that may compromise an operating system component. It was corrected with the next definition release, however some agents had the definitions long enough to still be affected. The affected computers will not reboot without a system restore. If you experience this in your environment, DO NOT reboot any additional computers until the following utility has been applied.

We have created steps to remedy this problem. You should follow these steps if you have version 3.1 of any CounterSpy or VIPRE agents installed on computers prior to October 20, 2008.

The instructions below will use the CSE/VIPRE console deployment to push out a utility. This utility was created specifically to remedy this problem. After this utility is run on the agent, it will be safe to reboot the machines. This utility takes 15 seconds to run (per agent) and will not require a reboot or otherwise change the installed agent or disturb the end user.

The goal of this utility is to delete these files:

C:\Windows\System32\sbfc.dat
C:\Program Files\Sunbelt Software\SBEAgent\definitions\sbts.dat

1. Stop the Counterspy/Vipre Enterprise Service.
2. Close the Counterspy/Vipre Console.
3. Navigate to the Counterspy/Vipre install directory.
4. Rename the Packages folder to Packages-Clean.
5. Save http://www.sunbeltsoftware.com/support/vipre/stopbootquar/packages.zip to the CSE/VIPRE install directory.
6. Extract the new Packages folder.
7. Start the Counterspy/Vipre Enterprise service.
8. Log onto the Counterspy/Vipre console.
9. Change the Deployment Timeout to 15 seconds. (System->Configuration->Advanced Settings)
10. Add “SBEAgentDeployW.exe” and “STOPBO~1.EXE” to the Admin-defined good for all policies. (Make sure to click the Good tab to prevent accidentally adding these to the Known bad).
11. Wait for the deferred work to be processed for all Installed agents.
WARNING: All agents with a status of “installed” must process their deferred work before proceeding. Failure to do so will result in this patch NOT being applied.
12. Deploy to a test agent using the Push method from the console.
13. Reboot the test agent to verify that the patch was correctly applied.
14. Apply the patch to each policy by selecting all the agents and then Deploying via the automated push method.
15. Test at least one machine from each policy before allowing all the agents to reboot. If the patch did not take, double check the exclusions and push it out again.

Once all machines have the patch applied, you can then replace the install package with the original.
1. Stop the Counterspy/Vipre Enterprise Service.
2. Close the Counterspy/Vipre Console.
3. Navigate to the Counterspy/Vipre install directory.
4. Delete the Packages folder.
5. Rename the Packages-Clean folder to Packages.
6. Start the Counterspy/Vipre Enterprise service.
7. Log onto the Counterspy/Vipre console.
8. Change the Deployment Timeout back to 120 seconds. (System->Configuration->Advanced Settings)

You can contact our support department if you have any questions on this or run into any issues. Support can be reached at support@sunbeltsoftware.com or by calling (877) 673-1153 Monday through Friday 9 a.m. to 6 p.m. EST.

We apologize for any inconvenience that this may cause.

Thank you,
Sunbelt Software