
Friday 29 April 2011

Fake Anti Virus Applications and how to remove them

I often get customers who have had a drive-by download and ended up with a fake anti-virus application on their PC. It usually pops up windows all over the screen and we get a support call to get rid of it. The usual culprits are users who have to run as local administrators, but not always: on Windows XP, where user accounts are typically administrators anyway, pretty much anyone is at risk.

The key to these is to find the rogue task in Task Manager. You can usually spot it because its description is poorly written, just repeats the exe name, or is missing altogether. Note the exe name and terminate the process; the fake anti-virus windows should close, and now you know you have the right file.

Search the registry for this file name. You should find that the two shell open commands below have the malware's exe path inserted into the open command, so the rogue exe is launched every time any .exe or .com file is run (which is also why it comes straight back if you only kill the process):

•HKEY_CLASSES_ROOT\exefile\shell\open\command
•HKEY_CLASSES_ROOT\comfile\shell\open\command

The default value for each of these should be "%1" %*

If the value contains the malware exe path, reset it to the default here and then delete the exe file. Remember that HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, and the per-user copy wins, so check both if the value in HKEY_CLASSES_ROOT does not match what you expect.

You should now find the fake Anti Virus malware is removed.
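The procedure above as a script, added here as an example rather than anything from the original post. It audits the two handler keys (in the merged HKCR view and the per-user hive), extracts the exe path from any hijacked value, and with -Fix kills the matching process, resets the keys and deletes the file. It assumes PowerShell 2.0 or later on the affected machine, an elevated prompt, and that the hijacked value has the usual layout of a quoted exe path followed by "%1" %*; the regex that pulls the path out is an assumption based on that layout.

```powershell
# Added example, not from the original post: audit (and with -Fix, repair) the
# exefile/comfile shell\open\command handlers that fake AV hijacks so that the
# rogue exe runs every time any program is launched. Assumes PowerShell 2.0+ on
# the affected machine and an elevated prompt (HKLM-backed keys need admin).
# The regex that pulls the exe path out of a hijacked value is an assumption
# about the usual "C:\path\rogue.exe" -a "%1" %* layout.
param([switch]$Fix)

$Expected = '"%1" %*'

# HKCR is a merged view in which HKCU\Software\Classes overrides
# HKLM\Software\Classes, so check the per-user hive explicitly as well.
$CommandKeys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\comfile\shell\open\command'
)

# Some variants leave exefile alone and re-point the extension at their own ProgID.
$ExtensionKeys = @{
    'Registry::HKEY_CLASSES_ROOT\.exe' = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\.com' = 'comfile'
}

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return $null }
    return (Get-ItemProperty -Path $Path).'(default)'
}

$hijacked = @()   # keys whose (Default) differs from the expected value
$suspects = @()   # exe paths extracted from those values

foreach ($key in $CommandKeys) {
    $value = Get-DefaultValue $key
    if ($null -eq $value) { continue }
    if ($value -eq $Expected) { Write-Host "OK       $key"; continue }
    Write-Warning "HIJACKED $key = $value"
    $hijacked += $key
    if ($value -match '"?([A-Za-z]:\\[^"]+?\.exe)"?') { $suspects += $Matches[1] }
}

foreach ($key in $ExtensionKeys.Keys) {
    $value = Get-DefaultValue $key
    if ($value -and $value -ne $ExtensionKeys[$key]) {
        Write-Warning "$key points at ProgID '$value' instead of '$($ExtensionKeys[$key])'"
    }
}

$suspects = $suspects | Select-Object -Unique
$suspects | ForEach-Object { Write-Host "Suspect executable: $_" }

if ($Fix) {
    # Kill the rogue process first (by name, as you would in Task Manager),
    # otherwise it can rewrite the keys behind you and the file stays locked.
    foreach ($exe in $suspects) {
        $name = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    foreach ($key in $hijacked) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $Expected
        Write-Host "Reset    $key"
    }
    foreach ($key in $ExtensionKeys.Keys) {
        $value = Get-DefaultValue $key
        if ($value -and $value -ne $ExtensionKeys[$key]) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $ExtensionKeys[$key]
        }
    }
    foreach ($exe in $suspects) {
        if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force }
    }
}
```

Run it once without -Fix to see what it finds, then with -Fix. If the hijack also intercepts powershell.exe itself (it is an exe, after all), launch it from a clean environment such as safe mode or a .com/.scr copy, as you would with regedit.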

Thursday 28 April 2011

Windows 2008 Boot.ini

A good point to note is that Windows Server 2008 no longer uses the boot.ini file to determine which partition to boot from. The boot configuration is now held in the BCD store and is edited with the command-line utility bcdedit.exe.

For example, if you want to rename the entry for your primary boot partition as it is displayed in the boot menu when Windows starts, use this command:

bcdedit /set {current} description "Windows 2008 Server Primary"

There is a lot more to this utility, but it is worth knowing that it is there!
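The rename above with the safety steps a practitioner would want around it, added here as an example and not part of the original post: export the BCD store first, check the entry, make the change, and keep the rollback command to hand. C:\bcd-backup.bcd is an assumed path. The braces in {current} are quoted because PowerShell would otherwise parse them as a script block; from cmd.exe the quotes are not needed.

```powershell
# Added example, not from the original post: back up the BCD store before
# editing it, rename the current boot entry, verify, and show the rollback.
# C:\bcd-backup.bcd is an assumed path; '{current}' is quoted for PowerShell.
bcdedit /export C:\bcd-backup.bcd
bcdedit /enum '{current}'
bcdedit /set '{current}' description "Windows 2008 Server Primary"
bcdedit /enum '{current}'
# If the edit went wrong, restore the store from the backup:
# bcdedit /import C:\bcd-backup.bcd
```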

Monday 11 April 2011

Upgrade DSL firmware on a Cisco Router

I had to upgrade the firmware on a Cisco 877 recently, so I thought I would outline the best way to do this.

First, download the ADSL firmware from Cisco; you will need a SMARTnet contract for this. The file will be named something like adsl_alc_20190.3.0.017.bin.

Next, TFTP the file to the router. I use a basic TFTP server and save the file in the root of flash. You may notice there is no existing firmware file for the router's current firmware; this is normal if the firmware is embedded in the IOS image. You can check this with the show version command: look for the F/W output and see whether it is set to embedded.

Once the file is on the router, rename it to remove the version number part:

adsl_alc_20190.3.0.017.bin is renamed to adsl_alc_20190.bin

Then reload the router and the new firmware is loaded. Bear in mind the reload drops the DSL line, so do it in a maintenance window.
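The whole procedure as an 877 CLI session, added here as an example and not taken from the original post. 192.0.2.10 is an assumed TFTP server address and the filename is the one from the post; substitute your own. The verify /md5 step is an added check: compare the hash with the one Cisco publishes for the download before you rename the file and reload, so a corrupt or tampered transfer never becomes the boot-time firmware.

```cisco
! Added example, not from the original post: copy the new ADSL firmware to
! flash over TFTP, check its hash, rename it and reload. 192.0.2.10 is an
! assumed TFTP server address.
Router# show dsl interface atm 0
Router# dir flash:
Router# copy tftp://192.0.2.10/adsl_alc_20190.3.0.017.bin flash:adsl_alc_20190.3.0.017.bin
Router# verify /md5 flash:adsl_alc_20190.3.0.017.bin
Router# rename flash:adsl_alc_20190.3.0.017.bin flash:adsl_alc_20190.bin
Router# dir flash:
Router# reload
! After the router comes back, confirm which firmware the ATM interface loaded:
Router# show dsl interface atm 0
```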

Trend Micro Office Scan Hotfix Issue

I recently deployed version 10.5 of OfficeScan and, following best practice, installed the latest service pack and hotfix from Trend Micro. As part of our test process we found that the clients showed as online on the client side but offline on the server side.

We worked through the usual troubleshooting of firewalls and ports, and then noticed that creating a client package to install with failed with an error that files could not be found.

A quick look in the OfficeScan folders showed several files renamed with an _INVALID extension, and the System event log had multiple entries with ID 900 stating that OfficeScan had detected invalid digital signatures and renamed the files.

It turns out that the latest hotfix for OfficeScan 10.5 checks the digital signatures of the OfficeScan files and, as a safety measure, renames any that are not signed correctly. The problem is that the files are not signed as the check expects, so OfficeScan effectively disables itself for you.

The details are logged in this KB:

http://esupport.trendmicro.com/Pages/Tscexe-keeps-being-renamed-to-Tscexeinvalid-when-applying-bandage-Damage-Cleanup-Engine.aspx?print=true

It is pretty poor testing when a hotfix disables the product so severely. Boo Trend Micro.

Friday 8 April 2011

DCdiag fails over IPSEC Tunnel

I had a server behind an IPsec tunnel between two Cisco 1841 routers, and when running dcdiag the Locator check was failing. The verbose dcdiag output noted that UDP packets to the destination servers were being either dropped or fragmented.

I looked at the syslog on the Cisco 1841 and could see UDP packets between the two servers being dropped. I checked the class map used by the policy map: udp was listed at the bottom of the class map, but it was not being matched.

I then created a new class map for the UDP protocol, added it to the policy map with the inspect action, and dcdiag worked. I used inspect logging on the policy map to show this in the syslog.

It is strange behaviour that the UDP packets did not match even though they were in the right class map, but I needed a solution, so I created a new user-defined port-map for LDAP over UDP on port 389 and then a new class map and a policy-map inspect class for it:

! user-defined port-map names must start with "user-"
ip port-map user-ldap-udp port udp 389
!
class-map type inspect match-any cmap-ldap-traffic
 match protocol user-ldap-udp
 exit
!
policy-map type inspect ccp-inspect
 class type inspect cmap-ldap-traffic
  inspect
  exit
 exit
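The checks to run after applying the configuration above, added here as an example and not part of the original post: confirm the port-map, class map and policy map look as intended, turn on logging of dropped packets so the syslog names the class that dropped them, and look at the live sessions. The zone-pair names are not given in the post, so the session command is run across all zone-pairs. One caveat worth keeping in mind: a zone-based firewall policy evaluates its classes top down and the first match wins, so if an earlier class in ccp-inspect also matches this traffic with a different action, the new class will never see it, and the order of classes in the policy map needs changing.

```cisco
! Added example, not from the original post: verify the LDAP/UDP class is
! applied and matching, and log drops so the syslog shows which class is
! responsible. Zone-pair names are not given in the post.
Router# show ip port-map user-ldap-udp
Router# show class-map type inspect cmap-ldap-traffic
Router# show policy-map type inspect ccp-inspect
Router# configure terminal
Router(config)# ip inspect log drop-pkt
Router(config)# end
Router# show policy-map type inspect zone-pair sessions
```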