Wednesday, December 15, 2010

Yahoo toolbar causing Internet Explorer 8.0 to crash

I had one of my users come and grab me saying that their Internet wasn't working. Anyone who has worked long enough with computers knows this can mean anything, but since I had just been using the Internet to pull up some information, I knew it wasn't building-wide.

I followed her to her desk and she launched Internet Explorer 8. It opened and then instantly closed itself. Odd. I opened it myself and it did the same thing but stayed open a little longer. I popped open Task Manager to ensure nothing funny was happening. Didn't see anything funny. I jumped into "Internet Options" and changed the home page to http://www.google.com/ since it is really basic and I thought maybe a page was causing the problem.

Opened IE again and this time it would stay open, but the one tab kept crashing and recovering over and over again. I went ahead and went through the same process as above and changed it to a blank page, then reopened IE. Same behavior.

I thought maybe it was possibly malware behavior but wasn't really sure. Fired up Process Explorer and Process Monitor by Sysinternals. Process Monitor didn't seem to show anything odd. I then went to Process Explorer, thinking that it was probably a DLL loaded into IE that was causing the problem. Went to Properties, and then Threads, for iexplore. I noticed one of the DLLs that was pretty active was yt.dll. I looked at the top of IE and noticed a toolbar; after searching to confirm my thoughts, the DLL belonged to the Yahoo toolbar. I uninstalled the toolbar and reopened IE. It was working fine.

Not sure what changed that caused the sudden problem; no updates happened in that time frame, but if you start to have the same problem I hope this helps.

UPDATE - I am seeing a lot of traffic on this post, and from the comments we can tell it's happening to multiple people and it started today. I only had one user with the problem. I saw a Yahoo question about this; apparently with Vista it will tell you that the Yahoo toolbar is the problem, which would have made the problem easier. My user had XP and it told me nothing other than crashing. I will be contacting Yahoo, if they don't already know. Curious if it's a certain toolbar version.

UPDATE 2 - I did see that the following update got installed yesterday on the computer: KB2079403. You can read the following link by Microsoft, http://support.microsoft.com/kb/2079403, and it seems to apply to all versions of Windows. Dark stated he had a similar issue but that he had no such update, and his last update was 11/19. So further proof it's most likely not a Microsoft update.

Update 3 - It looks like the problem probably had to do with an older version of the toolbar. Most people don't update theirs. What caused it to break today is still a mystery.

FOR THOSE WANTING JUST THE FIX AND NOT THE STORY
-Just uninstall the Yahoo toolbar.
-Install the latest version of the toolbar if you still want it. (The latest version seems to be working.)
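For anyone who wants to repeat the Process Explorer step without clicking through thread lists, here is an added PowerShell example (mine, not from the original post) that lists every DLL loaded into running iexplore.exe processes whose Authenticode signer is not Microsoft, plus the toolbars and Browser Helper Objects registered for IE with the DLL each one maps to. The registry paths are the standard IE add-on locations; treat the "not signed by Microsoft" filter as a starting point, since legitimate add-ons show up here too.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell window
# while IE is open. A 64-bit PowerShell cannot read the module list of a 32-bit
# iexplore.exe, so on 64-bit Windows run the PowerShell that matches the browser.

function Get-IEForeignModules {
    # Every module mapped into iexplore.exe whose Authenticode signer is not Microsoft.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $modules = $proc.Modules } catch { Write-Warning "PID $($proc.Id): $_"; return }
        foreach ($m in $modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Pid       = $proc.Id
                    Module    = $m.ModuleName      # e.g. yt.dll for the Yahoo toolbar
                    Path      = $m.FileName
                    Signer    = $signer
                    SigStatus = $sig.Status
                }
            }
        }
    }
}

function Get-IEAddons {
    # Toolbars are registered as value names under ...\Internet Explorer\Toolbar and
    # Browser Helper Objects as subkeys under ...\Browser Helper Objects, both keyed
    # by CLSID. Each CLSID resolves to its DLL through HKCR\CLSID\<clsid>\InprocServer32.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $key    = Get-Item $root
        $clsids = @($key.GetValueNames() | Where-Object { $_ -like '{*}' }) +
                  @(Get-ChildItem $root | ForEach-Object { $_.PSChildName })
        foreach ($clsid in ($clsids | Select-Object -Unique)) {
            $dll = '<not registered>'
            # 32-bit add-ons on 64-bit Windows live under the Wow6432Node CLSID branch.
            foreach ($branch in 'CLSID', 'Wow6432Node\CLSID') {
                $server = "Registry::HKEY_CLASSES_ROOT\$branch\$clsid\InprocServer32"
                if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)'; break }
            }
            [pscustomobject]@{ Source = $root; CLSID = $clsid; Dll = $dll }
        }
    }
}

Get-IEForeignModules | Format-Table -AutoSize
Get-IEAddons         | Format-Table -AutoSize
```

If a DLL shows up in the first list and its path matches an entry in the second, you have the add-on responsible without guessing from thread activity; uninstalling it (or disabling it under Manage Add-ons) is the fix the post arrived at.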

Friday, December 10, 2010

Using Sysinternals Desktops to assist in removing a virus

Sysinternals Desktops

I was asked by a friend to look at a computer that was acting funny; they thought that it had a virus. After working on the computer for a little while I didn't notice anything that really popped out. But I went to install Microsoft Security Essentials and it would never complete. It wouldn't lock up the computer, and the progress indicator kept spinning. I also noticed that shutting down and starting up was taking longer than it should.
After realizing something was up I opened Task Manager and didn't notice anything odd. Winlogon was being more active than it should be, though; something I only noticed because I was trying to see what might be conflicting with the MSE install.

So I decided to start diagnosing and pulled over the Sysinternals suite to look around. Weirdly though, any time I tried to open Process Monitor, Process Explorer or RootkitRevealer, they would open for about a second and then close again.

I was confident at this time that there was a virus on the computer. For testing I named a text document “Process Explorer” and opened it. It also was force-closed shortly after. I knew this was a pretty sure sign that I had something to wrestle with. I also noticed a weird rar.exe file sitting hidden on the jump drive I used to move files over. I would delete it and it would return while plugged into the computer, so I had a pretty good guess that the program would propagate itself using jump drives. After a reboot I was able to get MSE to install, but left it alone so I could figure out the virus.

So I set out to find a way to start Process Monitor or Process Explorer, since I knew if the virus didn't want me opening these tools, then I would be able to use them to find my solution. In trying to figure out how to trick the program I tried renaming the programs, which still didn't work. After a little bit I saw the Sysinternals Desktops application in the suite and wondered how it went about creating multiple desktops in the background. I thought (or had a small hope) that maybe the virus wasn't smart enough to notice apps running inside a different desktop. After running Desktops and opening a second desktop I was able to open, in that second desktop, Process Monitor and Process Explorer.

I restarted the computer, wanting to ensure that it was Desktops and not something I had done earlier that allowed me this. After Windows loaded I had the same problem of not being able to run Process Monitor and Process Explorer. I fired up Desktops again and in the second desktop I was again able to get them running fine. Desktops will forever be in my antivirus removal box because of this.

I didn't notice anything funny in Process Explorer, and everything was listed as Microsoft signed. The machine was actually very clean for a home user. So I ran Process Monitor for a minute and stopped it, looking for any peculiar behavior. After looking through I noticed what I had noticed earlier: winlogon was showing up way more than normal. After filtering to include only winlogon I noticed that a little under every second it would check a key here:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acdcacaeaacbafbeaa

Process Monitor of Winlogon Activity - Part 1

Process Monitor of Winlogon Activity - Part 2

And then all the subkeys. The funny random name of the key was a bad sign. I popped up regedit and saw that it also had a DLL with the same random key name as its file name, located in the system32 folder of Windows. I was pretty confident this was my problem. I exported the key just to be sure and then deleted it. Right away the key was back.

I also noticed it would look at PendingFileRenameOperations and also a value called Blud under the Winlogon key. With all this info I then went back to installing MSE; after it installed I manually installed the latest definitions, which I had downloaded earlier. I right-clicked the DLL acdcacaeaacbafbeaa.dll in the System32 folder and told MSE to scan it. It then said that it had found WORM:Win32/Swimnag.gen!A.dll. I did a search and came up with this link from Google: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3aWin32%2fSwimnag.gen%21A

I checked that the DLL was gone; good job, MSE, on keeping it gone. I was then able to go into the registry and delete the blub key located at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

I also noticed the associated key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acdcacaeaacbafbeaa" was no longer there. After reviewing the scan history on the computer I pulled up the log and noticed MSE had removed it too.

After watching taskmgr.exe and running a Process Monitor session I could see that winlogon was back to normal. I restarted the computer one more time to see if this time it would boot normally. It did. Also the computer stopped placing the hidden Autorun.inf and rar.exe on the jump drive. The computer was overall a lot more responsive. At this point I did a full scan with MSE and discovered no further problems.
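Here is an added PowerShell triage script (mine, not from the original post) that checks the same places the worm showed up in, without needing Process Monitor: the Winlogon\Notify packages and the DLL each one loads, any unexpected values under the Winlogon key itself, PendingFileRenameOperations, and a hidden autorun.inf on removable drives. It is read-only. The key names come from the post; the "expected value" list and the random-name heuristic are my own assumptions and will need tuning for your builds.

```powershell
# Added example, not from the original post. Read-only triage; run elevated.
# Winlogon\Notify packages are only loaded on XP/2003. On Vista and later the key is
# normally absent, so anything found there on a newer OS is itself worth a look.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonNotifyPackages {
    $notify = Join-Path $Winlogon 'Notify'
    if (-not (Test-Path $notify)) { return }
    foreach ($pkg in Get-ChildItem $notify) {
        $dllName = (Get-ItemProperty $pkg.PSPath).DLLName
        # A bare file name is loaded from System32, which is where the worm's DLL lived.
        $path = if ($dllName -and -not [IO.Path]::IsPathRooted($dllName)) {
                    Join-Path $env:SystemRoot "System32\$dllName" } else { $dllName }
        $status = if ($path -and (Test-Path -LiteralPath $path)) {
                      (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Package   = $pkg.PSChildName
            Dll       = $path
            Signature = $status
            # Assumption: real packages have readable names; a long run of the letters
            # a-f only (like acdcacaeaacbafbeaa in the post) looks machine-generated.
            Flag      = ($status -ne 'Valid') -or ($pkg.PSChildName -match '^[a-f]{10,}$')
        }
    }
}

function Get-WinlogonOddValues {
    # Values commonly present on a stock Winlogon key (assumption: extend for your builds).
    # Shell and Userinit are always reported because malware likes to append itself there.
    $expected = 'Shell','Userinit','VMApplet','DefaultUserName','DefaultDomainName',
                'AutoAdminLogon','LegalNoticeCaption','LegalNoticeText','ReportBootOk',
                'PasswordExpiryWarning','PowerdownAfterShutdown','ShutdownWithoutLogon',
                'AutoRestartShell','Background','CachedLogonsCount','DebugServerCommand',
                'ForceUnlockLogon','WinStationsDisabled','ScRemoveOption','ShutdownFlags',
                'DisableCAD','LastUsedUsername','PreCreateKnownFolders'
    $key = Get-Item $Winlogon
    foreach ($name in $key.GetValueNames()) {
        if (('Shell','Userinit') -contains $name -or $expected -notcontains $name) {
            [pscustomobject]@{ Value = $name; Data = $key.GetValue($name) }
        }
    }
}

function Get-PendingFileRenames {
    # Windows uses this to replace locked files at boot; malware uses it to delete or
    # replace security tools before they can start. The worm kept reading it.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $sm.PendingFileRenameOperations | Where-Object { $_ }
}

function Get-RemovableAutorun {
    # A hidden autorun.inf plus rar.exe on the jump drive was the spreading mechanism.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $item = Get-Item -LiteralPath $inf -Force
            [pscustomobject]@{
                Drive      = $_.DeviceID
                Attributes = $item.Attributes
                # The open= / shellexecute= lines name what gets launched.
                Launches   = (Get-Content -LiteralPath $inf -Force) -match '^\s*(open|shellexecute)\s*='
            }
        }
    }
}

Get-WinlogonNotifyPackages | Format-Table -AutoSize
Get-WinlogonOddValues      | Format-Table -AutoSize
Get-PendingFileRenames
Get-RemovableAutorun       | Format-List
```

A Notify package whose DLL is unsigned or missing, or a Winlogon value you do not recognise, is what you export (as the post did) before touching anything, so an AV vendor or a second pair of eyes can confirm it.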

CONCLUSION – I have tried to see if anyone else has used Desktops to prevent a virus from closing applications and posted the story online, but haven't seen it. I don't think this was an intended use of Desktops, but it is very interesting nonetheless. I would love to hear if this works for other viruses.

NOTE - Microsoft's stance is normally that after your system has been compromised you should reinstall the computer. I didn't do it here because I was feeling challenged at the time, and didn't have the disks for this person's computer. Normally I do reinstall.

UPDATE - Shared this with Mark Russinovich, and based on what I described, the program was checking the window titles using window enumeration, which only works for the current desktop. That is why I was able to use Sysinternals Desktops to create another desktop to open Process Monitor and Process Explorer.

Wednesday, November 10, 2010

FREE Windows Timer Application to replace SteadyState Timer

So I have worked with a library that currently uses SteadyState. As we were getting ready to migrate to Windows 7 and new computers we found out that the compatibility was non-existent. So we couldn't use SteadyState. Then just recently Microsoft came out to state that they were going to end support for SteadyState eventually anyway.

You can still download SteadyState till the 31st of December, after which no more. You can read that announcement here. They also released some documents which help you duplicate many of the features of SteadyState, which Keith Combs covers in one of his blog posts here. I recommend reading the blog post and snagging all three documents.

One of the things you discover though is that the timed log-off/shutdown/restart functionality just isn't there. You could use a script to log them off, but then the user never knows how much time they have before reboot or log off. So I went ahead and wrote a little program to duplicate this behavior.

It allows you to set whether you want it to restart, log off, or shut down when the time ends. It will display a bubble in the bottom right corner counting down the time. You may have different times for different users. Also there is no installer, just the exe, the readme, and an example registry value. I recommend putting a key in the registry under the Run value for Windows. Seems to work great. If you have any questions please contact me at mortythe2 @ gmail . com no spaces. Or leave comments here.

Download Here

Friday, October 15, 2010

Change IP Address of EBS Conflict with router

So I am one of the handful of people that purchased EBS, no laughing. Normally it has been a good product. Recently though I had the need to move our Management server to another location, which involved another subnet.

One of the things you really want to remember is that you must change its IP address first and then move it. The reason is that you are strongly recommended by Microsoft to use their "Change IP Address Settings" wizard. This wizard checks connectivity with the other two servers and makes changes to them. This is fine, but I ran into a little problem. Something I am not new to.

Sadly the setup of EBS was a royal pain. After it was set up it was fine, but I have not been in any way impressed with their wizards, setup or otherwise. Maybe for some they worked, but I think it's just that updates broke them and the EBS team had given up the ghost, even before the announcement was made.

Anyways, back to the story. After firing up the wizard and having it do its check, it provides you a box to change the IP Address, Subnet Mask, and the Gateway. After changing the Gateway and IP address it came up with the error you see in the picture above: "The selected IP address is already in use by another system with physical address XX-XX-XX-XX-XX-XX." (In the picture above I changed the hardware address.)

So I double-checked to ensure the address I gave it wasn't already used. I then moved to an IP above. Got the same message with the same physical address. Tried 4 other IPs, all the same physical address. So I checked the ARP table. That physical address was tied to my router. A tad odd. Any address from the other subnet I put in there gave me that error. I have never had any other product point to my router like this. So after doing no searching I tried my own solution, which worked.

Right after you enter the IP address, but right before you click on the "Change" button, it is going to do a check to see if that IP address is in use, which in my case was broken and stopped me from working. So right before clicking "Change", unplug the server from the network, and as soon as the "Progress of IP address change" screen (the next screen) comes up, quickly plug it back in. If you don't, then you will get errors on this screen and will have to close the wizard and try again.

After using the unplug method to skip the error check I was able to move the server. Problem was I had to change some of the Security Server firewall settings. For example, I had to change the IP address of my Management computer under these two computer sets:
  • Remote Management Computer
  • DNS Servers
I also had to update a few other custom policies; after that, though, it straightened all of that out. You will also need to update some group policies. Follow the instructions at this TechNet link: http://technet.microsoft.com/en-us/library/dd996618(WS.10).aspx

You can also check all that it does or should change by going to this link: http://technet.microsoft.com/en-us/library/cc540075(WS.10).aspx . Hope this helps anybody else out that may run across this.

Wednesday, October 6, 2010

Symantec = Fail or windows cannot load the user's profile

So I recently started fixing personal computers again and remembered why I hate doing it. Anyways, I was asked to look at a slow laptop. After taking it home I connected it to the Internet after noticing it appeared to be virus free. I ran a defrag and it ran some updates.

After doing this and rebooting I saw a screen I didn't like. I was getting a 16-bit 640x480 welcome screen. It gave me the error: "Windows cannot load the user's profile but has logged you on with the default profile for the system. Detail - Insufficient system resources exist to complete the requested service." Ugh, and it was giving me an error about bcmwltry.exe. So I rebooted into Safe Mode and tried to do a restore. Restoring to earlier that day succeeded, but I was getting the same problem. So I tried a restore point from before I had touched it and it wouldn't restore. :( I then removed the Dell Wireless utility to at least get rid of the bcmwltry.exe error, to see if I would get any more.

I also created a new user just to check. After rebooting I then selected the new user and got the following error: "userinit.exe - The application failed to initialize properly (0xc000012d)." After looking around I found two forums mentioning Symantec Antivirus as a possible culprit after it had gotten an update of some kind. I am sure that while I had it connected to the Internet it had done this.

So let me state first off: I have already had numerous problems with various versions of Symantec in the past, don't like it, and if I have the choice I uninstall it. I hadn't done this yet because the user had an up-to-date subscription and I hate to remove a product that someone has paid a subscription for.

Continuing on with the story, I went ahead and in Safe Mode ran msconfig and killed all Symantec-related startup items. Also disabled all the services. A reboot later and still no go. I took it a step further in Safe Mode. I renamed the following three folders:

  • C:\Program Files\Common Files\Symantec Shared 
  • C:\Program Files\Symantec
  • C:\Program Files\Symantec Antivirus
I just added .old to the end of the folders. After a reboot I had the beautiful welcome screen I loved. And guess what, the system was speedy as all get out. That was a good enough excuse for me to remove Symantec. I renamed all three folders back to what they were and did an uninstall of anything Symantec.
After this I went about my normal computer cleanup steps and installed a free antivirus solution. I predict a very happy client.

MORAL OF THE STORY - Beware of Symantec - (aka If you start having problems with your computer check your Symantec Antivirus Software)

Thursday, August 12, 2010

The Cheap Panic Button for the Avaya IP office System

To create a Panic button in Avaya IP Office

In moving to a new phone system and a new building I was tasked with finding a solution to the panic button that might be cheaper. Previously it required us to set up buttons in all locations as well as having to pay an alarm company to monitor the system. It involved another phone line.

So we ended up choosing the IP Office solution. After chatting with my Avaya partner he said it could be done, but the phone would be on the hook the whole time. Not very discreet for a panic button, so I worked at it.

What you need to do is open up your Voicemail Pro Manager. Create a new module; I called it Panic, but that is up to you. It will start you with a “Start Point.” You will be adding a Post Dial action, so under Misc. you need to select “Post Dial” and click somewhere on the white space below.

Now double-click on the box to open it up. Change the “Token Name” to something you would remember. Now you are going to need to record a message for the system to use. So go to “Entry Prompts” and click the + button. Set it to use your “Telephony Handset” extension. Put a name for the file; I called mine Panic. Hit the record button. Go through the process of recording the file until you like it. After you are done, make sure you note the full path and file name for that recording. Press the “Close” button and click the “X” button to delete that prompt.

Go under “Specific” and click “Post wave file” and check “Play out a looped wave file.” In the first box type or paste the full path to the wav file you recorded earlier. In the next box put in the number you want it to call; remember to add a 9. (I recommend testing this on a number other than 911 or emergency dispatch first, since while testing you don’t want to bug them to death and send out the cops.) If you want it to page a page group, then type “PAGE:” and then the number of the page group.

Press “OK” and then draw a “connector” line between “Start Point” and the Post Dial action you just created. At this point you could also add other numbers for it to dial. You would just create another Post Dial action, follow the steps above, and add a connector line to it from the previous Post Dial action. When done, press the “Save & Make Live” button. Close out “Voicemail Pro Client.”

Open “IP Office Manager” and go to Short Code. Add a new Short Code and put in whatever code you want; I used *85. Change the feature to “Voicemail Collect”. Under Telephone Number type in the name of the module that you created in “Voicemail Pro Client”, in my case “Panic”, and this time put quotes around the name. (The quotes may not be necessary.) Leave the Line Group Id as 0. Merge the changes.

Now you could dial the short code on your phone to test. It would work great. Problem is, when in a panic you don’t want to be pressing a combination of 3-5 buttons. Also you will notice the phone you dialed it from will say “Forwarded”.

So to eliminate the first problem, open “IP Office Manager” and go to the User or User Rights, depending on who you want it applied to. Go under “Button Programming” and create a button that will be on the first page of the phones. I changed my Label to “PANIC” and left the action as “Dial.” Under Action Data put in the short code you programmed earlier, i.e. *85. Press OK and merge the settings into the phone switch.

Now you have a button to press. Problem is, it still says “Forwarded”, which you don’t want a phone saying if the reason you are pressing the button is nearby. On the Voicemail Pro server browse to “C:\Program Files (x86)\Avaya\IP Office\Voicemail Pro\VM\WAVS\enu\”. The last folder may be different depending on the language of the system. Go down till you find the file called “ssb_10.wav” and rename it to “ssb_10-disabled”. Now you are good to go; the phone doesn’t say anything now either.

So after all those steps you are able to drop those panic buttons. Now this may not work if your phone is out in the open, easy to see by everyone. But most likely you will be able to press 1 button on your phone very inconspicuously if you need to.

DISCLAIMER: USE AT YOUR OWN RISK, if you use my directions I am not held accountable for any problems that may arise.

Tuesday, August 3, 2010

IP Office with 9600 phones Waiting for LLDP

At work we had set up the Avaya IP Office R6.0. When we purchased it we also purchased 5621 phones. I was asked to purchase some additional phones for one or two departments, but the 5600s are EOL (End of Life). I don't dig buying EOL products, so I dug around and found the 9650 to be a worthy equivalent. Instead of putting one phone out that is different in a department, I thought I would take on the new phone and figure it out.

First problem was that it would boot up and just sit saying "Waiting for LLDP." After some hunting around I realized that the 5600s and 1600s use option 242. So I jumped into my DHCP server and added a scope option for 242. Put in the following info that was already in my 176 scope option: "MCIPADD=XXX.XXX.XXX.XXX,MCPORT=1719,TFTPSRVR=XXX.XXX.XXX.XXX" (You will need to add something else to this, so jump below to grab the full portion.)

It booted up and I was able to log in. The phone was still acting a little funny, i.e. lots of the buttons were acting weird. No Visual Voice, as well as a couple of other things. After running around long enough I found out that the phone needs to grab IP Office-specific firmware. If your IP Office was purchased with the 6.0 release then you can skip the next step. If you upgraded it to 6.0 (9600s are only supported starting at release 6.0) then do the following:
  • In the Avaya IP Office R6 Manager click on "File>Advanced>Embedded File Management..."
  • Login and then click on "File>Upload System Files" (May be File>Upload Phone Files if you are running an earlier version of the manager)
It will have then uploaded the necessary files for the phones to the SD card. Still no luck for me. After more digging around I saw that the phone was saying "Bad FileSV address" right before it would finish loading up. I then searched around some more and realized I needed to add one more option to option 242. You need to add ",HTTPSRVR=XXX.XXX.XXX.XXX" to the end of the above so that it appears as:
MCIPADD=XXX.XXX.XXX.XXX,MCPORT=1719,TFTPSRVR=XXX.XXX.XXX.XXX,HTTPSRVR=XXX.XXX.XXX.XXX

The addresses should be your IPO Unit, although depending on your setup it may be a little different. After adding the option and rebooting I was good to go. Hope this saves someone time they shouldn't have to waste.
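To make the option 242 string less error-prone, here is an added PowerShell example (mine, not from the post) that parses the value, checks that the four fields the post ends up needing are present and hold valid addresses, and only then writes the option to a DHCP scope. The DhcpServer cmdlets exist on Windows Server 2012 and later (on 2008-era servers the equivalent is netsh dhcp); the scope ID and IP Office address are placeholders. The parser treats an item without "=" as an extra address for the previous field, which is how Avaya lists several call servers in MCIPADD.

```powershell
# Added example, not from the original post. Validate an Avaya option 242 string,
# then define and set the option on a scope. Addresses and scope are placeholders.

function Parse-AvayaOption242 {
    param([Parameter(Mandatory=$true)][string]$Value)
    $fields = @{}
    $last = $null
    foreach ($item in $Value -split ',') {
        $item = $item.Trim()
        if ($item -match '^([A-Za-z0-9_]+)=(.*)$') {
            $last = $Matches[1].ToUpper()
            $fields[$last] = @($Matches[2])
        } elseif ($last) {
            $fields[$last] += $item          # e.g. MCIPADD=10.0.0.1,10.0.0.2
        } else {
            throw "Option 242 does not start with NAME=VALUE: '$item'"
        }
    }
    return $fields
}

function Test-AvayaOption242 {
    param([Parameter(Mandatory=$true)][string]$Value)
    $fields   = Parse-AvayaOption242 $Value
    # Without HTTPSRVR the 9600 shows "Bad FileSV address", as in the post.
    $required = 'MCIPADD','MCPORT','TFTPSRVR','HTTPSRVR'
    $missing  = $required | Where-Object { -not $fields.ContainsKey($_) }
    if ($missing) { throw "Option 242 is missing: $($missing -join ', ')" }
    foreach ($name in 'MCIPADD','TFTPSRVR','HTTPSRVR') {
        foreach ($addr in $fields[$name]) {
            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$ip)) {
                throw "$name contains an invalid address: '$addr'"
            }
        }
    }
    if ($fields['MCPORT'][0] -ne '1719') {
        Write-Warning "MCPORT is $($fields['MCPORT'][0]); the post uses 1719"
    }
    return $true
}

$ScopeId   = '192.0.2.0'     # placeholder scope
$IpOffice  = '192.0.2.10'    # placeholder IP Office (IPO) unit address
$Option242 = "MCIPADD=$IpOffice,MCPORT=1719,TFTPSRVR=$IpOffice,HTTPSRVR=$IpOffice"

if (Test-AvayaOption242 -Value $Option242) {
    # Define option 242 as a string option once, then set its value on the scope.
    if (-not (Get-DhcpServerv4OptionDefinition -OptionId 242 -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -OptionId 242 -Name 'Avaya 9600/1600 settings' -Type String
    }
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 242 -Value $Option242
}
```

Running Test-AvayaOption242 against the string from the first attempt in the post (no HTTPSRVR) throws before anything is written, which is the failure the phones otherwise only report after a reboot.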

Thursday, March 4, 2010

Legally Re-Imaging/Cloning computers with Windows

So I was at a Technet UserGroup meeting and heard something that was important for people. After chatting with a Microsoft License Specialist it became clearer.

So legally you cannot re-image computers with an OEM license. To do this the lowest requirement you must meet is this:
  • One Volume License for the desktop Windows product that matches what you have. So if you purchased computers with Windows 7 Professional, then you will need a Volume License for Windows 7 Professional.
  • Volume License media for that product
You will then base your image off of this software and, after imaging, use the OEM key that is on the computer. The cool part is you may have 4000 computers with OEM licenses of Windows 7 Pro, but you only need to add the 1 VL and the VL media and you're legal. Why Microsoft does this I am not going to go into, but you have the basic info, and below a little more nifty VL information.
When you purchase a Volume License of a Windows desktop OS you are actually purchasing an upgrade license. This is different than all of their other products, where usually you are buying a full license. So since they are upgrade licenses you must have an existing Windows OS on the computer, or for the computer (Full Retail Product), to apply this VL to. So you can't buy a computer without an OS and think you can buy a Volume License.
I mention this blog posting because this was news to me. Apparently the EULA states you can't re-image using just the OEM media, and I know we all read the EULA :) and know this, errr, not. Anyways I hope this helps you feel legal.

You can grab the document Microsoft refers to on re-imaging here: Microsoft Reimaging download. As you look at this I recommend giving their license people a call.

Saturday, February 13, 2010

Windows EBS + Optional Update Step = Wasted time/Bad Server

So I had a problem where my Management server was not opening the admin console or the System Center Essentials Console. It was just erroring out and closing. After looking around I found the following error in the Event Viewer of the management server:

Level: Error     Source: IIS-W3SVC-WP    Event ID: 2268   General: "Could not load all ISAPI filters for site 'WSUS ADMINISTRATION'. Therefore site startup aborted."

This problem was because WSUS 3.0 SP2 tried to install during the Optional Updates step of the EBS install on the Management Server.

I did some digging around and remembered that one of the Optional Updates it wanted to install was WSUS 3.0 SP2. I started looking around, and other than finding a very sparse WSUS folder there was no proof that WSUS was on the server. So I went and downloaded WSUS 3.0 SP2 x64 from here. I just ran a quick install and then rebooted the server. After that I was able to open the Management Server's Admin Console for EBS and the System Center Essentials Console.

My recommendation is to skip the Optional Update step of the EBS install on all servers. Some updates will install, but many don't and you have to install them afterwards anyway. Also one or two of the updates will cause the server to say it needs to reboot, causing it to restart; then it tries to reinstall that update again. Let's just say it will keep doing it as long as you allow it. The problem is that the checkbox that tells it to do this is in the Planning Wizard, and if you are here then most likely you already checked it. The other way to skip this step, then, is to unplug the cord that connects it to the Internet when it gets to this point. Then when it errors out, plug it back in and hit "Next".

Monday, February 8, 2010

Smart Hosts Exchange 2007 SP1

So I was getting a strange error while trying to set up Exchange to use a smart host. The steps I had taken were to go into the Send Connector that was already set up for email going out. I then clicked on the radio button "Route mail through the following smart hosts:" and added my mail server. Then I clicked on the Change button beside "Smart host authentication:" and put in the credentials. After clicking OK I got this error: "The DomainSecureEnabled parameter can't be set to $True unless the DNSRoutingEnabled parameter is also set $True."
Weird. Since I am new to Exchange 2007 I haven't gotten used to the shell, so I was kinda lost on what it was saying. After looking around the net, no luck. I hit "OK" on the error and canceled out of the Authentication dialog. After looking at the previous dialog I noticed the following check mark for the setting opposite of using a smart host.

There is the option "Enable Domain Security (Mutual Auth TLS)." So I clicked the radio button back to "Use Domain system", unchecked it, and then swapped back to "Route mail through the following smart hosts:". Went and put in the authentication information again and it took it this time.

Personally, since the setting "Enable Domain Security" is a sub-setting of "Use Domain system", it should have no effect on using a smart host. If it does, the setting should be placed below both options, since if you choose to route mail through a smart host it grays out that setting. Weird. This might be fixed in Exchange 2007 SP2, but I don't know. Anyways, hope it helps someone else out too.
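For anyone who would rather do this from the Exchange Management Shell, here is an added example (mine, not from the post) of the same change. It shows why the GUI complained: DomainSecureEnabled and DNSRoutingEnabled are cleared together in one Set-SendConnector call before the smart host and credential go on. The connector name and smart host are placeholders, and choosing BasicAuthRequireTLS over BasicAuth is my recommendation, not something the post states.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on a Hub Transport server. Connector name and smart host are placeholders.

$connector = 'Internet Send Connector'   # placeholder: your outbound Send Connector's name
$smartHost = 'smtp.isp.example'          # placeholder: the provider's relay

# See the two flags the error message is about before changing anything.
Get-SendConnector -Identity $connector |
    Format-List Name, DNSRoutingEnabled, DomainSecureEnabled, SmartHosts, SmartHostAuthMechanism

# Step 1: Domain Security (mutual-auth TLS with partner domains) requires DNS MX routing,
# so both must be turned off in the same call; clearing only DNSRoutingEnabled trips
# the "DomainSecureEnabled ... unless DNSRoutingEnabled" check the GUI showed.
Set-SendConnector -Identity $connector -DomainSecureEnabled $false -DNSRoutingEnabled $false

# Step 2: route through the smart host with a credential. BasicAuthRequireTLS keeps the
# password off the wire in clear text; fall back to BasicAuth only if the provider has no TLS.
Set-SendConnector -Identity $connector `
    -SmartHosts $smartHost `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential (Get-Credential)

# Confirm the result.
Get-SendConnector -Identity $connector |
    Format-List Name, DNSRoutingEnabled, DomainSecureEnabled, SmartHosts, SmartHostAuthMechanism
```

The first Get-SendConnector is worth keeping in the habit: if DomainSecureEnabled shows True on a connector you are about to point at a smart host, you know in advance the GUI's authentication dialog is going to fail.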

Saturday, February 6, 2010

Kodak EasyShare C613 Lens Error

So my favorite niece got a Kodak EasyShare C613 for Christmas, I believe about a year and a half ago. Well, it had gotten stuck halfway out and when turned on would give a "Lens Error" and then some numbers; not sure what they were since it's working now. The process to get it fixed was a piece of cake.

Just take out the 7 screws on the sides and bottom of the camera. I used a #0 Phillips to take them out. The front is not connected by any wires, so you will take it off. First though, take out the batteries and SD card and pop open the battery compartment.

Start pulling the front from the body of the camera at the bottom. The top and halfway up the sides is a little tighter. I used a 1.4mm regular screwdriver to slide into the gap and turned it to widen the gap. Doing this slowly all around got the front off.

Wipe off the sides of the telescopic lens. Pop the batteries back in and close the compartment. Turn it on. To do this you need to press the on/off button, which may be hard to see. Pull the black plastic back some to see it. I used the Phillips to turn it on.

For me it turned on and finished its extension. Tested it by turning it off and on a couple of times. Good to go. It sounded a little mechanical so I blew it out, which fixed it a little. But it worked and that's what mattered. Then time to put it back together. Pull out the batteries and leave the door open. Slide the front back on, starting at the top and pressing it together. When done, put the 7 screws back, followed by the SD card and batteries. You are good to go.

If the above didn't fix it for you, yours may have been damaged further than hers. Hope this helps someone.

Monday, January 25, 2010

CompTIA A+, Network +, Server + requires renewal

So I got a call from a vendor for exam preparation material, and they shared with me something that will affect many people now. Previously, if you held CompTIA A+, Network+, and/or Server+ you were not required to renew them. Kind of nice, since many other vendors require you to do so. Because they got those certifications blessed, per se, by ISO, they have to provide a way to renew, meaning that we have to renew. They have set this at every 3 years. This is effective as of January 1, 2010. So I looked at their renewal page to see what you can do. You can take the latest version of the cert, or a bridge exam to it. You can start keeping track of CEUs, and after hitting a particular number of them you are good for another 3 years.


Good thing though is that you only have to maintain the highest of the 3 that you have, the order being as I have them listed in the title. For example, if you have the Network+, you don't have to maintain the A+, just maintain the Network+. By this same theory, even though they don't state it exactly, you could just take and pass the next certification to complete the renewal requirements, since when you pass, say, the Security+, then your highest wouldn't need to be renewed for 3 years.

I have no gripes about this because I am kind of tired of running into techs that claim certain certs but have had them forever and can't even swap out a light bulb. OK, I am exaggerating, but we all know them. Off to study for the next exam....

Here is the link to CompTIAs Renewal Policy FAQ

Monday, January 18, 2010

Antivirus Live = Very Annoying


So I had one of my users call me over the weekend regarding the fact that they were getting a lot of virus warnings. The first thing I asked was if it said ESET on the box. Nope; well, lots of boxes warning of viruses was the first tip that it wasn't my solution. This particular user was a limited user, so I knew that it had penetrated only so deep and that removal wouldn't be very hard. I told them to try a restart first, because sometimes you just wander onto a website that pretends a program is running and in actuality hasn't installed anything. Well, that didn't fix the problem, so I told him to leave it on my desk and I would fix it first thing Monday.

After turning it on I noticed a little blue shield with a diagonal shield, and after letting it sit for a little bit the screen looked like the picture to the right. (Insert picture.) So, first things first. I know at this point it is installed on the computer. Since this person is a limited user it limits where it can hide (unless it makes use of some exploit in the OS). Any time you try to run a program it will pop up real quick then close. So go ahead and restart and, if necessary (I hope it is), log in. Really quickly go to the Start menu and click on "Run...", type in "regedit" (without quotes) and hit Enter. At this point the program hasn't become super annoying, so it won't stop you from doing this. You could also boot into Safe Mode or log in under a different user. You are going to go to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (if you are doing this under a different user than the one that has the problem, then do a search for sysguard and it will find it for you).
Look to the right and you will see an entry for a file that is located in Documents and Settings\(the username that is infected)\Local Settings\Application Data\(random string)\(random string)sysguard.exe
Delete this entry and restart. After restarting and logging in as the infected user you will no longer run into the problem. At this point you need to fix all the stuff it broke.

Open up Internet Explorer and go to Internet Options under Tools. Go to the Connections tab and click on LAN settings. Uncheck the box beside "Use a proxy server for your LAN." You should now be able to browse as needed. You may try getting Spyware Doctor or another spyware tool and remove the rest of it that way, but I will continue the manual way for the sake of helping those that prefer it.

Let's go ahead and get rid of the remnant file. You can do it a couple of ways. Go to Explorer and in the address bar go to this location: "(rootdrive):\Documents and Settings\(the username that is infected)\Local Settings\Application Data\". Or you can show hidden files and click through till you get to the same spot. One of the folders at that location will just be a whole bunch of letters. For my user the folder was called uceejn. Look inside of it and you will see the sysguard.exe, or in my instance the dbdvsysguard.exe. Delete the folder it is in. Now it's gone.

We are going to have to fix some registry keys, so go back to the Start menu and click on "Run...", type "regedit" and hit Enter. Delete the following folder, "AvScan", located here: HKEY_CURRENT_USER\Software\AvScan (only the AvScan folder).

It will have also modified these settings, and you may want to change them back, but depending on your settings in Internet Explorer you might like your settings this way. You could also reset Internet Explorer back to its defaults to resolve this.
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
You are now good to go. I would like to credit http://www.2-viruses.com/remove-antivirus-live since I got the last 5 registry keys it modifies from there.
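The manual steps above (the Run-key entry, the loopback proxy, the AvScan key and the five policy values) can be checked in one pass from the affected user's session. The following PowerShell script is an added example and is not part of the original post; it only reads by default and undoes the changes when run with -Remediate. It assumes you are logged in as the infected user (it inspects HKCU), that the rogue's launcher still matches *sysguard.exe, and that the proxy it set still points at 127.0.0.1; nothing else about the machine is assumed.

```powershell
# Added example (not the original post's code): audit, and optionally undo, the
# per-user changes the post attributes to Antivirus Live. Run as the affected
# user (HKCU), e.g. right after a restart or from Safe Mode, before the rogue
# starts killing programs. Pass -Remediate to actually remove what is found.
param([switch]$Remediate)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$avscanKey = 'HKCU:\Software\AvScan'
$psProps   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings  = @()

# 1. Run-key entries that launch a *sysguard.exe (the post's persistence point).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($psProps -contains $prop.Name) { continue }   # provider metadata, not values
        $cmd = [string]$prop.Value
        if ($cmd -match '(?i)sysguard\.exe') {
            $findings += "Run entry '$($prop.Name)' -> $cmd"
            if ($Remediate) {
                Remove-ItemProperty -Path $runKey -Name $prop.Name
                # Take the quoted path if present, otherwise the whole command,
                # then delete the random-name folder it lives in (as the post does).
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { $cmd.Trim() }
                if (Test-Path -LiteralPath $exe) {
                    Remove-Item -LiteralPath (Split-Path -Path $exe -Parent) -Recurse -Force
                }
            }
        }
    }
}

# 2. Browser proxy pointed at the local machine (http=127.0.0.1:5555 in the post).
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1 -and [string]$inet.ProxyServer -match '127\.0\.0\.1') {
    $findings += "Proxy enabled to loopback: $($inet.ProxyServer)"
    if ($Remediate) {
        Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inetKey -Name ProxyServer -ErrorAction SilentlyContinue
    }
}

# 3. Leftover HKCU\Software\AvScan key.
if (Test-Path -Path $avscanKey) {
    $findings += "Key present: $avscanKey"
    if ($Remediate) { Remove-Item -Path $avscanKey -Recurse -Force }
}

# 4. Policy values the post lists, each of which weakens IE's download handling.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                       Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';     Name = 'LowRiskFileTypes';     Bad = '.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';      Name = 'SaveZoneInformation';  Bad = '1' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and [string]$item.($c.Name) -eq $c.Bad) {
        $findings += "$($c.Path) $($c.Name) = $($item.($c.Name))"
        if ($Remediate) { Remove-ItemProperty -Path $c.Path -Name $c.Name }
    }
}

if ($findings.Count -eq 0) { 'No Antivirus Live indicators found in HKCU.' } else { $findings }
```

Run it once without -Remediate to see what it would touch; the Run-key check is the one that matters for getting the machine usable again, and the policy values are removed rather than set to a "good" value so that your own IE settings, if you had any, come back from the default.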

Also, I did run a scan with ESET and it did find the file and delete it, since when writing the instructions I left the file there to see if ESET Antivirus could find it. Always make sure you are running the latest version and definitions of your antivirus, as well as patching your OS and applications.