Remove XP Anti-Malware

Posted: March 22nd, 2010 | Author: admin | Filed under: IT Support, Security, malware, spyware

Since I have had to remove this from 2 computers today, which coincidentally were both running AVG, I thought I would post up the way to remove it from an ‘infected’ computer.

NOTE: These instructions are intended as a guideline on how to remove this infection. If you are not sure how to do this then please make sure you consult a professional. All such information and related graphics are provided “as is” without warranty of any kind.

The first step is to repair the running of executable files (exe files):

Click on Start, Run and type ‘notepad’ then press enter. Now copy and paste the information below into Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Now save this file by clicking on File, Save As; set the file type to “All Files”, enter ‘fix.reg’ into the file name box, make sure you save the file to the Desktop and click OK.

Now double-click the ‘fix.reg’ file on the desktop and click Yes to confirm.
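What the fix.reg file actually does, as an added worked example that is not part of the original post: a small Python parser for the Version 5.00 .reg format above, applied to a constructed registry snapshot that mimics the hijack. The snapshot, the rogue program path and the parser are mine, not the post's; the snapshot models the one thing that matters here, namely that a per-user HKEY_CURRENT_USER\Software\Classes entry shadows the machine-wide HKEY_CLASSES_ROOT one when Windows resolves the .exe association, which is why deleting those per-user keys (and restoring the exefile command) is enough to get .exe files launching again. The INF method that follows performs the same deletions and additions through a different file format.

```python
import re

# The fix.reg contents from the post, embedded so the example runs stand-alone.
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
'''

# Constructed snapshot of a hijacked machine (not captured from a real system).
# HKCR\.exe itself is still intact; the rogue program planted a per-user
# override, which wins over HKCR when Windows resolves the association.
HIJACKED = {
    r'HKEY_CLASSES_ROOT\.exe': {'': 'exefile', 'Content Type': 'application/x-msdownload'},
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command': {'': '"%1" %*'},
    r'HKEY_CURRENT_USER\Software\Classes\.exe': {'': 'secfile'},
    r'HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command':
        {'': '"C:\\PLACEHOLDER\\rogue.exe" "%1" %*'},   # hypothetical path, not a real sample
}

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a Version 5.00 .reg file into ('delete', key) and
    ('set', key, name, data) operations. Only REG_SZ data is handled,
    which is all fix.reg uses."""
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            body = line[1:-1]
            if body.startswith('-'):          # [-KEY] deletes the key and all its subkeys
                ops.append(('delete', body[1:]))
                key = None
            else:
                key = body
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m or not (m.group(3).startswith('"') and m.group(3).endswith('"')):
            raise ValueError('unsupported .reg line: ' + line)
        name = '' if m.group(1) == '@' else _unescape(m.group(2))   # '' is the (Default) value
        ops.append(('set', key, name, _unescape(m.group(3)[1:-1])))
    return ops


def apply_ops(reg, ops):
    """Apply parsed operations to a {key: {name: data}} snapshot, returning a new one."""
    reg = {k: dict(v) for k, v in reg.items()}
    for op in ops:
        if op[0] == 'delete':
            for k in [k for k in reg if k == op[1] or k.startswith(op[1] + '\\')]:
                del reg[k]
        else:
            _, key, name, data = op
            reg.setdefault(key, {})[name] = data
    return reg


def effective_open_command(reg):
    """Resolve what runs when an .exe is launched, modelling the merged HKCR view:
    the per-user Software\\Classes entries shadow the machine-wide HKEY_CLASSES_ROOT ones."""
    def default_value(relative):
        for root in (r'HKEY_CURRENT_USER\Software\Classes', 'HKEY_CLASSES_ROOT'):
            values = reg.get(root + '\\' + relative)
            if values is not None and '' in values:
                return values['']
        return None

    progid = default_value('.exe')
    return default_value(progid + r'\shell\open\command') if progid else None


if __name__ == '__main__':
    ops = parse_reg(FIX_REG)
    print('before fix:', effective_open_command(HIJACKED))
    print('after fix: ', effective_open_command(apply_ops(HIJACKED, ops)))
```

Running it prints the rogue command before the fix and the normal `"%1" %*` afterwards. The same resolution logic is a reasonable manual check on a real machine: if HKEY_CURRENT_USER\Software\Classes\.exe exists at all, something has overridden the default association for that user.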

There is a second method which you may need to use to stop XP Anti-Malware from running; in both of today’s cases I have had to use both methods, so here is the second method.

Click on Start, Run and type ‘Notepad’ then press enter. Copy and paste all of the information below into Notepad.

[Version]
Signature="$Chicago$"
Provider=Myantispyware.com

[DefaultInstall]
DelReg=regsec
AddReg=regsec1

[regsec]
HKCU, Software\Classes\.exe
HKCU, Software\Classes\secfile
HKCR, secfile
HKCR, .exe\shell\open\command

[regsec1]
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, .exe,,,"exefile"
HKCR, .exe,"Content Type",,"application/x-msdownload"

Now save this file by clicking on File, Save As; set the file type to “All Files”, enter ‘fix.inf’ into the file name box, make sure you save the file to the Desktop and click OK.

Now right-click on the “fix.inf” file on the Desktop and select Install. Now reboot the computer into ‘Safe-mode with Network Support’.

Now download Malwarebytes Anti-Malware, install it and ensure that it fully updates before running. Run a ‘Quick Scan’; once it has completed it will display the results. Click on ‘Remove Selected’ and reboot the computer. Details about how to install and run Malwarebytes Anti-Malware can be found on other sites, but the important part is the Registry file and INF file above.

- Rob


Trend Worry-Free Business Security

Posted: March 10th, 2010 | Author: robfranklin | Filed under: IT Support, SBS, Security

We have started to roll out a number of Trend Worry-Free Business Security installations in the last week or so and have run into the same problem each time. Each of the installations has been on Microsoft Small Business Server 2008, and what actually happens is that the WFBS management console installs onto Microsoft IIS by default; when you try to access the console you sometimes get a password prompt, and after entering the password you are just left with a blank page, while other times you don’t get the password prompt at all. If you get this then follow the steps below, as this has fixed our problem each time:

  • First open Internet Information Service Manager on the server and check that the website “OfficeScan” exists. Now close the Internet Information Service Manager.
  • Now open a command prompt and change to the “Trend Micro\Security Server\PCCSRV” folder
  • Now type “svrsvcsetup.exe -uninstall” and wait for this to complete; it could take a number of minutes.
  • Now open Internet Information Service Manager on the server and check that the website “OfficeScan” no longer exists. Now close the Internet Information Service Manager.
  • Now type the following commands, pressing Enter after each one:
    • svrsvcsetup -install
    • svrsvcsetup -setvirdir
    • svrsvcsetup -setprivilege
    • svrsvcsetup -enablessl
  • Now restart the following services using the Services Applet:
    • Trend Micro Security Server Master Service
    • IIS Admin Service
    • World Wide Web Publishing Service

If you now try to access the console you should be able to log on successfully.

This worked for us each time, so I hope it’ll work for others too.

- Rob


There’s a price on yer head

Posted: February 14th, 2009 | Author: admin | Filed under: IT Support, Microsoft, Security

Some of you may have read the latest news that Microsoft has put up a $250,000 reward to find who is behind the Conficker worm, which is said to have infected as many as 12 million computers. They are doing this because the firm has taken the view that the creation of the Conficker worm is a criminal act.

This may seem like a bold move but it is not the first time they have done this. In 2005 they paid $250,000 to two individuals who helped identify the creator of the Sasser worm. Rewards of $250,000 were also offered for the creators of three other major computer worms, Blaster, MyDoom and Sobig; however, the authors of these were never caught.

In reality this amount of money is a small drop in the ocean for a company like Microsoft, but in doing so they are trying to send out a strong message to the authors of such worms. They are simply saying that they will not sit idly by while the creators wreak havoc on their clients’ systems. The fact of the matter is that regardless of what Microsoft or the Microsoft Trustworthy Computing Group offer, it seems it will provide very little in the way of a deterrent for such authors, as it is a challenge that they enjoy rising to. What it does do is help their clients to feel that Microsoft is doing all it can to try and prevent such hassles returning in the future.

The worm itself infects computers that are not fully up to date with the latest updates from the Microsoft Update website. If you are in any doubt then the best action is to visit the Microsoft Update website and apply all the latest critical updates. Once this is complete, continue to revisit the site until you are told there are no further critical updates. You should also ensure that your anti-virus software is fully up to date; if you don’t already have one then visit either AVG or Avast, who both provide free versions for home use.


Security via Interguard

Posted: January 5th, 2009 | Author: admin | Filed under: Business, Mobile, Security, small business

I have just had the heads-up from a good friend of mine to let me know that he will be sending over my copy of the Interguard software for home, laptop and corporate security. All being well I should have the stuff over this evening and, all things being equal, will get something posted up over the next couple of days. As products go this is shaping up to be a great product with a very comprehensive range of features for such things as monitoring web access, DataLock, which helps prevent data leakage from a business, and laptop security, so should your beloved laptop be stolen or lost it can be located, the data retrieved and the notebook disabled from ever working again.

Awesome stuff so you’ll have the review as soon as I have it.


Spam prevention

Posted: April 28th, 2008 | Author: robfranklin | Filed under: Business, IT Support, Security

Recently we had some problems with our DNS provider for the business, which caused us to look at moving the domain over to another, more reliable provider. In the end we decided to settle on hosting the DNS with Pipex; while they may not have always had the best reputation they are one of the larger players, and as the recent problems meant that we had no email or website traffic we could not afford to get caught out like that again. All went well with the transfer, as I made sure that all of the DNS records were live before the actual transfer took place, so the transition was completely seamless.

However, since then it would seem that spammers capitalised on one oversight that I made during the transfer: SPF (Sender Policy Framework). For those that don’t know what this is, basically it is a TXT record within DNS which defines the hostnames and/or IP addresses which can receive and send mail for the domain name it applies to. This TXT record is read by any mail server that supports it, and should the email not have originated from the correct address then it is treated as spam and discarded as such. If, however, the mail originates from a valid address then it is processed as normal and passed on to the recipient. On the other hand, if the recipient mail server does not support SPF then this information is simply ignored.

Since I hadn’t got this information handy I was tasked with re-creating the SPF data which, for those that have looked, is not the most straightforward thing to do; however, Microsoft have very kindly created a wizard on their website which takes out most of the work. The address is as follows: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Using this wizard you are able to enter your domain name and it will process the DNS record to see what settings exist with regard to mail servers, and then guide you through the process of creating the SPF data. Over the past few years I have used a number of tools but this has to be the easiest to follow. So check it out; the more people that use SPF, the less spam will be possible.
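The receiving-side check described above, as an added worked example that is not part of the original post or of any library: a minimal SPF (v=spf1) evaluator in Python, with a constructed in-memory DNS table (example.com and the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 addresses are documentation values, not real records) standing in for real lookups so it runs offline. It goes a little beyond the post's description: it handles the ip4, ip6, a, mx, include and all mechanisms, the redirect modifier and the four qualifiers, so the outcome is one of pass, fail, softfail, neutral, none or permerror rather than a single spam/not-spam verdict; what a receiving server does with a fail or softfail is its own policy.

```python
import ipaddress

# Constructed in-memory DNS table standing in for real lookups so this runs offline.
# The names and addresses are documentation/example values, not real records.
DNS = {
    ('example.com', 'TXT'): ['v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailhost.example -all'],
    ('example.com', 'A'): ['198.51.100.10'],
    ('example.com', 'MX'): ['mail.example.com'],
    ('mail.example.com', 'A'): ['198.51.100.25'],
    ('_spf.mailhost.example', 'TXT'): ['v=spf1 ip6:2001:db8::/32 ~all'],
    ('old.example', 'TXT'): ['v=spf1 redirect=example.com'],
}

QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def get_spf(domain):
    """The published policy: exactly one TXT record starting with v=spf1."""
    records = [r for r in lookup(domain, 'TXT') if r.lower().startswith('v=spf1')]
    return records[0] if len(records) == 1 else None


def host_has_ip(ip, name):
    """True if an address record of name (A or AAAA, matching ip's family) equals ip."""
    rtype = 'AAAA' if ip.version == 6 else 'A'
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, rtype))


def check_host(sender_ip, domain, depth=0):
    """Evaluate the SPF policy of domain for a connection from sender_ip.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                      # guard against include/redirect loops
        return 'permerror'
    ip = ipaddress.ip_address(sender_ip)
    record = get_spf(domain)
    if record is None:
        return 'none'                   # no usable policy published for this domain
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith('redirect='):
            redirect = term.split('=', 1)[1]
            continue
        qualifier = '+'                 # a mechanism with no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(':')
        mech = mech.lower()
        if mech == 'all':
            matched = True
        elif mech in ('ip4', 'ip6'):    # mismatched address families never match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == 'a':
            matched = host_has_ip(ip, arg or domain)
        elif mech == 'mx':
            matched = any(host_has_ip(ip, mx) for mx in lookup(arg or domain, 'MX'))
        elif mech == 'include':         # include matches only if the other policy passes
            matched = check_host(str(ip), arg, depth + 1) == 'pass'
        else:
            return 'permerror'          # mechanism this evaluator does not implement
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(str(ip), redirect, depth + 1)
    return 'neutral'                    # nothing matched and no redirect given


if __name__ == '__main__':
    for sender in ('192.0.2.7', '198.51.100.25', '2001:db8::1', '203.0.113.5'):
        print(sender, '->', check_host(sender, 'example.com'))
```

The first three senders pass (via ip4, mx and include respectively) and the last hits -all and fails; a sender that only matches the included ~all gets softfail, which most receivers treat as a score rather than a rejection. When building your own record, a -all ending is what makes the policy bite, and every legitimate sending host (including any third-party mailer) must be covered before you publish it or your own mail will be the first to be rejected.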

As always thanks for reading and if you have any questions then drop me a line.


The enemy within…..

Posted: March 27th, 2008 | Author: robfranklin | Filed under: Business, IT Support, Microsoft, Security

Following on from the recent security theme I would like to carry this on a little further and discuss an aspect of security in business that may not always be so obvious to everyone. Most individuals will be aware of the threat that the Internet poses to business, as well as the threat that is posed by wireless networks. However, what a great deal of businesses do not understand is that the greatest threat is not always what lies without; in fact it is what lies within.

It is a known fact that a number of employees that leave businesses go on to work for other companies, and a number of these individuals go on to start their own business. Either way these soon-to-be former employees have access to key information about your business and, more importantly, your clients. In the past it has been difficult for this information to be transported out of the business without being easily spotted; however, with the rise in USB storage devices, transport of this data has become much simpler and, moreover, much more discreet.

So what can you do to stop this? The simplest way is to block USB storage devices and CD/DVD writers for all but the most trusted users. In order to achieve this you could buy some software to handle endpoint security, such as GFI EndPoint Security, but for up to 25 computers this costs in excess of £400, which is beyond the reach of most small businesses. So what can small businesses do to protect themselves? Well, the answer is that through a group policy on the server, restrictions can be placed on users or groups of users, and I will explain how.



Better safe than sorry (part 2)

Posted: March 22nd, 2008 | Author: robfranklin | Filed under: Business, Mobile, Security

Yesterday I wrote about encrypting data on your notebook computer when you are carrying data around. Within that posting I mentioned TrueCrypt as a program which can be used for this task, so for those of you that are interested in it (I mean, who wouldn’t be, as it’s open source) here’s a brief tutorial.


Better safe than sorry

Posted: March 21st, 2008 | Author: robfranklin | Filed under: Business, Mobile, Security

Over here in the UK there has been a lot in the papers recently about the data losses by some of the key government agencies, such as HMRC, as well as businesses such as Skipton Building Society, much of which was not encrypted data. As you will know there has been much public outcry, and quite rightly so, but do we have any room to talk?

The fact is that almost every business today owns at least 1 notebook computer, and typically that will be taken out to meet clients, to work from home etc. On that notebook there will typically be a great deal of data regarding either your own business or possibly your clients, so do you encrypt your data? The answer is almost certainly no, so how on earth can we complain when other organisations do the same? While I understand that these organisations should know better, as they have much larger budgets to get people on board who should be telling them this, the fact of the matter is that very few businesses do this themselves. Recent figures show that the public is 80% more cautious with their personal data than before the HMRC data loss, which is a positive move for security. You may think that the data on your notebook is of no value to anyone else, but let’s just assume for one minute that you lose your notebook and you have the following on it:

  • On it is the payroll figures as you needed to work on them tonight
  • You also have the sales figures for your clients
  • Details of a new proposal for a potential client
  • Documentation regarding a client(s) site, not including passwords

So what is the value of this to anyone else?

  • The payroll data would be invaluable to a headhunter, for example. If you had a member of staff who had some very coveted knowledge then they would know where to start with pay offers.
    • If the payroll figures included home addresses of employees then this would also be of interest to criminals for identity theft.
  • Sales figures would be of great interest to your competition, as they would be able to ascertain the financial value not only of your own company month in, month out but also the value of each of your clients each month.
  • Details of a new proposal would again be of interest to your competition, as they would then know what you are proposing but, more importantly, what you are planning to charge for this fantastic service. If this proposal is for an IT system this may also be of use to a potential hacker, as it may provide information regarding internal systems or security information.
  • Documentation regarding a client’s site would almost certainly hold value to a potential intruder if it was technology documentation, as it would provide valuable insight into what internal systems they had. If it related to equipment such as phones or plant machinery then again it would have value to competitors or companies in that field.
