From: Abuse Department [mailto:abuse-uk-irl@ripe.net]

Sent: 24 September 2010 14:32

To: XXXXXXXXXXXXXX

Subject: ISP DISCONNECTION WARNING - ADVISORY ABUSE NOTICE

From: <abuse-uk-irl@ripe.net>

Date: Fri, Sept 24, 2010 at 12:44 PM

Investigation Number: 1171

Subject: ISP DISCONNECTION WARNING - ADVISORY ABUSE NOTICE

For The Attention Of: The Bill payer/Owner of this ISP account.

Our investigations have determined that your Internet Services account has been used to scan, flood or attempt to gain unauthorized access to another computer, (please see the details of the incident(s) attached to this e-mail). This activity is a violation of our Internet Services Acceptable Use Policy and the our Internet Services Account Agreement, under which you have been provided service.

THIS NOTICE IS TO ADVISE YOU THAT FURTHER ABUSE OF YOUR INTERNET SERVICES ACCOUNT MAY RESULT IN A SUSPENSION OR TERMINATION OF YOUR ACCOUNT, WITHOUT FURTHER NOTICE TO YOU. We are empowered to take such action if, in our sole determination, you have violated the terms of our Acceptable Use Policy or our Internet Services Account Agreement.

The alleged incident originated from the local IP address of 192.168.1.100 which, at the time of the incident, was assigned to a device with the unique physical address of 00:13:10:24:45:F8. This address identifies the network adapter or router connected to your ADSL/Broadband modem.

If you are unaware of this type of activity coming from your account, you may wish to inquire with others who may have access to your account and/or change the password to your account to ensure that only authorized users have access to it. IT IS ALSO POSSIBLE THAT YOUR COMPUTER MAY BE INFECTED WITH A VIRUS OR YOUR COMPUTER SYSTEM MAY HAVE SOME OTHER SECURITY PROBLEM SUCH AS AN UNSECURED MAIL OR PROXY SERVER WHICH COULD ACCOUNT FOR THIS ACTIVITY ORIGINATING FROM YOUR SYSTEM.

In the event you are not able to attend to the situation immediately, please disconnect your computer from the ADSL modem to prevent further abuse.

A full description of the incident including realtime IP addresses and web traffic can be found in the attachment.

Any questions of help can be obtained from out staff during office hours 0900-1700 Monday to Friday.

Our complete contact information can also be found in the PDF report.

Kind Regards

The Abuse Team

Attached to the email is a so called 'report' which is a 'RAR' file. Inside of the 'RAR' file is another file which is named 'Incident-Report-201009241171.pdf.exe'. So far it all looks like an elaborate hoax as the network the client is on is not on the range mentioned in the email and since when is a report sent as an executable file?

Any which way I will be putting it through the lab machine later to see what comes out, either way it will be interesting.

If you do hear of anyone receiving this tell them not to open it.

- Rob

NOTE: These instructions are intended as a guideline on how to remove this infection. If you are not sure how to do this then please make sure you consult a professional. All such information and related graphics are provided “as is” without warranty of any kind.

The first step is to repair the running of executable files (exe files):

Click on Start, Run and type ‘notepad’ then press enter. Now copy and paste the information below into Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Now save this file by clicking on File, Save As; select the file type and set it to “All Files” then enter ‘fix.reg’ into the file name box making sure you save the file to the Desktop and click OK.

Now double-click the ‘fix.reg’ file on the desktop and click Yes to confirm.

There is a second method which you may need to use to stop XP Anti-Malware from running, in both cases I have had use both methods so here is the second method.

Click on Start, Run and type ‘Notepad’ then press enter. Copy and paste all of the information below into Notepad.

[Version]
Signature="$Chicago$"
Provider=Myantispyware.com

[DefaultInstall]
DelReg=regsec
AddReg=regsec1

[regsec]
HKCU, Software\Classes\.exe
HKCU, Software\Classes\secfile
HKCR, secfile
HKCR, .exe\shell\open\command

[regsec1]
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, .exe,,,"exefile"
HKCR, .exe,"Content Type",,"application/x-msdownload"

Now save this file by clicking on File, Save As; select the file type and set it to “All Files” then enter ‘fix.inf’ into the file name box making sure you save the file to the Desktop and click OK.

Now right-click on the “fix.inf” file on the Desktop and select Install. Now reboot the computer into ‘Safe-mode with Network Support’.

Now download MalwareBytes Anti-malware, install and ensure that it fully updates before running. Now run a ‘Quick Scan’, once it has completed it will display the results. Now click on ‘Remove Selected’ and reboot the computer. Details about how to install and run MalwareBytes Anti-malware can be found on other sites but the important part is the Registry file and INF file above.

- Rob

Me: “Hi there, I have a problem with BackupExec for Small Business Server that was supplied with these new servers for my client”.

Dell: “What is the problem?”

Me: “When I enter the license key it says that it is invalid. It accepts the “Premium” license key but it will not accept the SBS key”

Extended period of silence…now 15 minutes in to the call and not progressed

Dell: “What license number do you have?”

Me: “The license key is…”

Dell: “That’s a serial number”

Me: “It says license key?”

Dell: “No that’s the serial number”

Me: “But it says on the front cover that it is the “Software License Key” and inside, just above the key, it says “Software License Key”. Surely it would say serial number if that is what it is?”

Dell: “No that’s the serial number, you need to go to the Symantec licensing portal and register the serial number”

Me: “But I have done dozens of these and I have always just entered the key into the software”

Dell: “They have tightened up the licensing recently”

Me: “Hmm, ok where do I go to register the ‘serial number’?”

So now we go to the Symantec licensing portal, I complete the registration in order to log on to the site. After entering the ‘serial number’ it says that the ‘serial number’ is invalid.

Me: “It says the number is invalid”

Dell: “Are you sure it is entered correctly?”

Me: “Yes I’m sure but it does not say it is a serial number it clearly says it’s a license key”

Dell: “Ok I need to speak with Symantec, can you hold"?”

Me: “Err yeah ok”

So I was put on hold, 35 minutes in to the call and I had made no progress. Needless to say I did not stay on hold as by this point I was completely frustrated by the fact that the support technician was simply not listening. The conversation above it not verbatim but I must have explained to this guy about 10 times that it clearly states it is a License Key and not a Serial Number but he was not listening.

The most important skill that any person who is in a customer facing role can do is just listen. By not exercising this most fundamental skill during this call my whole experience with Dell’s “Pro-support” was completely destroyed and had this been my first experience then I would be one very unhappy client and would think twice about buying Dell again.  That said only a week before I had spoken to them and the support tech I spoke to I cannot say enough about. He listened and acted on what I was telling while verifying what I was saying was correct.

I can only assume that my bad experience was a one-off but none the less it was a bad experience.  So if nothing else, don’t talk just listen and everything else will take shape.

One of the key characteristics of IT support technicians, in my opinion, is to listen to what the client wants or needs. Once you listen then you can deliver exactly what they are looking for from you but without the very first step you are headed nowhere fast. Now IT support on the “frontline” and Internet support have some very different characteristic but on key difference the scope of products and devices that need to be supported.

It turned out that the main issue with this particular client was that the person coordinating the IT internally did not really understand it which meant that they wanted to know every single last detail about everything on the system.  The was not because of anything other than a fear of having to deal with and support (internally) something that they really didn’t understand on anything other than a desktop use level. What we do is to help the client to understand what they need to know and explain why they don’t need to know about the disk configuration on the server.  This is the core of true IT support, it is the ability to not only support the technology but to also support the clients as an individual so that they can understand and more importantly how it relates to their business.

If your business is not getting good IT support from its supplier or you want to know how your system works for your business then contact us

This may seem like a bold move but it is not the first time they have done this. In 2005 they paid $250,000 to two individuals who helped identify the creator of the Sasser worm.  Rewards were also offered of $250,000 for the creators of the other three major computer worms Blaster, MyDoom and Sobig however the authors of these were never caught.

In reality this amount of money is a small drop in the ocean for a company like Microsoft but in doing so they are trying to send out a strong message to the authors of such worms.  They are simply saying that they will not sit idly by while the creators wreak havoc on their clients systems.  In reality the fact of the matter is that regardless of what Microsoft or Microsoft Trustworth Computing Group offer it seems that it will offer very little in the way of a deterrent for such authors as it is a challenge that they enjoy rising to.  What it does do is help their clients to feel that they are doing all they can to try an prevent such hassles returning in the future.

The worm itself infects a computer that is not fully up to date with the latest updates from the Microsoft Update website. If you are in any doubt then the best action is to visit the Microsoft Update website and apply all the latest critical updates.  Once this is complete continue to revisit the site until you are told there are no further critical updates. You should also ensure that your Anti-Virus software is fully up-to-date, if you don’t already have one then visit either AVG or aVast who both provide free versions for home use.

• Desktop/Server agents – these will typically be used to provide the necessary features to make delivering managed services easier and more importantly efficient.
• PSA Software (Professional Services Automation) – this is the software that will be used to manage your deliverables and help you to ensure that you are delivering on your promises to clients.

The first point that we looked at was the management software that was on offer.  The key player at this time was Kaseya who at this point had a very large share of the desktop/server market.  The software itself is very compete as a package but we found that it did not lend itself well to small deployments in a cost effective manner.  This led our search deeper and it was then when we found Zenith.  At this time a relatively new player but none the less a very powerful toolset and extremely cost effective.  The product also did not have a steep learning curve which meant that the tech’s were able to quickly get on board with the product.  This meant that we were sold on the product that we’d use to manage our clients site’s, next it was on to the PSA.

The next hurdle was to be the decision on what PSA software we would be using to manage the clients.  As with many MSP’s we initially decided to start by running a relatively manual system by keeping notes which involved a combination of both spreadsheets and completed paperwork that is then filed.  Within a short period of time we found that we started to outgrow this manual system so we then had to undergo the process of looking a tools that would be able to manage this a little cleaner.  The first product that we tried was osTicket, this worked great for simple ticketing based on email transaction as well as web based entry.  Now to be fair this worked fantastic at what it did but we needed more from it, we required more integration of the fringe elements such time tracking for onsite work as well as site documentation.  Next we looked at Shockey Monkey, this is a project being developed for the community Vlad Mazek (OwnWebNow) which is shaping up to be an amazing project but unfortunately we were quickly being over taken by our needs which meant that we needed to look for a ready made package.  After much searching we have finally settled on AutoTask.  This will truly help our business moving forward as the whole workflow will be managed from end-to-end.  From the moment the call comes in a ticket is created.  From here and work done is added to the ticket, if onsite work is required then a site visit can be added to the ticket.  For any work done on the ticket it is allocated a code which allows us to govern what charges are applied and if they have a Managed Service Agreement then the time is allocated to the account and is tracked through the account.  This means that we can see very quickly that our accounts are profitable or not.  When the work is completed we can then make any adjustments to charges and the post it for invoicing.  The final step is then to import the invoice into QuickBooks directly.  If terms of the techs onsite, they can now fill in the work as soon as they leave site from a PDA/handheld device which means we have the most accurate information possible as it is still fresh in their mind.

All of this works to make our business run smoother and more importantly make my life easier which I am all for.  Many of the lesson I have learned others have learned and documented before me, so why listen to me?  No idea, but for what it’s worth I didn’t listen but sometimes you have to work things out for yourself

"What version of Word are you running?"

"Version 6"

"Wow that’s old now they’re at Version 95 now!"

Now to most it’s pretty obvious that MS made a leap in their naming of office applications after Office 4.3 (Word 6) when they then release Office 95 which went on to be Office 97, Office 2000, Office XP, Office 2003 and now Office 2007.  Again the Office suite has seen a great deal of progress made and a whole host of new functions and other things that make working easier and more efficient.  The problem is how do you find all of these new feature or if you have found them where do you find the time to learn how to use them.  More people now are using computers at home and as a result it has changed the IT Training market especially in small businesses where most staff will say they know how to use Word, Excel, Powerpoint etc but do they?  I have always said to clients that they know more about Word and other Office apps than I ever will, and they will look at me gone out. Why?  Because I don’t use it I just fix it.

I was talking to one of our partners and a good friend of mine recently who’s an IT trainer.  He was telling me that they we’re starting to run "Surgeries", perhaps not the best title as it conjured up images of a room full of sick people wondering desperately why they bothered being on time as the doctors is running an hour behind.  He went on to explain that many companies have staff who are proficient in using Office applications but could to with help on certain little things.  So what they do is they get setup in a room and effectively run a drop-in training room where members of staff will go to them with a specific problem and they will address it via a short 20 minute session, then when they are done another person will come in.  Now coming from the school of "I know how to use it" even I can see what value this would be, so I asked the all important question "What about cost?".  He replied "well it can work out as little as £12.50 per person depending on the number of delegates".  At that cost I don’t there are any businesses that can’t get value from that particular type of training……lets call it Micro-training!!

Ok so it’s a little shameless pimping of a partners business but the thing is I don’t pimp other peoples wares lightly as it’s not the way I do things, however this type of training is completely different to anything I have ever seen before and despite being a Nottingham based company they work throughout the UK to support businesses.  So if you’ve got staff that can’t mail merge, can’t do graphs in excel (that’s me Andy) or other such tasks then give Andy a call at F1rst I.T. Training and Support on 0115 926 2078 or email him on andyhardy@f1rstit.co.uk