Cryptolocker (Again, new and improved ?)

UPDATE: Be sure to read the comments to this post. I am posting new information and updates as comments. There is a lot of information there.


Yes, again we see Cryptolocker. My client emailed me the following: “I received an email on Friday from Energy Australia that took me to a website and it asked me to run a program, but I could not open anything. I believe that email may have caused this issue, if that is of any help.”

This falls in line with other people's observations, i.e.


We have not yet worked out how this version works, nor which files have been affected. Here is the text of the ransom note:

  !!! YOUR SYSTEM IS HACKED !!!

  All your files was encrypted with Cryptolocker!

  This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me:

  You have 3 days to pay for my services. After this period, you will lose all your files.

  Anti-virus software can remove Cryptolocker, but can not decrypt your fles. The only way to recover your files -is to pay for the decryption key.

  Information for IT-specialist:

  Data was encrypted with AES (Rijndael) algorithm with the session key length if 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.

Here is a photo

This is the nasty email that began it all







Real world test of Trend Worry Free Professional

I miss Microsoft ISA/TMG. I miss being able to report on staff's internet usage, solve bottlenecks, isolate PCs that have downloaded malware and do all the other general IT admin things that go with this.
Along comes Trend Worry Free Professional, which lets you point your browser at an external proxy in Trend Micro's Amazon cloud.

You can set up LDAP integration with your AD and then, after the staff have used it, run reports on their activity.

This all sounds really nice.

So what are the real world issues with this product?
  • Using it from South Australia with proxy servers on the eastern side of Australia, my latency is huge: it adds 30 ms. A slow ADSL2+ connection feels this badly. All my pages are delayed and slow to come up. Over fibre, or in the eastern states, the effect is far less pronounced.
  • I keep getting certificate popups. I get them for my email (especially using Office 365) and for many of the HTTPS sites I use.
  • The proxy settings are easy to tamper with. Unless you lock the IE settings down or force them via Group Policy, users can bypass the proxy.
  • I have a few websites that “sometimes work”. One happens to be my webmail. The experience is very hit and miss with the proxy turned on.
  • The built-in reports are very basic. They don't give me enough detail.

Ok, this all sounds really bad. Yes, there are some teething issues and the latency is killing me, so why do I love this product?
  • It filters all my outbound web traffic and removes malware and viruses the moment they are discovered.
  • I can dump the raw logs into Excel and do my own reports.
  • I can have external roaming users logged into this no matter where they are in the world.
  • I have control of what happens on the network.

So if you have fibre, are in the eastern states, or have a client with very low expectations (maybe they are not a big internet user), then this is an awesome tool.

If you are a geek like me, you have to decide whether the tool makes your habits safer and live with it, or forge ahead because the speed annoyed you and run other protection.

Don't forget, this is only version 1; future advancements will help.
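The proxy-bypass item in the list above is the one a defender can actually check for. As an added example that is not the post's own code, this PowerShell reads the effective WinINET/IE proxy settings (from HKLM when policy makes the proxy per-machine, otherwise HKCU) and reports whether they still match the expected proxy and whether the “Prevent changing proxy settings” policy is in place; the expected proxy address is a placeholder, since the post does not give Trend's endpoint.

```powershell
# Added example, not the post's own code. Reports whether the effective WinINET/IE proxy
# still matches the expected proxy and whether Group Policy stops the user changing it.
function Test-ProxyConfiguration {
    param([string]$ExpectedProxy = 'proxy.example.invalid:8080')   # placeholder, not Trend's real address

    $machPol = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    # "Prevent changing proxy settings" lands here as Proxy = 1 (user policy under HKCU, computer policy under HKLM)
    $uiPolUser = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction SilentlyContinue
    $uiPolMach = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction SilentlyContinue

    # "Make proxy settings per-machine" (ProxySettingsPerUser = 0) moves the live settings to HKLM
    $perMachine = ($machPol.ProxySettingsPerUser -eq 0)
    $hive = if ($perMachine) { 'HKLM:' } else { 'HKCU:' }
    $inet = Get-ItemProperty "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue

    $enabled = ($inet.ProxyEnable -eq 1)
    [pscustomobject]@{
        SettingsScope   = if ($perMachine) { 'Machine' } else { 'User' }
        ProxyEnabled    = $enabled
        ProxyServer     = $inet.ProxyServer
        BypassList      = $inet.ProxyOverride      # hosts excluded from the proxy; a user can grow this list
        AutoConfigUrl   = $inet.AutoConfigURL      # a PAC script can also route traffic around the proxy
        MatchesExpected = ($enabled -and $inet.ProxyServer -eq $ExpectedProxy -and -not $inet.AutoConfigURL)
        ProxyUiLocked   = (($uiPolUser.Proxy -eq 1) -or ($uiPolMach.Proxy -eq 1))
    }
}

$report = Test-ProxyConfiguration
$report | Format-List
# Per-machine settings live in HKLM, which a standard user cannot write, so that counts as locked too
if (-not $report.MatchesExpected -or -not ($report.ProxyUiLocked -or $report.SettingsScope -eq 'Machine')) {
    Write-Warning 'Proxy has drifted from the expected value or can still be changed by the user.'
}
```

Run it under the account whose browser you are checking; a non-empty BypassList or AutoConfigUrl is worth reviewing even when ProxyServer matches.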


Trend Micro Worry Free 9 attachment blocking

We have just upgraded a client to TMWF9 (another in a long list of clients to upgrade). In the product's previous configuration, attachment blocking was turned on.
Exceptions were set to allow most Microsoft Office documents in. This included the Word Doc and Docx formats.

After the upgrade, the attachment policy is unchanged. Doc and Docx files are still on the exception list; however, they are not getting through.

They are being replaced with a text file saying that the attachment was removed due to policy.

We have tried turning attachment blocking off and on, and turning the exception for Word off and on.

We have a case open with Trend. The only workaround at present is to disable attachment blocking.

NOTE: Be aware that if attachment blocking is on, ScanMail stomps around in your email store removing every existing attachment that matches, even attachments that were placed in your mailbox years ago. It is not just an attachment blocker but also a remover of existing attachments. Don't play with attachment blocking until you understand this.


Trend Micro Worry Free 9 TMproxy32.dll crash in IE9

After a Trend Micro Worry Free 9 upgrade from Worry Free 8, we now see a client with a crash in TmProxy32.dll.

It crashes the browser and renders it useless.

I am currently working with Trend Support looking for a solution.

We have two workarounds at the moment:
  • Use 64-bit Internet Explorer, which leaves you safe and protected.
  • Use 32-bit Internet Explorer but, under Add-ons, disable the TmIEPlugInBHO Class (Version –), which does not leave you safe and protected.

We have so far found one sure-fire way to reproduce the crash.

Windows Server 2008 R2 Enterprise 64-bit in Remote Desktop hosting mode, using the 32-bit IE9 browser, with the default multi-tab setting set to show a new tab (under Tools – Internet Options – General tab, set the new-tab behaviour to a new page).

Open IE, let the default page come up, then click the second tab and click one of the most popular sites (as listed by IE9).


The error comes up as:

Internet Explorer has stopped working
  • Windows can check online for a solution and close the program
  • Close the program
  • Debug the program

Faulting application name: iexplore.exe, version: 9.0.8112.16490, time stamp: 0x51955cca
Faulting module name: TmProxy32.dll, version:, time stamp: 0x52df52ed
Exception code: 0xc000000d
Fault offset: 0x0001e452
Faulting process id: 0x6438
Faulting application start time: 0x01cf7975ee091613
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
Report Id: b9113ce2-e569-11e3-9b0b-e839352523ea



The event log shows:

Log Name:      Application
Source:        Application Error
Date:          27/05/2014 4:10:00 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ADLTS02.jhg.local

Faulting application name: iexplore.exe, version: 9.0.8112.16490, time stamp: 0x51955cca
Faulting module name: TmProxy32.dll, version:, time stamp: 0x52df52ed
Exception code: 0xc000000d
Fault offset: 0x0001e452
Faulting process id: 0x6438
Faulting application start time: 0x01cf7975ee091613
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
Report Id: b9113ce2-e569-11e3-9b0b-e839352523ea


The Windows Error Reporting log contains (in part):

Sig[0].Name=Application Name
Sig[1].Name=Application Version
Sig[2].Name=Application Timestamp
Sig[3].Name=Fault Module Name
Sig[4].Name=Fault Module Version
Sig[5].Name=Fault Module Timestamp
Sig[6].Name=Exception Offset
Sig[7].Name=Exception Code
Sig[8].Name=Exception Data
DynamicSig[1].Name=OS Version
DynamicSig[2].Name=Locale ID
DynamicSig[22].Name=Additional Information 1
DynamicSig[23].Name=Additional Information 2
DynamicSig[24].Name=Additional Information 3
DynamicSig[25].Name=Additional Information 4
UI[2]=C:\Program Files (x86)\Internet Explorer\iexplore.exe
UI[3]=Internet Explorer has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
LoadedModule[0]=C:\Program Files (x86)\Internet Explorer\iexplore.exe
LoadedModule[29]=C:\Program Files (x86)\Internet Explorer\IEShims.dll
LoadedModule[52]=C:\Program Files (x86)\Internet Explorer\ieproxy.dll
LoadedModule[54]=C:\Program Files (x86)\Trend Micro\Security Agent\TmIEPlg32.dll
LoadedModule[55]=C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
FriendlyEventName=Stopped working
AppName=Internet Explorer
AppPath=C:\Program Files (x86)\Internet Explorer\iexplore.exe



Trend Micro Worry Free Professional proxy software is not talking with my AD

I am not sure if this is a widely known problem yet. This was a fresh install of TMWF9 followed by the Professional AD sync tools.

I selected my own custom port (6443) for Trend to query my AD. (It uses an Apache service.)

It would not communicate. I stood up a dummy IIS site on this port and it was reachable, so my firewall rules are OK.

I ran “netstat -an” and noted that the Trend service was listening on port 6433. I need it on my server IP on port 6443.

I located and edited the Apache configuration in:
<drive letter>:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\conf

I changed the following

Listen 6443

(which listens on port 6443 on every IP address of the server)

to the following, where I have used my server IP:


All fixed.


Unplugging my iPhone from my Laptop causes a BSOD (Stop Error)

Over the last 3 days, when I unplug my iPhone, my laptop has a Blue screen of death (BugCheck 1000007E).

This is accompanied by what can only be described as the most disturbing crackle from the laptop speakers on reboot. My imagination originally made me think the bearings in my hard disk were being ground down and I was happy to discover it was just a noise from the speakers.

My laptop is running Windows 7 and I am not aware of any changes leading up to this. USB drives (including powered external drives), my keyboard and other USB devices do not cause this issue. Uninstalling iTunes made no difference. I found that the problem could be resolved by taking the file C:\windows\system32\drivers\mpfilt.sys out of action.

This file seems to have no author information stored in it, and online no one seems to know what it is. My system is now working fine. So far no services or devices have played up and I have had no more blue screens.

Using Microsoft's debug tool “WinDbg” I located and analysed the memory dumps in C:\Windows\Minidump:

Unable to load image \??\C:\windows\system32\drivers\mpfilt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mpfilt.sys
*** ERROR: Module load completed but symbols could not be loaded for mpfilt.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BugCheck 1000007E, {c0000005, 83a8c778, 8f38bb78, 8f38b750}
*** WARNING: Unable to verify timestamp for usbaapl.sys
*** ERROR: Module load completed but symbols could not be loaded for usbaapl.sys
Probably caused by : mpfilt.sys ( mpfilt+9fb )

Followup: MachineOwner
---------

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 83a8c778, The address that the exception occurred at
Arg3: 8f38bb78, Exception Record Address
Arg4: 8f38b750, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!IofCallDriver+5f
83a8c778 ff548838        call    dword ptr [eax+ecx*4+38h]

EXCEPTION_RECORD:  8f38bb78 -- (.exr 0xffffffff8f38bb78)
ExceptionAddress: 83a8c778 (nt!IofCallDriver+0x0000005f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000074
Attempt to read from address 00000074

CONTEXT:  8f38b750 -- (.cxr 0xffffffff8f38b750)
eax=00000000 ebx=86f52600 ecx=0000000f edx=86f52600 esi=8915b3d8 edi=86f527f4
eip=83a8c778 esp=8f38bc40 ebp=8f38bc50 iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010287
nt!IofCallDriver+0x5f:
83a8c778 ff548838        call    dword ptr [eax+ecx*4+38h] ds:0023:00000074=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000074

READ_ADDRESS: GetPointerFromAddress: unable to read from 83bb971c
Unable to read MiSystemVaType memory at 83b99160
 00000074

FOLLOWUP_IP:
mpfilt+9fb
94b829fb ??              ???

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 94b829fb to 83a8c778

STACK_TEXT:
8f38bc50 94b829fb 888890e0 8904d430 86df54f8 nt!IofCallDriver+0x5f
WARNING: Stack unwind information not available. Following frames may be wrong.
8f38bc68 83a8c77c 00001081 86f52600 00000000 mpfilt+0x9fb
8f38bc80 b730194b 88889028 88889028 888890e0 nt!IofCallDriver+0x63
8f38bcac b7307dc9 86df54f8 8f38bccc 88889765 usbaapl+0x194b
8f38bcd8 b7304228 88889028 885c5670 88889028 usbaapl+0x7dc9
8f38bcec 83c71cb5 8a5651b0 8a5651b0 86b638e0 usbaapl+0x4228
8f38bd00 83abe10b 885c5670 00000000 86b638e0 nt!IopProcessWorkItem+0x23
8f38bd50 83c5fb6f 00000001 ab4bfbea 00000000 nt!ExpWorkerThread+0x10d
8f38bd90 83b11299 83abdffe 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  mpfilt+9fb
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: mpfilt
IMAGE_NAME:  mpfilt.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  43670416
STACK_COMMAND:  .cxr 0xffffffff8f38b750 ; kb
FAILURE_BUCKET_ID:  0x7E_mpfilt+9fb
BUCKET_ID:  0x7E_mpfilt+9fb
Followup: MachineOwner
---------

With UAC turned off I went into the folder C:\windows\system32\drivers\ and renamed the file mpfilt.sys to mpfilt.sys.old, then restarted the computer. After the reboot I started Regedit.


**** WARNING: when editing the registry, be very careful. I always make backups (Export). There is no undo when editing the registry, and many settings apply immediately. ****


I went to HKLM\SYSTEM\CurrentControlSet\Services\mpfilt, exported the settings for the “mpfilt” key and then deleted that key.
I also exported and deleted HKLM\SYSTEM\ControlSet001\Services\mpfilt and HKLM\SYSTEM\ControlSet002\Services\mpfilt.

Finally I exported and deleted the value called “LowerFilters” in the following locations:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000} (deleted the value “LowerFilters”), and the same process applied to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{36FC9E60-C465-11CF-8056-444553540000} and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}.
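The LowerFilters value removed above is a per-device-class hook, and the dump fingers one such filter (mpfilt.sys) that carries no publisher information. As an added example that is not the post's own code, this PowerShell audits every class filter driver on a machine the same way: it walks LowerFilters/UpperFilters under each class GUID, resolves each service to its driver file, and reports whether the file exists, its Authenticode status and the publisher in its version info. The final filter on what is “worth a closer look” is my own assumption.

```powershell
# Added example, not the post's own code. Audits class filter drivers (LowerFilters/UpperFilters)
# and resolves each one to its .sys file, signature status and publisher.
function Get-ClassFilterDriverReport {
    $classRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
    $svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($classKey in Get-ChildItem -Path $classRoot -ErrorAction SilentlyContinue) {
        $class = Get-ItemProperty -Path $classKey.PSPath
        foreach ($kind in 'LowerFilters', 'UpperFilters') {
            foreach ($svc in @($class.$kind | Where-Object { $_ })) {
                $svcProps = Get-ItemProperty -Path (Join-Path $svcRoot $svc) -ErrorAction SilentlyContinue
                # ImagePath may be missing (default is system32\drivers\<service>.sys), relative to
                # the Windows directory, or prefixed with \SystemRoot\ or \??\ ; normalise all of them
                $image = if ($svcProps -and $svcProps.ImagePath) { $svcProps.ImagePath } else { "system32\drivers\$svc.sys" }
                $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
                if (-not [System.IO.Path]::IsPathRooted($image)) { $image = Join-Path $env:SystemRoot $image }
                $exists  = Test-Path -LiteralPath $image
                $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
                $company = if ($exists) { (Get-Item -LiteralPath $image).VersionInfo.CompanyName } else { $null }
                [pscustomobject]@{
                    Class      = $class.Class
                    ClassGuid  = $classKey.PSChildName
                    FilterKind = $kind
                    Service    = $svc
                    ServiceKey = [bool]$svcProps     # $false when the filter names a service that no longer exists
                    ImagePath  = $image
                    Signature  = $sig
                    Company    = $company
                }
            }
        }
    }
}

# Assumption about what merits review: a filter whose service key or file is gone, whose driver is
# not validly signed, or whose file carries no publisher (the situation this post hit with mpfilt.sys).
Get-ClassFilterDriverReport |
    Where-Object { -not $_.ServiceKey -or $_.Signature -ne 'Valid' -or -not $_.Company } |
    Format-Table Class, FilterKind, Service, Signature, Company, ImagePath -AutoSize
```

On older Windows, inbox drivers signed only through a catalog can report NotSigned, so read the Signature column together with Company and the path rather than on its own.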


Now my system is stable once again.


Does anyone know what this mpfilt.sys does and who produces it?


