Category Archives: 5281

Port 48195 – increased attacks

Body:

I was onsite today with a client and they still use Scorpion Software's Firewall Dashboard product to monitor their ISA 2004 server. The morning report came in and it showed that from some time yesterday there had been a massive increase in the attacks on their server. I dug a little deeper and found that the attacks were all destined for port 48195. I did some digging and found nothing out there at the moment, so I pinged a few security people I know (Susan Bradley and Dana Epp) – they too knew nothing.


From what I can see, the source IPs are all from different Aussie ISPs, which makes me suspect that there is some malware out there on infected machines that is trying to attack various hosts. Watch out for more on this as I find out.
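The pattern in the report above (one port, a jump in hits, lots of different source addresses) can be pulled out of the raw firewall log without a dashboard. The Python below is an added example and is not part of the original post or of Scorpion Software's product: it parses a constructed, simplified log format (date, time, action, source, destination, destination port; real ISA 2004 W3C logs carry many more columns, so adapt `parse_line()` to your own field order) and flags any destination port whose daily count is several times the previous day's and comes from more than a handful of distinct sources. The function names are this example's own.

```python
"""Flag a destination port whose hit count jumps from many distinct sources.

Added example, not part of the original post or of Scorpion Software's
Firewall Dashboard.  The log lines below are constructed in a simplified
format (date time action src dst dport); ISA 2004 W3C logs have many more
fields, so adapt parse_line() to your own column order.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample: two days of denied inbound connections.  Day two shows the
# kind of spike the post describes: one port, many different source addresses.
SAMPLE_LOG = """\
2009-07-01 09:12:03 DENY 203.0.113.7 198.51.100.10 445
2009-07-01 10:41:55 DENY 203.0.113.9 198.51.100.10 48195
2009-07-01 13:20:17 DENY 198.18.4.2 198.51.100.10 1433
2009-07-01 18:05:40 DENY 203.0.113.7 198.51.100.10 135
2009-07-02 00:10:01 DENY 203.0.113.21 198.51.100.10 48195
2009-07-02 00:10:09 DENY 203.0.113.22 198.51.100.10 48195
2009-07-02 00:11:30 DENY 203.0.113.23 198.51.100.10 48195
2009-07-02 00:12:44 DENY 203.0.113.24 198.51.100.10 48195
2009-07-02 01:02:12 DENY 203.0.113.25 198.51.100.10 48195
2009-07-02 01:03:00 DENY 203.0.113.21 198.51.100.10 48195
2009-07-02 02:15:19 DENY 203.0.113.7 198.51.100.10 445
2009-07-02 03:33:51 DENY 203.0.113.26 198.51.100.10 48195
this line is junk and must be skipped
"""


def parse_line(line):
    """Return (day, src_ip, dst_port) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    day_str, _time, _action, src, _dst, port = parts
    try:
        return date.fromisoformat(day_str), src, int(port)
    except ValueError:
        return None


def port_activity(log_text):
    """Build {day: {dst_port: Counter(src_ip -> hits)}} from the log text."""
    activity = defaultdict(lambda: defaultdict(Counter))
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            day, src, port = parsed
            activity[day][port][src] += 1
    return activity


def find_spikes(log_text, today, factor=4, min_sources=3):
    """Ports whose hits on `today` are at least `factor` times the previous logged
    day's and come from at least `min_sources` distinct source addresses.
    Returns {port: {"hits": n, "baseline": n, "sources": [ip, ...]}}."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    activity = port_activity(log_text)
    yesterday = max((d for d in activity if d < today), default=None)
    spikes = {}
    for port, sources in activity.get(today, {}).items():
        hits = sum(sources.values())
        baseline = sum(activity[yesterday][port].values()) if yesterday else 0
        # A port never seen before has no baseline; treat it as 1 so it can still trigger.
        if hits >= factor * max(baseline, 1) and len(sources) >= min_sources:
            spikes[port] = {"hits": hits, "baseline": baseline, "sources": sorted(sources)}
    return spikes


if __name__ == "__main__":
    for port, info in find_spikes(SAMPLE_LOG, "2009-07-02").items():
        print(f"port {port}: {info['hits']} hits vs {info['baseline']} the day before, "
              f"{len(info['sources'])} distinct sources: {', '.join(info['sources'])}")
```

The distinct-source count is the part worth keeping: a single noisy host hammering one port is a different problem from dozens of residential addresses all finding the same port, which is what points at infected machines rather than one attacker.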

Category: Troubleshooting
Published: 3/07/2009 10:51 AM

How to mess up your network with virtualisation…

Body:

Got a call from a friend yesterday. He had some problems with his network which essentially revolved around Active Directory being messed up. The exact details are a little unclear, but the long and short of it was that around a week back, their main DC had some hardware problems, so they resolved it by transferring the system over to Hyper-V (not sure how they did this either). The AD problems continued and they dug deeper. Along the way (and I don't know where/when) they decided to DCPromo two of their non-virtualised DCs down to member servers (one of them was their Exchange server). Problems persisted. I was asked to look into it some more and found a few things. Netdiag was reporting all kinds of problems with DNS (which was AD-integrated), and in the Directory Service event log we found just one error which suggested that they were in a USN rollback scenario. USN rollback scenarios are discussed here: http://support.microsoft.com/?kbid=875495 .

The USN (update sequence number) is an internal counter that each domain controller increments for every change it commits; its replication partners remember the highest USN they have received from it, and that is how they track where they are at with respect to replication of Active Directory information. If a DC detects that it has rolled back (a partner asks it for changes beyond a USN it has never actually issued) then it will stop replicating information to and from other DCs. It will also put the NETLOGON service into a paused state so that it stops advertising itself as a domain controller. It does this to protect the rest of the network. On Windows Server 2003 SP1 and later the tell-tale signs are Directory Service event ID 2095 and the "Dsa Not Writable" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters being set to 4. Ok so my friend being a developer (and having a couple of developers with him) saw the NETLOGON service was paused, so what did they do? They wrote a script to restart the NETLOGON service so it would not pause. Sheesh – NEVER LET A DEVELOPER RUN YOUR NETWORK. 🙂

Ok – so the way to fix a USN rollback is to dcpromo the affected server down (with /forceremoval, since it can no longer replicate) and then back up to a domain controller, OR restore a system state backup taken before the rollback. The only problem was that this was their last DC, and I was uncertain of the last system state backup. It turned out that it was only done AFTER they moved the virtualised DC from physical into virtual. Ouch. Digging deeper, it follows that they did some form of image backup on the physical system while it was live – unsure of what tool was used, but doing something like this is NEVER a good idea in a multiple domain controller environment.

It’s now a few days since I started writing this blog post and my friend has had to accept defeat. He finally bit the bullet and called MS for support – their only responses were as above – restore the AD from backup… which he didn’t have a good backup of at all.  He had to accept that he needed to rebuild his entire domain from scratch. 

What caused it? Well I suspect that the way he moved the physical DC into a virtualised environment was the start of the problems. Not ensuring he had good / tested backups along the way was also part of the problem.  Not calling on experienced resources early in the piece was a big problem too.

Long story short – Microsoft have said that they don’t support imaging of DCs live – there are reasons behind that – DON’T DO IT.  If you are out of your depth – CALL FOR HELP. Backups are useful… during a problem situation you can NEVER have too many of them.
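To make the "why" concrete, here is an added toy model of the sequence above; it is not part of the original post and not Microsoft's code. It models only the high-watermark half of AD replication (no up-to-dateness vector, conflict resolution or tombstones), uses `inv-N` strings in place of invocationID GUIDs, and the class and function names (`DomainController`, `rewind_pair`, the `scenario_*` functions) are this example's own. It shows three things: a DC restored from a live image keeps its invocation ID and so gets quarantined the first time a partner asks for changes it has never issued; forcing Netlogon back to running (the developers' script) does nothing about the replication quarantine; and a system state restore of the same data comes back with a fresh invocation ID, so partners simply start a new watermark for it.

```python
"""Toy model of USN rollback: live image restore vs. system state restore.

Added example, not part of the original post and not Microsoft's code.  Only
the high-watermark half of AD replication is modelled (no up-to-dateness
vector, conflict resolution or tombstones) and "inv-N" strings stand in for
invocationID GUIDs.  All names here are this example's own.
"""
import copy
import itertools

_ids = itertools.count(1)


class DomainController:
    def __init__(self, name):
        self.name = name
        self.invocation_id = f"inv-{next(_ids)}"  # new GUID at promotion or proper restore
        self.usn = 0               # highest committed USN on this DC
        self.objects = {}          # dn -> (value, local usnChanged)
        self.watermarks = {}       # partner invocation_id -> highest USN received from it
        self.replication_disabled = False
        self.netlogon_paused = False

    def write(self, dn, value):
        """Originating write: take the next USN and stamp the object with it."""
        self.usn += 1
        self.objects[dn] = (value, self.usn)

    def image(self):
        """A live disk image: byte-for-byte copy, invocation ID included."""
        return copy.deepcopy(self)

    def restore_from_image(self, img):
        """Unsupported: the USN counter rewinds but partners still know this invocation ID."""
        self.__dict__ = copy.deepcopy(img.__dict__)

    def restore_system_state(self, backup):
        """Supported: same data, but a fresh invocation ID, so partners start a new watermark."""
        self.__dict__ = copy.deepcopy(backup.__dict__)
        self.invocation_id = f"inv-{next(_ids)}"

    def serve_changes(self, watermark):
        """Source side.  A partner asking for changes above a USN this DC has never
        issued proves the DC was rewound.  Real AD logs Directory Service event 2095,
        sets Dsa Not Writable=4 under ...\\Services\\NTDS\\Parameters, disables both
        replication directions and pauses Netlogon; the toy does the last two."""
        if watermark > self.usn:
            self.replication_disabled = True
            self.netlogon_paused = True
        if self.replication_disabled:
            return None
        return {dn: obj for dn, obj in self.objects.items() if obj[1] > watermark}

    def pull_from(self, source):
        """Destination side: ask for everything above the highest USN seen from source."""
        if self.replication_disabled:
            return None
        mark = self.watermarks.get(source.invocation_id, 0)
        changes = source.serve_changes(mark)
        if changes is None:
            return None
        for dn, (value, _src_usn) in sorted(changes.items(), key=lambda kv: kv[1][1]):
            self.usn += 1                              # re-stamped locally, as real AD does
            self.objects[dn] = (value, self.usn)
        if changes:
            self.watermarks[source.invocation_id] = max(u for _, u in changes.values())
        return sorted(changes)


def rewind_pair(supported_restore):
    """Replay the post's sequence: snapshot a live DC, keep writing, then roll it back."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    for i in range(5):
        dc1.write(f"cn=user{i}", "v1")
    dc2.pull_from(dc1)                      # DC2's watermark for DC1 is now 5
    snapshot = dc1.image()                  # the live image / backup is taken here
    for i in range(5, 8):
        dc1.write(f"cn=user{i}", "v1")
    dc2.pull_from(dc1)                      # DC2's watermark for DC1 is now 8
    if supported_restore:
        dc1.restore_system_state(snapshot)
    else:
        dc1.restore_from_image(snapshot)    # DC1 is back at USN 5 with the same ID
    dc1.write("cn=user8", "v1")             # gets USN 6, a number DC2 has already consumed
    return dc1, dc2


def scenario_live_image():
    dc1, dc2 = rewind_pair(supported_restore=False)
    got = dc2.pull_from(dc1)                # DC2 asks for > 8; DC1 is only at 6
    return {"changes": got,
            "dc1_quarantined": dc1.replication_disabled,
            "netlogon_paused": dc1.netlogon_paused,
            "diverged": sorted(set(dc1.objects) ^ set(dc2.objects))}


def scenario_forced_netlogon():
    """The friend's script: un-pausing Netlogon does nothing for the replication quarantine."""
    dc1, dc2 = rewind_pair(supported_restore=False)
    dc2.pull_from(dc1)
    dc1.netlogon_paused = False             # what the restart script achieved
    return dc2.pull_from(dc1) is None and dc1.replication_disabled


def scenario_system_state():
    dc1, dc2 = rewind_pair(supported_restore=True)
    got = dc2.pull_from(dc1)                # unknown ID, watermark 0: a clean full cycle
    return {"changes": got, "dc1_quarantined": dc1.replication_disabled}
```

The `diverged` list in the first scenario is the real damage: the three objects written after the image was taken exist only on DC2, and the object written after the restore reused a USN DC2 had already consumed, so it would never replicate even if the quarantine were lifted. That is why the only supported fixes are a proper restore or a demote-and-repromote, not a service restart.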

Category: Troubleshooting
Published: 22/05/2009 6:12 AM

Kyocera Print Mode Error from Outlook 2007

Body:

Last week my accountant called me with a problem. He was having problems "printing anything to the Kyocera printer". He has a Kyocera Mita KM-1650 KX printer connected to his SBS 2003 Server via the network. All users print to this main printer as their default printer.

I asked him over the phone exactly what that meant and in typical client fashion he told me that “anything I try to print to the printer won’t work”.  Ok – he’s just around the corner so I thought I’ll drop in and see what the problem is.

I arrived onsite and he was not there, so I was left to my own investigations.  Here’s how I tackled the problem.

Question 1 – When did the problem start? According to the secretary, he’s had the problem for a while, but they are not sure when the problem started.  Ok – this is good but not definitive.

Question 2 – Does the problem affect all users or only this one user? Again – the secretary says that the problem only affects this one person.  All other users can print just fine.

Question 3 – Given the problem only affects one user, is it with all applications or only one or two? At this point the secretary is unclear, so it’s time to get onto the computer and see for myself.

First thing I did was to try to reproduce the problem.  On the users desktop, I went into Printers under Control Panel and printed a printer test page. This worked just fine.  Therefore I figured it had to be an application level problem.

I opened up Word 2007, typed in =rand(10,1) and pressed Enter. This is a cool shortcut that will generate a page of text. You can play with the numbers and get more text, multiple pages and so on. Anyway – once I had a page of text, I hit the print button and waited. The page printed just fine.

I opened up Excel 2007 (no cool shortcut there), typed in numbers in a few columns and hit Print again.  Again the page printed just fine.  Ok – so two key apps work fine.

I opened up Outlook 2007, opened an email and hit Print. Ok – it sent the print job to the printer and the printer displayed “Print Mode Error” on the LCD screen and locked up.  I had to power the printer off and back on again to get it to respond.  Looks like we have a problem then with Outlook 2007 printing to the printer. Ok – so first thing was to check the printer properties for anything strange.

I went to the printer and checked things like page size etc. Sure enough it was set to A4 paper, which is the standard here in Australia. Nothing too out of the ordinary at all really.

Ok so I had to have a hard think about this. What was different about printing from Word 2007, Excel 2007 and Outlook 2007? The answer was the Page Setup. I checked the page setup from within Outlook 2007 and got the Page Setup dialog. You can see that the paper type and size is set for Letter. Ok – that should not cause a problem really, but given we are using A4 paper, I decided to give that a shot and change it to A4.

I then hit print again in Outlook 2007 and was surprised to see that it printed out just fine.  Ok – so was it just the paper setting that did it or was it something else?  I hate to resolve a problem by accident, so I decided to set the paper back to Letter again and test it.  If this was the problem then for sure it would fault again with the Print Mode Error.


Sure enough it did. Cool – I had found the problem. I reset the Page Setup in Outlook for the emails to A4 and tested one more time. Worked fine and I was done! All up the entire problem took less than 5 minutes to investigate and resolve. In fact it has taken longer to write this blog post than it did to resolve the problem. I hope that the solution helps you, but also that the methodology that I used to investigate the problem is of some use to you as well.

Category: Troubleshooting
Published: 19/04/2009 1:02 PM

What is WHEA_Logger?

Body:

One of my client's servers stopped working over the weekend – literally just stopped. We could not log in via the console, and remote connectivity was unresponsive. We had to power cycle the system to get it running again. After it came up, I began to comb the event logs for more information. I found that it stopped working over the weekend on Saturday at around 1:50pm. I know this because Windows records every five minutes that it was still running, and on a reboot after an unscheduled shutdown it reports in the System event log, with an event ID of 6008, the following text: "The previous system shutdown at 1:50:52 PM on 17/01/2009 was unexpected." The System event log also held an event with an event ID of 1 and a source of WHEA_Logger with the following text: "An uncorrected hardware error occurred. A record describing the condition is contained in the data section of this event."

Hmm – interesting – it thinks there has been a significant hardware error that caused it not to blue screen, but to lock up completely. Digging into WHEA_Logger, I found this document that describes just what the Windows Hardware Error Architecture is and what it does.

I looked into the HP iLO logs, which should record all hardware failures, but they are clear. This suggests that the OS thinks there was a major hardware failure but the hardware knows nothing about it. I don't like this at all. The plan of attack at this point is to upgrade the firmware and drivers on the server to the current versions across the board and monitor the situation. If the system fails again then we will log the fault with HP (it's an HP DL580 G5) and, given we will have already upgraded the firmware and drivers to the latest, it should short-cut some of the diagnostics they would normally perform.

Category: Troubleshooting
Published: 20/01/2009 8:16 AM

Netgear WGR 614 Router Config Tip

Body:

I had to program a Netgear WGR614 router last Thursday and the normal http://routerlogin.net would not work. Most frustrating indeed. I did some searching and found that if I did a hard reboot of the router and then went to http://192.168.1.1/basicsetting.htm I could reconfigure it without the wizards. I could not find this little tip anywhere on the Netgear website. Hope it helps 🙂

Category: Troubleshooting
Published: 17/11/2008 9:07 AM

Strange folder names during SBS 2003 to SBS 2008 migration?

Body:

I was doing an SBS 2003 to SBS 2008 migration last week and had something very strange happen. I had a directory called Network Data that literally disappeared. Below you can see the Windows Explorer view shows no trace of the Network Data directory. I initially thought that I had some disk corruption or something else, that is until I dropped to a CMD prompt and did a DIR listing as below. You'll notice that there is a Network Data directory. You will also notice that there is NO Start Menu folder. I looked into both the Network Data folder and the Start Menu folder and found the contents to be the same. Why then was it being called Start Menu in Windows Explorer and not in a CMD prompt?


I copied over the relevant folders to the new SBS 2008 server too, and the problem still persisted, as you can see below. I could not see any reason why the problem would copy over to the new server. Strange, I thought, so I asked the SBS Dev team who were backing me up on this migration (we were part of the SBS 2008 TAP program, where we get to run a customer on SBS 2008 well before its official release). He hit it on the first attempt. Inside the Network Data folder was a file called desktop.ini. I learned that the contents of this file (the LocalizedResourceName entry in its [.ShellClassInfo] section) have the ability to customise not only the display of the contents of the folder that it is in, but ALSO the name of that folder when viewed with Windows Explorer. Ok – so when I deleted the desktop.ini file, the folder magically renamed itself to Network Data again and things were fine.


So this problem really has NOTHING to do with the SBS version or the fact that I was doing a migration; it was related to a user somehow putting that file in the folder, and it could have happened anywhere / anytime.
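Because a folder can be made to show any name it likes, this is worth checking for rather than stumbling over. The script below is an added example and not part of the original post: it walks a directory tree, reads each folder's desktop.ini the way Explorer does (the LocalizedResourceName entry in the [.ShellClassInfo] section, which Explorer only honours when the folder carries the read-only or system attribute), and reports every folder whose displayed name does not match its real name. The sample tree is constructed, a throwaway copy of the Network Data folder built under a temporary directory, and function names such as `scan_tree` are this example's own.

```python
"""Find folders whose Explorer display name is overridden by desktop.ini.

Added example, not part of the original post.  A desktop.ini with a
[.ShellClassInfo] LocalizedResourceName entry makes Explorer show that text
instead of the real folder name (only when the folder has the read-only or
system attribute), which is how "Network Data" turned into "Start Menu".
Function names here are this example's own.
"""
import os
import shutil
import tempfile

# Folder attributes Explorer requires before it reads desktop.ini at all.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_SYSTEM = 0x04


def read_desktop_ini(path):
    """Decode desktop.ini, which Windows may write as UTF-16 with a BOM or as ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    for enc in ("utf-8-sig", "cp1252"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            pass
    return raw.decode("latin-1")


def localized_name(folder):
    """Return the LocalizedResourceName Explorer would use for `folder`, or None."""
    ini = os.path.join(folder, "desktop.ini")
    if not os.path.isfile(ini):
        return None
    section = None
    for line in read_desktop_ini(ini).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == ".shellclassinfo" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "localizedresourcename":
                return value.strip()
    return None


def explorer_honours(folder):
    """True if the folder carries an attribute that makes Explorer read desktop.ini.
    Off Windows st_file_attributes does not exist; report True to stay conservative."""
    attrs = getattr(os.stat(folder), "st_file_attributes", None)
    if attrs is None:
        return True
    return bool(attrs & (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM))


def scan_tree(root):
    """(real name, displayed name, attribute set) for every renamed folder under root.
    Values starting with '@' are resource references (e.g. @shell32.dll,-21786) and
    are reported too, since they also hide the real name."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            folder = os.path.join(dirpath, name)
            shown = localized_name(folder)
            if shown and shown != name:
                hits.append((name, shown, explorer_honours(folder)))
    return sorted(hits)


def build_demo(root):
    """Constructed sample tree: the post's folder plus a benign one that only sets an icon."""
    renamed = os.path.join(root, "Network Data")
    os.makedirs(renamed)
    with open(os.path.join(renamed, "desktop.ini"), "w", encoding="utf-8", newline="") as fh:
        fh.write("[.ShellClassInfo]\r\nLocalizedResourceName=Start Menu\r\n")
    benign = os.path.join(root, "Projects")
    os.makedirs(benign)
    with open(os.path.join(benign, "desktop.ini"), "w", encoding="utf-8", newline="") as fh:
        fh.write("[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\r\n")


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return (real, shown) pairs."""
    root = tempfile.mkdtemp(prefix="desktopini-")
    try:
        build_demo(root)
        return [(real, shown) for real, shown, _attr in scan_tree(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
    for real, shown, honoured in scan_tree(os.getcwd()):
        note = "" if honoured else " (attribute not set, Explorer ignores it)"
        print(f"{real!r} is displayed as {shown!r}{note}")
```

Run it against a share root after a migration or a profile copy; a folder whose displayed name mimics a system folder while the attribute check says Explorer will honour it is the case worth looking at, because DIR and Explorer will disagree exactly as they did above.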

Thanks to Adam DePue from the SBS Dev team for helping me sort this one out!

Category: Troubleshooting
Published: 13/08/2008 9:25 PM

Thank you Steve Cooper!

Body:

Steve Cooper is the local Aussie Director for PSS, and for years I've been berating… err, suggesting to him that there needs to be a better way for us to get a hotfix than to call Microsoft all the time. Well there is – and has been for some time – and now they are making it even easier to get hotfixes. When you check out an MS KB article now you will see that they have changed the format of them.


You will see that they now allow you to request the hotfix quickly and efficiently from the web. Look out for the hotfix download icon on the KB articles.


Thanks Steve for listening to what we need and getting it sorted!

Category: Troubleshooting
Published: 3/08/2008 2:09 PM

Exchange 2003 mail getting lost???

Body:

I've had an ongoing scenario on my SBS 2003 server that I've never fully investigated, in which mail to some Yahoo Groups gets "lost". You check the SMTP queues and it's not there, so you believe it's gone out. Then later when you reboot your server, it suddenly appears!!! Apparently if you restart your Exchange Information Store or the SMTP service it will also reappear. Henry Craven discovered this little KB that was released last week which sounds just like the problem that I've been having – Thanks Henry – I'll try it out and see how it goes!

Category: Troubleshooting
Published: 3/08/2008 2:05 PM

How to remove Antivirus 2008

Body:

I had a migraine yesterday – a pretty severe one that lasted 12 hours plus. So today I was off to the Doctor's to figure out what it was and get some drugs to deal with it again. Ok – so then I went to the Pharmacy to get the prescription filled. I've been going to the same Doctor and Pharmacist for 10 years now. Behind the counter, the pharmacist – Allan – was on the phone with Telstra. It turned out that his computer was infected by a virus and had been down since last Friday. He had lodged a case with Microsoft, and they had taken him so far, but then referred him to Telstra Bigpond as it was their antivirus protection package that he had installed. Microsoft walked him through clearing the Internet History, AND they told him to remove the existing antivirus software in an attempt to fix the problem. Telstra Bigpond support was totally lost with this and they could not get his other AV software reinstalled. Anyway – I walked in the door and offered to help. I know that this thing is particularly bad right now and it appears to be constantly changing, which makes it hard for the antivirus packages to keep up with it. I however was very lucky. One of my close friends is Sandi Hardmeier, a known and respected anti-malware fighter. I called Sandi and said "what do I do here…"

Sandi's response was to use SmitfraudFix and Malwarebytes Anti-Malware to clean it. Ok – so I attempted to go to the SmitfraudFix website and found myself redirected to some funky website that was most certainly NOT the SmitfraudFix site. Ok – this is one bad-ass piece of malware on this computer. The issue here is that I don't truly know what the malware on this computer will do now. It could contain a keylogger which is capturing every keystroke I type. Hmm – this is a risk now as anything I do may be logged. The malware was also obviously preventing me from getting to the known sites to get the things I needed to fix this problem. So I thought I'll connect back to my SBS server, which is fully protected, and I guessed that the malware would not know about my URLs etc. The risk though was that the keylogger might capture my passwords! Again this did not bother me, as my servers are protected with two-factor authentication by AuthAnvil. I have a key token which generates a one-time password, which means that even if the keylogger captures my password it is totally useless. So I logged in via RWW, which is protected by RWWGuard, and then on to my SBS server itself. I quickly downloaded the files I needed and emailed them to myself. I was then able to access my email using RWW again and download the files to the computer. There, I bypassed the bad guys' attempts to block me AND protected my passwords at the same time.

Once downloaded I ran SmitfraudFix and set it to scan the system. It produced a logfile which is reproduced in part below.

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+————————————————–+
[!] Suspicious: nfavxwdbmqx.dll
BHO: QXK Olive – {2419FE5A-CAAD-4C36-B45C-90D53379A7B3}
TypeLib: {35068476-D597-421A-A128-5A86F89D5C4C}
Interface: {C9CE49A0-843B-4A0E-8932-491C487B2EB7}
Interface: {D04BC5F0-97AA-404F-B8E4-AED0EF871551}
+————————————————–+
[!] Suspicious: kgxmotapktx.dll
BHO: QXK Olive – {812AE34E-162C-4C94-BAA1-A2C0431AEC84}
TypeLib: {8C6AACDD-4862-496C-BA20-D712AD679760}
Interface: {6A4A71B0-36D2-4674-87AF-288F60E3EC71}
Interface: {A74CD9A1-9348-4B3F-87A4-4852C2CE802E}

[!] Suspicious: eqvwamkl.dll
SSODL: eqvwamkl – {EF2A52A0-938B-4234-B611-AD17904E9996}

[!] Suspicious: evgratsm.dll
SSODL: evgratsm – {EC578342-2C34-40DC-B2DA-4E04D35A0E0C}

I then ran it to clean and it gave me the following (again an excerpt from the log file)

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\nfavxwdbmqx.dll deleted.
C:\WINDOWS\kgxmotapktx.dll deleted.
C:\WINDOWS\eqvwamkl.dll deleted.
C:\WINDOWS\evgratsm.dll deleted.

Ok – so that was some of the bad stuff – I then ran Malwarebytes Anti-Malware across the system and it showed me that the system was HEAVILY infected with a load of bad stuff.

Malwarebytes’ Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 2

11:00:12 30/07/2008
mbam-log-7-30-2008 (11-00-12).txt

Scan type: Quick Scan
Objects scanned: 44702
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 23
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 50

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyyVmji.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efccyayA.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yttcyivq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcn66j0er8j (Rogue.Multiple) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b399c3f-11f4-493e-95b5-22346ad53f93} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b399c3f-11f4-493e-95b5-22346ad53f93} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b44e2b70-ed5a-4704-8c0c-2d0a09eb5a90} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b44e2b70-ed5a-4704-8c0c-2d0a09eb5a90} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyvmji (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcj66j0er8j (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Spammer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\247d4af7 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya  -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\rhcn66j0er8j.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\rhcn66j0er8j.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winfe36.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcj66j0er8j.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\agpqlrfm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcj66j0er8j.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcj66j0er8j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcj66j0er8j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\esea.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\erms.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdhyfgcj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efccyayA.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\Q33B17XP\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnlLefc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccoqtf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ixmgasew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\M10K8Y3M\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pxefpj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qcjuhnwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oeyvtc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\btlnvy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vnwmdxwb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwqxqdrt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysvbxo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpwwljuo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ayayccfe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ayayccfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\djgazb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yttcyivq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qviyctty.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyyVmji.dll (Trojan.Vundo) -> Delete on reboot.

Ok – so at this point it looks like it was clean. To be sure I went to Trend Micro's website and ran a HouseCall scan – this now looks clean.

Advice to the pharmacist then was to ensure he changed all passwords for all online systems. I suggested also that he consider a format and rebuild of the system to be sure and left it in his hands for his regular support people to take over.
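What justifies the "change every password, consider a rebuild" advice is where the malware had hooked itself in, and that is buried in the long log above. The Python below is an added example, not part of the original post or of Malwarebytes' tooling: it parses log lines in the format shown above (the sample lines are copied from that log) and groups the hits by persistence mechanism, singling out the LSA package entries (DLLs loaded into lsass.exe, which handle logon credentials and are handed new passwords in the clear on a change), the Winlogon notify DLLs, the kernel drivers, and anything still marked "Delete on reboot", which is not gone yet. The category names and regexes are this example's own.

```python
"""Group Malwarebytes log hits by persistence mechanism.

Added example, not part of the original post or of Malwarebytes' tooling.
The sample lines are copied from the log above; the bucket names and
patterns are this example's own.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyvmji (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Spammer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b44e2b70-ed5a-4704-8c0c-2d0a09eb5a90} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya  -> Delete on reboot.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winfe36.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# path (family) -> [Data: value ->] action.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")

# Where a hit lives decides what it could do.  First match wins.
PERSISTENCE = [
    # DLL loaded into lsass.exe: sees logon credentials / new passwords in the clear.
    ("lsa_package", re.compile(r"\\Control\\LSA\\(Authentication|Notification) Packages$", re.I)),
    # DLL loaded into winlogon.exe (SYSTEM) on logon/logoff events.
    ("winlogon_notify", re.compile(r"\\Winlogon\\Notify\\", re.I)),
    # Classic per-boot / per-logon autostart.
    ("run_key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    # COM object explorer.exe loads when the shell starts.
    ("ssodl", re.compile(r"\\ShellServiceObjectDelayLoad\\", re.I)),
    # COM object explorer.exe calls on every ShellExecute.
    ("shell_execute_hook", re.compile(r"\\ShellExecuteHooks\\", re.I)),
    # Loaded into every Internet Explorer process.
    ("bho", re.compile(r"\\Browser Helper Objects\\", re.I)),
    # Ring 0.
    ("kernel_driver", re.compile(r"\\drivers\\[^\\]+\.sys$", re.I)),
]


def parse_entry(line):
    """Split one log line into path, family, optional Data value and action."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path, family, rest = m.group("path"), m.group("family"), m.group("rest")
    data = None
    if rest.startswith("Data:"):
        data, _, rest = rest[len("Data:"):].rpartition("->")
        data = data.strip()
    return {"path": path, "family": family, "data": data,
            "action": rest.strip().rstrip(".")}


def classify(path):
    for name, pattern in PERSISTENCE:
        if pattern.search(path):
            return name
    return "other"


def triage(lines):
    """Return persistence buckets, what is still present until reboot, and whether
    anything sat where it could reach credentials."""
    buckets = defaultdict(list)
    reboot_pending = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        buckets[classify(entry["path"])].append(entry["path"])
        if entry["action"].lower().startswith("delete on reboot"):
            reboot_pending.append(entry["path"])
    persistence = dict(buckets)
    return {
        "persistence": persistence,
        "reboot_pending": reboot_pending,
        "credential_risk": bool(persistence.get("lsa_package") or persistence.get("winlogon_notify")),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for bucket, paths in result["persistence"].items():
        print(f"{bucket}: {len(paths)}")
    print("still present until reboot:", len(result["reboot_pending"]))
    print("credential exposure likely:", result["credential_risk"])
```

Anything in the lsa_package or kernel_driver buckets means the box ran attacker code with the same visibility as the operating system itself, which is the point at which "clean" scan results stop being a reason to trust the machine and a flat rebuild becomes the safer call.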

Category: Troubleshooting
Published: 30/07/2008 8:57 PM

USB Flash Drive not working on Windows Vista?

Body:

I picked up a 16G Corsair Flash Voyager when I was in the US last month from Fry's. It worked fine on my laptop but refused to work on my desktop. Instead I got the dialog box below requesting drivers for it. Naturally I didn't have drivers for it.


I did some digging and found that the Corsair website has some helpful FAQs; at this link it had the instructions below.

Please try the following instructions to get your USB devices working properly in Windows Vista:

1. Go to Local Disk (C:)\Windows\System32\DriverStore\FileRepository
2. Go to usbstor.inf (click the one that is newest)
3. Copy the usbstor.inf and usbstor.PNF files.
4. After you have copied the two files, go to the Windows\inf folder and paste the files in that folder.

Now your USB devices should work.

Now – in my case, I found that the usbstor.inf and usbstor.pnf files were both missing from the Windows\inf folder. I don't know why – but they were. Copy and replace as per the instructions and it's working fine now.

Category: Troubleshooting
Published: 12/05/2008 10:48 PM