Friday, November 30, 2012

Excellent Group Policy How-To

I've been testing Windows Server 2012 via the "Early Experts" class, which is a very cool class, and experienced this very informative, super user-friendly TechNet how-to article on Group Policy. I'm not a GP guy. What I mean by that is that my job doesn't require a deep understanding of GP, only a foundational-level understanding of GP, so I don't know the really cool things you can do with GP for your network(s). After going through this how-to for Server 2012 I now understand some deeper things about GP.

The how-to is for Server 2003, but it works for Server 2012 at least for the part we are at in Administering GP.

Check it out here.

I highly suggest going through, at your own pace, the Windows Server 2012 Early Experts challenge.

Monday, November 19, 2012

Slay the File Recovery Malware

I recently slayed the File Recovery malware on my brother's computer. I'll give you my routine that worked. If you have another one, please let me know in the comment box.

File Restore hides your start menu links and a bunch of other stuff to scare you that your computer is truly broken. We won't restore this stuff in the beginning of the routine though. I wanted to go ahead and tell you so you know why those links are gone in case you have to deal with this beast.

I disabled Microsoft Security Essentials real-time scanner in preparation for Combofix.
I then ran Combofix. I ran Combofix before Malwarebytes because I know this malware is really nasty and wanted to go in with the big guns first. Don't be scared to run Combofix. Start the app file, proceed with defaults. It will go through around 50 scans (the speed of the scans depends on your computer's specs - I've seen it go fast, I've seen it take a while - 10 to 60 minutes), then it will create a log report, then open the log report giving you details on what it did.
Rebooted into safe mode.
Ran Malwarebytes quick scan. It only detected some PUPs. I told Malwarebytes to delete them anyway because it was adware and I wanted to make the system squeaky clean.
Rebooted into normal mode.
Ran Windows Repair. This tool is amazing. File Restore can really mess with the default settings for Windows, thus making it look broken. Windows Repair fixes the stuff malware screws up like that. It's a very nice tool. It automatically reboots after the scan finishes. This scan can take a while too. Again, the speed of the scan depends on the specs of your computer.

Windows was fixed after this routine. I wasn't done yet though. I enabled the real-time scanner for Microsoft Security Essentials. I made sure the quick scan was on a daily schedule. It was. I also wanted to make sure this computer was safe not just from the non-user stuff, but even from user-related 'attacks' like answering the door for malware when it goes knocking. I hooked them up with OpenDNS. I enabled the web filter. I went with the Custom configuration on the web filter enabling protection from Adware, P2P/File share sites, Dating sites, Nudity, Pornography, Proxy/Anonymizer, and Web Spam. OpenDNS also has basic malware/botnet protection, which helps.

Then, I installed the Web of Trust add-on for Internet Explorer and Firefox. Web of Trust is a terrific browser add-on rating websites to give you an idea of what you're getting into before you visit a site. A small dot next to each link gives you a rating for the site: green is good, yellow is questionable and red is bad.

If you click on a red-rated site, WOT will pop up asking you if you really want to visit this site and list why the site is rated red. This will scare most users, preventing them from downloading and installing malware by accident. It's nice. It works.

This is how I handled the problem. Do you have a different way? Tell me about it in the comment box below.

Friday, November 9, 2012

HP All-in-One Black Screen Blinking Cursor at Startup

I got a call from my brother earlier this week. He told me his HP All-in-One computer (brand new by the way) will only display a black screen with a blinking cursor after the blue HP splash screen. At the splash screen he has the option to click the escape key for diagnostics. He said the diagnostics don't solve the problem and asked if I could take a look at it for him. I said sure.

When I arrived at the scene, it was exactly as he told me: black screen, blinking cursor. He was worried about the hardware, but I assured him it most likely wasn't his hardware and that if it just happened to be the hardware he still had the safety net of the warranty. I restarted the computer. I hit escape when given the option and waited for the HP diagnostic menu. I checked things out, made sure the boot order was correct, etc. I mostly wanted to check out the hardware diagnostic utility. I ran that and all the hardware passed the tests as I thought it would. I couldn't get into the advanced boot options though due to HP's diagnostic stuff overriding such an option. I wanted to boot into safe mode and check things out. If anyone reading this knows how to override HP's boot utility let me know because it's annoying.

Anyway, I put in the Windows 7 disc and got to the recovery console. My hunch was that some malware screwed up the system since Windows wouldn't boot. Keep in mind, I wasn't getting an error message like "bootmgr failed, couldn't be found, etc." or "ntldr missing." All I had to go off of was the black screen, blinking cursor, which isn't much to go by. My hunch was that the boot files were missing and had to be replaced from the Windows disc.

I booted from the Windows 7 disc. Instead of selecting install, I chose 'repair your computer.' After choosing that option, Windows ran a short scan for startup problems. It detected some problems then asked if I wanted to restart to correct the problems. I went ahead with this option even though my usual skepticism kept me from thinking this would solve the problem. I was right. It didn't solve the problem. I booted back into the recovery console, this time startup repair didn't detect any problems (???), then I went for the command prompt. This is where you want to go for this kind of problem. If you encounter this problem, go to the command prompt and enter the following commands, hitting enter after each command. Make sure to include the spacing exactly as it is shown.

Bootrec.exe
bcdedit /export C:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
bootrec /RebuildBcd
bootrec /fixmbr
bootrec /fixboot
exit

After these commands, remove the rescue CD then reboot. Your computer should now boot into Windows 7.
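The same sequence as a batch file, added here as an example and not something from the original post: it can be saved to a USB stick and run from the recovery console command prompt. What it adds over typing the commands one by one is that it stops if the BCD backup export fails or if the old store cannot be renamed, so you never end up rebuilding with no backup to fall back on. It assumes the Windows volume is C: and the store is at C:\boot\bcd, as in the post; the STORE and BACKUP variable names are mine.

```batch
@echo off
rem Added example (not the post's own script): the post's BCD rebuild sequence
rem for the Windows 7 recovery console command prompt, with a stop at each
rem step that must not fail silently.
rem Assumes the Windows volume is C: and the BCD store is at C:\boot\bcd.

set STORE=C:\boot\bcd
set BACKUP=C:\BCD_Backup

rem 1. Back up the current boot configuration store before touching it.
bcdedit /export %BACKUP%
if errorlevel 1 (
    echo Backup of the BCD store to %BACKUP% failed - not continuing.
    exit /b 1
)

rem 2. Clear the system, hidden and read-only attributes so the store can be renamed.
attrib -s -h -r %STORE%

rem 3. Move the old store aside instead of deleting it, so it can be restored
rem    with "bcdedit /import %BACKUP%" if the rebuild goes wrong.
ren %STORE% bcd.old
if errorlevel 1 (
    echo Could not rename %STORE% - check the drive letter and try again.
    exit /b 1
)

rem 4. Rebuild the store from the Windows installations bootrec finds.
rem    bootrec asks whether to add each installation it detects; answer Y.
bootrec /RebuildBcd

rem 5. Rewrite the master boot record and the boot sector of the system partition.
bootrec /fixmbr
bootrec /fixboot

echo Done. Remove the rescue disc and reboot.
```

If the rebuild leaves the machine unbootable, the backup made in step 1 can be put back from the same recovery prompt with `bcdedit /import C:\BCD_Backup`.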

We're not out of the woods yet though! I booted into their desktop and what did I see? I saw the File Restore monster. It was "scanning" showing me all of these "problems," a thousand windows were opening a second; it was crazy. Since I had dealt with this monster in the past, I was prepared to slay it this time around. My brother was worried that it was his computer; that it wasn't secure enough. I assured him that this malware only gets in if it's let in. This stuff doesn't get in by brute force. Someone using the computer let it in, by accident of course, but still having an Apple or Ubuntu wouldn't have stopped this.

Anyway, how did I slay the File Restore monster? I'll give you my routine that works. If you have another one, please let me know in the comment box.

File Restore hides your start menu links and a bunch of other stuff to scare you that your computer is truly broken. We won't restore this stuff in the beginning of the routine though. I wanted to go ahead and tell you so you know why those links are gone in case you have to deal with this beast.

I disabled Microsoft Security Essentials real-time scanner in preparation for Combofix.
I then ran Combofix. I ran Combofix before Malwarebytes because I know this malware is really nasty and wanted to go in with the big guns first. Don't be scared to run Combofix. Start the app file, proceed with defaults. It will go through around 50 scans (the speed of the scans depends on your computer's specs - I've seen it go fast, I've seen it take a while - 10 to 60 minutes), then it will create a log report, then open the log report giving you details on what it did.
Rebooted into safe mode.
Ran Malwarebytes quick scan. It only detected some PUPs. I told Malwarebytes to delete them anyway because it was adware and I wanted to make the system squeaky clean.
Rebooted into normal mode.
Ran Windows Repair. This tool is amazing. File Restore can really mess with the default settings for Windows, thus making it look broken. Windows Repair fixes the stuff malware screws up like that. It's a very nice tool. It automatically reboots after the scan finishes. This scan can take a while too. Again, the speed of the scan depends on the specs of your computer.

Windows was fixed after this routine. I wasn't done yet though. I enabled the real-time scanner for Microsoft Security Essentials. I made sure the quick scan was on a daily schedule. It was. I also wanted to make sure this computer was safe not just from the non-user stuff, but even from user-related 'attacks' like answering the door for malware when it goes knocking. I hooked them up with OpenDNS. I enabled the web filter. I went with the Custom configuration on the web filter enabling protection from Adware, P2P/File share sites, Dating sites, Nudity, Pornography, Proxy/Anonymizer, and Web Spam. OpenDNS also has basic malware/botnet protection, which helps.

Then, I installed the Web of Trust add-on for Internet Explorer and Firefox. Web of Trust is a terrific browser add-on rating websites to give you an idea of what you're getting into before you visit a site. A small dot next to each link gives you a rating for the site: green is good, yellow is questionable and red is bad.

If you click on a red-rated site, WOT will pop up asking you if you really want to visit this site and list why the site is rated red. This will scare most users, preventing them from downloading and installing malware by accident. It's nice. It works.
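Both posts above say File Restore makes the Start Menu links and other items disappear and leave it to Windows Repair to bring them back. A quick read-only check, added here as an example (not the post's own tool), that counts hidden items under the Start Menu and Desktop folders before and after the cleanup. It assumes, since the post does not say how the hiding is done, that the malware sets the hidden file attribute rather than deleting anything; if the count is zero both before and after while the links are still missing, that assumption is wrong for the variant at hand and the files need to be looked for elsewhere. It changes nothing on disk.

```batch
@echo off
rem Added example, not from the post: count hidden items in the folders the
rem post says File Restore blanks out. Assumption: the malware sets the hidden
rem attribute (the post does not state the mechanism). Read-only; run it before
rem Windows Repair to confirm the links still exist, and after to confirm they
rem are visible again (the count should drop to zero or near it).
setlocal enabledelayedexpansion

for %%D in (
    "%APPDATA%\Microsoft\Windows\Start Menu"
    "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
    "%USERPROFILE%\Desktop"
    "%PUBLIC%\Desktop"
) do (
    set COUNT=0
    rem /a:h lists only hidden entries; /b /s gives one full path per line.
    rem Errors (e.g. a folder that does not exist) are discarded.
    for /f "delims=" %%F in ('dir /a:h /b /s %%D 2^>nul') do set /a COUNT+=1
    echo !COUNT! hidden item(s) under %%~D
)

endlocal
```

A handful of hidden items is normal (desktop.ini files, for instance), so the useful signal is a large count before the cleanup that falls back to a few afterwards, not a strict zero.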


My brother and his wife were very excited with the work I did for them. They feel better and safer, which is good.

This is how I handled the problem. Do you have a different way? Tell me about it in the comment box below.