Anti-Malware Tools

It’s been about 5 years since I posted anything about the tools I use to clean off malware.  So, here’s my method:

1. Depending on the type of virus involved, I do a System Restore to a restore point from before the infection.

2. Run Hitman Pro.  This uses a combination of Bitdefender and Kaspersky definitions from the cloud.  Note that the free version will not remove the threat if the computer is domain-joined, but it will usually show you where the file or registry entry is so you can remove it manually with another program.

3. Norton Power Eraser.  This is another cloud-based reputation scanner combined with the Symantec virus definitions.  You do need to be careful with this one, as it has a tendency to flag uncommon or infrequently reported files.

4. ADWCleaner.  Generally finds the same files as Hitman Pro, but is completely free and will clean them without asking for money.  Do note that it has a tendency to restart Windows for the cleanup without warning you.

5. TDSSKiller.  The “go-to” rootkit remover.

6. Stinger from McAfee.  McAfee AV definitions in a standalone program.

7. Sysinternals Suite – Specifically, the tools Process Explorer (with built-in VirusTotal support) and Autoruns can help identify an infection and remove it.

– Soli Deo Gloria

Case of the Unexplained: 2014

Mark Russinovich’s famous “Case of the Unexplained” for 2014 from TechEd Europe 2014: http://channel9.msdn.com/Events/TechEd/Europe/2014/WIN-B410

– Soli Deo Gloria

Migrating from XP to Windows 7 – Inventory What’s There

In the midst of upgrading all of our computers from Windows XP to Windows 7, I thought I would share some of the scripts I’m using to make life a little easier.  We currently use local user profiles, printers added by hand from a Windows print server and sometimes statically mapped network drives for users who need to do cross-duty work in other departments.

Yes, I give you permission to laugh, and yes, I know there are ways of doing these things in an automated and centralized fashion.  Going into the companies we buy, however, I’m seeing even sillier things in their environments.  One was a guy using Clonezilla, an external hard drive and a USB stick (at least it wasn’t a CD-ROM) to build a custom image for each and every model of computer hardware he had.  He had an impressive talent for scripting, however, and I found many clever VBScript snippets all over the network that he was firing via the login script to automate things in the background.

The below script is quick, dirty and thrown together from many different sources.  It will give you:

  • All the drives and UNC paths mapped under the logged-in user’s profile
  • All of the printers, networked and local, under the logged-in user’s profile
  • The default printer of the logged-in user
  • Names of all Outlook profiles of the logged-in user (this will error out if none exist)
  • An unsorted list of installed software as given by WMI

Simply call it as the user from the login script and SCCM and have it dump the file somewhere world-writable.  It writes the contents in plain text to a file named username.computer.txt.

– Soli Deo Gloria

' Inventory of the logged-in user's drives, printers, Outlook profiles and software.
' On Error Resume Next keeps the script running when a section is missing
' (for example, no Outlook profiles key); that section simply comes out empty.
On Error Resume Next

Const HKEY_CURRENT_USER = &H80000001
Const r_ProfilesRoot = "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
 & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Default printer: Win32_Printer.Default is True for at most one printer
PrinterDefault = ""
Set colInstalledPrinters = objWMIService.ExecQuery _
 ("Select * from Win32_Printer where Default = True")
For Each objPrinter in colInstalledPrinters
 PrinterDefault = objPrinter.Name
Next

Dim objFileSystem, objOutputFile
Dim strOutputFile

Set objFileSystem = CreateObject("Scripting.FileSystemObject")

Set Shell = CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set oDrives = WshNetwork.EnumNetworkDrives          ' pairs: drive letter, UNC path
Set oPrinters = WshNetwork.EnumPrinterConnections   ' pairs: port, printer name
oUser = WshNetwork.UserName

computername = Shell.ExpandEnvironmentStrings("%computername%")

' One file per user and computer: username.computer.txt on the log share
strOutputFile = "\\wksms01\logs\" & oUser & "." & computername & ".txt"
Set objOutputFile = objFileSystem.CreateTextFile(strOutputFile, True)

objOutputFile.WriteLine("Network drive mappings:")
For i = 0 To oDrives.Count - 1 Step 2
 objOutputFile.WriteLine("Drive " & oDrives.Item(i) & " = " & oDrives.Item(i+1))
Next
objOutputFile.WriteLine("")
objOutputFile.WriteLine("Network printer mappings:")
For i = 0 To oPrinters.Count - 1 Step 2
 objOutputFile.WriteLine("Port " & oPrinters.Item(i) & " = " & oPrinters.Item(i+1))
Next

objOutputFile.WriteLine("Default Printer: " & PrinterDefault)

' Outlook profile names are the subkeys under the Windows Messaging Subsystem\Profiles key
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
 strComputer & "\root\default:StdRegProv")
oReg.EnumKey HKEY_CURRENT_USER, r_ProfilesRoot, subKeys

objOutputFile.WriteLine(" ")
objOutputFile.WriteLine("Outlook Profiles: ")

' EnumKey leaves subKeys Null when the key does not exist, so guard the loop
If IsArray(subKeys) Then
 For Each profileName In subKeys
  objOutputFile.WriteLine(profileName)
 Next
End If

' Win32_Product lists only MSI-installed software and is slow: enumerating it
' makes Windows Installer run a consistency check on every installed product.
Set colSoftware = objWMIService.ExecQuery("Select * from Win32_Product")

objOutputFile.WriteLine(" ")
objOutputFile.WriteLine("Installed Software: ")

For Each objSoftware in colSoftware
 objOutputFile.WriteLine objSoftware.Caption & ", " & objSoftware.InstallDate & ", " & objSoftware.InstallDate2
Next

objOutputFile.Close

Set objFileSystem = Nothing
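An added PowerShell example, not part of the original post, that reads the username.computer.txt files the inventory script writes to \\wksms01\logs and summarizes which UNC paths users depend on before the migration; the server name oldfs01 is an assumed placeholder.

```powershell
# Added example (PowerShell), not part of the original post: parse the
# username.computer.txt files the inventory script writes and summarize them.
$LogShare = '\\wksms01\logs'   # share name from the post

function ConvertFrom-InventoryFile {
    param([string]$Path)
    # File name is <username>.<computername>.txt
    $parts = [IO.Path]::GetFileNameWithoutExtension($Path).Split('.', 2)
    $inv = [ordered]@{
        User = $parts[0]; Computer = $parts[1]
        Drives = @(); Printers = @(); DefaultPrinter = $null
        OutlookProfiles = @(); Software = @()
    }
    $section = $null
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        # The share is world-writable, so only lines matching the script's
        # exact patterns are used; anything else is ignored.
        if ($line -match '^(Network drive mappings|Network printer mappings|Outlook Profiles|Installed Software):$') {
            $section = $Matches[1]
        } elseif ($line -match '^Default Printer:\s*(.*)$') {
            $inv.DefaultPrinter = $Matches[1]
        } elseif ($section -eq 'Network drive mappings' -and $line -match '^Drive (\S+) = (.+)$') {
            $inv.Drives += [pscustomobject]@{ Letter = $Matches[1]; Path = $Matches[2] }
        } elseif ($section -eq 'Network printer mappings' -and $line -match '^Port .* = (.+)$') {
            $inv.Printers += $Matches[1]
        } elseif ($section -eq 'Outlook Profiles') {
            $inv.OutlookProfiles += $line
        } elseif ($section -eq 'Installed Software') {
            $inv.Software += ($line -split ',')[0].Trim()   # Caption only
        }
    }
    [pscustomobject]$inv
}

$all = Get-ChildItem -Path $LogShare -Filter '*.txt' |
    ForEach-Object { ConvertFrom-InventoryFile -Path $_.FullName }

# UNC paths users depend on, most-used first: these must still resolve after the move
$all | ForEach-Object { $_.Drives.Path } | Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Users with a drive mapped to a server being decommissioned (assumed name)
$retiring = 'oldfs01'
$all | Where-Object { $_.Drives.Path -match "^\\\\$retiring\\" } |
    Select-Object User, Computer, @{ n = 'Drives'; e = { $_.Drives.Path -join '; ' } }
```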

AutoAdministrator: A Nifty Free Remote Management Tool

This tip comes from the website 4sysops.com.  There is a program called AutoAdministrator that used to be payware but is now freeware.  It lets you drill into your Active Directory structure and check off a bunch of computers for an action.  What can you do?

  • Password updates
  • Remote shutdown / reboot
  • Services maintenance
  • Registry maintenance
  • Network ping
  • Remote file management
  • Remote file information
  • Logged on user information
  • Execute processes locally or remotely
  • WMI queries
  • ODBC maintenance

I used it to select all the computers in an OU and then look at the logged-in user to see if the computer description matched up.  I was also able to remotely execute programs against multiple computers, which is very cool!

– Soli Deo Gloria

Set Folder and Registry Permissions with VBScript

Sample VBScript that opens up a registry key and a folder with write access for the Everyone group:

' Create temp file with the script that regini.exe will use
'
Set oFSO = CreateObject("Scripting.FileSystemObject")
' GetTempName returns only a file name; place it in the temp folder (2 = TemporaryFolder)
strFileName = oFSO.BuildPath(oFSO.GetSpecialFolder(2), oFSO.GetTempName)
Set oFile = oFSO.CreateTextFile(strFileName)
' regini ACE numbers: 1 = Administrators Full, 5 = Creator Full, 7 = Everyone (World) Full,
' 11 = Power Users Full, 17 = System Full
oFile.WriteLine "HKEY_LOCAL_MACHINE\Software\TraxStar Technologies LLC\Client [1 5 7 11 17]"
oFile.Close

' Change registry permissions with regini.exe (True = wait for it to finish)
'
Set oShell = CreateObject("WScript.Shell")
oShell.Run "regini """ & strFileName & """", 8, True

' Delete temp file
'
oFSO.DeleteFile strFileName

Dim strHomeFolder
Dim intRunError, objShell, objFSO

strHomeFolder = "C:\Program Files\TraxStar"

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strHomeFolder) Then
 ' /t recurses, /c continues on errors, /g everyone:F grants Full Control.
 ' Without /e, cacls replaces the existing ACL with this single entry;
 ' "Echo Y|" answers the "Are you sure" prompt.
 intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls """ & strHomeFolder & """ /t /c /g everyone:F ", 2, True)
End If
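An added PowerShell example, not part of the original post, that targets the same folder and registry key as the script above but grants Modify rather than Full Control, to Authenticated Users (well-known SID S-1-5-11) rather than Everyone, and adds to the existing ACL instead of replacing it; it assumes Authenticated Users is enough for this application and that it is run elevated.

```powershell
# Added example (PowerShell), not part of the original post. Paths are those
# from the post; the principal and rights are assumptions for a tighter grant.
$Folder = 'C:\Program Files\TraxStar'
$RegKey = 'HKLM:\Software\TraxStar Technologies LLC\Client'
$AuthUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # Authenticated Users

function Grant-ModifyAccess {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path $Path
    if ($Path -like 'HK*:*') {
        # Registry: read, set values, create subkeys, delete; no WriteDAC/TakeOwnership
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Sid, 'ReadKey,SetValue,CreateSubKey,Delete', 'ContainerInherit', 'None', 'Allow')
    } else {
        # File system: Modify covers read/write/delete but not changing permissions
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    }
    $acl.AddAccessRule($rule)   # adds to the DACL; cacls /g without /e would replace it
    Set-Acl -Path $Path -AclObject $acl
}

function Get-EveryoneWriteAce {
    # Lists Allow entries for Everyone that carry write rights: run it to see
    # what the cacls/regini lines left behind and to confirm the tighter grant.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        ("$($_.FileSystemRights)$($_.RegistryRights)" -match 'Write|Modify|SetValue|FullControl')
    }
}

foreach ($p in $Folder, $RegKey) {
    if (Test-Path -Path $p) {
        Grant-ModifyAccess -Path $p -Sid $AuthUsers
        Get-EveryoneWriteAce -Path $p | Select-Object IdentityReference, FileSystemRights, RegistryRights
    }
}
```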

– Soli Deo Gloria

Giveaway of the Day: XYplorer 14.40

Very nice file manager.  I own the full version, but this free one is almost as good!  Today only.

http://www.giveawayoftheday.com/xyplorer-14-40/

– Soli Deo Gloria

A Weekend with Plex

I finally decided to take the plunge and bought the lifetime subscription for Plex so I could dump all my TV shows into it and stream them to the TV in the living room using Chromecast.  However, certain TV shows just wouldn’t show up, and the server log files weren’t much help.  The issue is that Plex expects to see files in the SXXEXX format, where S is the season and E is the episode number.  If your files don’t have this format, Plex will refuse to add them properly.

The real bear, of course, is that you may have many files…thousands of files…that do not fit this format.  What’s a guy to do?  FileBot to the rescue!  Basically, this program looks at each filename, tries to determine which TV show it belongs to from an online TV database and then offers to put it in the proper naming format.  If the files are missing the TV show name, you can use Bulk Rename to add the show name to any part of the file en masse.  To find out if you are missing any episodes, you can use TV Rename.

– Soli Deo Gloria

Bill Gates Trashed the Charms Bar, Win9 to RTM by end of 2014

http://www.reddit.com/r/windows/comments/2eclyz/updates_on_windows_9_and_windows_81_updates_by/

– Soli Deo Gloria

Windows 9 Tech Preview Coming in Late September

http://www.zdnet.com/microsoft-to-deliver-windows-threshold-tech-preview-around-late-september-7000032668/

– Soli Deo Gloria

Paragon Rescue Kit 14 Free

Got an e-mail from Paragon this morning about the Windows PE based Paragon Rescue Kit 14 Free: http://www.paragon-software.com/home/rk-free/.  I decided to take it for a test drive and, unfortunately, I am disappointed.  First, you cannot install the program without registering.  It’s free to register to get the codes, but that’s a pain!  It wanted to use the Windows 8.1 ADK, which I downloaded.  There are two versions you can build: x86 and x64.  I built the x86 version.  When I booted it, it came up with a screen with several buttons: backup to virtual disk, postmortem backup, undelete partition, boot corrector, transfer files, load drivers, setup network.  You can also do a restore, of course.  That’s it.  No file manager, no desktop and…no thanks.

There are better WinPE discs out there, such as this one or the ones over at http://reboot.pro:

http://windowsmatters.com/2013/04/30/windows-8-based-pe-boot-disk-with-explorer-shell-and-all-my-favorite-apps/

– Soli Deo Gloria