How To Spot Fake AV Malware

So you’re surfing the internet, minding your own business, and suddenly a message pops up that warns “you’re infected”. Is it true? Sometimes. Unfortunately, these days the fake AV software looks more real than ever.

Here’s a good example of some fake AV that looks fairly convincing:

image

At first glance, a lot of people see this and believe they’re actually infected.

To make matters worse, even if you don’t click on the “Erase infected” button, after a few moments another window pops up:

image

Sadly, many users click “Yes, protect my PC now” and then it’s too late.

How Can You Tell It’s Fake?

Other than the obvious (knowing the name of the REAL antivirus software you have installed and knowing what it looks like), there are several tells that give the fake AV away:

Browser version:
(This machine has IE8, but the fake AV says IE7)
Wrong browser version reported

Number of drives / letters:
(This machine doesn’t have a D: drive, yet the fake AV reports infections on it)
Reporting infections on drives that don't exist.

Incorrect navigation bars:
(Fake AV displays a modified Vista navigation bar on a Windows 7 machine)

Fake AV

Fake AV menu

 
Real Windows Vista

Real Vista menu

 
Real Windows 7

Real Windows 7 menu

 

Typos or incorrect punctuation:
(Apostrophes pointed the wrong way)

Typos in dialog boxes are a clue that the software isn't legit. 

Virus warnings that are displayed in a web page:

A browser tab can draw anything it likes, including a convincing copy of a scanner window. Your real AV alerts come from the product installed on the PC, not from the site you happen to be visiting, so a “scan” that runs inside the browser window (and disappears when you close the tab) is a fake.

Web page pretending to be virus warnings

Solution:

Train your users by showing them what the REAL AV software looks like, and show examples of what the fake software looks like.

The best way to show the real software in action is to trigger an actual virus alert. Then you can screenshot your current AV software. But instead of using a real virus to trip the alert, you can use the EICAR test file.

The EICAR test file is a harmless 68-character text file that every mainstream AV product detects on purpose. EICAR publishes it in several formats (a .com, a .txt, and zipped versions) so you can exercise on-access, archive and mail scanning separately. Expect it to be quarantined the instant it lands on disk, or blocked by the browser before it does; either one is the screen you want to capture. Don’t email it around the office, since mail gateways stop it by design and your users end up with the wrong screenshot:
EICAR virus test file

Here’s what it looks like inside the eicar.com.txt file:
Inside the EICAR file

You can use the EICAR file to generate end-user documentation on what your real AV software screens look like.
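If you would rather generate the file yourself than download it, here is an added PowerShell example (not from the original post, and not an EICAR-provided script) that writes the test file and checks that what it wrote is byte-exact, because a single stray character means the scanner will, correctly, ignore it. The string is assembled from three pieces so that the script itself isn’t flagged while you copy it around; the file it writes will be. The location under %TEMP% is an assumption; anywhere the on-access scanner covers is fine.

```powershell
# Added example (not from the original post): write the EICAR test file
# and confirm it is byte-exact before using it to trigger your real AV.
# Assembled from pieces so this script is not itself flagged in an editor.
$parts = @(
    'X5O!P%@AP[4\PZX54(P^)7CC)7}$',
    'EICAR-STANDARD-ANTIVIRUS-TEST-FILE',
    '!$H+H*'
)
$eicar = -join $parts

# Checks from the EICAR spec: exactly 68 characters, known start and end.
# Trailing whitespace is tolerated, but the file must stay under 128 bytes
# or detection is not guaranteed.
if ($eicar.Length -ne 68 -or -not $eicar.StartsWith('X5O!') -or -not $eicar.EndsWith('H+H*')) {
    throw "EICAR string is corrupted (length $($eicar.Length))"
}

# Assumed location; pick any folder your on-access scanner watches.
$path = Join-Path $env:TEMP 'eicar.com.txt'
[System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)

# A working install normally removes the file within seconds of it being written.
Start-Sleep -Seconds 5
if (Test-Path -LiteralPath $path) {
    "$path still exists: on-access scanning did not catch it; try a manual scan of the file"
} else {
    "$path was removed by the AV product: on-access scanning is working"
}
```

Run it on the machine you are documenting, not on a file share that other people’s scanners watch, or you will generate alerts for everyone on the network instead of one clean screenshot.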

Example: Microsoft Security Essentials

1) Initial “infection” (triggered by clicking on the eicar.com.txt file)

Microsoft Security Essentials - Virus found

2) After clicking Show details

Microsoft Security Essentials - Show Details

3) After clicking Clean computer

Microsoft Security Essentials - Virus removed

You can create a one-sheet “Virus Response Document” to print out and give to your users and include your phone number on the bottom. A little education up front can save lots of lost time and expense cleaning up after an infection or fake AV software removal battle.


Crazy Screen Shots – Outlook Takes 5 Days to Send

Sender complains that when they send an email the recipient doesn’t get it until 5 days later. Inbound email works fine. This is on a POP3 account (with no Exchange involved).

The source of the problem was located in the Outbox:

You've Got Mail!

Yep, that’s right, a 95 MB email attachment (sent twice). :)

Once those items were deleted from the Outbox, email flow returned to normal.


Windows Black Screen Of Death (KSOD)

The news rags are online pointing fingers about who is to blame for the latest Windows issue nicknamed the blacK Screen Of Death (KSOD). Microsoft says it’s not a patch issue, and Prevx apologized for initially blaming a patch. All I know for sure is that people want it fixed.

Oddly enough, about 10 minutes after reading the news I got a call from a client about a workstation exhibiting similar problems:

  • No desktop icons
  • No taskbar or start menu
  • Solid background (no wallpaper)

I’m not 100% certain that this is the same issue in the KSOD reports in the news, but it sounds similar.

WHAT DIDN’T WORK FOR ME

  • Launching Explorer.exe from the Task Manager
  • System Restore

WHAT DID WORK FOR ME

  1. Rebooted the PC in normal mode and logged in as Administrator
  2. Ctrl-Alt-Del / Task Manager

    Launch Task Manager from Ctrl-Alt-Del
  3. File | New Task (Run)

    File / Run

  4. Click Browse and browse to:
    "C:\Program Files\Internet Explorer\iexplore.exe"
    Click OK

    "C:\Program Files\Internet Explorer\iexplore.exe"

  5. When Internet Explorer opened, went to the following URL and downloaded SuperAntiSpyware:
    http://www.superantispyware.com/ 
  6. Installed SuperAntiSpyware, ran a scan and it found the following results:

    Trojan.SVCHost/Fake

  7. I let SuperAntiSpyware remove that trojan, rebooted, logged back in and the desktop icons, start menu and taskbar were working again.

 

Here is the item that SuperAntiSpyware quarantined:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Debugger – C:\Program Files\Microsoft Common\svchost.exe)

That registry value is the whole trick. A Debugger value under Image File Execution Options tells Windows to start the named “debugger” (with explorer.exe as its argument) instead of explorer.exe itself, every time anything launches explorer.exe. That is why the desktop never appeared, and why launching Explorer.exe from Task Manager didn’t help either: each attempt just ran the malware again. The path is a giveaway on its own, too. The real svchost.exe lives in %SystemRoot%\System32, not in a “Microsoft Common” folder under Program Files.

Again, I’m not saying for certain that this is the same issue others are reporting, but I wanted to pass  along what I found in case others see similar issues. This is what worked for me – your mileage may vary.
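You don’t have to wait for a scanner to find this. The PowerShell below is an added example (not from the original post, and not a SuperAntiSpyware feature) that walks every Image File Execution Options subkey, prints any Debugger value, and flags two things: a debugger that isn’t on your own allow-list, and a debugger named like a core Windows binary (svchost.exe, winlogon.exe and so on) that lives somewhere other than under %SystemRoot%, which is exactly the fake svchost.exe pattern above. The allow-list, the list of system binary names and the list of critical images are assumptions for the example; the script only reads the registry.

```powershell
# Added example (not from the original post): read-only audit of
# Image File Execution Options "Debugger" values, the hijack used against
# explorer.exe above. Edit $allowed to match debuggers you really installed.
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit images on 64-bit Windows register here instead
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debuggers you deliberately configured (assumption for this example).
$allowed = @('vsjitdebugger.exe', 'windbg.exe', 'procdump.exe')

# Names that legitimately exist only under %SystemRoot%; one of these anywhere
# else (like "C:\Program Files\Microsoft Common\svchost.exe") is a masquerade.
$systemNames = @('svchost.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'lsass.exe', 'csrss.exe')

# Images that should never have a debugger attached on a production box.
$criticalImages = @('explorer.exe', 'winlogon.exe', 'userinit.exe', 'taskmgr.exe')

function Test-IfeoDebugger {
    param([string]$Image, [string]$Debugger)
    # The value may be quoted and may carry arguments; keep the executable path only.
    $exe = (($Debugger.Trim() -replace '"', '') -split '\s+')[0]
    $exeName = [System.IO.Path]::GetFileName($exe).ToLower()
    $underWindows = $exe.ToLower().StartsWith(($env:SystemRoot).ToLower())

    $verdict = 'SUSPICIOUS'
    if ($allowed -contains $exeName) { $verdict = 'allowed' }
    if ($systemNames -contains $exeName -and -not $underWindows) { $verdict = 'MASQUERADE' }
    if ($criticalImages -contains $Image.ToLower()) { $verdict = 'CRITICAL IMAGE: ' + $verdict }

    # Does the file the value points at still exist on disk?
    $exists = $false
    if ($exe) { $exists = [bool](Test-Path -LiteralPath $exe) }

    New-Object PSObject -Property @{
        Image    = $Image
        Debugger = $Debugger
        Exists   = $exists
        Verdict  = $verdict
    }
}

$findings = foreach ($key in $ifeoKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Test-IfeoDebugger -Image $sub.PSChildName -Debugger $dbg }
    }
}

if ($findings) {
    $findings | Select-Object Image, Debugger, Exists, Verdict | Format-Table -AutoSize -Wrap
} else {
    'No Debugger values found under Image File Execution Options.'
}
```

Run it from an elevated prompt. If it turns up an entry you didn’t put there, remove both the Debugger value and the file it points at: a leftover value pointing at a file that no longer exists will still stop the target program from starting, which on explorer.exe looks exactly like the black screen.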

UPDATE 12/2/2009:
Here is the link to the Prevx KSOD cleanup tool (I haven’t tried it though):
http://www.prevx.com/blog/140/Black-Screen-woes-could-affect-millions-on-Windows–Vista-and-XP.html


Windows 7 Media Center Missing TV Signal Menu

I was customizing a new Windows 7 Media Center PC for a friend and I ran across an interesting problem that was driving me nuts. This brand new PC has an internal tuner card and is connected to a 10/100/1000 network with an HDHomeRun dual-tuner on the LAN as well. So with the one internal and two external tuners it should be able to record 3 shows at the same time. Pretty cool!

After the initial Windows 7 setup with a mouse & keyboard plugged in, I decided to use my fancy multi-monitor setup and Remote Desktop to finish configuring & patching the PC before taking it on-site. I remotely installed the AV software, updated all of the drivers, etc. However, when it came time to configure Windows Media Center I was in for a bit of a surprise.

When I opened Windows Media Center | Tasks | Settings | TV, the menu was missing some options.

The TV Setup menu looks like this…
RDP Windows 7 Media Center
Fig. 1 Windows 7 Media Center via RDP 

When it should really look like this…
 Hyper-V Windows 7 Media Center
Fig. 2 Windows 7 Media Center via Hyper-V

Or even this…
Console Windows 7 Media Center
Fig. 3 Windows 7 Media Center via Console

As you can see in Fig. 1, the TV menu is missing the Set Up TV Signal option. I searched all over the Internet and couldn’t find an answer to this problem. I tried uninstalling and reinstalling the Windows Media Center feature:
Uninstall Windows Media Center feature in Windows 7

That didn’t fix it.

I even tried Media Center Recovery:

Open a Command Prompt

Type CD \windows\ehome [Enter]

Type mcupdate.exe -MediaCenterRecoveryTask [Enter]

How to reset Media Center to factory defaults

That did reset Media Center, but it didn’t fix the ‘no tuner option’.

So I checked one of my Windows 7 virtual machines running on my Hyper-V test box, and it showed the Set Up TV Signal option as shown in Fig. 2. I decided to try one more thing and RDP into that exact same virtual Windows 7 box and bingo, the Set Up TV Signal option disappeared right before my eyes!

So, I physically logged in locally on the new Win7 PC with a mouse and keyboard, restarted Media Center and the menu choice was there! And the choice for “Configure Your TV or Monitor” was there too. Apparently Windows 7 Media Center knows whether it is running in a Remote Desktop session and hides the tuner and display setup options when it is, so those steps have to be done at the console.

Once you’ve properly configured your tuner(s) the Tasks | Settings | TV menu should look like this…
Windows 7 Media Center properly configured

I’m sure this is an ‘edge case scenario’ since most people aren’t configuring Windows Media Center on Windows 7 via RDP, but it’s good to know that there are differences in MCE depending on how you login.

My original plan was to install this server in a media closet as a headless unit with all of the other AV equipment. But now that I know some features will be missing with RDP, I’m going to plug a physical monitor into it (or maybe install LogMeIn instead).


Key Icon and User Roles in SBS 2008

From the mailbag:

“After a migration, some of the users showed up in the SBS Console with a key under their name and some didn’t. Example:

image

image 

I can’t change RWW access for these users either – it’s grayed out:

image

or even…

image

What does that key mean and how do I get rid of it?”

ANSWER

The key means the users are domain administrators, and therefore you can’t disable RWW for them individually. Don’t be fooled by the “User Role” column.

The key can come from two places.

1 – If a new user is created with the User Role of Network Administrator when running the SBS 2008 Add a new user account wizard, they get that key.

2 – In a migration scenario (like this one) if a user was a member of the “Administrators – domain/Builtin” Security Group on the source server, they will show up with that key after the migration to the SBS 2008 box (see George McFly above):

image 

Before we move on to the resolution (below), there are a few points to remember about User Roles in SBS 2008, detailed below. The wizards make it VERY easy to blow stuff up accidentally.

CAUTION – It is highly recommended that you read and understand all of the information in this blog post before making any changes to user accounts and groups. There is no Undo or Recycle Bin for Active Directory changes in SBS 2008 RTM (the AD Recycle Bin arrived with Windows Server 2008 R2, and SBS 2008 is built on Server 2008, not R2).

BACKGROUND INFO ON USER ROLES

When running the “Add a new user account” wizard in SBS 2008, you have (by default) three options for User Roles:

  1. Standard User
  2. Network Administrator
  3. Standard User with Administration links

image 

Here’s what you get with each role.

Default group memberships by User Role (Yes = member by default):

Default SBS 2008 Groups & User Roles        Standard User   Standard User    Network
                                                            w/ Admin Links   Administrator
All Users*                                  Yes             Yes              Yes
Windows SBS Fax Users                       Yes             Yes              Yes
Windows SBS Link Users                      Yes             Yes              Yes
Windows SBS Remote Web Workplace Users      Yes             Yes              Yes
Windows SBS SharePoint_MembersGroup         Yes             Yes              No
Windows SBS Admin Tools Group               No              Yes              Yes
Windows SBS Administrators*                 No              Yes              Yes
Windows SBS Fax Administrators              No              No               Yes
Windows SBS SharePoint_OwnersGroup          No              No               Yes
Windows SBS Virtual Private Network Users   No              No               Yes

HINT: *The All Users and Windows SBS Administrators groups are E-mail Distribution Groups, not security groups, which means that you can’t assign security permissions to those groups.

Normally you would think that a group named “Windows SBS Administrators” would be some type of security group, but that’s just one of the gotchas in SBS 2008. The Groups tab in the SBS 2008 console makes this easy to see, but if you’re poking around in AD, you might forget. Just look for the ‘key’ icon to differentiate E-Mail and Security Groups.

image

So, this begs the question, “If I create a standard user, right-click them in the console and make them a member of all of the same groups as the Network Administrator in the chart above, do they get the ‘key’ icon?”

Answer: No. You have to use Change user role for user accounts wizard (or dig into AD).

IMPORTANT USER ROLE / USER ACCOUNT TIPS

Things to remember about User Roles and user accounts in SBS 2008:

  • NEW USERS – User Roles are chosen at the time the User Account is created if you use the “Add a new user account” wizard (shown above).
  • CUSTOM ROLES – Have you ever gotten a call like this, “Mary is moving to part time, and we hired another person to do the same job in the afternoon – can you setup a new user account for Jennifer with the same permissions?”

    Now you can create a new role like “Reception” and create it based on Mary’s current permissions / memberships. This is great if you start creating new roles like “Warehouse”, “Intern”, “Vendor”, etc.

  • CHANGES – You can change the User Role assigned to an existing user after the fact using the “Change user role for user accounts” wizard (shown below). 
  • APPLYING ROLES – When applying a “User Role” to an existing user, you are given the option of adding or replacing the existing user permissions (shown below). This is where it gets sticky.
  • ADJUSTING PERMISSIONS OUTSIDE THE USER ROLE – After a User Role has been applied, you can tweak the permissions. This is great for creating department supervisors after the department has been mapped out.

    Example – You create a custom “Sales Rep” User Role, and then apply it to all sales users, including Marty McFly. Afterwards, since Marty is actually the Sales Manager, you also give him access to financial data.

  • REPLACE VS. ADD – If you re-apply a User Role to a user, you can accidentally remove any customizations to them. This is where you break the step above.

    Example – The custom “Sales Rep” user role has recently been updated to include a new e-mail distribution list. Then you decide to re-apply the permissions to Marty. Congratulations. You just took away Marty’s access to the financial data and made him a normal Sales Rep drone, and not a manager.

  • TRUST BUT VERIFY – Just because you see an entry in the “User Role” column, don’t assume that the user has had no customizations made to their account.
  • WE DON’T NEED NO STINKING WIZARDS – If you’re old school and manually create a user in Active Directory Users and Computers instead of the SBS Console, the user won’t show up in the SBS Users Console.

    Why? Because the user’s msSBSCreationState attribute is <not set>.

    But you can change this in Active Directory by setting that attribute to “Created”.

    Example – User account that will not show up in the SBS 2008 console:
    image

    Example – User account that will show up in the SBS 2008 console:
    image

RESOLUTION

OK, you understand the difference between Add & Replace, and the implications of re-applying a user role to an individual.

After you make a note of the user’s current group memberships (because you love your job), apply the “Standard User” User Role to that user and choose “Replace user permissions or settings” to get rid of that domain admin key.

  1. Open the SBS Console, click Users and Groups, then click the Users tab.
  2. Click the “Change user role for user accounts” wizard on the right.
    image
  3. Select the role for the user account (in our case Standard User), choose “Replace user permissions or settings”, and click Next.
    image
  4. Click on the name of the user on the left from the “All user accounts” column, click the Add button to move their name to the right column, then click the “Change user role” button.
  5. Done. Click Finish.
    image

ALTERNATE METHOD

If you’re AD savvy you can always open Active Directory Users and Computers and remove the user’s membership in the ‘Administrators – domain/Builtin’ security group. This just takes away the ‘Administrator’ permissions and leaves everything else intact. Check nested groups while you’re in there: a user who lands in Administrators through some other group still has the rights, even though the console only shows direct members.
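To make both of these checks repeatable, here is an added PowerShell example (not from the original post and not part of the SBS tooling). It lists the accounts the console hides because msSBSCreationState is not set, then resolves the membership of the ‘Administrators – domain/Builtin’ group through nested groups so nobody is missed. It uses plain ADSI, so it runs on the SBS 2008 box itself without any extra modules. The user DN in the commented-out fix at the bottom uses the default SBS 2008 user OU and is an assumption for this example.

```powershell
# Added example (not from the original post or the SBS tooling). Two audits:
#   1. user accounts hidden from the SBS Console because msSBSCreationState is not set
#   2. everyone effectively in Builtin\Administrators (the "key" users), resolved
#      through nested groups, since membership via another group still grants the rights
# Plain ADSI only, so it runs with the PowerShell that ships on SBS 2008.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext

# --- 1. accounts created outside the wizards -------------------------------
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user)(!(msSBSCreationState=*)))'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

"Users with msSBSCreationState not set (will not appear in the SBS Console):"
foreach ($r in $searcher.FindAll()) {
    "  {0,-20} {1}" -f $r.Properties['samaccountname'][0], $r.Properties['distinguishedname'][0]
}

# --- 2. effective Builtin\Administrators membership -------------------------
function Get-NestedMembers {
    param([string]$GroupDn, [hashtable]$Seen)
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in @($group.member)) {
        if ($Seen.ContainsKey($memberDn)) { continue }   # guards against circular nesting
        $Seen[$memberDn] = $true
        $member = [ADSI]"LDAP://$memberDn"
        if ($member.objectClass -contains 'group') {
            Get-NestedMembers -GroupDn $memberDn -Seen $Seen
        } else {
            $name = [string]$member.sAMAccountName
            if (-not $name) { $name = [string]$member.name }   # e.g. foreign security principals
            New-Object PSObject -Property @{ Account = $name; Via = [string]$group.cn }
        }
    }
}

""
"Effective members of Builtin\Administrators (Via = the group that grants it):"
Get-NestedMembers -GroupDn "CN=Administrators,CN=Builtin,$domainDn" -Seen @{} |
    Select-Object Account, Via | Format-Table -AutoSize

# --- Fix for case 1, as described above: mark the account as wizard-created -
# Uncomment and supply the real DN. The OU path is the default SBS 2008 user
# OU and is an assumption for this example.
# $user = [ADSI]"LDAP://CN=Jennifer,OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDn"
# $user.Put('msSBSCreationState', 'Created')
# $user.SetInfo()
```

Anyone listed in the second section with a “Via” other than Administrators is an admin the console will never show you the key for, which is the case to go looking for before you trust the User Role column.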

Props: Thanks to Cory Rammer, MCSA/MCSE and all-around nice guy for his help on this post!


The Return of Artie, Sort of

I’ve always been a big fan of a) The Adventures of Pete and Pete show (I own all the DVDs) and b) funny Microsoft videos. This morning I came across a video on the Microsoft OEM Partner Center that was pretty hilarious. And to top it off, one of the actors in the video reminded me of “Artie the Strongest Man in the World” from Pete and Pete. Behold:

Microsoft “Office With Every PC” Video

Microsoft, kicking it old school rap style

Artie – The Strongest Man in the World

Artie, the strongest man... in the WORLD!

Yes, I know it’s not really Artie, but it’s still fun to imagine. 🙂

If you’d like to check out the video, you’ll need a Microsoft Partner ID to access the OEM Partner Center website, and Silverlight installed on your PC. Or, you can show up at the KYSBSUG meeting tonight and I’ll play it there.


Dell Raid Controller Thinks 160 GB Drive is 32 GB

I’m sure everybody on Earth already knows this (and I’m just exposing my ignorance about computers – again), but I’d like to share a little tech tidbit in case some Google user runs into the same issue.

First off, before anyone asks, this is a small shop – they just want to buy one more year on their existing hardware before a refresh and SBS 2008.

Previous Configuration (slow, but works):

  • Dell PowerEdge 400SC
  • Windows Small Business Server 2003
  • 1 GB RAM
  • Dell CERC ATA100/4ch RAID controller
  • 2 ea. Western Digital WD400 40 GB IDE drives in RAID1 mirror

New Configuration (faster, but missing about 120 GB):

  • Same Dell PowerEdge 400SC
  • Windows Small Business Server 2003
  • 3 GB RAM
  • Dell CERC ATA100/4ch RAID controller
  • 2 ea. Seagate ST3160815A 160 GB Ultra ATA100 drives in RAID1

Issue: Removed the old WD drives and deleted the old array. Inserted the new Seagate drives, but the RAID controller only recognized them as 32248 MB drives (instead of 156250 MB). I didn’t order the parts myself, so I started to question the drives as being appropriate, but a double-check verified that they should work. Visual inspection of the jumpers on the new drives matches position on the old drives. I spoke with a Dell technician who was certain that the array was created wrong, but I told him that it misrecognized the drive size even before creating the array.

Resolution: While the Dell tech was searching, I rechecked the jumpers, and the new Seagate drives were in last position, exactly the same as the old Western Digital (position 1-2 shown below).

Western Digital drive jumper positions Western Digital (cable select)

The problem is that “cable select” on Western Digital drives isn’t in the same position as it is on Seagate drives (Seagate uses position 5-6 shown below).

Seagate drive jumper positions Seagate (cable select)

To make matters even funnier, the Seagate drives only have 8 pins. Doh!

Once I pulled the Seagate drives, moved the jumpers to match the cable select position shown on the sticker on the drive (instead of the physical location on a different brand drive) the array controller immediately recognized the correct drive capacity.

Details, details, details… that’s what happens when you’re in a hurry.

In my feeble defense…

Exhibit (A)
The Western Digital WD400 drive
didn’t have a jumper sticker on top.
Exhibit (B)
And the jumper setting is only shown in tiny print on the mobo of the drive.
WD400 - top WD400 - bottom

But, yes, I’m still retarded. 🙂


Spyware – Antivirus XP 2008

Since some of my blog readers are end-users, and not IT pros, I wanted to pass along the following info.

The hot malware infecting machines lately seems to be "Antivirus XP 2008".
It starts simply enough:

Fake e-card / virus / trojan
(I especially like the typo of "aviailable" – nice).

The unsuspecting user clicks on the ‘e-card’ hyperlink, runs the download, and the next thing you know, you’ve got full-blown chaos on your hands:

Antivirus XP 2008 is malware

Folks – I know that looks legit, but it’s not. Until you downloaded that "e-card" your computer wasn’t infected. You can tell by the colored AVG icon in the system tray (circled in green).

Notice how quickly it spreads (circled in red). It’s also in 4 places in the Start Menu, not shown in the picture. Also notice the ‘Vista style’ fake close button at the top of the window – this is on an XP machine. And there are apparently 3 windows popped-up, but there is only one program on the task bar for "Antivirus XP 2008".  All stuff to look for.

In case you get bit, here’s a link for removal instructions for Antivirus XP 2008:
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008


Peachtree Phone Support is Spendy

First, the crazy screen shot – check out the service category 😉

Coming Soon - Selection Not Available

LOLZ. Wonder how long the hold time is for "*Coming Soon*" category of support? Silly web-programmers 😉

Now for the sticker-shock price per minute:

$5 per minute - operators are standing by...

Fees:
For those of you playing the home game, that’s $5 per minute, or $300/hour. Not exactly chicken feed.

Initial Impressions:

1) A few mis-transferred calls, finally got in the right queue. Robot voicemail auto attendant asks for customer ID and then prompts for credit card number, but doesn’t give you enough time to type all the digits in. Prompts a second time – again, too short. Human attendant was actually nice.

2) Reached tech support – hold time was minimal (under 90 seconds). I was initially concerned with the thick accent on the other end of the phone, fearing that I was talking to a script zombie.  But I was pleasantly surprised that the Peachtree tech actually did have a brain. He was articulate, thorough, and found a resolution for us when the (lousy) Peachtree KB site, Google & E-E came up blanks (and no error codes in the event logs).

3) Satisfaction – The tech did all this support by phone, and at one point requested that about 5 screen shots be emailed to him, which quickly led to the ‘ah-hah’ moment. Several minutes later, back in business.

Verdict:
Expensive. But valuable. The tech resolved the issue without stumbling, faking it or sending us down dead ends that had nothing to do with the real issue. And considering that ‘payroll waits for no man’, every minute counts on a payday.

Client = happy. Day = saved. Employees = paid.

Props:
1.5 thumbs-up. I would have gone w/ 2 thumbs up, but the $5/minute stings. Still, "nice job Sage Software / Peachtree tech", spend that hard-earned money well!
