Spyware Removal for today - what’s good right now for getting rid of nasty spyware
Spyware, malware and rootkits are a nightmare for any IT department, big or small. When I have the option I almost always prefer to re-image a machine to be 100% sure of removing the nasties: rootkits can embed themselves so deep in the OS that it's a hopeless battle where you end up destroying the install and wasting a lot more time trying to remove it than a re-image would take. Your mileage may vary, and this is obviously a situational decision, as you may not have the resources to re-image at will and get someone up and running again in an hour.
Should you be in the situation where getting rid of the offender is your chosen plan of attack, here are some newer tools that may help you down that road.
I have had people ask me my thoughts on safety.live.com; to me it seems like just a baby web-based MSE alternative, and whilst MSE is quite good for prevention I'm not confident of its abilities to remove harsh infections that are already present.
So here's my list of removal tools and the order in which I would use them (sites hyperlinked for your convenience):
1. ComboFix - Freeware and quite compact; it seems to be VERY effective at getting rid of some of those common and really stubborn system-based attacks. Always a first port of call.
2. Super Anti Spyware and MalwareBytes are on par for me as paid secondary cleanup apps. I don't use them as much, since the paid versions are where it's really at for long-term assistance, but if you need to be sure that a system is clean it is definitely worth using a second scanner on top of ComboFix to be 100% sure. SAS has a solid reputation and would be the one I would go to first in most situations.
Platform(s) Affected: Windows XP, Windows 2000, Windows Server 2003 32-bit
The master browser is stopping or an election is being forced
One or both of the following may be present in a client's System event log. If so, the fix is to alter the registry values listed below so that the messages stop reappearing. Note that the 8003 description names the computer that is announcing itself as master browser (the name is blanked in the copies below); that machine is the one contesting the election and is where the change is most usefully applied, rather than on the domain controller that should legitimately hold the role.
Error Message:
The browser has received a server announcement indicating that the computer
is a master browser, but this computer is not a master browser.
The master browser has received a server announcement from the computer
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{000000000000000000. The master browser is stopping or an election is being forced.
To stop this error from occurring, use Regedit to set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList from "Auto" or "Yes" to "No". This is a string (REG_SZ) value whose accepted settings are "Yes", "No" and "Auto"; "FALSE" belongs to the separate IsDomainMaster value, not to this one.
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
Value Names: MaintainServerList (REG_SZ: "Yes", "No" or "Auto"), IsDomainMaster (REG_SZ: "True" or "False")
To prevent an NT workstation or server (non-PDC) from acting as a browser, create a new string value, or modify the existing one, named "MaintainServerList" and set it to "No". Leave IsDomainMaster at "False" (or absent) so the machine never tries to force an election in its own favour. The Computer Browser service reads these values when it starts, so restart the service for the change to take effect; on a workstation that never needs to serve a browse list, disabling the Computer Browser service outright achieves the same result.
EventID:
Log Name: System
Source: bowser
Date: 13/07/2010 3:56:00 PM
Event ID: 8005
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer:
Description:
The browser has received a server announcement indicating that the computer
is a master browser, but this computer is not a master browser.
Log Name: System
Source: bowser
Date: 13/07/2010 3:56:00 PM
Event ID: 8003
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
The master browser has received a server announcement from the computer
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{. The master browser is stopping or an election is being forced.
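The two halves of the fix above, listing which machines are contesting the master browser role and then taking the current host out of browser elections, as an added PowerShell example. This is not from the original post; it assumes an elevated prompt on the machine logging the events and that the 8003/8005 descriptions are worded as shown on this page (the name-extraction regex is an assumption based on that wording).

```powershell
# Added example, not from the original post.
# Assumes: elevated PowerShell on the host logging bowser 8003/8005;
# event description wording as shown on this page.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'

# --- 1. Who is contesting the master browser role? (last 7 days of the System log)
#        Get-EventLog works on XP/2003 as well as Vista+, unlike Get-WinEvent.
$events = Get-EventLog -LogName System -Source bowser -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
          Where-Object { 8003, 8005 -contains $_.EventID }

foreach ($e in $events) {
    # 8003: "...announcement from the computer <NAME> that believes that it is the master browser..."
    # 8005: "...indicating that the computer <NAME> is a master browser..."
    # If the name is blank (as in the copies on this page) the match fails and we report <unparsed>.
    $who = if ($e.Message -match 'the computer\s+(\S+)\s+(?:that believes|is a master browser)') { $Matches[1] } else { '<unparsed>' }
    '{0:yyyy-MM-dd HH:mm}  {1}  {2}' -f $e.TimeGenerated, $e.EventID, $who
}

# --- 2. Stop this host from maintaining a browse list or forcing elections.
#        Both are REG_SZ strings: MaintainServerList = Yes|No|Auto, IsDomainMaster = True|False.
#        (Writing a DWORD or "FALSE" into MaintainServerList is the mistake the post originally made.)
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name MaintainServerList -Value 'No'    -Type String
Set-ItemProperty -Path $key -Name IsDomainMaster     -Value 'False' -Type String

# --- 3. The Computer Browser service reads these values at start-up, so restart it.
#        On a workstation that never needs to serve a browse list you can disable it instead:
#        Set-Service -Name Browser -StartupType Disabled; Stop-Service -Name Browser
Restart-Service -Name Browser -ErrorAction SilentlyContinue

# --- 4. Verify the values and the service state.
Get-ItemProperty -Path $key | Select-Object MaintainServerList, IsDomainMaster
Get-Service -Name Browser  | Select-Object Name, Status
```

Run step 1 on the legitimate master browser (usually the PDC emulator) to find the offending hosts, then run steps 2 to 4 on each of those hosts. Running steps 2 to 4 on the domain controller itself would only hand the role to whichever workstation wins the next election.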
Microsoft Desktop Search AddOns
So Microsoft Downloads gave me some interesting links this morning: add-ons to Desktop Search that actually look half useful (makes me wonder why they aren't just part of the search to begin with).
Desktop Search Add-ins
Outlook Saved Mail
This one looks good; a brief quote from the download page:
“This iFilter allows you to perform a search on all elements of your MSG (.MSG) files including Message Body; Subject; From; From Name; From Address; To Name; To Address; CC Name; CC Address; Doc Title Prefix; Sent Date; Received Date; Primary Date; Conversation ID; Attachment Names and will indicate if an attachment is present within the .MSG. Additionally, content within attachments are indexed and searched.”
MS Networks Search
However great this sounds, I'm wary of the bandwidth and load on file servers from having this installed; with no central management you could accidentally DoS your own file servers. Not to mention that gig-to-the-edge, WAN-based file servers and VPN users will all suffer if this just treats servers as local resources.
IE History Search
I personally don't use IE for my primary browsing, so this add-on doesn't appeal to me; it may be up your alley though, so here's the link.
http://www.microsoft.com/downloads/details.aspx?FamilyID=EA7F95D9-69AE-4639-9D76-A44F51109053&displaylang=en
Handy Vista Commands
I noticed a handy article come through TechRepublic today with some nifty Vista commands to have on hand.
Aero on and off
Right-click the desktop and select New > Shortcut; where it says "type the location", put each of the following commands in its own shortcut.
aero off
Rundll32 dwmApi #104
Aero on
Rundll32 dwmApi #102
Note: turning Aero on will make your screen blink briefly, but turning Aero off gives no visible feedback; it just happens.
Task mgr
Bring up task mgr instantly
Ctrl+shift+esc
Shell Commands
This article also had some useful tips on shell commands that may come in handy, shoot through to see them.
http://blogs.techrepublic.com.com/window-on-windows/?p=713&tag=nl.e132
Deploying Vista Service Pack 1 (Vista SP1) via WSUS
Well, I luckily upgraded our WSUS server to 3.0 SP1 and ran into a snag where I couldn't deploy SP1 to our Vista test machines. After some digging I found out that under that version you need to run a patch on the WSUS server that retrieves the updates: without it, the WSUS server that connects to the internet for updates will never actually retrieve Vista SP1, so you have to run through this.
The full step by step is here http://blogs.technet.com/wsus/archive/2008/03/24/deploying-vista-sp1-into-a-wsus-3-0-server-part-ii.aspx
Or, for my trademark cliff notes:
Get this patch: http://support.microsoft.com/kb/938759
Patch the WSUS server that connects to the internet for updates (I patched all my WSUS servers to be safe). NOTE: requires a reboot.
Then in the WSUS console, under your server, right-click "Updates" and choose "Import".
This will redirect you to the Microsoft Update Catalog website, where you can search for Vista SP1.
Pick the standalone pack, click "view basket" at the top of the page and then import.
Voilà, Vista SP1 in your shiny new WSUS box.
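A way to confirm the import actually landed and to push SP1 to the test machines only, as an added PowerShell example against the WSUS administration API. This is not from the original post or from Microsoft's WSUS documentation; it assumes you run it on the WSUS server itself with the console installed (which ships the API assembly), and the computer target group name 'Vista Test' is hypothetical.

```powershell
# Added example, not from the original post or from the WSUS team blog it links to.
# Assumes: run on the WSUS server with the WSUS console installed;
# a computer target group named 'Vista Test' (hypothetical) already exists.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Record the server version so you can compare it with what KB938759 says the
# patched build should be (not reproduced here).
"WSUS server version: $($wsus.Version)"

# SearchUpdates is a text search over the catalog; drop language packs and pre-release builds.
$sp1 = $wsus.SearchUpdates('Windows Vista Service Pack 1') |
       Where-Object { $_.Title -notmatch 'Language Pack|Beta|RC' }

if (-not $sp1) {
    Write-Warning 'Vista SP1 is not in the catalog - the Import step has not landed yet.'
    return
}

foreach ($u in $sp1) {
    '{0}  KB{1}  Approved={2}' -f $u.Title, ($u.KnowledgebaseArticles -join ','), $u.IsApproved
}

# Approve for the test group only, never straight to 'All Computers'.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Vista Test' }
if (-not $group) { throw "Target group 'Vista Test' not found - create it in the console first." }

foreach ($u in $sp1) {
    # A service pack carries a EULA; approval fails unless it has been accepted.
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
    "Approved '$($u.Title)' for $($group.Name)"
}
```

Once the test machines report back clean, widen the approval to the production groups from the console (or by repeating the last loop with a different group); an unrestricted approval of a service pack is the kind of change you want a deliberate second step for.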