Category Archives: XP

autorun.inf AV blocking gotcha

Discovered this today on Windows 7: any software process that copies, moves, or even deletes the autorun.inf file can fail because of current default antivirus (AV) behavior. This file sits at the root of every Windows drive.

In preparation for an SBS 2011 install I wanted to create a bootable USB drive of the install media. To start, I attempted to clean the drive of all its contents, but that process failed on the autorun.inf file. Then I realized I should have just reformatted to be thorough; of course that sledge-a-matic action worked.

I’ve done this before for SBS 2011 and WHS 2011, which can require this type of USB install media on headless servers. The odd thing is that this was never an issue before, so it must be something new that has emerged behind the security scenes without my being aware of it. What I uncovered was that the Trend Micro WFBS Agent settings were blocking both ‘delete’ and ‘copy’ actions on the autorun.inf file. This isn’t specific to TM, though, as the Google search result I found pointed to a different AV vendor. If you hit this error, temporarily disable the AV as the workaround.

Initially I opted for the Windows 7 USB/DVD Download Tool method (it creates a bootable USB drive from an ISO or DVD) but hit an issue when it failed during the copying process. After trying variations and getting the same failed result, I opted for the longer manual creation route detailed by Tim Barrett on his www.NoGeekLeftBehind.com blog. During that process I hit the root issue in a way that gave me a usable error message to find the solution. After disabling the AV I hit success.


XP, Windows 2003, Office 2003 ‘End of Life’ Only Days Away! – What does this mean?

Kudos to Eric Ligman, aka The Man, for coming through with a very proactively timed post on what it means that XP is at “End of Life”. It sounds scary, but in reality you might see that there is still more breath left in the XP and Windows 2003 OS, as well as Office 2003. That’s a good thing, since a lot of businesses are still using these products!

Microsoft SMB Community Blog:

How to know when support ends or changes for your Microsoft product


There was just a question floating around about when Mainstream and Extended support phases for Microsoft products ended, based on the fact that three of our products (Windows XP, Office 2003, and Exchange Server 2003) all make this shift from Mainstream to Extended support next week on the 14th, and how would you know. I thought I would share with everyone here in the Community so you all know.

First, let’s start with what the differences are between Mainstream support and Extended support phases. Here is a quick chart to show you what is and is not included inside each of these phases  …more <link below to full article>

Microsoft SMB Community Blog : How to know when support ends or changes for your Microsoft product

Today was a Sisyphus Day

Carrying the boulder up the hill again, this time doing an endless SBS 2008 migration the “Microsoft Way”. Not that I didn’t know in advance that it would be daunting; I’m just saying that after 5 sleepless days the d#@! boulder is starting to get annoying.

After a very simple third-party certificate installation process (kudos to the SBS development team magic on that one), now on to why XP clients are unable to use RWW even though they are on SP3, while Vista clients have no problem (http://www.sbslinks.com/fixmyrww.htm). This is killing me!

XP SP2 Change Analysis Tool – Tricky on SP3

A deployment trick for when you get an error during install on XP SP3: the installer expects XP SP2 and is fixated on it.

For the message "the version of Windows XP is incompatible with this patch", there is a fix I’ve successfully used.

Tip found here:
http://www.winhelponline.com/blog/fix-change-analysis-diagnostic-install-xp-sp3/

In the registry you simply flip the CSDVersion data value from 0x300 (SP3) to 0x200 (SP2).

Key at: HKLM\SYSTEM\CurrentControlSet\Control\Windows
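Here is the flip as a script rather than a manual Regedit edit. This is an added example, not from the original post or from winhelponline; it assumes an elevated prompt and that $InstallerPath (a placeholder) points at an executable installer. The point of the try/finally is that CSDVersion is read by every installer and inventory tool on the box, so the spoofed value must be put back even if the install is cancelled or fails.

```powershell
# Added example: temporarily present XP SP3 as SP2 to an installer that
# insists on SP2, then restore the real service-pack marker.
# Assumptions: elevated prompt; $InstallerPath is a placeholder you replace.
$KeyPath       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
$ValueName     = 'CSDVersion'
$InstallerPath = 'C:\Path\To\ChangeAnalysisSetup.exe'   # placeholder path
$SpoofedValue  = 0x200                                   # what SP2 reports

# Read and keep the current value so it can always be put back.
$Original = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($Original -ne 0x300) {
    Write-Warning ("CSDVersion is 0x{0:X}, not 0x300 (SP3); this trick targets SP3." -f $Original)
}

try {
    # Spoof the service-pack level for the duration of the install only.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $SpoofedValue -Type DWord

    # Run the installer synchronously so the value is still spoofed when it
    # performs its version check.
    Start-Process -FilePath $InstallerPath -Wait
}
finally {
    # Always restore; otherwise patch tools and WSUS/MU reporting would also
    # be told this machine is SP2.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Original -Type DWord
}

$Check = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
"CSDVersion restored to 0x{0:X}" -f $Check
```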

Antivirus 2008 or was it 2009 or was it…? a Malware Removal Tool Discussion

Last month’s Microsoft Malicious Software Removal Tool cleans this threat (Win32/FakeSecSen, Microsoft’s name for it):

http://blogs.technet.com/mmpc/archive/2008/11/12/win32-fakesecsen-a-nasty-piece-of-work.aspx

…and Microsoft has had a great deal of success with it, as reported by the tool:


From Sandi at Spyware Sucks, a business-perspective breakdown in dollars:

Fraudware detected on 994,061 computers

As reported by Microsoft:
http://blogs.technet.com/mmpc/archive/2008/11/19/msrt-review-on-win32-fakesecsen-rogues.aspx

The figures relate to what Microsoft has labeled “Win32/FakeSecSen”.  That figure does not (I think) encompass all of the fraudware (fake security software) products that are out there.

Just imagine, if you will, if just 1% of the owners of those detected machines were fooled into buying the fraudware software at $40 a pop – that’s $397,624.40 in illicit income garnered by the crooks.  When we take into account the fact that billing services such as the (now defunct?) Bucksbill were regularly accused of double-charging victims’ credit cards, then we’re looking at an illicit income of $795,248.80.

Scary, isn’t it?  Is it any wonder the crooks behind malvertizing are so persistent?

Published Friday, November 21, 2008 9:53 AM by sandi


Here’s a word on the tool from Microsoft’s Steve Riley, including some information I found uniquely valuable:

Steve Riley [MSFT]

Newsgroups: microsoft.public.security.virus

From: “Steve Riley [MSFT]” <steve.ri@microsoft.com>

Date: Mon, 1 Dec 2008 14:15:34 -0800

Local: Mon, Dec 1 2008 5:15 pm

Subject: Re: Alerting – Malicious software removal tool (MSRT)

When the MSRT runs, if it finds what it looks for, it removes it and reports that removal to Microsoft. If it finds nothing, it exits. Neither I nor the tool nor the SIR make any claims that the MSRT completely cleans a machine. As others have pointed out, it is one element of an effective arsenal of tools to help improve security.

Here’s something interesting, which might even surprise you: this month (November 2008) the single most prevalent piece of malware the tool detects is Win32/FakeSecScan (rogues that mimic the Security Center). As of 13 November, we’ve tracked 811,000 removals. This includes some FakeSecScan threats that were no longer active when detected — meaning that they were incompletely cleaned manually or by other AV products, and the MSRT successfully cleaned out the remaining bits.

I have a proposal for you — actually, for everyone reading this thread. The MSRT creates a log file in %WINDIR%\Debug. KB 890830 describes its output. If you ever encounter an instance of where the tool fails to properly clean a machine, the Microsoft Malware Protection Center is ready to help. Go to http://www.microsoft.com/security/portal, click on “Submit a Sample,” and please send us your MRT.LOG file and a sample of the malware, if you can. We’d love to work with everyone to make sure the tool is as effective as possible.


Steve Riley
steve.ri@microsoft.com
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437


You may not be aware, but you can run that Microsoft tool manually: ‘Run -> MRT’. It of course runs quietly in the background after you download its latest version via MU or WSUS each Patch Tuesday. To learn more about running it manually, and for an in-depth guide on the tool, look here: http://www.vista4beginners.com/Windows-Malicious-Software-Removal-Tool


Another tool I heard recommended that I’d never heard of before (much as was the case with Malwarebytes, which has been consistently successful against this threat) is SuperAntiSpyware.

Here’s some very interesting background on the bad guys behind this threat from security super-friend (think Hall of Justice) Jesper:

http://msinfluentials.com/blogs/jesper/archive/2008/11/07/xp-antivirus-in-the-news.aspx

If you want to be knowledgeable and prepared for this ever-adapting malware threat, read the above and follow the references on how this elaborate shakedown scam got hacked. It is very impressive to see how successful they have been at their nefarious deeds thanks to black-market capitalism. Basically they have implemented a franchise business model of sorts, founded on social-engineering piggy-back attacks.