Networkgeek


Networkgeek Blog

Technical Bits and Bytes

Removing Malware 8/31/2016.

When cleaning a Windows computer of viruses and malware, I have had good luck with AdwCleaner. It does not replace antivirus and anti-rootkit tools, but it does a great job of cleaning the popular malware/adware off a Windows system quickly. I often find that if I run it first to clean the computer, the more intense scanning software finds no traces of malware. Another great utility added to my collection.

 

The difference between RAID and backup 8/29/2016.

Too many times I have seen technicians implement RAID as a way of backing up data. This is what I tell them:

RAID: Redundant array of independent disks (or inexpensive disks)
http://en.wikipedia.org/wiki/RAID
The goals of RAID are reliability, availability, performance, and capacity.
In simple terms, RAID makes your data available by using more than one disk, so if one disk fails, you still have access to your data.

RAID doesn't protect you against a file being deleted.
RAID doesn't protect you against a file being overwritten.
RAID doesn't protect you against a file getting corrupted.
RAID doesn't protect you from your system being compromised and all of your data being deleted, overwritten, or corrupted.
RAID doesn't protect you if the building burns down.
RAID doesn't protect you if your server destroys all of your disks.

Backup:
http://en.wikipedia.org/wiki/Backup
The two main purposes of backup are to recover data from a loss and recover data from an earlier time.
In simple terms, backup is a copy of your data somewhere else, like a DVD, thumb drive, tape, or a hard disk moved to another location.

Backup protects you against a file being deleted.
Backup protects you against a file being overwritten.
Backup protects you against a file getting corrupted.
Backup protects you from your system being compromised and all of your data being deleted, overwritten, or corrupted.
Backup protects you if your building burns down.
Backup protects you if your server destroys all of your disks.

Please back up your data.

 

Email Critical and Error Events from System Log in Windows with Wevtutil.

Eventtriggers on Windows XP was handy for alerting you to a critical event on a non-managed remote system. The problem was that you had to know the exact event ID or the trigger would not fire. Windows 7 and above have a similar function built into the Task Scheduler, but you still need to know the Event ID.

I have a handful of systems that are non-managed and remote, so I have them email me the last 10 critical and error events that occurred within the last 24 hours using Windows Event Utility (wevtutil). I do this to warn me of Bad Block events on the HDD or any major impending disasters.

    :: Email events - Windows 7 - Server 2008 and higher
    :: Export and email last 10 critical and error events from System log within the last 24 hours
    :: Uses Mailsend to email events
    :: https://github.com/muquit/mailsend
    :: C:\logs must already exist
    @echo off
    :: Level 1 = Critical, Level 2 = Error; timediff() is measured in milliseconds (86400000 ms = 24 hours)
    wevtutil qe System "/q:*[System [(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /f:text /c:10 /rd:True > C:\logs\%computername%-sys-errors.txt
    :: Crude delay of about three seconds so the file is fully written before its size is checked
    PING -n 4 127.0.0.1 > nul
    :: If file size is zero do not email
    for %%R in (C:\logs\%computername%-sys-errors.txt) do if %%~zR equ 0 GOTO END
    :: Pull the IPv4 address out of the line "Pinging HOST [a.b.c.d] with 32 bytes of data:"
    for /f "tokens=2 delims=[]" %%f in ('ping -4 -n 1 %computername% ^|find /i "pinging"') do set IP=%%f
    :: Replace the addresses, SMTP host and credentials with your own; the password is readable by anyone who can open this file or list running processes
    c:\bin\mailsend.exe -to destination@domain.com +cc +bc -from user@domain.com -ssl -port 465 -q -auth-login -smtp smtp.domain.com -domain mail.select.com -sub "%computername% System Events (%IP%) sent %time%" -user user@domain.com -pass password -mime-type "text/plain" -msg-body "c:\logs\%computername%-sys-errors.txt"
    :END

This way I do not have to have the Event IDs correct, because all critical and error events are emailed and I can decide which events to ignore. This script sends the email over an SSL-encrypted connection and also includes the computer name and IP address of the reporting system.

Emailing from the command line can be quite tricky. Mailsend works best for me. See more examples here. In the example above I specified a domain name for the SMTP HELO/EHLO. Without it, the system sending the email is identified as "localhost", which may result in an "Invalid HELO name" error. Also, if you are using Gmail, sending too many messages quickly can temporarily freeze email from that sender with an "Authorization failed (534 5.7.9)" error. This can be remedied by going to https://accounts.google.com/DisplayUnlockCaptcha and sending the email within ten minutes to authorize that system. You will also have to disable 2-step verification. If you are an administrator, you are better off using your own email server or email service. I use Hostgator, which allows me to apply custom rules, use my own accounts in my domain, and keeps my emails private.
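The same two pieces of the batch file, the XPath filter and the "is there anything to send" decision, as an added Python example that is not part of the original post. build_query generalises the filter to any window in hours and any set of levels, parse_events turns wevtutil's /f:text output into records so the alert body can be filtered or summarised before it is mailed, and fetch_recent_errors is the only part that needs a Windows host. The function names and SAMPLE_OUTPUT are my own; the sample is constructed in the layout wevtutil prints, not real log data.

```python
"""Added example: build the wevtutil filter and parse its /f:text output."""
import re
import subprocess
from typing import Dict, List


def build_query(hours: int = 24, levels=(1, 2)) -> str:
    """XPath filter for 'Critical (1) / Error (2) events within the last N hours'.

    timediff() works in milliseconds, so 24 hours is 86400000; getting the
    unit wrong silently shrinks or widens the window.
    """
    level_expr = " or ".join(f"Level={lvl}" for lvl in levels)
    window_ms = hours * 60 * 60 * 1000
    return (f"*[System[({level_expr}) and "
            f"TimeCreated[timediff(@SystemTime) <= {window_ms}]]]")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split 'wevtutil qe ... /f:text' output into one {field: value} dict per event.

    A record starts with 'Event[n]:' followed by indented 'Key: Value' lines;
    everything after 'Description:' up to the next record is the free-text
    description and is joined into a single line.
    """
    events: List[Dict[str, str]] = []
    current = None
    in_description = False
    for line in text.splitlines():
        if line.startswith("Event["):
            current = {"Description": ""}
            events.append(current)
            in_description = False
            continue
        if current is None:
            continue
        if in_description:
            current["Description"] += line.strip() + " "
            continue
        m = re.match(r"^\s+([A-Za-z ]+): ?(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Description":
            in_description = True
            current["Description"] = value + " " if value else ""
        else:
            current[key] = value
    for ev in events:
        ev["Description"] = ev["Description"].strip()
    return events


def summarize(events: List[Dict[str, str]]) -> List[str]:
    """One line per event, the shape you would put in the body of the alert mail."""
    return [f"{e.get('Level', '?'):<9}{e.get('Event ID', '?'):>6}  {e.get('Date', '?')}  "
            f"{e.get('Source', '?')}: {e.get('Description', '')}" for e in events]


def fetch_recent_errors(hours: int = 24, count: int = 10) -> List[Dict[str, str]]:
    """Run wevtutil on the local Windows host (same switches as the batch file)."""
    proc = subprocess.run(["wevtutil", "qe", "System", f"/q:{build_query(hours)}",
                           "/f:text", f"/c:{count}", "/rd:true"],
                          capture_output=True, text=True, check=True)
    return parse_events(proc.stdout)


# Constructed sample in the layout of wevtutil's /f:text output (not real log data).
SAMPLE_OUTPUT = """\
Event[0]:
  Log Name: System
  Source: Disk
  Date: 2016-08-31T02:14:07.000
  Event ID: 7
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: FILESRV01
  Description:
The device, \\Device\\Harddisk0\\DR0, has a bad block.

Event[1]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2016-08-30T23:58:41.000
  Event ID: 41
  Task: (63)
  Level: Critical
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\\SYSTEM
  Computer: FILESRV01
  Description:
The system has rebooted without cleanly shutting down first.
"""

if __name__ == "__main__":
    found = parse_events(SAMPLE_OUTPUT)
    if found:  # same rule as the batch file: nothing to report, nothing to send
        print("\n".join(summarize(found)))
```

Because the records are structured, an "ignore" list can be applied per Event ID and Source before the mail is built, which is exactly the triage the post says it does by hand after the mail arrives.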

 

View remote desktop sessions from multiple servers.

I recently had to manage many Windows servers. Sometimes these systems needed to be rebooted because of software installations deployed through Active Directory. The systems were geographically spread out and users were logged on at all times, day and night. I found it cumbersome to alert users that the system was going to be rebooted (the users never paid attention to alerts anyway), so I would identify the systems that had the fewest users logged on and alert them to log off or be kicked off. This small, quick-and-dirty script creates a text file that lets me glance at all the remote desktop sessions and spot the servers with the fewest users logged on. It leaves a space between server sessions and lists the name of the server on top as a header.

Pulls hostnames from serverlist.txt.

    @echo off
    echo. > %homepath%\documents\sessions.txt
    FOR /f %%a in (%homepath%\documents\serverlist.txt) do (
    ECHO.
    ECHO %%a
    qwinsta /server:%%a
    ECHO.
    ECHO.
    ) >> %homepath%\documents\sessions.txt
    start notepad %homepath%\documents\sessions.txt

If you are managing even a handful of Remote Desktop servers, you should be using RDCMan.
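The post reads the sessions.txt file by eye to find the emptiest servers; as an added example that is not part of the original script, the Python below does that ranking for you. parse_qwinsta reads the column-aligned text that qwinsta prints, which is awkward to split on whitespace because disconnected sessions have no session name and listeners and the "services" row have no user name, so it anchors on the header's SESSIONNAME column and on the numeric ID. rank_servers sorts hosts by logged-on users, fewest first. The function names and the SAMPLE dictionary are my own constructed data in the shape of qwinsta output; only query_servers needs a Windows host.

```python
"""Added example: rank servers by logged-on users from qwinsta output."""
import subprocess
from typing import Dict, List, Tuple


def parse_qwinsta(output: str) -> List[dict]:
    """Parse 'qwinsta /server:NAME' text into one dict per session row.

    The ID is the last all-digit token; a row has a session name only if a
    character sits in the header's SESSIONNAME column (">" marks the current
    console session). Anything left between the two is the user name.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines or "SESSIONNAME" not in lines[0]:
        return []  # error text such as "Error [5]:Access is denied." has no header
    name_col = lines[0].index("SESSIONNAME")
    sessions = []
    for line in lines[1:]:
        toks = line.split()
        id_idx = max((i for i, t in enumerate(toks) if t.isdigit()), default=None)
        if id_idx is None:
            continue
        before = toks[:id_idx]
        has_name = len(line) > name_col and not line[name_col].isspace()
        name = before[0].lstrip(">") if has_name and before else ""
        rest = before[1:] if has_name else before
        sessions.append({
            "session": name,
            "user": rest[0] if rest else "",
            "id": int(toks[id_idx]),
            "state": toks[id_idx + 1] if id_idx + 1 < len(toks) else "",
        })
    return sessions


def logged_on_users(output: str) -> List[str]:
    """User names with a session on the host, active or disconnected."""
    return [s["user"] for s in parse_qwinsta(output) if s["user"]]


def rank_servers(outputs: Dict[str, str]) -> List[Tuple[str, int]]:
    """{server: qwinsta text} -> [(server, user_count)] with the emptiest server first."""
    counts = [(srv, len(logged_on_users(txt))) for srv, txt in outputs.items()]
    return sorted(counts, key=lambda c: (c[1], c[0]))


def query_servers(servers: List[str]) -> Dict[str, str]:
    """Run qwinsta against each host (Windows only; needs RDS query rights)."""
    return {srv: subprocess.run(["qwinsta", f"/server:{srv}"], capture_output=True,
                                text=True).stdout for srv in servers}


# Constructed sample in the layout qwinsta prints; hosts and users are made up.
SAMPLE = {
    "SRV01": """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           administrator             1  Active
 rdp-tcp#3         jdoe                      2  Active  rdpwd
                   asmith                    3  Disc
 rdp-tcp                                 65536  Listen
""",
    "SRV02": """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp                                 65536  Listen
""",
}

if __name__ == "__main__":
    for server, count in rank_servers(SAMPLE):
        print(f"{server}: {count} user(s) -> {', '.join(logged_on_users(SAMPLE[server]))}")
```

Disconnected sessions are counted as users on purpose: a reboot still discards whatever that person left open, so they deserve the same warning as an active session.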

 

Virus removal

Viruses get installed on your Windows computer using various methods such as Windows vulnerabilities, Adobe Flash or Reader exploits, Java exploits, or even a user clicking on a fake alert displayed as a link. These are usually called drive-by downloads. The recent strains of malware, ransomware, scareware, spyware, or however it is labeled, are particularly deceptive and damaging to computers, and can be very difficult to remove.

Criminals use viruses to trick you into entering your credit card number. Do not click on anything these malicious programs display. These criminals are usually located in the Eastern bloc and will gladly ruin your computer rather than let you remove the malware.

Here are the methods I use. If you are uncomfortable with any of these instructions you should research them first.

  1. Your best option is the Kaspersky Rescue Disk, especially if you cannot boot up the operating system. Boot the computer using the disc and it will clean up the infection; the problem with this is that you need another computer to download and create the disc.

  2. Another great option is Malwarebytes Anti-malware. If you install it, it will eradicate most viruses. Download it here. It is free for personal use, but be warned that it will try to install toolbars and such during installation, so read the installation options carefully.

  3. For rootkit removal, use TDSS Killer from Kaspersky. Rootkits are software that hides its own presence on the system. It is always a good idea to scan for them if you think you have been infected.

  4. If the virus is stubborn and keeps coming back after removal or cannot be terminated, use RogueKiller. RogueKiller can detect and terminate random processes that other virus removal packages cannot find. You can use RogueKiller to terminate the process and then use Malwarebytes or other antivirus software package to clean up the infection.

  5. If you have removed the virus but the computer is unable to download Windows updates, re-register these DLLs, which may have been unregistered by the virus.

  6. Open an elevated command prompt and run these commands.

    net stop wuauserv
    regsvr32 wuapi.dll
    regsvr32 wuaueng1.dll
    regsvr32 wuaueng.dll
    regsvr32 wucltui.dll
    regsvr32 wups2.dll
    regsvr32 wups.dll
    regsvr32 wuweb.dll
    net start wuauserv

  7. Lastly, if you have been unlucky enough to be infected with the Cryptolocker ransomware, you can try to decrypt your files here.

I hope these steps help you. To protect your computer I suggest you reduce the number of attack vectors. Uninstall toolbars, coupon finders, third-party registry cleaners, and shopping helper software. These programs may be useful to you, but they are poorly written and can be an open door to malware writers. If you want more protection from viruses than your antivirus software can provide, I suggest EMET.

 

Date and Time Variable.

To use a date and time variable in the Windows command line I have been using these commands:

    :: Assumes the US locale: "date /t" prints "Wed 08/31/2016" and "time /t" prints "10:15 AM"
    for /f "tokens=1,2" %%u in ('date /t') do set d=%%v
    for /f "tokens=1" %%u in ('time /t') do set t=%%u
    :: Pad a single-digit hour so the substring offsets below line up
    if "%t:~1,1%"==":" set t=0%t%
    :: yyyy mm dd HH MM, cut out of mm/dd/yyyy and HH:MM
    set timestr=%d:~6,4%%d:~0,2%%d:~3,2%%t:~0,2%%t:~3,2%

To use this simply insert the variable %timestr% into your script wherever you want the date.

Unfortunately, in order to have the output in military (24-hour) time you must set the computer clock to military time. I like having my clock display standard time (AM/PM), but I want my time stamps in military time, so I now use a utility called doff (date offset) by John Fitzgibbon. This flexible utility easily parses the date and time and uses 24-hour military time. Here is a sample script:

    @echo off
    :: doff prints the fields in the order requested; split on "/" and space
    for /f "tokens=1-6 delims=/ " %%a in ('doff ss/mi/hh/dd/mm/yyyy') do (
    set ss=%%a
    set mi=%%b
    set hh=%%c
    set dd=%%d
    set mm=%%e
    set yyyy=%%f
    )
    echo The time is %yyyy%%mm%%dd%%hh%%mi%%ss% >> c:\log.txt

Here is a simple WMIC timestamp script that also uses military time:

    @echo off
    :: LocalDateTime looks like 20160831143005.123456-240 (yyyymmddHHMMSS.micro, then the UTC offset in minutes)
    for /f "tokens=2 delims==" %%G in ('wmic os get localdatetime /value') do set datetime=%%G
    set dte=%datetime:~0,8%
    set tme=%datetime:~8,6%
    echo %dte%%tme% >> c:\log.txt
