How to clean virus and malware infections Tips & Tricks


Let’s get straight to the point.

Depending on the malware type, you may get away with using only the infected computer to clean itself. But if you suffer from a more sinister type of intrusion, you will need another computer with an internet connection and a USB stick or any other type of removable storage to copy the needed files to the infected PC.

(1) Always do your best to find out the malware name or intrusion type. 60-70% of the time, if you find the virus name or type, you will easily find a tool to get rid of it. Many antivirus companies make small applications available for free download that remove certain types of viruses. To find a virus name, look at your desktop for any unknown new icons, check your antivirus log (it has possibly detected the malware but been unable to remove it; the log will show the name or type), and look for obvious things like a program called “Registry Cleaner”, “Microsoft Antivirus” or “Speed optimiser” suddenly appearing. Very often malware will pretend to be helping you: in a very nice looking application layout it will show you all these problems with your machine, but it is all fake. So “Google” the name and you will find instructions or tools to get it out.

EXAMPLES OF VIRUSES PRETENDING TO BE ANTIVIRUS (screenshots):

  • antivirus-2010
  • Sinergia-Cleaner
  • antimalware-protection1

(2) Most everyday viruses can be removed by running your antivirus scan (deep/full scan). Unfortunately there is still a lot of malware out there for which you will need some more advanced tools to heal your system.

  • RKill and ComboFix from Bleeping Computer, my absolute favourites. A combination of these tools can remove 98% of viruses today.

http://www.bleepingcomputer.com/download/combofix/

http://www.bleepingcomputer.com/download/rkill/

 HOW TO USE THEM:

!!! IMPORTANT !!! Only use these tools when necessary. ComboFix can damage your system in some cases; do not use it if there is no intrusion. ComboFix is not an antivirus and cannot be installed. It is only a tool for malware removal. DISABLE ANY INSTALLED ANTIVIRUS BEFORE RUNNING COMBOFIX. ComboFix needs to be re-downloaded every time because it does not update its definitions like a normal antivirus, so make sure to grab the latest version from the link above.

1. Once downloaded, put both files (RKill and ComboFix) on your C: drive (the Windows OS drive, usually C:).

2. Run RKill first with administrator rights (right click > Run as administrator, or just double click if you already have admin rights).

RKill will open a Command Prompt (black DOS-style) window and start checking the system for anything out of the ordinary. It looks at the executable file associations, the registry, running services/processes etc. Many viruses hook into your system before the OS boots, so your antivirus is unable to detect and stop them. RKill sees these intrusions and moves them from a “work in progress” mode to an “inactive” mode. It does not remove them; it only gives your antivirus a chance against them.

(screenshot: RKill_run)

After RKill you can try to run your ordinary antivirus software, but I recommend running ComboFix instead. From personal experience, regular antivirus programs are unable to take the virus down even after RKill.

Run ComboFix with administrator rights and follow its instructions. It is very straightforward; make sure not to interrupt ComboFix at any stage. Depending on the infection size, it may take from 5 minutes to 1 hour (yes, that's right, 1 hour!). Do not restart the PC on your own unless instructed. Once ComboFix is done it will show you a log file in Notepad.

(screenshots: How-to-use-combofix, ComboFix_log)

Now, to be on the safe side, reboot your PC and run the process again: RKill, then ComboFix.

 

Rest coming soon.

How to reset Cisco Router to Factory Settings


Method 1

This method uses the config-register 0x2102 command in global configuration mode.

  1. Check the configuration register on the router by issuing the show version command.

The configuration register setting is displayed in the last line of the show version command output and should be set to 0x2102. If this is not the case, enter the config-register 0x2102 command once in global configuration mode.

router#configure terminal
router(config)#config-register 0x2102
router(config)#end
router#

If the show version command is issued again, the same line in the command output will have ‘(will be 0x2102 at next reload)‘ appended to the current register setting.

  2. Erase the current start-up configuration on the router with the write erase command.
  3. Reload the router with the reload command. When prompted to save the configuration, DO NOT save.

router#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]

Once the router reloads, the System Configuration Dialog appears.

--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:

The router is now reset to the original factory defaults.

Method 2

This method uses the config-register 0x2142 command in global configuration mode.

  1. Enter the config-register 0x2142 command in global configuration mode.

router(config)#config-register 0x2142

This causes the router to ignore the start-up configuration on the next reload. If a show version is issued, the last line in the command output will have ‘(will be 0x2142 at next reload)‘ appended to the current configuration register setting.

  2. Reload the router using the reload command in enable mode. It is not necessary to save when prompted to save the system configuration.

router#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]

After the router has reloaded, the System Configuration Dialog appears.

  3. Enter no to the question “Would you like to enter the initial configuration dialog?”
  4. Change the configuration register setting to 0x2102 by entering the config-register 0x2102 command once in global configuration mode.
  5. Issue the write memory command in enable mode to overwrite the existing start-up configuration with the current running configuration.
  6. Reload the router with the reload command in enable mode.

Once the router reloads, the System Configuration Dialog appears.

--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:

The router is now reset to the original factory defaults.
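To see why 0x2142 makes the router skip its saved configuration, and to catch a router that was left on 0x2142 after the procedure, here is an added Python example (not from the original post or from Cisco). The show version text it parses is constructed, and the bit names follow Cisco's documented layout of the 16-bit configuration register.

```python
import re

# Bit layout of the 16-bit IOS configuration register (from Cisco's documentation).
BOOT_FIELD_MASK = 0x000F       # bits 0-3: 0x0 stay in ROMMON, 0x1 boot first image in flash,
                               # 0x2-0xF honour boot system commands / startup-config
IGNORE_NVRAM = 0x0040          # bit 6: ignore startup-config in NVRAM (0x2142 = 0x2102 | 0x0040)
BREAK_DISABLED = 0x0100        # bit 8: ignore the Break key while booting
ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: fall back to ROM software if network boot fails

_REGISTER_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?")


def parse_show_version(output):
    """Return (current, pending) register values from 'show version' text."""
    m = _REGISTER_LINE.search(output)
    if m is None:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def describe_register(value):
    """Decode the flags that matter for the reset procedures above."""
    return {
        "boot_field": value & BOOT_FIELD_MASK,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(value & ROM_IF_NETBOOT_FAILS),
    }


def boots_saved_config(output):
    """True if the next reload will load startup-config normally, i.e. the register
    has been put back to a 0x2102-style value after Method 2. A router left on 0x2142
    comes up with none of its saved passwords, ACLs or interface settings."""
    _, pending = parse_show_version(output)
    flags = describe_register(pending)
    return not flags["ignore_nvram"] and flags["boot_field"] >= 0x2


# Constructed 'show version' tail, as seen after step 1 of Method 2 but before the reload.
SAMPLE_OUTPUT = ("Cisco IOS Software ...\n"
                 "Configuration register is 0x2102 (will be 0x2142 at next reload)\n")
```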

Note: The configurations below are stored in ROMMON and cannot be reset to factory default settings by the write erase or config-register 0x2142 commands.

  • warm-reboot
  • memory-size iomem <not default>

 

Method 3

Press the RESET button on the router within the first 5 seconds of the boot.

Replace Dell PERC H310 to H710 Raid Controller without losing data


I have successfully upgraded a Dell PERC H310 RAID controller to an H710 without losing any data. The process was very simple, pretty much plug and play. Before the upgrade I tried to consult with the Dell techs, but they had no idea about the process and its outcome since apparently no one ever had a need to do it but me. Well, I guess I am a pioneer now 🙂

To assure everyone it really works, I took a video; watch below.

Any questions feel free to ask.

1. Remove the old PERC H310 card

(photos: old_perc_h310_in_server)

 

2. Insert new PERC H710 (make sure to plug in the SAS connectors)

(photos: perc_h710_box, perc_h710_in_server)

3. Watch the video.

How To Setup Server 2012 as a Domain Controller


OVERVIEW

In Windows Server 2012, dcpromo has been deprecated.


In order to make the Windows Server 2012 machine a domain controller, we will install the AD DS (Active Directory Domain Services) role from Server Manager on Windows Server 2012.

First we will change the server name, let's say to server2012dc, and the IP address to 10.10.21.1 (try to avoid using the default 192.168.0.1).


INSTALLING AD DS ROLE


The “Before You Begin” screen provides basic information such as configuring strong passwords, IP addresses and Windows updates.


On the Installation Type page, select the first option, “Role-based or Feature-based Installation”.

The Scenario-based Installation option applies only to Remote Desktop Services.


On the “Server Selection” page, select a server from the server pool and click Next.


To install AD DS, select Active Directory Domain Services; a pop-up will ask you to add the other AD DS related tools. Click Add Features.


After clicking “Add Features” above, you will be able to click “Next >” as shown in the screen below.


On the “Select Features” page, the Group Policy Management feature is installed automatically during the promotion. Click Next.


On the “Active Directory Domain Services” page, it gives basic information about AD DS. Click Next.


On the “Confirmation” page, you need to confirm to continue with this configuration. It gives you an option to export the configuration settings and also to restart the server automatically if required.


After clicking “Install” the selected role binaries will be installed on the server.


After the “Active Directory Domain Services” role binaries have been installed, it is time to promote the server to a Domain Controller.


 

PROMOTING WINDOWS 2012 SERVER TO DOMAIN CONTROLLER

To create a new AD forest called “ArabITPro.local”, select Add a new forest.


Type the name ArabITPro.local.


Specify the FFL (forest functional level), the DFL (domain functional level), whether or not it should be a DNS server, and the DSRM administrator password. As you can see, the GC option is selected by default and you cannot deselect it. The reason is that this is the very first DC of the AD forest and at least one DC needs to be a GC.


DNS delegation warning.


It checks whether the NetBIOS name is already assigned.


Specify the location of the AD related folders and then click next.


Summary Of All Installation Options/Selections.


Click View script to get the single-command-line PowerShell equivalent of dcpromo.


Before the actual install of AD, all prerequisites are checked. If all prerequisite checks pass, click Install.


When you click Install, DNS and the GPMC are installed automatically.


After the promotion of the server to a DC finishes, the server restarts automatically.

Once the server has booted and you log on to it, click Server Manager | Tools; you will notice that the following have been installed:

•   Active Directory Administrative Center
•   Active Directory Domains and Trusts
•   Active Directory Module for Windows PowerShell
•   Active Directory Sites and Services
•   Active Directory Users and Computers
•   ADSI Edit
•   DNS
•   Group Policy Management


original tutorial – Microsoft

 

Can’t create files on the C drive of Windows 8 A required privilege is not held by the client


“A required privilege is not held by the client” appears when you try to create a file or folder on the C: drive of Windows 8.

Do not turn UAC off from Windows 8 control panel.

Instead, go to the registry and do the following:

  1. Press Windows Key + R and type regedit.
  2. Locate the EnableLUA value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Set the EnableLUA value to 0 (turns it off).
  4. Restart Windows.

 

Tested, works 🙂

Yet again, thanks Microsoft for a great OS!

How to fix: Hotmail & Gmail mark me as SPAM – Be careful! This sender failed our fraud detection checks.


If your emails keep going to people's “Junk” or “Spam” folders on either Gmail or Hotmail, this is how to fix it:

Gmail, Hotmail and many other public email systems use the Sender Policy Framework (SPF) to recognise legitimate senders.

If you do not have a valid SPF record in place, your emails won't pass the security check and will be marked as SPAM.

 

1. You need to access the hosting control panel where the domain in question is hosted. In our case we use cPanel.


2. Find the DNS Zone Editor icon (either Simple or Advanced).


3. Choose the domain you want to add the record to and add a TXT record with one of the following values:


 

v=spf1 ip4:ipaddress/24 -all

v=spf1 a mx include:serverhostname.com ~all

v=spf1 +a +mx +ip4:ipaddress ?all

 

The first option uses the public IP address and the whole /24 subnet it sits in.

The second option uses the server FQDN, no matter what the IP is.

The third option uses the public IP address regardless of subnets.

 

The second option is usually the most correct one, since it uses a FQDN regardless of its public IP address.
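As an added example that is not part of the original post, the following Python evaluates a sender IP against the three record styles above the way a receiving mail server would. The resolver is a constructed in-memory stand-in for DNS (a real check queries DNS), and the domain names and addresses are made up.

```python
import ipaddress

# Constructed stand-in for DNS. The three zones carry the three record styles
# from the post; all names and addresses are made up for the example.
FAKE_DNS = {
    "subnet.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 -all"},
    "fqdn.example": {"TXT": "v=spf1 a mx include:serverhostname.com ~all",
                     "A": ["203.0.113.10"], "MX": ["mail.fqdn.example"]},
    "mail.fqdn.example": {"A": ["203.0.113.20"]},
    "serverhostname.com": {"TXT": "v=spf1 a -all", "A": ["198.51.100.5"]},
    "host.example": {"TXT": "v=spf1 +a +mx +ip4:203.0.113.10 ?all",
                     "A": ["203.0.113.10"], "MX": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(dns, name):
    return dns.get(name, {}).get("A", [])


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate sender ip against domain's SPF record.
    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 terms)."""
    if depth > 10:                      # runaway include: chains are a permerror
        return "permerror"
    record = dns.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"                   # no SPF published at all
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qual = "+"                      # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":             # bare address or CIDR block, e.g. ip4:x.x.x.x/24
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":               # A record of the domain (or of arg if given)
            matched = str(addr) in _a_records(dns, arg or domain)
        elif name == "mx":              # A records of every MX host of the domain
            matched = any(str(addr) in _a_records(dns, mx)
                          for mx in dns.get(arg or domain, {}).get("MX", []))
        elif name == "include":         # only a pass of the included record matches
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism this small evaluator does not know
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched, not even an all
```

The "all" term decides the outcome for every sender the earlier mechanisms did not match, which is why "-all", "~all" and "?all" give a receiving server different amounts of confidence.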

 

Hope this helps 🙂

If any questions feel free to comment or private message me.

 

 UPDATE 04.10.2013.

SPF Record Generator

By Microsoft, works great.

 

\Device\Ide\iaStor0 did not respond within the timeout period – Intel RAID


UPDATE 21.09.2013.

DO THIS FIRST.

(screenshots: power-1, power-2, power-3)

 

ALSO, check this out:

http://www.intel.com/support/chipsets/imsm/sb/CS-025783.htm


ONLY DO THIS IF THE ABOVE DOESN'T WORK.

1. First, check if your hard drive(s) support “Link Power Management (LPM)”. This error usually appears on drives that do not support LPM, a “feature described by the Serial ATA specification to overcome the power demand of a high-speed serial interface, SATA, and providing the capability of SATA at the minimum power cost.”

 

2. If your drives do not support LPM we can disable it, since the default is enabled. To disable LPM selectively by port, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iaStor\Parameters\Portn\

where n represents the port number, starting from 0. Within each of those keys are the following DWORD values:

LPM: 0 (disable) or 1 (enable); default = enable
LPMSTATE: 0 (partial), 1 (slumber); default = disable; ignored when LPM = 0
LPMDSTATE: 0 (partial), 1 (slumber); default = enable
DIPM: 0 (disable), 1 (enable); default = enable


 

Change the values on all SATA ports, then restart the computer.

Hopefully this helps.

Dell PERC H310 slow performance


Do not buy Dell PERC H310 raid controller no matter what.

Thanks to our Dell account and sales manager we ended up with one. He made a mistake during the ordering process, bless him.

So instead of H710 we got this H310 rubbish.

UPDATE 26.10.2013 >>>>

http://blog.osmicro.org/replace-dell-perc-h310-h710-without-losing-data/

 

We have 2x 300GB SAS drives running in RAID 1 and 5x 2TB SAS drives in RAID 5.

RAID 1 works sort of OK, but RAID 5 was so slow it took 4 days for the RAID controller to do its first initialisation. During that time, RAID 5 was so slow it was impossible to work with.

After the initial initialisation was complete, I intended to install a few virtual machines on it. It took more than 2.5 hours to install a Windows Server 2008 R2 VM! Not to mention that if you try to install 2 at the same time it bluescreens.

A total joke..

But what kills me is that the PERC H310 still comes as an available option during server build, even though Dell acknowledges it is not to be used with anything other than RAID 1 (max 500GB size).

Dell has agreed to send us a new PERC H710 replacement for free (pff, like I would agree to anything less than that). Once it arrives I will try to migrate to it without breaking the RAID arrays. We will see what happens.


 

In the mean time, the poor server stays offline..

 


WHM & cPanel Ports

PORT	PROTOCOL	OPEN	SERVICE	NOTES
20	TCP-UDP	I/O-I/O	FTP	File transfers (data port)
21	TCP-UDP	I/O-I/O	FTP	File transfers (control port)
22	TCP	I/O	SSH	ssh, scp copy, sftp
25	TCP	I/O	SMTP	Outgoing email
37	TCP	O	rdate	Network time
43	TCP	O	WHOIS	Domain lookup
53	TCP-UDP	I/O-I/O	DNS	Inbound is only needed if you run a public DNS server
80	TCP	I/O	HTTP	Web server
110	TCP	I/O	POP3	Incoming email
113	TCP-UDP	O-O	Ident	Client identification
123	UDP	O	NTP	Network time
143	TCP	I	IMAP4	Incoming email
443	TCP	I/O	HTTPS	Web server SSL
465	TCP	I	SMTP	Outgoing email SSL/TLS
587	TCP	I/O	SMTP	Outgoing email
873	TCP-UDP	O-O	rsync	File, directory sync
993	TCP	I	IMAP4	Incoming email SSL
995	TCP	I	POP3	Incoming email SSL
2077	TCP	I	WebDAV	Distributed authoring
2078	TCP	I	WebDAV	Distributed authoring SSL
2082	TCP	I	cPanel	cPanel control panel
2083	TCP	I	cPanel	cPanel control panel SSL
2086	TCP	I	WHM	WHM control panel
2087	TCP	I	WHM	WHM control panel SSL
2089	TCP	O		cPanel licensing
2095	TCP	I	Webmail	Web based email
2096	TCP	I	Webmail	Web based email SSL
2703	TCP	O		Razor email scanning
3306	TCP	I	MySQL	Out only if you need to connect remotely
4643	TCP	I		Virtuozzo control panel
6277	UDP	O		SpamAssassin
6666	TCP	I	Chat	cPanel built-in Java chat

Hyper-V – VSS Snapshot (Online Backup) of Server 2012 or Windows 8 Virtual Machine puts in saved state


If you are running the Hyper-V role on Server 2008 R2 (not tested on Hyper-V 2012) and you have Windows 8 or Server 2012 running as a guest OS (virtual machine), you may have a problem when trying to execute a VSS backup snapshot of the whole server (including its VMs), for example using Windows Server Backup, Acronis, or StorageCraft ShadowProtect.

It will do the backup, but while doing it, it will put the above-mentioned virtual machines into the “Saved” state, making them unusable during the backup process.

The Windows 8 or Windows Server 2012 guest needs to have scoped VSS snapshots turned off in order to support online backups. This is a new feature in Win8/2012 and the default is enabled.

Implement this registry key on EACH Windows 8 or Windows Server 2012 guest to resolve the issue. You must add a key called SystemRestore, then add a value called ScopeSnapshots as follows.

Run > regedit > HKLM\Software\Microsoft\Windows NT\CurrentVersion\ > create key SystemRestore > create DWORD ScopeSnapshots > value 0
