BM-Bloggers

The blogs of Black Marble staff

Book Review: Windows Virus and Malware Troubleshooting by Andrew Bettany and Mike Halsey

Summary: A very useful volume that discusses what malware is, how to defend against it and how to remove it. Clear and simple instructions are given on ways to improve security on your PC, as well as how to deal with malware that may end up on your PC. Recommended.

Presented in a very easy to read writing style, this book immediately appeals due to the clear, concise and no-nonsense approach taken when discussing malware, what it is, how it can attack and affect your PC, how to defend against it and what to do if the worst should happen and your PC gets infected.

The first chapter provides a nice potted history of viruses and malware on PCs, discussing the various types and how both the proliferation and seriousness of infections have risen from the very first, typically benign examples to modern-day infections such as ransomware, which has been in the news so much recently.

Chapter 2 deals with prevention and defence, and introduces the many security features that are built into modern versions of Microsoft Windows to help stop the initial infection. There’s a clear progression in security features as newer versions of Windows have been introduced, and it’s interesting to compare the versions of Windows that were most susceptible to the recent ‘WannaCry’ ransomware attack. Looking at the features discussed (and having been to a few presentations on the subject), this provides an excellent set of reasons for an upgrade to Windows 10 if you’ve not already done so!

Chapter 3 discusses defence in depth and includes information on firewalls, including the Windows firewall, as well as organisational firewalls (i.e. hardware firewalls and appliances) and how to generate a multi-layer defence. While at first glance this section appears to be more targeted at the organisational user, it’s actually also targeted at the home user with a hardware router/firewall combination, and some clarification that this is the case would, I feel, have been useful here. This chapter also bizarrely includes a section on keylogging software, which I feel would have been more useful in the first chapter.

This chapter also provides some information on blacklists and whitelists (i.e. internet filtering) and the Internet of Things (IoT). For both of these sections I feel that there’s perhaps been a bit of a lost opportunity; for example, a brief discussion of the filtering options available might have been helpful for home users (e.g. my Netgear router at home comes complete with an OpenDNS-based filtering option that can be enabled and configured quickly and easily and seems to provide reasonable protection), and further information on IoT security recommendations, particularly changing the default username and password on devices, would be beneficial here.

Chapter 4 deals with identifying attacks starting with how malware infects a PC and providing pointers on how to identify both internal and external attacks. I was very pleased in this section to see information on social engineering and the role that this plays in malware infections.

Chapter 5 provides a very useful list of external resources that can be utilised to help protect your PC and clean a malware infection, including the Microsoft Malware Protection Center, a great location for finding updates, additional security recommendations and products etc. This chapter also provides some limited information on third-party tools that are available. Again, I would have liked to see a more expansive list here, and it’s worth mentioning that many anti-virus vendors provide a free option of their products.

Chapter 6 deals with manually removing malware, and for me this was probably the most useful part of this book. What do you do when malware has ended up on your PC despite your best efforts and you’re now having issues running the automated tools to get rid of it? This chapter helps in this scenario, and provides some steps to take to identify what’s running on the PC, suspend and/or kill the process and remove the infection. In particular I’m pleased to see the Microsoft Sysinternals tools discussed (albeit briefly) as they are my ‘go to’ toolset when dealing with an infection on a PC. If you’re interested in these and how they can be used, it’s worth looking at some of Mark Russinovich’s ‘Case of the Unexplained’ videos, as Mark goes through the use of these tools in more detail.

There are one or two downsides; the book is only a slim volume. This has both plusses and minuses insofar as being slim, more people are likely to read it end-to-end and therefore benefit the most from it, however in one or two areas a few more details might be appreciated. For such a slim volume, it’s also more expensive than I would hope for at an RRP of £14.99, which may limit its take-up.

All in all however this is a very easily accessible book that provides great guidance on how to secure your PC, what to watch out for and how to deal with a malware infection. I’ll be encouraging a few people I know to buy a copy and read it!

Title: Windows Virus and Malware Troubleshooting
Author(s): Andrew Bettany, MVP and Mike Halsey, MVP
Publisher: Apress
ISBN-13: 978-1-4842-2606-3

Black Marble Events–now Online!

Do you enjoy our Black Marble events, but can’t always make it in person? Does a busy day at the office mean you can’t attend a full or even a half day event? From 30 January 2012 we are introducing a series of online seminars – running most Mondays through to the end of June, we are covering a range of topics in bite-size sessions. Follow the links for more information and to register – or call 01274 300175 for more details.

30 Jan – Search Architecture

06 Feb – What is new in Azure?

20 Feb – Why Migrate from Visual SourceSafe to Visual Studio Team Foundation Server

12 Mar – Content Management with Avviso and SharePoint 2010

19 Mar – Visual Studio Team Foundation Server for Everyone

26 Mar – An Introduction to SQL 2012

16 Apr – Introduction to Azure

23 Apr – An Introduction to Lab Management

30 Apr – Microsoft Surface – It is not just Touch

14 May – Designing for SharePoint

21 May – How to Kickstart your ALM Process

28 May – Designing Applications for the Windows Phone

11 Jun – Creating Data Aware Visio Diagrams in SharePoint 2010

18 Jun – What is New in Azure?

More experiences upgrading my Media Center to receive Freeview HD

In my post experiences upgrading my Media Center to receive Freeview HD I said I thought the reason my Windows 7 Media Center was hanging at the “TV signal configuration” step was down to using mixed tuner cards. Well, my second PCTV nanoStick T2 arrived yesterday, so I was able to try the same process with a pair of identical USB T2 tuners.

Guess what? I got the same problem!

However, being USB devices, it meant I could test the tuners on my laptop, a Lenovo W520 (Core i7, 16GB, Windows 7). So I plugged them both in, they found drivers from the web automatically, I ran Media Center, selected set up the TV signal and… it worked! A few worrying pauses here and there, but it got there in about an hour.

So why did it work on a laptop and not on my Media Center PC?

I considered performance, but it seemed unlikely: the Media Center is a Core 2 Duo based system about 3 years old and has had no performance problems to date. So the only difference was that the laptop had never seen a TV tuner before, whereas the Media Center had.

Unused drivers

So I wondered if the old Hauppauge drivers were causing the problem. Remember that in Windows, if you remove an adaptor card, the drivers are not removed automatically. If the driver was automatically added (as opposed to you running a setup.exe) then there is no obvious way to remove the drivers. The way to do it is detailed in this Microsoft Answers post. When you load Device Manager this way you see the Hauppauge devices and you can uninstall their drivers.

And it makes no difference to the problem.

Media Center Guide Data and Tuner setup

Using Task Manager I could see that when the Media Center TV setup appeared to hang, the mcupdate.exe program was running and using a lot of CPU. I had seen this on the Lenovo, but there it had passed within 30 seconds or so; on my 3-year-old Intel-based Media Center PC I would expect it to be a bit slower, but I left it overnight and it did not move on. So it is not just performance.

mcupdate.exe is the tool that updates the TV guide data for Media Center. It is run on a regular basis and also during the setup. So, as far as I can see, the issue is one of the following:

  1. There is corrupt guide data, so it cannot update the channel guide
  2. There is data about a non-existent tuner that locks the process
  3. There is just too much data to update in the time allowed (but you would expect leaving it overnight to fix this)
  4. There is an internet problem getting the guide (which I doubt; too much of a coincidence that it happens only when I upgrade a tuner)

Simply put I think when the TV setup gets to the point it needs to access this data, it gets into a race condition with the mcupdate.exe process which is trying to update the guide.

The Hack7MC blog post suggests the problem can be addressed by clearing down the guide data and tuner setup, and provides a process to do this. However, I thought I would try to avoid this as I did not really want to lose the series recording settings I had if I could avoid it.

So I loaded Media Center and selected Update Guide from the Tasks menu. This started the mcupdate process, caused a 50% CPU load and showed no sign of stopping, again pointing to probably one of the issues listed above. So I unloaded Media Center, but mcupdate.exe was still running, as was the tool tray notification application. Again I left this a while to no effect. So I used Task Manager to kill mcupdate and the ehtray.exe application.

I had at this point intended to run the process from the Hack7MC post, so stopped all Media Center services, but thought I would give the setup one more try. When I ran the TV signal setup I got a message along the lines of ‘guide data corrupt, will reload’ and then the setup proceeded exactly as it should have done in the first place. I ended up with all my channels, both HD and non-HD, accessible from both tuners, and all my series recording settings intact.

So a success. I am still not clear which step fixed the issue, but I am sure it was down to needing to clear down the guide data and tuner settings fully.

Bitlocker keeps asking for my recovery key after a change in my disk’s MBR

My development laptop is bitlocker’ed, and yours should be too. It provides a great and non-invasive way (assuming you have a TPM chip) to protect you and your clients’ data on a machine that is far too easy to steal or lose. However, whilst fiddling with Windows 8 I did trip myself up.

I have my PC set up to boot Windows 7 from a bitlocker’ed drive C, with a non-bitlocker’ed drive D used to boot Windows 2008 for demos (and hence holding no production data). To try out Windows 8 I added a new boot device, a boot-from-VHD partition. This edited the PC’s master boot record (MBR) and bitlocker did not like it. It thought the PC had a rootkit or something similar, so it prompted me to enter my bitlocker recovery key (which is 48 characters long) when I tried to boot Windows 7. Once this was done my bitlocker’ed Windows 7 partition worked fine, but on each reboot I had to type the key in, a bit of a pain. Removing the new VHD boot entry did not help: the MBR had still been edited, so bitlocker complained.

The solution was actually easy, but took me a while to find as it does not seem to be clear in any documentation or via a search.

When the Windows 7 partition is booted, open the Control Panel, select the bitlocker option and then suspend bitlocker, then restart it.


This has the effect of telling the bitlocker system that you are accepting that the current hardware/MBR settings are correct. After this the PC boots as expected.

If I were being more sensible I would suspend bitlocker prior to any fiddling about with Windows 8 – but the bits from Build were just too tempting……….
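As an added example (not the author’s own steps), the same suspend-and-resume can be scripted from an elevated PowerShell prompt with the built-in manage-bde tool, assuming the bitlocker’ed OS volume is C:. Suspending before the boot change and resuming afterwards lets the TPM re-seal the key to the new boot state instead of demanding the recovery key on every boot.

```powershell
# Added example, not from the original post. Requires an elevated prompt and
# the built-in manage-bde.exe (present on Windows 7 Enterprise/Ultimate and later).
param(
    [string]$Volume = 'C:'   # assumption: the bitlocker'ed OS volume is C:
)

function Get-ProtectionState {
    param([string]$Vol)
    # manage-bde -status prints a "Protection Status:" line for the volume;
    # return its text ("Protection On" / "Protection Off") or 'Unknown'.
    foreach ($line in (& manage-bde -status $Vol 2>&1)) {
        if ("$line" -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

Write-Output ("Before change : {0}" -f (Get-ProtectionState -Vol $Volume))

# Suspend: the key protectors (TPM etc.) are disabled. The volume stays
# encrypted but unlocks with a clear key until the protectors are re-enabled,
# so boot-configuration changes no longer trip the TPM integrity check.
& manage-bde -protectors -disable $Volume | Out-Null
Write-Output ("Suspended     : {0}" -f (Get-ProtectionState -Vol $Volume))

Write-Output 'Make the boot/MBR change now (e.g. add the VHD boot entry), then press Enter.'
[void](Read-Host)

# Resume: re-enables the protectors so the TPM seals to the current boot
# measurements. Do this before rebooting, otherwise the drive stays in the
# weaker suspended state.
& manage-bde -protectors -enable $Volume | Out-Null
Write-Output ("After change  : {0}" -f (Get-ProtectionState -Vol $Volume))
```

If the drive was already prompting for the recovery key, running just the disable/enable pair after a successful unlock clears the prompt in the same way as the Control Panel suspend/restart described above.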

Solving a mystery: Windows 7 games won’t work on HP TouchSmart TX2

This one has been nagging at me for a long time. My grandmother has an HP TouchSmart TX2 tablet. It was bought with Windows Vista, but as with her main computer, I upgraded it to Windows 7.

It was a good plan – Windows 7 should make it perform better, and the touch capabilities of 7 are better than Vista. There was, however, a small matter of the N-Trig digitiser drivers not being great at point of release – something which would lead me down the wrong path over the problems I encountered.

Windows 7 went onto the TX2 with no problems, except for the phone call I got soon after the rebuild – Mah Jong wouldn’t load, and Tinker (courtesy of Live) was crashing on startup.

Weirdly, when I looked at the system, they all ran when I was logged in as an admin user. However, my standard user-level grandmother got errors. I played with UAC and discovered that having switched it off, rebooted, run the games, switched UAC back on and rebooted again, they worked.

I told myself that it was something to do with the recently-installed N-Trig drivers not having configured things right (the last change to the system) and went away. Except things weren’t working…

The next time, I spent hours examining the system using Process Monitor and Process Explorer. I was thinking that file rights or registry rights would be the culprit, as the games still worked for the admin user. Sadly, I found no errors, no access denied messages, no failures at all. Still things didn’t work.

I’d largely given it up as a bad job, until today, when I installed the Touch Pack. I thought that the additional games might be fun for my Grandmother to play. Had they worked… The newly installed games failed in the same way as Tinker – a shiny ‘program has stopped working’ message and nothing more.

When I tried Bing Maps 3D, however, I got a different error. There in front of me was a message about being unable to initialise the Direct 3D system, and so Maps 3D couldn’t load.

Aha! I thought. I downloaded the ATI graphics drivers for the Mobility Radeon 3200 and installed the latest set. No difference.

So I resorted to the hive-mind of the web again. This time I found a thread on a Microsoft forum talking about a problem with ATI drivers properly recognising the hardware at install time on the TX2. That sounded promising, and led me to the AMD support article. Unfortunately, installing the hotfix drivers still didn’t work.

I then found another article on a Microsoft forum talking about a similar issue, fixed with a BIOS update. I hadn’t thought about a BIOS update for the TX2 – I tend not to think about that kind of thing when it’s not my PC. Sure enough, the TX2 had an older BIOS (version F.03) than the latest on the HP site – F.25.

Updating the BIOS still didn’t fix things, but I then reinstalled the ATI drivers supplied by the hotfix article and that did it. All the games worked, Tinker fired into life, and Bing Maps 3D started without a problem. Before the driver reinstall I got a slightly more informative error from the games saying ‘A problem has occurred with the 3D driver’.

So, if you get the same problem, here is a quick summary:

Symptoms:

  • Windows 7-included games fail to load. Click the icon to fire them up and nothing happens.
  • Microsoft Tinker dies on startup.
  • Microsoft Touch Pack games die on startup.
  • Bing Maps 3D says it failed to initialise Direct3D.

System:

  • HP TouchSmart TX2 tablet, model 1015ea

Solution:

Unable to remote control Hyper-V VM after installing SharePoint 2010 on Windows 7

True to form, you only discover something isn’t working when you’re in a desperate hurry. We use lots of Hyper-V VMs here at Black Marble and they are mostly running on our four node cluster. I use Failover Cluster Manager and this morning I couldn’t connect remotely to any of the Hyper-V VMs. I kept getting an error:

Virtual Machine Connection:
A connection will not be made because credentials may not be sent to the remote computer. For assistance, contact your system administrator.
Would you like to try connecting again?

A quick search suggested that the credssp settings on the host servers were broken. A quick test showed that they weren’t – the problem was local to my machine.

The only thing I had changed recently (try yesterday!) was to install SharePoint 2010 on my workstation. OK, I’ll be fair – that means a whole load of pre-requisites, so it’s not that simple!

I decided to check my machine and look at the settings which had been suggested as being wrong on the hyper-v servers. Sure enough, my workstation now had the credssp elements and sure enough, they didn’t match the example I’d found.

So if you get the same problem, copy the text below into a .reg file and import it into your registry. It should fix the problem.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentials]
"Hyper-V"="Microsoft Virtual Console Service/*"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentials]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnly]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnlyDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentials]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentialsDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentialsWhenNTLMOnly]
"Hyper-V"="Microsoft Virtual Console Service/*"
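As an added check (not part of the original post), the PowerShell script below reads back the CredSSP PolicyDefaults keys the .reg file above creates and reports, per delegation category, whether the Hyper-V value is present and matches. The PolicyDefaults paths are the ones in the .reg file; the CredentialsDelegation path it also looks at is the standard Group Policy location for credential delegation, which the post does not mention and which takes precedence over these defaults.

```powershell
# Added example, not from the original post. Audits the CredSSP PolicyDefaults
# entries that the .reg file creates and flags anything missing or different.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults'
$gpoBase  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'  # assumption: standard GPO location
$expected = 'Microsoft Virtual Console Service/*'

# The nine categories present in the .reg file, in the same order.
$categories = @(
    'AllowDefaultCredentials',
    'AllowDefaultCredentialsDomain',
    'AllowFreshCredentials',
    'AllowFreshCredentialsDomain',
    'AllowFreshCredentialsWhenNTLMOnly',
    'AllowFreshCredentialsWhenNTLMOnlyDomain',
    'AllowSavedCredentials',
    'AllowSavedCredentialsDomain',
    'AllowSavedCredentialsWhenNTLMOnly'
)

function Get-CredsspCategoryReport {
    param([string]$Category)
    $key = Join-Path $base $Category
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Category = $Category; State = 'MISSING'; Entries = '' }
    }
    $props = Get-ItemProperty -Path $key
    # Every non-PS* property under the key is one "service/host" pattern that
    # credentials of that category may be delegated to.
    $entries = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
    $actual = $props.'Hyper-V'
    if ($actual -eq $expected) {
        $state = 'OK'
    } elseif ($null -ne $actual) {
        $state = "DIFFERS ($actual)"
    } else {
        $state = 'NO Hyper-V VALUE'
    }
    [pscustomobject]@{ Category = $Category; State = $state; Entries = ($entries -join '; ') }
}

$categories | ForEach-Object { Get-CredsspCategoryReport -Category $_ } | Format-Table -AutoSize

# Group Policy credential-delegation settings override PolicyDefaults, so if this
# key exists the .reg import alone may not explain what the machine is doing.
if (Test-Path $gpoBase) {
    Write-Warning "Credential delegation is governed by Group Policy under $gpoBase; PolicyDefaults are overridden."
}

# Note on the value itself: the trailing '*' allows the logged-on user's
# credentials to be sent to the Hyper-V console service on any host. Naming the
# actual Hyper-V hosts instead (e.g. 'Microsoft Virtual Console Service/hyperv01.example.local',
# a constructed placeholder) limits where the workstation will delegate them.
```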

VHD boot and c00002e2 Errors

For some reason that is beyond me now, I did not set up my Lab Manager test system to be a VHD boot. So before installing the 2010 RC version I decided to P2V this system (on the same hardware) to make backups easier whilst testing. All seemed to go well:

  1. I used IMAGEX to create a WIM of the disk
  2. Created an empty VHD
  3. Used IMAGEX to apply the WIM to the VHD
  4. Formatted the PC with a default Windows 7 install
  5. Added a VHD boot Windows Server 2008R2 to the PC, tested this all booted OK
  6. Replaced the test VHD with my own and rebooted

… and it just went into a reboot cycle. Pressing F8 and stopping the reboot on error, I saw I had a “c00002e2 Directory Services could not start” error. I managed to get into the PC by pressing F8 and using the AD recovery mode (safe mode did not work). After much fiddling around I eventually noticed that my boot drive was drive D:, not C: as I would have expected. My VHD and parent drive had reversed letter assignments. So when the AD services tried to start they looked on the parent Windows 7 partition (C:) for their data and hence failed.

I think the root cause was the way I had attached the empty VHD in order to use IMAGEX. I had not done it using WinPE, but had just created it in my Windows 7 instance and attached the VHD as drive D: before copying on the WIM.

So my revised method was:

  1. I used IMAGEX to create a WIM of the disk (actually used the one I already had as there was nothing wrong with it, which was a good job as I had formatted the disk)
  2. Formatted the PC with a default Windows 7 install
  3. Added a VHD boot Windows Server 2008R2 to the PC, tested this all booted OK
  4. Copied my WIM file to the same directory as my newly created W2k8R2.VHD
  5. Copied IMAGEX to this directory
  6. Booted off a Win7 DVD
  7. Pressed Shift F10 to get a prompt at the first opportunity
    1. Ran DISKPART
    2. Select Disk 1
    3. Select Part 1
    4. Detail Part – this was the 100MB system partition Windows 7 creates and was assigned as drive C: (note that when you boot Windows 7 the drive letters get reassigned just to confuse you; looking at this you would expect your Windows 7 boot drive to be D:)
    5. Assign Letter = Q – this set the system partition to be drive Q, but any unused letter would do
    6. Select vdisk file:d:\vhd\w2k8r2.vhd
    7. attach vdisk – this loaded the VHD and assigned it the letter C: as this was now not in use
    8. list disk
    9. Select disk 2
    10. Select Part 1
    11. detail Part – checked the drive letter was correct
    12. I then exited DISKPART and from the same command prompt ran IMAGEX to put the WIM on this new drive C:
  8. Rebooted and it worked

So the technical tip is make sure your drive letter assignments are what you think they are, it may not be as obvious as you expect.

Tech Update Wows the Crowd

Some of the Tech Update Crowd

Black Marble's Rik Hepworth and Microsoft's Matt McSpirit

Our Annual Tech Update went well – a good turnout, asking intelligent questions over a great lunch and soaking up our view of the Microsoft Roadmap for 2009, 2010 and beyond.

Feedback was positive as ever, with comments that it exceeded expectations which were already high! Rik Hepworth has blogged on the key Microsoft technologies to look out for.

Guest starring in today’s event was Microsoft’s Virtualisation Specialist, Matt McSpirit, aka Virtual Boy, pictured here on the right with Black Marble’s Rik Hepworth.

Twitter clients: Twinbox and Tweetz

Anybody who follows me on twitter will know that @rikhepworth is by no means a prolific tweeter. However, I do follow a number of people around the planet, and in addition to the ubiquitous Tweetie2 on my iPhone, I have found two clients to be useful and reliable.

The first is Tweetz, from Blue Onion Software. This is a great gadget for the Windows 7 desktop (or Vista Sidebar). The UI is simple and extremely usable (I love the way I can scroll the history for older tweets) and it makes posting a breeze.

The second reflects just how much I live by Outlook and the resulting ability to search and collate unread mails, blog posts and now tweets. Twinbox from TechHit allows you to tweet directly from Outlook and incoming tweets are collated by sender. No integration with the Office 2010 fluent UI but the add-in works, and there is a 64-bit version available as well.

New Year … More Free Events

Welcome to 2010 … and more great events from Black Marble!  The 27th January kicks off with our Annual Tech Update – a complete roadmap of all things Microsoft.  We will shine a light on the big releases of 2009, the highlights of Office and Visual Studio 2010, as well as the releases you might have missed.

The afternoon tackles Azure for the IT Manager and Decision Maker – what is the business value of Microsoft’s cloud offering? Is it the way forward for your business? Black Marble will be joined by Microsoft’s Simon Davies to explore how your business can benefit, and how the model will work for you.

The evening brings Social Media Expert Eileen Brown on board to discuss Using Digital Marketing and Social Media to Build and Maintain your Online Brand.

Come along and join us for our first event of the year … it’s FREE and the food is always great!