Blog: Networking

I’ve been using the Microsoft RDP client for the Mac to log in to one of our terminal servers.  Unfortunately this client has an annoying bug where the time zone is not set correctly if time zone redirection is set through group policy.  After manually changing the time zone a few days in a row I decided to look for a more automated solution.  I found that you can invoke the Date and Time control panel applet from a command line and pass the desired time zone.  The command is:

control.exe timedate.cpl,,/Z Central Standard Time

The time zone has to match one of the key values saved in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Time Zones.  I put this in a command file and added it to my startup group on the server.


 

Recently a customer had opened a phishing e-mail making rounds starting around the first of September.  This was an e-mail that is reported as an IRS version of Zeus Bot (some additional info: http://garwarner.blogspot.com/2009/09/irs-version-of-zeus-bot-continues.html).

After the virus definitions caught up with this, it was quarantined off and seemed to only affect the user profile on the terminal server where it was opened.  However, users also started reporting that Internet Explorer was crashing randomly.

Looking through the event logs, I could see that IE was crashing from a faulting module named RASADHLP.dll.   This file is a remote access dialup helper and shouldn’t even be in use.  After comparing the files in the Windows\system32 directory with another terminal server at the location, the files appeared identical.  However, the problematic server had another copy of RASADHLP.dll under C:\Program Files\Internet Explorer.

Further investigation of this file showed the creation date as the same day that the user received and opened the phishing e-mail.  Also it showed the user as the Owner of that file.  It is likely that IE was trying to use this file in its program directory first before the one in system32.

After renaming the file, IE was working without any problems.  The file was removed from the system.  Users running as non-admins likely helped to isolate the malware, but it still had written a bogus file to IE’s program directory.
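One way to check a server for the same condition, as an added example that is not part of the original post: it lists every DLL in an application directory that shares a name with a DLL in system32, with the creation date and owner that gave this file away. It assumes PowerShell 4.0 or later (for Get-FileHash); the directory is the one named in the post.

```powershell
# Added example: find DLLs in an application directory that shadow a DLL of the
# same name in System32. The application directory is searched first, so a
# planted copy there is loaded instead of the system one.
$AppDir = 'C:\Program Files\Internet Explorer'   # directory named in the post
$Sys32  = Join-Path $env:windir 'System32'

Get-ChildItem -Path $AppDir -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $systemCopy = Join-Path $Sys32 $_.Name
        if (Test-Path -LiteralPath $systemCopy) {
            $appHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sysHash = (Get-FileHash -LiteralPath $systemCopy -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name          = $_.Name
                Created       = $_.CreationTime                          # compare with the date the e-mail was opened
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner  # a regular user as owner is the red flag
                MatchesSystem = ($appHash -eq $sysHash)
                Path          = $_.FullName
            }
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

An empty result means no DLL in that directory collides with a system32 name; any row owned by an ordinary user account deserves a closer look.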


 

Be mindful about what filtering software you use.  Some web filtering software gathers data on chats.  Software produced by EchoMetrix and sold under the Sentry and FamilySafe brands reads private chats, and the company then sells the information to third parties. The company reportedly collects data on what kids are saying about movies, music or video games in chats carried out through services such as Yahoo, MSN, AOL, and other services.  Supposedly, no identifiable information is disclosed because the program does not record children's names or addresses.  This is definitely an example of why it's good to read through the user agreements of the software you use.



 

Initial symptom:  After pairing an iPhone using Bluetooth, Windows 7 would show the phone icon with a yellow exclamation point stating it could not find a driver for Bluetooth Peripheral Device. 

To fix this and get tethering to work over Bluetooth, go to the properties of the phone in the Bluetooth devices and click on Services tab.  Uncheck “Wireless iAP” (wireless internet access point).  Windows will stop saying that it needs a driver and you can right click on the phone and select “connect using -> access point”.


 

If you are not using 7-zip, you need to install it.  It will unzip just about anything, including InstallShield files, msi files, gzip files, tar files, rpm, deb, iso – over 20 different kinds of files.  It will create compatible compressed files, but it also has its own 7z format that has a higher compression ratio than zip.  It will make encrypted files and self-extracting executables with better encryption than regular zip.  Of course it’s open source, mostly LGPL.

Example:  The other day I needed to install a printer driver on a machine that a customer connects to with remote desktop.  HP had the humongous 205 MB download with all the utilities, but all I needed was the driver, so I downloaded the huge basic driver package, which was only 61 MB.  It was an executable, so I tried running it and it complained that the USB was not working while looking for the printer.  This was a virtual machine and I didn’t need USB.  I tried renaming the file to .zip and unzipping it using the Vista built-in feature, but it could not read it.  So I installed 7-zip and was able to extract all the files and just install the driver. One more happy customer.

 

Desktop Restore is a free shell extension that records the position of desktop icons and lets you restore your favorite layout when the icons have been rearranged, for example by a change in screen resolution.

www.midiox.com/desktoprestore.htm

This is a context menu where you can save or restore the desktop but there is also a custom save/restore option that saves multi-monitor information.


 

I was recently configuring an ISA server for a network support customer including automatic configuration using WPAD.  The customer had a 2008 SBS server and a 2003 ISA server (running ISA 2006).  I added a "wpad" alias (CNAME) to the DNS server on the SBS box to allow clients to automatically detect the new ISA server.  However, when I tried to resolve the entry on the SBS server as well as other hosts on the network, it never would resolve.  I tried other CNAME entries on the server, and they all worked fine.  I tried removing the entry and re-adding it, but got the same behavior.  I decided to let it sit overnight to see if it was a timing issue.  The next day, I still couldn’t resolve "wpad" or "wpad.bofc.local".  I started digging and found that the DNS service on Windows Server 2008 has a built-in "block list" for some potentially dangerous DNS names.  The default list includes "wpad" and "isatap".  Gotcha!  Since I wasn’t concerned with blocking any DNS names, I decided to turn off the "block list".  I used the following dnscmd command:

dnscmd /config /enableglobalqueryblocklist 0

Other helpful commands when dealing with this include (from http://technet.microsoft.com/en-us/library/cc995158.aspx):

To check whether the global query block is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist

To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist

To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0

To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 1

To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist

To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…
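A narrower alternative to turning the block list off, as an added example that is not part of the original post: the block list exists so that a host cannot claim the wpad or isatap name through dynamic update, so this sequence uses only the dnscmd forms listed above to unblock "wpad" while leaving the list enabled for "isatap". Run it in an elevated prompt on the DNS server; the nslookup target is the name from the post.

```powershell
# Added example: unblock only "wpad" and keep the global query block list active.

# 1. Record the current state before changing anything.
dnscmd /info /enableglobalqueryblocklist
dnscmd /info /globalqueryblocklist

# 2. Replace the default list (wpad, isatap) with one that no longer contains wpad.
dnscmd /config /globalqueryblocklist isatap
if ($LASTEXITCODE -ne 0) { throw 'dnscmd could not update the block list' }

# 3. Make sure the block list itself stays enabled.
dnscmd /config /enableglobalqueryblocklist 1
if ($LASTEXITCODE -ne 0) { throw 'dnscmd could not enable the block list' }

# 4. Confirm the new list, then test that the wpad alias now resolves.
dnscmd /info /globalqueryblocklist
nslookup wpad.bofc.local
```

With wpad off the list, the statically created CNAME is what answers the query, so it is worth confirming that the zone does not accept unsecured dynamic updates for that name.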


 

Have you run MSINFO32 to get OS information and been greeted by this error: "Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support'."  You then go to the services listing and find that 'Help and Support' is not there.

Microsoft indicates this is a known issue on SBS 2003 after installing SP2 (I have seen and resolved this same behavior on Standard Edition as well).  Here is the fix:

  1. Open a command prompt and change directory to %windir%\PCHealth\HelpCtr\Binaries
  2. Run 'start /w helpsvc /svchost netsvcs /regserver /install'
  3. Once complete, refresh your Services listing and you should see 'Help and Support' ready to be started
  4. After starting that service, run MSINFO32 again

http://support.microsoft.com/kb/555912


 

NTFS Undelete is a free software utility that recovers deleted files that are no longer in the recycle bin.  Of course, you're hoping nothing has overwritten any of the deleted file.  An ISO image is also provided if you want to run NTFSUndelete from a CD rather than installing the program after deleting a file.  (The ISO image is not bootable, just used to run NTFSUndelete from the CD.)

http://ntfsundelete.com

The user interface is easy to understand and there are some helpful advanced search options (date, size filters as well as file names, etc.)

 


 

Find the container for the software within the Uninstall path in the registry.  Usually there is a description within that says what program it is tied to.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*Install Container*

Registry DWORD values that can be added are “NoRemove”, “NoRepair”, and “NoModify”.  Set a value to 1 to enable the setting, or to 0 to disable it.  You can use these settings to keep users from manually being able to remove, repair, or modify specific programs.
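The same change scripted, as an added example that is not part of the original post: it finds the install container by its DisplayName and writes the three DWORD values. "Example Application" is a placeholder name, and the Wow6432Node path is included on the assumption that 32-bit programs on 64-bit Windows register there. Run it elevated.

```powershell
# Added example: set NoRemove / NoModify / NoRepair on a program's Uninstall key.
$displayName = 'Example Application'                 # placeholder: name shown in the programs list
$settings    = @{ NoRemove = 1; NoModify = 1; NoRepair = 1 }   # 1 = enable, 0 = disable

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

# The container name is often a GUID, so match on the DisplayName value inside it.
$targets = Get-ChildItem -Path $roots | Where-Object {
    (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName -eq $displayName
}

if (-not $targets) {
    Write-Warning "No uninstall entry named '$displayName' was found."
    return
}

foreach ($key in $targets) {
    foreach ($name in $settings.Keys) {
        # -Force overwrites an existing value instead of failing.
        New-ItemProperty -Path $key.PSPath -Name $name -Value $settings[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    # Show the result so the change can be verified.
    Get-ItemProperty -Path $key.PSPath |
        Select-Object PSChildName, DisplayName, NoRemove, NoModify, NoRepair
}
```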