How to remove win64/sirefef.AE trojan & c:\windows\system32\services.exe win64 patched b.gen trojan
I’m kind of the default “go to” guy for all PC issues with friends and family. One of the most common problems people bring to me is malware. Going forward, I’m going to document the removal process for some of the more difficult ones I encounter.
The most difficult trojan I’ve encountered thus far is the sirefef.AE trojan. It infects the PC by replacing c:\windows\system32\services.exe, which is pretty ingenious: Windows requires that file and it is always in use, so antivirus products and cleanup tools are unable to remove it.
I just spent a few days battling this one and successfully cleaned it off the system.
To remove it:
- Run the ESET Online Scanner (http://www.eset.com/us/online-scanner/). Have it scan archives and let it remove whatever it finds. Side note: If you use Norton or McAfee for antivirus protection, now’s a good time to dump them for an antivirus that actually works and doesn’t hog resources: http://go.eset.com/r/7NQZN
- Run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) in safe mode. It will find and remove some of the trojans already downloaded. Instructions are on the bleepingcomputer page on how to use it but for the most part it’s mostly automated.
- Download and install MalwareBytes (http://majorgeeks.com/download.php?det=5756). The free version will suffice. Run a full system scan and remove whatever it finds.
- You will need a Recovery Disc from Windows 7 for the next step. Make one on a non-infected computer if you don’t have one already.
- Download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save to a flash drive.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
Uninstalling Trend Micro Client/Server Security without a Password
Lost or forgot your Trend Micro Client/Server password? How about inheriting a computer that had the software installed by an IT team or consultant that won’t give up the password? I had to work on a network with the latter, and it’s rather annoying. The product is utter crap, as the machine is spyware-infested even though the antivirus is running and present. I went to uninstall it but couldn’t because the previous person/company password-protected it and nobody has it.
Here’s how to bypass the protection:
- Load up Regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- Change the value of Allow Uninstall to 1.
Now you can uninstall TrendMicro’s crappy product and replace it with a real solution like ESET.
TrustedInstaller.EXE CPU Usage
Solution 1: Clear Problem History
The following fix is intended for situations where trustedinstaller.exe causes problems due to the Problem Reports and Solutions history maintained in Windows Vista.
- Go to Start and then select Control Panel.
- Turn on Classic View.
- Select Problem Reports and Solutions.
- Click Clear Solution and Problem History in the left panel.
- Confirm your decision.
- Exit the Problem Reports and Solutions window and Control Panel.
You can also click Change in the Problem Reports and Solutions window and change the configuration from the Check for solutions automatically setting to Ask me to check if a problem occurs.
Solution 2: Change Microsoft Update Startup Settings to Manual
- Go to Start and then select Control Panel.
- Select Administrative Tools and then select Services.
- Scroll down to Microsoft Update, right-click on it and then select Stop.
- Right-click on Microsoft Update again and select Properties.
- On the General tab, set Startup type as Manual.
- Next, display the Recovery tab.
- Choose Take No Action and click OK for First Failure.
- Exit the properties dialog box.
- Bring up Task Manager by pressing Ctrl+Alt+Del or Ctrl+Shift+Esc.
- On the Processes tab, look for and select trustedinstaller.exe.
- Click End process to kill trustedinstaller.exe.
Solution 3: Disable Automatic Update
- Go to Start and then select Control Panel.
- Go to System and Maintenance.
- Click Turn automatic update on or off option.
- Next, depending on your preference, choose one of the following options:
  - Never check for updates (not recommended)
  - Check for updates but let me choose whether to download and install them
  - Download updates but let me choose whether to install them
- Click OK to save your changes and exit the dialog box.
Solution 4: Stop the Windows Module Installer That Runs Trustedinstaller.exe
- Click on Start, in the Start Search box, type msconfig and then press Enter.
- Click Continue when User Account Control prompt is displayed.
- In the System Configuration window that is displayed, open the Services tab.
- Locate and clear the Windows Module Installer check box.
- Click OK to save your changes and exit the dialog box.
- Next, open Services window again and change the Startup type of Windows Module Installer to Manual.
Drobo Dashboard Can’t Connect to Drobo when ESET Firewall is Active
Have a Drobo storage unit? If you have ESET Smart Security Firewall enabled, you’ll probably find Drobo Dashboard can’t connect while the firewall is on even after adding all the required ports and services to ESET’s rules from the Drobo online help site (http://goo.gl/iVKVU).
After enabling the detailed logging in ESET, I found that ESET’s firewall was flagging Drobo Dashboard as an intrusion attempt and blocked it. From the Drobo help page (http://goo.gl/iVKVU):
Drobo Dashboard connects to port 5000 and then randomly picks a port in the range for broadcasting.
This is definitely not the most intelligent way to build a product when users are trying to secure their home or business network, and it’s no wonder that ESET flagged the behavior as suspicious. Luckily there’s a fix to keep ESET from blocking the Drobo connection:
- Make sure you add the rules as per Drobo’s site (http://goo.gl/iVKVU).
- Open the main program window by clicking ‘Start’ -> ‘All Programs’ -> ‘ESET’ -> ‘ESET Smart Security’.
- Click on ‘Setup’ on the left, and then click ‘Enter Advanced setup’ on the right to open the Advanced Setup tree.
- From the Advanced Setup tree on the left, expand ‘Network’, click on ‘Personal Firewall’, and then select ‘Interactive mode’ from the Filtering mode drop-down menu on the right.
- From the advanced setup tree, click ‘Personal Firewall’ -> ‘Rules and zones’. Click the ‘Setup…’ button in the Trusted zone section and then choose ‘Allow sharing’. Click ‘OK’.
- Click ‘Personal Firewall’ -> ‘IDS and advanced options’. In the ‘Allowed services’ section, make sure all services are selected. Click ‘OK’.
Drobo Dashboard should now be able to connect to the unit with no issues.
Round Up to Whole Numbers in Excel (10s, 100s, 1000s, etc)
After years of using Excel, I realized today that I have never had to round up to the nearest whole number before – until today, that is. I was organizing my finances and realized that I wanted to round some of the amounts up to the nearest 10. The formula to round up to a given decimal position in Excel is:
=ROUNDUP([Range],[Position])
Count the number of places after the decimal point that you want to keep and set [Position] to that value.
So if you had 1234.25 in cell A1 and wanted to round up to the nearest cent, =ROUNDUP(A1, 1) would produce 1234.30.
Value in A1 | Position | Formula
1234.25     | 1        | =ROUNDUP(A1, 1)
1234.25     | 2        | =ROUNDUP(A1, 2)
Want to go the other way? Start at the decimal point as position 0 and count backwards, using the negated position.
Value in A1 | Position | Formula          | Rounds up to the nearest
1234.25     | -1       | =ROUNDUP(A1, -1) | ten (10)
1234.25     | -2       | =ROUNDUP(A1, -2) | hundred (100)
1234.25     | -3       | =ROUNDUP(A1, -3) | thousand (1000)
1234.25     | -4       | =ROUNDUP(A1, -4) | ten thousand (10000)
Kill Multiple Processes at Once Via Command Line with Taskkill
Ever have a program or process that doesn’t end properly and runs in the background continuously?
I recently encountered this issue with VLC on one Windows 7 machine where the process never terminates. Since I never reboot the machine other than for Windows Updates, this amounted to 633 copies of VLC running in memory. Each process only used about 633k, so it wasn’t an astronomical memory hog, but multiply that by 633 and you begin to feel the machine slowing down. Task Manager doesn’t let you kill multiple processes in bulk, and I didn’t want to go through killing them one by one or rebooting.
The solution? Good old command line. Open up a command prompt (Start -> Run -> cmd.exe). This snippet will kill all processes whose image name starts with the task name (the wildcard matches every image name beginning with that prefix, so check the match with TASKLIST first if the prefix is short):
TASKKILL /IM [TASKNAME]* /F
To kill all VLC processes, you’d use:
TASKKILL /IM vlc* /F
All running VLC processes will be terminated automatically.
SQL 2008 DTSX
The Problem
Earlier today, I was working on setting up DTSX so some end users could run some packages. After loading and testing the packages successfully, the users tried running the package and encountered an interesting error:
SSIS Execution Properties
Failed to open package file “C:\Program Files\Microsoft SQL Server\100\DTS\Packages\dts_filename.dtsx” due to error 0x80070005 “Access is denied.”. This happens when loading a package and the file cannot be opened or loaded correctly into the XML document. This can be the result of either providing an incorrect file name was specified when calling LoadPackage or the XML file was specified and has an incorrect format. ({FFEE8F2F-A0A6-40BE-8CDA-86BEC124F874})
The packages were provided by another vendor, so I wasn’t keen on trying to modify things within the packages themselves. I was able to run the packages under my admin account, but the end users kept running into the error, which led me to believe that the user needed some special permissions. The users were connecting to this virtual server via remote desktop. While it was a dedicated virtual machine specifically for this project, I really didn’t want to give users admin rights because…well, I don’t think that needs to be explained, so I hunted around and of course there are no settings for controlling access via permissions in Management Studio. It was time to take to the interwebs and use my Google-Fu and see what others have found on this error. I found others who had similar errors but none had the exact issue. Some similar errors:
- http://msdn.microsoft.com/en-us/library/aa337083.aspx – This was the closest except that it dealt with remote access which wasn’t the case here. I tried it anyways in case it was the problem.
- http://www.mssqltips.com/tip.asp?tip=1199 – Proxy permissions for SQL agent which is useful to know when creating scheduled jobs.
The Solution
I remembered that SQL Management Studio had issues with accessing files in different locations (e.g. My Documents). With the new security settings in Windows, you may have noticed you need admin rights to add, run, or modify folders/files in locations like c:\Program Files in Windows 7/2008. I wondered if DTSX used a special permission that allowed it to access files and checked the groups under the Server Manager. I found a group called SQLServerDTSUser$[MachineName]. I added the users who were executing the packages to this group and then checked the permissions on the folder C:\Program Files\Microsoft SQL Server\100\DTS, which didn’t have the group listed. I added the group to the folder permissions, tested the package and voila – it worked.
‘Windows XP Mode’ could not be started because there are not enough system resources or memory in your computer. You can shut down other virtual machines or close open applications and try again.
If you’re running Windows 7 and try to install Windows XP mode, you might run into the error “‘Windows XP Mode’ could not be started because there are not enough system resources or memory in your computer. You can shut down other virtual machines or close open applications and try again.”
You’ll need to find the app causing the problem. You can use msinfo32 to figure out which apps are resource intensive.
- Click Start, click Run, type msinfo32 in the Open box, and then click OK.
- Expand Software Environment, and then click Running Tasks.
- View the values in the Min Working Set and the Max Working Set columns for each process to determine the process that uses a lot of physical memory.
Actual Cause
In my case, I discovered Stardock Tiles and Virtual PC are not compatible. Kill the Tiles process and you’ll be able to run Virtual PC. You can run Stardock Tiles after loading up Virtual PC though.
Update 3-23-12
A few people (Thanks Tom!) have commented on the issue and have pointed out for them that Google’s CrashHandler process also interferes with Virtual PC. You can either kill it through task manager or disable it completely by doing the following:
- Go to File Menu > Options
- Click the Under The Hood tab, and uncheck the option which says – Help Google Chrome better by automatically sending the usage statistics and crash reports to Google
Did you know…?
Windows 7 sports tons of new features and surprises that have gotten little to no fanfare.
Did you know that Microsoft has updated the Windows Calculator in Windows 7 with some really new and useful features? Previously, most of these features required you to open Excel or use some website to solve the problems they address. The calculator sports new features including Unit Conversion, Date Calculation, Mortgage, Vehicle Lease, and Fuel Economy (in both MPG and KM, no less!). You can find the different options under the View menu after opening the calculator up. See screenshots below for examples of what the calculator can do.