Author Archive
DNS settings hijacked and av.exe won’t go away. Internet turns Inertnet!
by Greg on Feb.25, 2010, under Antivirus, Networking, Windows XP
Had a fun time today cleaning off some trojans and rootkits. On this one client system, while trying to go online, the Internet turned into the Inertnet! (Hahahha! I love that one!) As usual, I have lots of ideas why, but no real evidence and clients saying “I don’t know how it got there.” Doesn’t really matter though, it’s there and I am going to clean it off. I managed to easily scan for and clean off a couple of them, but one wouldn’t detect with any scanner. AV.exe kept popping up, showing the fake Windows Security Center and Antivirus 2010. I used Process Explorer to see the offender, but I couldn’t find the file, it was hidden.
I rebooted with UBCD4Win, found the file and deleted it. Problem is, this caused a mess in Windows. Nothing would load, I always got a “Open With” dialog box. After some Googling, I found out where to fix that in HKCR in the registry. In there, there was a setting for .exe files to open, and it was set to use av.exe in the user profile to open them! How do you like that?!!
I wasn’t able to fix that in the current user profile, it was locked down somehow. Opening in the Administrator account of XP allowed me to fix it though. The default value for “exefile” should be set to:
"%1" %*
(Just google that for more info.)
Ok, so got that all fixed. Fun how you clean off these bugs, only to leave windows all messed up after! Next, did all my final scans, tweaks and other items. (lock down IE, disable scripts/Flash/Adobe, add a windows update to Trusted Sites, and force user to use Firefox. I also changed the icon on Firefox to the one for IE so the user will pretty much always use it!) Then I tried to get all the updates caught up, only no go! Wait, I am on the same Internet connection as my system, and it works for me, why not the client system? Hmm… well they are on an isolated subnet, going through the firewall separately. (keeps their bugs off my systems!) But, wait, those are the same DNS settings?
AH! Take a look at those NIC properties in XP. DNS is hard set to 93.188.x.x! Nslookup shows that as some place at a .com.ua domain. Well, let’s fix that one, and set to DHCP like it should be! Problem solved, Windows Update works!
Fun stuff! I’ve cleaned a lot of bugs over the years, and I’ve heard of DNS hijacking, but that’s the first one I’ve seen like that.
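The two things the post fixes by hand, the hard-set DNS servers on the NIC and the hijacked handler for .exe files, can both be read straight out of "reg query" output, which is handy when you want to check a machine before and after a cleanup. The following Python is an added example, not code from the post: it parses constructed "reg query ... /s" output modelled on what the post describes (the interface GUIDs, the av.exe path and the 93.188.x.x entries are placeholders, not captured values) and flags any interface whose NameServer value points at resolvers outside a trusted list, and an exefile open command that is anything other than "%1" %*. The registry paths are the standard ones; the rest is assumption.

```python
import re

# The default .exe handler the post restores under HKCR\exefile\shell\open\command.
EXEFILE_DEFAULT = '"%1" %*'
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
# Per-interface TCP/IP settings. NameServer holds a hand-entered DNS list,
# DhcpNameServer holds what DHCP supplied, so a non-empty NameServer on a
# DHCP interface is exactly the override the post found.
IFACE_PREFIX = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                r"\Tcpip\Parameters\Interfaces" + "\\")

# One value line as reg query prints it: name, type and data separated by runs of spaces.
VALUE_RE = re.compile(
    r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*?))?\s*$")

# Constructed reg query output (not captured from the client): one DHCP interface
# whose NameServer was overwritten with the 93.188.x.x resolver, one clean
# interface, and an exefile handler pointing at av.exe in a placeholder profile path.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{PLACEHOLDER-GUID-1}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ    93.188.x.x,93.188.x.x
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{PLACEHOLDER-GUID-2}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>    REG_SZ    "C:\Documents and Settings\user\Local Settings\Application Data\av.exe" "%1" %*
"""

# Constructed output for a machine with the default handler in place.
CLEAN_EXEFILE = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>    REG_SZ    "%1" %*
"""


def parse_reg_query(text):
    """Parse reg query output into {key_path: {value_name: (type, data)}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # key lines are flush left
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data") or "")
    return keys


def find_static_dns(keys, trusted):
    """Return [(interface_key, [servers])] for every interface with a hand-set
    NameServer list containing a resolver that is not in `trusted`."""
    hits = []
    for key, values in keys.items():
        if not key.startswith(IFACE_PREFIX):
            continue
        static = values.get("NameServer", ("", ""))[1]
        if not static:
            continue
        servers = [s for s in re.split(r"[,\s]+", static) if s]
        if any(s not in trusted for s in servers):
            hits.append((key, servers))
    return hits


def exefile_is_default(keys):
    """Return (is_default, current_value) for the .exe open command.
    XP prints the default value as <NO NAME>, Vista and later as (Default)."""
    cmd = keys.get(EXEFILE_KEY, {})
    for name in ("<NO NAME>", "(Default)"):
        if name in cmd:
            value = cmd[name][1]
            return value == EXEFILE_DEFAULT, value
    return False, None


if __name__ == "__main__":
    reg = parse_reg_query(SAMPLE_REG_QUERY)
    for key, servers in find_static_dns(reg, trusted={"192.168.1.1"}):
        print("static DNS on %s: %s" % (key.rsplit("\\", 1)[1], ", ".join(servers)))
    ok, value = exefile_is_default(reg)
    print("exefile handler %s: %s" % ("OK" if ok else "HIJACKED", value))
```

On a live XP box the input would come from "reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s" and "reg query HKCR\exefile\shell\open\command", saved to a file and fed to parse_reg_query; the trusted set is whatever your DHCP server hands out.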
After updating login.conf in FreeBSD
by Greg on Feb.12, 2010, under FreeBSD
I only need to update this once in a while, but twice now I’ve forgotten what to run after an update to /etc/login.conf. Run this:
cap_mkdb /etc/login.conf
Google Chrome slow and laggy
by Greg on Feb.11, 2010, under Internet
Well, if you’re like me, you probably love Google Chrome browser. And although the latest version of Firefox (3.6) is much improved in speed, it launches fast and browses quick, I still like Chrome better now that I am used to it. Especially now that it’s got my two favorite extensions, Lastpass and mouse gestures.
Anyway, to the point. Using Chrome 4.x. (It did say Beta still? weird?) Chrome has been acting kind of laggy lately on my desktop system. It opens quick, but then is slow to show any pages and on mouse clicks they pause for a second before any action. First I thought, disable any extensions. Ok, did that. Relaunched Chrome, same thing. Alright, this time I’ll remove all the extensions. Relaunch and same thing.
At this point I thought, is there some sort of weird proxy or dns thing going on here? No, not DNS. If it was, my laptop would be slow too, right? We all use the same DNS. And I even benchmarked it with DNS Benchmark at GRC.com. (search for that at that site to download, cool little tool!)
Firefox and IE don’t exhibit the same issues. Hmm… not sure about this one. Ok, fairly quick test. Uninstall Chrome, completely, including any saved/cached data. Make sure I don’t have any profile data in c:\users\username\appdata\google\chrome folder. If there is, delete that folder. (keep in mind, you will be deleting EVERYTHING saved in chrome, FYI) No big deal though, I have all my bookmarks synced on my Gmail account and I use Lastpass to store passwords and sites.
Reboot the computer, find and download Chrome again, run the installer. Get my two favorite extensions and I am in business! Now Chrome is launching fast, like it normally does! And mouse clicks are responsive again.
Just a note, it says my version is now: 4.0.249.89 (38071)
And it doesn’t say “beta” anymore.
Maybe that’s what the issue was, there was something not upgraded automagically by Google and there was still older beta code used somehow. Whatever it was, problem solved.
By the way, this is one of my favorite reasons to use Firefox or Chrome over Internet Explorer. There are many others, but this is a big one, IMHO. You can actually remove the browser and all the settings and cached data from your system. You can’t with IE. Even with the options to delete any saved data in IE, the program is still on your system, doing who-knows-what in there. The only way I know of to really clear out any issues with IE is to create a new user profile on the system, login as that user and test if IE still has an issue. If it does not, your problem is in IE in your old user account. That’s really a huge pain! Much easier to remove the program and any associated data and reload it to clear out any bugs.
Rootkit from fes.sk/files
by Greg on Feb.09, 2010, under Antivirus, Internet, Networking, PC Repair, Security, Windows XP
I had a client recently that had their browsers hijacked. Everything they typed in the browser ended up redirecting them to some test_s.php file at “www.fes.sk”. (Don’t open that, or you might end up with a virus! I just wanted people to find this in case it might help clean this bug off!)
Not sure what this virus was, but it disabled Microsoft Security Essentials and blocked even MalwareBytes and SuperAntispyware from detecting it. I couldn’t find it and I was almost to the point of just reloading the computer because in this case it would have been faster to just copy the docs off and reload Windows XP.
I thought, let’s search that URL? This was key, because it brought up some forum posts and someone mentioned HitMan PRO. www.surfright.nl/en/hitmanpro
Never heard of this program, but thought since it had a 30 day trial I’d give it a quick shot. I was very impressed, it scanned in literally a few minutes. (like 2 or 3!) It found a “Rootkit”, nothing more than that though, in a file called “ipsec.sys” in the system32/drivers directory. Then it said, “Reboot to clean.”
My client was very pleased to see it reboot, do another very quick scan, and he was able to browse the web again.
Hitman Pro was free for 30 days, but you had to activate it. I believe it has a subscription price of just under $30/year for 3 PC’s. (as of 02/09/2010) That’s not too bad I think. Keep in mind though, this looks like a “remover” , not a real-time antivirus protection program. You’ll still want Norton, NOD32, MSSE, whatever you like, for that.
Now, I have to ask… because all my clients are starting to ask… why do they need this when they already have MSSE, Norton, etc? Why doesn’t the AV real-time protection actually protect them in the first place? Well, I can’t answer that one. But it drives me nuts, and it makes it worthless to pay for a subscription to Norton or McAfee (or any other) when all they do is get subverted and taken down, even if it’s the client’s fault. Because of this I will only suggest a free product for now, at least until I start seeing the “for pay” products doing what they were paid to do. And if I see a Rootkit or Trojan that I can’t easily clean off, I’ll recommend HitmanPro for now. If that can quickly remove bugs for my clients every time I use it, I’ll tell them (my clients) to use it and even purchase it as a quick cleaning tool in addition to MSSE.
Microsoft Security Essentials MsMpEng.exe using high CPU Time
by Greg on Feb.01, 2010, under Antivirus, Security, Windows 7
I have Windows 7 Ultimate x64, but I think this might be a problem in any version. I keep having issues with MsMpEng.exe hogging the CPU. Basically, using a large amount of resources, like 100%! It’s eating the CPU time and a lot of memory. The system will work just fine, even after running for hours, when suddenly the system slows to a crawl, almost to the point I have to reset the system. I finally narrowed the culprit to MsMpEng.exe, the scanner for MSSE (Microsoft Security Essentials).
Good news is, I think the cpu hog problem is solved! I found a link on a Google search about adding exclusions, which I suspected would be a problem for things like my backup programs. I added Crashplan and Syncback programs already, but what I found in that Google search was that you need to add the MSSE directories in C:\ProgramData to the exclusion list. WHAT!!??? Are you kidding me? MSSE doesn’t already exclude itself? Come on MS!! I really like MSSE, but that’s pretty stupid.
I went ahead and added these to MSSE exclusions:
C:\ProgramData\Microsoft\Microsoft Antimalware
C:\ProgramData\Microsoft\Microsoft Security Essentials
C:\Program Files\Microsoft Security Essentials
Now, for a couple days, I have had no more issues!!! We’ll see in a week if it really fixes it. That’s an easy fix, but completely annoying! I still like MSSE regardless. It’s not perfect, but I’d rather have it than anything else.
I am curious to know if anyone else found this fix to work?
Note: I do recommend people run a manual scan with MalwareBytes and SuperAntispyware once in a while, along with the real time scanner in MSSE. MSSE didn’t catch a recent trojan at one of my clients, same one was blocking MalwareBytes too. Only SuperAntispyware cleaned the system properly.
EDIT 02/10/2010:
It’s been about a week and a half, still working fine! It appears that this fixed the problem!
Couple useful Windows Explorer shortcuts
by Greg on Jan.21, 2010, under Windows 7, Windows Vista, Windows XP
So I never took the time to look these up, but I just heard about them recently. I always wanted to know how to create a new folder in Windows Explorer without having to use menus, by just using a keyboard shortcut.
In the right side of the Explorer window, where you want the new folder, press your “CTL+SHIFT+N” keys. You’ll get a new folder ready to type in a new name.
Also, you can hit “CTL+N” to get a new window in the same location.
The specified server cannot perform the requested operation
by Greg on Jan.12, 2010, under Networking, Windows 7, Windows Server
I was not able to access a newly joined Windows 7 computer on our domain from our Windows 2000 Server. I just received that error: “Cannot perform the requested operation”. Sharing was set up ok, permissions and security set ok, firewall was turned off. I saw an Event ID 2017 on the Windows 7 system, too. Something about “unable to allocate from the system nonpaged pool”.
I found this online. Add the MaxNonpagedMemoryUsage value below in the client’s registry. (Windows 7 system) Make a restore point first so you can undo if any problems arise.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxNonpagedMemoryUsage
DWORD VALUE: 0xFFFFFFFF
Next, restart the “Server” service on the Windows 7 machine. Then go back to Windows 2000 Server and try to connect to \\window7machine and see if it can access it now.
This worked great for me, hopefully it works for you too. However, it may be wise to increase that value in small increments from the default, which I THINK is 0x100000. I just maxed it out on my client system to test, and it’s working fine. Just thought I’d make note of it. If you have further problems, or this doesn’t fix the issue, remove the value and reboot. This should return it back to the default.
Exchange 2007 Server Powershell tests
by Greg on Jan.04, 2010, under Exchange Server, Networking
Get the test commands available:
get-help test*
Should list out the tests available to you.
Test overall system health:
test-systemhealth
Check Outlook Web services:
test-outlookwebservices -identity:amailblox@organization.com | fl
(note the “fl” at the end, helps reading output, otherwise it will not wrap the lines)
Unable to login to CIFS ZFS share and windows prompting for password
by Greg on Dec.19, 2009, under OpenSolaris
I setup my share right, followed all the instructions, set the /etc/pam.conf entry. Couldn’t get into my share, and my password wouldn’t work.
I found that you can test your PAM mapping like so:
smbutil login -c username
But that gave me:
Keychain entry not found.
Ok, had to do a little searching… found out that you can SET THE STORED PASSWORD FOR SMB! Duh! Why didn’t I think of that in the first place? LOL!
All you need to do is this:
smbutil login username@server
It will ask you for a password and suddenly your login from windows will work! Nice!
Keep in mind, that is assuming your server is setup in workgroup mode, joined to your workgroup not the domain. I think you would just specify “username@netbiosdomain” in that case.
OpenSolaris VNC server configuration
by Greg on Nov.14, 2009, under OpenSolaris
This is one of several, little, quick notes about OSOL config. I have done several installs now, and each time I forget some of the little things. That’s what a Blog is for though, right? There are lots of sites describing this online, so it’s not tough to find. I just wanted to find it easier on my own site.
I am using OSOL 2009.06 in this, might change a bit on other versions.
1. Install the service/pkg if it is not already. I think it is though. I think I just had to enable it on 2009.06.
2. Edit the service. There’s probably an easier way, but this is an example of how I learned one way and stuck to it. And in OSOL, like Linux, there’s probably twenty different ways to do something.
svccfg -s xvnc-inetd
editprop
There are two lines I like to change. 1. is to add the WAIT for persistent connections. 2. Geometry, so I have a larger vnc window. All I do is uncomment and add geometry and replace false with true.
setprop inetd_start/exec = astring: /usr/X11/bin/Xvnc -geometry 1280x800 -inetd -query localhost -once securitytypes=none
setprop inetd/wait = boolean: true
[security]
DisallowTCP=false
AllowRoot=true
AllowRemoteRoot=true
[xdmcp]
Enable=true
@echo off
rem IP of the server
set SVR=1.1.1.1
rem SSH port, update your sshd_config to match
set SSHPORT=222
set SSHUSER=username
rem plink also accepts -i <private key file> in place of -pw, so the password does not have to sit in this script
set SSHPW=passwdnotshownhere
rem this is the port on your system, not the server
set LPORT=5992
set LIP=127.0.0.92
rem this is the port on the server, below should work by default
set RPORT=5900
set RIP=127.0.0.1
rem Path to Uvnc, maybe other vnc clients will work too
rem Just update the cmd below
set VNCPATH=C:\Program Files\UltraVNC
set VNCCMD=%VNCPATH%\vncviewer.exe
rem Have plink/pskill in your path or in the same dir as this script
start plink -ssh -P %SSHPORT% %SVR% -l %SSHUSER% -pw %SSHPW% -C -v -batch -L %LIP%:%LPORT%:%RIP%:%RPORT% -T -N
CHOICE /N /T 7 /D Y > NUL
"%VNCCMD%" %LIP%::%LPORT%
CHOICE /N /T 2 /D Y > NUL
pskill plink.exe
ZFS CIFS Network Password Is Not Correct
by Greg on Oct.25, 2009, under OpenSolaris
Check the /etc/pam.conf has the smb line:
other password required pam_smb_passwd.so.1 nowarn
If not, add that to the end of the file. If you check /var/smb/smbpasswd you should also see a line for your account with a hashed password listed. In my case, I had my username and an ID listed, but no hashed password. I didn’t have the line in pam.conf. After I added it, I had to run the passwd username command on my account, which generated the smb password and inserted it into the smbpasswd file. Then the error about password not being correct went away and I could get in from Windows. (Windows 7 too! With the “NTLMv2 if negotiated” option in policy.)
Extend Windows 7 Activation
by Greg on Oct.22, 2009, under Windows 7
I am testing Windows 7 Pro on my laptop and wanted to decide if I can get by with that instead of Ultimate. Well, my time is running out and I need a couple of days to backup everything before I change it. So… I need to “rearm” the activation system.
Go to the start menu, and in search box type “cmd” and hit CTL-SHIFT-ENTER to open the command prompt with elevated rights. Type this:
slmgr -rearm
You’ll get a popup telling you it was successful and you need to restart a few seconds later.
Help and Support unable to open error about service not running
by Greg on Aug.13, 2009, under Windows Server, Windows XP
Go to C:\windows\pchealth\helpctr\binaries.
helpsvc.exe /regserver /svchost netsvcs /rainstall
Run that.
Now we have Help and Support available again.
OpenSolaris ZFS rpool mirror
by Greg on Aug.08, 2009, under OpenSolaris
Notes to self:
Install your system to a PARTITION, NOT the whole drive. I seem to remember reading somewhere that this was required.
My system had 2 disks. rpool was setup on disk 0. (those are ZERO’s not O’s.)
c8t0d0s0 (disk 0 with rpool) c8t1d0s0 (disk 1 we want to mirror)
After installed and booted into new system… (as root)
format (choose your second disk, should be 1 and in this sys it was c8t1d0)
fdisk (here, choose Y to select the 100% Solaris partition)
exit to save changes
Now do…
prtvtoc /dev/rdsk/c8t0d0s0 | fmthard -s - /dev/rdsk/c8t1d0s0
(notice the “rdsk”, it’s not “dsk”, and it includes the slices. If you installed on a full drive, I don’t think you see the “s0” slices)
zpool attach -f rpool c8t0d0s0 c8t1d0s0
And last setup grub on the second disk…
installgrub -m /boot/grub/stage1 /boot/grub/stage2 /dev/rdsk/c8t1d0s0
All done! Make note that you use “rdsk” on the prtvtoc command. I kept getting “must be raw device” errors because I missed the “r” and had only /dev/dsk in the drive path. Also, on first attempts, I somehow messed up my second drive partitions and labels and it was EFI labeled. Nothing worked when it was EFI, and I couldn’t remove it either. Since I did this initially in a VMware guest, I just deleted the disk and added a new one. But that’s important to note, do not do anything to that drive except run “format” and then use the “fdisk” command on the new drive. It will come up and say something like you need a 100% Solaris partition, just say Y and exit that to save. THEN… you can do the prtvtoc thing to copy the partition table to the new drive.
ZFS CIFS and ACL Inheritance
by Greg on Jul.24, 2009, under Networking, OpenSolaris, Security
This is just another one of those things that didn’t make any sense and only partially does now. At least NOW I know there is more at play here than the simple solutions in Samba using create mask and create directory mask. In Linux, that’s how I would get around the issues of Windows directory permissions running on a Linux SMB share.
Now, I am learning to do things the OpenSolaris way. I am loving OpenSolaris and ZFS! However, coming from a Linux and Windows “way of life”, there are some differences that just aren’t clear. What kills me is, I try the RTFM thing, and somehow completely miss that one little thing that makes it all work. Off topic, but an example, coming from Linux, I would just type “su” and get root access. In OpenSolaris, that won’t work. Neither will “pfexec su”, nor “sudo su”. Then one day, after dealing with it for a week or so, I stumble upon a post where someone in an unrelated sample script typed “pfexec su - root”. There ya go! Argh!
Anyway, back on the ZFS/CIFS/ACL thing. It was driving me nuts that I couldn’t figure it out. I wanted a folder with this setup:
/pool/sharefs – owner:greg – group:domusers
greg and domusers should have full control and all folders under “sharefs” should inherit that.
So under Linux/Samba, that’s where I would do like “create mask = 770” or similar, and “force create group = domusers”. Something like that, can’t remember exactly. It made it simple actually. It always wrote files with the right perms and ownership and other people in that group could read/write just fine.
Problem is, you can’t get very specific about who gets what, where, and you can’t use more than one group. Well, sure enough, there’s a thing called “ACL” that handles that stuff now. It’s been around for a while now, but I never even heard of it until I started using OpenSolaris. I like how it seems to be more compatible with the way Windows handles ACLs. What I don’t like is, it’s confusing. I get the NTFS/Share perms in Windows, been doing that a long time now. The CIFS/ZFS ACL thing kind of makes sense, and it will “click” at some point the more I use it.
After spending hours on this, I reached a point where I had to figure it out. Here’s what I did.
On the ZFS file system, create it normally for SMB access. Then I changed some properties for aclinherit and aclmode. Change those to “passthrough”:
zfs set aclinherit=passthrough pool/sharefs
zfs set aclmode=passthrough pool/sharefs
(zfs set takes property=value pairs directly; the -o form belongs to zfs create, and on 2009.06 zfs set only accepts one property per command)
Then chmod/chown. OH! That’s another thing. You need to use /bin/chmod and /bin/ls! Not just type: chmod … That won’t work. In OpenSolaris the default path points to /usr/gnu/bin/chmod, which doesn’t have the “A” or “V” options to set/view ACLs. That was another thing that DROVE ME CRAZY!!! I read the man pages and manuals and docs online and I didn’t catch anything that said, “Hey, there are different versions of chmod and ls here!” I can’t believe the time wasting here! Back to the point, do this to put your own default perms on:
/bin/chmod 2774 /pool/sharefs
(I actually am not positive that is needed, but I think it set group as inheritable)
/bin/chmod -R A- /pool/sharefs
(that will wipe out the current perms)
/bin/chmod -R A=owner@:full_set:fd:allow /pool/sharefs
(resets perms with only that acl)
/bin/chmod -R A+group@:full_set:fd:allow /pool/sharefs
(that appends the group perms, full control)
/bin/chmod -R A+everyone@:read_set:fd:allow /pool/sharefs
(above appends everyone read access)
In all the above that will preset INHERITABLE permissions for the subdirectories. Notice above there is one with “A=” on it? That will reset the perms and set only that perm. So I guess you may not even need the previous line for “A-” to reset. (I am just learning here ya know!)
It looks as if that makes a little sense now. You can view the current ACLs like so: “/bin/ls -V /pool/sharefs”
In my case, I might want to add another user or group:
/bin/chmod -R A+user:stacy:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:othergroup:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:yetanothergroup:read_set:fd:allow /pool/sharefs
So with this setup I can now open the share on the server and create a file or folder with inherited permissions. It does, however, save my username as a new owner, so keep that in mind. But if the group stays in there with “domusers” as full read/write access, I am happy.
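Since new files and folders pick up whatever is inherited from the share root, it is worth being able to re-check that root against the intended layout (owner@ and group@ full_set, everyone@ read_set, all with fd inheritance) rather than eyeballing /bin/ls -V output. The following Python is an added example, not code from the post: it parses the compact ACE lines that /bin/ls -V prints on a ZFS directory (the sample output is constructed, modelled on the layout above) and reports anything that has drifted, including the case that matters most, everyone@ having picked up write bits. The named-set letter mappings follow the compact form documented for Solaris; the policy dictionary and the findings wording are my own.

```python
import re

# Compact permission letters in the order /bin/ls -V prints them on ZFS:
# read_data, write_data, execute, append_data, delete, delete_child,
# read_attributes, write_attributes, read_xattr, write_xattr, read_acl,
# write_acl, write_owner, synchronize.
COMPACT_BITS = "rwxpdDaARWcCos"
NAMED_SETS = {
    "full_set": set(COMPACT_BITS),
    "read_set": set("raRc"),  # read_data, read_attributes, read_xattr, read_acl
}
# Any of these lets the principal change content, metadata, ownership or the ACL itself.
WRITE_BITS = set("wpdDAWCo")

# The layout the post sets on /pool/sharefs.
SHARE_POLICY = {"owner@": "full_set", "group@": "full_set", "everyone@": "read_set"}

# One ACE per line in compact form: who:perms:inheritance-flags:allow|deny
ACE_RE = re.compile(
    r"^\s*(?P<who>owner@|group@|everyone@|(?:user|group):[^:\s]+)"
    r":(?P<perms>[rwxpdDaARWcCos-]{14}):(?P<flags>[fdinSFI-]{7}):(?P<kind>allow|deny)\s*$")

# Constructed /bin/ls -V output for a share root that matches the policy.
CLEAN_LS_V = """\
drwxrwsr--+  2 greg   domusers       2 Jul 24 10:00 /pool/sharefs
            owner@:rwxpdDaARWcCos:fd-----:allow
            group@:rwxpdDaARWcCos:fd-----:allow
         everyone@:r-----a-R-c---:fd-----:allow
"""

# Constructed output after someone added a user and widened everyone@ to full control.
DRIFTED_LS_V = """\
drwxrwxrwx+  2 greg   domusers       3 Jul 24 11:00 /pool/sharefs
            owner@:rwxpdDaARWcCos:fd-----:allow
            group@:rwxpdDaARWcCos:fd-----:allow
        user:stacy:rwxpdDaARWcCos:-------:allow
         everyone@:rwxpdDaARWcCos:fd-----:allow
"""


def compact(perms):
    """Render a permission set back in ls -V letter order."""
    return "".join(b for b in COMPACT_BITS if b in perms)


def parse_ls_v(text):
    """Turn /bin/ls -V output into a list of ACE dicts; the ls -l line is skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append({
                "who": m.group("who"),
                "perms": set(m.group("perms")) - {"-"},
                "flags": set(m.group("flags")) - {"-"},
                "kind": m.group("kind"),
            })
    return aces


def audit_share_acl(aces, expected):
    """Compare the ACEs on a share root with `expected` ({who: named_set}).
    Returns a list of findings; an empty list means the ACL matches the policy."""
    findings = []
    seen = set()
    for ace in aces:
        who, perms = ace["who"], ace["perms"]
        if ace["kind"] != "allow":
            findings.append("%s: deny ACE present, not part of the expected layout" % who)
            continue
        if who not in expected:
            findings.append("%s: unexpected principal with %s" % (who, compact(perms)))
            continue
        seen.add(who)
        if perms != NAMED_SETS[expected[who]]:
            findings.append("%s: has %s, expected %s" % (who, compact(perms), expected[who]))
        if not {"f", "d"} <= ace["flags"]:
            findings.append("%s: not inherited by both files and directories (fd)" % who)
        if who == "everyone@" and perms & WRITE_BITS:
            findings.append("everyone@: grants write access to all users")
    for who in expected:
        if who not in seen:
            findings.append("%s: no allow ACE found" % who)
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_LS_V), ("drifted", DRIFTED_LS_V)):
        print(label, audit_share_acl(parse_ls_v(sample), SHARE_POLICY) or ["OK"])
```

On the server itself the input would be the output of "/bin/ls -V /pool/sharefs" (the Solaris ls, not the GNU one on the default path, as the post points out); run it after the chmod sequence above and again whenever a share "mysteriously" becomes writable by everyone.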
Well, now I get it just a little and it makes more sense compared to Windows ACLs. I didn’t go over any share specifics and authentication issues, this was just ACLs! I still have to RTFM my way around that for a while. Next project, join OpenSolaris to a Windows domain. (Which, BTW, does not work in NT Domain style connections, you have to use Active Directory.)