
PC Repair

Rootkit from fes.sk/files

by Greg on Feb.09, 2010, under Antivirus, Internet, Networking, PC Repair, Security, Windows XP

I had a client recently that had their browsers hijacked. Everything they typed in the browser ended up redirecting them to some test_s.php file at “www.fes.sk”.  (Don’t open that, or you might end up with a virus!  I just wanted people to find this in case it might help clean this bug off!)

Not sure what this virus was, but it disabled Microsoft Security Essentials and blocked even MalwareBytes and SuperAntispyware from detecting it. I couldn’t find it and I was almost to the point of just reloading the computer, because in this case it would have been faster to just copy the docs off and reload Windows XP.

I thought, let’s search that URL?  This was key, because it brought up some forum posts and someone mentioned HitMan PRO.  www.surfright.nl/en/hitmanpro

Never heard of this program, but thought since it had a 30 day trial I’d give it a quick shot. I was very impressed, it scanned in literally a few minutes. (like 2 or 3!) It found a “Rootkit”, nothing more than that though, in a file called “ipsec.sys” in the system32/drivers directory. Then it said, “Reboot to clean.”

My client was very pleased to see it reboot, do another very quick scan, and he was able to browse the web again.

Hitman Pro was free for 30 days, but you had to activate it. I believe it has a subscription price of just under $30/year for 3 PCs. (as of 02/09/2010) That’s not too bad I think. Keep in mind though, this looks like a “remover”, not a real-time antivirus protection program. You’ll still want Norton, NOD32, MSSE, whatever you like, for that.

Now, I have to ask… because all my clients are starting to ask… why do they need this when they already have MSSE, Norton, etc? Why doesn’t the AV real-time protection actually protect them in the first place? Well, I can’t answer that one. But it drives me nuts, and it makes it worthless to pay for a subscription to Norton or McAfee (or any other) when all they do is get subverted and taken down, even if it’s the client’s fault. Because of this I will only suggest a free product for now, at least until I start seeing the “for pay” products doing what they were paid to do. And if I see a Rootkit or Trojan that I can’t easily clean off, I’ll recommend HitmanPro for now. If that can quickly remove bugs for my clients every time I use it, I’ll tell them (my clients) to use it and even purchase it as a quick cleaning tool in addition to MSSE.


DFS links to shares on Windows XP SP2 do not work on local system

by Greg on Apr.18, 2008, under Networking, PC Repair, Windows Server, Windows XP

Well for the larger businesses out there, this may not be a useful tip. But for those of us that support small networks, like less than 50 or even 10 systems, utilizing shares on workstations is sometimes needed. For example, I have servers in most all of my networks, and their hard drives are fairly large, but I don’t want to save all my downloads and application CDs on the server. With newer workstations loaded with larger drives than servers sometimes, I’d rather make use of that space there. Not with the main, business critical data, but only things that are not needed for backups or maybe read only archives. These 500+ GB drives give us a ton of space, and when you only have less than 10 people accessing this data periodically, this makes perfect sense. Constant read/write access with lots of users would require the server, rarely accessed stuff goes on a workstation.

Here’s the problem I ran into though. I like to use DFS and create a single shared, mapped drive for all the users. In there I might have a couple shares pointing to workstations. On XP SP2, this works fine, EXCEPT if you are accessing the DFS link from the system where the share resides. You will get an Access Denied error, even with all the correct permissions.

Here’s a registry fix that will overcome the issue.
(Remember, use the registry at your own risk. Back it up if you must. Heck, backup your whole system!)

Open this key on the XP system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup\Parameters

Add a DWORD value:

EnableDfsLoopbackTargets

Change its value to 1.

Reboot the system.

Your share should now be working from DFS mapped drive from the local system. (the local system where the share is located.)


Fixing Grub and IPCop boot on Linux after cloning a hard drive

by Greg on Oct.22, 2007, under Linux, PC Repair, Security

First thing, when you clone your Linux hard drive with Ghost or Drive Image (or any other imaging software) you might not be able to load Grub. Usually just running some Grub commands off a Linux System Rescue CD will fix it. I think most any bootable Linux Live CD will work. You would run these commands:

After boot, run “grub”. (the following lines are from the “grub>” prompt.)

……………………

find /boot/grub/stage1

    (hd0,0)

root (hd0,0)

setup (hd0)

quit

……………………

You would replace “root (hd0,0)” with whatever is output from the find command above. The above assumes you have /boot on the same root partition.

On IPCop, boot is on a separate partition. So you need to be a little fancier. The key is to tell it what device to use. In the example below, we will assume we know what drive the boot record is on. (hd0,0). Also note that, because IPCop has boot on a separate partition, running the find command would be like so:

find /grub/stage1

Ok, so using the device command, and since we know our root is on hd0 …
(all on the grub prompt)

……………………

device (hd0) /dev/hda

root (hd0,0)

setup (hd0)

quit

……………………


Now grub should load ok. This would apply to most images/clones made, I think. But, now, what if your distro uses symlinks to represent your hard drives? I ask, because this stopped me from running IPCop off an image. Took me a while to realize two things.

  1. IpCop uses symlinks for /dev/harddisk instead of /dev/hda. (Can someone tell me why they do that? Why change that? Every other Linux distro I have used uses /dev/hda1 for the first partition on IDE drive.)
  2. When I cloned the system, the grub.conf (also known as menu.lst on other systems) listed the root filesystem as /dev/hda4, and yet, there was no hda4 in dev directory. It didn’t even exist on the old drive, so I have no idea how IpCop was booting!

Solution to #2 above was again to boot to a Linux Live CD, mount the boot partition on hda1, edit grub.conf and change all the /dev/hda4 entries to /dev/hda3, where the root filesystem actually resided.

On number #1 above, I don’t think fixing it actually caused the system to boot, but I did it anyway. While booted to the Live CD, I edited the /etc/fstab file on the hard drive and changed all the entries for /dev/harddisk1 through 3, to point to /dev/hda1 through 3. There is probably a reason for them doing this, but ya got me why. ?? Changing this might bite me in the butt some day, but for now, it boots beautifully!
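The two edits above (fix #2, the root device in grub.conf, and fix #1, the /dev/harddisk entries in fstab) as a small script, added here as an example and not part of the original post. It assumes the IPCop 1.4.x layout described above, with the boot and root partitions mounted from the Live CD at the paths you pass in; the sample files it builds for the dry run are constructed, not taken from a real install.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the IPCop 1.4.x layout
# described above: grub.conf on the boot partition (hda1), /etc/fstab on the
# root partition (hda3), both mounted from a Live CD at the paths passed in.

# Replace one whole device name (e.g. /dev/hda4 -> /dev/hda3) in grub.conf,
# without touching longer names that merely start with it; keeps a .bak copy.
fix_grub_conf() {
    conf=$1 old=$2 new=$3
    cp "$conf" "$conf.bak"
    sed -i -e "s#${old}\([^0-9]\)#${new}\1#g" -e "s#${old}\$#${new}#" "$conf"
}

# IPCop names IDE partitions /dev/harddiskN; map each one to /dev/hdaN.
fix_fstab() {
    fstab=$1
    cp "$fstab" "$fstab.bak"
    sed -i 's#/dev/harddisk\([0-9][0-9]*\)#/dev/hda\1#g' "$fstab"
}

# Number of lines in file $1 still naming device $2 (0 once the edit took).
count_refs() { grep -c -- "$2" "$1" || true; }

# Sanity check before the real run: the device you point root at must exist
# as a block device on the Live CD, otherwise the clone will still not boot.
root_device_ok() { [ -b "$1" ]; }

# Dry run on constructed copies of the two files (sample content, not taken
# from a real install). For the real thing pass /mnt/boot/grub/grub.conf and
# /mnt/root/etc/fstab instead and check root_device_ok /dev/hda3 first.
demo() {
    d=$(mktemp -d)
    printf 'title IPCop\n\troot (hd0,0)\n\tkernel /vmlinuz root=/dev/hda4 ro\n' > "$d/grub.conf"
    printf '/dev/harddisk1 /boot ext3 defaults 0 2\n/dev/harddisk3 / ext3 defaults 1 1\n' > "$d/fstab"
    fix_grub_conf "$d/grub.conf" /dev/hda4 /dev/hda3
    fix_fstab "$d/fstab"
    echo "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the edited sample files in the temp directory it prints; the .bak copies are what you fall back to if the clone still refuses to boot.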

Oh, and one might ask, why make a drive image of IPCop when they provide a backup and restore feature using floppy? Well, here’s why: 1. I have a ton of add-on programs installed, and they don’t backup. 2. I like an image better than a floppy!

IpCop is an awesome system, and I’ve had zero problems with it over many years now. But, it doesn’t do enough by itself. I mostly like the BlockOutTraffic addon you can install, giving you detailed control over all communication. I also modify the SSH setup to work the way I like it, using certificate auth and custom ports for several users tunneling into our networks. (works way better than VPN!) On some networks, I have to use PopTOP, the PPTP addon for Ipcop VPN. (not by my choice, it’s a requirement by an application we use.) All these might not backup to a floppy, and it’s so fast to make a Ghost image of the drive. You just have to spend a few extra minutes during restore.

Note: I was using IPCop 1.4.16 during all this.

EDIT 10/22 (later that evening…)

For IPCop, YOU MUST boot to an existing drive on /dev/hda that contains a working copy of IPCop and have your newly cloned drive operational as /dev/hdc. When you run grub, and then all the device, root and setup commands, you need to do it like so.

……………………

device (hd0) /dev/hdc

root (hd0,0)

setup (hd0)

quit

……………………

Notice the /dev/hdc above? Don’t ask me why, but when you try to run this from a Live CD, it won’t work. I really would like to know though, because the fact that it doesn’t work drives me nuts. There must be a simple explanation, and I know it’s just my ignorance of the grub boot loader, but this shouldn’t be needed. (and yet it is!) I just don’t have time to figure it out, when I can simply boot an IPCop as hda and run this quickly. Sometimes it is easier to not ask why, and move on. So make a note of this, YOU MUST boot to an IPCop OS with your new drive installed, then run the grub setup. Stupid, but at least it works.


Restoring a Drive Image XML to a server running host based RAID

by Greg on Sep.01, 2007, under PC Repair, Windows Server, Windows XP

Some RAID controllers are not what I call *true RAID* drive controllers. They may have a hardware controller, but they run kind of a fake RAID on the host OS. It’s not really software RAID, but the RAID is dependent on the OS.

This, as you might guess, causes some problems when we want to do some fun stuff on the system drive while we are not actually booted into the OS. Like when we want to restore an image of the C: drive! That’s ok though, we’ve got a work-around.

BIG NOTICE, DISCLAIMER, OR WHATEVER….

This is based on a RAID1 mirror.
My RAID controller allowed me to build the array based on one of my drives, yours may not.
Do this at your own risk.
Make sure you have a backup. (DUH!)
If you lose your data, it’s your fault.
Your mileage may vary.

Assuming you have made your image successfully already, here’s what we do. The trick is that you must turn off the RAID functions and break the array first. So that your drives look like they are single drives in the system. Delete the partitions you will be reimaging over. On my server, it was just an onboard BIOS setting.

Boot the system into a PE boot disc. You can get a free one called: Ultimate Boot CD for Windows. It’s a doctored up PE Disc, but you’ll need to “build” it. They have great instructions for that on their site. (just Google it) Anyway, you boot into this, and right when the CD starts to boot, you see the “Press F6” option, like you see when you do a new Windows install. Insert your floppy disc and load the drivers when it asks. Then it will boot to a custom version of XP.

The PE disc should load and see your C: drive. Make sure you open Drive Manager and create your C: drive again. Only DON’T FORMAT it or make a drive letter. Now open Drive Image XML and load the image you made, and recover it to that C: drive.

Reboot when complete and before Windows loads, open the BIOS or RAID controller and turn on the RAID again. On my controller, I was able to recreate the Mirror by building off the first drive. Let that process complete and reboot. Your system should boot right to that image.

The keys to making this work were:
Make the drive appear as a single drive again, turn off RAID in the BIOS or Controller.
Drive Image XML always crashed on me, even if I loaded the drivers at the F6 prompt. It couldn’t deal with that Host based RAID. (but it appeared fine!)
After image is restored, turn on RAID1 again and build your array based on the newly imaged disk BEFORE you boot back to that drive in Windows.


CD or DVD drives in Windows XP give error code 39

by Greg on Feb.07, 2007, under PC Repair, Registry, Windows XP

All the logical fixes didn’t work. Reinstall, removed ide drivers, reinstalled again, no worky.

I was getting an Error code 39 (and 37 on another machine), and the DVD/CD drives would not show up in Windows.

“Windows cannot initialize the device driver for this hardware. (Code 37)”

The problem seems to be caused by CD Burner software that is not loading or installed properly. It’s odd because I’ve found this on several machines lately. It occurred to me that there are a lot of programs now that can burn CD or DVD. iTunes, or other music programs for one, they are very common now. But there’s other things, like some accounting software that can backup to CD. You have to watch for any of them that might install their own burning capability.

The solution was to remove the upperfilters and lowerfilters in the registry key below:

Find "UpperFilters" and "LowerFilters" values in this key and delete them:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

After that, I uninstalled the device in Device Manager, and scanned for new hardware.  The drive came right back up!

More details on this page:

http://support.microsoft.com/default.aspx/kb/314060


How to Setup a USB drive to boot

by Greg on Dec.16, 2006, under PC Repair

There’s lots of reasons to boot to a USB drive, but mainly I am interested in booting to a Pen/Key/Jump drive for utility purposes. Like making drive images, partition resizing, or other system maintenance.

One of the main problems I am running into these days, as a service technician, is I can’t see the drives or CD drives on the newer systems running SATA RAID controllers. Nor do I have floppies. Heck, I tried booting to a CD with my utilities, and it wouldn’t load the ASPI drivers for the CDRom or allow me to use a keyboard! Makes it difficult to do any system level work.

I had to do it. I had to figure out how to maintain these systems. Had to make a bootable USB drive.

Here’s how you make it. Easy…

1. Boot to a floppy or CD (on a different system possibly) where you can run PQMagic and DOS tools.

2. Make sure you see the key drive. Must be FAT.

3. Run: sys c: (or whatever the key drive is)

4. cd to the key drive, run: fdisk /mbr

5. run PQMagic, and set that FAT partition as Active. (I was not able to do that with FDisk, but if you removed the hard drives, so it looked like it was the primary drive, then that should work. Fdisk will only work if the drive is the primary drive.)

6. Don’t forget to set your boot priority on the BIOS. On one system, it just recognized it as a hard drive and I set that drive as first, on another it had to be set to boot to USB specifically.

Now you’ve got a bootable USB key drive. Just like setting up a DOS/Win98 drive anyway. After all that, I setup all my autoexec.bat info and menus to setup ramdrives and quickly boot into diag tools or imaging software.

This is really handy now! These new computers are setup so differently than the old style. After doing this, I had usb keyboard and mouse, and access to usb drives from my imaging software.

Next, I’d like to setup a Linux bootable pen drive with some of the great utilities available on Linux.


Worthless IT Certs?

by Greg on Jan.20, 2006, under Business, Networking, PC Repair, Windows Server

A few minutes ago I ran into a blog by someone that said something that needed to be said. IT Certs are not really worth getting. I just wanted to save my comments on my own blog to reiterate and edit later.

Here are my comments on his blog:

Having spent a few years as an IT Manager for a small company, I can say that I never looked at Certs in my stack of resumes. (Except maybe, A+, maybe) In fact, I put very little importance on College education. I wanted to see a couple years providing real, and creative solutions. This gave me a good ground work to start the interview process, and then determine if the personality would work.
I have seen a couple educated people, looking to get certs, not even be able to replace a hard drive. Or even tell me why certain DNS issues were causing problems. In my IT world, these people will never do. Learn how to do pc repair, then networking (the non-microsoft way too, ie. Linux) and you’ll be 100% better off.
In my experience getting jobs (and now clients), having the NT cert from back in 98, not a SINGLE person has ever asked me about it! I was always hired because of a referral, and my experience spoke for itself.
Besides, I feel that Certs really say, “I know the book smarts that this vendor wants me to know, not necessarily what the real world needs.” I would even say that, having the NT cert, only half of it was useful information.

