How to remove the Win64/Sirefef.AE trojan & the c:\windows\system32\services.exe Win64/Patched.B.Gen trojan
I’m kind of the default “go to” guy for all PC issues with friends and family. One of the most common problems people bring to me is malware. Going forward, I’m going to document the removal process for some of the more difficult ones I encounter.
The most difficult trojan I’ve encountered thus far is Sirefef.AE (the ZeroAccess rootkit family). It infects the PC by replacing c:\windows\system32\services.exe, which is pretty ingenious: Windows requires services.exe to boot and it is always in use, so antivirus products and cleanup tools running inside Windows cannot replace it. That is why the steps below end up in a recovery environment, where the infected installation is not running and the file is not locked.
I just spent a few days battling this one and successfully cleaned it off the system.
To remove it:
- Run the ESET Online Scanner (http://www.eset.com/us/online-scanner/). Have it scan archives and let it remove whatever it finds. Side note: if you use Norton or McAfee for antivirus protection, now’s a good time to dump them for an antivirus that actually works and doesn’t hog resources: http://go.eset.com/r/7NQZN
- Run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) in Safe Mode. It will find and remove some of the components the trojan has already downloaded. The bleepingcomputer page explains how to use it, but for the most part it’s automated.
- Download and install Malwarebytes (http://majorgeeks.com/download.php?det=5756). The free version will suffice. Run a full system scan and remove whatever it finds.
- You will need a Windows 7 Recovery Disc for the next step. Make one on a non-infected computer if you don’t have one already.
- Download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive. Use the 64-bit build because this is a Win64 infection; FRST has to match the architecture of the Windows installation.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS splash screen goes away, begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
Command Prompt is the one you want: it runs outside the infected Windows installation, so services.exe is not in use there, and it is where FRST64 on the flash drive gets run from. When the cleanup is finished and the machine boots normally, run sfc /scannow from an elevated command prompt. It checks every protected system file against Microsoft’s signed catalogs, and a report that it found files it could not repair means you are not done yet.
Uninstalling Trend Micro Client/Server Security without a Password
Lost or forgot your Trend Micro Client/Server Security password? Or inherited a computer where the software was installed by an IT team or consultant who won’t give up the password? I had to work on a network with the latter, and it’s rather annoying. The product is utter crap, as the machine is spyware infested even though the antivirus is running and present. I went to uninstall it but couldn’t, because the previous person/company password-protected it and nobody has the password.
Here’s how to bypass the protection:
- Load up Regedit and browse to:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- Change the Allow Uninstall value to 1. (On 64-bit Windows, if the key is not there, look for the same path under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node, where Windows redirects the settings of 32-bit programs.)
Now you can uninstall Trend Micro’s crappy product and replace it with a real solution like ESET.
Worth noting what this shows: the uninstall password is enforced by the agent itself from a registry value, so anyone with local administrator rights can switch it off in seconds. Treat it as a speed bump for casual users, not as a control that stops an administrator (or malware running as one) from removing the agent.
TrustedInstaller.EXE CPU Usage
Solution 1: Clear Problem History
The following fix is intended for situations where trustedinstaller.exe causes problems due to the Problem Reports and Solutions history maintained in Windows Vista.
- Go to Start and then select Control Panel.
- Turn on Classic View.
- Select Problem Reports and Solutions.
- Click Clear Solution and Problem History in the left panel.
- Confirm your decision.
- Exit the Problem Reports and Solutions window and Control Panel.
You can also click Change in the Problem Reports and Solutions window and switch the setting from “Check for solutions automatically” to “Ask me to check if a problem occurs”.
Solution 2: Change Windows Update Startup Settings to Manual
- Go to Start and then select Control Panel.
- Select Administrative Tools and then select Services.
- Scroll down to Windows Update (the service that Microsoft Update runs through), right-click on it and then select Stop.
- Right-click on Windows Update again and select Properties.
- On the General tab, set Startup type to Manual.
- Next, display the Recovery tab.
- Choose Take No Action for First Failure and click OK.
- Exit the Properties dialog box.
- Bring up Task Manager by pressing Ctrl + Alt + Del or Ctrl + Shift + Esc.
- On the Processes tab, look for and select trustedinstaller.exe.
- Click End Process to kill trustedinstaller.exe. Only do this when no update is partway through installing: TrustedInstaller is the process that writes Windows component updates, and killing it mid-install can leave the component store in a state that needs repair.
Solution 3: Disable Automatic Update
- Go to Start and then select Control Panel.
- Go to System and Maintenance.
- Click Turn automatic update on or off option.
- Next, depending on your preference choose one of the following options:
- Never check for updates (not recommended)
- Check for updates but let me choose whether to download and install them
- Download updates but let me choose whether to install them
- Click OK to save your changes and exit the dialog box.
Solution 4: Stop the Windows Modules Installer That Runs Trustedinstaller.exe
- Click on Start, type msconfig in the Start Search box and then press Enter.
- Click Continue when the User Account Control prompt is displayed.
- In the System Configuration window that is displayed, open the Services tab.
- Locate and clear the Windows Modules Installer check box.
- Click OK to save your changes and exit the dialog box.
- Next, open the Services window again and change the Startup type of Windows Modules Installer to Manual.
Solutions 2 through 4 all work by stopping Windows from servicing itself, so use them to get a runaway machine back under control and then put Windows Update and Windows Modules Installer back to their original settings. A PC that never installs updates is a much bigger problem than a busy CPU.
Rockstar Collection
Here are some photographs I took of various Rockstars at the Uproar Festival 2012 that I’m particularly proud of.
I’ve moved these to my photography blog as I had to disable my Flickr plugin due to extremely poor performance. You can view all of the photos at http://gregv.photography/portfolio/rockstar-collection/
- Shinedown
- Godsmack
- In This Moment
- Adelita’s Way
- Staind
- Fozzy
mtouch exited with code 98
In an attempt to leverage my existing .NET skills, I started learning MonoTouch and MonoDroid. I tried following the simple HelloWorld tutorial in the documentation section of the MonoTouch site and kept getting a cryptic error on every build:
mtouch exited with code 98
This is a really good example of bad user experience. The error is extremely cryptic and tells the user nothing. I tried searching for documentation on error codes to no avail. Finally I stumbled upon the build output tab (which is hidden by default, unlike Visual Studio) to find a bit more useful information:
License file is missing. Please activate MonoTouch.
Looks like the IT team didn’t activate the license properly on the Mac they provided me but having this error description shown in the error list would have saved me 3 hours of hunting.
Dorco/DollarShaveClub vs Gillette Razor Review
TL;DR Version
- DollarShaveClub is a ripoff and a waste of time. Buy the blades from DorcoUSA.com direct: you get more blades for your money and you get them a lot faster.
- The Dorco requires more passes per shave even though it has more blades. It also sucks on the neck area and caused an ingrown hair.
- Even though the Dorco is a fraction of the cost, I prefer the Gillette as it provides a better, closer shave and lasts longer.
The Long Version
DollarShaveClub Review
After watching the hilarious viral video, I recently took advantage of DollarShaveClub through a deals site to give them a try. I’m wary of services that make me lazier but the prospect of saving money on expensive razors was too good to pass up. The premise of the service is you don’t need to remember buying your own razor blades and they’ll be cheaper than the Gillettes you’d buy at the store.
After signing up for the DollarShaveClub service, about two weeks later, I received a razor handle in the mail in a tiny cardboard envelope. Yes, that’s right, just a razor handle and no blades. While I’m all for giving businesses a second chance, there’s nothing convenient about having to remind the company that’s supposed to take the burden of remembering your blades to send you the blades, especially when you’re out of razor blades and they take two weeks to send them. I did send an e-mail to their customer service to alert them that the blades were missing and it took three days for them to respond. I don’t know their volume but that’s a long time for a response in internet time.
After inspecting the new “Executive” blades, I did some searching and found out that the blades were simply Dorco blades that they were reselling at a marked up premium. Dorco sells the cartridges in a 4 pack of blades. For some odd reason, DollarShaveClub removes one from the pack and sends you the pack with three and an empty slot.
Since my whole premise was saving money, I decided to explore Dorco directly. For the same price as two months worth of DollarShaveClub, which would equal 6 cartridges, I was able to buy 16 replacement cartridges. Additionally, I received the replacements in three days.
Dorco Pace6 vs Gillette Fusion ProGlide
I tried the Dorco Pace6 razor for two weeks. The verdict? It’s a decent razor. The handle is well designed and solid. My only complaint about the handle is that the base is really bulbous which makes it impossible to fit into my holder. The blades themselves only do a decent job overall. In comparing the Gillette vs. the Dorco, the Dorco requires more passes to do the shave even though it has an extra blade on it. They also absolutely suck shaving on my neck and have actually caused an ingrown hair. The Pace6 also does not provide as close a shave as the ProGlide so I have to shave more often. The Pace6 blade’s sharpness also doesn’t last as long as the ProGlide.
I’ve never had a cut, nick, or ingrown hair before with my ProGlide. After the negative experience, I’m sticking with the ProGlide even though it’s more money.
Drobo Dashboard Can’t Connect to Drobo when ESET Firewall is Active
Have a Drobo storage unit? If you have ESET Smart Security Firewall enabled, you’ll probably find Drobo Dashboard can’t connect while the firewall is on even after adding all the required ports and services to ESET’s rules from the Drobo online help site (http://goo.gl/iVKVU).
After enabling the detailed logging in ESET, I found that ESET’s firewall was flagging Drobo Dashboard as an intrusion attempt and blocked it. From the Drobo help page (http://goo.gl/iVKVU):
Drobo Dashboard connects to port 5000 and then randomly picks a port in the range for broadcasting.
This is definitely not the most intelligent way to build a product for users who are trying to secure their home or business network, and it’s no wonder ESET flagged the behavior as suspicious. Luckily there’s a fix to keep ESET from blocking the Drobo connection:
- Make sure you add the rules as per Drobo’s site (http://goo.gl/iVKVU).
- Open the main program window by clicking ‘Start’ -> ‘All Programs’ -> ‘ESET’ -> ‘ESET Smart Security’.
- Click on ‘Setup’ on the left, and then click ‘Enter Advanced setup’ on the right to open the Advanced Setup tree.
- From the Advanced Setup tree on the left, Expand ‘Network’, and Click on ‘Personal Firewall’, and then select ‘Interactive mode’ from the Filtering mode drop-down menu on the right.
- From the advanced setup tree, click ‘Personal Firewall’ -> ‘Rules and zones’. Click the ‘Setup…’ button in the Trusted zone section and then choose ‘Allow sharing’. Click ‘OK’.
- Click ‘Personal Firewall’ -> ‘IDS and advanced options’. In the ‘Allowed services’ section, make sure all services are selected. Click ‘OK’.
Drobo Dashboard should now be able to connect to the unit with no issues.
Two of those steps widen what the firewall permits, so keep them scoped. ‘Allow sharing’ and the full list of allowed IDS services apply to the whole Trusted zone, so check under ‘Rules and zones’ that the Trusted zone is only your own LAN and not a network you don’t control. Interactive mode also asks you about every new connection until you answer it, so expect a few prompts the first time Drobo Dashboard runs.
Reading JSON through JQuery from Cross Domain ASP.NET Web Service
Recently I had an issue with JQuery and accessing JSON from a cross domain ASP.NET Web Service. After much googling, I stumbled upon many articles that provided no fix that would solve the issue.
Every sample I found was some derivative of the following code:
$.ajax({
    type: 'POST',
    dataType: 'jsonp',
    contentType: "application/json; charset=utf-8",
    url: 'http://www.domain.com/webservice.asmx/function',
    data: '{}',
    success: function (response) {}
});
Nearly every post pointed out that the contentType argument was the issue, but it still didn’t work when I included it. Other posts said you can’t use GET and have to use POST. There may be valid reasons to prefer POST for a call that changes state, but that’s another topic; for an open web service that just hands out raw data to be consumed, a GET should suffice just fine. It is also the only option with JSONP, since a JSONP request is made by adding a <script> tag and browsers fetch scripts with GET.
To support GET, you need to add the following attribute tags to your asmx.cs:
[WebMethod(), ScriptMethod(UseHttpGet = true, ResponseFormat = ResponseFormat.Json)]
This will cause ASP.NET to serialize the returned data to JSON automatically, without you doing it manually in code. There are no issues when making the call locally either. The second you go cross domain, the call fails, because the browser’s same-origin policy blocks the XMLHttpRequest response from a different origin.
A few articles mention JSONP (JSON with Padding), the usual workaround for the same-origin policy before CORS: instead of an XMLHttpRequest, the page adds a <script> tag whose src is the service URL, and the service returns the JSON wrapped in a call to a function name the page chose (jsonCallback below). Because the browser executes whatever comes back, only do this against a service you trust, and the service must accept nothing but a plain function name as the callback; otherwise the callback parameter is attacker-controlled text echoed into an executable response, which is the classic JSONP injection bug. Once I implemented JSONP, the entire function became:
function getJSON() {
    var url = 'http://www.domain.com/webservice.asmx/function';
    $.ajax({
        type: 'GET',                    // JSONP is always a GET: jQuery loads the URL with a <script> tag
        url: url,
        dataType: 'jsonp',
        jsonpCallback: 'jsonCallback',  // fixed callback name the service wraps the JSON in
        success: function (json) {
            alert(JSON.stringify(json));    // json is already parsed; alert(json) would just show [object Object]
        },
        error: function (jqXHR, textStatus, errorThrown) {
            alert(textStatus + ': ' + errorThrown);  // e.toString() on the jqXHR object only shows [object Object]
        }
    });
}
The original version also passed async: false and a contentType; both are dropped here because jQuery does not support synchronous JSONP (a script tag always loads asynchronously) and a GET with no body has no content type to declare.
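The security-relevant half of JSONP is the service, not the jQuery call, so here is an added example (my own code, not from the original post, from jQuery or from ASP.NET) of a JSONP response builder in Node.js, shown naive and hardened side by side, with a small stand-in for the browser that executes the response the way a <script> tag would. The URL, the callback parameter name, the sample payload, the “exfil” function and the attacker’s callback string are all constructed for the example.

```javascript
// Added example, not code from the original post or from ASP.NET. Plain Node.js
// functions (no web server) showing why the callback name in a JSONP request has to
// be validated on the service side. Sample data, URLs and names are constructed.

// 1. What dataType:'jsonp' does underneath: jQuery appends the callback name to the
//    query string and loads the URL with a <script> tag, which is why it is GET only.
function jsonpUrl(base, params, callbackName) {
  const q = new URLSearchParams(params);
  q.set('callback', callbackName); // 'callback' is jQuery's default parameter name
  return `${base}?${q.toString()}`;
}

// 2. Service side, the naive form: echo the callback parameter straight into the script.
function buildJsonpUnsafe(callbackName, payload) {
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// 3. Service side, hardened. Only a (dotted) identifier is accepted as the callback,
//    the JSON is made safe to embed in a script, and the headers stop the response
//    from being reinterpreted as something else.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/; // jQuery's auto names (jQuery1720..._123) pass

function buildJsonpSafe(callbackName, payload) {
  if (typeof callbackName !== 'string' || callbackName.length > 64 || !CALLBACK_RE.test(callbackName)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
      body: 'invalid callback',
    };
  }
  // JSON.stringify output is valid JavaScript except for U+2028/U+2029, which older
  // engines treat as line terminators inside a string literal; escape them.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // Leading /**/ is a common hardening: the first bytes of the response are then
    // fixed by the service instead of chosen by whoever supplied the callback name.
    body: `/**/${callbackName}(${json});`,
  };
}

// 4. Stand-in for the browser: run the response body as script with the page's
//    globals in scope, the way a <script> tag would. Records what the callback got
//    and what 'exfil' (a constructed stand-in for anything an attacker could reach
//    in the page, such as a function that sends data elsewhere) was called with.
function simulateClient(body) {
  const result = { received: undefined, leaked: [] };
  const scope = {
    jsonCallback: (data) => { result.received = data; },
    exfil: (value) => { result.leaked.push(value); },
  };
  const names = Object.keys(scope);
  new Function(...names, body)(...names.map((n) => scope[n]));
  return result;
}

// Demonstration with constructed data.
const samplePayload = { user: 'greg', balance: 42 };
const attackerCallback = 'jsonCallback(0);exfil("cookie")//';

function demo() {
  return {
    url: jsonpUrl('http://www.domain.com/webservice.asmx/function', { id: '5 & 6' }, 'jsonCallback'),
    unsafe: simulateClient(buildJsonpUnsafe(attackerCallback, samplePayload)), // attacker's code ran in the page
    rejected: buildJsonpSafe(attackerCallback, samplePayload).status,          // 400, no script built at all
    safe: simulateClient(buildJsonpSafe('jsonCallback', samplePayload).body),  // callback got the payload, nothing leaked
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the naive builder the attacker’s callback string becomes the first statement of the response, so the victim page calls jsonCallback with junk and then runs whatever else was appended; the hardened builder never builds a script for it. The same identifier check is what an ASMX service (or any other JSONP endpoint) needs to apply to its callback parameter, and nosniff plus a JavaScript content type keep the response from being rendered as HTML if someone opens the URL directly.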
Android/Printer/Windows7 Won’t Connect to WiFi
The Problem
I recently ran into an issue where random devices wouldn’t connect to my WiFi while others could. None of my Android devices could connect, including my phone and tablet, but most Windows 7 devices could. A friend brought her Windows 7 laptop over and was unable to connect it to my WiFi.
I just spent two weeks troubleshooting the issue, which should have been more obvious. At first I thought it was because I had set up the encryption as WPA2 and the devices didn’t
It was definitely a stupid mistake on my part but one that is easily overlooked.
The Solution
Check your WiFi settings and verify the mode. It turns out I had set the router to Wireless N only and the devices that couldn’t connect only supported up to Wireless G. I switched the router to Wireless G/N and all the devices started working.
On Verizon’s router, go to Wireless Settings -> Advanced Security Settings
Under Level 3, you’ll see “802.11b/g/n Mode”.
Round Up to Whole Numbers in Excel (10s, 100s, 1000s, etc)
After years of using Excel, I realized today I had never needed to round up to the nearest ten, hundred or thousand before. I was organizing my finances and wanted to round some of the amounts up to the nearest 10. The formula is:
=ROUNDUP([Number],[Num_digits])
ROUNDUP always rounds away from zero (so 1234.25 never comes out as 1234.2), and [Num_digits] is the number of places after the decimal point to keep.
So if you had 1234.25 in cell A1, =ROUNDUP(A1, 1) rounds up to the nearest tenth and gives 1234.3; =ROUNDUP(A1, 2) keeps the cents and leaves 1234.25 as it is.
Value in A1 | Num_digits | Formula | Result
1234.25 | 1 | =ROUNDUP(A1,1) | 1234.3
1234.25 | 2 | =ROUNDUP(A1,2) | 1234.25
Want to go the other way? Count places to the left of the decimal point and use the negative of that count:
Value in A1 | Num_digits | Formula | Result | Rounds up to the nearest
1234.25 | -1 | =ROUNDUP(A1,-1) | 1240 | ten (10)
1234.25 | -2 | =ROUNDUP(A1,-2) | 1300 | hundred (100)
1234.25 | -3 | =ROUNDUP(A1,-3) | 2000 | thousand (1,000)
1234.25 | -4 | =ROUNDUP(A1,-4) | 10000 | ten thousand (10,000)