I completely understand why they would immediately go to delete group instead of remove member. You see the big X signifying delete and just assume that’s what it will do when you have the user highlighted. I know how to recover the lists when they do delete them. You have to hunt through the deleted items and find it. If you sort by date it will sort the list based on the date it was created, not when you deleted it. Click on the group and drag over to the left where it says contacts or in our case go to folder list view and click and drag it to the appropriate contacts list under public folders.

The next time the person tried to send an email to the group they would get an error that said “unexpected error.” *sigh* So I finally got the bright idea to start typing in the group name into the To: field to make the auto-fill show up and delete that entry. I clicked the To: button and added it that way, sent the email and it worked. For some reason the auto-fill entries break if you delete the group and restore it. There must be some way outlook is identifying the auto-fills and when you restore the group it gives it another ID number or something.

Go to your start menu and type firewall in the search box, then click on Windows Firewall with Advanced Security.

1. Click inbound rules on the left and then new rule on the right
2. Custom rule, next
3. All programs, next
4. You can either leave protocol type to any or change it to UDP, next
5. Under “which local IP addressses does this rule apply to?” choose “these IP addresses:” and click add. I just put the range of IPs of the computers on my network. Hit OK.
6. Then allow the connection, next
7. Only selecting private should work fine for a home network.
8. Finally, name the rule so you know what it is. I just called it Shareport Utility. Hit finish.

If you want to turn on firewall logging open your command prompt and use either/both of these commands depending on what you want to see:

netsh firewall set logging droppedpackets = enable
netsh firewall set logging connections = enable

By default your log file is %systemroot%\System32\LogFiles\Firewall\pfirewall.log

I was having another issue printing where it would print all jumbled up with text overlapping itself and the colors being completely wrong. I saw a post that suggested going into the printer properties to disable spooling. For my printer it’s under the advanced tab in the printer properties. I told it to print directly to the printer instead – so far so good.

Being the curious person that I am I downloaded the attachment to see what was in it. I found an exe file, Deposit_Posted_Details_USAA_122012.exe. I scanned the exe with our corporate version of Malwarebytes and it was detected as Trojan.Zbot.CBCGen. I scanned it with GFI’s Vipre anti-virus, but it was not detected.  I then uploaded it to virustotal to see what other scanners were detecting it. As of this post, only 3 scanners are seeing it, one of which was added while I was putting this post together – ByteHero, Kaspersky, and McAfee. You can see the report here.

My next step is do some research based on the names the scanners that detect it have given it to see what kind of infection this is. Hopefully if any of you have it Malwarebytes will just take care of it for you.

Update: It now looks like 6 scanners are able to find this virus. I did some looking around online and from what I see it sounds pretty nasty.

It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.

From the report Symantec put together and the report I received from submitting this to GFI’s sandbox I can see that it creates a file to dump all your login information into and tries to phone home to suck those passwords off your computer. Symantec lists this as a low threat, but if there is any sign of this being on your computer you need to change all your passwords. That is not something I would want to risk. At least it appears to use the same names to create the files and keys over and over, which would hopefully mean that it wouldn’t be terribly difficult for the anti-virus scanners to find and remove – once they update their definitions to get this newest variation.

Also, this virus can possibly inject forms into your web browser that make it look like your banking site, or whatever site your logging into, is asking extra security questions to confirm who you are. But if the it’s something beyond the basic “what’s your mother’s maiden name?” be careful. I saw on another forum somewhere that when someone tried to log into their banking site it asked them the basic questions, but then asked him what his debit card number is – why would your banking site be asking that?

Here are the DNS requests from the report that GFI sent me after submitting it to their sandbox.

In response to Mosey’s question about whether Filezilla’s credentials would be at risk: it doesn’t sound like they would be based off the the Symantec report and a couple others things I found about it (see the two links I added below). It sounds like it is only monitoring what you type into your web browser. I have not seen anything yet that tells me otherwise. But I did find another blog that describes how Filezilla stores your credentials in a plain text file that is very easy to find. This trojan is also known as Zeus, there are a lot of variations – so I suppose someone out there creating their version of the Zeus trojan could target the Filezilla files that hold your credentials.

Sources:

• Symantec – Trojan.Zbot Technical Details
• F-Secure – Trojan-Spy:W32/Zbot
• Beware: FileZilla Doesn’t Protect Your Passwords

Faulting application name: Skype.exe, version: 5.0.0.152, time stamp: 0x4cb31516
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdaae

What does that mean? I have no idea. The only thing I can think of is if maybe recent windows updates broke something for Skype. I haven’t changed anything else on my computer recently.  I’m also not sure if this is a Windows 7 thing or not. My aunt has Windows XP still and she was not having any issues, another family member who has Windows 7 also couldn’t Skype with her. So maybe windows update strikes again.

Anyway, go here and download the beta version. It’s about half way down the  page under their windows section if you go directly to Skype’s website.

If you want to bypass all my troubleshooting that it took for me to get this to work then click here to go straight to the solution.

July 5, 2011

This adventure began late last week. I need to figure out how to image our encrypted hard drives in a manner that keeps the encryption intact. I’m not going to wait hours for a drive to decrypt just so I can image it and then have it spend another few hours, or however long, to re-encrypt it. The plan is to get this to work so that I can pull an image of each of our laptops every time we have huge software changes. I’m not sure what’s going to qualify as large enough changes to make me go through this, but I’ll figure it out when I get there. After I get this process to work properly I’ll just use the ghost client on the machines to back up the user files every 2 weeks or so.

Well last week I started my experiment with ghosting one of our unused encrypted laptops. It took me forever to realize that I can’t use the windows client to pull or push an image because ghost doesn’t like that I have to enter the password before the computer will finish booting up. Even though I was standing at the laptop when the client forced a reboot and typed the password in right when it prompted for it, it wouldn’t go into the WindowsPE environment. I thought I was being too slow at first, but that wasn’t the case.

I created a boot disk with the right NIC drivers on it for these laptops and had it boot to the CD. I finally got it imaging and then noticed it was splitting the image into the default 2GB chunks. With these laptops being 500GBs, that just isn’t going to work. I kept thinking of spanning, not splitting, so it then took me awhile to find the correct switch to add to the settings /facepalm. I finally got it to pull the image, it took 4 or 5 hours to do it and the next day I turned around and pushed the image back out to it – I’m using the ghostcast server on one of my servers since I don’t have a large enough external hard drive for a 500GB image and I don’t feel like buying one right now.

I came in this morning and rebooted the machine to see if the image worked. Well it prompted me for my encryption password but then it won’t boot into windows so I need to run the repair command. But I can’t do that until I decrypt the drive because the repair boot disk won’t see the hard drive until I do. So now I get to yank the hard drive out and hook it up to another laptop in order to decrypt it, that will take 12-24 hrs.

But, there is one more thing I will try before I become stumped. I used the split=0 switch, but not the switch to force a sector-by-sector copy (-ia). I thought I read in the documentation or in their forum that it would detect whether it needed to be sector-by-sector, but I don’t know how to find out and it didn’t work. The last time I had to decrypt a drive by hooking it up to another laptop as an external it took at least 20 hrs to finish. I’ll start that process shortly and try to image it again tomorrow.

If anybody has any advice please feel free to share it.

To be continued….

Continued:

Well I tried imaging it again after waiting 20 hrs for it to decrypt, then 20 more hours for it to encrypt itself again. The image failed. I tried using both the -split=0 and -ia switches and did see an error where it was saying something about -split=0 not being used properly or whatever. So now I have to decrypt it again (20 hrs), run the fixboot command, and let it encrypt itself again (20 hrs). Then I will try imaging one more time only using the -ia switch for sector-by-sector copy. I will report back once this has been attempted. I will figure this out, damn it.

October 11, 2011

So 3 months have past since I last spent much time trying to figure this out. I’m too stubborn to admit defeat and let something like this go without exhausting all resources first. I just knew there had to be a way to get it to work. I came across a KB article on Symantec’s website that sounded like exactly what I needed to do. Why this was never mentioned in any forum posts about PGP (or encryption in general) and Symantec Ghost (that I found anyway) is beyond me. I only ever saw mention of sector-by-sector copying and if you read my original post, then you know how well that worked out. I just realized the new article that  I found also refers to the -IR switch, which is a raw disk image, as sector-by-sector. What the hell? Let’s be a little more confusing please /sarcasm.

Solution:

1. Use a ghost boot CD or usb drive to get into the WindowsPE environment.
2. After it boots up and pops the Ghost GUI up, close that so you’re at the black command prompt.
3. From here I had to go back a couple directories by typing cd.. to find the directory the ghost executable lives in. I think it’s Ghost32.exe.
4. The switches you need to use are -IR, -FRO, and -SPLIT=0. So type ghost32.exe -IR -FRO -SPLIT=0 and hit enter. Now go through the normal steps to select the disk to image and the place to save it.

You are going to need a removable hard drive or the ability to ghostcast from a server that has enough space for the image to be the entire size of the hard disk, even if the disk only has 50GB of information on it. Since the image is a raw disk image (the -IR switch) it is imaging the entire disk. You can use the -SPLIT switch to chop the image into smaller bits, but that doesn’t make the image any easier to manage with hard disks being so large these days. Unless you need to chop the image into files that will fit on DVDs or Blu-Rays, I don’t see that being useful. Or maybe you have small usb hard drives to split the image onto, I suppose that’s helpful.

I pulled an image and turned around and pushed it back out and it worked perfectly. I rebooted the laptop this afternoon and it was like nothing happened – encryption and everything is intact. It looks like, based off the switch descriptions linked below, that the only difference between raw disk image and sector-by-sector is that the raw disk image ignores the partition table. Funny how the KB article still refers to it as sector-by-sector, yet their own switch description page does not.

Sources:

1. Ghost and PGP – Norton Community
2. Symantec KB Article TECH104163
3. Switches: Alphabetical list of switches