Holding your users accountable for their actions is one of the trickiest things about being an IT consultant. If a user tells you he didn’t delete or move a file you can’t just sneer at him and accuse him of lying, no matter how much you want to. You must have proof: a nice solid document showing the who, when, and where of the user’s malfeasance. Enter file system auditing.
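As an added example (not part of the original post), here is how that who/when/where record is produced on a Windows file server: enable the File System audit subcategory, put a delete-audit SACL on the folder, then pull the matching Security events. The folder path and the one-day lookback are assumptions; run it elevated.

```powershell
# Added example, not from the original post. Records who deleted or moved
# files under $Folder and reports it from the Security log.
# $Folder is an assumed path; point it at the share you need to watch.
param([string]$Folder = 'D:\Shares\Accounting')

# 1. Turn on the "File System" subcategory of Object Access auditing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so every DELETE access by anyone is logged.
#    A rename or move needs DELETE on the source, so it is caught too.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Later: who, when, where. Event 4663 = access attempted on an audited
#    object; AccessMask 0x10000 is DELETE. (4660 follows when it succeeds.)
function Get-FileDeleteReport {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$Since} |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                When    = $_.TimeCreated
                Who     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask
                Process = $d.ProcessName
            }
        } |
        Where-Object { $_.Object -like "$Path*" -and $_.Access -eq '0x10000' }
}

Get-FileDeleteReport -Path $Folder | Format-Table -AutoSize
```

Export the table to CSV when you need to hand it to management; the Process column tells you whether the delete came from Explorer or from something else.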
I previously wrote a guide for End Users that gave a relatively simple and straight forward way to clean their PCs. This is a guide for professionals who have more experience and can delve into some of the more intricate details of their client systems.
Most people have their personal favorite Anti-Virus and Anti-Spyware tools, but by now you all know that I recommend AVG-Antivirus and SuperAntiSpyware, I also recommend AVG-Antirootkit. These tools are relatively simple to use and the only tip I’ll offer to other pros is to make sure you run AVG-Antirootkit before either of the other two.
The tools I’m going to talk about in this article are HiJackThis 2.0, Process Explorer, Killbox, and CCleaner. We’re also going to examine a few tools for specific malware removal like FixVundo and ComboFix.
I’ve developed a procedure that generally takes two hours on a given machine. At my rates that usually costs my client $160 which is about $90 less than most of the places in my area that offer this service. I have a machine specifically dedicated to System Cleaning that has all of the tools I use installed on it already. I have a USB thumb drive that has HiJackThis, ProcessExplorer and KillBox on it. My procedure is as follows:
You may have to get creative with steps 15-17 in the way that you suspend and kill processes in order to get KillBox to delete them. You may also have to use the DeleteOnReboot option on some of the files. I’ve had rogue DLLs attach themselves to the Lsass.exe process, when you kill that process you have 60 seconds to do whatever you can do before the system automatically shuts down. When you have to get killbox to delete 8-10 files in that 60 second window or they all regenerate after the reboot it starts to feel like defusing a bomb.
When you are using HiJackThis you do have to be very cautious. It takes some experience to interpret the log file it generates, but after a while of using Hijackthis.de to analyze the files for you, you will start to recognize bad entries on your own.
Combofix is the same way and I don’t currently know of an automatic analyzer for it, but there is a great guide for it over here. I recommend posting the ComboFix logs at ComputerHope for analysis until you start to get a feel for the log entries.
With this procedure you should be able to streamline your spyware removal process, undercut your competitors (and your local Best Buy) and make more of your clients happier faster. So how about using some of those increased profits to
Inheriting a network from a previous company or department, or even just a previous tech in your department, can be a nightmare of confusion. Documentation is never as good as it should be and the previous tech is rarely prepared to help you ease into things and show you all of the tips and tricks for dealing with the quirks of the network. One of the most annoying things can actually be finding all of the devices on the network and figuring out what the heck they are. If you are faced with that herculean task, fear not, my friend: Look@LAN makes even the largest network a snap to manage, and it’s free.
As with almost every piece of software I come into contact with, the installation consists of double clicking the executable and clicking next until you run out of screens. From there everything about Look@LAN is easy to use. The wizard gives you the option of creating a new profile, opening an existing profile, opening the last profile you had open, or analyzing an individual host.
When you create a new profile you give it a name, and choose the speed. Then you can either pick one of your interfaces and automatically scan that subnet, or manually specify a range of addresses to scan. This lets you scan multiple subnets in the same profile. For example if your office has one subnet for accounting and one for marketing, but they both share the first two octets (192.168.1.x and 192.168.2.x) you can use Look@LAN to scan both networks in one pass and monitor all of the machines at once.
Once you have chosen the IP range you would like to scan just click next and within seconds Look@LAN will have a complete list for you. I’ve scanned as many as 180 active IPs and it took less than one minute to complete. This thing is FAST. It’s so fast they should put racing stripes and a spoiler on it. Just for kicks I scanned my Windstream/Alltel subnet. It took 18 seconds and found 63 active IPs. My example network is going to be my personal home network.
You can see the status bars in the top left that show how far along the discovery is; obviously the discovery here is complete. On the right you can see the number of Online and Offline IPs, all 4 of my IPs are online. You can also see the Show Graphs button which will display a pie chart showing the operating system makeup, the NetBIOS and SNMP status, and the online/offline ratio. You can also use the dropdown to change the statistics to view different IP ranges if you specified more than one scan range.
If you want to specify additional scan ranges click on the Scan Ranges button at the top. From here you can add another range or remove an existing one. You can configure as many ranges as you need to and monitor all of your clients from this one screen.
The Report button lets you generate reports about the uptime of the objects you are monitoring as well as other monitored statistics. It is, admittedly, not a feature I use very often. If you click the Create New Report button you can configure the report to scan the network at preset intervals over a specific period of time. The default is every 60 minutes for 24 hours. I like every 10 minutes for 9 hours during the work day. You can then have it automatically generate and export the report to a directory.
Below that is the actual list of IP addresses with their status, the distance in hops, the detected OS, the hostname, the NetBIOS name, the NetBIOS user if it was detected, and the SNMP and Trap status. Double clicking on one of the entries brings up a page with more details, including all of the SNMP info if SNMP is enabled. Even if SNMP is not enabled you get a port scan, traceroute, and pings as well as the host information.
To get the most out of this tool you really should have SNMP enabled on the network. With that you can use this to monitor free disk space, RAM, installed programs, and a myriad of other items. Without it you’ve just got a very fast network scanner and monitor, which is still useful, but not as awesome as it can be.
Right clicking the list of IPs allows you to sort it by any of the available criteria, remove the IP from the list, set trapping for the IP, and copy the IP to the clipboard. Combined with Remote Task Manager you can manage almost every aspect of a PC without the user even knowing about it.
Look@LAN is another must-have for anyone who works with networks. The speed and utility of this program is above and beyond any other free program I’ve used and even outperforms most commercial products. The speed of network discovery is light years ahead of products like NetworkView which can take hours to scan a network. Definitely add this one to your toolbox.
If you found this guide to be useful please

Remote Task Manager, Look@LAN, and Skype. I will address each of those tools briefly in this article, and more in depth in individual reviews. I keep the entire setup on both CD and my Flash drive for easy installation. I can also mail copies of the CD to potential clients or make the files available for download through my website.
Ultra VNC is the most obviously useful component of my remote access suite. Once it is installed on the client PC you can access the PC just as if you were sitting in front of it. When Ultra VNC is installed as a service you don’t even need a user to log on for you. From here you can troubleshoot any issues the client is having with the PC.
Remote Task Manager is the most powerful tool in the package in my opinion. It allows you to access the task manager, the services list, and the event viewer, as well as execute programs remotely. RTM can kill processes that the normal task manager can’t as well, which has proven invaluable to me in the past. It’s also less intrusive than UltraVNC for times when you may need to make an adjustment to a PC without disturbing the user. You will need an administrative password to install the RTM service on the client PC, but it installs silently and runs without bothering the users.
Look@LAN is a very fast and very powerful network discovery tool. It will give you all of the active IPs on the network as well as MAC addresses, open ports, ping times, and traceroutes. If SNMP is enabled it will also access the SNMP Data and display all kind of system info.
Skype is a well known and popular tool for video conferencing. I use it to meet with distant clients who like face to face contact. Those meetings are what really sell you as a consultant, so this piece of software can do more to make you money than any of the others.
Obviously maintaining a remote presence at a client requires a working internet connection at both ends and it helps to have a tech savvy user at the remote site in case you need to talk a user through something, but these tools will let you do an amazing amount of work from thousands of miles away. Everything from desktop troubleshooting to server configuration is at your fingertips.
Pro Tip: Don’t worry about trying to forward ports for every machine on the network. Just make sure RDP is forwarded to the server and install your tools there. If your client doesn’t have a server then designate one as the “Helpdesk” PC that must remain on all the time, forward your Ultra VNC port to that PC and install your tools on it.
As always please
Just a quick warning, this is going to be a very long guide with a lot of screenshots. Remote Task Manager is a fairly in-depth tool with a lot of features which I would like to illustrate.
Like most things the installation is very simple, just download the file, run it, and click next until it stops asking. Once that’s finished fire it up and let’s take a look at it.
The first section is Applications and mirrors the first page of the regular Task Manager with a few exceptions. The most important feature here is what happens when you right click on a task. As you can see in the screenshot a menu pops up allowing you to end the task or Go To Process. The Go To Process option is very handy when you are trying to figure out what executable is responsible for a given task, which isn’t always obvious.
The next tab is the Process tab. Again it looks a lot like the standard task manager with a few more columns; however, right clicking on a process brings up a much more powerful menu than the basic task manager. Here you can Suspend a process, which will leave it open but not running. Very handy if you need to keep a piece of spyware from opening more windows while you hunt it down. You can also End Process from here and this End Process doesn’t mess around; it’s akin to the kill -9 command in Linux. When the regular task manager says Access Denied RTM doesn’t even blink; it kills the process. You also still have the option to End Process Tree, which kills the process and any process it has started.
The next option is one that I’ve just started playing with. It allows you to choose which processor in a multi-processor (or multi-core) machine the process should run on. I haven’t determined whether I can make any real performance difference or not with this option, but it’s pretty freakin cool nonetheless. You can also set the priority of the process from here; I like to keep things like antivirus and my firewall at a lower priority so they don’t bog my system down.
The next option is Go To Parent, which is one of the handier options I’ve found when hunting spyware: finding the process which spawned a known rogue process can make it a LOT easier to track down the real culprit and eliminate it. The Properties screen is also incredibly in depth, showing the path the process is running from, the command line that executed it, all of the modules involved, the system threads, and performance stats. Very detailed. There’s also a Process Tree button in the bottom right which lets you view the processes in tree view, which makes it very easy to track which process is spawning which.
The Services tab is something that the normal Task Manager doesn’t have and I’ve found this screen to be invaluable. The right click menu is like wielding some kind of magic wand on this screen: you can see the services that depend on a given service and from there you can create a new service which depends on the service you right clicked on! You can start and stop the services from here, edit the services, and go directly to the process which the service spawned. In the bottom right are a set of buttons which do essentially the same thing, allowing you to start, stop, pause, restart, edit or delete an existing service or create a new service with the click of a button. This lets you run pretty much anything as a service.
The Devices screen works in much the same way. You can start and stop devices, create new device entries, edit existing entries and check the dependencies. You can also see where the driver file for each device resides in a convenient PATH column right there on the main screen.
The Events tab is a direct window to the Event Viewer including the ability to change which log you are viewing. There is no ultra powerful right click menu here, but there are several handy buttons in the bottom right. You can view the details of any log entry, change the log entry settings including the log size and you can filter the events in a myriad of ways with the filter button. You also have the option of saving or clearing the log from here with just one touch of the button.
The performance tab is your basic Task Manager performance tab showing your CPUs and your memory usage, nothing special here.
The Shares tab lets you delete connections, create connections, and edit the connection details. Useful, but not ground breaking.
The Networking tab is the same as your regular one. It shows your network connections and the bandwidth being used. Moving the slider bar lets you switch between total traffic, incoming traffic, and outgoing traffic which is a handy little addition.
The Hardware Resources tab contains a lot of information that I’ve never really needed, but some of you hardware fanatics might find it useful. In the lower left is a drop down box that lets you switch between DMA, I/O, IRQ, and Memory resources.
The Netstat tab is another of my personal favorites. Here it shows every network connection your system is making, along with the process associated with it, the local and remote address, the local and remote port, the protocol, the process ID and the connection state. Clicking on an established connection lets you close that connection with the button in the bottom right, and right clicking lets you jump to the process involved in the connection.
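The connection-to-process view the Netstat tab gives can be rebuilt from the built-in cmdlets. This is an added example, not code from the original post or from RTM; it lists established TCP connections with their owning process and flags any whose image lives outside the Windows and Program Files trees, which is the first thing to check when hunting spyware. The trusted-root list is an assumption; adjust it for your environment.

```powershell
# Added example, not from the original post or from Remote Task Manager.
# Lists established TCP connections with the owning process, like RTM's
# Netstat tab, and marks processes running from unexpected locations.
function Get-ConnectionsWithProcess {
    param(
        # Assumed "normal" install roots; anything else is worth a look.
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )
    # Index running processes by PID once instead of calling Get-Process per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.Path } else { $null }   # null for protected/system processes
            $trusted = $false
            if ($path) {
                foreach ($root in $TrustedRoots) {
                    if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                        $trusted = $true
                    }
                }
            }
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                PID     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '<unknown>' }
                Path    = $path
                Suspect = -not $trusted   # outside trusted roots, or path unreadable
            }
        }
}

# Suspicious connections first, then the rest; the Path column is the
# equivalent of RTM's "go to process" jump from a connection.
Get-ConnectionsWithProcess | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A Suspect entry with an unreadable path usually means a system process you cannot open without elevation, so rerun from an elevated prompt before drawing conclusions.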
The Security Patch Analyzer is a feature that is only available in the registered version, but it’s very powerful. It checks your system against a database of known vulnerabilities and will let you know which ones affect you. This tab alone makes the program worth purchasing.
Now, even just having all of this info for your PC is great, but the fact is you can click on File, Connect and point this thing at any PC on your network. You’ll need login credentials on that machine, and it’s easiest if they are the same ones you use to log in to your own PC, but once you are connected you can get every bit of information without leaving your desk.
Now, I’ve saved the best for last. If you press F6 (or click on File, Remote Execute) you get the option to specify a program, the logon credentials, and a few other options and actually execute programs remotely on that PC. This can let you run scripts to change registry entries, alter the local security policies, change drive mappings, the possibilities are endless. Or of course you could use it to play pranks on your co-workers by opening and closing their browser windows, popping up games when the boss comes around, whatever floats your boat.
Remote Task Manager is one of the most highly regarded tools I use and I cannot recommend it highly enough. This is something EVERYONE can get some use out of.
I wanted to take a moment to talk about the two links at the top of the page, the first is the Petition for Aid link. If you are a regular user with an issue with your home PC you can send me an email with as much info about the problem as possible and I will see if I can solve your problem free of charge. I always appreciate donations, but I don’t mind working for free.
The second link is new and is set up through PayPerPost and is for any business, or fellow consultant, that would like my help with a more complex issue. If you want to guarantee that I work on your issue then that is the button to use. My rates are reasonable but they are also realistic. I’ll be happy to negotiate a fair price with anyone and work side by side with existing IT personnel to ensure that the issue is resolved. That link can also be used if you are a software developer, or have your own website which you would like me to review on the site. Reviews are a flat $10 fee and I make no guarantee that they will be positive. If your product is terrible then that’s what I am going to say.