Stop Conficker from spreading via Group Policy

Please note that the instructions below only help stop the Conficker virus from spreading. If you would like to know more about the virus or how to remove it from a network, see Remove Conficker from network.

* Please carefully read and understand the instructions below. If unsure, seek help from a professional.
* Read the notes below task 4 (Very important)

Task 1. Set a policy to remove write permissions from the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
This prevents the randomly named malware service from being created in the netsvcs registry value.

To do this, follow these steps:
1. Open the Group Policy Management Console (GPMC).
2. Create a new Group Policy object (GPO). Give it any name that you want.
3. Open the new GPO, and then move to the following folder:
Computer Configuration\Windows Settings\Security Settings\Registry
4. Right-click Registry, and then click Add Key.
5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
Software\Microsoft\Windows NT\CurrentVersion\Svchost
6. Click OK.
7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
8. Click OK.
9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
10. Click OK.

Task 2. Set a policy to remove write permissions from the %windir%\Tasks folder. This prevents the Conficker malware from creating the scheduled tasks that can re-infect the system.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to the following folder:
Computer Configuration\Windows Settings\Security Settings\File System
2. Right-click File System, and then click Add File.
3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder: dialog box.
4. Click OK.
5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify and Write for both Administrators and System.
6. Click OK.
7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
8. Click OK.

Task 3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to one of the following folders:
* For a Windows Server 2003 domain, move to the following folder:
Computer Configuration\Administrative Templates\System
* For a Windows 2008 domain, move to the following folder:
Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
2. Open the Turn off Autoplay policy.
3. In the Turn off Autoplay dialog box, click Enabled.
4. In the drop-down menu, click All drives.
5. Click OK.

Task 4. Disable the local administrator account. This blocks the Conficker malware from using the brute force password attack against the administrator account on the system.

Note: DO NOT follow this step if you link the GPO to the domain controllers' OU, because you could disable the domain administrator account. If you have to apply the other tasks to the domain controllers, create a separate GPO without this Task 4 setting, and then link that separate GPO to the domain controllers' OU.

To do this, follow these steps:
1. In the same GPO that you created earlier, move to the following folder:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
2. Open Accounts: Administrator account status.
3. In the Accounts: Administrator account status dialog box, click to select the Define this policy check box.
4. Click Disabled.
5. Click OK.
6. Close the Group Policy Management Console.
7. Link the newly created GPO to the location that you want it to apply to.
8. Allow enough time for Group Policy to update on all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple of hours should be enough; however, more time may be required, depending on the environment.
9. After the Group Policy has propagated, clean the systems of malware.

Source: Symantec
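Once the GPO has had time to apply, a quick way to confirm that the four tasks above actually took effect on a given machine is to check the resulting ACLs and settings locally. The script below is an added example, not part of the Symantec instructions; it assumes an elevated PowerShell prompt on the target computer and that "Turn off Autoplay" for all drives leaves NoDriveTypeAutoRun set to 0xFF under the Explorer policies key.

```powershell
# Added verification script, not part of the original post: confirms on one
# machine that the four Conficker mitigations above have actually taken effect.
# Run from an elevated PowerShell prompt after Group Policy has refreshed.

$privileged = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Write-Check([string]$Check, [bool]$Ok) {
    $state = if ($Ok) { 'OK' } else { 'NOT APPLIED' }
    '{0,-50} {1}' -f $Check, $state
}

# Task 1: no Allow rule should give Administrators or SYSTEM write rights on Svchost.
$svchost = Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$svchostWritable = $svchost.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $privileged -contains $_.IdentityReference.Value -and
    $_.RegistryRights.ToString() -match 'SetValue|CreateSubKey|FullControl'
}
Write-Check 'Svchost key: Administrators/SYSTEM cannot write' (-not $svchostWritable)

# Task 2: same test on %windir%\Tasks, where Conficker drops its scheduled tasks.
$tasks = Get-Acl -Path (Join-Path $env:windir 'Tasks')
$tasksWritable = $tasks.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $privileged -contains $_.IdentityReference.Value -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
}
Write-Check 'Tasks folder: Administrators/SYSTEM cannot write' (-not $tasksWritable)

# Task 3: "Turn off Autoplay" for all drives writes NoDriveTypeAutoRun = 0xFF
# under the Explorer policies key (assumption stated in the lead-in).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Write-Check 'Autoplay disabled on all drives (0xFF)' ($autorun -eq 0xFF)

# Task 4: the built-in local Administrator account (RID 500) should be disabled.
# Win32_UserAccount is used instead of Get-LocalUser so this also runs on older hosts.
$builtinAdmin = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like '*-500' }
Write-Check 'Built-in Administrator account disabled' ([bool]$builtinAdmin.Disabled)
```

Any line reporting NOT APPLIED means either the GPO has not reached that machine yet (try gpupdate /force and re-run) or the GPO is linked to the wrong OU.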

Remove Windows service via registry

1) Click start
2) Click run
3) Type regedit and click OK
4) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
5) Locate the service you wish to delete (Be careful when amending the registry. Always take a backup)

To backup your computer registry see http://www.online-it-support.co.uk/?p=507

How to create a Windows service

1) Click start
2) Click run
3) Type cmd and click ok
4) Type sc create <service name> and press enter

How to delete a Windows service

1) Click start
2) Click run
3) Type cmd and click ok
4) Type sc delete <service name> (Service name can be located by right clicking on the service and clicking properties)

A request to enable the Out of Office agent is in progress

The error below appears when a Lotus Notes user tries to enable the Out of Office agent but does not have Manager or Designer access to their mailbox. Change the permissions and test again.

“A request to enable the Out of Office agent is in progress. Please wait momentarily for the server to enable the agent”

February 1, 2010 • Posted in: Lotus Notes

More managed computers in group than MOM licenses

If you receive the message below:

‘There are more managed computer in the managment group than specified MOM management licenses’

1) Open the MOM Administrator Console
2) Expand Administration
3) Click Global Settings
4) Double-click Licenses
5) Click the Licenses tab
6) Under 'Licenses Purchased', type the number of licenses you have purchased and click OK

February 1, 2010 • Posted in: Software

How to remove pending comments in bulk (WordPress)

Pending comments on a WordPress-powered blog can grow really quickly, and most of them are spam. WordPress lets you remove such comments, but only 20 at a time. What if you have thousands?

Log in to your hosting panel, open phpMyAdmin, select your database, click SQL, enter the command below and click OK; all pending comments will be removed. The wp_ prefix is the default WordPress table prefix; if your installation uses a different prefix, adjust the table name accordingly.

If unsure, seek help from a professional.

DELETE FROM wp_comments WHERE comment_approved = '0'

Comments are now dofollow

I would like to announce that comments made on this blog are now dofollow, which means your author link will be followed by search engines, which will benefit your website and its rankings. All comments will continue to be held and moderated, and any spam comments will be reported. If you're here to submit spam comments, you're wasting your time. If you're here to participate in discussions and post useful comments, you are welcome.

Thank you to those who have continued to participate in discussions on this blog.

Enjoy!

The COM+ Event System failed to create an instance of the subscriber

If you receive the alert below in your Event Viewer, you'll find that the subscriber ID relates to mobsync.exe.

To resolve it, unregister mobsync by typing regsvr32 "%systemroot%\system32\mobsync.dll" /u in the Run box and clicking OK. This unregisters the Synchronization Manager COM server, so only do it on machines where that feature is not in use.

Event Type: Warning
Event Source: EventSystem
Event Category: Firing Agent
Event ID: 4100
Date: date
Time: time
User: N/A
Computer: computer name
Description: The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

January 29, 2010 • Posted in: Software

Deploy Sophos AntiVirus via script

Pushing out Sophos AntiVirus via the Sophos console does not always work, and you can never be sure that all machines are protected until you check each one manually. The script below runs at startup and installs AntiVirus on those machines that do not have it. Amend the scripts as required. Note that the update account credentials (-user and -pwd) are stored in clear text in the script, which every computer applying it can read, so use an account that has only read access to the InterChk share.

@ECHO OFF
REM -- Check for an existing installation of Sophos Anti-Virus; skip if already present
if exist "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" goto _End
REM -- Deploy to Windows 2000/XP/2003 from the InterChk share (amend <SERVER>, USER and PWD)
\\<SERVER>\InterChk\ESXP\Setup.exe -silent -updp "\\<SERVER>\InterChk\ESXP" -user "USER" -pwd "PWD" -mng yes
REM -- End of the script
:_End

If you wish to exclude certain machines from the script, use the script below:

@ECHO OFF
REM -- Check for an existing installation of AutoUpdate; skip if already present
if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
REM -- Check for servers not to install to
if %COMPUTERNAME% == SERVER1 goto _End
if %COMPUTERNAME% == SERVER2 goto _End
REM -- Deploy to Windows 2000/XP/2003 from the InterChk share (amend <SERVER>, USER and PWD)
\\<SERVER>\InterChk\ESXP\Setup.exe -updp "\\<SERVER>\InterChk\ESXP" -user "USER" -pwd "PWD" -mng yes
REM -- End of the script
:_End
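The startup scripts decide per machine, but they still leave you without a list of which machines are covered. The PowerShell below is an added example (not from the original post) that reuses the same SavService.exe presence test as a remote inventory check; it assumes the account running it can read each computer's C$ share, and the hostnames are constructed placeholders.

```powershell
# Added example, not from the original post: turns the SavService.exe presence test
# the startup scripts rely on into an inventory check across many machines.
# Assumes the running account can read each computer's C$ administrative share.

# Constructed placeholder list: replace with Get-Content of a real hostname file
# (or the output of Get-ADComputer).
$computers = @('WORKSTATION01', 'WORKSTATION02', 'SERVER1')

# Same path the startup script checks; adjust if Sophos is installed elsewhere.
$savRelative = 'C$\Program Files\Sophos\Sophos Anti-Virus\SavService.exe'

$report = foreach ($c in $computers) {
    $online = Test-Connection -ComputerName $c -Count 1 -Quiet
    $installed = $null                      # stays $null when the host is unreachable
    if ($online) {
        $installed = Test-Path -Path "\\$c\$savRelative"
    }
    New-Object PSObject -Property @{
        Computer = $c
        Online   = $online
        SophosAV = $installed
    }
}

# Machines that answered but have no Sophos Anti-Virus: these are the ones the
# startup script should pick up at next boot, or that need manual attention.
$missing = $report | Where-Object { $_.Online -and -not $_.SophosAV }

$report | Format-Table Computer, Online, SophosAV -AutoSize
$missing | Select-Object -ExpandProperty Computer | Set-Content 'sophos-missing.txt'
```

Hosts that show Online as False need a second pass later; an unreachable machine is not evidence either way.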