[ad]

[ad]

Issues that I have had:

No reboot: This seems to be the most common issue I encountered. If the patch was installed and the computer was no rebooted you will experience things like not being able to type in text input fields. Rundll32.exe memory dumps, and missing menus and toolbars. To fix this rebooting seems to do the trick.

No Header or title in internet explorer: For some reason I have seen this a few times when the computer went from IE6 to IE8 directly. The browser window will not show any title, and will not allow you to open any menus. The fix I found for this is to give the user account local admin rights and login again. Go through the setup wizard and change the rights back again.

Internet explorer will not open after upgrade: I have seen this a few times. First try running the browser as another user. If it opens, try giving the user that is having issues local admin rights. If this does not fix it I found that recreating the user profile works ( I had to resort to this only twice out of 12 browsers that would not open)

Website Incompatibility: MANY products and websites are not compatibly with internet explorer 8. Microsoft chose not to follow internet conventions when developing the browser so there have been a ton of issues encountered. This is actually so prevalent that Microsoft introduced compatibility view to allow people to render websites in Internet Explorer 7. Check out THIS
Spybot – If you have spybot installed on your computer unfortunately it will not work with internet explorer 8. The people at spybot are working to fix this but the only solution I found as of writing this is to uninstall either IE8 or spybot.

ADP – a very common workflow and payroll management provider. If you are using IE8 you cannot log into ADP unless you view the page in Compatibility Mode.

Centricity – A common medical Practice management software, this does not seem to work at all with IE8 installed. I found uninstalling to be the only option.

Solidworks – a Design and CAD application, once installed IE8 will cause web help to stop functioning as well as some other web based services. Uninstalling IE8 seems to be the best option for this as well.

Quickbooks – IE8 will break the web-help application and case older versions of quickbooks to crash on first load. Again until there is a hotfix uninstalling IE is the best option.

General Browsing – About 2400 websites are not compatible with IE8. A bunch of banking sites and smaller sites do not work or allow for login, most of these are fixed with compatibility view. Some big name sites like amazon.com ebay.com and download.com are having issues with the browser rendering. I list of sites that are not rendered correctly is available HERE. 

[ad]

Options:

Microsoft seems to have messed up again. The browser does not follow conventions, it does not have nearly all the bugs and kinks worked out. It causes a ton of applications and websites to not work, so much so they included a compatibility option out of the box. It seems hardly finished to me.

That said rollback may be a good option for you. Microsoft allows several uninstall options:

Add and remove programs wizard – This will let you remove the browser and all subsequent patches in one wizard.

Restore – Sometimes it is just too messed up, the uninstaller wont work, or something else goes wrong. By defult the install creates a restore point. This may be a option in some situations to rollback the mess.

Login Script: My favorite! This is what I have been using on some domains to remove it.

Kaseya – It for things like this I love kaseya.

Preventing the patch for reaching your system – Microsoft admits that the patch might not be for everyone. Check out THIS. It included a group policy template to prevent the update from installing via automatic updates, and a login script option that can also be used with kaseya.

[ad]

Essentially this will uninstall the trend client from the computer with no user interaction required. Though the silent switch is employed there is still a progress window that I can’t seem to suppress.

[ad]

This can be used as a login script by importing the registry key and then running the uninstaller.  Save the below as trend.reg:

And run this batch file at login, change the red to match your paths:

When run on login the Trend Product will be automatically removed thus preparing the computer for a Trend reinstall, or a new anti-virus install.
[ad]

[ad]

1. Download:  Download the path from Microsoft HERE
2. Copy: Copy the ENTIRE contents of your windows CD to a working directory.  Your windows CD must have SP2 already. For this example we will make believe my CD is in my “E” drive and I am working out of a folder called “c:SP3_cd”  I would copy everything from the E drive to c:sp3_cd, this can be done with drag and drop or by using xcopy:
   xcopy /e /r /y  e:*.* c:sp3_cd

[ad]


3. Integrate:  From command prompt CD to the location of your downloaded SP3 file and run the integrate command.  For my example I will use:
    WINDOWSXP-KB936929-SP3-X86-ENU.exe /integrate:c:sp3_cd
4. Rip: Using a utility called bbie (click HERE) rip the boot sector off your windows CD.  Again from command line navigate to the location of your bbie and simply input the source CD.  To drop a file called “image1.bin” in the same directory as your bbie.exe I would run:
   bbie.exe e:
5. Make: Make a ISO with your folder and boot file.  Use Nero, or Magic iso to burn the contents of your patched CD.  Be sure to use the boot file we created.  Select bootable form them menu.  Alternitivly you can download barpe builder HERE. This package contains a file called mkisofs.exe from command line we can pass it a ton of arguments to make it output a iso. Change the colors to match your paths.
   
   mkisofs.exe -force-uppercase -iso-level 4 -A mkisofs -sysid “dos” -b c:image1.bin -no-emul-boot -boot-load-size 4 -hide “boot.catalog” -o c:SP3.iso c:sp3_cd
6. Rejoice:  If you are like me and install windows a lot this will save you lots of time.  

Note: mkisofs is insanely complex switches.  If you have nero or a application with a GUI to browse to the source, boot image and output it makes it much easier.

[ad]

http://www.magicaljellybean.com/keyfinder/

[ad]

Symptoms of the virus are expected to include and have been confirmed to include:

• Services disabling on their own. Namely windows defender, BITS, windows firewall, and some third party antivirus services such as live update.
• Massive increase in network traffic.  Up to a 10-15% increase in total network traffic is expected on infected networks. This is due to attacks on shares and accounts, as well as spreading of the virus and payload.
• Account lockouts reset.  If the virus is on a DC it will dictionary attack the admin account and admin shares, if the account locks out, it will automatically reset the lockout.
• Lastly some or all AV websites, security websites, and windows update sites are inaccessible.  they reply to ping and answer to telnet on port 80, but they are not accessible to any browser.  This appears to be done through a virtual proxy system.

Microsoft has teamed up with ICANN, AOL, Symantec and other big names in computer security and network technologies to attempt to curtail the infestation of the virus.  A $250,000 reward is available for anyone that can provide information leading to the arrest of the coder.  
[ad]
Microsoft released a patch MS08-067 on october 15th 2008, that fixes this exploit however, it is estimated that about 30% of computers do not have this patch installed.  This patch is available from Microsoft HERE.  The patch is available for windows 2000 sp4 – windows server 2008 with the exception of windows xp service pack 1 (service pack one has reached its end of support).  Windows 7 has the patch integrated in it already.  Many antivirus makers are releasing removal tools for the virus already.  Microsoft has a removal tool available HERE.  And bit defender has a network/domain removal tool HERE.

What you can do to limit and prevent conflicker spread as a network administrator.

• Follow best practice passwords.  Require password that include special characters and are at least 6 characters long.  This makes brute forcing the password very difficult.  
• Turn off all unnecessary network shares.  Any computer on the network that has a opened share is a vulnerability. Check this out to discover shares.
• Turn off auto run.  You don’t need it in most cases.  Turn it off, it allows for the potential execution of code.
• Update antivirus.  Make sure you have the last definitions and scan engine.  Note that sometimes the scan engine is not an auto update and may require manual processing.  Also make sure that all of your computers are showing in the antivirus console.  If not you might have a potential issue.  Look into it ASAP before it becomes a problem.  
• Windows update.  Update everything.  Every computer should have every critical rated patch, always.  Check out my past post on autopatcher, and check this out for a alternative way to investigate the security of your network.
• Be a bouncer.  Do not allow people to bring in home computers, set up wireless, connect external harddrives and other strange stuff to the network.   They are not on the domain, not subject to group policy, and they might not have AV or patches.  This is a huge vulnerability that often goes unnoticed, but it allows for another way to accidently introduce an infection into a network.

April 1st will be interesting at the least.  I have taken a ton of percautions so I can just sit back and watch the news all day while my network stands strong.

[ad]

Kaseya

Script Description: Turns the computers power configuation to the ‘always on’ setting

IF True 

THEN

   Execute Shell Command

     Parameter 1 : powercfg /setactive “always on”

     Parameter 2 : 1

         OS Type : 0

ELSE

 
[ad]

Windows logon script or batch file:

If you are using kasaya you can import that script directly and run it to remove the ‘feature’. You can also add the above line to a login script or batch file. This will automatically, silently remove the update with no user intervention or popup.  it literally just disappears.

WARNING: running this on a terminal server with users logged in will cause new users to not be able to authenticate until you restart the server.  Always follow best practice for software uninstalls.  Careful when you run it on servers

Just a nice simple way to remove windows search 4.0 infection from your network.

[ad]

http://www.devolutions.net/products/remotedesktopmanager.aspx

And no I have no affiliation with them, just a good chunk of code

[ad]