Got the ‘Popureb’ rootkit/bootkit? Time to find your Windows recovery disc!

June 27th, 2011

Rootkit malware digs itself deeply into an operating system, so deeply in fact that removing it can be a major pain in the rear. If you have a system infected with Trojan:Win32/Popureb.E then Microsoft is now recommending that users find their Windows recovery disc and use that to fix the MBR (Master Boot Record):

If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

Rootkits/bootkits are a major pain in the rear to remove. Because they burrow so deeply into the OS and open up such a massive security hole, the best thing to do might be to either recover the system from a clean backup or wipe the system and reinstall.

It's the only way to be sure that the malware is all gone.

Here are instructions on how to fix the MBR for XP, Vista and 7.

Outlook 2007 crashing after IE9 Install

April 19th, 2011

Hmmmm, I have noticed that since I upgraded to IE9, Outlook is continually crashing (and restarting). You can also reproduce the fault by clicking

Tools | Trust Center

I've tested it on three machines (both 32 and 64 bit) and it does it every time.

I've done some searches but so far no one at Microsoft seems to be aware of this bug.

My only hope right now is to reinstall Outlook 2007 although if I'm going to do that I might as well save my time and upgrade to the newer version (something I've been procrastinating for ages!) I will let you know if it fixes the problem!

Update: Upgraded one machine to 2010 and it didn't fix the problem. It's possible that it's an add-in problem. Unfortunately add-ins are found within Trust Center, which immediately crashed Outlook. Running Outlook in safe mode doesn't seem to help.

OK this works: Solution (at least for now) - uninstall IE9. I did this by:

Windows Control Panel | Programs and Features | View Installed Updates

Select Windows Internet Explorer 9. Click Uninstall.

If you try this always back up first! The system will need to restart in order to complete the process, so make sure you save any unsaved work.

Update: It's possible the problem is caused by GFI Vipre Antivirus. Anyone else seeing this perfect storm of programs causing the problem??

Update: Have uninstalled Vipre and the problem remains. It seems to possibly end the intermittent crashing, but the Trust Centre crash still happens. Disabling all the add-ins doesn't seem to fix the problem. So ... it's still a mystery. Stay tuned!

- Kathie 🙂 (Hey, what am I? The PC Nurse???)

Useful code in 1.5KB!

April 14th, 2011

I love tight code, I especially love it when that tight code does something useful!

Here's an application called HideAutoUpdate that combines usefulness with tight code. If you like coding, you'll want to take a look at this!

Windows Stability Center – Removal Instructions

April 2nd, 2011

Windows Stability Center is the latest in a long line of rogue anti-spyware programs that trick the PC user into thinking that their machine is loaded with malware and convince them to buy the full version of the fake program in order to remove the supposed system threats.

Windows Stability Center has become widespread thanks to the recent spate of hack attacks on websites known as the "LizaMoon" attack.

Once Windows Stability Center is installed it will start automatically when you log in to Windows, run a fake scan of your computer and claim to have discovered a number of security and system problems that require immediate attention.

Manual removal of this malware can be tricky and it is recommended that you use an antivirus tool. However, if you want to attempt to remove this manually, here's how:

First, find and kill the following process:

  • [random].exe (where random is a random filename)

Next remove the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = '%AppData%\[random].exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'
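As an added check that is not part of the original post, the PowerShell audit below reads the three locations the removal steps list and reports, without changing anything, every IFEO "Debugger" redirection, any per-user Winlogon Shell override and whether System Restore has been switched off. It assumes an elevated PowerShell prompt on the Windows machine being checked.

```powershell
# Added audit (not part of the original post): read the locations the removal
# steps list and report anything suspicious without changing the registry.
# Assumes an elevated PowerShell prompt on Windows.

$ifeoPath     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$winlogonPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$srPath       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$findings     = @()

# 1. An IFEO subkey with a "Debugger" value makes Windows launch that program
#    instead of the named one; the rogue uses this to stop security tools.
foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
    $debugger = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings += [pscustomobject]@{
            Location = "IFEO\$($key.PSChildName)"
            Value    = "Debugger = $debugger"
            Note     = 'Program launch is redirected to another executable'
        }
    }
}

# 2. A per-user Winlogon "Shell" value is normally absent (the default shell
#    is set under HKLM); one pointing into %AppData% is the autostart above.
$shell = (Get-ItemProperty -Path $winlogonPath -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $findings += [pscustomobject]@{
        Location = 'HKCU Winlogon'
        Value    = "Shell = $shell"
        Note     = 'Per-user shell override; inspect the target file'
    }
}

# 3. DisableSR = 1 switches System Restore off, removing the rollback option.
$disableSr = (Get-ItemProperty -Path $srPath -ErrorAction SilentlyContinue).DisableSR
if ($disableSr -eq 1) {
    $findings += [pscustomobject]@{
        Location = 'SystemRestore'
        Value    = 'DisableSR = 1'
        Note     = 'System Restore has been disabled'
    }
}

if ($findings.Count -eq 0) {
    'No suspicious entries found in the audited locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

Some legitimate tools also register an IFEO Debugger value, so treat each reported entry as something to verify rather than delete on sight.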

IE 9 Where did the Search Box go?

March 31st, 2011

Hi, Kathie here.

Well if you've installed IE9 you may have noticed that your search box has gone. This is because in IE9 the search box has gone! 🙂 Instead you will see a rather small search icon in the address bar.

If, like me, you had searching from the address bar disabled in IE8, this will all seem rather confusing, however, because no such little search icon appears when you upgrade to IE9.

In this circumstance re-enabling search from the address bar is not straightforward either, as that option has also moved. (It used to be under Tools | Internet Options | Advanced.) In IE9 it has moved to Tools | Internet Options | General | Search. Check the "Search in the address bar" box.

Hey presto you can now search again!

- Kathie 🙂 (Hey, what am I? The PC Nurse???)