I had a user getting grey X’s when accessing a network share. I tried some of the standard fixes including trying to get to other mapped drives, the internet, logoff-logon. Nothing worked. I started searching and found this post from SevenForums. I tried it and it worked…
I am using Microsofts imaging (Imagex.exe) tools to set up Windows 7 Machines. I have switched between Enterprise and Professional versions of Windows 7. It turns out the imaging tools don’t like that.
If you get error “the product key entered does not match any of the Windows images available for installation” Go to the ei.cfg file in installation files and change the version from Enterprise to Professional or other way around.
I tried installing Windows 7 Enterprise x64 on a Dell Optiplex 760. I used the Windows Media. The installation was so slow that I didn’t let it complete. I tried a 32bit version and there was no difference. I did some searching online and found a comment on Microsoft’s site that updating the BIOS should work.
I was using BIOS version A02. Updating to the latest version (A08) worked.
I then had a problem where the Windows 7 installer couldn’t see the physical hard drives. I went into the BIOS and changed the SATA mode from its default setting to something which I don’t currently remember and it worked. Windows detected the disk drives.
I’ve seen talk about installing the drivers and the problem goes away, but that’s not practical in manual pre-installation.
My machine got infected with a version of the “Internet Security 2010” virus. It was a nasty little critter. I’ve seen it a bunch of times over the years. It keeps getting smarter and smarter. It used be possible to remove it by killing the process it started and deleting the files. Now, there’s a lot more steps.
The virus came from clicking on a link on a mainstream website. McAfee popped up right away and said it caught two files (warning.html and IS2010.exe). Unfortunately that didn’t matter. The virus installed itself and McAfee proved once again that it’s a useless piece of crap. Here’s what I did to get rid of it.
I first tried getting “Task Manager” to pop up. That wouldn’t work. I checked the folder that the virus created in program files (c:\Program Files\Internet Security 2010). It was empty. That’s probably because the IS2010 file was deleted by McAfee. I shut the machine down and restarted. The “Task Manager” item was grayed out. I tried launching it by typing in taskmgr.exe. Windows popped up a message stating that Task Manager was disabled. I knew that it was something I could fix in the local group policy editor. I ran gpedit.msc and enabled it. Instructions are here.
Method 4: Using Group Policy Editor – for Windows XP Professional
- Click Start, Run, type gpedit.msc and click OK.
- Navigate to this branch:
User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager
- Double-click the Remove Task Manager option.
- Set the policy to Not Configured.
It says that you can set it to “Not Configured.” In my case it was already set that way. I set it to “Disabled.” I had to reboot the machine a couple times before the virus was cleaned up. Task Manager was disabled every time. Switching between “Not Configured” and “Disabled” seems to be good enough.
I then tried to run Task Manager. The virus itself would pop up an error saying that’s not allowed. I found instructions saying that if I hit cntl-shift-esc over and over Task Manager will pop up. That worked!!!
Follow these instructions to continue:
1. Open Task Manager by continually pressing Ctrl+Shift+Esc.
2. Navigate to the Processes tab.
3. Locate for the processes called IS2010.exe, winlogon86.exe, winupdate86.exe and 41.exe. End their processes one at a time by click the End Process button at the bottom left hand corner of Task Manager and click Yes.
4. Continue with the instructions listed below to remove Internet Security 2010 completely.
I didn’t have any of those files running in Task Manager, Processes, so I looked for those files in c:\Windows\System32. I found some of the files there and deleted them. I also saw a file called “winlogon32.exe.” It didn’t look right, so I checked it out. I found out that file was a virus, so I deleted it. Big Mistake….Sorta. I decided to install MalwareBytes and then reboot in Safe Mode to run it. I rebooted into safe mode. I logged into the machine. It accepted the password and tried to load my profile, but it would just log itself right out. I suspected that it had something to do with the file I deleted. I tried to login in normal mode and had the same problem. I found this site saying that the problem was either with the userinit.exe file or the registry entry that points to it.
1. C:\WINNT\system32\userinit.exe , this file is corrupt or invalid or infected.
2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit, This registry key is tempered by virus/spyware.
At this point I’m stuck with a machine that’s infected and I can’t log into it. I tried to use an XP disk to repair it, but my drive is encrypted, so the repair disk couldn’t see the hard drive. The other suggestion the site gave was accessing the registry from a remote machine. That WORKED!!! I went to another machine and ran regedit. I then clicked on “File, Connect Network Registry” and inserted the name of my machine. I was able to connect. If the name doesn’t work for you, try the IP address. I found that the registry key and it was incorrect.
I found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”
I changed it to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\userinit.exe”
I rebooted and it worked.
So I got logged back into the machine. At this point I had pinpointed most of the files that were causing the problem. I knew not to mess with the winlogon file just yet. I also know I needed to get MalwareBytes running ASAP. I decided to run Task Manager again to see if I could find and kill “winlogon32.exe.” Something better happened. I hit cntl-shift-esc a few times to get Task Manager up. The virus pops up an error saying something about the administrator disabling Task Manager. Do not close the error! I noticed that the error message was loaded as an “Application” in Task Manager. I had a feeling that the application would lead me back to the “process” and it did. I right clicked on the application and selected “Go to process.” That took me to a file I previously hadn’t noticed called SMSS32.exe. And that’s the key to this whole ridiculous incident. I searched Google for SMSS32.exe and found this post from McAfee. I killed the process and the virus finally stopped. I then ran MalwareBytes. It found a bunch of infected files and registry entries. Here are the results:
Malwarebytes’ Anti-Malware 1.44
Database version: 3680
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.112/2/2010
mbam-log-2010-02-02 (16-16-43).txtScan type: Full Scan (C:\|)
Objects scanned: 268870
Time elapsed: 59 minute(s), 48 second(s)Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 12
Folders Infected: 1
Files Infected: 12Memory Processes Infected:
(No malicious items detected)Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.Registry Keys Infected:
(No malicious items detected)Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.Files Infected:
C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\C2XSPTAA\SetupIS2010[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BAD358BA-17F3-4527-AB8D-40D9BEF7514D}\RP533\A0065516.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BAD358BA-17F3-4527-AB8D-40D9BEF7514D}\RP533\A0066516.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BAD358BA-17F3-4527-AB8D-40D9BEF7514D}\RP533\A0071545.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\%username%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\%username%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\%username%\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Here’s what I learned. I’m posting this before the removal instructions because there are so many versions of this virus that your version of the virus might be different than mine.
Here are my instructions on dealing with this. Their usefulness will vary depending on what you’re dealing with.
I hope this post helps people that are dealing with this virus. Please post any questions and I’ll try to help. I just cannot understand how the anti-virus companies can’t prevent people from getting infected. I know of people using supposedly updated versions of McAfee and Kaspersky get infected. I’m not surprised about McAfee. It’s always been bloated garbage. Good luck!
http://bytes.com/topic/windows/answers/752011-xp-logs-off-immediately-after-log/2#post3384974
http://www.bleepingcomputer.com/tutorials/tutorial44.html
Posted in Computers, Internet, Internet Security, IT, Microsoft, PC's, Technology, Useful, Windows XP
I came across an article on InfoWorld about a blog post from a Microsoft tech regarding Windows Machine SID’s and the myths that surround them. The InfoWorld article is mostly fluff, but the blog post is well worth the read. Basically, machines that are imaged without being sysprepped usually have the same machine SID’s. It’s long been believed that this is a security issue. It turns out that’s not the case. Machines can be on the same network with the same SID”s if the machine is not already connected to a domain, not going to be promoted to a Domain Controller, and if there isn’t an application that reacts badly to it. (The example given is applications that use the Machine SID as their own ID’s.) The bottom line is that machines SHOULD BE SYSPREPED to prevent any known and unknown issues. Also, Microsoft will not support machines that don’t have unique SID’s. Sysprep is easy to run. Don’t slack off just because it might not cause a problem.
The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn’t fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.
I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that – with one exception – Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so MIcrosoft’s support policy will still require cloned systems to be made unique with Sysprep.
You can read the full article here.
You should also read this follow-up post by Microsoft tech Aaron Margosis that explains the difference between Machine SID’s and Domain SID’s. The key statement in his post: “So while it’s OK to clone a system before it joins a domain, doing so after it joins a domain (and is assigned a domain computer account and a corresponding domain SID) will cause problems.”
Posted in Computers, Internet Security, IT, Microsoft, PC's, Technology, Useful, Virtualization, Windows, Windows 7, Windows Vista
I’ve been playing around with Windows 7 for a few weeks now. I have tried to concentrate on features and configuration because I want to understand how it works, and how Microsoft intends some features to work. Windows 7 is Vista with a new taskbar and some reaaranged menus.
I like:
I don’t like:
What does that mean for my companyand I? An upgrade is likely in the works…. Windows XP is going out of support in a few years (though none of my current HW will be around then). I want to get off of the old Windows XP platform and so does the IT management in my company. Users feel like we’re “Out of date” on the desktop and Office (they don’t buy that Office 2007 is the latest version). This put together with a Microsoft “Enterprise Licensing Agreement” means that we’re moving forward with Windows 7. I plan to post about my experience with Windows 7 and the upgrade.
We’ve been getting sporadic, but steady reports of the TROJ_DLOADER.SPI virus being detected on machines. Trend Micro claims it’s not “in the wild.” That’s not true. I haven’t seen this many virus reports for XP in a long time. Trend Micro’s fix is to update DAT’s and scan the machine. I’ve tried to figure out what other anti-virus program providors are calling this virus to see if they recommend a different fix. The virus appears to come from webpages. Here’s a sample error:
Threat Alert from Anti-Virus ServerOfficeScan detected TROJ_DLOADER.SPI on PCname in my domains.
File: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\XFE1E8MF\_YzFvdDRpbmc_NzI4X2FvXzM5NThfMF8xMDIyOF9hb18_a2V5aW4_[1].exe
Detection date: 11/13/2007 14:33:05
Action: Virus successfully detected, cannot perform the Quarantine action
I’ll keep an eye on this. Let me know if you see anything.
UPDATE: I got some more info on this. Some of our SA’s have been tracking it. The virus alerts come up when people visit a certain media industry website. The site either pops up another site, or somehow redirects to “malware-scan.com”. Don’t go to that site unless you want to get infected. You should consider blocking that site using Websense or other tools. I hope this additional info helps.
Posted in Internet Security, PC's, Windows
What???? My boss dropped this bomb on us last week. I was shocked. There was no context for that remark. No one had brought this up seriously before. There was talk about migrating from Netware to AD. There was talk of VDI. There was even a rumor about Macs. But this was new. My first thoughts were:
After the meeting adjourned, I took a moment to find out when Windows XP goes “End of Life.” It turns out that XP goes End of Life April 8, 2014. Also, I don’t foresee a justifiable reason to upgrade to Vista in the next three years. That means that a Desktop Linux project doesn’t make financial sense until at least 2011. That gives us three years to migrate off of XP.
I took the rest of the day to think about it and brought it up the next day. I found out that my boss hadn’t really thought about it at all. He was just throwing the idea out there as something to think about long term. He understood my point of view and I think that’s going to be the end of that for a while.
Coincidentally, that afternoon I received the InfoWorld Editors Newsletter titled Is Desktop Linux for Real? from Steve Fox at InfoWorld. Freaky huh?
Posted in IT, Linux, Microsoft, PC's, Technology, Windows, Windows Vista
I’ve begun researching VDI because I believe that the PC is no longer necessary in medium to large environments that can operate with less than workstation class performance. The potential advantages of replacing PC’s with Thin Clients that connect to full fledged XP installations are compelling. I’ve been researching all of this for a couple weeks now, and I have to say that VDI, CCON, CCI, is in a pre-1.0 state. I’ll explain it all below.
There are three terms going around to describe Client Consolidation technology. They are:
They all essentially mean the same thing. My definition of CCON is centralizing desktop/PC systems by hosting them in the data center. All computing functions other than KVM are hosted and managed in a computer room away from the user. The user uses a client device or application to access the centralized computer. There are multiple terms battling to be the methodological name for this technology. VDI was the first term that I saw used. VDI is the trendy name in my view, and has been co-opted by VMware and turned into a product. CCON is the name used by an IBM employee named Massimo Re Ferre’ who is a heavy contributor to VDI technology research. Client Consolidation happens to be the name of IBM’s implementation of VDI (what a coincidence). CCI is a product name used by HP after they abandoned the use of VDI. Another name that’s out there is “Centralized Computing.” Centralized Computing is the term used to define the days of mainframes and dumb terminals.
My preference for the academic name of this technology is Client Consolidation (CCON). I believe that CCON is the most descriptive, most open name of all. CCON is general enough to encompass all of diverse technologies in this area.
There’s a lot of overlapping information and noise out there. I want to explain the bottom line as I see it.
The technology “models” (Re Ferre’, 2007) for CCON are:
You will ultimately have to select one (or more) of those methedologies for a production rollout.
Client consolidation is all about the use of RDP to connect to Windows systems. RDP is what it’s all about (some solutions prefer/support ICA). If you know how to use Remote Desktop, you’re most of the way to understanding what CCON is all about. Everything after this is about services and features built around the use of RDP accessed Windows systems (VM’s, Blade PC’s).
The components of CCON are:
Client Access Devices are straight forward. You need a device that can understand how to connect to remote systems using RDP. The client device can be a full blown XP/Vista PC, or a thin client running the proper client software. You’re going to hear a lot about Windows XPe in this space. XPe is a stripped down version of Windows XP often used for development and loaded onto many thin clients.
Host systems are also straight forward. You can run your XP/Vista/Other hosts as VM’s or on Blade PC’s.
Connection Brokers is where all the fun is. Connection Brokers handle the setup, and advanced features of CCON. Brokers decide (based on policy) which VM/Blade should be assigned, the features that are available to the user, and in some cases the robustness of the service. I think of Brokers as travel agents. A client shows up to the broker with a request. The Broker knows how to handle the request based on requirements and makes all of the arrangements including the connection. The broker is usually finished at that point, though the broker is an intermediary in some solutions.
That’s basically what CCON is all about.
CCON is barely at a 1.0 level. There’s very little information out there (other than Citrix) and all of the solutions are patch up jobs. There’s no long standing, widely accepted solution. Most of the solutions that I have found have been assembled piecemeal. The absolute best information that I have found comes from Massimo at http://it20.info/misc/brokers.htm. He’s created a table with extensive descriptions of all the features he’s been able to confirm for brokers and clients. It’s not a complete list of brokers and features, so do your own research and testing (HP SAM, IBM TMP missing). Regardless, it is a must read if you are going down the CCON road.
Two other items of interest are VMware’s VDI forum and HP’s CCI forum. Notice that there is very little activity at those forums. That’s because most people still aren’t working on this. Also, VMware’s product is in Beta. That’s right…VMware’s broker is vaporware, yet they’re calling it VDM 2.0. Now that’s good marketing.
That’s it for now. Please let me know if you have any questions or if you have something to add. There is so much information out there that I’m positive there is more to come.
Posted in Computers, HP, IT, NAS, PC's, SAN, Storage, Surface Computing, Technology, Virtualization, VMware, Windows, Windows Vista
An alert just came in from Trend Micro that says they are concerned about a potential Internet attack. This is vague and I know it sounds like it’s coming from the US Department of “Homeland Security.” Here it is:
High Probe Traffic Seen on ServerProtect Port 5168
PSP Announcement – 8/23/2007 6:53:13 AM – Proactive Notification: High Probe Traffic Seen on ServerProtect Port 5168 – Dear All:ICS [1] has reported a spike in the probe traffic on port 5168 which is used by ServerProtect. This might be an indication that hackers are preparing to launch an attack against this port. At this point however, we have not received any reports or samples which demonstrate the exploit.Please ensure that your Server Protect Systems have applied security patch 4 to ensure that known vulnerabilities are patched.
Please download the latest Server Protect Patch from the Trend Micro URL:
Posted in Internet Security, IT, PC's, Technology, Windows
Techno babble from an IT guy named Harry 