Archive for the Desktops Category

MS10-015 bulletin - possible BSOD with never ending boot cycles

“…oops I did it again…”  No, we are not going to discuss Britney Spears, but some folks at Microsoft are scrambling for answers after a serious update failure.  The MS10-015 update is causing some systems to lock up and then blue-screen during boot, in a never-ending reboot cycle.  Ouch.

Here is the crazy part of the equation: some systems do just fine.  I have tested the updates on 10 workstations, and 4 have crashed out and died while the other 6 were perfectly fine.  I need to clarify one piece though: each of these systems is exactly the same…EXACTLY.  Each one is a virtual desktop with the exact same applications and updates, and I used the exact same disc to build the machines.  I ran updates on all 10 systems one at a time.

On the four dead systems, here is what I did to repair them.  The commands remove KB977165, which is the package MS10-015 installs.

  • Boot from your Windows XP CD or DVD and start the Recovery Console
  • Once at the Recovery Console prompt, type this command: CHDIR $NtUninstallKB977165$\spuninst and hit ENTER
  • Type this command: BATCH spuninst.txt and hit ENTER
  • Type this command: systemroot and hit ENTER
  • When complete, type this command: exit and hit ENTER

Of course this may or may not fix your system, but so far it has worked for my dead test systems.

Confused?  You are not alone on this one.  Folks have been trying to figure out what happened, and everyone seems to be testing this like crazy.  My final thought on the issue…TOO MANY security fixes and tweaks in one bulletin.  Each time Microsoft tries to update systems with a large amount of security fixes and tweaks, it seems like they get a large amount of failures.  Seems like they should have broken this month's updates into 2 for the month…which they have done before.

Other related stories on this issue.
MS update gives some XP boxes the Blue Screen
New Patches Cause BSoD for Some Windows XP Users

Microsoft Blog post on this issue.
Restart issues after installing MS10-015

Microsoft’s workaround for this issue.
Microsoft Security Advisory: Vulnerability in Windows Kernel could allow elevation of privilege

As always, enjoy your updating and let us know if you encounter any other nasty issues.

posted by: Myke Reinhold

Windows 7 - Explorer.exe keeps crashing

This post contains information on how to edit and modify your Windows Registry.  It is always recommended that you take a backup of the Registry before editing any of the values because any improper editing can cause strange behaviour and at worst could even corrupt your operating system completely, requiring you to re-install Windows.

We encourage you to try out the registry changes,  but only if you know what you are doing and if you do it with care.

After building a brand new Windows 7 Enterprise x64 laptop I ran into some issues.  The issues started shortly after finishing some updates.  Explorer.exe kept crashing every time I would right-click on an icon or try to use anything that used explorer.exe.  After searching the web for hours I found nothing that actually resolved the issue.  Pretty much everything out there pointed to doing a full restore or a clean installation.  I also found a couple of posts that said once they deleted their profile and rebuilt it, everything worked.  Each of these is true, but why waste the time and effort?  I am not sure about you, but hearing from a Microsoft employee and having them tell you to do a clean install because it is hardware related or due to 3rd party software is getting real old.  Well, you are in luck folks, because I have a solution that does not harm the machine and it can be done within 2 minutes.

Here is the error we were getting in our event logs:
The program Explorer.EXE version 6.1.7600.16404 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 810
Start Time: 01ca6d1f1aca747c
Termination Time: 0
Application Path: C:\Windows\Explorer.EXE
Report Id: 3fe9620d-d913-11de-8a55-00242cbe9d84

I ran every application I had that would point me in a direction of figuring out what was causing it and found nothing.  I decided to go through the 34 updates I had applied the day before and found an issue finally.  One of the updates was forcing the CEIP to execute.  *Dear Microsoft, why place something like this in an OS when you know it causes problems?*

The cause of the Windows Explorer crash is the SQM Client, which is part of the Customer Experience Improvement Program (CEIP).  Under the default setting, where the MachineThrottling value is present in the registry, any call to WinSqmStartSession in ntdll.dll will cause Explorer to crash, or a Windows Installer installation to fail.

So instead of waiting for a hotfix or an update from Microsoft, delete the MachineThrottling value from the registry.  It lives under the following key: HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions

*NOTE*  If you do not know what you are doing within the registry, stop and do not proceed.  Ask someone for help that knows what they are doing and can recover your registry if a failure occurs.

To make it easy you can put the following command in a little batch file.  Run it from an elevated command prompt, since the key is under HKLM:
reg delete HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions /v MachineThrottling /f

Once the value is gone, right-click on your file or icon and you should be good to go.
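As an added example (not from the original post), the PowerShell script below does the same removal with the safeguards the registry warning above asks for: it confirms the symptom in the Application log (the message quoted above is logged as Event ID 1002 from the "Application Hang" source), exports the key before touching it, removes only the one value and only if it exists, and verifies afterwards.  The key and value names are the ones given in the post; the backup file location is an assumption.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt.
# Key and value names are the ones given in the post; the backup path is an assumption.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions'
$regPath   = 'HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions'   # same key, reg.exe syntax
$valueName = 'MachineThrottling'
$backup    = Join-Path $env:SystemDrive 'SQMClient-DisabledSessions.reg'    # assumed backup location

# 1. Confirm the symptom: recent Application Hang events (ID 1002) naming Explorer.EXE.
$hangs = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Hang'; Id = 1002 } `
                      -MaxEvents 50 -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match 'Explorer\.EXE' }
Write-Host ("Explorer hang events among the last 50 Application Hang entries: {0}" -f @($hangs).Count)

# 2. Nothing to do if the key or the value is absent.
if (-not (Test-Path $keyPath)) {
    Write-Host "Key $keyPath not present; nothing to change."
}
elseif ($null -eq (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue)) {
    Write-Host "$valueName is not set under $keyPath; nothing to change."
}
else {
    # 3. Back up the key first so the change can be undone with:  reg import <backup file>
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $backup failed; leaving the registry untouched." }

    # 4. Remove only the one value, not the whole key.
    $before = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    Remove-ItemProperty -Path $keyPath -Name $valueName
    Write-Host "Removed $valueName (was $before); backup written to $backup"

    # 5. Verify the removal actually happened (it silently fails when not elevated).
    if ($null -eq (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue)) {
        Write-Host 'OK: value is gone. Restart Explorer (or log off and on) and retry the right-click.'
    } else {
        Write-Warning "$valueName is still present; check that the prompt is elevated."
    }
}
```

If the hang count is zero and the value is absent, the machine is not hitting this particular bug, and the script changes nothing.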

posted by: Myke Reinhold

Microsoft Outlook NK2 file location

Going back to an old school issue.  What do you do when you switch out an end user’s computer and they freak out because all of their auto fill addresses in outlook are no longer there?  Easy, switch over their .nk2 file to the new computer and call it a day.

Do you miss the convenience of Outlook automatically completing people’s names as you begin to type them on your new computer? Are you upgrading to a new computer and don’t want to lose all the names stored in your Outlook AutoComplete feature? Wouldn’t it be nice if Outlook installed on your new computer just “remembered” the names and filled them in for you?

Automatically complete e-mail addresses

You can copy the names in AutoComplete from your old computer to your new one.

Copy the names in AutoComplete to another computer

Important  You must exit Outlook before starting the following procedure. The names will be included in AutoComplete when you restart Outlook.

  1. On the computer with the saved AutoComplete names, go to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook.
     Note  Depending on your file settings, this folder might be hidden. To view the files in this folder, do one of the following:

    Microsoft Windows XP

    1. Click Start, and then click My Computer.
    2. On the Tools menu, click Folder Options.
    3. Click the View tab, and then, under Advanced settings, under Hidden files and folders, click Show hidden files and folders.

    Microsoft Windows 2000

    1. Double-click My Computer on your desktop.
    2. On the Tools menu, click Folder Options.
    3. Click the View tab, and then click Show hidden files and folders.

  2. Right-click profile name.nk2, and then click Copy.
     Tip  You can copy the file to removable media, such as a floppy disk or a CD, and then copy the file to the correct location on the other computer. Or you can attach the file to an e-mail message and send the message to yourself. On the new computer, open the attachment in Outlook, and then save it to the correct location.
  3. On the computer where you want to populate the AutoComplete feature, copy the file to drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook.
  4. If the Outlook user profile name is different on the computer where you are moving the .nk2 file, you must rename the file with the same Outlook user profile name after you copy it to the correct folder. For example, if you move Kim Akers.nk2 from the original computer with an Outlook user profile name of Kim Akers, and you copy the Kim Akers.nk2 file to the new computer, you must rename it with the Outlook profile name being used on the new computer.
  5. When prompted about replacing the existing file, click Yes.
  6. Open Outlook to view changes.

source: Microsoft Office Online
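As an added example, not from the original post or from Microsoft's article, the PowerShell script below does the copy in one step and adds the two checks the procedure depends on: Outlook is closed (it rewrites the .nk2 on exit and would overwrite the copy), and whatever file is already in the target folder is backed up before it is replaced.  The source folder, the profile names and the target path are assumptions; the target defaults to %APPDATA%\Microsoft\Outlook, which is the Application Data\Microsoft\Outlook folder named in step 1.

```powershell
# Added example, not from the original post or from Microsoft's article.
# Copies an Outlook AutoComplete (.nk2) file into the new profile folder, renaming it to the
# target Outlook profile name and keeping a backup of any file it replaces.
# $SourceFolder, $SourceProfile and $TargetProfile are assumptions; adjust them for your move.
param(
    [string]$SourceFolder  = 'D:\Migration\Outlook',                       # assumed: folder copied off the old PC
    [string]$SourceProfile = 'Kim Akers',                                  # profile name on the old PC (example from the post)
    [string]$TargetProfile = 'Outlook',                                    # assumed: profile name on the new PC
    [string]$TargetFolder  = (Join-Path $env:APPDATA 'Microsoft\Outlook')  # = ...\Application Data\Microsoft\Outlook
)

# Refuse to run while Outlook is open: it rewrites the .nk2 on exit and would clobber the copy.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw 'Close Outlook before copying the .nk2 file.'
}

$src = Join-Path $SourceFolder "$SourceProfile.nk2"
if (-not (Test-Path $src)) { throw "Source file not found: $src" }

if (-not (Test-Path $TargetFolder)) { New-Item -ItemType Directory -Path $TargetFolder | Out-Null }
$dst = Join-Path $TargetFolder "$TargetProfile.nk2"   # step 4: file name must match the new profile name

# Keep whatever is already there so the change can be reversed (step 5 would otherwise overwrite it).
if (Test-Path $dst) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item $dst "$dst.$stamp.bak"
    Write-Host "Existing $dst backed up to $dst.$stamp.bak"
}

Copy-Item $src $dst -Force
Write-Host "Copied $src -> $dst ($((Get-Item $dst).Length) bytes). Start Outlook to pick up the names."
```

Save it as a .ps1 and call it with the real folder and profile names, e.g. pointing -SourceFolder at an admin share on the old machine.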

Make a mapped drive available offline

As simple and easy as this task is, we received about 10 emails over the last 2 weeks asking, “I have my users set up to use a mapped drive for their personal data stored on the network.  How can I make that available to them while they are not on the network?”

Easy, open up My Computer and right-click on the mapped drive and select “Make available offline”.  That’s it.  Once the wizard pops up you can detail what you want the offline files to do and once you complete the wizard, it will begin the sync of the files to the local PC.  You are now done.  Cheers.

GFI Backup 2009 Home Edition - FREE

GFI has released a fully functional free version of their backup software.  It works great compared to NT Backup, and you can even back up to a remote location such as an FTP site (keep in mind that FTP sends credentials and data in the clear, so use the built-in AES encryption if the backup leaves your own network).  The best thing about the backups is that they are stored as ZIP files rather than a proprietary format.  This means you can restore your backup files anywhere, from any machine.

GFI note:
To assist home PC users in these troubled economic times and to help them understand the importance of data backups, GFI Software is offering for free its newly-developed backup and recovery software GFI Backup 2009.

GFI Backup 2009 will allow all home PC users to keep regular and updated copies of their precious memories in the form of pictures, video, and other files and safeguard their data in case something goes wrong.

Loss of data for individuals can be heartbreaking as memories, personal documents and important files are lost due to hard disk failure or a virus attack. With this free software, we are assisting people to be better prepared, especially when they are trying to cut costs wherever possible. Because we care!

GFI Backup 2009 is an easy-to-use backup and recovery software solution that allows users to backup all their important files and, when-needed, recover the data within minutes using the product’s wizard-driven interface. GFI Backup 2009 does not use a proprietary format; all data is saved to common ZIP files. This makes it easy to restore data to a computer that may not have GFI Backup installed on it.

Data can be stored on virtually any storage device available such as internal or external hard disks, on local area network (LAN) locations, CD/DVD media, removable media devices (USB sticks, memory sticks, flash memory, floppy disks, ZIP disks, JAZ, etc.) and remote locations using FTP with upload auto-resume. Data can also be protected with military-strength 256-bit AES strong encryption.

Download your free copy of GFI Backup 2009 from here:
http://www.gfi.com/downloads/register.aspx?pid=bkuphm&lid=en

For more information about GFI Backup and its features visit:
http://www.gfi.com/backup-hm/

Conficker C worm - do you have it?

There is a ton of buzz all over the media world about this worm, what it will do and how to tell if you have it.  As complex as this worm is, it is also very simple to determine whether you have it or not.

Step 1 - If you have Automatic Updates turned on, check to see whether it is now turned off.  The reason is that this worm turns off updates to protect itself.

Step 2 - Manually run Microsoft Updates.  If you can run updates manually on your computer then you are okay.  This worm will actually prevent you from connecting to the update sites.
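As an added example (not from the original post), the PowerShell script below automates the two checks above on a machine you cannot sit in front of: is the Automatic Updates service stopped or disabled, and do the Microsoft update sites still resolve?  It compares the update sites against a control host so that "DNS is down" can be told apart from "only the update sites are blocked".  The extra service names are ones Conficker is known to stop alongside Automatic Updates; the host names are assumptions.  A failed check is a reason to investigate, not proof of infection, since a proxy or firewall can produce the same result.

```powershell
# Added example, not from the original post. Automates the two checks in the post plus a few
# related ones. Service names besides wuauserv are ones Conficker is known to stop; the host
# names are assumptions. Failing checks mean "investigate", not "infected".
$services    = 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc'
$updateHosts = 'update.microsoft.com', 'windowsupdate.microsoft.com'
$controlHost = 'example.com'   # assumed reachable host, used to separate a general DNS outage from targeted blocking

$findings = @()

# Check 1: is Automatic Updates (or one of its neighbours) stopped or disabled?
foreach ($name in $services) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { continue }   # service not present on this Windows version
    if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        $findings += "Service $name is $($svc.State) (start mode $($svc.StartMode))"
    }
}

# Check 2: can the update sites still be resolved? (.NET call, so it works on PowerShell 2.0 / XP.)
function Test-Resolves([string]$hostName) {
    try { [void][System.Net.Dns]::GetHostAddresses($hostName); $true } catch { $false }
}
$controlOk = Test-Resolves $controlHost
foreach ($h in $updateHosts) {
    if (-not (Test-Resolves $h)) {
        if ($controlOk) { $findings += "$h does not resolve while $controlHost does: update sites appear to be blocked" }
        else            { $findings += "$h does not resolve, but neither does $controlHost: general DNS problem" }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'Automatic Updates is running and the update sites resolve: no Conficker indicators from these checks.'
} else {
    Write-Warning 'Indicators found:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it from an elevated prompt on the suspect machine; a clean result here still does not replace a scan with current anti-virus definitions.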

Now that we know how to check for it, how do you prevent it.  Very simple.  Keep your computer updated and make sure your anti-virus software is running and current.

What do you do if you have this worm?  You will want to contact your anti-virus software vendor and see if they can help you out.  If not, and they want to charge you an arm and a leg, give it a go yourself.  There are a couple of very easy-to-use, free tools you can use to remove it, but it will take some patience.

Now that you have a couple of removal tools, start running them and cleaning.  A great tip is to update both pieces of software first and then run them from Safe Mode with your computer disconnected from the network/Internet.

Good luck and happy hunting, so to speak.

Windows 7 - What you should know

With the upcoming release of Windows 7, there is a lot of anticipation and a lot of haters that claim we can expect another failure.  Now we personally do not feel that Vista was a failure in IT eyes, but as a consumer with moderate to no IT knowledge it was a bust.  We have been playing with Windows 7 for some time now and have been pretty impressed, to say the least (Travis's take on Windows 7).  With that, we felt like we should let you know what to expect with Windows 7.  There has been quite a bit of hype from Microsoft and others, but what can the average IT person and moderate end user expect?  Improved task bar, jump lists, Internet Explorer 8, Windows Live, better device management and HomeGroup are the main features to look at.  But in the end we have put together a list of the ten things that you should know about Windows 7.

Application compatibility- The Windows Vista operating system introduced architectural changes down to the kernel level that made the OS inherently more secure than Windows XP. However, this came at a cost; many applications needed modification to function properly in a Windows Vista environment. While at this point in the life-cycle of Windows Vista (post Service Pack 1) most applications are now compatible, deploying Windows Vista into the desktop environment early on required some “heavy lifting” and creative shimming—not to mention a few late nights.  Windows 7 is built on the same basic architecture as Windows Vista, so most applications will retain their compatibility between these operating systems. This alone will make adopting Windows 7 much less challenging than migrating from Windows XP to Windows Vista. If your organization is like many that are still standardized on Windows XP, you will need to transition to updated versions of your key applications, but the availability of Windows Vista–compatible versions and well-proven shims will make this task more manageable.

Hardware compatibility and requirements- Much like the application compatibility issues, adopting Windows Vista early-on was a challenge because of the higher system requirements—such as RAM and graphics.  On the flip side, Windows Vista provides manageability and security that just isn’t available on Windows XP, and with more capable hardware, Windows Vista is able to perform a number of useful functions that improve productivity (such as Windows Search 4 and the Windows Aero desktop experience) and increase PC responsiveness (the ReadyBoost technology launches applications more quickly by maintaining a portion of frequently used applications in memory).  Windows 7 was designed to perform well on the same hardware that runs Windows Vista well, while delivering additional performance and reliability improvements. The design team for Windows 7 had a specific focus on the fundamentals—as well as maintaining compatibility with existing applications and hardware. In operation, you will find that Windows 7 boots faster and has a smaller memory footprint than Windows Vista.

 Best relationship with Server 2008- One of the key benefits of the modern operating system is that Windows 7 and the Windows Server 2008 operating system share a common code base, and are maintained with a single servicing model. This servicing model means updates and security updates are shared across both client PCs and servers, simplifying the process of maintaining an up-to-date infrastructure.  In addition, environments with both Windows Server 2008 and Windows 7 unlock capabilities that extend functionality and help ensure a more secure environment. One example is DirectAccess, which allows management and updating of remote mobile PCs that are connected to the Internet, even when they are not connected to the corporate network. This capability helps ensure that remote users receive security patches on a timely basis, and allows IT to update configuration setting via Group Policy. For the end user, DirectAccess allows access to locations on the corporate network without using a virtual private network (VPN) connection. (In addition to Windows Server 2008 R2, DirectAccess requires IPSec and IPv6 implementation.)

Data encryption extended to removable media- News reports are rife with stories about companies losing control over sensitive information. In some industries, this is an issue with grave legal implications, while in other situations the issue is inconvenience. Regardless, smart compliance policy dictates that sensitive information be safeguarded in the event of a lost or stolen laptop. Further, preventing sensitive information from being removed from corporate resources is a pillar of effective compliance management.  Windows 7 includes BitLocker technology, first implemented in Windows Vista, which now provides full encryption of all boot volumes on a PC; along with introducing BitLocker To Go that offers data protection on portable storage, such as USB flash drives. In addition, BitLocker Drive Encryption and BitLocker To Go can be managed via Group Policy, placing more control over sensitive information in the hands of the professionals.

AppLocker- Windows 7 features AppLocker, a new capability that allows IT administrators to specify which applications are permitted to run on a laptop or desktop PC. This capability helps you manage license compliance and control access to sensitive programs, but also, importantly, it helps reduce the opportunity for malware to run on client PCs. AppLocker provides a powerful rule-based structure for specifying which applications can run, and includes “publisher rules” that keep the rules intact through version updates, because they match on the signer and product rather than on a file hash.  To see how AppLocker is set up and managed, click here for a screencast demonstration.
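As an added example (not from the original article or from Microsoft), the PowerShell script below uses the AppLocker cmdlets that ship with Windows 7 to build publisher rules from the signed executables in one application folder, falling back to hash rules for unsigned files, and then dry-runs a file against the resulting policy before anything is enforced.  The application folder and the test file path are assumptions.

```powershell
# Added example, not from the original article. Builds an AppLocker policy from the signed
# executables in one folder (publisher rules, hash rules for unsigned files) and tests a
# file against it before deployment. Needs Windows 7 Enterprise/Ultimate; run elevated.
Import-Module AppLocker

$appFolder = 'C:\Program Files\Contoso Client'      # assumed: the application you want to allow
$policyXml = Join-Path $env:TEMP 'contoso-applocker.xml'
$candidate = 'C:\Users\Public\Downloads\setup.exe'  # assumed: a file to check against the policy

# Collect signer/product/hash information for every .exe and .dll in the folder.
$fileInfo = Get-ChildItem -Path $appFolder -Recurse -Include *.exe, *.dll |
            Get-AppLockerFileInformation

# Publisher rules survive version updates because they match on signer and product name, not on
# the file hash. -Optimize folds per-file rules into one rule per publisher/product where it can.
New-AppLockerPolicy -FileInformation $fileInfo `
                    -RuleType Publisher, Hash `
                    -RuleNamePrefix 'Contoso' `
                    -User 'Everyone' `
                    -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

Write-Host "Policy written to $policyXml. Rules generated:"
Get-Content $policyXml | Select-String 'FilePublisherRule |FileHashRule ' | ForEach-Object { $_.Line.Trim() }

# Dry run: would this file be allowed or denied under the new policy?
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidate -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# When the decisions look right, apply with:
#   Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
# and make sure the Application Identity service (AppIDSvc) is running, or nothing is enforced.
```

The policy this produces contains only allow rules for the one application; before switching the rule collection to enforce, add the default rules (or your own) for the Windows and Program Files folders, or every other executable on the machine will be blocked.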

Scripting with PowerShell 2.0- To help IT administrators better maintain a consistent environment and improve personal productivity, Windows 7 includes Windows PowerShell 2.0, a powerful, complete scripting language that supports branching, looping, functions, debugging, exception handling, and internationalization, together with a graphical scripting editor.

  • PowerShell 2.0 has an intuitive, graphical user interface that helps make script generation easier, especially for administrators who are not comfortable in command-line environments.
  • PowerShell 2.0 supports two types of remoting—fan-out, which delivers management scripts on a one-to-many basis, and one-to-one interactive remoting to support troubleshooting of a specific machine. You can also use the PowerShell Restricted Shell to limit commands and command parameters to system administrators, and to restrict scripts to those who have been granted rights.
  • PowerShell 2.0, with the Group Policy Management Console (available as a separate download), allows IT professionals to use scripting to manage Group Policy Objects and to create or edit registry-based group policy settings in Windows 7. Similarly, you can use PowerShell to configure PCs more efficiently, using richer logon, logoff, startup, and shutdown scripts that are executed through Group Policy.

Click here to take a quick tour of PowerShell 2.0.

Troubleshooting made easier - Windows 7 provides rich tools to identify and resolve technical issues, often by the end users themselves. If a help desk call is unavoidable, Windows 7 includes several features and troubleshooting tools to help speed resolution.

  • The Problem Steps Recorder allows end users to reproduce and record their experience with an application failure, with each step recorded as a screen shot along with accompanying logs and software configuration data. A compressed file is then created that can be forwarded to support staff to help troubleshoot the problem.
  • Windows 7 includes a suite of troubleshooting packs, collections of PowerShell scripts, and related information that can be executed remotely by IT professionals from the command line, and controlled on the enterprise basis through Group Policy Settings.
  • Windows 7 also includes Unified Tracing to help identify and resolve network connectivity issues in a single tool. Unified Tracing collects event logs and captures packets across all layers of the networking stack, providing an integrated view into what’s happening in the Windows 7 networking stack and aiding analysis and problem resolution.

Deployment image servicing and management- Windows 7 includes several tools to streamline the creation and servicing of the deployment image, and to get users up and running as quickly as possible.  The Deployment Image Servicing and Management (DISM) tool in Windows 7 provides a central place to build and service Windows images offline. With DISM, you can perform many functions with one tool: mount and unmount system images; add, remove, and enumerate packages and drivers; enable or disable Windows features; configure international settings; and maintain an inventory of offline images that contain drivers, packages, features, and software updates. Windows 7 also enables the same processes and tools to be used when managing virtual machine (VHD) and native file-based (WIM) image files.  Windows 7 also includes Dynamic Driver Provisioning, where device drivers are stored independent of the deployed image and can be injected dynamically based on the Plug and Play ID of the hardware, or as predetermined sets based on information contained in the basic input/output system (BIOS). Reducing the number of drivers on individual machines reduces the number of potential conflicts, ultimately minimizing setup time and improving the reliability of the PC.  When you are ready to deploy Windows 7, Multicast Multiple Stream Transfer enables servers to “broadcast” image data to multiple clients simultaneously, and to group clients with similar bandwidth capabilities into network streams to permit the fastest possible overall transfer rate while optimizing bandwidth utilization.  Watch a screencast demonstration of the deployment tools for Windows 7 here.

User state migration tool- Windows 7 includes enhancements to the User State Migration Tool (USMT), a command-line tool that you use to migrate operating system settings, files, and other user profile data from one PC to another. In Windows 7, USMT adds a hardlink migration feature for computer refresh scenarios, a capability that stores user data and settings in a common place on a drive, eliminating the need to “physically” move the files during a clean install.

BranchCache- Windows 7 introduces BranchCache, a technology that caches frequently accessed content from remote file and Web servers in the branch location, so users can access this information more quickly. The cache can be hosted centrally on a server in the branch location, or can be distributed across user PCs. One caveat: to take advantage of BranchCache, you will need to deploy Windows Server 2008 R2 on the related servers.

I would like to thank Microsoft for the information within this article.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, this document should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Microsoft Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not provide the reader any license to the patents, trademarks, copyrights, or other intellectual property rights except as expressly provided in any written license agreement from Microsoft Corporation.

Microsoft does not make any representation or warranty regarding specifications in this document or any product or item developed based on this document. Microsoft disclaims all express and implied warranties, including but not limited to the implied warranties or merchantability, fitness for a particular purpose, and freedom from infringement. Without limiting the generality of the foregoing, Microsoft does not make any warranty of any kind that any item developed based on these specifications, or any portion of a specification, will not infringe any copyright, patent, trade secret, or other intellectual property right of any person or entity in any country. It is your responsibility to seek licenses for such intellectual property rights where appropriate. Microsoft shall not be liable for any damages arising out of or in connection with the use of these specifications, including liability for lost profit, business interruption, or any other damages whatsoever. Some states do not allow the exclusion or limitation of liability or consequential or incidental damages; the above limitation may not apply to you.

Microsoft, Aero, AppLocker, BitLocker, BranchCache, PowerShell, ReadyBoost, Windows, Windows Server, and Windows Vista are either trademarks or registered trademarks in the United States and/or other countries.

posted by: Myke Reinhold
information credit: Microsoft Corporation

Hard drive death is coming

So you know that your hard drive will die sooner or later, but how do you proactively figure that out?  Magic 8-ball used to be the best method but as of recently we can do a much better job.

The standard IDE/SATA hard drive today is still the most mechanical piece of equipment sitting in your present day PC. And this will continue to be the case until solid state drives become much cheaper and much more compatible for present day hardware. The most unfortunate part of the problems with these drives, is how incredibly critical they are to the state of your computer. A hard drive failure means a dead computer - unless you are lucky enough to be running in some type of RAID environment, which most home users won’t be.

So those of us here at Homerun decided maybe we should put together a list of tools to help everyone else out who would like a better Magic 8-ball.  Below you will see our four choices and a brief description of each tool.  One thing to remember: these are Windows-based tools and they are to be used at YOUR own risk, not ours.  :-)
Crystal Disk Info

CrystalDiskInfo is a S.M.A.R.T.-based utility that supports not only internal drives but USB and IEEE 1394 (FireWire) drives as well. It displays an incredible amount of simple and advanced disk information, including temperature readings, read/write error counts and power management settings, and it can stay running in the background to monitor the drive around the clock.

General Drive Info

Advanced Diag of your drive

HD Tune

HD Tune is a much simpler hard drive scanning utility. It has benchmarking and advanced SMART diagnostics similar to CrystalDiskInfo, plus an error-scanning utility much like the Windows one, except that it can be run in real time. It also includes real-time temperature monitoring.

Benchmarking

Disk Scanning

HDD Health

HDD Health is another similar product. It includes temperature and real-time monitoring, plus a health indicator that is simply a percentage and nothing more. It does include the same advanced SMART diagnostics as the other utilities as well.

General Information

Extended Drive Information

HDD Scan

HDD Scan not only includes the SMART diagnostics but other disk utilities as well. It offers several advanced testing modes, such as linear read, write and erase surface tests. In comparison to the other products, HDD Scan might get you the most bang for the free buck.

Various HDD Scan Tools

Available Surface Tests

Manufacturer Specific Products

Some people might trust products designated for their specific hard drive more than any other. So I've provided a list of all the major manufacturers with a link to their diagnostic tools. A few of these may even support other manufacturers' drives.

Fujitsu - Supports all forms of internal connection and is capable of doing in depth surface and diagnostic testing.

Hitachi - Several diagnostic tools for Hitachi drives. Analyze, optimize and protect your drive from failure.

Samsung - The Samsung utility will only work with Samsung drives and is an offline bootable disk that can be run no matter what state your drive is in.

Seagate/Maxtor - The Seagate tools, also known as SeaTools, are Windows-specific tools that can quickly and comprehensively determine the state of your present Seagate or Maxtor hard drive.

Western Digital - In order to determine the appropriate tools, you'll first have to select your specific product and browse to a compatible ‘Data Lifeguard Diagnostic Tools’ download. Thorough test and repair utilities for Western Digital drives.

All of the tools above may or may not be able to resolve serious disk errors on your drive. But if you are worried about the state of your current HDD and you'd like to confirm it, these tools will help you do so. They should prompt you to begin transferring or backing up your data on a regular basis before the inevitable happens. Play with each of the tools, and find the one that best suits your situation.
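As an added example (not from the original post), the PowerShell script below reads the drive's own S.M.A.R.T. failure-prediction flag through WMI, which is the same bit the tools above display in their health summary, so the check can run from a scheduled task on every PC without installing anything.  It only sees internal drives whose controller exposes SMART to Windows; USB and FireWire enclosures usually do not, and the script reports those as "SMART not exposed" rather than "OK".

```powershell
# Added example, not from the original post. Lists each physical disk with Windows' own status
# and the SMART PredictFailure flag from the storage driver. Run elevated; exits non-zero when
# any drive predicts failure, so it can be used from a scheduled task.
$drives = Get-WmiObject -Class Win32_DiskDrive
$smart  = @{}
Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
    ForEach-Object { $smart[$_.InstanceName] = $_ }

$report = foreach ($d in $drives) {
    # The storage-driver instance name is the disk's PNP device ID with "_0" appended; match on the prefix.
    $key = $smart.Keys | Where-Object { $_ -like "$($d.PNPDeviceID)*" } | Select-Object -First 1
    $status = if ($key) {
        if ($smart[$key].PredictFailure) { 'FAILURE PREDICTED - back up now' } else { 'OK' }
    } else { 'SMART not exposed' }
    New-Object PSObject -Property @{
        Model        = $d.Model
        Interface    = $d.InterfaceType
        SizeGB       = [math]::Round($d.Size / 1GB, 1)
        WindowsState = $d.Status          # 'OK', 'Pred Fail', 'Error', ...
        SMART        = $status
    }
}

$report | Format-Table Model, Interface, SizeGB, WindowsState, SMART -AutoSize

# Non-zero exit for scheduled jobs and monitoring agents.
if ($report | Where-Object { $_.SMART -like 'FAILURE*' -or $_.WindowsState -ne 'OK' }) { exit 1 }
```

The PredictFailure flag is the drive firmware's own verdict and only flips late; the per-attribute counters the tools above show (reallocated sectors, pending sectors) usually climb well before it does, so use this as a floor, not a substitute.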

Lexmark Trojan - lx_Cats?

If you are the proud owner of any Lexmark product you may wonder why you have a program called lx_Cats on your PC.  Well after further investigation and tracking what this file does, it is Spyware.

A user calling himself “Commander” has posted to the printer-focused Usenet group, comp.periphs.printers, that:

“Just the other day I purchased a new Lexmark X5250 All-in-one printer. I installed it as per the instructions and monitored the install with Norton as I do with all new software.

On reviewing the install log I noticed a program called Lx_CATS had been placed in the c:\program files directory. I investigated and found a data log and an initialisation file called Lx_CATS.ini. Further investigation of this file showed that Lexmark had, without my permission, loaded a Trojan backdoor on to my computer. Furthermore, it is embedded into the system registry, so average users would likely never know it was there and active.”

Commander noticed that the spyware was programmed to surreptitiously report back to a URL, www.lxkcc1.com, every thirty days. lxkcc1.com is registered to Lexmark International, Inc..

When Commander called Lexmark to demand an explanation, the company first denied that they had installed any spyware at all. Ultimately the person with whom he spoke conceded that Lexmark installs “tracking software” on their users’ computers“to report back on printer and cartridge use for survey purposes.” While the Lexmark representative avowed that they did not transmit any personal information, they also admitted that the program does transmit the printer’s serial number, which of course is registered to the user. No personal information my foot!

Rumours of the installation of spyware along with their printer software have swirled around Lexmark for several years, and posts to Usenet complaining of Lexmark spyware date from as early as 2001. Some users complain of their computer trying to connect to the Internet every time they print a document; others worry that the program is reporting not only their cartridge usage, but whether they are using non-Lexmark cartridges, or even refilling their own cartridges, thus possibly setting the stage for a denial of warranty service.

According to “Commander”, the offending files include a program file called lx_CATS, a related .ini file, lx_CATS.ini, and two DLL files in the c:\program files\lexmark500 folder.

In order to remove Lexmark’s spyware from your system, delete the file (probably in your c:\program files directory) called “lx_cats.exe”, and also search for and remove a file called “lx_cats.ini” (and, for that matter, any other file including the term “lx_cats”).

Nice job Lexmark…really.

posted by: Myke Reinhold

Hong Kong strikes again

Starting Wednesday December 3rd of 2008, some very nice little script kitties decided to bomb the world with some very nice fun-filled SPAM/Virus/Malware/Spyware/Adware.  You may or may not have seen these e-mails yet.  They claim to be from McDonald’s, Coca-Cola and Hallmark. As you can venture to guess, they are not.  They are full of all kinds of good little toys for end users to play with and help make the life of an IT person fun.

So what can you do if your end user opens one of these emails?  If you have a solid anti-virus product (NOT McAFEE) on your network and on your local machines, you should be sitting very pretty.  But let’s say, for grins, you use McAfee or nothing at all, which is pretty much the same thing.  You will have some cleaning to do to get rid of your annoying pests.

If you want to just fix the issue, scroll down to the solution; for everyone else, we will now try to explain the issue.  The e-mails that were sent out contained a few different types of virus files.  They carried the ever-infamous Virtumonde (Vundo) and VirTool:Win32/CeeInject.gen!J (as named by Microsoft).

The Vundo family of Trojans is one of the most common infections we find on users’ computers. This infection can cause popups that include advertisements for rogue anti-spyware programs. Some common rogue antispyware programs that are advertised include WinFixer, SysProtect and WinAntiSpyware. Users are normally targeted with false positives, fake alerts, and warnings of infections on their computer. An example of this type of misleading advertisement would be popups alerting users that they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited, so first make sure that your Java software is fully up to date. This infection is normally detected by users receiving popups when they use the Internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer.

The Vundo infection has evolved over time to include harder and harder protection methods so that it cannot be easily removed. These methods are random names, random autorun locations, random CLSIDs, and rootkits to hide these locations from removal tools. Due to this, specialized tools have been created in order to target this specific infection and remove it. The following guide will explain how to use the tool, and hopefully rid your system of this malware.

VirTool:Win32/CeeInject.gen!J is a mass-mailing worm that also spreads through removable media using autorun.inf, and by copying itself to the shared folders of Peer-2-Peer applications.

Upon execution, this worm displays a decoy picture so that the user believes it is a harmless image file.

Meanwhile, the worm connects to “Whatismyip.com” to get the victim’s IP address.

Depending on the variant, it then copies itself to the following locations:

  • %WinDir%\system32\vxworks.exe or
  • %WinDir%\system32\daemon.exe 

It injects itself into multiple running processes.

Depending on the variant, it drops one or more of the following malicious files:

  • %WinDir%\system32\qnx.exe
  • %WinDir%\system32\awtustsr.dll
  • %WinDir%\system32\ddcBTLfd.dll
  • %WinDir%\system32\efcDTLEX.dll
  • %WinDir%\system32\kvslgsfk.dll

Some variants create a new task to run one of the dropped DLLs in the following location:

  • %WinDir%\Tasks\dgzqcscz.job

Some variants then launch an instance of iexplore.exe in the background and use it to log keystrokes to a file at the following location.

  • %WinDir%\drm.ocx

This instance of iexplore.exe communicates with ip-68-226-[removed]-235.tc.ph.cox.net

Certain variants also download the following malicious dlls:

  • APSTPLDR.DLL from http://www.zylon.net/[blocked]
  • kb600179.dll from 82.98.235.65

This worm spreads by copying itself into any removable media connected to the system and creates an “autorun.inf” file to execute itself whenever the device is connected to another system.

It also has mass-mailing capabilities. The worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the system.

It uses the following “Subject”, “Attachment Name” and “From address” combinations for these E-mails.

Subject of E-mail                                           | Attachment name | From Address
------------------------------------------------------------|-----------------|------------------------
You’ve received A Hallmark E-Card!                          | postcard.zip    | postcards@hallmark.com
Coca Cola is proud to announce our new Christmas Promotion. | promotion.zip   | noreply@coca-cola.com
Mcdonalds wishes you Merry Christmas!                       | coupon.zip      | giveaway@mcdonalds.com


Some variants create SMTP connections to a number of external mail servers on various outbound ports.


This worm also spreads by copying itself into the shared folders of Peer-2-Peer applications under file names chosen to look like popular applications and their cracks/keygens.


It also injects malicious code into explorer.exe and opens a backdoor by connecting to the following domain:

  • web1.ser[removed].org

The backdoor has the following functions:

  • restart/shutdown computer
  • start/stop services
  • start/stop keylogger
  • download/upload files
  • create/terminate/list process
  • perform port scanning
  • modify host file
  • spread itself by instant messenger
  • gather passwords that firefox, internet explorer saved
  • gather account information of instant messenger (msn,yahoo,miranda,aim)

Registry changes may vary according to the variant.

The following registry keys are added:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtustsr

The following registry values are created to load the worm at system startup.

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run “QnX”
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “QnX”
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} “StubPath”
      Data: “%WinDir%\system32\qnx.exe”
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Wind River Systems”
      Data: %WinDir%\system32\vxworks.exe

It adds the following registry entries as part of its payload.

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures”
      Data: no
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper “bsd”
      Data: 03
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper “free”
      Data: 12
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes”
      Data: .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Daemon Tools”
      Data: %WinDir%\system32\daemon.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “e887a2ae”
      Data: rundll32.exe “%WinDir%\system32\kvslgsfk.dll”,b

It adds the following registry values to put itself on the firewall’s authorised applications list.

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\vxworks.exe”
      Data: %WinDir%\system32\vxworks.exe:*:Enabled:Explorer
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\daemon.exe”
      Data: %WinDir%\system32\daemon.exe:*:Enabled:Explorer

The following registry values are modified.

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures”
      Old data: yes
      New data: 01, 00, 00, 00
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden”
      Old data: 00, 00, 00, 00
      New data: 01, 00, 00, 00

Symptoms

  • Network activity on TCP port 25 due to e-mails being sent by the worm.
  • Presence of the files and registry entries mentioned above.
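To check for the registry side of these symptoms without clicking through regedit, the following added example (written for this page, not code from the original post or any of the credited sources) parses a registry export produced with regedit or `reg export` and flags the autostart, firewall and Internet Explorer policy entries listed above. The embedded export is constructed to mirror those entries plus one benign Run value and is not a capture from a real infection.

```python
import re
from pathlib import PureWindowsPath

# File names the worm drops or copies itself to, taken from the writeup above.
WORM_FILES = {"qnx.exe", "vxworks.exe", "daemon.exe",
              "awtustsr.dll", "ddcbtlfd.dll", "efcdtlex.dll", "kvslgsfk.dll"}

def parse_reg_export(text):
    """Yield (key, value_name, data) from a .reg export; REG_SZ data is unescaped, other types kept raw."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, rest = line[1:].partition('"=')
            if rest.startswith('"') and rest.endswith('"'):  # quoted string (REG_SZ)
                rest = rest[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, rest

def _binary_names_in(data):
    return {PureWindowsPath(p).name.lower()
            for p in re.findall(r'[%\w:\\.\-]+\.(?:exe|dll)', data, re.I)}

def find_indicators(text):
    """Return (key, value_name, reason) for entries matching the worm's registry changes."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        bins = _binary_names_in(data)
        # Run keys, Winlogon Notify packages and Active Setup StubPath are the autostarts it uses.
        autostart = k.endswith("\\run") or "\\winlogon\\notify\\" in k or n == "stubpath"
        if autostart and bins & WORM_FILES:
            findings.append((key, name, "autostart entry loads a file the worm drops"))
        # Firewall exception registered as 'Explorer' but pointing at some other binary.
        if "\\authorizedapplications\\list" in k and d.endswith(":enabled:explorer") and "explorer.exe" not in bins:
            findings.append((key, name, "firewall exception labelled Explorer for another binary"))
        if n == "lowriskfiletypes" and ".exe" in d:
            findings.append((key, name, ".exe added to LowRiskFileTypes (download warning suppressed)"))
        if n == "checkexesignatures" and d != "yes":
            findings.append((key, name, "CheckExeSignatures changed away from 'yes'"))
    return findings

# Constructed sample export mirroring the entries above, plus one benign Run value (ctfmon).
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="%WinDir%\\system32\\vxworks.exe"
"e887a2ae"="rundll32.exe \"%WinDir%\\system32\\kvslgsfk.dll\",b"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\vxworks.exe"="%WinDir%\\system32\\vxworks.exe:*:Enabled:Explorer"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"=hex:01,00,00,00
'''
```

Running `find_indicators` over the sample flags the two worm Run values, the firewall exception, the LowRiskFileTypes change and the CheckExeSignatures change, and leaves the benign ctfmon entry alone.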

Method of Infection

  • This worm spreads by harvesting e-mail addresses on the infected system and e-mailing a copy of itself to these addresses.
  • This worm also spreads by copying itself to removable media.

REMOVAL

So to rid yourself of this stupid little “end user” hell, just follow these simple steps.

1 - Download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop (or other download directory).
Malwarebytes’ Anti-Malware Download Link

2 - Once downloaded, close all programs and windows on your computer, including this one.

3 - Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

4 - When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button.

5 - MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

MalwareBytes Anti-Malware Screen

6 - On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Trojan.vundo and Virtumonde related files.

7 - MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

MalwareBytes Anti-Malware Scanning Screen

8 - When the scan is finished a message box will appear as shown in the image below.

MalwareBytes Anti-Malware Scan Finished Screen

You should click on the OK button to close the message box and continue with the Trojan.vundo and Virtumonde removal process.

9 - You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

10 - A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

MalwareBytes Scan Results

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

11 - When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

12 - You can now exit the MBAM program.

13 - Right-click on My Computer and select Search.  You will now want to do a search on your local C: for windaemon.exe and delete all instances of this file.  Once completed, close all windows you have open.

NOTE: The following steps should only be done once a good backup of your registry has been completed.  Only modify registry settings if you are knowledgeable and understand what can happen if you make a mistake.

14 - Click on Start/Run, type regedit and press Enter.

15 - With the Registry Editor open, click on Edit/Find… and search for windaemon.exe and delete all registry keys that refer to this name.  Once you have deleted all the registry keys, close the Registry Editor.

16 - Reboot your computer.

17 - Your computer should now be free of all Virus/Malware/Spyware/Adware issues.

posted by: Myke Reinhold and Travis Sarbin
post credits: http://techtalk.homerun-networks.com, http://travis.sarbin.net/, http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde, http://news.cnet.com/8300-1009_3-83.html?keyword=%22worm%22, http://securitylabs.websense.com/content/Alerts/3250.aspx, http://securitylabs.websense.com/content/Alerts/3248.aspx, http://www.avertlabs.com/research/blog/index.php/2008/12/03/christmas-worm-uses-mcdonalds-and-coca-cola-as-bait/