Resolving an issue with page faults in a nonpaged area

One of the computers I was working on as of late (a Dell Inspiron B130) appeared to have eleventy billion malware infections of one kind or another. The staff who had been out there before attempted to remove some of the malware, with varying levels of success. At some point, a chunk of malware was removed, but not all of it, and the hooks it had placed in the system caused a blue screen to appear with PAGE_FAULT_IN_NONPAGED_AREA (with a STOP message of 0x00000050, or just 0x50) when Windows XP loaded either in normal mode or safe mode with networking. I never tried to load with just regular safe mode (no networking), but I figured that it wouldn’t matter and I went straight to using the UBCD.

Let me say now: I <3 the UBCD. If I didn’t have this particular tool, my job would be a pain. Or I could work on fewer computers.

Anyway, I could tell immediately by examining CurrentVersion\Run keys and values that there were a number of issues on the computer. I manually took care of what I could, and used the EZ-PC-FIX on the UBCD to check other registry values/keys running at startup, in the control set, etc., and the files they were using. Eventually I was able to weed out enough malware (let’s say about 50+ registry and file deletions) to feel safe booting up into safe mode and running Spybot. How wrong I was. There was something in the malware that was causing a window to open saying shell.exe was not found and was preventing .exe files from being launched. I checked HKEY_CLASSES_ROOT .exe and exefile, and for one of those the malware had added a call to a program whenever a program was launched. Since that program was no longer around, nothing would load. Once I resolved that (again through the UBCD since regedit didn’t want to run), I was able to run Spybot in safe mode. After what seemed like an hour, Spybot found just over 220 malware items. It was able to resolve most of these, but would need to run at startup in normal mode to clean up the few that it couldn’t. OK, so I should now be safe to load Windows normally. Or not.

I continued to get PAGE_FAULT_IN_NONPAGED_AREA when booting Windows. While trying to recall the manner in which to try and restore save points in XP via the UBCD (never did find it; it may no longer be there), I was checking some of the information they had for resolving stop messages. One solution to the issue was a Microsoft knowledge base article I hadn’t come across while searching Google for “page fault in nonpaged area”: KB894278. It referenced a particular rootkit that installs a kernel driver (or two). While these aren’t the files on the system in question, the following were present, and had the same creation date as a number of the malware files I had dealt with:

  • Flee46.sys
  • grande48.sys
  • Wek86.sys (This file may or may not be an issue.  It says it is part of the SCSI Class group, but nothing comes up with a Google of this file, so it may still be malware.)
  • ctfmon.exe (an .exe in with a bunch of .sys files?)
  • Vgkm39.sys

I had been watching flee46.sys load in safe mode, as it was the last file that was being called, and I had never seen it before. My curiosity was further piqued when I could not get a Google result for “flee46.sys”, which meant to me it was malware. Regardless, I appended “.malware.old” onto the end of all of those and rebooted. The blue screen was nowhere to be found, Windows XP was loading in normal mode, and Spybot was running. There are a couple of minor items I need to take care of now, but the computer is probably 90% resolved of its malware issues. Huzzah!

UPDATE: The .sys files in question were related to what McAfee calls Srizbi.


Computer issues: When drivers go bad

To start with, I’m not quite sure how this particular incident happened. The explanation from the student was that their computer was on, they left the room or went to sleep, and when they next went to use the computer, the USB keyboard and mouse suddenly no longer worked, and that they had to restart the computer a number of times before they were recognized. This was the computer that was given to me. However, I hadn’t initially heard the explanation of what happened; I just had a computer that wouldn’t connect to the network for some unknown reason.

When I began to work on the computer, I could not get the USB keyboard and mouse I have for desktops that come in to work either. At first, I was trying to figure out what was wrong with the computer, as they would work fine when I was using the UBCD, but when booting up normally, the keyboard and mouse would go unresponsive sometime after POST as the Windows XP Professional loading screen/progress indicator appeared. Then, for no apparent reason whatsoever, the keyboard and mouse suddenly worked. I’m not sure why, nor do I really care at this point. I was able to get to the login screen and actually take a look at why the computer couldn’t connect to the network. It had to be something with the system, as the UBCD could connect just fine.

Between using the UBCD and logging into the computer, I knew that formatting and re-installing Windows was not something I wanted to do; there were far too many programs installed to want to try and find every directory that needed to be backed up. I tried some of the same things my staff had tried, only due to the fact that sometimes things just work for me when they didn’t for others, but such was not the case. The issue seemed to be that Windows had something corrupt that was affecting its ability to connect to the network. The biggest indicator that something was fubar was the following message (or something very similar) when you tried to use ipconfig:

Windows IP Configuration

An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.

Additional information: Unable to Query host name.

However, as far as error messages go, it really isn’t helpful. As I said, I had tried stuff my staff had already done, such as the winsockfix we use, but to no avail. When using a USB NIC, the same error occurred and I could not connect to the network. Not surprisingly, that meant that I was going to have to do some research and keep throwing fixes at it until it worked.

I noticed that the 1394 Net Adapter in Device Manager was not correctly installed, which is when I started to suspect it was a driver issue, as the firewire port is on-board, and I would find it odd that Dell would ship an XPS 200/5150C without it correctly installed, or the drivers for it. Every time that I tried to update it, it would fail. I really didn’t want to deal with drivers, but apparently I had to. In the process of trying to resolve the issue, I attempted to boot into safe mode, but never succeeded at doing so. Part of this was due to the system very quickly telling me to press escape to bypass loading sptd.sys, and if I didn’t, it would hang. I decided to check this driver out first. I knew that Daemon Tools was installed on this system, and that this process is related to it, so I tried to update this file from the distributor. That didn’t seem to do the trick.

After going to one of the sites listed at the end of this post, I eventually started to review services that were running, and found that DHCP was not. When I tried to start it, I got the following error:

Error: Could not start the DHCP Client Service on local computer

Error 1068: The dependency service or group failed to start.

Searching for the first line of the error brought me to an article of the same name, which listed a number of ways to troubleshoot this issue. It was during step 3 in that article (Verify that the dependency service/components are running) that I found a number of issues with this computer. When I ran Device Manager and set it to show hidden devices, a number of the items in the Non-Plug and Play Devices section had exclamation marks on them. I tried to delete/re-install AFD (the first item listed with an exclamation mark, as well as the first listed in that step) when I couldn’t get it to start, but I could not get it to come back once it had been deleted. While that component was not working before, I knew it needed to be there, so I went looking for how to get it back.

That’s when I came across the article Fixing Winsock on Icrontic.com. As a resource for dealing with winsock, it seems to be rather complete. From the article, they listed a number of issues and fixes, and I went down the list. The abbreviated items, and my conclusions are as listed.

  1. Norton Internet Security or other bloatware installed. – Not an issue from what I could tell. McAfee Security Center was installed, but this was not causing any issues.
  2. Winsock is corrupt. – It wasn’t, and I ran the fix an extra time to be sure.
  3. Protocols need to be re-installed. – Nope, they were there and it didn’t help.
  4. Issue with Non-Plug and Play devices. – As listed previously, there were issues, but I couldn’t delete all items, and there wasn’t any way to bring them back.
  5. Replace C:\WINDOWS\INF\ and C:\WINDOWS\SYSTEM32\DRIVERS\ – YES!

I got a hold of the two directories from an installation of Windows XP my co-worker had up and running at the time I was doing this. After I backed up the current files, I copied the copies over the existing ones and rebooted. Once the computer started up again, running ipconfig from the command prompt returned not just information, but the correct IP it should have as well. After updating Windows and McAfee, the system was still connected and running fine.

Additional Notes

In the process of researching this issue, I came across a number of sites that seemed like they could help, but the issues were either just a little bit different than what I was facing, or the resolution to the problem did not, well, resolve the problem. They are listed below in case others need them.


Learning something new: re-installing Windows XP with I386

Recently, I worked on a student’s computer, a Dell desktop of some kind, that had issues starting up. It could begin to load Windows XP (Professional I believe) but would hang prior to the login screen. After some malware cleaning and whatnot, I managed to get past that point, only to then hang at an empty desktop. After reviewing the system even more, I found plenty of remnants of previous malware infections (100s of files) and decided that a format/reinstall would be the best option to make sure everything was taken care of. The big issue, of course, was that the student couldn’t find the installation discs that came with their computer.

Previously, this hadn’t been much of a concern, as we would direct students to the bookstore to purchase a new copy of Windows XP Professional (if they hadn’t already purchased a copy) and then use that to reinstall the operating system. Now that Vista is out, there are either very few or no copies of XP to be found at the bookstore, and some computers come to us that installing Vista on is simply not an option.

I thought I was out of options, but then I recalled that the UBCD has a program that could be helpful, Windows XP Setup Launcher. What it does, is allow you to pick a path to install Windows XP from. You cannot pick the Windows directory itself, as these are the post-installation files, but the computer did have an I386 directory, which has the compressed files that are used in installing Windows. I copied that directory to an external hard drive and ran Windows XP Setup Launcher. Using another UBCD program, Keyfinder, I got the computer’s Windows product key, which I needed to complete the setup process.

There were some issues along the way of course.

At one point, I was getting an error message of some kind because mstask.ini could not be found in the I386 folder. Now, for creating the UBCD, I have the contents of a Windows XP installation CD stored on my computer, and it just so happened that mstask.ini was already there. The contents were simply:

[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}

However, in case this was a file that was or needed to be different per computer, I searched for the entire second line shown above. While there were a number of sites that came up, this was the first site listed, and the inline comment for that CLSID of “Makes the task folder work” was enough for me to assume that this was something standard that could be copied over. Sure, most of the information that initially comes up is for Windows prior to XP, but my assumption was correct, as I was able to continue on to bigger and better errors.

The next error was a pain to deal with, as the installation would throw the following message at me:

Windows cannot load internet configuration utility ICFGNT.DLL. The specified module could not be loaded.

This is where I, unfortunately, get forgetful. I wasn’t taking exact notes on this, and as the case was, there were multiple errors going on at the same time that I was trying to resolve. Always remember: fix one thing at a time. In regards to this, I’m sure I did the following, and as listed later, I tried some of these multiple times:

  • I will say that this site/forum post offered the most assistance. I applied the edits to txtsetup.sif that are listed, even though I was not using the exact software listed. It didn’t appear to harm the system and I do believe it helped. These were as follows, all added to the [FileFlags] section of txtsetup.sif:
    BNTS.DLL = 16
    TSHOOT.DLL = 16
    SNIFFPOL.DLL = 16
    SSTUB.DLL = 16
    SSDPSRV.DLL = 16
    SSDPAPI.DLL = 16
    UPNP.DLL = 16
    UPNPHOST.DLL = 16
    UPNPCONT.EXE = 16
    UDHISAPI.DLL = 16
  • I downloaded a copy of icfgnt.dll, as I could not really find a copy in the I386 folders I had access to.

Something there did the job, as I was able to get the computer up and running. I had also saved the drivers and dell directories to the external drive so that I would be able to install the hardware Windows couldn’t, and fortunately, everything was there as needed. You’d think that would be the end of it, but you would be wrong; so very, very wrong.

Sure, the computer was running, but one of the Windows Security Alert balloons that pops up after a fresh install caught my eye. If I’m correct, it may have been telling me that the computer did not have any antivirus software installed. I don’t know for sure, as the message was not in English; in fact, it was definitely a Middle Eastern language, but I’m not sure which. For the purpose of listing it, I’m going to say it was Arabic. I didn’t think this was going to be an issue, but then I started to use Windows. Here’s what I remember finding in Arabic:

  • All of the Windows Security Center
  • The Start menu item for setting default applications and settings
  • The Hardware and Remote tabs of System Properties

So, I try the re-installation process again, making sure to do an attended install and not an unattended one, which of course, did not solve the problem. This was starting to bother me, as I could find no real reason why it was happening, then it hit me: everything that was showing up in Arabic was something that had been changed with Service Pack 2. I grabbed one of the SP2 discs we have from a couple years ago and “installed” it on the computer. One reboot later, and all but one item (default applications and settings) was in English. I connected to the Internet and initiated an update of 90-some items, and following that reboot, the computer was, as far as I could tell, all in English again.

Was this computer a pain to deal with? Yes. Did I enjoy working on it? You better believe it. It was nice to have a computer come in that was fubar and find a unique way to solve the problem, which I can now tuck away as an option for further issues I may face. Also, since nothing jumped out at me when I was searching for this, I’m more than glad to add it to the collective knowledge of the web. Just be sure to leave a comment if you find this useful.


Dutch consumer protection says to resist Vista

I was reading an article on Ars Technica about a consumer advocacy group in the Netherlands who suggest that customers should downgrade to XP if they end up with Vista.

I’m convinced that maybe, just maybe, I’ve ended up with a different version of Windows Vista than other people. While I may have just upgraded my computer from Windows XP to Windows Vista within the last month, I have been using it at work since sometime in May, and have few problems. Hell, in some cases I’ve had things work better than they did in Windows XP. One example of this is my secondary monitor I use, which connects to the docking station my Latitude D820 uses throughout the week. I use the extended display option, and the monitor is on the left hand side and the laptop is on the right. Whenever I would undock for the weekend and use the computer at home, when I was next at work, XP was always convinced that the monitor was on the right hand side. While not a big issue, I then had to go into the settings each and every time. I don’t recall having to do that with Vista once, or if I did, it was the first time and the first time only.

Of course, this is just one of the many instances of people voicing issues that Vista isn’t ready. Again, it might just be me, but I have had better performance on both machines with Vista than I had with XP. On my home computer, I run Lord of the Rings Online, and I play in windowed mode so I can still easily get to Firefox, Pidgin, or Thunderbird while I’m playing in case I want to look something up or I’m doing something (riding between cities or crafting) that doesn’t require my attention. XP used to hate when I tried to do this, even with the full 2GB of memory I had in the system when I did a quick test run, whereas Vista has no issue. Since I have a decent video card, when I tab around between windows, via the Alt or Windows key method, it still displays what is going on in LotRO while I’m doing so. Sure, Macintosh OS X had this as one of their big things when they would talk about how awesome it was, so I see no reason not to say it about Windows.

I do agree with the article that Vista’s security model is superior to XP, and unlike the “Mac & PC” commercials (which to me is like saying, if it was for comparing cars, “Prius & American cars”), Vista does not prompt to stop you from doing something all the time. It’s just another step to get users to realize that they are about to do something that will affect their system. Sure, when you are trying to administer a system, those prompts might get annoying, but I like them nonetheless, and consider them good for normal, everyday users, especially since they prevent you from clicking anywhere else on the screen until you make a choice.

Due to the fact that computers are coming with Vista, and the users will need to get used to it, I personally don’t recommend downgrading from Vista to XP. My mom had asked me to do that on a new laptop she had and I simply said no, as the computer would no longer have many of the default programs that were set up for that laptop model, and eventually she would have to use Vista anyway and XP would no longer be supported, which would require an upgrade back to Vista. On another note, since I don’t have to administer computers on a network or domain, install software that isn’t Vista compliant, or deal with locking down computers from users, I have no problem using Vista or recommending it to others, provided that the computer it’s going on can handle it. While I’m interested in Ubuntu, I also am interested in LotRO, and don’t want to have to boot back and forth between OS environments, so I’m sticking with Windows for now.

Then again, that’s just me.


You need 3.99 PB free to copy those files and Windows Whistler

So, for whatever reason, Meghan’s computer went stupid this morning and kept rebooting; I couldn’t even get it into safe mode and her monitor did not want to work, something I’ve seen on three separate HP Pavilion monitors. After all, I had problems when I had my HP Pavilion (monitor and hard drive), Ryan had problems (hard drive), and Meghan has had problems (2 Pavilion monitors and hard drive), so I’m not too surprised.

Anyway, I had to connect her computer up to my monitor to even see what was going on, and even then, I couldn’t actually get to see the error message. I realized, though, there was one thing I could do: set my digital camera to video mode and simply record the screen as the computer booted. Once I captured the flicker of information before the reboot, I played the recording back, and then went frame by frame to the point that the message was displayed. All in all, that took about 2 minutes to do, which took less time than had I tried to boot to the command prompt and then edit the registry to turn off the key that causes the reboot after a system crash. Sometimes you just have to be resourceful.

I was able to get the information off of the hard drives by connecting them to my computer, but there were some files that were corrupt. While I was copying some of the files, I kept getting an error message that couldn’t be true. The hard drive on Meghan’s computer was 40 GB, and mine is 233 GB. There was one folder that didn’t want to copy, because it supposedly had over 4 PB of data and I didn’t have enough room.

How much room do I need again?

One TB (terabyte) is 1000 GB, so one PB (petabyte) is 1000 TB. Somehow, whatever quantum particle hit the hard drive really did a number on it. I’m just going to leave it at that for now and deal with it tomorrow after I can go to work and get a UBCD.

3.99 PB. Sheesh.

Also, since I had never really had to boot her computer into safe mode, I noticed that the option available to me was “Microsoft Windows Whistler Professional”. I really don’t recall ever seeing this, but a quick Google search found an article on PC World:

Though still whistling, Microsoft’s next desktop operating system is finally stepping out of the dark with this week’s release of Whistler Beta 1 to a limited group of developers and hardware vendors. (See “Microsoft Releases Whistler Beta.”)

The successor to both its consumer-oriented Windows Millennium Edition and business-strength Windows 2000 operating systems, Whistler is due on store shelves in the second half of 2001. But Windows 95 stalwarts beware: you won’t be able to simply upgrade Windows 95 machines to Whistler.

So, Meghan’s computer, which she would have purchased sometime in 2001, technically has one of the earliest versions of XP on it. Every other aspect tends to report that it is Windows XP Home, not Whistler, so I’m surprised by this. Well, you learn something new every day.


Malware: My Cv.exe and others

On campus we had a nice piece of malware appear on some computers in the Bowen-Thompson Student Union. My sample required that I open a file that was either on the desktop or on a USB drive, which was made to look like a Microsoft Word document, and unless you had the option to show file extensions, you would assume it was a .doc, but it was actually an .exe. Once this was done, the malware would infect the C:\ drive and the USB drive with at least 3 files I am sure of, apply a handful of policy settings, and make other changes to the registry. One of my student workers, Matt Sigley, assisted me in determining which files and settings were added or changed.

I would have expected Google to give me a better answer, but I was really unable to find anything that met my search criteria. As a result, I’m posting this here so that others can see what needs to be done. This is as complete a list of what needs to be done as we were able to determine, and the machine otherwise appears to be clean. I do not take responsibility if you remove files or change a setting you need as a result of these items, but again, it worked for us.


Remove
------------------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofolderoptions: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disable: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Run\winxp: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
C:\WINDOWS\winxp.exe
C:\WINDOWS\winword.exe
C:\Win Firewall.txt
C:\The Science of becoming Rich.exe
C:\My Cv.exe
C:\The Biography of Adolf Hitler.exe
Also possible: C:\Database.exe
Also possible: C:\Tasks.exe

Change
------------------------------------------------
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\exefile\: "File Folder"
to
HKLM\SOFTWARE\Classes\exefile\: "Application"

HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\WINDOWS\winxp.exe""
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winxp.exe"
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000000

The keys that begin with HKU\S-1-5-21- may have different numbers than those listed above, but just keep going and ignore whatever you have in place of 1482476501-1606980848-1957994488-1003. Also, if you have any other iterations, such as HKU\S-1-5-22-, HKU\S-1-5-23-, etc, check those directories and keys as well.
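The shell.exe/exefile lockout in the first post and the Remove/Change list above are one pattern: a handful of policy values that disable Task Manager, regedit, cmd and System Restore; the shell\open\command of every executable file type pointed at winword.exe; and winxp.exe wired into Winlogon, SafeBoot and Run. The Python script below is an added example, not the post's code and not a tool the author used. It takes a Regshot-style diff (a constructed sample built from the list above), sorts each entry into lockout policy, association hijack, persistence or dropped file, and writes the registry fixes out as a .reg file. Known-good values are assumptions from a stock XP install where the post does not state them: AlternateShell is restored to cmd.exe rather than deleted, and Userinit gets its stock trailing comma.

```python
"""Triage a Regshot-style diff of the winxp.exe / winword.exe infection and
emit a .reg file that undoes it.  Added example, not code from the post; the
sample diff below is constructed from the post's Remove/Change lists."""
import re
from dataclasses import dataclass
from typing import List, Union

# Constructed sample in Regshot's  key\value: data  layout (a subset of the post's list).
SAMPLE_DIFF = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Run\winxp: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
HKLM\SOFTWARE\Classes\exefile\: "File Folder"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\WINDOWS\winxp.exe""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winxp.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
C:\WINDOWS\winxp.exe
C:\My Cv.exe
"""

# (regex on the tail of the value path, category, action, known-good value).
# Matching on the tail means the user SID under HKU does not matter.
# Known-good values are assumptions from a stock XP install unless the post states them.
RULES = [
    (r"\\Policies\\(System|Explorer|WinOldApp)\\(DisableTaskMgr|DisableRegistryTools|NoFolderOptions|DisableCMD|NoDispCPL|NoClose|Disable)$",
     "lockout_policy", "delete", None),
    (r"\\Policies\\Microsoft\\Windows( NT)?\\(Installer|SystemRestore)\\(DisableMSI|LimitSystemRestoreCheckpointing|DisableSR|DisableConfig)$",
     "lockout_policy", "delete", None),
    (r"\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR$", "lockout_policy", "restore", 0),
    (r"\\Classes\\(exefile|lnkfile|batfile|comfile|piffile)\\shell\\open\\command\\$",
     "association_hijack", "restore", '"%1" %*'),
    (r"\\Classes\\exefile\\$", "association_hijack", "restore", "Application"),
    (r"\\Winlogon\\Shell$", "persistence", "restore", "Explorer.exe"),
    (r"\\Winlogon\\Userinit$", "persistence", "restore", r"C:\WINDOWS\system32\userinit.exe,"),  # stock value keeps the comma
    (r"\\SafeBoot\\AlternateShell$", "persistence", "restore", "cmd.exe"),  # assumption: stock default; the post deletes it
    (r"\\CurrentVersion\\Run\\[^\\]+$", "persistence", "delete", None),
]

@dataclass
class Finding:
    category: str
    target: str                              # registry value path or file path
    action: str                              # "delete", "restore" or "review"
    restore_to: Union[str, int, None] = None  # str -> REG_SZ, int -> REG_DWORD

FILE_RE = re.compile(r"^[A-Za-z]:\\")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS",
         "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT"}

def triage(diff_text: str) -> List[Finding]:
    """Classify each Regshot line; unknown registry entries are kept for manual review."""
    findings = []
    for raw in diff_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_RE.match(line):
            findings.append(Finding("dropped_file", line, "delete"))
            continue
        target, sep, _data = line.partition(": ")
        if not sep or target.split("\\", 1)[0] not in HIVES:
            continue
        for pattern, category, action, good in RULES:
            if re.search(pattern, target, re.IGNORECASE):
                findings.append(Finding(category, target, action, good))
                break
        else:
            findings.append(Finding("unclassified", target, "review"))
    return findings

def reg_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')

def to_reg(findings: List[Finding]) -> str:
    """Render the registry fixes as a .reg file (files and 'review' items are left out)."""
    sections = {}
    for f in findings:
        if f.category == "dropped_file" or f.action == "review":
            continue
        key, _, name = f.target.rpartition("\\")
        hive, _, rest = key.partition("\\")
        label = "@" if name == "" else f'"{name}"'   # trailing backslash = the key's default value
        if f.action == "delete":
            entry = f"{label}=-"
        elif isinstance(f.restore_to, int):
            entry = f"{label}=dword:{f.restore_to:08x}"
        else:
            entry = f'{label}="{reg_escape(f.restore_to)}"'
        sections.setdefault(f"{HIVES[hive]}\\{rest}", []).append(entry)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, entries in sections.items():
        out += [f"[{key}]", *entries, ""]
    return "\n".join(out)

if __name__ == "__main__":
    found = triage(SAMPLE_DIFF)
    for f in found:
        print(f"{f.category:19} {f.action:8} {f.target}")
    print(to_reg(found))
```

To use it on a real case, replace SAMPLE_DIFF with the contents of the Regshot report; anything the rules do not recognise comes back as unclassified for manual review rather than being silently dropped. Import the generated .reg from the UBCD or another offline environment: with the exefile association hijacked, regedit itself will not launch on the infected system, which is exactly the lockout the first post ran into.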

Some comments about the files it makes

The only .exe files I had were C:\The Science of becoming Rich.exe, C:\My Cv.exe, and C:\The Biography of Adolf Hitler.exe, and the two listed as possible were reported to me by our network security people. The files created by the malware were C:\WINDOWS\winxp.exe, C:\WINDOWS\winword.exe, and C:\Win Firewall.txt. That last one tries to mislead you by listing some information about two pieces of malware, so this one could be a derivative work of either or both of those malware, and based on my Google Web History, I believe they were rontokbro and sircam, as I don’t have a copy of that txt file still around. However, when looking to see what those could do, I found none of their signatures on the computer. There’s also the fact that C:\WINDOWS\winxp.exe is typically related to bagle. This is also one of the few cases where C:\WINDOWS\winword.exe is related to the malware.

The other thing to keep an eye out for is that if you try and run a program while infected, let’s say Firefox, you may end up with some files in C:\Program Files\Mozilla Firefox or elsewhere on the hard drive. Fortunately, it’s easy to find exactly where they go, as they share the same file size and creation date as winword.exe and winxp.exe, so you may just have to do a search to find all of them.
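Both posts pivot on file metadata to find the rest of an infection: the .sys drivers in the first post shared a creation date with the other malware files, and the copies that winword.exe/winxp.exe drop into Program Files share their size and creation date. The Python below is an added example, not the post's code or one of the tools it lists. It builds a throwaway directory tree (a constructed sample, with made-up file names and a 512-byte fake payload) and reports every file that matches a reference sample by size plus either content hash or timestamp. Modification time stands in for creation time because creation time is not exposed portably; on the real machine you would pivot on whatever timestamp the sample shares.

```python
"""Find every copy of a dropped malware file by pivoting on the traits the post
used (identical size and timestamp) plus a content hash.  Added example, not
code from the post; it builds a throwaway directory tree so it runs anywhere."""
import hashlib
import os
import tempfile
from typing import List, Tuple

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_siblings(root: str, reference: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for files under root that look like copies of `reference`.

    A file qualifies if it has the same size AND either the same content hash or the
    same timestamp.  The post pivoted on creation date; st_mtime is used here because
    creation time is not portable (Windows exposes it as st_ctime / st_birthtime)."""
    ref_st = os.stat(reference)
    ref_hash = sha256_of(reference)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.samefile(path, reference):
                continue
            st = os.stat(path)
            if st.st_size != ref_st.st_size:
                continue                      # cheap filter before hashing anything
            if sha256_of(path) == ref_hash:
                hits.append((path, "identical content"))
            elif int(st.st_mtime) == int(ref_st.st_mtime):
                hits.append((path, "same size and timestamp"))
    return sorted(hits)

def build_sample_tree() -> Tuple[str, str]:
    """Constructed sample: winxp.exe, its copies, and two files that must not match."""
    root = tempfile.mkdtemp(prefix="cvexe-")
    payload = b"MZ" + b"\x90" * 510           # fake 512-byte dropper body (assumption)
    stamp = 1_200_000_000                     # arbitrary shared timestamp (assumption)
    layout = {
        "WINDOWS/winxp.exe": payload,
        "WINDOWS/winword.exe": payload,
        "Program Files/Mozilla Firefox/firefox.exe": payload,   # the dropped copy the post describes
        "Program Files/Mozilla Firefox/readme.txt": b"legit file, different size\n",
        "WINDOWS/same_size_other.bin": b"X" * 512,              # same size, different content
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (stamp, stamp))        # mimic the shared date the post noticed
    return root, os.path.join(root, "WINDOWS", "winxp.exe")

if __name__ == "__main__":
    tree, sample = build_sample_tree()
    for hit, why in find_siblings(tree, sample):
        print(f"{why:25} {os.path.relpath(hit, tree)}")
```

The size check runs first so a whole drive can be walked without hashing every file; the timestamp match is the weaker signal and is reported separately so you can decide whether a same-size, same-date file that does not hash-match deserves a closer look.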

Overall, we used the following programs to keep track of what was happening and/or resolve things:

  • We did have to use the UBCD in order to get access to these files and the registry, as the malware prevents the use of the registry and .exe files without making it reference the malware. If you would try and boot into Safe Mode, you’d also be using the malware, which would still prevent you from getting to regedit easily. We used RegEdit (Remote) to change the registry.
  • We used Regshot to track what the registry looked like before and after the infection happened, though we did have to use the UBCD to make the change below to run the .exe file first.
  • While it gave much the same information as Regshot, Deckard’s System Scanner was also used instead of just using HijackThis.
  • We also used a program to fix IE and the explorer shell, just to be sure. I’m not sure if we made it or found it, but we call it FixShell.bat.


VB6 code for setting startup mode of services in XP or Vista

Here is some VB6 code to set the startup mode of a service in either Windows XP or Vista. Here is the code for disabling a service:

Private Function DisableService(strServiceName As String) As Long
  ' Sets the named service's start mode to Disabled through WMI
  ' (Win32_Service.ChangeStartMode) and returns the method's return code,
  ' 0 meaning success, so the caller can act on it.
  Dim ErrorArray(24) As String
  Dim strComputer As String
  Dim oInstance As Object
  Dim oMethod As Object
  Dim oInParam As Object
  Dim oOutParam As Object
  Dim lngResult As Long

  ' Return codes shared by the Win32_Service methods, per the WMI documentation.
  ErrorArray(1) = "The request is not supported."
  ErrorArray(2) = "The user did not have the necessary access."
  ErrorArray(3) = "The service cannot be stopped because other services that are running are dependent on it."
  ErrorArray(4) = "The requested control code is not valid, or it is unacceptable to the service."
  ErrorArray(5) = "The requested control code cannot be sent to the service because of the current state of the service."
  ErrorArray(6) = "The service has not been started."
  ErrorArray(7) = "The service did not respond to the stop request in a timely fashion."
  ErrorArray(8) = "Unknown failure when stopping the service."
  ErrorArray(9) = "The directory path to the service executable was not found."
  ErrorArray(10) = "The service is already running."
  ErrorArray(11) = "The service database is locked."
  ErrorArray(12) = "A dependency which this service relies on has been removed from the system."
  ErrorArray(13) = "The service failed to find the service needed from a dependent service."
  ErrorArray(14) = "The service has been disabled from the system."
  ErrorArray(15) = "The service does not have the correct authentication to run on the system."
  ErrorArray(16) = "This service is being removed from the system."
  ErrorArray(17) = "There is no execution thread for the service."
  ErrorArray(18) = "There are circular dependencies when stopping the service."
  ErrorArray(19) = "There is a service running under the same name."
  ErrorArray(20) = "There are invalid characters in the name of the service."
  ErrorArray(21) = "Invalid parameters have been passed to the service."
  ErrorArray(22) = "The account, which this service is to run under is either invalid or lacks the permissions to run the service."
  ErrorArray(23) = "The service exists in the database of services available from the system."
  ErrorArray(24) = "The service is currently paused in the system."

  strComputer = "."  ' the local machine; a remote host name also works here
  ' WMI moniker: winmgmts:{impersonationLevel=impersonate}!\\<host>\root\cimv2:Win32_Service.Name="<service>"
  Set oInstance = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2:Win32_Service.Name=" & Chr(34) & strServiceName & Chr(34))
  Set oMethod = oInstance.Methods_("ChangeStartMode")
  Set oInParam = oMethod.InParameters.SpawnInstance_()
  oInParam.StartMode = "Disabled"
  Set oOutParam = oInstance.ExecMethod_("ChangeStartMode", oInParam)
  lngResult = oOutParam.ReturnValue
  If lngResult <> 0 Then
    If lngResult >= 1 And lngResult <= 24 Then
      MsgBox "Change of startup mode of " & oInstance.DisplayName & " to Disabled failed.  Reason: " & ErrorArray(lngResult)
    Else
      MsgBox "Change of startup mode of " & oInstance.DisplayName & " to Disabled failed.  Unknown return code " & lngResult
    End If
  End If
  DisableService = lngResult
End Function

Currently, the code is written as two different functions, DisableService and ManualService, with the code differing on only two lines, one functional and one for a message box, so technically it could be combined into one function which accepts two strings: the service name and what to do. However, on my installation of VB6, it doesn’t want to call the function with parentheses, which looks wrong and, well, I don’t trust it as a result. This could technically be a standard for VB6, but I’ve seen plenty of other code samples online that use parentheses around functions accepting multiple parameters, so it could just be an issue with my machine, or me just not understanding VB6. Anyway, the chunk of code that would change would be:

  oInParam.StartMode = strSomeValue

and

  MsgBox "Change of startup mode of " & oInstance.DisplayName & " to " & strSomeValue & " failed.  Reason: " & ErrorArray(oOutParam.returnValue)

The value of strSomeValue could be any of the following:

  • Boot
  • System
  • Automatic
  • Manual
  • Disabled

With that said, if you had two functions, DisableService and ManualService, one way to call them could be:

Private Sub SetServices()
    On Error Resume Next
    ' Computer Browser
    DisableService ("Browser")

    ' Messenger
    DisableService ("Messenger")

    ' NetMeeting Remote Desktop Sharing
    DisableService ("mnmsrvc")

    ' Remote Access Auto Connection Manager
    DisableService ("RasAuto")

    ' Remote Desktop Help Session Manager
    DisableService ("RDSessMgr")

    ' Remote Registry
    DisableService ("RemoteRegistry")

    ' Server
    DisableService ("lanmanserver")

    ' SSDP Discovery
    DisableService ("SSDPSRV")

    ' Telnet
    DisableService ("TlntSvr")

    ' Universal Plug and Play Device Host
    DisableService ("upnphost")

    ' Volume Shadow Copy
    ManualService ("VSS")

    ' Windows Image Acquisition
    ManualService ("stisvc")

    MsgBox "Computer services have been analyzed and configured."
End Sub

To find out how to call a service, just open the Services window (my personal favorite method is Start->Run->services.msc) and double-click a given service. You’ll want to call a service via its service name, which, in Windows XP, is the first item on the General tab. At the moment, I’m not sure what the display looks like on Windows Vista, but I believe it to be very close to the same. If all else fails, you can also easily find a list of Windows services by searching the web, and the site will typically have suggested settings for each one and common uses.
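The single-function form described above (service name plus the requested mode), written as an added PowerShell example rather than the post's VB6, against the same WMI method (Win32_Service.ChangeStartMode) and the same return-code table. It assumes Get-WmiObject is available, which means PowerShell 2.0 installed on the XP/Vista machines the post targets (on Windows 8 and later, Get-CimInstance/Invoke-CimMethod is the modern equivalent). It records the start mode before and after the change so the run can be audited or reverted, and the post's service list is carried as data at the end.

```powershell
# Added example, not the post's code: one function for every start mode, with a
# before/after record. Assumes PowerShell 2.0 or later with WMI available.

# Messages for the non-zero return codes of Win32_Service.ChangeStartMode.
$ChangeStartModeErrors = @{
    1  = 'The request is not supported.'
    2  = 'The user did not have the necessary access.'
    3  = 'The service cannot be stopped because other services that are running are dependent on it.'
    4  = 'The requested control code is not valid, or it is unacceptable to the service.'
    5  = 'The requested control code cannot be sent to the service because the state of the service.'
    6  = 'The service has not been started.'
    7  = 'The service did not respond to the stop request in a timely fashion.'
    8  = 'Unknown failure when stopping the service.'
    9  = 'The directory path to the service executable was not found.'
    10 = 'The service is already stopped.'
    11 = 'The service database is locked.'
    12 = 'A dependency which this service relies on has been removed from the system.'
    13 = 'The service failed to find the service needed from a dependent service.'
    14 = 'The service has been disabled from the system.'
    15 = 'The service does not have the correct authentication to run on the system.'
    16 = 'This service is being removed from the system.'
    17 = 'There is no execution thread for the service.'
    18 = 'There are circular dependencies when stopping the service.'
    19 = 'There is a service running under the same name.'
    20 = 'There are invalid characters in the name of the service.'
    21 = 'Invalid parameters have been passed to the service.'
    22 = 'The account, which this service is to run under is either invalid or lacks the permissions to run the service.'
    23 = 'The service exists in the database of services available from the system.'
    24 = 'The service is currently paused in the system.'
}

function Set-ServiceStartMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Boot', 'System', 'Automatic', 'Manual', 'Disabled')]
        [string] $StartMode,
        [string] $ComputerName = '.'
    )

    # Escape the WQL string delimiter so a service name cannot break the filter.
    $filter = "Name='" + $Name.Replace("'", "''") + "'"
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter
    if (-not $svc) {
        Write-Warning "Service '$Name' not found; nothing changed."
        return $null
    }

    # Win32_Service.StartMode reports 'Auto', while ChangeStartMode expects 'Automatic'.
    $before = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }

    $result = 'Unchanged'
    if ($before -ne $StartMode -and
        $PSCmdlet.ShouldProcess("$($svc.DisplayName) [$($svc.Name)]", "ChangeStartMode $before -> $StartMode")) {
        $rc = [int]$svc.ChangeStartMode($StartMode).ReturnValue
        if ($rc -eq 0) { $result = 'Changed' }
        elseif ($ChangeStartModeErrors.ContainsKey($rc)) { $result = "Failed: $($ChangeStartModeErrors[$rc])" }
        else { $result = "Failed: unknown return code $rc" }
    }

    # Re-read so the report shows what the service control manager actually stored.
    $after = (Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter).StartMode
    New-Object PSObject -Property @{
        Name = $svc.Name; DisplayName = $svc.DisplayName
        Before = $before; Requested = $StartMode; After = $after; Result = $result
    }
}

# The post's service list as data; -WhatIf previews the plan without touching anything.
$Plan = @(
    @{ Name = 'Browser';        StartMode = 'Disabled' }   # Computer Browser
    @{ Name = 'Messenger';      StartMode = 'Disabled' }
    @{ Name = 'mnmsrvc';        StartMode = 'Disabled' }   # NetMeeting Remote Desktop Sharing
    @{ Name = 'RasAuto';        StartMode = 'Disabled' }   # Remote Access Auto Connection Manager
    @{ Name = 'RDSessMgr';      StartMode = 'Disabled' }   # Remote Desktop Help Session Manager
    @{ Name = 'RemoteRegistry'; StartMode = 'Disabled' }
    @{ Name = 'lanmanserver';   StartMode = 'Disabled' }   # Server
    @{ Name = 'SSDPSRV';        StartMode = 'Disabled' }   # SSDP Discovery
    @{ Name = 'TlntSvr';        StartMode = 'Disabled' }   # Telnet
    @{ Name = 'upnphost';       StartMode = 'Disabled' }   # Universal Plug and Play Device Host
    @{ Name = 'VSS';            StartMode = 'Manual' }     # Volume Shadow Copy
    @{ Name = 'stisvc';         StartMode = 'Manual' }     # Windows Image Acquisition
)
$Plan | ForEach-Object { Set-ServiceStartMode -Name $_.Name -StartMode $_.StartMode -WhatIf } |
    Format-Table Name, Before, Requested, After, Result -AutoSize
```

Drop -WhatIf to apply the plan; the Before column of the output is the record you need to undo it. Changing the start mode does not stop a running service, which is the same behaviour as the post's VB6.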


Automatic Updates can sometimes be an issue

So, all day long I kept noticing the Automatic Updates shield down in my systray on my work laptop. I knew eventually I was going to have to take care of it, but I figured I was going to wait until later this evening. When work was over, I shut down my laptop. Frak, I already had the updates downloaded and ready to install. So I let the machine start updating as I got ready to go.

svchost.exe — application error the instruction at "0x########" reference memory at "0x00000000". the memory could not be 'read'

Frak again. Immediately I knew nothing good was going to come of this, so I closed the lid and took it home. I figured the following were going to be in my list of problems:

  1. My computer was, for all intents, dead. It had locked up during an installation of an update while Windows XP was shutting down. Reinstall is my only way out.
  2. Some portion of Windows XP was now corrupt, and I was going to waste some time figuring out what by going through Safe Mode and fixing it before I could get into Windows.
  3. Windows was going to be fine, except for one thing, and I would at least be able to get into Windows normally.

Fortunately, my fears were unfounded, as my computer did start up with no problems. Well, it did seem to take a bit longer to load the user profile, but then again, that could have been normal and I just didn’t notice. When I got into Windows, I was given an error message about a generic service being shut down. A quick Google of “svchost dies during windows update” led me to a list of feeds about Windows updates, which then led me to an article called “Windows Update Broke My Machine” that lists what they did to solve the problem. It worked for me as well, as the files that were already downloaded to my machine didn’t appear to want to install.

  1. Boot the PC, right click “My Computer” and hit properties.
  2. Click the Automatic Updates tab.
  3. Turn off Automatic Updates.
  4. Reboot the computer.
  5. When the machine is booted, manually go to Windows Updates.
  6. Do a complete Windows Update.
  7. Reboot if the Updates don’t already insist that you do.

Fortunately, that worked. After all, I don’t work tomorrow, so I didn’t want to spend my day off trying to get my laptop working so I could use it over the weekend.


Set Windows Firewall in Windows XP or Vista

Over a year ago, I wrote a VB6 program for configuring students’ machines on the network at BGSU; something they could run before they got here to make sure some basic settings were already configured. Previously, I have posted VB6 code for configuring Windows Automatic Updates, which, of course, sets the Automatic Updates for Windows. I was looking at this code to see what I was going to have to do to get it to work in Windows Vista, but I first decided to run it and see what would happen. Lo and behold, it worked as it was supposed to, which was a surprise.

Private Sub SetFirewall()
    On Error Resume Next
    Dim objFwMgr As Object
    Dim objProfile As Object

    Set objFwMgr = CreateObject("HNetCfg.FwMgr")
    If Err.Number <> 0 Then
        MsgBox "Unable to access Windows Firewall."
    Else
        ' Get the current profile for the local firewall policy.
        Set objProfile = objFwMgr.LocalPolicy.CurrentProfile

        ' Verify that the Firewall is enabled. If it isn't, then enable it.
        If objProfile.FirewallEnabled = False Then
            MsgBox "Windows Firewall has been detected as being disabled." & vbCrLf & "It will be enabled with Exceptions Allowed"
            objProfile.FirewallEnabled = True
            ' Leave "Don't allow exceptions" unchecked so configured exceptions keep working.
            objProfile.ExceptionsNotAllowed = False
        End If
    End If
End Sub
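The same HNetCfg.FwMgr check, as an added PowerShell example (not the post's VB6): it reports the current profile's state before and after, only enables the firewall when it is found disabled, and supports -WhatIf. The property names (FirewallEnabled, ExceptionsNotAllowed, NotificationsDisabled, Type) are those of the INetFwProfile interface the VB6 code talks to; PowerShell 2.0 on XP SP2 or later, or Vista, is assumed.

```powershell
# Added example, not the post's code: read and, if needed, enable the Windows
# Firewall through the same COM object the VB6 uses. Assumes PowerShell 2.0+.

function Get-WindowsFirewallState {
    $fwMgr = New-Object -ComObject HNetCfg.FwMgr
    $fwProfile = $fwMgr.LocalPolicy.CurrentProfile
    New-Object PSObject -Property @{
        # INetFwProfile.Type: 0 = domain profile, 1 = standard (non-domain) profile.
        ProfileType           = $fwProfile.Type
        FirewallEnabled       = [bool]$fwProfile.FirewallEnabled
        # True means the "Don't allow exceptions" box is checked (block all incoming).
        ExceptionsNotAllowed  = [bool]$fwProfile.ExceptionsNotAllowed
        NotificationsDisabled = [bool]$fwProfile.NotificationsDisabled
    }
}

function Enable-WindowsFirewall {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The post leaves exceptions allowed; pass $true for the "no exceptions" mode.
        [bool] $ExceptionsNotAllowed = $false
    )
    try {
        $fwMgr = New-Object -ComObject HNetCfg.FwMgr
    } catch {
        throw "Unable to access Windows Firewall: $($_.Exception.Message)"
    }
    $fwProfile = $fwMgr.LocalPolicy.CurrentProfile
    $before = Get-WindowsFirewallState

    if (-not $fwProfile.FirewallEnabled) {
        if ($PSCmdlet.ShouldProcess('Windows Firewall, current profile', 'Enable')) {
            # Both writes go through the one profile variable; the VB6 in the post
            # assigned the second property to an undeclared name, so it never took effect.
            $fwProfile.FirewallEnabled = $true
            $fwProfile.ExceptionsNotAllowed = $ExceptionsNotAllowed
        }
    }

    $after = Get-WindowsFirewallState
    New-Object PSObject -Property @{ Before = $before; After = $after }
}

# Preview first; drop -WhatIf to apply.
$report = Enable-WindowsFirewall -WhatIf
$report.Before | Format-List
$report.After  | Format-List
```

On Vista and later, the firewall keeps separate domain, private and public profiles; HNetCfg.FwMgr only exposes the one currently active, so on those systems run the check from the network the machine will actually sit on.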


Making a bootable USB drive with BartPE or UBCD4Win

At work, we use a tool called Ultimate Boot CD for Windows (UBCD). It allows us to place the CD into a computer that isn’t booting because of malware issues, missing .dll files, etc. (but not hardware issues) and boot up a version of Windows that is loaded into the system’s memory. By doing this, we can then edit the registry, even if there is malware that would hide the registry entry via a rootkit, delete problem-causing files, such as worms that have a known file name, and even back up the files to an external USB HD, so that a client’s information can be saved prior to a format of an otherwise dead system.

I had been asked by my boss, as well as searching independently prior to his asking, for a way to load the UBCD version of Windows off of a USB drive instead. I had found some sites that gave ways to attempt it, such as Windows In Your Pocket off of Tom’s Hardware, but for whatever reason, that method proved not to work. Earlier this week I decided to give it another go, and I managed to find a program that would make a USB drive bootable and then load a BartPE (Bart Preinstalled Environment) installation onto it. BartPE is what the UBCD is built around, with the UBCD adding many more plugins and other tools to BartPE.

In order to do this, you will need the items listed below. I am going to mention the items needed to create the UBCD build as well.

  1. Follow the directions on how to build the UBCD4Win:
    1. A Windows XP CD, with at least Service Pack 1. I know that at BGSU, the bookstore is selling Windows XP on DVDs. I imagine that it really doesn’t affect the process, but don’t quote me on that. If your CD does not have Service Pack 1, you could slipstream the service pack into it and create a bootable CD.
    2. BartPE, UBCD4Win, and the UBCD4Win drivers, from the UBCD4Win download page.
  2. Download PeToUSB and extract it to a folder on your hard drive.

Now all that’s left is to follow the directions for building the UBCD4Win and then the readme file for Boot BartPE from USB, and eventually you’ll have a bootable USB ready to go. I personally used a 512MB Cruzer Titanium. The only downside was that I ended up with only 70MB free once everything was said and done. As UBCD4Win has more on it than BartPE, you could remove items you don’t need from UBCD4Win, or just use BartPE, to get more available room on the USB. Prior to placing UBCD4Win on the USB drive, I had placed BartPE on it, and it worked no problem.

Yes, not every computer out there can boot from USB, but most computers made in the last couple of years can. So, if you are going to be working on older computers, you should make sure you have an actual UBCD around.

Now I have a bootable version of Windows with me on my keychain wherever I go.

