Sorry Folks! I Rebooted the Mail Server and caused some Problems

Posted at 7:47:09 PM in Recovery (44)

Sorry about that. I was updating, or trying to update, the servers, and with so many people logging in during the workday, the repeated hits on the server while the authentication module was down showed up as failed login attempts from various legitimate addresses, and those addresses got blocked. When that happens, I recommend you check your IP address at http://www.whatismyipaddress.com and send me the IP address so I can check it.


Written by Leonard Rogers on Tuesday, October 31, 2017 | Comments (0)

Mozilla Thunderbird Can't delete emails

Posted at 6:07:51 PM in Recovery (44)

I had the weirdest experience today. I have some local folders (the ones no email address is attached to) where I dump and organize my spam and ham, and of course some ham gets mixed in, so when I retest the spam filters, sometimes the ham shows up in the spam folder (sorry for all the hammy spammy talk). So, I'm able to reclassify email in the spam folder, but I can't delete the ham. In fact, I can't move the ham. Can't get rid of it at all. Shutting down and restarting Thunderbird doesn't help, and I get the spinning wheel but nothing happens. Well, I have to get the ham out of the spam folder or I'll be training my Bayes filters incorrectly. I finally went to the folder settings and found where my local folders are being saved. I took a look at the trash folder and discovered, while manually deleting the files in the trash folder, that the main file there requires administrative permission to remove. Clue!

I deleted the file anyway, but I've found that when programs don't behave themselves, it's sometimes because they don't have the rights to make changes. It's part of the UAC (User Account Control) feature that came out after Windows XP. It was a pain in Vista and sometimes in Windows 7. Back in those days I'd disable UAC, but that became a problem, so I had to re-enable it. The fix I use now is to right-click the program icon and select "Run as Administrator." The program complains with a pop-up window asking for permission to run. In that mode it has the rights to access files it doesn't normally have when run normally.

The problem was probably fixed when I deleted the file that needed admin rights to remove, but I ran Thunderbird as Administrator anyway, in case there were other anomalies that needed fixing. I can now delete emails again.

Written by Leonard Rogers on Friday, March 6, 2015 | Comments (0)

RCVD_IN_XBL_SPAMHAUS_ORG

Posted at 11:51:41 PM in Recovery (44)

Spamhaus blacklists have gone bonkers. I'm seeing tons of false positives coming across with scores of 3.0 for RCVD_IN_XBL_SPAMHAUS_ORG and 3.3 for RCVD_IN_PBL.

These false positives appear to be coming from one chain in the mail relay servers. Or so I thought. When Gmail and Yahoo IP addresses are listed in the blacklists above, that creates a real problem. Both providers have extensive rules that prevent outbound mail abuse, so when Gmail and Yahoo show up in these blacklists, I think that should flag that there is a problem with the blacklist.

I prefer not to use blacklisted relays when they are in a chain. I also don't care if the sender's IP address is in a blacklist. I do care if the first server in the relay is blacklisted.

I am only a student of the internet, email and spam lists. It appears the first "Received: from" line identifies the originating device and the relay server it connected to.

Therefore, when the line continues [192.168.101.1] ([172.16.30.212]), the first address is the local device, in my case a laptop, and the second would be the relaying server. I noted that when the device has a reverse lookup pointer, it will show the name as well as the IP address in the square brackets.

I made up the IP addresses. I was researching where this block was coming from and found it difficult when there is no reverse lookup on the IP address. After some searching, I used itools.com/tool/arin-whois-domain-search to find who the block belonged to. In this case, it was a mobile phone company. I have noticed that most mobile phones will provide automatic setup for big-name providers like Gmail. If that was used, the relaying server should have been google.com, which isn't listed on the blacklist at the moment, but the mobile IP is.

I took out the relay checking when this first occurred, and after a week I was able to put it back on. However, on this investigation (6/7/2014), I left the relay checking in place. There is not much I can do when devices are not set up properly.

Written by Leonard Rogers on Thursday, March 27, 2014 | Comments (0)
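To make the Received-header reading in the RCVD_IN_XBL_SPAMHAUS_ORG post concrete, here is an added example in Python (not code from the post): it parses a constructed message's Received: chain oldest-first, pulls the two bracketed addresses off the originating hop, builds the reversed-octet query name a DNSBL expects, and applies the post's policy of ignoring the sending device's own address while testing the addresses the relays recorded. The DNSBL lookup is a constructed stub so the code runs offline, and zen.spamhaus.org is assumed as the zone name.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not a real capture). 192.168.101.1 stands for
# the phone, 198.51.100.77 for the address the carrier's relay recorded for
# it, and 203.0.113.5 for a public relay further up the chain; the last two
# are documentation ranges, never real hosts.
SAMPLE = (
    "Received: from relay2.example.net ([203.0.113.5])\n"
    "\tby mx.example.org with ESMTP; Sat, 07 Jun 2014 10:00:03 -0700\n"
    "Received: from [192.168.101.1] ([198.51.100.77])\n"
    "\tby relay2.example.net with ESMTPSA; Sat, 07 Jun 2014 10:00:01 -0700\n"
    "From: someone@example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Never routable on the internet, so a DNSBL can say nothing useful about
# them (RFC 1918, loopback, link-local); listed explicitly rather than via
# ipaddress.is_private, which also covers the documentation ranges above.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def received_chain(raw):
    """Received: values oldest-first, so index 0 is the originating hop.
    Each relay prepends its own line, so header order is newest-first."""
    msg = message_from_string(raw)
    values = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    return list(reversed(values))


def hop_ips(received_value):
    """Bracketed IPv4 addresses in one Received: line, left to right."""
    return IPV4_IN_BRACKETS.findall(received_value)


def originating_hop(raw):
    """(device_ip, recorded_ip) from the oldest Received: line, or None.

    For 'from [192.168.101.1] ([172.16.30.212])' the post reads the first
    address as the local device and the second as the relay it reached; in
    the header syntax the second is the peer address the receiving relay
    logged for the connection, which is the one worth looking up.
    """
    chain = received_chain(raw)
    if not chain:
        return None
    ips = hop_ips(chain[0])
    return (ips[0], ips[1]) if len(ips) >= 2 else None


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets and append the zone (assumed zone name); only the
    name is built here, no DNS query is sent."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def routable(ip):
    """False for addresses that cannot meaningfully be listed."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in UNROUTABLE)


def listed_hops(raw, lookup):
    """Apply the post's policy: skip the sending device's own address and
    test the address the first relay recorded plus every later relay.

    `lookup(query_name)` is injected so the check runs offline; a real
    deployment would resolve the name and treat an answer as a listing.
    Returns the (ip, query_name) pairs the lookup reported as listed.
    """
    candidates = []
    for index, line in enumerate(received_chain(raw)):
        ips = hop_ips(line)
        if index == 0 and len(ips) >= 2:
            ips = ips[1:]  # first address on the originating hop is the device
        candidates.extend(ips)
    hits = []
    for ip in candidates:
        if not routable(ip):
            continue
        name = dnsbl_query_name(ip)
        if lookup(name):
            hits.append((ip, name))
    return hits


def fake_lookup(query_name):
    """Constructed stand-in for a DNSBL resolver: pretends that only the
    carrier-recorded address from SAMPLE is listed."""
    return query_name == "77.100.51.198.zen.spamhaus.org"


if __name__ == "__main__":
    print(received_chain(SAMPLE))
    print(originating_hop(SAMPLE))
    print(listed_hops(SAMPLE, fake_lookup))
```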

Trillian Account is Constantly Offline

Posted at 7:04:55 PM in Recovery (44)

Just had an ongoing issue with Trillian. All of the other IM accounts I added were connecting except the Trillian account, which is required if you want to stay up-to-date. The Trillian account also publishes your other account settings so any Trillian device will be updated, so this connection is important.

The closest thing I could find to my problem was this post: http://help.trillian.im/discussions/windows/4399-why-am-i-in-offline-mode-and-how-can-i-repair-this

The last entry suggests checking the port. That user set it to 443, but that's where mine was already set.

To get to the port settings (and the password settings), go to the Trillian pull-down menu and select "Manage Accounts." Then click on the account name where it says <accountname> via Trillian. A window will open that allows you to set your password. There is also a button that says Disconnect/Connect and one that says Settings. In the settings screen, under the Server settings near the top of the page, I have "Use DNS to discover server" selected. The hostname is login.trillian.im, but I didn't set that. The port said 443, but that wasn't working. What I did was click the Reset button, which changed the port to 3158.

Once that new port number was present, I was able to connect Trillian again and was immediately notified that there was an update to be downloaded and installed.

Written by Leonard Rogers on Wednesday, January 15, 2014 | Comments (0)

Acronis Disk Cloning Issue with Windows 7

Posted at 12:50:28 AM in Recovery (44)

Had an issue with cloning a bad disk to a new replacement disk in Windows 7 64 bit. When I started the new drive, I got a message stating that there was no BOOTMGR. I've seen this before and knew all the data was there, but there are some hidden files that Windows 7 requires to boot, among them NTLDR and BOOTMGR; actually a whole sector of data didn't come over. I thought it was because these files were in an unreadable area of the old drive, so I wasn't too worried about it.

I found all the info I needed to fix the boot sector and get the new drive working on this site.

The solution that worked for me was added by Jesse Lohisto, so credit to him. tedka wrote a useful overview that includes Jesse's fix and all the run-around we got from the other posts. Here's tedka's post:

Jesse Lohisto deserves an MVP - he nailed it and his solution is spot on. No need to run anything else
bcdboot.exe C:\Windows /s C:
in command prompt fixed it for me first try and I've tried a whole bunch of other things including /FixMbr, /FixBoot, /RebuildBcd and wasted hours on what should have been a simple 30 min task swapping SATA for SSD.

I only wish I found Jesse's post sooner ...

Granted Acronis support should know this by now and at least should include this in Knowledge Base as #1 thing to check or even better add it directly into product.

bcdboot.exe can be run from the Windows 7 installation disk via the repair screen. Select Repair instead of Install, then choose to use the tools to fix the installed system; in that window there is a link to open the command prompt. On my system it came up on drive X. I changed the drive to C: and ran the bcdboot.exe line as listed above, and it worked out great.

Written by Leonard Rogers on Sunday, December 22, 2013 | Comments (0)

FBI Warning Malware Holding Computer Ransom

Posted at 8:53:26 PM in Recovery (44)

Just got another FBI warning message on a PC that had it before. My client said he got it from a web site and he knew when it started running. That by itself is unusual, because this type of virus usually slips in the back door.

The symptoms are that the entire screen is covered with an FBI warning that gives you information to get a money card and send 30 or 35 dollars through the screen. Of course that doesn't work either. The screen holds your PC ransom, blocking access to your menus, desktop icons or even the task manager. Trying to start in safe mode only reboots the PC. Recovery software that scans your hard drive from a bootable CD, like Avira or Windows Defender, doesn't report any problems. The first time, Avira did find the files in the My Documents directory, but I could never find out how that program was being launched.

Now, with this virus, I started poking around in the registry (there are several programs, both Linux and Windows bootable CDs, that will allow editing the Windows registry) and found a Shell entry in the user's registry hive, which is normally stored in the user's Documents and Settings sub-directory. The key is HKEY_USERS\software\microsoft\Windows NT\CurrentVersion\Winlogon; in the previous infection it used cmd.exe to launch the virus. This one used explorer,c:\documents and settings\<name>\Application Data\cache.dat.

After removing that line and renaming the cache.dat file (I don't remove them until I know it won't break anything), the FBI warning was gone.

Written by Leonard Rogers on Thursday, October 17, 2013 | Comments (1)
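The Winlogon Shell check from the FBI warning post, as an added example in Python (not the post's own procedure): it splits a Shell value into its comma-separated programs and flags anything that is not explorer.exe, which catches both forms the post saw (cmd.exe as a replaced shell, and a data file appended after explorer), and on Windows it also walks HKLM and every hive loaded under HKEY_USERS. The cache.dat path and key layout come from the post; the registry walk is assumed to run with administrative rights and does nothing on other platforms.

```python
import ntpath

# The shell Winlogon should launch on the systems described in the post.
EXPECTED_SHELL = {"explorer.exe"}

# Per-machine key; the same subkey lives under each loaded user hive in HKEY_USERS.
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def shell_entries(value):
    """Split a Shell value on commas. The infected value from the post,
    'explorer,c:\\documents and settings\\<name>\\Application Data\\cache.dat',
    yields two entries: the real shell and the appended payload."""
    return [part.strip() for part in value.split(",") if part.strip()]


def normalize(entry):
    """Reduce an entry to a lower-case file name with .exe added when it was
    omitted, so 'explorer', 'Explorer.exe' and a full path compare the same
    way. ntpath is used so Windows paths split correctly on any platform."""
    name = ntpath.basename(entry.strip().strip('"')).lower()
    if "." not in name:
        name += ".exe"
    return name


def suspicious_shell_entries(value):
    """Entries of a Shell value that are not the expected shell.

    Flags both forms the post encountered: a replaced shell ('cmd.exe')
    and a payload appended after the legitimate one.
    """
    return [e for e in shell_entries(value) if normalize(e) not in EXPECTED_SHELL]


def scan_loaded_hives():
    """Read Shell from HKLM and from every hive loaded under HKEY_USERS.

    Windows only: winreg is unavailable elsewhere, so an empty list is
    returned. Reading other users' hives needs administrative rights.
    Returns (location, raw value, suspicious entries) for each hit.
    """
    try:
        import winreg
    except ImportError:
        return []
    targets = [("HKLM", winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY)]
    index = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, index)
        except OSError:
            break  # no more loaded hives
        targets.append(("HKU\\" + sid, winreg.HKEY_USERS,
                        sid + "\\" + WINLOGON_SUBKEY))
        index += 1
    findings = []
    for label, hive, subkey in targets:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except OSError:
            continue  # no Shell value at this location, which is normal for users
        bad = suspicious_shell_entries(value)
        if bad:
            findings.append((label, value, bad))
    return findings


if __name__ == "__main__":
    for location, value, bad in scan_loaded_hives():
        print(location, "Shell =", value, "-> suspicious:", bad)
```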

Playing FLV files through the IIS Server on Server 2003

Posted at 12:07:22 AM in Recovery (44)

I moved my sites to a 2003 server I've been using mostly for email and ran into a problem where an FLV file was not found. The site owner hasn't noticed it since the move 2 months ago, but I'm working on the SEO organic reports and found several 404 errors.

I use flowplayer-3.1.5. The swf files flowplayer uses to display the video worked fine, but the actual video kept showing: 200, Stream not found, NetStream.Play.StreamNotFound, clip: '[Clip] in the flowplayer screen. When I tried to access the file directly, I got a 404 error, file not found. When I researched that, I found this for Server 2003 issues of this type.

Basically, Windows 2003 doesn't know what to do with that file type, so you have to tell it, though I don't know why it doesn't just open it as a text file or attempt to download it. The steps to fix it:

In IIS, open the properties for the IIS server

1. Select MIME Types (a button on my server).

2. Click New and enter the following information:

Associated Extension box: .FLV
MIME Type box: flv-application/octet-stream
Click OK.

3. Restart the World Wide Web Publishing service.

Written by Leonard Rogers on Sunday, July 21, 2013 | Comments (0)

Can't uninstall Carbonite

Posted at 7:02:31 PM in Recovery (44)

My Carbonite backup software stopped backing up on July 1, 2013. Checking the settings in the Carbonite software gave every indication it was working okay, except an odd backup counter that said my last backup was 49,675 days ago. If it wasn't for the notice from Carbonite that our backup hadn't been performed in 2 weeks, I would never have known to look into the problem. After I went into Services and restarted Carbonite, I finally got the message that an update was available (actually required, apparently).

Downloading and installing the update file only wreaked havoc. The service changed to disabled, and the icon on the desktop and the one in the system tray were both removed, but the installation kept breaking: Error extracting installation program, retry or cancel. It might have said unpacking instead of extracting. I couldn't uninstall Carbonite because there was no uninstall entry in Add and Remove Programs. So, I went about it manually and couldn't remove the Program Files folder for Carbonite because the files were still in use. It turns out the program using the files was explorer.exe. So I killed the process to see if it would let go of the DLL file, but every time explorer started, those files started also.

Killing the explorer process and restarting it again is about as close to rebooting as you can get without rebooting; you can restart it in the Task Manager by going to File, Run and entering explorer as the process you want to run. So, after I killed and restarted the explorer process, I tried the Carbonite install again and it worked this time.

A reboot would have worked just fine, but this runs on a shared machine and everyone would be using it until late at night. I didn't have the luxury of rebooting at the moment and had already missed a day. Now the number of days since the last backup correctly reflects 16 days, or since July 1.

Written by Leonard Rogers on Tuesday, July 16, 2013 | Comments (0)

Scanners and Cameras Windows 7

Posted at 2:44:41 PM in Recovery (44)

Where is the Scanners and Cameras icon in Windows 7? It doesn't appear to exist.

I changed a wireless printer from one network to another, and the PCs needed to be able to find it on the new network. With all the printers set to static addresses, this created a problem on the new network. The printer portion was easy: just change the IP address in the Port settings of the printer properties you need to change. But the scanner on the same printer isn't so easy. I looked for scanners everywhere and couldn't find it.

Then I found that if you just type the keyword scan into Search from the Start menu, under Control Panel you will see the Scanners and Cameras icon. It must be a sub-icon of another set, but I couldn't find it for anything. Once I found Scanners and Cameras in the search menu, I was able to open my scanner properties, select the Network tab and change the network settings for the scanner.

Everything fixed. 

Written by Leonard Rogers on Tuesday, June 25, 2013 | Comments (0)

Acer Aspire 5250-0639 LED issues

Posted at 5:33:26 PM in Recovery (44)

Acer is also making laptops with no hard drive activity indicator lights. I guess this is the new wave of laptops. Maybe the manufacturers think that no one looks at those lights, but we really do. If the laptop isn't working properly, every indicator we can get helps.

I also noted on this laptop that Caps Lock and Num Lock flash an image on the screen when pressed. This is not very useful when the screen isn't working or we're troubleshooting.

Written by Leonard Rogers on Wednesday, February 13, 2013 | Comments (0)

Dell Inspiron 1440

Posted at 9:25:27 AM in Recovery (44)

I don't know what Dell was thinking. Perhaps LED indicator lights are the next thing in cost savings. This laptop only appears to have one LED and a power light in the power button. It doesn't even have a charging light. Frustrating to troubleshoot, as there is no hard drive light to show there is any activity at all, no Num Lock light and no Caps Lock light.

Written by Leonard Rogers on Wednesday, February 13, 2013 | Comments (0)

Dell Vostro 220 with Windows Vista Business

Posted at 3:40:09 PM in Recovery (44)

I really never liked Vista, but I realize the reason it got such a bad rap was because vendors were selling Vista on machines made for Windows XP. Dell would sell Vista licenses and install Windows XP for you, which is one of the main reasons I buy from Dell. However, Windows XP is getting past its prime, and installing it back on a scrapped Dell machine is a problem without the media or a license key (product code). The Certificate of Authenticity on the Dell box has the Windows Vista key, and even though they "say" that Dell PCs are set up to automatically recognize and register with the correct key, I have run into instances where that didn't work. Since I deal with hundreds of PCs, I think it's probable that I mixed up the actual CD that came with the computer with another CD, even though it was the correct operating system.

Nevertheless, this PC was at the customer location and he didn't have any media, though I'm certain that I ordered it with Windows XP. I decided to go ahead with the install of Windows Vista since there was plenty of RAM in this machine. The install went really well (not) until I got to the network drivers. Vista recognized that the hardware was a Realtek RTL81XX Gigabit network card built into the motherboard. Funny thing though, the driver on the Dell support site (here) doesn't work on the Vista machines. It pops up with a message saying the driver doesn't support Vista. How disappointing!

So, I tried downloading a driver from the Realtek site (here), but when I tried to update the driver, it claimed that the driver I had was already up-to-date. So, back to the Dell site. I tried to download a previous version from the site, and found that no matter what driver you are downloading in that section, "previous version" just means some executable that remotely applies to this driver but was dated prior to the date of the driver you are downloading. If you look under previous versions, you will see a version 2.0.0.9, A03 and a 2.0.0.6, A02. The 0.9 A03 version is also listed on the front page as the diagnostic. I installed that only to find out that I wasn't even installing the correct software, and figured out (apparently) that the A## suffix groups similar drivers together. I was looking for 5.718, A01; the version that didn't work was 5.764, A01.

Before I got a chance to try the previous version, I found a link to HP's web site that had a Realtek RTL81XX Vista driver (here) and decided to try that. It worked great. Problem solved, no thanks to Dell.

Written by Leonard Rogers on Wednesday, November 21, 2012 | Comments (0)

Where's all the ODBC drivers in Windows 7???

Posted at 6:19:41 PM in Recovery (44)

New Windows 7 64 Bit installation and old programs. There is an excellent explanation on this web page, http://www.vistax64.com/drivers/168477-installing-32-bit-odbc-drivers-vista-x64.html, of why they don't show up. I read several accounts that said use c:\windows\sysWow64\odbc32.exe, which I didn't understand. I kept trying to find how to install it to run in the existing ODBC admin from the Control Panel, but didn't know I was already running that program; the problem is simply that both programs are named the same, one for 64 bit and one for 32 bit. So, just double-click the executable in that directory and you'll get a new ODBC admin tool that shows all the missing ODBC drivers.

Written by Leonard Rogers on Monday, September 24, 2012 | Comments (0)

Menu items disappear after unhide.exe restores hidden files

Posted at 1:20:02 PM in Recovery (44)

Luckily the missing menu items get moved to a location in the user's temp directory under c:\Documents and Settings\<user>\local settings\temp\smtmp. They usually show up in subfolders numbered 1 and 2. Nothing was in my 2 folder, but 1 had all the menu items.

Check this link: http://www.thecomputergroup.com/blog/how-to-restore-missing-desktop-icons-and-start-menu-items-after-malwarevirus-infection#comment-903

Written by Leonard Rogers on Thursday, August 2, 2012 | Comments (0)

Windows XP Programs Run but don't show on the Desktop

Posted at 3:32:40 PM in Recovery (44)

This computer had several bugs and virus issues, but the problem wasn't a virus. The symptoms were a blank desktop with no mouse, but the task bar displayed with the Start button, and the Start button would respond to keyboard commands; however, none of the programs that showed on the task bar showed up on the screen. Therefore, screen properties (which doesn't show an icon on the task bar) wouldn't appear in the viewable area in order to make or view any changes. Safe mode worked fine, however. All the icons and all the programs worked fine in safe mode. Resetting the video in safe mode did not help. In fact, safe mode didn't show the actual configuration of the video settings that were in use in normal mode.

I scanned for viruses in safe mode and found several and removed them, but this didn't fix the problem. What I noticed was that the mouse would disappear off the left side of the screen, and when moving it back to the right again, it would take some time before it appeared. This indicated to me that there was additional desktop real estate that I couldn't see. To test this, there was a program running on every boot (I had used msconfig to disable everything that wasn't Windows), and I couldn't see that program's window. I assumed it was behind an active desktop virus that was hiding it. So I tried moving it. It runs in a window by default, so I just pressed Alt-Space and then M (Move) and used the arrow keys to move the window to the right. The window area showed up, and every time I selected an option, it'd snap right back to the left. The options worked; the dialog boxes requesting the next step, such as reboot now, popped back to the center of the screen off to the left. Obviously, the screen was in dual monitor mode and the screen I was looking at was not the primary monitor, though I am puzzled about why the taskbar and Start button showed up on the single monitor I was using.

The move command as I used it here worked on the properties window for the desktop, and I was able to move it into the visible area. On the Settings tab, there were two monitors and they were extended. I just needed to select the monitor where I could turn off the extending function, then select the monitor I had plugged in as the primary monitor, and the problem was fixed.

Written by Leonard Rogers on Wednesday, July 11, 2012 | Comments (0)

logmein and Windows 7 remote desktop fails

Posted at 10:02:31 AM in Recovery (44)

Brand new laptop right out of the box with Windows 7 Home Premium, and we cannot connect to the remote PC. The message is connection refused in Chrome, and IE 9 shows no information without expanding the details link. However, under that link, there is a message stating that if you're using an HTTPS connection, check out the security section in Internet Options under the Advanced tab.

Apparently, new IE 9 installs only have TLS 1.0, SSL 2.0 and SSL 3.0 enabled. I don't know which is required for logmein to work, so I enabled all of them: SSL 1.0, TLS 1.1 and TLS 1.2. We are now able to connect to the remote desktop.

Written by Leonard Rogers on Wednesday, July 11, 2012 | Comments (0)

Moving or Copying files to Server takes Forever or Network timeout

Posted at 3:18:02 PM in Recovery (44)

Recently had a server with a brand new drive upgrade. While the server was down, everyone continued using the internet through our Comcast business class router. Being the wonderful IT guy that I am, naturally I think I'm the only one who's right and that installation teams are stupid and just do what they were taught in school, no matter how wrong it is.

The server is a Windows 2000 Domain with only one domain controller. Active Directory Services is installed, and DNS and DHCP services are also utilized (pretty much a basic domain controller setup). After the upgraded drive was installed, which should have given us huge performance improvements, the server started hanging about every 15 to 30 seconds. It would freeze, then start again. Everything was sticking. During the normal course of working on the server, opening dialog boxes such as Network Properties and Control Panel would click, hang for several seconds, then open and continue for another 15 to 30 seconds before it would hang again. This really was quite annoying. There were no processes eating up CPU, and the memory usage was well below available RAM. There were also no system or application log errors that would account for the problem.

Our first really big indication came when moving files back to the server. We have several files that are in excess of 300MB. All of the files would start out fast, then hang and take forever to finish. Large files would hang and disconnect with a network error. This certainly seemed like a network issue, but we didn't change anything on the network. Ping times were all less than 10 msec. So I started suspecting the new hard drive was the problem, but it wasn't.

Active Directory Services depends on all clients, including the DC (domain controller) itself, looking to the DC for DNS activity. This is mostly for SRV records that play no role on the internet, but also for general client location. If the clients are not looking to the DC for DNS, the network gets flooded with requests looking for a DC to answer, and there isn't one to be found. The entire network falls apart. I know this is probably an oversimplified description and it may not be 100% accurate, but the basic concept is: if the clients (including the server itself) are not looking to the DC for DNS lookups, then the network will fall apart.

When the server was down for the drive image and installation, all the workstations picked up new IP addresses from the Comcast router. Normally, if there are 2 DHCP servers on a network, one will fail to allow the other to assign addresses. Occasionally, both will fail in favor of the other. My experience has been that Microsoft's DHCP will fail. Why is this important? It's not the DNS server. DHCP assigns the information to the clients that tells them where to find the DNS server, among other things. When the workstations (clients) got the IP information from the DHCP server on the Comcast router, it pointed to itself for DNS services, and thus all the clients were spraying lookups everywhere but the right place. To temporarily fix this on the workstation the files were being transferred from, I set a static IP address with the correct DNS information.

My arrogance at the beginning comes only because Comcast set up their router. Of course, they set it up with the DHCP service started, because that's what they are taught to do. In most residential situations this is acceptable, but in a business environment, having the router assign addresses is a catastrophe in an Active Directory network. A lot of my most irritating problems come from people who can't think outside the box or don't know how to. That being said... I have my own box that I'm stuck in.

Written by Leonard Rogers on Tuesday, June 26, 2012 | Comments (0)

Allway Sync removal

Posted at 9:53:53 AM in Recovery (44)

Allway Sync is a (sort of) free program to synchronize the files on two hard drives. It does, however, have a limit in its free version. When doing a backup of your computer, the entire C drive, the software complains that you are synchronizing too many files for private use. So using it to schedule file synchronization is useless. There is no information on how many is too many. Just the iTunes directory should be plenty.

So, I wanted to uninstall the product, but it kept complaining it was running. It's not easy to find. The process running Allway Sync isn't named Allway. Look in the Task Manager for a process named SyncAppw.exe. Kill that and you can uninstall the software.

Written by Leonard Rogers on Friday, May 18, 2012 | Comments (0)

CONVERT9.WIZ: BC.Exploit.CVE_2012_0142

Posted at 8:45:14 AM in Recovery (44)

If you have Office 2000 installed and are using Clamwin for virus protection, this is a new false positive that just popped up today. I've already analyzed the file and submitted it to Clamwin for review.

Check this site for both review and submission: http://www.clamwin.com/content/view/40/27/ 

Written by Leonard Rogers on Saturday, May 12, 2012 | Comments (0)

MacBook Air and Airprint; serious wireless connection issues

Posted at 4:04:52 PM in Recovery (44)

MacBook Air and iPhone have serious WiFi connection issues when using Airprint. Both seem to work fine surfing the internet and getting email, but when you need to print, the printer just doesn't seem to be there. The MacBook Air can see the printer, but nothing ever comes out. It just sits and spins and spins. One solution people try is to restart the printer. I have connected regular PCs to the wireless printer as well and they seem to work fine (but they aren't using Airprint). But the problem isn't with the printer or the network. MacBook Air, iPad and iPhone all have issues staying connected to Airprint printers.

The problem is easy enough to solve with a work around, though it is annoying. Simply click on the WiFi connection on the top system bar and turn off the WiFi service, then turn it back on and that's it. Annoying, but it works. 

Written by Leonard Rogers on Thursday, May 10, 2012 | Comments (0)

chrome.dll: W32.Virut.Gen.D-148

Posted at 4:41:40 PM in Recovery (44)

Clamwin is reporting chrome.dll: W32.Virut.Gen.D-148 and chrome.7z: W32.Virut.Gen.D-148 as viruses when they are not. Please see this link, as it seems these two files keep going in and out. I monitor several PCs and find it way too frustrating to go in and filter this false positive out on every PC. But I get a report from each PC that it has this virus, which is quite annoying. It seems that the database admins for Clamwin are making an effort to fix this, but it still keeps appearing almost daily.

Written by Leonard Rogers on Wednesday, May 2, 2012 | Comments (0)

IE8 displays pages in mobile mode

Posted at 7:14:07 PM in Recovery (44)

We had one IE 8 browser that refused to show certain web sites in anything other than mobile mode. When the same site was tested against every other IE 8 browser in the office, the page showed fine. I found one site that suggested it might be the Creative Software Autoupdate program, which fixed the problem when uninstalled. The PC we had this problem on didn't have Creative Software Autoupdate or any Creative devices or software installed.

Another site suggested that the headers might be overlong. I followed the link to http://www.enhanceie.com/ie/troubleshoot.asp, which showed several very long headers and explained where to find the entries in the registry.

These were the registry key locations: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

The keys were not in the format that I expected. They are not long strings, but rather separate value entries. I believe, based on the enhanceie web site, that IE concatenates the entries to form the User-Agent string. Here's a screen shot of the registry.

Not all keys have the same values. In the problem we had, the entry that caused the problem was only in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform

and contained one value, TabletPC2.0. Once I removed that entry, closed all the Internet Explorer windows and reopened the site we were having problems with, it worked perfectly.

Written by Leonard Rogers on Thursday, February 16, 2012 | Comments (0)

QooBox and BackEnv Permission denied

Posted at 7:08:10 PM in Recovery (44)

Couldn't delete the BackEnv folder from inside the QooBox folder, which I understand is created by Combofix. I found several posts that suggest using some other application to delete the folder, but I found it was a simple Windows security issue. Here's what I did:

1. Right-click on BackEnv and select Properties.

2. Select the Security tab (it isn't available in Home versions, but if you have the Pro version and that tab is missing, change your folder options and clear Use Simple File Sharing under the View tab).

3. You will note you have Full Control. Click the Advanced button. Note that the first entry is a Deny for Everyone.

4. Clear "Allow inheritable permissions from parent". When it asks whether to copy or remove, select Remove.

5. Add the Administrator account for the PC. You will not be able to save this change just yet.

6. Select the Owner tab and take ownership using the Administrator account. Then go back to Permissions, select "Replace permission entries on all child objects" and click OK.

You should now be able to delete the folder without any problem.
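The same six steps can be done from an elevated PowerShell prompt with the built-in takeown.exe and icacls.exe. This is an added example, not something from the original post; it assumes Windows Vista/7 or later (those two tools are not on a stock XP install), that the folder is at C:\QooBox\BackEnv, and that the group name Administrators is the English one.

```powershell
# Added example, not from the original post. Take ownership of a folder that
# ComboFix left protected by Deny ACEs, reset its permissions and delete it.
# Assumes an elevated prompt on Vista/7 or later and the path below.
$target = 'C:\QooBox\BackEnv'

if (-not (Test-Path -LiteralPath $target)) {
    throw "Path not found: $target"
}

function Show-Acl([string]$path, [string]$label) {
    # Deny entries sort first, which is the same clue the GUI steps point at.
    Write-Host "ACL $label for $path"
    (Get-Acl -LiteralPath $path).Access |
        Sort-Object AccessControlType |
        Format-Table AccessControlType, IdentityReference, FileSystemRights, IsInherited -AutoSize
}

Show-Acl $target 'before'

# Step 6 first: take ownership recursively and give it to the Administrators
# group (/A); /D Y answers the prompt for subfolders we cannot yet list.
takeown.exe /F $target /R /A /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Steps 3-4: discard the explicit ACL (including the Deny for Everyone) on the
# folder and everything under it (/T) and fall back to inherited defaults.
icacls.exe $target /reset /T /C /Q | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /reset returned $LASTEXITCODE; some entries may remain" }

# Step 5: make sure Administrators has Full Control, inherited by children.
icacls.exe $target /grant 'Administrators:(OI)(CI)F' /T /C /Q | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /grant returned $LASTEXITCODE" }

Show-Acl $target 'after'

# Now the delete goes through.
Remove-Item -LiteralPath $target -Recurse -Force
if (Test-Path -LiteralPath $target) {
    throw "Delete failed; check for open handles on files under $target"
} else {
    Write-Host "Deleted $target"
}
```

The "before" listing is worth keeping in the session log: it records the Deny entries that made a folder the administrator owned undeletable, which is the fact to check first whenever a cleanup tool's leftovers refuse to go away.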

Written by Leonard Rogers on Wednesday, February 15, 2012 | Comments (0)

BC.Exploit.CVE_2011_3412 clamwin (false positive???)

Posted at 2:33:23 PM in Recovery (44)

Got several virus alerts from ClamWin on several old .xls files. Looking up the signature, it appears to have been a false positive last year; see this post: http://forums.clamwin.com/viewtopic.php?t=3396. A little research shows that CVE-2011-3412 is a Microsoft Publisher vulnerability exploited by e-mailing crafted Publisher files to victims, per NIST (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3412). I'm not sure whether such code would execute from an Excel file at all, but ClamWin is flagging a pattern it believes belongs to this exploit.

Written by Leonard Rogers on Saturday, February 4, 2012 | Comments (0)

Windows 7 Lost the Menus After Virus

Posted at 2:48:57 PM in Recovery (44)

I lost the right side of the Windows 7 Start menu. All the program shortcuts showed up, but Documents, Pictures, Music, Connect To, Control Panel, Devices and Printers, Default Programs and Help and Support didn't show. The %temp%\smtmp folder was present, but all the shortcuts in it had already been restored.

I restored the right side of the menu by right-clicking the Start button and selecting Properties, then the Customize button on the Start Menu tab. At the bottom of the Customize Start Menu dialog is a "Use Default Settings" button. I clicked that, then OK and Close, and all the right-side options showed again.

Written by Leonard Rogers on Tuesday, January 17, 2012 | Comments (0)

consrv.dll virus

Posted at 2:35:10 PM in Recovery (44)

I have a Windows 7 64-bit laptop that had a virus; obviously, since it hid all the icons on the desktop and the files. I ran unhide, Malwarebytes and TDSSKiller and thought I had got rid of it. But a new virus popped up a couple of days later, so I knew there had to be a rootkit that wasn't discovered before. When I ran ESET's online scanner, I didn't clear the check mark and it removed the infected file. Unfortunately, I can't get back into it. I'm certain the registry thinks that file is required at startup. It boots, tries to repair, then boots and tries to repair.

I am able to get in using a Windows PE boot disk, and I can get in using the Windows 7 startup disk, but I have no idea what I'm looking for. The file that was removed, as it shows in the ESET log, is C:\Windows\system64\consrv.dll. It says it's a Win64/Sirefef.E trojan. The file is no longer in that directory. ESET cleaned by deleting (quarantined).

This was a post I had placed to get help repairing the registry so I could get back into the laptop after ESET had quarantined the consrv.dll file. When this file was removed, it prevented access to the laptop and kept asking to repair the Windows 7 installation. That process failed with a message that any new hardware or software should be removed and try again. This wasn't very easy to do since I had no access to the PC, except through Windows PE.

Through Windows PE, I was able to load the hive from the laptop's system32\config directory. The Windows 7 registry is a little confusing now. There appear to be a couple of files named SYSTEM and one named SYSTEM.LOG2. One of the files named SYSTEM is only 1K; the actual registry is a much larger file. When loading an external hive there is no CurrentControlSet, so I had to edit both ControlSet001 and ControlSet002.

Open the loaded hive at ControlSet001\Control\Session Manager\SubSystems and, in the value named Windows, look for the string ServerDll=consrv:ConServerDllInitialization,2. That entry makes csrss.exe load the consrv.dll trojan as a subsystem server DLL; once the file has been removed, csrss fails to start and you can't get back into the OS. Change consrv to winsrv (the legitimate server DLL) and reboot. Make sure to change both ControlSets.
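As an added example (not from the original post), the same edit done from a PowerShell prompt rather than regedit: it loads the offline SYSTEM hive, reads the Windows value in every ControlSet without expanding %SystemRoot% (if it were expanded, WinPE's own X:\windows would be written back into the laptop's hive), swaps consrv: for winsrv: where present, and unloads the hive. It assumes the laptop's Windows volume is mounted as D: inside WinPE, that the WinPE image includes the PowerShell component, and that the session is elevated; the mount name OfflineSYSTEM is arbitrary.

```powershell
# Added example, not from the original post. Repair the Session Manager
# SubSystems "Windows" value in an offline SYSTEM hive after consrv.dll
# (the Sirefef server DLL) has been removed. Assumes a WinPE/rescue session
# with PowerShell, the laptop's Windows volume mounted as D:, and admin rights.
$hivePath  = 'D:\Windows\System32\config\SYSTEM'
$mountName = 'OfflineSYSTEM'     # arbitrary name for the loaded hive under HKLM

& reg.exe load "HKLM\$mountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hivePath (exit $LASTEXITCODE)" }

$patched = 0
try {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($mountName)
    # Offline hives have no CurrentControlSet, so visit every ControlSetNNN.
    foreach ($setName in ($root.GetSubKeyNames() | Where-Object { $_ -like 'ControlSet*' })) {
        $subKey = $root.OpenSubKey("$setName\Control\Session Manager\SubSystems", $true)
        if ($null -eq $subKey) { continue }

        # Read the raw REG_EXPAND_SZ. It starts with %SystemRoot%; letting it expand
        # here would write WinPE's X:\windows back into the laptop's hive.
        $raw = $subKey.GetValue('Windows', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        Write-Host "$setName : $raw"

        if ($raw -match 'ServerDll=consrv:') {
            $fixed = $raw -replace 'ServerDll=consrv:', 'ServerDll=winsrv:'
            $subKey.SetValue('Windows', $fixed, [Microsoft.Win32.RegistryValueKind]::ExpandString)
            $patched++
            Write-Host '  patched: consrv -> winsrv'
        } else {
            Write-Host '  no consrv reference; left unchanged'
        }
        $subKey.Close()
    }
    $root.Close()
}
finally {
    # Drop the key handles first, otherwise 'reg unload' fails with "access denied".
    [GC]::Collect()
    & reg.exe unload "HKLM\$mountName" | Out-Null
}
Write-Host "Patched $patched ControlSet(s)."
```

The raw read is the part regedit gets right for you and scripts get wrong: Get-ItemProperty returns REG_EXPAND_SZ values already expanded, so writing one back from a rescue environment would silently change the csrss.exe path to the rescue system's root and leave the machine just as unbootable.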

Written by Leonard Rogers on Tuesday, January 17, 2012 | Comments (3)

IE8 Internet Explorer 8 search provider selection

Posted at 2:44:07 AM in Recovery (44)

Recently I had several clients with issues where the search provider selection site did not scroll. IE8's search provider page lists several search engines alphabetically that you can select from. With this error, only the top 2 search engines show and the list does not scroll. I recently had this problem myself when I downgraded from IE9, because that version seems to have issues with Java. After uninstalling IE9, IE8 would not allow me to select the search provider I wanted.

I found an alternative method, which was to use the site's search box to narrow down the options, but when I managed to get the one I wanted to show, I got an error message that the provider could only be added to IE8 or IE9. I was using IE8, and I used that error to find the solution. It appears that the uninstall leaves IE8 in Compatibility View for every site. Open Tools / Compatibility View Settings and clear "Display all websites in Compatibility View". Compatibility View makes IE identify itself as IE7, which is why the site refused. After clearing this check, the scrolling list of search providers showed correctly and I was able to add the one I like.


Written by Leonard Rogers on Monday, November 21, 2011 | Comments (0)

Peachtree 2012 and GotoMyPc Printer

Posted at 8:59:30 AM in Recovery (44)

We recently installed Peachtree 2012 on a PC that we access remotely with GoToMyPC. I'm not sure whether the new Sage Peachtree Remote Access feature, which uses GoToMyPC, removed the GoToMyPC printer or not, but right after we installed Peachtree 2012 the GoToMyPC printer disappeared and we were unable to print remotely. The problem was fixed after I called GoToMyPC, who directed me to be at the computer that is the GoToMyPC host and not in a remote session, then to open the browser and go to gotomypc.com/uninstall.tmpl. This page provides a reinstall option which is not in Add and Remove Programs for GoToMyPC. Reinstalling added the GoToMyPC printer back without losing the login credentials for the host PC.

All fixed and ready to go.

Written by Leonard Rogers on Friday, November 18, 2011 | Comments (0)

mapi was unable to load the information service mspst.dll Outlook 2007

Posted at 3:00:37 PM in Recovery (44)

During a recent job, I created another user profile with the intent that the second profile would use Outlook with different email credentials. However, during the setup process, Office 2007 failed with several errors. Then when I rebooted and started Outlook again, I got the error "mapi was unable to load the information service mspst.dll".

First off, there is no mspst.dll. The file causing the problem in my case was mspst32.dll. Several links suggest that it is in the system32 directory, but that's not the case; it's actually in Program Files\Microsoft Office\Office12\. There are several comments that reinstalling didn't help, or that in some cases it did. There is also the Common Files directory, which holds the MAPI settings for Microsoft mail in \Common Files\System\MSMAPI\1033, and one thought was to rename the msmapi32.dll file in there. That does cause Outlook to reinstall that file, but it didn't fix the problem.

I downloaded a bogus copy of mspst32.dll (by bogus, I mean a file offered by a .dll download site) into the system32 directory, but that didn't change anything. Finally, when I realized that there was a copy in the Program Files directory, I deleted the one I had copied into system32 and renamed the one in the Program Files directory. Outlook reinstalled the correct version of mspst32.dll and started up fine. (A DLL from a download site is unverified code of unknown origin dropped into a system directory; letting Office's own repair replace the file, as happened here, is the safe route.)

This problem forced me to troubleshoot it through to a solution because the corrupted mspst32.dll file also broke Outlook for all users on that PC. I didn't want to reinstall because I'd lose the user settings. Once the correct mspst32.dll was in place again, both accounts worked without further problems.


Written by Leonard Rogers on Thursday, November 10, 2011 | Comments (2)

hello4 and Blankwindow2 virus issues

Posted at 5:38:51 PM in Recovery (44)

I just received a laptop that had a virus on it. At first it appeared to be the standard rogue antivirus that displays a message such as "Windows Antivirus 2012 has found 34 problems on your PC". That type isn't hard to get rid of, but after removing it I started getting pop-up windows that said hello4 and blankwindow2. I could also tell a process was continually spawning new processes. When I looked in Task Manager, I found several ILO.exe programs running and new ones spawning. I couldn't stop them, so I rebooted. Then I got the message that hello4 wasn't responding and I couldn't shut down Windows. I forced it off by holding the power button down for 10 seconds.

All my work from this point was done in Safe Mode. I ran Malwarebytes' Anti-Malware, which required an extensive update. (Note: any installation from before June 2011 downloads the updated signatures and then a 9 MB file which is a new release of Malwarebytes, I believe version 1.51.1. This new version offers a trial of the full version and also tells you how old the signature database is.) After the update completed, it required a reboot, which I didn't want to do, but I got an error that it couldn't connect to the internet, so I did the reboot anyway. After the reboot, the Malwarebytes icon lost its picture and appeared to be an empty link. Then I checked the properties and used Find Target, which took me to the correct location, but there I found two mbam.exes: one had a space between the mbam and the .exe, and that one had the icon.

I ran Kaspersky's TDSSKiller and removed 2 rootkits. Installed Malwarebytes again and ran it, removing 5 infections. Then I rebooted the machine and got infected again right away. This time I ran ComboFix and was alerted that I might have the Virut virus, which I've run across before and which required that I wipe the hard drive and start over. Viruses that put a blank between the original file name and the .exe are very hard to find on the internet; in fact, I found it by searching for hello4. The writer there was very helpful, stating that the infection came back because all the programs that run at startup had been renamed, just as I found mbam.exe had been renamed. Apparently, there was a rootkit that renamed any program that was run, which would include all of the startup programs and any that I ran to try to fix the problem, including ComboFix. He said he looked for all the .exe programs and renamed them back to the way they were before, since the program renames them and leaves the original in the same directory. I modified my search to all .exe's created on the date of the infection or later.

During the process, one of my reboots was in normal (non-safe) mode because I thought I was clear. AVG's Resident Shield showed nearly every necessary startup file as infected. This also led me to believe the renaming process is just as the users on this forum described: http://forums.g4tv.com/showthread.php?t=164532

Since ComboFix won't run with AVG installed, I uninstalled it amidst all the pop-ups from Resident Shield and went back into Safe Mode (it is possible to remove AVG with the AVG remover while in Safe Mode, but I wanted to see if I was clear of the virus and check AVG at the same time; with the virus still there, I uninstalled it so I could use ComboFix). After getting back into Safe Mode, I went through all the .exe's that had been modified since the infection and cleaned those up. I did find that one registry entry had not been modified: it had some switches following the .exe portion of the entry. Apparently the malware author just performed a rename without checking whether the value was a bare file name or had parameters. Then I ran ComboFix and discovered yet another rootkit and removed several files, including the xlo.exe file which I had renamed.
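The search the forum poster described (find every .exe renamed with a space before the extension, check whether a same-named file has taken its place, and see whether a Run key now launches the impostor) as an added PowerShell example, not code from the original post or the forum it cites. The scan root, the infection date, the quarantine folder and the $fix switch are assumptions; as written it only reports, and nothing is moved or renamed until $fix is set to $true.

```powershell
# Added example, not from the original post or the forum it cites. Hunt for
# executables renamed with a space before ".exe" (the "mbam .exe" pattern),
# pair each with the file now holding the original name, flag Run-key entries
# that launch them, and optionally quarantine the impostor and restore the name.
# Assumptions: scan root, infection date, quarantine folder; run as admin in Safe Mode.
$scanRoot   = 'C:\'
$since      = Get-Date '2011-08-01'
$quarantine = 'C:\Quarantine'
$fix        = $false   # set to $true to quarantine and rename

$renamed = Get-ChildItem -Path $scanRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match '\s+\.exe$' }

$findings = foreach ($orig in $renamed) {
    $cleanName   = $orig.Name -replace '\s+\.exe$', '.exe'
    $replacement = Join-Path $orig.DirectoryName $cleanName
    if (-not (Test-Path -LiteralPath $replacement)) { continue }
    $rep = Get-Item -LiteralPath $replacement -Force
    New-Object PSObject -Property @{
        Original       = $orig.FullName           # the renamed, presumably clean, file
        Replacement    = $rep.FullName            # the file that took the original name
        ReplCreated    = $rep.CreationTime
        ReplSizeBytes  = $rep.Length
        NewSinceInfect = ($rep.CreationTime -ge $since)
    }
}

$findings = @($findings)
if ($findings.Count -eq 0) {
    Write-Host 'No "name .exe" / "name.exe" pairs found.'
    return
}
$findings | Format-Table Original, ReplCreated, ReplSizeBytes, NewSinceInfect -AutoSize

# Startup entries: the rootkit also rewrote Run values, so look for commands that
# reference either a renamed path (space before .exe) or one of the impostors.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # provider metadata, not a value
        $cmd = [string]$prop.Value
        $hitsImpostor = $findings | Where-Object { $cmd.IndexOf($_.Replacement, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        if ($hitsImpostor -or $cmd -match '\s+\.exe(\s|"|$)') {
            Write-Host "Run value '$($prop.Name)' in $key -> $cmd"
        }
    }
}

if ($fix) {
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    foreach ($f in $findings) {
        $leaf = Split-Path -Path $f.Replacement -Leaf
        $dest = Join-Path $quarantine ($leaf + '.' + [Guid]::NewGuid().ToString('N') + '.quarantined')
        Move-Item -LiteralPath $f.Replacement -Destination $dest -Force
        Rename-Item -LiteralPath $f.Original -NewName $leaf
        Write-Host "Quarantined $($f.Replacement) as $dest and restored $leaf"
    }
}
```

The NewSinceInfect column is the discriminator the post relied on: a replacement created after the infection date next to an older "name .exe" is the pattern to act on, while a pair where both files predate the infection is probably an unrelated leftover. The impostors go to a quarantine folder rather than being deleted so they remain available for a scan or a hash lookup.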

I read further through the information on the link I provided. A couple of people suggested using SUPERAntiSpyware. It's the first time I've used this product, but I ran it just to be safe. It did find additional infections and removed those as well.

For now, this machine looks like it's working clean.

Note: the virus is still present on the PC. After booting clean and installing AVG, several programs popped up with Resident Shield detecting a virus, Win32/Katusha.A. I can't find any info on it. The files flagged as infected were iPodService.exe, RegSrvc.exe, NicConfigSvc.exe, MDM.exe, jps.exe, iDriverT.exe, mDNSResponder.exe, AppleMobileDeviceService.exe, WLKEEPER.exe, S24EvMon.exe, EvtEng.exe and some game programs. I ran SUPERAntiSpyware after the AVG updates completed. It ran all the way through, then closed automatically without letting me make any selections. When I tried to run the program again, it was unusable and the icon had changed to an empty link.

Frustrating.

Written by Leonard Rogers on Tuesday, August 9, 2011 | Comments (0)

Windows update options greyed out

Posted at 11:23:23 PM in Recovery (44)

I had to do an update on a Windows XP PC. The system was still running SP2 and IE6. My task was to install SP3 and then all of the updates; I was especially looking for IE8. I like to install SP3 before installing IE8.

This time, when I finished with the updates, the Windows Update options were grayed out and Automatic Updates was enabled. Sometimes after a Windows update Automatic Updates gets switched on, but this time I couldn't modify that selection.

When I finished the manual update, I had two reboot messages: one from the automatic update and one from the manual update I was just finishing. It seems the software should be able to figure out that I'm doing a manual update and stop the auto updates from happening, but that's not the case.

I looked at this site, which suggested registering the wuaueng.dll file after checking that the Automatic Updates service is running. When I registered the DLL it would stop the service, and when I started the service again the options were still grayed out. I did check the user's rights on that PC login and found they were in the Administrators group, so that wasn't the problem.

After looking at that info, I went to this site, which suggested changing some registry settings. That was what I was looking for, and it worked for me.

Written by Leonard Rogers on Wednesday, June 15, 2011 | Comments (0)

GOTOASSIST unattended services appears to be disconnected

Posted at 10:44:13 AM in Recovery (44)

I had a problem where several of my remote support clients' unattended support suddenly shut down. They appeared in my list of unattended computers as being offline. Most of these issues occurred on Microsoft servers; I don't know if that might be part of the issue. On the server itself, the golden clover had a red X on it, indicating that there was no connection to the internet.

To fix this, I right-clicked the clover in the system tray and selected Exit. Then I started services.msc and scrolled down to the GoToAssist service. It showed it was running; I believe it was running because I had started a GoToAssist session from the regular attended setup. My problem was that I couldn't set up another unattended session. So I stopped the service, which booted me out of the attended session, and then started it again. That placed the gold clover back in the system tray and the machine showed up in my list of unattended computers again as being online.

Written by Leonard Rogers on Friday, May 6, 2011 | Comments (0)

Vista run CMD as administrator from the Task Manager

Posted at 8:23:32 AM in Recovery (44)

One of the big problems I run into when troubleshooting Vista is trying to run CMD as administrator. There are tons of ways to do it if everything is running okay, but I sometimes find myself locked out of the normal Start button or menu and have to start programs from Task Manager. When you do this by simply running CMD, certain commands such as chkdsk /f will not work, as they require administrator access. So how do you start CMD as administrator?

If you can start Task Manager and use New Task (Run)..., click the Browse button. CMD.exe is located in the system32 directory. Locate the program and, from within the browse dialog, right-click the icon and select Run as administrator. The task will run, but the browse dialog will not close. Then you can run diagnostic apps such as chkdsk.

Written by Leonard Rogers on Saturday, April 30, 2011 | Comments (1)

You cannot use Peachtree right now ...

Posted at 12:34:55 AM in Recovery (44)

The error message from Peachtree Accounting states "You cannot use Peachtree right now because the serial number(s) you have (###) are already in use by the maximum number of computers... Try logging on again." Running through the steps recommended by Peachtree, i.e. deleting the .lck files, the 4 access .dat files (which I really don't get why they'd have anyone delete) or the *.ptl files, only resulted in a new error message: "You cannot access Peachtree right now. Please reboot and try again."

The problem on my PC was that the .NET 2.0 files had been deleted. Perhaps this took place when I installed software that wanted the .NET 4.0 files, or when I intentionally upgraded my .NET. For whatever reason, all the files were missing from this path: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790. The missing files were System.EnterpriseServices.Wrapper.dll and System.EnterpriseServices.dll. The latter is one that Peachtree specifically looks for; if it's missing, you will not log out of Peachtree properly, nor will you be able to log in.

I was able to recover the files from C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 by simply copying them from that directory to the one listed above.

Now to find out why the SSN tax values are not calculating correctly.


Written by Leonard Rogers on Friday, April 29, 2011 | Comments (0)

Update on SR5 update and corrected tax tables

Posted at 7:53:34 AM in Recovery (44)

Just an update on the Peachtree SR5 update... After I installed the update, Peachtree completely crashed. I don't know if it was SR5 that did it or not, but there was nothing I could do to get any Peachtree product to work on the original workstation. I finally had to install Peachtree 2010 on a new PC in order to get back to work. The data was fine; I was able to bring it over from the corrupted PC and use it, but the tax calculation for Social Security withholding is still not correct. Peachtree 2010 doesn't have an SR5 update, so I'm left holding the dirty end of the stick again.

I believe the tax issue is in the data, which was updated incorrectly. It appears the only way to fix it is to make a new company and import the data from the old company database. There are a couple of ways to do that. I will report if any of it worked for me.

Written by Leonard Rogers on Thursday, April 28, 2011 | Comments (0)

SQL Connection issue Vista to SQL 2005

Posted at 8:12:55 AM in Recovery (44)

Just had an issue where Vista Home Premium could no longer connect to SQL Server 2005 on a remote server after a weekend Microsoft update. The error that kept coming back was that the server could not be found. I at first thought it was a firewall issue, but being told that a recent Windows update had been performed, I decided to look into that.

The application that uses the SQL 2005 server is called AllOrders by NumberCruncher. However, there are many applications that connect to SQL Server, and the errors each application gives might be different. In this application, the error was "could not associate file with server. Associate now?" Then you'd click Yes and it would return with an error that it could not find the SQL Server. After some troubleshooting, I finally pinged the server and found that it was answering on IPv6. Apparently, an update had made IPv6 the preferred protocol. When I used the SQL helper utility, which in Vista doesn't appear to be much different from the standard ODBC interface, and specified the IPv4 address, everything worked fine.

After some thought, I think I could have added the host to C:\Windows\System32\drivers\etc\hosts with its IPv4 address and it would have worked as well.

Written by Leonard Rogers on Tuesday, April 19, 2011 | Comments (0)

Windows Event 51 \Device\Harddisk1\DR4

Posted at 8:48:45 AM in Recovery (44)

I'm getting this error with Event ID 51 in the System event log. It only comes up as a warning, and the confusion is over what device DR4 is. I just replaced the existing Dell RAID because it was so slow and appeared to throw many errors when doing backups or other system checks. It was in a mirrored configuration, but neither hard drive had actually failed. So I did some research. DR4 is said to translate to Disk Removable. There is some indication that the 4 is the USB slot it is in, but I have some reservations about that: I looked my exact error message up and it came up more than once, and I'm not even sure my server has 4 USB slots.

Anyway, check out the research on this site:  http://www.vistax64.com/vista-performance-maintenance/134740-what-where-device-harddisk1-dr4.html

By the way, my system is Windows 2000 Server SP4.
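As an added example (not from the original post, and not runnable on the Windows 2000 box described here, which predates PowerShell), this script takes an Event ID 51 message, pulls out the HarddiskN number, and maps it through WMI to the physical disk's model, bus type and media type and to the volumes on it. The Harddisk number is the disk index WMI reports (the same N as \\.\PHYSICALDRIVEN); the DRx suffix is the name of the disk's device object, not a physical slot. The sample message string is constructed for the example.

```powershell
# Added example, not from the original post. Resolve the \Device\HarddiskN in
# an Event ID 51 warning to a physical disk and its volumes via WMI.
# Assumes PowerShell with WMI access; the message below is a constructed sample.
$message = 'An error was detected on device \Device\Harddisk1\DR4 during a paging operation.'

function Resolve-HarddiskFromMessage([string]$text) {
    if ($text -notmatch '\\Device\\Harddisk(?<disk>\d+)\\DR(?<dr>\d+)') {
        throw 'No \Device\HarddiskN\DRx reference found in the message.'
    }
    # HarddiskN is the disk index WMI reports as Win32_DiskDrive.Index
    # (the same N as \\.\PHYSICALDRIVEN). DRx names the device object, not a slot.
    $index = [int]$Matches['disk']
    $disk  = Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.Index -eq $index }

    if ($null -eq $disk) {
        Write-Host "Harddisk$index is not present right now (a removable disk that was unplugged?)."
        return
    }

    $disk | Select-Object Index, DeviceID, Model, InterfaceType, MediaType, Size | Format-List

    # Walk disk -> partitions -> logical volumes with the standard WMI associations.
    $diskId = $disk.DeviceID.Replace('\', '\\')   # escape backslashes for WQL
    $partQ  = "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$diskId'} WHERE AssocClass = Win32_DiskDriveToDiskPartition"
    foreach ($part in (Get-WmiObject -Query $partQ)) {
        $volQ = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass = Win32_LogicalDiskToPartition"
        foreach ($vol in (Get-WmiObject -Query $volQ)) {
            Write-Host ("  {0} -> {1} ({2})" -f $part.DeviceID, $vol.DeviceID, $vol.FileSystem)
        }
    }
}

Resolve-HarddiskFromMessage $message
```

If the lookup reports that the disk is not present, the warning most likely came from a removable device (a USB drive used for backups, for instance) that has since been unplugged, which is the case the post was trying to tell apart from a failing RAID member.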

Written by Leonard Rogers on Friday, April 8, 2011 | Comments (1)

Verizon DSL Modem Reset Actiontec

Posted at 6:33:10 PM in Recovery (44)

I had a customer who lost their DSL connection, and knowing Verizon's usual troubleshooting techniques, I went through them myself before I called. Unfortunately, the problem was that the customer had not paid for their service. The phone line worked for incoming calls just fine, so that wasn't an indicator; the DSL line was the fax line. I did notice that when I connected to the DSL modem admin page, the public IP address was 10.xxx.xxx.xxx. Now that the service is running again, the IP address is 72.xxx.xxx.xxx, so apparently Verizon suspends the service by assigning a private, non-routable (RFC 1918) address.

The troubleshooting steps I took were: restart the modem, reboot the PC, connect the modem directly to the PC and restart the modem again. The last resort is to reset the modem. There is a reset button on the back. After holding this button down for 10 seconds, the power light changed from green to orange. I held it down for 30 seconds and then released the button. Shortly after releasing it, the modem shut down, then the power light turned red and it started back up. All the lights eventually turned green again.

The sequence is:

power green flashing

DSL green flashing, power green flashing

DSL green rapid flashing, power green flashing

DSL green solid, power green flashing, ethernet green (flashing intermittently)

DSL green solid, power green flashing, internet green, ethernet green

All 4 lights green.  When the power light quits flashing and stays green the internet traffic actually starts flowing.

When this didn't get us back on the internet, that's when I called Verizon. We paid for the service, but the internet service did not come back on as expected. GoToMyPC worked. AOL worked. And name service worked. From this, ports 53, 8200 and whatever port AOL was using were not being blocked. It appeared only the normal internet ports were blocked, such as 80, 443, 25 and 21. However, the AOL client could connect to its service and could browse the internet. Once AOL was running, we could browse with the regular IE browser as well. When AOL was disconnected, we couldn't browse again. Apparently, the AOL client acts as a proxy, routing internet traffic through a different port.

I called Verizon about these anomalies, which they couldn't explain. Everything appeared to be working fine on their end. After poking around the modem administration page, I finally suggested that we just reset the modem and start from scratch.

The part I missed was browsing to 192.168.1.1/verizon/redirect on the modem. At first the technician suggested redirect.htm, but that produced a 404 error page; then she said to drop the .htm and it worked. It came up with a username and password screen; the credentials are the same as the Actiontec defaults, admin and password (those are the factory defaults, so change them once the connection is back). The next screen only had one button on it. This was called the Verizon security screen. The button showed the word OFF. I was told to click it. It changed to ON.

After restarting the router, we were able to ping. Apparently there is a port block on the Verizon security page which blocks the normal internet traffic ports. After that was done, I put the modem back in the network and all the machines worked fine.


Written by Leonard Rogers on Thursday, March 10, 2011 | Comments (0)

Blackberry Intellisync error 0x8004fceb

Posted at 3:42:27 PM in Recovery (44)

I followed the suggestions on this site: http://supportforums.blackberry.com/t5/BlackBerry-Desktop-Software/8830-Syncronization-Error-code-0x8004fceb/m-p/44843 which recommended deleting the Intellisync folder from the AppData folder; however, those instructions were for a Windows 7 PC, possibly a Vista machine too. This is the path I used to fix the error on a Windows XP PC with Outlook 2007 installed...

C:\Documents and Settings\<me>\Application Data\Research In Motion\BlackBerry

The Intellisync folder is in that last folder. Remove the folder and everything inside it. When you start BlackBerry Desktop Manager and connect the phone, it will re-create the Intellisync folder. You will have to set up the folders to synchronize again. After doing that, the error went away.


Written by Leonard Rogers on Thursday, February 10, 2011 | Comments (1)

Peachtree reports and forms missing

Posted at 1:06:43 PM in Recovery (44)

Recently I had an issue with Peachtree. All the reports and forms disappeared, according to the customer. I connected to their server and used Peachtree to check the symptoms. Every report in the reports window was missing: no custom reports and no standard reports.

After searching the web, this link was the most helpful. StephenC's entry about the difference between the custom reports and the standard reports pointed me in the right direction. In my case it was both report groups, and I didn't know they'd be in different data files, and on top of that that the files would be in different directories. It makes sense that the standard files would be in a directory common to all of the companies. At this particular location, we make a backup every year-end and then create a new company from the backup so they can access old info. I had the controller open an old company and, sure enough, the custom reports were there but not the standard reports.

RPTDATAI.DAT in the main data path for Peachtree was truncated to 14K; the standard reports file in the backup was 2900K. I was able to restore rptdatai.dat in the main data path and rptdata.dat in the company directory, and all the reports and forms showed up again. There is no indication what caused this. None of the users reported any odd activity when closing down Peachtree or during its use.

This installation uses Quantum 2009 on a Windows 2000 platform using Active Directory for authentication. All the workstations are Windows XP Pro SP3.

Written by Leonard Rogers on Monday, January 10, 2011 | Comments (0)

Rant on Antivirus Software

Posted at 4:29:45 PM in Recovery (44)

I got a call today from a customer who uses Outlook 2007 to access his Gmail account which is branded to their domain name.  He said that for some reason this morning, his Outlook stopped working.  The error message said it was unable to connect to the server.

I checked all the settings in Outlook and made one change to the outbound port number but that didn't fix the problem.  Then I checked Google's Gmail settings and everything there was fine.  I then took a look at the antivirus they were using, Trend micro, and started turning off services.  I have had this kind of problem before with Norton and never could figure out how to get Norton to behave.  My theory is that a virus infected email was blocked by the anti-virus software but it blocked all of the rest of the emails like plugging up a hole.  Unfortunately, it never unplugs the hole again.  For Norton, I would have the customer uninstall the it and then reinstall.  It was amazing that email worked fine after the Norton Antivirus software was reinstalled, so apparently there wasn't a virus infected email server after all.

However, with Trend micro, we found the problem in the Internet protection section.  When we disabled the web protection, the software warned that we should restart the browser. From the description, this didn't appear to be the problem area, but with that disabled, email started coming through.  When I enabled it again, the email stopped.  The customer mentioned that the antivirus gave an indication there was a problem earlier but didn't know what the message meant and just accepted the default answer. I suspect that a warning about a port opening may have popped up asking him what he wanted to do and he blocked it.  It's easy to block things in antivirus software applications, but it's not so easy to undo it.

Now comes the part where I make my recommendations about anti-virus software and what it should and shouldn't do.  I've re-written this several times because I find it very self-incriminating.

I believe antivirus companies should work on protecting you from virus' and leave the other items like firewall and spam protection to other companies. Microsoft's Windows Defender is one of those that should be left to other companies develop. Microsoft installed it on Vista and Windows 7 and provided no way to uninstall it and it complains when it's turned off.  For spyware, I like to use my own choice of software. Microsoft's apparent motto is "protect the user, don't let them open anything." There was a lot of grief because Outlook simply blocked certain attachments from coming through in email.  The attachment was there, but it wouldn't allow anyone to open it (without a hack), you couldn't even see it.

Antivirus software vendors should not add firewall services to their software, but they do.  In fact, I don't think you can buy any antivirus software without the firewall option being available.  I realize that virus' can spread through a network and a firewall can help prevent it.  But it isn't virus protection and the email example above is typical.  The user gets blocked and no one, not even the vendor's support persons know how to unblock it.

Now we have a whole array of protection being offered by AV companies, i.e. anti-phishing and identity theft protection among them.  I think most of them are gimmicks to show how much better they are than the other product.  If Norton adds something, then all the other AV companies have to add it too. It doesn't matter if it actually works. Some vendor's alert you when another antivirus is already installed. Trend micro won't allow you to install if the other antivirus software was there. They alerted me to having the free version of Malwarebytes Anti-malware software, which doesn't run real time and shouldn't have been a problem. I called tech support at Trend micro and found this was by design. So, I uninstalled Malwarebytes software and reinstalled it after I installed Trend micro.

Most of these antivirus softwares eat CPU. With more features, they eat more CPU. In almost all of my installations, I move the virus scanning for email, anti-phishing and spam protection to a firewall appliance.   One server does most of the work protecting the network and the PCs only worry about virus'.  For the firewall appliance protection, I use IPCOP with the COPFILTER addon.  I use the free version of CLAMAV and it seems to work very well.  IPCOP developers are now coming out with version 2 of the server after many years of supporting version 1.4.3.  Copfilter will have to catch up.  Copfilter has been a great product.  They have a disclaimer that no antivirus will catch all virus' and that is true, but this package has worked very well for me.  

That's my rant on antivirus software.

5/21/2013 - edit.

I'm now using IPCOP V2.06 and Copfilter 2.0.91beta3. Spamassassin seems to be working pretty well. I'm not happy with the 3rd party signatures (part of Copfilter's CLAMAV component). The idea behind the 3rd party signatures is to use CLAMAV to identify email patterns that are commonly used to phish or spamvertise, i.e. one looks for emails that consist only of an image, which is one way spammers circumvent spamassassin, which is a word database... no words, no spam. The 3rd party signatures component addresses this and many other patterns.

The reason I'm not happy with it is because the installation isn't consistent. I have two identical machines and one isn't catching any viruses and therefore no patterns and the other one is. I cannot upgrade the 3rd party signatures at all. Frustrating at this point.
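The image-only pattern described above (a message with no scoreable words, only an inline picture) is easy to check for directly. The following is an added Python example, not Copfilter's, ClamAV's or the author's code: it parses two constructed MIME messages with the standard library and flags the one whose text parts carry nothing a reader would see. The 20-character threshold is an assumption chosen for illustration.

```python
"""Flag image-only e-mails: the pattern the text attributes to Copfilter's
third-party ClamAV signatures, where a message carries no scoreable words,
only an inline image, so a word-based filter has nothing to match."""
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

TAG_RE = re.compile(r"<[^>]+>")


def visible_text_chars(msg: Message) -> int:
    """Count non-whitespace characters a reader would see in the text parts."""
    total = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue  # an attached .txt file is not the body
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "us-ascii"
        text = payload.decode(charset, errors="replace")
        if part.get_content_subtype() == "html":
            text = TAG_RE.sub(" ", text)  # keep only what renders as text
        total += len("".join(text.split()))
    return total


def image_part_count(msg: Message) -> int:
    """Number of image/* MIME parts anywhere in the message tree."""
    return sum(1 for p in msg.walk() if p.get_content_maintype() == "image")


def is_image_only(raw: str, min_text_chars: int = 20) -> bool:
    """True when the message has at least one image part and fewer than
    min_text_chars visible characters of text (threshold is an assumption)."""
    msg = message_from_string(raw)
    return image_part_count(msg) > 0 and visible_text_chars(msg) < min_text_chars


def scan(messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (label, verdict) for each (label, raw_message) pair."""
    return [(label, "image-only" if is_image_only(raw) else "ok")
            for label, raw in messages]


# Constructed sample messages (not real mail): an image-only message whose
# HTML body is nothing but an <img> tag, and a normal message with an
# image attached alongside readable text.
IMAGE_ONLY = """\
From: sender@example.invalid
To: user@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:pic1"></body></html>
--B1
Content-Type: image/gif; name="pic1.gif"
Content-Transfer-Encoding: base64
Content-ID: <pic1>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--B1--
"""

HAM = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain; charset="us-ascii"

Hi, the scanned invoice for March is attached. Let me know if anything is missing.
--B2
Content-Type: image/png; name="invoice.png"
Content-Disposition: attachment; filename="invoice.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--B2--
"""

SAMPLES = [("image-only spam", IMAGE_ONLY), ("ham with attachment", HAM)]

if __name__ == "__main__":
    for label, verdict in scan(SAMPLES):
        print(f"{label}: {verdict}")
```

A verdict of "image-only" is a signal to feed into the filter's score, not a reason to drop mail on its own; legitimate newsletters and scanned documents can trip it, which is why the threshold is kept as a parameter.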

Written by Leonard Rogers on Friday, January 7, 2011 | Comments (0)

Activation context Internet Explorer issue

Posted at 5:28:15 PM in Recovery (44)

I got this message when I tried to enter a web site address in the Internet Explorer address bar: "THE REQUESTED LOOKUP KEY WAS NOT FOUND IN ANY ACTIVATION CONTEXT" which didn't make any sense.  Firefox worked fine.  The initial home page worked fine, but I couldn't go to any of the links.  I googled the issue and found that no one else seemed to have an answer either.  After reading several posts, I noticed that several people had tried to downgrade from IE7 or it appeared that in an effort to correct the issue, they did a repair install with the original installation disk.

In my case, I used the Windows XP SP3 disk to repair files that had been removed by the anti-virus (AVG) before the IE error occurred (see post).  The repair install doesn't just restore files that are missing.  It restores all the service packs, patches and Internet Explorer to the original installation, but makes a copy of the computer's registry at the beginning of the repair operation and restores that after setting everything back to its original state.  Before I did the repair, I had IE8.  After the repair I had IE6.  So, iexplorer.exe gets called the same as it did before, but with registry entries that expect certain files to be in place which aren't.  This creates other problems as well since all the patches that were installed before are also reverted.

I had a copy of the IE8 installation file and ran it.  You can obtain a copy from here.  I used the WinXP 32-bit version in the United States section.  Once that was installed, the error "THE REQUESTED LOOKUP KEY WAS NOT FOUND IN ANY ACTIVATION CONTEXT" no longer showed.  I had about 87 patches to apply using Windows Update and after those were completed, everything seemed to work fine.  Other programs that aren't part of the original disk don't seem to be affected, i.e. Microsoft Office, Peachtree, Quickbooks, etc.  If they used any of the files that came with the original operating system, applying the patches would restore those files to the version expected.

Written by Leonard Rogers on Thursday, December 30, 2010 | Comments (0)

AVG issues

Posted at 2:59:23 PM in Recovery (44)

One of my issues with anti-virus software is their brute force removal of infected files regardless of that file's importance. In this situation, the cure is far worse than the illness.  The computer I worked on today wouldn't start.  It halted with a BSOD (Blue Screen of Death) saying that Windows shut down in order to prevent more damage to the system.  AVG 9.0 found a virus in Explorer.exe and winlogon.exe and quarantined them without asking the user.  I'll be the first to admit that most users just press the go button anyway, but in this case, the user said that the computer just shut down on its own and then wouldn't restart.

I didn't know what files had been removed because the quarantine renames the files and gives them a .fil extension.  I used Windows PE to access the hard drive and look around.  I knew that Explorer was one of them as that file is commonly attacked and it was missing and the file size of the last quarantined file matched that of a working explorer.exe.  I couldn't tell what the second file name was and was forced to do a repair install of WinXP SP3.

After the reinstall, I was able to open the virus vault and see what files had been infected and removed.  A common tool I use from this web site: www.bleepingcomputer.com is MalwareBytes Anti-malware.  On this site, you'll find most of the virus infection removal procedures involve malwarebytes software which you can download here.  Another one I use regularly is combofix.exe from the same site.  (Combofix won't work on 64-bit systems or on systems after WinXP as of this writing).

Both of these applications take the time to determine the threat and extract the problem without damaging the system.  I'm not sure why antivirus writers can't make .fil files of critical files and save them for later restoring in case a critical file is infected.  Certainly they must know what files are needed and critical to the PC's health.

Written by Leonard Rogers on Thursday, December 30, 2010 | Comments (0)

NTBKUP recovery details

Posted at 9:05:26 PM in Recovery (44)

Due to the corrupted bkf files, the headers did not properly contain the drive letter designation required to use the -p option with ntbkup. I also had problems using the -d option. I got the prompt message like this:

DIR Tree warning, 1st node not a VOLUME! Force '?:'

This prompt led me to believe that it wanted some info to replace the drive letter, so I tried a drive letter or entered Y, but to no avail. However, as of this writing, I discovered that it was working in the background. I was working with 20Gig files when I did this originally and was expecting some kind of response which it didn't give me, and so I aborted the operation. While writing this document, I used a 6Gig file and as I was writing, the directory listing was produced. I now noticed that the hard drive was very busy after I pressed enter.

The normal script to run ntbkup.exe is:

ntbkup sample.bkf -x -pc:dump

But all this did was start dumping all the files into one directory, which the author states that it will do. This caused a huge problem because the directory structure was important, but also because many of the files had the same name. It required the directory structure to keep them from being overwritten. Ntbkup is very happy about overwriting files, so this would not do.

What I needed was to create the directory structure, change into a single directory at a time, extract the files from the backup file that belonged in that folder and then move on and create the next folder. This required that I know the directory that's coming and the contents that should be in that directory, and additionally, I didn't want to process the entire 20Gig backup file just to extract 255 files and then start over. That would have been very time consuming and wasteful.

Enter the verbose mode

I ran ntbkup with this command:

ntbkup sample.bkf -v > sample.txt

This produced results that can be seen by following this link. The file size ended up being 32Meg, but the link only has a portion of the file which has some areas of interest which I will include here.

I was interested in this section of the file:
FILE found keyword at offset 0x3ad1800 data from 0x3ad192e to 0x3af3acc
DIRB found keyword at offset 0x3af3c00 1st Stream: NACL
Dir Name[94]: ilesFTRXAcctgInvoicesINVOICES.000U

This had the directory structure, the offset to the beginning of the directory structure and the end of the previous directory structure. I indexed the file on the keyword DIRB and extracted the offset to the beginning of the directory, used the next record to find the end of the directory structure and also extracted the directory name. From this information I produced a batch file which would create the directory, change into that directory and then begin extracting only the data from the DIRB offset and end at the last file of the directory or the line before the next DIRB.

Here is a sample of the batch file:
mkdir "%bkfile% ilesFTRXAcctgInvoicesINVOICES.000T"
cd "%bkfile% ilesFTRXAcctgInvoicesINVOICES.000T"
"%bkfile% tbkup" "%bkfile% tbkup2.bkf" -x -jh0:hd58
mkdir "%bkfile% ilesFTRXAcctgInvoicesINVOICES.000T"
cd "%bkfile% ilesFTRXAcctgInvoicesINVOICES.000T"
"%bkfile% tbkup" "%bkfile% tbkup2.bkf" -x -jh62000:hc5d58

As you can see, I made use of the -j option which allows ntbkup to start extracting at the first offset, specified in hex which is the same number system produced in the verbose listing and exit when it's reached the end of the block specified by the second hexadecimal number.

The process of getting these numbers was very involved and I intend to explain that also. The process is procedural and could be scripted, but my understanding of vbscript in MS Access is limited. I could probably write it, but it seems cumbersome that Microsoft didn't include built-in methods to easily access the databases and queries in the same VB database. If I was using a separate VB engine and accessing the databases in another program, I could understand the process of defining each connection and name of each object all the way down the field levels, but since they are in the same program, I find this to be very annoying.

I only have one major stumbling block with the layout of the verbose extract from ntbkup. In the middle of a block of data, say from folder T to folder U, the offset suddenly jumps back. Sometimes this jump is huge, going to the beginning of the file, which happily causes ntbkup to start extracting everything into folder 124 until the new end is reached. I don't know why it would make such an erratic shift, except that, because these files were erased and frequently overwritten by other backups, some overlaying may have taken place. These jumps back to beginning points in the file are not frequent, but needed to be looked at in order to keep from dumping the whole backup file into one directory and then doing it again later on in the restore process.

See this sample for a jump back in between one folder group.
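The indexing step described above (take each DIRB offset and directory name, end the block at the last file before the next DIRB, emit mkdir/cd/ntbkup lines, and watch for the offset jumping backwards) as an added Python example. It is not the author's Access/VBScript process and not part of ntbkup. The verbose listing is constructed in the shape of the lines quoted above with made-up directory names and offsets, and the `-jh<start>:h<end>` argument form is copied from the batch sample, which is an assumption about ntbkup's syntax. Because the directory names come out of a corrupted backup, the script treats them as untrusted and will not emit mkdir/cd for a name that would escape the dump root or break batch quoting; a jumped-back file is listed in a REM line for manual handling instead of being folded into a range that runs backwards.

```python
"""Turn an ntbkup verbose listing into a per-directory extraction batch file.
Parses the DIRB / Dir Name / FILE lines, pairs each directory with the offset
range of the files that follow it in order, and never lets a range run
backwards (the 'jump back' that would dump the whole backup into one folder)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes taken from the verbose listing quoted in the text.
FILE_RE = re.compile(r"^FILE found keyword at offset (0x[0-9a-f]+) data from (0x[0-9a-f]+) to (0x[0-9a-f]+)", re.I)
DIRB_RE = re.compile(r"^DIRB found keyword at offset (0x[0-9a-f]+)", re.I)
NAME_RE = re.compile(r"^Dir Name\[\d+\]: (.*)$")


@dataclass
class DirBlock:
    name: str
    start: int                                  # offset of the DIRB record
    end: Optional[int] = None                   # end of the last in-order FILE
    skipped: List[Tuple[int, int]] = field(default_factory=list)  # jumped-back FILE data ranges


def parse_listing(text: str) -> List[DirBlock]:
    """Group FILE records under the DIRB that precedes them; a FILE whose
    offset is lower than the previous record is a jump back and is set aside."""
    blocks: List[DirBlock] = []
    cur: Optional[DirBlock] = None
    last_off = -1
    for line in text.splitlines():
        m = DIRB_RE.match(line)
        if m:
            cur = DirBlock(name="", start=int(m.group(1), 16))
            blocks.append(cur)
            last_off = cur.start
            continue
        m = NAME_RE.match(line)
        if m and cur is not None:
            cur.name = m.group(1).strip()
            continue
        m = FILE_RE.match(line)
        if m and cur is not None:
            off, lo, hi = (int(g, 16) for g in m.groups())
            if off < last_off:
                cur.skipped.append((lo, hi))    # jump back: leave for manual handling
                continue
            cur.end = hi
            last_off = off
    return blocks


BAD_CHARS = set('"%<>|&^')                      # would break quoting or expand in batch


def safe_relative(name: str) -> bool:
    """Reject names that would escape the dump root or break batch quoting."""
    if not name or name[0] in "\\/" or re.match(r"^[A-Za-z]:", name):
        return False
    if BAD_CHARS & set(name):
        return False
    parts = re.split(r"[\\/]+", name)
    return all(p not in ("", ".", "..") for p in parts)


def make_batch(blocks: List[DirBlock], bkf: str = "sample.bkf", root: str = "%bkfile%") -> str:
    """Emit mkdir/cd/ntbkup lines in the shape of the batch sample in the text.
    The -jh<start>:h<end> form is assumed from that sample."""
    lines = ["@echo off"]
    for b in blocks:
        if not safe_relative(b.name):
            lines.append(f"REM skipped DIRB at 0x{b.start:x}: unsafe directory name {b.name}")
            continue
        if b.end is None:
            lines.append(f"REM skipped DIRB at 0x{b.start:x} ({b.name}): no in-order FILE records")
            continue
        target = f"{root}\\{b.name}"
        lines.append(f'mkdir "{target}"')
        lines.append(f'cd "{target}"')
        lines.append(f'"{root}\\ntbkup" "{root}\\{bkf}" -x -jh{b.start:x}:h{b.end:x}')
        for lo, hi in b.skipped:
            lines.append(f"REM jump back: file data 0x{lo:x}-0x{hi:x} lies outside this block, extract by hand")
    return "\n".join(lines) + "\n"


# Constructed listing (not the author's file): two ordinary directories, one
# jumped-back FILE in the second, and a third directory with a hostile name.
SAMPLE_LISTING = r"""FILE found keyword at offset 0x3ad1800 data from 0x3ad192e to 0x3af3acc
DIRB found keyword at offset 0x3af3c00 1st Stream: NACL
Dir Name[28]: Files\Acctg\Invoices\INV.000A
FILE found keyword at offset 0x3af3e00 data from 0x3af3f2e to 0x3b00f00
FILE found keyword at offset 0x3b01000 data from 0x3b0112e to 0x3b10000
DIRB found keyword at offset 0x3b10200 1st Stream: NACL
Dir Name[28]: Files\Acctg\Invoices\INV.000B
FILE found keyword at offset 0x3b10400 data from 0x3b1052e to 0x3b20000
FILE found keyword at offset 0x0000800 data from 0x000092e to 0x0040000
FILE found keyword at offset 0x3b20200 data from 0x3b2032e to 0x3b30000
DIRB found keyword at offset 0x3b30200 1st Stream: NACL
Dir Name[22]: ..\..\Windows\System32
FILE found keyword at offset 0x3b30400 data from 0x3b3052e to 0x3b40000
"""

if __name__ == "__main__":
    print(make_batch(parse_listing(SAMPLE_LISTING)), end="")
```

Run against a real listing with `parse_listing(open("sample.txt").read())`; the REM lines are the places to look at by hand, which is exactly the step the text says could not be left to the batch file.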

Written by Leonard Rogers on Thursday, December 23, 2010 | Comments (0)