Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for June, 2012

The Case of the Missing Task Manager and Registry Editor part II (Windows Advanced ToolKit Malware)

Posted by William Diaz on June 28, 2012


I was originally introduced to this by a co-worker who wanted me to look at someone’s netbook, and I wrote about it here. The malware/scareware program had already been removed from the system, but the damage it had done was left behind. Cleaning it up manually, though, would not be too difficult. As pointed out there, it counters the user’s attempts to stop it by abusing a built-in mechanism Windows provides for debugging applications: the Image File Execution Options “Debugger” value, which makes Windows launch the named debugger instead of the program itself. The malware points Task Manager and Regedit at its own fake anti-virus process. It also counters anti-malware utilities and security suites by creating registry keys for them with the same Debugger string pointing to svchost.exe, which is not able to run other executables, so those tools never start. The key to getting direct access to the registry and Task Manager was to use Autoruns.

As it happened, a couple of days ago the wife started complaining that she kept getting persistent firewall popups. I told her to click Allow and let me sleep. Then she mentioned another popup that she said was scanning the system and finding viruses. This sounded like classic scareware, and when I took a look I saw this:

Posted in Troubleshooting, Troubleshooting Tools

When RDP “Disconnects”, It Might Be Crashing

Posted by William Diaz on June 18, 2012


It was reported by a local office technician that over the course of a few days several users connecting to a site over the web, which used Remote Desktop Connection to reach a remote desktop/terminal services session, complained that shortly after connecting their session was being disconnected. The issue was initially troubleshot as possibly a local OS setting, such as the IE proxy or maybe the TMG firewall client, but switching to a different proxy made no difference. It was then assumed that perhaps our network was part of the problem. A port issue? Not likely: ports 443 and 3389 are too common, and since the users were able to connect initially, this could be eliminated as the cause. Last, the remote site’s technical support was contacted and asked at what point inactive sessions were dropped. The answer was 1 hour, so this, too, was eliminated as the cause.

Eventually the issue made its way to me, and the first thing I thought was that this was not specifically a “disconnect”. When I think disconnect, I think along the lines of excessive packet loss or corruption between the client and the server resulting in a dropped connection. Another cause for a “disconnected” application is that the client app, or one of the components that handles the connection, is crashing. To confirm my suspicion, I asked the local tech for the name of one of the affected workstations. All the affected workstations were running Windows XP, which meant that if the RDP client was crashing, the post-mortem debugger (Dr. Watson) might be capturing it. I navigated across the network to \\computername\c$\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and saw a recent drwtsn32.log and user dump.
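The same check, scripted so it can be run against a list of workstations rather than one at a time. This is an added example and not code from the post: it assumes the default XP Dr. Watson folder named above, admin rights on the `c$` share, and the classic drwtsn32.log block layout (“Application exception occurred:” followed by App/When/Exception number lines); the sample log embedded at the bottom is constructed so the parser runs without a real workstation.

```powershell
# Added example (not from the post): find recent Dr. Watson artifacts on XP workstations
# over the admin share and pull the faulting application out of drwtsn32.log.

function Get-DrWatsonArtifact {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($c in $ComputerName) {
        # Default XP location; "c$" needs admin rights on the target.
        $dir = "\\$c\c`$\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson"
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -Path "$dir\*" -Include drwtsn32.log, user.dmp -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            Select-Object @{ n = 'Computer'; e = { $c } }, Name, Length, LastWriteTime
    }
}

function Get-DrWatsonException {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    # One block per crash; this layout is assumed from XP-era logs:
    #   Application exception occurred:
    #           App: C:\WINDOWS\system32\mstsc.exe (pid=1234)
    #           When: 6/14/2012 @ 10:02:11.453
    #           Exception number: c0000005 (access violation)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Application exception occurred') {
            if ($null -ne $current) { New-Object PSObject -Property $current }
            $current = @{ App = $null; ProcessId = $null; When = $null; Code = $null; Description = $null }
        }
        elseif ($null -eq $current) { continue }
        elseif ($line -match '^\s*App:\s+(?<app>.+?)\s+\(pid=(?<pid>\d+)\)') {
            $current.App = $Matches.app; $current.ProcessId = [int]$Matches.pid
        }
        elseif ($line -match '^\s*When:\s+(?<when>.+?)\s*$') { $current.When = $Matches.when }
        elseif ($line -match '^\s*Exception number:\s+(?<code>[0-9A-Fa-f]+)\s*(?<desc>\(.+\))?') {
            $current.Code = $Matches.code; $current.Description = $Matches.desc
        }
    }
    if ($null -ne $current) { New-Object PSObject -Property $current }
}

# Constructed sample log (two crash blocks) so the parser runs offline.
$sampleText = @'
Application exception occurred:
        App: C:\WINDOWS\system32\mstsc.exe (pid=2560)
        When: 6/14/2012 @ 09:41:23.218
        Exception number: c0000005 (access violation)

*----> System Information <----*

Application exception occurred:
        App: C:\WINDOWS\system32\mstsc.exe (pid=3104)
        When: 6/15/2012 @ 14:07:02.031
        Exception number: c0000005 (access violation)
'@
$sampleLog = $sampleText -split "`r?`n"

# Repeated mstsc.exe entries mean the "disconnect" is really a client crash.
Get-DrWatsonException -Lines $sampleLog | Group-Object App | Select-Object Name, Count

# Against real machines (hypothetical names):
#   Get-DrWatsonArtifact -ComputerName WS01, WS02
#   Get-DrWatsonException -Lines (Get-Content "\\WS01\c`$\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log")
```

If user.dmp is present alongside the log, the log alone gives the faulting application and exception code; the dump is what you load into WinDbg to see the faulting module and stack.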

Read the rest of this entry »

Posted in Troubleshooting

Making My Unusable USB Stick Usable Again

Posted by William Diaz on June 11, 2012


I had a USB flash device that just stopped working suddenly. When I plugged it in, the following message popped up in Windows: “You need to format the disk in drive before you can use it.”


That was odd, because earlier it had been formatted with FAT32 and seemed to be working normally (I had copied files to it). Luckily I didn’t have anything important stored on it, so I clicked Format disk, was then presented with the format options and selected Start.

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools

Windows SDK Setup Failure

Posted by William Diaz on June 7, 2012


While trying to install one of the utilities within the Windows SDK, the setup was failing. Clicking the View Log option within the SDK Setup GUI pulls up the log (you can also find it at %LOCALAPPDATA%\Temp\SDKSetupLog.txt, i.e. C:\Users\<username>\AppData\Local\Temp\SDKSetupLog.txt). I scanned to the end of the log and saw these details:

MSI (s) (60:D8) [12:10:44:541]: Windows Installer removed the product. Product Name: Microsoft Windows SDK for Windows 7 (7.1). Product Version: 7.1.30514. Product Language: 1033. Manufacturer: Microsoft Corporation. Removal success or error status: 0.

12:10:39 PM Wednesday, June 06, 2012: SFX C:\Program Files\Microsoft SDKs\Windows\v7.1\Setup\SFX\vcredist_x64.exe installation started with log file C:\Users\w7test06\AppData\Local\Temp\Microsoft Windows SDK for Windows 7_f83227e1-caa8-4d71-a809-43745c870815_SFX.log
12:10:43 PM Wednesday, June 06, 2012: C:\Program Files\Microsoft SDKs\Windows\v7.1\Setup\SFX\vcredist_x64.exe installation failed with return code 5100
12:10:44 PM Wednesday, June 06, 2012: [SDKSetup:Error] Config_Products_Install: Installation of Product Microsoft Windows SDK for Windows 7 (failed): Please refer to Samples\Setup\HTML\ConfigDetails.htm document for further information. Stack:    at SDKSetup.Product.ConfigureRelatedSfx()       at SDKSetup.Product.ConfigureNewProduct(ManualResetEvent CancelEvent)
12:10:44 PM Wednesday, June 06, 2012: [SDKSetup:Info] Config_Products_InstallNew: End installation of new product: Microsoft Windows SDK for Windows 7

It looks like there is an issue with the version of the Microsoft Visual C++ 2010 x64 Redistributable currently installed on the system: the bundled vcredist_x64.exe fails with return code 5100, and the SDK setup then rolls back the product.


I removed both the x64 and x86 redistributables, ran the SDK setup again, and the installation was successful. The SDK setup installed slightly earlier versions of both redistributables:


SDK setup also seems to be sensitive to the TEMP environment variable: if it points anywhere other than the default location, setup can fail, as noted in an earlier blog post.
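Two checks worth running before uninstalling anything: what Visual C++ 2010 redistributables are actually registered, and which SFX step the SDK log blames. This is an added example, not code from the post; it reads the standard Uninstall registry keys (native and Wow6432Node) and parses the “installation failed with return code” line format shown in the excerpt above. The two sample log lines at the bottom are constructed from that excerpt so the function runs offline.

```powershell
# Added example (not from the post): list installed Visual C++ 2010 redistributables
# and pull the failing SFX step out of SDKSetupLog.txt.

function Get-VC2010Redist {
    # Each redistributable registers an entry under one of these hives (x64 and x86 differ).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2010*Redistributable*' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

function Get-SdkSetupFailure {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    # Log line format taken from the excerpt above:
    #   "<time> <date>: <package path> installation failed with return code <n>"
    $pattern = '^(?<when>.+?): (?<package>.+?) installation failed with return code (?<code>\d+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                When       = $Matches.when
                Package    = $Matches.package
                ReturnCode = [int]$Matches.code
            }
        }
    }
}

# Constructed sample lines modelled on the log excerpt above (log file name shortened).
$sample = @(
    '12:10:39 PM Wednesday, June 06, 2012: SFX C:\Program Files\Microsoft SDKs\Windows\v7.1\Setup\SFX\vcredist_x64.exe installation started with log file C:\Users\w7test06\AppData\Local\Temp\sfx.log',
    '12:10:43 PM Wednesday, June 06, 2012: C:\Program Files\Microsoft SDKs\Windows\v7.1\Setup\SFX\vcredist_x64.exe installation failed with return code 5100'
)
Get-SdkSetupFailure -Lines $sample   # one object: vcredist_x64.exe, ReturnCode 5100
Get-VC2010Redist                     # what is registered on this machine right now

# Against the real log:
#   Get-SdkSetupFailure -Lines (Get-Content (Join-Path $env:LOCALAPPDATA 'Temp\SDKSetupLog.txt'))
```

The “installation started with log file …” line names the vcredist’s own log; read that before uninstalling, since it states why the redistributable refused to install, whereas SDKSetupLog.txt only records the return code.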

Posted in Troubleshooting

The Case of the Missing Task Manager and Registry Editor

Posted by William Diaz on June 5, 2012


I was recently given a netbook to look at after it had been hit by some malware. The malware exe had already been removed, but it left a few common system utilities, such as Task Manager and the Windows Registry Editor, in a dysfunctional state. Furthermore, popular anti-malware and anti-virus utilities were also unable to run. For example, trying to run taskmgr.exe or regedit produced the following error: “Windows cannot find ‘C:\Windows\system32\taskmgr.exe’…

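The mechanism behind this symptom, and behind the part II post above, is an Image File Execution Options “Debugger” value: Windows launches whatever that value names instead of the requested program, and once the malware executable it pointed to was deleted, launching taskmgr.exe produces exactly the “Windows cannot find” error shown, even though taskmgr.exe itself is still there. The following is an added example, not code from either post, that audits those values the way Autoruns does and can remove the bad ones. It assumes admin rights, the standard IFEO key paths (native and Wow6432Node), and a short list of debuggers that legitimately appear there; run it from a shell the malware has not also redirected, which is why the post reached for Autoruns.

```powershell
# Added example (not from the posts): audit Image File Execution Options for "Debugger"
# hijacks and, once reviewed, remove them. Check powershell.exe and cmd.exe in the output
# first; if they are redirected too, this script never ran in the first place.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Debuggers that legitimately show up here. Process Explorer's "Replace Task Manager"
# option sets taskmgr.exe\Debugger to procexp.exe via exactly this mechanism.
$KnownDebuggers = 'ntsd.exe', 'cdb.exe', 'windbg.exe', 'vsjitdebugger.exe', 'procexp.exe', 'procexp64.exe'

function Get-IfeoDebugger {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # The value is "<exe> [args]"; the exe may be quoted and may lack a path or extension.
            if ($dbg -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($dbg -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }
            if (-not [IO.Path]::IsPathRooted($exe)) {
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Path }
            }
            $name = [IO.Path]::GetFileName($exe)
            $reason = $null
            if ($name -ieq 'svchost.exe')               { $reason = 'redirected to svchost.exe; target never runs' }
            elseif ($KnownDebuggers -notcontains $name) { $reason = 'unrecognised debugger' }
            elseif (-not (Test-Path -LiteralPath $exe)) { $reason = 'debugger file missing' }
            New-Object PSObject -Property @{
                Image      = $key.PSChildName
                Debugger   = $dbg
                Executable = $exe
                Suspicious = [bool]$reason
                Reason     = $reason
                Key        = $key.PSPath
            }
        }
    }
}

function Remove-IfeoDebugger {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)][string]$Key)
    process {
        # Delete only the Debugger value; other IFEO settings under the key are left alone.
        if ($PSCmdlet.ShouldProcess($Key, 'Remove Debugger value')) {
            Remove-ItemProperty -Path $Key -Name Debugger
        }
    }
}

Get-IfeoDebugger | Format-Table Image, Suspicious, Reason, Debugger -AutoSize
# Review the table, then dry-run and finally run the removal:
#   Get-IfeoDebugger | Where-Object { $_.Suspicious } | Remove-IfeoDebugger -WhatIf
#   Get-IfeoDebugger | Where-Object { $_.Suspicious } | Remove-IfeoDebugger
```

A Debugger value whose file no longer exists is flagged as well as one pointing at svchost.exe, because that is what a deleted scareware binary leaves behind. A taskmgr.exe entry pointing at a real procexp.exe is reported as not suspicious; clear it only if nobody installed Process Explorer on purpose.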

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools

Some Emails May Prompt You To Install Foreign Language Pack

Posted by William Diaz on June 4, 2012


From time to time we have seen some standard company emails, as well as non-company emails, throw the following prompt when clicked on or opened: “Language pack installation. To display language characters correctly you need to install the following language pack…


Posted in Troubleshooting

The Case of the Rebooting Workstation

Posted by William Diaz on June 1, 2012


This was initially described as a log-off each time the user opened Outlook. It was the first time I had heard of Outlook logging someone off their system when opened, which sparked my curiosity, so I asked the techs working on it to leave it alone until I had a chance to look after hours. I started by connecting remotely to the Windows Event Viewer on the problem workstation to see if anything obvious stood out. After about a minute the MMC console hung and I could no longer browse events. I thought maybe the workstation had become disconnected from the network, so I waited and tried again a few minutes later. I resumed browsing the event logs … only to get disconnected again. Logging in via RDP or VNC was also a no-go, as I was being disconnected after about 2 minutes, barely enough time to get past the initial desktop and application loading and analyze what was happening. My next approach was to query the workstation for all running processes via PsList from Sysinternals (using the Front End for PsTools); maybe something would stand out and hint at what was happening:


Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools

CMYK Encoded Images Not Supported Previous to IE 9

Posted by William Diaz on June 1, 2012


This mysterious issue arrived as an email from another technician. His caller wanted to know why an HTML-linked image was not displaying in her Outlook message and showed the red X instead. When I received the message, I could see the image. The obvious difference was that I was using Outlook 2010 and IE 9, while the user and the technician were on Outlook 2003 and IE 8. The relevant difference between the two is that Outlook 2003 uses IE to render HTML content, whereas Outlook 2010 uses Word. Suspecting that the image only rendered under Outlook 2010, I wanted to open the image link in IE 9 directly. To get the image link, view the email as raw HTML by right-clicking an empty portion of the message and selecting View Source. You might need to scroll a bit depending on how much HTML formatting there is, but you can locate the image link by looking for src= as in the example below, or by searching for the image extension:

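Both steps can be done without scrolling through the message source by hand: pull every image src out of the saved HTML, then check whether the JPEG it points to is CMYK-encoded by reading its Start Of Frame header, where a component count of 4 means CMYK (or Adobe YCCK) rather than the 3-component YCbCr that every renderer handles. This is an added example, not code from the post; the HTML snippet and the 26-byte JPEG header at the bottom are constructed so it runs offline, and the example URL is hypothetical.

```powershell
# Added example (not from the post): extract <img src> links from message source and
# test whether a JPEG is CMYK-encoded by parsing its SOF segment.

function Get-ImageSource {
    param([Parameter(Mandatory = $true)][string]$Html)
    # src="...", src='...' or bare src=... on an <img> tag; (?i) makes it case-insensitive.
    $re = [regex]'(?i)<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|''([^'']*)''|([^\s>]+))'
    foreach ($m in $re.Matches($Html)) {
        $g = @($m.Groups[1], $m.Groups[2], $m.Groups[3]) | Where-Object { $_.Success } | Select-Object -First 1
        $g.Value
    }
}

function Get-JpegComponentCount {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    if ($Bytes.Length -lt 4 -or $Bytes[0] -ne 0xFF -or $Bytes[1] -ne 0xD8) { throw 'Not a JPEG: no SOI marker' }
    $i = 2
    while (($i + 1) -lt $Bytes.Length) {
        if ($Bytes[$i] -ne 0xFF) { throw "Expected marker at offset $i" }
        $marker = $Bytes[$i + 1]
        if ($marker -eq 0xFF) { $i++; continue }                                   # fill byte
        if ($marker -eq 0x01 -or ($marker -ge 0xD0 -and $marker -le 0xD9)) {       # TEM/RSTn/SOI/EOI carry no length
            if ($marker -eq 0xD9) { break }
            $i += 2; continue
        }
        if ($marker -eq 0xDA) { break }                                             # scan data before any SOF: give up
        if (($i + 3) -ge $Bytes.Length) { break }
        $len = (([int]$Bytes[$i + 2]) -shl 8) -bor ([int]$Bytes[$i + 3])
        # SOF markers are FFC0..FFCF except C4 (DHT), C8 (JPG) and CC (DAC).
        $isSof = ($marker -ge 0xC0 -and $marker -le 0xCF) -and (@(0xC4, 0xC8, 0xCC) -notcontains $marker)
        if ($isSof) {
            # SOF payload: length(2) precision(1) height(2) width(2) components(1) ...
            return [int]$Bytes[$i + 9]
        }
        $i += 2 + $len
    }
    throw 'No SOF segment found'
}

function Test-JpegIsCmyk {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    # 1 = greyscale, 3 = YCbCr/RGB, 4 = CMYK or YCCK (both written by Adobe tools as "CMYK")
    (Get-JpegComponentCount -Bytes $Bytes) -eq 4
}

# Constructed minimal JPEG: SOI, one SOF0 declaring four 8-bit components, EOI.
$cmykHeader = [byte[]](
    0xFF, 0xD8,                        # SOI
    0xFF, 0xC0, 0x00, 0x14,            # SOF0, segment length 20
    0x08, 0x00, 0x10, 0x00, 0x10,      # 8-bit precision, 16 x 16 pixels
    0x04,                              # four components
    0x01, 0x11, 0x00, 0x02, 0x11, 0x00, 0x03, 0x11, 0x00, 0x04, 0x11, 0x00,
    0xFF, 0xD9                         # EOI
)
$html = '<p>Header</p><IMG SRC="http://www.example.com/images/banner.jpg" alt="banner">'   # constructed
Get-ImageSource -Html $html          # -> http://www.example.com/images/banner.jpg
Test-JpegIsCmyk -Bytes $cmykHeader   # -> True

# Real file, once downloaded in IE 9 or otherwise saved:
#   Test-JpegIsCmyk -Bytes ([IO.File]::ReadAllBytes('C:\temp\banner.jpg'))
```

The component count is the reliable signal; the Adobe APP14 segment that usually accompanies CMYK JPEGs is optional and not needed for this check.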

Read the rest of this entry »

Posted in Troubleshooting