A recent malware removal session gave a very frustrating error in trying to boot into safe mode. I was unable to boot into safe mode, safe mode with networking or even safe mode with the command prompt. The Stop Error was a Stop 0×0000007B Error. The instructions on the screen talk about running chkdsk on the drive (which I did.) There were a few things found and corrected, but the problem was still there. On investigation I went into the registry editor (regedit) and found that the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot registry key had been emasculated. There were two subkeys for minimal and network profiles…. So… I found a way to rebuild them.

Didier Stevens has spent a lot of time on this and has developed a registry patch file. There are patches for Xp sp2 and sp3 as well as 2003 server and Windows 2000 SP4 in his download zip.

There is an https and an http download link for safeboot. The registry patches worked and allowed safe mode to work. I did further scans on the system and ultimately all is clean.

This article may come in handy if you are out there battling the latest rogue du jour. Occasionally I have been through a cleaning process for these rogues and got to a point where the scanner had run and cleaned things out (whether it was malwarebytes antimalware or superantispyware.) It was time to reboot and the system reboots, starts to load the desktop wallpaper and then…. You see the windows login screen and the words “saving settings” under the username followed by the words “logging out”. You may try again, but it doesn’t even load the desktop icons it just boots you back out to the login screen. If you try safe mode you may get the same behavior (it was in my case), administrator or the typical system user didn’t seem to make a difference. I couldn’t even get to safe mode with the command prompt. No choice but to reinstall right? Wrong….

For this you will need to get access to the registry. Obviously given that this system is problematic we have limited options. If you have been able to access the registry remotely over the network that may work for you, but in my case I have an Ultimate boot CD which includes a Windows live cd environment. One catch with windows live boot cds though is that they need to be made from a working windows system. So, if you don’t already have one in your toolkit, you will need to scrounge your way to a working windows xp system with your windows disk, internet connection and then get your boot cd setup.

You may be able to use a linux boot cd to edit the registry (using wine perhaps as this article suggests.) Although that’s a path I haven’t gone down before… Other than that though I don’t know another way to edit the registry from linux.

Here’s what you will need to check in the registry.

HKeyLocalMachine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

You are looking for the userinit value which should be c:\windows\system32\userinit.exe and shell should be explorer.exe

In my case userinit was set to c:\windows\system32\winlogon32.exe or some such nonsense. Fixing this restored the ability to login.

However, if it appears set correctly it may be that your copy of userinit.exe is corrupted and you may need to extract it from the windows install disk in recovery console mode…

expand d:\i386\userinit.ex_ c:\windows\system32\userinit.exe

So, if you’re stuck in a windows login logout loop that you just cannot login to windows it automatically logs you back out before you see the desktop the above may solve the problem for you.

I came across an interesting one in the last few days. This system was a Windows XP system with current updates – SP3, IE 8…. and among other things there was a complaint of very sluggish behavior. I updated the antimalware software installed and ran scans. Malware Bytes antimalware actually found and removed two suspect files, but that didn’t seem to sole the sluggishness. The web browser (internet explorer) would take what seemed like a minute or so to respond to any action. One thing I discovered is that Internet explorer 8 can behave VERY slowly if there are a lot of sites in the restricted zone. (Spybot S&D immunization puts lot’s of sites in restricted zones.) So, I found a way to remove them all and retry and things seemed quicker, but… after running for 15-20 minutes the system really started to become unresponsive and so I had to start looking for another cause…. services.exe was running at 99% cpu or 100% cpu from time to time and the memory footprint was growing – the high mark I saw was 350MB of memory in use for it (!)

The first hint I had was a site claiming that if the event logs get to be too large it could cause services.exe to respond this way – taking up 98% or 99% cpu and more and more memory. So, after attempting to skim the logfiles for any helpfull info, I cleared them and restarted to wait and see what would happen next. It wasn’t long before the same behavior came back.

So, I searched quite a bit online (the even log items didn’t seem to give ANY clues) and found many discussions about the same issue. Most were a bit old (2-3 years), but in one discussion someone mentioned that they disabled the windows firewall and internet connection sharing service and their problem went away. So, I gave this a try and waited….. services.exe remained well behaved for a couple hours.

Not wanting to leave the system without the firewall, I tried resetting the windows firewall to it’s default settings and restarted it as a service. I let the system reboot and sit for a couple hours without the issue recurring. So, hopefully this reset of the windows firewall settings has solved the problem on this machine!

Side notes: Internet Explorer really shouldn’t respond differently if there is 1 site in restricted zones or 5000 – I mean really – Microsoft should address this problem. I do read that apparently there are features in IE 8 that should make spybot’s immunization unnecessary. Also, re: the firewall being the culprit here, it’s not wise to run a windows machine connected directly to the internet without a firewall of some sort. If this problem seems to affect you and resetting the firewall to it’s defaults doesn’t resolve it, you might consider looking at the free software firewalls that are available, or consider a hardware firewall (router) between your machine and the internet.

Utility to remove all sites from restricted zone is available here.

I’ve been struggling off and on with an issue on my Dad’s computer the last month or so. He said that it would occasionally just shut off completely out of the blue. (He also admonished me not to spend much time on it. Unfortunately problems like this are usually the ones that take the most time to solve because they seem random and it’s hard to pin down the cause.) He runs Windows XP primarily (although we have an ubuntu install setup as a dual boot choice.) In the last year the power supply and video card have been replaced for similar behavior. Although it’s been several months since the replacement with little “misbehaving” since. One of the things I did was run a memory test, which came out fine.

The hard drive also tests fine. So, I tried a stress test of the cpu, cpuburn.

The system died and it took several minutes before it would restart. It sounds like an overheating issue.

I installed speedfan under windows so I could see the reported CPU temperature and sure enough when it came back up it was in the 50-55 degree celsius range. After testing a few online videos and observing the temperature (and a few online searches for the expected temperature range and auto-cut off levels) it appeared that it would shut down at around 57 degrees celsius (maybe 56) and then refuse to reboot until it had cooled well below the threshold.

So, we ordered a new cooling fan. Unfortunately it didn’t do much better than the initial fan. The temperature still hovered in that borderline high range of 53-55 degrees celsius. So, I looked in the bios to see if there was any way to adjust the auto cutoff. (At this point in time it was annoyingly frequent.) No way to adjust (bios on this by the way is identified as F15 revision (for the long string of GA – 7VT600 F15 that shows on system boot…. the revision date is 8/16/2004-kt600-8235……etc.etc. The processor is an AMD Athlon XP 2800+ Socket A)

SO…. new cooling fan not being productive, no bios updates to allow us to tinker with the threshold temperature for cutoff… so I did the smarter thing which was add a second fan to the case. This fan was placed to blow air out of the back of the case from just behind the cpu heat sink. Since that fan has been installed I think the highest temperature I’ve seen registered was 51 degrees celsius (under heavy load – 10 minutes of an online flash video running fullscreen.) Most of the time it settles in the mid 40’s celsius.

My hope is that has at least bought us a few more months of use out of the system.

Not too long ago I had the opportunity to take a look at synchronizing a Blackberry to Outlook 2000. They said that the phone tech support told them it was a really easy thing to do and if they had an onsite computer technician they could probably click a couple options and have it set up in less than ten minutes.

Well – they were using Blackberry Desktop Manager 4.3 and had Outlook 2000 which is NOT supported under Blackberry Desktop Manager 4.3

!

The last version of Blackberry Desktop Manager to support Outlook 2000 synchronization is version 4.2 so…. if you’re trying to do that, you need to look for version 4.2 I started the download (20 minute download) and then started talking about some of the other options. (Yahoo Calendar being the primary one.)

I expressed some concern over device compatibility (this was a new phone and I know one of the main version increase reasons for some sync software is compatibility with more devices.) Before the download was finished they were signed up with a Yahoo Calendar account, loved the idea of being able to edit it from either computer they had and then sync to the blackberry through the version 4.3 of their Desktop software.

Not quite ten minutes – you would think that the phone support would have known that you couldn’t “get there from here”.

Take a look at the official announcement. They’ve moved outside the usual update cycle for this one. VERY good move Microsoft to get this patch in before the holidays as it looks as though there’s been a spike in the use of this particular exploit and with people doing a lot of home pc browsing over the next two weeks, hopefully they can have a patched Internet Explorer to browse with. These are one more good reason to have an alternative browser such as firefox installed “just in case”. That’s not to say that Firefox is immune to all such security issues, but it is targeted less frequently and perhaps most importantly by DIFFERENT things than Explorer is targeted by. (I should note that version 3.0.5 of firefox is out to address it’s own list of issues.)

By the way, this Internet Explorer vulnerability is listed as critical for Internet Explorer 5.01 on NT SP4, for Internet Explorer 6 on NT SP4 as well as pretty much every combination of Internet Explorer 6 or Explorer 7 on XP, Server 2003, Vista or Server 2008 AND those using Internet Explorer 8 beta 2 users are encouraged to update to a new release as well. In other words IF you use any currently supported version of Internet Explorer on any currently supported version of Windows you need to make sure this update installs.

In the wake of a huge patch Tuesday, Microsoft has two new fires to be fighting. There are apparently “limited and targeted” attacks against a flaw with the Text converter component of Wordpad. Affected systems include Windows 2000 SP4, XP up to SP2, Server 2003 SP1 and 2. Vista is not affected Server 2008 is not affected, XP SP3 is not affected. Read on for more on this one (AND the Explorer 0-day)

This particular exploit requires user interaction. So, this one seems to be exploited by sending a specially crafted file as an email attachment. The user clicks to open it and they’re bit.

Computer World has more details.

On the OTHER front – that is Internet Explorer:

Sans is reporting a 0-day vulnerability in the wild for Internet Explorer that affects a fully patched XP system (yes INCLUDING December’s patch Tuesday updates.) The exploit is not in wide use currently, but the source code is available so…. buckle up it’s going to be an interesting month. I wonder if we’ll see them actually break their patch cycle for this one. It would be a GOOD candidate to patch before the holidays.

It looks as though the XML parser is under attack in this one – The attack tests to run on Internet Explorer 7 only on Windows XP or Windows 2003.

They haven’t tested on Internet Explorer 6 or Vista.

Microsoft had a mammoth patch Tuesday this month with 28 bug fixes (23 critical). (Computerworld article linked above. This is one of the largest update releases in five years (!) Those fixes were wrapped up in 8 updates for Internet Exporer, Office, Sharepoint, Windows media player and visual studio and Visual basic. (Oh and it looks like there are two more they SHOULD have fixed – reports of 0-days in the wild.)

It looks as though GDI is still a problem child, getting more updates this time around. The Internet Explorer update itself fixes 4 critical issues.

0-days information developing and will be posted seperately.

Patch quickly because with this many flaws in Explorer there are going to be even more sites out there trying to exploit these. (Not to mention the new one in the wild today.)

The title says most all, the system would start to act as though it was powering up. The LED would come on for a second and the fans would start. The fans stayed on, but the LED went right back off and the system didn’t seem to POST, or show anything on the onboard video. This is a Gateway gt4022 with a 64 bit AMD processor and I think was Media Center edition of Windows XP. Anyway, I pulled the memory and CPU hoping to hear some sort of BIOS beep code, but no such luck. I pulled everything at one point with the exception of the power to the main board. It still gave the same symptoms. I tried another power supply just in case, same…. So, as I started to read online it seems that the motherboard in these Gateway gt4022’s may be a problem….

There seemed to be a disproportionate share of posts claiming that their system had died the same or a similar way. I read of one person saying they replaced the motherboard in their gt4022 after one year and then THAT board died within another year. (I wonder about heat and the CPU though.) I didn’t have another CPU to test with, but…. I recall AMD processors tended to run hot (the old Athlon line did). The venting for this doesn’t have a fan directly on the CPU heat sink, but indirectly pulling air over the heat sink. I’m not sure that’s as effective in getting the heat out.

Anyway, the hard drive was still fine, so the data can at least be pulled off.

Here are some notes from a recent spyware cleanup. The system came in and there were complaints that “Ron Ads by NetupBanner” kept coming up all the time as well as popups claiming that the dll c:\windows\system32\nolomipu.dll is not a valid windows image – mismn.exe bad image.

I ran malwarebytes antimalware and that cleaned out a LOT…

I installed the new version of AVG (8.0) – AVG 7.5 had been on the system (fairly up to date (within 2 days)) Webroot Spysweeper was installed, but the subscription was expired. Internet Explorer is the primary browser.

then I started looking at the invalid image errors – here are the notes:

ron ads netupbanner

lot’s of popup errors at boot:

lsass.exe – bad image

the application or dll c:\windows\system32\nolomipu.dll is not a valid windows image. please check this against your installation diskette.

[ok]

services.exe same
avgrsx.exe
userinit.exe
explorer.exe
hpwuschd.exe
alcxmntr.exe
reader_sl.exe
jusched.exe
qttask.exe
hpcmpmgr.exe
kbd.exe
avgtray.exe
spysweeperui.exe
msmgs.exe
aro.exe
weather.exe
ctfmon.exe
wkcalrem.exe
hpqtra08.exe
osa9.exe
quickstart.exe
wkscal.exe
soffice.exe
soffice.bin

And then for each program that you try to open after that as well…. the programs open anyway.

In the registry – I found an entry for nolomipu.dll in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
hive at AppInit_DLLS there was c:\windows\system32\nolomipu.dll,avgrsstx.dll

From that registry string value I removed nolomipu.dll, so that the value read c:\windows\system32\avgrsstx.dll

At this point I ran combofix which deleted several pests including the nolomipu.dll file. Installed firefox and java update among other things. All seems to be clean I’m going to take one more look over things to verify.