BiggAndyy

The blacK Screen Of Death.  Well, the black screen of waiting to see if it eventually boots.

It won’t.

And I tried ALL the poindexter solutions on the web.  Hitting the left shift key about a bazillion times.  Using BART-PE and renaming the event log folder.  Spinrite’d the entire hard drive.  Let Vista try to autofix the problem.

None of them worked.  Except one.

Let Vista go back and restore from a backup that at one time worked (assuming you are allowing Vista to do that).

That is the only reliable fix I have found for Vista’s KSOD.  YMMV.

OWA – Outlook Web Access.

My machine was updated from Windows XP64 to Windows 7 64.  Well, by updated I mean Windows reinstalled itself since there is no clear upgrade path from XP64 to 7 (except using the FAST wizard).  But that only saves profile information, NOT the programs themselves.

So I am sitting with a nice, clean Windows 7 installation and no Outlook until I can get hold of the Office 10 DVDs.  (RABBIT CHASING TIME: I can remember when Windows came on 4 3.5 inch diskettes and now it is an entire DVD??? anyway…)

I am logging into OWA to get my mail and I am eminently annoyed that I must relogin every ten minutes or so.  Until I realize I am logging is as a PUBLIC computer.  The autologoff feature for OWA is 10 minutes.  If I select PRIVATE computer I can stay logged in for 6 hours.

Just passing this along… it’s easy to forget.

After speaking with some other folks in the know they have steered me to the correct solution (or so it seems at this point).

All the big to do is about Java and NOT having it updated.  Older versions of Java on Windows boxes lead to all types of troubles, and the Find-Quick-Results is no exception.  In fact, it’s the primary vehicle of distribution.

And it’s not the websites you visit that is delivering the corrupted code, it is the ubiquitous ads on most webpages that is doing the harm.  The ads themselves have the compromised code injected into them (either knowingly or unknowingly), and when we visit websites that are normally and sometimes conscientiously monitored for malware, it can still get through because the ad in the rotation at the time (whether delivered by Google or some other ad provider) is infected.

So, visit java.com and get the latest updates to your Java addons and see if that makes the difference for you as well.  Don’t forget to clean your system too, no telling what has been injected into it by rogue ads.

Ever get the error message at boot “missing or corrupt HAL.DLL”?

Ever copy HAL.DLL to WINDOWS\SYSTEM32\ and get the same error at boot time?

Ever swear at the top of your lungs…

Yup, yup, and yup.

Never fear, it is just Microsoft lying to you (once again).

More often than not the error is not with the HAL.DLL file at all but with the boot.ini file.  HAL.DLL just happens to usually be the first file windows looks for to boot with.  (BTW: HAL stands for Hardware Abstraction Layer).

To fix this it may simply be editing the boot.ini file to reflect the actual physical hardware present.  But usually it can be fixed by booting from an install CD and doing a repair console repair.  A fixboot, fixmbr, and bootcfg will get the master boot record, the boot.ini file and everything else playing nice.

Believe me, I spent 4 hours trying to make HAL.DLL work before I found out about the boot.ini and boot record problem.

Sounds easy, find a file on your hard drive to be used in your BATCH script.  Usually you don’t need to.  Microsoft keeps fairly well the directory structure from one version to the next.  Usually.  What about files like PRNPORT.VBS and all those files in printer administration?

In Windows XP they can be buried down 4 levels, but maybe only two.  In VIST/7 maybe just 2, and in other versions if you have to deal with them, who knows if they are even there.  Let’s face it, not every IT enabled business has up to date standards, machines, and uniform OS’s throughout.

Sometimes you have to write an awful lot of code to do a simple thing, like when a network printer changes it’s IP address, the printers are not on a print server, and all the mappings on the local machines are pointing to the IP address.  Simple thing to write a script to change the IP address.

Not so much.  Remember, I don’t have access to the AD tree, even though I am an administrator.  Since I am considered an outside “contractor” by the powers that be (even though I am paid from the same pool as the general IT staff), I have much less access.  So let’s try some guerrilla administration and solve this problem, writing a script that doesn’t care where PRNPORT.VBS lives, it will find it and use it.

Here is the code I cobbled together and I think it warrants passing along:

@echo off
@CLS
::
:: Initializing variables used
::
SETLOCAL ENABLEDELAYEDEXPANSION
SETLOCAL ENABLEEXTENSIONS
SET curdr=
SET myvar=
SET targetfile=
SET diritup=
::
:: Ask for file to find.
::
SET /P targetfile=”File to look for: ”
::
:: Initialize the target file,
:: the @ is important to keep the display uncluttered
::
@SET diritup=”dir /s /B %targetfile% 2>NUL”
::
:: Find the target file
:: It can take a while on a hard drive with a lot
:: of data.  If you have a way to search faster
:: let me know.
ECHO Finding %targetfile% (This may take a few moments)…
ECHO Note this will return only the LAST file found if there
ECHO are multiple copies of the file.
set curdr=%cd%
cd\
for /f “tokens=*” %%a in (
‘%diritup%’
) do (
set myvar=%%a
)
cd\
cd %curdr%
IF “%MyVar%”==”" GOTO :FILENOTFOUND
ECHO.
ECHO Found the file found at
ECHO %myvar%
ECHO.
ENDLOCAL
Exit /b 0
:FILENOTFOUND
ECHO File Not Here.
ENDLOCAL
Exit /b 0

Wow.  That’s a lot of typing to just do this: CSCRIPT PRNPORT.VBS -T -R %OLDPORT% -H %NEWIP%

Yeah, that’s what happens when you can’t depend on where PRNPORT.VBS lives.  The script does a couple of things, first it remembers where you started the script, goes to the root of the drive, executes a DIR /B to return the file with it’s path (IMPORTANT) and finally switches back to the original directory to do whatever you want the rest of the code to do.

One trick built in, if there are multiple copies (say you type *.JPG) for the search term (this is a generic portion of the script I wrote), the only file displayed will be the last one found.  To see all of the files insert ECHO %%a in the FOR loop just after SET MYVAR=%%a

You are asking, is this really necessary?  Yeah, in order to pass a directory result to a variable WITHOUT using a temporary file, this is one way.  You could also pipe a FINDSTR on the DIR command but I have found a FOR loop to be a bit faster and a smaller hit on the performance of the machine.

Copy it and give it a try.

Looks like everything cleared up on it’s own automagically.

Yeah, right.  And I eat Limburger and crap rainbows.

Seems like it did clear up all by itself, no more redirects.  No patches from MS, no updates from antivirus programs nor from Malwarebytes.  I wonder…

Google recently released into the wild their Google+ product.  Could it have lead to a vulnerability that allowed those folks at find-quick-results.com to inject their code into the product?  Google will probably never admit to it if they did.

Even if the website was shutdown the redirects would have continued, just going to a dead site.  But since Yahoo, Bing, Google, and others were affected I really wonder if it was a TCP/IP injection malware on a DNS server or routers.

Whatever the case, glad it’s gone.  Now back to getting rid of the easily removed fake Antivirus alerts going around my clients computers.

It’s baaaack.

There are a lot of sites that suggest what I have done.  Most others are variations on the same theme: download, run, reboot and automagically the problem is gone.

It wasn’t gone, and if you are a propeller-head wannabe like myself I want to know WHAT the thing is, WHERE it hides, and HOW to manually remove it.  Since many viruses are polymorphic these days, the file names change but the M.O. usually does not.  I want to be able to recognize the pattern to get rid of the redirects when I see the patterns.

To this end I began to question the methodology of how this thing works, what method of infection and propagation it uses, and even where it may be actually hiding.  Since Firefox, Internet Explorer, and Opera are all affected on my machine I naturally went to [HKCR]\applications\firefox.exe\shell\open\command\ to see if there is a redirect in the Default key.  There was not, nor were there redirects in IE, and Opera registry keys.

I checked several more of the popular places in the registry but nothing suspicious at a glance so I moved on to JAVA.  I disabled JAVA script execution in Firefox, no help.  I removed JAVA script from the machine, no help, reinstalled with newest version, no help.

Same with Flash, disable, unintstall, reinstall, no help.  I broke out sysinternals and watch the process log when visiting Google and Bing and Yahoo, nothing interesting there.

I am still in the beginning phases of the forensics but I am wondering if the redirects are being made to the results pages at the machine.  Perhaps there is a compromised DNS server(s) or switches that is perpetrating this redirect?  Since no one appears to be able to stay clean for very long I am wondering.

Next step will be to redirect my TCP/IP settings to OPENDNS and see if there is a difference.  I’ll keep you posted.

Ok folks, this took some time but I was able to remove this stupid thing from my computer.  Here is the simple two step process (thanks to bleepingcomputer.com for the assist).

Here were the offending files from my system, once they were removed the problem went away.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO)

c:\documents and settings\%username%\application data\Sun\Java\deployment\cache\6.0\19\3233acd3-2c60c271 (Trojan.FakeAlert)

Once this file was removed and the HKEY deleted the browsers were back to normal.  I used

• RKILL.COM – from bleeping computer This program will kill the processes of most known root kits.
• Malwarebytes – from Malwarebytes.org This will scan your entire computer and find malware very effectively.

Here is the process:

1. Download the programs and update Malwarebytes by logging in and letting it update automatically.
2. Start your computer in SAFE MODE.
3. Run RKILL.
4. Run MALWAREBYTES.
5. Enjoy a newly malware free computer and no more of the find-quick-results redirect trojan.

You can also try manually removing the entries above.  I usually like to manually fix a system just because the more I know how trojans and viruses work the better I can get the problem taken care of quickly for the user.

Are you administrator for a few OUs in an organization but don’t have AD Forest or Tree privileges?

Maybe you have AD privileges but only need to lock down one or two trouble machines in high traffic areas during the weekends.

My problem was this; there is a Windows box that is being accessed on the weekends and the department chairman wants to have locked down.  Ok, easy.  In Windows 98 I remember there being nice grids available to select when a machine can be accessed and when it is unavailable.

Oops, wait, too bad, 2XV7 (2000-XP-Vista-7) doesn’t do that.  But rather than go through all the profiles and Event Viewer Security logs of a high traffic public box I decided it was easier to go the route of “Voo Doo” System Administration  and just make it work (or in this case, NOT work).’

So, how do you restrict users from logging in on weekends without setting up BIOS passwords that EVERYONE needs to memorize or petitioning the bureaucracy to get an AD change made for one or two machines?

Answer: Google didn’t have it, at least not easily.  And forget asking the propeller-head tech forums!  I spent two days justifying my request by answering all manner of needless questions like “isn’t that the job of the sysadmin?”  And after navigating their gauntlet of the absurd the self dubbed “guardians of the guts” proclaimed my request beneath their lofty intellect to even address.

The desired result: No Weekend Access.

The solution: have Windows check the day and if it is a Saturday or Sunday, disallow user logins.

The how to do it: Time to break out the BATCH!  It is actually quite a simple implementation.  A small BATCH script is run at the USER login.  If the login is on a weekend day logout the user immediately.

The code to do it:

@ECHO OFF
CLS
IF “%username%”==”<username>” GOTO :BYPASS
SET DAY=%date:~0,3%
IF /I [%DAY%] == [Sat] GOTO :LOGOFF
IF /I [%DAY%] == [Sun] GOTO :LOGOFF
:END
ECHO NOT Logging off.
EXIT /b
:LOGOFF
ECHO Logons are not permitted on the weekends for this terminal.  Shutting down the system.
SHUTDOWN -s -f -t 00 -c “Weekend access attempted”
EXIT /b
:BYPASS
ECHO Resuming Logon
EXIT /b

The script is very straightforward.  The day is extracted from the DATE command and if Saturday or Sunday a shutdown command is executed and a comment made in the Security Log.  One important addition, the BYPASS.  Make sure there is a user granted an exception to this rule, otherwise if the box needs to be accessed it is easier to be able to login with your account than go through the backdoor with a SAFE MODE login to disable the script.

After you make the script (I called it WEEKEND.BAT and saved it here: C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\weekend.bat)) then use GPEDIT.MSC and add it to the USER LOGON script.

There you have it, some Guerrilla AND Voo Doo administration all in one!  Good luck.