Here’s a listing of drives that still include that hardware write protection, along with some other options that might work though not as well. This listing is based on reports from several discussion boards in 2009-2010 as well as a list prepared and maintained by c’t Magazine (German) (or via Google Translate). Where available I provide links to the manufacturers and possibly to stores where the drives are available. Please comment with any corrections or additional drives to be added to the list.

(...)
Read the rest of List of USB Flash Drives with Hardware Write Protection Switch (2,296 words)

© Alan Miller/Fencepost Software & Consulting, 2010. All Rights Reserved. | Permalink & Comments
Post tags: Hardware, Malware, Reference, Security, USB

We’re using a bundled virtual machine called ESVA for spam filtering (currently not available, see ESVA Website (global-domination.org) Down, 2010-March) ; it’s basically a prebuilt CentOS server preconfigured with Postfix, MailScanner, SQLGrey (for greylisting), MailWatch, etc.. It’s worked quite well for us for several years – on our site for filtering our inbound email and that for our hosted customers, and at several customer sites where they’re running Exchange. I highly recommend it as a drop-in spam filtering solution with good reporting and manageability, plus a fairly active user community that can generally answer any questions they haven’t already answered.

Our internal ESVA server was slightly out of date, so last weekend was a good time to update it to 2.0.5.9 (a simple process using ‘esva-update‘) and update a few packages such as ClamAV (‘yum update‘). I ran the updates, verified that email messages were coming in correctly, and figured I was done with it. I also updated the nameserver entries in /etc/resolv.conf to point to our new internal DNS servers.

A brief digression on our network: We have external-facing DNS servers for domains that we host, but we also have internal servers that return internal addresses for some systems. Those internal servers report as authoritative because they are for the internal hosts that they serve. Thus from outside mail.example.com may resolve to 209.252.x.y but from inside it resolves to 10.3.4.5.

After the update, message traffic was fine – messages were coming in and being passed along to the mail servers, obviously there were no problems. By Monday morning, though it became apparent that while our customers were receiving outside email, we were not. This was easy to miss initially because we’re a small company and quite frankly we’re not getting a lot of message traffic overnight on weekends. A quick test from inside the network (‘telnet mail2.example.com 25‘ and manually entering a message) worked just fine so it wasn’t a problem with the actual handling of email messages, email for other domains that we host was being accepted and routed appropriately so it wasn’t a problem with firewall configuration, etc.

After spending more time than I like to think about digging through postfix trying to determine why it would be rejecting messages for just one domain (and the primary domain for which ESVA was set up), the problem ended up being completely different:

The new DNS servers didn’t have a host entry for the base domain example.com. All of the relevant subdomains were present (some with internal addresses, some with external ones depending on how they’re reached – they all have to be there since the DNS server thinks it’s the authoritative one for example.com and won’t forward queries for that domain. Thus example.com didn’t resolve (example.local did, which was what the domain was based on). Individual hosts had been set up in DNS (e.g. www.example.com, mail.example.com, mail2.example.com) but not a base record for the top-level domain itself.

Postfix accepted messages submitted from the internal network because it was a local network, and once it had those messages it had transport for the domain name so testing from an internal host worked. Messages from outside the local network were being checked to confirm that the top-level domain existed, but since it didn’t resolve from inside the network messages were being rejected with

Mar  1 15:12:36 mail2 postfix/smtpd[5578]: NOQUEUE: reject: RCPT from mta.sample.net[111.222.111.222]: 450 4.1.2 <recipient@example.com>: Recipient address rejected: Domain not found; from=<bounce-1234567_HTML-1234567-1234567-12345-0@bounce.example.net> to=<recipient@example.com> proto=ESMTP helo=<mta.example.net>

The fix was simple – correct the internal DNS server to allow example.com to actually resolve to a hostname. It didn’t really matter what it was (we used the IP of the web server which is pretty standard), just that it resolved to something so Postfix wouldn’t reject it.

While I feel a bit foolish for having this bit of misconfiguration happen, in searching for others who’d experienced similar problems I found nothing particularly useful except comments (generally for the error “Sender address rejected; Domain not found”) that it was probably a DNS error. Hopefully this will help someone with the same problem in the future.

Related posts:

1. ESVA Website (global-domination.org) Down, 2010-March, Back 2010-July Update 2010-08-07: Several updates of note pulled from the comments....
2. (Fix) When DNS and ping Fail but nslookup Works (Windows) Spent some time recently with a Windows XP laptop that...
3. Email Marketing – Use A Service I occasionally get requests from clients for assistance with sending...

Related posts brought to you by Yet Another Related Posts Plugin.

After a bit of searching, I ended up at this thread: OpenOffice-3.0.1 hangs if SCIM is active. Boiled down to something for those not interested in the technical details, OpenOffice.org 3.x has problems with some configurations of SCIM, the “Smart Common Input Method platform.”
(...)
Read the rest of (Fix) OpenOffice.org Hangs When I Start Typing (371 words)

© Alan Miller/Fencepost Software & Consulting, 2010. All Rights Reserved. | Permalink & Comments
Post tags: Fixes, Linux, Troubleshooting

Digging around on the console attempting to track down the source of the problems, I found multiple services listed as “Starting” – all of them malware-based, with the actual infection cleaned out. My suspicion is that these non-startable services were causing the startup of other services to be delayed, though in this case I’m not really planning on setting up a test system to verify that.

In the rest of this post I’ll give a bit more detail on the scenario, what I found, what was needed to clean it out, and a few more notes on what I suspect was happening.

Scenario

We haven’t been working with this client for very long, so I’m not sure when these infections were actually cleaned out; the antivirus software (VIPRE Antivirus from Sunbelt Software) was configured to only keep logs for a few weeks (now corrected) but it was at least a month ago. I’m not even certain whether the problems were cleared by the current antivirus package or by a CD-based virus scan when we first started working with them. I know they had a rash of Conficker in the office, so this may have been the aftermath of that.

VIPRE and other tools all showed the system as clean even with the service entries in place, because the files that were being referenced no longer existed, and I suspect that nobody’s noticed the slow startup times because A) the user-facing services (database, authentication) were up fairly quickly B) the system was generally not being restarted while staff was in the office and C) it’s a server, it’s really not restarted that often. In this case an overnight power outage had exceeded the available battery backup duration and the system was shut down when they arrived in the morning.

Findings

In general, I didn’t find any indications of specific causes for the slowdowns – nothing relevant in the event log, etc. The suspicious services were all running with “svchost -k netsvcs” which is not surprising – it’s the home for multiple services loaded from DLLs, see the TechNet article in the resources list at the end of this post. The list of services run as part of netsvcs is found at HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/SvcHost in the netsvcs value (not in the subkey by the same name); the malware entries in my case were at the end of the list.

The short names for the services were randomly generated, but the descriptive names were reasonable-sounding fakes and the descriptions were pulled from other services. The services were hanging at stage “starting” and until they died other services weren’t starting even though there were no dependencies.

Setting the problem services to Disabled was not possible because access to the registry for them was denied. Similarly, the simple way to get rid of some services is with Sysinternals’ Autoruns tool, but because only the System account had access to those registry keys the version of Autoruns already on the system didn’t show the services (I have not checked whether newer versions will detect this problem).

Resolution

Identifying the specific service entries in the Registry wasn’t hard – I was looking for keys with no descendants (no plus sign next to them) and with randomly-generated names. It’s helpful to have a good feel for how names get shortened and abbreviated – just because a name doesn’t make sense at first doesn’t mean it’s actually random. The keys in question also all lacked values (hidden along with descendants by the lack of security permissions) and had permissions set to allow only System any level of access.

Removing the service entries from the registry manually was simple – it just required changing the security for the affected keys to allow Full Control to an administrative account; in this case the permissions were inherited all the way down. I have encountered situations in the past where security needed to be set on the key, then on the child keys separately. The names were also removed from the netsvcs value found in HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/SvcHost/ (they are in the value, not the key by the same name).

All “infection” keys were then exported and deleted.

Resources

Getting Started with SVCHOST.EXE Troubleshooting (Microsoft TechNet)

Virus alert about the Win32/Conficker worm (Microsoft Support)

Help with svchost.exe (Sysinternals Forums)

Related posts:

1. (Fix) When DNS and ping Fail but nslookup Works (Windows) Spent some time recently with a Windows XP laptop that...
2. (Fix) r3953724.cn Malware/Adware Redirections Quick Fix: have a program named procmon.exe running (copy of...
3. (Fix) “Another Installation is Already In Progress’ installing Office 2007 over Office 2000′ Ran into an interesting problem this evening – I was...

Related posts brought to you by Yet Another Related Posts Plugin.

The standard fix for that is restarting the system to let the in-progress installation do the processing that it needs a system restart for, but in this case that wasn’t the issue.

Other options beyond that relate to removing the InProgress key from HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress, but that also wasn’t doing the trick so it wasn’t an existing installation – it was either something attempting an install behind the scenes (possible, but unlikely given the system setup) or it was something being triggered as part of the installation process.

Digging a bit, the .ipi file being referenced by that registry entry contained references to Office 2000 Professional Disk 2. That led to it being a problem with the uninstaller for the earlier version when started by the Office 2007 installer. Since it wasn’t critical to keep the other parts of Office 2000 on the system we went ahead and uninstalled that, but we received the same error attempting to uninstall Disk 2 (which contains Publisher and some Small Business Tools).

Since this was apparently an issue with the uninstall for that part of Office 2000, I did a bit of digging. It turns out that Microsoft has a cleanup utility designed to remove Office 2000 from a Windows 2000 (or earlier) system. It was last updated when Windows XP came out, and explicitly does not run on XP.

With that information, we ended up with Microsoft’s article How to remove Office 2000 CD2. This gives instructions on the files, directories and registry entries to remove after you’ve run the Disk 2 uninstallation (which was giving us problems all by itself).  Rather than individually remove all of the specified files, and since we had already removed the bulk of Office 2000, I took a bit of a shortcut.

Final Solution: While this is a little messy (there are no-longer-needed files and shortcuts left behind), the quick solution to getting the Office 2007 installer to stop trying to uninstall Office 2000 was to back up (export) the entire HKLM\Software\Microsoft\Office\9.0\ branch then remove it since no parts of Office 2000 are going to be remaining. This allowed the Office 2007 install to complete with no issues.

Followup: there are certainly files left behind that should be removed, but given the relative size of Publisher 2000 and modern hard drives I’m not too concerned about space consumed by the remaining files. There are some now-invalid shortcuts that should also be cleaned up, but since the user is above-average technically savvy she should be just fine cleaning those up herself.

Second Followup: Applies only if Outlook is being uninstalled. It turns out that the user in question was using Outlook Express but was using Outlook for storing Contacts – this was available up to Office 2000 but was removed in Office 2003 except for upgrades. Since the new version being installed didn’t include Outlook, I ended up needing to export the contacts from her PST on another system so she could use them in Windows Address Book. If you’re doing this and using Outlook Express, check first to see if you’re using Outlook Contacts and export as needed before proceeding. Microsoft’s article Copy Outlook contacts to the Outlook Express address book provides more information.

Related posts:

1. (Fix) When DNS and ping Fail but nslookup Works (Windows) Spent some time recently with a Windows XP laptop that...
2. Avoid VBScript for Web Apps Earlier this week I spent some time troubleshooting a browser-based...
3. Choosing Printers for the Office For many small businesses, when it’s time to add or...

Related posts brought to you by Yet Another Related Posts Plugin.

The application in question uses an ActiveX table control to display data provided as XML embedded in the body of the web page, and has assorted other components that need to be installed on the PC for it to work. After getting past the basic issues (the regular user of the PC isn’t a local administrator, so no ActiveX installs allowed), we had the page loading, the table control displaying, and no contents.

After removing, reinstalling and verifying the registration of the control and the supporting libraries, both I and the vendor’s support staff were stumped (and it got kicked around their offices for a day or so). I had glanced at the HTML enough to confirm that the data to be displayed was in fact present and we knew it wasn’t an account issue on their side since the same web-app login worked correctly from other systems, so it was something specific about that newly-built system.

After a bit more poking around on my own in the HTML to see what was happening, it occurred to me that the very first thing in the block of VBScript was the command to link the table control to the XML-formatted data in the page. Since that wasn’t executing, I figured that perhaps the VBScript support on the system was out of date. I remembered seeing an update for that a few years earlier (Windows Script 5.6 for 2000/XP, 2007 and Windows Script 5.7 for XP, 2007), and applying that did the trick.

I’m not sure whether it was a question of the scripting support being outdated or simply not being present at all in a new install. In theory 5.7 was supposed to be a part of SP3 and 5.8 is in Windows 7 and Server 2008 R2, but since it’s not based on .NET it’s clearly not the direction that Microsoft is headed – it’s legacy code. Since the .NET-based PowerShell is available for all current Microsoft operating systems, I’d expect that at some point in the not too distant future the older Windows Script Host is going to fall by the wayside. If you’re developing for the long term, I’d try to avoid falling with it.

Note: Of course, this all ignores the fact that VBScript and .NET-based browser development will only run in Internet Explorer. If you’d like to have your application run in multiple browsers or be usable on Macs and Linux (and eventually on mobile devices like the iPhone, Android and probably even Windows Mobile), you should be working with JavaScript and some of the frameworks for it. ActiveX controls and IE-only scripting languages may add unnecessary constraints to your market.

Related posts:

1. (Fix) When DNS and ping Fail but nslookup Works (Windows) Spent some time recently with a Windows XP laptop that...

Related posts brought to you by Yet Another Related Posts Plugin.

The first thing to do when facing any computer problem is to figure out where the problem lies, so it was time for a bit of sleuthing.

These days the first thing to run on any general-use computer with networking problems is standard anti-spyware / anti-malware / anti-virus software. Some malware infections wedge themselves into the network stack so they can intercept and redirect traffic, and redirecting DNS queries is one approach to send traffic to either advertising that they get paid for or phishing sites where they can steal banking or credit card information. Even if an infection has been cleaned, it’s possible that a part of it was left behind and could still be causing problems. Antivirus boot/rescue CDs are great for this for two reasons: first, they clean the system of many of the more obtrusive problems and second, if they’re able to update over the Internet then it indicates that there’s not a hardware problem – just a Windows problem. Result: Nothing Found, possibly because I wasn’t the first person to look at it.

While those scans were running, I also checked whether it was a firewall issue though that seemed unlikely since nslookup was working. I have seen a major brand of “Internet Security Suite” decide to block DNS queries in the past, so I always check that. Result: Not the firewall

Microsoft has a couple of options for doing repairs to the TCP/IP stack and Winsock, both of which can be damaged by some malware. Assuming that you’re reasonably up-to-date, you can look at How to reset Internet Protocol (TCP/IP) (KB299357) and How to determine and to recover from Winsock2 corruption (KB811259), both from Microsoft. Both of these apply to Vista and Server 2003 as well as XP. Read the cautions in these, you may need to reinstall some software that works with the Internet after using these. Result: these didn’t help either.

Windows does some caching (saving copies) of DNS lookup results, but the service that provides that isn’t critical – it just sometimes makes things faster. To see if that was the problem, I tried queries with the “DNS Client” service (as listed under Control Panel, Administrative Tools, Services) running and stopped. To start or stop it from the command line, use net stop dnscache and net start dnscache. Result: Not the DNS Client/dnscache

In the category of things I don’t expect most people to try, I checked the network traffic to and from the PC using Wireshark (formerly Ethereal, the portable version). The network traffic looked fine, but only DNS queries from nslookup were making it out – no other queries were being attempted. This is an advanced thing to check and for most users the results of using this tool will not make any sense, so unless you know what a packet sniffer is just ignore this step.

Finally, if nothing else has done the trick, you can try Winsock XP Fix. This depends on the fact that some important registry items are the same between different installations of Windows, so it’s able to completely remove those items and re-add them. In some ways this is a last resort because it’s kind of like taking a hammer to the problem, but it can do the trick when nothing else has worked. I’m also only going to suggest using it on Windows XP or older systems – it hasn’t been updated since before Windows Vista came out, so it’s quite possible that running it on Vista, Windows 7 or server operating systems would break things.The Microsoft links above both apply to Vista as well as XP, so try those first.

Winsock XP Fix is available from multiple locations, including Winsock XP Fix at PCWorld.com, Winsock XP Fix at Ramesh/MVPS, or other locations by searching for the name. Result: This did the trick.

Update: What’s Happening?

(Added November 29, 2009) Since I neglected to include details of what’s actually causing these symptoms, here are my suspicions.

All of the items that I tried for diagnosing the problem (including a simple Python program that I didn’t mention) are using the standard gethostbyname(name) call, which is part of the standard WinSock API. If you’re a developer you may note that it accepts only the name to be looked up with no way to specify name servers, because it uses the name servers specified for your current network connection. You can see what those name servers are by running the command “ipconfig /all” from a command prompt.

NSLookup is a tool that allows you to check what results a specific name server returns, using the default name server(s) if you don’t specify one. The advantage of the tool is that if you’re in an environment with multiple name servers, you can use nslookup to confirm that Name Server B is actually returning the correct values when queried. “dig” is another tool that can be used this way, but is not normally found on Windows systems.

Because nslookup allows you to specify what name server to use, it can’t just use the built-in gethostbyname() API call since that doesn’t allow you to specify a name server. For that reason, nslookup in effect has its own internal implementation of that same call which is unaffected by many problems with the WinSock portion of Windows as long as the lowest-level network communications are still working.

For a cooking analogy, nslookup always makes its own bread from scratch rather than buying a loaf at the bakery, so when the bakery’s oven fails nslookup is unaffected.

Updates:

2010-03-18 Added mention that the Microsoft Knowledgebase links apply to Vista and Server 2003, which the final solution does not do.

Related posts:

1. (Fix) r3953724.cn Malware/Adware Redirections Quick Fix: have a program named procmon.exe running (copy of...

Related posts brought to you by Yet Another Related Posts Plugin.

Update/Fix:

The system did indeed have a corrupted atapi.sys file as noted in the comments, though I did not end up using ComboFix to clean it – I was able to replace the file with the identically-sized but binary-different one from the most recent service pack (C:\Windows\ServicePackFiles\i386\atapi.sys) and have not seen the same problem recurring.

In addition, if you need to prevent it from redirecting while you download fixes, you may be able to simply copy notepad.exe (or another common executable) to the name procmon.exe and run that. Last night while I still had the infection active it did not seem to redirect while procmon was running under that name, possibly as a measure to avoid detection.

At this point (several days after initial infection, more than a week after initial reports in the wild) I suspect that many of the tools linked below are updated with definitions that cover this malware so you can probably get by with simply running updated versions of those.

(...)
Read the rest of (Fix) r3953724.cn Malware/Adware Redirections (348 words)