Malware deleting TrustedInstaller.exe, therefore crippling Windows

My sister’s computer was infected with a bunch of stubborn malware. Even after cleaning the offending files, a lot of things wouldn’t work.

Windows Update, sfc /scannow and DISM /Online /Cleanup-Image all failed for unknown reasons, which I found was somehow related to the “Windows Modules Installer” service not running.

I saw something weird in services.msc: “Windows Modules Installer” doesn’t exist, but I know its underlying service name is “TrustedInstaller”, and a service named as such is there; however, it cannot be started, and it has no descriptive information.

So I searched the registry for “TrustedInstaller” and got to its entry. I noticed these two values:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedInstaller]
"DisplayName"="@%SystemRoot%\\servicing\\TrustedInstaller.exe,-100"
"Description"="@%SystemRoot%\\servicing\\TrustedInstaller.exe,-101"

It means the meaningful names and descriptions I saw in services.msc are generated by calling the underlying service executable with switches. I checked my “C:\Windows\servicing” and found that “TrustedInstaller.exe” is not there at all! Of course you cannot start a service when the file does not exist at the promised path (ImagePath).

I searched the hard drive and found only one instance of the file, stored in the component store (like C:\Windows\winsxs\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7600.16385_none_90e389a7ae7a4b6c), and I tried to move the file to “C:\Windows\servicing”. However, ownership of and write permission to “C:\Windows\servicing” belong to the “TrustedInstaller” account, not “Administrator”, so I took ownership, gave Administrator full rights, then moved the file over.

Everything worked after that! The mere trick of deleting TrustedInstaller.exe is enough to make the user miserable trying to clean the system up: “sfc /scannow” and the like require TrustedInstaller/WIM to be working in the first place, so you cannot use them to repair TrustedInstaller/WIM problems.
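As an added example (not from the original post), here is a PowerShell check for exactly this failure mode: it walks the Services registry key, resolves each Win32 service’s ImagePath to the binary it names, reports the ones whose binary is missing from disk, and looks for a same-named copy in WinSxS as a recovery hint. It assumes a Windows host, a session with rights to read HKLM, and the standard %SystemRoot%\winsxs component-store location.

```powershell
# Added example (not from the original post): flag Win32 services whose ImagePath binary is
# missing from disk, and look for a component-store copy as the post did for TrustedInstaller.exe.
# Assumes a Windows host and a PowerShell session with rights to read HKLM.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    # ImagePath may be quoted, may carry arguments, and may use %SystemRoot%, \SystemRoot\ or \??\ forms.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1).Split('"')[0]            # quoted: text inside the first pair of quotes
    } elseif ($p -match '^(?<exe>.+?\.exe)(\s|$)') {
        $p = $Matches['exe']                           # unquoted: everything up to the first .exe token
    } else {
        $p = $p.Split(' ')[0]                          # no .exe token at all: take the first word
    }
    $p = $p -replace '^\\\?\?\\', ''                   # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # e.g. system32\foo.exe
    return $p
}

$report = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -Path $key.PSPath
    # Type 0x10 / 0x20 are Win32 own- / shared-process services; kernel and file-system drivers are skipped.
    if (-not $svc.ImagePath -or -not ($svc.Type -band 0x30)) { continue }
    $bin = Resolve-ServiceBinary $svc.ImagePath
    if (Test-Path -LiteralPath $bin) { continue }
    # The binary is gone: see whether the component store still holds a file of the same name.
    $leaf = Split-Path -Path $bin -Leaf
    $candidate = Get-ChildItem -Path "$env:SystemRoot\winsxs" -Recurse -Filter $leaf -ErrorAction SilentlyContinue |
                 Select-Object -First 1 -ExpandProperty FullName
    [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $svc.ImagePath; Missing = $bin; WinSxSCopy = $candidate }
}

$report | Format-Table -AutoSize
```

A service listed here with an empty WinSxSCopy column has no local copy to restore and needs its binary from installation media or another machine of the same build.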

Floppy Disk Drive Ribbon Cable Orientation

Hooking up a floppy drive today after a decade of disuse, I followed the notch/key on the connector/cable, but it turned out to be incorrect! It turns out I should do the opposite: force the key onto the side without the notch (or trim the key)!

So stick with the conventional wisdom that the ribbon’s pin 1 (marked) should always stay close to the power connector, regardless of whether it’s IDE or FDD (3.5″ or 5.25″), EVEN IF FOOLPROOF MECHANISMS TELL YOU OTHERWISE!

Simple dialog box built in windows

Back in the day, we used “net send” to display dialog boxes (I used it to chat with my friend after we dialed up to each other’s computer).

Since Windows XP, there’s a more intuitive tool that does the same. It’s convenient if you want to add GUI interaction so that the user won’t ignore the text on the command prompt screen:

msg %SESSIONNAME% "your message goes here"

Visual C++ 2008 Redistributable (VC_RED) unpacks temp files to root folder

Over the last decade I was wondering whether I had done something wrong, or whether my computer was infected by some rootkit, because random installation files kept showing up in the root folder.

Turns out it’s a stupid bug (I didn’t expect something this low from Microsoft): the installer unpacks the temporary files of the Visual C++ 2008 redistributable to the ROOT folder of whichever drive has the largest free space!

It’s fixed in SP1, but some old programs that distribute the first revision will crap all over the root folder of seemingly random drives (actually, it’s the one with the most free space). Nasty!

https://support.microsoft.com/en-us/help/950683/vcredist-from-vc-2008-installs-temporary-files-in-root-directory

I made a batch file to clean it up. It’s not robust or up to any good programming standards (I should have checked the hash/signature before deleting if I were paid to write it, but I wasn’t). This batch file accepts as input the drive that was littered (like E:\); without an argument it just picks the root folder of the current drive.

@ECHO OFF
echo.Clean up Visual C++ 2008 temporary files (due to a bug)

setlocal
set "old_dir=%cd%"

if "%~1" == "" goto Main
cd /d "%~1"

:Main
REM must be a root folder of some drive
cd /

REM Display current drive
echo.%cd:~0,1% drive is going to be cleaned. Press Ctrl+C now to abort, or any other key to continue.
pause

REM Delete only the files the buggy vcredist leaves behind, and only those that are actually present
for %%F in (
    install.exe
    install.res.1028.dll
    install.res.1031.dll
    install.res.1033.dll
    install.res.1036.dll
    install.res.1040.dll
    install.res.1041.dll
    install.res.1042.dll
    install.res.2052.dll
    install.res.3082.dll
    vcredist.bmp
    globdata.ini
    install.ini
    eula.1028.txt
    eula.1031.txt
    eula.1033.txt
    eula.1036.txt
    eula.1040.txt
    eula.1041.txt
    eula.1042.txt
    eula.2052.txt
    eula.3082.txt
    VC_RED.MSI
    VC_RED.cab
) do if exist "%%F" del "%%F"

echo.Done
cd /d "%old_dir%"
endlocal

No warranty or support of any sort if you use it. That’s why I wouldn’t even make it downloadable. Just copy and paste it to a batch file yourself, and keep in mind that you are on your own.

Windows Gotcha: Cannot access other machine because time doesn’t sync

Newer Windows, starting with Windows 7 at least, requires the clocks to be in sync for login/authentication to work. The confusing part is that if it fails, it doesn’t tell you why, leading you to think your password was wrong.

Turns out this time, I was trying to copy files to a Windows 2000 machine (a logic analyzer). After some Googling, this website showed me it could be a time issue. The RTC on that motherboard was alright, showing that it’s 2018, but after a closer look, the time zone was EST (GMT-7) while I’m on PST (GMT-8), so the clock is off by one hour!

MSI-based installer silent install summary

Recently I needed to reorder the pre-req installation for an InstallShield installer package that has pre-reqs and an MSI inside it. That means I had to extract all the pre-req EXE and MSI files and write batch files to call them, then the installer again for the core software, all done silently.

I learned:

  • Administrative install (/a switch) only extracts the core firmware, not the pre-req files
  • /b"<target-folder>" extracts the pre-reqs as .prq files
  • Need to grab the extracted .exe files by monitoring the temporary folder as they appear
  • /s doesn’t always install silently. Some .exe files with an MSI packed inside require the ‘silent’ request to be passed on to the MSI by adding /v/qn (/v passes the following switch to the MSI, and that switch, /qn, means silent in this case)
  • .NET before v2.0 requires different switches to install without prompting for the license agreement, namely
    /q:a /c:"install /q"
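As an added example (not from the original post), a PowerShell script that chains the extracted pre-reqs and the core MSI silently, in order, with the switches listed above, and stops at the first installer that fails. The file names, their order and the script-relative location are assumptions; the 0/3010 exit-code handling follows the Windows Installer convention.

```powershell
# Added example (not from the original post): run extracted pre-reqs and the core installer
# silently, in order, stopping at the first failure. File names and order are assumptions;
# the switches are the ones listed above. Installers are assumed to sit next to this script.
$steps = @(
    @{ Name = '.NET Framework 1.1'; File = 'dotnetfx.exe';     Arguments = '/q:a /c:"install /q"' }  # pre-2.0 .NET
    @{ Name = 'Vendor pre-req';     File = 'prereq_setup.exe'; Arguments = '/s /v/qn' }               # InstallShield EXE wrapping an MSI
    @{ Name = 'Core product';       File = 'core.msi';         Arguments = $null }                    # plain MSI, run through msiexec
)

function Invoke-SilentInstall {
    param([string]$Path, [string]$Arguments)
    $log = "$Path.log"
    if ([IO.Path]::GetExtension($Path) -eq '.msi') {
        # msiexec: quiet install, no automatic reboot, verbose log next to the package
        $Arguments = "/i `"$Path`" /qn /norestart /l*v `"$log`""
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    } else {
        $proc = Start-Process -FilePath $Path -ArgumentList $Arguments -Wait -PassThru
    }
    return $proc.ExitCode
}

$rebootNeeded = $false
foreach ($step in $steps) {
    $code = Invoke-SilentInstall -Path (Join-Path $PSScriptRoot $step.File) -Arguments $step.Arguments
    # 0 = success; 3010 = success but a reboot is required (Windows Installer convention)
    if ($code -eq 3010) { $rebootNeeded = $true }
    elseif ($code -ne 0) { throw "$($step.Name) failed with exit code $code" }
    Write-Host "$($step.Name): exit code $code"
}
if ($rebootNeeded) { Write-Host 'At least one installer requested a reboot; restart before using the product.' }
```

A non-MSI pre-req may use its own exit-code scheme, so check the vendor’s documentation before treating anything other than 0 as a failure for that step.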

Remove McAfee Enterprise Antivirus from Windows

I was asked to install McAfee Enterprise Antivirus v8.8 as a favor to somebody else’s client; it turns out this piece of 5h1t is a nightmare.

After I installed the agent, the main software wouldn’t proceed to install. I looked up error code 1603 in the MSI log, upgraded a fresh Windows XP to SP3, updated Windows Installer to 4.5 and set the time back (somebody suggested a potential certificate problem), and it still failed.

Without being compensated for my time, I gave up and tried to uninstall it through Add/Remove Programs. Now the uninstaller complained that the program cannot be uninstalled in managed mode. Normally I’m quite understanding towards programmers, since their job is wrestling with complexity, but this time there is no excuse: if you add an item to Add/Remove Programs, people expect to be able to uninstall it directly from there, by definition!

After some digging, I found that being unable to uninstall McAfee is a known, common problem. The IT crowd at the University of Oregon has written an article with the solution. It boils down to running:

"C:\Program Files (x86)\McAfee\Common Framework\frminst.exe" /remove=agent

I bet even stoners are more competent at packaging software for release! How much productivity across the world have they drained by shipping out incompetent software as bad as malware!

Stay away from McAfee. I won’t install it even if they pay me $8k. Refuse to service anything McAfee without charging an exorbitant sum, or you won’t make your lost time back.

Symantec Ghost in Windows hangs for mSATA to SATA adapter board Solution: Start Ghost with -NOTRIM

I was trying to image an mSATA SSD with Ghost in Windows (I’m using version 12.0.0.8023 Corporate Edition, as I bought the Altiris license) and I ran into internal consistency error 8027 right at the very beginning of the copying process.

For some reason, it doesn’t happen if I boot to the DOS version (provided by Agilent) to do the cloning.

Luckily the status bar tells me what’s going on during the process. I noticed it always hangs when Ghost tells me that it’s TRIMming the SSD. I looked up the help (ghost32.exe -help) and noticed that there’s a “-NOTRIM” option. I tried it and the clone completed successfully.

Turns out Symantec is aware of it. The support article is titled “Cloning Solid State Disk (SSD) drives fails when using the UEFI 12.0.0.x Ghost executables”.

The summary says that since older versions (11.5.1.x) do not have TRIM, this isn’t a problem for them, and

“Build 12.0.0.8003 (from GSS 3.0 early build) resolved the issue with the partition restore”

I’m not sure what that means. But the solution is the same as what I did: disable TRIM when copying an SSD in Windows (done by the -notrim switch).