The Windows Recovery Console is required to fix many startup issues caused by malware, viruses, and corrupt system files. The Recovery Console can be booted from the Windows Setup disc, but many machines (including Netbooks) do not have CD drives or easy access to the Windows Setup disc.

Below are the instructions to install the Recovery Console on any Windows XP machine as a boot list option. You will no longer need physical access to the Windows Setup disc (except to install initially) when things go wrong.

  • Insert the Windows XP setup disc.
  • Click Start -> Run and type: “%windir%\i386\winnt32.exe /cmdcons”
  • Click YES on the Windows Setup box to install the Recovery Console.

  • Setup will attempt to connect to the Internet to update any setup files from the disc. Press ESC to interrupt the setup and use the files on the disc only.
  • Once the Recovery Console is installed a confirmation box will pop up. Click OK.

Some Windows XP passwords will not be recognized by the Recovery Console. To remove the password requirement, modify the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
  • Set the DWORD SecurityLevel value to 1.

The PC-OFF.BAT virus loads a shutdown script when logging onto Windows XP. A few seconds after logging in, Windows will shut down. This also affects safe mode. The countdown timer is set to only a few seconds, not allowing the user to enter “shutdown -a” in the run box. You may not even see the emergency shutdown dialog before you are automatically shut down.

In order to remove the files, you’ll need the Windows XP CD. Other options include putting the hard drive into another computer, or using a LiveCD (BartPE or Linux) to remove the files.

Remove the files from your hard drive using the Windows XP CD

  1. Insert the Windows XP disc into the CDROM. You may need to adjust your BIOS settings to boot the CDROM first.
  2. When the “Welcome to Setup” screen appears, press “R.”
  3. Select the installation you wish to access (there should be only one option for most systems).
  4. Enter the administrator password when asked.
  5. Once at the Recovery Prompt, press ENTER after typing the following command: chdir c:\windows
  6. Press ENTER after typing the following command: del bar311.exe
  7. Press ENTER after typing the following command: del password_viewer.exe
  8. Press ENTER after typing the following command: del photo.zip.exe
  9. Press ENTER after typing the following command: del pc-off.bat
  10. Press ENTER after typing the following command: exit
  11. Remove the Windows XP disc and restart your computer.

Once pc-off.bat is removed from the Windows directory, you’ll be able to log on to Windows without it shutting down immediately. There are still remnants left over in the registry though – best to clean those up.

  1. Go to Start -> Run and type “regedit” and press ENTER.
  2. Go to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon and find the value: “Userinit=C:\WINDOWS\system32\userinit.exe,xxxxxx.exe” where xxxxxx.exe is bar311.exe, photo.zip.exe or password_viewer.exe.
  3. Delete bar311.exe, photo.zip.exe or password_viewer.exe from the value, but be sure to leave userinit.exe! If you delete that, you will be unable to log on to Windows.
  4. Go to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced and set the following values: “Hidden=dword:00000001 (1)”, “HideFileExt=dword:00000000 (0)”, “ShowSuperHidden=dword:00000001 (1)”
  5. Go to HKEY_CURRENT_USER\software\microsoft\Command Processor and find the value: “autorun=c:\windows\pc-off.bat” and remove “c:\windows\pc-off.bat”
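
The registry locations in the steps above can also be checked from a regedit text export before anything is edited by hand. This is an added example, not part of the original post: the sample export is constructed, and the expected Userinit path assumes Windows is installed in C:\WINDOWS.

```python
import re

# Constructed sample of a regedit text export from an affected profile (not real data).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,bar311.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="c:\\windows\\pc-off.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
CMDPROC = r"hkey_current_user\software\microsoft\command processor"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
USERINIT = r"c:\windows\system32\userinit.exe"   # assumed install path
WANTED = {"hidden": 1, "hidefileext": 0, "showsuperhidden": 1}  # values from step 4

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}} from .reg text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            data = m.group(2)
            if data.startswith('"'):            # REG_SZ: undo the \\ and \" escaping
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            elif data.startswith("dword:"):     # REG_DWORD: hex digits
                data = int(data[6:], 16)
            current[m.group(1).lower()] = data
    return keys

def audit(text):
    """Return (location, detail) findings for the values the cleanup steps touch."""
    reg, findings = parse_reg(text), []
    for entry in reg.get(WINLOGON, {}).get("userinit", "").split(","):
        if entry.strip() and entry.strip().lower() != USERINIT:
            findings.append(("Userinit", entry.strip()))  # extra program run at logon
    autorun = reg.get(CMDPROC, {}).get("autorun", "")
    if autorun:                                 # runs in every cmd.exe session
        findings.append(("AutoRun", autorun))
    for name, want in WANTED.items():
        have = reg.get(ADVANCED, {}).get(name)
        if have is not None and have != want:
            findings.append(("Explorer", f"{name}={have}, expected {want}"))
    return findings
```

To check a real export, read the file with encoding "utf-16" (regedit writes version 5.00 exports in that encoding) and pass the text to audit().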

February’s Patch Tuesday was eventful to say the least. Many have noticed that Patch #977165 (Security Bulletin MS10-015) causes a blue screen on some systems (Stop Error: PAGE_FAULT_IN_NONPAGED_AREA). While the initial outrage was directed at Microsoft for a shoddy patch, eventually it was found that the Alureon Rootkit was the cause of the blue screen after KB977165 was installed.

But don’t worry! – the makers of the Alureon Rootkit have actually updated it and patched the flaw! Hurray!

For everyone else there are two options:

  1. Use a LiveCD to scan your hard drive for the rootkit and remove it. This will resolve the issue. Try Knoppix STD (http://www.knoppix-std.org/) or BartPE (http://www.nu2.nu/pebuilder/).
  2. Remove MS10-015 (977165) from your system.

How to remove Security Bulletin MS10-015 (977165) from your system

  1. Insert the Windows XP disc into the CDROM. You may need to adjust your BIOS settings to boot the CDROM first.
  2. When the “Welcome to Setup” screen appears, press “R.”
  3. Select the installation you wish to access (there should be only one option for most systems).
  4. Enter the administrator password when asked.
  5. Once at the Recovery Prompt, press ENTER after typing the following command: CHDIR $NtUninstallKB977165$\spuninst
  6. Press ENTER after typing the following:  BATCH spuninst.txt
  7. Press ENTER after typing the following:  systemroot
  8. Press ENTER after typing the following:  exit
  9. Remove the Windows XP CD and restart.
