Sep 01, 2010

Trojan.Gen backdoor may prevent access to USB Flash Drive

I was working in my favorite finance program on my Vista machine last night, and when it went to back up to the flash drive an error came up: “Back up drive “F” is not accessible.”  At first I thought I might have removed it when doing some hardware update, but upon checking it was firmly plugged in.  I removed it, heard the “Bong” sound, plugged it back in, another “Bong,” but no access.  I went into Explorer and it was there, but when I clicked on it, the message that popped up read “Please insert a disk into removable disk drive “F.”  I had never seen this message before and was shocked, since it had worked 7 days ago.  I had not added any programs or updated any applications for a while, so I had no idea what was causing this.  I started researching this error message on Google, and noticed it was not acting normally.  Usually when I type something into Google, it brings up lots of matches and sites related to the query.  It now brought up advertising sites only on the first page, and I had to go to the second page to get any normal results.  I found lots of hits but went with the easy ones first.

I plugged the flash drive into my Win 7 machine and found it worked perfectly.  No virus, according to Avast.  I plugged it into my XP machine running AVG, and again it worked perfectly.  I returned to my Vista machine and it was there but not accessible.  I went into Disk Management from Control Panel and checked it out there.  It showed up but had readings of “0” bytes, “No media detected,” and “0” storage available.  I could change the drive letter on it, but that made no difference.  I decided to back up the data onto another machine and then tried to format it on the Vista machine.  It could not access it to format, giving me an error of “No media.”  Back to Google with some new keywords, only this time I got an error that the “TCP-IP pass through filter has stopped working.”  Once that message came up, no more Internet.  Now I had a new failure to contend with.  Maybe the net card was flaking out?  Maybe the hard drive or motherboard?  Not sure where to start, I went into the registry to find out where the “TCP-IP pass through filter” was.  I found it in lots of places, referring to an “msippsth.dll” file.  I found the file in the “windows\system32” folder, but it did not scan as a virus or anything bad with AVG or Avast.  I went back to Google on a working machine and typed in this new information.

I finally found the answer on a site, www.threatexpert.com, by typing in the file I had found, “msippsth.dll.”  It came up with a “Trojan.Gen, backdoor” dated 7/28/2010.  It detailed all the keys made and other files that might be installed.  Back to the Vista machine and, using a different program that allows deletion of protected keys in case they were secured, I proceeded to remove all traces of this infection.  I then restarted and still had no Internet.  Back to Google on a good machine and, after spending hours with all the different combinations of keywords I had, I finally found I needed to run the command “netsh winsock reset” from a command prompt with admin rights.  That fixed it, and now when I plugged in my flash drive it could be seen and accessed, and Google started working properly, with no more advertising on the first screen of results.

Not sure what this was, how long it has been on my machine, how it got installed or got past Vista’s UAC, firewall, virus and malware protection, what information it was intercepting, but it did and never showed any problems until I tried to use the flash drive.  Not sure what caused the “TCP-IP pass through filter” to stop either but I am glad it did or I might not have been able to figure this out in the few days that it took.

- Jeff
(2010-11-08)
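The symptoms Jeff describes (search results replaced by ads, a third-party “pass through filter” DLL wired into the TCP/IP stack, and `netsh winsock reset` clearing it) are what a Winsock Layered Service Provider looks like, because that command rebuilds the Winsock provider catalog from defaults. The script below is an added example, not code from Jeff’s post or from any tool he mentions: it parses `netsh winsock show catalog`, expands each provider path, and flags layered entries, DLLs outside System32, and DLLs whose Authenticode signature is missing or not Microsoft’s, so you can see what would be removed before you reset. It assumes Vista or later (where the `netsh winsock` context exists) and an elevated PowerShell prompt.

```powershell
# Added example, not code from the post: audit the Winsock catalog for providers
# worth a second look before (or instead of) a blind "netsh winsock reset".
# Assumes Vista or later and an elevated prompt.

function Get-WinsockCatalog {
    # Parse the netsh text report into one object per "Winsock Catalog Provider Entry".
    $raw = & netsh.exe winsock show catalog
    $entries = @()
    $current = $null
    foreach ($line in $raw) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($current -ne $null) { $entries += New-Object PSObject -Property $current }
            $current = @{}
            continue
        }
        # "Key:   value" lines; the key is letters and spaces only, so a drive-letter
        # colon in the value does not confuse the split.
        if ($current -ne $null -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($current -ne $null) { $entries += New-Object PSObject -Property $current }
    return $entries
}

function Test-WinsockProvider {
    param([Parameter(Mandatory=$true)]$Entry)
    $findings = @()
    # LSPs and chain entries sit between applications and the base TCP/IP provider;
    # a clean machine normally has none, so any is worth explaining.
    if ($Entry.'Entry Type' -match 'Layered') { $findings += "$($Entry.'Entry Type') present" }
    $path = [string]$Entry.'Provider Path'
    if ($path) {
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if ($path -notlike "$env:SystemRoot\system32\*") { $findings += "DLL outside System32: $path" }
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += "DLL missing on disk: $path"
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                # Windows' own mswsock.dll is catalog-signed, which older PowerShell
                # reports as NotSigned; weigh this together with the path and description.
                $findings += "Authenticode status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings += "signed by $($sig.SignerCertificate.Subject)"
            }
        }
    }
    New-Object PSObject -Property @{
        Description = $Entry.Description
        EntryType   = $Entry.'Entry Type'
        Path        = $path
        Findings    = ($findings -join '; ')
    }
}

# Report only the providers with findings. A name like "TCP-IP pass through filter"
# would show up in the Description column.
$report = Get-WinsockCatalog | ForEach-Object { Test-WinsockProvider -Entry $_ } |
          Where-Object { $_.Findings }
if ($report) {
    $report | Format-Table Description, EntryType, Path, Findings -AutoSize
    Write-Host 'If a listed DLL is not something you installed, "netsh winsock reset" (then reboot) rebuilds the catalog from defaults.'
} else {
    Write-Host 'Winsock catalog contains only providers that look like stock Windows entries.'
}
```

Run it before the reset so you keep a record of the provider DLL’s path and hash for later analysis; after `netsh winsock reset` and a reboot the catalog entry is gone, but the DLL itself stays on disk until you remove it, as Jeff did by hand.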

Jul 18, 2010

24 Hour Catastrophic Technoogie Failure

Today we just recovered from a SCSI drive failure. Usually I have everything running on RAID 5 arrays, but this host machine was a temp installation that got forgotten about and had two striped drives. One started failing on Saturday.

The controller placed the drive set into RO (Read Only) mode to save the data on it. I then made a sector copy with Acronis 10 and restored it to a new array, but had to use the same configuration because there isn’t enough room for a RAID 5 setup. Because the controller created the array with a new ID, the VMs had to be edited because the path to the VMFS had changed. The file to change is the VMname.VMX file.

I apologize for the down time if you were looking for something yesterday.

- Cory L. Curtis
(2010-07-18)

Jul 09, 2010

Intel DQ57TM with i7, i5, i3 series processors – DIMM and Video issues

I’ve come across a few not so well documented problems when using i7, i5, or i3 900 and 800 series processors on an Intel DQ57TM mainboard. One is in the addendum they have placed in the box, which you won’t know about until after you’ve ordered your board and memory modules. When using any of the i series CPUs you’ll need to use low voltage DIMMs at 1.6 volts or less. Crucial.com isn’t privy to this crucial piece of information, so when you look for what’s compatible with the DQ57TM on their website it offers the Ballistix modules as an option. To be fair, Crucial is a top notch outfit and will take them back if you bought them from their website. But it still takes up your time.

The other issue is the Intel POST beep code of two long beeps with a pause and a repeat of two long beeps. This information can be found in the PDF manual on the CD that comes with the board. More is available in the TPS PDF on Intel’s website. The TPS document seems to have two conflicting pattern statements about the beep code.
Table 39 says:

On-off (1.0 second each) two times, then 2.5-second pause (off), entire pattern repeats (beeps and pause) once and the BIOS will continue to boot.

This however is not what happens. After the pattern completes twice, it sounds like it reboots and the system halts and the integrated video displays nothing.

Table 40 says:

On-off (1.0 second each) two times, then 2.5-second pause (off), entire pattern repeats (blink and pause) until the system is powered off.

This also isn’t what happens because it only beeps twice for one second each, then the 2.5 second pause, then two one second beeps again and then does a reboot beep and the system halts.

As I understand it, the 4MB cache CPUs have graphics support for the integrated graphics on the board, and the 8MB or greater CPUs don’t.
So if you’re going to use an i 800 or 900 series processor in this board, get yourself some low voltage DIMMs and an x16 video card.

If there is more to this than I have, or if I have something wrong here, please post a comment or use the “Contact” tab at the top.
Thanks,

- Cory L. Curtis
(2010-07-09)

Jun 22, 2010

Boot Sector Viruses Return – A Dark Magic From The Past

In the past month I’ve encountered two boot sector viruses. I haven’t seen this kind of black magic for more than a decade, not since the old Steal Boot virus.
The real nasty one had an EXE in the profile temp of khvcol.exe. It would also create these two files in “C:\System Volume Information\Whistler”.
smss.exe
svchost.exe

These two files show up in the system processes. You can suspend them and then close the process, but they keep coming back after each reboot. I just couldn’t believe I was seeing a boot sector virus, so I copied the hex values of the first sector of the hard drive, then ran “fixmbr” and copied the first sector again. I then examined the two files in ExamDiff Pro to see if they were different, and they were quite different.
I repaired the boot sector from an alternate boot CD. If you have a recovery console installed you can fix it that way, but if you encounter a virus like the Steal Boot, a recovery console on the same drive will never work. Once I had the sector repaired I then scanned the drive with an antivirus program in an alternate machine.
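The before/after comparison above is easy to automate, and doing so tells you something a hex diff alone does not: which region of the sector changed. The script below is an added example, not the post’s own procedure or any tool it names. It reads the first 512 bytes of a physical drive (or of a saved dump), summarises the classic MBR layout (bootstrap code, disk signature, partition table, 0x55AA signature), and diffs two dumps. Assumptions: an MBR-partitioned disk rather than GPT, an elevated prompt for the raw device read, and that `fixmbr` rewrites only the bootstrap code, so a changed partition table after the repair means something other than the boot-code rewrite happened.

```powershell
# Added example, not code from the post: dump a disk's first sector, summarise the
# MBR, and diff two dumps the way the post did with a hex editor. Assumes a classic
# MBR (not GPT). Reading \\.\PhysicalDrive0 needs an elevated prompt; a saved
# 512-byte file passed with -Path does not.

function Read-BootSector {
    param([string]$Device = '\\.\PhysicalDrive0', [string]$Path)
    if ($Path) { return [IO.File]::ReadAllBytes($Path)[0..511] }
    # FileStream can read a raw device as long as reads are sector multiples; share
    # ReadWrite because the OS already has the disk open.
    $fs = New-Object IO.FileStream($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite, 4096)
    try {
        $buf = New-Object byte[] 4096          # one aligned read, keep the first sector
        $n = $fs.Read($buf, 0, 4096)
        if ($n -lt 512) { throw "short read ($n bytes) from $Device" }
        return $buf[0..511]
    } finally { $fs.Close() }
}

function Get-Sha256Hex([byte[]]$Bytes) {
    $h = [Security.Cryptography.SHA256]::Create().ComputeHash($Bytes)
    return ($h | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-MbrSummary([byte[]]$Sector) {
    # Layout: bytes 0..439 bootstrap code, 440..443 disk signature, 446..509 four
    # 16-byte partition entries, 510..511 the 0x55AA boot signature.
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -ne 0) {                 # type byte 0 means an empty slot
            $parts += New-Object PSObject -Property @{
                Index    = $i
                Active   = ($Sector[$o] -eq 0x80)
                Type     = ('0x{0:x2}' -f $Sector[$o + 4])
                StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
                Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
            }
        }
    }
    New-Object PSObject -Property @{
        BootSignatureOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootstrapSha256 = Get-Sha256Hex ($Sector[0..439])   # compare against a known-good dump
        DiskSignature   = ('0x{0:x8}' -f [BitConverter]::ToUInt32($Sector, 440))
        Partitions      = $parts
    }
}

function Compare-BootSector([byte[]]$Before, [byte[]]$After) {
    # Report which regions changed. fixmbr should touch only the bootstrap code; a
    # changed partition table means more than a boot-code rewrite happened.
    $diff = @(0..511 | Where-Object { $Before[$_] -ne $After[$_] })
    New-Object PSObject -Property @{
        ChangedBytes     = $diff.Count
        BootstrapChanged = (@($diff | Where-Object { $_ -lt 440 }).Count -gt 0)
        PartTableChanged = (@($diff | Where-Object { $_ -ge 446 -and $_ -lt 510 }).Count -gt 0)
        FirstOffset      = $(if ($diff.Count -gt 0) { '0x{0:x3}' -f $diff[0] } else { $null })
    }
}

# Usage (elevated): dump before the repair, repair from recovery media, dump again.
#   $before = Read-BootSector; [IO.File]::WriteAllBytes('C:\mbr-before.bin', [byte[]]$before)
#   ...run fixmbr, reboot...
#   $after = Read-BootSector; Compare-BootSector $before $after; Get-MbrSummary $after
```

Keep the saved dumps: the bootstrap hash of the infected sector is the indicator you can check other machines against, and the partition table entries let you confirm the repair did not move or drop a partition.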

- Cory L. Curtis
(2010-06-10)

Apr 09, 2010

Adobe Illustrator: “An unknown error has occurred” when saving a file.

I’ve been working on a new logo for “Secure Point Backup” and after about 4 hours of work decided it was time to save the file, and couldn’t because of this Adobe Illustrator error, “An unknown error has occurred,” when saving the file. I found that most people cured this by deleting the AI Preferences file from the user profile, but that was after closing AI. I wasn’t about to lose my work. I then noticed that my little text blurb was missing, but in the object manager it was listed as visible. After deleting the text from the file I was able to save it. I don’t get it, but if that’s what it takes, so be it. What else can you do?

- Cory L. Curtis
(2010-04-09)

Update :
Twas a corrupt font.

(2009-04-17)

Mar 16, 2010

XP Network Error: “You might not have permission to use this network resource”

I was trying to fix a client’s backup problem and Avast said it had an update, so I let ’er fly. I wish I hadn’t, because this error, “You might not have permission to use this network resource,” came after that update. Apparently this happens with a number of other antivirus products, like Symantec’s Norton stuff, too.

Some of the other error texts that you might see are:
 "Not enough server storage is available to process this command."
 "Not enough memory to complete transaction. Close some applications and retry."

The event log will have:
  Event ID: 2011
  Source: Srv
  Description: The Server's configuration parameter "IRPStackSize" is too small for the server to use a local device. Please increase the value of this parameter.

The short answer is that you need to add or change this registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\IRPStackSize = XX (DWORD, decimal; the value name is case sensitive)

Start at 15 and raise it in increments of 3 until the error stops. The documented range is 11 to 50, and you’ll probably need to reboot after each change for the Server service to pick it up. I just went for broke and set this one to 50 and rebooted.

The microsoft KB 177078 is here: Antivirus software may cause Event ID 2011

Another possible cause for the “You might not have permission to use this network resource” error is in a registry key called “restrictanonymous“.

The exact error is:
ComputerName or IP is not accessible. You might not have permission to use this network resource. Access is denied.

The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and you change the value of “restrictanonymous” to “0”. Be aware that 0 is the least restrictive setting: it allows anonymous (null session) enumeration of shares and accounts again, so only drop it if you have confirmed that is the cause, and prefer granting the needed permissions explicitly where you can.

The Microsoft KB 913628 : Error message when you try to access a Windows XP-based network computer: “You might not have permission to use this network resource”

There are probably others, like maybe you really don’t have permission.
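The following is an added example, not the post’s own procedure: it scripts the two checks above so you can tell the causes apart before touching the registry. It looks for Srv Event ID 2011 in the System log, reads and raises IRPStackSize within the documented 11 to 50 range, and reports (without changing) the Lsa RestrictAnonymous value. It assumes XP or Server 2003 with PowerShell installed, an elevated prompt, and that the machine is rebooted after a change, as the post says.

```powershell
# Added example, not code from the post: diagnose and fix the two causes above.
# Assumes XP/2003 with PowerShell, an elevated prompt, and a reboot after changes.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-IrpStackEvent {
    # True when the Server service has logged Event ID 2011 in the System log.
    $hits = Get-EventLog -LogName System -Source Srv -Newest 500 -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 2011 }
    return (@($hits).Count -gt 0)
}

function Get-IrpStackSize {
    $v = Get-ItemProperty -Path $LanmanParams -Name IRPStackSize -ErrorAction SilentlyContinue
    if ($v -eq $null) { return $null }     # absent: Windows uses its built-in default (15)
    return [int]$v.IRPStackSize
}

function Set-IrpStackSize {
    param([int]$Value)
    if ($Value -lt 11 -or $Value -gt 50) { throw "IRPStackSize $Value is outside the documented 11..50 range" }
    if ((Get-IrpStackSize) -eq $null) {
        New-ItemProperty -Path $LanmanParams -Name IRPStackSize -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $LanmanParams -Name IRPStackSize -Value $Value
    }
    Write-Warning "IRPStackSize set to $Value; reboot for the Server service to use it."
}

function Step-IrpStackSize {
    # One round of the post's "start at 15, go up by 3" loop, capped at 50.
    param([int]$Increment = 3)
    $current = Get-IrpStackSize
    if ($current -eq $null) { $current = 15 }
    Set-IrpStackSize -Value ([Math]::Min(50, $current + $Increment))
}

function Get-RestrictAnonymous {
    # 0 = anonymous enumeration allowed, 1 = SAM accounts and shares not enumerable
    # anonymously, 2 (2000 only) = no anonymous access without explicit permission.
    $v = Get-ItemProperty -Path $LsaKey -Name restrictanonymous -ErrorAction SilentlyContinue
    if ($v -eq $null) { return 0 }
    return [int]$v.restrictanonymous
}

# Decide which cause applies before changing anything.
if (Test-IrpStackEvent) {
    Write-Host "Event 2011 present; IRPStackSize is currently $(Get-IrpStackSize) (null = default)."
    Step-IrpStackSize
} else {
    Write-Host "No Event 2011. RestrictAnonymous = $(Get-RestrictAnonymous); if access still fails, check share and NTFS permissions before lowering it."
}
```

The IRPStackSize path is safe to iterate; the RestrictAnonymous path deliberately only reports, because lowering it widens what an unauthenticated host on the network can enumerate.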

- Cory L. Curtis
  (2010-03-16)

Mar 15, 2010

Accept and Re-Accept the License Over and Over for Office Word, Excel, Outlook, etc.

I just recently built a hot rod Microsoft® Windows 7 system for a client and we decided to wait for the release of Office 2010 before I bought Office for them. In the interim we put the Office 2003 license they already had on it. The problem that occurred was that it would ask for you to agree to the license again and again, every time you opened Word, Excel, or any other Microsoft® Office product.
The cause is a lack of user privilege to write changes to certain registry keys, in this case the ones recording acceptance of the end user license agreement for Office. All that needed to be done was to launch Word or any other Office program once with administrative privilege. If you do it from a link that is pinned to the taskbar or program menu, you’ll need to hold down the ‘Shift’ key as you right-click it. Select “Run as administrator” from the context menu, towards the top.

See the Microsoft® KB here : You must accept the Office End User License Agreement every time that you start an Office program

Cory L. Curtis
(2010-03-15)

Jan 08, 2010

Promote Domain Controller to PDC and Seize FSMO roles

Eventually that day comes when a domain controller dies a sudden or ignominious death and a secondary controller needs to take its place. Well, in the last month I’ve had two such occurrences. One on a 2003 domain and another on a 2008 domain. The problem I encountered is that the exact commands used by Ntdsutil.exe to seize FSMO roles aren’t easily found. Even Microsoft’s own website didn’t have the commands listed in their article about FSMO seizure. It does have a great deal of very good detail and outlines some important steps to take and some alternative options, like how to transfer FSMO roles if your PDC is still online.

How to Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these modified steps:

  1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
  2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  3. Type roles, and then press ENTER.
  4. Type connections, and then press ENTER.
  5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  6. At the server connections prompt, type q, and then press ENTER.
  7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
    The actual commands to seize the roles are:

    • seize schema master
    • seize naming master (older versions of ntdsutil call this role “domain naming master”; type ? at the fsmo maintenance prompt to see which name yours accepts)
    • seize pdc
    • seize rid master
    • seize infrastructure master
  8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

One of the Microsoft notes states: “Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information, because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.”

If you only have one domain controller at this point you must turn on the “Global Catalog” option after seizing the Infrastructure Master role.

For More Info : FSMO placement and optimization on Active Directory domain controllers

Next you’ll need to remove the old PDC data from Active Directory. It’s a somewhat lengthy procedure, and it matters: once roles have been seized, the old controller must never be reconnected to the network in its old state, because it still believes it holds those roles. Rebuild it from scratch if you want the hardware back in the domain.
The link : How to remove data in Active Directory after an unsuccessful domain controller demotion
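The eight steps above can be driven from one script, which is also the quickest way to verify the result. The block below is an added example, not the post’s own commands or Microsoft’s article: it records the current role holders with `netdom query fsmo`, runs the whole ntdsutil session non-interactively by passing each prompt command as a separate argument, checks that every role now names the surviving DC, and, since the post’s case is a single remaining controller, turns on the Global Catalog with `repadmin /options`. Assumptions: the surviving DC name `DC02` is a placeholder, the dead DC is gone for good, the account has Enterprise Admin rights for the schema and naming roles, `netdom` and `repadmin` are available (on 2003 they come from the Support Tools), and someone is at the console, because ntdsutil still shows a confirmation dialog for each seize.

```powershell
# Added example, not code from the post: seize all five FSMO roles onto a surviving
# DC with ntdsutil, verify with netdom, and enable the Global Catalog with repadmin.
# $TargetDc is a placeholder; run as an Enterprise Admin on the surviving DC.

$TargetDc = 'DC02'

function Get-FsmoHolders {
    # netdom prints "<role name>   <dc fqdn>" lines; parse them into a hashtable.
    $holders = @{}
    & netdom.exe query fsmo | ForEach-Object {
        if ($_ -match '^(.+?)\s{2,}(\S+)$') { $holders[$matches[1].Trim()] = $matches[2] }
    }
    return $holders
}

function Invoke-FsmoSeize {
    param(
        [string]$Server,
        # Role names as accepted by ntdsutil on 2008; 2003 calls the second one
        # "domain naming master" (type ? at the fsmo maintenance prompt to check).
        [string[]]$Roles = @('schema master', 'naming master', 'pdc', 'rid master', 'infrastructure master')
    )
    # Each interactive ntdsutil command becomes one argument, so the session runs
    # unattended apart from the per-role confirmation dialog. "seize" first attempts
    # a clean transfer and only overwrites the role if the holder cannot be reached.
    $cmds = @('roles', 'connections', "connect to server $Server", 'quit')
    foreach ($r in $Roles) { $cmds += "seize $r" }
    $cmds += @('quit', 'quit')
    & ntdsutil.exe $cmds
}

function Test-FsmoOwner {
    param([string]$Server)
    # True when all five role lines from netdom name the target DC (netdom prints FQDNs).
    $holders = Get-FsmoHolders
    $roles = @($holders.Keys | Where-Object { $_ -match 'master|PDC|RID' })
    if ($roles.Count -lt 5) { return $false }
    foreach ($r in $roles) {
        if ($holders[$r] -ne $Server -and $holders[$r] -notlike "$Server.*") { return $false }
    }
    return $true
}

function Enable-GlobalCatalog {
    param([string]$Server)
    # Sets the IS_GC flag on the DC's NTDS Settings object.
    & repadmin.exe /options $Server +IS_GC
}

Write-Host 'Role holders before:'
Get-FsmoHolders | Format-Table -AutoSize

Invoke-FsmoSeize -Server $TargetDc

if (Test-FsmoOwner -Server $TargetDc) {
    Write-Host "$TargetDc now holds all five roles."
    # Last DC standing: it must also be a Global Catalog. The Infrastructure master
    # warning above only applies when other GCs exist in the domain.
    Enable-GlobalCatalog -Server $TargetDc
} else {
    Write-Warning 'Not every role moved; rerun ntdsutil interactively and use ? to confirm the role names this version accepts.'
    Get-FsmoHolders | Format-Table -AutoSize
}
```

After this, do the metadata cleanup the post links to, so the dead controller’s NTDS Settings and computer objects stop being replication partners for the survivor.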

- Cory L. Curtis
- (2010-01-08)

Jan 08, 2010

New blog post: Promote Domain …

New blog post: Promote Domain Controller to PDC and Seize FSMO roles http://www.technoogies.com/?p=366

Written by Cory Curtis in: Tweets
Nov 28, 2009

HighPoint RocketRaid 1740 with 2TB drives…

HighPoint RocketRaid 1740 with 2TB drives has a spin-up issue. Only two of three are seen until you reset the system; then it sees all array drives.

Written by Cory Curtis in: Tweets

Owned and operated by Palmtek   |   Maintained by pseudosite.com