Terminal Services Client Blue Screen Bug Fix; SMB Signing Hotfix Flaw; Adult Web Site Trojan Horse; and More

Learn the details about a Terminal Services Client blue screen, a flaw in an SMB signing hotfix, a Trojan Horse associated with an adult Web site, and Win2K redirector problems.

Paula Sharick

March 24, 2003

7 Min Read
ITPro Today logo in a gray background | ITPro Today

Terminal Services Client Blue Screen Bug Fix Do your Windows XP Home Edition, XP Professional Edition, and Windows 2000 Server Terminal Services clients crash with a stop code of 0x7F from win32k.sys? Microsoft attributes this system crash to a stack overflow that occurs when the OS closes a large number of nested windows. Given this description, I expect the Terminal Services client crash occurs when a user opens a large number of windows, either before or during a Terminal Services session. If this bug is causing the problem, after the client reboots and establishes another Terminal Services session, it crashes with the same stop code. Microsoft has released a patch that solves the stack overflow problem. The patch contains updated versions of 14 files with release dates of February 14 through March 4. You can get this update only from Microsoft Product Support Services (PSS); cite Microsoft article "Windows Stops Responding with 'Stop Error 0x7F' Error Message" (http://support.microsoft.com/?kbid=814789) as the reference.

SMB Signing Hotfix Flaw
Microsoft Security Bulletin MS02-070 (Flaw in SMB Signing May Permit Group Policy to Be Modified) introduces a spooler problem that causes Win2K Professional systems to take as long as 1 minute to log off. Microsoft has corrected the problem in a new version of the spooler service, with a file release date of January 28, 2003. If you distributed this Group Policy vulnerability hotfix, you probably need the bug fix for the hotfix. Call PSS and cite the reference article "Unexpected Delay When You Log Off Your Domain" (http://support.microsoft.com/?kbid=814770). According to the documentation, users can work around the problem by restarting the spooler service before they log off. However, if it takes a minute for the spooler service to restart, it doesn't seem like this workaround saves any time.

Adult Web Site Pop-Ups
I haven’t encountered this nasty problem, but if a system suddenly starts displaying pop-up ads inviting you to browse adult Web sites, the machine likely is infected with a Trojan Horse called W32.DSS.Trojan. The infection source is typically a mail message with an attachment named Open Me. The Trojan Horse inserts a Web page that invites you to visit adult sites in a hidden Microsoft Internet Explorer (IE) window. You can confirm this infection by checking the IE history list--in most cases, the URL http://voyour-cams.xww.de appears in the history list. The Microsoft article "Pop-Up Windows That Contain Advertisements to Adult Web Sites Intermittently Appear on Your Desktop" (http://support.microsoft.com/?kbid=810981) contains instructions about how to stop the Trojan process and how to rid a system of references to the openme.exe file on disk and in the registry.

Windows Installer 2.0 Bug Fix
Microsoft updated Windows Installer to version 2.0 in XP, XP Service Pack 1 (SP1), and Win2K SP3 systems. Version 2 of Windows Installer has a bug that prevents you from installing software from a shared network location, but only when the installer’s .msi file has entries in the IsolatedComponent table. If you distribute software by using a script that invokes the Msiexec command, the installer might fail with Error 1308 when you use a URL to identify the location of the .msi file--for example, when you use the command msiexec /i "http://appserver/outlook/test.msi." The installer responds with an error message stating that it was unable to locate the .msi file and displays a mangled version of the .msi file name that is part URL and part normal. PSS has a new msi.dll file that eliminates this bug. If you update XP and Win2K systems, you need to get the updated msi.dll for both platforms. The XP has a release date of February 20, and the Win2K version has a release date of March 3. When you call, cite the Microsoft article "FIX: Error 1308 When You Install a Program from an Internet Source Location" (http://support.microsoft.com/?kbid=811364) as a reference.

More Win2K Redirector Problems
The Win2K redirector mrxsmb.sys and its partner code rdbss.sys have morphed twice since my discussion of these components in October (To read the article, visit http://www.winnetmag.com/articles/index.cfm?articleid=27037). These two components implement remote access to shared resources. Between them, they create a remote session, perform requested file-system operations (e.g., opening, closing, reading, or writing a file or spooling a print job), and terminate the session when you no longer need the resource. When a system encounters a problem connecting to or accessing a remote resource, you see event-log warning and error messages from mrxsmb.sys. As Table 1 illustrates, when things go wrong, mrxsmb.sys bugs can crash a system eight different ways. If you haven’t reviewed the redirector components for a while, you can add two additional blue screen problems to mrxsmb.sys’s bag of tricks. The November 2002 update eliminates a blue screen with a stop code of 0x0E3 that occurs when the redirector attempts to release a lock it doesn’t own, plus a crash with a stop code of 0xCE that might occur during shutdown. If you don’t have a support contract or you haven’t updated the redirector for months, you might want to download the November update so that it’s available if your systems exhibit any of the known Microsoft Server Message Block (SMB) problems. Microsoft published the updated November versions at the Microsoft Download Center ( http://microsoft.com/downloads/details.aspx?familyid=83e6f78a-b2ed-4ff4-996e-d29fc44d6b43&displaylang=en). The March 2003 release fixes a bug that causes a system to crash with a stop code of 0Xd1, but no details on the cause of this blue screen are available. The March version is available only from PSS. To check the version number of these two files running on your systems, use Windows Explorer to locate both files in the system root; they should appear in two places: %systemroot%dllcache and %systemroot%drivers. The running version is the file that appears in the dllcache folder. Right-click the file, click Properties, then click the Version tab. If the version number is lower than 5.0.2195.6114, you should consider updating these components.

TABLE 1: Known Redirector Problems

Article

Title

Mrxsmb.sys File Release Date

Mrxsmb Version Number

Rdbss.sys File Release Date

Rdbss.sys Version Number

816036

Windows 2000 Crashes with a ‘Stop 0x000000d1’ Error Message

March 3, 2003

5.0.2195.6676

March 3, 2003

5.0.21956676

810038

Stop 0x0E3 Error Occurs When Redirector Thread Tries to Release a Lock

November 5, 2002

5.0.2195.6114

November 5, 2002

5.0.2195.6114

321613

Stop 0x0a Error in nt!ExpBoostOwnerThread() Occurs on a Large Terminal Server Installation

September 23, 2002

5.0.2195.6067

September 23, 2002

5.0.2195.6067

329175

Rdbss.sys May Cause STOP 0xA Error

September 17, 2002

5.0.2195.6062

September 17, 2002

5.0.2195.6062

315819

STOP 0x50 Error Occurs in Mrxsmb.sys When the Digital Dashboard Is Loaded

September 17, 2002

5.0.2195.6060

September 17, 2002

5.0.2195.6060

328776

A "Stop 0x000000C2" Error Occurs When You Try to Close a File on a Network Share

September 4, 2002

5.0.2195.60

August 23, 2002

5.0.2195.60

327643

You Receive a "Stop 0x000000CE" Error Message During Shutdown

August 23, 2002

5.0.2195.6026

August 23, 2002

5.0.2195.6026

327498

Files May Appear to Be Empty with an Older Redirector

August 15, 2002

5.0.2195.6018

August 15, 2002

5.0.2195.6018

325988

A "Stop 50" Error Occurs in the Browser (Mrxsmb.sys)

July 19, 2002

5.0.2195.5955

July 19, 2002

5.0.2195.5955

324224

"Stop 0xc5" Error Message in Windows 2000

July 19, 2002

5.0.2195.5956

July 19, 2002

5.0.2195.5956

322019

Data Loss Occurs When You Copy Files Over the Network Files

May 13, 2002

5.0.2195.5786

May 13, 2002

5.0.2195.5786

321733

A "Delayed Write Failed" Error Message Occurs When You Write a File to a Server

May 8, 2002

5.0.2195.5754

April 4, 2002

5.0.2195.5535

319967

You Cannot Open a File That You Moved to a DFS Share

April 5, 2002

5.0.2195.5535

April 5, 2002

5.0.2195.5535

318789

Redirector Does Not Cache Files When the SPARSE Attribute Is Set

April 4, 2002

5.0.2195.5534

April 4, 2002

5.0.2195.5534

SP3

---

September 22, 2002

5.0.2195.5434

September 22, 2002

5.0.2195.5434

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like