Terminal Services Client Blue Screen Bug Fix; SMB Signing Hotfix Flaw; Adult Web Site Trojan Horse; and More

Terminal Services Client Blue Screen Bug Fix Do your Windows XP Home Edition, XP Professional Edition, and Windows 2000 Server Terminal Services clients crash with a stop code of 0x7F from win32k.sys? Microsoft attributes this system crash to a stack overflow that occurs when the OS closes a large number of nested windows. Given this description, I expect the Terminal Services client crash occurs when a user opens a large number of windows, either before or during a Terminal Services session. If this bug is causing the problem, after the client reboots and establishes another Terminal Services session, it crashes with the same stop code. Microsoft has released a patch that solves the stack overflow problem. The patch contains updated versions of 14 files with release dates of February 14 through March 4. You can get this update only from Microsoft Product Support Services (PSS); cite Microsoft article "Windows Stops Responding with 'Stop Error 0x7F' Error Message" (http://support.microsoft.com/?kbid=814789) as the reference.

SMB Signing Hotfix Flaw
Microsoft Security Bulletin MS02-070 (Flaw in SMB Signing May Permit Group Policy to Be Modified) introduces a spooler problem that causes Win2K Professional systems to take as long as 1 minute to log off. Microsoft has corrected the problem in a new version of the spooler service, with a file release date of January 28, 2003. If you distributed this Group Policy vulnerability hotfix, you probably need the bug fix for the hotfix. Call PSS and cite the reference article "Unexpected Delay When You Log Off Your Domain" (http://support.microsoft.com/?kbid=814770). According to the documentation, users can work around the problem by restarting the spooler service before they log off. However, if it takes a minute for the spooler service to restart, it doesn't seem like this workaround saves any time.

Adult Web Site Pop-Ups
I haven’t encountered this nasty problem, but if a system suddenly starts displaying pop-up ads inviting you to browse adult Web sites, the machine likely is infected with a Trojan Horse called W32.DSS.Trojan. The infection source is typically a mail message with an attachment named Open Me. The Trojan Horse inserts a Web page that invites you to visit adult sites in a hidden Microsoft Internet Explorer (IE) window. You can confirm this infection by checking the IE history list--in most cases, the URL http://voyour-cams.xww.de appears in the history list. The Microsoft article "Pop-Up Windows That Contain Advertisements to Adult Web Sites Intermittently Appear on Your Desktop" (http://support.microsoft.com/?kbid=810981) contains instructions about how to stop the Trojan process and how to rid a system of references to the openme.exe file on disk and in the registry.

Windows Installer 2.0 Bug Fix
Microsoft updated Windows Installer to version 2.0 in XP, XP Service Pack 1 (SP1), and Win2K SP3 systems. Version 2 of Windows Installer has a bug that prevents you from installing software from a shared network location, but only when the installer’s .msi file has entries in the IsolatedComponent table. If you distribute software by using a script that invokes the Msiexec command, the installer might fail with Error 1308 when you use a URL to identify the location of the .msi file--for example, when you use the command msiexec /i "http://appserver/outlook/test.msi." The installer responds with an error message stating that it was unable to locate the .msi file and displays a mangled version of the .msi file name that is part URL and part normal. PSS has a new msi.dll file that eliminates this bug. If you update XP and Win2K systems, you need to get the updated msi.dll for both platforms. The XP has a release date of February 20, and the Win2K version has a release date of March 3. When you call, cite the Microsoft article "FIX: Error 1308 When You Install a Program from an Internet Source Location" (http://support.microsoft.com/?kbid=811364) as a reference.

More Win2K Redirector Problems
The Win2K redirector mrxsmb.sys and its partner code rdbss.sys have morphed twice since my discussion of these components in October (To read the article, visit http://www.winnetmag.com/articles/index.cfm?articleid=27037). These two components implement remote access to shared resources. Between them, they create a remote session, perform requested file-system operations (e.g., opening, closing, reading, or writing a file or spooling a print job), and terminate the session when you no longer need the resource. When a system encounters a problem connecting to or accessing a remote resource, you see event-log warning and error messages from mrxsmb.sys. As Table 1 illustrates, when things go wrong, mrxsmb.sys bugs can crash a system eight different ways. If you haven’t reviewed the redirector components for a while, you can add two additional blue screen problems to mrxsmb.sys’s bag of tricks. The November 2002 update eliminates a blue screen with a stop code of 0x0E3 that occurs when the redirector attempts to release a lock it doesn’t own, plus a crash with a stop code of 0xCE that might occur during shutdown. If you don’t have a support contract or you haven’t updated the redirector for months, you might want to download the November update so that it’s available if your systems exhibit any of the known Microsoft Server Message Block (SMB) problems. Microsoft published the updated November versions at the Microsoft Download Center ( http://microsoft.com/downloads/details.aspx?familyid=83e6f78a-b2ed-4ff4-996e-d29fc44d6b43&displaylang=en). The March 2003 release fixes a bug that causes a system to crash with a stop code of 0Xd1, but no details on the cause of this blue screen are available. The March version is available only from PSS. To check the version number of these two files running on your systems, use Windows Explorer to locate both files in the system root; they should appear in two places: %systemroot%dllcache and %systemroot%drivers. The running version is the file that appears in the dllcache folder. Right-click the file, click Properties, then click the Version tab. If the version number is lower than 5.0.2195.6114, you should consider updating these components.