11-11-2005, 04:38 PM | #1
The Computer Kid :D
Location: 127.0.0.1
Outside of the box thinking?
So I've been assigned to work on an average home desktop running WinXP, a machine that would usually come in as a quick and easy maintenance job. You know, destroy spyware/virii, delete some icons and other bad stuff, etc.
I was told that the machine "locks up when you get to the desktop", and I booted it up, and on all five user accounts, it certainly did. No problem, I thought, I'd just boot up into safe mode, run MSCONFIG, wipe all the nasty crap out and I'd be on my way to my usual domination of icky stuff. Boy was I wrong. Safe mode cut out the majority of the crap, but whatever the hell was causing the UI (explorer.exe, namely) to spazz was still running. In fact, I was able to use CTRL+ALT+DEL (keep in mind, the start menu doesn't work, icons don't work, keyboard shortcuts except Ctrl+Alt+Del don't work; the UI is completely frozen) to get to MSCONFIG and disable what was surprisingly still running. Of course, when I rebooted, the crap came back and the UI was locked. I manually deleted them from the registry. They came back. I went as far as killing all of the services. They came back. Keep in mind, I AM using the same user (Administrator, which no one is using; I use this so A) I have all access and B) if I f'ck something up, it won't be anything personal at first) every time. 'Tis been a while since I found a problem in this genre that really has stumped me. Any outside-of-the-box suggestions? Or am I really gonna just have to sit down and use DOS to scrape off the fungus?
11-11-2005, 10:54 PM | #2
Adequate
Location: In my angry-dome.
Sounds like something(s) heinous.
You're turning off system restore? If you can't get to it, stop it in the registry:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    set DWORD DisableSR to 1
Disable the service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
    set DWORD Start to 4
__________________
"There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195
11-12-2005, 08:06 AM | #4
Adequate
Location: In my angry-dome.
What I got from your description was that you took some corrective actions, fixed some reg entries, but found things unfixed later. I don't know what actions you took, but it sounds as if you're being toyed with by an active agent (virus, etc.) or system restore, or both. (Sounds a bit like an evil helper object.)
If system restore is active and it senses an inconsistent state from deletions or whatever, it'll restore files from the last checkpoint. If that checkpoint contains the problem, then it'll keep coming back. To get around this, turn off system restore and do your things; if the problems come back, then something else is involved. No, system restore won't save the new fixed files in safe mode, but if it decides things are inconsistent it will write over the fixes the next time you boot in normal mode. What scans have you tried? HijackThis? Did you find a barbecue?
11-12-2005, 08:23 AM | #5
The Computer Kid :D
Location: 127.0.0.1
No BBQ yet.
I can't scan anything, though, because the UI just doesn't ... work. I suppose I could put HJT or some scan onto a disk and try to load it through DOS, but there was trouble loading Norton through DOS as well. Then again, I didn't try all seven hundred Norton .EXEs. I'll turn off system restore when I get the chance.
11-12-2005, 08:44 AM | #6
Adequate
Location: In my angry-dome.
I prefer installing a suspect drive as a slave or external on a known system. Tools, speed, and unknown hardware gone. Just don't run anything off the leper drive.
For a simple viral scan, try a Knoppix boot CD with F-Prot. It's easy once you download the ISO.
11-12-2005, 08:57 AM | #7
The Computer Kid :D
Location: 127.0.0.1
I was curious if there was any sort of simple virus scan boot CD. I'll make a copy of Knoppix while I'm at it. Any other virus boot utilities? I'll double check, but I don't think UBCD has one.
11-12-2005, 09:13 AM | #8
Adequate
Location: In my angry-dome.
When things are as bad as you describe I'd first scan for anything unnatural. If it passes viral and spyware scans then something is wrong with Windows itself. You may have to do a recovery install, but I wouldn't want to try that if it may be infected. With a user system like you describe I suspect something besides or in addition to Windows problems.
Knoppix & F-Prot are a very good boot CD a/v combo.
11-13-2005, 09:55 AM | #9
Watcher
Location: Ohio
When it's as bad a mess as you're running into, I think you have to ask the question: Why haven't I done a re-install yet?
I mean, what's on this box that's so important it can't be lost? I guess it's a safe bet that there are no backups in existence, and no disaster recovery options. Hopefully, you're at least getting paid well to fix this; but what's worth the bucks on the drives? Can you just recover the files that can't be lost? It's a simple value judgement, I guess, that each person must make. Is what's on the drive worth all the effort?
__________________
I can sum up the clash of religion in one sentence: "My Invisible Friend is better than your Invisible Friend."
11-13-2005, 10:08 AM | #10
The Computer Kid :D
Location: 127.0.0.1
I am not being paid for this. I should be getting credit for it, but ATM I'm not; that's a long story, but don't worry about that. The thing is, I really only have a max of 1.5 hours daily on it. I'm also doing other menial tasks during that time, such as making CAT5e :/
Reformatting is my last choice because it's not very satisfying. Perhaps a backup and reformat may be the only option in the end, but for the sake of my own education, for the sake of the people I'm doing this for, and for the sake of good problem-solving, I want to explore other options first. It really isn't my judgement call as to how much the stuff on there is worth. With the bizarre state it is in, I can't even begin to analyze things (OK, I could dir around via DOS...). If the person who submitted this for repair begins to show doubt or becomes fussy over it, I'll just say "You have two options - you let me take my time and use a good solution, or we just wipe everything".
11-13-2005, 12:15 PM | #12
Lost
Location: One step closer to the padded cell...
Install the problem drive as a slave to a known good drive with updated antivirus. Then scan the slave/problem drive with updated antivirus AND online scans (www.trendmicro.com and Panda free scan). Then run Lavasoft Ad-Aware and Spy Sweeper to scan the problem drive. After all of that, take the problem drive and put it back as master, attempt to boot into safe mode and msconfig everything away, reboot and see if that doesn't let you function in Windows.
__________________
ERROR - PLBSAK: Problem Lies Between Seat and Keyboard.
11-13-2005, 12:27 PM | #14
Adequate
Location: In my angry-dome.
It'll scan everything, even zips & cabs. That's what I was suggesting with Knoppix or just mounting it as a slave. You might miss something very sneaky, but it's more likely you have a bunch of junk from unsafe surfing.
11-13-2005, 02:52 PM | #16
Junkie
Location: Melbourne, Australia
I had an experience on my 'puter with Explorer hanging (the Windows one, not Internet Explorer).
Solved the problem by logging in as a different user, running the Autoruns utility and removing some entries that appeared to be triggered by Explorer starting. I reckon the problem was that Explorer had been hacked to run stuff, but I'd deleted those files as part of general cleanup, so Explorer would hang, at least for some users. Look on the net for info on about:blank and smitRem, I reckon. These were the issues I was dealing with at the time.
11-14-2005, 06:49 AM | #18
Very Insignificant Pawn
Location: Amsterdam, NL
Mike, I had your problem recently. I put the drive as slave on another machine. Norton AV, Ad-Aware, Spybot and NoAdware found nothing.
Deleted very recent files in the System32 dir. Reinstalled it as master drive and could run the machine. Here is a thread about it: http://www.tfproject.org/tfp/showthread.php?t=96934
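An added example (my own, not from any poster in this thread) in the spirit of the slaved-drive approach of posts #12 and #18: an offline triage script that walks a mounted System32 directory and lists files modified within the last N days, newest first, with a SHA-256 of each so they can be checked against a scanner rather than deleted by eye. The directory it walks here is a constructed stand-in built in a temp dir; on a real job you would point recent_files at the read-only mount of the suspect drive (nothing on that drive is executed, only read).

```python
"""Offline triage of a mounted suspect drive: list files under System32 modified
recently, newest first, with a SHA-256 of each for checking against a scanner."""
import hashlib
import os
import tempfile
import time


def sha256_of(path):
    """Hash a file in chunks; the file is only read, never executed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_files(root, days=14, now=None):
    """Return (mtime, size, sha256, path) for files under root modified within
    `days`, newest first. Entries that cannot be read are skipped, not fatal."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                if st.st_mtime >= cutoff:
                    found.append((st.st_mtime, st.st_size, sha256_of(full), full))
            except OSError:  # damaged or locked entry on the suspect volume
                continue
    return sorted(found, reverse=True)


def build_sample_tree(base):
    """Constructed stand-in for a slaved drive: one old system file, two fresh ones."""
    sys32 = os.path.join(base, "WINDOWS", "system32")
    os.makedirs(sys32, exist_ok=True)
    now = time.time()
    for name, age_days in (("kernel32.dll", 400), ("xyz123.dll", 1), ("fresh.exe", 0)):
        path = os.path.join(sys32, name)
        with open(path, "wb") as fh:
            fh.write(name.encode())
        os.utime(path, (now - age_days * 86400,) * 2)
    return sys32


def demo(days=14):
    """Run the triage over the constructed tree; returns the flagged file names."""
    with tempfile.TemporaryDirectory() as base:
        hits = recent_files(build_sample_tree(base), days)
        return [os.path.basename(p) for _, _, _, p in hits]
```

A long-standing system file such as the sample kernel32.dll drops out of the 14-day window, while the two fresh files surface at the top of the list with hashes ready for a scanner lookup.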