Outside of the box thinking? - Tilted Forum Project Discussion Community

MikeSty · 11-11-2005, 04:38 PM

So I've been assigned to work on an average home desktop running WinXP, a machine that would usually come in as a quick and easy maitenance job. You know, destroy spyware/virii, delete some icons and other bad stuff, etc.

I was told that the machine "locks up when you get to the desktop", and I booted it up, and on all five users accounts, it certainly did. No problem, I thought, I'd just boot up into safe mode, run MSCONFIG, wipe all the nasty crap out and I'd be on my way to my usual domination of icky stuff.

Boy was I wrong. Safe mode cut out the majority of the crap, but whatever the hell was causing the UI (explorer.exe, namely) to spazz was still running. In fact, I was able to use CTRL+ALT+DEL (keep in mind, start menu doesnt work, icons don't work, keyboard shortcuts except ctrlaltdel dont work. the UI is completely frozen.) to get to MSCONFIG and disable what was surprisingly still running.

Of course, when I rebooted, the crap came back and the UI was locked. I manually deleted them from the registry. They came back. I went as far as killing all of the services. They came back. Keep in mind, I AM using the same user (administrator, which no one is using, I use this so A) I have all access and B) if I f'ck something up, it won't be anything personal at first) every time.

Tis been a while since I found a problem in this genre that really has stumped me. Any outside of the box suggestions? Or am I really gonna just have to sit down and use DOS scrape off the fungus?

cyrnel · 11-11-2005, 10:54 PM

Sounds like something(s) heinous.

You're turning off system restore? If you can't get to it, stop it in the registry:

Code:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\SystemRestore\ set DWORD DisableSR to 1

Disable the service:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr set DWORD Start to 4.

Looking just outside this box of a home, there's a barbecue on the back porch. Does that inspire?

MikeSty · 11-12-2005, 07:29 AM

I haven't touched system restore yet. I could, but that would be my last option.

cyrnel · 11-12-2005, 08:06 AM

What I got from your description was that you took some corrective actions, fixed some reg entries, but found things unfixed later. I don't know what actions you took but it sounds as if you're being toyed with by an active agent (virus, etc.) or system restore, or both. (Sounds a bit like an evil helper object.)

If system restore is active and it senses an inconsistent state from deletions or whatever, it'll restore files from the last checkpoint. If that checkpoint contains the problem then it'll keep coming back. To get around this turn off system restore, do your things, if the problems come back then something else is involved.

No, system restore won't save the new fixed files in safe mode, but if it decides things are inconsistent it will write over the fixes the next time you boot in normal mode.

What scans have you tried? Hijackthis?

Did you find a barbecue?

MikeSty · 11-12-2005, 08:23 AM

No BBQ yet.

I can't scan anything, though, because the UI just doesn't ... work. I suppose I could put HJT or some scan onto a disk and try to load it through DOS, but there was trouble loading norton through DOS as well. Then again, I didn't try all seven hundred Norton .EXE's.

I'll turn off system restore when I get the chance

cyrnel · 11-12-2005, 08:44 AM

I prefer installing a suspect drive as a slave or external on a known system. Tools, speed, and unknown hardware gone. Just don't run anything off the leper drive.

For a simple viral scan try a knoppix boot CD with f-prot. It's easy once you download the iso.

MikeSty · 11-12-2005, 08:57 AM

Quote:

Originally Posted by cyrnel

I prefer installing a suspect drive as a slave or external on a known system. Tools, speed, and unknown hardware gone. Just don't run anything off the leper drive.

Right, but then how will I access the registry of the inactive drive?

I was curious if there was any sort of simple virus scan boot CD. I'll make a copy of Knoppix while I'm at it. Any other virus boot utilities? I'll double check, but I dont think UBCD has one.

cyrnel · 11-12-2005, 09:13 AM

When things are as bad as you describe I'd first scan for anything unnatural. If it passes viral and spyware scans then something is wrong with Windows itself. You may have to do a recovery install, but I wouldn't want to try that if it may be infected. With a user system like you describe I suspect something besides or in addition to Windows problems.

Knoppix & f-prot are a very good boot bootcd a/v combo.

billege · 11-13-2005, 09:55 AM

When it's as bad a mess as you're running into I think you have to ask the question: Why haven't I done a re-install yet?

I mean, what's on this box that's so important it can't be lost? I guess it's a safe bet that there's no backups in existance, and no disaster recovery options. Hopefully, you're at least getting paid well to fix this; but, what's worth the bucks on the drives? Can you just recover the files that can't be lost?

It's a simple value judgement, I guess, that each person must make. Is what's on the drive worth all the effort?

MikeSty · 11-13-2005, 10:08 AM

I am not being paid for this. I should be getting credit for it, but ATM I'm not, that's a long story, but don't worry about that. The thing is, I really only have a max of 1.5 hours daily on it. I'm also doing other menial tasks during that time, such as making CAT5e :/

Reformatting is my last choice because it's not very satisfying. Perhaps a backup and reformat may be the only option in the end, but for the sake of my own education, for the sake of the people who I'm doing this for, and for the sake of good problem-solving, I want to explore other options at first.

It really isn't my judgement call as to how much the stuff on their is worth. With the bizarre state it is in, I can't even begin to analyze things (OK, i could dir around via DOS...). If the person who submitted this for repair begins to show doubt or becomes fussy over it, I'll just say "You have two options - you let me take my time and use a good solution, or we just wipe everything".

flat5 · 11-13-2005, 12:05 PM

One trick that may work to restore the GUI enough to use it:
Delete or move all very recent files (esp. small ones) in the windows and system(32) dirs.
You could just zip them up together for now.

tenchi069 · 11-13-2005, 12:15 PM

Install Problem Drive as a slave to a known good drive with updated AntiVirus. Then scan the slave/problem drive with updated antivirus AND online scans www.trendmicro.com and panda free scan. Then run lavasoft adaware and spysweeper to scan the problem drive. After all of that, take the problem drive and put it back as master, attempt to boot into safe mode and msconfig everything away, reboot and see if that doesnt let you function in windows.

MikeSty · 11-13-2005, 12:24 PM

But how well of a job will said scanning do to an INACTIVE partition?

I always use AVG AntiVirus + Trend Micro + occasionally Panda Scan, then Ad Aware + Xoftspy and occasionally Spybot S&D, however

cyrnel · 11-13-2005, 12:27 PM

It'll scan everything. Even zips & cabs. That's what I was suggesting with Knoppix or just mounting it as a slave. You might miss something very sneaky but it's more likely you have a bunch of junk from unsafe surfing.

MikeSty · 11-13-2005, 12:29 PM

Good point. It'll probably knock out enough that when I put it back as the active drive, I'll be able to owninate the dormant remains.

Nimetic · 11-13-2005, 02:52 PM

I had an experience on my 'puter with Explorer hanging (the windows one.. not i-explorer).

Solved the problem by logging as a different user... Running "Autoruns Utility" and removing some entries that appear to be triggered by explorer starting.

I reckon the problem was... explorer had been hacked to run stuff... but I'd deleted those files as part of general cleanup. So explorer would hang, at least for some users.

Look on the net for info on about:blank and smitRem I reckon. These were the issues I was dealing with at the time.

MikeSty · 11-13-2005, 03:14 PM

It's toast for all users

flat5 · 11-14-2005, 06:49 AM

Mike I had your problem recently. I put the drive as slave on another machine. Norton av, Ad-Aware, Spybot, NoAdware found nothing.

Deleted very recent files in the System32 dir.

Reinstalled as master drive and could run the machine.

Here is a thread about it
http://www.tfproject.org/tfp/showthread.php?t=96934

MikeSty · 11-14-2005, 08:03 AM

Great thinking there

I'll try that.

I'm feeling sick right now so i didn't go in today, but I'll get to it tomorrow.

11-11-2005, 04:38 PM	#1 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	Outside of the box thinking? So I've been assigned to work on an average home desktop running WinXP, a machine that would usually come in as a quick and easy maitenance job. You know, destroy spyware/virii, delete some icons and other bad stuff, etc. I was told that the machine "locks up when you get to the desktop", and I booted it up, and on all five users accounts, it certainly did. No problem, I thought, I'd just boot up into safe mode, run MSCONFIG, wipe all the nasty crap out and I'd be on my way to my usual domination of icky stuff. Boy was I wrong. Safe mode cut out the majority of the crap, but whatever the hell was causing the UI (explorer.exe, namely) to spazz was still running. In fact, I was able to use CTRL+ALT+DEL (keep in mind, start menu doesnt work, icons don't work, keyboard shortcuts except ctrlaltdel dont work. the UI is completely frozen.) to get to MSCONFIG and disable what was surprisingly still running. Of course, when I rebooted, the crap came back and the UI was locked. I manually deleted them from the registry. They came back. I went as far as killing all of the services. They came back. Keep in mind, I AM using the same user (administrator, which no one is using, I use this so A) I have all access and B) if I f'ck something up, it won't be anything personal at first) every time. Tis been a while since I found a problem in this genre that really has stumped me. Any outside of the box suggestions? Or am I really gonna just have to sit down and use DOS scrape off the fungus?

11-11-2005, 10:54 PM	#2 (permalink)
cyrnel Adequate Location: In my angry-dome.	Sounds like something(s) heinous. You're turning off system restore? If you can't get to it, stop it in the registry: Code: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\SystemRestore\ set DWORD DisableSR to 1 Disable the service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr set DWORD Start to 4. Looking just outside this box of a home, there's a barbecue on the back porch. Does that inspire? __________________ There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

11-12-2005, 08:06 AM	#4 (permalink)
cyrnel Adequate Location: In my angry-dome.	What I got from your description was that you took some corrective actions, fixed some reg entries, but found things unfixed later. I don't know what actions you took but it sounds as if you're being toyed with by an active agent (virus, etc.) or system restore, or both. (Sounds a bit like an evil helper object.) If system restore is active and it senses an inconsistent state from deletions or whatever, it'll restore files from the last checkpoint. If that checkpoint contains the problem then it'll keep coming back. To get around this turn off system restore, do your things, if the problems come back then something else is involved. No, system restore won't save the new fixed files in safe mode, but if it decides things are inconsistent it will write over the fixes the next time you boot in normal mode. What scans have you tried? Hijackthis? Did you find a barbecue? __________________ There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

11-12-2005, 08:44 AM	#6 (permalink)
cyrnel Adequate Location: In my angry-dome.	I prefer installing a suspect drive as a slave or external on a known system. Tools, speed, and unknown hardware gone. Just don't run anything off the leper drive. For a simple viral scan try a knoppix boot CD with f-prot. It's easy once you download the iso. __________________ There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

11-12-2005, 09:13 AM	#8 (permalink)
cyrnel Adequate Location: In my angry-dome.	When things are as bad as you describe I'd first scan for anything unnatural. If it passes viral and spyware scans then something is wrong with Windows itself. You may have to do a recovery install, but I wouldn't want to try that if it may be infected. With a user system like you describe I suspect something besides or in addition to Windows problems. Knoppix & f-prot are a very good boot bootcd a/v combo. __________________ There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

11-12-2005, 07:29 AM	#3 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	I haven't touched system restore yet. I could, but that would be my last option.

11-12-2005, 08:23 AM	#5 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	No BBQ yet. I can't scan anything, though, because the UI just doesn't ... work. I suppose I could put HJT or some scan onto a disk and try to load it through DOS, but there was trouble loading norton through DOS as well. Then again, I didn't try all seven hundred Norton .EXE's. I'll turn off system restore when I get the chance

11-13-2005, 09:55 AM	#9 (permalink)
billege Watcher Location: Ohio	When it's as bad a mess as you're running into I think you have to ask the question: Why haven't I done a re-install yet? I mean, what's on this box that's so important it can't be lost? I guess it's a safe bet that there's no backups in existance, and no disaster recovery options. Hopefully, you're at least getting paid well to fix this; but, what's worth the bucks on the drives? Can you just recover the files that can't be lost? It's a simple value judgement, I guess, that each person must make. Is what's on the drive worth all the effort? __________________ I can sum up the clash of religion in one sentence: "My Invisible Friend is better than your Invisible Friend."

11-13-2005, 10:08 AM	#10 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	I am not being paid for this. I should be getting credit for it, but ATM I'm not, that's a long story, but don't worry about that. The thing is, I really only have a max of 1.5 hours daily on it. I'm also doing other menial tasks during that time, such as making CAT5e :/ Reformatting is my last choice because it's not very satisfying. Perhaps a backup and reformat may be the only option in the end, but for the sake of my own education, for the sake of the people who I'm doing this for, and for the sake of good problem-solving, I want to explore other options at first. It really isn't my judgement call as to how much the stuff on their is worth. With the bizarre state it is in, I can't even begin to analyze things (OK, i could dir around via DOS...). If the person who submitted this for repair begins to show doubt or becomes fussy over it, I'll just say "You have two options - you let me take my time and use a good solution, or we just wipe everything".

11-13-2005, 12:05 PM	#11 (permalink)
flat5 Very Insignificant Pawn Location: Amsterdam, NL	One trick that may work to restore the GUI enough to use it: Delete or move all very recent files (esp. small ones) in the windows and system(32) dirs. You could just zip them up together for now.

11-13-2005, 12:15 PM	#12 (permalink)
tenchi069 Lost Location: One step closer to the padded cell...	Install Problem Drive as a slave to a known good drive with updated AntiVirus. Then scan the slave/problem drive with updated antivirus AND online scans www.trendmicro.com and panda free scan. Then run lavasoft adaware and spysweeper to scan the problem drive. After all of that, take the problem drive and put it back as master, attempt to boot into safe mode and msconfig everything away, reboot and see if that doesnt let you function in windows. __________________ ERROR- PLBSAK Problem Lies Between Seat and Keyboard.

11-13-2005, 12:24 PM	#13 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	But how well of a job will said scanning do to an INACTIVE partition? I always use AVG AntiVirus + Trend Micro + occasionally Panda Scan, then Ad Aware + Xoftspy and occasionally Spybot S&D, however

11-13-2005, 12:27 PM	#14 (permalink)
cyrnel Adequate Location: In my angry-dome.	It'll scan everything. Even zips & cabs. That's what I was suggesting with Knoppix or just mounting it as a slave. You might miss something very sneaky but it's more likely you have a bunch of junk from unsafe surfing. __________________ There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195

11-13-2005, 12:29 PM	#15 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	Good point. It'll probably knock out enough that when I put it back as the active drive, I'll be able to owninate the dormant remains.

11-13-2005, 02:52 PM	#16 (permalink)
Nimetic Junkie Location: Melbourne, Australia	I had an experience on my 'puter with Explorer hanging (the windows one.. not i-explorer). Solved the problem by logging as a different user... Running "Autoruns Utility" and removing some entries that appear to be triggered by explorer starting. I reckon the problem was... explorer had been hacked to run stuff... but I'd deleted those files as part of general cleanup. So explorer would hang, at least for some users. Look on the net for info on about:blank and smitRem I reckon. These were the issues I was dealing with at the time.

11-13-2005, 03:14 PM	#17 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	It's toast for all users

11-14-2005, 06:49 AM	#18 (permalink)
flat5 Very Insignificant Pawn Location: Amsterdam, NL	Mike I had your problem recently. I put the drive as slave on another machine. Norton av, Ad-Aware, Spybot, NoAdware found nothing. Deleted very recent files in the System32 dir. Reinstalled as master drive and could run the machine. Here is a thread about it http://www.tfproject.org/tfp/showthread.php?t=96934

11-14-2005, 08:03 AM	#19 (permalink)
MikeSty The Computer Kid :D Location: 127.0.0.1	Great thinking there I'll try that. I'm feeling sick right now so i didn't go in today, but I'll get to it tomorrow.