Tilted Forum Project Discussion Community  

Old 11-11-2005, 04:38 PM   #1 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
Outside of the box thinking?

So I've been assigned to work on an average home desktop running WinXP, a machine that would usually come in as a quick and easy maintenance job. You know, destroy spyware/virii, delete some icons and other bad stuff, etc.

I was told that the machine "locks up when you get to the desktop", and I booted it up, and on all five users accounts, it certainly did. No problem, I thought, I'd just boot up into safe mode, run MSCONFIG, wipe all the nasty crap out and I'd be on my way to my usual domination of icky stuff.

Boy was I wrong. Safe mode cut out the majority of the crap, but whatever the hell was causing the UI (explorer.exe, namely) to spazz was still running. In fact, I was able to use CTRL+ALT+DEL (keep in mind, the start menu doesn't work, icons don't work, keyboard shortcuts except Ctrl+Alt+Del don't work; the UI is completely frozen) to get to MSCONFIG and disable what was surprisingly still running.

Of course, when I rebooted, the crap came back and the UI was locked. I manually deleted them from the registry. They came back. I went as far as killing all of the services. They came back. Keep in mind, I AM using the same user (administrator, which no one is using, I use this so A) I have all access and B) if I f'ck something up, it won't be anything personal at first) every time.

Tis been a while since I found a problem in this genre that really has stumped me. Any outside of the box suggestions? Or am I really gonna just have to sit down and use DOS to scrape off the fungus?
MikeSty is offline  
Old 11-11-2005, 10:54 PM   #2 (permalink)
Adequate
Location: In my angry-dome.
Sounds like something(s) heinous.

You're turning off system restore? If you can't get to it, stop it in the registry:

Code:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
  set DWORD DisableSR to 1

Disable the service:

Code:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
  set DWORD Start to 4
Looking just outside this box of a home, there's a barbecue on the back porch. Does that inspire?
__________________
"There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195
cyrnel is offline  
Old 11-12-2005, 07:29 AM   #3 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
I haven't touched system restore yet. I could, but that would be my last option.
MikeSty is offline  
Old 11-12-2005, 08:06 AM   #4 (permalink)
Adequate
Location: In my angry-dome.
What I got from your description was that you took some corrective actions, fixed some reg entries, but found things unfixed later. I don't know what actions you took but it sounds as if you're being toyed with by an active agent (virus, etc.) or system restore, or both. (Sounds a bit like an evil helper object.)

If system restore is active and it senses an inconsistent state from deletions or whatever, it'll restore files from the last checkpoint. If that checkpoint contains the problem then it'll keep coming back. To get around this turn off system restore, do your things, if the problems come back then something else is involved.

No, system restore won't save the new fixed files in safe mode, but if it decides things are inconsistent it will write over the fixes the next time you boot in normal mode.

What scans have you tried? Hijackthis?

Did you find a barbecue?
cyrnel is offline  
Old 11-12-2005, 08:23 AM   #5 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
No BBQ yet.

I can't scan anything, though, because the UI just doesn't ... work. I suppose I could put HJT or some scan onto a disk and try to load it through DOS, but there was trouble loading norton through DOS as well. Then again, I didn't try all seven hundred Norton .EXE's.

I'll turn off system restore when I get the chance.
MikeSty is offline  
Old 11-12-2005, 08:44 AM   #6 (permalink)
Adequate
Location: In my angry-dome.
I prefer installing a suspect drive as a slave or external on a known system. Tools, speed, and unknown hardware gone. Just don't run anything off the leper drive.

For a simple viral scan try a knoppix boot CD with f-prot. It's easy once you download the iso.
cyrnel is offline  
Old 11-12-2005, 08:57 AM   #7 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
Quote:
Originally Posted by cyrnel
I prefer installing a suspect drive as a slave or external on a known system. Tools, speed, and unknown hardware gone. Just don't run anything off the leper drive.
Right, but then how will I access the registry of the inactive drive?

I was curious if there was any sort of simple virus scan boot CD. I'll make a copy of Knoppix while I'm at it. Any other virus boot utilities? I'll double check, but I don't think UBCD has one.
MikeSty is offline  
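The question in post #7 (how to get at the registry of a drive that is not booted) has a standard answer: the hives are just files under the offline volume's WINDOWS\system32\config, and reg.exe can load them into the clean host's registry under a temporary name. The script below is an added example, not code from the thread or from any of its posters. It applies the two values cyrnel gives in post #2 (SystemRestore\DisableSR and Services\sr\Start) to an offline XP volume and then lists the machine-wide autostart keys for review. It assumes the suspect drive is mounted as E: (a placeholder), that the temporary hive names HKLM\OffSoft and HKLM\OffSys are free, and that it runs from an elevated PowerShell prompt on the known-good machine.

```powershell
# Added example (not from the thread): edit the registry of an OFFLINE Windows XP
# system volume that is attached to a clean host as a second drive.
# Assumption: suspect volume mounted as E: (placeholder); run elevated on the clean host.
$OfflineRoot = 'E:\WINDOWS'                      # assumed mount point of the suspect drive
$Config      = Join-Path $OfflineRoot 'system32\config'

# 1. Load the offline SOFTWARE and SYSTEM hives under temporary names.
#    OffSoft / OffSys are arbitrary; any unused key name under HKLM works.
reg load HKLM\OffSoft (Join-Path $Config 'SOFTWARE') | Out-Null
reg load HKLM\OffSys  (Join-Path $Config 'SYSTEM')   | Out-Null

try {
    # 2. SystemRestore\DisableSR = 1 (the value cyrnel names in post #2), written to the
    #    loaded copy, so the path starts with OffSoft instead of SOFTWARE.
    reg add 'HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\SystemRestore' `
        /v DisableSR /t REG_DWORD /d 1 /f | Out-Null

    # 3. An offline SYSTEM hive has no CurrentControlSet link; that link only exists on a
    #    running system. Resolve the real control set number from the Select key instead.
    $current = (Get-ItemProperty 'HKLM:\OffSys\Select').Current
    $ccs     = 'ControlSet{0:D3}' -f $current
    reg add "HKLM\OffSys\$ccs\Services\sr" /v Start /t REG_DWORD /d 4 /f | Out-Null

    # 4. Read both values back so the change is confirmed before the hives are unloaded.
    reg query 'HKLM\OffSoft\Microsoft\Windows NT\CurrentVersion\SystemRestore' /v DisableSR
    reg query "HKLM\OffSys\$ccs\Services\sr" /v Start

    # 5. List the machine-wide autostart locations that still run in Safe Mode. Compare the
    #    output with the same keys on a known-good XP box; anything unfamiliar is a lead.
    $autostart = @(
        'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\OffSoft\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit
    )
    foreach ($key in $autostart) {
        if (Test-Path $key) {
            "== $key"
            Get-ItemProperty $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
        }
    }
}
finally {
    # 6. Always unload, or the hive files stay locked and the volume cannot be detached
    #    cleanly. Collect first so PowerShell's own handles to the loaded keys are released.
    [gc]::Collect()
    reg unload HKLM\OffSoft | Out-Null
    reg unload HKLM\OffSys  | Out-Null
}
```

Per-user autostart entries live in each profile's NTUSER.DAT (on XP under Documents and Settings\<user>) and can be loaded and inspected the same way. Note what this does and does not do: it stops System Restore from putting a bad checkpoint back and shows what is scheduled to start, but it does not remove anything; the scan and cleanup still happen on the clean host, and the edited values are not applied to the suspect system until it boots from that drive again.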
Old 11-12-2005, 09:13 AM   #8 (permalink)
Adequate
Location: In my angry-dome.
When things are as bad as you describe I'd first scan for anything unnatural. If it passes viral and spyware scans then something is wrong with Windows itself. You may have to do a recovery install, but I wouldn't want to try that if it may be infected. With a user system like you describe I suspect something besides or in addition to Windows problems.

Knoppix & f-prot are a very good boot CD a/v combo.
cyrnel is offline  
Old 11-13-2005, 09:55 AM   #9 (permalink)
Watcher
Location: Ohio
When it's as bad a mess as you're running into I think you have to ask the question: Why haven't I done a re-install yet?

I mean, what's on this box that's so important it can't be lost? I guess it's a safe bet that there's no backups in existence, and no disaster recovery options. Hopefully, you're at least getting paid well to fix this; but, what's worth the bucks on the drives? Can you just recover the files that can't be lost?

It's a simple value judgement, I guess, that each person must make. Is what's on the drive worth all the effort?
__________________
I can sum up the clash of religion in one sentence:
"My Invisible Friend is better than your Invisible Friend."
billege is offline  
Old 11-13-2005, 10:08 AM   #10 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
I am not being paid for this. I should be getting credit for it, but ATM I'm not, that's a long story, but don't worry about that. The thing is, I really only have a max of 1.5 hours daily on it. I'm also doing other menial tasks during that time, such as making CAT5e :/

Reformatting is my last choice because it's not very satisfying. Perhaps a backup and reformat may be the only option in the end, but for the sake of my own education, for the sake of the people who I'm doing this for, and for the sake of good problem-solving, I want to explore other options at first.

It really isn't my judgement call as to how much the stuff on there is worth. With the bizarre state it is in, I can't even begin to analyze things (OK, I could dir around via DOS...). If the person who submitted this for repair begins to show doubt or becomes fussy over it, I'll just say "You have two options - you let me take my time and use a good solution, or we just wipe everything".
MikeSty is offline  
Old 11-13-2005, 12:05 PM   #11 (permalink)
Very Insignificant Pawn
 
Location: Amsterdam, NL
One trick that may work to restore the GUI enough to use it:
Delete or move all very recent files (esp. small ones) in the windows and system(32) dirs.
You could just zip them up together for now.
flat5 is offline  
Old 11-13-2005, 12:15 PM   #12 (permalink)
Lost
Location: One step closer to the padded cell...
Install Problem Drive as a slave to a known good drive with updated AntiVirus. Then scan the slave/problem drive with updated antivirus AND online scans www.trendmicro.com and panda free scan. Then run lavasoft adaware and spysweeper to scan the problem drive. After all of that, take the problem drive and put it back as master, attempt to boot into safe mode and msconfig everything away, reboot and see if that doesn't let you function in windows.
__________________
ERROR- PLBSAK
Problem Lies Between Seat and Keyboard.
tenchi069 is offline  
Old 11-13-2005, 12:24 PM   #13 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
But how well of a job will said scanning do to an INACTIVE partition?

I always use AVG AntiVirus + Trend Micro + occasionally Panda Scan, then Ad Aware + Xoftspy and occasionally Spybot S&D, however
MikeSty is offline  
Old 11-13-2005, 12:27 PM   #14 (permalink)
Adequate
Location: In my angry-dome.
It'll scan everything. Even zips & cabs. That's what I was suggesting with Knoppix or just mounting it as a slave. You might miss something very sneaky but it's more likely you have a bunch of junk from unsafe surfing.
cyrnel is offline  
Old 11-13-2005, 12:29 PM   #15 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
Good point. It'll probably knock out enough that when I put it back as the active drive, I'll be able to owninate the dormant remains.
MikeSty is offline  
Old 11-13-2005, 02:52 PM   #16 (permalink)
Junkie
 
Location: Melbourne, Australia
I had an experience on my 'puter with Explorer hanging (the windows one.. not i-explorer).

Solved the problem by logging as a different user... Running "Autoruns Utility" and removing some entries that appear to be triggered by explorer starting.

I reckon the problem was... explorer had been hacked to run stuff... but I'd deleted those files as part of general cleanup. So explorer would hang, at least for some users.

Look on the net for info on about:blank and smitRem I reckon. These were the issues I was dealing with at the time.
Nimetic is offline  
Old 11-13-2005, 03:14 PM   #17 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
It's toast for all users
MikeSty is offline  
Old 11-14-2005, 06:49 AM   #18 (permalink)
Very Insignificant Pawn
 
Location: Amsterdam, NL
Mike I had your problem recently. I put the drive as slave on another machine. Norton av, Ad-Aware, Spybot, NoAdware found nothing.

Deleted very recent files in the System32 dir.

Reinstalled as master drive and could run the machine.

Here is a thread about it
http://www.tfproject.org/tfp/showthread.php?t=96934
flat5 is offline  
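flat5's trick in posts #11 and #18 (pull the very recent, mostly small, files out of WINDOWS and system32 and keep them in a zip rather than deleting them) is easy to do badly by hand on an offline drive. The script below is an added example, not code from the thread or from flat5. It runs on the clean host against the attached suspect volume, lists the candidates newest first with size and timestamp, records a hash manifest, and moves them to a quarantine folder instead of deleting them, so a legitimate file swept up by mistake can be put back. It assumes the suspect drive is mounted as E: (placeholder), a quarantine path on the clean host, a 14-day window for "very recent" and a 512 KB ceiling for "small" (both tunable), and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the thread): triage recently written files in WINDOWS and
# system32 on an OFFLINE XP volume. Nothing is deleted; files are moved to quarantine.
# Assumptions: suspect volume mounted as E: (placeholder); clean host runs PowerShell 4+.
$OfflineRoot = 'E:\WINDOWS'                     # assumed mount point of the suspect drive
$Quarantine  = 'C:\quarantine\suspect-box'      # on the clean host, off the suspect drive
$Since       = (Get-Date).AddDays(-14)          # "very recent": tune to when symptoms began
$MaxBytes    = 512KB                            # flat5 singles out small files

$dirs = @($OfflineRoot, (Join-Path $OfflineRoot 'system32'))

# 1. Collect recently written files in the two directories. Deliberately not recursive:
#    subfolders such as system32\config hold the registry hives and are left alone here.
#    -Force includes hidden and system files, which is where dropped files usually sit.
$recent = foreach ($d in $dirs) {
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -and $_.Length -le $MaxBytes }
}

# 2. Show the candidates newest first. A cluster of files sharing one timestamp, or a
#    timestamp matching when the lock-ups started, is the usual tell.
$recent | Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, FullName -AutoSize

# 3. Write a manifest (path, size, timestamp, SHA-1) before moving anything, so each
#    file can be identified later and restored if it turns out to be legitimate.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$manifest = Join-Path $Quarantine 'manifest.csv'
$recent | ForEach-Object {
    [pscustomobject]@{
        Original      = $_.FullName
        Bytes         = $_.Length
        LastWriteTime = $_.LastWriteTime.ToString('s')
        SHA1          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
    }
} | Export-Csv -LiteralPath $manifest -NoTypeInformation

# 4. Move, not delete. The original path is folded into the quarantine file name so
#    nothing collides and the manifest is enough to put a file back exactly where it was.
foreach ($f in $recent) {
    $dest = Join-Path $Quarantine ($f.FullName -replace '[:\\]', '_')
    Move-Item -LiteralPath $f.FullName -Destination $dest -Force
}
"Moved $(@($recent).Count) file(s) to $Quarantine; manifest: $manifest"
```

Run the listing step first and read it before letting the move happen; Windows updates and driver installs also write small recent files into system32, and a genuine system file that gets quarantined by mistake is why the manifest exists. Once the drive is back in the original machine, a scan of the quarantine folder on the clean host (never executed, only scanned) tells you what you actually removed.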
Old 11-14-2005, 08:03 AM   #19 (permalink)
The Computer Kid :D
 
Location: 127.0.0.1
Great thinking there, I'll try that.

I'm feeling sick right now so I didn't go in today, but I'll get to it tomorrow.
MikeSty is offline  