[dba-Tech] Not Sure Quite What I'm Dealing With Here - Update 2

Jim Lawrence accessd at shaw.ca
Sat Apr 30 11:54:31 CDT 2011


You do have a real problem there. As a systems support tech, I run into
similar issues all the time and at that point have to decide whether to
actually attempt to resolve the problem or re-image/re-install. (A client is
not going to pay for me to spend 4 to 6 hours fixing a desktop and there is
just no way to do it fast or at least guarantee it fast.)

You have done all the appropriate surface diagnostics but those types of
processes can only go so far. If you do really want to solve the problem and
time is not that important then it's time to start becoming serious and start
hacking.

The first test I would do is check to see whether the kernel has been
hacked. You can just download/run a rootkit scanner. Some of these apps
actually say they can repair the kernel but I tend to be suspicious. In most
cases if your kernel has been compromised it is time to re-install. 
http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm

The second problem is that apps can start in a dozen different places when
Windows boots so the moment you re-boot all the work you may have done is
just written over when some application re-runs in the boot cycle and
replaces all your handiwork. Below is an excellent app for finding various
start points in a system and suggesting whether a start is suspect or not. They
also have a forum dump review service that may suggest solutions. 
http://free.antivirus.com/hijackthis/

The third problem is that Windows uses a system of cascading to find some of
its components for an application. It does not necessarily do direct location
calls. This gives a hacker a chance to stick a fake component further up the
search chain. Finding and fixing this can be real grunt work. You have to
start looking for duplicate files...one may be real, a backup or a hidden
malware component. The app HijackThis may supply you with a start point and
then you have to work down the cascading chain.
http://ask-leo.com/what_is_the_system_file_checker_and_how_do_i_run_it.html

There are a thousand services that will allow you to search a questionable
dll or executable and give you the location in a system where it should be
and the appropriate size. Here is one of many: http://www.file.net

Then there are some really deep bugs. Some malware can actually place itself
on a hard drive and mark its position as a bad track so it can never be
scanned or removed and all it needs is one of its components to access it
directly...not even SpinRite will remove it. You can try some daring
tactics like making a file image of the computer onto a portable hard
drive, doing a full re-format of the drive, installing a fresh copy of
Windows and restoring the file image. It has its risks but it will get most
everything that is hidden in drive tracks and boot sectors.
http://www.runtime.org/driveimage-xml.htm
 
HTH
Jim
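
The "cascading chain" Jim describes in his third point is the DLL search order: a component is loaded from the first directory in the search order that holds a file with that name, so a decoy placed earlier in the chain than the genuine copy is what actually runs. The script below is an added example (not part of Jim's post, nor a tool from any of the sites he links) of the duplicate-file hunt he recommends: it walks an ordered list of directories, records every copy of a given file name with its size and SHA-256, and flags copies that sit before the directory where the file is expected to live. The directory layout, file names and contents it builds under a temporary folder are constructed for the demo; on a real XP system you would feed it the actual application directory, System32, the Windows directory, the current directory and the PATH entries, in that order, and compare the expected copy's size and hash against a reference such as the file.net lookup Jim mentions.

```python
"""Search-order shadow check (added example, not from the mailing-list post).

Lists every copy of a DLL/EXE name along an ordered search path and flags the
copies that would be found before the expected (system) copy.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Hit:
    path: str
    size: int
    sha256: str
    shadows_expected: bool  # True if this copy is searched before the expected one


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadows(search_dirs, name, expected_dir):
    """Return a Hit for each copy of `name`, in search order.

    A copy 'shadows' the expected one when it lives in a directory that is
    searched before `expected_dir`; copies found after it are stale or backup
    duplicates rather than hijack candidates.
    """
    expected_key = os.path.normcase(os.path.abspath(expected_dir))
    hits, expected_seen = [], False
    for d in search_dirs:
        p = os.path.join(d, name)
        if not os.path.isfile(p):
            continue
        is_expected = os.path.normcase(os.path.abspath(d)) == expected_key
        if is_expected:
            expected_seen = True
        hits.append(Hit(p, os.path.getsize(p), sha256_of(p),
                        shadows_expected=not expected_seen and not is_expected))
    return hits


def format_report(hits):
    """One line per copy; the first line is the copy the loader would pick."""
    lines = []
    for i, h in enumerate(hits):
        tag = "SHADOWS EXPECTED COPY" if h.shadows_expected else "ok"
        lines.append(f"{i + 1}. {h.path}  size={h.size}  sha256={h.sha256[:16]}...  {tag}")
    return lines


def build_demo_tree(root):
    """Constructed sample layout (not a real system): the application directory
    holds a decoy copy, System32 holds the expected copy, and the Windows
    directory holds a stale backup that is byte-identical to the expected copy."""
    app = os.path.join(root, "Program Files", "SomeApp")  # hypothetical app dir
    windir = os.path.join(root, "WINDOWS")
    sys32 = os.path.join(windir, "system32")
    for d in (app, sys32, windir):
        os.makedirs(d, exist_ok=True)
    legit = b"MZ genuine helper.dll contents (constructed)"
    for d in (sys32, windir):
        with open(os.path.join(d, "helper.dll"), "wb") as f:
            f.write(legit)
    with open(os.path.join(app, "helper.dll"), "wb") as f:
        f.write(b"MZ decoy that would be loaded first (constructed)")
    # Search order with SafeDllSearchMode on (the XP SP2 default): application
    # directory, System32, the 16-bit System directory, the Windows directory.
    # The current directory and PATH come next on a real system; they are left
    # out of the demo so the result does not depend on where it is run.
    order = [app, sys32, os.path.join(windir, "system"), windir]
    return order, sys32


def demo():
    """Run the check against the constructed tree and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        order, expected = build_demo_tree(root)
        return find_shadows(order, "helper.dll", expected)


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

Two copies with matching hashes but different locations are the usual "real file plus a backup" pair; a copy that appears earlier in the order with a different hash is the one to look up, and cleaning the startup entries without removing that copy leaves it in place for the next boot.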


 
-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Tina Norris
Fields
Sent: Saturday, April 30, 2011 6:56 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Not Sure Quite What I'm Dealing With Here - Update 2

[Continued from Update 1]

Having cleaned out the 54 infected items with MalwareBytes, I went back 
to trying to install Vipre.  Guess what!  Right back to "the Windows 
installer cannot be accessed."

I gave another go to the unregistering and reregistering trick.  No 
joy.  Tried another update - back to the hourglass followed by nothing!

Found some more information on repairing the windows update agent - 
downloaded WindowsUpdateAgent30-x86.exe from 
support.microsot.com/KG/946929, and following instructions, placed it in 
the root, then ran it with the /wuforce switch.  This did not fix the 
problem.  Yes, I rebooted - it did not fix the problem.

Another bit of advice was to use the WinXP CD, and from the command line 
run sfc /scannow - to verify whether all the protected Windows files are 
intact and in their original versions.  Reboot.  Attempt to install 
Vipre - "installer cannot be accessed."

Next, I booted from the WinXP CD and ran the Repair Install.  After 
that, I tried again to go to Windows Update to bring this fresh 
installation of WinXP SP2 up to date, especially to get SP3 installed.  
Failed - hourglass, followed by nothing.  I ran 
WindowsUpdateAgent30-x86.exe /wuforce again - it failed with error 
0x80070020.  However, now I was able to reach the update site, with 
error 0x8.DDD0007 message that I must restart the computer before 
getting any more updates - turn off and install 5 updates.

Next, I did a Windows update search for ServicePack 3 - found and 
downloaded the ISO image file 
xpsp3_5512.080413-2113_usa_x86fre_spcd.iso, with which I created my SP3 
update CD.  I ran the SP3 update.  It did not complete - update.exe 
extended error code = 0xf200.  Received instruction to run dcomcnfg, 
attempting to verify DCOM security - expand Component Services > 
Computers.  When I attempted to expand the Computers folder, the whole 
Component Services window disappeared.  I repeated that effort enough 
times to note that it happened consistently.  I opened Admin Tools in 
the Control Panel, Computer Management - there is no entry for Local 
Users & Groups.

I tried the SP3 update CD again.  This time it said it did the job.

But, Windows Installer is still not accessed, so I still cannot 
re-install Vipre.  Clicking Windows Update link still produces an 
hourglass and nothing more.

Tried the hotfix for WindowsXP-KB942288-V3-x86.exe again, after making 
sure it was unblocked.  Reboot.  Try to install Vipre.  Installer cannot 
be accessed.
Tried the hotfix for WindowsUpdateAgent30-x86.exe /wuforce, after making 
sure it was unblocked.  Install failed with error 0x8007041d.

Going directly to the windows update site, rather than trying to connect 
through the link, I get through the "checking your system for the latest 
software" screen, to the "Express" or "Custom" install screen - where no 
matter which choice I select, I get the message to reset my Internet 
Security options - error 0x800A0046.  I check those settings and they 
are correct - they match exactly what I am instructed to set.  Even if I 
unset them and Apply - and reset them and Apply - with or without IE 
restarts - I get the same message from Windows Update.  The update 
window acknowledges that the computer is set for automatic updates - 
yet, it will not allow me to do any updates.

I've decided to go back to the beginning.  I'm running Spin-Rite on the 
computer right now, at level 4.  Once I get that finished, I'll do 
another Repair Install, followed immediately by an SP3 update, and see 
what I have at that point.  I'll keep you advised.  I'll welcome and 
appreciate any more thoughts you guys have on this. 

Thanks,
T