[dba-Tech] Not Sure Quite What I'm Dealing With Here - Update 2

Tina Norris Fields tinanfields at torchlake.com
Sat Apr 30 16:40:53 CDT 2011


Fascinating information, Jim.  I am going to download a rootkit scanner, 
for sure, and add that trick to my "tool box."  Thank you for all the 
guidance.  It's my kids and grandkids' computer.  Time doesn't matter.  
I'll let you all know what more I find out before I simply reinstall 
Windows.

T

Jim Lawrence wrote:
> You do have a real problem there. As a systems support tech, I run into
> similar issues all the time and at that point have to decide whether to
> actually attempt to resolve the problem or re-image/re-install. (A client is
> not going to pay for me to spend 4 to 6 hours fixing a desktop and there is
> just no way to do it fast or at least guarantee it fast.)
>
> You have done all the appropriate surface diagnostics but those types of
> processes can only go so far. If you do really want to solve the problem and
> time is not that important then it's time to start becoming serious and start
> hacking.
>
> The first test I would do is check to see whether the kernel has been
> hacked. You can just download/run a rootkit scanner. Some of these apps
> actually say they can repair the kernel but I tend to be suspicious. In most
> cases if your kernel has been compromised it is time to re-install. 
> http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm
>
> The second problem is that apps can start in a dozen different places when
> Windows boots so the moment you re-boot all the work you may have done is
> just written over when some application re-runs in the boot cycle and
> replaces all your handiwork. Below is an excellent app for finding various
> start points in a system and suggesting whether a start is suspect or not. They
> also have a forum dump review service that may suggest solutions. 
> http://free.antivirus.com/hijackthis/
>
> The third problem is that Windows uses a system of cascading to find some of
> its components for an application. It does not necessarily do direct location
> calls. This gives a hacker a chance to stick a fake component further up the
> search chain. Finding and fixing this can be real grunt work. You have to
> start looking for duplicate files...one may be real, a backup or a hidden
> malware component. The app HijackThis may supply you with a start point and
> then you have to work down the cascading chain.
> http://ask-leo.com/what_is_the_system_file_checker_and_how_do_i_run_it.html
>
> There are a thousand services that will allow you to search a questionable
> dll or executable and give you the location in a system where it should be
> and the appropriate size. Here is one of many: http://www.file.net
>
> Then there are some really deep bugs. Some malware can actually place itself
> on a hard drive and mark its position as a bad track so it can never be
> scanned or removed and all it needs is one of its components to access it
> directly...not even SpinRite will remove it. You can try some daring
> tactics like making a file image of the computer on to a portable hard
> drive, doing a full re-format of the drive, installing a fresh copy of
> Windows and restoring the file image. It has its risks but it will get most
> everything that is hidden in drive tracks and boot sectors.
> http://www.runtime.org/driveimage-xml.htm
>  
> HTH
> Jim
>
>
>  
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Tina Norris
> Fields
> Sent: Saturday, April 30, 2011 6:56 AM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] Not Sure Quite What I'm Dealing With Here - Update 2
>
> [Continued from Update 1]
>
> Having cleaned out the 54 infected items with MalwareBytes, I went back 
> to trying to install Vipre.  Guess what!  Right back to "the Windows 
> installer cannot be accessed."
>
> I gave another go to the unregistering and reregistering trick.  No 
> joy.  Tried another update - back to the hourglass followed by nothing!
>
> Found some more information on repairing the windows update agent - 
> downloaded WindowsUpdateAgent30-x86.exe from 
> support.microsot.com/KG/946929, and following instructions, placed it in 
> the root, then ran it with the /wuforce switch.  This did not fix the 
> problem.  Yes, I rebooted - it did not fix the problem.
>
> Another bit of advice was to use the WinXP CD, and from the command line 
> run sfc /scannow - to verify whether all the protected Windows files are 
> intact and in their original versions.  Reboot.  Attempt to install 
> Vipre - "installer cannot be accessed."
>
> Next, I booted from the WinXP CD and ran the Repair Install.  After 
> that, I tried again to go to Windows Update to bring this fresh 
> installation of WinXP SP2 up to date, especially to get SP3 installed.  
> Failed - hourglass, followed by nothing.  I ran 
> WindowsUpdateAgent30-x86.exe /wuforce again - it failed with error 
> 0x80070020.  However, now I was able to reach the update site, with 
> error 0x8.DDD0007 message that I must restart the computer before 
> getting any more updates - turn off and install 5 updates.
>
> Next, I did a Windows update search for Service Pack 3 - found and 
> downloaded the ISO image file 
> xpsp3_5512.080413-2113_usa_x86fre_spcd.iso, with which I created my SP3 
> update CD.  I ran the SP3 update.  It did not complete - update.exe 
> extended error code = 0xf200.  Received instruction to run dcomcnfg, 
> attempting to verify DCOM security - expand Component Services > 
> Computers.  When I attempted to expand the Computers folder, the whole 
> Component Services window disappeared.  I repeated that effort enough 
> times to note that it happened consistently.  I opened Admin Tools in 
> the Control Panel, Computer Management - there is no entry for Local 
> Users & Groups.
>
> I tried the SP3 update CD again.  This time it said it did the job.
>
> But, Windows Installer is still not accessed, so I still cannot 
> re-install Vipre.  Clicking the Windows Update link still produces an 
> hourglass and nothing more.
>
> Tried the hotfix for WindowsXP-KB942288-V3-x86.exe again, after making 
> sure it was unblocked.  Reboot.  Try to install Vipre.  Installer cannot 
> be accessed.
> Tried the hotfix for WindowsUpdateAgent30-x86.exe /wuforce, after making 
> sure it was unblocked.  Install failed with error 0x8007041d.
>
> Going directly to the Windows Update site, rather than trying to connect 
> through the link, I get through the "checking your system for the latest 
> software" screen, to the "Express" or "Custom" install screen - where no 
> matter which choice I select, I get the message to reset my Internet 
> Security options - error 0x800A0046.  I check those settings and they 
> are correct - they match exactly what I am instructed to set.  Even if I 
> unset them and Apply - and reset them and Apply - with or without IE 
> restarts - I get the same message from Windows Update.  The update 
> window acknowledges that the computer is set for automatic updates - 
> yet, it will not allow me to do any updates.
>
> I've decided to go back to the beginning.  I'm running Spin-Rite on the 
> computer right now, at level 4.  Once I get that finished, I'll do 
> another Repair Install, followed immediately by an SP3 update, and see 
> what I have at that point.  I'll keep you advised.  I'll welcome and 
> appreciate any more thoughts you guys have on this. 
>
> Thanks,
> T
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>
>   
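Jim's third point (Windows walks a chain of directories to find a component, so a planted copy earlier in the chain shadows the real one) can be checked mechanically. The script below is an added example, not code from the thread or from any tool it mentions: it walks an assumed two-directory search order, reports every DLL name present in more than one directory with its size and SHA-256 (the values you would compare against a reference service like file.net), and flags only those where the copy that wins differs from the copy in the system directory, so an identical backup is not flagged. The directory tree is constructed in a temp folder so it runs offline.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_dlls(search_dirs):
    """Map DLL name -> [(dir, size, sha256), ...] for names found in more
    than one directory, listed in search order (the first copy is loaded)."""
    seen = defaultdict(list)
    for d in search_dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            if entry.lower().endswith(".dll"):
                p = os.path.join(d, entry)
                seen[entry.lower()].append((d, os.path.getsize(p), sha256_of(p)))
    return {n: c for n, c in seen.items() if len(c) > 1}


def suspicious_entries(shadowed):
    """Names whose winning copy differs from the last copy in the chain (the
    system directory); identical duplicates such as backups are not flagged."""
    return sorted(n for n, c in shadowed.items() if c[0][2] != c[-1][2])


def build_demo_tree():
    """Constructed sample tree (not a real system): system32 holds the real
    files; the app directory, searched first, shadows one with different bytes
    and one with an identical backup copy."""
    root = tempfile.mkdtemp()
    app, sysdir = os.path.join(root, "app"), os.path.join(root, "system32")
    os.makedirs(app)
    os.makedirs(sysdir)
    samples = {(sysdir, "example.dll"): b"real component",
               (app, "example.dll"): b"planted copy",
               (sysdir, "backup.dll"): b"same bytes",
               (app, "backup.dll"): b"same bytes"}
    for (d, name), data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return [app, sysdir]  # assumed search order: app dir before system dir
```

On a real machine you would pass the application directory, the system directory, the Windows directory, the current directory and each PATH entry in that order and then look up the flagged names and their reference size on file.net.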
