Re: Compromised WinXP box prob



Thank you for all of your responses. I had decided to go with a new installation of WinXP unless anyone had any further ideas, which I have already gone ahead with (customer data backed up already). The clean install has worked without incident.

There were one or two suggestions about taking the disk out and virus-scanning it. I did do this already; there were a few extra infected executables, such as lsass.exe (the files were cleaned, not removed), but the installation still didn't work properly.

A few people suggested system restore - the only way (AFAIK) that this could be done with things as they were would have been if I had substituted logonui.exe for the system restore exe, which, considering the limited success I had with the registry editor and the command prompt, I don't think would have worked (I think the customer/Symantec had also tried to use system restore without success before the current situation got as bad as it did). Also, do people here think that system restore could have handled a situation where the whole CurrentControlSet key structure was unavailable?

I tried one last thing before going with a clean install, which was a repair install; however, that tripped up on the problem that I couldn't start the computer in normal mode, it just went straight into safe mode. Does anyone know why WinXP might automatically go into safe mode even if normal mode is chosen? I would bet that a lack of the CurrentControlSet key might do it, but I would have thought a repair install would discard that key structure anyway.

The other thing I would like to know is where the rights and privileges settings are stored on an XP installation. I snooped around using the registry editor in the security hive on the ntpasswd boot CD but I don't have any experience with that hive.

There was a suggestion or two along the lines that it wasn't worth my time or money and/or that it wasn't in the best interests of the customer for me to try and troubleshoot the problem any further. Personally I don't consider myself to be at the pinnacle of knowledge when it comes to problems like these, but I will always give as many of my ideas a shot as possible, as this and/or customers might benefit from this investigation. I also think that doing a clean install for customers is an absolute last resort, as that itself can bring complications, such as the loss of the customer's settings and the possible finger-pointing that "the computer doesn't run as well as it used to since you messed with it", justified or not. Of course it is a case of picking the right time to close the investigation and to correct the overall problem the quick way, but I am sure that everyone on this list used to use an OS reinstall as the answer to their problems more often than they do now.




--
Mike Moratz-Coppins
mike@xxxxxxxxxxxxxxxx
http://www.mikeymike.org.uk/
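The post speculates that a missing CurrentControlSet structure was behind the boot problems. CurrentControlSet is not stored as its own key in the SYSTEM hive; it is resolved at boot from the numeric values under HKLM\SYSTEM\Select (Current, Default, LastKnownGood, Failed), each of which names a ControlSet00N subkey. The script below is an added example, not part of the original post or the thread, that reads those values and checks whether the control sets they point at are actually present and carry their Control and Services subkeys. It assumes a PowerShell-capable machine and either a live SYSTEM hive at HKLM:\SYSTEM or an offline hive from the affected disk mounted with reg load (the HKLM\OfflineSYSTEM name used below is an assumed placeholder).

```powershell
# Added example (not from the original post): resolve which ControlSet00N the
# SYSTEM hive's Select key points at, and check that each one really exists.
#
# Usage on a live system:     .\Check-ControlSets.ps1
# Usage against an offline disk (hive name is an assumed placeholder):
#     reg load HKLM\OfflineSYSTEM D:\WINDOWS\system32\config\system
#     .\Check-ControlSets.ps1 -HiveRoot 'HKLM:\OfflineSYSTEM'
#     reg unload HKLM\OfflineSYSTEM
param(
    [string]$HiveRoot = 'HKLM:\SYSTEM'
)

$selectPath = Join-Path $HiveRoot 'Select'
if (-not (Test-Path $selectPath)) {
    throw "No Select key under $HiveRoot - is this really a SYSTEM hive?"
}
$select = Get-ItemProperty -Path $selectPath

foreach ($name in 'Current', 'Default', 'LastKnownGood', 'Failed') {
    $n = $select.$name
    if ($null -eq $n) {
        '{0,-14} -> (value missing from Select)' -f $name
        continue
    }
    if ($n -eq 0) {
        # 0 means "none" (normal for Failed on a healthy machine)
        '{0,-14} -> none' -f $name
        continue
    }
    $cs = Join-Path $HiveRoot ('ControlSet{0:D3}' -f $n)
    $exists      = Test-Path $cs
    $hasControl  = $exists -and (Test-Path (Join-Path $cs 'Control'))
    $hasServices = $exists -and (Test-Path (Join-Path $cs 'Services'))
    '{0,-14} -> ControlSet{1:D3}  exists={2}  Control={3}  Services={4}' -f `
        $name, $n, $exists, $hasControl, $hasServices
}
```

If Current points at a ControlSet00N that does not exist, or one that lacks Control or Services, the CurrentControlSet link the kernel builds at boot has nothing to attach to, which matches the "whole CurrentControlSet key structure unavailable" symptom described above; a LastKnownGood entry that does resolve is the control set a Last Known Good boot would have fallen back to.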


