Focus on Microsoft
Re: Compromised WinXP box prob Mar 18 2008 01:22PM
Mike Moratz-Coppins (mike mikeymike org uk)
Thank you for all of your responses. I had decided to go with a new
installation of WinXP unless anyone had any further ideas, which I have
already gone ahead with (customer data backed up already). The clean
install has worked without incident.

There were one or two suggestions about taking the disk out and
virus-scanning it. I did do this already, there were a few extra
infected executables such as lsass.exe (and the files were cleaned not
removed), but the installation still didn't work properly.

A few people suggested system restore - the only way (AFAIK) that this
could be done with things as they were would have been if I had
substituted logonui.exe for the system restore exe, which considering
the limited success I had with registry editor and the command prompt, I
don't think this would have worked (I think the customer/Symantec had
also tried to use system restore without success before the current
situation got as bad as it did). Also, do people here think that system
restore could have handled a situation where the whole CurrentControlSet
key structure was unavailable?

I tried one last thing before going with a clean install, which was a
repair install, however that tripped up on the problem that I couldn't
start the computer in normal mode, it just went straight into safe mode.
Does anyone know why WinXP might automatically go into safe mode even
if normal mode is chosen? I would bet that a lack of CurrentControlSet
key might do it, but I would have thought a repair install would discard
that key structure anyway.

The other thing I would like to know is where the rights and privileges
settings are stored on an XP installation. I snooped around using the
registry editor in the security hive on the ntpasswd boot CD but I don't
have any experience with that hive.

There was a suggestion or two along the lines that it wasn't worth my
time or money and/or that it wasn't in the best interests of the
customer for me to try and troubleshoot the problem any further.
Personally I don't consider myself to be at the pinnacle of knowledge
when it comes to problems like these but I will always give as many of my
ideas a shot as possible, as this and/or customers might benefit from
this investigation. I also think that doing a clean install for
customers is an absolute last resort as that itself can bring
complications, such as the loss of the customer's settings, and the
possible finger-pointing that "the computer doesn't run as well as it
used to since you messed with it", justified or not. Of course it is a
case of picking the right time to close the investigation and to correct
the overall problem the quick way, but I am sure that everyone on this
list used to use an OS reinstall as the answer to their problems more
often than they do now.

--
Mike Moratz-Coppins
mike (at) mikeymike.org (dot) uk
http://www.mikeymike.org.uk/
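Editor's added example, not part of Mike's post or of the thread: a Windows PowerShell script that checks the three things the post asks about against a SYSTEM hive copied off the suspect disk and loaded offline with reg load. It assumes the suspect disk is mounted as D: and the hive has been loaded as HKLM\OfflineSYSTEM; both names, and the rights.inf output file, are assumptions for illustration. It resolves which ControlSet00N the CurrentControlSet link would point to (an offline hive has no CurrentControlSet key at all, only the Select values), looks for the two safe-mode indicators (a /safeboot switch in boot.ini, and the SafeBoot\Option key the kernel writes when it boots in safe mode), and exports the user-rights assignments, which live in the LSA policy database in the SECURITY hive, on a live machine via secedit.

```powershell
# Added example (editor's, not from the original post). Paths and hive name are assumptions:
#   reg load HKLM\OfflineSYSTEM D:\Windows\system32\config\SYSTEM
param(
    [string]$HiveRoot = 'HKLM:\OfflineSYSTEM',  # assumption: offline SYSTEM hive loaded here
    [string]$BootIni  = 'D:\boot.ini'           # assumption: suspect disk mounted as D:
)

function Get-ControlSetInfo([string]$Root) {
    # On a running system CurrentControlSet is a symbolic link to ControlSet00N,
    # where N is the Current value under SYSTEM\Select (0 under Failed means none).
    $select  = Get-ItemProperty -Path "$Root\Select"
    $current = 'ControlSet{0:D3}' -f $select.Current
    "Select\Current       = $current  (what CurrentControlSet would point to)"
    "Select\LastKnownGood = ControlSet{0:D3}" -f $select.LastKnownGood
    "Select\Failed        = ControlSet{0:D3}" -f $select.Failed
    # Does each control set actually exist and carry a Services subtree?
    foreach ($cs in Get-ChildItem -Path $Root | Where-Object { $_.PSChildName -like 'ControlSet0*' }) {
        $services = Get-ChildItem -Path "$Root\$($cs.PSChildName)\Services" -ErrorAction SilentlyContinue
        $mark = if ($cs.PSChildName -eq $current) { '  <- selected' } else { '' }
        "{0}: {1} service keys{2}" -f $cs.PSChildName, @($services).Count, $mark
    }
    return $current
}

function Test-SafeModeIndicators([string]$Root, [string]$Current, [string]$Ini) {
    # A /safeboot:minimal or /safeboot:network switch in boot.ini forces safe mode
    # on XP regardless of what is chosen at the F8 menu.
    if (Test-Path -Path $Ini) {
        $forced = Select-String -Path $Ini -Pattern '/safeboot' -SimpleMatch | Select-Object -First 1
        if ($forced) { "boot.ini forces safe mode: $($forced.Line.Trim())" }
        else         { 'boot.ini carries no /safeboot switch' }
    } else {
        "boot.ini not found at $Ini"
    }
    # Control\SafeBoot\Option\OptionValue (1 = Minimal, 2 = Network) is written by
    # the kernel when it boots in safe mode; Minimal and Network list what may load.
    $opt = Get-ItemProperty -Path "$Root\$Current\Control\SafeBoot\Option" -ErrorAction SilentlyContinue
    if ($opt) { "SafeBoot\Option\OptionValue = $($opt.OptionValue)  (booted in safe mode)" }
    else      { 'No SafeBoot\Option key under the selected control set' }
    foreach ($list in 'Minimal', 'Network') {
        $n = @(Get-ChildItem -Path "$Root\$Current\Control\SafeBoot\$list" -ErrorAction SilentlyContinue).Count
        "SafeBoot\$list lists $n drivers/services"
    }
}

function Export-UserRights([string]$OutFile) {
    # User-rights assignments (SeDebugPrivilege, SeNetworkLogonRight, ...) are kept in
    # the LSA policy database, i.e. the SECURITY hive under HKLM\SECURITY\Policy. Its
    # ACL grants access to SYSTEM only, so regedit shows it empty unless run as SYSTEM.
    # On a live machine secedit dumps them readably; run as an administrator.
    & secedit.exe /export /cfg $OutFile /areas USER_RIGHTS | Out-Null
    # [Privilege Rights] lines look like: SeDebugPrivilege = *S-1-5-32-544
    Select-String -Path $OutFile -Pattern '^Se\w+ = ' | ForEach-Object { $_.Line }
}

$selected = Get-ControlSetInfo -Root $HiveRoot
Test-SafeModeIndicators -Root $HiveRoot -Current $selected -Ini $BootIni
# Uncomment on the rebuilt (live) machine to take a baseline of its rights assignments:
# Export-UserRights -OutFile 'rights.inf'
```

Run it from an elevated prompt after the reg load; unload the hive afterwards with reg unload HKLM\OfflineSYSTEM. Comparing the [Privilege Rights] section exported from the clean build against the same export from another known-good XP machine is the quickest way to spot a tampered rights assignment without having to read the raw SECURITY hive.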

Copyright 2010, SecurityFocus