Focus on Microsoft
Re: Compromised WinXP box prob Mar 18 2008 01:22PM
Mike Moratz-Coppins (mike mikeymike org uk) (3 replies)
Re: Compromised WinXP box prob Mar 19 2008 08:36PM
Geekwench (geekwench hotmail com) (1 replies)
RE: Compromised WinXP box prob Mar 19 2008 10:36PM
Mark Brunner (mark_brunner hotmail com)
Re: Compromised WinXP box prob Mar 18 2008 08:36PM
Kurt Buff (kurt buff gmail com)
RE: Compromised WinXP box prob Mar 18 2008 05:44PM
Devin Ganger (DevinG 3sharp com)
Actually, I've found that I'm much more likely to go for a system reinstallation in the case of weird problems. I've had far too many cases where I'd sink tens of hours into trying to fix things that had gotten messed up and get it to where it seemed like I'd done it, only to have a host of little minor things that never worked quite right from then on that I eventually traced back to consequences of that repair attempt. (I'm one of those guys who kept the same desktop installation of Windows 2000 Pro running for four years, across two motherboard upgrades, including the switch from SCSI boot disk to IDE boot disk.)

It's one thing to make that decision for myself, but another thing to put that kind of time investment in for customers. They generally don't care about you furthering your knowledge, and definitely aren't paying for you to do so on their time; they want their computer and data back running. Every customer has a different tolerance for what they'll put up with; the trick is figuring it out.

For the record, I never had anyone whose computer I worked on tell me that things didn't work right after a reinstall. In fact, since I have a policy of removing Norton, Symantec, and McAfee whenever I see them, I usually hear just the opposite -- that the computer has never worked as well as it is now!

Devin L. Ganger, Exchange MVP
3Sharp
14700 NE 95th Suite 210
Redmond, WA 98052
Email: deving (at) 3sharp (dot) com
Phone: 425.882.1032
Cell: 425.239.2575
Fax: 425.558.5710
(e)Mail Insecurity:

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Mike Moratz-Coppins
> Sent: Tuesday, March 18, 2008 6:22 AM
> To: focus-ms (at) securityfocus (dot) com
> Subject: Re: Compromised WinXP box prob
>
> Thank you for all of your responses. I had decided to go with a new installation of WinXP unless anyone had any further ideas, which I have already gone ahead with (customer data backed up already). The clean install has worked without incident.
>
> There were one or two suggestions about taking the disk out and virus-scanning it. I did do this already; there were a few extra infected executables such as lsass.exe (and the files were cleaned, not removed), but the installation still didn't work properly.
>
> A few people suggested system restore. The only way (AFAIK) that this could be done with things as they were would have been if I had substituted logonui.exe for the system restore exe, which, considering the limited success I had with registry editor and the command prompt, I don't think would have worked (I think the customer/Symantec had also tried to use system restore without success before the current situation got as bad as it did). Also, do people here think that system restore could have handled a situation where the whole CurrentControlSet key structure was unavailable?
>
> I tried one last thing before going with a clean install, which was a repair install; however, that tripped up on the problem that I couldn't start the computer in normal mode, it just went straight into safe mode. Does anyone know why WinXP might automatically go into safe mode even if normal mode is chosen? I would bet that a lack of CurrentControlSet key might do it, but I would have thought a repair install would discard that key structure anyway.
>
> The other thing I would like to know is where the rights and privileges settings are stored on an XP installation. I snooped around using the registry editor in the security hive on the ntpasswd boot CD but I don't have any experience with that hive.
>
> There was a suggestion or two along the lines that it wasn't worth my time or money and/or that it wasn't in the best interests of the customer for me to try and troubleshoot the problem any further. Personally I don't consider myself to be at the pinnacle of knowledge when it comes to problems like these, but I will always give as many of my ideas a shot as possible, as this and/or customers might benefit from this investigation. I also think that doing a clean install for customers is an absolute last resort, as that itself can bring complications, such as the loss of the customer's settings and the possible finger-pointing that "the computer doesn't run as well as it used to since you messed with it", justified or not. Of course it is a case of picking the right time to close the investigation and to correct the overall problem the quick way, but I am sure that everyone on this list used to use an OS reinstall as the answer to their problems more often than they do now.
>
> --
> Mike Moratz-Coppins
> mike (at) (dot) uk
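The quoted message asks three concrete things: whether the CurrentControlSet structure is intact, why a machine would keep landing in safe mode, and where XP keeps rights and privilege assignments. The script below is an added example written for this archive page, not code from either poster. It assumes an elevated PowerShell session on a booted Windows machine (the offline ntpasswd case is out of scope), and it treats the registry and `secedit` the way a responder would when triaging a box before deciding between repair and rebuild: read-only checks, nothing is modified. Key and value names used here (`HKLM\SYSTEM\Select`, `ControlSet00N`, `SafeBoot\Option\OptionValue`, the `[Privilege Rights]` section of a `secedit` export) are standard Windows locations; the privilege names in the final filter are a constructed watch list.

```powershell
# Added example (not from the thread): read-only triage of the registry
# structures discussed above plus an export of user-rights assignments.
# Assumes an elevated PowerShell session on a booted Windows system.

function Get-ControlSetStatus {
    # HKLM\SYSTEM\Select records which ControlSet00N each role points to;
    # CurrentControlSet is a link to the set named by 'Current'.
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    foreach ($role in 'Current', 'Default', 'LastKnownGood', 'Failed') {
        $index = [int]$select.$role
        $path  = 'HKLM:\SYSTEM\ControlSet{0:D3}' -f $index
        [pscustomobject]@{
            Role   = $role
            Index  = $index
            Path   = $path
            Exists = ($index -ne 0) -and (Test-Path -Path $path)
        }
    }
}

function Test-CurrentControlSet {
    # Missing Control/Services/Enum under CurrentControlSet is the
    # "whole key structure unavailable" state the thread describes.
    $missing = foreach ($sub in 'Control', 'Services', 'Enum') {
        $p = "HKLM:\SYSTEM\CurrentControlSet\$sub"
        if (-not (Test-Path -Path $p)) { $p }
    }
    [pscustomobject]@{ Healthy = (-not $missing); Missing = @($missing) }
}

function Get-SafeBootState {
    # SafeBoot\Option\OptionValue exists only while booted in safe mode
    # (1 = minimal, 2 = with networking). On XP a /safeboot switch in
    # boot.ini forces safe mode on every start regardless of the menu choice.
    $opt = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' `
                            -ErrorAction SilentlyContinue
    $ini = Join-Path $env:SystemDrive 'boot.ini'
    $forced = (Test-Path -Path $ini) -and ((Get-Content -Path $ini) -match '/safeboot')
    [pscustomobject]@{
        BootedInSafeMode = [bool]$opt
        OptionValue      = if ($opt) { $opt.OptionValue } else { $null }
        ForcedByBootIni  = [bool]$forced
    }
}

function Get-UserRightsAssignment {
    # Rights and privileges are LSA policy kept in the SECURITY hive, which only
    # SYSTEM can read directly; secedit exports them as an INI file whose
    # [Privilege Rights] section maps each SePrivilege to SIDs/accounts.
    $tmp = Join-Path $env:TEMP 'rights-export.inf'   # constructed temp path
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    $inSection = $false
    foreach ($line in Get-Content -Path $tmp) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            [pscustomobject]@{
                Privilege  = $Matches[1]
                Principals = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
            }
        }
    }
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

Get-ControlSetStatus | Format-Table -AutoSize
Test-CurrentControlSet
Get-SafeBootState

# Constructed watch list: privileges that should normally be held only by
# Administrators (*S-1-5-32-544); anything else granted here deserves a look.
$watch = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege', 'SeTakeOwnershipPrivilege'
Get-UserRightsAssignment |
    Where-Object { $watch -contains $_.Privilege } |
    Format-Table -AutoSize
```

If `Get-ControlSetStatus` reports that the `Current` set does not exist, or `Test-CurrentControlSet` lists missing subtrees, the hive is structurally damaged rather than merely infected, and that is the point at which the reinstall argument made in the reply above becomes the safer call. `secedit` writes its export as UTF-16 with a byte-order mark, which `Get-Content` handles without extra parameters.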

Copyright 2010, SecurityFocus