Focus on Microsoft
Re: Compromised WinXP box prob Mar 18 2008 01:22PM
Mike Moratz-Coppins (mike mikeymike org uk) (3 replies)
Re: Compromised WinXP box prob Mar 18 2008 08:36PM
Kurt Buff (kurt buff gmail com)
Google for BartPE, and Ultimate Boot CD for Windows - you'll find good
stuff there.

On Tue, Mar 18, 2008 at 6:22 AM, Mike Moratz-Coppins
<mike (at) (dot) uk [email concealed]> wrote:
> Thank you for all of your responses. I had decided to go with a new
> installation of WinXP unless anyone had any further ideas, which I have
> already gone ahead with (customer data backed up already). The clean
> install has worked without incident.
> There were one or two suggestions about taking the disk out and
> virus-scanning it. I did do this already, there were a few extra
> infected executables such as lsass.exe (and the files were cleaned not
> removed), but the installation still didn't work properly.
> A few people suggested system restore - the only way (AFAIK) that this
> could be done with things as they were would have been if I had
> substituted logonui.exe for the system restore exe, which considering
> the limited success I had with registry editor and the command prompt, I
> don't think this would have worked (I think the customer/Symantec had
> also tried to use system restore without success before the current
> situation got as bad as it did). Also, do people here think that system
> restore could have handled a situation where the whole CurrentControlSet
> key structure was unavailable?
> I tried one last thing before going with a clean install, which was a
> repair install, however that tripped up on the problem that I couldn't
> start the computer in normal mode, it just went straight into safe mode.
> Does anyone know why WinXP might automatically go into safe mode even
> if normal mode is chosen? I would bet that a lack of CurrentControlSet
> key might do it, but I would have thought a repair install would discard
> that key structure anyway.
> The other thing I would like to know is where the rights and privileges
> settings are stored on an XP installation. I snooped around using the
> registry editor in the security hive on the ntpasswd boot CD but I don't
> have any experience with that hive.
> There was a suggestion or two along the lines of that it wasn't worth my
> time or money and/or that it wasn't in the best interests of the
> customer for me to try and troubleshoot the problem any further.
> Personally I don't consider myself to be at the pinnacle of knowledge
> when it comes to problems like these but I will always give as many of my
> ideas a shot as possible, as this and/or customers might benefit from
> this investigation. I also think that doing a clean install for
> customers is an absolute last resort as that itself can bring
> complications, such as the loss of the customer's settings, and the
> possible finger-pointing that "the computer doesn't run as well as it
> used to since you messed with it", justified or not. Of course it is a
> case of picking the right time to close the investigation and to correct
> the overall problem the quick way, but I am sure that everyone on this
> list used to use an OS reinstall as the answer to their problems more
> often than they do now.
> --
> Mike Moratz-Coppins
> mike (at) (dot) uk [email concealed]

Copyright 2010, SecurityFocus