OT: Windows Disaster Time

Can't you simply get a good copy of explorer.exe and write it over the damaged copy?

Graham

Reply to
Pooh Bear

From Safe mode you can selectively turn off services and other drivers that load during the boot phase. Possibly remove the software you wanted to.

Reply to
Martin Riddle

load during the boot phase.

Oh, run 'cmd' and then run a chkdsk /f. See if your disk is corrupt.

Martin

Reply to
Martin Riddle

On Thu, 21 Jul 2005 14:45:37 -0700, Jim Thompson Gave us:

Probably a viral attack. Got Norton? Likely a corrupted registry as well, so even re-installing or repairing windows will yield problems.

You could always load Linux. (not a smart-ass remark, more so an intelligent suggestion) Download and boot the ultimate Linux machine repair tool known as Knoppix! It doesn't write to any of your hard drives, and allows access to them after it is up and running. If you know exactly what files comprise your registry, you could back them up, re-load windows, then reload the old registry to see if the problem returns. If not, then you'd have all your installed programs back.

Hard drives are dirt cheap, dude. Get a cheap drive, make it your number 2 drive, and load Suse Linux (a Novell product) onto the second drive. You'll likely be using the OS more and more as you discover things that it will do that windows won't as well as things windows does that it does just as well. The big difference... The price.

Reply to
NunYa Bidness

If you can get to the Internet you might want to run the free version of Spybot Search and Destroy. A hijacked search icon is one symptom I've heard of for Spyware/Malware. And Norton's not so good about picking that kind of thing up. If you can, run it more than once.


The $30 version of Pest Patrol is supposed to be pretty good as well.


Robert

Reply to
Robert

Thanks! I'll try that.

...Jim Thompson

--
|  James E.Thompson, P.E.                           |    mens     |
|  Analog Innovations, Inc.                         |     et      |
|  Analog/Mixed-Signal ASIC's and Discrete Systems  |    manus    |
|  Phoenix, Arizona            Voice:(480)460-2350  |             |
|  E-mail Address at Website     Fax:(480)460-2142  |  Brass Rat  |
|       http://www.analog-innovations.com           |    1962     |
             
I love to cook with wine.      Sometimes I even put it in the food.
Reply to
Jim Thompson

Tell me if I'm inferring the wrong thing here, but you take the fact that 70% of webmasters are running Apache means that they think IIS is insecure or fragile!?

I'd say it reflects the fact that IIS is free whereas Apache isn't, and there are a lot of people out there running low-end web servers where saving the price of Windows Server 2003 (far from free) and IIS is more important than getting the fastest, most secure web server out there.

OK, ok, I don't REALLY know that IIS is inherently more secure than Apache, but I know there are enough ultra-high volume web sites out there using IIS that, in general, IIS is secure. And again, keep in mind that IIS is a much more alluring target than Apache -- the warped motivation of being able to "get back at THE MAN" (Bill Gates) warps statistics on the number of attacks on Windows vs. *NIX platforms so severely that it's pretty much impossible to definitively say one OS is truly "more secure" than another.

---Joel

Reply to
Joel Kolstad

That's also my understanding. Over-the-top reinstalls accept the existing registry, warts and all. If the problem is registry-based (and most unwanted "features" entrench themselves in the registry to execute at startup) then it won't fix the issue. If it is a corrupted WinExploder file then an O-T-T *should* fix it.

I'd be inclined to try identifying the "feature". Try AdAware and Spybot S&D for starters, and also try an alternative virus scanner. I use F-Prot's free DOS version for that task.

Reply to
budgie

Got that backwards. . .

If you have some time, the stats are available. 8-)


Remember Vulnerability Note VU#713878 ?

It was even covered by the national corporate [1] news media. Some even pointed out **gasp** that it only affected *Microsoft Windows*.

The advisory dealt with a flaw in MSIE that combined with a flaw in IIS to make for a real mess.

[1] Notice that I didn't say "mainstream".
Reply to
JeffM

Sorry, my bad.

Is that the one where Microsoft had security patches out roughly a month before the attacks started showing up, but of course many systems were vulnerable because the system administrators hadn't bothered to apply them?

I suppose I would give you that you have to be _much_ more diligent about security when running a Windows system than a *NIX system, in much the same way that someone with a really fancy car needs to be a lot more diligent about security than someone driving a clunker. (Not to imply that Apache is a clunker, just that it's not as attractive to criminals as IIS.)

---Joel

Reply to
Joel Kolstad

Did your test distinguish between the Windows Explorer file, and the new icon and whatever file it references?

Reply to
Aubrey McIntosh, Ph.D.

Is this built into Win2K or do I need to download it from somewhere?

...Jim Thompson

Reply to
Jim Thompson

Yes, and it still gives the same error, "Explorer.exe error: Instruction at location 0x.... can't read memory at 0x0000000"

...Jim Thompson

Reply to
Jim Thompson

Understand that this is NOT *cloning* the drive. The Registry (as well as M$-fanagled pseudo-files) get left behind.

You may as well not bother to copy most of the contents--just data directories.

Ghost, Aloha Bob, PC Relocator, etc. can make an image of the disk INCLUDING Windoze stuff that a COPY operation won't.

Reply to
JeffM

just that it's not as attractive to criminals as IIS.)

Ah, and here we can mention the old *Security through obscurity* chestnut. Apache vs IIS is the **classic** example.[1]

You would think that with 70% of the market, Apache WOULD be an attractive target.

It's NOT because Apache is far more secure BY DESIGN. . .

[1] BIND vs Microsoft DNS being the next in line. (Has M$ EVER written ANYTHING with a modicum of security?)

Reply to
JeffM

Uh, no. It's FAR more prestigious if some would-be hacker manages to bring down part of the military-industrial complex that is Microsoft than if they manage to mess up the lives of those daisies-in-gun-barrels programmers who write Apache. :-)

Reply to
Joel Kolstad

Surely you mean SFC.

Reply to
JeffM
[snip]
[snip]

I have a 4-machine network. And the "sick" machine "talks" just ducky across the network. Can I run a backup across the network?

...Jim Thompson

Reply to
Jim Thompson

Have you installed a new program lately (eg. one boot sequence before the problem occurred)?

It is highly unlikely that Explorer.exe got modified (and extremely easy to check). It is very likely that some new program installed a new version of some DLL that explorer relies upon.

In any case, if explorer.exe has been damaged, it should show up when you do a scandisk.

-Chuck

Reply to
Chuck Harris
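
The two checks suggested in the post above (has explorer.exe itself changed, and which DLLs were replaced recently), as an added example that is not part of the original thread. It assumes a current Windows with PowerShell 5.1 or later; the known-good path and the 14-day window are hypothetical, and the trusted copy must come from the same Windows build and patch level or the hashes will differ legitimately.

```powershell
# Added example: paths and the look-back window are assumptions, not values from the thread.
param(
    [string]$Suspect   = "$env:WINDIR\explorer.exe",
    [string]$KnownGood = 'D:\known-good\explorer.exe',   # hypothetical trusted copy
    [int]$Days         = 14                               # hypothetical look-back window
)

# 1. Is explorer.exe byte-identical to the trusted copy?
$suspectHash = (Get-FileHash -Path $Suspect   -Algorithm SHA256).Hash
$goodHash    = (Get-FileHash -Path $KnownGood -Algorithm SHA256).Hash
if ($suspectHash -eq $goodHash) {
    "explorer.exe matches the known-good copy ($suspectHash)"
} else {
    "explorer.exe DIFFERS: suspect=$suspectHash known-good=$goodHash"
}

# 2. Which DLLs in System32 were written recently, and is each one validly signed?
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path "$env:WINDIR\System32" -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name          = $_.Name
            LastWriteTime = $_.LastWriteTime
            FileVersion   = $_.VersionInfo.FileVersion
            Signature     = $sig.Status          # e.g. Valid, NotSigned, HashMismatch
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Format-Table -AutoSize
```

A DLL that was written just before the crashes began and is unsigned, or signed by someone other than the OS vendor, is the first candidate to compare against a clean install.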

[snip]

Get a Mac!

-- Paul Hovnanian mailto: snipped-for-privacy@Hovnanian.com

------------------------------------------------------------------ "Si hoc legere scis nimium eruditionis habes." (If you can read this, you're overeducated.)

Reply to
Paul Hovnanian P.E.
