Network Security Focus-Microsoft

RE: Compromised WinXP box prob

Subject: RE: Compromised WinXP box prob
Date: Tue, 18 Mar 2008 10:44:50 -0700
Actually, I've found that I'm much more likely to go for a system 
reinstallation in the case of weird problems. I've had far too many cases where 
I'd sink tens of hours into trying to fix things that had gotten messed up and 
get it to where it seemed like I'd done it, only to have a host of little minor 
things that never worked quite right from then on that I eventually traced back 
to consequences of that repair attempt. (I'm one of those guys who kept the 
same desktop installation of Windows 2000 Pro running for four years, across 
two motherboard upgrades, including the switch from SCSI boot disk to IDE boot 
disk.)

It's one thing to make that decision for myself, but another thing to put that 
kind of time investment in for customers. They generally don't care about you 
furthering your knowledge, and definitely aren't paying for you to do so on 
their time; they want their computer and data back running. Every customer has 
a different tolerance for what they'll put up with; the trick is figuring it 
out.

For the record, I never had anyone whose computer I worked on tell me that 
things didn't work right after a reinstall. In fact, since I have a policy of 
removing Norton, Symantec, and McAfee whenever I see them, I usually hear just 
the opposite -- that the computer has never worked as well as it is now!

--
Devin L. Ganger, Exchange MVP      Email: deving@3sharp.com
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Mike Moratz-
Coppins
Sent: Tuesday, March 18, 2008 6:22 AM
To: focus-ms@securityfocus.com
Subject: Re: Compromised WinXP box prob

Thank you for all of your responses.  I had decided to go with a new
installation of WinXP unless anyone had any further ideas, which I have
already gone ahead with (customer data backed up already).  The clean
install has worked without incident.

There were one or two suggestions about taking the disk out and
virus-scanning it.  I did do this already; there were a few extra
infected executables such as lsass.exe (and the files were cleaned, not
removed), but the installation still didn't work properly.

A few people suggested system restore - the only way (AFAIK) that this
could be done with things as they were would have been if I had
substituted logonui.exe for the system restore exe, which, considering
the limited success I had with registry editor and the command prompt, I
don't think would have worked (I think the customer/Symantec had also
tried to use system restore without success before the current situation
got as bad as it did).  Also, do people here think that system restore
could have handled a situation where the whole CurrentControlSet key
structure was unavailable?

I tried one last thing before going with a clean install, which was a
repair install; however, that tripped up on the problem that I couldn't
start the computer in normal mode, it just went straight into safe mode.
Does anyone know why WinXP might automatically go into safe mode even if
normal mode is chosen?  I would bet that a lack of CurrentControlSet key
might do it, but I would have thought a repair install would discard that
key structure anyway.

The other thing I would like to know is where the rights and privileges
settings are stored on an XP installation.  I snooped around using the
registry editor in the security hive on the ntpasswd boot CD but I don't
have any experience with that hive.

There was a suggestion or two along the lines that it wasn't worth my
time or money and/or that it wasn't in the best interests of the customer
for me to try and troubleshoot the problem any further.  Personally I
don't consider myself to be at the pinnacle of knowledge when it comes to
problems like these, but I will always give as many of my ideas a shot as
possible, as this and/or customers might benefit from this investigation.
I also think that doing a clean install for customers is an absolute last
resort as that itself can bring complications, such as the loss of the
customer's settings, and the possible finger-pointing that "the computer
doesn't run as well as it used to since you messed with it", justified or
not.  Of course it is a case of picking the right time to close the
investigation and to correct the overall problem the quick way, but I am
sure that everyone on this list used to use an OS reinstall as the answer
to their problems more often than they do now.

--
Mike Moratz-Coppins
mike@mikeymike.org.uk
http://www.mikeymike.org.uk/

