Interesting PC Holiday Repairs?

Re: Interesting PC Holiday Repairs?

Posted on Thu Dec 29, 2011 10:29 pm

Going to clean a virus off my mother's laptop soon. Looks like my workplace's Bomgar device is set up to allow outside-to-outside support, so I can remote into her machine from my home and not have to faff around with LogMeIn or the like.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3168
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Interesting PC Holiday Repairs?

Posted on Sat Dec 31, 2011 2:09 am

I decided to clean my keyboard a few days ago, but in my haste to get back to playing Arkham City I must not have dried a few of the caps sufficiently because I have about a dozen or so keys that no longer work. Fortunately while I wait for a new one, I can use my parents' keyboard since their system conveniently refused to start that evening. I can't tell if it's the motherboard or an issue with the Windows install, but they decided it was time for a new PC anyway so I may be hitting up the SBA forums soon. :wink:
i5 750 | GA-P55-USB3 | 8GB DDR3 1600 | Radeon HD 6950 | 256GB m4 + 500GB Spinpoint F3 | Audigy 2 ZS | Corsair VX550W | Freezer 7 Pro | Lian Li PC-7FN | X-Silent fans | U2413 + 2209WA | Corsair K90 | Logitech G5 | ProMedia 2.1 | Win 7 Pro x64
MixedPower
Gerbil Elite
Gold subscriber
 
 
Posts: 739
Joined: Fri Aug 18, 2006 7:10 pm
Location: Indianapolis

Re: Interesting PC Holiday Repairs?

Posted on Sun Jan 01, 2012 9:10 pm

MixedPower wrote: I decided to clean my keyboard a few days ago, but in my haste to get back to playing Arkham City I must not have dried a few of the caps sufficiently because I have about a dozen or so keys that no longer work.

Try using a blow dryer on it, or baking it on your oven's lowest setting. You've got nothing to lose since it is already dead.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Sun Jan 01, 2012 9:23 pm

Yeah, there is a thread somewhere regarding mechanical keyboards....

I paid $125 for DAS KEYBOARD... a great product but I like the old Microsoft split keyboard design.
They don't make the exact model any longer, so I bought (3) $35 versions of what is available now.... (shotgun approach)

Still ahead if only one works ....

Spares... how to make holiday repairs much less painful.

Yeah, your (replace whatever you are talking about) is complete ****...but I have a spare that I can give you. :wink:

The time and aggravation saved always make the donation more than worthwhile. :D :D :D :D
mdk77777
Gerbil XP
 
Posts: 346
Joined: Fri Dec 12, 2008 3:42 pm

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 10:04 am

Postscript on the sister-in-law's box -- It still wasn't running 100% stable, and seemed rather slow even for an Athlon XP. Turns out that in spite of having an active copy of AVG it was a cesspool of malware. A two-pronged assault on the hard drive with MBAM and MSE took care of most of it, but I just figured out this morning before leaving for work that it still has a lingering rootkit infection (detected by RootkitRevealer). I'll probably take a stab at surgically removing the rootkit tonight, but it is now looking like this will be a nuke-from-orbit after all... :roll:

At least the thing reliably boots into Windows now, so recovering the XP product key from the registry should be a no-brainer.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 11:38 am

axeman wrote: Try Kaspersky's tool for removing some of the more common rootkits:

http://support.kaspersky.com/faq/?qid=208283363

Yup, already found that one via some Google searches right before I left home. It is the first thing I plan to try this evening.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 12:00 pm

My mom had one of those fake AV malware kits on her Dell laptop around Thanksgiving that I had fixed for her remotely. I find it very interesting that the easiest fix for these is often to enter the serial number to "activate" the software. It actually makes it loosen its ties to the system so removal is easier. Still a pain in the butt though. On a different note, I would highly recommend Logmein.com and their software. It was super easy to connect to her system and do what I needed. I have my entire immediate family set up on that software for troubleshooting and it has worked great (as long as they don't mind your anytime access to their system).

Over a Christmas visit I opened her laptop to multiple software update screens, so I ran the usual updates (MS Updates, Adobe, Flash, Java). Installed Windows 7 SP1 and it had a 2 part pre-login screen update. First part went okay, but second part hung and I had to hard reboot. On reboot, the 2nd part took but the next reboot prompted a Windows repair. The first time I had it go in and try to repair, but I didn't have a Windows disk handy. Exited out and was given the option to boot normally. Tried that and everything looked good.

A pet peeve of mine is logging into a machine and getting thrown update alerts for all kinds of things. I told my mom to update what she can and she said "well, that's what I tried to do when I got the fake antivirus virus". Point taken. I guess it is better to not install any updates than risk installing something bad?
njenabnit
Gerbil Elite
 
Posts: 642
Joined: Mon Sep 13, 2004 5:33 pm
Location: Oklahoma City, OK

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 12:25 pm

Yeah, that's a tough call. With all the Flash, PDF, Java, etc. exploits out there, you really do want to keep everything as up-to-date as possible. But for someone who isn't good at spotting fake/scam software updates, the cure may be worse than the disease.

A major contributing factor here is that each software vendor has their own update mechanism, so users can become confused about what's a legit update, and/or desensitized to random popups asking to update things on the system. It is also a drag on system resources, since (for reasons I can't fathom) almost nobody uses the Task Scheduler, opting instead to use an always-resident background app that periodically "phones home" to check for new versions.

This is one area where the package management paradigm used by the major Linux distros is a distinct advantage. By funneling all updates through a single tool, you eliminate a lot of the potential confusion and inefficiency. (There are of course downsides to this approach as well, but that's a topic for another thread/rant... :wink:)
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 12:38 pm

just brew it! wrote: since (for reasons I can't fathom) almost nobody uses the Task Scheduler, opting instead to use an always-resident background app that periodically "phones home" to check for new versions.


I think Task Scheduler requires you to enter your password for each task that gets created.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3168
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 12:46 pm

bthylafh wrote:
just brew it! wrote: since (for reasons I can't fathom) almost nobody uses the Task Scheduler, opting instead to use an always-resident background app that periodically "phones home" to check for new versions.

I think Task Scheduler requires you to enter your password for each task that gets created.

Requiring the user to re-enter their password to install an auto-updater is a fine idea. It serves as an explicit reminder that you're doing something to your system that you may regret later!
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 1:48 pm

The holiday season is now over, and I thankfully escaped all PC troubleshooting. Seems to help that so many people these days are using smartphones, tablets, and iPod Touch-type devices for casual browsing and email. Much more like an appliance, and therefore harder to corrupt.
He who laughs last, laughs first next time.
ludi
Gerbil Elder
 
Posts: 5439
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: Interesting PC Holiday Repairs?

Posted on Tue Jan 03, 2012 9:06 pm

just brew it! wrote:
MixedPower wrote: I decided to clean my keyboard a few days ago, but in my haste to get back to playing Arkham City I must not have dried a few of the caps sufficiently because I have about a dozen or so keys that no longer work.

Try using a blow dryer on it, or baking it on your oven's lowest setting. You've got nothing to lose since it is already dead.

Thanks for the advice, I'll be sure to try that when I have a chance!
i5 750 | GA-P55-USB3 | 8GB DDR3 1600 | Radeon HD 6950 | 256GB m4 + 500GB Spinpoint F3 | Audigy 2 ZS | Corsair VX550W | Freezer 7 Pro | Lian Li PC-7FN | X-Silent fans | U2413 + 2209WA | Corsair K90 | Logitech G5 | ProMedia 2.1 | Win 7 Pro x64
MixedPower
Gerbil Elite
Gold subscriber
 
 
Posts: 739
Joined: Fri Aug 18, 2006 7:10 pm
Location: Indianapolis

Re: Interesting PC Holiday Repairs?

Posted on Thu Jan 05, 2012 9:54 am

Post-postscript... backed off on the nuke-from-orbit, because the product key recovered from the system's registry refuses to work with any of the installation media I've tried (OEM, Retail, MSDN subscription, you name it). Fortunately I'd saved an image of the drive...

So that Kaspersky tool appeared to disable the rootkit successfully, but RootkitRevealer was still saying there was something there. After a bit more digging, I discovered why: malware files were still present, in a folder which was hidden by having a reparse point (symbolic link) with the same name. The reparse point linked to an innocuous folder elsewhere in the Windows system folder hierarchy, effectively disguising the folder with the crap in it.

XP would not allow me to remove the reparse point even in Safe Mode or Recovery Console (Access Denied in all cases), but I was able to nuke it as follows:
1. Attach hard drive to a Windows 7 system as a data drive.
2. Add myself to the ACL for the reparse point with "Full Control" permission.
3. Use the fsutil tool from an elevated command prompt to nuke the reparse point.
4. Remove the (now visible) folder the reparse point was previously hiding.

All I can say is... :roll:
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer
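
The four steps from the post above, as an added example that is not part of the original post: it lists every reparse point on the attached volume with its target, then wraps steps 2 and 3 in a function that has to be called explicitly. The drive letter `E:` and the `<folder-name>` placeholder are assumptions; the post does not give the actual path.

```powershell
# Added example. Run from an elevated PowerShell prompt on the Windows 7
# machine with the suspect disk attached as a data drive.
$Root = 'E:\WINDOWS'   # ASSUMPTION: the XP volume is mounted as E:

function Find-ReparsePoint {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Walk the tree by hand so a link is reported but never followed;
    # following it would list the innocuous target, not the link itself.
    $pending = New-Object System.Collections.Stack
    $pending.Push($Path)
    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        try {
            $children = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction Stop)
        } catch {
            # Report directories that refuse to list instead of hiding them.
            Write-Warning ("Cannot list {0}: {1}" -f $dir, $_.Exception.Message)
            continue
        }
        foreach ($item in $children) {
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                $item                              # emit the link itself
            } elseif ($item.PSIsContainer) {
                $pending.Push($item.FullName)      # ordinary folder: descend
            }
        }
    }
}

function Remove-ReparsePointEntry {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Link)
    if (-not $PSCmdlet.ShouldProcess($Link, 'grant Full Control and delete reparse point')) { return }
    # Step 2: /L applies the ACL change to the link itself, not its target.
    icacls $Link /grant "${env:USERDOMAIN}\${env:USERNAME}:F" /L
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Link" }
    # Step 3: strip the reparse data; the directory entry itself remains.
    fsutil reparsepoint delete $Link
    if ($LASTEXITCODE -ne 0) { throw "fsutil failed on $Link" }
}

# Step 1 is physical. Then list every link under $Root together with the
# tag and target that fsutil reports for it.
foreach ($hit in (Find-ReparsePoint -Path $Root)) {
    "== {0}" -f $hit.FullName
    fsutil reparsepoint query $hit.FullName
}

# Steps 2-3, for ONE entry confirmed as malicious (placeholder name).
# Drop -WhatIf once the path has been checked:
# Remove-ReparsePointEntry -Link 'E:\WINDOWS\<folder-name>' -WhatIf

# Step 4: look at what was hidden before deleting it.
# Get-ChildItem -LiteralPath 'E:\WINDOWS\<folder-name>' -Force -Recurse
# Remove-Item   -LiteralPath 'E:\WINDOWS\<folder-name>' -Recurse -Force -WhatIf
```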

Re: Interesting PC Holiday Repairs?

Posted on Thu Jan 05, 2012 4:52 pm

just brew it! wrote: So that Kaspersky tool appeared to disable the rootkit successfully, but RootkitRevealer was still saying there was something there. After a bit more digging, I discovered why: malware files were still present, in a folder which was hidden by having a reparse point (symbolic link) with the same name. The reparse point linked to an innocuous folder elsewhere in the Windows system folder hierarchy, effectively disguising the folder with the crap in it.

Wow, that's devious. It didn't even occur to me that you could do that.

just brew it! wrote: XP would not allow me to remove the reparse point even in Safe Mode or Recovery Console (Access Denied in all cases),

I wonder if the SysInternals' Junction tool (with the -d option) would've worked? There's also the delrp.exe tool from the old Win2K Resource Kit, but if the permissions were an issue you probably would've been forced to move it to another machine as a non-system drive regardless.
UberGerbil
Gerbil Khan
 
Posts: 9980
Joined: Thu Jun 19, 2003 3:11 pm

Re: Interesting PC Holiday Repairs?

Posted on Thu Jan 05, 2012 5:04 pm

UberGerbil wrote:
just brew it! wrote: So that Kaspersky tool appeared to disable the rootkit successfully, but RootkitRevealer was still saying there was something there. After a bit more digging, I discovered why: malware files were still present, in a folder which was hidden by having a reparse point (symbolic link) with the same name. The reparse point linked to an innocuous folder elsewhere in the Windows system folder hierarchy, effectively disguising the folder with the crap in it.

Wow, that's devious. It didn't even occur to me that you could do that.

I'm assuming there was some sort of invalid character in the name (embedded null, perhaps?) which was confusing Windows' filename parsing logic. Either that or the malware accessed the raw block device and munged the filename to create the duplicate directory entry. Either way, yes it was quite devious in that it accomplished the cloaking function of a rootkit without requiring active interception of system calls...

I guess RootkitRevealer is still good for something even if it is getting a bit long in the tooth! For those who don't remember, RootkitRevealer was the original semi-manual rootkit detection tool from Sysinternals (before Microsoft acquired them), which was used to detect the original Sony DRM rootkit.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Thu Jan 05, 2012 5:04 pm

You're both more skilled and more dedicated than I am!
Ugly people have sex all the time. We wouldn't have 6 and a half billion humans if you had to be beautiful to get laid.
paulWTAMU
Gerbil Elder
 
Posts: 5519
Joined: Wed Nov 24, 2004 5:14 am
Location: Amarillo, Texas

Re: Interesting PC Holiday Repairs?

Posted on Thu Jan 05, 2012 5:07 pm

paulWTAMU wrote: You're both more skilled and more dedicated than I am!

Or more OCD.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Thu Jan 05, 2012 5:36 pm

I wonder if you could have deleted that directory from Knoppix without bothering with the reparse point stuff; we've used Knoppix sometimes to get into ACL'd folders and copy data out because it ignores those ACLs.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3168
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Interesting PC Holiday Repairs?

Posted on Thu Jan 05, 2012 5:41 pm

bthylafh wrote: I wonder if you could have deleted that directory from Knoppix without bothering with the reparse point stuff; we've used Knoppix sometimes to get into ACL'd folders and copy data out because it ignores those ACLs.

I had already tried with an Ubuntu live CD. The reparse point confused it about as badly as it confused WinXP.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Interesting PC Holiday Repairs?

Posted on Fri Jan 06, 2012 6:50 pm

JBL - fun times it seems.


Also had a few funny cases.
First case is my own comp. Somewhere between my last full calibration this summer and my calibration last week, both my displays have lost in green extension on the gamut. Notwithstanding they are of different age, different make, even different gamut (one makes sRGB the other makes AdobeRGB). So right now I'm trying to eliminate either the graphics card or the colorimeter as faulty. Can't rule out the colorimeter until I test another comp at the same displays, and that comp is right now busy with my second case.


Second case
A few friends' laptop that had hung and just wouldn't boot. Took out the laptop drive and attached to another comp to look at. Windows says it has an NTFS partition but throws a faulty parameter when you try to actually use it from within Windows, and neither checkdisk nor any Windows utility seems to acknowledge it as anything other than broken and unfixable.

So I looked at it with more specialized utilities. Yeah, boot sectors are crap, partition tables are partly crapped and MFTs are crapped. Ended up doing a full image on the original drive, recovering files through a utility from that first before taking on the disk itself. Did a boot-sector backup to a file and BAM. The antivirus throws an alarm for a virus, probably some form of rootkit. Also got positives on a bunch of recovered files. Although for some reason, the Windows utilities I had couldn't do any MBR or boot-sector operations, so I ended up booting up Helix and ran Gparted, deleting the partition and doing a new partition, then once into Windows again, I manually replaced both the primary and secondary boot sector and then the partition tables from templates. Then restoring the trashed partition with also redone tables. Still, the MFTs are crapped, both of them, so still no easy quick fix to get Windows seeing the partition as a whole one ever again.

What I don't get is how data recovery utilities can both look at the partially corrupted MFTs, parse all the MFT records it can find, and manage to find all files, but not be able to even rebuild or make a new MFT with that information. Sure it's a destructive act for the original MFT, but once that is acknowledged, I'd rather have a functioning MFT missing say 2 files, than a fully unworking partition and having to rebuild the whole system from scratch. Of course, since it had had a bad virus infection, that part was surely needed anyway.

At least it was able to parse the MFT and rebuild both the directory structure and get all files back. Otherwise I would've had to do a low-level search and use file signatures, which usually makes me end up with a long list of folders of each filetype, all with plain numbered recovered files. I've had to sort through that once before, when drives were only a couple of GBs, and that was bad enough. Now in the day and age where drives are 100s to 1000s of GBs, that is a next to impossible task.
Aphasia
Grand Gerbil Poohbah
 
Posts: 3455
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Interesting PC Holiday Repairs?

Posted on Fri Jan 06, 2012 7:48 pm

Stop me if you have heard of this one.

I was at my aunt's house out of state when she mentioned to me that she cannot print from her HP desktop from three years ago to her HP Fax/Scanner/Printer from about the same time. Indeed, the print spooler said that the last print job that worked dated from 5/26/2011. So I deleted all the printer drivers, cleared out the print queue, went into Safe Mode and uninstalled the printer driver and rebooted normally. None of it worked. I reinstall the drivers and the printer is not detected. The printer is still plugged into the USB port on the back of the desktop, so I let the driver finish (and unplug and plug the device in a different USB port). I then look at the back of the printer and find the real issue: the USB plug was in the telephone jack rather than the USB port on the printer. Once plugged in correctly, the drivers find the printer and all is well. Except that the ink was kind of faded. So I run a head clean using the HP software and print a test page. Now all is well.... all because somebody plugged the USB cable in the wrong port on the printer and it could not print for seven months!
Laptop: HP Pavilion 17-e016dx. AMD A8-5550M, 4GB RAM, 750GB HDD, AMD Radeon HD 8550G integrated video, 17.3" display, 1600*900 (HD+) resolution, SD card reader, Windows 8.1 (DL Classic Shell)
riviera74
Gerbil Elite
 
Posts: 864
Joined: Mon May 29, 2006 6:14 am
Location: FM, FL, USA

Re: Interesting PC Holiday Repairs?

Posted on Fri Jan 06, 2012 8:52 pm

I had a fun-filled Christmas! Had to retire my brother's old Athlon 64 based system since it was constantly giving him issues. Gave him my old Phenom II 720 HTPC rig. Then my main Phenom II 940 rig I turned into my current HTPC, and got myself a nice nmediapc HTPC case off newegg on sale. Then for my own pleasures bought myself an i7-2600k! :) It's been a good Christmas, all I need is that 7970.... ;D
StuG
Graphmaster Gerbil
Silver subscriber
 
 
Posts: 1459
Joined: Wed May 23, 2007 11:19 pm
Location: Florida
