wounded XP

[iamnotageek]

Customer brought in a XP Home SP2 system that is doing some rather strange things. For starters, the Start button is missing. The system does respond to the Windows key by presenting the start menu, but the only thing showing in the left column is All Programs, and the only thing showing in the right hand column is My Documents. Where the other common elements should be (Control Panel, Search, etc), there is nothing but start menu background. Browsing All Programs shows most things, minus the icons. In Explorer and Internet Explorer, File, View, Tools, etc do not appear. Again, there is just blank background color.

When I try to run any mmc, I get a message saying that "the application has failed to start because the application configuration is incorrect" and it suggests using regsvr32 to register an associated dll, but attempting this returns the same sort of error message. Attempting to run regedit and most other applications returns the same sort of error. For applications that do run, no button shows up on the task bar.

After running a repair reinstall of xp and finding no joy, I ran a couple relevant vbs scripts from Kelly'sCorner but these had little effect. I booted w/BartPE, loaded the machine's registry and checked some of the applicable reg fixes from his site and all seems well with respect to that.

The machine had been working fine until the other day when the customer saw the screen saver "in use and locked" prompt, hit OK to go back in and found that things weren't working.

While in BartPE, I ran hijackthis and did not see anything suspicious except for something called HookupFinder. Google did not reveal that this is malware, but disabling it made no difference. Since AutoRuns won't run on this machine, I haven't been able to peer more deeply into what is running
behind the scenes.

Anyone seen this before and/or know how to fix it, short of a clean reinstall?

 

[Turkbear]

Hi,
Can it be run in safe mode?

Are there multiple users/profiles..can you try another login?





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[iamnotageek]

Same results in safe mode. I was able to get into Control Panel and create a new user, and the new profile exhibits the same issues.

 

[linney]

What tweaking has the owner applied to the machine, any registry errors effecting settings would probably be carried across via any repair install?

Have you tried the Classic Theme or even just disabling the Theme Service?

As a last resort you could try a Registry Cleaner.

jv16 PowerTools,

http://www.macecraft.com

is highly recommended.

Saving valuable data, followed by a Format and clean install of XP maybe the way to go?

 

[iamnotageek]

The owner is computer illiterate, so no tweaking has likely been done. It is true that the XP repair reinstall is imperfect - no way that it could repair all faults - so clobbered registry settings could get carried over. However, before doing the repair reinstall, I had booted into BartPE and performed a manual system restore, regressing the system to a few days before the problem occurred, but ended up with the same symptoms, which tells me that it is not the registry.

I should mention that when the machine first came in, the first thing I saw was a SMART error, so the first thing we did was to use DriveImage to copy the failing hard drive onto a new one. I then ran chkdsk /r from the recovery console 3 times in succession (I repeat the process until it no longer says "found and fixed problems...")

I did try changing the start menu to classic, but get the same symptoms - no start button or icons on the programs menu. I haven't tried disabling the theme service as the problems with the GUI seem to be a symptom rather than the root cause, given that it won't run any mmc or most .exe.

The only hits I've seen on this error message have to do with a corrupted or incomplete Visual C++ environment, and this customer is not even close to being a programmer. Periodically, a Visual C++ runtime error comes up in conjunction with Norton autoupdate trying to run. I did try to run the VC++ redistributable on this machine, but it abends with the same type of error.

I suspect that the OS is wounded in such a way that compiled programs are failing to run and this error msg is put up. If no pertinent info surfaces, I will be pulling the data and doing a WAR.

 

[linney]

Have you been down this track apart from the running of "Hijack This"?

Is there anything in the in the Event Viewer logs (*.evt) in this location, C:\WINDOWS\system32\config, if you copy the .evt files onto another machine and use that machines Event Viewer to read them?

Removing adware & spyware
faq608-4650

Try the free version of "Ewido" now called "AVG Anti-Spyware 7.5"

http://www.ewido.net/en/download/

Windows Defender

http://www.microsoft.com/athome/security/spyware/software/default.mspx

 

[iamnotageek]

The only way that HijackThis will run on this machine is if you run it from within BartPE, using the plugin. It will then scan the remote registry instead of the local one. I've used HijackThis extensively to aid in the removal of infections from a great many machines. The other tools I usually use (e.g. Spybot S&D, AutoRuns) will not install or run on this machine. Most anti-malware tools will not scan a remote registry, but then I have never seen any type of infection cause this type of symptom. In the earlier days of adware, some of it would disable certain features (e.g. taskmanager, regedit, etc) to prevent the user from uninstalling it or prevent the system from running .exe files, but I haven't seen that in about a year. In this case, some .exe run and some don't so it is not the case that the file association registry key got changed. Slaving the hard drive to another machine and scanning it w/AVG found no sign of infection, but that really isn't conclusive, since it would not have parsed the remote registry.

My guess is that the failing hard drive caused some OS corruption that is not addressable with an xp repair reinstall. The problem seems to be a system-wide/environment type of problem, due to the variety of symptoms. For example, in addition to the aforementioned, if I use the sc command line tool to view the list of services, it does not display any service in the alphabetical list that precedes the letter 'N' in the alphabet. Weird. Even so, I can query a service that doesn't show up, if I know its name.

I did try viewing the evt logs on another machine, and mostly get the typical "description for event blah blah cannot be found..." for DCOM errors and others. sc query shows dcomlaunch status as start_pending. Since it is not_stoppable and mmc won't run, there isn't any way to disable it on this machine other than manually hacking the registry while booted into BartPe.

There are also errors pertaining to Remote Access Connection manager failing to start due to "access denied" and "unable to create buffers."

 

[Turkbear]

Hi,
Seems like a clean install and/or a new HD is the only option left..If you use a new HD,you can, of course, mount the existing drive as a secondary and copy any important documents, program files, etc..





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[G0AOZ]

Did you try to boot up the system immediately after imaging it onto a new drive, before you ran chkdsk?

Have you established that the hardware is all working one hundred percent?

Good as AVG is, and I use it myself, it doesn't find everything. Might be worth scanning with a couple of different programmes as well...

ROGER - G0AOZ.

 

[firewolfrl]

I have seen this and it is Very Very nasty
It is a form of ADware that follows as rogueware...it is somewhat a rootkit too. it does not scan as a virus most of the time. and most antivirus have issues finding it. it also has a tendancy to change the HOST file to block antivirus/anti adware software from updating

The costumer's web surfing practices let it in. They had to have said yes to something

the first thing to do is to pull the drive, Slave it to another computer, do a full antivirus scan of the drive, and then a chkdsk (driveletter) /R, and then copy the costumer's data on the drive to a spare drive.

The best fix for this is to wipe the drive and start over. it is the easiest fix too. This means ZERO the drive as a complete wipe...format is not enough

AVAST is pretty good at finding some of this bug when it is not part of the effected machine.

I don't have the name right now as I have to leave in a moment but this should get you started in the right direction...


I gave up trying to fix it and did a new install and transfered the costumer's data to the new install.

 

[iamnotageek]

Turkbear - as I stated, the current hard drive is a new one.

Roger - yes, I did try booting it before running chkdsk /r on the new drive - same results. The hardware seems to be running ok - just for grins, I did a parallel install and it boots to the desktop and functions normally. I also went back and tried booting from the old hard drive and get the same results.

Firewolfrl - the hosts file is untouched. Could be malware, but it would be self-defeating, since the system is in such a crippled state that most functions don't work. Don't know how that would serve their purposes. Most malware these days at least tries to function as a bot or steal personal info, and this system doesn't seem to be capable of either. Of course it is possible, since the bozos that write that stuff are such lousy programmers.

While I appreciate the advice, what I was really looking for is info as to why the error message is coming up and how to fix it. I fix computers for a living so I know how to rescue the data, do a fresh install, etc.

 

[IMCjhill]

Wow, a repair install and still problems. I am sorry. Any errors noted during the repair install?


check the shell extensions. can you run .exes from the cmd prompt? Use a shell extensions analyzer under bartpe for this.

create new profile in user manager? does the new account work or not? i would guess not

You can try taking back "ownership" of registry permissions and file permissions. (2 steps) it could be a permissions/security issue. Try brute force tatic of taking back all ownership c:\ and all registry hives

I know you did a system restore back a couple of days. Did you try to go back futher? Maybe a month? Maybe furter. this has helped me. you can do this in bartpe if sys restore does not work.

If you did a repair install and that didnt work then it could be a reg problem.

Virus? rootkit? If you have the time, let it sit for a week not connected to the internet and then run an offline virus scan with bartpe or pull the HD and run it from another viable system.

Runalyzer from safer-networking.org runs under bartpe for an offline startup assesment. It will mount a registry on your c:

 

[iamnotageek]

IMCjhill,

There were a few errors that popped up during the repair reinstall that had to do with some of the .dll files, such as wab32.dll, et al. I tried copying them from a working machine using BartPE (WFP won't otherwise let you overwrite) but it made no difference, but in the end, the machine acted as it did before the repair reinstall. I have run into a dozen or two machines that were not cured by a repair reinstall, so it doesn't surprise me that it didn't work in this case.

Every .exe I've tried to run from the cmd prompt results in "cannot execute the specified program"

I covered testing with a new user profile in a previous post - no change/help.

If I right click on C: in Explorer and click on Sharing & Security, all I get is the general properties screen that only has the General, Tools and Hardware tabs, so unless there is a way to view/change ownership/permissions from a command line that does not involve running an exe or msc...

It might be possible to get there by using the BartPE regedit plugin, but it would involve editing a remote registry and assigning ownership to a remote user SID as well. Not sure how that would work. If it is a permissions issue, it would appear that the system does not have permissions, rather than the user.

Going back further in time is no longer possible, now that I've run the repair reinstall, but I've found that going back a few days before the problem occurred us usually sufficient, if that is going to fix the problem. The fact that it didn't tells me that it wasn't a registry problem.

New info: I contacted the customer to find out what he was using for email and found that the folder that ordinarily contains the outlook.pst file is missing. When launched, Outlook likewise complains that it can't find the pst file. It appears that other folders under docs & settings are also missing.

I had slaved the hard drive and ran a scan and it came up clean. I think the system was wounded by the failing hard drive. At this point, the customer wants it running, so we have pulled his data and are going to do the WaR.

Thanks for your help.

 

[linney]

I wonder if something like this would have been able to run, too late now, but it's handy to know about it.

How To Reset Security Settings Back to the Defaults

http://support.microsoft.com/?id=313222#appliesto

 

[firewolfrl]

Bartpe OK in some situations...But, not in this case ....the virus I mentioned before takes over every EXE file that runs in the system...and if it is a bad hard drive then the data can corrupt .
running the drive as a slave is the best way to go right now

try a new drive in the system and see if the computer is throwing errors with a new drive...then its bad motherboard or CPU or even the ram