Funky machine

Can't validate. XpPro
Multiple shop repair yields following: current to oldest.
No update when put on-line long time after repair behind hardware firewalled
network while typing on another system.

After shop never on-line: (Note: am only admin I see on a standalone set of
xp)
Start|Control Panel| etc to Event Viewer |Security
"Unable to complete the operation on "Security". A required privilege is not
held by this client."

Limited login odd will be locked out for logs full, let it run for a bit
with screen saver and clears.

ADD/Remove Windows Component
"Setup was unable to open information file hidei with carrot top BOX BOX
Contact your system administrator. The specific error code is 0x7b at line
2088999411."

System will not load Xp without hardware failure unless:
Network present at boot
All BIOS enabled.
Specific failures relate to BIOS Shadowing & ACPI
Resetting, changing every insanely possible piece of hardware fails but put
on network loads mostly cleanly.

Stopping IM messenger for one boot, lost video card and dual boot causing a
shop repair to fix.
 
You seem to have multiple issues that could be a result of multiple malware
infections. I suggest that you have your data files backed up and files
encrypted with EFS encrypted first and then have a clean install of the
operating system done. It probably would be a good idea to document current
CMOS settings for the motherboard and then choose default settings before
installing the new operating system. Steps in the link below need to be
taken to minimize chances of future operating system problems. --- Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
 
I meant to say that any EFS encrypted files should be decrypted before a
new install of the operating system to ensure the user can access them in
the new operating system. --- Steve
 
Thanks, how do you decrypt EFS? This system was new & patched and never
on-line. This system, and a large sample of new retail small-build hardware,
has been flattened hard many times.

Update: made the mistake of updating Norton sys05.

A clean reboot:
Lost connection to on-board hardware firewall but not web (still behind network).
Windows Explorer shutdown by DEP, sent error report.

Anyway thanks,
Scott
 
There would not be any files encrypted with EFS unless a user using the
computer intentionally did so. You can use the cipher command to check for
encrypted files and folders. --- Steve
 
Hey Steve,

There are no such files that I know of, but I'll look into it. Also, any
leads on flattening order of ops / procedures would be appreciated.

Thanks for the time,
Scott
 
With dual boot operating systems it depends on the operating systems being
used. If they are all Windows operating systems you want to install the
oldest operating system first as the newer operating system may overwrite
files in the root directory and if the files are versions that the operating
system does not understand you will have failure upon booting into the
operating system.

Always make sure that you have some sort of firewall protection enabled
before you ever connect to the internet with any of your operating systems
and be sure to download and install critical security updates from Windows
Updates after you install your service pack. Make it a habit to check the
logs via Event Viewer after an install and thereafter to see if any problems
are shown that may need attention and also check Device Manager for any
hardware issues. The link below has tips on how to help you secure your
computer. If you have any more specific questions on install procedures let
me know. --- Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
 
I meant to say that the "older" operating system would cause a problem by
overwriting files such as ntldr in the root directory if installed after a
newer operating system in which case the newer operating system would not
recognize the older version though newer versions are compatible with older
operating systems. In other words, Windows 2000 could use ntldr from XP but
XP could not use the Windows 2000 version. --- Steve
 
Hey Steve, thanks, I'd like to put a few screen shots out but the bugger is
being resistant to that. This bug is very defensive and has made nothing
easy. I can't look at the logs because "this client doesn't have the
permissions to view security logs." Can't Add/Remove Win components by the same,
yet I'm the only admin I can see on the system.

I'm trying MS support for the update problem & a privilege reset tool didn't
work for the same reason.

I went thru the steps and the system failed to install the new genuine tool
up until the 18th. As I've seen lately, no other updates can be seen until that
tool is installed. Do you agree? I checked the update & history every day and
it only showed failure and one success. After installing Half-Life 2, Auto Update
somehow installed the updates for the past 6 months on the 15th when I had
auto update off and didn't see, download, or install any of these.

I'm getting ready to try to flatten it again to get the malware to its most
primitive and try to capture or kill it with a network above monitoring the
traffic.

Any ideas on that would again be greatly appreciated,
s.
 
Sounds like you have your hands full. The info in the link below may be
helpful in restoring security settings to default defined levels using
secedit if you can run it as malware may have changed user rights and
permissions for administrators though that in itself will not remove any
malware. It is also worth a try to boot into Safe Mode to attempt repairs
and do malware/spyware scans. You can try downloading and installing Windows
Updates directly from the update download site but again that may not have
much effect on your problems. Trend Micro has a great free malware detection
and removal utility called Sysclean that does not need to be installed that
you might want to try. You just download it and the latest pattern file to a
common folder, unzip the pattern file, and then run Sysclean. In your case a
clean install is most likely going to be the best and shortest path to
success. --- Steve

http://www.trendmicro.com/download/dcs.asp --- Sysclean
http://www.trendmicro.com/download/pattern.asp --- TM pattern files
http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222 --- using
secedit to restore all default defined security settings. Just copy and
paste the command into a command screen on your computer and hit enter.
 
Thanks, lots of great info. It's been a learning experience. Especially in
that the Web is like the wild west and, like the beginnings of the west, good
citizens had to bring the law with them.

I hate to keep asking for more, but if you have any input on the below it
would be appreciated.

Flattening:
From boot from XP CD, delete partitions & kill power without
shutdown (supposedly to stop memory-based virus from re-writing)

Format drives using format command from CD.
(I think there may be more but my reference doesn't have all the syntax??)
Re-install
Install another license of the Trend 3-pack I just bought for the new system.
Scan from the network with internet off.
Scan from clean machine to safe mode with networking of suspect??
If clean, go on-line, update.

Should XP install from CD with no network connection?
If not, any pointers on monitoring the switch above from another machine.
(The web interface the switch uses isn't very friendly and doesn't give as much
info as I'd like.)
Thanks again, you've been a great help,
Scott
 
Hi Scott. My comments are inline


SoCo6 said:
Thanks, lots of great info. It's been a learning experience. Especially in
that the Web is like the wild west and, like the beginnings of the west,
good
citizens had to bring the law with them.

I hate to keep asking for more, but if you have any input on the below it
would be appreciated.

Flattening:
From boot from XP CD, delete partitions & kill power without
shutdown (supposedly to stop memory-based virus from re-writing)

Yes I would boot from XP CD; however I would not kill power. I have never
heard of the need to do such and would not want to jeopardize the
installation. I have done a LOT of installs. You will have the opportunity
to delete and repartition during operating system install, which is what I
would do. Select the size partition you want for the first install and then
format and do NOT use fast format. Proceed with installation of the
operating system. I assume here you are installing from a genuine Windows
install disk and not a copy you got somewhere that may not be wholesome.

Format drives using format command from CD.
(I think there may be more but my reference doesn't have all the syntax??)
Re-install
Install another license of the Trend 3-pack I just bought for the new
system.
Scan from the network with internet off.
Scan from clean machine to safe mode with networking of suspect??
If clean, go on-line, update.

Yes you should install the operating system while the computer is not
connected to any network connection - even your LAN. Install Service Pack 2
if it is not part of the install disk or if you have it on media. Service
Pack 2 will by default enable the Windows Firewall but verify that it is
enabled and no exceptions are allowed at this time. If you need to install
SP2 from Windows Updates make SURE that the Windows Firewall is enabled
first. Install your antivirus program. Now with the Windows Firewall enabled
connect to the network and go directly to Windows Updates to download and
install your critical security updates. After that is done, which will
require a reboot, immediately update your antivirus definitions. Then install
your applications and data. Use your virus scan to scan the media that you
have your data files stored on before restoring to your computer. Scan any
application files that are not on authentic install disk from the publisher
before you install them. Though I would not expect a problem at this point
you can now scan the whole computer with your applications and data files
restored. --- Steve
 
Hi Steve, thanks so much! What you're doing is close to what I'm doing.

I've built a good amount of hardware & installed a good amount of MS OSes and
have never had these problems.
"I assume here you are installing from a genuine Windows
install disk and not a copy you got somewhere that may not be wholesome."

The system was definitely all retail sealed-box hardware & software. This is
the crux of the problem for me. How does a sealed-box retail system that was
patched & protected get hacked before the administrator can set up accounts?

I've come to the understanding that large-use OSes like XP will be a child
of a business model that has a professionally managed network infrastructure
above the end-user OS.

If the industry or the end user don't address these issues the hackers will
gladly be the administrator of a machine.

That is the nature of this exploit and what I failed to address. I shouldn't
have spent $650 on video cards when that would have bought me a 5 cal part
SMB2003 Dell server. I should have bought all that and a commercial hardware
firewall & run a $400 eMachine instead of NEW SLI & "integrated" hardware
firewall in the NF4 chipset.

I'll bet this problem child wouldn't take the OS without the network so I
need to have the monitoring fully in place. I think the exploit uses UPnP &
NetBIOS and I want to get a better view of the traffic. I'm also wondering
if Nvidia boot agent is part of the exploit or a way out of this rabbit
hole.

Well thanks for the help, appreciate it,
Scott
 
OK. Well good luck. I have never had a problem installing the operating
system while not connecting to the network. If you want to be connected to a
network for some reason use a network cable between the computer and a
switch or router/switch that is turned on but not connected to anything
else. I disable the UPNP and SSDP discovery service on my computers as it is
not needed for ME and adds to network noise. If you want to try a better
firewall at a reasonable price and have an eBay account check out the used
Netscreen 5XPs on auction there. That is what I use at home and I can use it
to create a block all outbound rule and then allow the authorized
exceptions. If you would consider one be sure to get firmware version of at
least 4.0. The affordable ones have a limit of ten outbound connections at
a time using unique source IP addresses from your network. --- Steve

http://search.ebay.com/ws/search/Sa...7&nojspr=y&pfid=0&fsop=1&fsoo=1&fcl=3&frpp=50
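The checks and changes Steve recommends across the thread (cipher to find EFS-encrypted files before a flatten, secedit to restore the default security settings from the KB313222 link, the Windows Firewall on with no exceptions, file and print sharing and Remote Desktop closed, and the UPnP and SSDP services disabled) collected into one batch file. This is an added example, not a script posted in the thread; it assumes an XP SP2 Administrator command prompt, and the log file path is made up for the example.

```batch
@echo off
REM Added example, not a script from the thread: a pre-connection checklist for
REM an XP SP2 build, run from an Administrator command prompt before the
REM network cable goes in. Every command is a stock XP SP2 tool; the log file
REM path is an assumption for this example.

setlocal
set LOG=%SystemDrive%\pre-connection.log
echo ==== Pre-connection hardening %DATE% %TIME% ==== > "%LOG%"

REM 1. List EFS-encrypted files so they can be decrypted before a flatten
REM    (cipher /d). /u touches every encrypted file, /n only reports them.
echo --- EFS-encrypted files (should be empty on a fresh build) --- >> "%LOG%"
cipher /u /n >> "%LOG%" 2>&1

REM 2. Restore the default security settings (user rights, registry and file
REM    ACLs) from the setup template, as the KB313222 link above describes.
REM    This undoes stripped administrator rights but removes no malware.
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
echo secedit exit code: %ERRORLEVEL% >> "%LOG%"

REM 3. Windows Firewall on with all exceptions off; file and print sharing,
REM    Remote Desktop and UPnP closed at the firewall, and Remote Desktop
REM    connections refused by the system itself.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
netsh firewall set service type=FILEANDPRINT mode=DISABLE
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE
netsh firewall set service type=UPNP mode=DISABLE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

REM 4. Stop and disable the UPnP Device Host and SSDP Discovery services.
for %%S in (upnphost SSDPSRV) do (
    sc stop %%S
    sc config %%S start= disabled
)

REM 5. Record the resulting state alongside the EFS and secedit results.
echo --- Firewall state --- >> "%LOG%"
netsh firewall show state >> "%LOG%"
netsh firewall show service >> "%LOG%"
echo --- UPnP/SSDP service configuration --- >> "%LOG%"
sc qc upnphost >> "%LOG%"
sc qc SSDPSRV >> "%LOG%"
echo Done. Review "%LOG%" before connecting the network cable.
endlocal
```

The secedit step is the one that matters for the "privilege not held by this client" errors in this thread: if malware has removed rights from the Administrators group, the template restore puts them back, but as Steve says it does nothing about the malware itself. The log is worth keeping with the Ghost image so the firewall and service state of the baseline is on record.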
 
Thanks, I agree 100% XP should install standalone & should not have hardware
failure if no connection.

The setup errors on "this client doesn't have the privilege", so I can't
disable UPnP yet.

Appreciate the firewall advice. I have a Netgear but the logging and
controls aren't that great.

Thanks again,
Scott
 
Hey Steve, hoping for some more advice.

Replaced mobo & got 2 new SATA drives.

Reinstalled with cheap non-programmable video card.
Kept DVD & CD, memory & processor.
Loaded SATA drivers from manufacturer floppies (F6 on XP install).
Installed new drives RAID 0 in Nvidia BIOS utility.

NO network on XP install -- YES, properly it installed & additional screens
(i.e. organization, admin, networking) showed.
This is a 1st for (6 different NF4 mobos from a mix of manufacturers).

Left XP install options default (i.e. Client for MS, F&S sharing, TCP/IP drivers
loaded & not part of domain).
Very, very hard password on built-in admin account and 1st load into that
account.

Installed Nvidia NF4 drivers, Sil 3232, audio from manufacturer CD.
Didn't install Nvidia SMBus??
Didn't install Nvidia Network Access Manager (supposedly a hardware firewall
in chipset, in case you're not familiar, and that many forums say has issues).

I found a few things in event viewer that I don't understand & MS references
did help?
"A provider," 1. "HiPerfCooker_v1" 2,3,4. "CmdTriggerConsumer"

"has been registered in the WMI namespace, Root\WMI to use the LocalSystem
account, etc about security violation if not properly impersonating user
requests"

5. Similar with "Rsop Planning Mode Provider" and reviewing that hosting
model for least privileges.

I think this stuff has to do with the "integrated Nvidia ActiveArmor
firewall" but have installed no drivers for it and I'd like to learn about WMI
and shut it down because I don't think I'm gonna use it.

Scanned with thumb drive A/V & copied log, texts and screenshots.
Installed another lic. of PC-cillin 3-pack.
Set up accounts & did some very basic hardening.

SO, I should have a clean & fresh install of Xp.

Phase 1. Questions: getting this base protected & hardened to add "old
things with memory or BIOS that could be corrupt without compromising the
base build or network", i.e. drives, video cards, smart card readers &
programmable USB keyboards.

1. Getting to the point I can put the system on-line to activate & update
XP & anti-malware.

2. Advice on order of install for a base system as built to put on-line
behind firewall to just update XP & PC-cillin.
2A. Do I attach to off-line firewall/switch and scan PC-cillin from and
attach it off-line to my clean XP system & have that network copy update the
problem machine?

3. Should I set up an XP Pro based network with the other system as admin before
I go on-line? (steps?)

4. Own Ghost 9 & Part Magic; should I install & back up before going on-line?
4A. How to better hide Ghost? Part Magic only showed up in Control Panel whereas
Ghost had too many access points and shortcuts.
5. Can I use these retail copies on the other system and back up from there?

Phase 2. "Adding that hardware without compromising the base.
1. Mobo is hot-swappable SATA with Nvidia XP tool. Should I add that drive
that way?
2. Should I use the other SATA controller?
3. Video cards (SLI) are scary to me. After 1st shop, from new, turning off
messenger for one load lost video card BIOS post and card in Device Manager
until BIOS of video cards were flashed in next shop.
4. USB printer with reader & programmable keyboard the same. When the
keyboard was plugged into a completely different build, it attached from the
keyboard (2) 74 GB drives that were installed in that completely different
machine as now being installed in a machine that only had (1) new 36 GB non-RAID
drive.

Anyway, if you got a moment and any thoughts they'd be appreciated.
Thanks for all the help in the past,
Scott
 
Wow you are a busy guy! I can't help you with describing what your
errors/warnings mean in the logs. Searching Google and going to
http://www.eventid.net is about the best you can do and yes Microsoft has
sparse to no documentation on many of the Event Log warnings. Having said
that I would not worry that they indicate any sort of malware problem since
you have done a pristine installation and have not even connected to the
internet yet. I don't know if I have mentioned this yet but I like to use
some of the free tools from SysInternals to check my computers for rogue
processes. In particular Process Explorer, Autoruns, and TCPView are helpful
and you can use them to develop a baseline for your computer that you can
compare to later points in time to try and determine if a process is
legitimate or not. Process Explorer and Autoruns also will show a publisher
name associated with a process that maps to an executable, which can help
identify a process, and an executable that is spawning a process that does
not show a publisher name could be suspect though not necessarily
malicious.

http://www.sysinternals.com/Utilities/ProcessExplorer.html -- Process
Explorer and link to SysInternals

It sounds like you have a good start and using a strong password for
administrator account is a good thing. I am not familiar with the Nvidia
Network access manager but I don't like to install all the junk that some of
these manufacturers try to get you to use. If the device works fine without
the extra software I personally don't install it and instead count on my
hardware firewall and XP Firewall to protect my computer. I don't know that
much about WMI myself but have had no problem leaving it in default
configuration.

What I would do before connecting to any network is to make sure the
Windows Firewall is enabled, that file and print sharing is disabled, and
that Remote Desktop is disabled. You can enable them later after you make at
least one Ghost image. What I like to do is to make my first Ghost image
after a successful install of the operating system before connecting to a
live network before installing any security updates or Service Pack, and
before installing any applications including antivirus software. That would
be my basic baseline install. Then I like to install my service pack and go
online only to install critical security updates. I do another Ghost image
of the system partition after that. Finally I install my antivirus and go
online to update it and install my basic applications and needed utilities
from manufacturer provided media such as Office, etc and do another Ghost
image of the system partition. That gives me a couple different ways to
start over in case I have future problems. I like to use the floppy version
of Ghost to do the imaging and write the image to a different disk partition
and to DVD disks. Ghost has saved me from grief more than a few times in the
past. As far as hardware installation I don't see it being a risk related to
malware as long as you are installing only drivers/utilities provided from
the manufacturer on their official media. --- Steve
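The baseline-and-compare idea in this reply (record the machine's autostarts, services and network listeners after a pristine install, then diff a later snapshot against it), done with stock XP command-line tools instead of the SysInternals GUI. This is an added example, not a script from the thread or from SysInternals; the snapshot folder under %SystemDrive%\baselines and the snapshot names are assumptions for the example.

```batch
@echo off
REM Added example, not a script from the thread: a text-only stand-in for the
REM Process Explorer / Autoruns / TCPView baseline described above. "snap"
REM records the places a rogue process usually shows up (autostart keys,
REM services, listening sockets, processes, firewall config, startup folders,
REM hosts file); "diff" compares two snapshots with fc. The folder layout
REM under %SystemDrive%\baselines is an assumption for this example.
REM
REM Usage:  baseline.cmd snap clean-install
REM         baseline.cmd snap after-updates
REM         baseline.cmd diff clean-install after-updates

setlocal
set BASE=%SystemDrive%\baselines
if /i "%~1"=="snap" goto snap
if /i "%~1"=="diff" goto diff
echo usage: %~nx0 snap ^<name^>  ^|  diff ^<old^> ^<new^>
exit /b 1

:snap
if "%~2"=="" (echo snapshot name required & exit /b 1)
set DIR=%BASE%\%~2
REM Start from an empty folder so reg export never prompts to overwrite.
if exist "%DIR%" rmdir /s /q "%DIR%"
mkdir "%DIR%"
REM Autostart and persistence locations in the registry.
reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "%DIR%\run-hklm.reg"
reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "%DIR%\runonce-hklm.reg"
reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "%DIR%\run-hkcu.reg"
reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "%DIR%\winlogon.reg"
reg export "HKLM\SYSTEM\CurrentControlSet\Services" "%DIR%\services.reg"
REM Services with state, listening sockets with owning PID, running
REM processes, and the firewall configuration.
sc query type= service state= all > "%DIR%\sc-query.txt"
netstat -ano > "%DIR%\netstat.txt"
tasklist /v > "%DIR%\tasklist.txt"
netsh firewall show config > "%DIR%\firewall.txt"
REM Startup folders and the hosts file, two common non-registry spots.
dir /s /b "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" > "%DIR%\startup-allusers.txt" 2>nul
dir /s /b "%USERPROFILE%\Start Menu\Programs\Startup" > "%DIR%\startup-user.txt" 2>nul
copy /y "%windir%\system32\drivers\etc\hosts" "%DIR%\hosts.txt" >nul
echo Snapshot written to "%DIR%"
exit /b 0

:diff
if "%~3"=="" (echo two snapshot names required & exit /b 1)
set OLD=%BASE%\%~2
set NEW=%BASE%\%~3
for %%F in ("%OLD%\*.reg" "%OLD%\*.txt") do (
    echo ===== %%~nxF =====
    if /i "%%~xF"==".reg" (
        REM reg export writes Unicode, so compare with /u
        fc /u "%%~F" "%NEW%\%%~nxF"
    ) else (
        fc /l "%%~F" "%NEW%\%%~nxF"
    )
)
exit /b 0
```

Take the first snapshot right after the pristine install, alongside the first Ghost image, and another after each stage (service pack, updates, antivirus, applications). The netstat and tasklist files carry PIDs and ephemeral ports, so some churn there is normal; the registry exports, service list and startup folders should match exactly between a clean baseline and a later snapshot, and any new entry there is what deserves the publisher check Steve describes.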
 