got a virus?
My PC Computer Repair Diary
| Jan. 23, 2012 |
Problem:
Client says she cannot send email, although she can receive mail.
Analysis and solution: I went to the client's house and, sure enough, I was unable to send an email message to myself - and I could see that she was able to receive mail. The computer was a Dell running Windows XP SP3 and her email client was Outlook Express (latest version and latest upgrade). When I sent a message, here is what I got - see below:

The message did not say what was wrong - the only message I got said "0 of 1 tasks have completed successfully". Yeah, I can see that the message was not sent because the email did NOT appear in her "Sent Items" folder. What the hell good is this message - it has no information about what failed. The other confusing part was that this was characterized as a "warning", and when I looked under the Errors tab - no messages!

So what is wrong? I then looked a little deeper and discovered that she had over 6 thousand messages in her "Sent Items" folder and about 6 thousand messages in the "Deleted Items" folder. I also noticed that in the "Sent Items" folder the same email was sent multiple times to different recipients, i.e., instead of sending only one message to multiple recipients, she sent out the same message one at a time to each person. Usually, there were about 6 or 7 people she sent the same message to and thus her "Sent Items" folder was bigger by a factor of 6. Yikes! So I showed her how to send a message to multiple recipients, resulting in only one message instead of 6.

While mucking around in Outlook I did get a message about compacting folders. Then I tried to delete the messages in both the "Sent Items" and "Deleted Items" folders. Well, if you try to delete too many (more than 200) messages, Outlook slows down to a snail's pace, so I was forced to delete about 50 at a time. In the "Sent Items" folder, this is what I did - I finally got down to about 60 messages (I had a hunch that the problem may have to do with the number of messages in this folder, which prevented the "send email" task from completing). After cleaning out this folder to 60 messages, I then ran the compact folder task, which took about 10 minutes (for this folder only). Now with a small and compact "Sent Items" folder, I tried to send an email - Voila - it worked!!!! My hunch was correct - the problem has to do with a bloated and uncompacted folder.
I now deleted all the messages in the "Deleted Items" folder - all at once - and this operation took about 20 minutes. Ridiculous - why don't these operations scale properly? When I deleted 50 messages, it did it in the blink of an eye, but delete 6 thousand and it takes 20 minutes. Now, after these messages were finally deleted, I ran a compact folder task, which took about 10 minutes. I personally use a third-party email client and have not experienced anything like this. In fact, my email program doesn't even have a compact folders function, so I assume the database cleanup must be done behind the scenes, which is exactly how it should be done. My philosophy is "let the computer do it" and not the user - if you want a well-designed computer application. Fini!
|
| Dec. 27, 2011 |
Problem:
Client complained can't open email
Analysis and solution: Customer dropped off the computer at my shop. Sure enough, as soon as the desktop appeared, a pop-up program called "XP Home Security 2012" opened. See image below:

Well, this is a bogus program, as all it wants to do is extort money from you. This kind of exploit does a lot of harm - it prevents many applications from opening and just keeps re-opening itself to the point where your computer is essentially unusable.

So where do I start? I first do what I normally would do - run HijackThis. HijackThis is a free program to analyze the entries in the Windows registry (google HijackThis to get a copy). The registry didn't show anything that looked harmful, i.e., program names that were not recognizable - all the names seemed to be legit. Look especially at the BHO entries - if a program has a strange name, like wisxcy.exe or some such nonsense, then this would be a candidate for deletion. I did clear out some entries that my experience told me were safe to remove. I then tried (after a reboot) to run AVG - it wouldn't start. I then got into safe mode and ran two more programs, rkill and TDSSKiller (you can google both of these to get a copy). Still had problems with the bogus home security program.

After some poking around the internet, I got some ideas. I looked into this folder: C:\Documents and Settings\[UserName]\Local Settings\Application Data and here I found 3 files with names like xxx.exe - and the strange thing about these files was that they all had the same file size and date stamp (today's date). This is very suspicious, so I deleted them. Now for my favorite pastime - I rebooted. Okay, I felt like this would now clear up the problem. Ha! - No! Yes, the "XP Home Security 2012" bozo did stop popping up, but I could not execute anything - e.g., the command prompt or the display program (I wanted to change the display resolution). The message said it could not find application rundll32.exe. So I ran xp_exe_fix.reg - this cleared up the execution problems. Now I rebooted and executed the AVG free program and then ran the Malwarebytes program.
Three or more hours later, with both of these programs finding more threats, I figured I was finally finished - but no - oh cruel and unjust world, a new problem appeared, and this is the fun part - my Malwarebytes program would periodically pop up an info window, which is shown below:

I wanted to find out what was causing my Malwarebytes program to continually warn me that E.T. wants to call home. I could have left it as is - i.e., do nothing and return the computer to the client - but this is most unsatisfying. The computer was running fine, no pop-ups and no problem with IE8 as this was re-directing google searches to ad sites. I suppose that Malwarebytes, by preventing an E.T. phone call, solved the problem with IE8. But the client would have to endure the continuous annoyance of Malwarebytes telling him about blocking outgoing traffic. I would find it hard to return the computer (even though it was now completely usable) to the client like this, as I try to treat all repairs like it was mine.

I looked for a solution and all I could really find were two suggestions - run a scan with Kaspersky and ComboFix. I tried to install Kaspersky but ran into a problem, as it would attempt to remove "incompatible programs" even though it showed (in the incompatible dialog box) no programs, i.e., this box was empty. So when I clicked next, it went on a search for null program names! It then searched for 20 minutes and then hung. I abandoned this "fix". I then tried to load ComboFix and am not sure what happened, as it ran and exited before I could read any completion messages. So I dropped this also. By the way, at some point in all of these attempts to fix things, I had to do a Windows upgrade (27 patches - took about 20 minutes) - more time lost.

I am now at the point of rebooting - oh joy of joy - and I ran Malwarebytes again. After about an hour and a half, it found two more pieces of crapware - called PUP.adware.... or some such nonsense - and I was forced to reboot again by Malwarebytes. I am now looking at the desktop and will wait about an hour before doing anything. Well, two hours passed - no pop-up from Malwarebytes. Opened IE8 and poked around for a while - still no problems. Will run one more AVG scan. Scan completed after 2 hours - no threats - FINI.
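The clue that gave the rogue program away in this entry (several .exe files in the Application Data folder with the same size and today's date stamp) can be checked with a short script before anything is deleted. This is an added example, not part of the original diary; the function names, the two-day window and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import time
from collections import defaultdict

def sha256_of(path):
    """Hash a file so there is a record of what was found before removing it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_clone_executables(folder, max_age_days=2, now=None):
    """Report groups of recent .exe files that share size and modification day."""
    now = time.time() if now is None else now
    groups = defaultdict(list)
    for entry in os.scandir(folder):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not entry.name.lower().endswith(".exe"):
            continue
        st = entry.stat(follow_symlinks=False)
        if now - st.st_mtime > max_age_days * 86400:
            continue  # old files are not part of a fresh drop
        day = time.strftime("%Y-%m-%d", time.localtime(st.st_mtime))
        groups[(st.st_size, day)].append(entry.path)
    findings = []
    for (size, day), paths in sorted(groups.items()):
        if len(paths) >= 2:  # a lone executable is not the pattern we want
            files = {os.path.basename(p): sha256_of(p) for p in sorted(paths)}
            findings.append({"size": size, "day": day, "files": files})
    return findings

def make_sample_folder(root, now):
    """Constructed sample: three same-size fresh .exe files plus benign noise."""
    samples = {
        "abc.exe": (b"A" * 2048, 0), "kqz.exe": (b"B" * 2048, 0),
        "xyz.exe": (b"C" * 2048, 0),
        "setup.exe": (b"D" * 2048, 30),  # same size but a month old
        "tool.exe": (b"E" * 100, 0),     # fresh but a different size
        "notes.txt": (b"F" * 2048, 0),   # not an executable
    }
    for name, (data, age_days) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        stamp = time.time()
        make_sample_folder(tmp, stamp)
        for finding in find_clone_executables(tmp, now=stamp):
            print(finding)
```

Different hashes inside one group mean the copies are not byte-identical even though their sizes match, which is worth noting before they are submitted to a scanner or deleted.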
|
| Dec. 20, 2011 |
Problem:
Solution to the problem reported on Dec. 7, 2011
Analysis and solution: As promised, I waited about 2 weeks to see if my changes to the client's computer actually worked. Well, the client said "everything is just great". So it seems the programs I removed (uninstalled) did the job. One was a commercial version of an anti-virus program and the other was a weather program that runs continuously in the background. I did not do further analysis as to which was the culprit. But I have removed commercial versions of anti-virus programs a number of times before, and this seemed to fix problems experienced by more than a few computers. As for the weather program (a free download), I suspect it may have caused some lock-up problems as well. The lesson is - be careful of "free" programs that run in the background.
|
| Dec. 07, 2011 |
Problem:
Two Computers -
One computer allegedly freezes up and the second computer required file organization.
Analysis and solution: The computer that freezes up - I didn't experience any freeze-ups while working on the computer, so I took the client at his word and proceeded to remove some applications (that run in the background) and an anti-virus program. I then installed AVG free to replace the uninstalled anti-virus program. So I will have to wait a while to see if my changes worked. Will report back on this issue.

On the other computer, the user was having trouble locating and managing files. This is a Windows 7 computer and the trouble she was having had to do with understanding the "Libraries" feature, which is new to Windows 7. I have to admit, I could see why she was having problems, as the concept of how files are organized and how the libraries feature works is confusing. You can see this new feature by opening Windows Explorer. Look at the left-hand side and you will see the libraries organization. See below:

As you can see, it looks like the folders are stored in -> Libraries -> Documents -> But where is this? It turns out some of the files are stored in Users -> dad -> my documents and Users -> public -> public documents. So you would think that the libraries feature is like a virtual storage area, and that the word "Libraries" is synonymous with the directory structure "User -> dad". But if you go to the User->dad directory there is no folder called documents. In fact the folders you see in the above image are stored in two locations - "user->dad->my documents" and "user->dad->public documents". So now let us look at the "real" locations:
-------------------------------------------------------------------------------
As you can see, the virtual library is both of these combined. So if you think, as the client did, that "libraries" is the same as "user->dad", then you get confused, as there is no folder called "documents" under "user->dad" - in reality the folder is "my documents". So I explained all this to the user and she can now navigate to the folders correctly. To further explain this Windows 7 feature you can watch this video.
|
| Oct. 26, 2011 |
Problem:
Two problems -
Client cannot print and 2nd computer running slow.
Analysis and solution: The problem with the printer, according to the client, was that after somebody printed some documents from a database application, he could no longer print from another program. Well, I looked at the printer icon from Start > Printers and Faxes and noticed that the default printer was marked as "offline". So, I double-clicked on the icon and then the Printer tab and saw that there was a check mark on the "Use Printer Offline" line. Why this was checked was a mystery to me - but maybe the person who was printing things from the database application changed this. See the image below, which shows that "Use Printer Offline" is now unchecked.
Now I tried to print a test page - still no dice. So, I deleted the printer ( from "printers and faxes" ) and re-installed the printer making sure that the Port was correct. I also deleted any extra instances of this printer ( there was one extra one) and tried to print a test page - well, all's well in Mudville - it worked. As for the slow computer, I essentially used msconfig and disabled all non-essential background jobs. This seemed to do a good job of making the computer run faster. I left the client site with AVG (anti-virus program) running and left instructions to let it complete and to call me if there was a problem. So far, everything seems okay, I didn't get a phone call after several hours. Fini.
|
| Sept. 30, 2011 |
Problem:
Customer says he cannot get into windows
Analysis and solution: Okay, I turned on the computer and sure enough, the minute I clicked on the user icon, Windows said "logging on" and then it immediately said "logging off", and that's as far as it got. So I used my computer to search for a solution. Most solutions that were given were not very good, and a lot of people just gave guesswork solutions. If you really don't know how to fix the problem - don't say anything, period. But I did come across some interesting procedures, where one person thought the problem had to do with a corrupt registry (I was also thinking along those lines). Even if the registry is corrupt, how do I get at it, since I could not get into Windows to fix the registry key? That is, I could not even boot to safe mode.

The suspected corrupt key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
This key should have the value: c:\windows\system32\userinit.exe

And then I discovered a way to edit the registry on a corrupt Windows XP machine that has symptoms similar to mine - i.e., it gets at least to a logon screen. So, from another computer on the network, start the regedit program by going to Start > Run and typing regedit to launch the registry editor. Click on "file" and select "Connect Network Registry", using the infected computer's IP address or name. Set the value of the key to C:\windows\system32\userinit.exe. Well, I thought I had discovered gold - a way to get to the registry of another computer to fix it. Well, this didn't work, because I suspected the broken computer was on a different network (I am on "workgroup" and probably the other computer was on "mshome"). Later on, when I did fix the problem, this was the case (i.e., mshome). By the way, to use this remote registry feature you need to have set up both computers beforehand:
1. Both need remote administration enabled.
2. Both are running the remote registry service.
So, in my case - this will not work.

Okay, to continue - I now booted the corrupt computer with "PE Builder", which allows me to examine the Windows hard drive, and snakes alive - no userinit.exe file in the windows\system32 folder. So, I copied the userinit.exe file onto a CD (from my computer) and then copied it from the CD to the corrupt computer and rebooted. Zounds! (as Billy Shakespeare would say) - it now booted to the Windows desktop.

Now I was faced with another problem. Internet Explorer did not display anything - i.e., could not connect. I then ran HijackThis to see what was wrong - and bingo, there were unknown modules in the LSP winsock stack. No problem, says I, just run LSPfix.exe and clean it up - sure enough I did just this. Notice the two files in the remove column - below
I clicked on the checkbox and then "finish". But I initially did not notice the "Covenant Eyes NSP...." description. Now that I had removed the two problem dll's, I got on the internet, but the browser was still doing some bizarre things - I could not download a file (I tried to get AVG free). Now what? So I ran, for no other reason but to do something, the rkill.exe program as described below in another problem (see July 11, 2011). Well, running rkill did fix the problem - and I thought I was finished.

I then rebooted and ran LSPfix.exe to double check - and both the bad dll files were reported again, even though I had deleted both these files from the windows\system32 folder - so the LSP stack again caused failure to connect. Then I remembered the description for the files, i.e., "Covenant Eyes" - so I went to control panel > add or remove folder and tried to remove a program called "Covenant Eyes". As I tried to remove it, it wanted a user code to remove the program. You've got to be kidding - this is totally stupid. I didn't have the code, and most likely the client would not have this code, as he inherited this computer from somebody else. So I just stupidly deleted the "CE - covenant eyes" folder, which solved the problem - i.e., the two files were no longer reported by LSPfix.

As an aside, I looked up the "covenant eyes" program - and it turns out to be a program that reports on users visiting porn sites - Yikes and double yikes. Maybe a noble idea, but if it screws up internet access and made me pull out what remaining hair I have, then the company needs to do a better job not to break the LSP stack. Here is an excerpt about this product:

Benefits and Features:
Tracks every web visit and sends an e-mailed report to the accountability partner(s) of your choice.
Removes the secrecy of using the Internet.
Reports can be sent every seven, 14 or 28 days.
"I'm not religious, so I was pleased to find out that using this doesn't require religion. It is just common sense."
Promotes self-control, self-discipline, and personal accountability.
Provides direct accountability for Internet use and time spent on the Internet.
"Thank you for an excellent program. For the last six weeks I have not looked at any porn. I hate to admit it, but I'm very grateful."

What can I say to this???? I guess - Pobody's Nerfect
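The logon/logoff loop in this entry came down to two facts that can be checked together when the machine will not boot: what the Winlogon Userinit value says, and whether userinit.exe is actually present in system32. The script below is an added example, not part of the original diary. It assumes the SOFTWARE hive was exported to .reg text from a rescue environment and that a system32 directory listing is available; the key prefix, function names and sample data are constructed.

```python
import re

# Key path suffix; the prefix differs when the hive was loaded under a
# temporary name on another machine (an assumption of this example).
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
EXPECTED = r"c:\windows\system32\userinit.exe"  # value given in the diary entry

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name_lower: string}}.
    Only string (REG_SZ) values are read; dword/hex values are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = value
    return keys

def check_userinit(reg_text, system32_names):
    """Return a list of problems; an empty list means the logon chain looks intact."""
    keys = parse_reg_export(reg_text)
    winlogon = next((v for k, v in keys.items()
                     if k.lower().endswith(WINLOGON_SUFFIX)), None)
    if winlogon is None or "userinit" not in winlogon:
        return ["Userinit value not found in export"]
    # Windows reads the value as a comma-separated list; the stock value
    # ends with a trailing comma, which yields an empty item we drop.
    entries = [e.strip() for e in winlogon["userinit"].split(",") if e.strip()]
    problems = [f"unexpected Userinit entry: {e}" for e in entries
                if e.lower() != EXPECTED]
    if EXPECTED not in (e.lower() for e in entries):
        problems.append("userinit.exe is not listed in Userinit")
    if "userinit.exe" not in {n.lower() for n in system32_names}:
        problems.append("userinit.exe is missing from system32")
    return problems

# Constructed sample export (not taken from the client's PC).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001
'''

if __name__ == "__main__":
    # Registry value is fine but the file is gone, as in this repair.
    print(check_userinit(SAMPLE_REG, ["winlogon.exe", "explorer.exe"]))
    print(check_userinit(SAMPLE_REG, ["winlogon.exe", "userinit.exe"]))
```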
|





