itSaviours
I recently got a call that was a referral from another customer who I've done frequent work for in the past, so I was keen to help.
The machine in question was probably on the edge of the area I'm prepared to work in, purely due to distance reasons, and the customer had said that it was an XP machine that was running really slow, there were warning messages at startup and IE was freezing up his machine.
So off I go one evening to meet them, really nice folks, no problems there, and get down to work, fresh cup of tea in hand.
First thing I notice is that it's a really old XP machine, one of the old Athlon models, and only has 512meg of RAM in it.
Well, that and that it's stuffed full of bloatware like useless HP printer add-ons, Roxio CD software etc. all trying to load at startup, and AVG 2011, which had a warning against it saying it needed to update.
On top of this the hard disk light is constantly flashing away (I assumed due to excess paging due to lack of memory) and it's running like a pig.
So I gets out the USB drive and runs up Malwarebytes, possibly my first mistake, and starts off a quick scan which makes the machine even slower.
While that's going on I open up msconfig and look for anything awry. Nothing really stood out; when I googled processes I didn't know (via Chrome, which was working fine) they were all checking out. Either way, I eventually clicked on disable all in order to get to the bottom of the IE issue and applied, eager for the "quick scan" to finish.
Coming up on 3 hours later....
It still wasn't done. It turns out the machine, which hadn't been rebuilt/formatted in years, had been restored many times and there were loads of old accounts on the machine which had massive IE caches with thousands of files in them and countless directories slowing down the scan. I set about removing all the cache files to the recycle bin whilst pausing the scan in between the remove/delete cycle.
Seeing the apprehensive look on my clients' faces as time ticked on, and the fact it was getting later at night, I decided that as the machine was on the net and there was no real issue here preventing me doing remote support, to install showmypc, and explained what I was going to do (i.e. fix it from the office rather than sit around for x hours more waiting for the scan to complete).
They very kindly asked what I was due and I accepted what I thought was a fair fee for the time that I had already spent on the PC, but no more, as I didn't feel comfortable accepting any more without fixing it. Generously they offered me a little bit extra for my time and for "the petrol" given the distance they knew I had travelled for them.
Anyway - got back and tried to log in to check the progress of the still ongoing scan via showmypc, no joy. It just wouldn't connect. Cue a frustrated night's sleep thinking I'm going to have to go back out there again (it was too late to phone them).
Fortunately, in the morning I spoke to the client, who I talked through simply closing and opening showmypc again - this time I was in - phew!
Malwarebytes had now finished after a stonking 7:30hr scan, finding 370 infections (isn't AVG great). So I click on select all and clean them off, where it asks for a restart.
Back onto the phone to the customer to open showmypc again and eventually I'm back in. Still running like a pig, no evident processes using much of the CPU, so it's all disk polling.... hmmm.
So I log into control panel and, thinking if there were so many infections AVG can't really be working right and it's a bit of a hog on low memory systems, I go to uninstall, click the button and nothing happens.
So back to Chrome, download the AVG remover and run; eventually it asks to reboot the machine (back on phone to customer, open showmypc etc.) and it starts working MUCH better, much faster, everything responding quicker etc., more like a normal PC now.
So I go to Chrome to download MSE from Microsoft (much better IMO on low memory systems) and it won't let me; my searches for MSE specifically are getting redirected to some other site and if I go directly to Microsoft.com I get a blank page. Clearly there's still something up in Compton.
So I do a registry check and notice that under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
I have a trojan trying to load after userinit.exe, so the key looks like:-
=C:\windows\system32\userinit.exe,c:\windows\badprogram.exe
And sure enough, badprogram.exe was still in place and trying to delete it fails as it's already running.
So in a moment of madness/tiredness/frustration I delete the key, the whole key, and restart.
If you don't know what I did wrong there then let me explain - you need to have HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=C:\windows\system32\userinit.exe or you can't log in, period, on ANY account, guest, administrator etc. Instead of =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe it should have just been =C:\windows\system32\userinit.exe, but I deleted the whole thing.
Now there's no way I can log in and I quickly realise what I've done. Given there is no way even from recovery to edit the registry, I come to the realisation that I'm going to have to go back out there, boot disk in hand with a remote registry editor, just to re-enter the key I deleted. ARGGGH!!
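An added example, not from the original post: a small Python helper that audits a Winlogon Userinit value the way the post describes (legitimate userinit.exe with extra programs chained on after a comma) and produces the value to write back, never an empty one. The legitimate path and the sample values are assumptions constructed for the example; the live registry read only runs on Windows and is read-only.

```python
import ntpath
import sys

# Subkey under HKEY_LOCAL_MACHINE holding the Userinit value discussed in the post.
WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed legitimate logon initialiser on a default XP install; compared case-insensitively.
LEGIT_USERINIT = r"C:\windows\system32\userinit.exe"

def _same_path(a, b):
    """Case-insensitive Windows path comparison (ntpath works on any OS)."""
    return ntpath.normcase(a) == ntpath.normcase(b)

def parse_userinit(value):
    """Split the REG_SZ data into its comma-separated program entries, dropping blanks."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]

def audit_userinit(value):
    """Classify a Userinit value: 'ok', 'hijacked' (extra programs chained on) or 'broken'
    (userinit.exe absent, i.e. the lock-out state in the post). Returns (verdict, extras)."""
    entries = parse_userinit(value)
    legit = [e for e in entries if _same_path(e, LEGIT_USERINIT)]
    extras = [e for e in entries if not _same_path(e, LEGIT_USERINIT)]
    if not legit:
        return "broken", extras   # also covers a value where the path itself was swapped
    if extras:
        return "hijacked", extras
    return "ok", []

def repair_userinit(value):
    """Value to write back: the existing userinit.exe entry (or the default if it is gone),
    with the trailing comma Windows' own default uses, and nothing else."""
    entries = parse_userinit(value)
    keep = next((e for e in entries if _same_path(e, LEGIT_USERINIT)), LEGIT_USERINIT)
    return keep + ","

def read_userinit():
    """Read the live value on Windows (read-only); returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

if __name__ == "__main__":
    # Constructed samples: the post's hijacked value, a clean default, and the deleted value.
    for sample in (r"C:\windows\system32\userinit.exe,c:\windows\badprogram.exe",
                   r"C:\WINDOWS\system32\userinit.exe,", ""):
        verdict, extras = audit_userinit(sample)
        print(f"{sample!r}: {verdict} {extras} -> write back {repair_userinit(sample)!r}")
```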
So off I go in the car, another 2 hour round trip.
When I get there I put in the boot CD (which I tested back in the office to be sure it was working) and wait, for half an hour, while the PC sllllllooooowwwlly boots up off the CD before I start to think, this isn't working, the CD drive is borked. So I open up the case and there's dirt everywhere, reseat the cables, blow any dust out of the CD drive and try again.
Mercifully, this time it's a different beast and I'm in and running on my XP boot disk in around 15 mins; something must have been loose on the drive or there was dust on the lens.
I now reapply the key, restart and boot into the desktop.
From here, it was a simple case of installing IE8 (quickest way to fix IE) and installing MSE before running a quick scan (which detected the remnants of the trojan and removed it).
I then restarted and ran a full scan before heading off back, to remote in later to finish the job after the full scan had completed.
However, when I got back the scan had stalled halfway through at a file called C:\Windows\System32\Com\mtsadmin.tlb. Turns out via Google I'm not the only one with this issue (it only happens on a full scan) and the answer is to contact Microsoft support, so I'm in the process of going through this with them now.
So what started out like a smallish job turned out to be an epic nightmare, although having to go back was my fault.
Anyway - can you match or better this PC from hell?