Any advice - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: Any advice

  1. #11
    Member
    Join Date
    Oct 2001
    Posts
    31
    Thanks for your input. It happened again to him this morning. As was mentioned I do not believe it is pebkac because no matter how high up the admin chain you go you still can't delete the contents of the windows folder while it is running (so far I haven't not seen a way)... I have tried. Even so he is a normal domain user meaning he has no admin rights.

    Hardware issues I ruled out because it happens on his virtualbox, normal desktop (tried two different models) and his laptop. We used three different OS versions with different sp's (about 12 different cd's/dvd's thinking that the install was bad. It happens in XP, Vista, and Win 7 with no prompting and most times he isn't at his desk when it occurs (here was in the field yesterday afternoon and this morning his machine was all hosed again).

    Enlighten me on the new Window's Feature... is it similar to the meat virus?

    In the meantime I'll mimic his environment on a honey pot and see what happens... if I find out I'll let you all know

  2. #12
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    In the meantime I'll mimic his environment on a honey pot and see what happens... if I find out I'll let you all know
    Hi, that suggests to me that you suspect a targeted malicious attack?

    I wonder about that, given that you must have one hell of a knowledge of the inner workings of Windows to pull it off?

    My advice remains:

    1. Create a new account, new password, new everything.
    2. Do not copy anything from the old account..........manually enter it yourself.
    3. Give it to him and tell no-one.............in particular NOT your IT colleagues............if this is malicious it isn't a bloody prole that is doing it; it is one of your own!

    Then see what happens.............obviously he should log into the "old" account as well as the new one, just to provide a smokescreen. And make sure that he knows to keep his mouth shut!

    If there are no problems with the new account then stop logging in and out of the old one.

    If you start to get the old problem again then it is almost certainly a deliberate attack by someone in the IT department

    Is he screwing somebody's wife/daughter?............he must be pretty mild mannered to have let this go on for two years?

    Your handle suggests that you are a Linux fanboi?.............forget it, and do this the Winders way............he needs a "witness protection scheme"?

    I hope that you don't mind if I am brutally frank and honest with you?.....these circumstances are so unusual that I would swallow my professional pride and actually involve Microsoft...............something that I could count on the fingers of one hand in the last 25 years!!!

    You see this affects XP, Vista and & 7, so it has to be endemic?.......that alone should get M$ interested?

    BTW, you couldn't set up a Win 2000 instance on a test machine could you?...........I would suspect that you will get the same, as I suspect some deeply embedded Windows flaw...........probably exploitable?

    I can see what dino is thinking, but you have tried this on more than one physical hardware setup? so it isn't the physical machine?

    Please do not mess with the machine.............this could be your moment of glory?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #13
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    Not sure if this will help, but here is how to delete the windows folder while windows is running:

    From a command line:
    takeown /f C:\Windows\*.*

    you may have to do this once or twice and specific files. Also run the command line as administrator.

    Once you own the files, change permissions
    cacls C:\Windows\*.* /G username:F

    Repete the process on the WIndows directory and then hit delete. In explorer, the shell will crash half way through the system32 dir.

    kill network services and explorer process, open a comman line and delete the entire windows directory. You should be able to get most of the files deleted before the system stops.

    This process works best as a post boot command.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #14
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hey dino................that is well kewl

    I guess it doesn't explain why it happens on different machines, and must be pretty sporadic, or the guy would have popped his cork?

    And why doesn't he see some residuals?

    I still think that this is some sort of Winders corruption issue.............hell, just humour me and create a new user profile?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #15
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Either someone is playing games (sounds like an epic games, going to try it on my mate sitting next to me) or its a user profile issue.

    With alot of wierd things incl malware issues, a new user profile > all.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  6. #16
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    I have ran across issues related to profiles where creating new profiles didn't work. i.e.,
    rename profile to profile.old

    logon and create new profile - problem comes back...

    FIX Delete Profile

    Logon and create new profile - problem doesn't come back...

    I agree. Different boxes and only one user has the problem. Has to be profile related.

    OP Please post what you find...
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  7. #17
    Member
    Join Date
    Jul 2009
    Posts
    45
    I'm pretty curious on this one too ...

    what are you logging from the respected installs of the os?

    Did you go into gpedit and manually set the audit policy to enabled for pretty much any event? (I know you're getting the logs remotely, but if you didn't increase the audit policy, then you're not getting a full picture)

    As to the deletion ... remember "system" can do anything. So if the files really are getting deleted, its easier for a "system" task or someone elevated to system rights, to perform the tasks.

    and how often has this happened over the 2 years?




    PS. Here's a link for detailed process auditing on Vista which might help.
    http://blogs.technet.com/b/askds/arc...-and-2008.aspx
    Last edited by TG2; February 27th, 2011 at 07:07 AM. Reason: addt'l info

  8. #18
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76
    Did I miss this part in all this discussion: what are common denominators each time? User and hardware, if I read it right (granted, I only skimmed the postings). Random BSODs are going to be a memory issue (hardware) -- will happen in both the VM and the host O/S.

    Something else I missed further discussion on: "Upon inspection the windows folder is totally empty." -- all the files are *gone* when the happens, as in, an empty directory? Hard drive.

    Forgive me if these are talked about already, but it sounds hardware related -- assuming they've all been constant throughout this. Or even power supply -- where the unit is plugged into. For example: the guy in the office across the hall from me had no issues until he got a new machine, then we noticed that every Monday when the backup generator came on and the power switched over to backup, it would BSOD and reboot. Didn't happen with the old computer -- we're chalking it up to a more sensitive power supply to the temporary drop in voltage -- most power supplies can handle this OK.

  9. #19
    Member
    Join Date
    Jul 2009
    Posts
    45
    Yeah, you might have missed stuff ... unless I'm reading too much into the OP ... but it seems
    1) only happens to this user
    2) yes, files gone in the \windows directory
    3) hardware not issue (as 4 points out, but also believe there was hardware swapping)
    4) happens to user when using a Virtual Machine too

    it clearly is associated with "user", forgiving stupid user doing it themself, it leaves a malicious *other* user, or rouge progam/app that user uses, reinstalls, site browsed too, etc.. before suddenly "poof" gone in 60 seconds (lol)

    again.. *I* could be reading more into it ... but that's the gist of it so far...

  10. #20
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Mykol,

    I think that this is the bit you missed?

    Hardware issues I ruled out because it happens on his virtualbox, normal desktop (tried two different models) and his laptop. We used three different OS versions with different sp's (about 12 different cd's/dvd's thinking that the install was bad. It happens in XP, Vista, and Win 7 with no prompting and most times he isn't at his desk when it occurs (here was in the field yesterday afternoon and this morning his machine was all hosed again).
    So we have 3 different PCs and 3 different OSes................that cannot be hardware.

    The only thing vaguely hardware like that I could think of was some sort of authentication token. But we don't know if he has one.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Similar Threads

  1. Need Advice For Getting Into Network Security Field
    By LiquidFlame in forum Newbie Security Questions
    Replies: 5
    Last Post: February 14th, 2008, 10:33 AM
  2. Need help advice in certification.
    By Jazzmaster in forum Training/Conference Reviews
    Replies: 4
    Last Post: December 4th, 2006, 07:12 AM
  3. Advice on protecting a new website
    By domtheboy in forum Web Security
    Replies: 10
    Last Post: July 15th, 2004, 12:52 PM
  4. Need some advice for a topic for my term paper (and maybe a thesis too)
    By Viper2026 in forum AntiOnline's General Chit Chat
    Replies: 9
    Last Post: December 2nd, 2003, 03:53 PM
  5. FBI Advice For Win Usrs
    By Remote_Access_ in forum Security Archives
    Replies: 7
    Last Post: January 8th, 2002, 08:58 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides