[personal profile] devi
So here I am, on a Monday morning, having been roped in to cure the Headmaster's computer, which seems very ill indeed. Alarmingly, I'm the most technical person in the whole GCSE department. And not having worked in IT for four years now (and even then it was often Linux boxes I worked on rather than PCs) I feel quite clueless.

Is anyone bored out there? Do you fancy casting your eyes over the list of symptoms and seeing what you think? There'll be pints in it for helpful people. (Or any professional proofing/editing you should need. Or a piece of calligraphy. Or whatever)


It's a Dell Dimension 2350 running Windows XP. It has 128 megs of RAM.

Firstly, it has slowed down from merely lazy to glacial in the course of the last week. It takes three or four minutes for icons to appear on the desktop.

Symantec LiveUpdate is blocked from downloading new updates, and suggests a virus may be causing any strange behaviour in application programs. It says to reinstall Norton, which is the first thing I'm going to try.

MSN (*spit*) won't let me refuse to sign in or close the sign-in window, or even minimise it.

IE: Many sites (eg Gmail) are refusing to accept sign-ins. My webmail page won't appear at all. Livejournal is OK, but it's in a minority. The address bar is acting oddly, refusing to accept any input till IE's been running for a few minutes.

No Works Word Processor files can be opened at all - "necessary files have been renamed, deleted or moved. Reinstall Works and restart." Headmaster claims he hasn't deleted or renamed anything (though he could be wrong).

I've scanned for spyware using Spybot, found four pieces of spyware and deleted them, which hasn't helped.

And oddest of all, the main Windows directory is full of folders, highlighted in blue, about 40 of the things, all called something like "$NtUninstallKB810217$" and containing a variety of bits and pieces, but most of them contain another folder called "spuninst". Again, he claims he hasn't uninstalled anything.

Do you know of a virus that behaves like this? Or could something else have gone wrong?

I'm tempted to just do a complete reinstall (because it's always been flaky), and put a firewall on it first thing I do. Headmaster would allow this in theory, though he says he wants to save some files first, but worries that if he mails them to another computer he'll infect that one too.

Any suggestions appreciated.


Edit: With the freaky shit. It's running Service Pack 1, I've increased the virtual memory and there was lots of free space on the disk. I've also persuaded the Head to buy some more memory, goddamnit. But I've just discovered, in the course of trying to burn a CD to save some of the files -

THIS MACHINE DOES NOT CUT AND PASTE.
IT DOES NOT DRAG AND DROP.

Nothing. Not text in Word, not files in My Computer. I've never seen anything like it.
Oh, and it says Windows Installer is not present, so I can't uninstall or reinstall anything at the moment. I presume there's a nice heavy-duty way of doing format c:// without going through Windows Installer? Oh please let there be.

Date: 2004-11-29 02:57 am (UTC)
From: [identity profile] natural20.livejournal.com
Well, quite apart from the evils of running XP on 128MBs of RAM... the folders are the hotfix and service pack uninstall folders. Unless any of them are very big indeed you shouldn't have to worry about them at least. By very big I'm talking multiple GB.

It does sound quite virusy what with the file deletion and the like, although it is possible user error could have caused this. A few questions...

How up to date is the system?
Are there any other AV programs running on it?
If you go to start->run->cmd and enter netstat and netstat -a what does it return?

That's the start point anyway. We can take this to mail if you'd prefer, but equally there may be others out there who will see something I'm missing. To be honest a reinstall may be the only sane option here, but it seems like such a cop out.
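What to read first in the `netstat` output asked for in the comment above, shown as an added example that is not part of the original thread. The sample text is constructed (it assumes the numeric `netstat -an` form), and the lists of expected ports and local address ranges are assumptions to adjust for the machine in question.

```python
import ipaddress

# Constructed sample in the layout Windows prints for `netstat -an`; it is not
# output from the PC in the post. Remote addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.2:139        ESTABLISHED
  TCP    192.168.1.10:1051      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.20:80       TIME_WAIT
  UDP    0.0.0.0:123            *:*
"""

# Assumption: listeners the reviewer already expects (RPC, NetBIOS, SMB).
EXPECTED_LISTENERS = {135, 139, 445}
# Assumption: anything outside these ranges is off the local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_netstat(text):
    """Return one dict per TCP/UDP row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        port = parts[1].rpartition(":")[2]
        if not port.isdigit():  # resolved service name: rerun with -n
            continue
        rows.append({"proto": parts[0], "local_port": int(port),
                     "remote": parts[2],
                     "state": parts[3] if len(parts) > 3 else ""})  # UDP: no state
    return rows

def is_off_lan(remote):
    """True when the remote endpoint is a numeric address outside LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(remote.rpartition(":")[0])
    except ValueError:  # "*" on UDP rows, or a host name
        return False
    return not any(addr in net for net in LOCAL_NETS)

def triage(rows, expected=EXPECTED_LISTENERS):
    """Pick out listeners nobody expected and live connections leaving the LAN."""
    listeners = sorted(r["local_port"] for r in rows
                       if r["state"] == "LISTENING" and r["local_port"] not in expected)
    remotes = sorted(r["remote"] for r in rows
                     if r["state"] == "ESTABLISHED" and is_off_lan(r["remote"]))
    return {"unexpected_listeners": listeners, "off_lan_established": remotes}
```

Running `triage(parse_netstat(SAMPLE))` leaves two rows to explain: the listener on an unexpected port and the established connection to an address outside the LAN.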

Date: 2004-11-29 02:59 am (UTC)
From: [identity profile] philipstorry.livejournal.com
Those folders in the Windows directory aren't anything to worry about - they're servicepack/hotfix uninstall folders. Hence the names - $ntUninstallxxxxxxxx$ - an NT (Windows XP is based on the NT kernel) hotfix uninstall - the numbers being the hotfix name.

They were probably put there by Windows Update, as it installed hotfixes. Oh, and they're blue because they're on an NTFS partition and they've been compressed to save space - Windows does that in an attempt to be nice.

Does he have the Windows XP CD? If so, booting from that and trying recovery may return some results. Alternatively, apply the sledgehammer approach - back up the data, then format & re-install. It may sound extreme, but it can be simpler to backup/format/reinstall/restore than to fanny about trying to fix something that you don't know anything about, believe me. And if a virus/spyware is suspected, then it's probably wisest anyway. Make sure that the first thing you put back on is the virus checker, and the second is the spyware software. :-)

Date: 2004-11-29 03:04 am (UTC)
From: [identity profile] alfaguru.livejournal.com
The way I'd do it:

* Save the files that are wanted to a CD.
* Reformat before the reinstall (assuming you have a proper xp installation pack with serial numbers and all)
* reinstall
* install virus checker and get it up-to-date
* check the files on CD for viruses

If you have the opportunity to get a better virus checker, I would highly recommend NOD32 from Eset. Inexpensive, easy-to-use, fast and very accurate. Much better than Norton.

Date: 2004-11-29 03:08 am (UTC)
From: [identity profile] thecesspit.livejournal.com
I am not an expert, but I think virii is the most likely. Let him take his files off, quarantine them and then scan the disc. If they're bog standard office docs, you'll be able to pick up any infection. If the copy itself writes the virus out, you can pick that up too.

The Uninstall files look right to me after Windows Updates and the like. If you do reinstall, make sure you service pack it... WinXP and IE without the service packs is as buggy and insecure as a very insecure thing.

You might want to convince him to use Firefox, as that's got far less holes than IE (and as it's less used, people try to exploit it less, so perhaps I shouldn't be trying to get people to use it...)

If you can get it, try AdAware and 'Hijack This!', and just trying a virus scan with Symantec as is?

Date: 2004-11-29 03:08 am (UTC)
From: [identity profile] bateleur.livejournal.com
Symptoms are compatible with (but do not necessarily imply) a catastrophic shortage of either swap space or free HDD space generally.

In a more general sense, I normally try the following on sluggish machines:

1) Unplug all peripherals, including network (except monitor, mouse and keyboard, obv !).
2) Reboot.
3) Bring up the Task Manager and look at 'Mem Usage' stats (and CPU usage, but that should be near-zero).
4) Check free space on all HDD partitions (in this case, there's probably only one).
5) If the above reveals nothing, defrag all partitions. (Tip: for badly fragged partitions it can be faster to copy most of the files off, then defrag, then copy them back on !)
6) If reboots are still slow after this has been done, disable (eg. uninstall) one by one the pieces of software which run automatically on startup.
7) If you get down to nothing and it's still slow, you either have a virus which hides itself from the Task Manager (unlikely) or a hardware problem.
8) Once the thing does start moving again, reinstall and/or reattach things gradually unless you already know what the problem was.

Date: 2004-11-29 03:11 am (UTC)
From: [identity profile] niallm.livejournal.com
My first guess is that the machine has been spy-wared up the wazoo. Get Ad-Aware (and the other major clearing programs) and if you're lucky, you'll be able to get it usable without reinstalling. The second step is to get a non-IE browser, and to remove the icon for IE anywhere you can find it.

It's a sad fact that the design of Windows is such that normal operation of the computer is often a trapdoor function; you can't get back to where you were simply by reversing your steps. You have to start from ground zero every so often.

Date: 2004-11-29 03:45 am (UTC)
From: [identity profile] absinthecity.livejournal.com
Get Warlock to help! Why wasn't he called in anyway? seems most unfair :)

Utterly OT

Date: 2004-11-29 04:02 am (UTC)
From: [personal profile] triskellian
Small world blah blah blah. Does everyone in the universe know Warlock?

Date: 2004-11-29 04:05 am (UTC)
From: [identity profile] caescarna.livejournal.com
My first thoughts are the same as Bateleur's - sounds very much to me like a disk-space / swapfile issue, and this would be the first thing I would check.

Has there been a service-pack upgrade recently conducted on this machine that would chew-up available diskspace?

Re: Utterly OT

Date: 2004-11-29 04:09 am (UTC)
From: [identity profile] absinthecity.livejournal.com
I think we're talking about a different guy. Heh, you'd think there could only be one wouldn't you?

Re: Utterly OT

Date: 2004-11-29 04:15 am (UTC)
From: [personal profile] triskellian
How many guys called Warlock are there working with [livejournal.com profile] bluedevi? ;-)

Date: 2004-11-29 04:16 am (UTC)
From: [identity profile] oneofthose.livejournal.com
Have you tried switching it off and switching it back on again?
Banging it on the top?
I know, you cut a tennis ball in half and place it over the lock.
Rub salt into the stain.
Maybe it's the tracking?
Or is it white wine?

Re: Utterly OT

Date: 2004-11-29 04:17 am (UTC)
From: [identity profile] absinthecity.livejournal.com
OK, fair enough :) So what's your connection?

Re: Utterly OT

Date: 2004-11-29 04:21 am (UTC)
From: [personal profile] triskellian
We have several good friends in common from his time living in Oxford. What's yours?

Date: 2004-11-29 04:26 am (UTC)
From: [identity profile] smiorgan.livejournal.com
It's a Dell Dimension 2350 running Windows XP. It has 128 megs of RAM.

Hah hah hah! Dude, you're going to hell!

Sorry.

Re: Utterly OT

Date: 2004-11-29 04:30 am (UTC)
From: [identity profile] absinthecity.livejournal.com
Long story ;)

Re: Utterly OT

Date: 2004-11-29 04:33 am (UTC)
From: [identity profile] cardinalsin.livejournal.com
Shhh! You aren't supposed to talk about you-know-who on LJ!

Date: 2004-11-29 04:34 am (UTC)
From: [identity profile] bluedevi.livejournal.com
Heh. Warlock does not set foot in the hell that is the GCSE department. In any case, he's trying to pass his IT duties on to me. He's got me looking after the intranet as well (which is in PHP so it's more my sort of thing).

Date: 2004-11-29 04:35 am (UTC)
From: [identity profile] bluedevi.livejournal.com
*sigh* I know.

But it's not as bad as my mother's computer. She has installed XP on her 64 sorry megs of RAM, and then wonders why nothing works...

Date: 2004-11-29 04:36 am (UTC)
From: [identity profile] bluedevi.livejournal.com
Service pack upgrade - I think that's what all the weird blue folders are.

Re: Utterly OT

Date: 2004-11-29 04:36 am (UTC)
From: [identity profile] absinthecity.livejournal.com
I know...I was just about to point out that he-who-shall-not-be-named is a rampant non-LJer. So we shouldn't really.

Date: 2004-11-29 04:37 am (UTC)
From: [identity profile] bluedevi.livejournal.com
Well, I've talked the Head into using Mozilla, so that's a start. Ad-Aware turned up a few bits and pieces, but nothing stunningly huge. What other clearing programs would you rate?

Date: 2004-11-29 04:38 am (UTC)
From: [identity profile] bluedevi.livejournal.com
I'm going to reinstall Symantec this afternoon and see what happens. Thanks for the tips.

Date: 2004-11-29 04:39 am (UTC)
From: [identity profile] bluedevi.livejournal.com
He seems keen on getting NOD32, but I could talk this guy into investing in anything if he thought it would help. I could probably talk him into buying a barrel of magic smoke to replace the magic smoke that's escaped from the box. Thanks for the recommendations.

Date: 2004-11-29 04:46 am (UTC)
From: [identity profile] bluedevi.livejournal.com
Thanks for the explanation of the files. Windows! Nice! *hollow laughter*

Date: 2004-11-29 04:51 am (UTC)
From: [identity profile] http://users.livejournal.com/_nicolai_/
http://www.crucial.com/uk for memory.
They deliver next day free if you spend more than a tiny amount of money with them.
(order on Friday, receive on Saturday. Or in my case, do not receive on Saturday as you are down in London recovering from a night on the piss, therefore cycle to post depot on Monday :) )

Date: 2004-11-29 04:55 am (UTC)
From: [identity profile] niallm.livejournal.com
There's an article on arstechnica.com comparing a list of them.

Date: 2004-11-29 04:55 am (UTC)
From: [identity profile] niallm.livejournal.com
Also, Firefox rather than Mozilla. If possible. Especially with only 128M RAM.

Date: 2004-11-29 05:16 am (UTC)
From: [identity profile] lostcarpark.livejournal.com
Two things sprung to mind as I read that.

The first is Spyware. You partially ruled that out by running SpyBot, but try running AdAware too just to be sure. Make sure you tell it to update its database.

The second has to do with the "uninstall" folders. As others point out, they're generated by Windows Update, which installs hotfixes (by the way, the blue means they're compressed folders). If it's set to install updates without warning, it's partly good because it means the machine will be fairly up to date, but it also means it could have installed SP2. This could cause a couple of problems. First, check if it's been installed by opening Windows Explorer and looking under Help->About.

First of all, as it's rather huge, it could be taking up a lot of hard disk space, causing the swap file to be too small. First thing, check there's plenty of free disk space. Second, go to the System control panel, and go to the Advanced tab. Click on performance settings, and change the virtual memory settings. I would suggest for a system with 128MB to set the minimum size to 512MB and the Maximum to 1024MB. But as mentioned above, 128MB really isn't very much for an XP system - suggest an upgrade to at least 256MB would be a worthwhile investment.

The other problem SP2 can cause is that it installs its own firewall. Presumably you have a network firewall, so this is rather redundant, and it can block things you don't want it to in its default configuration. It could be that it's blocking HTTPS, which could be stopping you getting into things you ought to be able to.

SP2's improved security also causes conflicts with quite a number of applications, including quite a few Microsoft ones. Many software vendors have fixes on their websites, but you tend to have to do it on an application by application basis.

Of course, it could be nothing to do with any of this. Reinstalling the virus checker is a good start. Reinstalling the OS might help, but you could find by the time you installed and patched (or it patched itself) that you'd be back where you started.

Date: 2004-11-29 05:48 am (UTC)
From: [identity profile] philipstorry.livejournal.com
Microsoft software always tries to be nice. You shouldn't sneer.

This, after all, is a "let's be sensible and store backups in a folder named after the change, and compress them so that they take up less space" nice. Obviously the Hotfix/Service Pack team had the Company Clue on the day that they designed this.

It's not "Hey, it looks like you're installing a service pack! Can I help?" paperclip-nice. Which should help you put into perspective just how bad it could be. :-)

Date: 2004-11-29 08:48 am (UTC)
From: [identity profile] philipstorry.livejournal.com
Look for System Restore - it's under Start -> Programs -> Accessories -> System Tools (I think), and can try to restore the machine to a point in time. Pick a time just after the last software install that was done - hopefully that's a month ago or some similarly long period - and it will try to reset the registry and copy back key system files that it knew were safe at that time.

Something else to try - the Windows XP CD, if left to boot by itself, will recognise that there's a copy of Windows on the machine and offer to repair it. It does this by resetting some key registry settings and copying all the files back from the CD. This could be helpful, as you KNOW that the copies on the CD can't have been changed.
(Well, not without a black & decker - and that tends to show up!)

Both these methods can help if you've had some key system files overwritten - which, by the sounds of your copy & paste experiments, you may well have. I'd try the System Restore method first.

If possible, data should be backed up of course. If that's not possible (and that's why you're trying to burn CDs), then the owner of the computer is about to find out why we bang on about making backups... Hopefully nothing will endanger the data. But the worst case for both of these actions is a computer that won't boot. Your data is still there, but inaccessible unless you stick the hard disk in another machine to copy it off...

Date: 2004-12-13 08:11 am (UTC)
From: [identity profile] lostcarpark.livejournal.com
THIS MACHINE DOES NOT CUT AND PASTE.

Very odd. I can't think why that could be. I've never come across a machine that wouldn't copy and paste at all, but I have found circumstances when it's behaved oddly.

Experiment with alternative methods:
1. Edit->Copy
2. Right-click->Copy
3. Ctrl+C (new shortcut)
4. Ctrl+Ins (old shortcut)

Also Office 2000/2003 can do some funny things with the clipboard. Have a look in the clipboard toolbar.
