Sean's Blog

While looking for a solution to a registry issue last week, I came across this post on the UBCD4Win forums, and a specific quote caught my eye:

Ok… about the registry and some possible solutions. Note that there is no one correct answer for this problem because there can be a number of actual possible causes of a corruption and therefore several possible solutions. Repairing a Windows system is almost an art form so when a tech is working on one.. they will often base what procedure they choose from the way the system acts. This is not something that can be taught.. it just take time for them to learn it.

Truer words have not been said, and I cannot agree more with this statement.  While I have worked on computers that are the same make and model with the same issue, the solution is always just a little bit different, owning to how the owner used the computer or the manner in which the issue occurred.  Sometimes the standard method for fixing a computer needs to be abandoned due to the way the computer is responding, and this can be caused based on the time it takes a computer to load, a screen to render, or the sound of a fan, hard drive, or CD spinning up when it doesn’t need to.

On a some what related note, one of my staff had dropped off a computer for me to work on back in April of last year.  I kept it in my overhead cabinet until this afternoon, where he was giving me grief for not working on it (not that he has asked about it much before hand), and I grudgingly told him I would look at it.  The issue had been that the computer would not boot up, or when it did, he wouldn’t be able to access files.  He had tried a number of suggestions with using the UBCD4Windows from me previously, but to no avail.  I setup the laptop on my desktop and *BOOM!* it turned on.  I ignored this computer for almost a year and it now works.  After showing the computer who was boss (sticking it in solitary confinement and letting it bask in my computer-fixing presence) it is now ready to continue doing it’s job.

This is not the first time my mere presence has fixed a computer, nor will it be the last; my computer fixing techniques are innate.

I am the Computer Whisperer.

Today my personal blog proved useful, as one of my student staff was having issues getting any .exe files to run on a computer.  I know that if certain .exe files can’t run, it’s because of malware stopping them.  If it becomes ALL .exe files, it’s typically due to malware editing some registry keys.  I couldn’t recall what it was, and I had two choices: ask Google, or ask myself.  I knew that if I asked myself, I would get the answer, as I have a blog post about it, and all I would need to do is search my site for “.exe” and I’d find it.  More items came up then I expected, but I did come across Malware: My CV.exe and others. I was looking for the following:

HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\: ""C:\\WINDOWS\\winword.exe" "%1" %*"
to
HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\: ""%1" %*"

It’s minor, but it gives me a nice fall back if I know I’ve done it and blogged about it.  However, this would almost be worth me creating my own personal wiki site to house information instead of putting it into blogs.  I will have to consider this idea.

After reading an article over at TreeHugger about the Green Plug, I thought that it would be a nice piece of technology to have.  It’d be nice if every little piece of technology didn’t have to some with it’s own charger and it was accepted that there were existing chargers that could be used.  It’s why I’m glad I did get a Powermonkey Explorer for Christmas, but it’s still not helping that I still have a charger sitting around for our phones, DS Lite, iPod (from an earlier gen iPod), and other devices that are always plugged in (cable modem, router, etc).  (On a related note, it didn’t even have the correct adapter tips, so I had to order some, which means I can only power my iPod anyway.)  Regardless, I still think an widely accepted, universal plug would be nice.

I was working on a students computer, and after a restart following the removal of McAfee Security Suite, Vista did not want to update.  The solution was rather simple, once I found it.  After some googling, I found this, and the solution was both simple and elegant.  The short version: uninstall the wired network connection and have it installed by the system again.  While a winsock fix of some kind might have done the job, this was just as easy to do.

1. From the Start menu, select Control Panel.
2. Select Hardware and Sound.
3. Select Device Manager.  Click Continue when the User Account Control window appears.
4. Under network adapters, remove the wired Ethernet controller/connection.
5. If Windows does not re-detect the hardware, select Network adapters (or the name of the computer at the top of the item tree) and from the menu select Action > Scan for hardware changes.

I’ve been waiting to hear some information regarding the release of Sweetcron, and it looks like it’ll released on 8/28/08.  Just as well, as by then I should have most issues from move in resolved.  Once it is released, I’ll be able to see how much work it would take to migrate over to it; I like the look and feel yongfook.com.

You can read about what I did or you can just click here to go to the steps you need to take.

After using my bluetooth keyboard with my laptop while on vacation, I returned to the apartment and attempted to use it on the desktop.  For whatever reason, it stopped working.  It wasn’t the batteries, as I could connect and type the passkey, but it would lose the connection almost immediately.  The keyboard also connected to the laptop computer just fine.  One resolution to this issue was to make sure that the check box for “Drivers for keyboard, mice, etc (HID)” was selected in the bluetooth properties for the keyboard.  It wasn’t, but when I tried to check it an hit apply, I got a Bluetooth Service Error “Access is denied” messageI made sure the Bluetooth Support Service was running by checking services.msc, and it was supposedly was running just fine.  After reading this thread, I checked the Log On tab for the service, and found that it was running as This account:NT AUTHORITY\LocalService.  Once I stopped the service, changed it to Local System account, I was able to select the driver service listed above and my keyboard was able to type.

Sure, this means I cannot go get a Logitech G15 keyboard, but that’s just as well.  What really gets me is that there is no reason I could think of as to why that service would (1) no longer work the way it was or (2) when it would have changed to log on differently.  I used the keyboard on the desktop up until we left.

Edit 8/31/08: Paul lists the ordered list of what needs to be done, and I’ll move it up here so that those trying to get the issue resolved can find the info.  While Paul does list how I did got to Services, some might be wondering what do you do when the keyboard doesn’t work, as is the case here.  There are two methods, listed in step 1:

1. Open Services:
   1. To still type things out, start the on-screen keyboard by going to Start > Programs > Accessories > Accessibility > On-Screen Keyboard.  From there, you can then do Start > Run and then type services.msc
   2. To directly access Services, do Start > Control Panel > Administrative Tools > Services
2. Find & select the Bluetooth Support Service, right click and select Properties.
3. Click the Stop button on the General tab.
4. Select the Log On tab, and select the radio button next to Local System account, then click Apply.
5. Go back to the General tab and click the Start button.
6. Click OK to close the Properties dialog.
7. Restart computer to make sure the change takes and things work.

I’m going to be keeping an eye on Yongfook’s website, as I think the format of it could be something worth doing.  I like how it pulls the different services he uses together.  If you’re interested, take a look at his definition and use of the word lifestream to get a better feel for what he’s doing.  I think that if I go to something like this, I’ll need to change web hosts again, as my current host has limitations on what can and cannot be done by my website.  I also cannot argue his reasons for ditching WordPress, and I agree with him; it gets the job done, but tries to do everything.

Initially, I wanted to host everything on my own site as well, but have found that it’ll take a lot of work.  As long as services like flickr, digg, del.icio.us, twitter and others become permanent and don’t develop a tendency to delete “old” information or restrict access to it, having a personal website like Yongfook’s would be enjoyable to use and read.

One of the computers I was working on as of late (a Dell Inspiron B130) appeared to have eleventy billion malware infections of one kind or another. The staff who had been out there before attempted to remove some of the malware, with varying levels of success. At some point, a chunk of malware was removed, but not all of it, and the hooks it had placed in the system caused a blue screen to appear with PAGE_FAULT_IN_NONPAGED_AREA (with a STOP message of 0×00000050, or just 0×50) when Windows XP loaded either in normal mode or safe mode with networking. I never tried to load with just regular safe mode (no networking), but I figured that it wouldn’t matter and I went straight to using the UBCD.

Let me say now: I <3 the UBCD. If I didn’t have this particular tool, my job would be a pain. Or I could work on less computers.

Anyway, I could tell immediately by examining CurrentVersion\Run keys and values that there were a number of issues on the computer. I manually took care of what I could, and used the EZ-PC-FIX on the UBCD to check other registry values/keys running at startup, in the control set, etc, and the files they were using. Eventually I was able to weed out enough malware (let’s say about 50+ registry and file deletions) to feel safe booting up into safe mode and running Spybot. How wrong I was. There was something in the malware that was causing a window to open saying shell.exe was not found and was preventing .exe files form being launched. I checked HKEY_CLASSES_ROOT .exe and exefile, and for one of those the malware and added a call to a program whenever a program was launched. Since that program was no longer around, nothing would load. Once I resolved that (again through the UBCD since regedit didn’t want to run), I was able to run Spybot in safe mode. After what seemed like an hour, Spybot found just over 220 malware items. It was able to resolve most of these, but would need to run at startup in normal mode to clean the few up that it couldn’t. Ok, so I should no be safe to load Windows normally. Or not.

I continued to get PAGE_FAULT_IN_NONPAGED_AREA when booting windows. While trying to recall the manner in which to try and restore save points in XP via the UBCD (never did find it; it may no longer be there), I was checking some of the information they had for resolving stop messages. One solution to the issue was for a Microsoft knowledge base article I hadn’t come across while searching Google for “page fault in nonpaged area”: KB894278. It referenced a particular rootkit that installs a kernel driver (or two). While these aren’t the files on the system in question, the following were present, and had the same creation date as a number of the malware files I had dealt with:

• Flee46.sys
• grande48.sys
• Wek86.sys (This file may or may not be an issue.  It says it is part of the SCSI Class group, but nothing comes up with a Google of this file, so it may still be malware.)
• ctfmon.exe (an .exe in with a bunch of .sys files?)
• Vgkm39.sys

I had been watching flee46.sys load in safe mode, as it was the last file that was being called, and I had never seen it before. My curiosity was further piqued when I could not get a Google result for “flee46.sys”, which meant to me it was malware. Regardless, I appended “.malware.old” onto the end of all of those and rebooted. The blue screen was no where to be found, Windows XP was loading in normal mode, and Spybot was running. There are a couple minor items I need to take care of now, but the computer is probably 90% resolved of its malware issues. Huzzah!

UPDATE: The .sys files in question were related to what McAfee calls Srizbi.

While perusing the Consumerist, I came across the following quote:

Drive past the big box stores when your computer breaks. Their employees are trained to upsell, not repair computers. Instead, seek out the young, the ones who aren’t old enough to hold advanced degrees or a driver’s license—those who can be paid with extended curfews are ideal. Then, watch in amazement as they sprightly get your computer back to checking AOL so you can forward us that hilarious email Snopes disproved last year.

Isn’t that the truth? Read the article here.

At work, when the (college) student workers cannot resolve an issue, I’m the last stop in our support line.  As a result, I sometimes get computers for which there is nothing we can do about it.  For example, I had two Acer desktops a couple weeks ago, nearly the same model, crash and these came into the office.  Everything I tried didn’t get the computers working, but part of that is due to the fact that the CDs provided consistently encountered errors; all other hardware appeared to function correctly.  I had to tell the students that the computers needed more work than we could do, and fortunately, one of the computers was still under warranty.  Today I had a student pick up another laptop which had, from what I could tell, a dead hard drive, as a spare hard drive was detected by the system in BIOS, whereas the original was not.

That’s one of the most frustrating things I have to deal with when working on someone else’s computer: having to be right about what I’m telling them.  I mean, I don’t have to be right, but I don’t feel right telling them something that might be false.   It’s part of the reason that fixing a computer with an issue, or even correctly diagnosing the issue, is such an accomplishment; it gives me something to push off of.  At least I’ll be 1-1 this week, as the second computer is working, and should be back with the student tomorrow.