Computer Randomly Shutting Down

On Thursday, April 26th, a CPA client gave me a call reporting odd computer behavior. The system was shutting down after a couple of minutes. Luckily this was after the first big deadline of the season, April 15th. Since this system was the office server holding all the shared data, no one could work. This particular computer was right around 3 years old, the age at which a number of warranties expire.

These calls always make me a bit nervous. It could be almost anything: a failing motherboard or CPU, power supply, or even a virus. Would I be able to properly diagnose and fix it? Would correcting this entail a significant outage or cost for the client? I could feel a sense of anticipation and dread as I told the client that I would get over shortly.

When I arrived I did a careful inspection and observation of the computer. Luckily the motherboard was one of the newer ones with solid capacitors, a Gigabyte in this case. None of the capacitors was bulging and the rest of the board looked good. The memory was seated properly and dust free. In fact the entire inside of the case looked brand new. The video card seemed quite warm so I filed that information away. This system does run dual monitors, though.

I left the cover off as I powered it on. I looked at all the fans in the system: CPU, case fans, power supply, and video card. Hmmm, the video card fan wasn’t spinning. So, I shut it down, lubed all the fans, and tried again. Still no video fan. However, I was able to jump start it with a finger flick and it kept spinning.

Next, I went looking for clues in the system event log by running EVENTVWR. Ah, here was some corroborating evidence: “System shutting down due to excessive video card heat”. It was time to arrange for a replacement video card, right after I applied some additional cooling to the video card with an area fan in the office. Now, the card was cool enough to touch.

The failed card was a Radeon HD 3400, so I stayed in the same family, but I did want to get a somewhat higher-powered one. I couldn’t go too high since this system only had a 350 watt power supply and no PCI-E power connectors. The Radeon HD 5550 looked like a winner; it was much higher performing and reasonably priced, so I got the order placed and waited.

The client was able to install the card himself and with a bit of phone help from me got things running properly.

A happy result with minimal downtime for another valued client.


Likely Outcome of 12 Year Old Administering Laptop

Last Saturday I got a call from a regular client. Her son’s laptop wasn’t starting up. She brought it over and I found another of the never-ending Windows Catch 22s. Her son had started to install the Windows 8 Consumer Preview, but something had gone horribly wrong. The automated startup repair wizard was launching, but couldn’t repair the problem. All of the “Advanced” repair options said to log on with an administrator account. Unfortunately, he was the administrator and the system didn’t recognize him as one.
Try as I might, there was no way out of this one…

So, I pulled out the hard drive and mounted it in a spare system in the lab. Then, I imaged it. Next I put the drive back into the system. Luckily, the recovery partition on this laptop was intact and I was able to go through the factory system recovery. Then, I applied Windows 7 service pack 1 and all Windows updates. Then, I pulled the drive out and reattached it to the lab system. Now, I was on the home stretch. I restored all the documents, pictures, other data and settings I could locate from the backup.

Lastly, I put the drive into the system, and called the relieved mom to pick up her son’s computer. When she brought him over I educated them both a little about administering a system, and why it wasn’t a good idea to install the Windows 8 preview on the son’s production (school) system. I also talked a little about the advantages of having two accounts: one to operate the system (95%), and one to administer the system (5%). This is one of my dozen Computer Best Practices. Contact me to get the whole list.

The odds are good that I will be seeing them again, I think!


Adding a USB printer should be simple, right?

A client gave me a call. He just couldn’t get this HP printer that he bought to work properly. It worked, then it wouldn’t. This was on a pretty much brand new Windows 7 Home system. I suspected that he might have plugged it in before installing the drivers for the printer. That could be a huge mistake. These things are supposed to be plug and play, but the driver needs to be available when the device is attached for the first time. Otherwise, you can end up with some funky, dead devices out in Device Manager.
So, I popped over and messed with it for too long (uninstalling, reinstalling, fixing spooler corruption, etc.) before deciding that this was just a flawed printer model. I told him to return it, and then I gave him an alternative printer and left. The next day I got an email thanking me that I thought I’d share:

————————————————————————————————————–
Jeff,

Nice to see you today as always.  Thanks for defining the mess and cleaning it up.  It was actually rather impressive to observe.

FYI I bought the Canon XX printer you recommended and installed it carefully following the instructions step by step (which took about a half hour as predicted in the manual!) with complete success.  Or so it would seem thus far!   Printer installed without a hiccup, printing fine, no delays or hang-ups along the way, printer/device folder opens instantly w/ the XX happily taking its place among the others.  I hope all stays peaceful.  I expect it will.  After what I went through during the last 5 days it was a welcome relief to have such a systematic, uneventful install process.

In all I spent at least 13 hours on that damned HP not to mention what I incurred with S.I.S. today.  You think HP will sympathise?  Nevertheless, I’m going to inform them.

Thank you again.  Be well.  Go Giants.  (I’m pretty sure you’re not a Giants fan but I had to add that anyhoo)

 


The Case of the Contaminated Netbook

A client brought over a Dell Inspiron Duo netbook, telling me it was “virused” and running slowly. I agreed – it ran like a dog. Because the initial problem had started about two months ago, using System Restore wasn’t a good alternative. This system presented an interesting challenge or two since it had no CD/DVD drive. I had to transfer things using a USB flash drive.

Before this system was finally clean and virus free I went through an amazing number of steps. In retrospect it would have been much faster to simply restore the system to the factory issued state using the built in recovery partition. However, the education was worth it, and I hope you find the journey interesting, too.

As always the utilities from Mark Russinovich at Sysinternals played a huge role in helping sort out what was going on with this system, primarily Process Explorer, Process Monitor, and Autoruns.

Here are the steps I followed:
System File Checker helped restore several files that were corrupted.
Two runs of Malwarebytes and the system was getting a bit less cumbersome to work on.
CCleaner removed almost 3 GB of trash.
HijackThis showed me that the browser should be operating normally. Hmmm. Something’s still not right since there are some browser redirects going on. I’d better file that away for later as possible rootkit activity.
There was a version of McAfee Internet Security on the system, but I ran Trend Micro’s Housecall. It came up clean.
I noticed that the McAfee was using between 30 and 50% of the Atom processor in the netbook and that it was an expired trial version anyway! Time to uninstall it.
Pieces of that darned McAfee remained so it was time to use the McAfee remover.
Then I applied all Windows 7 updates, Service Pack 1, and Internet Explorer 9 which is getting to be a pretty good version. Since all systems should have at least two browsers handy I installed Firefox, too.
I noticed that this system hadn’t EVER been defragmented, so I did that. Then, I defragged the Windows 7 boot files, too.
Next, I installed the free version of AVG 2012 and did a full system scan. I think it’s great that AVG offers a very complete version for free – especially since their paid version is so reasonable. I always encourage my clients to pay for a version. (Disclaimer: I think highly enough of AVG to be a reseller. Contact me to purchase)
Well, the full AVG scan said that a system driver file, netbt.sys, was infected with Trojan horse Agent.PSW, but that it couldn’t remove it. By the way, the full system scan examined over 1 million items. I tested this file at VirusTotal, where it got mixed reviews, and sent it off to AVG research, too. It turned out that this was the ZeroAccess rootkit.
TDSSKiller to the rescue. It cured this file.
Finally, another full AVG scan that came up clean. Yay!!!

The reasonable bill that the client received was much less than the time I spent on this project. Even expert consultants sometimes end up taking the long way around…

 


XP Antivirus 2012

Wednesday, January 4, 2012 I received a voice mail: “Jeff I need you. My computer has a virus. Please come ASAP!” Since it was pretty late in the day, I made arrangements to come over first thing Thursday. When I arrived I discovered that this system had a case of the disgusting fake antivirus XP Antivirus 2012. What’s really annoying about this particular infestation is its effectiveness in preventing you from running any programs that might be helpful. It does this through some fancy registry editing. It also deactivates all the major antivirus programs. It is a pretty nasty visitor that can be installed through a single prompt, or even with no prompting at all if you visit a compromised website. This scam, like a number of others, wants to coerce you into purchasing its removal program. Once you pay up, the program stops its fake warning messages. But is it really gone? If you have paid this extortion, please dispute the charge with your credit card company. Rewarding evildoers only encourages them.

Generally, when trying to assess a new security problem, one of the first steps is to use a clean system for some research. You will quickly discover a number of things: you aren’t the first to become infected; there is a lot of information about this malady; other people want to make money off of you; and while there is a lot of helpful information, some of it does not match your specific situation. What this means is that you need to be careful about what information you trust, and be careful about what you do. As a rule of practice I generally ignore the ad-sponsored results. Keeping a list of the steps followed and findings can be helpful, too.

In this case I had a couple of good alternatives to clean up this problem: Safe Mode, which helped stop the main executable from running; and System Restore, with a good selection of restore points to choose from. The date of the main executable told me when the system was initially infected so that I could do a restore from prior to that. While a bit tedious, this process went well. Even so, it took about an hour’s time over a three hour period to do the cleanup and system scans. I left a thorough scan running when I left, which would take a couple more hours to run.

As always, having done a little preparation prior to the problem can be the difference between being able to fix the problem and recover the system or being forced to reinstall the system from scratch. Having use of all the built in tools like System Restore as well as a solid disk imaging program is extremely helpful. Please don’t neglect these basics.

This was about my fifth rematch against the XP Antivirus opponent and I was successful in removing it in all cases. However, in one case the end result was a corrupted user profile which required setting up a new user on the system. Still, that was a better outcome than having to reload Windows and all applications on the system.

 


Another Windows Blue Screen of Death (BSOD)

One of my good clients gave me a call. One of the workstations on their network refused to start. The message was direct and to the point: STOP: C0000218 {Registry file failure} The Registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate. This computer happens to be a Dell Optiplex, and at this time 4 months out of its three year warranty.

I popped by for a look-see and booted from one of my favorite recovery disks – The Ultimate Boot CD for Windows. I use a modified one, but the generic version had the basic tools needed in this case: CHKDSK c: /R, and Registry Restore. There were a number of disk errors on this neglected system. Unfortunately, one of the bad spots was over one of the five registry hive files. The CHKDSK ran for quite a while, but finally finished up. The display from the utility ran about two screenfuls with notes about moving bad clusters to spares. Then, the registry was restored from an earlier version and we were back in business. At least for phase one of this project.

So, I ordered a replacement hard drive and discovered that prices had spiked due to the major floods in Thailand where most drive makers have manufacturing facilities.

The next week I came back and cloned the drive with Acronis True Image. Then I sealed the box up and things were running as good as new. Well, as good as that machine could. Unfortunately, this model had just two RAM slots, and each could support a maximum of 1GB for a total of 2GB. Not quite enough to run a mature Windows XP system to the full capacity of the processor. So, I helped them spec out a more current system which should give them a better service life.

 


Lightning & Thunder, Oh My!

Since moving from San Francisco to outside New York City in 2000, I have seen more power problems caused by lightning than I did in the previous 25 years. In San Francisco we did not get such great displays as we do here. The show can be really incredible. Originally, I was a bit surprised that this area seemed so “country” and a bit rural. A fair number of power outages, and going back to a dial-up internet connection for over two years, were a couple of symptoms. Power outages have become less common, but can happen in any good storm. The internet connection has gotten a lot better too, and my cable-provided service now tests regularly at 30 Mbps download and 5 Mbps upload.

Anyway, last Sunday, 8/21/11, we experienced an especially lively display with flashes and several BOOMS that made you jump due to their closeness. I was expecting it to, but the power never went out, and the lights had one good flicker. The UPSs never started their chirping. All four of them seem to sing in disharmony when we are without power.

As a result of this minor power event two pieces of equipment were damaged. Apparently, this surge came in over the phone line. One of the 1500 VA UPSs was being used to shield the phone line. Now, there is a phone signal on the input side at the UPS, but nothing on the output side. Also, I had foolishly not shielded the phone line that goes to my Plantronics portable headset. It took a hit too, and the power switch became inoperable with the unit stuck in the “on” position. First, I had a bit of fun looking for the failed phone device among the 9 extensions.

This points out the fact that power surges and undesirable electrical events can come in over a number of avenues: Electrical circuits, the most common; cable coaxial; and phone lines. For the most complete coverage all of the paths need to be protected from surges. Many surge protectors and UPS batteries have the capability to surge protect coax and phone connections in addition to the common one we all take for granted – electrical plugs. Please use power protection before your delicate equipment gets fried. I have reconfigured the perimeter to use a front end surge protector to surge protect the coaxial cable, and the initial phone connection. This is in front of the UPS battery that protects the cable modem and networking router and switch.

You should also remember that the surge protector you use is being used up while it is silently protecting you. These generally have a life of 3-5 years and should be replaced. UPS batteries get weak, and the protection circuitry can also be damaged, so they should be self-tested and replaced at intervals too.

As in many things a little bit of advance planning and preparation can save you lots of aggravation and substantial money, too. Please pay attention to these details.

 


Ignore the basics at your Peril!

Yesterday, I got a call from a client. His neighbor in the office building told him that he could see all his files! Now that was a true kindness because there were several glaring security issues in play and the neighbor wasn’t required to speak up. Most obviously, they were using a wireless router without any security on the wireless. In fact they hadn’t considered that they were using a wireless router since the stations in the office were all wired.

I popped by and quickly upgraded the firmware in the router and set up reasonable wireless security. I chose WPA2 for its quality and wide acceptance. I also changed most of the defaults which is something I always try to do.

There were also a couple of other issues I brought to the client’s attention: default passwords, subnetting, and sharing more than required – in this case the root of the system drive – plus a terrible option that Microsoft enabled by default on XP systems, “Simple File Sharing”. For those of you who don’t know about Simple File Sharing – it’s basically sharing without any security. It’s the only choice with XP Home, but you can turn it off in XP Professional. Maybe we’ll address these on a future visit.
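
An added example (not part of the original post) of a read-only check for two of the issues above: shares that expose an entire drive, and whether Simple File Sharing is in effect. It assumes Windows PowerShell 2.0 or later run locally; the function names are hypothetical, and `forceguest` under the Lsa key is the registry value behind the Simple File Sharing setting.

```powershell
# Added example: read-only audit of local file sharing. Changes nothing.
# Assumes Windows PowerShell 2.0+ (Get-WmiObject is not in PowerShell 7).

function Test-DriveRoot {
    param([string]$Path)
    # True when the shared path is an entire volume, e.g. "C:\" or "D:".
    return ($Path -match '^[A-Za-z]:\\?$')
}

function Get-ShareFinding {
    # Win32_Share.Type values of 0x80000000 and above are the built-in
    # administrative shares (C$, ADMIN$, IPC$); they are labelled separately
    # so that only user-created whole-drive shares are flagged.
    $adminBase = 2147483648
    foreach ($share in (Get-WmiObject -Class Win32_Share)) {
        $isAdmin = ($share.Type -ge $adminBase)
        $isRoot  = Test-DriveRoot $share.Path
        $note = 'ok'
        if ($isAdmin) {
            $note = 'built-in administrative share'
        }
        elseif ($isRoot) {
            $note = 'WHOLE DRIVE SHARED: share only the folder that is needed'
        }
        New-Object PSObject -Property @{
            Name = $share.Name
            Path = $share.Path
            Note = $note
        }
    }
}

function Get-SimpleFileSharingState {
    # forceguest = 1: every network logon is mapped to the Guest account
    # (shown as "Simple File Sharing" in XP). forceguest = 0: classic model,
    # where network users authenticate as themselves.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).forceguest
    if ($val -eq 1) { return 'Guest-only sharing (Simple File Sharing) is ON' }
    if ($val -eq 0) { return 'Classic sharing: users authenticate as themselves' }
    return 'forceguest is not set; the operating system default applies'
}

Get-ShareFinding | Sort-Object Name | Format-Table Name, Path, Note -AutoSize
Get-SimpleFileSharingState
```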

Another very happy client. A little surprised at the reasonableness of the bill for the prompt service, quick fix, and free advice about other potential security issues in the office.


Motherboard failure surfaces Windows catch 22s

Sunday, July 3rd was a funny day. First, the phone rang at 9 am. A friend had an offer that I couldn’t refuse: A ticket to the Yankees-Mets crosstown series. I’m not a big baseball fan, but was getting excited to go. He’d pick me up at 10. At 9:10 the phone rang – this time with a client who wanted to work, but his computer, the server in the office wouldn’t start. I raced over there to see if this could be instantly fixed. No soap, so I called my benefactor and begged off of the game. Here, if a client wants to work on Sunday and has problems we support them. That’s one way we provide super service.
I was able to take the hard drive from his AMD based system and put it into an Intel based system and get him going. While I worried that there would be problems, that part went seamlessly. Then I started the push to fix his system. Because of the July 4th holiday I wasn’t able to start that process until Tuesday. The motherboard was out of its three year warranty by a month and the manufacturer wouldn’t cover it, even though an identical system had had a motherboard failure after one year. That’s probably the last time I’ll buy a _______ motherboard. I mail ordered a compatible replacement motherboard so that the CPU and memory could be reused.
It was after I reassembled the AMD based system and fired up the hard drive from the Intel based system that the real aggravation, I mean fun began.

First up was the Blue Screen of Death (BSOD) 0x0000007e, with the first parameter 0xc0000005. When I started in safe mode, however, Windows Product Activation noticed the hardware changes and required immediate activation. Catch 22 #1: Windows cannot be activated in safe mode. Using the recovery console I disabled some drivers & services to solve the BSOD as advised by KB330182, without complete success. Then, I decided to do a repair install. Now, this step often helps, but in this case it introduced a new wrinkle by reverting to Internet Explorer version 6 from the v8 that was installed. More on that aggravation later. Further research led me to this article that pointed to the intelppm driver. Hey! I had already turned that one off, but the repair install brought it back. Yay, now I got past the BSOD only to run into:

“This copy of Windows is not activated. In order to be properly licensed this copy must be activated.” When you log on in normal startup mode you get prompted to activate now, and the only choice is Yes, because No logs you off. However, the activation process does not proceed. It turns out that activation uses some pieces from IE8, but downloading it is not an option on a system that is forced to run without internet access until it is activated. Thank you, Microsoft! While the clever article quoted above used the scheduler in a novel way, my approach was slightly different. I downloaded IE8 on another computer, and installed it in safe mode without getting updates, etc. Once it was installed, I was able to activate it in normal mode.

All this fun did take about 5 hours, but really it’s only worth about 1 to the client. Now, I have the satisfaction of passing another course at Microsoft University under my belt.


Havoc Raised by Malware, but Imaging saves the day!

One of my clients clicked on the wrong “OK to let this program update your system” prompt and inadvertently installed the Windows XP Repair Virus. This delightful variant of the fake antivirus extortion scam has the charming behaviors of dimming links on the desktop, emptying the Program Files menu, and disabling Task Manager. Even so, on the surface this doesn’t seem to be a terribly difficult one to remove. A woman in this office is extremely knowledgeable about computers and was working to remove this. Over the course of a day she asked a couple of questions which I was happy to answer, but after spending close to a day trying to remove this malware without success she sent me an email “crying Uncle” and asking me to come in.

Well, this is a very good client and several years ago they had me set up weekly imaging of desktop computers, retaining several generations of image sets for each. This client is using Norton Ghost and some others are using Acronis True Image. I was able to come in, restore the image over the network to a pre-infection state and leave within an hour!

If you don’t have a backup plan this good please contact us to help you set one up inexpensively.
