Got a Vista machine where I suspect either malware or some drive
problem.

User opens up Outlook, and it just clocks and clocks. The PC is
effectively locked up and only a reboot will get it back.

I open up a Command Line and no problem: I can Ping, list C:
directories, and so-forth.

But the Command window wants to be opened with "Elevated Mode", which I
take to be Admin authority before it will let me do a CHKDSK C:... and
therein lies a problem.

When I try to open a Command Line window as Admin ("Run as
administrator") , it never opens. Without Admin, no problem... with
Admin nothing...

I want to run CHKDSK, Malwarebytes, and a few other utilities, but none
of them can be opened.

TaskMan says the PC is idling along at between 20 and 50% CPU usage -
with no apps running.

Can anybody shed some light?

Workarounds to let me do some diagnosis from a non-Admin command line?
--
Pete Cresswell

(PeteCresswell) wrote:
Got a Vista machine where I suspect either malware or some drive
problem.

User opens up Outlook, and it just clocks and clocks. The PC is
effectively locked up and only a reboot will get it back.

I open up a Command Line and no problem: I can Ping, list C:
directories, and so-forth.

But the Command window wants to be opened with "Elevated Mode", which I
take to be Admin authority before it will let me do a CHKDSK C:... and
therein lies a problem.

When I try to open a Command Line window as Admin ("Run as
administrator") , it never opens. Without Admin, no problem... with
Admin nothing...

I want to run CHKDSK, Malwarebytes, and a few other utilities, but none
of them can be opened.

TaskMan says the PC is idling along at between 20 and 50% CPU usage -
with no apps running.

Can anybody shed some light?

Workarounds to let me do some diagnosis from a non-Admin command line?

There is RKill.

http://www.bleepingcomputer.com/download/rkill/

Other than that, I'd look for a Kaspersky rescue CD or Bitdefender CD,
which are means of doing offline scans. You boot the CD and the OS is
Linux (on the Kaspersky one). And that scans using signature analysis.

MBAM on the other hand, is supposed to do a bit more, and is run
on a system "hot", for heuristic (behavioral) analysis. So what the
malware is messing with, gives it away. But by doing so, MBAM must
face the defenses of the malware, and can be hard to start. While
MBAM has its "chameleon" technique (renamed executables), sometimes
that's not enough. And MBAM has enough dependencies, that for
some users, even if the .EXE starts to run, some other portion
of it has problems and it falls over. And the MBAM forums never
discuss how to "help it", for fear of giving more information
to the bad guys than is necessary. So that's a disadvantage for
the home user, no really useful help info available.

Maybe you'll get lucky with a little RKill help. I haven't used
RKill either, but I understand it helps occasionally before using
other tools.

Since all these tools are freely available, any malware developer
worthy of the title, is constantly testing against them. Which is
why it's so hard to have a set of tools to use.

Paul

PeteCresswell wrote:

User opens up Outlook, and it just clocks and clocks. The PC is
effectively locked up and only a reboot will get it back.

Have the user load Outlook in its safe mode to check if an add-on is the
problem. Users will install 32-bit add-ons when they have installed the
64-bit version of Microsoft Office hence Outlook is also 64-bit. Users
will install an add-on that works okay in an old version of MS Office
they were using to then upgrade to a later version of MS Office which
makes the add-on crash.

When Outlook loads, it loads the enabled add-ons. If an add-on crashes
on loading, it takes Outlook with it. When Outlook exits, it first
unloads all currently loaded add-ons. If an add-on crashes on exit, it
takes Outlook with it.

I open up a Command Line and no problem: I can Ping, list C:
directories, and so-forth.

But the Command window wants to be opened with "Elevated Mode", which I
take to be Admin authority before it will let me do a CHKDSK C:... and
therein lies a problem.

Not if you run cmd.exe from the Start - Run menu. That will load the
command shell but in non-privileged mode. Sounds like the user is using
a shortcut to load the command shell (cmd.exe) but the shortcut is
configured to Run As with admin privileges. That means you get a prompt
asking if you really want to load the command shell with admin
privileges. Either use a different shortcut that loads cmd.exe without
admin privileges or use Start - Run or the Start menu searchbox to load
cmd.exe as a normal process. That means that command shell can't do
anything that requires admin privileges.

You, er, the client could sacrifice the added security of UAC by
disabling it. That would eliminate the UAC prompt whenever you load any
program that wants admin privileges. That means malware can run, too,
without any prompt.

Has this user yet rebooted his computer. I don't mean shutting down
into hibernate mode because on reload of Windows then it is restored to
the same state (in the memory image). Have then completely shutdown
Windows to make sure any pending changes from updates get completed.
Many updates require a restart of Windows so in-use files can be
replaced on startup. If that doesn't work, have then boot into Windows'
safe mode (go into the boot menu), log into Windows to get to their
desktop, and then reboot into Windows' normal mode. Sometimes an update
requires a kick in its ass by using safe mode and then go into normal
mode.

When I try to open a Command Line window as Admin ("Run as
administrator") , it never opens. Without Admin, no problem... with
Admin nothing...

Load Task Manager and look at its Processes tab. Position the list of
processes so you can see the load of any process that begins with "c".
Try loading (however is not clearly mentioned) cmd.exe again and see if
a same-named process shows up in Task Manager.

There may already be a slew of cmd.exe processes already loaded. Kill
them and then retry just loading one instance of it.

I want to run CHKDSK, Malwarebytes, and a few other utilities, but none
of them can be opened.

Run anti-malware from bootable media; e.g., bootable CD/DVD or USB flash
drive.

Could be malware. Could be the client hosed their own system, like they
used a tweaker or double-clicked on a .reg file they got from somewhere
and that removed the filetype associate for .exe files. Even in a
non-privileged command shell, you can run "assoc .exe" to see what
handler was assigned to that filetype. You should get:

assoc .exe
..exe=exefile

exefile is the class ID for the .exe filetype handler. If you can run
regedit (that will require admin privileges), look at the registry key:

HKEY_CLASSES_ROOT\exefile

Make sure that registry key is defined. Under it is a 'shell' subkey
and under that should be 'open', 'runas', and runasuser' subkeys. Under
those should be a 'command' subkey whose default data item's value
should be:

"%1" %*

The handler isn't exposed here. "%1" means the environment variable %1
that holds the name of the .exe file on which you double-clicked in
Windows Explorer (I assume you can still load that). The %* means to
add all the rest of the parameters passed to the command shell that
loads to handle the executable process. For example, a command line of
"notepad.exe c:\docs\myfile.txt" would have "%1 = notepad.exe" and
"%* = c:\docs\myfile.txt".

Alas, if the symptom is .exe files won't load then you also cannot load
regedit.exe to look at the registry. You may be stuck with using
bootable media with anti-malware usable from that.

Have you tried booting into Windows' safe mode yet?

TaskMan says the PC is idling along at between 20 and 50% CPU usage -
with no apps running.

Did you click the button to Show All Users in Task Manager's Processes
tab? If there is 50% CPU usage then one, or more, processes are using
up that much. It may not be just 1 process but a couple of them.

Per VanguardLH:
Run anti-malware from bootable media; e.g., bootable CD/DVD or USB flash
drive.

Could be malware.

I think that's the strongest possibility. The wife is OK, but the macho
husband has a history of overriding Avast's "Warning" dialogs... totally
hosed the box a couple years ago. Can't recall the name of the malware,
but it was one of the nastiest at the time.


Could be the client hosed their own system, like they
used a tweaker or double-clicked on a .reg file they got from somewhere
and that removed the filetype associate for .exe files. Even in a
non-privileged command shell, you can run "assoc .exe" to see what
handler was assigned to that filetype. You should get:

assoc .exe
.exe=exefile

exefile is the class ID for the .exe filetype handler. If you can run
regedit (that will require admin privileges), look at the registry key:

HKEY_CLASSES_ROOT\exefile....

I'd working this from about 90 miles away via TeamViewer, so anything
that requires Safe mode or booting a DVD will have to wait until I get
down there.

Stumbled on to http://support.microsoft.com/kb/2688326 awhile ago - and
that's what your instructions seem to boil down to.

They're using the PC now (it will do web stuff, no problem...although
that raises the question of how Chrome.exe gets launched....). But when
they're done, I will try the registry fix and report back.

Thanks for all the detailed info. If the registry fix does not do it,
I'll work the rest of it.
--
Pete Cresswell

Per (PeteCresswell):
Stumbled on to http://support.microsoft.com/kb/2688326 awhile ago -

Seems like a Catch-22 situation: the problem is that a .EXE cannot be
open, yet the proposed solution is to open RegEdit.exe.

Strangely, assoc .exe seems to return the expected result:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\xassoc .exe
.exe=exefile

Also strangely, in a Command Line window I can navigate to C:\Program
Files\DVD Shrink and run the DVD Shring .exe...

OTOH, C:\Windows\Regedit.exe just causes the window to freeze - I guess
because it wants Admin authority, although my recollection is that it
should issue a prompt to that effect.

Unable to open up a Command Line window with Admin privileges, I guess
my next task is to figure out how to disable UAC (whatever that is....
-)) without using RegEdit. Google is probably going to be my friend
for the next hour or so...
--
Pete Cresswell

Per (PeteCresswell):

Unable to open up a Command Line window with Admin privileges, I guess
my next task is to figure out how to disable UAC (whatever that is....
-)) without using RegEdit. Google is probably going to be my friend
for the next hour or so...

I think I'm SOL on this one.

MyComputer | Control Panel | User Accounts | Turn User Account Control
on or off causes the window to hang - just like trying various other
operations. It's like somebody had this thing sewed up really tight.

Oh well... haven't seen the New Jersey shore in the dead of winter for a
few years.... and I'll certainly get a free meal out of it...
--
Pete Cresswell

Per (PeteCresswell):
I think I'm SOL on this one.

And... It's just dawned on me that Avast is no longer running on the
box.

Logical because I've rebooted it many times and if .exe's can't run, i
stands to reason that the Avast .exe could not auto start.

Call me paranoid, but more-and-more this is sounding like malware and,
maybe even.... that PC is doing somebody's dirty work right now as I
write this.
--
Pete Cresswell