When is it NOT Worth Fixing?
I just got done taking a look at my brother's computer, and boy is it a mess. It will boot to the Windows XP Pro welcome screen, and even let you choose an account to log in. Once you log in to an account it just sits there at a blank desktop! Even worse, hitting Ctrl-Alt-Delete brings up a screen saying that the Admin has disabled Task Manager, which I didn't.
Booting into safe mode doesn't help all that much either. It will get me to a safe mode desktop, with icons and all, but doesn't allow me to run any programs. Going to a Safe Mode command prompt I am at least able to run an AV scan from the prompt, but it can't access many files or even fix the problems that I find, as access to the files is denied.
I really wonder if it is worth the time and effort to sit down and fix this or just format, nuke the HD about ten times, power down and let the RAM get clean, and install Windows fresh. Obviously in this case, as I will be working for free and he brought this on himself, he will be losing anything he had on that HD. I just think that if I was doing this for a paying client it really couldn't be worth it to have me sitting and manually replace virtually every corrupt file manually from the recovery console. At what point do you say it is time to just do a fresh install because the current one is too far gone for repair?
BTW, currently I have administratively shut down all access from his PC to my network. Gotta love that Cisco equipment, a few quick commands via a telnet session to the switch and he is no longer able to send or receive anything. :)
Budfred
01-08-2006, 01:17 AM
If you can't get access to do scans, nuking and starting fresh may be the only option... If you can do scans, it would probably be worthwhile to clean it up, especially if your brother values anything on the drive... Even HJT run from a floppy may be enough to get more access so you can do more deep work...
PrntRhd
01-08-2006, 11:24 AM
I agree with Budfred.
This may be a time to bring up planning backup strategies so if this type of thing happens again it will be less painful in the time and the personal data lost.
There are decent imaging programs available that can let you restore the HDDs quickly and not lose anything:
Symantec Ghost
Acronis TrueImage
TeraByte Unlimited Image for Windows
These programs restore the PC's HDD to the exact working condition when the image was created. You should always test the image created to be certain it works on these programs, but they are certainly less painful than starting all over with the Windows CDs and finding all the application keys.
They also are very handy for clients or relatives who seem to always find trouble with the Internet.
Apply the 2 Hour Rule: Can I fix the problems in two hours or will it be easier to start over?
You can also use a strategy of multiple partitions to allow you to selectively nuke/restore individual partitions without having to wipe the whole PC. Sylvander is one member here who does it that way. OS on one partition, applications on another, backup data on a third.
classicsoftware
01-08-2006, 03:57 PM
"At what point do you say it is time to just do a fresh install because the current one is too far gone for repair?"
When it takes less time or less dollars to re-install the OS or applications or restore from backup than it would to fix the problem.
Sylvander
01-08-2006, 04:46 PM
"Sylvander is one member here who does it that way. OS on one partition, applications on another, backup data on a third"
I like to keep the OS and all programs on c: and move all data off c:
Especially the personal data that changes by the minute.
e.g.
[For win98]
a. My Documents. [Use “TweakUI” to move their home]
b. E-mails for all identities. [use the email client to move their home]
c. Internet Explorer Favourites. [Use “TweakUI” to move their home]
d. Temporary Internet Files. [use the browser (Internet Explorer) to move them]
e. Re-home the Windows Address Book as shown here http://tinyurl.com/24q6l . Use the key “HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab FileName” to specify its new address. [Its normal home address [in Win98] is C:\WINDOWS\Application Data\Microsoft\Address Book\(the name you gave your PC).WAB]
f. Any other storage of data files you wouldn’t want to “jump back” could be held on other partitions according to type/file size. Perhaps E: & F:
g. You might make a partition [perhaps G:] to hold backups and [Windows and/or MS Office] installation files.
1. How to make a free “Smart Boot Manager” floppy
http://www.pcguide.com/vb/showthread.php?t=41498
This makes it easier to boot a chosen drive [particularly the one holding the EBCD].
2. How to make a free EBCD bootable CD
http://www.pcguide.com/vb/showthread.php?t=41485
This has a number of useful utilities included, including "Image" [for DOS, by Terabyte], "Unrecoverably Wipe Info", fdisk.exe, format.com.
In post #4 I showed how I used "Volkov Commander" [you could equally well use "File Manager"] to copy the Windows installation files to a FAT32 partition and run the Windows installation from there.
Killdisk = www.killdisk.com/downloadfree.htm
Alternatively, use this to zero-fill the HDD.
When I built his computer I did use the multiple partition strategy. One for the OS, one for Applications, and one for data. The only problem is that when I was able to get to a DOS prompt and do a scan with the AVG shell I found many, many infected files on all partitions. My feeling is basically that whatever he didn't back up to CD or DVD will get lost, as I am in the process of nuking his HD using Boot and Nuke from a Linux boot CD.
I tried to save the thing, but spent a long enough time just to get to the point of being able to get any information out of it that I no longer care to save it. I spend something like 10 hours a day 5 days a week doing IT, and 8 hours a day on weekends working in a pharmacy. I don't really feel like spending hours on trying to save data that he lost through careless usage.
I know the problem came from him using those P2P programs, which is why I keep him on a separate VLAN which can only access the internet gateway. He has no way of infecting my secure network. When I built the system I installed AVG, Sygate, Spybot, and Adaware. They must have been giving warnings and interfering with his P2P stuff because he deleted them. Great solution. :rolleyes:
BTW, I think I have a pretty good backup strategy for the trusted systems in my network. Everything that is of any importance gets saved to the user's drive on my server running Windows 2003 Server. From there everything is backed up on a separate HD in my rig on a regular basis.
All user settings and such are stored as a part of the user's roaming profile on the server. So in the event of a failure on my secure network all that need be done is install Windows on that PC and join it to my domain again.
Paul Komski
01-09-2006, 03:07 AM
If there is data that he wants saved then as long as he didn't set up any encryption you should be able to (1) log on as another Admin user and take ownership of the files and copy them to removable media or (2) install a new parallel installation of Windows into a Windows2 partition or (3) slave the PC to another Win2K/XP installation on another PC and get access to the files that way or (4) even try access from a live Linux Knoppix CD or Bart PE CD.
Then wipe and preferably set up a dual boot with a clean reinstall of an internet-ready installation of a Linux distro and an internet-disabled installation of Windows.
There was a time when trying to clean up systems was always the preferred method but unless there is a "simple infection" and no chance of rootkits I nowadays go for a clean reinstall of such systems much quicker than in the fairly recent past.