Problem Coming Out of Stand-By Mode

[thmcg]

I am using XP Pro SP1 and have had no problem for more than 6 months
using the Stand-By mode. Recently, however, my pc has started
shutting down when I bring it out of Stand-By. Not every time. No
pattern to it. It acts like it's coming right up, the desktop is
loaded, and then the "Windows is Shutting Down" screen comes on. I
then have to reboot.

I don't know if this is related, but recently my pc was infected with
the Blaster worm, even though I use Symantec Antivirus with the File
System Realtime Protection enabled. During a routine Friday morning
virus scan, the program found two files, labelled TFTP692 and TFTP868,
infected with the W32Blaster.Worm and put them in quarantine. I was
quite surprised that the worm had gotten into my pc. And, yes, I have
frequently updated my pc with the appropriate MS updates, so I thought
I was protected.

I deleted these two files, and have re-scanned for viruses and none
have been found. Yet, this Stand-By problem continues, with no
pattern to it.

Any clues?

Thanks!

Tom.

 

[Michael Solomon \(MS-MVP Windows Shell/User\)]

It got into your system because it didn't use conventional means against
which virus scanners usually protect. You need a firewall to protect
against blaster, sasser and any other such worm that invades systems through
open ports.

That said, try the following to resolve the issue:
Since you've already run a virus scan, you should also run a check for any
malware on your system as well. Download, install and run Ad Aware:
www.lavasoftusa.com

The following assumes you have an actual XP CD as opposed to a restore CD or
restore partition supplied by your PC manufacturer.

Go to Start, type sfc /scannow in the run box and press enter. Note, there
is a space between sfc and the forward slash. You will be asked for your XP
CD. Be aware, upon inserting the CD the XP setup screen may appear, this is
not a part of sfc /scannow, rather it is being invoked by autorun. Simply
minimize the screen and allow sfc to continue.

If the above fails to resolve the issue, try a repair install as follows:

Be sure you are well backed up in case there is a problem from which you are
unable to recover. NOTE, while a repair install should leave your data
files intact, if something goes wrong during the repair install, you may be
forced to start over and do a clean install of XP. If you don't have your
data backed up, you would lose your data should that eventuality occur.

Assuming your system is set to boot from the CD-ROM drive, boot with the XP
CD in the drive. If it isn't or you are not sure, you need to enter the
system's BIOS. When you boot the system, the first screen usually has
instructions that if you wish to enter setup press a specific key, when you
see that, do so. Then you will have to navigate to the boot sequence, if
the CD-ROM drive is not first line, set it first in the boot sequence. Save
your settings and exit with the XP CD in the drive. The system will reboot.

Boot from the CD. If your system is set to be able to boot from the CD, it
should detect the disk and give a brief message, during the boot up, if you
wish to boot from the CD press any key.

Once you have pressed a key, setup should begin. You will see a reference
asking if you need to load special drivers and another notice that if you
wish to begin the ASR (Automatic Recovery Console) depress F2. Just let
setup run past all of that. It will continue to load files and drivers.

Then it will bring you to a screen. Eventually, you will come to a screen
with the option to (1) setup Windows or (2) Repair Windows Installation
using the Recovery console.

The first option, to setup Windows is the one you want and requires you to
press enter. When asked, press F8 to accept the end user agreement. Setup
will then search for previous versions of Windows. Upon finding your
version, it will ask if you wish to Repair your current installation or
install fresh. Press R, that will run a repair installation. From there
on, follow the screens.

 

[thmcg]

Hello, Michael,

First of all, thank you for your very in-depth response. However, I
do have a few comments and questions at this point.

Your response is primarily directed, it seems to me, at getting rid of
any vestiges of the Blaster worm, which I may need to do. But, I'd
like to know if that is what is causing the problem I described. Is
the behavior I have described typical of a Blaster worm infection?
Why does it happen on a sporadic basis, instead of every time?

As to the firewall, I have had the Windows "Internet Connection
Firewall" enabled right along since I installed XP. I just
double-checked and it was still showing as "enabled."

I already had Ad-Aware, as well as Spybot S&D, on my pc. Nonetheless,
per your recommendation, I ran them. AA found 0 "new objects," while
Spybot found a few advert cookies, which I find to be "normal"
occurance on the Internet.

I do have an actual XP CD, however, it is pre-SP1, which I had to
download. I would really hate to have to go thru all that again.

I don't understand how the Blaster worm could have infected the two
files I mentioned since I have had the Windows firewall, as well as
NAV protection, enabled all the time. Could the worm have snuck in
somehow? And is the behavior I've described typical of this worm?

Michael, I really appreciate your help, but I think I will just have
to forget about using the "Stand-By" mode, unless there was something
else I could try. To do all the stuff you've outlined would not be
worthwhile for me, and I'm sure I would screw something up and make
matters worse!

Further comments?

Thanks, Tom.

It got into your system because it didn't use conventional means against
which virus scanners usually protect. You need a firewall to protect
against blaster, sasser and any other such worm that invades systems through
open ports.

(...snip, snip...)

 

[thmcg]

Hello again, Michael,

Again I want to thank you for your in-depth response. I appreciate
the help and education. I do have a few further questions for you.
Please see below.


(...snip, snip...)

SFC /scannow is pretty simple and straight forward, very little you have to
do and I would advise at least doing that. You don't need to do a repair
install unless you see your system is having problems that just can't be
fixed; i.e. you start crashing all the time, the system hangs or locks up.

Michael, what does SFC stand for? I tried the "SFC /scannow"
procedure per your recommendation. A dialog box came up, entitled
"Windows File Protection." The message said "Please wait while
Windows verifies that all protected Windows files are intact and in
their original versions." However, during this scanning procedure a
second dialog box came up, having the same title, but a different
message that said "Files that are required for Windows to run properly
must be copied to the DLL Cache. Insert your Windows XP Professional
CD-ROM now." Since my CD was in the drive all along, I simply hit the
"Retry" button, and then the program would proceed. However, this
dialog box kept coming up, so it makes me wonder if something else is
wrong! Every time I would hit the "Retry" button and then it would
proceed. It took quite a while for the "SFC /scannow" program to
finally finish, but it eventually did. When it finished, the pc just
sat there. I sort of expected a message of some kind, but none showed
up.

At that point, I thought it prudent to reboot. After which, I tested
to see if the original problem (crashing while coming out of StandBy
Mode) might have been fixed. I put the pc into StandBy mode, waited
one minute, then restarted the pc. If the screen came up correctly, I
waited one minute, then put it back into StandBy mode. I figured if
it would work successfully 10 times in a row, the problem was probably
fixed. The first run, I got to the 5th restart before it crashed.
The second run, it crashed on the 4th restart. The third run, it
crashed on the 2nd restart. At that point, I concluded the SFC
/scannow program must not have resolved the issue.

Since this is a "minor" problem, more of an irritant to me, I think I
will take your advice and *not* do a "repair install" unless things
get a lot worse. I have printed off your recommendations and I'll
keep them handy.

One final question, please...would it be possible to simply replace
the two system files that I deleted (that contained the virus)? The
files were named TFTP692 and TFTP868 in the Symantec Antivirus
program, which had put them in quarantine. Since they couldn't be
"repaired," I had simply deleted them. Was this dumb? Are these file
names legitimate? Or are they a Symantec name?

Thanks once again, Michael, for your kind assistance!

Tom.

 

[Michael Solomon \(MS-MVP Windows Shell/User\)]

You're welcome...again!

See replies inline.

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

Hello again, Michael,

Again I want to thank you for your in-depth response. I appreciate
the help and education. I do have a few further questions for you.
Please see below.

message
(...snip, snip...)


Michael, what does SFC stand for? I tried the "SFC /scannow"
procedure per your recommendation. A dialog box came up, entitled
"Windows File Protection." The message said "Please wait while
Windows verifies that all protected Windows files are intact and in
their original versions." However, during this scanning procedure a
second dialog box came up, having the same title, but a different
message that said "Files that are required for Windows to run properly
must be copied to the DLL Cache. Insert your Windows XP Professional
CD-ROM now." Since my CD was in the drive all along, I simply hit the
"Retry" button, and then the program would proceed. However, this
dialog box kept coming up, so it makes me wonder if something else is
wrong! Every time I would hit the "Retry" button and then it would
proceed. It took quite a while for the "SFC /scannow" program to
finally finish, but it eventually did. When it finished, the pc just
sat there. I sort of expected a message of some kind, but none showed
up.

SFC stands for "System File Checker."

I don't think anything was wrong. I've seen this behaviour even on setups
of mine from time to time. If it said it couldn't find the files, or unable
to proceed or some sort of message to that effect, then you might have cause
to worry.

At that point, I thought it prudent to reboot. After which, I tested
to see if the original problem (crashing while coming out of StandBy
Mode) might have been fixed. I put the pc into StandBy mode, waited
one minute, then restarted the pc. If the screen came up correctly, I
waited one minute, then put it back into StandBy mode. I figured if
it would work successfully 10 times in a row, the problem was probably
fixed. The first run, I got to the 5th restart before it crashed.
The second run, it crashed on the 4th restart. The third run, it
crashed on the 2nd restart. At that point, I concluded the SFC
/scannow program must not have resolved the issue.

Since this is a "minor" problem, more of an irritant to me, I think I
will take your advice and *not* do a "repair install" unless things
get a lot worse. I have printed off your recommendations and I'll
keep them handy.

Based on having run SFC and the information you describe, it would appear
this issue is either related to some device driver on your system or some
issue with an application you have installed on your system. If that's the
case, I'm not sure a repari install would solve it. Usually, when this is
indicated, you have to use trial and error. You can check your device
manufacturers respective websites for the latest drivers and check your
application websites for any updates or patches and even to be sure your
apps are all XP compatible. If they all check out, the next step would be
to remove things one by one, then run the system and test to see if the
problem reappears. When it appears to know longer be an issue, whatever you
removed is the likely culprit.

One final question, please...would it be possible to simply replace
the two system files that I deleted (that contained the virus)? The
files were named TFTP692 and TFTP868 in the Symantec Antivirus
program, which had put them in quarantine. Since they couldn't be
"repaired," I had simply deleted them. Was this dumb? Are these file
names legitimate? Or are they a Symantec name?

Those are not system file names, they may be a reference Symantec gave them.
Whatever the case, it was SFC's job to locate missing or corrupted files and
replace them and you've already done that.