User was sleep-coding?
So somebody put on a timebomb
Exactly. (-:
So. I got this on the bench and did pretty much what everyone else has suggested. There's a few minor things we've missed though.
The "Webroot" AV was presumably bundled trial software that came with the machine. The subscription had lapsed so it wasn't actually doing anything! Seems she's a serial torrenter too, so at first I was pretty sure it was some sort of infection. Oh, and the fact it hadn't been updated in forever, not even SP1, added weight to this. Trying to install SP1 failed which could be suspicious, though that's far from unusual even in normal circumstances.
I did all the usual suspects, chkdsk / SFC / MBAM scans, all clean. I tore out Webroot and installed MSE. This came back clean also. Checked for startup items in folders / registry and ruled out third party apps with a msconfig selective startup.
When everything came back clean and with it working in Safe Mode but symptomatic in normal mode, I was about to start looking for rootkits when it suddenly hit me that it was doing it [i]regularly.[/i] Looked in Scheduled Tasks and from there it all unravelled.
The behaviour of this "infection" is no malware I've ever come across and Google didn't come up with anything, which makes me think it was a deliberate hack. But no-one else had used the PC in months and there was no sign of any sort of exploit.
Wait a minute... "no-one else has used it in months" implies that months ago, someone else [i]was[/i] using it. I asked the question, and it transpires that her then-boyfriend also used to use it. Very messy split apparently, back end of last year.
The two scripts were created in October 2015. The problem didn't start happening until recently. Logically then, her boyfriend must have created the scripts to crash her PC, but set up a scheduled task to [i]start running the script in a year's time,[/i] presumably to absolve himself of suspicion / blame.
If he'd not been greedy and set it to crash every hour rather than every five minutes I probably wouldn't have spotted it. I'd have ended up formatting it in the end, unless I'd noticed the scripts in the root of C:\ which was a bit of a schoolboy error (him and me, for different reasons). I was lining up a W10 upgrade as a last resort before blatting it - which wouldn't have fixed it and would have properly broken my head.
Well done everyone.
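The "deferred scheduled task running a script from the root of C:\" pattern described above is straightforward to hunt for once you know what to look for. The following PowerShell audit is an added example (not code from the thread or from any poster): it walks every registered task and flags script-type actions, files sitting directly in a drive root, triggers whose start date is long after the task was created, and tight repetition intervals such as the five-minute one mentioned in the post. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module; on Windows 7 the same fields are available from `schtasks /query /fo CSV /v`. The thresholds (30 days, 15 minutes) are assumptions chosen for illustration.

```powershell
# Added example: audit scheduled tasks for deferred / high-frequency script jobs.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

$scriptPattern = '(?i)\.(vbs|bat|cmd|ps1|js|wsf)\b|\bwscript\b|\bcscript\b|\bpowershell\b'
$deferralDays  = 30    # assumed threshold: start date this far after creation is suspicious
$intervalMins  = 15    # assumed threshold: repeat this often or faster is suspicious

# Task trigger dates are ISO 8601 strings; return $null when absent or unparsable.
function ConvertTo-TaskDate([string]$s) {
    if ([string]::IsNullOrWhiteSpace($s)) { return $null }
    $d = [datetime]::MinValue
    if ([datetime]::TryParse($s, [ref]$d)) { return $d }
    return $null
}

# Repetition intervals look like "PT5M" or "PT1H"; convert to minutes (0 = none).
function ConvertTo-IntervalMinutes([string]$iso) {
    if ([string]::IsNullOrWhiteSpace($iso)) { return 0 }
    try { return [int][System.Xml.XmlConvert]::ToTimeSpan($iso).TotalMinutes } catch { return 0 }
}

$findings = foreach ($task in Get-ScheduledTask) {
    $created = ConvertTo-TaskDate $task.Date
    $info    = $task | Get-ScheduledTaskInfo

    # Collect trigger-based indicators across all triggers of this task.
    $maxDeferral = 0
    $minInterval = 0
    foreach ($trigger in $task.Triggers) {
        $start = ConvertTo-TaskDate $trigger.StartBoundary
        if ($created -and $start) {
            $days = ($start - $created).TotalDays
            if ($days -gt $maxDeferral) { $maxDeferral = [int]$days }
        }
        $mins = ConvertTo-IntervalMinutes $trigger.Repetition.Interval
        if ($mins -gt 0 -and ($minInterval -eq 0 -or $mins -lt $minInterval)) { $minInterval = $mins }
    }

    # One finding per action so the executed command is visible in the output.
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if (-not $cmd) { continue }   # COM-handler actions have no Execute path

        $reasons = @()
        if ($cmd -match $scriptPattern)                        { $reasons += 'script action' }
        if ($cmd -match '(?i)"?[A-Z]:\\[^\\"\s]+\.[A-Z0-9]+"?') { $reasons += 'file in drive root' }
        if ($maxDeferral -ge $deferralDays)                    { $reasons += "start deferred $maxDeferral days" }
        if ($minInterval -gt 0 -and $minInterval -le $intervalMins) { $reasons += "repeats every $minInterval min" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Author     = $task.Author
                Created    = $created
                State      = $task.State
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
                Command    = $cmd
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Tasks matching several indicators at once float to the top.
$findings | Sort-Object { ($_.Reasons -split ';').Count } -Descending |
    Format-Table Task, Author, Created, NextRun, Command, Reasons -AutoSize -Wrap
```

A task that hits "script action", "file in drive root", "start deferred" and "repeats every 5 min" together is exactly the shape of the one found here; a single indicator on its own (for example a vendor updater repeating hourly) is usually benign, so read the Author and Command columns before acting on anything. Keep in mind that the module only sees tasks registered with the Task Scheduler service; for a disk you cannot boot, the same XML definitions live under %SystemRoot%\System32\Tasks and can be grepped for the same patterns offline.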
Do I win five pounds?
Thanks Cougar! Can the next one be a bit more Christmassy?
[quote]Do I win five pounds?[/quote]
Yes! You just need to pay a £10 release fee to get the money. Paypal Gift please.
[quote]Thanks Cougar! Can the next one be a bit more Christmassy?[/quote]
Mince pie in the air vent?
You're welcome. I thought it was an interesting and unusual "fault," which is why I shared it.
[quote]Yes! You just need to pay a £10 release fee to get the money. Paypal Gift please.[/quote]
No need.
* remotely runs payperchyafiver.exe
Did you find out why? Is b/f still on the scene?
Gaslighting with a pre-installed script after all (perchyowesmetreefiddy.bat)?
Dunno TBH. Not really my place to ask. As aracer said, I reckon it was a timebomb. Set it up but defer the task for a year, when it fires she'll end up taking it to a shop who won't look twice at it before factory restoring it. Who would know?
Plus I suppose, if they were to have got back together in the interim 12 months, it'll be brownie points for him to fix it for her.
<note to self, make timebombs a bit more sneaky in case gf takes computer to Cougar>
TBH it wouldn't exactly be difficult to do such a thing in a way you'd never have found it - but then the use of the vbs and a bat suggests a relative amateur.
[quote]TBH it wouldn't exactly be difficult to do such a thing in a way you'd never have found it - but then the use of the vbs and a bat suggests a relative amateur.[/quote]
Yeah, that puzzled me a bit. It was simultaneously really clever and really stupid. He clearly knows quite a bit about computers, but not quite enough to do it properly.
I'd probably have used AT instead of the GUI for a start. It's a separate task list from Task Scheduler, so it wouldn't have been visible other than from the command line.