Fix this laptop?

Is it an elaborate ruse to prevent the user seeing any internet spoilers for Rogue One?

there seems to be a suggestion that the month of October is significant, but not the year.

Does there?

Did you say system restore was not successful? That suggests the script’s been in place for some time (since Oct 2015), but has been triggered by a date change – the restore point you used contained the script, which is still triggered by the date condition.

Are we correct to assume a third party placed this?

When’s the user’s birthday?

Were there any earlier restore points to track down exactly when the scripts and task were added? If so, and based on the available information, when were they added?

I’m not sure I’m getting anywhere here, but more information is always better (eventually the penicillin spores might land in my culture).

Did the task have a start date or was it execute immediately?

I might be upset if this ends in confusion between Halloween and Christmas.

Did you say system restore was not successful? That suggests the script’s been in place for some time (since Oct 2015), but has been triggered by a date change – the restore point you used contained the script, which is still triggered by the date condition.

To be clear, the restore was “successful” in that it completed, er, successfully; it just didn’t solve the problem.

Are we correct to assume a third party placed this?

I believe so.

When’s the user’s birthday?

Dunno.

Did the task have a start date or was it execute immediately?

I didn’t see a start date, just “last run.”

Something to do with Christmas countdown?

With Jimmy Carr?

Is there any evidence the 3rd party created this interactively or are there any pointers that it was done programmatically (i.e. via an install) – for example any evidence in the user & windows temp folders?

Something to do with Christmas countdown?

It’s certainly a conundrum.

I believe so.
[/quote]

OK, so we come back to the contradiction in this post:

I believe her in this case.

My money’s still on prankage by a technically proficient third party who has gained illicit access to the machine without the users knowledge.

It would seem so, wouldn’t it.
[/quote]

So you believe that nobody else has used the computer, yet a third party has placed this?

…and you previously dismissed my looking at browsing history to find possible infection vector.

Is it just a scheduled task made via clicking buttons, or is it an actual script someone has written? (If the latter can you post the contents?)

Is there any evidence the 3rd party created this interactively or are there any pointers that it was done programmatically (i.e. via an install) – for example any evidence in the user & windows temp folders?

Not really.

So you believe that nobody else has used the computer, yet a third party has placed this?

That’s not quite what I said. I said no-one else has used it for months.

…and you previously dismissed my looking at browsing history to find possible infection vector.

I didn’t dismiss it, I just didn’t do it.

I’ll post up the conclusion now I think, because you’ve all but got it.

Aaargh – I didn’t get the distinction when we started discussing the date of the scripts. So somebody put on a timebomb – and have you established who did use the computer months ago?

(I think to be fair, you’ve made it a bit harder for us than it was for you 😉 )

User was sleep-coding?

So somebody put on a timebomb

Exactly. (-:

So. I got this on the bench and did pretty much what everyone else has suggested. There’s a few minor things we’ve missed though.

The “Webroot” AV was presumably bundled trial software that came with the machine. The subscription had lapsed so it wasn’t actually doing anything! Seems she’s a serial torrenter too, so at first I was pretty sure it was some sort of infection. Oh, and the fact it hadn’t been updated in forever, not even SP1, added weight to this. Trying to install SP1 failed which could be suspicious, though that’s far from unusual even in normal circumstances.

I did all the usual suspects, ckdsk / SFC / MBAM scans, all clean. I tore out Webroot and installed MSE. This came back clean also. Checked for startup items in folders / registry and ruled out third party apps with a msconfig selective startup.

When everything came back clean and with it working in Safe Mode but symptomatic in normal mode, I was about to start looking for rootkits when it suddenly hit me that it was doing it regularly. Looked in Scheduled Tasks and from there it all unravelled.

The behaviour of this “infection” is no malware I’ve ever come across and Google didn’t come up with anything, which makes me think it was a deliberate hack. But no-one else had used the PC in months and there was no sign of any sort of exploit.

Wait a minute… “no-one else has used it in months” implies that months ago, someone else was using it. I asked the question, it and transpires that her then-boyfriend also used to use it. Very messy split apparently, back end of last year.

The two scripts were created in October 2015. The problem didn’t start happening until recently. Logically then, her boyfriend must have created the scripts to crash her PC, but set up a scheduled task to start running the script in a year’s time, presumably to absolve himself of suspicion / blame.

If he’d not been greedy and set it to crash every hour rather than every five minutes I probably wouldn’t have spotted it. I’d have ended up formatting it in the end, unless I’d noticed the scripts in the root of C:\ which was a bit of a schoolboy error (him and me, for different reasons). I was lining up a W10 upgrade as a last resort before blatting it – which wouldn’t have fixed it and would have properly broken my head.

Well done everyone.

Do I win five pounds?

Thanks Cougar! Can the next one be a bit more Christmasy?

Do I win five pounds?

Yes! You just need to pay a £10 release fee to get the money. Paypal Gift please.

Thanks Cougar! Can the next one be a bit more Christmasy?

Mince pie in the air vent?

You’re welcome. I thought it was an interesting and unusual “fault,” which is why I shared it.

Yes! You just need to pay a £10 release fee to get the money. Paypal Gift please.

No need.

* remotely runs payperchyafiver.exe

Did you find out why? Is b/f still on the scene?
Gaslighting with a pre-installed scrips after all (perchyowesmetreefiddy.bat)?

Dunno TBH. Not really my place to ask. As aracer said, I reckon it was a timebomb. Set it up but defer the task for a year, when it fires she’ll end up taking it to a shop who won’t look twice at it before factory restoring it. Who would know?

Plus I suppose, if they were to have got back together in the interim 12 months, it’ll be brownie points for him to fix it for her.

<note to self, make timebombs a bit more sneaky in case gf takes computer to Cougar>

TBH it wouldn’t exactly be difficult to do such a thing in a way you’d never have found it – but then the use of the vbs and a bat suggests a relative amateur.

TBH it wouldn’t exactly be difficult to do such a thing in a way you’d never have found it – but then the use of the vbs and a bat suggests a relative amateur.

Yeah, that puzzled me a bit. It was simultaneously really clever and really stupid. He clearly knows quite a bit about computers, but not quite enough to do it properly.

I’d probably have used AT instead of the GUI for a start. It’s a separate task list from Task Scheduler, so it wouldn’t have been visible other than from the command line.