Posted 28 October 2008 - 04:02 AM
My sister's computer has a problem that's got me stumped. I don't know how long it's been going on, because I've only just come over for a visit, and wound up giving the local PCs and LAN a checkup. Here's the problem: when I check for attached devices in the wireless router's UI, all of them show up as they should, except for my sister's. Hers reports a pseudo-random computer name instead of the real one. Let me be clear about this: Every time I refresh the attached devices list, it spits out another pseudo-random computer name. I say pseudo-random, because the names appear to be drawn from some list, and occasionally reoccur, but there is no particular pattern to it. I tried to search for a file that contains some of these names, but failed to find one.
Let me also make this clear: Nothing is actually changing the computer name, it's just getting spoofed on the network. My Netgear router shows her MAC and IP addresses correctly, and only shows the computer/device name as the spoof. However, when I use nbtstat -A to check, it shows that her MAC address is also being spoofed, and it's just not fooling the router.
I've done a complete system scan with AVG 8, SpyBot S&D, Adaware and MS Windows Defender for what it's worth. It picked up a few minor things like tracking cookies, but nothing serious. I was actually surprised at how clean the system was. Anyway, I tried booting in safe mode, with networking, and found that the problem did not manifest. But it came right back when I booted back to normal mode. So I did a diagnostic startup, with the bare minimum, and added on items one-by-one 'til the problem reappeared. It turned out that two services had to be running in order for the problem to appear: DHCP Client Service, and Workstation service. If either one of these is disabled, the problem does not show up, but if they are both running, it rears its ugly head.
Obviously both of these are normal Windows services. So this begs the following question: Is one or both of these services infected with some kind of malware, or is some malware simply dependent upon the both of them? I tend to suspect the latter, because both of these services auto-start under safe mode with networking, and yet the problem fails to show up in that scenario.
I've googled around for any clues, but this produced very few hits, and all of those were inquiries, not solutions. I'm really at a loss as to what to do next.
In case it makes any difference, the computer in question is a Toshiba Satellite M35X-s114 running the original factory install of Windows XP Home Edition. I made sure it had all the critical updates from Microsoft, and most of the others as well. Drivers are also mostly up to date. And aside from this weird spoofing issue, it runs perfectly fine. ::shrugs::
Well, it's very late here, and I'm tired from working on this way too long. The details above should be a good start. I'll provide any additional info upon request. Please help me solve this blasted problem before I go mad. Thanks in advance :-)