New Infection and Spreading


5 replies to this topic

#1 cotesy

  • Members
  • 33 posts
  • Gender:Male
  • Location:Rochdale, UK

Posted 02 November 2009 - 04:36 PM

Hi,

I've read many posts on here in the past and spend a lot of time cleaning up infected computers.

I've stumbled across one of those 'challenge problems' that is just not getting anywhere.

It all started when a client asked me to go and see one of their office PCs - a Dell unit a few years old. Boot up was fine and reasonable for the spec. of the machine. When Windows was ready to go, I found multiple issues:

1) The taskbar had minimised to a thin grey line at the bottom of the screen. The usual method to stretch this out was not working. The Windows Key brought up the Start Menu as expected. I right clicked on the bit I could see and the only way to make the bar appear was to open the quicklaunch toolbar
2) The usual Windows XP coloured taskbar and Start Menu had been replaced with the older Windows Classic style grey one
3) After selecting Copy on any file, the Right Click Paste option was greyed out on the right click, Control+V did not work either
4) Files cannot be dragged or dropped
5) Internet Explorer no longer opened
6) The installed Firefox browser no longer opened
7) The installed AOL 9 Software no longer opened
8) The installed AVG 8.5 appears to work fine, including update which confirms Internet Connection is active. No infections found on Scan
9) The installed Malwarebytes appears to work fine, including update as per AVG. No infections found on Scan
10) The network connections folder shows no network connections
11) There are no network connection icons on the taskbar near the clock
12) When any window is open, it does not show on the taskbar. Alt-Tab allows the change of open windows and is the only indication of what is open at the time.

The lady in the office said she had been away on holiday and come back to find the PC in this state. It is a small family business working from a home office with three machines. The owner of the company has a Russian partner who frequently uses the machines to access Russian websites and ICQ.

The machine was rebooted and loaded into Safe Mode. The system behaviour is the same as in Normal Mode.

As files cannot be copied onto the machine or downloaded from the Internet, the options are limited. A USB memory stick was plugged in and installed as usual without problems. The machine accessed the memory stick fine but files could not be copied from it.

To copy files it was back to basics - Start > Run > CMD - copy files from memory stick using XCopy.

Combofix was run and returned no unusual results. It managed to update itself but could not install the recovery console as it stated Microsoft.com was unreachable.

The machine failed to allow HiJackThis to run.

The client decided the most cost effective course of action was to copy their files off the machine and reinstall the operating system. The Hard Disk was cleaned using Windows XP DiskPart > Clean option before a fresh copy of XP Pro was installed, the files were copied back on afterwards and all seems well.

A few days later another one of the machines switched itself off during use and on reboot got stuck in the BSOD loop. Running the Safe Mode option also did the same. Using the XP original disk, the repair console was used and chkdsk used to check the file structure. Errors in the file structure were reported as fixed and the machine rebooted fine.

On reboot the machine showed exactly the same problems as the original Dell PC. Rather than reinstall this machine, it has been isolated to determine what is going on.

Since then another machine has also gone down making that 3 to date.

Anyone any ideas? The reinstalled machine is behaving fine.

The machines all operate AVG 8.5, Malwarebytes, Spybot, and ZoneAlarm. The Dell unit is XP Pro, the second PC is XP Media Center Edition, and the third PC is XP Home.

Any help greatly appreciated.

Edited by cotesy, 02 November 2009 - 04:42 PM.



#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 04 November 2009 - 08:46 PM

I'd look for rootkits
Try these

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
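As an added example that is not part of this thread, the PowerShell script below does what the DIR /a/s check above does and goes a little further: it inventories every copy of scecli.dll, netlogon.dll and eventlog.dll under %windir% with version info and SHA-256, flags copies outside system32 and its dllcache, and reports when copies of the same name do not hash alike. It assumes PowerShell 2.0 syntax on the XP-era machine (copied over the same way the files were moved with XCopy), and the expected-folder list is an assumption about a stock XP layout.

```powershell
# Added example, not from the thread: list every copy of the three DLLs that
# the DIR /a/s command searches for, with size, version info and SHA-256,
# so a copy in an odd place or with a hash unlike the others stands out.
# Written for PowerShell 2.0 syntax (installable on XP), no newer cmdlets.

$names = 'scecli.dll', 'netlogon.dll', 'eventlog.dll'

# Assumption: on a stock XP install these live in system32 and its dllcache.
# Service-pack and update-uninstall folders may hold further legitimate
# copies; the hash comparison below is what tells a stale copy from a fake.
$expectedDirs = @(
    (Join-Path $env:windir 'system32'),
    (Join-Path $env:windir 'system32\dllcache')
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()

$report = Get-ChildItem -Path $env:windir -Recurse -Force -Include $names `
    -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $ver   = $_.VersionInfo
        New-Object PSObject -Property @{
            Name        = $_.Name.ToLower()
            Path        = $_.FullName
            Size        = $_.Length
            Modified    = $_.LastWriteTime
            FileVersion = $ver.FileVersion
            Company     = $ver.CompanyName
            SHA256      = $hash
            InExpected  = ($expectedDirs -contains $_.DirectoryName)
        }
    }

# Full inventory first, then the copies that deserve a closer look.
$report | Sort-Object Path |
    Format-Table Name, Size, FileVersion, Company, InExpected, Path -AutoSize

Write-Output 'Copies outside the expected folders:'
$report | Where-Object { -not $_.InExpected } |
    Format-List Path, Size, Modified, Company, SHA256

# Several copies of one DLL name but more than one distinct hash means the
# copies are not identical; compare the odd one against a known-clean machine.
$report | Group-Object Name | ForEach-Object {
    $distinct = @($_.Group | Select-Object -ExpandProperty SHA256 -Unique).Count
    '{0}: {1} copies, {2} distinct hashes' -f $_.Name, $_.Count, $distinct
}
```

Run it from an elevated prompt and redirect the output to a text file on removable media, since the affected machines would not allow copy and paste.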

#3 cotesy
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:Rochdale, UK

Posted 06 November 2009 - 07:59 AM

Thanks Garmanma,

You will note in my post that Paste and Ctrl-V have been disabled by whatever is going on, making this one of those really awkward clean ups.

Latest on this one is if the machine is booted on the Windows CD, it reports No Hard Drives found then goes to reboot, stopping the chances of a reinstall!

#4 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 06 November 2009 - 07:30 PM

Can you change the boot order to the CD?
Maybe try Vipre rescue disk
http://live.sunbeltsoftware.com/
or
http://www.ultimatebootcd.com/
Mark

#5 cotesy
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:Rochdale, UK

Posted 09 November 2009 - 09:46 AM

Thanks Garmanma,

Whatever the infection is, it seems terminal. Yes I changed the boot order to CD but after that for some odd reason the Windows Install Disk reports no drive found.

As I'm on a timescale with this kinda thing the only option was to remove the hard drive, take the client's files and low level format the drive. This has been done on both of the machines but the original one remains infected as the client has replaced it anyway. New Virus? I don't know, no idea how to even submit the drive to someone for analysis. All I know is the client has a Russian girlfriend so could be something that's doing the rounds over there.

Thanks for your help, hoping it doesn't reappear!

#6 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 09 November 2009 - 07:29 PM

Good luck to you
Mark