Security Center Showing Automatic Updates Turned Off


  • Please log in to reply
5 replies to this topic

#1 LCS_Tech

LCS_Tech

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:04:59 PM

Posted 27 April 2012 - 05:13 PM

Hello all,

I hope I can find some answers as I have been searching through Google for half the day.

Background:
Windows XP Home SP3

Client machine came in infected with a Fake Alert and bundled with it was a TDSS Rootkit. The client was running AVG Free and the paid version of SuperAntiSpyware. SAS caught part of the infection and prompted the client to reboot their computer; upon the reboot they experienced a BSOD STOP: C21A.
I used the saved copies of the registry from inside the system restore folder from a couple of days earlier and was able to get the machine up and running.

Installed MBAM and ran a full scan....Clean
TDSSKiller scan detected no Rootkits but did find a TDSS File System and it was quarantined
Customer had outdated version of AVG Free, updated and experienced issues with the resident shield not starting
Uninstalled AVG and replaced with Microsoft Security Essentials.
Full Scan with MSE - No threats detected
AVG Rescue CD Full Scan - 1 threat detected inside System restore.
chkdsk several times to repair broken indexes and recover lost files



During this process I have rebooted the machine a few times; each time after a reboot the Security Center reports Automatic Updates are turned off. Inspection of the service through services.msc shows the service as disabled.

Now what's funny is that I can set the service to Automatic and start the service and it will operate normally until the next reboot. Then I have to go through the process again. I thought it might be a Group Policy setting, but that's not available in Home Edition.

To troubleshoot the issue I have completed the following...
- Re-registered the DLL files
- Ran the Fix It from Microsoft, which found issues and fixed them but didn't report what they were
- Tried to install the Windows Update Agent, but it wouldn't take because it was already installed
- Reset all services to their default startup states via a registry file found on the web
- Checked the machine again for rootkits using TDSSKiller and Blacklight - nothing found.

And as a last-ditch resort I ran ComboFix with my fingers crossed that it would find what I wasn't able to... The log file shows "other deletions" but nothing of too much importance from what I could tell.

Any advice would be greatly appreciated. I'm sure the answer is in front of my face but I just can't see it.

#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:59 AM

Posted 27 April 2012 - 06:14 PM

Hi -
First - Can you back up / store anything important on the machine to CD or flash drives?
Try sfc /scannow, and failing that do a repair install of the O/S.

All I can think of for now -

#3 LCS_Tech

LCS_Tech
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:04:59 PM

Posted 27 April 2012 - 06:50 PM

Thanks for your reply...

I forgot to mention that I also did an SFC /scannow, and a repair install has already been done. I might try another repair install just to see.
If need be I can back up their data to our server and wipe the machine, but that means admitting defeat.

#4 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:05:59 PM

Posted 27 April 2012 - 10:23 PM

Worth a shot/reading IMHO: How to troubleshoot a "STOP 0xC000021A" error http://support.microsoft.com/default.aspx?scid=kb;en-us;156669

Note Follow the instructions in the Knowledge Base article to troubleshoot a process that shuts down with an exception. While you follow these instructions, monitor the following processes to troubleshoot the STOP 0xC000021A error:

Winlogon.exe
Csrss.exe

Note Most STOP 0xC000021A errors occur because Winlogon.exe fails. This typically occurs because of a faulty third-party Graphical Identification and Authentication (GINA) DLL. The GINA is a replaceable DLL component that Winlogon.exe loads. The GINA implements the authentication policy of the interactive logon model. The GINA performs all identification and authentication user interactions.

It is very common for certain types of remote control software to replace the default Windows GINA DLL (Msgina.dll). Therefore, a good first step is to examine the system to see if it has a third-party GINA DLL. To do this, locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value = GinaDLL REG_SZ

If the Gina DLL value is present and if it is anything other than Msgina.dll, it probably means that a third-party product has changed this value.
If this value is not present, the system uses Msgina.dll as the default GINA DLL.

If this error first occurred after the installation of a new or updated device driver, system service, or third-party program, the new software should be removed or disabled. Contact the manufacturer of the software to see if an update is available.


Edit to add: OOPS, just re-read the OP: "I used the saved copies of the registry from inside the system restore folder from a couple days earlier and was able to get the machine up and running."

Edited by Union_Thug, 27 April 2012 - 10:27 PM.
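As an added example (not from Union_Thug's post or the KB article it quotes), a PowerShell check that reads the Winlogon GinaDLL value described above and, since that is what this thread is about, the start type of the Automatic Updates service (wuauserv) so the two can be captured together before and after a reboot. It assumes PowerShell 2.0 is installed on the XP box and that it runs as an administrator.

```powershell
# Added example, not part of the original thread or the KB article.
# Assumes PowerShell 2.0 (optional install on XP SP3) and local admin rights.

# 1. KB156669 check: is a third-party GINA registered with Winlogon?
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$gina = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL

if (-not $gina) {
    Write-Host 'GinaDLL value not present: Winlogon uses the default Msgina.dll'
} elseif ($gina -ieq 'Msgina.dll') {
    Write-Host 'GinaDLL explicitly set to Msgina.dll (the default)'
} else {
    # Anything else was put there by a third-party product; verify the file and its publisher.
    Write-Host "GinaDLL points at a non-default DLL: $gina"
}

# 2. The thread's symptom: Automatic Updates service flipping back to Disabled after reboot.
#    The start type is stored in the service's registry key: 2 = Automatic, 3 = Manual, 4 = Disabled.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$start = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).Start
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

Write-Host ('wuauserv Start = {0} ({1}), current state = {2}' -f `
    $start, $startNames[[int]$start], $svc.Status)

if ([int]$start -eq 4) {
    # Matches what the original poster saw in services.msc after each reboot.
    Write-Host 'wuauserv is Disabled in the registry; something is resetting it at boot or shutdown'
}
```

Run it once after setting the service back to Automatic and again after the next reboot; if the Start value has gone back to 4, whatever is changing it runs before you log in and is worth looking for in the startup and service lists rather than in the service itself.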


#5 LCS_Tech

LCS_Tech
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:04:59 PM

Posted 28 April 2012 - 12:58 PM

Thanks, Union, for that bit of information. Too bad the fix isn't as easy as fixing a C21A error. There's got to be something I'm missing...

#6 hamluis

hamluis

    Moderator


  • Moderator
  • 55,873 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:59 PM

Posted 30 April 2012 - 11:03 AM

<<Client machine came in infected with a Fake Alert and bundled with it was a TDSS Rootkit.>>

Your assumptions that all infections have been neutralized...may be inaccurate.

Louis