Hi gang. I have a client that has 5 workstations - all running Windows XP Professional and running Windows 2000 on the server. Yesterday, they called, complaining that one of the workstations could not connect to the Internet and lost network connectivity. I went in, brought the system back to my office. Interestingly, I plugged the system in and had an Internet connection. I started the system in safe mode with networking and ran the following: TDSS Killer, Rkill, Malwarebytes. Malwarebytes reported pum.bad.proxy. It removed it. I wasn't satisfied with the resolution and googled the malware. A post from this site suggested running SuperAntiVirus, so I installed and ran that. It found numerous cookies and tossed them (it tosses its cookies. :-) ). A second scan showed clean results. I checked the LAN settings and they were fine.
I returned the system to the client and found that another system was suffering from the same thing.
I hooked up the initial system and brought back the second system... same results as the first system above. I got a call from the client about 20 minutes later saying the same thing had happened again.
I am now thinking there is something on the server causing the problem, as it seems the malware is making its rounds throughout the network. As I mentioned, the server is running Windows 2000 - so I can't load my preferred malware removal software. As Windows 2000 is no longer supported, I'm not about to do the old-fashioned wipe and reload. I don't even know if they have the original install CDs.
Their tape backup failed long ago and they aren't spending any money on replacement backup software until they replace their technology.
Any suggestions? I believe the malware is on the server... could the server have been hijacked?