In our company, we had complaints of sudden loss of passwords on Windows XP Pro computers. The password which had been working until the day before suddenly failed them.
I had known about 7 computers with the same problem over a period of 2 weeks and began to suspect that something was wrong. I searched the internet for lost passwords, but got only password reset tools.
Then one day I got a call saying there was an error message at start-up saying "The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\WINDOWS\system32\SHELL32.dll occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL", which is seemingly associated with Microsoft KB 935448. I got him to install the update; still no use, with the same error message referring to flashy.exe.
I searched for flashy.exe and then Glupsy was found to be the name of the infection. Refer to http://fileinfo.prevx.com/spyware/qqe5ae33...FLASHY.EXE.html , http://www.trendmicro.com/vinfo/virusencyc...Y.B&VSect=T and then I realised it in Symantec's info: http://www.symantec.com/security_response/...-99&tabid=2
Only by going through Symantec's info did I get a clue, when it said the worm could change your password to 'hacked'. I tried it on the lost-password computers, and it works.
The infections I faced were:
1. Lost Folder Options menu item
2. flashy.exe and systemId.pif errors at startup
3. Password changed to 'hacked' (only on computers that had an administrator account password; people infected without any admin passwords were the clue which led us to flashy.worm's true identity)
This is what I did:
1. Disable System Restore (My Computer > right click > System Restore > Turn off System Restore)
2. Restart in Safe Mode (press F8 twice before Windows boots) and disable any real-time protection from your antivirus / antispyware.
3. Run the tools Stinger and AntiVir Removal Tool for Windows (all were run just in case there were other similar worms / trojans)
4. Run AutoRuns and search for all entries containing flashy.exe, flashybot, systemId.pif
5. If Folder Options still does not show up, go to the registry editor (Start menu > Run > regedit) and browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; if NoFolderOptions has a value of 1, then change it to 0 or remove it (back up before doing it), and search for NoFolderOptions and change it too
6. Restart your computer, run a complete scan with your regular antivirus and antispyware (updated definitions of course)
7. Restart again and then enable System Restore (untick "Turn off")
PLEASE NOTE: IF YOU HAVE ANY FLASH DRIVES, KEEP THE FLASH DRIVES PLUGGED IN WHEN DOING THE REMOVAL / SCANNING PROCESS
I am posting this only with the intention of helping out people who could be under the impression that they lost their password and are suffering!!
(PS: we have got a couple of dozen PCs infected so far and it is spreading rapidly through flash drives, easily, on a network)
And we do have Symantec Corporate Edition installed on our PCs, but I do not know why it was not caught in the first place (this virus has been known to Symantec definitions for a while now!)
Edited by Papakid, 03 May 2007 - 08:54 AM.
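The following is an added example, not code from the post above or from any of the vendors it links to. It automates the manual checks in steps 4 and 5 of the post (search for the flashy.exe / flashybot / systemId.pif indicators, and reset NoFolderOptions after backing up the key) and, because the post says the worm spreads through flash drives, also inspects autorun.inf on every removable drive that is plugged in. It assumes, since the post does not say, that the worm's startup entries live in the standard Run / RunOnce keys (AutoRuns covers far more locations) and that an autorun.inf on a flash drive would reference one of those file names; the indicator list is the post's, nothing else is taken from a malware description. It uses only Windows PowerShell 2.0 era cmdlets so it can run on an XP machine, and should be run from an administrator account (the post notes that admin passwords may have been changed to 'hacked').

```powershell
# Added example: automate steps 4 and 5 of the removal procedure and the flash-drive check.
# Assumptions (not from the post): Run/RunOnce keys and autorun.inf are where the entries
# would be; the indicator strings are the ones the post lists. Run as an administrator.

$Indicators = @('flashy.exe', 'flashybot', 'systemid.pif')   # strings from the post, lower-case

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-SuspiciousRunEntries {
    # Step 4 equivalent: list Run/RunOnce values whose name or command mentions an indicator.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip the provider's PSPath/PSDrive metadata
            $value = [string]$p.Value
            foreach ($ind in $Indicators) {
                if ($value.ToLower().Contains($ind) -or $p.Name.ToLower().Contains($ind)) {
                    New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Value = $value }
                }
            }
        }
    }
}

function Find-SuspiciousAutorunInf {
    # Flash-drive check: DriveType 2 is "removable". Keep the drives plugged in, as the post says.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $inf) {
            $text = (Get-Content $inf -ErrorAction SilentlyContinue) -join "`n"
            foreach ($ind in $Indicators) {
                if ($text.ToLower().Contains($ind)) {
                    New-Object PSObject -Property @{ Drive = $_.DeviceID; File = $inf; Match = $ind }
                }
            }
        }
    }
}

function Repair-FolderOptions {
    # Step 5 equivalent: Folder Options is hidden when NoFolderOptions = 1 under Policies\Explorer.
    # The post only names the HKCU key; HKLM is checked too because the same policy can be set there.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $cur = (Get-ItemProperty -Path $key -Name NoFolderOptions -ErrorAction SilentlyContinue).NoFolderOptions
        if ($cur -eq 1) {
            # Back up the key first, as the post advises, then set the value to 0.
            $stamp  = Get-Date -Format yyyyMMddHHmmss
            $backup = Join-Path $env:TEMP ("Explorer-policies-$stamp.reg")
            reg export ($key -replace ':', '') $backup /y | Out-Null
            Set-ItemProperty -Path $key -Name NoFolderOptions -Value 0 -Type DWord
            "Reset NoFolderOptions in $key (backup written to $backup)"
        }
    }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
Find-SuspiciousAutorunInf | Format-Table -AutoSize
Repair-FolderOptions
```

Treat the output as a starting point for AutoRuns, not a replacement for it: anything the script reports should be removed with the tools in step 3 and 4 while real-time protection is off and the machine is in Safe Mode, and a value that reappears after a reboot means a startup location this script does not look at is still infected.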