x404.co.uk
http://www.x404.co.uk/forum/

weird behaviour
http://www.x404.co.uk/forum/viewtopic.php?f=4&t=322
Page 1 of 1

Author:  Spreadie [ Mon May 04, 2009 6:27 pm ]
Post subject:  weird behaviour

Lo all,

I have a confusing problem with a friend's PC.

About 60% of the time it just hangs at the XP welcome screen. It isn't completely locked up, because the mouse cursor still responds.

When it does boot correctly, I see several Run.DLL errors and NOD32 throws up worm and trojan warnings. This still happens after running a scan and clean, in safe mode.
After it reboots, the malware is back, maybe generated from a mule file by a script I suspect, and randomly named processes appear.

The annoying thing is it will not allow access to the net through a browser, nor will it display a USB drive in My Computer. The system still has access to the net, because NOD32 update and iTunes still work; I just cannot connect through a browser.

Finally, if I select windows update from the start menu, it displays the google homepage. :?

Anybody seen these symptoms before?

It is a real pain in the ar$e.

Author:  Angelic [ Mon May 04, 2009 6:57 pm ]
Post subject:  Re: weird behaviour

My standard procedure when computer is playing up:

Step 1 - Download Lavasoft Ad-aware, Spybot Search and Destroy and whatever your Anti-Virus is (I favour McAffee).

Step 2 - Update all normally, run all normally (deep scans).

Step 3 - Restart in safe mode with networking, Update all again, run all again.

Step 4 - Restart in safe mode without networking, run all again.

Step 5 - Back up manually (drag and drop everything you need, make sure you get everything like keys etc).

Step 6 - Format, reinstall windows.

Obviously, if the strange behaviour stops between any of these steps then stop, because it's fixed.

Author:  Spreadie [ Mon May 04, 2009 11:59 pm ]
Post subject:  Re: weird behaviour

Thanks for the suggestion, though I have carried out all the usual stuff already, and managed to gain access to the web to download Ad-Aware; but it found nothing more than MyWebSearch and a few cookies.

Still no joy on USB drives, and I have since found out that access to drive C, through My Computer, is denied. Windows Explorer still works though.

I'm currently searching for possible scripts that rebuild the nasties at boot. Unsurprisingly, folder options has been removed from the Control Panel and tools menu in My Comp, so there are obviously a few hidden files or folders the nasties don't want me to see. Regedit is also disabled at the moment, but I'm working on that.

You know, I used to love this kind of challenge, but nowadays I have to fight the urge to smack the PC owner with a cricket bat.

Regards

Spreadie
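The symptoms in the post above (regedit disabled, Folder Options gone, drive C access denied through My Computer) are the classic Explorer and System policy values that malware flips to keep an administrator away from the tools needed to clean the machine. The script below is an added example, not code from the thread or from any tool named in it: it evaluates a snapshot of those policy values and reports which ones are set to a non-default state. The registry locations and value names are the documented Windows policy values; the snapshot and hosts-file text embedded in the block are constructed samples. The thread never identifies why Windows Update opened Google, so the hosts-file check is included only on the assumption that a hosts entry is the mechanism, which is one common way that redirect is done. Two caveats a practitioner would want: these values are also set legitimately by group policy, so a finding is a lead rather than proof of infection, and a rootkit on the running box can hide values from the live read, so a snapshot taken from a boot CD is more trustworthy than one taken on the infected system.

```python
"""Report Windows policy values and hosts-file entries commonly tampered with by
malware to lock out an administrator. Added example; the registry paths are the
documented policy locations, the sample data below is constructed."""
from collections import namedtuple

# hive, subkey, value name, the value Windows uses by default (absent counts as default),
# and what a different value means for whoever is trying to clean the machine.
Indicator = namedtuple("Indicator", "hive key name clean meaning")

POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SHOWALL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

INDICATORS = [
    Indicator("HKCU", POLICY_SYSTEM, "DisableRegistryTools", 0, "Registry Editor (regedit) blocked"),
    Indicator("HKCU", POLICY_SYSTEM, "DisableTaskMgr", 0, "Task Manager blocked"),
    Indicator("HKCU", POLICY_EXPLORER, "NoFolderOptions", 0, "Folder Options removed from Explorer and Control Panel"),
    Indicator("HKCU", POLICY_EXPLORER, "NoControlPanel", 0, "Control Panel blocked"),
    Indicator("HKCU", POLICY_EXPLORER, "NoDrives", 0, "drives hidden from My Computer"),
    Indicator("HKCU", POLICY_EXPLORER, "NoViewOnDrive", 0, "access to drives in My Computer denied"),
    # CheckedValue is normally 1; setting it to 0 makes the 'Show hidden files' radio button a no-op.
    Indicator("HKLM", SHOWALL, "CheckedValue", 1, "'Show hidden files and folders' option neutralised"),
]


def drive_letters(mask):
    """Decode the NoDrives / NoViewOnDrive bitmask (bit 0 = A:, bit 2 = C:, ...)."""
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]


def assess_policies(snapshot):
    """snapshot maps (hive, key, value name) -> integer value as read from the registry.
    Returns [(value name, meaning)] for every indicator that is not at its default."""
    findings = []
    for ind in INDICATORS:
        value = snapshot.get((ind.hive, ind.key, ind.name))
        if value is None or value == ind.clean:
            continue  # absent means Windows default behaviour, nothing to report
        meaning = ind.meaning
        if ind.name in ("NoDrives", "NoViewOnDrive"):
            meaning += " (" + ", ".join(d + ":" for d in drive_letters(value)) + ")"
        findings.append((ind.name, meaning))
    return findings


def read_live_snapshot():
    """Read the indicator values from the running Windows registry.
    Returns {} on non-Windows hosts, where the winreg module does not exist."""
    try:
        import winreg
    except ImportError:
        return {}
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for ind in INDICATORS:
        try:
            with winreg.OpenKey(roots[ind.hive], ind.key) as key:
                value, _type = winreg.QueryValueEx(key, ind.name)
        except OSError:
            continue  # key or value absent: default behaviour
        if isinstance(value, int):
            snapshot[(ind.hive, ind.key, ind.name)] = value
    return snapshot


def hosts_redirects(hosts_text, watched=("microsoft.com", "windowsupdate.com")):
    """Return (ip, hostname) pairs from a hosts file that pin a watched domain to an
    address. Assumption for this example: a hosts entry is how the update redirect was done."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *hostnames = line.split()
        for host in hostnames:
            if any(host.lower().endswith(domain) for domain in watched):
                hits.append((ip, host))
    return hits


# Constructed sample data standing in for what a live read would return on the PC in the thread.
SAMPLE_SNAPSHOT = {
    ("HKCU", POLICY_SYSTEM, "DisableRegistryTools"): 1,
    ("HKCU", POLICY_EXPLORER, "NoFolderOptions"): 1,
    ("HKCU", POLICY_EXPLORER, "NoViewOnDrive"): 4,  # bit 2 -> C:
    ("HKLM", SHOWALL, "CheckedValue"): 0,
}
SAMPLE_HOSTS = """# constructed hosts file; 192.0.2.0/24 is a documentation range
127.0.0.1       localhost
192.0.2.10      windowsupdate.microsoft.com update.microsoft.com
"""

if __name__ == "__main__":
    snapshot = read_live_snapshot() or SAMPLE_SNAPSHOT
    for name, meaning in assess_policies(snapshot):
        print(f"{name}: {meaning}")
    for ip, host in hosts_redirects(SAMPLE_HOSTS):
        print(f"hosts file pins {host} to {ip}")
```

On the box itself, clearing the flagged values with `reg delete` (or with regedit once `DisableRegistryTools` is gone) restores the tools, but that only removes the symptom; whatever re-applies the values at boot is the thing to find.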

Author:  Spreadie [ Tue May 05, 2009 1:12 am ]
Post subject:  Re: weird behaviour

Making some progress.

Regedit is fixed, so I have restored folder options.

Have also fixed the access denied on Drive C.

Microsoft update is still redirecting to Google.com, but there are (very lengthy) solutions on the net, so I'll have a crack at that tomorrow.

NOD32 is still finding nasties when run after a reboot, so there are still some considerable problems to address. I want to make sure the system is reasonably safe before I try backing up his iTunes and do a reinstall.

Author:  JJW009 [ Tue May 05, 2009 1:19 am ]
Post subject:  Re: weird behaviour

Spreadie wrote:
I want to make sure the system is reasonably safe before I try backing...


I'd do a backup before you do anything else.

Author:  Spreadie [ Tue May 05, 2009 9:03 am ]
Post subject:  Re: weird behaviour

I can't do a backup yet, the system will not recognise any new storage devices and I cannot use the DVDRW either.

I'm still trying to figure out why I cannot see USB drives in my comp.

The system detects them and states they are ready for use, and they are listed in the device manager, but I cannot see or access them. They don't show up in disk management either.

This is starting to get annoying.

Author:  Spreadie [ Tue May 05, 2009 10:09 am ]
Post subject:  Re: weird behaviour

Sorted.

Was a nasty little rootkit, causing 90% of the problems. I have regained full control of the PC and have cleaned out all remaining nasties.

Spyware, rootkit and AV scans are now coming up clean. :D

Author:  JJW009 [ Tue May 05, 2009 8:37 pm ]
Post subject:  Re: weird behaviour

Spreadie wrote:
I can't do a backup yet, the system will not recognise any new storage devices and I cannot use the DVDRW either.


For future reference, I'd have booted from a live CD or USB Flash and used that to backup the important stuff onto whatever media was available. Being independent of the installed OS, it wouldn't suffer from any of the malware problems. It reduces the risk of losing data if the malware gets really nasty, or if the repair goes wrong.

Also note, the scans you run are unlikely to identify any as-yet unknown malware. I'd prefer a clean install, but at the very least you should run a software firewall on it to see if it detects anything "dialling home".
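The live-CD approach JJW009 describes has one step people skip under pressure: checking that the copy actually matches the originals before the disk is wiped. The script below is an added example, not from the thread or from Knoppix or any other live distribution: it copies a directory tree from a volume mounted read-only to the backup medium, writes a SHA-256 manifest, and re-verifies the copy against that manifest. The mount commands and paths in the comments are assumptions for the example; the sample files used to exercise it are constructed. A file the failing or infected disk cannot read is recorded as an error and skipped rather than aborting the whole backup, so the result tells you exactly what did not make it across.

```python
"""Back up a user's files from a read-only mounted disk under a live CD/USB
environment and verify the copy with a SHA-256 manifest. Added example; device
names and paths in the comments are assumptions."""
import hashlib
import json
import os
import shutil
import sys

# Typical use from a Linux live CD (device names are assumptions for the example):
#   mount -o ro -t ntfs-3g /dev/sda1 /mnt/infected      # the suspect XP disk, read-only
#   mount /dev/sdb1 /mnt/usb                             # the backup medium
#   python3 backup.py "/mnt/infected/Documents and Settings/Bob" /mnt/usb/bob


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large media library never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_tree(src_root, dst_root, manifest_path):
    """Copy every file under src_root into dst_root and write a JSON manifest of
    relative path -> {sha256, size}. Returns {"copied": n, "errors": [(rel, reason)]}.
    A read failure (typical of a failing disk) is recorded and skipped, not fatal."""
    manifest = {}
    errors = []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            try:
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)  # copy2 keeps timestamps, useful for later triage
                manifest[rel] = {"sha256": sha256_file(src), "size": os.path.getsize(src)}
            except OSError as exc:
                errors.append((rel, str(exc)))
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return {"copied": len(manifest), "errors": errors}


def verify_backup(dst_root, manifest_path):
    """Re-hash the copy against the manifest. Returns the sorted relative paths
    that are missing from the backup or whose contents differ."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    bad = []
    for rel, expected in manifest.items():
        path = os.path.join(dst_root, rel)
        if not os.path.isfile(path) or sha256_file(path) != expected["sha256"]:
            bad.append(rel)
    return sorted(bad)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: backup.py SOURCE_DIR DEST_DIR")
    source, dest = sys.argv[1], sys.argv[2]
    manifest_file = dest.rstrip("/\\") + ".manifest.json"
    result = backup_tree(source, dest, manifest_file)
    print(f"copied {result['copied']} files, {len(result['errors'])} unreadable")
    for rel, reason in result["errors"]:
        print(f"  skipped {rel}: {reason}")
    mismatches = verify_backup(dest, manifest_file)
    print("verification: OK" if not mismatches else f"verification FAILED for {mismatches}")
```

Keep the manifest with the backup: after the reinstall it lets you confirm the restored files are byte-for-byte what was copied, and the per-file hashes also let a later scanner check the recovered files against what it flags.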

Author:  pcernie [ Mon Jul 27, 2009 11:28 am ]
Post subject:  Re: weird behaviour

Just going through the old threads here ;) , I usually go for a clean install just to save time if nothing else, and it usually does 'Doze good to get wiped every so often. All that said, I haven't had any problems touch wood (touches crotch :lol: :oops: ;) since I started using 'Fox :D

Author:  Nick [ Sun Aug 02, 2009 3:32 pm ]
Post subject:  Re: weird behaviour

A clean install would be the only thing that could give me the peace of mind.

Otherwise I would forever worry that I've missed something that is somehow hiding from my AV searches.

Author:  Linux_User [ Sun Aug 02, 2009 7:43 pm ]
Post subject:  Re: weird behaviour

Nick wrote:
A clean install would be the only thing that could give me the peace of mind.

Otherwise I would forever worry that I've missed something that is somehow hiding from my AV searches.


+1.

Author:  Spreadie [ Mon Aug 03, 2009 6:37 pm ]
Post subject:  Re: weird behaviour

I did do a clean install after I backed up the iTunes stuff.

BTW JJ, you're absolutely right about using a Linux boot CD. I have Knoppix on a CD for future use.

Still, despite it being bloody annoying, I did learn a few tricks, but it would be nice to have the luxury of learning without the risk to his iTunes library. He did receive a stern lecture on the merits of backing up his stuff.

Regards

Spreadie

All times are UTC