Nasty Windows 2000 virus?
I have a machine that yesterday would not launch a DOS program for one of our tool room guys.
So I went up there today to see what happened.
The computer:
a) no antivirus
b) Command Prompt would open and immediately close
c) Trying to go to antispyware/antivirus websites (malwarebytes.org, symantec.com, etc.) would say page cannot be displayed.
So, I took the hard drive out of the computer and put it in a spare desktop we have (not on the network...)
because when trying to boot into safe mode, I would get the BSoD.
Malwarebytes & Symantec don't seem to be seeing anything. (Not in safe mode currently.)
Any suggestions?
Comments
- rfult001 (Member, Posts: 407)
Reformat. But if you must... try some other programs, i.e. McAfee, Spybot, SuperAntiSpyware, etc. Also run HijackThis.
- the_Grinch (Member, Posts: 4,165)
I'd run regedit and check to see what is set to start when the computer starts. Another program you can run is HijackThis! Great program to run, and then post what you find; should help you out. But yeah, does sound like a virus to me, possibly Conficker, but not 100% on that.
MS08-067 Worm, Downadup/Conficker - F-Secure Weblog : News from the Lab
WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
- vCole (Member, Posts: 1,573)
the_Grinch wrote: »
I'd run regedit and check to see what is set to start when the computer starts. Another program you can run is HijackThis! Great program to run, and then post what you find; should help you out. But yeah, does sound like a virus to me, possibly Conficker, but not 100% on that.
MS08-067 Worm, Downadup/Conficker - F-Secure Weblog : News from the Lab
Kills regedit once I open it. Probably is the Conficker.
- Megadeth4168 (Member, Posts: 2,157)
Get yourself a copy of Ultimate Boot CD for Windows
ubcd4win.com
This utility has been awesome in assisting me fight malware.
- vCole (Member, Posts: 1,573)
Megadeth4168 wrote: »
Get yourself a copy of Ultimate Boot CD for Windows
ubcd4win.com
This utility has been awesome in assisting me fight malware.
Boss won't let me.
- Megadeth4168 (Member, Posts: 2,157)
FadeToBright wrote: »
Boss won't let me.
Wow! That's a major downer.
What are you allowed to do? Are you allowed to create a CD/thumb drive with a collection of tools to install on the non-networked computer that is being used to host the drive in question?
- vCole (Member, Posts: 1,573)
Megadeth4168 wrote: »
Wow! That's a major downer.
What are you allowed to do? Are you allowed to create a CD/thumb drive with a collection of tools to install on the non-networked computer that is being used to host the drive in question?
I'm not allowed to use my personal thumb drive, and only approved software from her network guy on a company thumb drive.
- Kaminsky (Member, Posts: 1,235)
Doesn't sound like Conficker/Downadup. That worm is for remote control and I don't think it has those side effects.
Not letting you into regedit is a new one. If it's clever enough to protect itself like that, then you're probably left with only one option, as how can you be sure you have eradicated it?
SPLAT the drive and save yourself a lot of time and grief. Lesson learnt for the end user.
Kam.
- the_Grinch (Member, Posts: 4,165)
Did you run HijackThis?
- shednik (Member, Posts: 2,005)
FadeToBright wrote: »
I'll try to, my boss may yell at me.
This is the same boss too cheap to take the time and road map her technology plans and buy equipment that will be reliable, not just cheap... I don't know about you, but from what I have heard I wouldn't want to work for this person... Sounds like she's very out of touch with technology and thinks she knows everything.
If you really want to find out what is causing this I'd do it, but maybe get the user back up and running first IMO; that's always the goal of course... Now I remember why I don't miss doing desktop support with know-it-all help desk managers.
- vCole (Member, Posts: 1,573)
shednik wrote: »
This is the same boss too cheap to take the time and road map her technology plans and buy equipment that will be reliable, not just cheap... I don't know about you, but from what I have heard I wouldn't want to work for this person... Sounds like she's very out of touch with technology and thinks she knows everything.
If you really want to find out what is causing this I'd do it, but maybe get the user back up and running first IMO; that's always the goal of course... Now I remember why I don't miss doing desktop support with know-it-all help desk managers.
Yeah it is.
It's just me and her for IT support here....
- shednik (Member, Posts: 2,005)
I found another solution if you're still looking to clean the drive... it's about a year old but looks to have a good tutorial if you're not too familiar with Linux:
Neil's Open Source & Linux Blog: Virus scan Windows using a Linux live CD
Booting into a live Linux session and scanning the Windows partition that way. I'm sure your boss won't like this because she doesn't have it approved, but it's also safer this way, as the partition isn't active and running while it's being scanned.
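One thing worth doing while the drive is mounted read-only from a live Linux session (alongside the AV scan) is to look at the offline copy of the Windows hosts file, since a hosts override is one common reason only antivirus/antispyware sites show "page cannot be displayed" while everything else loads. The script below is an added example written for this thread, not code from the blog post linked above or from any tool mentioned here. It assumes the Windows 2000 partition is mounted at a path like /mnt/win (so the file is /mnt/win/WINNT/system32/drivers/etc/hosts), and the vendor domain list is an assumption built from the sites named in the first post plus McAfee; that the hosts file is the actual cause on this machine is also an assumption, so treat a hit as something to investigate rather than proof.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the offline Windows hosts file
# on a partition mounted read-only from a Linux live CD, and report any line
# that maps a security-vendor domain to an address. Such entries are a common
# way malware blocks AV/antispyware sites; their presence here is an
# assumption to check, not something the thread confirmed.

# Assumed vendor list: the two sites named in the first post plus one more.
VENDOR_DOMAINS="malwarebytes.org symantec.com mcafee.com"

# Print every hosts-file line whose hostname fields include a listed vendor
# domain (exact match or a subdomain of it). Windows CRLF endings and comments
# are stripped before matching.
# Usage: check_hosts_file /mnt/win/WINNT/system32/drivers/etc/hosts
check_hosts_file() {
    hosts_file="$1"
    if [ ! -f "$hosts_file" ]; then
        echo "no hosts file at $hosts_file" >&2
        return 2
    fi
    tr -d '\r' < "$hosts_file" | sed 's/#.*//' | awk -v doms="$VENDOR_DOMAINS" '
        BEGIN { n = split(doms, d, " ") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                for (j = 1; j <= n; j++)
                    if ($i == d[j] || substr($i, length($i) - length(d[j])) == "." d[j]) {
                        print $0
                        next
                    }
        }'
}

# Number of suspicious lines found; prints 0 when the file is clean.
count_hosts_overrides() {
    check_hosts_file "$1" | grep -c . || true
}

# Bonus check for the same offline scan: binaries under system32 changed in
# the last N days (default 7). Only useful as a starting point for a manual look.
# Usage: list_recent_binaries /mnt/win/WINNT/system32 7
list_recent_binaries() {
    find "$1" -maxdepth 1 -type f \( -iname '*.exe' -o -iname '*.dll' \) \
        -mtime "-${2:-7}" -printf '%TY-%Tm-%Td %p\n' 2>/dev/null | sort
}
```

Run it as `count_hosts_overrides /mnt/win/WINNT/system32/drivers/etc/hosts`; anything other than 0 means a vendor site is being answered from the hosts file rather than DNS, and `check_hosts_file` shows the lines. The `find -printf` in the bonus function is GNU-specific, which is fine on a typical Linux live CD.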
- the_Grinch (Member, Posts: 4,165)
Not saying that you should, but sometimes I've had to do things my way to solve a problem. Problem gets solved and no one asks questions.
- shednik (Member, Posts: 2,005)
the_Grinch wrote: »
Not saying that you should, but sometimes I've had to do things my way to solve a problem. Problem gets solved and no one asks questions.
I can see that working in teams larger than 2, though, but it sounds like her boss likes to have her finger in everything going on. How many users do you support, Fade, just out of curiosity?
- vCole (Member, Posts: 1,573)
shednik wrote: »
I can see that working in teams larger than 2, though, but it sounds like her boss likes to have her finger in everything going on. How many users do you support, Fade, just out of curiosity?
Well, it's a factory, so the office is about 30 and the factory has about 20 computers.
- cisco_trooper (Member, Posts: 1,441)
Yeah, your boss needs to get a clue....
It's malware. Clean it up. It should be that simple. I'd walk right out of that place.
- macdude (Member, Posts: 173)
I would download msconfig for Windows 2000 and disable all startup items and services not Microsoft related and see if the machine runs any better, then try all of the tools that you are allowed to.
If you're not allowed to use some of the tools mentioned, how does she expect you to fix this issue? I can understand formatting, but after everything else has been tried first.
- vCole (Member, Posts: 1,573)
cisco_trooper wrote: »
Yeah, your boss needs to get a clue....
It's malware. Clean it up. It should be that simple. I'd walk right out of that place.
If I could afford to, I would.
She doesn't trust anything I say, not one word. She always says "let me ask my network guy..."
Who is coming in tomorrow, and we pay for all his expenses.
- the_Grinch (Member, Posts: 4,165)
Heh, if that is the case, I'm free tomorrow to come up and fix it.
- vCole (Member, Posts: 1,573)
the_Grinch wrote: »
Heh, if that is the case, I'm free tomorrow to come up and fix it.
I'm really kind of frustrated because when I was hired they said that I could start doing network related things since they outsourced it, but she won't let me touch ANYTHING.
- undomiel (Member, Posts: 2,818)
If you weren't in RI I'd swear you were dealing with my old boss! Unless she moved there ... uh oh ...
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
- vCole (Member, Posts: 1,573)
undomiel wrote: »
If you weren't in RI I'd swear you were dealing with my old boss! Unless she moved there ... uh oh ...
She's been working for this company for 20 years, so...
- KGhaleon (Member, Posts: 1,346)
People like that are know-it-alls and you have to instill a sense of trust and knowledge in them, otherwise she will always be like that. If I were you I wouldn't bother explaining what I'm going to do to resolve the issue.
You just want to get the machine back up and working normally again as quickly as you can.
I would install WinPatrol, which is quite small, and see what it finds running in the background. HijackThis will show you if there are any unusual processes running.
Reimaging the machine is the best idea though, and you'd just have to reinstall apps and transfer data. Would probably take less time to do also. Just make sure the system you transfer the stuff back onto is properly virus-protected.
You should make sure they are using good antivirus protection at your workplace. If a computer isn't patched and protected, it shouldn't even be on the network.
Present goals: MCAS, MCSA, 70-680
- Kaminsky (Member, Posts: 1,235)
FadeToBright wrote: »
She doesn't trust anything I say, not one word. She always says "let me ask my network guy..."
If she is the main lassie in the department, why TF isn't SHE trying to sort this then? ... To be fair, bringing in outside contractors to fix this so quickly does show good management potential as far as I am concerned, so don't beat up on her too much.
You're obviously considered "the junior", so from now on, just try to help (goes a long way in our eyes; that's where we all come from, so we know your pain very well).
The "network guy" obviously commands her respect in so much that she will listen to him but not you.... BIG CLUE HERE!
My 20-year vet advice..... back off, shut up and stop getting in the way! They don't want you to be the one to fix this. Remember... nobody likes a smartarse!
Most importantly, cover their backs. Let them get on with it regardless of the outcome! I promise that the world will not end because of this...
Get on with your normal day to day. Don't try to impress anymore... You have already shown willing..... That's enough now!
It isn't Conficker et al [regardless how much it is in the press], so let them run with it and just back off and make sure you handle all (or as much of) the normal day to day whilst they fanny about... There will be a lot more kudos in it for you in the long run... [you tried to help a few times but knew the show had to go on, so covered their backs] ... whilst they were fannying about! Don't let them know you are doing this or give them a running update of how much you are covering their backs... remember... shush now!
Trust me on this... back away and take care of normal day to day.... This is what "juniors" are for in a crisis... If you're not being listened to... shut your mouth and make yourself look good in the background for later... Will show a lot more maturity in the long run and show the "network guy" (apparently being the only knowledgeable person on site) you are pro material... make a point to ask him, once it is all done and dusted, what actually happened and how it got fixed... (shows interest, but you knew you had to keep things going...)
Learn how to turn a crisis into an opportunity... If you have 10,000 users and 200 of them have a massive, catastrophic problem, that means you only have 5% of your user base that are experiencing problems....
Valuable support lesson, that!
- vCole (Member, Posts: 1,573)
Kaminsky wrote: »
If she is the main lassie in the department, why TF isn't SHE trying to sort this then? ... To be fair, bringing in outside contractors to fix this so quickly does show good management potential as far as I am concerned, so don't beat up on her too much.
You're obviously considered "the junior", so from now on, just try to help (goes a long way in our eyes; that's where we all come from, so we know your pain very well).
The "network guy" obviously commands her respect in so much that she will listen to him but not you.... BIG CLUE HERE!
My 20-year vet advice..... back off, shut up and stop getting in the way! They don't want you to be the one to fix this. Remember... nobody likes a smartarse!
Most importantly, cover their backs. Let them get on with it regardless of the outcome! I promise that the world will not end because of this...
Get on with your normal day to day. Don't try to impress anymore... You have already shown willing..... That's enough now!
It isn't Conficker et al [regardless how much it is in the press], so let them run with it and just back off and make sure you handle all (or as much of) the normal day to day whilst they fanny about... There will be a lot more kudos in it for you in the long run... [you tried to help a few times but knew the show had to go on, so covered their backs] ... whilst they were fannying about! Don't let them know you are doing this or give them a running update of how much you are covering their backs... remember... shush now!
Trust me on this... back away and take care of normal day to day.... This is what "juniors" are for in a crisis... If you're not being listened to... shut your mouth and make yourself look good in the background for later... Will show a lot more maturity in the long run and show the "network guy" (apparently being the only knowledgeable person on site) you are pro material... make a point to ask him, once it is all done and dusted, what actually happened and how it got fixed... (shows interest, but you knew you had to keep things going...)
Learn how to turn a crisis into an opportunity... If you have 10,000 users and 200 of them have a massive, catastrophic problem, that means you only have 5% of your user base that are experiencing problems....
Valuable support lesson, that!
Wow.
And actually, I was the one asked to fix this. He's coming in to see where we're moving our offices to.
- the_Grinch (Member, Posts: 4,165)
I don't have 20 years in, but I have to respectfully disagree. In situations like this I took it as a personal challenge and solved the issue. In all cases management respected me more for having solved the issue and even asked what I did for future reference. There are times when you shut up and listen, but if that is what you do for every situation then you won't ever be taken seriously. Plus, consultants come and go, so you have to prove you can get things done... or at least that's my opinion.
(Opinions are like buttholes: everyone has one and everyone believes everyone else's stinks.)
- vCole (Member, Posts: 1,573)
the_Grinch wrote: »
I don't have 20 years in, but I have to respectfully disagree. In situations like this I took it as a personal challenge and solved the issue. In all cases management respected me more for having solved the issue and even asked what I did for future reference. There are times when you shut up and listen, but if that is what you do for every situation then you won't ever be taken seriously. Plus, consultants come and go, so you have to prove you can get things done... or at least that's my opinion.
(Opinions are like buttholes: everyone has one and everyone believes everyone else's stinks.)
I forgot to mention the backstory.
When I was hired they said they'd revisit my pay after 6 months to see how much networking I had taken over (and less they had to outsource),
hence the frustration.
- Kaminsky (Member, Posts: 1,235)
FadeToBright wrote: »
Wow.
And actually, I was the one asked to fix this. He's coming in to see where we're moving our offices to.
Doh! My bad. Must have completely misread the issue.