Windows Freezes After Possible Virus


Ben

Hi,

I have a user who is running Windows XP SP2. Apparently he visited a
'font' website this morning, a while after he visited the site, his
desktop hung, so he rebooted, after logging in he found that windows
freezes just after loading the desktop. Clicking on the start menu
causes it to freeze with the menu up, but unable to select anything,
doing ctrl+alt+delete and trying to open task manager just leaves a
blank desktop, showing only the background.

When I took a look at the machine, the only way I could get into
Windows to do anything useful was to boot into safe mode. Once in, I
looked at the registry, and found a strange looking exe called
punnet.exe (I think this was the name) under hklm\software\microsoft
\windows\currentversion\run, googling shows this as a backdoor/trojan,
so I deleted the registry entry, and the exe from windows\system32,
where I also found a number of randomly named DLL files. I also
updated the symantec AV dat files, and ran a full scan, which found no
other viruses. I also ran a scan using bitdefenders online scanner,
and trend micro's, neither found anything.

So I rebooted, and logged in, but once again, windows freezes just
after the desktop loads. I booted into safe mode again, and added
taskmgr.exe to the startup folder, then rebooted into normal mode
again. This time I got task manager up before windows froze. Much to
my surprise, the cpu utilization didn't jump up to 100% when it froze,
in fact it was down around 10%, there didn't seem to be any out of
place processes running, and nothing was hogging memory, I couldn't
see any reason for windows to be frozen.

I rebooted into safe mode again, then downloaded and installed SP3,
which completed successfully. But when I rebooted this time, and logged
in, the desktop doesn't even load before it freezes, windows does the
whole 'loading personal settings...' which runs through, but then just
hangs with an empty screen, and just the background showing, it never
gets any further. I've tried logging in as another user, creating a
new user and logging in, just in case it was a corrupt user profile,
but Windows still freezes.

I'm not sure what else to try, besides scraping the data off, and
doing a clean install.

Anyone got any ideas?

Cheers

Ben
 

Kayman

Upgrading a compromised operating system (SP2 to SP3) won't solve your
problem.

1. How to remove Windows XP Service Pack 3 from your computer
http://support.microsoft.com/kb/950249

2. Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run'... then type (or copy/paste)
"inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete
files and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

3. Clean HDD
Click 'Start' and then click 'Run...' then type (or copy/paste) "cleanmgr"
(w/out quotation marks) into the box, then click the 'OK' button. Select
your drive (presumably WinXP (C:)) and click OK.

4. Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

--and/optional--
Kaspersky® Virus Removal Tool
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.kaspersky.com/support/viruses/avptool?level=2
--and/optional--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and/optional--
a-squared Free or a-squared Command Line Scanner
http://www.emsisoft.com/en/software/download/
--and/optional--
BitDefender10 Free Edition (*NOT FOR VISTA*)
http://www.bitdefender.com/site/Downloads/browseEvaluationVersion/1/42/

NOTE:
The above mentioned applications are not capable of real-time protection
of your computer; they are on-demand scanners.

Kaspersky® Virus Removal Tool, Dr.Web CureIt!® have no update feature (so
they don't turn into full blown scanners). As soon as your computer is
cleaned you are supposed to remove these tools from your operating system
and revert back to your (updated) resident (real-time) AV application.
Re: Kaspersky® Virus Removal Tool; To uninstall/move this program 'enable
self-defense' must be unchecked!

BitDefender10 Free Edition, a-squared Free or a-squared Command Line
Scanner and the free version of Malwarebytes© and SuperAntispyware have an
update feature; keep the latter two (2) installed in addition to your
resident AV/A-S applications and scan frequently.

BTW: "Malwarebytes actually performs better in Normal Mode" says Dustin
Cook, co-author of MBAM.

To scan your computer with the most up-to-date Kaspersky® AVPTool and
Dr.Web CureIT!® virus databases next time you should download new
Kaspersky® AVPTool and Dr.Web CureIt!® packages.

5. After the software is updated, it is suggested that you scan the system in
Safe Mode (this does not apply to MBAM).
"Malwarebytes actually performs better in Normal Mode" says Dustin Cook,
co-author of MBAM.
How do you boot to Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) during re-boot.
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222

Alternatively:
Click Start==>Run... then type (or copy/paste) "msconfig" (without
quotation marks), click OK. Then click onto BOOT.INI tab and 'check'
/SAFEBOOT then OK and click Restart. To go back to Normal Mode, you must
access the System Configuration utility again and click the General tab
then click/check the radio button 'Normal Startup'- load all device drivers
and services'.

6. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

7. Steps to take before you install Windows XP Service Pack 3
http://support.microsoft.com/kb/950717

8. Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Additional references:
How to optimize or reset Internet Explorer 7
http://support.microsoft.com/kb/936213
Applies to: Windows Internet Explorer 7 in Windows Vista

How to use Reset Internet Explorer Settings (RIES)
http://support.microsoft.com/kb/923737
Read: "What you must know"
Applies to: Windows Internet Explorer 7 for Windows XP and
Windows Internet Explorer 7 in Windows Vista

Good luck :)
 

Kelly

While in Safe Mode, clear out the run keys: Local Machine and Current User.
Also uncheck everything under msconfig/startup. In addition, run Disk
Cleanup to remove all but the last system restore point.

Run HijackThis and Malwarebytes while there. Then boot into Normal Mode to
complete the cleaning.

The above mentioned programs and more are listed here:

Spyware Cleaners that WORK!

Line 393 - Right Hand Side: http://www.kellys-korner-xp.com/xp_tweaks.htm

Or see: http://www.kellys-korner-xp.com/xp_s.htm#spy

*Note: Update all (except HijackThis) before using.

Good luck and keep us posted.

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
 

Ben

Hi Kayman,

Thanks for the info!

I had another go this morning following your instructions; the
Malwarebytes' Anti-Malware seemed to do the trick! I ran it across the
system, and it found 13 infections that Symantec and a number of
other virus scanners had missed - Impressive! After removing these
and rebooting, Windows was back up and running normally again. I also
went through the rest of your post and took those steps, along with
running Windows Updates, and MBAM again just to double check!

I've posted the MBAM log below, just in case anyone else wants to
compare their registry with what MBAM found.

Thanks again!

Ben

-------------------------------------------------------
Malwarebytes' Anti-Malware 1.32
Database version: 1627
Windows 5.1.2600 Service Pack 3

07/01/2009 09:56:54
mbam-log-2009-01-07 (09-56-44).txt

Scan type: Quick Scan
Objects scanned: 70569
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action
taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action
taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No
action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
(Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\simon\Local Settings\Temp\prun.tmp
(Trojan.Downloader) -> No action taken.
C:\Documents and Settings\simon\Local Settings\Temp\winvsnet.tmp
(Rogue.Installer) -> No action taken.
C:\Documents and Settings\simon\Local Settings\Temp\xpre.tmp
(Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\senekavxcimxsd.dll (Trojan.Agent) -> No action
taken.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> No action
taken.
C:\WINDOWS\system32\drivers\senekambnpvudn.sys (Trojan.Agent) -> No
action taken.
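As an added example (mine, not part of Ben's post and not Malwarebytes' own tooling), here is a small Python parser for the MBAM log format shown above, written for the defender who wants to turn a pasted log into a structured list of detections rather than read it by eye. The sample log embedded in the block is a shortened copy of the one above with the summary counts adjusted to match the entries kept, and it is wrapped the way the newsreader wrapped the original, so the parser has to re-join continuation lines before it can read an entry. check_counts compares the summary block with the parsed entries, which catches a truncated paste; classify_persistence tags entries that sit in autostart locations (the Run keys Kelly mentions, the Explorer ShellExecuteHooks value and the driver file in the log) using a rule table I chose, which is an assumption of this example and not something MBAM reports.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the MBAM 1.32 log pasted in the post
# above, with the summary counts adjusted to match the entries kept. Lines are
# wrapped the way the newsreader wrapped them, so entries span several lines.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.32
Database version: 1627
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action
taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action
taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
(Trojan.Vundo) -> No action taken.

Files Infected:
C:\Documents and Settings\simon\Local Settings\Temp\prun.tmp
(Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\senekavxcimxsd.dll (Trojan.Agent) -> No action
taken.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> No action
taken.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary block line
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")       # detail section header
ENTRY_START_RE = re.compile(r"^(HKEY_|[A-Z]:\\)")          # registry or file path
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"

# Assumed rule table (mine, not MBAM's): path patterns that mark an autostart
# or persistence location worth re-checking by hand after the cleanup.
PERSISTENCE_RULES = (
    (r"\\CurrentVersion\\Run", "autorun (Run key)"),
    (r"\\ShellExecuteHooks\\", "Explorer ShellExecuteHooks hook"),
    (r"\\Ext\\Stats\\\{", "IE add-on (BHO/extension) trace"),
    (r"\\drivers\\[^\\]+\.sys$", "kernel driver"),
)


def classify_persistence(path):
    """Return the persistence label for a path, or None if no rule matches."""
    for pattern, label in PERSISTENCE_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return None


def _finish(entry, section, detections):
    """Parse one re-joined entry line and append it to detections."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError("unparseable entry in %s: %r" % (section, entry))
    detections.append({"section": section, "path": m.group("path"),
                       "threat": m.group("threat"), "action": m.group("action"),
                       "persistence": classify_persistence(m.group("path"))})


def parse_mbam_log(text):
    """Return {'counts': summary counts by section, 'detections': parsed entries}."""
    counts, detections = {}, []
    section, pending = None, None          # pending = entry still being re-joined
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            if pending:
                _finish(pending, section, detections)
            section, pending = m.group(1), None
            continue
        if not line:
            if pending:
                _finish(pending, section, detections)
                pending = None
            continue
        if section is None or line == NO_ITEMS:
            continue
        if ENTRY_START_RE.match(line):
            if pending:
                _finish(pending, section, detections)
            pending = line
        elif pending is not None:
            # Wrapped continuation: a path fragment (starts with '\') joins
            # directly; anything else was split at a space.
            pending += ("" if line.startswith("\\") else " ") + line
    if pending:
        _finish(pending, section, detections)
    return {"counts": counts, "detections": detections}


def check_counts(counts, detections):
    """Map section -> (reported, parsed) wherever the summary disagrees with
    the entries actually parsed; an empty dict means the paste is consistent."""
    seen = defaultdict(int)
    for d in detections:
        seen[d["section"]] += 1
    return {name: (n, seen[name]) for name, n in counts.items() if n != seen[name]}


def summarize(detections):
    """Group detected paths by threat family."""
    by_threat = defaultdict(list)
    for d in detections:
        by_threat[d["threat"]].append(d["path"])
    return dict(by_threat)


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    for d in result["detections"]:
        print("%-18s %-32s %s" % (d["threat"], d["persistence"] or "-", d["path"]))
    print("summary mismatches:", check_counts(result["counts"], result["detections"]))
```

Running the block prints one line per detection with its threat family, persistence tag and path, then an empty mismatch dict; feeding it a paste that lost its last entry makes check_counts report the section whose count no longer matches, which is the first thing to verify before trusting a log somebody else pasted.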
 

Kayman

Hi Kayman,

Thanks for the info!

I had another go this morning following your instructions; the
Malwarebytes' Anti-Malware seemed to do the trick! I ran it across the
system, and it found 13 infections that Symantec and a number of
other virus scanners had missed - Impressive! After removing these
and rebooting, Windows was back up and running normally again. I also
went through the rest of your post and took those steps, along with
running Windows Updates, and MBAM again just to double check!

<snip>

Good! Please do a HJT scan as well and send the log to a forum as suggested
in #6 to be examined by an expert. You may wish to consider removing Norton
from your operating system and go for another freely available AV
application.

Good luck :)
 

David H. Lipman

From: "Ben" <[email protected]>


| Hi Kayman,

| Thanks for the info!

| I had another go this morning following your instructions; the
| Malwarebytes' Anti-Malware seemed to do the trick! I ran it across the
| system, and it found 13 infections that Symantec and a number of
| other virus scanners had missed - Impressive! After removing these
| and rebooting, Windows was back up and running normally again. I also
| went through the rest of your post and took those steps, along with
| running Windows Updates, and MBAM again just to double check!

| I've posted the MBAM log below, just in case anyone else wants to
| compare their registry with what MBAM found.

| Thanks again!

| Ben

As noted by Kayman, never install a Service Pack to deal with a malware infection.

Indeed, the installation could have gone terribly bad and corrupted the OS beyond repair.
Always thoroughly clean the PC of malware, and only after scans by several different
anti-malware scanners indicate a clean PC should you install the Service Pack.
 
