XP SP2 bootup issues


Andrew Gericke

Hi,

I hope someone can help me. We have about 10 computers in our office, all
connected to a Windows 2000 SBS server. On a few of these machines, we have
installed XP SP2. Two of these machines on which we have installed SP2 are
notebooks, and two others desktop computers. Since loading SP2, after typing
in the password to login, we intermittently get the message "xxxxxxxx.exe
has caused an error" with the two buttons, "Send to Microsoft" / "Do not
send to Microsoft" on this dialog box / message. The xxxxxxxx.exe file name
always changes, and is never the same. The only consistency is that it seems
to always be 8 characters (I think), and always seems to be an exe of sorts.
The file name is also made up of a combination of alphanumeric characters.

So, in summary:

Only happening on machines on which I have installed SP2 - currently loath
to install SP2 on any of the other computers.
Does not always happen
Happens on desktops and notebooks - can't see how it is a driver issue thus.
The filename reported in the error does not exist on the hard disk - full
search done
At this point the machine slows to a snail's pace, and only a reboot helps.
All computers run Trend Anti-Virus - Office Scan, kept right up to date all
the time.
Full Anti-Virus scan shows no virus. Also searched Trend's and other websites
for reference to any of these filenames - nothing.
Hard disk scan for bad sectors etc. done - nothing picked up
Hard disk defrag done


Any advice would be most appreciated.

Thanks

Andrew
 
Andrew Gericke said:
> Hi,
>
> I hope someone can help me. We have about 10 computers in our office, all
> connected to a Windows 2000 SBS server. On a few of these machines, we have
> installed XP SP2. Two of these machines on which we have installed SP2 are
> notebooks, and two others desktop computers. Since loading SP2, after typing
> in the password to login, we intermittently get the message "xxxxxxxx.exe
> has caused an error" with the two buttons, "Send to Microsoft" / "Do not
> send to Microsoft" on this dialog box / message. The xxxxxxxx.exe file name
> always changes, and is never the same. The only consistency is that it seems
> to always be 8 characters (I think), and always seems to be an exe of sorts.
> The file name is also made up of a combination of alphanumeric characters.

Sounds trojan-ish to me.

> So, in summary:
>
> Only happening on machines on which I have installed SP2 - currently loath
> to install SP2 on any of the other computers.
> Does not always happen
> Happens on desktops and notebooks - can't see how it is a driver issue thus.
> The filename reported in the error does not exist on the hard disk - full
> search done
> At this point the machine slows to a snail's pace, and only a reboot helps.
> All computers run Trend Anti-Virus - Office Scan, kept right up to date all
> the time.
> Full Anti-Virus scan shows no virus. Also searched Trend's and other websites
> for reference to any of these filenames - nothing.

If the files do not exist, a trojan or virus may be creating them on the
fly. Is Trend set to quietly delete viruses?

> Hard disk scan for bad sectors etc. done - nothing picked up
> Hard disk defrag done

I would suggest examining the systems closely for trojans and malware,
using Hijack This, explorer and Google. Also, use Agent Ransack to locate
and then delete the content.ie5 folders (after closing all IE windows).
This will be the fastest way to clear all the caches, which is a prime
location for launchers to hide.

Pay attention as you run Hijack This, and rescan after removing suspect
items. You'll probably notice a behaviour of registry lines being
re-inserted - this is often a trojan trying to maintain infection. The
names involved should give you clues as to what to look for.

Also examine the .exe and .dll contents of the \windows and \system32
folders. You'll probably find some suspects.

If you find problems on one machine, you can probably assume that the same
type of problem exists on *all* machines on the local network.

HTH
-pk
 
Hi, thanks for this advice. Unfortunately Hijack This only shows about 40
cookies on the one machine as being possible suspect items, but all with a
"non-Critical" status. I have used Ransack Agent to find and delete the
content.ie5 folders that I can, because even with all Explorer windows
closed I am getting a message to the effect that file index.dat is in use by
another program. All apps are closed. I can't spot any strange DLLs or EXEs
in the windows or system32 folders, although I may not be seeing the wood
for the trees in there.
 
And just got another one of these error messages on bootup: MFDC2.EXE (not 8
characters as I thought) encountered a problem and needed to close... "Send
/ Don't send" buttons.
 
And here is another bit of info I just found. In Task Manager, Processes, I
have just noticed a file running invoked by User "System" called GGB65A.EXE.
On scanning my hard drive this file currently resides in my Windows Temp
folder. Does anyone know what this file may be? It just looks a bit
suspicious.
 
Andrew Gericke said:
> And here is another bit of info I just found. In Task Manager, Processes, I
> have just noticed a file running invoked by User "System" called GGB65A.EXE.
> On scanning my hard drive this file currently resides in my Windows Temp
> folder. Does anyone know what this file may be? It just looks a bit
> suspicious.

More than a bit. No applications should be running from the temp folders.
End the process and then rename that to *.bad, or just delete the contents
of the temp folders.

You may need to restart in safe mode to get to this, but you are hot on the
trail.

HTH
-pk
 
Thanks, yes looks like hot on the trail, but it turns out there are currently
six similar files in the Windows Temp folder - and all have a little brown
dog for an icon. Easy enough to delete them, but clearly these files are
coming from somewhere in the first place. I can almost bet that deleting
them all now won't be the end of it, another one will just re-appear in a few
hours/days time, so the question is, where are these files coming from, and
even more interesting, how are they getting past Windows XP2's Windows
Firewall, Trend AV, and the SBS2000 box's Firewall? Why also on XP SP2
machines?
 
Andrew Gericke said:
> Thanks, yes looks like hot on the trail, but it turns out there are currently
> six similar files in the Windows Temp folder - and all have a little brown
> dog for an icon. Easy enough to delete them,

Yes. They will replicate. It's a bit of a wrestle to get all of them. You
probably want to pick a time where you can unplug the machines from the
network and leave them off till you've finished cleaning all of them, to
keep the ratty ones from sending stuff back to the cleaned ones.

You should just completely empty the temp folders, all of them. By
definition, the contents are supposed to be temporary.

There are temp folders for every user account and for Windows. Be sure to
get them all.

> but clearly these files are coming from somewhere in the first place.

Yes, and if you examine the user habits you'll probably find it. If you see
any sort of file-sharing apps, that's usually a huge clue.

> I can almost bet that deleting
> them all now won't be the end of it, another one will just re-appear in a few
> hours/days time,

Depends on what the users do and how much you manage to remove. It's
probably not a bad idea to also purge the restore points; these things
often hide there.

> so the question is, where are these files coming from,

They often are invited, but unwanted, "guests". A user clicks Yes to
install some piece of software from the web. That's all it takes.

> and even more interesting, how are they getting past Windows XP2's Windows
> Firewall, Trend AV, and the SBS2000 box's Firewall?

Probably, a user let them in, and they are carefully crafted to not appear
to those apps. If you know the rules they use you can get around them.

> Why also on XP SP2 machines?

Those machines may be targeted, but it may also be a question of the habits
of those specific users.

HTH
-pk
 
Andrew Gericke said:
> And here is another bit of info I just found. In Task Manager, Processes, I
> have just noticed a file running invoked by User "System" called GGB65A.EXE.
> On scanning my hard drive this file currently resides in my Windows Temp
> folder. Does anyone know what this file may be? It just looks a bit
> suspicious.


I am having the exact same phenomenon on a Windows 2K laptop. I
deleted everything in my TEMP folder except for the running process
because it won't let me delete it. Then I booted into Safe Mode w/
Command Prompt. When I navigate to the offending directory, it shows
no files. However, when I boot back into Windows ("Un-Safe Mode"), a
new executable with a random filename is created and runs in the
background as a process.

Is there any update on this problem? Thanks in advance.

drew
 
I don't get any of these files appearing on my PC, running Windows XP Pro SP1
with 512MB RAM. Could it be that you don't have much memory on these machines,
and these are virtual memory overflows? Or is it simply that you have a trojan?
Can you see what is run at startup? Have you run msconfig?
--
Mark Jacobs

 
Mark,

Thanks for the prompt response. There is nothing unusual running
during startup either in the registry
(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) or in the Startup
Folder. I have run Spybot, Adaware, HiJack This, and a-squared and
found nothing. The laptop is protected with TrendMicro and it finds
nothing. The only way that I can kill the process is to use EndItAll2,
which is a PC Magazine utility from several years ago that can be used
to kill just about any system process. After I kill the process, the
file is automatically deleted from the TEMP folder. However, when I
reboot, another randomly named exe file is created in the TEMP folder
and runs as a system process. Upon further review, the file always has
a date-time stamp of "7/6/2004 8:07 PM" and it always has the little
brown dog icon. The random file name is always 5 or 6 all CAPS
alphanumeric (currently, I have "YCB2DF.EXE" in my TEMP folder).

I suspect that this is some sort of Trojan but I have not found
anything about it anywhere in the electronic universe. As far as I can
tell, it is not doing anything "harmful" to my computer, but I know
that it should not be there.

Thanks in advance for any info!

drew
 
> Thanks for the prompt response. There is nothing unusual running
> during startup either in the registry
> (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) or in the Startup
> Folder. I have run Spybot, Adaware, HiJack This, and a-squared and
> found nothing. The laptop is protected with TrendMicro and it finds
> nothing.
> However, when I
> reboot, another randomly named exe file is created in the TEMP folder
> and runs as a system process. Upon further review, the file always has
> a date-time stamp of "7/6/2004 8:07 PM" and it always has the little
> brown dog icon. The random file name is always 5 or 6 all CAPS
> alphanumeric (currently, I have "YCB2DF.EXE" in my TEMP folder).

Maybe this is not malware. Check if the file is equal to OfcDog.exe
from the TrendMicro folder. They seem to have grown strange habits...

I found another report on
http://dotnetjunkies.com/WebLog/anoras/archive/2004/11/19/32676.aspx .

FF,

Daniel
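Two pieces of advice in this thread combine into one repeatable check: pk's point that nothing should be running out of a temp folder (and that every user account has its own), and Daniel's suggestion to test whether the temp-folder file is simply a copy of OfcDog.exe from the Trend Micro folder. The script below is an added example written for this page; it is not code from anyone in the thread or from Trend Micro. It takes a list of running-process image paths (on XP you can get these from `wmic process get ExecutablePath`; the script accepts a plain list so it runs offline), flags every .exe whose path sits under one of the temp folders you name, and reports whether each flagged file is byte-identical (same SHA-256) to a reference binary. The reference path, the temp folder list and the sample files in `make_sample_lab()` are constructed placeholders, not real paths from the posts.

```python
import hashlib
import os
import re
import tempfile


def _norm(path):
    """Lower-case and use '/' as the separator so Windows and POSIX paths compare alike."""
    return re.sub(r"[\\/]+", "/", path).rstrip("/").lower()


def is_in_temp_dir(path, temp_dirs):
    """True if the path lies under any of the listed temp folders (prefix match)."""
    n = _norm(path)
    return any(n.startswith(_norm(d) + "/") for d in temp_dirs)


def find_temp_executables(image_paths, temp_dirs):
    """Return the .exe image paths (e.g. from 'wmic process get ExecutablePath')
    that are running out of one of the temp folders."""
    return [p for p in image_paths
            if p.lower().endswith(".exe") and is_in_temp_dir(p, temp_dirs)]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(image_paths, temp_dirs, reference_binaries):
    """Map every executable running from a temp folder to the reference binary
    it is byte-identical to, or None if it matches nothing known (investigate)."""
    ref_digests = {}
    for ref in reference_binaries:
        if os.path.isfile(ref):
            ref_digests[sha256_of(ref)] = ref
    report = {}
    for p in find_temp_executables(image_paths, temp_dirs):
        # A process whose file has already vanished (drew saw the file delete
        # itself once the process was killed) is still worth reporting; it
        # simply cannot be hashed any more.
        report[p] = ref_digests.get(sha256_of(p)) if os.path.isfile(p) else None
    return report


def make_sample_lab():
    """Build a constructed on-disk sample: a stand-in 'vendor' binary, one
    temp-folder copy of it, and one unrelated temp-folder executable.
    Returns (temp_dir, reference, lookalike, stranger). All paths are
    hypothetical, created under a scratch directory."""
    root = tempfile.mkdtemp()
    temp_dir = os.path.join(root, "Temp")
    os.makedirs(temp_dir)
    vendor_bytes = b"MZ constructed stand-in for a vendor binary"
    ref = os.path.join(root, "OfcDog.exe")             # hypothetical reference copy
    lookalike = os.path.join(temp_dir, "GGB65A.EXE")   # same bytes, temp folder
    stranger = os.path.join(temp_dir, "YCB2DF.EXE")    # different bytes, temp folder
    for path, data in ((ref, vendor_bytes), (lookalike, vendor_bytes),
                       (stranger, b"MZ constructed unknown payload")):
        with open(path, "wb") as f:
            f.write(data)
    return temp_dir, ref, lookalike, stranger


if __name__ == "__main__":
    temp_dir, ref, lookalike, stranger = make_sample_lab()
    running = [lookalike, stranger, ref, r"C:\WINDOWS\system32\svchost.exe"]
    for image, match in triage(running, [temp_dir], [ref]).items():
        print(image, "->", "identical to " + match if match else "UNKNOWN, investigate")
```

On a real machine, list both `C:\WINDOWS\Temp` and each account's `Local Settings\Temp` in `temp_dirs`, as pk advises. Read the result narrowly: a hash match proves the temp file is a copy of the reference and nothing more, and a mismatch means only that it is not that particular binary, so an unmatched file still needs looking at rather than being assumed malicious.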
 