Re: XP SP2 bootup issues

From: Andrew Gericke (amgerick_at_mweb.co.za)
Date: 11/02/04


Date: Tue, 2 Nov 2004 23:25:46 +0200

Thanks, yes, it looks like I'm hot on the trail, but it turns out there are
currently six similar files in the Windows Temp folder, and all have a little
brown dog for an icon. Easy enough to delete them, but clearly these files are
coming from somewhere in the first place. I can almost bet that deleting them
all now won't be the end of it; another one will just reappear in a few
hours'/days' time, so the question is, where are these files coming from, and
even more interesting, how are they getting past Windows XP SP2's Windows
Firewall, Trend AV, and the SBS2000 box's firewall? Why also on XP SP2
machines?

"Test User" <test@dev.null> wrote in message
news:wqShd.12834$OD3.753246@news20.bellglobal.com...
> "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
> news:eLN8LyRwEHA.3716@TK2MSFTNGP15.phx.gbl...
>> And here is another bit of info I just found. In Task Manager, Processes,
>> I have just noticed a file running invoked by User "System" called
>> GGB65A.EXE.
>> On scanning my hard drive this file currently resides in my Windows Temp
>> folder. Does anyone know what this file may be? It just looks a bit
>> suspicious.
>
> More than a bit. No applications should be running from the temp folders.
> End the process and then rename that to *.bad, or just delete the contents
> of the temp folders.
>
> You may need to restart in safe mode to get to this, but you are hot on
> the trail.
>
> HTH
> -pk
>
>
>>
>>
>> "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
>> news:%23CuzoqRwEHA.2568@TK2MSFTNGP11.phx.gbl...
>> > And just got another one of these error messages on bootup: MFDC2.EXE
>> > (not 8 characters as I thought) encountered a problem and needed to
>> > close... "Send / Don't send" buttons.
>> >
>> >
>> > "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
>> > news:OM18OkRwEHA.1228@TK2MSFTNGP10.phx.gbl...
>> >> Hi, thanks for this advice. Unfortunately Hijack This only shows about
>> >> 40 cookies on the one machine as being possible suspect items, but all
>> >> with a "non-Critical" status. I have used Ransack Agent to find and
>> >> delete content.ie5 folders, the ones I can, because even with all
>> >> explorer windows closed I am getting a message to the effect that file
>> >> index.dat is in use by another program. All apps are closed. I can't
>> >> spot any strange dll's or exe's in the windows or system32 folders,
>> >> although I may not be seeing the wood for the trees in there.
>> >>
>> >>
>> >>
>> >> "Test User" <test@dev.null> wrote in message
>> >> news:cLQhd.12741$OD3.741377@news20.bellglobal.com...
>> >>> "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
>> >>> news:eC0ILsQwEHA.1192@tk2msftngp13.phx.gbl...
>> >>>> Hi,
>> >>>>
>> >>>> I hope someone can help me. We have about 10 computers in our
>> >>>> office, all connected to a Windows 2000 SBS server. On a few of
>> >>>> these machines, we have installed XP SP2. Two of these machines on
>> >>>> which we have installed SP2 are notebooks, and two others desktop
>> >>>> computers. Since loading SP2, after typing in the password to
>> >>>> login, we intermittently get the message "xxxxxxxx.exe has caused an
>> >>>> error" with the two buttons, "Send to Microsoft" / "Do not send to
>> >>>> Microsoft" on this dialog box / message. The xxxxxxxx.exe file name
>> >>>> always changes, and is never the same. The only consistency is that
>> >>>> it seems to always be 8 characters (I think), and always seems to
>> >>>> be an exe of sorts. The file name is also made up of a combination
>> >>>> of alphanumeric characters.
>> >>>
>> >>> Sounds trojan-ish to me.
>> >>>
>> >>>>
>> >>>> So, in summary:
>> >>>>
>> >>>> Only happening on machines on which I have installed SP2 -
>> >>>> currently loath to install SP2 on any of the other computers.
>> >>>> Does not always happen.
>> >>>> Happens on desktops and notebooks - can't see how it is a driver
>> >>>> issue thus.
>> >>>> The filename reported in the error does not exist on the hard disk -
>> >>>> full search done.
>> >>>> At this point the machine slows to a snail's pace, and only a reboot
>> >>>> helps.
>> >>>> All computers run Trend Anti-Virus - Office Scan, kept right up to
>> >>>> date all the time.
>> >>>> Full Anti-Virus scan shows no virus. Also searched Trend's and other
>> >>>> websites for reference to any of these filenames - nothing.
>> >>>
>> >>> If the files do not exist, a trojan or virus may be creating them on
>> >>> the fly. Is Trend set to quietly delete viruses?
>> >>>
>> >>>> Hard disk scan for bad sectors etc done - nothing picked up
>> >>>> Hard disk defrag done
>> >>>>
>> >>>>
>> >>>> Any advice would be most appreciated.
>> >>>>
>> >>>> Thanks
>> >>>>
>> >>>> Andrew
>> >>>
>> >>> I would suggest examining the systems closely for trojans and
>> >>> malware, using Hijack This, explorer and Google. Also, use Agent
>> >>> Ransack to locate and then delete the content.ie5 folders (after
>> >>> closing all IE windows). This will be the fastest way to clear all
>> >>> the caches, which is a prime location for launchers to hide.
>> >>>
>> >>> Pay attention as you run Hijack This, and rescan after removing
>> >>> suspect items. You'll probably notice a behaviour of registry lines
>> >>> being re-inserted - this is often a trojan trying to maintain
>> >>> infection. The names involved should give you clues as to what to
>> >>> look for.
>> >>>
>> >>> Also examine the .exe and .dll contents of the \windows and \system32
>> >>> folders. You'll probably find some suspects.
>> >>>
>> >>> If you find problems on one machine, you can probably assume that the
>> >>> same type of problem exists on *all* machines on the local network.
>> >>>
>> >>> HTH
>> >>> -pk
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>
>
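
The advice in this thread (end anything executing out of a Temp folder, watch
for Run-key lines that come back after removal, look for short random
alphanumeric .EXE names) can be turned into a repeatable offline triage. The
script below is an added example, not code posted in the thread or any Trend
product. Its inputs are constructed: the process listing mimics the pid / user
/ image path columns of Task Manager or Process Explorer, and the Run-key text
mimics a `reg export` of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
The profile name "user", the "TrendAV" value and its path are assumptions. It
goes slightly beyond the thread by checking both the system Temp folder and
the per-user Local Settings\Temp, and it shows why the name heuristic alone is
not enough (it requires a digit so that svchost.exe and services.exe are not
flagged).

```python
"""Offline triage for processes running from Temp, random-looking short .EXE
names, and Run-key values that would relaunch them after deletion.
Added example with constructed input; paths and product names are assumed."""
import re
from pathlib import PureWindowsPath

# Locations from which no service-level process should normally execute.
# The profile name "user" is an assumption for this example.
TEMP_DIRS = (
    r"C:\WINDOWS\Temp",
    r"C:\Documents and Settings\user\Local Settings\Temp",
)

# Short alphanumeric basename containing at least one digit (GGB65A.EXE,
# MFDC2.EXE). Weak on its own: legitimate names with digits also match,
# so treat it as corroboration of the Temp location, not as proof.
RANDOM_NAME = re.compile(r"^(?=.*\d)[A-Z0-9]{4,8}\.EXE$", re.IGNORECASE)

# One value line of a .reg export: "name"="data" (data may contain \" and \\).
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def under_temp(path: str) -> bool:
    """True if path names something strictly below a TEMP_DIRS entry (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for d in TEMP_DIRS:
        base = [p.lower() for p in PureWindowsPath(d).parts]
        if len(parts) > len(base) and parts[: len(base)] == base:
            return True
    return False


def reasons_for(path: str) -> list:
    """Why an image path looks like the launcher described in the thread."""
    reasons = []
    if under_temp(path):
        reasons.append("runs from Temp")
    if RANDOM_NAME.match(PureWindowsPath(path).name):
        reasons.append("random-looking name")
    return reasons


def flag_processes(listing: str) -> list:
    """Parse 'pid|user|image' lines; return (pid, user, path, reasons) for suspects."""
    findings = []
    for line in listing.strip().splitlines()[1:]:  # skip the header row
        pid, user, path = (c.strip() for c in line.split("|", 2))
        reasons = reasons_for(path)
        if reasons:
            findings.append((int(pid), user, path, reasons))
    return findings


def image_path(command: str) -> str:
    """Extract the executable from a Run-key command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1 : command.index('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def flag_run_entries(reg_text: str) -> list:
    """Return (value name, image path, reasons) for suspicious Run-key values."""
    findings = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        # Undo .reg escaping: \" -> " and \\ -> \
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        path = image_path(data)
        reasons = reasons_for(path)
        if reasons:
            findings.append((name, path, reasons))
    return findings


# Constructed sample data, not captured from a real machine.
PROCESS_LIST = "\n".join([
    "pid|user|image",
    r"4|SYSTEM|C:\WINDOWS\System32\services.exe",
    r"1234|SYSTEM|C:\WINDOWS\Temp\GGB65A.EXE",
    r"1300|user|C:\Program Files\Internet Explorer\iexplore.exe",
    r"1420|user|C:\Documents and Settings\user\Local Settings\Temp\MFDC2.EXE",
    r"1500|SYSTEM|C:\WINDOWS\System32\svchost.exe",
])

RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrendAV"="\"C:\\Program Files\\Trend Micro\\monitor.exe\" -hide"
"ggb65a"="C:\\WINDOWS\\Temp\\GGB65A.EXE"
'''

if __name__ == "__main__":
    for pid, user, path, why in flag_processes(PROCESS_LIST):
        print(f"process {pid} ({user}): {path}  <- {', '.join(why)}")
    for name, path, why in flag_run_entries(RUN_KEY_EXPORT):
        print(f"Run value {name!r}: {path}  <- {', '.join(why)}")
```

Run against the constructed data it reports the two Temp-resident processes
(1234 and 1420) and the "ggb65a" Run value, and nothing else. To use it on a
real box, dump the process list with Process Explorer (or `tasklist` plus the
image paths) into the pid|user|image shape and export the Run keys under both
HKLM and HKCU with `reg export`; the Run-key check is what catches the
re-insertion behaviour the thread describes after the file in Temp has been
deleted.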

