Re: XP SP2 bootup issues

From: Test User (test_at_dev.null)
Date: 11/03/04


Date: Tue, 2 Nov 2004 21:19:20 -0500


"Andrew Gericke" <amgerick@mweb.co.za> wrote in message
news:uuuTFKSwEHA.908@TK2MSFTNGP11.phx.gbl...
> Thanks, yes looks like hot on trail, but it turns out there are currently
> six similar files in the Windows Temp Folder - and all have a little brown
> dog for an icon. Easy enough to delete them,

Yes. They will replicate. It's a bit of a wrestle to get all of them. You
probably want to pick a time where you can unplug the machines from the
network and leave them off till you've finished cleaning all of them, to
keep the ratty ones from sending stuff back to the cleaned ones.

You should just completely empty the temp folders, all of them. By
definition, the contents are supposed to be temporary.

There are temp folders for every user account and for Windows. Be sure to
get them all.

> but clearly these files are coming from somewhere in the first place.

Yes, and if you examine the user habits you'll probably find it. If you see
any sort of file-sharing apps, that's usually a huge clue.

> I can almost bet that deleting them all now won't be the end of it, another
> one will just re-appear in a few hours/days time,

Depends on what the users do and how much you manage to remove. It's
probably not a bad idea to also purge the restore points too; these things
often hide there.

> so the question is, where are these files coming from,

They often are invited, but unwanted, "guests". A user clicks Yes to
install some piece of software from the web. That's all it takes.

> and even more interesting, how are they getting past Windows XP2's Windows
> Firewall, Trend AV, and the SBS2000 box's Firewall?

Probably, a user let them in, and they are carefully crafted to not appear
to those apps. If you know the rules they use you can get around them.

> Why also on XP SP2 machines?

Those machines may be targeted, but it may also be a question of the habits
of those specific users.

HTH
-pk
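The advice above (end anything running from a temp folder, then empty the temp folder of every user account and of Windows) as an added PowerShell check; this is not code from the thread. It assumes a current Windows with profiles under \Users and an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not from the thread: list processes whose image lives in a
# temp folder and show how much sits in each temp folder before emptying it.
# Assumes Windows Vista or later (profiles under \Users) and an elevated
# PowerShell 5.1+ session so SYSTEM-owned process paths are readable.

# Windows' own temp folder plus one per user profile, as the reply advises.
$tempRoots = @(Join-Path $env:SystemRoot 'Temp')
$tempRoots += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path $_ }

function Test-TempPath {
    param([string]$Path)
    foreach ($root in $tempRoots) {
        # Case-insensitive prefix match against each known temp root.
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

# -IncludeUserName needs elevation; fall back to an ownerless listing otherwise.
try   { $procs = Get-Process -IncludeUserName -ErrorAction Stop }
catch { $procs = Get-Process }

$suspects = $procs |
    Where-Object { $_.Path -and (Test-TempPath $_.Path) } |
    Select-Object Id, ProcessName, Path, @{ n = 'User'; e = { $_.UserName } }

if ($suspects) {
    'Processes running from a temp folder (the thread says none should be):'
    $suspects | Format-Table -AutoSize
} else {
    'No running process has its image in a temp folder.'
}

# Contents of every temp folder; -Force includes hidden files.
foreach ($root in $tempRoots) {
    $files = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue
    $mb = ([double]($files | Measure-Object -Property Length -Sum).Sum) / 1MB
    '{0,-50} {1,5} files {2,8:N1} MB' -f $root, @($files).Count, $mb
}
```

Run it with the machine unplugged from the network, as the reply suggests, so a cleaned box is not re-seeded while you work through the list.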
>
>
> "Test User" <test@dev.null> wrote in message
> news:wqShd.12834$OD3.753246@news20.bellglobal.com...
> > "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
> > news:eLN8LyRwEHA.3716@TK2MSFTNGP15.phx.gbl...
> >> And here is another bit of info I just found. In Task Manager, Processes,
> >> I have just noticed a file running invoked by User "System" called
> >> GGB65A.EXE. On scanning my hard drive this file currently resides in my
> >> Windows Temp folder. Does anyone know what this file may be? It just
> >> looks a bit suspicious.
> >
> > More than a bit. No applications should be running from the temp folders.
> > End the process and then rename that to *.bad, or just delete the contents
> > of the temp folders.
> >
> > You may need to restart in safe mode to get to this, but you are hot on
> > the trail.
> >
> > HTH
> > -pk
> >
> >
> >>
> >>
> >> "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
> >> news:%23CuzoqRwEHA.2568@TK2MSFTNGP11.phx.gbl...
> >> > And just got another one of these error messages on bootup: MFDC2.EXE
> >> > (not 8 characters as I thought), encountered a problem and needed to
> >> > close... "Send / Don't send" buttons.
> >> >
> >> >
> >> > "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
> >> > news:OM18OkRwEHA.1228@TK2MSFTNGP10.phx.gbl...
> >> >> Hi thanks for this advice, unfortunately Hijack This only shows about
> >> >> 40 cookies on the one machine as being possible suspect items, but all
> >> >> with a "non-Critical" status. I have used Ransack Agent to find and
> >> >> delete content.ie5 folders, that I can, because even with all explorer
> >> >> windows closed I am getting a message to the effect that file index.dat
> >> >> is in use by another program. All apps are closed. I can't spot any
> >> >> strange dll's or exe's in the windows or system32 folders, although I
> >> >> may not be seeing the wood for the trees in there.
> >> >>
> >> >>
> >> >>
> >> >> "Test User" <test@dev.null> wrote in message
> >> >> news:cLQhd.12741$OD3.741377@news20.bellglobal.com...
> >> >>> "Andrew Gericke" <amgerick@mweb.co.za> wrote in message
> >> >>> news:eC0ILsQwEHA.1192@tk2msftngp13.phx.gbl...
> >> >>>> Hi,
> >> >>>>
> >> >>>> I hope someone can help me. We have about 10 computers in our
> >> >>>> office, all connected to a Windows 2000 SBS server. On a few of these
> >> >>>> machines, we have installed XP SP2. Two of these machines on which we
> >> >>>> have installed SP2 are notebooks, and two others desktop computers.
> >> >>>> Since loading SP2, after typing in the password to login, we
> >> >>>> intermittently get the message "xxxxxxxx.exe has caused an error"
> >> >>>> with the two buttons, "Send to Microsoft" / "Do not send to
> >> >>>> Microsoft" on this dialog box / message. The xxxxxxxx.exe file name
> >> >>>> always changes, and is never the same. The only consistency is that
> >> >>>> it seems to always be 8 characters (I think), and always seems to be
> >> >>>> an exe of sorts. The file name is also made up of a combination of
> >> >>>> alphanumeric characters.
> >> >>>
> >> >>> Sounds trojan-ish to me.
> >> >>>
> >> >>>>
> >> >>>> So, in summary:
> >> >>>>
> >> >>>> Only happening on machines on which I have installed SP2 - currently
> >> >>>> loath to install SP2 on any of the other computers.
> >> >>>> Does not always happen
> >> >>>> Happens on desktops and notebooks - can't see how it is a driver
> >> >>>> issue thus.
> >> >>>> The filename reported in the error does not exist on the hard disk -
> >> >>>> full search done
> >> >>>> At this point the machine slows to a snail's pace, and only a reboot
> >> >>>> helps.
> >> >>>> All computers run Trend Anti-Virus - Office Scan, kept right up to
> >> >>>> date all the time.
> >> >>>> Full Anti-Virus scan shows no virus. Also searched Trend's and other
> >> >>>> websites for reference to any of these filenames - nothing.
> >> >>>
> >> >>> If the files do not exist, a trojan or virus may be creating them on
> >> >>> the fly. Is Trend set to quietly delete viruses?
> >> >>>
> >> >>>> Hard disk scan for bad sectors etc done - nothing picked up
> >> >>>> Hard disk defrag done
> >> >>>>
> >> >>>>
> >> >>>> Any advice would be most appreciated.
> >> >>>>
> >> >>>> Thanks
> >> >>>>
> >> >>>> Andrew
> >> >>>
> >> >>> I would suggest examining the systems closely for trojans and
> >> >>> malware, using Hijack This, explorer and Google. Also, use Agent
> >> >>> Ransack to locate and then delete the content.ie5 folders (after
> >> >>> closing all IE windows). This will be the fastest way to clear all
> >> >>> the caches, which is a prime location for launchers to hide.
> >> >>>
> >> >>> Pay attention as you run Hijack This, and rescan after removing
> >> >>> suspect items. You'll probably notice a behaviour of registry lines
> >> >>> being re-inserted - this is often a trojan trying to maintain
> >> >>> infection. The names involved should give you clues as to what to
> >> >>> look for.
> >> >>>
> >> >>> Also examine the .exe and .dll contents of the \windows and \system32
> >> >>> folders. You'll probably find some suspects.
> >> >>>
> >> >>> If you find problems on one machine, you can probably assume that the
> >> >>> same type of problem exists on *all* machines on the local network.
> >> >>>
> >> >>> HTH
> >> >>> -pk
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>

