
Help ID Vista malware that disconnects my LAN

Status
Not open for further replies.

CyyberSpaceCowboy

IS-IT--Management
May 4, 2004
US
I need help identifying a virus that has resisted identification and elimination by every anti-malware program I threw at it. So far, the symptoms have only manifested on the Vista machines on my network (yes, I know I should take the whole thing down, but until I can come up with a solution I can't expect the users to go without computers).

The signature of this infection is unique, I'm hoping someone can identify it by the symptoms. First, it shuts down the LAN connection, and the disconnected LAN connection icon appears on the taskbar. You cannot connect to any hosts on the local network, but the Internet connection (over the same network) stays up (i.e., I can't access the servers but I can get on the web). However, if I boot into Safe Mode with Networking, the LAN comes back. The first tunneling adapter listed in IPConfig /all is disabled, it normally shows a connection:
Tunnel Adapter Local Area Connection* 7:
Media State .... Media Disconnected

In normal mode (as opposed to Safe), if I right-click on the Disconnected LAN icon in the Taskbar and select "Diagnose and Repair", I get "Network Diagnostics cannot run because the Diagnostics Policy Service is not Running". If I click "Click to open Service Control Manager", nothing happens. If I run Services.msc in normal mode, nothing happens. I can run it in Safe Mode, but setting Diagnostics Policy Service to Autorun doesn't make it run when I return to normal mode. If I open Start->Network, I get an empty folder window (ditto Safe Mode). In Control Panel->Networking and Sharing Center, I get an empty folder with the "wait" cursor, unless I've tried other diagnostics or opening a file browser first, then I just get the disallowed "ding". In general, the more you do the more systems become locked out. However, productivity apps seem to stay up, so a user could continue to use the workstation unaware of the infection.

Our current AV scanner, Lightspeed Systems Security Agent, came with our new web filter. It runs but says the system is clean. We still have a few months left on Live OneCare, but I disabled the active scanning function so it won't conflict with Security Agent. When I try to run OneCare in normal mode, I get "The Windows Live OneCare Service is not running or has been stopped", and it won't run in Safe Mode by design. Spybot installs but does not run, nor does SuperAntiSpyware. The current version of HijackThis does not install. I can run the old 1.8x version, but there is nothing unusual in the results. A-Squared, Kaspersky, Sophos, and MalwareBytes demos say the system is clean. Symptoms manifested on one workstation after I disabled UAC to finish a third-party software update that refused to complete otherwise. This leads me to believe the infection can lie dormant.

Printer definitions have been deleted from the Printers section of the Control Panel, USB flash drives are not recognized (I plugged mine in before I noticed the infection).

I recently found "VistaPE" on the Internet. Assuming the infection is a rootkit, I plan to build a Live CD with anti-malware tools over the weekend. Unlike BartPE for XP, I've not found as many tutorials and resources on the web to help me with building a tools CD for Vista. If anyone can suggest resources or prebuilt images (like UBCD for XP), I would be thankful.
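The post describes the classic signature of something that stops or disables the services the OS needs for LAN access and diagnostics (Diagnostics Policy Service, the Network folder, the Print Spooler's printer definitions) while leaving the Internet path and productivity apps alone, and notes that the GUI tools for inspecting services are themselves blocked in normal mode. An editor-added triage script, not from the poster, that records service and adapter state from a plain PowerShell prompt so the same snapshot can be taken in normal mode and in Safe Mode with Networking and the two compared. It assumes PowerShell is installed on the Vista box and that the standard Windows service short names listed below (DPS, NlaSvc, LanmanWorkstation, Browser, Spooler, EventLog, wuauserv) are unchanged; the output file name is an arbitrary choice.

```powershell
# Editor-added triage snapshot (not the poster's code). Assumes PowerShell on Vista
# and the stock Windows service short names below. Run once in normal mode and once
# in Safe Mode with Networking, then diff the two output files.
$expected = @{
    'DPS'               = 'Diagnostics Policy Service (named in the error dialog)'
    'NlaSvc'            = 'Network Location Awareness'
    'LanmanWorkstation' = 'Workstation (SMB client, needed to reach LAN servers)'
    'Browser'           = 'Computer Browser (populates the Network folder)'
    'Spooler'           = 'Print Spooler (owns the printer definitions)'
    'EventLog'          = 'Windows Event Log'
    'wuauserv'          = 'Windows Update'
}

$report = @()
foreach ($name in $expected.Keys) {
    # Win32_Service works even when services.msc refuses to open; PathName is
    # included so an unexpected binary path or start mode stands out.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        $report += "MISSING  $name ($($expected[$name]))"
    } elseif ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        $report += ("ABNORMAL {0} state={1} startmode={2} path={3}" -f `
                    $name, $svc.State, $svc.StartMode, $svc.PathName)
    } else {
        $report += ("ok       {0} startmode={1} path={2}" -f $name, $svc.StartMode, $svc.PathName)
    }
}

# Adapter media state, including the tunnel adapters ipconfig /all lists.
# NetConnectionStatus: 2 = Connected, 7 = Media disconnected.
Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL" | ForEach-Object {
    $report += ("ADAPTER  {0} status={1} mac={2}" -f `
                $_.NetConnectionID, $_.NetConnectionStatus, $_.MACAddress)
}

# Arbitrary output location; rename per boot mode before comparing.
$out = "$env:USERPROFILE\Desktop\triage-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
$report | Out-File $out
$report
```

Anything that is Running with an Automatic start mode in Safe Mode but Stopped or Disabled in normal mode, or whose PathName differs between the two snapshots, is where to look first; a service that is present in one snapshot and MISSING in the other is equally telling. If WMI itself is blocked in normal mode, `sc query` and `sc qc <name>` from a cmd prompt give the same state and path information for one service at a time. Because the post reports that installed scanners run but report clean while the machine is clearly modified, an offline scan from the boot CD the poster is building is the right next step rather than more in-OS scanning.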