WinXP home system corruption?

[lideho]

I had a client this week with a unique problem. When he starts his computer with WindowsXP Home with SP2, instead of loading his startup items, a series of Notepad windows containing unreadable text are opened and something attempts to access the internet. Each window is titled "Notepad-program or service name" and after the bootup is finished, he ends up with 31 of these windows. Each window is for a different startup item or service but has a common readable line near the beginning of each window which states "this program cannot be run in dos mode". Any attempt to open a program resulted in another notepad window being opened.
1. I ran Mcafee antivirus from a PE disc and found 1 virus with no improvement after the virus was cleaned.
2. I booted in safe mode and did system restores to Jan 1, Dec.1 and Oct. 23 and no improvement was found each time.
3. I did a repair installation of Windows and no improvement was found.
4. I did a clean installation of Windows and the problem was fixed.

Any idea what could have caused this problem?

Dennis H. A+

 

[bcastner]

This sounds like a variant of Bagle.
This is an email distributed malware, so you might review with the end user the cautions about opening attachments.

 

[NoobX]

I would have also defragged! Did you ask the client when this happened?

 

[dakota81]

I'd say McAfee didn't do a super-job of finding all the virii on the machine, possibly one that attaches itself to evey excecutable file on the drive?

 

[bcastner]

I believe that no single antivirus tool does a complete job. One of the nicer features of the internet is the ability to do an online antivirus scan from several of the leading antivirus vendors. Pick two that are different from your installed antivirus program.

http://www.mvps.org/sramesh2k/Scanners.htm

 

[tchatzi]

Go to
start->run->services.msc
check to see the services that are in 'Started' Status and close and put to Status 'Manual' those that are not from windows
You can find out which of the services are not windows at

http://www.blackviper.com/WinXP/service411.htm

Do Ctrl-Alt-Del and close all exept
(svchost.exe, smss.exe, taskmgr.exe, services.exe, winlogon.exe, lsass.exe, explorer.exe, ctfmon.exe,crss.exe)

Do a search in 'C:\' for *.tmp files and delete them all.

Erase all files from 'Internet Temporary files'

Go to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
and check for unknown programs running. delete them.(back up the registry first.)

Do the same here
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
but leave this untouch 'CTFMON.EXE' if it is there.

Install 'Kaspersky Anti Virus' update and run.
Install 'Zone Alarm'.


Thats about it.

 

[lideho]

Thanks for the replies
bcastner: couldn't find a varient that did this

NoobX: customer said last week. I didn't defrag it after reinstalling Win.

Dakota81: I agree. I used the latest definitions available, too.

bcastner: Thanks for the link. I agree with you and use 3 different antivirus programs on my network. Unfortunately, this computer wasn't able to run anything including internet or networking.

perluserpengo: I couldn't perform any maintenance or run any programs after booting into Windows.

Thanks any folks, but I am still stumped about what caused this problem.

 

[NoobX]

lol lideho not defrag i meant fdisk lol!