oooops - fluffed it ... need advice

Martin Spencer-Ford

Hi group, got asked to help a friend's heavily infected machine, which
had too numerous Trojans and adware to remember them all, but went to
Kaspersky to do an on-line scan, worked through the log killing files
that had been highlighted as infected. All was successful other than
one file which went by the name guard.tmp. This file wouldn't delete and
was not found in any of the usual places, HijackThis failed to see it
and there was no entry in the process list or in the registry, so I did
the bold move and took ownership of the file removing all inheritance,
and tried to delete it that way .... no luck there either.

So feeling confident that it was the only one left to hammer, I thought
that maybe the blighter is called through one of the many DLLs I had
already nobbled, and decided a reboot would probably free up the file
for deletion. But now on reboot, I can not get access, winlogon.exe is
terminated in an "unusual way" and the error message displays
"\??\c:\windows\system32\winlogon.exe"

Anybody have any advice that may recover this station or is it kill it
and start again? All accounts fail whether in safe mode or normal.

Any help appreciated

Martin Spencer-Ford
(TpwUK)
 
If it was truly "...a friend's heavily infected machine, which had too numerous Trojans and
adware to remember..." I suggest creating a Ghost image of the PC, wiping it, and
reinstalling the OS, Service Packs and Critical Updates. Then install AV software on the PC,
then restore *only* data from the Ghost image.
 
David said:
If it was truly "...a friend's heavily infected machine, which had too numerous Trojans and
adware to remember..." I suggest creating a Ghost image of the PC, wiping it, and
reinstalling the OS, Service Packs and Critical Updates. Then install AV software on the PC,
then restore *only* data from the Ghost image.
ohhh yes it was a friend's PC - idiotically funny really, he had
BitDefender Pro Suite on and had allowed such things as
"sexy_blonde_babes.exe" through the firewall among others, but happy to
see you are drawing the same conclusion that I am, Dave. That somehow
gives me a warm fuzzy feeling :)

Martin Spencer-Ford
(TpwUK)
 
Martin:

I usually do NOT suggest a wipe of a PC and usually suggest a series of cleansing attempts
and performing a Cost Benefit Analysis based upon time and futility.

In this case somehow I get the feeling futility is at hand and a wipe is the better way to
go. Note my suggestion of Ghosting the PC as-is, so that NO personal data is lost prior to
wiping said PC.
 
I agree - wiping is a last resort. The sad thing with this case is that
I just cleaned out over 270 pieces of Trojans and adware not more than
two weeks ago, and I managed to save all his data then, but nothing went
wrong that time and all was fine. Now I face the moral dilemma: do I
ghost and leave him with the comfort that he can be rescued as and when
he needs (false impression), or do I teach the bitter taste of lost data
and try and educate him to the value of backing up and being more
sensible with his data and with what is allowed in and out of the
firewall...

Hmmm decisions decisions ... I can feel a coin flip coming

Martin Spencer-Ford
(TpwUK)
 
If this was a commercial situation, you could point out that the
fee for recovery this time is #xx, and if you don't mend your ways
in using the Internet, you'll be calling me back again fairly soon.

Works well for me: job satisfaction or repeat revenue, suits me
fine either way :-)
 
I will assume you have tried the Microsoft Knowledge Base. If not, here is
a link to some articles that may be helpful.
http://support.microsoft.com/search/default.aspx?qu=winlogon.exe
 
McSpreader said:
If this was a commercial situation, you could point out that the
fee for recovery this time is #xx, and if you don't mend your ways
in using the Internet, you'll be calling me back again fairly soon.

Works well for me: job satisfaction or repeat revenue, suits me
fine either way :-)
Agreed.
Have you tried a BartPE recovery CD? It boots a CD version of WinXP -
providing there are no physical problems on the drive (looks just like Windows
system file errors to me) you should be able to read all data and recover either
to CD or USB device.
Works well for me the times I have used it.

Believe it is a free/open source download off the web.

HTH JonMaC
 
Install the drive into another computer and scan it with an up-to-date AV
and Ad-Aware/Spybot etc.; works 95% of the time.

Mich...
 
But now on reboot, I can not get access, winlogon.exe is
terminated in an "unusual way" and the error message displays
"\??\c:\windows\system32\winlogon.exe"

Any body have any advice that may recover this station or is it
kill it and start again. All accounts fail whether in safe mode
or normal.

Two suggestions that might get it booting up again:

1) Run the system file check utility
- Start>Run>sfc /scannow<enter>

2) Do a repair installation of Windows, see
<http://www.michaelstevenstech.com/XPrepairinstall.htm>
 
Well it actually went better than anticipated. Link2Me was having a heyday
in there, as were several others. However the original problem of not being able
to log on was fixed by booting the WinXP CD and selecting repair, then
deleting manually after a successful admin log on. This enabled me to get
back in. Hosts needed replacing with a new file, over 50 registry keys
had to be removed and then win.ini had some bizarre device entries (two of
them to be precise) that appeared to have been randomly named, zzTH with the
rest random; they were remarked out. Further runs with CWShredder
and careful use of HijackThis and Spybot cleaned up the rest, but it was
a good four hour exercise ... Oh and before I forget .... as soon as I
regained entry, I backed up all the good stuff.

Thanks for all your input guys.

Martin Spencer-Ford
(TpwUK)
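The hosts file replacement mentioned above is the one cleanup step where a quick audit shows what was changed before the file is overwritten; this is an added example of my own, not code from the thread or from any tool it names, and the sample hosts content, hostnames and address in it are constructed.

```python
# Added example (not from the thread): audit a Windows hosts file for
# entries beyond the stock localhost mappings, the kind of tampering that
# led the thread's author to replace the file outright.
import ipaddress
from typing import Dict, List, Tuple

# Mappings that belong in a default Windows hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address: malformed line, skip it
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split non-default entries into names pointed at loopback ('blocked',
    e.g. an AV update site made unreachable) and names sent elsewhere
    ('redirected', e.g. a site pointed at a host the user did not choose)."""
    report: Dict[str, List[Tuple[str, str]]] = {"blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        kind = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirected"
        report[kind].append((ip, name))
    return report


# Constructed sample (hypothetical names, documentation-range address).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       update.example-av.test   # AV update site silently blocked
203.0.113.5     www.bank.example         # sent to a host the user never chose
"""

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip, name in entries:
            print(f"{kind:10} {name} -> {ip}")
```

On a real machine, read the file from the Windows directory instead of SAMPLE_HOSTS and treat anything reported as worth explaining before the file is replaced.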