Chris007
2010-01-30, 19:20
I was trying to help my client remove some malware from his website and got myself infected. My #1 symptom is that the possible malware is blocking most applications from executing when logged in with the default Admin login.
Applications which are being blocked right now are most of the popular anti-malware applications, including Spybot and SAS, but also other applications such as Adobe apps, and it's also blocking newly installed software from executing.
Another symptom I have is that the desktop constantly refreshes (blinking) immediately upon login. I checked the Event Viewer, which basically says that winlogon.exe is crashing explorer.exe. The only way I am able to stop this constant refreshing is by running combofix.exe via Task Manager right upon login.
I found this very interesting, as ComboFix isn't really supposed to run on my system, which is Win2k Advanced Server SP4. But it seems to be the only tool I found that stops the desktop refresh, and I am actually very, very happy about that, as my symptoms when logged into Safe Mode are almost identical.
I found a workaround by connecting to the machine via Remote Desktop Connection (RDC). When connected with RDC, everything works fine. I am able to run all programs.
Hopefully this will help someone who is in the same situation and unable to run antivirus programs even in Safe Mode. In order to establish a successful RDC connection, make sure that all required services are started, such as Terminal Services and others.
Unfortunately, the scanners that I ran, including the ones mentioned above plus Malwarebytes, and even the Kaspersky and Panda online scans, did NOT pick it up, and I still have both symptoms.
Does anybody know if there is a way to overwrite the current admin profile with the same profile that's created when an RDC connection is established?
Or should I approach this a different way?
Any advice, comments or assistance you may be able to provide is highly appreciated.
Thank you all in advance,
Chris
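Added example (not part of Chris's post, and not a claim about what his particular infection does): when programs are blocked under one logon but run fine under another, and winlogon.exe is involved, the first places a responder checks are the registry values that decide what starts at logon and which executables get redirected: the Winlogon Shell and Userinit values, Image File Execution Options "Debugger" entries, and the Explorer DisallowRun policy. Those can be exported offline on Win2k with regedit /e and reviewed from another machine. The script below parses such an export and flags the non-default entries. The export text in SAMPLE_REG is constructed for this example (the svchost32.exe, SpybotSD.exe and mbam.exe names in it are made up); replace it with the contents of a real .reg file to use it.

```python
import re

# Constructed sample of a "regedit /e" export. Invented for this example; the
# WINNT paths follow Windows 2000 layout, the svchost32.exe entry is fictional.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\svchost32.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpybotSD.exe]
"Debugger"="C:\\WINNT\\system32\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="mbam.exe"
"2"="SUPERAntiSpyware.exe"
"""

# Registry key paths are case-insensitive, so everything is compared lower-cased.
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'.lower()
IFEO = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'.lower()
DISALLOW = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'.lower()

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # regedit escapes backslashes and double quotes inside string data
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _decode(data):
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data  # hex(...) blobs and other types are kept raw


def parse_reg_export(text):
    """Parse a regedit /e export into {key_path_lower: {value_name_lower: value}}."""
    keys, current, buf = {}, None, ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):           # multi-line hex value continues
            buf += line[:-1]
            continue
        line, buf = buf + line, ''
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = '' if name == '@' else _unescape(name[1:-1]).lower()
            keys[current][name] = _decode(data)
    return keys


def audit(keys):
    """Return (check, detail) findings for the logon and execution-redirect keys."""
    findings = []
    wl = keys.get(WINLOGON, {})
    shell = str(wl.get('shell', 'Explorer.exe'))
    if shell.strip().lower() != 'explorer.exe':
        findings.append(('winlogon-shell', shell))
    # Default Userinit is exactly one entry: <system dir>\userinit.exe
    userinit = [p.strip() for p in str(wl.get('userinit', '')).split(',') if p.strip()]
    if len(userinit) > 1 or any(not p.lower().endswith('\\userinit.exe') for p in userinit):
        findings.append(('winlogon-userinit', ','.join(userinit)))
    # An IFEO "Debugger" value makes Windows launch that program instead of the
    # named executable; legitimate uses exist, so each hit needs a look.
    prefix = IFEO + '\\'
    for path, vals in sorted(keys.items()):
        if path.startswith(prefix) and 'debugger' in vals:
            findings.append(('ifeo-debugger', f'{path[len(prefix):]} -> {vals["debugger"]}'))
    if keys.get(DISALLOW, {}).get('disallowrun') == 1:
        blocked = [v for _, v in sorted(keys.get(DISALLOW + '\\disallowrun', {}).items())]
        findings.append(('explorer-disallowrun', ';'.join(blocked)))
    return findings


if __name__ == '__main__':
    for check, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f'{check}: {detail}')
```

Since the poster sees different behaviour on the console and over RDC, the HKEY_CURRENT_USER part should be exported from the affected profile (or its NTUSER.DAT loaded under HKEY_USERS and the DISALLOW path adjusted) so that per-user policy values are actually covered; the HKLM values apply to every session.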