A possible infection: No start button, Task Bar tiny grey line, All services stopped and cannot start, no netlogon

I have had three Windows XP Pro SP3 systems get infected today, April 21, 2010, within half an hour of each other. We are running McAfee Antivirus Total Virus Defence. The symptoms are as listed in the title: "A possible infection: No start button, Task Bar tiny grey line, All services stopped and cannot start, no netlogon". The system reports that it will reboot in 15 seconds, then continues with many failed reboot attempts. When it finally restarts the Start button is gone, the task bar is minimized so that you cannot see it, and services are all stopped. There is no networking support and no ability to start services. When I reboot in safe mode the conditions described above still exist. We have run the normal antivirus, anti-spyware and antimalware on these systems by removing the drive and attaching it to an isolated good system. All tests come back clean with no report of problems. Any advice is welcomed.
muskoka_guy Asked:

centrality Commented:
Hello,

As requested, please find below the two recommended options for recovering a compromised system.

Also attached is Centrality's after action report explaining the cause, and why only certain XP machines are affected.

Regards
Mike

Option 1 - Try this first

1. Download the extra.dat file from McAfee (http://vil.nai.com/vil/5958_false.htm) and place it on a USB stick (assuming no network access).
2. As an administrator on the affected machine, copy the Extra.dat file to the Engine folder. On most machines this will be:
   "c:\program files\common files\mcafee\engine"
3. Reboot your PC.
4. Log back on as an administrator user.
5. Run the following command: sfc /scanfile=<Sys32>\svchost.exe, e.g.:
   sfc /scanfile=c:\windows\system32\svchost.exe
6. Reboot your PC.
7. Log in and manually update your DATs to 5959 or above.

Option 2 - Safe Mode Recovery

This process works well when you have no ability to get any new files on to an affected machine, as all recovery steps use files already present on an affected PC.

1. Boot Windows into Safe Mode.
2. Log on and get to a command prompt.
3. Using the command line, copy the contents of the McAfee OldEngine folder to the parent "Engine" folder. On most machines this will mean:
   copy c:\progra~1\common~1\mcafee\engine\oldeng~1\*.* c:\progra~1\common~1\mcafee\engine
   Note: You MUST use the 8.3 notation (e.g. with ~1) for files and directories whose names are longer than 8 characters.
4. Using the command line, copy svchost.exe from the DLLCache to Sys32. Again, on most machines, this will mean:
   copy c:\windows\system32\dllcache\svchost.exe c:\windows\system32
5. Reboot your machine.
6. Go into the McAfee console and prevent any automatic updates until you are confident it is safe to re-enable them.

0
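The asker already has the affected drive attached to a clean machine, so the check for the symptom Mike's Option 1 and Option 2 address (svchost.exe quarantined from system32 while the Windows File Protection copy in dllcache survives) can be done offline before touching the machine. The script below is an added example, not code from the original thread or from Centrality or McAfee; it assumes the XP drive is mounted at some root with the usual windows\system32 and windows\system32\dllcache layout, and the sample drive it builds in a temp directory is constructed for the example.

```python
"""Offline triage for a quarantined svchost.exe on an XP drive mounted on a clean host.

Added example (not from the thread). Assumed layout under <root>:
  windows/system32/svchost.exe           live copy, the one the bad DAT removed
  windows/system32/dllcache/svchost.exe  Windows File Protection copy, the restore source
"""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for the real binary; only the comparison logic matters here.
SAMPLE_SVCHOST = b"MZ" + b"\x00" * 62 + b"constructed svchost.exe body"


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def svchost_paths(root):
    """Return (live path, dllcache backup path) for the mounted drive root."""
    sys32 = os.path.join(root, "windows", "system32")
    return os.path.join(sys32, "svchost.exe"), os.path.join(sys32, "dllcache", "svchost.exe")


def svchost_status(root):
    """Classify the live svchost.exe against the dllcache copy.

    'no_backup': nothing to restore from, you need the extra.dat/sfc route instead
    'missing'  : the symptom in the thread, the live file has been quarantined
    'mismatch' : present but different bytes from the protected copy, do not trust it
    'ok'       : identical to the protected copy
    """
    live, backup = svchost_paths(root)
    if not os.path.isfile(backup):
        return "no_backup"
    if not os.path.isfile(live):
        return "missing"
    return "ok" if sha256_of(live) == sha256_of(backup) else "mismatch"


def restore_svchost(root):
    """Offline equivalent of Option 2 step 4: copy dllcache\\svchost.exe into system32.

    Only acts when the live copy is missing or differs from the backup, and
    returns the status after the copy so the caller can confirm it took.
    """
    status = svchost_status(root)
    if status in ("missing", "mismatch"):
        live, backup = svchost_paths(root)
        shutil.copy2(backup, live)  # copy2 also carries over the backup's timestamps
        status = svchost_status(root)
    return status


def make_sample_drive(live_state, with_backup=True):
    """Build a constructed XP-like tree in a temp dir for demonstration.

    live_state: 'present', 'missing' or 'tampered'.
    """
    root = tempfile.mkdtemp(prefix="xpdrive_")
    live, backup = svchost_paths(root)
    os.makedirs(os.path.dirname(backup))
    if with_backup:
        with open(backup, "wb") as fh:
            fh.write(SAMPLE_SVCHOST)
    if live_state == "present" and with_backup:
        shutil.copy2(backup, live)
    elif live_state == "tampered":
        with open(live, "wb") as fh:
            fh.write(SAMPLE_SVCHOST + b"\x90")
    return root


if __name__ == "__main__":
    drive = make_sample_drive("missing")
    print("before:", svchost_status(drive))   # missing
    print("after: ", restore_svchost(drive))  # ok
```

Point it at the real mount (for example `svchost_status("E:\\")` with the drive attached as E:) to see which of the four states the machine is in; `no_backup` means dllcache was also cleaned out and only the extra.dat plus `sfc /scanfile` route in Option 1 remains.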
 
Darksquire Commented:
I would remove the drive and place it as a secondary drive in another uninfected computer and hit it with every virus protection solution you've got. Combofix and Malwarebytes are great.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.malwarebytes.org/
0
 
centrality Commented:
Hi,

This could be related to the McAfee DAT 5958 release.

While McAfee have pulled the release it won't help you fix machines affected by the problem.

Please check our web-site:  http://www.mycentrality.com  for manual steps you need to follow to fix this problem.

Many thanks
Mike Davies
0
 
centrality Commented:
The biggest problem is that once affected, machines lack basic functionality such as network and even some USB drive access, making this a tricky one to resolve.

Mike
0
 
uescomp Commented:
Sounds like your system got hit by a virus, and when I say hit I mean hit hard. One thing you can check is hitting ctrl + esc; this will display the start panel and taskbar. Another thing for your internet is to check if the virus placed a proxy: open up Internet Explorer, select Tools/Internet Options, under the Connections tab click LAN settings, and make sure there is no checkbox ticked under Proxy; if so, clear the checkbox. Then test your connectivity.

Another question is: are you receiving popups of the system being infected by a bogus antivirus etc.? Some fake antiviruses like to lock down the system. Otherwise, to save you some time, I would back up the data and wipe the system; this virus that you have probably did a lot of damage and you would spend more time fixing the system, which will probably have some issues eventually, vs. wiping.

Hope everything works out for you.
0
 
centrality Commented:
Do not wipe your system!

There is seriously a 5 minute fix!

Mike
0
 
uescomp Commented:
Are you also able to open Task Manager to see what processes are running? There could be a process (aka virus) causing this issue. If you are unable to open Task Manager I would log off, and as soon as you log back into the system spam ctrl + alt + delete; this will give you a chance to start Task Manager before the virus kicks in, in which case the virus will start after Task Manager so you can kill the process.

Viruses can also tamper with your hosts file. For XP, go to the local drive/windows/system32/drivers/etc folder, open the hosts file in Notepad or drag the file and drop it into Notepad to view the contents. The only thing you should see is as follows:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost

Anything below the localhost address that points to a website might be what's causing the issue.
0
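Reading the hosts file by eye works for one machine; with three affected at once it is quicker to parse it and flag everything beyond the stock localhost mapping. The following is an added example, not code from the original thread or from uescomp; it assumes the stock Windows hosts layout (comments start with '#', one "IP name [name ...]" entry per line, inline comments allowed), and the sample file text and example.com/example.net names in it are constructed.

```python
"""Flag hosts-file entries that redirect or sinkhole names.

Added example (not from the thread). Assumes the stock Windows hosts format;
the sample below is constructed and uses reserved example names and a
documentation-range IP.
"""
import ipaddress

# The only name the stock file is expected to map, and only to a loopback address.
EXPECTED = {"localhost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
#      127.0.0.1       localhost

127.0.0.1       localhost
127.0.0.1\tav-update.example.com              # constructed: sinkholes an update host
198.51.100.23   www.example.net  example.net   # constructed: diverts to another address
"""


def parse_hosts(text):
    """Return [(ip, [names]), ...] for every active (non-comment, non-blank) line.

    Inline comments after '#' are stripped, tabs and spaces both separate
    fields, and malformed lines are skipped rather than raising so a tampered
    file cannot make the check bail out early.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((str(ip), [n.lower() for n in fields[1:]]))
    return entries


def suspicious_entries(text):
    """Return the active entries that do anything beyond mapping localhost to loopback.

    Two cases are flagged: a non-loopback address for any name (traffic is
    diverted elsewhere), and a loopback address for a name other than localhost
    (the name is sinkholed, the usual way to block AV update servers).
    """
    flagged = []
    for ip, names in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        extra_names = [n for n in names if n not in EXPECTED]
        if not loopback or extra_names:
            reason = "sinkholed to loopback" if loopback else "diverted to %s" % ip
            flagged.append((ip, names, reason))
    return flagged


if __name__ == "__main__":
    # On a real drive: open(r"E:\windows\system32\drivers\etc\hosts").read()
    for ip, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-16s %-40s %s" % (ip, " ".join(names), reason))
```

The commented-out `#      127.0.0.1       localhost` line from the stock file is ignored by design, so a clean file yields an empty list; `::1 localhost` is also accepted because `is_loopback` covers IPv6.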
 
muskoka_guy Author Commented:
For Mike at centrality:
Step 1 I completed.
Step 2: there is no such file of that name in the directory you specified.
BTW, copy and paste do not work in safe mode; all services are disabled and cannot be started, so I had to use command-line copy using ~1, yuk.
Scott
0
 
centrality Commented:
Hi Scott,

Option 1 should be enough to get you up and running again.

Agreed about the ~ usage, XP seems to be in a very limited mode in several areas.

Option 2 was something we were developing to automate the fix, but MS licensing restrictions prevent us from publishing.

To re-iterate: you do not need Option 2 or any files to fix your PC.

Thanks
Mike
0
 
centrality Commented:
Hi,

Have updated our web-site

http://www.mycentrality.com

with additional breaking info.

thanks
Mike
0
 
younghv Commented:
I was just reviewing the Article here: http:/A_2914.html

Please take a look and see if that helps.
0
 
centrality Commented:
With file attached this time!
McAfee5958AfterActionReportv10.pdf
0
 
muskoka_guy Author Commented:
Thanks to all for your prompt and helpful responses. A special thanks to Centrality for the solution and to younghv, whose link I am sure will help some others as well. A footnote is that this morning McAfee has released a SuperDAT file that fixes this problem and also appears to recover any missing files.
regards
Scott
0
Question has a verified solution.