A possible infection: No start button, Task Bar tiny grey line, All services stopped and cannot start, no netlogon

I have had three Windows XP Pro SP3 systems get infected today, April 21, 2010, within half an hour of each other.  We are running McAfee Antivirus Total Virus Defence.  The symptoms are as listed in the title: "A possible infection: No start button, Task Bar tiny grey line, All services stopped and cannot start, no netlogon".  The system reports that it will reboot in 15 seconds, then continues with many failed reboot attempts.  When it finally restarts, the Start button is gone, the task bar is minimized so that you cannot see it, and services are all stopped.  There is no networking support and no ability to start services.  When I reboot in Safe Mode the conditions described above still exist.  We have run the normal antivirus, anti-spyware and anti-malware on these systems by removing the drive and attaching it to an isolated good system.  All tests come back clean with no report of problems.  Any advice is welcomed.
muskoka_guyAsked:
DarksquireCommented:
I would remove the drive and place it as a secondary drive in another uninfected computer and hit it with every virus protection solution you've got. Combofix and Malwarebytes are great.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.malwarebytes.org/
0
centralityCommented:
Hi,

This could be related to the McAfee DAT 5958 release.

While McAfee have pulled the release it won't help you fix machines affected by the problem.

Please check our web-site:  http://www.mycentrality.com  for manual steps you need to follow to fix this problem.

Many thanks
Mike Davies
0
centralityCommented:
The biggest problem is that once affected, machines lack basic functionality such as network and even some USB drive access, making this a tricky one to resolve.

Mike
0
uescompCommented:
Sounds like your system got hit by a virus, and when I say hit I mean hit hard. One thing you can check is hitting Ctrl + Esc; this will display the start panel and taskbar.  Another thing for your internet is to check if the virus placed a proxy: open up Internet Explorer, select Tools/Internet Options, under the Connections tab click LAN settings, and make sure there is no checkbox ticked under proxy; if so, clear the checkbox.  Then test your connectivity.

Another question is: are you receiving popups of the system being infected by a bogus antivirus etc.?  Some fake antiviruses like to lock down the system.  Otherwise, to save you some time, I would back up the data and wipe the system; this virus that you have probably did a lot of damage, and you would spend more time fixing the system, which will probably have some issues eventually, vs. wiping.

Hope everything works out for you.
0
centralityCommented:
Do not wipe your system!

There is seriously a 5 minute fix!

Mike
0
uescompCommented:
Are you also able to open the Task Manager to see what processes are running? There could be a process (aka virus) causing this issue. If you are unable to open Task Manager I would log off, and as soon as you log back into the system spam Ctrl + Alt + Delete; this will give you a chance to start Task Manager before the virus kicks in, in which case the virus will start after Task Manager so you can kill the process.

Viruses can also tamper with your hosts file. For XP go to the local drive\windows\system32\drivers\etc folder and open the hosts file in Notepad, or drag the file and drop it into Notepad to view the contents.  The only thing you should see is as follows:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost

Anything below the localhost address that points to a website might be what's causing the issue.
0
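The hosts-file check described above, as an added batch example (not code from the original thread): it lists every active entry in the XP hosts file and flags anything other than the localhost line, which is the only entry a clean file should carry. It assumes the standard %SystemRoot% location given in the comment.

```batch
@echo off
rem Added example, not from the original thread: audit the XP hosts file.
rem A clean file has no active entries beyond "127.0.0.1 localhost"; any
rem other active line redirects a host name and deserves a look.
setlocal enabledelayedexpansion
set HOSTS=%SystemRoot%\system32\drivers\etc\hosts
set COUNT=0
set BAD=0
if not exist "%HOSTS%" (
    echo hosts file missing at %HOSTS%
    exit /b 1
)
rem eol=# skips comment lines; tokens=1,2 give the IP and the host name.
for /f "usebackq eol=# tokens=1,2" %%a in ("%HOSTS%") do (
    if not "%%a"=="" (
        set /a COUNT+=1
        if /i "%%b"=="localhost" (
            echo ok:         %%a %%b
        ) else (
            echo SUSPICIOUS: %%a %%b  ^(host name redirected by hosts file^)
            set /a BAD+=1
        )
    )
)
echo !COUNT! active entries, !BAD! suspicious.
endlocal
```

Run it from a command prompt in Safe Mode; suspicious lines should be removed from the hosts file with Notepad once the system is cleaned.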
muskoka_guyAuthor Commented:
For Mike at centrality:
Step 1 I completed.
Step 2: there is no such file of that name in the directory you specified.
BTW, copy and paste do not work in Safe Mode; all services are disabled and cannot be started, so I had to use command line copy using ~1, yuk.
Scott
0
centralityCommented:
Hi Scott,

Option 1 should be enough to get you up and running again.

Agreed about the ~ usage, XP seems to be in a very limited mode in several areas.

Option 2 was something we were developing to automate the fix, but MS licensing restrictions prevent us from publishing.

To re-iterate: you do not need Option 2 or any files to fix your PC.

Thanks
Mike
0
centralityCommented:
Hi,

Have updated our web-site

http://www.mycentrality.com

with additional breaking info.

thanks
Mike
0
younghvCommented:
I was just reviewing the Article here: http:/A_2914.html

Please take a look and see if that helps.
0
centralityCommented:
Hello,

As requested, please find below the two recommended options for recovering a compromised system.

Also attached is Centrality's after action report explaining the cause, and why only certain XP machines are affected.
Regards
Mike

Option 1 - Try this first

1. Download the extra.dat file from McAfee (http://vil.nai.com/vil/5958_false.htm) and place it on a USB stick (assuming no network access).
2. As an administrator on the affected machine, copy the Extra.dat file to the Engine folder. On most machines this will be:
   "c:\program files\common files\mcafee\engine"
3. Reboot your PC.
4. Log back on as an administrator user.
5. Run the following command: sfc /scanfile=<Sys32>\svchost.exe, e.g.:
   sfc /scanfile=c:\windows\system32\svchost.exe
6. Reboot your PC.
7. Log in and manually update your DATs to 5959 or above.

Option 2 - Safe Mode Recovery

This process works well when you have no ability to get any new files on to an affected machine, as all recovery steps use files already present on an affected PC.

1. Boot Windows into Safe Mode.
2. Log on and get to a command prompt.
3. Using the command line, copy the contents of the McAfee OldEngine folder to the parent "Engine" folder. On most machines this will mean:
   copy c:\progra~1\common~1\mcafee\engine\oldeng~1\*.* c:\progra~1\common~1\mcafee\engine
   Note: You MUST use the 8.3 notation (e.g. with ~1) for files and directories whose names are longer than 8 characters.
4. Using the command line, copy svchost.exe from the DLLCache to Sys32. Again, on most machines, this will mean:
   copy c:\windows\system32\dllcache\svchost.exe c:\windows\system32
5. Reboot your machine.
6. Go into the McAfee Console and prevent any automatic updates until you are confident it is safe to re-enable them.

0
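The Safe Mode recovery (Option 2) above, scripted as an added batch example; this is not Centrality's or McAfee's own tool. It assumes the default McAfee and Windows paths quoted in the steps and, as the steps require, uses 8.3 short names throughout.

```batch
@echo off
rem Added example, not part of the original thread or Centrality's fix.
rem Scripts the Safe Mode recovery for the McAfee DAT 5958 false positive
rem on XP SP3 using only files already on the machine. Assumes default
rem install paths; adjust ENGINE if McAfee lives elsewhere.
setlocal
rem 8.3 short names: long-name paths are awkward in the crippled Safe Mode shell.
set ENGINE=c:\progra~1\common~1\mcafee\engine
set OLDENG=%ENGINE%\oldeng~1
set SYS32=%SystemRoot%\system32
set SVCHOST=%SYS32%\svchost.exe
set CACHED=%SYS32%\dllcache\svchost.exe

rem Step 1: roll the scan engine back to the previous, working version.
if not exist "%OLDENG%\*.*" (
    echo OldEngine folder not found at %OLDENG% - cannot roll the engine back.
    exit /b 1
)
copy /y "%OLDENG%\*.*" "%ENGINE%" >nul
if errorlevel 1 (
    echo Engine rollback failed.
    exit /b 1
)

rem Step 2: restore svchost.exe from the Windows File Protection cache.
if not exist "%CACHED%" (
    echo No cached svchost.exe at %CACHED% - restore it from the XP CD i386 folder instead.
    exit /b 1
)
copy /y "%CACHED%" "%SYS32%" >nul
if errorlevel 1 (
    echo Restore of svchost.exe failed.
    exit /b 1
)

rem Step 3: confirm the restored binary is byte-identical to the cached copy.
fc /b "%SVCHOST%" "%CACHED%" >nul
if errorlevel 1 (
    echo svchost.exe does not match the dllcache copy - check it manually.
    exit /b 1
)
echo Recovery files in place. Reboot, then hold McAfee auto-updates until DAT 5959 or later is confirmed good.
endlocal
exit /b 0
```

Step 3 is the check the written procedure lacks: if the quarantined svchost.exe was only partially restored, fc reports the difference before you reboot into the same broken state.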
centralityCommented:
With file attached this time!
McAfee5958AfterActionReportv10.pdf
0
muskoka_guyAuthor Commented:
Thanks to all for your prompt and helpful responses.  A special thanks to Centrality for the solution and to younghv, whose link I am sure will help some others as well.  A footnote is that this morning McAfee has released a SuperDAT file that fixes this problem and also appears to recover any missing files.
regards
Scott
0