Joe Abruzzo asked:

Log Off/Welcome Screen Problem

Yesterday several of my networked workstations started going to the welcome screen while the operator was working on the machine. Sometimes it shows they are still logged in and other times it just shows the users in the welcome screen, meaning they are not logged in. This is happening on most of my networked machines. A couple of machines actually restart on their own. Some workstations have Win XP Pro and others Win 7 Pro. All settings on the machines are correct, i.e. no password required etc. AV software is Microsoft Security Essentials. Also, when you log back in, any window that was open is reduced to a very small size in the upper left side of the screen and the Gadgets are also stacked on top of each other in the top left corner. This never happened before, that's why I don't think it's a settings issue. Any ideas?
Bxoz:

It could be that, but it's an old post, so Microsoft Security Essentials should find this virus...
How to Fix the Automatic Log off of Windows while Logging in
http://www.bizzntech.com/2008/06/06/how-to-fix-the-automatic-log-off-of-windows-while-logging-in

You can try the Kaspersky anti-rootkit; it is really fast to scan
http://support.kaspersky.com/faq/?qid=208283363
and
http://housecall.trendmicro.com
Well, the first question that comes to mind is:
What changed?

Now it sounds like you have a pretty diverse environment there, with two different types of OS running. Is the XP machines' hardware the same as the Win7 machines'? Or are they older and different?

What I'm trying to get at is whether this could have been a hardware driver update that is causing this, because the first thing that comes to mind about the resized windows is the video driver. I've seen video drivers cause all sorts of problems, including 'changing' the resolution, thus causing Windows to smash all the windows into a smaller portion of the screen, since it thought the resolution had changed.

If all the hardware is different, paying particular attention to video cards... then I would start looking for malware/viruses. Even with 'protection', MSE and other antivirus vendors typically can only find viruses that they are aware of, although they all proclaim 'heuristically scanning' and whatnot.

Have you run a full scan on one of the machines?

Tell us what you find out.
Joe Abruzzo (asker):

I tried all the links: Kaspersky, Housecall and the registry solution. Did not find the problem. Having this problem on 10 workstations, 8 Win 7 Pro and 2 XP Pro. Any more thoughts? Please advise.
Do you have RDP enabled on your workstation? Maybe it's a user who is having fun with it.

start -> run... -> mstsc -> @IP of one of your workstation


Can you explain this post? I also noticed that the problem workstations are using the same user account (Administrator). The workstations not affected are using a different user account and the Administrator account is disabled. I wonder if maybe an infected machine (if there is an infected machine) with the user account Administrator is sending a remote session automatically. This problem is happening when no other people are in the building, so if this is the problem it may be some file that was downloaded from the internet that is doing this automatically. Any idea on what that file/service/script might be?
PS: AV software does not detect any problems (Security Essentials). Also scanned with the other virus software that you suggested.

It could be this one
http://www.f-secure.com/weblog/archives/00002227.html

Can you try to disable RDP on your workstation with the issue (Start -> right click on "My Computer" -> Properties -> "Remote" tab -> and uncheck "Allow users to connect remotely to this computer")?
I've asked the moderators to add the AntiVirus category to your question. It certainly sounds like something malware would possibly do, just because it is happening with no one around.
It seems like the problem is the "Morto Worm". I set XP machines to "do not accept Remote connections" and Win 7 machines to "allow Connections from Machines running Network Level Authentication". This seems to have stopped the remote logins/logoffs for now. The question is how to remove it, and which files to remove and which registry keys? I found a lot of info on this and each solution seems to be different as to what files and registry keys to remove.
I do use Remote Desktop, so I need to change the settings back at some point.

Does anybody have any experience with this worm and the best way to remove it?
Can you find those files?
%Windows%\clb.dll
%Windows%\clb.dll.bak
%windows%\temp\ntshrui.dll
<system folder>\sens32.dll
c:\windows\offline web pages\cache.txt


Here you have the releases of this worm:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=morto&searchIcon.x=0&searchIcon.y=0

You should detect Morto with the Microsoft Safety Scanner:
http://www.microsoft.com/security/scanner/en-us/default.aspx

Here is a technical write-up our analysts at the Microsoft Malware Protection Center have on this threat: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

I also see that there are reports of reinfection after cleaning the aforementioned malware, so there are a few things to consider here:

1.  Microsoft detects and removes the Morto.A family/variant. You can use the Microsoft Safety Scanner to clean this particular malware as well as all other known malware that Microsoft has definitions for. The MS Safety Scanner can be downloaded from: http://www.microsoft.com/security/scanner/en-us/default.aspx

2.  If you are seeing a reinfection of this, or any malware, it is possible that a rootkit and/or trojan dropper still exists on the system. Microsoft is offering a beta version of a bootable scanning utility that will allow you to boot into a WinPE environment and scan the file system while it is offline thus preventing the potential rootkit from loading and giving you a better chance of finding it. Please see the Standalone System Sweeper at: http://connect.microsoft.com/systemsweeper

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/31cf740c-818c-4863-8df9-0d9a1d6de6fc

%Windows%\clb.dll (Found in System32 folder)
%Windows%\clb.dll.bak (Not found)
%windows%\temp\ntshrui.dll (Found in System32 folder)
<system folder>\sens32.dll (Found in System32 folder)
c:\windows\offline web pages\cache.txt (Yes, deleted and it comes back)

Can you explain the path <System folder>? Not sure what this path is.

I scanned with Microsoft Safety Scanner and it did not find anything. Maybe it is something else.
PS: I noticed that on the good workstations I do not have the file sens32.dll. I read something that said this was a problem file.

What are your thoughts?
Personal opinion alert: There is no such thing as 'cleaning' an infected computer.

The only way to be absolutely certain that you have eliminated any infection is by reloading the OS on the drive with your corporate image.

My company's policy on any confirmed or suspected infection is to take the computer off network immediately and reload them from a corporate image.
ASKER CERTIFIED SOLUTION
Bxoz

I am doing a full scan and it is not finding any problems. I checked the file sens32.dll on the VirusTotal site and it did not find any problems with the file. I did the netstat -ano and I noticed several entries on port 3389. There were 2 states: 1=SYN_SENT and 2=ESTABLISHED. Is this a history of connections? What does "Established" mean? How can we delete these connections if they are present? Please advise.
Hi Bxoz!

Thanks for all your support. I think I got rid of the problem. Your last post showing the netstat -ano command and seeing all the port 3389 entries did the trick. What I did was note the PID, and in Task Manager I found the service that this PID was using. I killed the service and then I was able to go to Windows\Offline Files and delete the files in this folder. It turns out that was where the problem was coming from. After that I did another netstat -ano and there were no port 3389 entries. I also manually deleted the sens32.dll in the System32 folder. In some cases I had to do this from Safe Mode.
As a side note, Security Essentials picked up the problem on a few of the affected machines (not all) and deleted some of the files (not all). That's where I got the tip where to look (Windows\Offline Files).
If you have any questions just email me at abruzzo@snet.net  Thanks again!!!
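The two things this thread converges on, Bxoz's indicator-file list and the netstat -ano / PID lookup the asker used, can be combined into one read-only triage script for an affected workstation. The script below is an added example, not code from the thread, from Microsoft or from F-Secure. It assumes that `<system folder>` in the indicator list means `%SystemRoot%\System32` (where the asker found the files), that `netstat -ano` prints the Proto/Local/Foreign/State/PID columns of Windows XP and Windows 7, and that the "Remote" tab settings the asker changed are stored in the registry values `fDenyTSConnections` and `UserAuthentication`. It reports only and deletes nothing.

```powershell
# Added triage script (not code from the thread, Microsoft or F-Secure).
# Read-only: reports the Morto indicator files listed in the thread, the current
# Remote Desktop settings, and TCP rows on port 3389 with their owning process,
# i.e. the manual netstat -ano / Task Manager procedure the asker describes.
# Assumption: "<system folder>" = $env:SystemRoot\System32.

$sysRoot = $env:SystemRoot
$sys32   = Join-Path $sysRoot 'System32'

# Paths copied from the thread's indicator list. A clb.dll in System32 is a
# normal Windows component; the indicator is a copy placed in %SystemRoot% itself.
$indicatorPaths = @(
    (Join-Path $sysRoot 'clb.dll'),
    (Join-Path $sysRoot 'clb.dll.bak'),
    (Join-Path $sysRoot 'temp\ntshrui.dll'),
    (Join-Path $sys32   'sens32.dll'),
    (Join-Path $sysRoot 'Offline Web Pages\cache.txt')
)

function Get-MortoIndicatorFiles {
    # One object per indicator path that exists, with size and timestamp so the
    # file can be hashed or submitted (e.g. to VirusTotal) before it is removed.
    foreach ($path in $indicatorPaths) {
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path -Force
            New-Object PSObject -Property @{
                Path      = $path
                SizeBytes = $file.Length
                LastWrite = $file.LastWriteTime
            }
        }
    }
}

function Get-RdpSettings {
    # The two settings behind the System Properties "Remote" tab:
    # fDenyTSConnections = 1 disables Remote Desktop, UserAuthentication = 1
    # means only NLA clients are accepted (the Win 7 setting the asker chose).
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = "$ts\WinStations\RDP-Tcp"
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
    }
}

function Get-RdpConnections {
    # Parses netstat -ano rather than Get-NetTCPConnection so it also runs on
    # XP / Windows 7 (PowerShell 2.0). Only TCP rows touching port 3389 are kept.
    # SYN_SENT to a remote :3389 means THIS host is trying to open RDP sessions
    # elsewhere; when the owner is not mstsc.exe that is the worm's behaviour and
    # the PID is the one to look up in Task Manager.
    netstat -ano | ForEach-Object {
        $cols = ($_.Trim()) -split '\s+'
        if ($cols.Count -ge 5 -and $cols[0] -eq 'TCP') {
            $localPort  = ($cols[1] -split ':')[-1]
            $remotePort = ($cols[2] -split ':')[-1]
            if ($localPort -eq '3389' -or $remotePort -eq '3389') {
                $procId = [int]$cols[4]
                $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $name   = '<exited>'
                if ($proc) { $name = $proc.ProcessName }
                $suspicious = ($remotePort -eq '3389' -and $name -ne 'mstsc')
                New-Object PSObject -Property @{
                    Local = $cols[1]; Remote = $cols[2]; State = $cols[3]
                    PID = $procId; Process = $name; Suspicious = $suspicious
                }
            }
        }
    }
}

'== Indicator files present =='
Get-MortoIndicatorFiles | Format-Table Path, SizeBytes, LastWrite -AutoSize
'== Remote Desktop settings =='
Get-RdpSettings | Format-List
'== TCP rows involving port 3389 (Suspicious = True rows are the PIDs to check) =='
Get-RdpConnections | Format-Table Local, Remote, State, PID, Process, Suspicious -AutoSize
```

Run it from an elevated PowerShell prompt on one of the affected workstations. A row in state SYN_SENT toward a remote `:3389` whose owner is anything other than `mstsc` is the PID the asker ended up killing in Task Manager; the inbound ESTABLISHED rows on local `:3389` show who is currently logged on over RDP. Because the script only reads, it can be run on every machine in the fleet to find the ones that still need the Safety Scanner or a reimage.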
Great Job Bxoz