Log Off/Welcome Screen Problem

Yesterday several of my networked workstations started going to the welcome screen while the operator was working on the machine. Sometimes it shows they are still logged in and other times it just shows the users in the welcome screen, meaning they are not logged in. This is happening on most of my networked machines. A couple of machines actually restart on their own. Some workstations have Win XP Pro and others Win 7 Pro. All settings on the machines are correct, i.e. no password required etc. AV software is Microsoft Security Essentials. Also, when you log back in, any window that was open is reduced to a very small size in the upper left side of the screen and the gadgets are also stacked on top of each other in the top left corner. This never happened before, that's why I don't think it's a settings issue. Any ideas?

Asked: Joe Abruzzo
1 Solution
Bxoz Commented:

It could be that, but it's an old post, so Microsoft Security Essentials should find this virus...
How to Fix the Automatic Log off of Windows while Logging in
http://www.bizzntech.com/2008/06/06/how-to-fix-the-automatic-log-off-of-windows-while-logging-in

You can try Kaspersky anti-rootkit; it is really fast to scan
http://support.kaspersky.com/faq/?qid=208283363
and
http://housecall.trendmicro.com

Sommerblink Commented:
Well, the first question that comes to mind is: what changed?

Now it sounds like you have a pretty diverse environment there, with two different types of OS running. Is the XP machines' hardware the same as the Win7 machines'? Or are they older and different?

What I'm trying to get at is whether this could have been a hardware driver update that is causing this, because the first thing that comes to mind about the resized windows is the video driver. I've seen video drivers cause all sorts of problems, including 'changing' the resolution, thus causing Windows to smash all the windows into a smaller portion of the screen, since it thought the resolution had changed.

If all the hardware is different, paying particular attention to video cards, then I would start looking for malware/viruses. Even with 'protection', MSE and other antivirus vendors typically can only find viruses that they are aware of, although they all proclaim 'heuristic scanning' and whatnot.

Have you run a full scan on one of the machines?

Tell us what you find out.

Joe Abruzzo (CEO, Author) Commented:
I tried all the links: Kaspersky, Housecall and the registry solution. Did not find the problem. Having this problem on 10 workstations, 8 Win 7 Pro and 2 XP Pro. Any more thoughts? Please advise.

Bxoz Commented:
Do you have RDP enabled on your workstations? Maybe it's a user who is having fun with it.

start -> run... -> mstsc -> @IP of one of your workstations



Joe Abruzzo (CEO, Author) Commented:
Can you explain this post? I also noticed that the problem workstations are using the same user account (Administrator). The workstations not affected are using a different user account and the Administrator account is disabled. I wonder if maybe an infected machine (if there is an infected machine) with the user account Administrator is sending a remote connection automatically. This problem is happening when no other people are in the building, so if this is the problem it may be some file that was downloaded from the internet that is doing this automatically. Any idea on what that file/service/script might be?
PS: AV software does not detect any problems (Security Essentials). Also scanned with the other virus software that you suggested.

Bxoz Commented:
It could be this one:
http://www.f-secure.com/weblog/archives/00002227.html

Can you try to disable RDP on your workstation with the issue (Start -> right click on "My Computer" -> Properties -> "Remote" tab -> and uncheck "Allow users to connect remotely to this computer")?

Jim-R Commented:
I've asked moderators to add the AntiVirus category to your question. It certainly sounds like something malware would possibly do, just because it is happening with no one around.

Joe Abruzzo (CEO, Author) Commented:
It seems like the problem is the "Morto Worm". I set XP machines to "do not accept Remote connections" and Win 7 machines to "allow connections from machines running Network Level Authentication". This seems to have stopped the remote logins/logoffs for now. The question is how to remove it and/or which files to remove and which registry entries? I found a lot of info on this and each solution seems to be different as to what files and registry keys to remove.
I do use Remote Desktop, so I need to change the settings back at some point.

Does anybody have any experience with this worm and the best way to remove it?

Bxoz Commented:
Can you find these files?
%Windows%\clb.dll
%Windows%\clb.dll.bak
%windows%\temp\ntshrui.dll
<system folder>\sens32.dll
c:\windows\offline web pages\cache.txt

Here are the releases of this worm:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=morto&searchIcon.x=0&searchIcon.y=0

You should detect Morto with Microsoft Safety Scanner:
http://www.microsoft.com/security/scanner/en-us/default.aspx

Here is a technical write-up our analysts at the Microsoft Malware Protection Center have on this threat: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

I also see that there are reports of reinfection after cleaning the aforementioned malware, so there are a few things to consider here:

1. Microsoft detects and removes the Morto.A family/variant. You can use the Microsoft Safety Scanner to clean this particular malware as well as all other known malware that Microsoft has definitions for. The MS Safety Scanner can be downloaded from: http://www.microsoft.com/security/scanner/en-us/default.aspx

2. If you are seeing a reinfection of this, or any malware, it is possible that a rootkit and/or trojan dropper still exists on the system. Microsoft is offering a beta version of a bootable scanning utility that will allow you to boot into a WinPE environment and scan the file system while it is offline, thus preventing the potential rootkit from loading and giving you a better chance of finding it. Please see the Standalone System Sweeper at: http://connect.microsoft.com/systemsweeper

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/31cf740c-818c-4863-8df9-0d9a1d6de6fc

Joe Abruzzo (CEO, Author) Commented:

%Windows%\clb.dll (Found in System32 Folder)
%Windows%\clb.dll.bak (Not Found)
%windows%\temp\ntshrui.dll (Found in System32 Folder)
<system folder>\sens32.dll (Found in System32 Folder)
c:\windows\offline web pages\cache.txt (Yes Deleted and it comes back)

Can you explain the path <System folder>? Not sure what this path is.

I scanned with Microsoft Safety Scanner and it did not find anything. Maybe it is something else.
PS: I noticed that on the good workstations I do not have the file sens32.dll. I read something that said this was a problem file.

What are your thoughts?

Sommerblink Commented:
Personal opinion alert: There is no such thing as 'cleaning' an infected computer.

The only way to be absolutely certain that you have eliminated any infection is by reloading the OS on the drive with your corporate image.

My company's policy on any confirmed or suspected infection is to take the computer off network immediately and reload them from a corporate image.

Bxoz Commented:
<System folder> is the System32 folder.

"I scanned with Microsoft Safety Scanner and it did not find anything."
What kind of scan did you do? Quick? Full?


%Windows%\clb.dll (Found in System32 Folder)
%Windows%\clb.dll.bak (Not Found)
%windows%\temp\ntshrui.dll (Found in System32 Folder)

This is ok, I found the same files on my computer.
But sens32 seems to be the Morto worm... can you try to send this file to http://www.virustotal.com/ to see if an AV finds something.

On an infected computer can you launch the command "netstat -ano"?
Start -> run -> cmd -> netstat -ano
If the Morto worm is on the computer you should see in the result, in the Foreign Address column, lots of IP:3389 entries like this:

Proto  Local Address          Foreign Address        State           PID
   TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
   TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2256
   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
   TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       464
   TCP    0.0.0.0:2717           0.0.0.0:0              LISTENING       2256
   TCP    1.2.3.4:139       0.0.0.0:0              LISTENING       4
   TCP    1.2.3.4:2258      144.176.55.204:3389    SYN_SENT        832
   TCP    1.2.3.4:2259      106.218.17.126:3389    SYN_SENT        832
   TCP    1.2.3.4:2260      82.159.196.249:3389    SYN_SENT        832
   TCP    1.2.3.4:2261      35.13.212.21:3389      SYN_SENT        832
   TCP    1.2.3.4:2262      98.89.156.119:3389     SYN_SENT        832
   TCP    1.2.3.4:2263      172.183.83.244:3389    SYN_SENT        832
   TCP    1.2.3.4:2264      2.22.184.226:3389      SYN_SENT        832
   TCP    1.2.3.4:2265      179.151.241.111:3389   SYN_SENT        832
   TCP    1.2.3.4:2266      188.131.141.230:3389   SYN_SENT        832
   TCP    1.2.3.4:2267      88.184.60.211:3389     SYN_SENT        832
   TCP    1.2.3.4:2268      19.246.27.204:3389     SYN_SENT        832
   TCP    1.2.3.4:2269      81.1.120.167:3389      SYN_SENT        832
   TCP    1.2.3.4:2270      104.115.210.138:3389   SYN_SENT        832
   TCP    1.2.3.4:2271      131.91.148.141:3389    SYN_SENT        832


Joe Abruzzo (CEO, Author) Commented:
I am doing a full scan and it is not finding any problems. I checked the file sens32.dll on the VirusTotal site and it did not find any problems with the file. I did the netstat -ano and I noticed several entries on port 3389. There were 2 states: 1=SYN_SENT and 2=ESTABLISHED. Is this a history of connections? What does "Established" mean? How can we delete these connections if they are present? Please advise.
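As an added example that is not part of the thread, here is a small Python script that parses `netstat -ano` output like the listing above and flags any PID fanning out to many distinct hosts on port 3389, the scanning pattern Bxoz describes. The sample output is constructed in the style of the listing, and the threshold of 3 distinct hosts is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netstat -ano listing in the thread:
# one process (PID 832) has many half-open connections out to port 3389.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    1.2.3.4:2258           144.176.55.204:3389    SYN_SENT        832
  TCP    1.2.3.4:2259           106.218.17.126:3389    SYN_SENT        832
  TCP    1.2.3.4:2260           82.159.196.249:3389    ESTABLISHED     832
  TCP    1.2.3.4:2261           35.13.212.21:3389      SYN_SENT        832
  TCP    1.2.3.4:3000           203.0.113.10:3389      ESTABLISHED     1504
"""

# One TCP row: local addr:port, foreign addr:port, state, owning PID.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

def parse_netstat(text):
    """Return one dict per TCP row; the header and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("lport", "fport", "pid"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def rdp_fanout_by_pid(rows, port=3389):
    """Map PID -> set of distinct foreign hosts it is connecting to on `port`.
    SYN_SENT is a half-open attempt; ESTABLISHED is a completed connection."""
    targets = defaultdict(set)
    for r in rows:
        if r["fport"] == port and r["state"] in ("SYN_SENT", "ESTABLISHED"):
            targets[r["pid"]].add(r["faddr"])
    return targets

def suspicious_pids(rows, port=3389, threshold=3):
    """PIDs reaching `threshold` or more distinct hosts on `port` (assumed threshold)."""
    fanout = rdp_fanout_by_pid(rows, port)
    return sorted(pid for pid, hosts in fanout.items() if len(hosts) >= threshold)

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid in suspicious_pids(rows):
        print(f"PID {pid}: {len(rdp_fanout_by_pid(rows)[pid])} distinct hosts on 3389")
```

On a live machine, feed the script the saved output of `netstat -ano` and look the flagged PID up in Task Manager, as the thread goes on to do.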

Joe Abruzzo (CEO, Author) Commented:
Hi Bxoz!

Thanks for all your support. I think I got rid of the problem. Your last post showing the netstat -ano command and seeing all the port 3389 entries did the trick. What I did was note the PID and in Task Manager I found the service that this PID was using. I killed the service and then I was able to go to Windows\Offline Files and delete the files in this folder. It turns out that was where the problem was coming from. After that I did another netstat -ano and there were no port 3389 entries. I also manually deleted the sens32.dll in the System32 folder. In some cases I had to do this from Safe Mode.
As a side note, Security Essentials picked up the problem on a few of the affected machines (not all) and deleted some of the files (not all). That's where I got the tip where to look (Windows\Offline Files).
If you have any questions just email me at abruzzo@snet.net. Thanks again!!!

Joe Abruzzo (CEO, Author) Commented:
Great job Bxoz