With all the problems you've described on this box, you're better off nuking it 
and reinstalling from scratch. If you really want to play with it and learn 
from it, take an image of the hard drive before you do so (with, of course, the 
customer's consent). That way the customer gets back up and running quickly and 
you can perform forensic analysis at your leisure.

Be aware, though, that with all of the access to the drive that you've described, 
you're going to have a very tough time determining exactly what happened. The 
fact that it is XP SP1 (not SP2) dramatically increases the likelihood that 
malware played a role in ruining this installation.

--
Devin L. Ganger, Exchange MVP      Email: [EMAIL PROTECTED]
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Moratz-Coppins
> Sent: Saturday, March 15, 2008 8:11 AM
> To: [email protected]
> Subject: Compromised WinXP box prob
>
> I am self-employed; fixing computers for customers for a living. I have
> a customer's machine at home at the moment because I am stumped by a
> problem on it.
>
> I'll describe the history (AFAIK) up to this point - the customer was
> running WinXP SP1 with Norton Antivirus. They noticed a problem where
> it looked like lots of e-mails were outgoing; Norton detected viruses
> but wasn't able to get rid of them. The customer rang Symantec support,
> who spent about an hour doing remote assistance on their machine,
> seemingly trying to delete the virus-infected files only to have them
> recreated on reboot. The Symantec guy gave up after a while and advised
> the customer that they should get hold of a WinXP CD (I'm not sure what
> their intention was at this point). When the customer managed to get
> hold of a WinXP CD, they rang Symantec back only to be told that they
> should get someone local to deal with the problem. Then the customer
> called me.
>
> When the computer boots, it seemingly does a normal Windows boot (the
> normal Windows XP progress bar, green as it is Home Edition and
> pre-SP2), but then the next screen it shows is saying safe mode (no
> reboot in between). Standard welcome screen, but no accounts can log in
> ("your account cannot log in due to an account restriction" - perhaps
> not exactly word-for-word, but the message looks like a genuine Windows
> message rather than something crafted by a third party). This goes for
> all accounts on the machine including administrator.
>
> I tried all safe modes and 'last known good' but same result. Next I
> tried the ntpasswd boot CD and reset all accounts' passwords, though
> none of them said locked out/disabled etc. Boot again, no difference.
>
> I booted off my WinXP CD into the recovery console, and as the customer
> mentioned boot sector viruses, for the sake of being thorough I used
> FIXMBR and FIXBOOT to rewrite the boot sector and MBR. No difference to
> normal Windows boot. Again in the recovery console, I checked for the
> file names that the customer said Norton mentioned. Neither of them was
> familiar, but I think I found one of them and renamed it to stop it
> potentially executing on boot. No difference to bootup.
>
> I guessed that the 'account restriction' might be the 'log on locally'
> right, but I haven't found a way of configuring this. I tried renaming
> logonui.exe to cmd.exe, but that command prompt won't let me run any
> other executables (not enough quota message) such as ntrights.exe. One
> possibility I can think of is to set up a LAN with DHCP, put my laptop
> on it and the machine in question, and try to do ntrights over the
> network, but I would have thought that the firewall on that machine
> would stop that attempt. Of course I could be barking up the wrong tree
> with this overall 'account restriction' theory. I also tried having
> REGEDIT.EXE run in the place of LOGONUI.EXE, but it errors saying I
> didn't supply it with an argument. Eventually it gives up trying to run
> it and goes to the winlogon classic UI, which unsurprisingly gives me
> the same account restriction error.
>
> The other problem I have noticed is that I saw a few iffy-looking
> services in the recovery console using LISTSVC, but I can't configure
> the service startup type as the command complains that there isn't a
> CurrentControlSet key.
>
> That last problem makes me think that this and the 'account
> restriction' were inadvertently caused by Symantec support; perhaps one
> of their removal utilities (I've noticed one or two on the C drive) has
> done some damage. My only other theory is that some over-zealous malware
> writer has designed some sort of self-destruct system, but I can think
> of more effective ways of achieving such an end, and overall I think
> this theory is rather alarmist.
>
> I've mounted the disk on my machine and virus-scanned it. It has
> removed a few assorted virus-infected files and cleaned up a couple of
> others (such as lsass.exe - not misspelt), but the machine still doesn't
> start. I've backed up the customer's data and I have got the customer's
> consent to nuke the installation, but I would prefer not to if it isn't
> necessary (and learn from this experience), though of course I don't
> want to spend a huge amount of hours on this problem only to fall back
> on the repair-reinstall/clean-install option.
>
> If anyone has any ideas I would much appreciate hearing them!
>
>
> --
> Mike Moratz-Coppins
> [EMAIL PROTECTED]
> http://www.mikeymike.org.uk/
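The recovery console refused to change the service startup type because there is no CurrentControlSet key in an offline hive: the kernel creates CurrentControlSet at boot as a symbolic link to ControlSet00N, taking N from the Select\Current value, so a damaged Select key or a missing ControlSet leaves nothing to link to. The script below is an added example, not part of this thread or of any tool mentioned in it. It does from a clean Windows machine (with the infected disk mounted, as the poster already had it) what LISTSVC and DISABLE would have done: it loads the offline SYSTEM hive, resolves the ControlSet that CurrentControlSet would point at, lists everything that starts without a user logging in, and optionally sets one service's Start value to 4 (Disabled). The drive letter E:, the mount-point name OfflineSys and the service name passed to -DisableService are assumptions; run it from an elevated prompt, and only after imaging the disk if you intend to keep forensic value.

```powershell
# Added example, not from the original thread. Inspect and edit an offline
# Windows XP SYSTEM hive from a disk mounted on a clean Windows machine.
# Assumptions (hypothetical): the infected disk is mounted as E:, so the hive
# file is E:\WINDOWS\system32\config\system (XP hive files have no extension).
# Run from an elevated prompt; reg.exe load needs it.

param(
    [string]$HivePath = 'E:\WINDOWS\system32\config\system',
    [string]$MountKey = 'OfflineSys',
    [string]$DisableService = ''   # e.g. 'badsvc' to set its Start value to 4 (Disabled)
)

$base = "HKLM:\$MountKey"
# Service Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

# reg.exe is the supported way to load a hive file under HKLM; the PowerShell
# HKLM: drive then sees it like any other key.
& reg.exe load "HKLM\$MountKey" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed for $HivePath (not elevated, hive in use, or wrong path?)"
}

try {
    # CurrentControlSet never exists in an offline hive: it is a symbolic link
    # the kernel creates at boot to ControlSet00N, N taken from Select\Current.
    $select = Get-ItemProperty -Path "$base\Select"
    'Select: Current={0} Default={1} LastKnownGood={2} Failed={3}' -f `
        $select.Current, $select.Default, $select.LastKnownGood, $select.Failed

    $available = Get-ChildItem -Path $base |
        Where-Object { $_.PSChildName -like 'ControlSet*' } |
        ForEach-Object { $_.PSChildName }
    $ccsName = 'ControlSet{0:D3}' -f [int]$select.Current
    if ($available -notcontains $ccsName) {
        # A damaged Select key (or a deleted ControlSet) leaves the machine with
        # nothing to boot from; fall back to the first set still in the hive.
        Write-Warning "Select\Current -> $ccsName is not in the hive; available: $($available -join ', ')"
        $ccsName = $available | Select-Object -First 1
        if (-not $ccsName) { throw 'No ControlSet00N keys in this hive' }
    }
    $ccs = "$base\$ccsName"
    "Using $ccsName"

    # Everything that would start before any user logs in. A service or driver
    # that keeps coming back after reboot is usually registered here.
    Get-ChildItem -Path "$ccs\Services" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($null -eq $p.ImagePath -or $null -eq $p.Start) { return }   # group/parameter keys
        [pscustomobject]@{
            Name      = $_.PSChildName
            Start     = $startNames[[int]$p.Start]
            ImagePath = $p.ImagePath
        }
    } | Where-Object { $_.Start -in 'Boot', 'System', 'Auto' } |
        Sort-Object ImagePath | Format-Table -AutoSize

    # Offline equivalent of the recovery console's DISABLE command: the value
    # is written into the ControlSet the machine will actually boot from.
    if ($DisableService) {
        $svcKey = "$ccs\Services\$DisableService"
        if (-not (Test-Path $svcKey)) { throw "No such service key: $svcKey" }
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
        "Set $DisableService Start=4 (Disabled) in $ccsName"
    }
}
finally {
    # Release any handles PowerShell still holds on the hive, or unload fails.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountKey" | Out-Null
}
```

Two caveats. The 'log on locally' right the poster guessed at is not in the SYSTEM hive at all; user rights live in the LSA policy inside the SECURITY hive, which this script does not touch, so a missing right would not show up here. And if the Select key really is damaged, pointing it at a surviving ControlSet00N (by setting Select\Current) gets the box booting again but tells you nothing about how it got that way; the image taken before any of these writes is what the forensic work has to run against.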
