Daniel Kaliel

So, about two weeks ago a user open a "gift card" email and installed a
trojan. It was detected and cleaned. However, and maybe it is unrelated,
but every morning when staff arrive to work every computer is frozen. Either
the screen saver is on but moving a mouse or touching a button only displays
the background image or all you see is a copy of their desktop with files and
folders. However there is no start bar, clicking ctrl-alt-delete does
nothing. We have waited hours for some machines to shows signs of life to no
avail. The only way to get them to come back is a hard boot, and even then
it can take 3 or 4 of them before it comes back to life.

I am stumped and don't even know what tests to run anymore.

Any / All help is appreciated.

One other interesting note, I did remove one workstation from the DFS
redirect of their folders and it appears that they no longer lock up. I have
scanned the servers, and they appear clean and there are no errors in the
event logs on the DFS servers. I am posting this in the DFS discussion group
as well.

Please help. Thank you.

S. Pidgorny

Rebuild your work computer, for starters.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

Daniel Kaliel wrote:
> So, about two weeks ago a user open a "gift card" email and installed a
> trojan. It was detected and cleaned. However, and maybe it is unrelated,
> but every morning when staff arrive to work every computer is frozen. Either
> the screen saver is on but moving a mouse or touching a button only displays
> the background image or all you see is a copy of their desktop with files and
> folders. However there is no start bar, clicking ctrl-alt-delete does
> nothing. We have waited hours for some machines to shows signs of life to no
> avail. The only way to get them to come back is a hard boot, and even then
> it can take 3 or 4 of them before it comes back to life.
>
> I am stumped and don't even know what tests to run anymore.
>
> Any / All help is appreciated.
>
> One other interesting note, I did remove one workstation from the DFS
> redirect of their folders and it appears that they no longer lock up. I have
> scanned the servers, and they appear clean and there are no errors in the
> event logs on the DFS servers. I am posting this in the DFS discussion group
> as well.
>
> Please help. Thank you.

PA Bear [MS MVP]

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Daniel Kaliel wrote:
> So, about two weeks ago a user open a "gift card" email and installed a
> trojan. It was detected and cleaned. However, and maybe it is unrelated,
> but every morning when staff arrive to work every computer is frozen.
> Either the screen saver is on but moving a mouse or touching a button only
> displays the background image or all you see is a copy of their desktop
> with files and folders. However there is no start bar, clicking
> ctrl-alt-delete does nothing. We have waited hours for some machines to
> shows signs of life to no avail. The only way to get them to come back is
> a hard boot, and even then it can take 3 or 4 of them before it comes back
> to life.
>
> I am stumped and don't even know what tests to run anymore.
>
> Any / All help is appreciated.
>
> One other interesting note, I did remove one workstation from the DFS
> redirect of their folders and it appears that they no longer lock up. I
> have scanned the servers, and they appear clean and there are no errors in
> the event logs on the DFS servers. I am posting this in the DFS
> discussion
> group as well.
>
> Please help. Thank you.

Daniel Kaliel

My computer runs fine without locking. The only difference is I have not
re-installed our anti-virus software. AVG 8.0.

"S. Pidgorny <MVP>" wrote:

> Rebuild your work computer, for starters.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> Daniel Kaliel wrote:
> > So, about two weeks ago a user open a "gift card" email and installed a
> > trojan. It was detected and cleaned. However, and maybe it is unrelated,
> > but every morning when staff arrive to work every computer is frozen. Either
> > the screen saver is on but moving a mouse or touching a button only displays
> > the background image or all you see is a copy of their desktop with files and
> > folders. However there is no start bar, clicking ctrl-alt-delete does
> > nothing. We have waited hours for some machines to shows signs of life to no
> > avail. The only way to get them to come back is a hard boot, and even then
> > it can take 3 or 4 of them before it comes back to life.
> >
> > I am stumped and don't even know what tests to run anymore.
> >
> > Any / All help is appreciated.
> >
> > One other interesting note, I did remove one workstation from the DFS
> > redirect of their folders and it appears that they no longer lock up. I have
> > scanned the servers, and they appear clean and there are no errors in the
> > event logs on the DFS servers. I am posting this in the DFS discussion group
> > as well.
> >
> > Please help. Thank you.
>