Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Login, personal settings flash by, logged out again

Status
Not open for further replies.
FredWagner

FredWagner

MIS
Oct 21, 1999
1,125
US
On a Windows 2000 SP4 machine, current updates as of last week, today our network gurus alerted me that it acted like it had a virus. Went to the machine, it was at a login screen. I logged in. It plays the login tune, then immediate plays the logout tune, and you're back to a login screen. Same thing as local administrator, even in safe mode. Has anyone seen this one before? Any advice? Safe to put the drive as a slave in another machine to retrieve data, or better to just re-image it? I'm worried that whatever did this is still roaming, might infect others.

Fred Wagner
frwagne@longbeach.gov
 
Sort by date Sort by votes
Do you have a rescue CD? Try booting from that. Winternals has a commercially available one. Worth geting if you deal with several computers.


James P. Cottingham

There's no place like 127.0.0.1.
There's no place like 127.0.0.1.
 
Upvote 0 Downvote
In the case of this particular unit, no factory recovery CD - it was shipped with XP, but our IT department decided to stick with Win2K as the standard a while longer. I can always re-image it- we use IC3 - but I'm curious to know what virus did this, as I've heard from several of our employees that this has happened to their home PCs, and they had to have them recovered/reimaged. Whatever it is shouldn't have gotten past our firewall, so I need to find out what's happening before we get it again, and again!

Fred Wagner
frwagne@longbeach.gov
 
Upvote 0 Downvote
Have you tried holding down the shift key at login to stop loading items in the start menu?

John
 
Upvote 0 Downvote
John - Thanks fo the suggestion - tried that just now, no difference. Whatever has taken over the PC is running as a service that launches automatically. Hope Symantec of McAfee figures this out and publishes a fix that can neutralize it!
Fred

Fred Wagner
frwagne@longbeach.gov
 
Upvote 0 Downvote
Progress report - put suspect PC back temporarily back on the network, able to map to it by \\pcname\C$ - scanned with current Symantec corporate, found nothing. Browsed, looking for suspect program folder, nothing. Looked in c:\winnt\System32, found some suspicious programs dated 4/22/04 - winhost32.exe,amcups.dll, amcups.cpy.dll - not sure what they were, but removing them didn't get rid of the problem yet.

Fred Wagner
frwagne@longbeach.gov
 
Upvote 0 Downvote
Can you fire up the Recovery console, and use SC to change the setting of any service to disabled?

If you don't have recovery console installed, boot the PC from the 2K CD-ROM and install it.

John
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sentrif
  • Locked
  • Question
Ransomeware back again
Replies
9
Views
417
2ffat
2ffat
javierdlm001
  • Locked
  • Question
"Win32.Downloader.gen" found as Malware by Spybot
Replies
3
Views
365
2ffat
2ffat
Ngolem
  • Locked
  • Question
plagued by PUPS 3
Replies
9
Views
473
kjv1611
kjv1611
OsakaWebbie
  • Locked
  • Question
PHP file found on flash drive - how could it have been used? 1
Replies
12
Views
559
OsakaWebbie
OsakaWebbie
crackoo
  • Locked
  • Question
Encrypted files by Win32.Mabezat.A
Replies
2
Views
301
crackoo
crackoo

Part and Inventory Search

Sponsor

Back
Top