A few questions about Vundo et al.

adarryl No Man Stands So Tall As When He Stoops To Help a Child. Icrontian
edited February 2008 in Spyware & Virus Removal
A friend of mine brought me her Dell Latitude 110L office laptop for repair as her network admin was stumped trying to resolve the problem(s) and she was getting frustrated. (I didn't do her any good either, btw) The laptop was connected to a non-secure wireless office network with nothing but Norton AV for protection. He had found Vundo and possibly other scumware on it but neither he nor I can do anything about it. Here's why:

1. The laptop now asks for a user log-on password at boot-up when no password was ever assigned. (My friend says she was and is the only user of this PC since new.) As a result, no one can get it to boot to desktop. (can't get past the login screen)
2. A bcmwltry.exe application error pops up at the same time as the win login pop-up comes up and cannot be closed. I found out that this error relates to her Broadcom Wireless adapter and can be generated by scumware/hijacking.

Since we can't get into Windows, there appears to be no way to clean out the machine. (you can get into the BIOS but nothing else) I told her I thought the only solution at this point was to have the Admin run the recovery CD knowing she will lose important files. Anyway, I am out of the picture but it caused me to wonder about some things and since I am not a virus/scumware expert, I thought I would ask:
1. Is it possible that Vundo or another type of trojan can hijack a PC to where the hijacker himself can remotely set his own logon password and block system access to legit users?
2. Knowing that her laptop is infected, how likely is it now that her entire office network is infected? They have printer sharing and internal/external emailing.
3. Is there anything else that might help her get her PC operational where she could access her files?

FWIW, this problem surfaced when her laptop all of a sudden started running like molasses in January.

Comments

  • edited February 2008
    Hello adarryl,

    The likely scenario why the user account has logon problems is someone or some action altered/deleted essential registry LSA key values. Although they might try to access the startup menu (at startup tap the F8 key) there is a slim chance they can try the "Last known good" registry restore option, but more often that user account damage done during the next reboot after the initial changes leaves the system inaccessible. To recover the data they can slave this drive in a different working system and offload the info that way. Chance of that cross infecting the working system is possible though.

    This is likely a single user event, and likely from poor choices made downloading software. If their network has reasonable security measures in place it will also not likely infect that way. But never a guarantee. And no, no malware I know of has the capacity, or actually a reason, to hijack a system in the manner you describe.
  • adarryl No Man Stands So Tall As When He Stoops To Help a Child. Icrontian
    edited February 2008
    Thanks for the response Thomas. "Last known good" was tried to no avail. I even tried a Knoppix boot CD to try to access her files but it didn't work. It looked like it was going to take but it halted at an A:\ prompt, but there is no A: drive in this notebook, only C: and E:, and none would respond to commands, not even "exit." FWIW, her notebook was on a non-secure wireless network in a small school. Not a good way to go but apparently they had no funds for anything but Norton AV.
  • edited February 2008
    Unfortunately it wasn't Norton, or lack of security, but the choices someone made that likely brought a Vundo infection to the computer. Norton would block a bad item, given a chance, but if it is bundled in some other file, and then that clicked and given the go ahead to install, infection has access to the system.
  • RichD Essex, UK
    edited February 2008
    adarryl wrote:
    apparently they had no funds for anything but Norton AV.
    Norton should be fine as it is a complete suite

    You can get every piece of software needed free for personal use. As this is for business use you would need to buy the commercial releases which may or may not be cheaper than Norton.

    Have a look for

    AVG or Avast anti virus
    Online Armour or Comodo firewall
    Spybot S&D
    AdAware
    Spyware Blaster

    And remember only ever use one AntiVirus and one Firewall at a time.

    It could be a little tricky getting your data off the PC as it is a laptop but you could try some of below.

    1. This may be dependent on your level of experience, but as previously suggested remove the hard disk and add it as a slave to a stand alone (off the network and internet) PC.
    -Scan the infected HD with anti virus to try and minimise the risk of cross infection.
    -Copy ONLY essential files on to an external HD or usb flash drive.
    -Shut down and remove the infected HD and usb drive.
    -This is not essential but I would suggest an online scan from Kaspersky on the clean machine to ensure it is not infected.
    -Replace the infected HD into the original laptop reformat and reinstall. Make sure you do a full format and wipe the partition.
    -Scan the USB drive for infections then copy the data back to your clean PC
    ---This can't be 100% safe and you may reinfect your clean PC---

    2. Reinstall windows without formatting the partition. This should give you access to your PC as administrator, as all your user accounts will be reset but you shouldn't lose data. You can then post a HijackThis log in a new thread on this forum to try and clean the PC.

    3. If you have a floppy drive you may be able to create a dos prompt boot disk and copy stuff off from there.

    Personally I would try option 2 first then 3 then 1.

    You really should add some form of secure access to your wireless network too.

    I can't be sure if any of the above will work but they are the first things that came to my mind.
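The "copy ONLY essential files" step of option 1 is where cross-infection risk is controlled, so here is an added example of how to do that step in a scripted way on the clean machine (this is not code from the thread or from any poster). It assumes the slaved disk has already been mounted read-only and non-executable (for example `mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/infected`, where the device name is a placeholder), copies only files whose extension is on a data whitelist (the list is an assumption; adjust it to what the user actually needs), skips anything executable or double-extensioned such as `invoice.pdf.exe`, and writes a SHA-256 manifest so the copied files can be checked again after the scan of the USB drive.

```shell
#!/bin/sh
# Added example, not from the thread. Copies only data files off a slaved,
# read-only mounted disk and records a hash manifest of what was copied.
# Assumption: the source is mounted ro,noexec,nosuid,nodev before this runs,
# e.g.  mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/infected  (placeholder device)
set -u

# Extensions treated as user data (constructed whitelist; .exe/.dll/.scr etc. never match)
DATA_EXTS="doc xls ppt pdf txt jpg"

# Portable sha256: fall back to shasum where GNU sha256sum is absent
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# copy_data_files SRC DST MANIFEST
# Walks SRC, copies only whitelisted extensions into DST (keeping the relative
# path), and appends "hash  path" lines to MANIFEST.
copy_data_files() {
    src="$1"; dst="$2"; manifest="$3"
    : > "$manifest"
    for ext in $DATA_EXTS; do
        # -iname "*.doc" does not match "report.doc.exe", so double extensions are skipped
        find "$src" -type f -iname "*.$ext" 2>/dev/null
    done | while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        sha256sum "$dst/$rel" >> "$manifest"
    done
}

# count_copied MANIFEST -> number of files recorded
count_copied() { wc -l < "$1" | tr -d ' '; }

# verify_manifest MANIFEST -> 0 if every copied file still matches its hash
# (run this again after the USB drive has been scanned, before copying back)
verify_manifest() { sha256sum -c --quiet "$1" >/dev/null 2>&1; }

# make_sample_tree DIR: constructed stand-in for a slaved, infected profile
make_sample_tree() {
    d="$1"
    mkdir -p "$d/Documents" "$d/Pictures" "$d/Downloads" "$d/Windows/system32"
    echo "budget" > "$d/Documents/budget.xls"
    echo "letter" > "$d/Documents/letter.doc"
    echo "jpeg"   > "$d/Pictures/holiday.jpg"
    echo "MZ"     > "$d/Downloads/freegame.exe"        # bundled installer, must not be copied
    echo "MZ"     > "$d/Documents/invoice.pdf.exe"     # double extension, must not be copied
    echo "MZ"     > "$d/Windows/system32/evil.dll"     # not user data
}

# Stand-alone demo: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_tree "$work/src"
    copy_data_files "$work/src" "$work/dst" "$work/manifest.txt"
    echo "copied $(count_copied "$work/manifest.txt") data files; manifest:"
    cat "$work/manifest.txt"
    rm -rf "$work"
fi
```

The whitelist approach is deliberate: listing what to take is safer than trying to list every executable type to exclude, and the manifest lets the user prove the files on the USB drive are the same bytes that left the infected disk once the drive has been scanned.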