System hangs on both boot and shutdown

Discussion in 'Malware Help (A Specialist Will Reply)' started by netzach, Jul 30, 2006.

  1. netzach

    netzach Private E-2

    Windows XP Pro, Service Pack Two. Symptoms:

    1) Boot process gets as far as displaying the wallpaper, but not to the point where it shows desktop icons or taskbar.

    2) Task Manager can be launched from that point, minimizing it puts it into the lower left-hand corner of the screen and shows just the blue part at the top of the screen.

    3) Anything that uses Windows Explorer ends up showing the "flashlight" icon swinging back and forth but gets no further.

    4) Anything that uses a .msi to install (Windows Defender, for example) hangs at the "Preparing to Install" note. See #3. If you hit cancel at that point it displays "Cancelling." but gets no further.

    5) There are three SVCHOST.EXE entries in the Processes list. If I kill the one that shows 4,096K memory usage (occasionally 4,196K), the icons pop, the very bottom of the taskbar appears at the top of the screen and everything appears fine - for a couple of minutes. Then the system informs me it must shut down due to the failure of an RPC. It tries to shut down, but hangs there, too.

    6) Booting in Safe Mode yields roughly the same results.

    7) Running Spybot S&D from a CD (couldn't install it directly, see #4) informs me that I have some variant of Zlob - doesn't say which one. It can't fully fix the system - three items unresolved - asks if I want to run on restart. That never happens, as it hangs shutting down, and whatever mechanism it uses to run S&D on restart never happens.

    8) I suspect that any changes to the Registry never get actually written to disk. See #7.

    9) Running "tasklist" from a command prompt also hangs.

    Any ideas? Short of a Wipe and reload, that is?


    bestRegards, Guy.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you boot up/shutdown okay from Safe Mode?

    Zlob is part of the SmitFraud family of infections. See if you can run the below which does not require any programs to be installed but you must download and run some tools.

    SpywareQuake & SpyFalcon Removal Procedure

    Attach the Smitfiles.txt log afterwards.

    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
     
  3. netzach

    netzach Private E-2

    Hiya, chaslang! Thanks for taking the time to respond!

    ___chaslang___
    Can you boot up/shutdown okay from Safe Mode?
    ---------------
    Kinda, sorta. I can get there, but have no taskbar. Not sure how to get to "Add/Remove Programs" in Control Panel without a Start button.


    ___chaslang___
    Zlob is part of the SmitFraud family of infections. See if you can
    run the below which does not require any programs to be installed
    but you must download and run some tools.
    ----------------
    Didn't know that! Great. This might be more tricky than I originally thought. :mad:

    Will the tools work without the Add/Remove Programs step in the instructions?


    bestRegards, Guy.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried running explorer.exe from Task Manager? Click File, New Task (Run..) and enter explorer.exe and click OK! See if that works and brings up a Desktop.


    You don't need to do anything with Add/Remove Programs to run the SpywareQuake procedure or the other two steps.
     
  5. netzach

    netzach Private E-2

    Doesn't bring up a desktop - but gives me a second "EXPLORER.EXE" entry in the Processes list. Neither one seems to be doing anything.

    I was just trying to be thorough. The Removal procedure says to make sure we have followed the "view system files and hidden folders" procedure - which requires a working explorer.exe to my way of thinking. Sixth bullet-point has us going to Add/Remove programs. I looked through the list of DLLs and EXEs using attrib from the CLI - "attrib" will list 'em even if they're system or hidden files - but none were present.

    Out of curiosity - is there any way to get to the control panel from the CLI (or File->Run->New Task in the Task Manager)???


    bestRegards, Guy.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you are correct! I forgot about that part. Just ignore it for now and continue. I really need to see the smitfiles.txt log and the two other logs I requested. We are not going to get very far until you get those logs posted.



    ___netzach___
    Out of curiosity - is there any way to get to the control panel from the CLI (or File->Run->New Task in the Task Manager)???
    ---------------
    Yes! Just have it run APPWIZ.CPL and if that is not found try the full path C:\windows\system32\APPWIZ.CPL
     
  7. netzach

    netzach Private E-2

    One additional piece of information - just found this out from the gentleman who owns the computer - this problem started two days after he updated his McAfee subscription. Do not know if this is relevant.


    bestRegards, Guy
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt it!

    I still need the logs requested in message # 2 or I cannot help you any further!
     
  9. netzach

    netzach Private E-2

    Finally got the logs - but it was costly! No floppy, no USB support for thumbdrives, etc, no writeable optical media, no internet connection, no shares on the LAN.

    So I yanked the drive and took it to another client that uses SATA drives. Figured disk to disk copy would work. It did, but now /that/ computer is infected!

    bestRegards, Guy.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But were the procedures run and the logs created when the drive was in your PC? And then afterwards you just used the other PC to get the log files to upload?

    If you ran the procedures on the other (new) PC, it is of no use in diagnosing your PC's problems.

    You still have SpyFalcon problems! Did you run this SpywareQuake & SpyFalcon Removal Procedure completely, and did you run it before the other two logs were obtained?


    You can start a new thread to work on the new PC if it is infected. Make sure you indicate in the new thread that this is a second PC. Run the READ ME on this new PC.
     
  11. netzach

    netzach Private E-2

    Exactly. I ran it on the infected PC - exactly as it was written up in the procedure (except for the "show all files" and "add/remove programs" bits - we already discussed that). Then took that hard disk, with the three logs, over to the other system for copying.

    Yes. My guess is that because the system's hanging on SHUTDOWN - the only way to reboot is to kill the power - the registry changes aren't being written permanently to disk, so on reboot they're still there just like before, no matter that the SpywareQuake & SpyFalcon Removal Procedure removed the registry entries.

    No need - there was a recent Ghost image of the other system. They're following proper backup procedures at the client company where I took the infected disk. It took me a good chunk of the night, but I just wiped the disk and reloaded the saved Ghost image. It's already back to normal.


    bestRegards, Guy.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! They are written as soon as you apply the registry patch.

    Let's do the below (I assume you have the hard disk back in the original PC).


    Make sure viewing of hidden files is enabled (per the READ & RUN ME).

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Reboot into safe mode and delete the below files (if found):
    C:\windows\system32\appmagr.dll
    C:\WINDOWS\iun3402.exe

    Now reboot into normal mode and get new logs from GetRunKey and ShowNew and attach them here. I seriously doubt this infection from Smitfraud is the cause of your system hanging. Smitfraud is a problem, but the symptoms you are mentioning are more likely related to problems within your OS (corrupted or missing files).
     