I was asked to look at a computer running XP that is exhibiting the following behaviour:
- opening a jpg attachment in Outlook Express results in a window/box that begins to open up, but it never goes beyond just the initial stage of rendering the box -- remaining grey or semi-translucent in its non-responsive state.
- clicking on the close window x will generate a popup box informing of the run dll as an app error. Then you get the "do you want to send in an error report to MS..."
Googling, it appears that this is a common error for a variety of different reasons.
- installation/de-installation breakage
- malware/spyware/virus
Apparently this behaviour has been happening for this user for some length of time now. The user is a low risk candidate for getting viruses (though using a good vector I suppose through OE), and has MSE running and is up to date in definitions and all MS patches etc.
I kind of suspect that the problem is actually related to some changes in their image viewing software -- they had previously had a problem with opening attachments that was related to some older ACDSEE version that ended up going to the dustbin, but have been using some Canon software since in its place. Though, I think a Canon update at some pt may have borked something (I say this because there was evidently some sort of minor change in the default behaviour of the Canon app a while back).
Anyway, where it gets interesting is when I ran a precautionary (full system) scan with MSE -- almost 3 mins into the process, it grinds to a halt on a \Documents and Settings\{User}\Local Settings\Temporary Internet Files\Content.IE5\{random alphanumeric folder name}.
I then checked running processes and services, but didn't see anything out of the ordinary or to be concerned about.
Then went into the file manager to have a peek at the folder ... only the folder doesn't show up in the file manager (Windows Explorer).
Suspicion rising.
Boot into safe mode under Admin. Run MRT.exe (MS' supposed nasty thing finder). Similar result -- within two minutes, the scan comes to a halt on a similar Temporary Internet Files\Content.IE5\{random alphanumeric folder name} but this time I can see it's stuck on a file named yM-LaWTgTA[1].js
Uh-oh, javascript if I'm not mistaken.
Stopped the scan -- had to force kill the process.
Then tried running MSE on it (BTW, does MSE not start up automatically when in safe mode? -- it was saying the computer was not running it in real time or something to that effect (w/ big scary red window dressing colours in the background to emphasize that the system was not protected)). Scan did the same thing as MRT --> ground to a halt on the same file.
Then tried to see if I could see the folder in safe mode with Windows Explorer ... access denied.
And that's all the time I could spend looking at it.
So, the big questions are:
- why are there apparently some hidden temporary internet folders/files that the admin can't access?
- would you suspect a low level javascript virus that knocked out the rundll.exe link to jpgs?
- how would you proceed? My knowledge of Windows is diminishing and I'm not up on what the current anti-spyware/malware/virus stuff (detection and removal) best practices would be
- is this two separate issues ... i.e. a broken association of jpegs with an appropriate app ... and ... a bunch of folders/files, that on one level don't apparently exist, but exist on another level and which are playing some sort of havoc?
Thanks in advance