Nasty Network Infection!


Panama Red
12-20-2006, 03:22 PM
Haven't seen this before and I hope I don't see it again. Did a clean install of Win2K on a customer's machine last week. He just had broadband installed and hooked it to the web for the first time on Sat. His wife went online for a bit and later his son tried to use the web but it wouldn't connect. Rebooted the system and it BSODs with a C000021a STOP: error message. After several failed reboot attempts he called me. It would boot to Safe Mode so I picked it up for a rework on Mon. Ran tests on the memory and HDD and found nothing out of sorts. Would boot to Safe Mode with Networking but the NIC wouldn't work. Tried a different NIC and same problem. Figured maybe it was the new version of AVG I had installed or a conflicting update from Windows Update that just came through. Removed AVG using Add/Remove Programs in Safe Mode, rebooted and the system came up fine.

Went to Ewido to run a scan when I noticed one of my own Win2K-based folding machines was showing up as offline on the EMIII monitoring program. Checked it out and found the same BSOD as the customer machine! Long story made short, his PC had some dialer infection that has made its way through all 7 of my Win2K-based folding machines. None would connect to the internet any longer and on reboot would either BSOD until AVG was removed (either version 7.1 or 7.5) or the PCs would remain in a continuous reboot loop. I've verified the same dialer and infections are present in all machines. Task Manager shows the System process running at 100% when the infection is active and this prevents Folding@Home from running. None of my Vista or XP Home or XP Pro machines were touched. I suspect because they're all running the MS Firewall.

So far nothing has cleaned any of them to allow reinstalling AVG. I've tried all the scanning tools, checked the AVG forums for anyone else having similar issues and used HijackThis on two PCs to no avail. Right now I have turned off all 7 of mine and the customer's machine.
I'm planning to nuke and pave all of them doing it one at a time until all are clean. Then I'll restore the network. I've often wondered if connecting an infected machine to my home network had the potential to spread a virus and now I know! Not the way I wanted to find out however!

Floppyman
12-20-2006, 04:18 PM
Hey Panama,

I know what you're talking about. When I did IT work for my school's helpdesk the last couple years, we had issues with this sort of thing too. We would get a quarantined machine from a student (quarantined = moved into its own VLAN so it couldn't infect the rest of the residential network) and would attempt to fix it at the technology helpdesk. The problem was that we would have to plug it into the network there (main campus network) to download updates etc. Naturally, there was always a concern that this infected machine would go out and infect countless others before we had gotten a chance to get it all cleaned off. Eventually, we got a little hardware firewall that we put between the infected machine and the rest of the network where we could block almost all traffic except port 80 (web browsing) for instance. Might be good to look into something like this for yourself, or throw ZoneAlarm on all your network's machines.

rjfvillarosa
12-20-2006, 05:00 PM
I've often wondered if connecting an infected machine to my home network had the potential to spread a virus and now I know! Not the way I wanted to find out however!
This has crossed my mind so many times when connecting customers' machines to my router.
Sounds like a major problem you have got yourself there PR.

cmillar6
12-20-2006, 07:32 PM
This is exactly why I preach the use of a third-party software firewall; if one had been installed on the infected machine it would have isolated the dialer to that machine only. In my mind at least, outbound protection is as important as inbound protection.
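The two points made above (Floppyman's inline firewall that lets a quarantined box reach nothing but port 80, and the outbound filtering cmillar6 argues for) come down to one small policy. The block below is an added example, not code from this thread or from any of the posters: it models that policy as a filter over new connections, runs it against a constructed set of flows an infected host and its neighbours might attempt, and renders the same policy as iptables rules for a Linux box placed between the infected machine and the rest of the network. The LAN range, the quarantined host's address and the sample flows are assumptions chosen for illustration.

```python
"""
Quarantine filter for one infected host: a tiny policy evaluator plus the
equivalent iptables FORWARD rules.  Added example; the addresses below are
assumed, not taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the shop/home LAN and the address the infected customer box gets
# when it is plugged in to the quarantine port.
LAN = ip_network("192.168.1.0/24")
QUARANTINED = ip_address("192.168.1.50")
ALLOWED_EGRESS = {("tcp", 80)}   # the "port 80 only" rule from the post


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection, as a stateful filter sees it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def verdict(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a new connection.

    Replies to connections that were allowed are assumed to be passed by
    connection tracking, so only the initiating direction is evaluated here.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src == QUARANTINED:
        if dst in LAN:                            # no lateral traffic at all
            return "deny"
        if (flow.proto, flow.dport) in ALLOWED_EGRESS:
            return "allow"                        # HTTP for updates/AV downloads
        return "deny"                             # anything else the malware tries
    if dst == QUARANTINED:
        return "deny"                             # nothing on the LAN may reach it
    return "allow"                                # clean hosts talk to each other as before


def evaluate(flows):
    """Map each flow to its verdict, for reviewing a policy against a log."""
    return {f: verdict(f) for f in flows}


def iptables_rules() -> list[str]:
    """Same policy for a Linux box inline as the quarantine filter (FORWARD chain).
    Order matters: the conntrack rule comes first so replies to the permitted
    HTTP connections are not dropped by the later DROP rules."""
    q = str(QUARANTINED)
    rules = [
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {q} -d {LAN} -j DROP",
    ]
    for proto, port in sorted(ALLOWED_EGRESS):
        rules.append(f"iptables -A FORWARD -s {q} -p {proto} --dport {port} -j ACCEPT")
    rules += [
        f"iptables -A FORWARD -s {q} -j DROP",
        f"iptables -A FORWARD -d {q} -j DROP",
    ]
    return rules


# Constructed sample of what an infected box and its neighbours might attempt.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "192.168.1.20", "tcp", 445),   # SMB to a LAN neighbour
    Flow("192.168.1.50", "192.168.1.21", "tcp", 139),   # NetBIOS session to another
    Flow("192.168.1.50", "203.0.113.10", "tcp", 80),    # HTTP to an update mirror
    Flow("192.168.1.50", "203.0.113.10", "tcp", 443),   # HTTPS, not in the allow set
    Flow("192.168.1.50", "203.0.113.53", "udp", 53),    # DNS, also not allowed
    Flow("192.168.1.20", "192.168.1.50", "tcp", 445),   # a neighbour reaching into it
    Flow("192.168.1.20", "192.168.1.21", "tcp", 445),   # two clean hosts talking
]

if __name__ == "__main__":
    for flow, v in evaluate(SAMPLE_FLOWS).items():
        print(f"{v:5s} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print()
    print("\n".join(iptables_rules()))
```

Two caveats a practitioner will hit straight away: with only TCP/80 open the quarantined box cannot resolve names, so in practice you add UDP/53 to a resolver you control; and an open port 80 is still a channel the malware can use to fetch payloads or phone home over HTTP, so the allow list should be as short as the cleanup job permits and removed once the machine is rebuilt.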

Panama Red
12-20-2006, 07:40 PM
...outbound protection is as important as inbound protection.

Guess I had to experience it personally just to feel the pain! :eek: Lesson learned.
May have to develop a close relationship with Zone Alarm.

mojo
12-24-2006, 03:49 AM
This is why I almost always just use a bootable linux disk to backup data before doing a nuke and pave as you like to call it. I have a writeable shared folder on my main box that I just dump all the data into from the client's computer. I realize this wouldn't have helped you since you wanted to specifically fix the problem instead of just wiping it clean, but I find that my approach makes for a smoother process even if they only have spyware and no infectious worms, because none of the spyware is running and making the computer slow, so I get full-speed transfers and a responsive computer to work with.