Solved

Virus, Trojan, Worm? Must Hard Drive be Reformatted? A Puzzle For You!!!

Posted on 2003-10-21
6
531 Views
Last Modified: 2013-12-04
WinXP Home, Dell 8300, dial-up (AT&T), ZoneAlarm v3.7.202, VisualZone, Norton SystemWorks, NAV2003 with current updates, Spybot S&D, NO CHAT, MUCH Internet website hopping on seedy locations.

1st: ZoneAlarm message "I am infected with a known malicious program - don't allow it internet access." (COM Surrogate-DLL Host.exe is a known malicious program, also known as Nachi or Welchia.) My NAV full system scans never detected this. Ran 2 removers from the Symantec site: WBlaster.D & Nachi; nothing found; ran in safe mode & regular.

2nd: Noticed many SRVHOST.exe in the Task Manager process list. Generic Host Process for Win32 entries were present (2 of them), seen on top of ZoneAlarm, & if these were not given access to the net via Internet Explorer 6.2600 no internet contact was possible. One of these was always monitoring ports between #3400 and #3599. These were always like this. I restrict all on ZoneAlarm; only IExplorer 6 is direct to the internet as Server. The Spooler SubSystem, Generic Host 32, LiveUpdate, & Spybot Search & Destroy. ALL WAS OK FOR A WHILE...

NEXT came a delay upon clicking the desktop icon, any icon... I click & no response whatsoever, until approx. 2 minutes pass & then all of those prior clicks appear at once...(dozens)...then if I shut all but one, I could use the system. Next it became worse such that it isn't possible to use the computer. I manage to get on with the computer but barely. I have all the Windows Updates installed, run the AV always & keep it current, Spybot S&D daily, no chatting ever.

Today I changed the icon on a desktop shortcut via its Properties access and after doing this a new problem began...a rectangular 3" x 4" box kept flashing on & off; it said "File Download" with a green bar across the center, a globe icon upper left & a folder icon upper right. When this flashed on, every 1 second it would take control of the desktop menu. The Task Manager showed 1 to 2 flashing rectangles & said only "File Download"; this went on for 1/2 hr & the unit was never online during this. Manual power reset & then OK, until I clicked that same desktop shortcut; it began again. I deleted the icon & it continued, until the Recycle Bin was emptied.

I had been told by Dell Tech that maybe too many startup items; msconfig to uncheck most...same problem with delayed icon activation. After this came the flashing File Download & we went into services.msc, changed the three "what to do if system fails" to do nothing, also changed something else in there...same problem with icons on desktop & start menu....we used System Restore in system tools to reset the system to Oct. 14...one week back...the oldest date available. It still does the same delayed activation of icons.

I am hoping I can resolve this unknown problem without wiping my hard drive and reinstalling. I am holding off on a major software install (3Gig & 2 complex search engines). NO ONE KNOWS WHAT THE CAUSE IS OR HOW TO RESOLVE THIS. THE ORIGINAL EXE FILES THAT WERE FLAGGED AS MALICIOUS, ETC. ARE ALSO WINDOWS SYSTEM32 FILES...WHAT SHOULD BE IN THE PROCESS LIST TO OPERATE THE SYSTEM?

PLEASE READ THIS CAREFULLY AND SEE IF YOU CAN PUT YOUR FINGER ON THE ACTUAL PROBLEM. I am also concerned that the problem might be from a bit of infested data...jpg, gif, doc, txt, ??? Help???? Thanks much!!!! Be advised: tonight I ran another virus scan at www.housecall.antivirus.com & this came out clean.
Question by: nikkorrook

6 Comments
LVL 16

Accepted Solution

by: ahmedbahgat earned 63 total points
ID: 9597073
OK, it is a long story and it will take longer to troubleshoot. The best and shortest answer will be backing up your files, formatting the HD, reinstalling Windows and all software and its updates, then restoring your files. I do this without any hesitation when any OS I use starts to show weird stuff.

cheers

0
 
LVL 24

Assisted Solution

by: SunBow earned 62 total points
ID: 9599320
I like that answer. Before trying to sort all that out, think of this: go off-net, erase all of the HD, install the OS, install ZoneAlarm, install all upgrades to the OS and patch all the holes. Install applications like Office, and patch all of them. You didn't forget the IE and IRC patches, right? Now if that was done, what are we left with? OK, add SAV with an updated pattern, ready to detect new malwares.

> Be advised-tonight I ran another Virus Scan at www.housecall.antivirus.com & this came out clean.

Why? Oh, I guess that may help if some malware trashed the local AV files. But if you want webscan, why not run Symantec's? (except that it does not manage IE windows well):

http://www.symantec.com/siteindex.html

Run the online security check on the right hand side of that link

Your comment is quite a run-on; you're competing well with me with that. The answer to what happened is, I think, that you failed to maintain your upgrades to MS wares such as IE and the OS. You probably got hit by at least one if not two malwares: one that trips up your A/V detection, so you'd have to reinstall that, and reinstall ZA, but not until the beast is DOA. You probably got another that exploited IE to maladjust your DNS. One of the latest also hooked Google's engine. Can you use the browser to go to Google? If not, this is most likely Qhosts. Here's the tool for that very popular one:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

0
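The answer above points at Trojan.Qhosts, whose hallmark is that well-known sites such as Google stop resolving because name lookups have been redirected. The script below is an added example for readers of this thread, not code from the original post or from Symantec's removal tool: it parses a Windows-style hosts file and flags any watched domain (the list is an assumption for this example) that is pinned to an address other than the local machine. The sample hosts file it runs on is constructed for illustration; on a real system the same function can be pointed at `%SystemRoot%\System32\drivers\etc\hosts`, bearing in mind that the page notes malware may also tamper with DNS settings, which a hosts-file check alone will not see.

```python
"""Flag hosts-file entries that redirect well-known domains away from localhost.

Added example for this thread (not the original poster's or Symantec's code).
The watched-domain list and the sample hosts file below are assumptions
constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains a clean hosts file should never pin to a remote address.
# Assumption for this example; extend for your own environment.
WATCHED_DOMAINS = ("google.com", "symantec.com", "microsoft.com")

# Constructed sample: two legitimate lines, then a redirect of the kind
# the thread describes (192.0.2.x is a documentation-only address range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# constructed sample hosts file for this example
127.0.0.1       localhost
127.0.0.1       ads.example.test          # pinning an ad host to localhost is benign
192.0.2.44      www.google.com google.com # redirected to a remote host
192.0.2.44      symantec.com
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) triples from hosts-file text.

    Comments after '#' and blank lines are skipped. One IP may be followed by
    several hostnames; each hostname becomes its own triple.
    """
    entries: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: nothing to resolve
        ip, *names = fields
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_local(ip: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not even an IP address: treated as non-local
    return addr.is_loopback or addr.is_unspecified


def _is_watched(name: str, watched=WATCHED_DOMAINS) -> bool:
    """Match the domain itself or any subdomain of it (www.google.com)."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_suspicious(text: str, watched=WATCHED_DOMAINS) -> List[Dict[str, object]]:
    """Return watched hostnames that are mapped somewhere other than localhost."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if _is_watched(name, watched) and not is_local(ip):
            findings.append({"line": lineno, "ip": ip, "hostname": name})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['ip']} (not local)")
```

A hit does not prove infection on its own (administrators sometimes pin hosts deliberately), but a redirect of a search engine or an AV vendor's site to an unfamiliar address is exactly the symptom the answer describes, and it is worth checking before deciding whether a rebuild is unavoidable.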
 
LVL 24

Expert Comment

by:SunBow
ID: 9599348
>  & then all of those prior clicks appear @ once...(Dozens)...then if I shut all but one, I could use syst.

Do you think you may have a neighbour who is interested in hacking your system via key tracking and remote control? Guess what, a lot of those programs are so junky that they don't work and the intruder is caught. You have to accept that you'll be outed before you should try any of that.
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 9600350
Hard drives do not have to be reformatted, but it is a good practice. I agree with the comments the others have made above.
0
