Solved

Multiple Worm Problems - Windows XP Professional

Posted on 2006-04-14
Last Modified: 2013-12-04
Hello,

The boss has recently returned, after a several-month business trip.  At some point during this time, his Norton Antivirus was deactivated and his computer was infected with several worms and viruses.

I have since reactivated Norton, but I cannot seem to get rid of these worms, mostly because they disable the Internet on the laptop once Norton has blocked them.  

This prevents me from running Windows Update and Norton Update (two things that haven't been done in a while).  I have, however, downloaded the Norton anti-virus definitions on a separate computer, and used that to update the laptop's definitions, though I have no real idea as to whether or not that helped against the worms.

The worms that Norton is blocking are:

- MS PnP QueryResConflist BO
- MS ASN1 Integer Overflow TCP
- MS RPC LSASS DS Oversized Request (TCP)
- MSRPC Malicious LSASS DS Request BO


I have searched the Symantec website, and downloaded the subsequent Microsoft updates that are related to these worms, but they still persist.  My theory is that these updates from Microsoft are meant to prevent the infection of these worms, and do not actually remove them if the infection has already taken place.

While formatting the laptop is an option, it's going to be a last resort.  I have backed up most of the important data located on it to a separate flash drive (not going to put it on the network), but I'd prefer to avoid the entire re-installation of the programs there if possible.

I've run a full Norton system check twice, and it's found several things (both times) which have subsequently been removed.  I've also run the Windows Malicious Software Removal Tool, which reported no malicious software on the machine, though I know that the worms are there.

To cover what happens, if the laptop is not on the Internet, then nothing really happens out of the ordinary.  When the laptop is connected to the Internet though, Norton will start popping up indicating that it has blocked an intrusion attempt by the above mentioned worms, and in some cases mentioning the same worm more than once.  At this point, the Internet on the computer will stop working completely.

My searches on the Internet have resulted in nothing useful, and I'm sort of at a loss as to what to do.

Any help would be appreciated.
Question by: Sebastion

20 Comments

Accepted Solution by clbraun74 (LVL 1), earned 700 total points, ID: 16454911
Try putting the computer into safe mode with networking. From there I would go to Pandasoftware.com and run their online activescan. It's free and will clean any virus it finds, plus it will show you if there is any spyware on the machine as well. To go into safe mode with networking, click on the start button and then click on run. In the box that comes up type: MSCONFIG, then hit enter. When the system configuration utility box comes up, click on the boot.ini tab at the top. In the middle of the box, you will see your boot options. Check safeboot and then to the right of it check network. Once those are checked, go to the bottom and click apply, then click ok. On the new box that pops up, click restart. The system will restart in safe mode now. Try to get online and run the virus scan and wait patiently.

If everything went well, you should be ready to go back to normal operating mode. To do this, click on the start button and then click on run. Once more, we will type: MSCONFIG and then press enter. The system configuration utility will pop up with the general tab already selected. Simply check the box that says: Normal Startup, then go down to the bottom and click on apply then ok. On the box that pops up click restart computer. The computer will restart in normal mode and if we were lucky, those nasty worms are gone. Hope this helps.

Expert Comment by Marc Z (LVL 30), ID: 16456081
Grab these programs and, while you are on the sites, grab the standalone definition updates that you can. Spybot has one, Adaware has one, unknown about the other two but check out the sites.  Copy them to a CD or a thumbdrive and install them on his laptop. Install, update and run them one at a time to try to clean out as much as possible, then we'll look at a HijackThis log.

MS Defender http://www.microsoft.com/athome/security/spyware/software/default.mspx Free
Lavasoft Adaware  http://www.lavasoftusa.com/software/adaware/ Free
Spybot Search & Destroy  http://www.safer-networking.org/en/download/ Free
Spysweeper http://www.webroot.com/ Not Free but 14 day trial

You may also need cwshredder found here http://www.intermute.com/spysubtract/cwshredder_download.html


Expert Comment by Marc Z (LVL 30), ID: 16456087
Probably will need Stinger too if the worm turned off his AV.
http://vil.nai.com/vil/stinger/

Expert Comment by rpggamergirl (LVL 47), ID: 16457850
You could also download and run HijackThis; its entries might show us where the culprit is located.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "scan and save a logfile". Don't fix anything yet, just upload the logfile created: go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/url and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", "Save".  Post a link to the saved list here.

Expert Comment by war1 (LVL 97), ID: 16457907
Greetings, Sebastion!

To restore your internet connection, run this script

http://downloads.subratam.org/WinsockFix.zip

Best wishes!

Author Comment by Sebastion, ID: 16459118
Hey group, sorry for the late reply, I was sorting out a conference matter (on Easter too, no doubt).

Anyway, I've had a chance to run through some of your suggestions (though not all, explained below):

clbraun74, thanks for reminding me about Safe Mode (though I generally just use the F8 key).  I must have dismissed that because I knew that you couldn't update Norton or use Windows Update there.  I booted into safe mode and updated Ad-aware and spybot though, which subsequently found and deleted a bunch of spyware.

Before that though, I ran the online check you linked from Pandasoftware.com (also done in safe mode).  This check found 3 viruses, and 12 spyware (which it wouldn't remove, without downloading the full program).  It did fix the 3 viruses though.

Since then, I booted into Windows normally again, and it lasted about 10 minutes on the Internet with no worms, but then the same thing that I mentioned in my initial post happened again.

I'm going to sort out HijackThis now, and I'll probably post up the details in it.  I also plan on downloading MS Defender, linked by mtz1of4, and I'll give that a whirl prior to posting the HijackThis log.

Author Comment by Sebastion, ID: 16460219
Update 2:

I downloaded and ran Stinger, with no luck.  It found nothing.

I also downloaded MS Defender, which I didn't even get to use.  Firstly, it informed me that it could only be installed on a Windows XP Service Pack 2 machine (I was using Service Pack 1).  After debating with myself for a bit, I downloaded the Service Pack 2 redist and installed it (the whole ~200 MB).

After finally getting that installed, I tried to install MS Defender again, only to be told that I needed Windows Installer v 3.1 or greater.  I searched around and downloaded Windows Installer 3.1, and updated the system with that.  Finally, MS Defender was installed, but when I ran the update to try and find new definitions, I was prompted with an error saying that MS Defender could not be updated.  I searched the error code on the Internet, only to find a lot of other people having the same problem, but no mentioned solution.

I've since uninstalled MS Defender.  Slightly annoying that the process was much more complicated than it needed to be...

Anyway, here's the HijackThis log file:

http://www.rafb.net/paste/results/OSK9uW69.html

Assisted Solution by Marc Z (LVL 30), earned 700 total points, ID: 16460473
OK, sorry for the Defender muck up on your end.  Typically the Defender update would go through the Auto Update function of Windows.  You could have tried Windows Update to see if it would have updated.  Sorry for your wasted time but at least now you are up to date with SP2.

Anyway, here is your HijackThis Log Analysis.  http://www.hijackthis.de/logfiles/71a7d6f929934fbff5e20973df70b5df.html

It will be there for three days now.  They do recommend fixing a couple of your things there, especially this one:

  O17 - HKLM\System\CCS\Services\Tcpip\..\{316BCF0A-756E-45B9-9601-50CAC3D859F6}: NameServer = 61.9.134.49 61.9.133.193
  Possibly nasty. If this Domain does not belong to your ISP, or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too.
  Currently there is no visitor's assessment! Do you know the IP or Domain '61.9.134.49 61.9.133.193'? If not, fix this entry.

You've got a few things there like etradeaustralia and movieweb that look suspicious to it.  Look at anything there that says Possible Nasty and read their recommendations.
Rerun HijackThis and fix what they recommend. Reboot and rerun HijackThis again.

rpggamergirl will probably offer better and more assistance on the HijackThis log.

Expert Comment by war1 (LVL 97), ID: 16460780
Sebastion,

Did you run the script that I posted to restore your internet connection?

Author Comment by Sebastion, ID: 16462209
war1, I didn't run the script you linked to because I had Internet capabilities in Safe Mode.  Likewise, after running the scan from Panda software, even though some of the worms were still present and blocked by Norton, the Internet connection appeared unaffected.  This was most likely because not all of the worms appeared to be on the system anymore (only 2 of the 4 remained), so I'm guessing it was one of the worms that was removed that caused the Internet connection loss, or something.

Author Comment by Sebastion, ID: 16462221
mtz1of4, no need to apologize for the MS Defender thing, as you could have had no idea it was going to be such a hassle.

With regards to the HijackThis log, I corrected a lot of the mistakes as per your link.  ETrade is a valid website, I know that much, as it deals in shares and the boss (who owns this laptop) uses it quite extensively.  Movieweb though, I know is a pain - I removed that.

Interestingly, the NameServer one didn't appear in the list after a HiJackThis scan from a normal boot.  It wasn't until I connected to the Internet and Norton blocked a worm intrusion that HiJackThis would pick up on it.  In any event, I removed that too.

I rebooted the computer, ran HiJackThis and everything appeared fine again.  When I connected to the Internet again though, and ran another HiJackThis, the same NameServer link appeared (61.9.134.49).  To my knowledge, our company does not use this IP address itself, but that said I'm just wondering if it is associated with the Wireless Internet connection that the computer uses.  If this is the case, then it wouldn't have anything to do with the worms that remain.

I'm going to drop the laptop back around to the boss this morning, because he has some work that needs to be done, but I'll get it again this afternoon briefly before my plane flight.
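The check that the log analysis above asks for (does the O17 NameServer belong to your ISP or your firm?), and that Sebastion repeats by hand after each reboot, as an added example that is not part of this thread: a small parser that pulls the O17 NameServer entries out of a HijackThis log and flags any resolver not on a known-good list. The sample log is constructed here (the thread's own O17 line plus one made-up interface), and the known-good resolver list is a placeholder to be replaced with the addresses your ISP or wireless provider actually hands out.

```python
import re

# Matches HijackThis O17 lines, e.g.
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4 5.6.7.8
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>[\d. ,]+)\s*$"
)


def parse_o17(log_text):
    """Return a list of (registry key, [resolver IPs]) for every O17 entry."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            ips = [ip for ip in re.split(r"[ ,]+", m.group("servers")) if ip]
            entries.append((m.group("key"), ips))
    return entries


def suspicious_resolvers(log_text, allowed):
    """Return (registry key, IP) pairs for resolvers not in the allowed set."""
    allowed = set(allowed)
    flagged = []
    for key, ips in parse_o17(log_text):
        for ip in ips:
            if ip not in allowed:
                flagged.append((key, ip))
    return flagged


# Constructed sample: the thread's O17 entry plus a made-up benign interface.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{316BCF0A-756E-45B9-9601-50CAC3D859F6}: NameServer = 61.9.134.49 61.9.133.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.0.2.53
"""

# Placeholder: replace with the resolvers your ISP / company actually assigns.
KNOWN_GOOD_RESOLVERS = ["192.0.2.53"]

if __name__ == "__main__":
    for key, ip in suspicious_resolvers(SAMPLE_LOG, KNOWN_GOOD_RESOLVERS):
        print(f"Unknown NameServer {ip} under {key}")
```

A resolver that the wireless provider assigns legitimately will keep being flagged until it is added to the known-good list, which is exactly the "does this belong to your ISP" question the analysis raises; only an address nobody can account for should be fixed.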

Expert Comment by war1 (LVL 97), ID: 16462245
Sebastion,

1. Disable System Restore.  Sometimes worms are backed up in a restore file.  Disabling System Restore, rebooting, then enabling System Restore removed the worm.

2. If you have not done so already, clear the Temp folder files.

3. Please delete the following item from HijackThis log

O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\socbase.dll (file missing)

4. Norton should be able to remove the quarantined files.  If not able to remove with Norton, use
Housecall Online Scan to remove
http://housecall.antivirus.com

Use Ewido to remove trojans
http://www.ewido.net/en/


Author Comment by Sebastion, ID: 16466221
war1,

I have cleared the Temp folders already, sorry for not mentioning it earlier.  Also, from what I can remember, there are no items in Norton's Quarantine.  Norton appears to detect and block the worm, but not remove or quarantine it.

At the moment the laptop is with the boss in mid-flight.  When he lands I will get him to disable system restore and then talk him through doing the scans with Housecall and Ewido.  I will also get him to remove the "Winlogon Notify: Hints" entry and check out Norton's quarantine list.

Expert Comment by war1 (LVL 97), ID: 16466262
Sebastion,

Ok, keep us updated. Run Ewido in Safe Mode.  It is a deep scan; your scan may take a couple of hours.

Author Comment by Sebastion, ID: 16482489
Just to let you know, I have spoken with the boss however he was in a conference all day yesterday and now I have learnt that he'll be just as busy today.

Hopefully I will have something for you by the weekend.

Author Comment by Sebastion, ID: 16541457
Sorry for the lack of replies.

I have tried to book an appointment several times with the boss to run the scans but he's had to cancel due to other matters.

I'll give him a few more days to sort himself out otherwise I'll just close the question.  We got most of the worms, there's only one remaining as far as I know.

Expert Comment by Marc Z (LVL 30), ID: 16545416
You could just tell him, you'll need it over the weekend to reformat and reinstall everything, wiping out all his stuff.  That'll get him on your leash.

Just kidding.   We'll be here.  Just keep us in the loop.

Author Comment by Sebastion, ID: 16574692
I have decided to close the question as it has become apparent that it will be nigh impossible to get some tech time with the boss over the phone to get him to run the other two scans suggested by war1.  Due to his schedule it seems that the next time I will actually get hands on with the laptop will be in 1-2 months.

I've accepted clbraun74's response as the online Pandasoftware scan was surprisingly effective, catching a lot of malware that the updated Norton missed.

Thanks goes to mtz1of4 for the support with the HijackThis logs, the links to other software and reminding me that I could manually update both Spybot and Ad-aware.

War1, I'm confident that the two online scans (Housecall & Ewido) you linked to would have detected, if not removed, that last worm.  If only I could have gotten a chance to test them.  Rest assured that I will run them when the laptop returns here in the next few months.  I appreciate the support that you have given.

Expert Comment by Marc Z (LVL 30), ID: 16579778
Thanks for the update.   Hopefully we can help again.

Expert Comment by clbraun74 (LVL 1), ID: 16580349
Glad I could help. Come back any time.