Multiple Worm Problems - Windows XP Professional

Hello,

The boss has recently returned, after a several-month business trip.  At some point during this time, his Norton Antivirus was deactivated and his computer was infected with several worms and viruses.

I have since reactivated Norton, but I cannot seem to get rid of these worms, mostly because they disable the Internet on the laptop once Norton has blocked them.  

This prevents me from running Windows Update and Norton Update (two things that haven't been done in a while).  I have, however, downloaded the Norton anti-virus definitions on a separate computer, and used that to update the laptop's definitions, though I have no real idea as to whether or not that helped against the worms.

The worms that Norton is blocking are:

- MS PnP QueryResConflist BO
- MS ASN1 Integer Overflow TCP
- MS RPC LSASS DS Oversized Request (TCP)
- MSRPC Malicious LSASS DS Request BO


I have searched the symantec website, and downloaded the subsequent Microsoft updates that are related to these worms, but they still persist.  My theory is that these updates from Microsoft are meant to prevent the infection of these worms, and do not actually remove them if the infection has already taken place.

While formatting the laptop is an option, it's going to be a last resort.  I have backed up most of the important data located on it to a separate flash drive (not going to put it on the network), but I'd prefer to avoid the entire re-installation of the programs there if possible.

I've run a full Norton system check twice, and it's found several things (both times) which have subsequently been removed.  I've also run the Windows Malicious Software Removal Tool, which reported no malicious software on the machine, though I know that the worms are there.

To cover what happens, if the laptop is not on the Internet, then nothing really happens out of the ordinary.  When the laptop is connected to the Internet though, Norton will start popping up indicating that it has blocked an intrusion attempt by the above mentioned worms, and in some cases mentioning the same worm more than once.  At this point, the Internet on the computer will stop working completely.

My searches on the Internet have resulted in nothing useful, and I'm sort of at a loss as to what to do.

Any help would be appreciated.
Sebastion asked:

clbraun74 commented:
Try putting the computer into safe mode with networking. From there I would go to Pandasoftware.com and run their online ActiveScan. It's free and will clean any virus it finds, plus it will show you if there is any spyware on the machine as well. To go into safe mode with networking, click on the Start button and then click on Run. In the box that comes up type: MSCONFIG, then hit Enter. When the System Configuration Utility box comes up, click on the BOOT.INI tab at the top. In the middle of the box, you will see your boot options. Check SAFEBOOT and then to the right of it check NETWORK. Once those are checked, go to the bottom and click Apply, then click OK. On the new box that pops up, click Restart. The system will restart in safe mode now. Try to get online and run the virus scan and wait patiently.

If everything went well, you should be ready to go back to normal operating mode. To do this, click on the Start button and then click on Run. Once more, we will type: MSCONFIG and then press Enter. The System Configuration Utility will pop up with the General tab already selected. Simply check the box that says: Normal Startup, then go down to the bottom and click on Apply then OK. On the box that pops up click Restart. The computer will restart in normal mode and if we were lucky, those nasty worms are gone. Hope this helps.
0
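What the SAFEBOOT and NETWORK checkboxes on MSCONFIG's BOOT.INI tab actually do is append a `/safeboot:network` switch to the default entry in C:\boot.ini, and unchecking them removes it. The script below is an added example, not code from clbraun74's answer or from any Microsoft tool: it makes and reverses that edit on a constructed boot.ini so you can see (and check) the result before you reboot. The boot.ini text, the ARC path and the `/fastdetect` switch are constructed sample values; on a real XP machine you would run `attrib -r -s -h C:\boot.ini` first, read that file, and write it back. A malformed boot.ini leaves the machine unbootable, so keep a copy before writing.

```python
"""Toggle the /safeboot:network switch on the default boot.ini entry.

Added example, not from the original thread. MSCONFIG's BOOT.INI tab with
SAFEBOOT + NETWORK checked writes exactly this switch; this script does the
same edit so the result can be inspected before rebooting.
"""
import re

# Constructed sample; a real XP boot.ini lives at C:\boot.ini (hidden, system, read-only).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Matches an existing /safeboot or /safeboot:<mode> switch, with its leading space.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\w+)?", re.IGNORECASE)


def default_entry(text):
    """Return the ARC path named by default= in [boot loader]."""
    m = re.search(r"^default=(.+?)\s*$", text, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("boot.ini has no default= line")
    return m.group(1)


def set_safeboot(text, enable, mode="network"):
    """Return boot.ini text with /safeboot:<mode> added to (enable=True) or
    removed from (enable=False) the default entry. Other switches such as
    /fastdetect or /noexecute=optin are left in place."""
    target = default_entry(text)
    out = []
    changed = False
    for line in text.splitlines():
        if line.lower().startswith(target.lower() + "="):
            line = SAFEBOOT_RE.sub("", line)  # drop any safeboot switch already present
            if enable:
                line = line.rstrip() + " /safeboot:" + mode
            changed = True
        out.append(line)
    if not changed:
        raise ValueError("default entry %r not found in [operating systems]" % target)
    return "\n".join(out) + "\n"


def safeboot_mode(text):
    """Return the /safeboot mode currently set on the default entry, or None."""
    target = default_entry(text)
    for line in text.splitlines():
        if line.lower().startswith(target.lower() + "="):
            m = re.search(r"/safeboot:(\w+)", line, re.IGNORECASE)
            return m.group(1).lower() if m else None
    return None


if __name__ == "__main__":
    # Real use: read C:\boot.ini into `text` instead of the constructed sample.
    safe = set_safeboot(SAMPLE_BOOT_INI, enable=True)
    print(safe)
    print("safeboot mode now:", safeboot_mode(safe))
    print(set_safeboot(safe, enable=False))
```

Running it prints the sample boot.ini with ` /safeboot:network` appended to the Windows XP line, then the same file with the switch stripped again, which is what the Normal Startup option restores.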

Marc Z commented:
Grab these programs and while you are on the sites, grab the standalone definition updates that you can. Spybot has one, Ad-Aware has one, unknown about the other two but check out the sites.  Copy them to a CD or a thumbdrive and install them on his laptop. Install, update and run them one at a time to try to clean out as much as possible, then we'll look at a HijackThis log.

MS Defender http://www.microsoft.com/athome/security/spyware/software/default.mspx Free
Lavasoft Adaware  http://www.lavasoftusa.com/software/adaware/ Free
Spybot Search & Destroy  http://www.safer-networking.org/en/download/ Free
Spysweeper http://www.webroot.com/ Not Free but 14 day trial

You may also need cwshredder found here http://www.intermute.com/spysubtract/cwshredder_download.html


0
Marc Z commented:
Probably will need Stinger too if the worm turned off his AV.
http://vil.nai.com/vil/stinger/
0

rpggamergirl commented:
You could also download and run Hijackthis where its entries might show us something where the culprit is located.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Scan and save a logfile". Don't fix anything yet, just upload the logfile created: go here, http://www.rafb.net/paste/ , paste your HijackThis log,
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", "Save".  Post a link to the saved list here.
0
war1 commented:
Greetings, Sebastion !

To restore your internet connection, run this script

http://downloads.subratam.org/WinsockFix.zip

Best wishes!
0
Sebastion (author) commented:
Hey group, sorry for the late reply, I was sorting out a conference matter (on Easter too, no doubt).

Anyway, I've had a chance to run through some of your suggestions (though not all, explained below):

clbraun74, thanks for reminding me about Safe Mode (though I generally just use the F8 key).  I must have dismissed that because I knew that you couldn't update Norton or use Windows Update there.  I booted into safe mode and updated Ad-aware and spybot though, which subsequently found and deleted a bunch of spyware.

Before that though, I ran the online check you linked from Pandasoftware.com (also done in safe mode).  This check found 3 viruses, and 12 spyware (which it wouldn't remove, without downloading the full program).  It did fix the 3 viruses though.

Since then, I booted into Windows normally again, and it lasted about 10 minutes on the Internet with no worms, but then the same thing that I mentioned in my initial post happened again.

I'm going to sort out HijackThis now, and I'll probably post up the details in it.  I also plan on downloading MS Defender, linked by mtz1of4, and I'll give that a whirl prior to posting the HijackThis log.
0
Sebastion (author) commented:
Update 2:

I downloaded and ran Stinger, with no luck.  It found nothing.

I also downloaded MS Defender, which I didn't even get to use.  Firstly, it informed me that it could only be installed on a Windows XP Service Pack 2 machine (I was using Service Pack 1).  After debating with myself for a bit, I downloaded the Service Pack 2 redist and installed it (the whole ~200 MB).

After finally getting that installed, I tried to install MS Defender again, only to be told that I needed Windows Installer v3.1 or greater.  I searched around and downloaded Windows Installer 3.1, and updated the system with that.  Finally, MS Defender was installed, but when I ran the update to try and find new definitions, I was prompted with an error saying that MS Defender could not be updated.  I searched the error code on the Internet, only to find a lot of other people having the same problem, but no mentioned solution.

I've since uninstalled MS Defender.  Slightly annoying, at the process being much more complicated than it needed to be...

Anyway, here's the hijackthis log file:

http://www.rafb.net/paste/results/OSK9uW69.html
0
Marc Z commented:
OK, sorry for the Defender muck-up on your end.  Typically the Defender update would go through the Automatic Updates function of Windows.  You could have tried Windows Update to see if it would have updated.  Sorry for your wasted time, but at least now you are up to date with SP2.

Anyway, Here is your Hijack This Log Analysis.  http://www.hijackthis.de/logfiles/71a7d6f929934fbff5e20973df70b5df.html

It will be there for three days now.  They do recommend fixing a couple of your things there, especially this one:

O17 - HKLM\System\CCS\Services\Tcpip\..\{316BCF0A-756E-45B9-9601-50CAC3D859F6}: NameServer = 61.9.134.49 61.9.133.193
Possibly nasty. If this domain does not belong to your ISP, or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too.
Currently there is no visitor's assessment! Do you know the IP or domain '61.9.134.49 61.9.133.193'? If not, fix this entry.

You've got a few things there like etradeaustralia and movieweb that look suspicious to it.  Look at anything there that says Possibly Nasty and read their recommendations.
Rerun HijackThis and fix what they recommend. Reboot and rerun HijackThis again.

rpggamergirl will probably offer better and more assistance on the HijackThis log.
0
war1 commented:
Sebastion,

Did you run the script that I posted to restore your internet connection?
0
Sebastion (author) commented:
war1, I didn't run the script you linked to because I had Internet capabilities in Safe Mode.  Likewise, after running the scan from Panda Software, even though some of the worms were still present and blocked by Norton, the Internet connection appeared unaffected.  This was most likely because not all of the worms appeared to be on the system anymore (only 2 of the 4 remained), so I'm guessing it was one of the worms that was removed that caused the Internet connection loss, or something.

0
Sebastion (author) commented:
mtz1of4, no need to apologize for the MS Defender thing, as you could have had no idea it was going to be such a hassle.

With regards to the HiJackThis log, I corrected a lot of the mistakes as per your link.  ETrade is a valid website, I know that much, as it deals in shares and the boss (who owns this laptop) uses it quite extensively.  Movieweb though, I know is a pain - I removed that.

Interestingly, the NameServer one didn't appear in the list after a HiJackThis scan from a normal boot.  It wasn't until I connected to the Internet and Norton blocked a worm intrusion that HiJackThis would pick up on it.  In any event, I removed that too.

I rebooted the computer, ran HiJackThis and everything appeared fine again.  When I connected to the Internet again though, and ran another HiJackThis, the same NameServer link appeared (61.9.134.49).  To my knowledge, our company does not use this IP address itself, but that said I'm just wondering if it is associated with the Wireless Internet connection that the computer uses.  If this is the case, then it wouldn't have anything to do with the worms that remain.

I'm going to drop the laptop back around to the boss this morning, because he has some work that needs to be done, but I'll get it again this afternoon briefly before my plane flight.
0
war1 commented:
Sebastion,

1. Disable System Restore.  Sometimes worms are backed up in a restore file.  Disabling System Restore, rebooting, then re-enabling System Restore removes the worm.

2.  If you have not done so already, clear the Temp folder files.

3. Please delete the following item from HijackThis log

O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\socbase.dll (file missing)

4. Norton should be able to remove the quarantined files.  If not able to remove with Norton, use
Housecall Online Scan to remove
http://housecall.antivirus.com

Use Ewido to remove trojans
http://www.ewido.net/en/

0
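Marc Z's O17 NameServer line and war1's O20 Winlogon Notify line are the two HijackThis entries the thread singles out, and the question Sebastion raises (is 61.9.134.49 just the wireless ISP's DNS?) is the right one: an O17 entry is only "nasty" if the servers are not the ones your ISP or company actually issues. The script below is an added example, not HijackThis code and not something posted in the thread: it parses O17 and O20 lines out of a log, flags NameServer addresses outside a known-good set, flags a Winlogon Notify entry whose DLL is missing (a leftover to remove) and flags one that loads a DLL not in the stock XP list. The two suspicious lines are the ones quoted in the thread; the known-good DNS addresses (192.0.2.x), the second O17 line, the crypt32chain line and the stock-DLL set are constructed for the demo. To use it for real, fill KNOWN_GOOD_DNS with the DNS servers `ipconfig /all` reports on a known-clean machine on the same connection and feed it the saved HijackThis log.

```python
"""Triage O17 (NameServer) and O20 (Winlogon Notify) lines from a HijackThis log.

Added example, not part of the original thread or of HijackThis itself.
"""
import re

# Constructed: the DNS servers your ISP or company actually hands out. Take the
# real values from `ipconfig /all` on a known-clean machine on the same link.
KNOWN_GOOD_DNS = {"192.0.2.53", "192.0.2.54"}

# Constructed starting set of Winlogon Notify DLLs that ship with Windows XP.
# Extend it from a clean reference machine; anything else deserves a look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

# Constructed sample log: lines 1 and 4 are the ones quoted in the thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{316BCF0A-756E-45B9-9601-50CAC3D859F6}: NameServer = 61.9.134.49 61.9.133.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2C3D4-0000-1111-2222-333344445555}: NameServer = 192.0.2.53 192.0.2.54
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\socbase.dll (file missing)
""".strip()

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>[^-]+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage_line(line):
    """Return (verdict, reason) for one O17/O20 line, or None for other lines.
    Verdicts: 'ok', 'investigate', or 'fix' (tick it in HijackThis and fix)."""
    m = O17_RE.match(line)
    if m:
        servers = m.group("servers").split()
        rogue = [s for s in servers if s not in KNOWN_GOOD_DNS]
        if rogue:
            return ("fix", "O17 NameServer %s not in known-good DNS set" % ",".join(rogue))
        return ("ok", "O17 NameServer matches known-good DNS")
    m = O20_RE.match(line)
    if m:
        # Keep only the file name so stock DLLs match regardless of the path shown.
        dll = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if m.group("missing"):
            return ("fix", "O20 Winlogon Notify '%s' points at missing file %s"
                    % (m.group("name"), dll))
        if dll not in KNOWN_NOTIFY_DLLS:
            return ("investigate", "O20 Winlogon Notify '%s' loads unknown DLL %s"
                    % (m.group("name"), dll))
        return ("ok", "O20 Winlogon Notify '%s' is a stock DLL" % m.group("name"))
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns a list of (line, verdict, reason)."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        r = triage_line(line)
        if r:
            results.append((line, r[0], r[1]))
    return results


if __name__ == "__main__":
    # Real use: open the saved hijackthis.log and pass its contents instead.
    for line, verdict, reason in triage_log(SAMPLE_LOG):
        print("%-11s %s" % (verdict.upper(), reason))
```

On the sample it reports FIX for the 61.9.x.x NameServer line (because those addresses are not in the constructed known-good set), OK for the constructed second O17 line and the crypt32chain entry, and FIX for the Hints entry because its DLL is marked missing. If the wireless ISP's DHCP really does issue 61.9.134.49, adding it to KNOWN_GOOD_DNS turns that first line into OK, which is the distinction the thread could not settle.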
Sebastion (author) commented:
war1,

I have cleared the Temp folders already, sorry for not mentioning it earlier.  Also, from what I can remember, there are no items in Norton's Quarantine.  Norton appears to detect and block the worm, but not remove or quarantine it.

At the moment the laptop is with the boss in mid-flight.  When he lands I will get him to disable system restore and then talk him through doing the scans with Housecall and Ewido.  I will also get him to remove the "Winlogon Notify: Hints" entry and check out Norton's quarantine list.
0
war1 commented:
Sebastion,

Ok, keep us updated. Run Ewido in Safe Mode.  It is a deep scan; your scan may take a couple of hours.
0
Sebastion (author) commented:
Just to let you know, I have spoken with the boss however he was in a conference all day yesterday and now I have learnt that he'll be just as busy today.

Hopefully I will have something for you by the weekend.
0
Sebastion (author) commented:
Sorry for the lack of replies.

I have tried to book an appointment several times with the boss to run the scans but he's had to cancel due to other matters.

I'll give him a few more days to sort himself out otherwise I'll just close the question.  We got most of the worms, there's only one remaining as far as I know.
0
Marc Z commented:
You could just tell him, you'll need it over the weekend to reformat and reinstall everything, wiping out all his stuff.  That'll get him on your leash.

Just kidding.   We'll be here.  Just keep us in the loop.
0
Sebastion (author) commented:
I have decided to close the question as it has become apparent that it will be nigh impossible to get some tech time with the boss over the phone to get him to run the other two scans suggested by war1.  Due to his schedule it seems that the next time I will actually get hands on with the laptop will be in 1-2 months.

I've accepted clbraun74's response as the online Panda Software scan was surprisingly effective, catching a lot of malware that the updated Norton missed.

Thanks go to mtz1of4 for the support with the HiJackThis logs, the links to other software and reminding me that I could manually update both Spybot and Ad-Aware.

War1, I'm confident that the two online scans (Housecall & Ewido) you linked to would have detected, if not removed, that last worm.  If only I could have gotten a chance to test them.  Rest assured that I will run them when the laptop returns here in the next few months.  I appreciate the support that you have given.
0
Marc Z commented:
Thanks for the update.   Hopefully we can help again.
0
clbraun74 commented:
Glad I could help. Come back any time.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.