Sebastion

Multiple Worm Problems - Windows XP Professional

Hello,

The boss has recently returned, after a several month business trip.  At some point during this time, his Norton Antivirus was deactivated and his computer was infected with several worms and viruses.

I have since reactivated Norton, but I cannot seem to get rid of these worms, mostly because they disable the Internet on the laptop once Norton has blocked them.  

This prevents me from running Windows Update and Norton Update (two things that haven't been done in a while).  I have, however, downloaded the Norton anti-virus definitions on a separate computer, and used that to update the laptop's definitions, though I have no real idea as to whether or not that helped against the worms.

The worms that Norton is blocking are:

- MS PnP QueryResConflist BO
- MS ASN1 Integer Overflow TCP
- MS RPC LSASS DS Oversized Request (TCP)
- MSRPC Malicious LSASS DS Request BO


I have searched the Symantec website, and downloaded the subsequent Microsoft updates that are related to these worms, but they still persist.  My theory is that these updates from Microsoft are meant to prevent the infection of these worms, and do not actually remove them if the infection has already taken place.

While formatting the laptop is an option, it's going to be a last resort.  I have backed up more of the important data located on it to a separate flash drive (not going to put it on the network), but I'd prefer to avoid the entire re-installation of the programs there if possible.

I've run a full Norton system check twice, and it's found several things (both times) which have subsequently been removed.  I've also run the Windows Malicious Software Removal Tool, which reported no malicious software on the machine, though I know that the worms are there.

To cover what happens, if the laptop is not on the Internet, then nothing really happens out of the ordinary.  When the laptop is connected to the Internet though, Norton will start popping up indicating that it has blocked an intrusion attempt by the above mentioned worms, and in some cases mentioning the same worm more than once.  At this point, the Internet on the computer will stop working completely.

My searches on the Internet have resulted in nothing useful, and I'm sort of at a loss as to what to do.

Any help would be appreciated.
ASKER CERTIFIED SOLUTION
clbraun74

Grab these programs and while you are on the sites, grab the standalone definition updates that you can. Spybot has one, Adaware has one, unknown about the other two but check out the sites.  Copy them to a CD or a thumbdrive and install them on his laptop. Install, update and run them one at a time to try to clean out as much as possible, then we'll look at a HijackThis log.

MS Defender http://www.microsoft.com/athome/security/spyware/software/default.mspx Free
Lavasoft Adaware  http://www.lavasoftusa.com/software/adaware/ Free
Spybot Search & Destroy  http://www.safer-networking.org/en/download/ Free
Spysweeper http://www.webroot.com/ Not Free but 14 day trial

You may also need cwshredder found here http://www.intermute.com/spysubtract/cwshredder_download.html


Probably will need Stinger too if the worm turned off his AV.
http://vil.nai.com/vil/stinger/
rpggamergirl
You could also download and run Hijackthis where its entries might show us something where the culprit is located.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Scan and save a logfile". Don't fix anything yet; just upload the logfile created. Go here and paste your HijackThis log: http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/
and click "Analyse", "Save".  Post a link to the saved list here.
Greetings, Sebastion !

To restore your internet connection, run this script

http://downloads.subratam.org/WinsockFix.zip

Best wishes!
Sebastion

ASKER

Hey group, sorry for the late reply, I was sorting out a conference matter (on Easter too, no doubt).

Anyway, I've had a chance to run through some of your suggestions (though not all, explained below):

clbraun74, thanks for reminding me about Safe Mode (though I generally just use the F8 key).  I must have dismissed that because I knew that you couldn't update Norton or use Windows Update there.  I booted into safe mode and updated Ad-aware and spybot though, which subsequently found and deleted a bunch of spyware.

Before that though, I ran the online check you linked from Pandasoftware.com (also done in safe mode).  This check found 3 viruses, and 12 spyware (which it wouldn't remove, without downloading the full program).  It did fix the 3 viruses though.

Since then, I booted into Windows normally again, and it lasted about 10 minutes on the Internet with no worms, but then the same thing that I mentioned in my initial post happened again.

I'm going to sort out HijackThis now, and I'll probably post up the details in it.  I also plan on downloading MS Defender, linked by mtz1of4, and I'll give that a whirl prior to posting the HijackThis log.
Update 2:

I downloaded and ran Stinger, with no luck.  It found nothing.

I also downloaded MS Defender, which I didn't even get to use.  Firstly, it informed me that it could only be installed on a Windows XP Service Pack 2 machine (I was using Service Pack 1).  After debating with myself for a bit, I downloaded the Service Pack 2 redist and installed it (the whole ~200 MB).

After finally getting that installed, I tried to install MS Defender again, only to be told that I needed Windows Installer v3.1 or greater.  I searched around and downloaded Windows Installer 3.1, and updated the system with that.  Finally, MS Defender was installed, but when I ran the update to try and find new definitions, I was prompted with an error saying that MS Defender could not be updated.  I searched the error code on the Internet, only to find a lot of other people having the same problem, but no mentioned solution.

I've since uninstalled MS Defender.  Slightly annoying, at the process being much more complicated than it needed to be...

Anyway, here's the hijackthis log file:

http://www.rafb.net/paste/results/OSK9uW69.html
SOLUTION
Sebastion,

Did you run the script that I posted to restore your internet connection?
war1, I didn't run the script you linked to because I had Internet capabilities in Safe Mode.  Likewise, after running the scan from Panda software, even though some of the worms were still presented and blocked by Norton, the Internet connection appeared unaffected.  This was most likely because not all of the worms appeared to be on the system anymore (only 2 of the 4 remained), so I'm guessing it was one of the worms that was removed that caused the Internet connection loss, or something.

mtz1of4, no need to apologize for the MS Defender thing, as you could have had no idea it was going to be such a hassle.

With regards to the HijackThis log, I corrected a lot of the mistakes as per your link.  ETrade is a valid website, I know that much, as it deals in shares and the boss (who owns this laptop) uses it quite extensively.  Movieweb though, I know is a pain - I removed that.

Interestingly, the NameServer one didn't appear in the list after a HiJackThis scan from a normal boot.  It wasn't until I connected to the Internet and Norton blocked a worm intrusion that HiJackThis would pick up on it.  In any event, I removed that too.

I rebooted the computer, ran HiJackThis and everything appeared fine again.  When I connected to the Internet again though, and ran another HiJackThis, the same NameServer link appeared (61.9.134.49).  To my knowledge, our company does not use this IP address itself, but that said I'm just wondering if it is associated with the Wireless Internet connection that the computer uses.  If this is the case, then it wouldn't have anything to do with the worms that remain.

I'm going to drop the laptop back around to the boss this morning, because he has some work that needs to be done, but I'll get it again this afternoon briefly before my plane flight.
Sebastion,

1. Disable System Restore.  Sometimes worms are backed up in a restore file.  Disabling System Restore, rebooting, then enabling System Restore again removes the worm.

2.  If you have not done so already, clear the Temp folder files.

3. Please delete the following item from HijackThis log

O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\socbase.dll (file missing)

4. Norton should be able to remove the quarantined files.  If not able to remove with Norton, use
Housecall Online Scan to remove
http://housecall.antivirus.com

Use Ewido to remove trojans
http://www.ewido.net/en/
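As an added example (not code from the thread or from HijackThis itself), here is a small Python triage script for HijackThis logs like the one discussed above: it flags O17 NameServer entries that point at DNS servers the company does not recognise, and O20 Winlogon Notify hooks, marking the ones whose DLL is already gone. The sample log lines, the interface GUID and the known-resolver set are constructed for this example; the O20 line and the 61.9.134.49 address are the ones quoted in the thread.

```python
import re

# Constructed sample HijackThis log (only the O20 line and the NameServer
# address come from the thread; the GUID and the O4 entry are made up).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 61.9.134.49
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\socbase.dll (file missing)
"""

# Resolvers the company actually uses (constructed placeholder value).
KNOWN_NAMESERVERS = {"192.168.1.1"}

HJT_ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hjt(text):
    """Split a HijackThis log into (section, detail) pairs; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text, known_nameservers):
    """Return the entries worth a second look.

    O17 NameServer values not in the known set are a sign the DNS settings
    have been changed behind the user's back; O20 Winlogon Notify hooks load
    a DLL at every logon, and one marked "(file missing)" is a leftover that
    should be removed so it cannot be refilled later.
    """
    findings = []
    for section, detail in parse_hjt(text):
        if section == "O17" and "NameServer" in detail:
            for ip in IPV4.findall(detail):
                if ip not in known_nameservers:
                    findings.append({"section": section, "kind": "unknown-dns", "value": ip})
        elif section == "O20" and detail.startswith("Winlogon Notify:"):
            kind = "orphaned-winlogon-hook" if detail.endswith("(file missing)") else "winlogon-hook"
            findings.append({"section": section, "kind": kind, "value": detail})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_NAMESERVERS):
        print(f["section"], f["kind"], f["value"])
```

Re-running the triage after each reconnect, as the asker did by hand, shows whether the O17 entry is being re-written; an address that only appears while the machine is online and is not one the ISP or company uses is the one to chase.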

war1,

I have cleared the Temp folders already, sorry for not mentioning it earlier.  Also, from what I can remember, there are no items in Norton's Quarantine.  Norton appears to detect and block the worm, but not remove or quarantine it.

At the moment the laptop is with the boss in mid-flight.  When he lands I will get him to disable system restore and then talk him through doing the scans with Housecall and Ewido.  I will also get him to remove the "Winlogon Notify: Hints" entry and check out Norton's quarantine list.
Sebastion,

Ok, keep us updated. Run Ewido in Safe Mode.  It is a deep scan; your scan may take a couple of hours.
Just to let you know, I have spoken with the boss however he was in a conference all day yesterday and now I have learnt that he'll be just as busy today.

Hopefully I will have something for you by the weekend.
Sorry for the lack of replies.

I have tried to book an appointment several times with the boss to run the scans but he's had to cancel due to other matters.

I'll give him a few more days to sort himself out otherwise I'll just close the question.  We got most of the worms, there's only one remaining as far as I know.
You could just tell him, you'll need it over the weekend to reformat and reinstall everything, wiping out all his stuff.  That'll get him on your leash.

Just kidding.   We'll be here.  Just keep us in the loop.
I have decided to close the question as it has become apparent that it will be nigh impossible to get some tech time with the boss over the phone to get him to run the other two scans suggested by war1.  Due to his schedule it seems that the next time I will actually get hands on with the laptop will be in 1-2 months.

I've accepted clbraun74's response as the online Panda Software scan was surprisingly effective, catching a lot of malware that the updated Norton missed.

Thanks go to mtz1of4 for the support with the HijackThis logs, the links to other software and reminding me that I could manually update both Spybot and Ad-aware.

War1, I'm confident that the two online scans (Housecall & Ewido) you linked to would have detected, if not removed, that last worm.  If only I could have gotten a chance to test them.  Rest assured that I will run them when the laptop returns here in the next few months.  I appreciate the support that you have given.
Thanks for the update.   Hopefully we can help again.
Glad I could help. Come back any time.