Trouble removing malware/worm

tnorman
tnorman used Ask the Experts™
on
I have a worm or malware virus that is making its way through my network. I have very little information about it as conventional scans do not pick up any infected files. There are a specific set of symptoms though. Network connectivity ceases on the infected machine. When you run IPCONFIG from the command prompt the "connection-specific DNS Suffix:" shows a line of random characters (brackets, numbers, smiley faces, etc.) and the internal speaker beeps. A /release /renew temporarily returns connectivity. Combofix reports some deleted files. Symantec antivirus is up to date and real time scanning is on along with windows firewall.

If anyone has seen this before and knows of a removal tool or some manual removal instructions it would be greatly appreciated.

Thanks
Commented:
Are you running windows xp?
If so, it sounds like your wins socket is corrupt.

Author

Commented:
yes it is xp.  It doesn't appear to be a WINS Socket issue.

Commented:
Disable system restore, get latest version of malwarebytes and do a full system scan. Also though run this from a cmd line: netsh winsock reset catalog.

Top Expert 2009
Commented:
Could you post combofix's logfile. Don't turn off system restore as you will be left with nothing to fall back to if needed. Restore points lay dormant/inactive.
Top Expert 2009

Commented:
Different folks, different strokes! :)
Most Valuable Expert 2011
Top Expert 2011
Commented:
I would say to get an AutoRuns export (save it as a .arn file, not a .log file), and let us see what's loading with the machine.....

Autoruns for Windows
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Might help us isolate the source of the problem......

Most Valuable Expert 2011
Top Expert 2011

Commented:
I would actually do a few things first........Install and update Super Anti Spyware and reboot to Safe Mode. Then do a full scan, and see what it finds.

SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection). Under the Options, go to Scanning Control> and make sure it is set to the following.....
.
Ignore Files larger than 4MB - Unchecked
Ignore Non-Executable files - Unchecked
Ignore System Restore - Unchecked
Scan only known file types - Unchecked
Close Browsers before scanning - Checked
Scan for tracking cookies - Your choice
Terminate memory threats - Checked
Scan Alternate Data Streams - Checked
Use kernel direct file access - Checked
Use kernel direct registry access - Checked
Use Direct Disk Access - Checked
Display scan option in Explorer - Checked

Just make sure to rename the superantispyware.exe installer to something like bob.exe, before trying to install it.....

Also.....

RootRepeal - RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....

Some of the UAC/GAO rootkits actually have a hidden key to prevent the running of the named AV/Malware files, which is why you have to rename them.....

Author

Commented:
I will post some log files shortly.  Just as a visual reference I will paste the results of an IPCONFIG /ALL.  The DNS server entries are random and incorrect.

Windows IP Configuration

        Host Name . . . . . . . . . . . . : NB-07
        Primary Dns Suffix  . . . . . . . : cwes.ad
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : cwes.ad
                                            ¦¦+¿Jä^m@¿ƒ_R=ñ-æB~ôt++¿+t|¿¬+`¦÷

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : ¦¦+¿Jä^m@¿ƒ_R=ñ-æB~ôt++¿+t|¿¬+`¦÷
        Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Cont
roller
        Physical Address. . . . . . . . . : 00-21-70-92-1B-3A
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 0.121.223.51
                                            74.82.208.51
                                            36.98.78.46
        Lease Obtained. . . . . . . . . . : Friday, January 29, 2010 8:59:30 AM
        Lease Expires . . . . . . . . . . : Saturday, January 30, 2010 8:59:30 A

Author

Commented:
Sorry for the wild goose chase everyone.  Turns out someone had plugged another router into the network, and the above was the (very odd) result of two DHCP servers bumping heads.  I will leave this question up, in the chance that someone else goes down this road.
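The root cause above (a second DHCP server handing out a lease with a garbled suffix and bogus DNS servers) is the kind of thing a small check over `ipconfig /all` output can flag before anyone reaches for malware tools. The script below is an added example, not code from the thread; the sample output is constructed from the lines quoted in the thread, and the "approved" DHCP server and DNS server sets are assumptions you would replace with your own network's values.

```python
import re

# Constructed sample modelled on the ipconfig /all output quoted in the thread; not real data.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : ¦¦+¿Jä^m@¿ƒ_R=ñ-æB~ôt++¿+t|¿¬+`¦÷
        Dhcp Enabled. . . . . . . . . . . : Yes
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 0.121.223.51
                                            74.82.208.51
                                            36.98.78.46
"""

# Assumed "known good" values for this example's network; adjust to your own.
APPROVED_DHCP = {"192.168.1.1"}
APPROVED_DNS = {"192.168.1.10", "192.168.1.11"}

FIELD = re.compile(r"^\s+(.*?)[ .]*: ?(.*)$")      # "Name . . . . : value"
HOSTNAME_CHARS = re.compile(r"^[A-Za-z0-9.\-]*$")   # what a DNS suffix may contain

def parse_ipconfig(text):
    """Map each 'Field : value' line to a list; indented colon-less lines extend the last field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = [m.group(2).strip()]
        elif last and line.startswith(" ") and line.strip():
            fields[last].append(line.strip())   # e.g. second and third DNS server
    return fields

def audit(fields, dhcp_ok=APPROVED_DHCP, dns_ok=APPROVED_DNS):
    """Return a list of findings; an empty list means the lease looks legitimate."""
    findings = []
    suffix = fields.get("Connection-specific DNS Suffix", [""])[0]
    if not HOSTNAME_CHARS.match(suffix):        # garbage bytes, as in the thread
        findings.append("suspicious DNS suffix %r" % suffix)
    if fields.get("Dhcp Enabled", [""])[0] == "Yes":
        server = fields.get("DHCP Server", [""])[0]
        if server not in dhcp_ok:              # lease from a server nobody approved
            findings.append("lease issued by unapproved DHCP server %s" % server)
    for dns in fields.get("DNS Servers", []):
        if dns not in dns_ok:                   # DNS servers pushed by the rogue lease
            findings.append("unapproved DNS server %s handed out by DHCP" % dns)
    return findings
```

Run it against `ipconfig /all > out.txt` from a suspect machine; one finding is enough to go looking for the extra router rather than for a worm.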
Top Expert 2009

Commented:
Strange indeed showing up those characters as a result. One to remember :)
