Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: War-Against-Worm

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    114

    Red face War-Against-Worm

    Hi guys here is the saga to my war-against-worms. The system is XP with NAV2K. Here I go....

    I had Norton 2k installed on my system which I kept updating in about once a month, few months back the live update subscription of my Norton got expired and for few months I was on my non-updated AV system. Then one day I experienced my PC slowing down and its performance degrading, on a closer look I found multiple unknown processes and number of unexplained network connections when I used my dial-up. Being a computer guy (but not a sys admin) I rushed of to Internet searched for all the suspected processes. I removed as many files/registry entries/services etc. that I could from the information I received on the net.

    I followed this up with online scans from adwarwe, Norton and trend and some more. They did find two worms and cleaned them, I did a fresh round of complete scans and my system was certified clean of virus. Oh! I forgot to mention that I had to download a utility from Symantec to remove Norton, as the virus had made Norton incapable of doing anything (even uninstall !!). I finally got CA's EzArmor firewall+Av suit and installed it. I completed the process by updating my XP to SP2.

    I though that I had done enough to get rid of the menace but I had a surprise waiting. I suddenly found my system getting realllllly slowed down, no funny processes but lots of svchost eating up huge memories and having lots of I/O reads (above 1000 in 5 minutes) same for my lsass process. I checked these figures with other systems and did find the I/O read property abnormally high , coupled with this after about 5 days of usage my dial/up broke and then my lan access broke. I mean now I can not connect to outside world, reinstalling drivers doesn’t help (firewalls were disabled and there is nothing related to new AV or Sp2 that could be causing these problems) . Phew.... I could have easily formatted my system, but I was hell bent upon removing the worms/spyware without a reformat.

    I just want to ask you guys one thing, What the heck did I do wrong. Is there something I can still do and get out of this mess. After my LAN-die out I really wanted to reformat my system, this is my last attempt to resolve this issue. Its been over a month and I dint keep track of my actions, that’s why you see stuff like "few more", "etc', "few worms" and all.

    OK I should add this, some of the initial processes were, ftpd.exe, update32.exe, some service that said it was USB2 driver etc.



    TIA.
    Better Laugh At Your Own Problems..
    Coz...The World Laughs At Them

  2. #2
    In all honesty, when your system is compormised by a backdoor trojan, when a malicious user may have modified any number of things, the best (and really only) way to be sure you're clean is to re-format and reinstall the Operating System.

  3. #3
    In all honesty, when your system is compormised by a backdoor trojan, when a malicious user may have modified any number of things, the best (and really only) way to be sure you're clean is to re-format and reinstall the Operating System.
    Hmm...I'm afraid I must disagree. Of course, I'm subscribing to one of the two major schools of thought represented here at AO, but I think reformating should be a last resort. Some points:

    1) You don't learn anything about how you were compromised (and furthermore, how not to let it happen again) if you just up and reformat. Analyze, research, learn, then be better prepared next time.

    2) Use multiple AV scans (for example, whatever you have installed, followed up by HouseCall) and multiple anti-spyware programs to thoroughly clean your system, then once that's done checking and double-checking, be the scanner yourself and look through key target system folders and examine running processes to make sure all is clear. Again, this way you learn, which you won't gain from simply wiping the hard drive.

    3) If your computer is so screwed up that you can't even install an AV or spyware cleaner on it (I had this happen on a client's machine recently, in fact -- a key .dll file necessary for AV installation -- shell.dll, if I recall correctly -- was removed by the malware evidently), then connect the infected computer to your network and have it scanned remotely (but make sure the machine scanning the troublesome box is very well secured before connecting). If you can connect the infected computer to one other secure computer for this purpose via a null modem cable, all the better.

    And note that before you do any of this, completely disconnect the machine from the Internet before cleaning, so it won't spread more havoc during the process.

    If all that fails, then reformat the hard drive.

  4. #4
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Well, I would take it just one more step.

    After doing all of the above and perhaps learning something........then reformate and reinstall the OS to be really sure you got it all.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I agree, reformatting is a last resort. Programs like hijackthis are excellent removal tools becasue they force you to actually learn what the problem is rather then just deleting them. Also learn your software, AVs are no good if not configured correctly, same with firewalls and any other protection you enable. Formatting is a not so quick but easy fix for alot of computer problems, but like angelicknight said, you learn nothing but how to format, and chances are you will get the same infection becasue now you dont know what the cause of it was therefor you cant prevent it.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I recently had an XP Home machine on the bench (CEOs home computer )..and It would not let me install anything..
    No AV, Anti spyware or any other utility..for that matter

    I connected it to the internet and tried windows update.......would get to the site then error out when I went to scan computer (if that was even the actual windows update site)....almost thought I had a harddrive failure

    I ended up manually downloading XP SP2 ( for networking professionals) and ran it locally from the c:\.

    That at least allowed me to get updates and install Adaware...which found over 900 spyware and malware. (I love the new SE edition). What ever it was on the machine..it disabled the WUD and AV (Norton)

    I just wanted to say the Angelic Knight is right...

    When I first started coming to this site I thought the only way to fix the machine was to format and reinstall....I have learned a TON since then.

    Although...if it was my server compromised...that may be a different situation as CERT recommends a format reinstall for ALL compromised servers..whatever the OS

    Thats why..you patch patch patch

    and patch somemore

    My .02 CDN ( which is becoming more valuable by the minute lately )

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    I take it you installed SP2 After the fact...hmmmm you could still have one of the lovely worms living happily under the skin of your nice new AV prog

    Be aware that some of the stuff you have described could be a damaged driver/ or virtual device driver .. in otherwords system files corrupted..

    Go to www.moosoft.com and download a trial copy of The Cleaner, install, update, restart the machine in Safemode, and run a scan.

    Also get a hold of the removal tools for Gaobot from Symantec (some versions of this worm won't allow you to update Win, or install/uninstall an AV

    Also get the usual Spy/Ad ware removal tools
    Spybot search and destroy
    Adaware se 1.05
    Coolwebschreeder (CWS)
    Spysweeper or spyware blaster(we throw this in after we fix yoiur problem)
    Why do I mention this.. many AV's dont detect the ad/spyware crap.. and these also can cause virus like symptoms.. and as some are built on trojans..

    but only start on this if you are serious about having a go at the removal process.. else follow timmy77's advice..

    edit/ I will need to speed up my typing..or stop posting and talking on the phone.. good replies there guys.. the site is in good hands.. I'm taking a holiday.. be back in a few weeks.. cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Do me a quick favor and we may be able to get to the bottom of this fairly quickly.

    You mention ftpd etc. Sounds like a worm or virus. Letsget a copy of Hijack This, (on a floppy if necessary), and see if you can run it. If you can, save the results and post them here....

    The we can take a look and see what we can do for you.........
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    114
    Shark

    HijackThis was probably the first tool after NAV that i tried, it did help a lot.

    Now HijackThis does not show up any thing suspicious (atleast in my eyes). Anyways I will run a scan and post the logs (I should have done that before). I should also explain my position here, I am at GMT+5.30 timezone, and connect to net from my office pc (remember I lost both my lan and dialup connectivity few days back). So I will post logs tomorrow morning my time.

    In the mean while would you like me to do anything else? I had actually asked a guy to come and reformat my system, but I have some how got new enthu. I have called him to cancel the job. Will give my system a few more days oops... nights

    Und3ertak3r

    I had Adaware se 1.05 and two more anti-spywares (dont remmeber the names now..but will post them with the logs) installed, as I mentioned I got my system online scanned from NAV and Trend (Housecall??). Currently I have Adware SE and EZArmor on my sytem.

    I will download the cleaner and see what it turns up.

    Could you guys give some pointers to find out the system files that might have been compromised, somehow to get my dial-up working again and stuff.

    As I earlier said that now I suspect something wrong becuase of folowing points
    1) General slowing down.
    2) Huge 20Mb+ svchost process + multiple svchost (around 7 processes)
    3) audio video drivers, network getting courrupted.

    I did not mention that I have to frequently reload my drivers.
    Better Laugh At Your Own Problems..
    Coz...The World Laughs At Them

  10. #10
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    All most sounds like a hardware problem??? as suggested here


    Be aware that some of the stuff you have described could be a damaged driver/ or virtual device driver .. in otherwords system files corrupted..
    Sometimes when you reapply drivers ...you need to update your SP level...(in the old NT4 days)

    Even though WINVER said you had the SP installed when you put the SP CD in..it would inspect and ask you if you wanted to install over a previous version...

    Do you have a spare harddrive..you could do a test install as an install will test all hardware...and fail if there is trouble.

    I usually try this or a parallel install (if you have lots of room on your existing harddrive)to test\stress the hardware to the point of failure.

    With the parallel install..just tell the install not to format and chose a different directory for the system files..I use \winbak

    This will then give you 2 boot options when starting up....old system and parallel system...
    If you are experiencing the same probs with the new or parallel install most likely you have a hardware issue...memory\cpu\board\harddrive etc

    Parallel installs are good cause you can remove later and you dont lose your original install\data. Its a good way to access data on a unstartable system...as long as it is not a harddrive failure.

    Last couple of harddrive that failed...I could read...but the system would fail miserably when trying to write...I at least was able to pull data off.


    I have done this with NT4 and 2000...havent needed to do with a XP install...yet.

    Post your hjt logs..cause I know that the help offerd by TS ..is priceless

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •