Jump to content

Strange Network Behavior After Virus

Jersey Mike
 Share

Recommended Posts

Jersey Mike

Jersey Mike

Posted
Posted

All,

If anyone can figure this one out, my hat's off to you because I consider myself a pretty good fixer of these weird problems. I have a laptop (an IBM T41) which I was infectied with a virus last week. The T41 is running XP with SP2. The virus was different than any I had seen before. It changed the screen backround to display a message similar to this: "Your PC has been infected Go right now to <some site> for a free PC scan.

Of course I didn't believe the message but went through my usual suite of virus removal tools. They include Trend A/V, Malwarebytes version, what ever the latest is as of 2:00 AM EST. SD Search and Destroy, and a couple others that I can't recall right now. (My mind tends to switch into standby mode at around midnight and it won't come back on-line unless i continue to pressure it for at least an hour more.

The problem I am having is one of the strangest that I've ever seen (and I've been doing this a long time). The hardware is an IBM T41 laptop on a docking station, running XP w/ SP2 and all other current security patches. The network on the computer will not connect to the physical network. The icon in the task bar keeps going back and forth like it's trying to obtain an ip address. This happens either with the wired lan or the wireless card under the keyboard. I've obtaned the latest drivers for the lan card from Intel but it made no difference. I tried deleting the offending components, hoping that PNP would pick them up. Well it did, but the end results were the same. I even tried setting a static ip address, but there was no difference.

As a little background, this laptop and an older machine running Win2K were both hit, almost simultaneously by the XPFIXER virus. They plant a seed on your computer and if you go to the site to get the fix, you are flooded with tons of other viriues. Of course I recognized this as a scam immediately and tried to remove the origininal infestation. (Please forgive any spelling or grammer errors tonight as I've been at this for about 14 hours now). I thought that I was doing good. I identified 3 new dll's in the system32 directory that couldn't be moved, renamed, deleted, etc. I brought the system down and rebooted with some incantation of Bart's PE (on CD) that a friend gave me and that has saved the day dozens on times before. I deleted the stuborn dll's, fixed the startup list to contain only reasonible stuff, popped the cd out and rebooted. Now I cannot connect to either my wired or wireless network. The Icon shows the comp. searching for an ip address, but it never finds one. I wonder if I accidentally closed either port 67 or 68. I didn't check that yet and probably won't until tomorrow because it's already 2:30 AM. I hate being up this late working on computers. It makes me a real bear the next day. Putting that aside, does anyone have an idea what could still be wrong? I run Malware now and it comes up clean. It's probably not port 67 or 68 being blocked because I get the same results, even if I specify a static ip address. It's an older machine. I could just take my 5 pound sledge hammer and beat it into tiny pieces. This would probably affect the functionallity of the laptop though. If anyone has any ideas, please send them along. I will check in the morning (it's already morning).

Thanks,

Mike

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Hi Mike,

Well seeing as though this is either Virus or Malware related then you really need to follow the instructions here first Pre- HJT Post Instructions I realize that you may be at least some what experienced at computing but you also have to realize that we are not sitting at your machine and we need to see logs in order to help us see what's going on. There are now millions of variants of Malware out in the wild now days so it's very difficult to know for sure what you have and what all damage it did without following a process.

So please follow the instruction there and then post all the logs in this forum Malware Removal - HijackThis Logs here in a new post and someone will be happy to work with you on trying to locate and fix the problem.

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

Wow. OK, trying to sort through this. 1. Your system is not up to date. Current Service Pack is 3. 2. You didn't have a virus, it's a trojan and whether or not you removed it is not known without proper analysis. That will be difficult with no connection.

This http://www.bleepingcomputer.com/tutorials/tutorial59.html may fix it for you. If it does then you should follow the directions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and begin your own topic.

Link to post
Share on other sites
Jersey Mike

Jersey Mike

Posted
  • Author
Posted
Wow. OK, trying to sort through this. 1. Your system is not up to date. Current Service Pack is 3. 2. You didn't have a virus, it's a trojan and whether or not you removed it is not known without proper analysis. That will be difficult with no connection.

This http://www.bleepingcomputer.com/tutorials/tutorial59.html may fix it for you. If it does then you should follow the directions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and begin your own topic.

Jean,

I just read Advanced and your responses. I haven't had a chance to run HijackThis yet, so the logs you are looking at are not from me. I will run it now, copy the results to a USB key and then upload them from this computer.

Thanks,

Mike

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

The current SP level is now SP3 from Microsoft. Not sure how many fixes, but since it also fixes all those from NO SP, SP1, SP2 as well as this list here List of fixes that are included in Windows XP Service Pack 3

There are still a LOT of fixes that are new.

Also MB 1.20 was released today which "may" have fixes to help with your network connection. Worth a try to update it. Copy the new 1.20 to a disk and install it to that system and give it a try.

You can also burn the SP3 to a disk and install it on that PC

Windows XP Service Pack 3 Network Installation Package

Link to post
Share on other sites
Jersey Mike

Jersey Mike

Posted
  • Author
Posted
The current SP level is now SP3 from Microsoft. Not sure how many fixes, but since it also fixes all those from NO SP, SP1, SP2 as well as this list here List of fixes that are included in Windows XP Service Pack 3

There are still a LOT of fixes that are new.

Also MB 1.20 was released today which "may" have fixes to help with your network connection. Worth a try to update it. Copy the new 1.20 to a disk and install it to that system and give it a try.

You can also burn the SP3 to a disk and install it on that PC

Windows XP Service Pack 3 Network Installation Package

Advanced and Jean,

Thank you so much for your help. There were some messed up registry entries (like clsid's that pointed to programs that no longer existed) but the main problem was a missing link in the LSP chain. I've never seen this before but I've heard of it. I did all the upfront cleanup so hijackthis and Malwarebytes showed no errors except for the LSP problem. I downloaded and ran LSPFix, rebooted and life (at least on that machine) is good again. I wouldn't have thought of that one on my own because I've never seen it before. I think I'm going to have to get hold of some virus code and disassemble it. You have to have a pretty intimate knowledge of Windows, under the covers, to come up with something like this. I didn't upload the logs. I still have them, except for the PandaActive scan, because I couldn't get out the wire. If you want me to upload what I have, I will but everything looks clean so I can't see that you'd gain anything from it.

Thanks again,

Mike

PS, now that that machine can communicate again, I WILL upgrade it to sp3 and what ever else has come out recently. Then it will be up to date (after a couple hours sleep).

Link to post
Share on other sites
Jersey Mike

Jersey Mike

Posted
  • Author
Posted
Broken LSP is quite common after malware infection. HJT doesn't show errors. It would be to your advantage to follow the directions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and begin your own topic.

Jean,

I'm glad that I'm far enough away so I don't hear all the names that you are calling me right now, but that link for the instructions on how to start your own forum takes you to the "Before HJT Logs" page. Can you send me the correct link (DUCK!) or can I find it myself through searching.

Thanks again and I'm sorry to be such a pain in the butt,

Mike

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.