Need help IDing virus in Vista, breaks LAN connection


6 replies to this topic

#1 CyyberSpaceCowboy (Members, 8 posts)

Posted 27 January 2009 - 02:48 AM

I need help: I'm going to have to go back and clean the fourth Vista box on our network tomorrow because of a virus I can't identify.

First off, I can try to post a HijackThis log, but I examined one from one of the previously infected PCs and didn't see anything I didn't recognize. Deleting all the unnecessary entries didn't help. MalwareBytes (installed from a CD in Safe Mode) found no infection.

Here are the symptoms:

1. It breaks the wired LAN connection. The Disconnected icon shows up on the taskbar. If you right-click and try to Repair or Create a new connection, at length Windows comes back and tells you the necessary services are not loaded. Same thing from "Network" under the Start Menu or Control Panel. The Internet connection (over the same LAN adapter) stays up. Again, I can browse even though the LAN says it is broken. If I boot into Safe Mode, my local LAN connection is restored.

2. We are now running the "Security Agent" that came with our Lightspeed Systems web filtering server. It detects nothing (I ran it from Safe Mode). We used to have MS Live OneCare (I disabled active scanning before installing the Lightspeed Security Agent). Live OneCare also tells me that services necessary for its operation are not loading in normal mode, and it won't run in Safe Mode.

3. Printer definitions are deleted from the Control Panel.

4. USB is non-functional. (I put a thumb drive in a machine before I realized it was infected. It never showed up and the connection light on the drive never lit up. I'm still going to re-format it on my Linux box.)

5. Productivity programs (browsers, Office) seem to run normally, but anything that might help correct the problem is blocked. You can launch Windows Explorer, but it slows to a crawl or freezes. I can install an update of Spybot, but the program itself won't launch when I click the icon (hourglass, then nothing). Regedit will not run.

Anybody know what this is? I realize if it's a rootkit I'm better off nuking from space anyway, but I'd like to have a way to identify it so I can scan my network and find any other infections. I also need to know if there is any way to keep it from spreading.

Is there any tool (payware or freeware) out yet that can scan and repair a Vista workstation from boot CD?
BTW, I haven't seen this thing infect an XP box yet.

Edited by CyyberSpaceCowboy, 27 January 2009 - 02:49 AM.



#2 dhants20 (Members, 32 posts)

Posted 27 January 2009 - 03:32 AM

1) What's the exact error? In some cases an antivirus program's firewall can cause this problem. Also check services.msc, or you can try to turn on "enable all services" in msconfig.
2) As you may already know, automated software relies on its definitions. If you have time, read about autoruns, process explorer, hijackthis and avenger.
3) Printer definitions? Do you mean the printers installed are not appearing under Control Panel > Printers? Uninstall the printer and the utility program for the printer.
4) USB is not functional? Which is probably the reason why your printer is not detected as well.
5) Optimize your IE: close all running IEs, type inetcpl.cpl in the Start search box, delete files, make sure security settings are on default, reset the settings on Advanced, or better yet use IE with no add-ons.
6) Do you have a feeling it's a rootkit? TDSS is the most common rootkit today and it can easily be removed by uninstalling it in Device Manager: open Device Manager, View - Show hidden devices, expand Non-Plug and Play Devices, look for tdsserv.sys, right-click on it and uninstall. Regedit? Have you tried regedt32? If it's disabled, you can enable it again, but this rarely happens in Vista so I am not going to give you the command for it.

#3 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 27 January 2009 - 12:17 PM

"if you have time read about autoruns, process explorer, hijackthis and avenger"

dhants20...these are advanced tools recommended for use under the guidance of an expert assisting members with malware removal. Please read the pinned sticky How do I get help? Who is helping me?

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden, the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.


"TDSS is the most common rootkit today and it can easily be removed by uninstalling it in the device manager..."

This worked with earlier versions but that is not the case with newer variants.


CyyberSpaceCowboy... is this a work computer? If so, have you contacted and advised your IT Department? In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. Further, they usually have procedures in place to deal with infections on the network and may not approve of employees seeking help at an online forum or outside the business office.

The malware you are dealing with may have already infected the network. The IT Department needs to be advised right away so they can take the appropriate measures.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 CyyberSpaceCowboy (Topic Starter)

Posted 27 January 2009 - 06:33 PM

First, I am the IT guy, though obviously not as well versed in security as you folks. Everything in my toolkit says either doesn't run or returns a clean scan, that's why I'm here.

Exact messages:

In NORMAL (as opposed to Safe) Mode: the broken Wired LAN icon appears on the Taskbar. Right-click and select "Diagnose and Repair", and I get "Network Diagnostics cannot run because the Diagnostics Policy Service is not Running". If I click "Click to open Service Control Manager", nothing happens. If I run services.msc, nothing happens. It runs in Safe Mode, but setting Diagnostics Policy Service to auto does not make it run in Normal Mode.

If I open Start->Network, I get an empty folder window (ditto Safe Mode). Control Panel->Network and Sharing Center: I get an empty folder with the "wait" cursor (though if I try anything else first, like right-clicking the broken network icon on the Taskbar, I just get the "disallowed" ding).

"The Windows Live OneCare Service is not running or has been stopped". Our current active AV scanner, Lightspeed Systems Security Agent, says the system is clean (long story, but I have an indication they just skinned ClamWin). MalwareBytes says the system is clean. Network services and networking come back in Safe Mode (the first time I saw the networking errors I assumed it was a driver update problem and left the cable plugged in).

Spybot installs but does not run. The current version of HijackThis does not install. I can run the old 1.8x version, but one of the pinned posts says not to post logs unless asked.

There are no printers now in the Printers section under the Control Panel. All the printers were on IP ports; it has nothing to do with the USB.

IE is not the issue unless it is infected. As I said, I can go to the Internet even though Windows tells me there is no network connection.

Another piece of the puzzle: the first tunnel adapter listed in ipconfig /all is disabled:
Tunnel adapter Local Area Connection* 7:
Media State .... Media Disconnected

I plan to back up the data and rebuild the system. As you said, this thing is probably loose on the network. I need help to identify it before I can hope to clean it.



Is there a live or PE disk-based scanner that works on Vista yet? I've been looking and have not been able to find one.

I went to the AntiVirus, Firewall and Privacy Products and Protection Methods page and looked at the pinned list of tools. With the exception of the payware trials and the online scans (in conflict with protecting the rest of my network) I've tried most of them. What tools would you use? Avenger? Can you be more specific? I'm downloading Process Explorer, is there a list of known bad processes to look for?
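The service checks that dhants20 and the original poster go back and forth about (services.msc, the start type of the Diagnostics Policy Service, Regedit disabled by policy) can all be done from a PowerShell prompt when the MMC snap-ins will not open. The script below is an added example, not code from the thread or from any tool it mentions. It assumes PowerShell 2.0 with WMI access, that DPS is the short name of the Diagnostics Policy Service on Vista, and it reads the standard Explorer/System policy values that disable Regedit and Task Manager; none of those names came from this thread.

```powershell
# Added example (not from the thread): audit service state on a Vista box where
# services.msc will not launch. Uses WMI Win32_Service (available on the
# PowerShell 2.0 that Vista can run) and reads the System policy values that
# dhants20 alluded to when he said a disabled Regedit can be re-enabled.
# Run from an elevated prompt, in normal mode and again in Safe Mode so the two
# results can be compared.

# Assumption: short names of services the thread says must be running.
# DPS = Diagnostics Policy Service (named in the Network Diagnostics error).
$Expected = @('DPS')

# 1. Every service set to start automatically that is not actually running.
#    "The necessary services are not loaded" shows up as rows in this table.
$stalled = Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

"=== Auto-start services that are not running ==="
$stalled | Format-Table -AutoSize

# 2. The services the thread names: state, start mode and binary path, so a
#    service whose ImagePath points outside %SystemRoot% stands out.
"=== Services named in the thread ==="
foreach ($name in $Expected) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) { "$name : NOT PRESENT (service entry removed?)"; continue }
    "{0,-8} State={1,-8} StartMode={2,-8} Path={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.PathName
}

# 3. Policy values that disable Regedit / Task Manager ("Regedit will not run").
#    A value of 1 in either hive is what blocks the tool.
$polPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
"=== Tool-disabling policy values ==="
foreach ($p in $polPaths) {
    if (-not (Test-Path $p)) { continue }
    $v = Get-ItemProperty -Path $p
    foreach ($n in 'DisableRegistryTools', 'DisableTaskMgr') {
        if ($v.PSObject.Properties[$n]) { "{0}\{1} = {2}" -f $p, $n, $v.$n }
    }
}
```

The command-line equivalents of the Services MMC actions are `sc.exe query DPS`, `sc.exe config DPS start= auto` (the space after the equals sign is required) and `sc.exe start DPS`. As the original poster found, a start type of Automatic only means the service is asked to start; a service that starts in Safe Mode but not in normal mode points at something that is only loaded in normal mode, which is the more useful lead than repeatedly re-enabling the service.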

#5 quietman7 (Global Moderator)

Posted 28 January 2009 - 09:19 AM

To prevent the malware from spreading to other clients on the network keep this system separated from all others until fully cleaned and disable network file and printer sharing. Vista users can refer to these instructions.

Then isolate each computer from the network and check/disinfect individually to ensure it is clean before reconnecting. See how to scan your network.

On a network where the domain controller has been infected with a rootkit, you should clean the domain controller before cleaning the remaining computers on the network. See rootkit removal on a network with an infected domain controller.

If you were infected by malware that spreads to network shares or by a password stealing trojan, change the passwords for all important applications and set strong passwords for shared network resources.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs. The Process Explorer utility you downloaded will also be helpful with investigation.

Most of the processes in Task Manager will be legitimate as shown in these links.
List of common system processes found in Task Manager
Common system processes found in Task Manager
Top System Processes

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google or the following links:
BC's Startup Programs Database
SystemLookup StartupList Index
File Research Center
ProcessLibrary.com

If you come across a suspicious file for which you cannot find any information, or the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
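quietman7's post describes the manual check: a binary with the same name as a system file but the wrong path, the General and Version tabs of the file's properties, and a hash submitted to VirusTotal or Jotti. The script below is an added example that runs that check across every process at once; it is not code from the thread or from Process Explorer. The expected-directory table is an assumption based on the normal Windows layout, and the user-writable-location patterns are a general heuristic, not an indicator this thread found. It needs PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): triage running processes the way
# quietman7 describes, for every process at once.
#   - flag well-known system binary names running from the wrong directory
#   - show the Version-tab fields (company, description)
#   - compute SHA-256 for a VirusTotal / Jotti lookup
# Uses WMI and .NET so it runs on PowerShell 2.0 without Get-FileHash.

$sysRoot = $env:SystemRoot.ToLower()                   # e.g. c:\windows
$sys32   = (Join-Path $sysRoot 'system32').ToLower()

# Assumption: where these names are expected to live on a stock install.
$Expected = @{
    'svchost.exe'  = $sys32
    'lsass.exe'    = $sys32
    'csrss.exe'    = $sys32
    'winlogon.exe' = $sys32
    'services.exe' = $sys32
    'smss.exe'     = $sys32
    'explorer.exe' = $sysRoot
}

function Get-Sha256Hex([string]$path) {
    # SHA-256 via .NET; opens the file read-only and tolerates other readers.
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
        try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $fs.Close() }
    } catch { '<unreadable: ' + $_.Exception.Message + '>' }
}

$findings = @()
foreach ($p in Get-WmiObject Win32_Process) {
    $exe = $p.ExecutablePath
    if (-not $exe) { continue }        # protected/system processes expose no path
    $name = $p.Name.ToLower()
    $dir  = [System.IO.Path]::GetDirectoryName($exe).ToLower()
    $why  = $null
    if ($Expected.ContainsKey($name) -and $dir -ne $Expected[$name]) {
        $why = 'system file name running from an unexpected directory'
    } elseif ($dir -like '*\temp*' -or $dir -like '*\appdata\*' -or $dir -like '*\recycler*') {
        $why = 'running from a user-writable location'   # heuristic, not proof
    }
    if ($why) {
        $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe)
        $findings += New-Object PSObject -Property @{
            PID     = $p.ProcessId
            Name    = $p.Name
            Path    = $exe
            Company = $vi.CompanyName
            Descr   = $vi.FileDescription
            Sha256  = Get-Sha256Hex $exe
            Reason  = $why
        }
    }
}
$findings | Format-List PID, Name, Path, Company, Descr, Sha256, Reason
```

A kernel-mode rootkit sits below this script: it can hide a process from WMI entirely or serve clean file contents to the hash routine, so an empty result on a box that behaves the way the original poster describes is a weak signal. Hash the same file from a boot disc or from another OS (the Linux box the poster mentions) and compare; a hash that differs between the live system and the offline read is itself a strong indicator, and the offline hash is the one worth submitting.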

#6 CyyberSpaceCowboy (Topic Starter)

Posted 02 February 2009 - 04:05 PM

Thanks for the suggestions and resources. I read the "rootkit removal on a network with an infected domain controller." For the record, the Sophos Standalone Trial didn't find anything on the infected workstation or our DC.

Edited by CyyberSpaceCowboy, 02 February 2009 - 04:08 PM.


#7 quietman7 (Global Moderator)

Posted 03 February 2009 - 11:44 AM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
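The Autorun warning in quietman7's last post comes down to one registry policy value. The script below is an added example, not from the thread or from any linked article: it reports NoDriveTypeAutoRun in both hives and, only when run with -Apply, sets it to 0xFF, which disables Autorun for every drive type. The key path is the standard Explorer policy location; the -Apply switch and the report wording are mine.

```powershell
# Added example (not from the thread): check and harden Autorun on removable
# media via the NoDriveTypeAutoRun policy value. Each bit disables Autorun for
# one drive type; 0xFF sets every bit, so Autorun is off everywhere.
# HKLM applies to all users of the machine, HKCU to the current user only.
# Without -Apply the script only reports; with -Apply it writes the value.
param([switch]$Apply)

$Key      = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Name     = 'NoDriveTypeAutoRun'
$Hardened = 0xFF

foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\$Key"
    $cur  = $null
    if (Test-Path $path) {
        $cur = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    if ($cur -eq $null) {
        $shown = '<absent>'; $state = 'absent (Windows default applies)'
    } elseif ($cur -eq $Hardened) {
        $shown = '0x{0:X2}' -f $cur; $state = 'hardened'
    } else {
        $shown = '0x{0:X2}' -f $cur; $state = 'weak: Autorun still allowed for some drive types'
    }
    "{0} {1} = {2} -> {3}" -f $hive, $Name, $shown, $state

    if ($Apply -and $cur -ne $Hardened) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $Name -Value $Hardened -Type DWord
        "{0}: {1} set to 0xFF" -f $hive, $Name
    }
}
```

Microsoft's KB967715 article notes that Vista needed an update before this value was honoured correctly for all drive types, so the patch level of the machine matters as much as the value itself. The policy also does nothing about a drive that has already been plugged in: as the original poster did with the thumb drive, treat media that touched an infected box as suspect until it has been wiped from a clean system.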