Internet Connection Lost After Installation of Windows XP Service Pack 2 (WinXP SP2)

ObsesivelyCurious

OK, so before restarting in normal mode I decided to follow the manual
procedure to reset the winsock catalog. According to Microsoft's
troubleshooter I simply removed the winsock and winsock2 keys from the
registry (after exporting them to a file first). Interestingly enough
I found there two additional entries for each of them in the form
"winsock(2) - google desktop backup before first(last) install". I
wonder if they could be confusing the system somehow. Either way, I
took them out too after backing them up to a file.

I restarted the box in safe mode and verified that the catalog is now
empty. I suppose when I install my network card back in I'll need to
reinstall TCP/IP. But that's no big deal.

Now I'm restarting in normal mode to check if the system is still
stable...

Andrew

Chuck

Chuck,

Thanks for more advice. I've reviewed every single service that shows
up either under Autoruns or in the Windows Service management console
snap-in. They are all legitimate and the vast majority conforms to
BV's recommendations for the safe mode. I made a few adjustments using
my judgement.

Now, here's the scoop so far. When I came home after work today, I
found my system up and running in the safe mode as I had left it some 9
hours earlier with the stinger still up, which is a great sign. I'm not
sure if I had mentioned it, but before I started the scan I took out
all the unnecessary PCI cards, so now all I have in is my graphics
card, the hard drives, floppy, DVD and CDRW. This seems to work for
now. Much to my surprise, stinger found absolutely no infections of
any kind.

So now I'm looking through the list of services, browser extensions,
winsock providers, etc. And here again one thing jumps out at me. In
winsock providers I see a whole bunch of entries pertaining to SPX/IPX.
I can't verify this at this moment (since my network card is out), but
I'm 99.99% sure that I do NOT have SPX/IPX protocol installed. The
only thing I have is TCP/IP. I do use file and printer sharing, but
that shouldn't matter here. I find these entries highly suspicious,
especially since they seem to come back even after I have disabled them
using Autoruns.

I'll try to disable them again and boot up the system in normal mode,
still without any cards or network connectivity.

To be continued...

Andrew

Andrew,

I should point out that I have not, to date, tried using Autoruns to disable any
network protocols, since those entries are part of the LSP / Winsock, which is a
chain of entries. The problem requiring LSP / Winsock repair generally results
from removal of one component in the chain, which breaks the chain, and causes
other components to not work. If you simply use Autoruns to disable an entry in
the chain, I have no idea what would happen. Hopefully, Mark of SysInternals
has thought of that, but I can't say for sure.

Also, Stinger is one type of malware detector, from one anti-malware company. I
wouldn't take it for a final or sole authority, in any case. Please locate and
submit msnmsg.exe to Jotti and VirusTotal, for intensive scanning by a bank of
authorities. Please don't stop with Stinger.
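The two posts above (Andrew's manual export-and-delete of the Winsock keys, and Chuck's point that the LSP catalog is a chain that breaks when one link is removed) both come down to knowing what is in the catalog before touching it. The PowerShell script below is an added example, not something either poster ran: it exports both keys with reg.exe, then decodes the provider DLL of every Catalog_Entries item and checks whether that file exists and carries a valid Authenticode signature. It assumes PowerShell 2.0 or later in an elevated session, that the PackedCatalogItem blob begins with the provider path as a NUL-terminated ANSI string of at most MAX_PATH (260) bytes (the layout assumed here), and the backup folder name is my own choice.

```powershell
# Added example (not from the thread): inventory the Winsock2 provider catalog before
# touching it, and take a .reg backup of the keys the post deletes.
# Assumptions: PowerShell 2.0 or later, elevated session; backup folder name is arbitrary.
# The script changes nothing on the system except writing the two backup files.

$catalogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$backupDir  = Join-Path $env:USERPROFILE ('winsock-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Export both keys with reg.exe, as the post did, so the original state can be restored.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Winsock'  (Join-Path $backupDir 'Winsock.reg')  | Out-Null
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\WinSock2' (Join-Path $backupDir 'WinSock2.reg') | Out-Null

# 2. Decode one catalog entry. PackedCatalogItem is REG_BINARY; the layout assumed here is a
#    NUL-terminated ANSI provider path (MAX_PATH = 260 bytes) followed by WSAPROTOCOL_INFO.
function Get-WinsockProvider {
    param([string]$EntryPath)
    $blob = (Get-ItemProperty -Path $EntryPath -Name PackedCatalogItem).PackedCatalogItem
    $len  = [Array]::IndexOf($blob, [byte]0)
    if ($len -lt 0 -or $len -gt 260) { $len = 260 }
    $dll  = [System.Text.Encoding]::Default.GetString($blob, 0, $len)
    # Paths are often stored as %SystemRoot%\system32\...; expand so the file check is meaningful.
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    $exists = Test-Path -LiteralPath $expanded
    $signed = $false
    if ($exists) {
        $signed = (Get-AuthenticodeSignature -FilePath $expanded).Status -eq 'Valid'
    }
    New-Object PSObject -Property @{
        Entry  = Split-Path $EntryPath -Leaf
        Dll    = $dll
        Exists = $exists
        Signed = $signed
    }
}

# @() keeps $providers an array even when the catalog holds a single entry (PowerShell 2.0).
$providers = @(Get-ChildItem -Path $catalogKey | ForEach-Object { Get-WinsockProvider -EntryPath $_.PSPath })

# 3. Report. An entry whose DLL is missing is the broken-chain case Chuck describes; an entry
#    whose DLL exists but is unsigned or lives outside %SystemRoot%\system32 is the kind of file
#    to hand to a multi-engine scanner before deciding what to do with the entry.
$providers | Sort-Object Entry | Format-Table Entry, Exists, Signed, Dll -AutoSize

"Catalog entries:        $($providers.Count)"
"Missing provider DLLs:  $(@($providers | Where-Object { -not $_.Exists }).Count)"
"Unsigned provider DLLs: $(@($providers | Where-Object { $_.Exists -and -not $_.Signed }).Count)"
"Backups written to:     $backupDir"
```

Run it from an elevated prompt before and after any catalog change and keep both reports: the before/after diff of the Entry and Dll columns is the cleanest record of what a repair actually removed. On XP SP2 itself, `netsh winsock reset` is the supported way to rebuild the catalog and avoids hand-deleting the keys; the inventory above is still worth taking first, because the reset discards the third-party entries without telling you which ones they were.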

ObsesivelyCurious

Chuck,

The saga continues... :)

After I manually cleaned up the winsock registry keys, restarted the
box and reinstalled TCP/IP on my network card, everything seems to work
fine again... (well almost, but I'll get to that in a second). My
internet connection is blazingly fast :) :) :). Interestingly,
after I reinstalled TCP/IP I see only two entries in the protocols
section under MsInfo32, i.e. these are the only entries in the registry.
There is one for TCP/IP and one for UDP/IP. What's funny is that the
other 10 that Microsoft says are standard for a healthy LSP are gone
:). Apparently you don't need them so much ;-).

So once I did that I was able to install a trial version of Norton
AntiVirus 2005, which was then able to update its virus definitions
over the internet. I started a full systems scan. I watched it for a
while and noticed it did detect a few infected files. I left it
running for the night. Unfortunately, when I came back I saw my system
restarted again - still no clue why this happens, but at least it's
much less frequent now. Quick glance at system logs revealed one entry
indicating an error on my second hard drive. I also took a look at the
Norton log and found a whole shmorgasboard (how do you spell that
anyway?) of viruses. I guess I was a little ;-) naive trusting my
AntiVirus 2003 with a year old virus definition to protect my system.
Obviously, stinger does not find all there is to find, either.

I wish the antivirus software would create a log of the scan progress.
What I could see was just a list of quarantined files, but I have no
clue how far the scan got. I know it didn't complete, because Norton
reports that in the console. If I had a log I could perhaps pinpoint
the problem better...

Well, at least I have a good cause of the system's instability. Now I
just need to find a reliable way of getting rid of it. I rebooted the
box in safe mode and ran AntiVirus again. It informed me its
functionality is limited in this mode, and I guess it must be, because
it appeared to freeze on me :). It seemed stuck on one particular
file - some mp3 for way too long for my taste. I had to close it.

I thought maybe it's a good idea to run some chkdsk to make sure I
don't have any serious issues there as well. So I scheduled a chkdsk
on restart and rebooted the box. Here I made a mistake of choosing
safe mode again, which starts up Windows with textual interface during
bootup process. What I didn't know is that chkdsk in this case will
not show anything on the screen whatsoever, which I find quite stupid.
I let it run for some 45 minutes, but got impatient not knowing if
indeed it's doing something or is just stuck in some endless loop, and
restarted the box this time in normal mode. This time after a long
delay while booting the box, chkdsk finally came up with its GUI and is
scanning... and scanning... and scanning. Oh well, I had to go work.
We'll see what I see when I get back. This scan was on the system
drive. Now I still need to run another one on the second drive,
especially since this is the one reporting some error in the system log.

When all this is done I hope to be able to re-run the full virus scan.
Perhaps I'll need to take my network card out again to ensure the box
is stable enough... When I finally kick all these infections goodbye,
I'll definitely post my findings online, and get the files examined
thoroughly. I think, though, that the msnmsg.exe is gone permanently -
removed by stinger.

Good luck to me :)

Andrew

ObsesivelyCurious

Victory!!!!

My box is back up and online! It took many days and nights of
gruelling work, but in the end I'm infection-free and all the software
seems to be healthy too. Moreover, my internet is as fast as it ever
has been, or faster. And even my MSN Messenger connects much more
smoothly and faster.

As for the root cause of the problem it appears to be virus related.
After I ran a full chkdsk on my hard drives (which took about 15
hours!!!) and found no errors or problems of any kind, I went back to
the antivirus software. I purchased the latest version of Symantec
Internet Security in hope that I can run the command line virus scanner
from the bootable installation CD that comes in the box (I tried to
install the software, but the installation software would either
terminate with an error, or not start at all). It turned out that I
was in for some disappointment. First, when the box booted from the CD
it was unable to even see the hard drives, which could be somehow
related to the BIOS not being new enough to fully recognize the large
hard drives. As a result the virus scan tested the memory and boot
sectors of the CD only and did me absolutely no good. Not willing to
mess with BIOS upgrades at this tender stage, I was forced to try
something else. I discovered that the command line scanner is present
on the CD in an uncompressed form and I should be able to run it from
the command prompt under Windows. It seems, however, that while the
software is there, and even the virus definitions are present (though
you have to explicitly figure out the path and pass it as command line
parameter), the configuration files are not there (or at least I
couldn't find them), and so the tool refuses to start!!!

At this point I was quite desperate. I tried one last thing. I
plugged back the network cable and ran the online virus detection tool
from Symantec. Much to my surprise, it ran fine without crashing, and
after several hours reported detecting three files infected with three
different trojans. Interestingly, the registry entries that these
trojans supposedly created were not present on my box. I removed the
infected files, and restarted the computer.

I also found somewhere on Symantec's website a tool for removing
leftover files and registry entries from previously installed (or
unsuccessfully uninstalled) versions of their software. I recalled
that my installations failed a couple of times due to memory fault
errors, which I can attribute only to the viral activities on my box at
the time. Either way, I ran a couple of these handy tools, and
subsequently was able to successfully install NIS 2005! Now, this was
a step in the right direction. I downloaded the latest upgrades and
virus definitions, unplugged the box from the network, and ran a full
virus scan. The report came out clean!

Since then I reenabled the startup services, plugged in the network
cable and stuck the remaining PCI cards back in, and I'm still running
nice and stable. Although the ultimate root cause of the problem is
still somewhat murky I have to attribute it to the viruses I had
contracted. Perhaps the most malicious was the one hidden in
msnmsg.exe which got detected and removed the first time I ran the
trial version of Symantec AntiVirus. Unfortunately some of the reports
are now gone since I had to uninstall and reinstall NIS, but I'll see if
I can submit any of my files for analysis.

All in all, this was a great (though quite painful and time consuming)
adventure. I've learned a lot in the process, picked up several very
handy tools and tricks. Great thanks to Chuck, who was an invaluable
advisor in my distress. I also have a newfound respect for the
antivirus software and its creators. And - who knows - perhaps I'll
even start running backup jobs regularly ;-).

Andrew

Chuck


Andrew,

That's great news (excepting the frustration you experienced)! Thanks for
updating us. And don't stop there - layer your defenses, for future protection.
<http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>