> Yet Another Frustrated WinXP SP 2 User
>
> I need some good and detailed advice on the problem I encountered
> after installing WinXP SP2 on my home computer.  I hope this is the
> best forum to post this question to, but if you know of a different
> group, please, refer me there.
>
> Here's my story, which I'll try to keep to a minimum - just
> enough to describe things in detail.  I have two computers at home: a
> desktop and a laptop.  Both of them sit behind a wireless router
> (Linksys WRT54G) and a cable model (Motrola - can't recall the
> model at this point).  Both boxes run WinXP.  I've been using this
> setup smoothly and happily for some two years now relying on the
> router's built in Firewall to protect me from malicious attempts of
> the villains out there.
>
> Unfortunately a couple of weeks ago I must have contracted some
> mutated version of sasser which caused my lsass.exe to cease to
> function and forced periodic system reboot.  Alerted by this event
> I've decided to bring my desktop up to the latest updates, and
> perhaps install some software firewall on the box itself.  I was able
> to successfully remove the malware (and in the process found some
> more stuff, albeit less malignant).  Either way, after installing the
> first set of necessary updates from MS I got everything working
> smoothly again... And here's when I made a mistake.
>
> I thought, if things are going so well, perhaps I should go ahead and
> install Microsoft's recommended SP2, and I went for it.  Installation
> proceeded uneventfully and soon I had my brand new and shiny WinXP
> SP2. Unfortunately, from that point on I have been unable to connect
> to the internet.  I've pored over gazillions of posts and discussion
> forums, found some advice, applied it, and... got nothing.  I even
> went as far as restoring the system back to before SP2 (at which
> point everything works fine) and reinstalling again, but to no avail.
>
> Now, here's what I see exactly.  My ipconfig shows everything as it
> needs to be.  Both my desktop (with SP2) and my laptop (without SP2)
> get their IPs from the router via DHCP.  I can also ping my router
> (192.168.1.1) and my cable modem (192.168.100.1) just fine.  I can
> ping between the desktop and laptop as well.  However, if I try to
> browse to either one (http://192.168.1.1 or http://192.168.100.1)
> which normally brings up a web based configuration interface, I get
> an IE error page indicating it cannot connect.  Also, when I try to
> ping something outside my local network, the ping times out.
>
> Now, this is the most bizarre part.  Before I installed SP2 on my
> desktop I took it offline by physically unplugging the network.
> During the installation and even after I could access the internet
> from my laptop without any issues.  I could also view the
> configuration web interfaces of both the router and the cable modem.
> When I later plugged in the desktop with SP2 back onto my LAN I could
> still browse happily on my laptop for a little while.  I tried to
> navigate to my router interface from my desktop, and after a very
> long delay, the interface slowly came up.  It was available for a few
> minutes, and then went down (with the familiar error page in IE).  I
> thought this must be a problem with the desktop and SP2, but to my
> dismay I found out that my laptop now can't access the internet or
> web interface of the
> router either.  It seems that SP2 on my desktop is somehow capable of
> taking down the router with it!!!
>
> As a background info, let me state that I have installed the latest
> firmware on the router.  I've also carefully reviewed any potential
> malware on my box.  I've run Ad-Aware and removed everything that
> looked suspicious.  I also scanned the system with HijackThis and
> examined the log, but did not find anything that concerned me.  I'd
> be happy to post the log later when I'm back at my box, if that can
> be relevant here.
>
> Another interesting tidbit is that my "Internet Connection" under
> Network Connections disappeared after I installed SP2.  When I
> restored to the previous state, I couldn't see it either.  Later,
> after re-installation of SP2, it popped up again, until everything
> went down, and then it disappeared again.
>
> I also have Symantec Internet Security 2003 installed.  I had not used
> it before, but I enabled it after I discovered and removed sasser.
> I've tried disabling it, but this had no effect on my connectivity
> problems.  I also disabled the Windows Firewall, but to no avail.
>
> Quite frankly I'm completely at a loss for a solution.  If there is
> anyone out there who could shed some light on my desperate situation,
> I would greatly appreciate your opinion and advice.
>
> Thanks a bunch,
>
> Andrew

On 15 Jun 2005 11:40:47 -0700, "ObsesivelyCurious" <andrew.miadow***@gmail.com>
wrote:

>I've got WinSockXpFix.exe and I even started it, but when I tried to
>run registry backup I got a bunch of errors, which I found
>discouraging, and stopped for now.  I'll give it a shot later.
>
>On the other hand - judging from some other discussion thread I read on
>a similar subject - I would think that since I can ping successfully
>(at least withing my local network) the problem is not with the tcp/ip
>stack.  I could be wrong here.
>
>One more piece of information.  The problem does not seem to be limited
>to the browser only.  My MSN Messenger refuses to connect either, and
>it doesn't seem like Windows Update is able to connect either.  Does
>this preclude some malware trying to hijack the browser?  I have
>Firefox installed and I tried it too after the first installation of
>SP2, but I couldn't connect anywhere.  I can give it another spin, but
>I suspect the outcome will be similar.
>
>Andrew

On 15 Jun 2005 13:12:08 -0700, "ObsesivelyCurious" <*email_address_deleted*>
wrote:

>Chuck,
>
>Thanks for your response.  I'll try to run WinSockXpFix when I get
>home.  Are there any precautions I should take, i.e. can it remove
>stuff that should actually be is LSP?
>
>I haven't posted my HijackThis log yet.  Again, I'll get to it as soon
>as I get home.
>
>The IP addresses I posted where of the router (192.168.1.1) and the
>cable modem (192.168.100.1).  The laptop and desktop (the IPs of which
>I didn't post here) get theirs via DHCP and these default to
>192.168.1.100 for the desktop and 192.168.1.101 for the laptop.
>
>Andrew

On 15 Jun 2005 14:37:38 -0700, "ObsesivelyCurious" <andrew.miadow***@gmail.com>
wrote:

>Chuck,
>
>I had checked my LSP stack using MSInfo32, but didn't have the time to
>examine it in detail.  Microsoft documentaion of fixing winsocks
>problems said the standard stack should have 10 entries.  Mine had 12,
>so I assume I have something extra attached.  Most likely its Symantec
>Network Security.  I'm not sure if both are it, or if the other entry
>is something else.  I'll check it out.
>
>I don't have Autoruns yet.  I'm glad you pointed it out.  It sounds
>like a great tool.  I'll grab it when I get home.
>
>I never thought much about the cable modem being on a different
>subnet...  These were the default settings and they always simply "just
>worked".  I could always ping it by IP and I could also access its web
>interface by http://192.168.100.1.  Is there something here that could
>be causing problems with SP2?  Why should a separate subnet be a
>problem in the first place?
>
>Thanks,
>
>Andrew

On 15 Jun 2005 16:41:03 -0700, "ObsesivelyCurious" <andrew.miadow***@gmail.com>
wrote:

>I see what you were getting at with the modem IP address.  Doesn't the
>modem expose two interfaces and therefore two IP address? One for the
>local network and one for the outside world.  The one I posted is the
>local address that I can see on the inside.  The other is obtained via
>DHCP from my Comcast (my cable provider), and I don't remember it at
>the moment.
>
>What's your advice on NIS then?  Should I try to uninstall it
>completely and then remove anything that may be leftover in LSP?  I've
>had it installed for quite a while since it came in a bundle with
>Antivirus along with some piece of hardware I bought, and I just never
>cared to uninstall it, but simply disabled it.  I've had it all running
>in this fashion for the longest time without any issues at all.
>
>My system was stable before I installed SP2.  In other words, I took
>care of all the issues I saw by running the malware removal tool(s) and
>applying some security patches from MS.  It all ran in a stable fashion
>for a day, and then I decided to move on to SP2.  Also, if I restore to
>the point just before installation of SP2, I get back to a nice and
>stable environment...
>
>I'll give all the LSPs a spin.  I hope none of them will do any damage
>to what I need to run my network :-).  I'll post what I get when I'm
>done.
>
>Andrew

On 15 Jun 2005 18:57:54 -0700, "ObsesivelyCurious" <andrew.miadow***@gmail.com>
wrote:

>Chuck,
>
>Looks like you've exposed a whole in my (somewhat patchy) knowledge of
>computer networks.  I guess the class I took was too long ago, or I was
>dozing off when this topic was discussed.  Of course, it is the router
>that has both the local LAN and the "world" IP address.  Just for
>reference the internet-side IP is 24.20.235.200.
>
>Now down to business.  I've downloaded Autoruns per your advice and
>indeed it is a fabulous tool.  I did a scan, hid all the Microsoft
>registered entries and analyzed what remained.  First I jumped to the
>Winsock tab.  Much to my surprise there was nothing there that was not
>Microsoft-registered.  I suppose, all my 12 items I had referred to
>before must be legitimate (I looked closely, and they appear that way
>to me).  I guess this suggests that the problem was not in the tcp/ip
>stack, especially that I never had much trouble with pinging the world
>(at least not until my SP2 box took down the router).
>
>Anyway, subsequently I unchecked a couple of items in the "Logon"
>section, including two related to Norton Internet Security, but left
>many that I recongized as valid programs.
>
>Then took a hatchet to the "Internet Explorer" section led by the
>earlier symptoms that seemed to be related to IE.  Many of the items in
>there made sense to me (Google toolbar, Norton AntiVirus, Sun Java
>Console, and a couple of others) but regardless I unchecked them all.
>
>With that I rebooted my box and waited....  It came back up fine and
>when I got to browsing things simply worked!  So I think you hit the
>nail on the head, and Autoruns is the right tool to have.
>
>Now I need to re-enable the items one by one to pinpoint the culprit.
>I'll post the info in a few minutes.
>
>I will also post my HijackThis log here for now, cause after I
>registered at Spyware Warrior, I need to wait for activation.
>
>Thanks for your help,
>
>Andrew

On 16 Jun 2005 08:30:24 -0700, "ObsesivelyCurious" <*email_address_deleted*>
wrote:

>Chuck,
>
>Just as I was about to proclaim complete victory last night.... (see
>below)
>
>Continuing my previous post...
>
>I now re-enabled all Norton AntiVirus related entries in IE section,
>rebooted the box, and everything is still working fine.  I noticed only
>one difference: my "Internet Connection" in Network Connections now has
>the "Disabled" status when the box first came up.  This does not,
>however, prevent me from ping or browsing.  I can also right-click it
>and choose "Enable" which changes its state to "Connected".
>
>I've also re-enabled Adobe Acrobat BHO as well as MS Money items, and
>everything is still running fine.  That's good news.  Now what
>remains is some unchecked logon and services items.  Most of them
>pertain to Norton AntiVirus or Internet Security....
>
>....an utter disaster struck!  Little did I know that this would be the
>last time I would see my system stable for the next 24 hours.  Now, one
>more restore point, several unsuccessfull virus scans, malware scans,
>etc., and one sleepless night later I am back to square one.
>
>When I re-enabled Symantec services I started seeing internet slowness
>again.  It didn't quite take down the router like before (I could still
>use it just fine from my laptop), but pages took 10 times as long as
>they should to download.  So I decided to uncheck these services in
>Autoruns hoping for a smooth ride concluded by possibly uninstallation
>of the Symantec products, but - needless to say - that did not happen.
>After a reboot I saw the same slowness symptoms, and soon afterward the
>infamous error messages (lsass.exe) followed by a reboot started again.
> Trying to get the system to a more stable state I restored to a point
>before the changes I've made with Autoruns, but this didn't help, and
>perhaps made things even worse, cause now I started seeing errors from
>services.exe too.
>
>I figure it had to be a virus of some sort, so I resorted to trying
>antivirus software.  I couldn't run Norton AntiVirus in a stable way -
>the app crashed and the system followed.  I grabbed Symanted Sasser
>removal tool and did a system scan, which went through without a reboot
>on 2nd or 3rd attempt and found nothing!  I thought, maybe I got some
>other worm, and found out about McAffee's stinger.  I got that one too
>and ran it.  First in normal windows mode, in which it briefly splashed
>something about a virus found in a single file, but I didn't have a
>chance to even see the name, cause the app crashed too.  I tried it a
>few more times in normal mode and I didn't see any viruses, but the
>scan never completed because of app and system crashes.  Somwhere there
>between furiously rubbing my red eys with contacts permanently
>implanted in them and frantically pulling out my hair, my box started
>randomly rebooting without any error messages whatsoever...
>
>I restarted in safe mode, but even then the spontaneous reboots
>continued.  I attempted to run stinger again focusing first on
>C:\Windows.  It completed successfully and found nothing.  Encouraged
>by that, I started a full scan of both my hard drives, and completely
>exhausted went to sleep.
>
>This morning I found the box restarted again gleefully informing me
>that "the system recovered from a serious error".  I have no clue
>whether the scan completed, cause the tool left no log file behind (at
>least as far as I can tell).  I started to suspect some hardware
>problem on top of everything else, so I took out all my PCI cards, and
>now I'm running the scan again.
>
>I also took a peek and the system and application logs and I can see a
>bunch of errors in there.  I saved those for later, as I didn't have
>the time to analyze them then.  One thing that did jump at me - because
>it looked strangely familiar, like a problem that I dealt with before -
>were errors in the acpi module.  I'll need to look into this more, as
>this could be the reason for the random reboots without any errors.
>
>Either way, if I can get this system back to some semblance of
>stability I will feel quite proud of myself...
>
>I'll report on the progress and any conclusions I reach.
>
>Andrew

On 16 Jun 2005 13:18:14 -0700, "ObsesivelyCurious" <andrew.miadow***@gmail.com>
wrote:

>Chuck,
>
>Thanks for the advice.  I'll make sure to check out the site.  I have
>been quite careful with disabling services, though.  In fact I did not
>disable anything of which the origin/purpose I couldn't determine.  I
>do suspect a virus of sorts, because of some really odd behavior I saw.
> For one thing, when I checked the Winsock in Autoruns once I saw the
>default list of MFAD TCP/IP items.  At a different time, after a reboot
>or two, a whole list of SPX/IPX appeared even though the protocol is
>not attached to the network card.  There was also an entry for RAW/IP.
>
>There was another interesting symptom, although this could be a
>coincidence.  During my initial run of Stinger the virus detected (I
>didn't catch the name) was found in msnmsg.exe.  Earlier when I was
>playing with Autoruns and unchecked the msnmsg.exe, and then refreshed
>the list another msnmsg.exe entry would appear right next to the one I
>disabled and it was alway checked.  I didn't see this happening for any
>other entry in Autoruns.
>
>I'll have to examine the system log files to perhaps glean some
>information from them.  Hopefully my system is still up and running
>when I come back home.  Maybe then I'll be luck enough to see the
>results of the virus scan as well...
>
>Andrew

On 16 Jun 2005 21:09:32 -0700, "ObsesivelyCurious" <*email_address_deleted*>
wrote:

>Chuck,
>
>Thanks for more advice.  I've reviewed every single service that show
>up either under Autoruns or in Windows Service management console
>snap-in.  They are all legitimate and the vast majority conforms to
>BV's recommendations for the safe mode.  I made a few adjustments using
>my judgement.
>
>Now, here's the scoop so far.  When I came home after work today, I
>found my system up and running in the safe mode as I had left it some 9
>hours earlier with the stinger stil up, which is a great sign.  I'm not
>sure if I had mentioned it, but before I started the scan I took out
>all the unnecessary PCI cards, so now all I have in is my graphics
>card, the hard drives, floppy, DVD and CDRW.  This seems to work for
>now.  Much to my surprise, stinger found absolutely no infections of
>any kind.
>
>So now I'm looking through the list of services, browser extensions,
>winsock providers, etc.  And here again one thing jumps at me.  In
>winsock providers I see a whole bunch of entries pertaining to SPX/IPX.
> I can't verify this at this moment (since my network card is out), but
>I'm 99.99% sure that I do NOT have SPX/IPX protocol installed.  The
>only thing I have is TCP/IP.  I do use file and printer sharing, but
>that shouldn't matter here.  I find these entries highly suspicious,
>especially that they seem to come back even after I have disabled them
>using Autoruns.
>
>I'll try to disable them again and boot up the system in normal mode,
>still without any cards or network connectivity.
>
>To be continued...
>
>Andrew

On 21 Jun 2005 10:16:24 -0700, "ObsesivelyCurious" <andrew.miadow***@gmail.com>
wrote:

>Victory!!!!
>
>My box is back up and online!  It took many days and nights of
>gruelling work, but in the end I'm infection-free and all the software
>seems to be healthy too.  Moreover, my internet is as fast as it ever
>has been, or faster.  And even my MSN Messenger connects much more
>smoothly and faster.
>
>As for the root cause of the problem it appears to be virus related.
>After I run a full chkdsk on my hard drives (which took about 15
>hours!!!) and found no errors or problems of any kind, I went back to
>the antivirus software.  I purchased the latest version of Symantec
>Internet Security in hope that I can run the command line virus scanner
>from the bootable installation CD that comes in the box (I tried to
>install the software, but the installation software would either
>terminate with an error, or not start at all).  It turned out that I
>was in for some disappointment.  First, when the box booted from the CD
>it was unable to even see the hard drives, which could be somehow
>related to the BIOS not being new enough to fully recognized the large
>hard drives.  As the result the virus scan tested the memory and boot
>sectors of the CD only and did me absolutely no good.  Not willing to
>mess with BIOS upgrades at this tender stage, I was forced to try
>something else.  I discovered that the command line scanner is present
>on the CD in an uncompressed form and I should be able to run from
>command prompt under Windows.  It seems, however, that while the
>software is there, and even the virus definitions are present (though
>you have to explicitly figure out the path and pass it as command line
>parameter), the configuration files are not there (or at least I
>couldn't find them), and so the tool refuses to start!!!
>
>At this point I was quite desparate.  I tried one last thing.  I
>plugged back the network cable and ran the online virus detection tool
>from Symantec.  Much to my surprise, it ran fine without crashing, and
>after several hours reported detecting three files infected with three
>different trojans.  Interestingly, the registry entries that these
>trojans supposedly created were not present on my box.  I removed the
>infected files, and restarted the computer.
>
>I also found somewhere on Symantec's website a tool for removing
>leftover files and registry entries from previously installed (or
>unsuccessfully uninstalled) versions of their software.  I recalled
>that my installations failed a couple of times due to memory fault
>errors, which I can attribute only to the viral activities on my box at
>the time.  Either way, I ran a couple of these handy tools, and
>subsequently was able to successfully installe NIS 2005!  Now, this was
>a step in the right direction.  I downloaded the latest upgrades and
>virus definitions, unplugged the box from the network, and ran a full
>virus scan.  The report came out clean!
>
>Since then I reenabled the startup services, plugged in the network
>cable and stuck the remaining PCI cards back in, and I'm still running
>nice and stable.  Although the ultimate root cause of the problem is
>still somewhat murky I have to attribute it to the viruses I had
>contracted.  Perhaps the most malicious was the one hidden in
>msnmsg.exe which got detected and removed the first time I ran the
>trial version of Symantec AntiVirus.  Unfortunately some of the reports
>are now gone since I had to unistall and reinstall NIS, but I'll see if
>I can submit any of my files for analysis.
>
>All in all, this was a great (though quite painful and time consuming)
>adventure.  I've learned a lot in the process, picked up several very
>handy tools and tricks.  Great thanks to Chuck, who was an invaluable
>advisor in my distress.  I also have a new found respect for the
>antivirus software and its creators.  And - who knows - perhaps I'll
>even start running backup jobs regularly ;-).
>
>Andrew