Recently I suffered from the Donk-Q Worm on Windows XP, also known as
W32SdBot.  By now I have disinfected the computer with Symantec tools,
and to the best of my knowledge the PC is clean and yesterday I
finished downloading all the latest Microsoft Critical Updates.

Everything on my PC is fine now except for one legacy of the worm. 
When it was active it seems to have made a modification to prevent me
from enabling the Windows Internet Firewall. It did this by making it
impossible for me to open the Properties window for my Network
Connection. I simply cannot find a way to open this feature, no matter
how many ways I try.

I will probably install ZoneAlarm as a firewall anyway, but I would
still like to be able to fix this hack that the worm left.

Can anyone help?

---

Request for Question Clarification by aceresearcher-ga on 25 May 2004 09:56 PDT

Greetings, Patrick!

Can you describe step-by-step what you've done so far to eradicate the worm?

Thanks,

aceresearcher

---

Clarification of Question by patrickl999-ga on 25 May 2004 10:56 PDT

Sure. 
I first realized my PC was infected when it exhibited the following 3 symptoms:
1) Windows would give shutdown warnings because of unauthorized RPC calls. 
2) Windows would not allow me to run msconfig or regedit or download
updates from the Microsoft website.
3) Windows would not allow me to open the Network Properties window to
enable the IPC firewall.

I diagnosed the problem by rebooting in Safe Mode which allowed me to
run msconfig.exe  and take a look at what was running in my boot.ini
and startup file. There were 3 alien files: cool.exe, sys32.exe and
wnetmgr.exe.  When I searched for these on Google I saw that Symantec
classified these as belonging to the Donk-Q worm, which McAfee called
W32/Sdbot.

I downloaded Symantec's FixDonk.exe tool. This removed all the alien
files, and old infected System Restore files, and cleaned up my Hosts
file.

I have since run the PC without any problems (except for the Network
Connection Properties issue). I ran FixDonk.exe again, and it can find
no trace of the worm. I also ran the latest version of AntiVir
software from www.free-av to confirm that my PC does not have any
other viruses on it.

So I am assuming that the PC is clean, and that my current problem is
due to some minor hack that Donk did in my Windows settings to make
the Network Properties window inaccessible.

Patrick,

I think the prescribed medicine for your system is a Windows XP Repair
Install. This should re-implement the Network Properties
functionality.


There is an excellent tutorial on how to do this (and other XP-related
fixes) on Harry O's Windows XP "New Life For Windows" website:

"How to Repair Install: (also called "In place reinstall")
Sometimes the only way to repair XP is to reinstall. You do not have
to wipe your partition and start over. Just as with previous versions
of Windows you can install over top of an existing setup. This has the
advantage of retaining your installed applications, data and settings.
You will lose previously saved System Restore Points but System
Restore will begin creating new restore points again immediately
following the Repair Install. You will need to reinstall SP1a and any
Critical Updates from the Windows Update Site.

*** Be aware that a Repair Install will leave your system vulnerable
to the Blaster and Welchia worms. Do not go on line until you have
enabled XP's firewall first. Then visit the Windows Update Site to
patch your system. ***

It is always prudent to backup important data before you make changes to XP..."
http://www.webtree.ca/windowsxp/repair_xp.htm



I also highly recommend that if you have not already done so, you
download and run the following free programs, not just for this
problem, but on a frequent basis (every few days, weekly, or monthly,
depending on how much surfing and download is done on your system):

Spybot Search & Destroy
http://www.security.kolla.de

AdAware
http://www.lavasoft.de

*** IMPORTANT ***
If you already have Spybot and/or AdAware installed on your PC, be
sure to download the latest updates first **each time you run them**.
*****************

Other helpful free anti-scumware utilities:

CWShredder: 
http://www.spychecker.com/program/coolwebshredder.html 

Online Housecall
http://housecall.antivirus.com


Something to keep in mind is that even if these programs give your
system a "clean bill of health", it does *not* mean that you can be
absolutely sure that your system is clean. It is only a *reasonable
assurance* that it is clean.


I definitely recommend that you install Zone Alarm or Zone Alarm Pro.
I (and many people I know) use the Pro (paid) version, which provides
more extensive protection and customization. You can download them
here:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp


It's also VERY important to continue to check with Microsoft
periodically and make sure that you have installed any new
security-related patches that have been released.
You can find out if there are any available by going here:
http://v4.windowsupdate.microsoft.com/en/default.asp


Before Rating my Answer, if you have any questions or problems with
the above information or need assistance in performing the
identification and removal procedures, please post a Request for
Clarification, and I will be glad to assist you.

I hope that this Answer helps you to resolve your nasty problem, and
that you have smooth surfing once again!

Regards,

aceresearcher

---

Request for Answer Clarification by patrickl999-ga on 26 May 2004 06:15 PDT

Well, it's not the answer I was hoping for, since obviously I'd like
to fix the problem without having to completely reinstall XP and
download all the Microsoft updates again over my dial-up connection.

But, if there's no other way....

---

Clarification of Answer by aceresearcher-ga on 26 May 2004 08:16 PDT

Patrick,

I know it's a pain, but bear in mind that it's not a *complete*
reinstall of Windows and all of your application programs -- plus a
reload of all your data files -- and I've had to do this! I lost a
week of my life...

It's just a repair (the system determines which files have been
corrupted and replaces only those files). However, because the system
compares itself to your original copy of XP, it will also replace
those files which were changed by the security patch updates, which is
why you will need to do them again.

Best Wishes!

ace

quick response!

Hey,

Boot from windows 2000 installation CD, go to recovery console..and run chkdsk /r

Hope it helps...

Regards,
Peeyush

UPDATE - 

  I discovered the source of the problem finally. It was my own ISP,
PeoplePC, that has locked me out of the Network Connection Properties
window.

Thank you for the update, Patrick! It's odd that they would do that. I
hope you were able to persuade them to enable you to do what you
needed to do.

Regards,

ace