Is My TCP/IP Stack Corrupted Due to Worms?

SUMMARY

The discussion centers on diagnosing and resolving internet connectivity issues on a Windows 2000 machine infected with the W32.Swen.A@mm and W32.sdbot.worm.gen worms. Key symptoms include high CPU usage by svchost.exe, socket creation errors in IPRIP, and DHCP renewal failures. The recommended approach is to remove network devices via Device Manager and reboot the system to allow Windows to reinstall the drivers. Formatting the hard drive is deemed unnecessary if less destructive methods can restore functionality.

PREREQUISITES
  • Understanding of Windows 2000 operating system
  • Familiarity with network interface card (NIC) settings
  • Knowledge of Windows Device Manager
  • Basic troubleshooting skills for malware removal
NEXT STEPS
  • Learn how to use Windows Device Manager for hardware troubleshooting
  • Research methods for removing malware from Windows 2000
  • Explore techniques for restoring TCP/IP stack functionality
  • Understand the implications of network driver corruption and recovery
USEFUL FOR

This discussion is beneficial for IT support technicians, network administrators, and anyone dealing with malware-related network issues on legacy Windows systems.

Gokul43201
My computer's (750 MHz Dell running Win 2K) unable to connect to the internet, and has a couple of worms (W32.Swen.A@mm and W32.sdbot.worm.gen) wrecking it. The following are some of the error messages/problems that I've discovered:

1. Windows Task Manager shows two occurrences of a process named svchost.exe. One of these is taking up 99% of the CPU.

2. Event Viewer had this error: Source = IPRIP. Description = "IPRIP was unable to create a socket for address 169.254.13.27" (is this some default Windows IP address?). There was also the following warning: Source = DHCP. Description = "Your computer was not able to renew its address from the network for the network card with network address ############. The following error occurred : The semaphore timeout period has expired. Your computer will continue to try and obtain an address on its own from the DHCP server."

3. Command Prompt: trying "ipconfig /renew" gave me the following error message: "An operation was attempted on something that is not a socket."

So what is your diagnosis of the situation? What really has happened, and what is the extent of damage? And what should I do about it?

Is my TCPIP stack screwed? Should I reconfigure TCPIP (followed by deworming, of course)? Should I format HD? What is the least destructive means of remedying my malady?

Thanks all! :frown:
 
Just format and reinstall. Once you've got your computer up and running make a backup of the partition. If something else goes wrong later you'll just have to recopy the partition back on instead of wasting time going through the install process.
 
From your description it sounds as though there has been corruption to your NIC and its driver setting. Rather than reformatting, I would suggest trying the following.
Open the device manager and simply remove any devices listed in the network controllers section. When asked to restart, say no and do a complete shutdown of the PC. Wait 10 secs and then reboot. Windows should detect the card with a new copy of the driver set to the original defaults. If you are using a router or hub, disconnect the PC from any of them. Just unplug the network cable from the NIC card before you boot up to prevent any suspicious services from accessing any network resources.

10 years as a PC and network support technician, that's what I would try first.
 
