Re: worm symptoms, and M-S patches won't "stick"

From: Little Orly (LittleOrly_at_discussions.microsoft.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 14:19:01 -0800

11/30/04 - OK, i'm back after following instructions, thoroughly if slowly.
i hope there's a tickler system to alert you to this posting. first i’ll
list what happened with virus/worm detection using your instructions, then i
have a couple of follow-up questions, if i may. i preceded all work with IE6
automated and manual deletions of files in temp, cookies, and internet temp
files directories. the problems all started with virus/worm interference
with updates of my anti-virus software. i’ve been using mcafee, so i also
went in and manually deleted most files/folders that were left after a
conventional uninstall. however, several files/folder refused to budge.
also, symantec was packaged with the system, and i uninstalled it. something
was weird about that process -- the uninstall dialogue boxes appeared and
disappeared rapidly without waiting for my input. i found by trial and error
that i could nail the “yes” button on rapidly self-closing dialogue boxes.
after several repetitions, symantec progressively left the system.

i have run the Trend sysclean.exe, McAfee AVERT, and Lavasoft AdAware
numerous times now, partly because of your recommendation; partly because
the first round caught several problems (i’m an engineer and, thus, more is
better); and because after several cycles i found the system restore was NOT
disabled though i was sure i had done that step early on.

SAFE MODE:
sysclean found worm_donk_worm_rbot.fl during the opening memory scan. later
it listed numerous (error <-94>) incidents mostly for log files and dll’s
during its VSCANIM phase. (maybe can’t open certain files. saw a note
online today about that issue.) it found worm_rbot and removed various
keys and files. and at the end of vscanim, sysclean showed “...has
encountered a problem” that it offers to report to microsoft. i have
confirmed this happens with numerous sysclean runs, and it looks as though
it’s during an end-of-run transition of vscanim.

an immediate rerun of sysclean repeated the (error <-94>) incidents but
listed no other offending files.

AVERT identified W32/SDBOT.WORM.GEN.T, and announced that it deleted
C:/RECYCLERS/S-1-5-.../DC232.exe, and C:/WINDOWS/SYSTEM32/TFTP2016 as the
sdbot.worm.dam virus. "TFTP" issues seemed to be the earliest symptoms of
problems on the PC.

an immediate AVERT rerun was clean.

AdAware found 8 critical files, all ALEXA’s. i’ve scoured their online help
and discussions for guidance, and found that most alexa’s can be discarded,
but with caution for selective disruption of normal system functions. i’ve
quarantined the alexa’s. several weeks ago, i tried this on my other
computer, and it appeared that quarantining the alexa’s had some negative
effects on the system -- i restored them.

NORMAL MODE:
sysclean rapidly found WORM.BAGLE.AH WORM_BAGLE1, but a rerun of sysclean,
then AVERT and then adaware were all clean.

because of my oversight with the system restore function, i’ve repeated the
entire cycle again, and all is clean.

i haven't tried any of the other dozen or so detection/cleaning links you
listed. i'll get to them later.

Now My Questions: somewhere in the time frame that i got your advice on
this process, i also saw a comment from someone on-line that Windows XP has a
system scan function to determine whether the O/S files are intact. i can’t
find that reference again, but i think it would be a good idea to use the
function -- is it actually available? having cleaned up my system, can i
do some sort of XP check/reinstall to restore integrity of files lost/damaged
through security breaches and cleaning tasks?

secondly, is now a good time to install the Windows XP Service Pack 2?

thanks much for the help.

Orly

"David H. Lipman" wrote:

> 1) Download the following four items...
>
> McAfee Stinger
> http://vil.nai.com/vil/stinger/
>
> Trend Sysclean Package
> http://www.trendmicro.com/download/dcs.asp
>
> Latest Trend Pattern File.
> http://www.trendmicro.com/download/pattern.asp
>
> Adaware SE (free personal version v1.05)
> http://www.lavasoftusa.com/
>
> Create a directory.
> On drive "C:\"
> (e.g., "c:\New Folder")
> or the desktop
> (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
>
> Download Sysclean.com and place it in that directory.
> Download the Trend Pattern File by obtaining the ZIP file.
> For example, lpt257.zip
>
> Extract the contents of the ZIP file and place the contents in the same directory as
> sysclean.com.
>
> 2) Update Adaware with the latest definitions.
> 3) If you are using WinME or WinXP, disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
> 4) Reboot your PC into Safe Mode
> 5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
> platform and clean/delete any infectors/parasites found.
> (a few cycles may be needed)
> 6) Restart your PC and perform a "final" Full Scan of your platform using the three
> utilities: Trend Sysclean, Stinger and Adaware
> 7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
> System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
> 8) Reboot your PC.
> 9) If you are using WinME or WinXP, create a new Restore point
>
> You can also try some of the below online scanners.
>
> BitDefender:
> http://www.bitdefender.com/scan/license.php
>
> Computer Associates:
> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
>
> DialogueScience:
> http://www.antivir.ru/english/www_av/
>
> F-Secure:
> http://support.f-secure.com/enu/home/ols.shtml
>
> Freedom Online scanner:
> http://www.freedom.net/viruscenter/index.html
>
> Kaspersky:
> http://www.kaspersky.com/de/scanforvirus
>
> McAfee:
> http://www.mcafee.com/myapps/mfs/default.asp
>
> Panda:
> http://www.pandasoftware.com/activescan/
>
> RAV
> http://www.ravantivirus.com/scan/
>
> Symantec:
> http://security.symantec.com/
>
> Trend:
> http://housecall.antivirus.com
> http://housecall.trendmicro.com
>
>
> * * * Please report your results ! * * *
>
> Dave
>
>
>
>
>
> "Little Orly" <Little Orly@discussions.microsoft.com> wrote in message
> news:E3B498C6-3421-43CD-95DD-CC302342B3CD@microsoft.com...
> | i have checked all 44 pages of "virus security" postings and read karl
> | levinsons "read before posting" FAQs -- this problem isn't in there. i
> | can't make Microsoft security patches stick. i downloaded several and
> | started them from the "RUN" window.
> |
> | here's why: my wife's computer (running Windows XP Home) has symptoms
> | matching descriptions of infection by blaster or sasser worms. no, i'm not
> | completely up to date on security patches, and yes i have SP2 in house. but
> | i'm giving this focused attention before trying SP2 -- i think i need to
> | clean up the infection before installing SP2, yes? so i've selected
> | Microsoft security patches and cleanup tools to target the worms blaster,
> | sasser .... and doom just for good measure.
> |
> | other details: this all started about two weeks ago when McAfee Virus Scan
> | online update failed with "error downloading" messages, and the system also
> | started aborting after McAfee Firewall notified me of attempted TFTP
> | communication (which i prohibited). consistent with blaster in particular,
> | the system goes into a 60-second shutdown spiral shortly after the TFTP
> | attempts. this also triggers an SVCHost glomming onto high-90s percent CPU
> | usage. the McAfee update failures were retried and repeatedly failed. and
> | as of the last couple of days, i can't access sites like McAfee, Microsoft,
> | etc.
> |
> | using my own computer (also on XP Home) as a relay station, i've downloaded
> | several microsoft security patches and tools to detect/clean/protect against
> | doom, blaster, sasser. the cleanup tools say the system (my wife's PC) is
> | clean. so does AVERT from mcafee and a ClnPOZA tool from CAI.
> |
> | BUUUT, the blaster and sasser patches won't install. after starting from the
> | XP "RUN" panel, they begin to show the install dialogue box, and then that
> | terminates abruptly. the control panel "add/remove programs" window doesn't
> | show the patches in the inventory of installed stuff.
> |
> | (coincidentally, my own computer has had the McAfee update download failure
> | (the two PCs are not connected), citing a "possible system error." i've
> | stripped virus scan from both and now running vewwwwy carefully, only going
> | to the internet from my PC. both PCs have XP firewall activated.)
> |
> | what do i do now about the phantom worm/virus and patch installation
> | problem, please?
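An added example, not part of Dave's reply or Orly's post, showing how steps 3, 7 and 9 of the quoted procedure (disable System Restore, re-enable it with a disk-space preference, create a fresh restore point) can be scripted on Windows XP through the WMI SystemRestore and SystemRestoreConfig classes in the root\default namespace. It assumes Windows PowerShell is installed on the XP machine and that it runs from an Administrator account; the function names, the C:\ drive and the 500 MB target (chosen to sit inside Dave's 400 ~ 600 MB suggestion) are my own choices.

```powershell
# Added example (not from Dave's or Orly's posts): scripting steps 3, 7 and 9
# of the cleanup procedure on Windows XP via the WMI SystemRestore classes.
# Assumptions: Windows XP with Windows PowerShell installed, run as Administrator;
# the drive letter, target size and function names are this example's own.

$SrClass = [wmiclass]'\\.\root\default:SystemRestore'

function Get-RestorePoints {
    # Lists the restore points that currently exist. Files copied into a restore
    # point come back with it, so an infected file kept here survives a cleanup.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, RestorePointType, CreationTime
}

function Disable-SystemRestoreOnDrive {
    param([string]$Drive = 'C:\')
    # Step 3: turning System Restore off discards every existing restore point.
    # That is the intent: the scanners cannot clean the copies stored under
    # System Volume Information, so the points must go before the Safe Mode scans.
    $result = $SrClass.Disable($Drive)
    if ($result.ReturnValue -ne 0) {
        throw "Disable failed for $Drive with return code $($result.ReturnValue)"
    }
}

function Enable-SystemRestoreOnDrive {
    param([string]$Drive = 'C:\', [int]$TargetMB = 500)
    # Step 7: re-enable System Restore and re-apply the disk-space preference.
    # XP stores the limit as a percentage of the drive, so convert the MB target.
    $result = $SrClass.Enable($Drive, $true)   # $true = wait until enabled
    if ($result.ReturnValue -ne 0) {
        throw "Enable failed for $Drive with return code $($result.ReturnValue)"
    }
    $deviceId = $Drive.TrimEnd('\')
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
    $percent = [math]::Ceiling(($TargetMB * 1MB) / $disk.Size * 100)
    [int]$percent = [math]::Max(1, [math]::Min(12, $percent))   # XP default is 12%
    $config = Get-WmiObject -Namespace 'root\default' -Class SystemRestoreConfig
    $config.DiskPercent = $percent
    [void]$config.Put()
    return $percent
}

function New-CleanRestorePoint {
    param([string]$Description = 'Post-cleanup baseline')
    # Step 9: create a fresh restore point on the cleaned system.
    # 12 = MODIFY_SETTINGS restore point type, 100 = BEGIN_SYSTEM_CHANGE event type.
    $result = $SrClass.CreateRestorePoint($Description, 12, 100)
    if ($result.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with return code $($result.ReturnValue)"
    }
}

# Usage, in the order of the quoted procedure; the reboots and scans of steps
# 4 to 6 and 8 happen between these calls, not inside the script:
#   Get-RestorePoints              # see what step 3 is about to discard
#   Disable-SystemRestoreOnDrive   # step 3, then reboot into Safe Mode and scan
#   Enable-SystemRestoreOnDrive    # step 7, after the final clean scan
#   New-CleanRestorePoint          # step 9, after the reboot of step 8
```

Each WMI call returns an object whose ReturnValue is 0 on success, which the functions check so that a failed Disable does not silently leave old restore points in place. Listing the points first makes the cost of step 3 visible: everything shown is deleted, and a point taken while the worm was active would reinstall it on a later restore.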