Re: worm symptoms, and M-S patches won't "stick"
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 11/30/04
Date: Tue, 30 Nov 2004 17:26:18 -0500
Thanx for *all* that feedback !
The command for WinXP is SFC.EXE (System File Checker)
It will check for replaced/wrong version files.
Open a Command Prompt and type...
SFC /?
To get the syntax of the SFC command line utility.
Once you have "Thoroughly Cleaned" the system, yes install WinXP SP2.
Dave
"Little Orly" <LittleOrly@discussions.microsoft.com> wrote in message
news:54DE0F65-5BAD-4751-A1B3-470152195107@microsoft.com...
| 11/30/04 - OK, i'm back after following instructions, thoroughly if slowly.
| i hope there's a tickler system to alert you to this posting. first i'll
| list what happened with virus/worm detection using your instructions, then i
| have a couple of followup questions, if i may. i preceded all work with IE6
| automated and manual deletions of files in temp, cookies, and internet temp
| files directories. the problems all started with virus/worm interference
| with updates of my anti-virus software. i've been using mcafee, so i also
| went in and manually deleted most files/folders that were left after a
| conventional uninstall. however, several files/folder refused to budge.
| also, symantec was packaged with the system, and i uninstalled it. something
| was weird about that process -- the uninstall dialogue boxes appeared and
| disappeared rapidly without waiting for my input. i found by trial and error
| that i could nail the "yes" button on rapidly self-closing dialogue boxes.
| after several repetitions, symantec progressively left the system.
|
| i have run the Trend sysclean.exe, McAfee AVERT, and Lavasoft AdAware
| numerous times now, partly because of your recommendation; partly because
| the first round caught several problems (i'm an engineer and, thus, more is
| better); and because after several cycles i found the system restore was NOT
| disabled though i was sure i had done that step early on.
|
| SAFE MODE:
| sysclean found worm_donk_worm_rbot.fl during the opening memory scan. later
| it listed numerous (error <-94>) incidents mostly for log files and dll's
| during its VSCANIM phase. (maybe can't open certain files. saw a note
| online today about that issue.) it found worm_rbot and removed various
| keys and files. and at the end of vscanim, sysclean showed "...has
| encountered a problem" that it offers to report to microsoft. i have
| confirmed this happens with numerous sysclean runs, and it looks as though
| it's during an end-of-run transition of vscanim.
|
| an immediate rerun of sysclean repeated the (error <-94>) incidents but
| listed no other offending files.
|
| AVERT identified W32/SDBOT.WORM.GEN.T, and announced that it deleted
| C:/RECYCLERS/S-1-5-.../DC232.exe, and C:/WINDOWS/SYSTEM32/TFTP2016 as the
| sdbot.worm.dam virus. "TFTP" issues seemed to be the earliest symptoms of
| problems on the PC.
|
| an immediate AVERT rerun was clean.
|
| AdAware found 8 critical files, all ALEXA's. i've scoured their online help
| and discussions for guidance, and found that most alexa's can be discarded,
| but with caution for selective disruption of normal system functions. i've
| quarantined the alexa's. several weeks ago, i tried this on my other
| computer, and it appeared that quarantining the alexa's had some negative
| effects on the system -- i restored them.
|
| NORMAL MODE:
| sysclean rapidly found WORM.BAGLE.AH WORM_BAGLE1, but a rerun of sysclean,
| then AVERT and then adaware were all clean.
|
| because of my oversight with the system restore function, i've repeated the
| entire cycle again, and all is clean.
|
| i haven't tried any of the other dozen or so detection/cleaning links you
| listed. i'll get to them later.
|
| Now My Questions: somewhere in the time frame that i got your advice on
| this process, i also saw a comment from someone on-line that Windows XP has a
| system scan function to determine whether the O/S files are intact. i can't
| find that reference again, but i think it would be a good idea to use the
| function -- is it actually available? having cleaned up my system, can i
| do some sort of XP check/reinstall to restore integrity of files lost/damaged
| through security breaches and cleaning tasks?
|
| secondly, is now a good time to install the Windows XP Service Pack 2?
|
| thanks much for the help.
|
| Orly
|
| "David H. Lipman" wrote:
|
| > 1) Download the following four items...
| >
| > McAfee Stinger
| > http://vil.nai.com/vil/stinger/
| >
| > Trend Sysclean Package
| > http://www.trendmicro.com/download/dcs.asp
| >
| > Latest Trend Pattern File.
| > http://www.trendmicro.com/download/pattern.asp
| >
| > Adaware SE (free personal version v1.05)
| > http://www.lavasoftusa.com/
| >
| > Create a directory.
| > On drive "C:\"
| > (e.g., "c:\New Folder")
| > or the desktop
| > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| >
| > Download Sysclean.com and place it in that directory.
| > Download the Trend Pattern File by obtaining the ZIP file.
| > For example; lpt257.zip
| >
| > Extract the contents of the ZIP file and place the contents in the same directory as
| > sysclean.com.
| >
| > 2) Update Adaware with the latest definitions.
| > 3) If you are using WinME or WinXP, disable System Restore
| > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| > 4) Reboot your PC into Safe Mode
| > 5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
| > platform and clean/delete any infectors/parasites found.
| > (a few cycles may be needed)
| > 6) Restart your PC and perform a "final" Full Scan of your platform using the three
| > utilities; Trend Sysclean, Stinger and Adaware
| > 7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
| > System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
| > 8) Reboot your PC.
| > 9) If you are using WinME or WinXP, create a new Restore point
| >
| > You can also try some of the below online scanners.
| >
| > BitDefender:
| > http://www.bitdefender.com/scan/license.php
| >
| > Computer Associates:
| > http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
| >
| > DialogueScience:
| > http://www.antivir.ru/english/www_av/
| >
| > F-Secure:
| > http://support.f-secure.com/enu/home/ols.shtml
| >
| > Freedom Online scanner:
| > http://www.freedom.net/viruscenter/index.html
| >
| > Kaspersky:
| > http://www.kaspersky.com/de/scanforvirus
| >
| > McAfee:
| > http://www.mcafee.com/myapps/mfs/default.asp
| >
| > Panda:
| > http://www.pandasoftware.com/activescan/
| >
| > RAV
| > http://www.ravantivirus.com/scan/
| >
| > Symantec:
| > http://security.symantec.com/
| >
| > Trend:
| > http://housecall.antivirus.com
| > http://housecall.trendmicro.com
| >
| >
| > * * * Please report your results ! * * *
| >
| > Dave
| >
| >
| >
| >
| >
| > "Little Orly" <Little Orly@discussions.microsoft.com> wrote in message
| > news:E3B498C6-3421-43CD-95DD-CC302342B3CD@microsoft.com...
| > | i have checked all 44 pages of "virus security" postings and read karl
| > | levinsons "read before posting" FAQs -- this problem isn't in there. i
| > | can't make Microsoft security patches stick. i downloaded several and
| > | started them from the "RUN" window.
| > |
| > | here's why: my wife's computer (running Windows XP Home) has symptoms
| > | matching descriptions of infection by blaster or sasser worms. no, i'm not
| > | completely up to date on security patches, and yes i have SP2 in house. but
| > | i'm giving this focused attention before trying SP2 -- i think i need to
| > | clean up the infection before installing SP2, yes? so i've selected
| > | Microsoft security patches and cleanup tools to target the worms blaster,
| > | sasser .... and doom just for good measure.
| > |
| > | other details: this all started about two weeks ago when McAfee Virus Scan
| > | online update failed with "error downloading" messages, and the system also
| > | started aborting after McAfee Firewall notified me of attempted TFTP
| > | communication (which i prohibited). consistent with blaster in particular,
| > | the system goes into a 60-second shutdown spiral shortly after the TFTP
| > | attempts. this also triggers an SVCHost glomming onto high-90s percent CPU
| > | usage. the McAfee update failures were retried and repeatedly failed. and
| > | as of the last couple of days, i can't access sites like McAfee, Microsoft,
| > | etc.
| > |
| > | using my own computer (also on XP Home) as a relay station, i've downloaded
| > | several microsoft security patches and tools to detect/clean/protect against
| > | doom, blaster, sasser. the cleanup tools say the system (my wife's PC) is
| > | clean. so does AVERT from mcafee and a ClnPOZA tool from CAI.
| > |
| > | BUUUT, the blaster and sasser patches won't install. after starting from the
| > | XP "RUN" panel, they begin to show the install dialogue box, and then that
| > | terminates abruptly. the control panel "add/remove programs" window doesn't
| > | show the patches in the inventory of installed stuff.
| > |
| > | (coincidentally, my own computer has had the McAfee update download failure
| > | (the two PCs are not connected), citing a "possible system error." i've
| > | stripped virus scan from both and now running vewwwwy carefully, only going
| > | to the internet from my PC. both PCs have XP firewall activated.)
| > |
| > | what do i do now about the phantom worm/virus and patch installation
| > | problem, please?
| >
| >
| >