Re: worm symptoms, and M-S patches won't "stick"

From: Little Orly (LittleOrly_at_discussions.microsoft.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 14:39:03 -0800


"Poifect!!" -- tanx

"David H. Lipman" wrote:

> Thanx for *all* that feedback !
>
> The command for WinXP is SFC.EXE (System File Checker)
> It will check for replaced/wrong version files.
>
> Open a Command Prompt and type...
> SFC /?
>
> To get the syntax of the SFC command line utility.
>
> Once you have "Thoroughly Cleaned" the system, yes install WinXP SP2.
>
> Dave
>
> "Little Orly" <LittleOrly@discussions.microsoft.com> wrote in message
> news:54DE0F65-5BAD-4751-A1B3-470152195107@microsoft.com...
> | 11/30/04 - OK, i'm back after following instructions, thoroughly if slowly.
> | i hope there's a tickler system to alert you to this posting. first i'll
> | list what happened with virus/worm detection using your instructions, then i
> | have a couple of followup questions, if i may. i preceded all work with IE6
> | automated and manual deletions of files in temp, cookies, and internet temp
> | files directories. the problems all started with virus/worm interference
> | with updates of my anti-virus software. i've been using mcafee, so i also
> | went in and manually deleted most files/folders that were left after a
> | conventional uninstall. however, several files/folder refused to budge.
> | also, symantec was packaged with the system, and i uninstalled it. something
> | was weird about that process -- the uninstall dialogue boxes appeared and
> | disappeared rapidly without waiting for my input. i found by trial and error
> | that i could nail the "yes" button on rapidly self-closing dialogue boxes.
> | after several repetitions, symantec progressively left the system.
> |
> | i have run the Trend sysclean.exe, McAfee AVERT, and Lavasoft AdAware
> | numerous times now, partly because of your recommendation; partly because
> | the first round caught several problems (i'm an engineer and, thus, more is
> | better); and because after several cycles i found the system restore was NOT
> | disabled though i was sure i had done that step early on.
> |
> | SAFE MODE:
> | sysclean found worm_donk_worm_rbot.fl during the opening memory scan. later
> | it listed numerous (error <-94>) incidents mostly for log files and dll's
> | during its VSCANIM phase. (maybe can't open certain files. saw a note
> | online today about that issue.) it found worm_rbot and removed various
> | keys and files. and at the end of vscanim, sysclean showed "...has
> | encountered a problem" that it offers to report to microsoft. i have
> | confirmed this happens with numerous sysclean runs, and it looks as though
> | it's during an end-of-run transition of vscanim.
> |
> | an immediate rerun of sysclean repeated the (error <-94>) incidents but
> | listed no other offending files.
> |
> | AVERT identified W32/SDBOT.WORM.GEN.T, and announced that it deleted
> | C:/RECYCLERS/S-1-5-.../DC232.exe, and C:/WINDOWS/SYSTEM32/TFTP2016 as the
> | sdbot.worm.dam virus. "TFTP" issues seemed to be the earliest symptoms of
> | problems on the PC.
> |
> | an immediate AVERT rerun was clean.
> |
> | AdAware found 8 critical files, all ALEXA's. i've scoured their online help
> | and discussions for guidance, and found that most alexa's can be discarded,
> | but with caution for selective disruption of normal system functions. i've
> | quarantined the alexa's. several weeks ago, i tried this on my other
> | computer, and it appeared that quarantining the alexa's had some negative
> | effects on the system -- i restored them.
> |
> | NORMAL MODE:
> | sysclean rapidly found WORM.BAGLE.AH WORM_BAGLE1, but a rerun of sysclean,
> | then AVERT and then adaware were all clean.
> |
> | because of my oversight with the system restore function, i've repeated the
> | entire cycle again, and all is clean.
> |
> | i haven't tried any of the other dozen or so detection/cleaning links you
> | listed. i'll get to them later.
> |
> | Now My Questions: somewhere in the time frame that i got your advice on
> | this process, i also saw a comment from someone on-line that Windows XP has a
> | system scan function to determine whether the O/S files are intact. i can't
> | find that reference again, but i think it would be a good idea to use the
> | function -- is it actually available? having cleaned up my system, can i
> | do some sort of XP check/reinstall to restore integrity of files lost/damaged
> | through security breaches and cleaning tasks?
> |
> | secondly, is now a good time to install the Windows XP Service Pack 2?
> |
> | thanks much for the help.
> |
> | Orly
> |
> | "David H. Lipman" wrote:
> |
> | > 1) Download the following four items...
> | >
> | > McAfee Stinger
> | > http://vil.nai.com/vil/stinger/
> | >
> | > Trend Sysclean Package
> | > http://www.trendmicro.com/download/dcs.asp
> | >
> | > Latest Trend Pattern File.
> | > http://www.trendmicro.com/download/pattern.asp
> | >
> | > Adaware SE (free personal version v1.05)
> | > http://www.lavasoftusa.com/
> | >
> | > Create a directory.
> | > On drive "C:\"
> | > (e.g., "c:\New Folder")
> | > or the desktop
> | > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
> | >
> | > Download Sysclean.com and place it in that directory.
> | > Download the Trend Pattern File by obtaining the ZIP file.
> | > For example; lpt257.zip
> | >
> | > Extract the contents of the ZIP file and place the contents in the same directory as
> | > sysclean.com.
> | >
> | > 2) Update Adaware with the latest definitions.
> | > 3) If you are using WinME or WinXP, disable System Restore
> | > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
> | > 4) Reboot your PC into Safe Mode
> | > 5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
> | > platform and clean/delete any infectors/parasites found.
> | > (a few cycles may be needed)
> | > 6) Restart your PC and perform a "final" Full Scan of your platform using the three
> | > utilities; Trend Sysclean, Stinger and Adaware
> | > 7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
> | > System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
> | > 8) Reboot your PC.
> | > 9) If you are using WinME or WinXP, create a new Restore point
> | >
> | > You can also try some of the below online scanners.
> | >
> | > BitDefender:
> | > http://www.bitdefender.com/scan/license.php
> | >
> | > Computer Associates:
> | > http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
> | >
> | > DialogueScience:
> | > http://www.antivir.ru/english/www_av/
> | >
> | > F-Secure:
> | > http://support.f-secure.com/enu/home/ols.shtml
> | >
> | > Freedom Online scanner:
> | > http://www.freedom.net/viruscenter/index.html
> | >
> | > Kaspersky:
> | > http://www.kaspersky.com/de/scanforvirus
> | >
> | > McAfee:
> | > http://www.mcafee.com/myapps/mfs/default.asp
> | >
> | > Panda:
> | > http://www.pandasoftware.com/activescan/
> | >
> | > RAV
> | > http://www.ravantivirus.com/scan/
> | >
> | > Symantec:
> | > http://security.symantec.com/
> | >
> | > Trend:
> | > http://housecall.antivirus.com
> | > http://housecall.trendmicro.com
> | >
> | >
> | > * * * Please report your results ! * * *
> | >
> | > Dave
> | >
> | > "Little Orly" <Little Orly@discussions.microsoft.com> wrote in message
> | > news:E3B498C6-3421-43CD-95DD-CC302342B3CD@microsoft.com...
> | > | i have checked all 44 pages of "virus security" postings and read Karl
> | > | Levinson's "read before posting" FAQs -- this problem isn't in there. i
> | > | can't make Microsoft security patches stick. i downloaded several and
> | > | started them from the "RUN" window.
> | > |
> | > | here's why: my wife's computer (running Windows XP Home) has symptoms
> | > | matching descriptions of infection by blaster or sasser worms. no, i'm not
> | > | completely up to date on security patches, and yes i have SP2 in house. but
> | > | i'm giving this focused attention before trying SP2 -- i think i need to
> | > | clean up the infection before installing SP2, yes? so i've selected
> | > | Microsoft security patches and cleanup tools to target the worms blaster,
> | > | sasser .... and doom just for good measure.
> | > |
> | > | other details: this all started about two weeks ago when McAfee Virus Scan
> | > | online update failed with "error downloading" messages, and the system also
> | > | started aborting after McAfee Firewall notified me of attempted TFTP
> | > | communication (which i prohibited). consistent with blaster in particular,
> | > | the system goes into a 60-second shutdown spiral shortly after the TFTP
> | > | attempts. this also triggers an SVCHost glomming onto high-90s percent CPU
> | > | usage. the McAfee update failures were retried and repeatedly failed. and
> | > | as of the last couple of days, i can't access sites like McAfee, Microsoft,
> | > | etc.
> | > |
> | > | using my own computer (also on XP Home) as a relay station, i've downloaded
> | > | several microsoft security patches and tools to detect/clean/protect against
> | > | doom, blaster, sasser. the cleanup tools say the system (my wife's PC) is
> | > | clean. so does AVERT from mcafee and a ClnPOZA tool from CAI.
> | > |
> | > | BUUUT, the blaster and sasser patches won't install. after starting from the
> | > | XP "RUN" panel, they begin to show the install dialogue box, and then that
> | > | terminates abruptly. the control panel "add/remove programs" window doesn't
> | > | show the patches in the inventory of installed stuff.
> | > |
> | > | (coincidentally, my own computer has had the McAfee update download failure
> | > | (the two PCs are not connected), citing a "possible system error." i've
> | > | stripped virus scan from both and now running vewwwwy carefully, only going
> | > | to the internet from my PC. both PCs have XP firewall activated.)
> | > |
> | > | what do i do now about the phantom worm/virus and patch installation
> | > | problem, please?
> | >
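Orly's earliest symptom in the thread was the personal firewall reporting attempted TFTP communication shortly before the forced shutdowns began. As an added example that is not part of this thread, here is a small Python check that pulls TFTP (UDP/69) entries out of a Windows XP Firewall log (pfirewall.log) and says which direction they went. It assumes the W3C-style "#Fields:" header XP writes to that file and runs over a constructed sample log; the local prefix 192.168.1. and the remote host 10.8.3.77 are made up.

```python
"""Flag TFTP (UDP/69) entries in a Windows XP Firewall log (pfirewall.log)."""

TFTP_PORT = 69

# Constructed sample, not a real log. The field layout is assumed from the
# W3C-style "#Fields:" header XP writes; 10.8.3.77 is a made-up remote host.
SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-11-16 20:01:12 OPEN TCP 192.168.1.5 207.46.197.32 1047 80 - - - - - - - - -
2004-11-16 20:01:40 DROP UDP 192.168.1.5 10.8.3.77 1052 69 62 - - - - - - - SEND
2004-11-16 20:01:41 DROP UDP 192.168.1.5 10.8.3.77 1052 69 62 - - - - - - - SEND
2004-11-16 20:02:03 OPEN UDP 192.168.1.5 192.168.1.1 1031 53 - - - - - - - - -
2004-11-16 20:02:15 DROP UDP 10.8.3.77 192.168.1.5 2048 69 41 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        # Pre-SP2 logs lack the trailing 'path' column; pad so keys line up.
        values += ["-"] * (len(fields) - len(values))
        yield dict(zip(fields, values))


def find_tftp(text, local_prefix="192.168.1."):
    """Return (time, direction, local_ip, remote_ip, action) for every UDP/69
    entry; outbound hits are the pattern the thread describes, inbound ones
    mean a peer is talking TFTP to this host and deserve a look as well."""
    hits = []
    for e in parse_firewall_log(text):
        if e["protocol"] != "UDP":
            continue
        if TFTP_PORT not in (int(e["src-port"]), int(e["dst-port"])):
            continue
        outbound = e["src-ip"].startswith(local_prefix)
        local, remote = (e["src-ip"], e["dst-ip"]) if outbound else (e["dst-ip"], e["src-ip"])
        hits.append((e["date"] + " " + e["time"],
                     "outbound" if outbound else "inbound", local, remote, e["action"]))
    return hits


if __name__ == "__main__":
    for hit in find_tftp(SAMPLE_LOG):
        print(*hit)
```

A repeat of the same remote peer across consecutive outbound entries, as in the sample, is the signature worth chasing; a single inbound hit from an unknown host is a lead, not proof.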