Re: Package Installer looks fishy

Thanks for your reply, Rafters.

Are we all equally vulnerable to this thing by simply re-installing Windows,
or am I just specially blessed?

As God is my witness, the only things I have done after the full, write-0s
reformat is install WindowsXPPro SP2 from a retail disk, and then, from disks
downloaded at a computer not part of my network, install SP3, IE7 and the
aforementioned Package Installer updates.

Even before I install the updates, I see these logfile entries and other
stuff mentioned in my note to PA Bear above:

--HiPerfCooker, CmdTriggerConsumer, and Rsop Planning Mode provider
"warnings" using terms like "failure to impersonate" and described my other
long-winded postings.

--Even though there is no Web Based Enterprise Management system that *I*
have set up, but there sure is evidence that someone has. Curiously, I find
things in
the WBEM logs that have lines in them including,
--BSTR Query = SELECT * FROM __InstanceOperationEvent WHERE TargetInstance
ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct'
--ESS is now open for business





"FromTheRafters" wrote:

That is, are there documented cases where you can't get rid of the
buggers, whether you do a full-format reinstall of the disk, or use a Windows > > 98 disk to do fdisk/mbr, use things like DBAN or KILLDISK to write 0s to the hard
drive?

Yes, but in those cases the infection or vulnerability was brought
back to the system rather than having survived such tactics. For
example reintroducing the vulnerability which led to the intitial
attack (i.e. reinstalling Windows) or perhaps restoring some
program or data from a backup that had been tainted.


.

Relevant Pages

  • Re: Windows Media Player Remote Code Execution (923689) - sfpcopy.ex_ (0/1)
    ... They say that this utility is included with every Windows ... package for Windows Server on June 12th. ... The reason 6.4.9.1133 doesn't get updated or won't install on SP2 ... To reference the vulnerability ...
    (microsoft.public.windows.server.security)
  • Re: Windows Media Player Remote Code Execution (923689) - sfpcopy. - sfpcopy.ex_ (0/1)
    ... They say that this utility is included with every Windows ... package for Windows Server on June 12th. ... On June 12th you will be able to apply the new install package for Windows ... To reference the vulnerability description, ...
    (microsoft.public.windows.server.security)
  • Re: Windows Media Player Remote Code Execution (923689) - sfpcopy.ex_ (0/1)
    ... They say that this utility is included with every Windows ... package for Windows Server on June 12th. ... The reason 6.4.9.1133 doesn't get updated or won't install on SP2 ... To reference the vulnerability ...
    (microsoft.public.windows.server.security)
  • RE: Internet Explorer problem. Help!
    ... Problems in Windows Explorer or the Windows shell after you install security ... "Workaround for Windows shell vulnerability" under Vulnerability Details: ...
    (microsoft.public.windowsxp.help_and_support)
  • SecurityFocus Microsoft Newsletter #163
    ... MICROSOFT VULNERABILITY SUMMARY ... Bugzilla Javascript Buglists Remote Information Disclosure V... ... Microsoft Internet Explorer DHTML Drag and Drop Local File S... ... Microsoft Windows Workstation Service Remote Buffer Overflow... ...
    (Focus-Microsoft)