Re: Solution to mIRC and Secedit Virus Networking Problems

From: Rich Benack [MS] (richbe@online.microsoft.com)
Date: 09/26/02


From: "Rich Benack [MS]" <richbe@online.microsoft.com>
Date: Wed, 25 Sep 2002 18:50:07 -0700


Here are some WINDOWS SERVICES THAT POSSIBLY CAN BE DISABLED (depending on
the role of the workstation/server)

  Alerter
  ClipBook Server
  Computer Browser
  DHCP Client
  Distributed File System
  Dist. Link Tracking
  IIS Admin
  Licensing Logging
  Logical Disk Manager
  Messenger
  Network DDE
  Network DDE DSDM
  Print Spooler
  Remote Registry
  Removable Storage
  RunAS
  Task Scheduler
  TCP/IP NetBIOS Helper
  Telephony
  Windows Installer

Again, these are POSSIBLE services that might not be needed. You will need
to determine if your particular workstation needs these services or not.

Rich

This posting is provided "AS IS" with no warranties, and confers no rights.
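An added example, not part of Rich's post: a PowerShell audit script that reports the current state and startup type of every service in the list above so an administrator can decide per machine role which ones to disable. It assumes a modern Windows with PowerShell (the original thread concerns Windows 2000); the wildcard display-name patterns are an assumption to cover full display names such as "IIS Admin Service".

```powershell
# Audit (and optionally disable) the candidate services from the list above.
# By default it only reports. Services are changed only when -Apply is given,
# and then only those whose display name is passed in -Disable.
param(
    [string[]]$Disable = @(),   # display names you have decided are not needed
    [switch]$Apply
)

# Display-name patterns taken from the post's list; trailing wildcards are an
# assumption so that abbreviated names match the full Windows display names.
$candidates = @(
    'Alerter', 'ClipBook*', 'Computer Browser', 'DHCP Client',
    'Distributed File System', 'Distributed Link Tracking*', 'IIS Admin*',
    'License Logging*', 'Logical Disk Manager', 'Messenger', 'Network DDE',
    'Network DDE DSDM', 'Print Spooler', 'Remote Registry*', 'Removable Storage',
    'RunAs*', 'Task Scheduler', 'TCP/IP NetBIOS Helper*', 'Telephony',
    'Windows Installer'
)

foreach ($pattern in $candidates) {
    $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output ("{0,-32} not installed" -f $pattern)
        continue
    }
    foreach ($s in $svc) {
        # Startup type (Auto/Manual/Disabled) comes from WMI, not Get-Service
        $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($s.Name)'").StartMode
        Write-Output ("{0,-32} {1,-16} {2,-8} {3}" -f $s.DisplayName, $s.Name, $s.Status, $startMode)

        if ($Apply -and ($Disable -contains $s.DisplayName)) {
            Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $s.Name -StartupType Disabled
            Write-Output ("  -> {0} stopped and set to Disabled" -f $s.DisplayName)
        }
    }
}
```

Run it once without -Apply to record the baseline, keep that output, and only then rerun with -Apply and an explicit -Disable list so a service that turns out to be needed can be re-enabled from the recorded startup type.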

"Alison Taylor" <alison_taylor@canada.com> wrote in message
news:3c990e53.0209231129.45295f35@posting.google.com...
> Many thanks to both Edward and Kyle for information on this virus. I
> have attempted to carry out all your suggestions since my computer was
> infected several days ago.
>
> I have some lingering problems and am wondering if anyone else has
> seen these and can suggest fixes. The most notable problem is that my
> computer reboots during bootup. The Win2000 login prompt comes up ok
> and I log in to my account (which has administrator privileges, don't
> know if that is relevant). Then the programs with icons in the
> taskbar launch. During the launching of these programs, or
> immediately after, the computer then reboots.
>
> Another thing I noted was in the registry. Under
> HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run there
> is an entry "Adobea" which was pointing to
> C:\winnt\system32\adobes.exe, which Norton AntiVirus had identified as
> an IRC Trojan. There does exist a file called Adobea.exe in the
> system32 directory, but I don't know whether it is also a
> trojan-created file or whether it needs to be there. I currently have
> the adobea entry pointing to a non-existent file till I have this
> sorted out.
>
> I am not familiar enough with all the services to know which should be
> disabled and which should be enabled. I am guessing that during my
> attempts to rollback the changes made by the virus I have messed up my
> services and registry settings, causing the crash on startup. I don't
> need to allow anyone to log in remotely or provide any services to
> remote users. Can anyone out there suggest a minimal list of services
> to run?
>
> Thanks for any replies,
>
> Alison
>
>
>
> aladin168@hotmail.com (aladin) wrote in message
> news:<bf0f8e77.0209050049.24860609@posting.google.com>...
> > Hi Edward Alfert,
> > I referenced the steps you wrote in my document. They are nice steps
> > and most importantly, it was tested and worked for many people. Great
> > job!
> >
> > Here is my analysis:
> >
> > Sorry guys if this is a repeat. I kind of need to make a correction
> > on the steps to restore security templates, and I just referenced
> > Edward Alfert's instructions:
> >
> > More Analysis on ocxdll.exe virus: v. 1.1
> >
> > Kyle Lai, CISSP, CISA
> > aladin168@hotmail.com
> >
> >