Re: Can't apply KB835732 on various Win2k systems
From: Jerry Bryant [MSFT] (jbryant_at_online.microsoft.com)
Date: 05/05/04
- Next message: Jerry Bryant [MSFT]: "Re: Multiple Security Patches with VBscript"
- Previous message: Jerry Bryant [MSFT]: "Re: Security updates - 04/13/2004"
- In reply to: Aaron: "Can't apply KB835732 on various Win2k systems"
- Next in thread: Aaron: "Re: Can't apply KB835732 on various Win2k systems"
- Reply: Aaron: "Re: Can't apply KB835732 on various Win2k systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 May 2004 14:07:37 -0700
Aaron,
So these machines have the Sasser worm? Sounds like it. See the recovery
steps in the instructions below:
NEW WORM: SASSER
If the recovery procedures in this bulletin do not resolve your issue,
please contact Microsoft at 1-866-PCSafety (1-866-727-2338).
Microsoft has learned about a worm identified as "W32.Sasser.worm" that is
currently circulating on the Internet. The worm exploits the Local Security
Authority Subsystem Service (LSASS) vulnerability which was fixed in
Microsoft Security Update MS04-011 on April 13, 2004.
Microsoft encourages customers to protect themselves against this worm by
immediately installing Microsoft Security Bulletin MS04-011 from the
following Web site:
www.microsoft.com/technet/security/bulletin/ms04-011.mspx
PRODUCTS AFFECTED
. Windows XP Home
. Windows XP Professional
. Windows XP 64 Bit Edition
. Windows 2000 Professional
. Windows 2000 Server Edition
IMPACT OF ATTACK
Remote Execution of Code
TECHNICAL DETAILS
For additional details on this worm from antivirus software vendors
participating in the Microsoft Virus Information Alliance (VIA), please
visit the following Web sites:
. F-secure: http://www.f-secure.com/v-descs/sasser.shtml
. Global Hauri: http://www.globalhauri.com/html/notice/notice_read.html?uid=447
. Network Associates: http://vil.nai.com/vil/content/v_125007.htm
. Norman: http://www.norman.com/Virus/Virus_descriptions/14919/en-us
. Panda: http://www.pandasoftware.com/virus_info/threats.aspx
. Sophos: http://www.sophos.com/virusinfo/analyses/w32sassera.html
. Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
. Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
For more information about Microsoft's Virus Information Alliance, please
visit the following Web site:
. http://www.microsoft.com/technet/security/topics/virus/via.mspx
Please contact your Antivirus Vendor for additional details about this
virus.
PREVENTION
1. Install the latest Microsoft Security Bulletin MS04-011 from the
following Web site:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
2. Users who have enabled the Windows XP Firewall are protected from the
vector this worm attacks -- the TCP Port 139. Most third party firewalls
also block this attack vector by default.
RECOVERY
If your computer has been infected with this virus, please contact your
preferred antivirus vendor or Microsoft Product Support Services for
assistance with removing it.
Follow the steps below to try to resolve the issue:
If you are connected to a network within your company, refer to the
Anti-Virus software vendor for support on the Sasser or AgoBot viruses.
If your machine is rebooting, sluggish, or your Internet connection is slow:
1. Terminate the following processes in Task Manager.
Access your Task Manager in one of the following ways:
1. Right click the Taskbar and select Task Manager.
2. On the keyboard, press CTRL + ALT + DEL and then select Task Manager.
3. Click on processes tab.
4. Highlight process to terminate and press End Process.
1. any process ending with _up.exe
2. any process starting with avserv
3. hkey.exe
4. msiwin84.exe
5. wmiprvsw.exe
****Note: There is a legitimate system process called 'wmiprvse.exe' that
does NOT need to be terminated.
2. Remove your computer from the Internet by:
a) Unplug your internet cable(s). (Preferred method)
b) Disable your internet connection.
Note: This is a required step. If you do not disconnect your internet
connection, it may result in a crash.
Enable your Internet Connection Firewall (ICF).
If you are using Windows XP:
1. Click the Start button and then click Control Panel. Double-click
"Networking and Internet Connections" and then click Network Connections.
2. Right-click the current Internet or Network connection and then click
Properties.
3. On the Advanced tab, select the option to "Protect my computer or
network."
If you are using Windows 2000:
Enable Advanced TCP/IP filtering on all interfaces to block unsolicited
incoming network packets.
1. Click the Start button, click Run and type: cmd.exe
2. Click Enter and then type the following command:
echo dcpromo >%systemroot%\debug\dcpromo.log
3. Then type the following command:
attrib +R %systemroot%\debug\dcpromo.log
Install Microsoft Security Patch MS04-011
1. Connect to the Internet and install the patch from Microsoft to remove
the vulnerability. You must disable your antivirus software before
installing the patch.
2. To install the patch, visit the following Web site:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
3. Reboot the machine after the patch is installed.
Run the Sasser Removal Tool.
To access the tool, visit one of the following Web sites:
. http://www.microsoft.com/security/incident/sasser.asp
. http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
. Via KB article 841720 located at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720.
Check your machine for infection from a variant of the Agobot worm.
The Agobot worm can infect your machine using the same method as the Sasser
worm.
1. Contact your antivirus vendor or run the update on your antivirus
signatures to ensure you have the latest version.
2. Run a full antivirus scan on your machine.
Note: If you do not have an antivirus product installed, you can perform a
free antivirus scan from HouseCall TrendMicro. For more information, visit
the following Web site:
http://housecall.trendmicro.com/
3. Finally, go to Windows Update to ensure you have all other necessary
Critical Updates installed on your machine. Microsoft recommends doing this
on a regular basis to ensure your machine is kept up to date.
For more information about Windows Update, visit the following Web site:
http://windowsupdate.microsoft.com/
If these steps do not resolve the issue please call 1-866-PCSAFETY or (866)
727-2338.
During a virus situation you may experience longer than normal hold times or
a busy signal.
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

"Aaron" <anonymous@discussions.microsoft.com> wrote in message
news:D777D953-9282-404B-8570-73AE1922E8C8@microsoft.com...
> On various systems (all Win2k) the KB835732 patch does not apply other
> than in Safe Mode. When trying to install, technicians get the error
> 'lsass.exe cannot be terminated.' Obviously it can't be stopped manually.
> The %windir%\kb835732.log is rather undecipherable, but I do notice lots
> of errors (I'll attach a section of one log at the bottom of this post).
> The System event log gives a Windows File Protection event for sp3res.dll
> and then auto-uninstalls the patch (see full events below). I can't find
> any similarities between the systems - some are SP3, some SP4. Some are
> one version of our standard image, some are another. Some have special
> software loaded, some don't.
>
> Has anyone encountered this as well, or have any idea how to resolve it?
> Rebooting into Safe Mode seems to work, but it's a lot of extra work.
>
>
> [from System event log]
>
> Event Type: Information
> Event Source: Windows File Protection
> Event Category: None
> Event ID: 64021
> Date: 5/4/2004
> Time: 10:36:40 AM
> User: N/A
> Computer: (removed)
> Description:
> The system file c:\winnt\system32\sp3res.dll could not be copied into the DLL cache. The specific error code is 0x00000020 [The process cannot access the file because it is being used by another process.
> ]. This file is necessary to maintain system stability.
>
> Event Type: Information
> Event Source: NtServicePack
> Event Category: None
> Event ID: 4382
> Date: 5/4/2004
> Time: 10:36:45 AM
> User: (domain user w/ local admin access)
> Computer: (removed)
> Description:
> Windows 2000 KB835732 was removed from your computer, and the previous Windows 2000 configuration was restored.
>
>
> [from %windir%\kb835732.log - white space & "***" lines removed to save space]
> ================== Update.exe started at 5/ 4/2004 at 10:34:42 ==================
> Service Pack started with following command line:
> DoInstallation: CleanPFR failed: 0x2
> SetAltOsLoaderPath: No section uses DirId 65701; done.
> IncludeDirectoryIdFromInfSection: No DirId found for: DontRemoveOnUninst.DirId
> FetchSourceURL: SetupOpenInfFile Failed to open file: c:\9568cc827f370578407edb7f06e5\update\update.url
> DoInstallation: FetchSourceURL for c:\9568cc827f370578407edb7f06e5\update\update.inf Failed
> LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
> BuildCabinetManifest:SetupOpenInfFile failed with error INVALID_HANDLE_VALUE
> AnalyzePhaseZero used 0 ticks
> CreateUninstall = 1,Directory = C:\WINNT\$NtUninstallKB835732$
> AnalyzePhaseOne: used 7691 ticks
> AnalyzeComponents: Hotpatch analysis disabled; skipping.
> AnalyzeComponents: Hotpatching is disabled.
> AnalyzePhaseTwo used 100 ticks
> AnalyzePhaseThree used 0 ticks
> AnalyzePhaseFive used 0 ticks
> AnalyzePhaseSix used 30 ticks
> AnalyzeComponents used 7821 ticks
> Downloading 0 files
> bPatchMode = FALSE
> Inventory complete: ReturnStatus=0, 7951 ticks
> Num Ticks for invent : 7951
> Allocation size of drive C: is 512 bytes, free space = 11345235456 bytes
> LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
> Drive C: free 10819MB req: 51MB w/uninstall 83MB
> Num Ticks for download : 851
> CabinetBuild complete
> Num Ticks for Cabinet build : 0
> Starting process: C:\WINNT\system32\secedit.exe /configure /cfg C:\WINNT\inf\hfsecper.inf /db C:\WINNT\security\templates\hfsecper.sdb /log C:\WINNT\security\logs\hfsecper.log
> Return Code = 1
> LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
> Num Ticks for Backup : 3996
> Num Ticks for creating uninst inf : 2233
> Registering Uninstall Program for -> KB835732, KB835732 , 0x0
> LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
> SfcTurnOff: System is not Win2k < SP2; Not turning off SFC.
> SfcTurnOff: SFC was not turned off; using MakeSfcFileException.
> AtomicReplaceFile: Calling HpReplaceSystemModule( C:\WINNT\system32\ADVAPI32.DLL, HFX18.tmp, _000064_.tmp, FALSE ).
> AtomicReplaceFile: HpReplaceSystemModule failed; status=0xc0000003, location=684.
> DoNoDelayReplace: Atomic replace support not implemented; disabling.
> Copied file: C:\WINNT\system32\ADVAPI32.DLL
> Message displayed to the user: The file C:\WINNT\system32\LSASS.EXE is open or in use by another application.
> Close all other applications and then click Retry.
> User Input: CANCEL
> Message displayed to the user: Are you sure you want to cancel?
> User Input: YES
> DoInstllation: SetupCommitFileQueue for FileQueue failed: 0x4c7
> VerifySize: Unable to verify size: Source = NULL: c:\winnt\oem12.cat
> KB835732 Setup canceled.
> Select 'OK' to undo the changes that have been made, or select 'Cancel' to quit. If you select 'Cancel', your system will be left in a partially updated state and may not work correctly.
> Message displayed to the user: KB835732 Setup canceled.
> Select 'OK' to undo the changes that have been made, or select 'Cancel' to quit. If you select 'Cancel', your system will be left in a partially updated state and may not work correctly.
> User Input: OK
> Starting process: C:\WINNT\$NtUninstallKB835732$\spuninst\spuninst.exe /~ -u -z
> Dirty Uninstall was successful
> [KB835732.log]
> 2004/5/4 10:42:39.669
> Exe = UPDATE.EXE, Version = 5.4.1.0
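The update.exe log Aaron quoted carries a clear failure signature (LSASS.EXE reported in use, SetupCommitFileQueue failing with 0x4c7, then "Dirty Uninstall was successful"), and the bulletin above lists the process names an operator should look for. The following triage helper is an added example, not code from the thread or from Microsoft: it pulls those signals out of log lines (with or without the ">" quoting) and matches process names against the bulletin's patterns. The sample log lines are constructed in the shape of the posted log, not copied from it.

```python
import re
from typing import Dict, List, Optional

# Process names the bulletin says to terminate (Sasser/Agobot).
# wmiprvse.exe (with an "e") is a legitimate system process and is NOT matched.
SUSPECT_PROCESS_RES = [re.compile(p, re.I) for p in (
    r".*_up\.exe$", r"^avserv.*", r"^hkey\.exe$", r"^msiwin84\.exe$", r"^wmiprvsw\.exe$")]

# Signals seen in the update.exe log of a rolled-back hotfix install.
IN_USE_RE = re.compile(r"The file (?P<path>\S+) is open or in use by another application")
COMMIT_FAIL_RE = re.compile(r"SetupCommitFileQueue for FileQueue failed: (?P<code>0x[0-9a-f]+)", re.I)
SOURCE_FAIL_RE = re.compile(r"SetupGetSourceFileLocation for (?P<file>\S+) failed: (?P<code>0x[0-9a-f]+)", re.I)
ROLLBACK_RE = re.compile(r"Dirty Uninstall was successful|was removed from your computer")

def is_suspect_process(name: str) -> bool:
    """True if a process name matches one of the bulletin's patterns."""
    return any(r.match(name) for r in SUSPECT_PROCESS_RES)

def parse_update_log(lines: List[str]) -> Dict[str, object]:
    """Extract locked files, the commit error, rollback, and missing source files."""
    locked: List[str] = []
    missing: Dict[str, str] = {}
    commit_error: Optional[str] = None
    rolled_back = False
    for raw in lines:
        line = raw.lstrip("> ").strip()          # tolerate mail-quoted lines
        m = IN_USE_RE.search(line)
        if m:                                    # keep just the file name, lower-cased
            locked.append(m.group("path").rsplit("\\", 1)[-1].lower())
        m = COMMIT_FAIL_RE.search(line)
        if m:                                    # 0x4c7 is ERROR_CANCELLED (1223)
            commit_error = m.group("code").lower()
        m = SOURCE_FAIL_RE.search(line)
        if m:
            missing[m.group("file").lower()] = m.group("code").lower()
        if ROLLBACK_RE.search(line):
            rolled_back = True
    return {"locked": locked, "commit_error": commit_error,
            "rolled_back": rolled_back, "missing": missing}

def verdict(info: Dict[str, object]) -> str:
    """One-line triage decision from the parsed signals."""
    if "lsass.exe" in info["locked"] and info["rolled_back"]:
        return "rolled back: LSASS.EXE held open; check for the bulletin's Sasser/Agobot processes before retrying"
    if info["commit_error"]:
        return "rolled back: file queue commit failed with " + str(info["commit_error"])
    return "no rollback signature found"

# Constructed sample in the shape of the posted kb835732.log excerpt.
SAMPLE_LOG = [
    "> LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102",
    "> Message displayed to the user: The file C:\\WINNT\\system32\\LSASS.EXE is open or in use by another application.",
    "> User Input: CANCEL",
    "> DoInstllation: SetupCommitFileQueue for FileQueue failed: 0x4c7",
    "> Dirty Uninstall was successful",
]
```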