[AccessD] martin's problem - SOLUTON

William Hindman wdhindman at bellsouth.net
Tue Aug 12 23:05:53 CDT 2003


...some follow-up comments ...the MS Win Update site was heavily loaded all
day long ...dls were much slower than normal at every client site ...and as
for what you were seeing, the worm exploits a buffer overrun to get into
your system, then dls the msblast.exe from a dynamically changing list of
IPs and ports ...so even if you wipe msblast, it just reloads the next time
you connect ...you have to have the ms patch installed to prevent it from
using the buffer overrun to reload itself again and again ...then the virus
cleaning will work ...only positive was that it was an excellent client
object lesson in keeping Win updates current ...safest thing is to dl them
automatically every night and then apply selectively ...that way you at
least have them dl'd before everyone starts hitting on the ms site ...I'm
really pretty surprised that it worked as well as it did.

William Hindman
So, then, to every man his chance -- to every man, regardless of his birth,
his shining golden opportunity -- to every man his right to live, to work,
to be himself, to become whatever his manhood and his vision can combine to
make him -- this, seeker, is the promise of America.
-- Thomas Wolfe



----- Original Message ----- 
From: "Steven W. Erbach" <serbach at new.rr.com>
To: "Access Developers discussion and problem solving"
<accessd at databaseadvisors.com>
Sent: Tuesday, August 12, 2003 5:57 PM
Subject: Re: [AccessD] martin's problem - SOLUTON


> Dear Group,
>
> >> This link points to Symantec's fix for the worm. Look for "Removal using
> the W32.Blaster.Worm Removal Tool" to locate the link to the fix file. <<
>
> For what it's worth, I went to a client's site to eradicate the Blaster
> Worm. SHEESH! It's a Win XP Home system that has not been updated to the
> most recent Windows update since they bought it about two years ago. It has
> Norton AntiVirus 2003 on it, but, of course, the last time they did a virus
> update was last week. They have no firewall.
>
> I was able to download the Symantec "fix" while in normal Windows, but I had
> to run the program in Safe Mode since the RPC error / Shutdown message
> appeared every time I tried to run the fix. So far so good.
>
> I thought that I'd try to go to the Windows Update site. It showed that this
> PC, of course, hadn't ever been updated, so there were 34 critical updates
> to make. Started the first one...RPC error / Shutdown.
>
> Okay, let's update Norton AntiVirus. Did that, but I still got the RPC error.
> Shutdown.
>
> Started up in Safe Mode and ran a full Norton AV System Scan. 114,000 files
> later there were no viruses present.
>
> Restarted in normal Windows and went to the Windows Update site. Norton
> displayed its W32.Blaster.Worm detection screen and said that it had been
> deleted...but a minute or two later the RPC error appeared again anyway and
> I had to shut the system down and restart.
>
> I tried this Windows Update thingy a few more times. There were a couple of
> times after the Norton AV message appeared indicating that, once again, it
> had deleted Blaster.Worm, a Windows message appeared indicating that the
> Generic Host Process for Win32 Services had encountered a problem and needed
> to close. Right after that the RPC / Shutdown error appeared. Restart.
>
> I finally got wise that Windows REALLY needed to have the MS KB823980 patch
> applied. I hadn't tried that right away because I thought that Windows had
> to be updated to the most recent level first. I tried to run the file from
> the Microsoft site rather than saving to disk and got both the Generic Host
> Process error and the RPC error. Shutdown and restart.
>
> I got even MORE wise and restarted in Safe Mode With Network capability. I
> downloaded the patch all right...but instead of applying it I thought I'd
> try the Windows update again. RPC. Shutdown.
>
> Restarted in Safe Mode with Network. Started the patch. RPC / Shutdown.
>
> Restarted in Safe Mode WITHOUT the network. Ran the patch. COMPLETED!
>
> Restarted in Safe Mode WITH Networking to try Windows Update again. Finally
> the PC began downloading the huge number of pieces that it needed to upgrade
> Win XP to the current revision. I left my client's office about 4 hours
> after I'd arrived, giving them instructions to call when the downloads were
> completed. I should be able to walk them through the Windows Update process
> tonight.
>
> They have DSL but it was god-awful slow. 95 MB download estimated at about
> 200 minutes...more than 10 times slower than my cable service would take.
>
> So, the upshot is, if the PC hasn't been updated to the most recent version
> of XP lately (or at all) make sure that you download and run everything in
> Safe Mode...and make sure to run the MS patch in Safe Mode WITHOUT
> networking. I must have seen that RPC shutdown thing two dozen times or
> more, and the General Host Process error 8 or 9 times.
>
> It's now looking good, but we're not finished upgrading Windows XP yet. I'm
> crossing my fingers that the guy on the other end of the phone is somewhat
> proficient. Crossing my fingers.
>
> Steve Erbach
> Scientific Marketing
> Neenah, WI
>
> "Eventually, socialists run out of other people's money."
> -- Lady Margaret Thatcher