
maybe the worm but tftp locked so no patching


maraflux (Programmer, US), Aug 12, 2003
Hi

I'm having a helluva time with win2k right now:(

I don't know if I have the worm or not, but I am trying to fix a problem where drag and drop and copy and paste are all broken in Explorer and in all apps on my Win2k machine. Then I started getting no taskbar, desktop, etc. on login. I do Ctrl-Alt-Del, run Task Manager, open a new cmd shell, cd to WINNT, and run explorer. Voila, the desktop and everything appear just like normal. I have to do this on every login now.

I think I must have a virus or something, so I go to Microsoft.com to try to install some updates/patches.

So I try to install the SP4 update, since I see the worm update and I need SP4 to do this. Well, SP4 won't install because it says that I have "tftp in use by another application" while no apps are running.

I simply cannot install SP4 or the latest worm update. I cannot do anything after login without bringing up Task Manager and then manually starting Explorer. And each time I look at Task Manager after login there is a process that starts whose name consists of random consonants, and it is always different random consonants. A new virus/worm?!

I have run Norton to no avail (it found no problems). I removed Norton and installed Panda AntiVirus. It found 16 viruses and removed them, it said. Still no change.

Any ideas? If only I could somehow unlock my tftp file that always seems to be in use.

Please help!
 
- Look up the viruses that were found; sometimes there are manual procedures that need to be done in addition to just running the anti-virus program. I am surprised that Norton did not find any viruses but Panda did; it makes me wonder if you updated the virus definitions before you ran it.

Television will make radio obsolete.
 
Hi Rob

Yup, I did update my Norton virus definitions yesterday before running the full scan and finding nothing. Makes me wonder as well what Panda found. I cannot look now, however, as I am (stupidly?) running a "restore" install from the Win2k CD. I have been down for 2.5 days and (actually it's another user here; I have a Mac OS X workstation myself and run Linux servers :) am getting tired of scratching for a fix.

I did run manual procedures from Symantec's site and some removal programs they had for Nimda A+E, I believe, and an msblast (from spyware, I think) removal too. Nothing so far has worked for me.

I am so hoping I don't have to do a clean reinstall for this user:(

Any other thoughts? Thanks.
 
> I don't know if I have the worm

You do. The worm runs TFTP on startup.

> If I can somehow unlock my tftp file that seems to be
> currently in use always.

Follow Symantec's guide on removing the worm first of all.

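The checks a practitioner would run on a box showing the symptoms in the first post, given Ashley's point that the worm starts a TFTP server. This is an added example, not code from the thread or from Symantec or Microsoft. It assumes saved `netstat -an` output and a process list copied from Task Manager (or `tasklist` on later Windows); the sample text, the process name `qwxrtz.exe` and the allowlist of vowel-less legitimate names are constructed assumptions.

```python
"""Triage checks for the symptoms in this thread.

Added example, not from the thread or any vendor tool. It reads saved
`netstat -an` output and a process list (one image name per line, as
copied from Task Manager or `tasklist`) and flags what the posts above
point at: a TFTP listener on UDP 69, the DCOM/RPC endpoint on TCP 135,
and process names that are strings of consonants. All sample text
below is constructed, not captured from a real machine.
"""

# (proto, port) pairs the thread discusses.
SUSPECT_LISTENERS = {("UDP", 69), ("TCP", 135)}

# Legitimate Windows process names with no vowels. Assumption: extend
# this from a clean baseline of the same Windows build.
KNOWN_CONSONANT_NAMES = {"csrss", "smss"}
VOWELS = set("aeiouy")


def parse_netstat(text):
    """Return (proto, local_port, state) for each socket line of `netstat -an` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unrelated line
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        rows.append((proto, port, state))
    return rows


def suspect_listeners(netstat_text):
    """Listeners on the ports above. TCP 135 is normal on Windows: the
    finding is that it is reachable and unpatched, not that it exists.
    UDP 69 on a workstation is not normal and matches the worm's TFTP server."""
    found = set()
    for proto, port, state in parse_netstat(netstat_text):
        if (proto, port) in SUSPECT_LISTENERS and (proto == "UDP" or state == "LISTENING"):
            found.add((proto, port))
    return sorted(found)


def consonant_process_names(process_text):
    """Image names (*.exe) whose base name is 4+ letters with no vowel."""
    hits = []
    for line in process_text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().endswith(".exe"):
            continue
        base = parts[0][:-4].lower()
        if (len(base) >= 4 and base.isalpha()
                and not (set(base) & VOWELS)
                and base not in KNOWN_CONSONANT_NAMES):
            hits.append(parts[0])
    return hits


# Constructed sample output in the shape Windows prints it.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      192.168.1.5:80         ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:137            *:*
"""

PROCESS_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
csrss.exe                    168 Console                 0      2,084 K
winlogon.exe                 192 Console                 0      3,512 K
svchost.exe                  424 Console                 0      4,224 K
explorer.exe                 812 Console                 0     12,400 K
qwxrtz.exe                   988 Console                 0        688 K
"""


def triage(netstat_text, process_text):
    return {"listeners": suspect_listeners(netstat_text),
            "odd_process_names": consonant_process_names(process_text)}


if __name__ == "__main__":
    for key, value in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE).items():
        print(key, value)
```

On the thread's machine, `netstat -an` from the cmd shell the poster already opens at login is enough input. A listener on UDP 69 that nothing you installed should be serving is the worm's TFTP server; TCP 135 listening is normal Windows and is the port to filter at the border and patch behind.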
 
Hi Ashley

Thanks. I ran antimsblast.exe from Bulldog or some such. I didn't notice Symantec had a removal tool for the worm, though I ran their Nimda removals :( Lame of me.

I am running it now. I did a restore from my Win2K CD. Now Explorer starts on login, but the system starts MUCH slower from the "Win2k is loading" screen to the login screen. Ergh.

IF I can get the worm removed and the SP to install, should I install SP3 or SP4 so I can install the worm security patch from MS? Or what should I do next?!

Thanks.
 
Ok

The Symantec Blaster worm removal tool said that I didn't have it. Clearly I do have something quite bad.

However, after the restore from the Win2K CD (I got desperate), I am able to run (slowly) the SP4 installer. So far, anyway; it's still running, but it got past the point where it used to cancel and tell me that tftp was in use.

I am only hoping this works and SP4 installs. Then I plan to install the worm security patch also from MS.

Then do I dare assume that my virus/worm/whatever that no removal prog found actually got removed?!

I guess I can cross my fingers... and keep watch for the weird tasks that were seen being started in Task Manager right after login. And for the svchost crashes. And if my drag and drop and copy and paste work again... these would indicate all is ok again in win2k land for me?!!

 
It sounds like you have several (not one!) worm/virus infections at the same time, which is not surprising, since if the system was open to one it was probably open to several attacks, and may have been infected for some time.

Since you do have more than one problem, I would highly recommend a clean install, including a total wipe and reformat of the system. Otherwise you will never be really sure you have cleaned it all out. If you have data files and can get the system back up, I suggest you back them up elsewhere (like to tape or CD) and then go into a total rebuild. Yes, it takes time, but consider the time you have already been down and what is ahead of you, and consider the state of the system you will have after it has been patched, prodded, and poked to get it back to a barely operational state.

Good luck,

David
 
Hi David,

I'm sure you are right. And I don't trust the system now. If this were a workstation on our network I would definitely do a clean reinstall. But... (here comes my rationalization ;) this is our only Windows-based operating system (we run all Unix, including now Mac OS X). We only have this box for testing websites in different browsers, running MS Word occasionally, etc. I just hate to put any more time/effort into an MS OS install :( I'd rather reinstall Linux and just force our users to learn how to convert their business documents to/from MS formats! ;)

So I did manage to get it running fine again. Task Manager shows no mysterious tasks now. Drag and drop and cut and paste all work again. I blocked the tftp port and shut off DCOM from/to other machines.

I also installed and ran full scans from 3 separate virus software packages (NOD32, Panda, Norton)! All found it to be "clean" this time. And I installed WormGuard and set it to not allow any questionable programs to run for any user.


 
We are running into issues because ISPs are starting to filter port 135. If they filter 135 you no longer have access to shared drives, Exchange, or Samba from the Internet.

Dave
 
Why on earth are you allowing people to access your shared drives over the Internet? That's a hacker's goldmine. Use a VPN, use Exchange webmail, and don't expose a non-DMZed zone to the Internet!



 
Yeah

I think using Samba for shared drives on your local network is fine, but over the Internet that is a big no-no. I don't use Exchange at all, but I do think Ashley has it right!
 
Use Terminal Services; this gives the user SECURE access to anything on the network, as long as they have the right to log in.
I filter port 135 plus about 1500 more, and I am running fine now.
 
> Use Terminal Services, this gives the user SECURE access
> to anything on the network

This is assuming there aren't any vulnerabilities within Terminal Services. It's very likely there are....

 
I am having the same issues with not being able to copy and paste files, but I can't seem to find any traces of any virus on my system. I've run the Blaster removal tool. I've run the Welchia removal tool. Nothing. I can't find any of the files that these viruses copy. There are no strange services running that I can tell. Svchost.exe is running multiple instances; I'm not sure if that is abnormal or not. It doesn't make sense to me that I would have a worm/virus, because I am running Norton AntiVirus with the latest definitions. I'm also running ZoneAlarm, so there really shouldn't be any way a worm could be running on my system, but the cut and paste issue sure seems like a worm.

Are there any other lesser-known worms that can cause this??
 
Do you have any files in WINNT\SYSTEM32\WINS?

-------------------------------

If it doesn't leak oil it must be empty!!
 
maraflux,

Since you appear to have gotten the system partially (?) functional at this point, I would highly recommend installing AdAware to scan and clean the system. With all the garbage you have already found I would not be surprised to see a whole bunch of data-miner programs also running. After AdAware comes up clean, reboot the system (it will make registry modifications to clean out the garbage) and see if the situation has not improved.

I also occasionally install the SpyBot Search and Destroy program, run it to scan and clean, then remove the program. (It finds things that AdAware does not.)

I had a system two weeks ago that had over 700 spy programs installed, and once we cleaned that all out (plus the 26,000-plus cookies!), the system once again zips right along.
 
In that case it isn't the Welchia or Nachi worm.

 
I had the same problem and I found something about it.

This virus is called EvilExplorer by one piece of documentation that I found about it. No antivirus program will detect it, as the bad files are named like the system files. One is explorer.exe, and you can tell that it is not the system explorer.exe file by its size. It is only 5 KB or so. Apparently there are more files like that in the system that have system file names that I can't find.

Check this link out and find out what you are dealing with.


Whatever you do, don't delete these files, because someone has to get them to Symantec or somewhere for them to create a fix for it. I was stupid and deleted the file that I found, so I could not do it.
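A check for the look-alike system files this post describes, as an added example that is not from the thread. It applies three tests per file: is it in the directory where that binary belongs, is it implausibly small, and does its SHA-256 match a copy taken from trusted install media or a service pack. It assumes %SystemRoot% is C:\WINNT; the paths, sizes and file contents are constructed, and the 64 KB floor for explorer.exe is an assumed threshold.

```python
"""Spot system-binary look-alikes such as the 5 KB explorer.exe described above.

Added example, not from the thread. For each file it asks: is it in the
directory where that binary belongs, is it implausibly small, and does its
SHA-256 match a copy taken from trusted install media or a service pack.
All paths, sizes and file contents below are constructed for the demo.
"""
import hashlib
import ntpath

# Assumption: %SystemRoot% is C:\WINNT, as on the thread's machine. explorer.exe
# ships in %SystemRoot% itself; the other binaries live in %SystemRoot%\system32.
EXPECTED_DIR = {
    "explorer.exe": r"c:\winnt",
    "svchost.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "csrss.exe": r"c:\winnt\system32",
}

# Size floors. A genuine explorer.exe is hundreds of KB, so the 5 KB file the
# post found cannot be one; 64 KB is an assumed floor well below any real build.
# svchost.exe and friends are genuinely small, so they get no floor: for them
# only the hash compare decides.
MIN_SIZE = {"explorer.exe": 64 * 1024}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_file(path, data, known_good):
    """Reasons `path` (with contents `data`) looks like a masquerading copy.

    known_good maps a binary name to the SHA-256 of its trusted copy.
    An empty list means nothing suspicious was found.
    """
    directory, name = ntpath.split(path)
    name = name.lower()
    if name not in EXPECTED_DIR:
        return []                      # not a system binary we track
    reasons = []
    if ntpath.normpath(directory).lower() != EXPECTED_DIR[name]:
        reasons.append("located outside %s" % EXPECTED_DIR[name])
    floor = MIN_SIZE.get(name)
    if floor is not None and len(data) < floor:
        reasons.append("only %d bytes, far smaller than a genuine %s" % (len(data), name))
    expected = known_good.get(name)
    if expected is not None and sha256_hex(data) != expected:
        reasons.append("SHA-256 does not match the trusted copy")
    return reasons


def audit(files, known_good):
    """files: iterable of (path, bytes). Returns {path: reasons} for suspect files only."""
    findings = {}
    for path, data in files:
        reasons = check_file(path, data, known_good)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed stand-ins for file contents: an "MZ" header plus padding.
GENUINE_EXPLORER = b"MZ" + b"\x00" * (240 * 1024)
GENUINE_SVCHOST = b"MZ" + b"\x00" * (8 * 1024)
FAKE_EXPLORER = b"MZ" + b"\x90" * (5 * 1024)       # the 5 KB stub from the post

# Hashes as they would be recorded from trusted install media.
KNOWN_GOOD = {
    "explorer.exe": sha256_hex(GENUINE_EXPLORER),
    "svchost.exe": sha256_hex(GENUINE_SVCHOST),
}

SAMPLE_FILES = [
    (r"C:\WINNT\explorer.exe", GENUINE_EXPLORER),
    (r"C:\WINNT\system32\explorer.exe", FAKE_EXPLORER),
    (r"C:\WINNT\system32\svchost.exe", GENUINE_SVCHOST),
    (r"C:\Documents and Settings\user\svchost.exe", GENUINE_SVCHOST),   # real bytes, wrong place
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_FILES, KNOWN_GOOD).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Size is only a hint (a real svchost.exe is itself small, which is why only explorer.exe gets a floor here); the hash compare against a known-good copy is the check that actually decides, and on Windows 2000 `sfc /scannow` performs the built-in version of it for protected files. Copy suspect files somewhere safe for submission before cleaning, as the post asks.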
 
AdAware is good, but I like Spybot S&D.

Also, re Terminal Services, that's great software, but TightVNC is free and allows unlimited licenses.


Glen A. Johnson
Johnson Computer Consulting
"I only know that I know nothing."
Socrates (470-399 BC); Greek philosopher
 