With every protection I can think of in place, one of those worms has
slipped right through. I just started letting the kids use the machine
a week or so ago. They say they received no attachments, so I really
don't know how it slipped through. AVG did not contain it, though, and
it had its way with the machine.
I first noticed that something had killed most of my ruleset in Kerio
2.1.5. I did not use a password, so the program was able to
selectively kill rules. The setting had been moved from high (silently
block all) to medium. I imagine it had been opened wide open to do
its dirty work and did not return to the correct setting.
I suppose if a password is used it would have to kill the whole
ruleset or pass it up. I have one set now. I did not notice any
additions, but I suppose it could have changed a program and checksum,
or simply turned the firewall off, I dunno.
It pretty much defeated AVG. Occasionally AVG would post notice that
the worm was in D:\System Restore (Win XP Pro). I ran it numerous
times, but it could never delete the file. That directory is
protected, so I couldn't delete the thing manually either. That's a
pretty good place to store a contamination.
I threw in the towel early on and ran fdisk (W98) to fix the
partitions more to my liking and reinstalled everything. I write
protected all floppies of course.
I think I've still got the darned thing. My CD drives do not show up,
as they did when infected. And my modem is good for about an hour and
then it just loses connectivity. It's still connected, but I have to redial
(2 different ISPs) hourly to keep bits flowing. Strange. It is a
cheap modem, but the timing is bad.
I've updated the reinstalled AVG, I installed EZ AV from the MS
Security Update CD, and I ran F-PROT and all say that I'm clean.
I'm getting Trend HouseCall now, but I tried that before fdisk/reformat
and it did not catch anything.
There is a newer version of F-PROT listed on the homesite, but the
link doesn't seem to work.
This might just be an error in the installation process, or possibly a
hardware problem with the new machine. It did not want to install my
modem driver at all. It installed perfectly when I first got the Best
Data external a couple of months ago. As for the CD drives, I don't
know, but it looks like viral activity to me.
I got to use the MS Security Update CD. It took 10 weeks or so to get
here. It took 4 weeks after I got an email stating that it had been
shipped.
As far as XP goes, there were only 4 updates (pre-Feb 2004). It did
work like a charm though. I then had to download 7.8 megs of more
critical updates. I tried it on my ME machine that already had the
critical updates and it installed pretty much everything I had elected
not to install with one click. It rebooted itself when needed and
proceeded without any intervention.
The CD comes with a very crippled firewall that looks very much like
Zone Alarm. I like Kerio though. It also came with a Computer
Associates AV, EZ AV. I used this, as I want to check with everything
that I can. The AV is a 1 year trialware, what the heck. It's another
free source of scanning for now.
Anyway, keep your hatches battened down and hopefully one of these
critters won't find its way onto your drives.
WOW! I've run AVG several times today, all clean. I just got a popup
that says I have I-Worm/Netsky.Q just as I was about to send this.
EZ AV just popped up saying that I have ZIP.Netsky.P worm in the same
location:
C:\Docume~1\Jimmy\Locals~1\Temp\v3h43ba00796
That path does not show up in Windows Explorer (after Jimmy\).
I went into it in DOS and the files\subdirs listed do not show up. It
seems to be jumping about with differing filenames.
Now AVG says it is I-WORM/Yaga.G
Jeez. How did it get in again? This occurred as HouseCall was
scanning. Surely a scan cannot be interpreted as a virus. But both
real-time scanners came up together. The popups stopped when HouseCall
stopped, so maybe it did cause this.
What a nasty critter. I know what I'm going to be doing the next day
or two...