no remote access after scan

D

desertdirk

I installed and scanned a clients computer remotely after
which microsoft antispyware suggested a reboot to finish
cleaning what it found. Now I can not access the computer
remotely. I have no way of knowing the status of the
computer until I can go there physically. Any suggestions?

This is an XP Pro machine on a network running Windows
Small Business Server.
 
B

Bill Sanderson

Do you recall any of the bugs found? If a reboot is required after a clean,
there's a fair chance that one or more of the bugs involved the Winsock LSP
stack, and caused the issue which is described in the Release Notes section
of the Help file in build .509, and in this KB article:

http://support.microsoft.com/kb/892350

You aren't going to be able to fix this one remotely, but if the machine is
SP2, talking someone through the fix at the other end so that you can again
check it out remotely should be quite possible.
 
G

Guest

This thing was so infected its hard to recall: there were
9 programs and over 1700 affected files. Gator Gain,
WebTV, toolbar search help etc. Yes it is an SP2 machine
and the article seems straight forward enough that I
should be able to talk the client through it. Provided
this is the situation. Thanks very much for the KB.
 
B

Bill Sanderson

If they are using other software that hooks the Winsock LSP stack, that has
to be reinstalled, too. I don't use the firewall client on my SBS sites, so
I don't know how this might be impacted by such a removal (and I haven't
needed this fix on any of those client machines, either.)

I think the netsh fix should get things to the point where you can remote in
again, unless there's some issue with the firewall client, for example.
 
D

desertdirk

just came across this utility but don't know much about
it: "lsp fix"
http://www.cexx.org/lspfix.htm

claims to repair the winsock 2 from bad spyware removal.
Do you or anybody out there have experience with it?
Looks like it may do the same thing as the netsh fix, ie
it rebuilds the chain after giving you the option of
keeping or removing registry entries.
 
J

Jim Byrd

Hi All - The following, from one of my "standard" malware removal posts,
may be of some help:


#########IMPORTANT#########
Download both a copy of LSPFIX here: http://www.cexx.org/LSPFix.exe Be
sure to also download and read lspfix.txt, here:
http://www.cexx.org/lspfix.txt

AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257

or here for Win2k/XP http://files.webattack.com/localdl834/WinsockxpFix.exe
Info here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm

The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.

NOTE: It is reported that in XP SP2, the Run command netsh winsock reset
will fix this problem without the need for these programs. (You can also
try this if you're on XP SP1. There has also been one, as yet unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:

netsh int reset all
ipconfig /flushdns

See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
#########IMPORTANT#########

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
B

Bill Sanderson

Yes--that should also do the job--but requires more care and feeding, and
comes from a source that some might not trust as well as direct Microsoft
instructions.

There's also a winsockXPfix.exe which works well.

I wouldn't bother with these on XP SP2. With the older versions, they might
save you some time.

This may have been an optimistic answer to your query--since the symptom is
just loss of connectivity. The machine might also be blue-screened or
unable to log in--some bugs have worse side-effects on removal than others.
This (the Winsock LSP breakage) is quite common and easy to fix,
fortunately.
 
G

Guest

Just returned from the clients office (100 mile each way)
Turns out that the machine shut down instead of re-
booting. Ha Ha. After booting the machine, no problems
and no need to run netsh fix. Thought of another questio
though, does one need to disable system restore before a
scan. (Maybe need to look at other threads)
 
J

Jim Byrd

Hi - Re: Restore Points - There has been considerable discussion about this
issue in the private MVP mailing lists. The consensus opinion of those
discussions is about what I've published in my blog, Defending Your Machine,
here: http://defendingyourmachine.blogspot.com/


"If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
tools below) may find infections within Restore Points which it will be
unable to clean. You may choose to disable Restore if you're on XP or ME
(directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
eliminate ALL previous Restore Points, or alternatively, you can wait until
cleaning is completed and then use the procedure within the *********'s
below to delete all older, possibly infected Restore Points and save a new,
clean one. This approach is in the sprit of "keep what you've got" so that
you can recover to an at least operating albeit infected system if you
inadvertently delete something vital, and is the approach I recommend that
you take."

and

" *******ONLY IF you've successfully eliminated the malware, you can now
make a new, clean Restore Point and delete any previously saved (possibly
infected) ones. The following suggested approach is courtesy of Gary
Woodruff: For XP you can run a Disk Cleanup cycle and then look in the More
Options tab. The System Restore option removes all but the latest Restore
Point. If there hasn't been one made since the system was cleaned you should
manually create one before dumping the old possibly infected ones.*******
"


As one MVP in those discussions recently put it, "Better an infected
lifeboat than no lifeboat at all!"


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
B

Bill Sanderson

I'm in the "better an infected lifeboat than none at all" camp.

I have, I think, seen antispyware scan results which were found in the SR
store, but its been awhile--not certain.

The shutdown is a bug. I must have seen it, but I actually haven't done a
required shutdown cleaning remotely--I've done dozens of installs, and scans
remotely, but the machines I admin tend to be squeaky clean--I watch them
pretty closely--advantages of having few customers--there are corresponding
disadvantages!
 
P

plun

-----Original Message-----
As one MVP in those discussions recently put it, "Better
an infectedlifeboat than no lifeboat at all!"

One question about this, if you use a tool such as Total
Commander you can open up these restore points inside
folder System Volyme information.

You can see all of them as folders RPXXX, I cant
understand why its needed to disable SR to get rid
of malicious software. Must be a way to get a real access
to this folders for scanning. For example virusscanner
can detect viral infections but not remove anything and
it must be better that this viralprogram tells you that
RPXYZ is infected and all others are clean.
Then we remove this RP.

I am also going to move one RP folder and see what
happens.
 
J

Jim Byrd

Hi Plun - You can gain access by changing the permissions. I don't know if
doing so would allow "proper" scanning by an anti-malware program or not -
could depend on just how the program is set up. You could certainly try it,
but be prepared for potential problems and BE CAREFUL about what
"cleaning/deleting" you allow for the program in question if you test.
Since MS is fairly free with the info about allowing access, it may well be
that you can't do too much damage, but I wouldn't want to bet the farm on
it. :)

See here: http://support.microsoft.com/default.aspx/kb/309531?
http://www.theeldergeek.com/system_volume_information_folder1.htm

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
P

plun

Jim said:
Hi Plun - You can gain access by changing the permissions. I don't know if
doing so would allow "proper" scanning by an anti-malware program or not -
could depend on just how the program is set up. You could certainly try it,
but be prepared for potential problems and BE CAREFUL about what
"cleaning/deleting" you allow for the program in question if you test.
Since MS is fairly free with the info about allowing access, it may well be
that you can't do too much damage, but I wouldn't want to bet the farm on
it. :)

See here: http://support.microsoft.com/default.aspx/kb/309531?
http://www.theeldergeek.com/system_volume_information_folder1.htm

Well, I have backups ;) and there is no problem to blow
this PC and reinstall.

My question was about why these RP,s cant be handled with any
antivirus or spyware program. You can see them and move them
with TC
, this is just some files. It must be something else, every
antivirusvendor
uses disabling, but why to throw away these lifeboats.....??

Look at this:

http://hem.bredband.net/b288305/rp.JPG

I know its about permissions but is this standalone RP,s
which can be removed
or can the whole SR function be corrupt if a single RP´s are
removed.

I think its stupid to disable SR and clean and then "pray to
God" and restart.
 
J

Jim Byrd

Hi plun - Well, most MVP's I think agree with the "keep what you have"
approach - see my post above. Actually, I suspect that most anti-malware
could handle them, and it really just an access issue. AFAIK, deleting one
or more RP's doesn't cause any harm. This is in effect what's done with the
"Disk Cleanup cycle and then look in the More Options tab. The System
Restore option removes all but the latest Restore Point." approach which I
advocate, and which is perfectly safe.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
P

plun

Jim said:
Hi plun - Well, most MVP's I think agree with the "keep what you have"
approach - see my post above. Actually, I suspect that most anti-malware
could handle them, and it really just an access issue. AFAIK, deleting one
or more RP's doesn't cause any harm. This is in effect what's done with the
"Disk Cleanup cycle and then look in the More Options tab. The System
Restore option removes all but the latest Restore Point." approach which I
advocate, and which is perfectly safe.

Thanks !

Really strange anyway that most antivirusprograms don´t
removes within
these RP.s anyway. Must be a better way to handle this.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top