Queries on kb836528 removal tool

[murphy]

I've done a window update and was offer to install this
kb836528 (mydoom, zindos & doom juice removal tool)it
says that only system found with this symptom will be
offer this tool. I successfully downloaded this tool but
is was no where to be found, so how am I going to run
this tool and remove the worm when I don't even know
where has the tool gone to?

 

[PA Bear]

What happens when you run the tool found here?...

http://www.microsoft.com/security/incident/mydoom.mspx
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Are You Ready for WinXP SP2?
http://www.microsoft.com/athome/security/protect/default.aspx

WinXP SP2 Release Notes
http://support.microsoft.com/default.aspx?scid=kb;en-us;835935

AumHa Forums
http://forum.aumha.org

 

[murphy]

Thanks for your response! Just a queries,why are you
giving me the ftp for? To download the removal tool
again? As I have mention ms update has said that I have
successfully downloaded the removal tool, is just that
the tool is no where to be found (missing?) Can you tell
me which folder I can go to so that I can run it from
there? Rather then downloading again.

 

[murphy]

Follow what you have suggested, went to the link which
you have given and trying running the tool from there and
the result is>>>>>> "We are sorry, but the tool did not
work properly on your computer. Please try again later.
In the meantime, please visit Windows Update to use the
tool, or contact your antivirus vendor." Pls
advised........ So my conclusion is not only the tool
doesn't works on the site which you recommended, it also
doesn't work on microsoft update.

 

[Ricardo Dias Marques]

Hi Murphy,

I've done a window update and was offer to install this
kb836528 (mydoom, zindos & doom juice removal tool)it
says that only system found with this symptom will be
offer this tool. I successfully downloaded this tool but
is was no where to be found, so how am I going to run
this tool and remove the worm when I don't even know
where has the tool gone to?

I had the same "problem" using Windows 2000 Professional: I have the
"Windows Crital Update Notification utility" installed which prompted
me today (11 Aug 2004) to download the "Mydoom, Zindos, and Doomjuice
Worm Removal Tool (KB836528)".

I downloaded and clicked on the Install button. A dialog box appeared
with the usual message saying that the update was successfully
installed ... and nothing else.

So, I had the same doubt as you did: How can I *run* the tool? Where
was it saved?

Actually, the Removal Tool, when downloaded through Windows Update,
seems to run "silently" upon installation: the removal tool left a log
file called doomcln.log in my C:\WINNT\debug folder after I installed
it.

For Windows XP, I think the file will be saved in the C:\WINDOWS\debug
folder.

In my case, the doomcln.log file says the following:
________________________
Microsoft MyDoom removal tool (build 1.227) started on Wed Aug 11
13:47:03 2004
Checking 56 processes.
Can't get base module information for process 00000008
0000012b: Only part of a ReadProcessMemory or WriteProcessMemory
request was completed.
Checking startup registry keys for current user.
Checking keys for 2 other users
Deleted registry key
80000002:Software\Microsoft\Windows\CurrentVersion\Shell
Checking known MyDoom filenames.
**** No MyDoom infection found ****
Microsoft MyDoom removal tool stopped on Wed Aug 11 13:47:13 2004
________________________


So, check if you have a log file called doomcln.log in your
C:\WINDOWS\debug folder.

Actually, Microsoft mentions the doomcln.log file in one of their
pages (although one may easily miss it):

http://www.microsoft.com/downloads/...e4-3d50-464d-a26c-9c287f8a08c5&displaylang=en
"(...) Also, the tool creates a log file named doomcln.log in the
%WINDIR%\debug folder."


I hope this helps you. It also confused me!

Best wishes,
Ricardo Dias Marques
(To send me e-mail: remove ".invalid" from my e-mail address and
replace the underscore by a period in "spamcop_net")

 

[murphy]

You're excellent, Ricardo! Follow your instruction and
manage to find the log file which goes like
this "Microsoft MyDoom removal tool (build 1.227) started
on Wed Aug 11 07:54:56 2004
Checking 26 processes.
Checking startup registry keys for current user.
Checking keys for 7 other users
Deleted registry key
80000002:Software\Microsoft\Windows\CurrentVersion\Shell
Checking known MyDoom filenames.
**** No MyDoom infection found ****
Microsoft MyDoom removal tool stopped on Wed Aug 11
07:54:57 2004" At least I can relieve now, knowing that I
did not caught the "my doom." But was indeed surprised
why microsoft prompt us to download this update, giving
ppl the false impression? Also I'm a bit disappointed
that the MVP did not follow up my question even though I
have posted on two occassion.

Once again thanks for your help, not only you're helpful
but knowledgelable. Here's another doubt I'm having, do I
need to remove the removal tool since there's no worm
found?

 

[Ricardo Dias Marques]

Hi again Murphy!

You're excellent, Ricardo! Follow your instruction and
manage to find the log file

Great! Thank you very much for the compliment. I'm glad that I could
help you


[snip]

At least I can relieve now, knowing that I
did not caught the "my doom." But was indeed surprised
why microsoft prompt us to download this update, giving
ppl the false impression?

I am not sure. Maybe we were prompted to install the Removal Tool
because we had that
80000002:Software\Microsoft\Windows\CurrentVersion\Shell registry key
in our computers. I have googled for the Registry Key with that
80000002 number (both Web and Newsgroups search) and I only found a
reference to it in a German newsgroup posting (I don't speak german,
so I couldn't make much of it):

[snip]

Once again thanks for your help, not only you're helpful

but knowledgeable.

Thanks again, and you're welcome!

Here's another doubt I'm having, do I need to remove the
removal tool since there's no worm found?

Good question. I think the Removal Tool (doomcln.exe) was
automatically deleted after having been run. The Removal Tool
*installer* (the file that contained doomcln.exe) is probably still
saved in some temporary folder. At least, that's what I understand
from reading this:

836528 - Mydoom, Zindos, and Doomjuice Worm Removal Tool
<http://support.microsoft.com/?kbid=836528>
____________
"Removal information

Doomcln.exe is automatically deleted from its temporary location after
the Mydoom Worm Removal Tool runs. You can delete the tool’s installer
after you install the Mydoom Worm Removal Tool. "
____________


I couldn't find the Installer file neither in the "Temporary Internet
Files" folder (which is setup in Internet Explorer) nor in c:\temp

Oh well... It's not a big deal, anyway.


Best wishes,
Ricardo Dias Marques
(To send me e-mail: remove ".invalid" from my e-mail address and
replace the underscore by a period in "spamcop_net")

 

[Tomasz]

Hi again Murphy!

You're excellent, Ricardo! Follow your instruction and
manage to find the log file

Great! Thank you very much for the compliment. I'm glad that I could
help you


[snip]

At least I can relieve now, knowing that I
did not caught the "my doom." But was indeed surprised
why microsoft prompt us to download this update, giving
ppl the false impression?

I am not sure. Maybe we were prompted to install the Removal Tool
because we had that
80000002:Software\Microsoft\Windows\CurrentVersion\Shell registry key
in our computers. I have googled for the Registry Key with that
80000002 number (both Web and Newsgroups search) and I only found a
reference to it in a German newsgroup posting (I don't speak german,
so I couldn't make much of it):

[snip]

Once again thanks for your help, not only you're helpful

but knowledgeable.

Thanks again, and you're welcome!

Here's another doubt I'm having, do I need to remove the
removal tool since there's no worm found?

Good question. I think the Removal Tool (doomcln.exe) was
automatically deleted after having been run. The Removal Tool
*installer* (the file that contained doomcln.exe) is probably still
saved in some temporary folder. At least, that's what I understand
from reading this:

836528 - Mydoom, Zindos, and Doomjuice Worm Removal Tool
<http://support.microsoft.com/?kbid=836528>
____________
"Removal information

Doomcln.exe is automatically deleted from its temporary location after
the Mydoom Worm Removal Tool runs. You can delete the tool?s installer
after you install the Mydoom Worm Removal Tool. "
____________


I couldn't find the Installer file neither in the "Temporary Internet
Files" folder (which is setup in Internet Explorer) nor in c:\temp

Oh well... It's not a big deal, anyway.


Best wishes,
Ricardo Dias Marques
(To send me e-mail: remove ".invalid" from my e-mail address and
replace the underscore by a period in "spamcop_net")

This stopped for me once I removed the following reg key which was
empty (for the most part, nothing useful anyway...)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell

I then went to windows update which was clean.
Stupid way of "detecting" if you have a worm or not..

 

[Guest]

Thanks Ricardo! I read your posts and found the log file; and, like the other
gentleman, I am free of the worm -dishearten the it was indicated that I
probably had a worm based upon a ??