W32 Blaster F Worm

Guest

I have recently installed XP Home and picked up W32BlasterF worm. I have
downloaded all the Microsoft patches. I have used Symantec's worm removal tool
and followed all the associated instructions. NAV 2005 tells me I am still
infected in C:\backup\undo\enbiei.exe but quarantine and auto delete fail.
The removal tool tells me I am not infected. I cannot find the file to
delete it manually. Enbiei.exe is not running when I check task manager.
There are no entries in the registry referring to enbiei.exe.

Am I missing something here or is there nothing to worry about?
 
David H. Lipman

Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using the Stinger utility, perform a Full Scan of your platform and clean/delete any infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) Re-enable System Restore and re-apply any System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB)
6) Reboot your PC.
7) Create a new Restore point
8) Please report back your results

Dave






 
Guest

Dave

Problem solved! Stinger located and deleted enbiei.exe. Useful weapon to
have in the armoury.

Many thanks

John
 
David H. Lipman

Not really a "Useful weapon to have in the armoury."
Stinger is a throwaway tool since it is replaced with a new executable when Stinger targets
a new infector or if there is a new variant of an already targeted infector.

Dave




 
cquirke (MVP Win9x)

On Sat, 11 Sep 2004 19:49:57 -0400, "David H. Lipman"

> Stinger is a throwaway tool since it is replaced with a new executable when Stinger targets
> a new infector or if there is a new variant of an already targeted infector.

More to the point, it only looks for 40-60 out of thousands of
traditional malware. It's like goofing off for the whole of a 3-year
university course and then "spotting" 1% of the material for a final
week-long cram session.

If it wasn't for NTFS's inherent lack of maintenance tools, we'd never
take something like Stinger seriously as a way of "excluding viruses".


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
David H. Lipman

I keep trying to get people to realize this but alas, there are so many who think Stinger is
an investigational tool or think telling posters to download and execute it, when they don't
know what the infector actually is, will do no harm.

There are too many MVPs who are giving this bad advice.

For them, I suggest Trend Sysclean. This is a good semi GUI/command line utility that is a
very broad spectrum detector.

Dave




 
cquirke (MVP Win9x)

On Sun, 12 Sep 2004 08:57:04 -0400, "David H. Lipman"

> I keep trying to get people to realize this but alas, there are so many who think Stinger is
> an investigational tool or think telling posters to download and execute it, when they don't
> know what the infector actually is, will do no harm.

It's one of the few things you can just run on an NTFS system without
having to install it and get 'net access to update it, and without
hassling about license issues as it's free.

If it can be made to work formally from Bart's PE boot CDR, then so
much the better - and it has non-fight-picking "report-only" mode.

I avoid the whole mess by avoiding NTFS - no ADS for malware to hide
in, and I have a choice of 3 good, free, DOS-based av that I can use
to formally scan all files for "all" traditional malware.

> There are too many MVPs who are giving this bad advice.

In the land of no maintenance, the half-assed tool is king ;-)

> For them, I suggest Trend Sysclean. This is a good semi GUI/command line utility that is a
> very broad spectrum detector.

Ah; more on that, please! Is it:
- free?
- able to work from Bart's PE?
- able to work without being installed on the HD first?
- updatable?

What does it scan for?


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
cquirke (MVP Win9x)

On Sun, 12 Sep 2004 10:24:02 -0400, "David H. Lipman"

> "cquirke (MVP Win9x)"
>
> No installation required, ~ 12MB bunch of files.
>
> | - updatable?
>
> Yes... Trend Sysclean Package
>
> http://www.trendmicro.com/download/dcs.asp
>
> Latest Trend signature files.
>
> http://www.trendmicro.com/download/pattern.asp

Are those files for SysClean as well as Trend's av? Or do you just
download a new SysClean every time, like Stinger?


-------------- ---- --- -- - - - -
"I think it's time we took our
friendship to the next level"
'What, gender roles and abuse?'
 
David H. Lipman

Both. It seems they update the utilities Engine so a new utility can be downloaded
periodically, albeit less often than the pattern files which are the same for their AV
package and are akin to McAfee's DAT files.

Give it a shot and let me know what you think.

Dave





 
cquirke (MVP Win9x)

On Tue, 14 Sep 2004 17:03:50 -0400, "David H. Lipman"

> Both. It seems they update the utilities Engine so a new utility can be downloaded
> periodically, albeit less often than the pattern files which are the same for their AV
> package and are akin to McAfee's DAT files.
>
> Give it a shot and let me know what you think.

I will, thanks!


-------------- ---- --- -- - - - -
"I think it's time we took our
friendship to the next level"
'What, gender roles and abuse?'
 
cquirke (MVP Win9x)

It works pretty well, thanks! Hasn't caught anything yet, and I
haven't tried it as a formal scanner (i.e. from Bart PE). The last
Bart CDR I made - including the promising UCD (?) collection of
add-ons - resets during load, so doesn't run.


--------------- ----- ---- --- -- - - -
I *am* a power user!
I have electricity bills to prove it!
 
