WORMS IN WINDOWS XP FILES


Guest

I just reformatted & loaded Windows XP on the system. Then updated it. Then
ran McAfee scan and found that the file under Windows\system32\winservices.exe
has 2 worms in it and I can not delete, clean or quarantine it. What is the fix
for it?
 
MADHAT said:
I just reformatted & loaded Windows XP on the system. Then updated it.
Then ran McAfee scan and found that the file under
Windows\system32\winservices.exe has 2 worms in it and I can not
delete, clean or quarantine it. What is the fix for it?

Did you turn on the firewall before connecting to the Internet?

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/
 
From: "MADHAT" <[email protected]>

| I just reformatted & loaded Windows XP on the system. Then updated it. Then
| ran McAfee scan and found that the file under Windows\system32\winservices.exe
| has 2 worms in it and I can not delete, clean or quarantine it. What is the fix
| for it?

Was it the W32/Yaha worm ?

Start with the McAfee module of the below Multi AV Scanning Tool.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
MADHAT said:
I just reformatted & loaded Windows XP on the system. Then updated it. Then
ran McAfee scan and found that the file under
Windows\system32\winservices.exe
has 2 worms in it and I can not delete, clean or quarantine it. What is the
fix for it?

Please???
 
MADHAT said:
I just reformatted & loaded Windows XP on the system. Then updated it.
Then ran McAfee scan and found that the file under
Windows\system32\winservices.exe has 2 worms in it and I can not
delete, clean or quarantine it. What is the fix for it?

Don't connect to the Internet before you have a firewall in place. If your
version of Windows was pre-SP2 and you didn't have a firewall or NAT router
in place then as soon as you connected to download updates you were
infected. If you have a broadband connection and it was connected you may
have been infected before the install was even completed. At this point your
best option is to reformat and install Windows again. This time do not
connect to the Internet until you have a firewall installed or SP2
installed. Download SP2 and burn it to CD. Install Windows, Install SP2.
Connect to Internet.

http://www.microsoft.com/downloads/...be-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en

Kerry
 
You need to reformat and re-install Windows XP again using the official
MS CD (or other CDs from top brand OEMs) and not any other cracked ones
that are available from the Internet.

hth
 
ANONYMOUS said:
You need to reformat and re-install Windows XP again using the
official MS CD (or other CDs from top brand OEMs) and not any other
cracked ones that are available from the Internet.

hth

What makes you think MADHAT has a cracked CD?

Kerry
 
MADHAT said:
I just reformatted & loaded Windows XP on the system. Then updated it. Then
ran McAfee scan and found that the file under
Windows\system32\winservices.exe
has 2 worms in it and I can not delete, clean or quarantine it. What is the
fix for it?


Stop using pirated copies of Windows.
Stop installing your applications after installing Windows.
Yank the network cable before installing Windows and leave it disconnected
until you get the firewall setup.

Microsoft doesn't distribute worms. Obviously something YOU use and which
didn't come from Microsoft is infected. So you format and then end up
putting the pest back in your system.
 
Kerry said:
What makes you think MADHAT has a cracked CD?


I have never experienced a clean install of OS resulting in worms and
viruses even after going online for updates. Perhaps it is just me - a
regular church goer - able to repel all scumwares like pests repellents.

Have you had any such incidents in your trade?
 
From: "ANONYMOUS" <[email protected]>

|
| I have never experienced a clean install of OS resulting in worms and
| viruses even after going online for updates. Perhaps it is just me - a
| regular church goer - able to repel all scumwares like pests repellents.
|
| Have you had any such incidents in your trade?

Although many here (including I) have indicated it may be the Yaha worm, it also can be a
SDbot worm variant (Aka; Win32.Rbot).

If the OP has not installed the correct patches and is connected to the Internet then the
SDbot can use network protocols TCP 135 or TCP 445 to worm its way into the OS and infect
the system. Other variants may use File and Print Sharing that has been enabled but not
properly secured.

This has nothing to do with pirated or cracked software. It has to do with how quickly an
unpatched/unprotected system can be infected from the Internet.

Read Kerry Brown's initial reply. He had it right. He stated -- "If your version of
Windows was pre-SP2 and you didn't have a firewall or NAT router in place then as soon as
you connected to download updates you were infected."
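
A defender's check for the exposure described in the post above, as an added example that is not part of the original thread: it parses `netstat -an` output and reports listeners on TCP 135 and TCP 445 that are bound to a non-loopback address. The sample output, the function names and the loopback rule are assumptions made for this illustration.

```python
import re

# TCP ports the post above names as SDbot entry points.
WATCHED_PORTS = {135, 445}

# Constructed sample of Windows `netstat -an` output (illustrative, not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches TCP rows in LISTENING state; captures the local address and port.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def is_loopback(addr):
    """True for addresses that only accept connections from the host itself."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(netstat_text, ports=WATCHED_PORTS):
    """Return sorted (address, port) pairs listening on watched ports off-loopback."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # headers, UDP rows, established connections
        addr, port = m.group(1), int(m.group(2))
        if port in ports and not is_loopback(addr):
            found.add((addr, port))
    return sorted(found)


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"TCP {port} is listening on {addr}: "
              "keep this host behind a firewall or NAT router")
```

A listener reported here is only reachable from the Internet if nothing filters it, so the result says which services need a firewall or NAT router in front of them, not that the host is infected.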
 
ANONYMOUS said:
I have never experienced a clean install of OS resulting in worms and
viruses even after going online for updates. Perhaps it is just me -
a regular church goer - able to repel all scumwares like pests
repellents.

Have you had any such incidents in your trade?

I guess you never used a pre-service pack XP CD or always had a router in
place.
You need to fix that hair trigger you use to evaluate people. It is a shame
when people get slammed for asking innocent questions from people like you.
I guess when you are anonymous, you feel like Tom Cruise on the Oprah show.
LOL
--
Michael Stevens MS-MVP XP
(e-mail address removed)
http://www.michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://www.michaelstevenstech.com/outlookexpressnewreader.htm
 
ANONYMOUS said:
I have never experienced a clean install of OS resulting in worms and
viruses even after going online for updates. Perhaps it is just me -
a regular church goer - able to repel all scumwares like pests
repellents.

Have you had any such incidents in your trade?

I have personally seen it happen when a broadband connection is present
during the install.

Kerry
 
ANONYMOUS said:
I have never experienced a clean install of OS resulting in worms and
viruses even after going online for updates. Perhaps it is just me -
a regular church goer - able to repel all scumwares like pests
repellents.

Have you had any such incidents in your trade?

I personally saw it happen to the supervisor in my group with Windows XP pre
SP1. He wanted to set up his own new pc and wasn't up to speed with malware
and virus issues. He did not enable the firewall before he connected the
network cable and was infected in less than 5 minutes.
 
ANONYMOUS said:
I have never experienced a clean install of OS resulting in worms and
viruses even after going online for updates.

You've been lucky, it often takes less than a minute to get infected
online if you haven't taken precautions.

ANONYMOUS said:
Perhaps it is just me - a
regular church goer - able to repel all scumwares like pests repellents.

Going to church apparently didn't help prevent you from being a
self-righteous and pompous pest. You've got a lot of nerve accusing
people of things you can't prove, and with no inkling of any indication
from the OP of anything untoward either.

ANONYMOUS said:
Have you had any such incidents in your trade?

Plenty.

Steve N.
 
I agree. I have been MS-blasted many times when installing
and hooked to internet.

: ANONYMOUS wrote:
:
: >
: > Kerry Brown wrote:
: >
: >>
: >>What makes you think MADHAT has a cracked CD?
: >>
: >
: > I have never experienced a clean install of OS resulting in worms and
: > viruses even after going online for updates.
:
: You've been lucky, it often takes less than a minute to get infected
: online if you haven't taken precautions.
:
: > Perhaps it is just me - a
: > regular church goer - able to repel all scumwares like pests repellents.
:
: Going to church apparently didn't help prevent you from being a
: self-righteous and pompous pest. You've got a lot of nerve accusing
: people of things you can't prove, and with no inkling of any indication
: from the OP of anything untoward either.
:
: >
: > Have you had any such incidents in your trade?
:
: Plenty.
:
: Steve N.
 
Vanguard said:
Stop using pirated copies of Windows.

Rash assumption. This "guilty until proven innocent" attitude around
here is really starting to get annoying. A guy comes here for help and
gets accused of piracy! How stupid is that?

Vanguard said:
Stop installing your applications after installing Windows.

Oh really? And when should they be installed, _before_ installing
Windows? LOL! What a joke!

Vanguard said:
Yank the network cable before installing Windows and leave it
disconnected until you get the firewall setup.

This is the only thing you said that makes sense.

Vanguard said:
Microsoft doesn't distribute worms.

No, but they distribute the vulnerabilities that the worms exploit.

Vanguard said:
Obviously something YOU use and
which didn't come from Microsoft is infected. So you format and then
end up putting the pest back in your system.

It's a worm that can spread via network shares. Why don't you research
the issue before spewing out your half-baked advice? It isn't something
the OP necessarily did, but rather more likely did not do, which was to
protect the PC and OS vulnerabilities, and amidst your condescending
reply you did manage to touch on that. Good job!

Steve N.
 