Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more

x
?
Solved

WinXP security patches after fresh install.

Posted on 2004-08-12
4
Medium Priority
?
736 Views
Last Modified: 2013-12-04
Hello,
I was asked to resolve an issue with a friends win-XP PC  last night.  "My start bar has vanished"..... long story, but now it continually reboots with an error from lsass.exe appearing. (This started afer I chose - Start from last known good profile -  )... anyway, I'm going to reinstall from scratch for him.

After installing a firewall, the first thing i plan to do is apply auto-updates and let it go to work. But, with all these viruses about, how can i try to secure the machine while downloading without being infected?

Download SP2 fromanother machine and burn to CD perhaps?

TIA,
Dave.

0
Comment
Question by:dave_p_r_b
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 32

Accepted Solution

by:
LucF earned 180 total points
ID: 11781658
Hi dave_p_r_b,

You're going the right way. Before connecting the computer to the internet the first time, install a firewall. This will keep your computer protected. Then, update windows without browsing to other sites, and surely no dodgy sites.

The firewall will make sure virusses like blaster/welchia/sasser won't infect that computer.

Greetings,

LucF
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 120 total points
ID: 11781660
Instructions for patching and cleaning vulnerable Windows 2000 and Windows XP systems:

Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE process crash every time a malicious worm packet targets the vulnerable machine which can occur very shortly after the machine starts up and initialises the network stack.

When cleaning a machine that is vulnerable to the Sasser worm it is necessary to first prevent the LSASS.EXE process from crashing, which in turn causes the machine to reboot after a 60 second delay.  This reboot cannot be aborted on Windows 2000 platforms using the Shutdown.exe or psshutdown.exe utilities and can interfere with the downloading and installation of the patch as well as removal of the worm.

1. To prevent LSASS.EXE from shutting down the machine during the cleaning  process:

a. Unplug the network cable from the machine

b. If you are running Windows XP you can enable the built-in Internet Connection Firewall using the instructions found here: Windows XP

http://support.microsoft.com/?id=283673 and then plug the machine back into the network and go to step 2.

c. If you are running Windows 2000, you won't have a built-in firewall and must use the following work-around to prevent LSASS.EXE from crashing.

This workaround involves creating a read-only file named 'dcpromo.log' in
the "%systemroot%\debug" directory.  Creating this read-only file will prevent the vulnerability used by this worm from crashing the LSASS.EXE process.

i.      NOTE:  %systemroot% is the variable that contains the name of the Windows installation directory.  For example if Windows was installed to the "c:\winnt" directory the following command will create a file called dcpromo.log in the c:\winnt\debug directory.  The following commands must be typed in a command prompt (i.e. cmd.exe) exactly as they are written below.

1. To start a command shell, click Start and then click run and type 'cmd.exe' and press enter.

2.Type the following command:

echo dcpromo >%systemroot%\debug\dcpromo.log

For this workaround to work properly you MUST make the file read-only by typing the following command:

3. attrib +R %systemroot%\debug\dcpromo.log

4. After enabling the Internet Connection Firewall or creating the read-only dcpromo.log you can plug the network cable back in and you must download and install the MS04-011 patch from the MS04-011 download link for the affected machines operating system before cleaning the system.  If the system is cleaned before the patch is installed it is possible that the system could get re-infected prior to installing the patch.

a. Here is the URL for the bulletin which contains the links to the download location for each patch:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

b. If your machine is acting sluggish or your Internet connection is slow you should use Task Manager to kill the following processes and then try downloading the patch again (press the Ctrl + Alt + Del keys simultaneously and select Task Manager):

i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)  ii. Kill any process starting with 'avserv' (i.e. avserve.exe, avserve2.exe)

iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)  iv. Kill hkey.exe  v. Kill msiwin84.exe  vi. Kill wmiprvsw.exe

5. Note there is a legitimate system process called 'wmiprvse.exe'that does NOT need to be killed.

c. allow the system to reboot after the patch is installed.

6. Run the Sasser cleaner tool from the following URL:

a. For the on-line ActiveX control based version of the cleaner you can run it directly from the following URL:

 http://www.microsoft.com/security/incident/sasser.asp

b. For the stand-alone download version of the cleaner you can download it from the following URL:

 http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en

7. Determine if the machine has been infected with a variant of the Agobot worm which can also get on the machine using the same method as the Sasser worm.

a. To do this run a full antivirus scan of your machine after ensuring your antivirus signatures are up to date.

b. If you do NOT have an antivirus product installed you can visit HouseCall from TrendMicro to perform a free scan using the following

URL:

http://housecall.trendmicro.com/
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11782042
ThanQ
0
 
LVL 32

Expert Comment

by:LucF
ID: 11782125
Glad to help :)

LucF
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Suggested Courses

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question