Subject: Re: Trojan Blues
From: "Glenn Meadows"
I also might just unregister the dll that controls this, per the MS
Advisory...till a patch is released. I would hope that this one gets
released "out of cycle", as soon as the patch is ready to go.
--
Glenn M.
"Glenn Meadows" wrote in message
news:43b60e40$1{at}w3.nls.net...
> Well, all indications are that the machine is now sound and secure.
> HijackThis shows no extra open listening ports, I've run 4 Adware/malware
> detection programs against the machine, as well as 3 separate Anti-Virus
> programs, including an online from Trend Micro.
>
> Adware/Malware:
> Ad-Aware
> Spybot Search-Destroy
> eWido
> CounterSpy.
>
> Both CounterSpy and eWido are running with their active detection left on.
>
> Anti-Virus:
> Sophos
> AVG
> Trend
>
> Sophos is left in active detect mode. You can open the monitor panel, and
> watch it look at each exe/dll file that's loaded, be scanned. I was
> "playing" with one of the trojan infected files, to zip it to send to one
> of the AV firms, and Sophos caught every time I touched the file, or it
> was accessed, and blocked any action with it. Had to use a restore with a
> file name change in the restore to destination window to be able to do
> anything with the files.
>
> NONE of the other computers in the office appear to have been affected.
> None of the files on this computer show up on any of the other machines.
>
> I'm actually quite thankful that both our NY office and Nashville offices
> were "closed" this week. The few people who came in, appear to have
> avoided this problem, save for the salesman here in Nashville. Thank
> goodness for small favors. I think that this exploit would have a larger
> impact on our systems if everyone had been working all this week.
>
> I had the production manager in the NY office put a physical notice on
> everyone's monitor today detailing the virus potential problem, and giving
> specific instructions that when they start their computers first thing
> Tuesday, that before they open Outlook, or IE, that they open their AV
> control panel, and do an immediate Live Update (NY uses Symantec Corporate
> edition), but as I discovered today, each local system is globally set to
> pull sig files from the Symantec server, NOT from the local AV server.
> Got to get that re-configured. I also discovered that the Live
> Update was configured to check for updates once a week. I've changed that
> to be once a day now. I'm also going to re-config each computer to pull
> sig files from the local server, but the machines have to be on, so I can
> Remote Desktop to them to re-configure them and verify that the changes
> have been made.
>
> --
>
> Glenn M.
> "John Beckett" wrote in message
> news:8q0cr1dnhpbfeuc637tb9qud0cvdhkrptu{at}4ax.com...
>> "Glenn Meadows" wrote in message
>> news::
>>> What would the magic incantation be using Knoppix, to allow me to DELETE
>>> files on the Windows HD?
>>
>> I'm pretty sure that only very experimental versions of Linux include the
>> ability to write to an NTFS partition. That is, Knoppix will NOT allow you
>> to delete or rename files on NTFS.
>>
>> The best procedure to do this would (I think) be to purchase the tool from
>> Sysinternals that allows you to boot from a CD and have write access to
>> NTFS partitions. I have never tried it.
>>
>> However, the couple of times that I've had a look at a hosed system I have
>> convinced myself that an amateur trying to outsmart a virus writer is a
>> complete waste of time. Copy data files off the partition, then wipe it.
>>
>> John
>>
>
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com