star_topology
We've been battling this bugger for a couple of weeks now, and we can't seem to kick it. I'm still trying a few more things this morning (including HiJackThis, Spybot S&D, Ad-Aware), but I'd like to go ahead and get this "call for help" out here now. According to Symantec's description, it originates from P2P software/sites. If that is the case, that is a whole other issue we will have to take up with our users later.
Anyway, we're running Symantec Corporate 10.1.0.394, and have been running patches on all our clients (this is not available via LiveUpdate) to .396 because of the following situation regarding W32.Spybot.Worm from Symantec:
"Symantec was notified that Symantec Client Security and Symantec AntiVirus Corporate Edition are susceptible to a potential stack overflow. Exploiting this overflow successfully could potentially cause a system crash, or allow a remote or local attacker to execute arbitrary code with System level rights on the affected system."
So, this is my process for removal:
- Run a Scan
- Quarantine all variants of the virus (wuauclt10.exe, links.exe, hanz.exe, etc.)
- Run Symantec .396 Patch
- Reboot to Safe Mode
- Delete all items in Quarantine
- Run a RegistryClean tool that I made (deletes all variants from the registry)
- Run a RegistryPatch tool to patch up the changes made to the registry, according to Symantec's Removal Process
- Reboot to WinXP
- Scan
- Check MsConfig and Registry to verify that the malicious .exes are gone
And so far this has worked, though wuauclt10.exe seems to come back on a handful of computers; overall it has done the trick. But we can't rest easy just yet. If anyone has any ideas on what I need to do to get this virus that came out in 2005 (why it's here now is beyond me), it would be appreciated.
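As an added example (not part of the original post or Symantec's tooling), here is a report-only PowerShell check for the last step of the list above, the "verify the malicious .exes are gone" pass after the final reboot. It assumes the three file names quoted in the post are the variants in play, that the standard Run/RunOnce and Winlogon autorun keys are where they re-register, and that dropped copies land under the Windows or System32 directory; it deletes nothing, so a hit on a machine where wuauclt10.exe "came back" is a signal to repeat the cleanup, not an automatic fix.

```powershell
# Added example: report autorun entries and on-disk copies of the variants
# named in the post (wuauclt10.exe, links.exe, hanz.exe). Report-only.
$Names = @('wuauclt10.exe', 'links.exe', 'hanz.exe')   # names from the post; extend as needed

# Autorun locations that MSConfig's Startup tab also reads (assumption: these cover the variants seen)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Findings = @()

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }          # skip PowerShell's own provider metadata
        foreach ($N in $Names) {
            if ("$($P.Value)" -like "*$N*") {
                $Findings += [pscustomobject]@{ Where = $Key; Name = $P.Name; Value = $P.Value }
            }
        }
    }
}

# Winlogon Shell/Userinit: checked because worms in general hook in here (assumption, not from the post)
foreach ($V in 'Shell', 'Userinit') {
    $Val = (Get-ItemProperty -Path $Winlogon -Name $V -ErrorAction SilentlyContinue).$V
    foreach ($N in $Names) {
        if ("$Val" -like "*$N*") {
            $Findings += [pscustomobject]@{ Where = $Winlogon; Name = $V; Value = $Val }
        }
    }
}

# On-disk check in the directories where dropped copies are assumed to land
foreach ($Dir in "$env:SystemRoot", "$env:SystemRoot\System32") {
    foreach ($N in $Names) {
        $Path = Join-Path $Dir $N
        if (Test-Path $Path) {
            $Findings += [pscustomobject]@{ Where = 'File'; Name = $N; Value = $Path }
        }
    }
}

if ($Findings.Count -eq 0) { 'No references to the listed executables found.' }
else { $Findings | Format-Table -AutoSize }
```

Run it in an elevated session after the final reboot; an empty result on every client is the "all clear", while any row shows exactly which key or path still references a variant.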