Re: Queries on kb836528 removal tool

From: Hwy101 (Hwy101_at_discussions.microsoft.com)
Date: 09/10/04


Date: Thu, 9 Sep 2004 20:43:02 -0700

Thanks Ricardo! I read your posts and found the log file; and, like the other
gentleman, I am free of the worm - disheartening that it was indicated that I
probably had a worm based upon a ??

"Ricardo Dias Marques" wrote:

> Hi Murphy,
>
> On Tue, 10 Aug 2004, "murphy" wrote:
>
> >I've done a Windows Update and was offered to install this
> >kb836528 (mydoom, zindos & doom juice removal tool). It
> >says that only systems found with this symptom will be
> >offered this tool. I successfully downloaded this tool but
> >it was nowhere to be found, so how am I going to run
> >this tool and remove the worm when I don't even know
> >where the tool has gone to?
>
> I had the same "problem" using Windows 2000 Professional: I have the
> "Windows Critical Update Notification utility" installed which prompted
> me today (11 Aug 2004) to download the "Mydoom, Zindos, and Doomjuice
> Worm Removal Tool (KB836528)".
>
> I downloaded and clicked on the Install button. A dialog box appeared
> with the usual message saying that the update was successfully
> installed ... and nothing else.
>
> So, I had the same doubt as you did: How can I *run* the tool? Where
> was it saved?
>
> Actually, the Removal Tool, when downloaded through Windows Update,
> seems to run "silently" upon installation: the removal tool left a log
> file called doomcln.log in my C:\WINNT\debug folder after I installed
> it.
>
> For Windows XP, I think the file will be saved in the C:\WINDOWS\debug
> folder.
>
> In my case, the doomcln.log file says the following:
> ________________________
> Microsoft MyDoom removal tool (build 1.227) started on Wed Aug 11
> 13:47:03 2004
> Checking 56 processes.
> Can't get base module information for process 00000008
> 0000012b: Only part of a ReadProcessMemory or WriteProcessMemory
> request was completed.
> Checking startup registry keys for current user.
> Checking keys for 2 other users
> Deleted registry key
> 80000002:Software\Microsoft\Windows\CurrentVersion\Shell
> Checking known MyDoom filenames.
> **** No MyDoom infection found ****
> Microsoft MyDoom removal tool stopped on Wed Aug 11 13:47:13 2004
> ________________________
>
>
> So, check if you have a log file called doomcln.log in your
> C:\WINDOWS\debug folder.
>
> Actually, Microsoft mentions the doomcln.log file in one of their
> pages (although one may easily miss it):
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=c14bfbe4-3d50-464d-a26c-9c287f8a08c5&displaylang=en
> "(...) Also, the tool creates a log file named doomcln.log in the
> %WINDIR%\debug folder."
>
>
> I hope this helps you. It also confused me!
>
> Best wishes,
> Ricardo Dias Marques
> (To send me e-mail: remove ".invalid" from my e-mail address and
> replace the underscore by a period in "spamcop_net")
>
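
The doomcln.log check described in this thread, as an added example (not part of the original posts and not Microsoft's code): a Python summary of one run that works on the raw file or on a quoted, line-wrapped copy like the one above. Reading the hex prefix of a deleted key as a registry hive handle, and the "incomplete" and "review" verdicts, are assumptions; only the "No MyDoom infection found" line comes from the log shown.

```python
import re

# Constructed sample: the log text quoted in the post, with the "> " markers
# and line wrapping added by the mail client left in place.
SAMPLE = r"""
> Microsoft MyDoom removal tool (build 1.227) started on Wed Aug 11
> 13:47:03 2004
> Checking 56 processes.
> Can't get base module information for process 00000008
> 0000012b: Only part of a ReadProcessMemory or WriteProcessMemory
> request was completed.
> Checking startup registry keys for current user.
> Checking keys for 2 other users
> Deleted registry key
> 80000002:Software\Microsoft\Windows\CurrentVersion\Shell
> Checking known MyDoom filenames.
> **** No MyDoom infection found ****
> Microsoft MyDoom removal tool stopped on Wed Aug 11 13:47:13 2004
"""

# Assumption: the hex prefix on a deleted key is the Win32 predefined hive handle.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}
STAMP = r"(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})"

def summarize(text):
    """Summarize one doomcln.log run; tolerates quoting and wrapped lines."""
    lines = [re.sub(r"^\s*>\s?", "", ln) for ln in text.splitlines()]
    flat = " ".join(" ".join(lines).split())  # collapse wraps into one line

    def grab(pattern):
        m = re.search(pattern, flat)
        return m.group(1) if m else None

    keys = re.findall(r"Deleted registry key ([0-9A-Fa-f]{8}):(\S+)", flat)
    result = {
        "build": grab(r"removal tool \(build ([\d.]+)\)"),
        "started": grab(r"started on " + STAMP),
        "stopped": grab(r"stopped on " + STAMP),
        "processes": grab(r"Checking (\d+) processes"),
        "deleted_keys": [(HIVES.get(h, h), path) for h, path in keys],
    }
    if "No MyDoom infection found" in flat:
        result["verdict"] = "clean"
    elif result["stopped"] is None:
        result["verdict"] = "incomplete"  # no stop line: the run did not finish
    else:
        result["verdict"] = "review"      # finished without the clean banner
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To check a real machine, pass the contents of %WINDIR%\debug\doomcln.log to summarize() and look at any entry in deleted_keys as well as the verdict.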