After your box is built with all the current service packs and patches, I would use Norton's Ghost or WinImage to save an image of the computer for faster rebuilds.

Joseph

-----Original Message-----
From: Sandy Ryan [mailto:sryan@xxxxxxxxxxx]
Sent: Friday, August 10, 2001 10:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: CodeRed Scanner

http://www.ISAserver.org

If you get hit by the first code red - all you do is reboot.

If it's the second code red - and you get hit... The only way you can be 100% sure to clean the box is rebuild (and reformat) -- too many 'back doors' get opened with the second version...

You can check the registry to see if you are hit by code red 2 - if you see something like

System\currentcontrolset\services\w3scv\parameters\virtual roots\c to c:\,,21

or

System\currentcontrolset\services\w3scv\parameters\virtual roots\d to d:\,,21

You're hit with the second version and REALLY need to reformat and reload - after reload make sure you install the June 18th patch or you will get hit again.

-----Original Message-----
From: Butte, Jeff M APX [mailto:jeff.butte@xxxxxxxxxx]
Sent: Friday, August 10, 2001 11:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: CodeRed Scanner

That is the patch.. but I thought they came out with a detection / repair utility.

Right now we are hitting all our boxes with the http://www.eeye.com/html/Research/Tools/codered.html scanner to look for vulnerable systems. We are then using Jim Harrison's VBScript to scan for infection. Then we have a QChain script with all the patches set up and then we are installing the ISAPI IDA filter. But in the event we hit an infected box, we need to have a quick repair utility to clean it up until we can do a full restore prior to the infection.
Jeff Butte
HPD Server Team
Abbott Laboratories
mailto:Jeff.Butte@xxxxxxxxxx

-----Original Message-----
From: Paul A Brown [mailto:paul@xxxxxxxxxx]
Sent: Friday, August 10, 2001 12:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: CodeRed Scanner

Hi Jeff,

Try this
http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30800%26redirect%3Dno

Paul

-----Original Message-----
From: Butte, Jeff M APX [mailto:jeff.butte@xxxxxxxxxx]
Sent: 10 August 2001 17:59
To: [ISAserver.org Discussion List]
Subject: [isalist] CodeRed Scanner

Does anyone have the link to Microsoft's Code Red repair tool? I cannot seem to find where I put the link and can't find it on their site.

Might need it ASAP... :-0

Jeff Butte
HPD Server Team
Abbott Laboratories
mailto:Jeff.Butte@xxxxxxxxxx
pager: mailto:8884281914@xxxxxxxxxx

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: paul@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
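
The registry check described in Sandy Ryan's message above, as an added example that is not part of the original thread: it scans a regedit-style text export for virtual roots mapped to a bare drive root, generalized from the c and d entries in the message to any drive letter. The sample export is constructed, the W3SVC key name in it and the function names are assumptions of this example, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample: a regedit-style text export (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\\inetpub\\wwwroot,,205"
"/Scripts"="c:\\inetpub\\scripts,,204"
"/c"="c:\\,,21"
"/d"="d:\\,,21"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"MajorVersion"=dword:00000005
'''

KEY_SUFFIX = "\\parameters\\virtual roots"          # matched case-insensitively
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\?$', re.IGNORECASE)


def unescape(s):
    """Undo .reg string escaping of backslashes and quotes."""
    return re.sub(r'\\(.)', r'\1', s)


def find_drive_root_vroots(export_text):
    """Return [(vroot_name, path, trailing_field)] for roots mapped to a bare drive."""
    hits, in_vroots = [], False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only string values under a "...\Parameters\Virtual Roots" key are examined.
            in_vroots = line[1:-1].lower().endswith(KEY_SUFFIX)
            continue
        m = VALUE_RE.match(line) if in_vroots else None
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # Data has three comma-separated fields, as in the message: path,,number.
        parts = data.rsplit(",", 2)
        path = parts[0].strip()
        trailing = parts[2] if len(parts) == 3 else ""
        if DRIVE_ROOT_RE.match(path):
            hits.append((name, path, trailing))
    return hits


if __name__ == "__main__":
    for name, path, trailing in find_drive_root_vroots(SAMPLE_EXPORT):
        print(f"suspicious virtual root {name!r} -> {path} (trailing field {trailing})")
```

Any hit means the whole drive is published through the web server, which is the condition the message treats as grounds for a rebuild.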