Welch Company
San Francisco, CA
S U M M A R Y
DIARY: December 30, 2010 11:58 AM Thursday;
Rod Welch
Trend Micro fix malware virus c16 slow processing Google redirection.
1...Summary/Objective
2...Work Plan Develop SIC Log Submit Trend Micro
3...Microsoft Windows Defender
CONTACTS
SUBJECTS
C16 Virus Redirection Search Google Case 1-1-395893663 Trend Micro R
3303 -
3303 - ..
3304 - Summary/Objective
3305 -
330501 - Follow up ref SDS 10 0000, ref SDS 9 0000.
330502 -
330503 -
330504 -
330505 -
330507 - ..
3306 -
3307 -
3308 -
3309 - Background
3310 -
331001 - On 101031 1719 report that for past 6 months c16 has had 2 growing
331002 - problems....
331004 - ..
331005 - 1. Google search redirection. ref SDS 3 6D5H
331007 - ..
331008 - 2. Access to Internet including email has become gradually slower,
331009 - which is a symptom associated with "denial of service" DOS
331010 - virus attack, reported on 031031 1125. ref SDS 1 LI8V
331012 - ..
331013 - Both problems seem caused by virus.
331015 - ..
331016 - Notified Trend Micro for assistance on 101122 1116. ref SDS 6 716S
331018 - ..
331019 - Trend Micro sent a letter recommending a system scan for examination
331020 - at Trend Micro offices in the Philippines, reported on 101122 1116,
331021 - ref SDS 6 F45I This system scan failed to correct the problem, and
331022 - led to a series of failed scans with the customer doing all of the
331023 - work to correct failure of Trend Micro virus protection with Pccillin,
331024 - continuing to yesterday on 101229 0621. ref SDS 10 4S8G
331026 - ..
331027 - 3. During system shut down or reboot, getting messages like...
331028 -
331029 - The instruction at "0x7750c8ed" referenced memory at
331030 - "0x000ad988." The memory could not be read.
331032 - ..
331033 - Trend Micro was notified of this recent problem, as part of a letter
331034 - to Allan on 101227 0948, ref SDS 9 NU7Q Possibly there is a hardware
331035 - memory failure causing problem 2; seems unlikely to be causing problem
331036 - 1, per above. ref SDS 0 J85H
331037 -
331038 - [...below, carrying out Trend Micro instructions to assess
331039 - redirection and DOS virus possibilities, encountered
331040 - another system error message of memory failure. ref SDS 0
331041 - G26S
331043 - ..
331044 - [...below Trend Micro SIC analysis program seems to have
331045 - failed at a memory address, and so may be similar to system
331046 - messages reporting memory failure on shut down, see below.
331047 - ref SDS 0 QG43 further explained following SIC error
331048 - report. ref SDS 0 PQ6M
331050 - ..
331051 - Thus, may have compound software (virus) and hardware problems.
331053 - ..
331054 - Scan results were submitted to Trend Micro on 101217 1210, ref SDS 7
331055 - LD35
331057 - ..
331058 - On 101223 1314 Trend Micro claimed the letter transmitting the scan
331059 - log was not received, even though there was no report that the
331060 - electronic transmission failed. Trend Micro created a new case
331061 - number, ref SDS 8 GM5J
331062 -
331063 - 1-1-395893663
331065 - ..
331066 - Since last week, have received several letters with instructions to
331067 - clear the problem. None have worked, as noted above. ref SDS 0 JF5K
331068 -
331069 -
331071 - ..
3311 -
3312 -
3313 -
3314 -
3315 - Progress
3316 -
331601 - Today, received another letter saying...
331603 - ..
331604 - 1. Subject: RE: Re: [SR1-1-395893663] Website Redirection
331605 - Date: 31 Dec 2010 00:21:39 +0800
331612 - ..
331613 - 3. Thank you for your patience in following the instructions. I
331614 - apologize that the previous instructions [...responding to
331615 - letter notifying Trend Micro that additional steps requested by
331616 - Trend Micro failed, 101229 0621, ref SDS 10 7H7O...], did not
331617 - fix the issue.
331619 - ..
331620 - 4. To further assist you on this case, I will be asking for a SIC
331621 - log using the SIC Tool. The SIC tool automatically collects
331622 - information about your system, specifically when you encounter
331623 - malware-related issues. It allows both you and Trend Micro
331624 - Technical Support to pinpoint possible infections by an unknown
331625 - malware.
331627 - ..
331628 - 5. Getting the SIC Log files using SIC tool
331630 - ..
331631 - 1. Go to this link to download the SIC Tool:
331632 -
331633 - http://www.trendmicro.com/ftp/products/sic/SIC%205.0%20Build%201004.zip
331635 - ..
331636 - Save it to your Desktop
331638 - ..
331639 - 2. On your desktop look for the SIC 5.0 Build 1004.zip file.
331640 - Single-right click the SIC 5.0 Build 1004.zip and select
331641 - Properties.
331643 - ..
331644 - 3. On the Properties window click Unblock and click OK (Note:
331645 - If there is no Unblock button proceed to the next step)
331647 - ..
331648 - Did not find an "Unblock" option.
331650 - ..
331651 - Trend Micro's letter continues...
331652 -
331653 - 4. Once again on the desktop look for the SIC 5.0 Build
331654 - 1004.zip file. Single-right click the SIC 5.0 Build
331655 - 1004.zip and select Extract All then click Next until you
331656 - reach the Finish button. (If you are using Winzip look for
331657 - Winzip and select Extract to Here)
331659 - ..
331660 - This was difficult to accomplish. C16 running xp would not extract
331661 - the files. Said there was no data, or file is corrupt.
331663 - ..
331664 - Downloaded to c17 running w7....
331665 -
331666 - g:\00\trendmicro\sic\sic 5.0 Build 1004.zip
331667 - ..
331668 - Properties for the zip file had an Unblock button, executed it.
331670 - ..
331671 - Extraction occurred normally, and saved files to...
331672 -
331673 - g:\00\trendmicro\sic\sic_5.0_build-1004\
331675 - ..
331676 - Trend Micro's letter continues...
331677 -
331678 - 6. It will now extract these files:
331679 -
331680 - 1. SICWin.exe
331681 - 2. TmEngDrv.dll
331682 - 3. Tmufeng.dll
331683 - 4. Sic.conf
331684 - 5. Sicdbase.dat
331685 - 6. Tmmcomm.sys
331687 - ..
331688 - Above list was extracted.
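The extraction steps above, as an added example that is not part of the original record or of Trend Micro's tooling: before running a downloaded support tool, test the archive's CRCs (c16 reported the zip as empty or corrupt) and compare its members with the six files named in the letter. The sample archives are constructed in memory; names are compared case-insensitively because Windows treats them that way.

```python
import io
import zipfile

# File names listed in the Trend Micro letter for SIC 5.0 Build 1004.
EXPECTED = {"SICWin.exe", "TmEngDrv.dll", "Tmufeng.dll",
            "Sic.conf", "Sicdbase.dat", "Tmmcomm.sys"}


def check_archive(data: bytes) -> dict:
    """Return integrity and membership findings for a downloaded zip."""
    result = {"readable": False, "bad_crc": None, "missing": [], "unexpected": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # truncated or corrupt download: no central directory
    with zf:
        result["readable"] = True
        result["bad_crc"] = zf.testzip()  # first member failing its CRC, or None
        names = {n.rsplit("/", 1)[-1].lower()
                 for n in zf.namelist() if not n.endswith("/")}
    expected = {n.lower() for n in EXPECTED}
    result["missing"] = sorted(expected - names)
    result["unexpected"] = sorted(names - expected)
    return result


def build_sample(names) -> bytes:
    """Build a constructed stand-in archive (placeholder contents only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample(sorted(EXPECTED))
    print("intact   :", check_archive(good))
    print("truncated:", check_archive(good[: len(good) // 2]))
```
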
331690 - ..
331691 - Prior to executing sicwin.exe did a shut down to clear memory.
331693 - ..
331694 - During shutdown, got another error message saying...
331695 -
331696 - The instruction at "0x7750cc86" referenced memory at
331697 - "0x02ae050 ." The memory could not be read.
331699 - ..
331700 - The above rendering is missing a character due to the speed of system
331701 - presentation during shutdown.
331703 - ..
331704 - Similar message was reported to Trend Micro in the letter to Allan on
331705 - 101227, ref SDS 9 NU7Q, saying...
331706 -
331707 - The instruction at "0x7750c8ed" referenced memory at
331708 - "0x000ad988." The memory could not be read.
331709 -
331710 - ...and as set out explaining possible compound problems to assess, per
331711 - above. ref SDS 0 J85H
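An added example, not part of the original record, that parses the two shutdown messages quoted above and compares the faulting instruction addresses. Both fall in the same 64 KB-aligned region and lie 0x399 bytes apart, so the same code is faulting each time; repeated faults at neighbouring code addresses are, as a heuristic, more typical of a software fault than of random memory failure. It assumes 32-bit addresses (8 hex digits) and treats a shorter value, like the second referenced address, as truncated rather than guessing the lost digit.

```python
import re

# Dialog text as transcribed in this record (second target lost a digit).
MESSAGES = [
    'The instruction at "0x7750c8ed" referenced memory at '
    '"0x000ad988." The memory could not be read.',
    'The instruction at "0x7750cc86" referenced memory at '
    '"0x02ae050 ." The memory could not be read.',
]

PATTERN = re.compile(
    r'instruction at "0x([0-9a-fA-F]+)\s*\.?"\s+referenced memory at '
    r'"0x([0-9a-fA-F]+)\s*\.?".*?could not be (read|written)', re.S)

GRANULARITY = 0x10000  # Windows reserves address space in 64 KB units
ADDR_DIGITS = 8        # assumption: 32-bit Windows XP process


def to_addr(hex_digits):
    """Return the address, or None when the transcription dropped digits."""
    return int(hex_digits, 16) if len(hex_digits) == ADDR_DIGITS else None


def parse(message):
    m = PATTERN.search(message)
    if not m:
        return None
    ip, target = to_addr(m.group(1)), to_addr(m.group(2))
    return {
        "ip": ip,
        "target": target,
        "truncated": ip is None or target is None,
        "access": m.group(3),
        "region": None if ip is None else ip - ip % GRANULARITY,
    }


def group_by_region(events):
    """Group faults by the 64 KB-aligned region of the faulting instruction."""
    groups = {}
    for e in events:
        groups.setdefault(e["region"], []).append(e)
    return groups


if __name__ == "__main__":
    for region, evs in group_by_region([parse(m) for m in MESSAGES]).items():
        print(hex(region), [hex(e["ip"]) for e in evs])
```

Naming the module that owns the region needs the loaded-module list from c16, which this record does not contain.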
331712 -
331714 - ..
3318 -
3319 -
3320 - 1600
3321 -
332101 - Decided to investigate with HP memory problems, before continuing with
332102 - Trend Micro instructions.
332103 -
332104 - [...in another record today on 101230 1601 called HP and
332105 - reported recent memory error messages during shut down from
332106 - Windows XP. ref SDS 11 Y15H HP eventually provided support
332107 - and assisted performing BIOS memory and disk test.
332108 - ref SDS 11 UH8G HP testing shows normal Internet access and
332109 - data transfer on network with Windows 7 64-bit, suggests
332110 - problems with Windows XP, rather than hardware failures.
332111 - ref SDS 11 E66T
332113 - ..
332114 - [On 101231 1712 notified Trend Micro may end efforts to
332115 - resolve Google Search redirection problem using virus
332116 - protection diagnostics, as efforts have failed the past
332117 - month, and instead format the drive and re-install Windows
332118 - XP. ref SDS 12 5L3P
332120 - ..
332121 - [On 110102 1308 took c16 to Fry's and arranged for Ryan to
332122 - format I: drive and install xp de novo. ref SDS 13 ZE4H
332124 - ..
332125 - [On 110107 1413 received c16 configured with Windows XP
332126 - installed; virus and performance accessing the Internet and
332127 - transferring files to another computer are resolved;
332128 - received software to configure multi-boot for efficient
332129 - access. ref SDS 14 1U5N
332130 -
332131 -
332133 - ..
332134 - Trend Micro's letter continues...
332135 -
332136 - 7. SIC Log Assess Malware Virus Problems
332137 -
332138 - 1. Double click on the SICWin.exe file
332139 -
332140 - A window will appear that will ask you to accept just click
332141 - I Accept
332143 - ..
332144 - 2. The SIC Window will appear. Click on the Analyze button on
332145 - the window.
332147 - ..
332148 - It will now begin analyzing the computer and will save a
332149 - log file inside the SIC Folder.
332151 - ..
332152 - Sicwin.exe issued following report without completing analysis of
332153 - c16...
332154 -
332155 - System Information Collector has encountered a problem
332156 - and needs to close. We are sorry for the
332157 - inconvenience.
332159 - ..
332160 - Please tell Microsoft about this problem.
332162 - ..
332163 - We have created an error report that you can send to
332164 - us. We will treat this report as confidential and
332165 - anonymous.
332167 - ..
332168 - To send what data this error report contains "click
332169 - here."
332170 -
332171 - Send Error Report Don't Send
332173 - ..
332174 - Clicked "click here."
332176 - ..
332177 - SIC opened another window saying...
332178 -
332179 - System Information Collector
332180 -
332181 - Error signature
332182 -
332183 - Reporting details
332185 - ..
332186 - This error report includes information regarding the
332187 - condition of System Information Collector when the
332188 - problem occurred, the operating system version, and the
332189 - Internet Protocol (IP) address of your computer.
332191 - ..
332192 - We do not intentionally collect your files, name,
332193 - address, email address or any other form of personally
332194 - identifiable information. However, the error report
332195 - could contain customer specific information such as data
332196 - from open files. While this information could
332197 - potentially be used to determine your identity, if
332198 - present it will not be used.
332200 - ..
332201 - The data that we collect will only be used to fix the
332202 - problem. If more information is available we will tell
332203 - you when you report the problem. This error report
332204 - will be sent using a secure connection to a data base
332205 - with limited access and will not be used for marketing
332206 - purposes.
332208 - ..
332209 - To view technical information about the error report
332210 - "click here."
332212 - ..
332213 - To see our data collection policy on the web "click
332214 - here."
332216 - ..
332217 - Clicked "click here" to view technical information.
332219 - ..
332220 - SIC opened another window saying...
332222 - ..
332223 - This report shows a sequence of memory addresses. Since SIC analysis
332224 - failed reading system memory, this may align with the report to Trend
332225 - Micro in the letter on 101227, cited in background above.
332226 - ref SDS 0 K35J
332228 - ..
332229 - The last element of the SIC analysis seems to have ended with...
332230 -
332231 - Error signature
332232 -
332233 - x Preparing
332234 - x Connecting to server
332235 - x Checking for status of this problem
332237 - ..
332238 - Error reporting completed.
332240 - ..
332241 - Trend Micro's letter continues...
332242 -
332243 - 3. After it's finished analyzing it will show you a window
332244 - asking if you want to view the logs, just click NO.
332246 - ..
332247 - As noted, SIC analysis seems to have failed and ended with error
332248 - report sent to Trend Micro, per above. ref SDS 0 K68K
332250 - ..
332251 - 4. Click Retrieve Files button and click on the Compress and
332252 - Retrieve Files button.
332254 - ..
332255 - 5. Click Done when finished, then click Sent to Trend Labs
332257 - ..
332258 - 8. Open the sic folder on your Desktop. Look for a SICLOG folder.
332259 -
332260 - 1. Double click the SICLOG folder to open and you will see a
332261 - SICLOG0000x.TXT and a SUSPECT.log file inside.
332263 - ..
332264 - 2. Attach the SICLOG0000x.TXT and SUSPECT.log to this email
332265 - and forward it back to me.
332267 - ..
332268 - Found siclog0000x.txt, but there is no suspect.log file produced.
332269 -
332270 - [On 101231 1712 submitted log to Trend Micro with link to
332271 - this record showing details on performing Trend Micro
332272 - guidance to evaluate Google redirection problem on c16, and
332273 - recent slow access to access and the network. ref SDS 12
332274 - 5L3V
332276 - ..
332277 - As noted, SIC analysis seems to have failed and ended with error
332278 - report sent to Trend Micro, per above. ref SDS 0 K68K
332279 -
332280 - [...in another record today on 101230 1601 called HP and
332281 - reported recent memory error messages during shut down from
332282 - Windows XP. ref SDS 11 Y15H HP eventually provided support
332283 - and assisted performing BIOS memory and disk test.
332284 - ref SDS 11 UH8G HP testing shows normal Internet access and
332285 - data transfer on network with Windows 7 64-bit, suggests
332286 - problems with Windows XP, rather than hardware failures.
332287 - ref SDS 11 E66T
332289 - ..
332290 - Trend Micro's letter continues...
332291 -
332292 - 9. You can refer to the link below:
332293 -
332294 - http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1032596&id=EN-1032596
332296 - ..
332297 - 10. Note: We would appreciate a response from you within 24 to 48
332298 - hours from the date you receive this email. After the given
332299 - time frame, your case will be presumed resolved and closed.
332300 - You will also receive a feedback from us confirming the status
332301 - of your case. Should you still have concerns regarding your
332302 - issue, please simply reply to this email.
332304 - ..
332305 - 11. To ensure timely response on your cases, please check your
332306 - "spam" folders too. If this email is tagged as spam, please
332307 - mark this message as "not spam" email.
332309 - ..
332310 - 12. Have a great day!
332312 - ..
332313 - 13. Regards,
332315 - ..
332316 - 14. Allan Rey Mendoza
332317 - Consumer Support Team
332318 - Trendlabs HQ, Trend Micro Incorporated
332320 - ..
332321 - 15. In order for us to have a history of our correspondence, please do not delete the subject and the contents of this email.
332322 - ===========================================================================
332323 - For future inquiries, you may visit our support page using the link below:
332324 - http://esupport.trendmicro.com/support/consumer/consumerhome.do
332325 - ===========================================================================
332326 -
332328 - ..
3324 -
3325 -
3326 - 1445
3327 -
332701 - Work Plan Develop SIC Log Submit Trend Micro
332702 -
332703 -
332704 - 1. Setup c16 for support using c17.
332705 -
332706 - 2. Update SDS on c16 from c17 that works.
332708 - ..
332709 - Encountered problem transferring files from c17 to c16. C17 would
332710 - not open c16 on the network.
332712 - ..
332713 - Got c16 to open c17 on the network. Then c17 opened c16.
332715 - ..
332716 - Moved updated files from c17 to c16, only about 100 MB. This was
332717 - very very slow. Should have taken 10 seconds or less. Took about a
332718 - minute.
332720 - ..
332721 - Work Plan continues...
332722 -
332723 - 3. Try accessing the Internet on c16 to obtain tools cited by
332724 - Trend Micro in their letter today, per above. ref SDS 0 OQ6Q
332726 - ..
332727 - Save download for future work in...
332728 -
332729 - g:\00
332731 - ..
332732 - 4. Try to unzip the download.
332733 -
332734 -
332735 -
332737 - ..
3328 -
3329 -
3330 - 2339
3331 -
333101 - Microsoft Windows Defender
333102 -
333103 - Found this on the Internet looking for analysis on reinstalling
333104 - Windows XP....
333105 -
333106 - http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
333108 - ..
333109 - Tried installing on c17 with Windows 7 32-bit. Got message that
333110 - Windows Defender is part of Windows 7 OS, and so not needed.
333112 - ..
333113 - Tried installing on c16 for XP, which seems to be infected.
333115 - ..
333116 - Got error message saying...
333117 -
333118 - Service "Windows_Defencer" (WindDefend) failed to start.
333119 - Verify that you have sufficient privileges to start system
333120 - services.
333121 -
333122 - Retry Cancel
333124 - ..
333125 - Tried "Retry"
333127 - ..
333128 - Got same message again.
333129 -
333130 - [...in another record today on 101230 1601 called HP and
333131 - reported recent memory error messages during shut down from
333132 - Windows XP. ref SDS 11 Y15H HP eventually provided support
333133 - and assisted performing BIOS memory and disk test.
333134 - ref SDS 11 UH8G HP testing shows normal Internet access and
333135 - data transfer on network with Windows 7 64-bit, suggests
333136 - problems with Windows XP, rather than hardware failures.
333137 - ref SDS 11 E66T
333138 -
333139 -
333140 -
333141 -
333142 -
333143 -
333144 -
333145 -
333146 -
3332 -