Mydoom,Zindos,Doomjuice infection?

I woke this morning to be greeted by windows autoupdate informing me that I had an update for KB836528 to be installed. This update is only offered if windows update detects an infection. My question is why didn't NOD detect this and how did I get infected? here is the link to the KB article and here are my log entries from this morning;

http://support.microsoft.com/default.aspx?kbid=836528

Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation
Event ID: 17
Date: 10/16/2004
Time: 4:52:35 AM
User: N/A
Computer: XXXX-XXXXXXXXXXXXX
Description:
Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:
- Mydoom, Zindos, and Doomjuice Worm Removal Tool (KB83652

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And my NOD info;

NOD32 Antivirus System information
Virus signature database version: 1.896 (20041015)
Dated: Friday, October 15, 2004
Virus signature database build: 4918

Information on other scanner support parts
Advanced heuristics module version: 1.010 (20040902)
Advanced heuristics module build: 1061
Internet filter version: 1.002 (2004070
Internet filter build: 1013
Archive support module version: 1.021 (20040917)
Archive support module build version: 1101

Information on installed components
NOD32 for Windows NT/2000/XP/2003 - EMON
Version: 2.0.0
NOD32 For Windows NT/2000/XP/2003 - Base
Version: 2.12.2
NOD32 For Windows NT/2000/XP/2003 - Internet support
Version: 2.12.2
NOD32 for Windows NT/2000/XP/2003 - Standard component
Version: 2.12.2

Operating system information
Platform: Windows XP
Version: 5.1.2600 Service Pack 2
Version of common control components: 5.82.2900
RAM: 512 MB
Processor: x86 Family 6 Model 5 Stepping 2 (448 MHz)
What gives? How did I get infected? is this a false positive from WindowsUpdate? the article says it looks for registry entries. I am confused by all of this. And no NOD never alerted or even found supicious files or anything. Any advice?

 

flyrfan111, I took the tool anyway, easily carried. Not infected.

 

Yes I took the tool also when I installed SP2, my question is, Windows update is only supposed to automatically download it if you are infected, I have a fully patched system, an updated NOD installation and a firewall(Sygate Pro), how did I get infected in the first place? NOD should have picked it up, Sygate has it in it's IDS signatures, so it should have picked it up also. How did I get it in the 1st place? Is this a FP from windows update? Unfortunately the tool doesn't tell you what it is hitting on so sending the file(s) to Eset is not possible. The KB article claims that it looks for registry entries, but doesn't specify what in particular it scans for.

 

Did you receive any of this information?

"6. It displays a Windows message box that describes the outcome of the detection or removal. You may receive any one of the following messages: • No infection detected – Mydoom variants A, B, E, F, G, J, L, or O, Doomjuice variants A and B, and Zindos.A were not detected on this computer.
• Successfully removed Mydoom. variant-letter – The variant of Mydoom worm was removed, and you do not have to do anything else. The variant-letter could be A, B, E, F, G, J, L, or O.
• Successfully removed Zindos.A – Zindos.A was removed, and you do not have to do anything else.
• Successfully removed Doomjuice.A - Doomjuice.A was removed, and you do not have to do anything else.
• Successfully removed Doomjuice.B - Doomjuice.B was removed, and you do not have to do anything else.
• This tool must be run by an administrator – To run the tool, you must log off and log back on using an account with administrator credentials.
• Fatal error, please review log file – Review the log file for errors, and then contact Microsoft Product Support Services (PSS) if you must.
• Mydoom. variant-letter was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
• Mydoom.B was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
• Doomjuice.A was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
• Doomjuice.B was detected, but could not be removed – Try to reexecute the tool, and check the log file for errors.
• Incorrect Windows version (Win32s) – This tool is not supported in Windows 3.1 with Win32s. "

Or can you view the log file?


"The Mydoom Worm Removal Tool creates a log file that is named Doomcln.log in the %WINDIR%\debug folder in Windows Server 2003, Windows XP, and Windows 2000. The log file is created in the %WINDIR% folder in Windows 98, Windows 98 Second Edition, and Windows Millennium Edition."

 

Yes and it gets even more strange. According to the log from doomcln which I will post below No infection was found. Autoupdate is only supposed to download it if you are infected correct? What set autoupdate to download it then? I installed the tool from the options when I installed SP2. I guess it was an false positive from wondows updating automatically. That's all I can figure. I can't see how any of them could have gotten through an updated system, updated AV and a current firewall with updated IDS sigs.

Microsoft MyDoom removal tool (build 1.227) started on Sat Oct 16 11:15:09 2004
Checking 41 processes.
Checking startup registry keys for current user.
Checking keys for 7 other users
Deleted registry key 80000002:Software\Microsoft\Windows\CurrentVersion\Shell
Checking known MyDoom filenames.
**** No MyDoom infection found ****
Microsoft MyDoom removal tool stopped on Sat Oct 16 11:15:11 2004

Thanks for all the replies, sorry for wasting everyone's time. Especially thanks to Stan999, if I knew where the log was I wouldn't have had to start this thread. Just another MS goof I suppose.

 

Wasn't your computer infected with one of those worms in the past? Per what MS states on their website, the tool is downloaded also in case worm leftovers are detected in the registry. Another possibility is that the updater offered you the tool in error despite having no symptoms of infection.

 

No Marcos, I haven't had one of those. You are probably remembering the False Positive I had with Panda, Trj/Qhost.gen I think it was. They were detecting that Spybot modified my hosts file. That wasn't a virus or a worm though.