KINGSKNIGHT, attempt at summary
a summary of another thread?
well, it seemed it HAD to be done...
Quote:
Originally posted by cyndy10:
Incredible read. I have bookmarked this and saved to notepad most of the advice.
I am thinking of making a webpage of this thread's advice - if I can find a logical
order to put things in. If I do so I will give proper credit and post the link for
others to link to in the future.
Would anyone object?
Hi all, here's an attempt...
Jaak
___________________________________________________________________
A security related thread found at Virtual Doctor forum...
The entire thread where these excerpts were taken from is HERE
___________________________________________________________________
topic started by KINGSKNIGHT
===========================
KINGSKNIGHT Q-
Whenever I go online my best mate calls me up and tells me that I'm online.
I have not got any other programs running on my computer that deal with the
net, e.g. chat programs.
(later on it turns out he did have MSN and a few virii & trojans.
The first few questions soon result in a startup-logger printout.)
Initial advice given includes AV scan/firewall/netstat/startup logger.
Q - Are you using ICQ or AIM ?
KINGSKNIGHT A/Q- I don't use ICQ and I don't know what AIM is?
A - AIM is AOL Instant Messenger. If you are using AOL or their instant messenger
program, others who have you on their buddy list can see when you are online and
for how long you have been there. Got AOL? Got a firewall installed? Might be time
for a new friend..hehe
Q & ADVICE - The next time you go online, wait a few minutes; then, before you open
a browser or any other program, click Start>Programs>MS-DOS Prompt and at the
C:\>_ prompt type netstat and hit enter.
If you're already online then just close all programs related to the internet
(email, browser,chat progs, napster etc)
Let us know what, if anything, shows up.
If nothing shows up wait another 30 minutes and try again.
ADVICE- a few well regarded free programs that may be useful to you: (mentions firewalls)
zonealarm
or http://www.tinysoftware.com/
ADVICE ABOUT FIREWALL-
Most of the alerts they pick up are normal background "noise" on the internet and are not
necessarily pointed right at you. In fact your ISP will probably "ping" you many times a day.
If you are curious, you can go to this site and enter the number in the box and submit.
http://www.arin.net/whois/
Here is a somewhat techy site that explains what firewalls report.
http://www.robertgraham.com/pubs/firewall-seen.html
ADVICE ABOUT ANTIVIRUS
a free AV (well regarded by many at Virtual Doctor) http://antivirus.cai.com/ (with free updates)
individual descriptions and fixes found at symantec
http://www.sarc.com http://www.symantec.com/avcenter/tools.list.html
and as you all know, there are a good many other antivirus programs, some of them are free (albeit some want you to pay once you want updates...) panda, mcafee. ...
Some of them can do an online scan.
panda http://www.pandasoftware.com
Trend Micro's Housecall http://housecall.antivirus.com
McAfee http://www.mcafee.com
> Online Services > Anti-Virus
(you can do a one-shot trial of the service)
...............................................................................
KINGSKNIGHT has posted result from STARTUPLOG
ZA firewall has been activated and netstat results get posted
spyware, trojans and worms have been found,
and are being dealt with...
ADVICE about www.samspade.org gets posted
go here and enter the remote address in the whois box..in this case 62.7.49.97
this will give you info on the ISP of the user that's scanning you.
Just be aware it could be anyone from anywhere in the world. You may eventually
see a pattern develop and maybe geographically be able to tell when your 'friend'
is trying to access your computer.
Don't go completely paranoid though... you will probably get lots of attempts..
tracing all of them will eventually either drive you crazy or you may just get bored.
Once you realize you're safe behind the firewall then the novelty of being scanned
can wear off pretty quickly.
ADVICE ABOUT TROJAN REMOVAL
exefix8 and the other rmbox tools; which include STARTUPLOG
http://home.earthlink.net/~rmbox/Reticulated/Toys.html
rmbox can also be linked to from http://www.lurkhere.com, which lists good links to other tools
tauscan trojan detection/removal http://www.agnitum.com/products/tauscan/features.phtml
ADVICE ABOUT SPYWARE remover
adaware http://www.lavasoft.de/
GENERAL ADVICE gets posted
do you want a good read up on computer security ??
http://www.ceepeeu.com/ and http://www.cert.org/
---------------------------------------------
this gets posted while worms and other nasties are being dealt with
Q - After seeing those two worms, I'm starting to get the feeling that you have your
file and printer sharing active. Unless you are on a network, they don't need to be
and are giving an opening for these worms. If you are using windows 98, do this:
Start button>
settings>
control panel>
network>
On the configuration tab, click the "file and print sharing" button. Make sure that
both boxes have NO CHECKS in them. If they do, remove them and hit OK.
KINGSKNIGHT A - I have not got my file/printer sharing on and never have had it on.
I am running Windows ME and I have had 3 worms now.
A/Q - It seems very odd that none of that was found in your startup profile, which
would have been necessary for them to be active. Do a Find Files for Notepad.com now;
if you had the qaz worm it should have renamed your real Notepad program to that and
it should be in your Windows directory.
http://www.symantec.com/avcenter/ven...llw.qaz.a.html
Also look for and delete the file network.log on the root directory if you find it: http://www.sarc.com/avcenter/venc/data/vbs.network.html
A - I'm sorry, I don't have an explanation for you on how you got them.
The important thing is that your anti-virus is catching and eliminating them.
It is interesting that you are finding these items after your friend bragged
he knew what you were doing... HMMMM Also not real familiar with windows ME
so maybe someone else has an opinion on security measures.
A/Q- ADVICE - It may take a while to find out how, the VBS stuff is constantly evolving.
The main point is to have a firewall or some protection from it calling out...
just in case they get in.
BUT, what WhitPhil has recommended early on is becoming very important.
You need to be careful that there is not another server on that machine...
Tauscan should find it. The server can't call out in any event, because of ZA.
Please install Tauscan. It has over 2000 Trojan definitions on board and the ability
to clean them.
BUT in this case, after you install Tauscan...don't run it immediately, open the
program and click the "Tools" button. Then "Options", then "Actions". On the Action
screen choose the "Report Only" radio button.
Apply that change, OK your way out, and then start the scan. That should list anything
in the logfile. If something shows up, post it here.
Sometimes it is best to see what is there before it is cleaned.
There are folks around that will help at that point.
KINGSKNIGHT Q-
I am reading up on the bugs that I have got and THEY ARE ALL NETWORK BUGS!!!
I have never been part of a network. My AV has now got 6 network bugs!!!
Why is this happening to my computer???
I have got a bug called "AOL buddy"
this is really messed up because I have not got AOL, I am with btinternet (ISP)
Where could I have got all these from???
If he was randomly calling me I would work out that it was him, but he only ever calls
me (on my mobile) when I am online.
I don't believe that he randomly calls to see if I am online
A + OBSERVATIONS by Innovator (one of the guys behind lurkhere.com)
The VBS stuff is sneaky and pretty hard to keep out.
The Qaz is a nice vector to load a server with, I keep hearing as small as ~7k.
Once that is in place, the plug-ins can be delivered. That thing should be about 400K.
At this point there is no need to leave the entries in the start-ups for those two
laying around. If there is a server, where is it running from ?
I'm not even sure it would still be there. If a Sub-Seven or Back Door was in place...
he could have monitored all the commotion... he then had plenty of time to kill it
before the new proggies got loaded.
Of course I'm a sucker for conspiracy threads on Friday nite, too.
But that is why I would really like to see Tauscan or Moonsoft run with a report.
That's just not InnoculatIT's job.
MORE ADVICE & SOME REFLECTIONS
(the posted log is scrutinised by many, and this is the only excerpt taken from these)
7. WIN.INI File - C:\WINDOWS
what about this hpfsched item?
isnt this contrary to what it says about nothing besides = sign?
Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.
These are the run and load lines in your WIN.INI file
run=hpfsched
load=
(after which someone mentioned this HP line gets nullified elsewhere)
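As an added example (not from the thread), the WIN.INI check described above written out as a small Python script: it parses the [windows] section and reports anything to the right of the run= or load= signs, which the posters say should be empty. The file content below is constructed to mirror the posted excerpt (run=hpfsched); the script name and functions are not from the original.

```python
import re
from typing import Dict, List

# Constructed WIN.INI fragment shaped like the excerpt posted in the thread.
# run=hpfsched is the entry the poster asked about. Not a real captured file.
SAMPLE_WIN_INI = """\
; constructed sample for this example
[windows]
load=
run=hpfsched
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .ini parser: section name (lower-cased) -> {key (lower-cased): value}.
    Skips blank lines and ';' comment lines; a repeated key keeps the last value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_run_load(text: str) -> List[str]:
    """Return one finding per program named on the [windows] run= / load= lines.
    The baseline the thread describes is 'run=' and 'load=' with nothing to the
    right of the '=' sign, so an empty list means that baseline holds."""
    findings: List[str] = []
    windows = parse_ini(text).get("windows", {})
    for key in ("run", "load"):
        value = windows.get(key, "")
        # WIN.INI allows several programs on one line, separated by spaces or commas.
        for program in re.split(r"[\s,]+", value):
            if program:
                findings.append(f"{key}= starts '{program}' at logon; verify it is expected")
    return findings


if __name__ == "__main__":
    for finding in audit_run_load(SAMPLE_WIN_INI) or ["run= and load= are empty"]:
        print(finding)
```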
You guys sound like you could put a program like
Comm View to good use.
It's great for seeing just who's connected to your computer and with the packet viewer
you can see exactly what's coming in and going out.
This is a bit ludicrous.
3 pages when you could have seen from the start log that he has MSN messenger loading at
startup. that is how your buddy is seeing you online
(a point well taken... however, there were enough worms to go fishing with...)
-------------------------------------------------------------------
interceptor1 wrote (page three)
this is for all those that are new and aren't familiar with all the neat tools we here
at VDr. use and things we do to protect ourselves. There are a lot of links, but most of
this stuff is pretty easy to use, especially the utilities.
1. If you use any IRC's (AIM, Icq, MSN), make sure they do not start with your machine.
Once they do, you do not want to be visible (if that option is available). Any other
security features in there you should use as well.
2. While no firewall is infallible (I know how to scan around them), ZoneAlarm
(www.zonelabs.com) will defeat nMAP scans thru ports 65000+. It also is faster than
most firewalls (yes, even ATGuard/Norton Internet Security, Tiny). It will also not
crash as easily as many firewalls if they are scanned at high speed and bombarded
with many packets. I allowed nMAP scans pound away at my system for 2 hours and they
were useless. If you prefer rules based firewalls, Tiny (www.tinysoftware.com)
Norton Internet Security (http://www.symantec.com/product/home-is.html) are probably
your best bet.
3. For everyone using ZoneAlarm and does not know about the many log analyzers there are
available to assist you in determining what all those alerts mean, you can go to
http://clearzone.hypermart.net/
(which also has analyzers for BlackIce) and get an excellent shareware version,
or you can go to http://www.zonelog.co.uk/
or http://keir.net/icewatch.html (for BlackIce)
and obtain free versions.
4. Defeat those nasty .VBS scriptworms as well as the new trojan/virus embedded hostile
web pages. This free tool from Symantec is all you need to protect you from them.
http://www.symantec.com/avcenter/ven...t.hosting.html
This next tool (HTAStop) will disable the new virus embedded HTML issue.
http://www.nsclean.com/psc-exe2.html
5. Maintain your operating system security updates.
This is a must, because if they're important enough for Microsoft to take the time (finally)
to address them, you should have them.
6. Whatever antivirus you decide to use must be maintained and upgraded constantly.
I use PC-cillin2000. Yes it has akamai advertising software in it, but ZoneAlarm blocks it.
It is also (in my opinion) more effective than InnoculateIT
http://antivirus.cai.com/ (if you want free, then this is the only free one you want.)
It actually works better than Norton or McAfee)
Norton Antivirus http://www.symantec.com,
McAfee http://www.mcafee.com,
AVP http://www.avp.ch,
AVX http://www.avp.com,
and Command http://www.commandcom.com.
The only one it didn't beat was Panda Platinum
http://www.pandasoftware.com/
However, Panda Platinum uses a lot of system resources.
But, it's whatever you prefer. Having nothing at all is the worst thing you can do.
7. Tauscan from www.agnitum.com and The Cleaner www.softseek.com are the most effective
add-on trojan scanners there are. Personally, I use Tauscan.
8. Ah, the famous "Toybox" from our esteemed "rmbox"....
some of the handiest little utilities I've ever seen.
http://home.earthlink.net/~rmbox/Reticulated/Toys.html
9. RegistryProtect from http://www.diamondcs.com.au/html/registryprot.htm is a free registry
monitor that will alert you to sudden changes in your system's registry.
Jammer (www.agnitum.com) is shareware and has this and other features.
The newest version of Jammer (2.0) while not a firewall, has firewall like functions. Until
Agnitum comes out with an effectively tested true firewall tho, I prefer the old reliable v1.95.
10. AdAware http://www.lavasoft.de/aaw/index.html is the perfect way to get rid of
that pesky spyware.
11. SpyChecker is the perfect way to check if that free program has spyware in it.
www.spychecker.com
An additional site that you can also check is here:
http://www.infoforce.qc.ca/spyware/enknownlistfrm.html
12. Netlab http://www.adanil.com/NetLab/index.html
is freeware that you keep on your system. It's small and does WhoIs, DNS, ping, finger, quote,
trace and time on those ip addresses that keep popping up in your firewall logs.
Pretty nifty and you don't have to go to a separate site.
13. All kinds of virus removal tools, and for free!
http://www.symantec.com/avcenter/tools.list.html
http://www.js-inc.com/
http://www.pandasoftware.com/
McAfee's Manual Removal and tools page:
http://vil.mcafee.com/virusSupport/virusSupport.asp?
(Click on 'Top10' 'Command line' or 'Misc.' links from that page).
Or, try the AVERT page, here:
http://www.mcafeeb2b.com/naicommon/a...nter/tools.asp
http://fireav.com/downloads/
14. Now that I've effectively gone blind....I guess that's all.
_________________________
Q - by member
a while ago I renamed mshta.exe and have not yet seen ill effects.
(this refers to html security issue in outlook. Renaming this was a tip I saw while reading an earlier thread. HTAstop may be better for it though.)
I also use symantec script killer.
Still, I have a question
What is java JIT compiler and what does it do? In IE5x it is enabled by default.
Besides that, what do the other two java entries in tools/IEsettings/advanced mean?
A - here is some information:
In order to understand JITs (Just-In-Time compilers), you must first understand how the Java
Virtual Machine (JVM) works. When you write a Java™ application, such as the
following "hello world" program:
    class hello {
        public static void main(String argv[]) {
            System.out.println("Hello!");
        }
    }
You first run "javac", the Java Compiler, which turns the Java code into what is known as
"bytecodes" and puts them into the "hello.class" file. This class file can then be interpreted
on any machine which has a Java Virtual Machine on it. The key word here is "interpreted".
The Java Virtual Machine processes each of the bytecodes in the .class file and executes them.
This is similar to what other interpreted languages do, such as Basic, LISP, and Smalltalk.
When a JIT is present, the Java Virtual Machine does something different. After reading in
the .class file for interpretation, it hands the .class file to the JIT. The JIT will take
the bytecodes and compile them into native code for the machine that you are running on.
It can actually be faster to grab the bytecodes, compile them, and run the resulting executable
than it is to just interpret them. The JIT is an integral part of the Java Virtual Machine,
so you never notice it's there, except your Java runs faster. Some environments allow you
to choose whether or not to JIT code.
Java is a dynamic language, so you are not allowed to "statically" compile all the .class
files into machine code until they are actually called. Thus the JIT is really "just-in-time",
since it compiles methods on a method by method basis just before they are called. If you call
the same method more than once, the JIT'd code can really pay off as you do not have to re-JIT
the method and can simply re-execute the native code.
Does it make sense to always JIT code? No, not always. Sometimes JIT'd code does not run any
faster than interpreted code. If the Java Virtual Machine is not spending its time interpreting
bytecodes, then JIT'ing the bytecodes will not speed things up. Although it is rare, things
might slow down since you are spending the time compiling the bytecodes when you could have
been interpreting them.
The Java Console window both displays Java messages and accepts input to Java applications.
Unless you are writing a command-based Java application, you cannot use the Java Console
window for input.
JAVA CONSOLE WINDOW
The Java Console window displays:
Messages from this application (Java Studio or Java WorkShop)
Messages from user-supplied programs running within this application
Examples of these kinds of messages are:
Messages from applets and components
Java errors
You can display the Java Console window at any time by choosing Windows -> Java Console.
Normally, the Java Console window automatically appears whenever there are messages to display.
To prevent the Java Console window from automatically appearing, click the Pop Up On
Any Output checkbox on the Java Console window. To undo this action, display the Java Console
window and then click the checkbox again.
If you are developing a command-based Java application, you can use the Java Console window
to send input to your application. The Java Console window lets you send input that would
normally be entered at your user's command line.
JAVA LOGGING
The Javalog.txt file is created in the Windows\Java folder when Java logging is enabled and
an error occurs when a Java program is run. The Javalog.txt file can provide information
about the Java error and the classes affected. To view the Javalog.txt file, close Internet
Explorer and then open the Javalog.txt file with WordPad.
===============================
At about this point KINGSKNIGHT decides to format and asks:
Q - If I format my C:\ drive will all viruses be deleted?
Is there any way that a virus can come back from a formatted hard disk?
I don't think so but I must ask.
---------------------------------------------------------------
A - there are virus types that survive format C:
to wit, boot sector virii and CMOS -aka, BIOS- infectors.
(I do not think you have to worry. this answer is purely academic,
your AntiVirus scan did not pick these up, see.)
Still academic, but one can play it safe.
search SARC (at symantec) and find info on bios/cmos infectors.
get the removal tools and put them on disk.
Then, for instance, you can run CIH kill from symantec, which will even run in infected
systems and disable CIH if found, after which it can be removed.
(CIH is the payload of another nasty called Chernobyl, and I saw a few of those after Xmas)
when bios/CMOS is infected (which CIH and a few others can do if bios protection was off),
there are ways to restore CMOS. (methods are described at symantec. methods can include
a BIOS flash, even recovery mode flash)
again, if you came out clean, you should not worry.
To kill master boot record infectors, it is often said that fdisk /mbr will kill it.
(even when fdisk was not designed to be used as antivirus tool)
Yet there's danger in this advice if it is given without mentioning the possible consequences.
To wit; on systems with the operating system still installed, you should NOT run fdisk /mbr
when using a boot manager, nor on systems using Adaptec GoBack or Second Chance.
BEWARE, The use of fdisk /mbr ain't always good for virus removal.
As far as dealing with boot sector viruses, there are instances where running an AV using
a generic cleaning solution can be a BAD thing.
The One-Half virus is a classic example of this dangerous potential.
There is also other information concerning running F-Disk/MBR. Check this thread out:
http://www.suggestafix.com/ubb/Forum9/HTML/000195.html
you should also not run fdisk /mbr on drives with more than four partitions
(so I hear, I bet it must be true)
And don't do FDISK /MBR on drives in machines which NEED an overlay !!
(this is QUITE important, so heed this warning if you still have data on that drive.)
Microsoft article; how to determine if overlay is used.
http://support.microsoft.com/support.../Q186/0/57.ASP
Actually, if you want to start squeaky clean and gonna format anyway, you could first get the
proper drive manufacturer tools and prepare the drive as if it was a new one.
(iow, get it to the as new state)
To do so, you should boot from CDROM (or a bootable floppy which is absolutely clean, and the
surest way to make such one is done from cdrom)
Then run the proper util from the drive manufacturer.
(The tools one usually finds can be things like zap/blast/wipe and these would get rid of it,
since mbr and embr are rewritten)
One could also download MBRWORK.
http://www.terabyteunlimited.com/utilities.html
ZAP and WIPE are found here
http://www.braintrust.gr/products/IB...rt/welcome.htm
But, why bother?
A good antivirus tool will get rid of boot sector infectors just as well...
btw, Mach2 is right, you should never do a low level if you don't have to.
Doing it from within BIOS is outright dangerous when done on a modern drive
(from BIOS is a TRUE LOW LEVEL)
Hard drive manufacturers will also warn you about the dangers in using their very
own "low level" utils.
So, once again, why bother? A good antivirus can get rid of virii for you.
btw, if you gonna format, run it like
format C: /U
(for unconditional) which Formats both FAT tables, and does NOT save unformat data.
(at least, that's what I think it means. Anyone know where unformat data get stored??)
here's a thread which describes a few methods to create virus free start disks
http://discussions.virtualdr.com/For...ML/038724.html
If your drive wasn't divided into partitions, partitioning might be a good idea.
After format and setup, make sure you re-enable antivirus protection in BIOS.
btw, after fdisk (or drive tools), reboot
after format, reboot.
iow, do not run setup immediately after format finished.
Q - Why should i not run setup immediately after format finished?
A - because format puts your drive in dos compatibility mode while formatting, and if you
immediately run setup after it (in other words, without rebooting after format), you may lock
your drive in DOS compatibility mode.
MORE ADVICE
hi, if you have AOL, go to Settings, then click on Preferences, then click on Privacy.
There you can block e-mail, instant messages, and block anyone from seeing that you are online.
SCRIPT SENTRY gets mentioned
No need to delete Windows Scripting Host or turn it off.
http://www.jasons-toolbox.com/scriptsentry.asp
------------------
looks like this summed it up???
------------------
you may want to click on edit first before you highlight, lest the "here" links that slip in here
and there only appear as "here" rather than the URL
tip; if this is too wide for 800*600.
with wheelmouse, hold ctrl and scroll,
or use view menu to adjust font.
[This message has been edited by jtdoom (edited 05-01-2001).]
[This message has been edited by jtdoom (edited 08-11-2001).]