Help: Pinpointing the source for virus association.
Results 1 to 6 of 6

Thread: Help: Pinpointing the source for virus association.

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    9

    Unhappy Help: Pinpointing the source for virus association.

    I am sorry if this was mentioned before somewhere, but I first checked the search feature looking for "virus sources" in hope to find the answer to my question and didn't come across it during my normal browsing through these forums.

    I'm in a panic right now; apparently my brother's laptop has been suffering under tons of viruses I wasn't aware of - now I wish to discover where the root of this problem began, and when.

    I have a pretty good start - the porn. Although, the time interval from when the temporary internet file(s) were downloaded to the time unusual programs made their debut (a debut of which I wasn't notified of) is considerably large (I'd say about a month 6/9/05 -> 7/18/05).

    Is it possible that this would be the root for all this havoc? These some odd [lots] of viruses that came out of nowhere (I just performed an avast! check not too long ago) just seemed so... sudden and those programs that were blocked - I had no idea that they were even there! Now I'm going nuts - I'm very paranoid about stuff I've been downloading like for example Trillian [multi-msging program] or doing stuff like watching Family Guy on winamp tv. and I begin to worry about What if... whoever now "owns" the laptop can try to gain entry into my computer under the common network. Maybe I'm being paranoid about this, irrationall paranoid - kinda like how I always made sure my zip files for counter-strike movies that I got from csmovies site and fileplanet were always scanned. It's stupid, I know, but you should see me in school and when I take tests.

    Under zonealarm, I have disabled sharing on the network. Hopefully that provides some relief. Hopefully.

    My hair is turning gray - I lost sleep yesterday worrying about my computer - and even worried about alone putting the installation disks so I could reformat the system... There aren't those kind of viruses that would affect the reformatting process... are there? I don't know, but I made sure I killed off whatever I could with trial anti-virus from avast! and trend micro's Housecall. Everything was deleted whether it was a system file or not - I don't care, I'm not going to bust my butt cleaning everything.

    I'm a wreck, please tell me I'm just reacting irrationally to the situation. People tell me I am one in 500 who suffer the same situation, and that mine isn't particularly bad since I've got nothing to lose. It's just uncomfortable knowing that someone's been controlling my computer = my life. ;-;

    I hope to be more knowledgeable about the situation. This is a rude wake up call to internet security - tomorrow I shall be purchasing the books : Network Intrusion Detection
    Counter Hack Reloaded , and Malware - Fighting Malicious Code [as suggested by an antionline member actually].

    Some day I'd like to return the favor for the community sooner or later if the community would help me throughout this time. Please.

    [Pardon my grammar skills. I grow weary as these late-nights get ugly. ]

    -Thanks, n2c.
    (It took me a long time to post. I'm still new at this security stuff, but I'm willing to learn. By the standards in those 'readme' posts, It's hard to post anything without fear of getting flamed. )

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    OK,

    1. If at all possible, try to fight this stuff in SAFE MODE that prevents quite a lot of it loading, and gives your anti-malware a better chance.

    2. Get these, update them and run them in safe mode

    http://www.emsisoft.com/en/software/free/
    http://www.ewido.net/en/
    http://www.safer-networking.org/en/index.html

    You want spybot search & destroy from that last link.

    You should be able to get Avast! for free, I have just got a 14 month extension to my licence

    Clean out history, temporary and cache folders.

    Try FireFox as a browser and load the anti-scripting plug-in.

    Use the "immunise" feature in SpyBot

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    OK, i've read through your post a few times, and there are a couple of things that confuse me.


    I take it that you mean a hacker who has installed software on your system, as you said the laptop belongs to your brother. If someone has control of the laptop, and it's connected to your PC via a network, it's possible that they can access any shared folders. You should try to prevent people taking control of the laptop in the first place!

    If you've gotten rid of the viruses on your system, and it sounds like you have, you should move on to tackling spyware. Download and run Spybot Search and Destroy, and Adaware and delete everything they find. You should also install a firewall on the laptop.

    At worst, virus problems can usually be fixed with a format, although there are usually easier ways! No need to worry about the situation too much. In answer to your other question, porn sites are the #1 source of viruses.

    I take it you are asking how to remove all the viruses/malware from the laptop? Once you've done these steps, you're usually pretty safe. Afterwards, you can always post a Hijack This log in the security forum, and we'll see if there's anything left.

  4. #4
    Junior Member
    Join Date
    May 2002
    Posts
    9
    Alright, thanks for the replies. I'm just overreacting with the situation most likely. I was checking out my friend's computer and even though he's had a tremendous virus history his computer still runs at it's best (although I'm kinda worried that he's relying on zonealarm to do all the work without him doing any personal configuration). I think it'll be better if I reformat and install ZA, Avast! and that a^2 and spybot stuff as well; I think my dad's going to be using the laptop for business-related stuff (most likely TurboTax) so I might as well make sure that it's fully cleaned out. There's a lot of junk on that computer - My brother told me yesterday/this morning that that became his porn-laptop (that's kinda scared me. He let me use it over the summer without knowing what the laptop has gone through).

    @tt. : It's easier to reformat than continuously download various freeware and toying with them. I just learned how to use Hijack this! yesterday since it's the first time I've ever encountered a humongous problem. By the way, I meant that with all the virus stuff that was on it (mostly trojans and a backdoor) then zonealarm probably was rendered useless under the weight. In that control of the laptop probably wasn't even the user using it anymore.

    Thanks again

  5. #5
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greeting's

    Because you are thinking of reformatting and starting from scratch here is a basic outline :

    1. Install windows

    ** DO NOT CONNECT TO THE INTERNET TO COMPLETE THE FOLLOWING STEP, EITHER DOWNLOAD THE FILE FROM A CAFE OR USE THE CURRENT MACHINE TO DOWNLOAD THE FINE AND THEN TAKE IT ON A CD **
    ** ALSO CHECK THE MD5 of the file with the one given on net **
    *** DO NOT MISS OUT ON THIS STEP ***
    2. Apply updates using Autopatcher (www.autopatcher.com) (http://www.neowin.net/forum/index.php?showtopic=409564)
    Here i would advise that you download the lite version becaue optional updates can be applied afterwards.
    3. creat only 2 accounts (if you creat more then 2 then let *one* be the admin account and all remaining be restricted user's)
    4. Give all your accounts a password
    5. Now install firewall and an anti-virus
    6. Go to control panel and in network connection's select and remove everthing except TCP/IP
    now go to advanced and ** DISABLE NETBIOS OVER TCP/IP AND REMOVE THE CHECK MARK AGAINST Enable LMhosts lookup ** repeat this for all your connection's
    7. in windows xp do the following :

    -> (WindowsXP ONLY) Run: regedit.exe
    --> Go to (if key/value does not exist, create one by right clicking in the right window)
    ---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    ----> EnableDCOM (REG_SZ)
    -----> Set to: N
    ---> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
    ----> Value: DCOM Protocols
    -----> Remove ncacn_ip_tcp
    ---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
    ----> Value: MaxCachedSockets (REG_DWORD)
    -----> Set to: 0
    ---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    ----> SmbDeviceEnabled (REG_DWORD)
    -----> Set to: 0
    ---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
    ----> REG_DWORD
    -----> AutoShareServer
    ------> Set to: 0
    -----> AutoShareWks
    ------> Set to: 0
    ---> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSession Pipes\
    ----> NullSessionPipes
    -----> (Delete all value data INSIDE this key)
    ----> NullSessionShares
    -----> (Delete all value data INSIDE this key)
    ---> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\
    ----> Machine
    -----> (Delete all value data INSIDE this key)

    8. in internet explorer change your security settings to high then click custom and allow file download
    add *.windowsupdate.com too trusted site list otherwise windows update will not work
    9. Now after doing all this reboot your pc
    10. ** BEFORE DOING THIS STEP BE SURE THAT YOU UNDERSTAND WHAT YOU ARE DOING IF YOU DONT ASK AGAIN **

    GO to http://www.tweakhound.com/xp/security/page_3.htm
    and ** DISABLE as many service's as you dont want **

    download firefox and use it.

    DO NOT USE THE ADMINISTRATOR ACCOUNT FOR SURFING THE INTERNET IF YOU ARE TOO TEMPTED TO UE THE ADMINISTRATOR ACCOUNT THEN DOWNLOAD AND USE DropMyRights by microsoft from here :

    http://msdn.microsoft.com/library/de...re11152004.asp


    Well even if you do this much you are good to go
    (although a ** LOT ** will depend on your ability to configure your firewall, but then if you have problem's then just ask)
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #6
    Junior Member
    Join Date
    May 2002
    Posts
    9
    Woah, sounds complicated...

    Firewall is just set to block everything; I'm not sure if there actually is any more configuration than that. Maybe, establish Proxys? I never did that before, so I... probably won't tamper with it.

    Thanks for all the help; I'm going to keep it bookmarked for personal use - although I'm unsure of toying with the default Microsoft settings myself. Navigating through the registry is risky, and altering the default settings for the running programs seems controversial... I honestly would love to go through all this for security purposes but it's hard to follow and it seems very easy to screw up. I don't really want to hassle people about what does <so and so> do? and if I did screw up in the end, I don't want to be yelled at for the errors.

    I bought myself a book on Counter Hack Reloaded to see for myself what paths and exploits hackers usually toy with. Whatever the book suggests should correspond to whatever information is presented throughout these forums.

    Thanks for the reformatting procedure info. I skimmed through tweakhound to look at the advantages of altering the settings for various things, and with that it seems like if I end up in the same distress as I am now, the situation wouldn't seem so... impossible.

    I can't stop them from looking at porn. Too much of that stuff is out there :T

    Because I'm reformatting the computer I am on now and the laptop, I'll apply the procedure to the laptop and just run through the typical one on this computer instead. I'll compare the two and see for myself the differences between them. Just a precaution, I'm going to run this procedure past some people I know and probably bug them about it...

    -Thanks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •