
Help Please

Discussion in 'Malware and Virus Removal Archive' started by Bleep, 2003/08/30.

Thread Status:
Not open for further replies.
  1. 2003/09/01
    wizzkid121

    wizzkid121 Inactive

    Joined:
    2003/09/01
    Messages:
    21
    Likes Received:
    0
    Yeah, it blocks lots of attacks, but only if the server is open on your computer! Most of the time (on Norton) when the globe pops out it's some little kid doing a port scan on Sub Seven because they don't know how to use it and steal other people's victims. If you know you ain't got a server open then you have no problems :D


    And two Mikes is quite confusing.

    I'll leave my name as, errm,

    Wizz :D

    (P.S. Could someone please address my problem I posted in Windows NT?)
     
  2. 2003/09/01
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    When that globe pops up it COULD BE something on YOUR OWN machine GOING OUT looking for trouble.

    That globe and/or the Firewall works both ways. Or at least should. Unless you are using XP's ONE WAY ONLY built-in FW.

    BillyBob
     

  4. 2003/09/01
    wizzkid121

    wizzkid121 Inactive

    Joined:
    2003/09/01
    Messages:
    21
    Likes Received:
    0
    Yes, I forgot to mention that: applications trying to access the internet too, e.g. MSN Messenger & Kazaa etc.


    Wizz
     
  5. 2003/09/01
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Wizz,

    Can You elaborate on that? To the best of my knowledge I have no server whatsoever.
    When I was using ZoneAlarm, some applications (MS Word and Excel) asked for server rights but I never granted them those rights.
    Is that what You mean?

    Thanks,
    Christer
     
  6. 2003/09/01
    wizzkid121

    wizzkid121 Inactive

    Joined:
    2003/09/01
    Messages:
    21
    Likes Received:
    0
    lol, this conversation has gone from one thing to another.

    A server is what a trojan uses to connect with. I know certain trojans that AV don't pick up, including firewalls, even with updates! I only know of one for Norton AV, none I know of for ZoneAlarm, but if someone has sent you a server that ZoneAlarm cannot pick up and you shut your FW down, you're open to an attack if the hacker is online or if someone is doing a port scan.

    Does that make it any clearer?

    Wizz
     
  7. 2003/09/01
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    And you don't need a "server" open when you turn off the firewall.

    Because with the firewall off an outside program can wake up the server afterwards.

    Mr. Trojan or Mr. Worm are you there?
    Yeah, we's here boss come on in! Bring friends!

    Mike
     
  8. 2003/09/01
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    mflynn

    If that is not a wake up call and/or telling it like it is then I do not know what else to call it.

    In my way of thinking if you are going to turn a Firewall OFF, why bother to install it in the first place ?

    Because if you turn it off for just a small amount of time and then turn it back on, it may well have been disabled or corrupted in some way, rendering it now useless.

    If you want better ( at least incoming ) protection insert a ROUTER between the machine and the Modem.

    And another thing that I have found over the YEARS.

    If you use something other than Norton for Anti-Virus and Firewall they may not need to be turned off when installing software. Because they do not get so tangled up in the actual OS as Norton does.

    And when installing said 3rd party AV/Firewall, install them into other than the default locations. Makes them VERY hard to find.

    Even for me. The guy that installed them. LOL

    And DEFAULT locations is what makes it so easy for these Virus/Trojan makers to get into Windows.

    Not only is some version of Windows more widely used, but I would say 99.5% of them use the DEFAULT installs. Making them all set up with the same folders and in the same location.

    BillyBob
     
    Last edited: 2003/09/01
  9. 2003/09/01
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    10-4 to all you said BB.

    You have to stay 1 step ahead of them!

    BLEEP! Hope you are not confused by our discussion. But this is the way it works here. Some things lead to other ideas and thoughts.

    But for you I reiterate, all you need to do now is get HijackThis and post the results of the StartupList back to us in a message.

    Mike
     
  10. 2003/09/01
    wizzkid121

    wizzkid121 Inactive

    Joined:
    2003/09/01
    Messages:
    21
    Likes Received:
    0
    OK :confused: you guys are far too technical for me. A server has to have been executed for the hacker to gain access. Therefore if you ain't executed the server then he can't get in. And that thing about Mr Worm coming in??? The server can't be accessed unless it's been executed! So if you turn your firewall off, it wouldn't make a difference.

    oooo I'm starting to sound technical :D

    I didn't think that was possible for me lol

    Wizz
     
    Last edited: 2003/09/01
  11. 2003/09/01
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Well, the mud got slightly diluted ...... ;) ...... I think You said that the trojan has a built-in device which connects to the 'net and doesn't have to rely on user (victim, that is) connections.

    Would it suffice to install to a folder "&9t(#h5" instead of "Program Files"? That would get them off track for all installations.

    Christer
     
  12. 2003/09/01
    wizzkid121

    wizzkid121 Inactive

    Joined:
    2003/09/01
    Messages:
    21
    Likes Received:
    0
    When someone sends you the server you open it (execute it) and that then sends off your IP and ports to either a CGI list, email or ICQ. Then the hacker types your port and password into the client and he connects. However, the server has to have been opened for him to connect. Do you see what I'm getting at, or is the mud getting thicker?

    Wizz
     
  13. 2003/09/01
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    The better thing to do is to keep yourself protected the best that you can. So that the S.O.Bs do not get in in the first place.

    And that can only be done by running a good solid Anti-Virus AND a Firewall FULL TIME With NO TIME OUTS.

    Those are two things that should be allowed to install with DEFAULT settings.

    Would it suffice to install to a folder "&9t(#h5" instead of "Program Files"? That would get them off track for all installations

    That may not stop everything but it sure will help.

    A question from an earlier reply.

    you haven't heard about the trojan in IE have you billy?

    Yes I have heard of it. But I had protected myself against it by keeping the Windows Critical Updates UP TO DATE. At least two weeks before the **** hit the fan.

    BillyBob
     
    Last edited: 2003/09/01
  14. 2003/09/01
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Man, you mean there has been "a" trojan in IE.

    This is over my head, I'm outa here!

    Mike

    But BLEEP I am still waiting on you! Smile!
     
    Last edited: 2003/09/01
  15. 2003/09/01
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Well, I think that I understand but I won't tell You what I think.

    It's better to keep one's mouth shut and let others believe you're the village fool ...... :p ...... than to open it and shred all doubts ...... ;) ......

    Christer
     
  16. 2003/09/01
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I need to clarify that a little as I see it may contradict what I said earlier about defaults.

    What I really mean is to install them into other than the default folders.

    But leave the default settings as they are. Because if settings are left alone nothing (or very little) will get past them.

    BillyBob
     
  17. 2003/09/01
    wizzkid121

    wizzkid121 Inactive

    Joined:
    2003/09/01
    Messages:
    21
    Likes Received:
    0
    I used to use trojans and changing the folder name for your AV doesn't make a difference; the AV is tracked on the server, so when you open it the server automatically shuts down your firewall. I've seen this on NetDevil, which is no longer available! Possibly on SubSeven, which is widely available.

    Yes, there's been a trojan on IE and it's bad ****.
    So when you execute IE it executes the server.

    Don't tell me about trojans, I know quite a lot about them. So unless you have the server open or in your Run you can turn your firewall off. And if someone does get on, go on MS-DOS and type netstat; they usually **** themselves because you will get their IP and they will disconnect.

    Wizz
     
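The netstat check Wizz mentions above, as an added example that is not part of this thread or of any tool it names: a small Python script that parses the column layout of Windows `netstat -an` output and answers the two questions a defender actually has at that point: which ports on this machine are reachable from outside, and which remote hosts currently hold an established session. The sample output is constructed (documentation-range addresses, invented ports) and the script assumes the Windows columns Proto, Local Address, Foreign Address, State.

```python
"""Summarise Windows `netstat -an` output: exposed listeners and remote peers.

Added example. SAMPLE_NETSTAT below is constructed, not captured from any real host.
"""

# Constructed sample in the layout Windows netstat prints (RFC 5737 addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1863           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1029        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.10:1863        203.0.113.22:1863      ESTABLISHED
  TCP    192.0.2.10:1031        203.0.113.9:6667       TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""


def parse_netstat(text):
    """Return one dict per socket line; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""  # UDP lines carry no state column
        rows.append({"proto": parts[0], "local": parts[1],
                     "foreign": parts[2], "state": state})
    return rows


def split_endpoint(endpoint):
    """'192.0.2.10:1029' -> ('192.0.2.10', '1029'); rpartition keeps IPv6 colons intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def listening_ports(rows, exposed_only=True):
    """Sorted (proto, port) pairs a remote machine could reach.

    TCP sockets count only in LISTENING state; every UDP socket counts.
    With exposed_only, loopback-bound listeners are left out because
    nothing off the box can reach them.
    """
    result = set()
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        host, port = split_endpoint(r["local"])
        if exposed_only and host.startswith("127."):
            continue
        result.add((r["proto"], int(port)))
    return sorted(result)


def remote_peers(rows):
    """Remote (address, port) pairs with an ESTABLISHED TCP session: the 'who is on' check."""
    peers = []
    for r in rows:
        if r["state"] == "ESTABLISHED":
            host, port = split_endpoint(r["foreign"])
            peers.append((host, int(port)))
    return peers


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("Reachable listeners:", listening_ports(rows))
    print("Established peers:  ", remote_peers(rows))
```

On a real machine the text would come from `netstat -an` (or `netstat -ano` on systems that support it, which adds the owning process id). The useful follow-up is to match each exposed listener and each peer against what the machine is known to run; an unexplained listener on a public address is the "server open" condition the thread is arguing about.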
  18. 2003/09/01
    Bleep

    Bleep Inactive Thread Starter

    Joined:
    2003/08/30
    Messages:
    13
    Likes Received:
    0
    Hi Guys,

    you asked me to generate a startup list. I have posted the output below, I hope this doesn't break any protocol on here, I can't see anything in the rules.

    I am running Windows 2000 Professional Edition.

    The startup list is as follows, thanks for any help. I will look in from work tomorrow.



    StartupList report, 9/2/2003, 1:48:10 AM
    StartupList version: 1.52
    Started from : J:\HiJack\hijackthis196\HijackThis.EXE
    Detected: Windows 2000 SP2 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\EN817_HOME\bin\dbsnmp.exe
    F:\EN817_HOME\bin\vppdc.exe
    F:\EN817_HOME\Apache\Apache\Apache.exe
    F:\EN817_HOME\BIN\TNSLSNR.exe
    f:\en817_home\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    F:\EN817_HOME\Apache\jdk\bin\java.exe
    F:\EN817_HOME\Apache\Apache\Apache.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    J:\HiJack\hijackthis196\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
    AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
    PowerReg Scheduler.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    NeroCheck = C:\WINNT\system32\NeroCheck.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    LoadQM = loadqm.exe
    AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    RoboForm = "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe "
    WrCtrl = "C:\Program Files\WinRoute Pro\wrctrl.exe "
    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Yahoo! Companion BHO - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll - {13F537F0-AF09-11d6-9029-0002B31F9E59}
    (no name) - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
    SysShield IE Popup Blocker - C:\Program Files\SysShield Tools\Internet Eraser\PKExt.dll - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [YInstStarter Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\CONFLICT.1\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [{6CB5E471-C305-11D3-99A8-000086395495}]
    CODEBASE = http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37850.932650463

    [YahooYMailTo Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 6,445 bytes
    Report generated in 0.110 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
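A way to triage a report like the one Bleep posted, as an added example that is not part of this thread and not code from HijackThis: a Python script that parses the StartupList section layout (a header line ending in a colon, optional registry key line, then one entry per line) and flags two things a reviewer looks for first, executables referenced by bare filename (resolved through the search path, so the copy that runs has to be confirmed) and executables living outside the usual Windows and Program Files tree. The embedded report is a trimmed copy of the one above; the trusted-prefix list is an assumption for this Windows 2000 layout, and a flag is a "look here" hint, not a verdict, which matches what Mike concluded (Oracle and Apache stand out, but nothing is identified as malicious).

```python
"""Parse a HijackThis StartupList report and flag entries worth a second look.

Added example, not the tool's own code. The trusted-prefix list is an
assumption for a Windows 2000 box with C:\\WINNT and C:\\Program Files.
"""
import re

# Constructed sample: a trimmed copy of the report posted in the thread.
SAMPLE_REPORT = r"""
StartupList report, 9/2/2003, 1:48:10 AM
StartupList version: 1.52
Started from : J:\HiJack\hijackthis196\HijackThis.EXE
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
F:\EN817_HOME\Apache\Apache\Apache.exe
f:\en817_home\bin\ORACLE.EXE
C:\WINNT\loadqm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
J:\HiJack\hijackthis196\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
PowerReg Scheduler.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
LoadQM = loadqm.exe
CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RoboForm = "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe "
WrCtrl = "C:\Program Files\WinRoute Pro\wrctrl.exe "
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# Assumption: where legitimate software normally lives on this Windows 2000 system.
TRUSTED_PREFIXES = (r"c:\winnt", r"c:\progra~1", r"c:\program files",
                    r"c:\documents and settings")


def parse_startuplist(text):
    """Return an ordered list of (section name, [entry lines]).

    A line ending in ':' opens a section; a registry key line directly under
    'Autorun entries from Registry' is folded into that section's name so the
    HKLM and HKCU Run keys stay distinct. Separator and banner lines are skipped.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("=-"):
            continue
        if line.endswith(":"):
            current = [line[:-1], []]
            sections.append(current)
            continue
        if current is None:
            continue  # report banner before the first section
        if line.startswith("HK") and "\\" in line and not current[1]:
            current[0] += " " + line
            continue
        current[1].append(line)
    return [(name, entries) for name, entries in sections]


def extract_exe(command):
    """Pull the executable path out of a Run-style command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].strip()
    m = re.match(r"(.+?\.(?:exe|dll|ocx|scr|com|bat))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def classify(exe):
    """Return a triage reason for the executable, or None if it looks ordinary."""
    if "\\" not in exe:
        return "bare filename: resolved via the search path, confirm which copy runs"
    if not exe.lower().startswith(TRUSTED_PREFIXES):
        return "outside the standard Windows/Program Files tree, identify the owner"
    return None


def triage_startuplist(text):
    """Yield (section, label, exe, reason) for every entry that earns a flag."""
    findings = []
    for section, entries in parse_startuplist(text):
        for entry in entries:
            if entry.startswith("["):
                continue  # folder path context line, not an entry
            name, sep, command = entry.partition(" = ")
            if not sep:
                command = entry  # process list and plain startup-folder lines have no name
            exe = extract_exe(command)
            reason = classify(exe)
            if reason:
                findings.append((section, name if sep else exe, exe, reason))
    return findings


if __name__ == "__main__":
    for section, label, exe, reason in triage_startuplist(SAMPLE_REPORT):
        print(f"[{section}] {label}: {exe} -> {reason}")
```

Run against the trimmed report it flags the three processes on the F: and J: drives (the Oracle and Apache binaries plus HijackThis itself, which was started from J:), the nameless `PowerReg Scheduler.exe` in the Startup folder, and the two HKLM Run values that name an executable without a path. Each flag is a question to answer with the machine's owner, which is exactly the information Mike asked Bleep for.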
  19. 2003/09/01
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Holy moley!

    Geeze Bleep did you know about the Apache web server!

    Do you use Oracle?

    I don't want to make suggestions that will do damage so tell more about this computer.

    What do you use it for. Are you or your son hosting your own web site?

    Do you use Winroute Pro for more than its Firewall? It can route and proxy.

    Is the computer for business?

    I see no sign of Viri or Trojan/worms.

    I do see several useless processes.

    You better give us more info here as to what you do, what you do not want.

    Might get some info from your son.

    Mmmm

    Mike
     
  20. 2003/09/02
    Bleep

    Bleep Inactive Thread Starter

    Joined:
    2003/08/30
    Messages:
    13
    Likes Received:
    0
    Hi Mike.

    My brother is an ORACLE software consultant and he uses the machine occasionally to do some development work. However, he has been working abroad for 7 months now and nothing at all has changed with these processes; they did not interfere with the PC in any way prior to my son visiting the chat rooms on the internet.

    We are not hosting our own web site. Winroute Pro was loaded by my brother some months ago and is not used in anger.

    The computer is not for business other than hosting an ORACLE database for development purposes.

    If there are no Viri or Trojan/worms, do you think that somehow the infection could have targeted the mouse driver or something like that?

    What are the useless processes you identified, and what should I do about them?

    Hope the above helps. I'm sorry if more technical info is required but I'm not a techie type person.

    Thanks for your continued support.


    Bleep
     
  21. 2003/09/02
    Bleep

    Bleep Inactive Thread Starter

    Joined:
    2003/08/30
    Messages:
    13
    Likes Received:
    0
    Just as an afterthought.

    I'm sure that in order for my son to use MS Messenger I changed a couple of Zone Alarm settings. I think they were for Outlook Express and perhaps Messenger itself to be available as servers?

    May this be relevant?
     