virus/security problems

Discussion in 'Legacy Windows' started by shenanigins, 2003/06/16.

Thread Status:
Not open for further replies.
  1. 2003/06/18
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Shannon

    Had a moment from a client's office to check in. May not get to again until tonight.

    I like both the Linksys bfsr41 and the D-Link DI-604. But the D-Link was on sale and had a rebate lowering it to less than $50.00 at Office Max.

    The cables to each computer are correct. Just turn off old hub, remove, then put in the new Router/Switch, then swap cables and turn on power. Network will be there.

    DSL should be left alone and done separately as some info about the internet connection needs to be harvested first. The D-Link has its cable in the box.

    For now you can switch the hub over and leave DSL as is, and it will also continue as always.

    I will post instructions on the info we need and how to switch it tonight.

    Mike

    PS How is the main computer cleanup coming along?
     
    Last edited: 2003/06/18
  2. 2003/06/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    From Mike, "The cables to each computer are correct. "

    Make that probably correct. They must be Cat5 (will be printed on the wire) and must be terminated properly. Older and slower stuff only needed Cat3 so you could have cable that worked fine at the slower speed but won't with faster equipment.

    - If the cable is Cat5 and was factory terminated you will be fine.

    - Cat5 and done by a tech and you should be fine. Just make sure the RJ-45 connectors are within 1/4 inch of where the wire is twisted. Easier to put them on if you untwist an inch or two of the cable but it messes things up big time.

    - Cat3 (older stuff) will just need to be replaced.

    Other than that, just as Mike said. Unplug from hub. Plug into switch. Watch things fly.
     

  4. 2003/06/18
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    10-4 on the wiring of the cable ends.

    But I was basing my answer on the fact that they are currently working and on this quote from Shannon:

    "- commscope network cable P/N 0590 568 cat5 e113333 4 pr/24 (UL) type cmp "


    confirming cat5 cabling.

    Nan nan a nana smarty pants.. Hee hee, Lol..

    Mike Lol!
     
  5. 2003/06/18
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Shannon

    11:30 pm, just in a few moments ago. Long lonnnng day.

    To get the info for DSL do these steps on the 2K machine.

    Command prompt

    type

    ipconfig /all >lan.txt

    This will produce a file named lan.txt.

    Now open this file in WordPad and copy it and then paste back to us in a message.

    Also include the name of the ISP. Like www.bellsouth.net or msn.com.

    Mike
     
  6. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Okay... I bought a Linksys BEFSX41. The packaging includes a router setup wizard CD that says it will configure the DSL/network all at once. Should I try this, or just set up the network stuff and get you the ISP information to walk me through the setup?

    I have the first computer completely cleaned, using all the steps you listed. I'm currently cleaning the other two slaves, both of which should run very quickly because there's very little on either system. Then I'm going to attach the administrator computer and set up the router.

    I'll check back here in a bit to see what you suggest.

    Thanks again...
    Shannon
     
  7. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    BTW... do you know if there is a way to retrieve the passwords/usernames that are stored in Gator? I want to uninstall it from his computer, but he doesn't know any of his passwords. :eek:
     
  8. 2003/06/19
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Shannon

    You can do the CD if you want but only after we have a copy of the ipconfig as I directed.

    Because if things go ka phuly then we know what they were.

    Never had Gator, never would, so never used it, so no help on this.

    Perhaps someone else will advise. But you are correct in removing it. He may have to email for the passwords.

    Mike
     
  9. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    I have all the slaves cleaned and am now cleaning the administrator unit. When I ran the online virus scanner at anti-trojan.net I received the following messages:

    Port 1025 is open
    Application(s): network blackjack, ICQ
    Trojan(s): NetSpy, Maverick’s Matrix, RemoteStorm


    Not sure what to do now?
     
  10. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    and now bitdefender scan has found the following:

    C:\WINNT\system32\D2COLOUR.EXE/(UPX) infected: Trojan.HideWindows.A

    Are we having fun yet? :rolleyes:
     
  11. 2003/06/19
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Aw shoot. You know you love this stuff. You gotta or else you don't do it.
     
  12. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    LOL... well, there is some shred of truth to that statement... but I would much rather be dealing with an issue that I could solve. I'm frustrated with how to get rid of these stupid trojans and viruses that were detected by the online scans. There aren't any instructions on how to get rid of them... can I just delete the files that are listed? Norton doesn't seem to detect them, nor remove them. Any thoughts?

    I'm planning on sitting here in front of this darned system until I get it cleaned and connected! Looks like it may be a loooooong night!

    Any help you can offer will be much appreciated!
     
  13. 2003/06/19
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Shannon

    Just got home.

    OK no panic. It could be a false positive on both. IT CAN BE SOLVED!

    Likely you do have one of these.

    Here is my advice.

    Reboot to safe mode

    Then go to add/remove

    Uninstall any program with the name irc or mirc.

    Look closely at the other installed programs and uninstall anything old, new, or that no one knows what they are.

    Let me know the names of the ones you remove as I may recognize it.

    After removing these programs do a disk search for the names of these programs and delete them all, like this:

    irc*.*
    mirc*.*
    and so on

    Additionally remove the below files if they exist:

    CLONE.MRC
    FDRIVE.DAT
    D2COLOUR.EXE (hides windows that the trojan opens)
    FDR.DLL
    COAX.DLL
    cvar.ini
    EDIN.DLL
    LAN.EXE
    LVL5.MRC
    net.deld
    PRP.DAT
    PSEXESVC.EXE
    secure.bat
    SPEED.MRC
    STDS.DLL
    WHENN.DLL

    After these files are all removed run all, "I mean all the registry cleaners", one after the other. If one finds anything run the others again, even if you have already run them. RUN THEM UNTIL THEY ALL COME UP CLEAN.

    Then reboot to full mode and run Trend and the online Trojan scan again.

    Do all of this and report back and based on your report I will guide you from there.

    mike

    PS let me know immediately that you have received this.
     
    Last edited: 2003/06/19
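
The file search described in the post above, as an added example that is not part of the original post: it looks for the listed names and wildcard patterns under a directory and records path, size and SHA-256 of each match without deleting anything, so every hit can be reviewed first. The function names `sweep` and `sha256_of` are hypothetical; a name match is only a lead, since PSEXESVC.EXE, for instance, is also the service binary that Sysinternals PsExec installs.

```python
import fnmatch
import hashlib
import os
import sys

# Names and wildcard patterns copied from the post above.
SUSPECT_PATTERNS = [
    "irc*.*", "mirc*.*",
    "CLONE.MRC", "FDRIVE.DAT", "D2COLOUR.EXE", "FDR.DLL", "COAX.DLL",
    "cvar.ini", "EDIN.DLL", "LAN.EXE", "LVL5.MRC", "net.deld", "PRP.DAT",
    "PSEXESVC.EXE", "secure.bat", "SPEED.MRC", "STDS.DLL", "WHENN.DLL",
]

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, patterns=SUSPECT_PATTERNS):
    """Return one dict per matching file, sorted by path. Nothing is deleted."""
    lowered = [p.lower() for p in patterns]   # Windows file names are case-insensitive
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = next((p for p in lowered
                        if fnmatch.fnmatchcase(name.lower(), p)), None)
            if hit is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                size, digest = os.path.getsize(full), sha256_of(full)
            except OSError as exc:            # locked or unreadable: still report it
                size, digest = None, "unreadable: %s" % exc.strerror
            findings.append({"path": full, "pattern": hit,
                             "size": size, "sha256": digest})
    return sorted(findings, key=lambda f: f["path"].lower())

if __name__ == "__main__":
    for f in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["sha256"], f["size"], f["path"], "(matched %s)" % f["pattern"])
```

The recorded hashes give something to compare against after the next reboot or scan, and a record of what was on disk if a match is removed later.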
  14. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Got it! Thank you very much... will report back soon.
     
  15. 2003/06/19
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    It may be easier to download and run The Cleaner. It's shareware but gives x number of free uses before expiring. And does best job at trojan removal.
     
  16. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Okay... I'm back and almost have a :) on my face again.

    I ran in safe mode, found several files on your list and deleted them. I ran all of the reg cleaners... several times, until all came up clear. I rebooted and ran the trojan scan... same results as before:

    - Port 1025 is open
    - Application(s): network blackjack, ICQ
    - Trojan(s): NetSpy, Maverick’s Matrix, RemoteStorm

    Ran the bitdefender... it came up clean.

    I'm hoping I can proceed with the router install now? All of the other scans, etc., listed in the earlier post have been completed.

    Waiting to hear from you now....
     
  17. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Here's the ipconfig info from the txt file:

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : administrater
    Primary DNS Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection 3:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Efficient Networks Enternet P.P.P.o.E Adapter
    Physical Address. . . . . . . . . : 44-45-53-54-77-77
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : No
    IP Address. . . . . . . . . . . . : 208.191.126.249
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 208.191.126.249
    DHCP Server . . . . . . . . . . . : 1.1.1.1
    DNS Servers . . . . . . . . . . . : 151.164.17.201
                                        151.164.11.201
    Lease Obtained. . . . . . . . . . : Thursday, June 19, 2003 7:39:29 PM
    Lease Expires . . . . . . . . . . : Monday, January 18, 2038 9:14:07 PM

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : D-Link DFE-530TX+ PCI Adapter
    Physical Address. . . . . . . . . : 00-05-5D-43-B9-C4
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Autoconfiguration IP Address. . . : 169.254.189.166
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
    Physical Address. . . . . . . . . : 00-10-DC-58-D6-4F
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Autoconfiguration IP Address. . . : 169.254.202.230
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
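
A way to read an `ipconfig /all` capture like the one posted above, as an added example that is not part of the original post: it splits the text into adapters and classifies each adapter's address, which shows that the PPPoE adapter holds a publicly routable address (the one an online port scan probes) while the LAN card has only a 169.254.x.x autoconfiguration address. The function names are hypothetical, and the embedded sample is a trimmed copy of the posted output.

```python
import ipaddress
import re

HEADER = re.compile(r"^\s*\S.*? adapter (?P<name>.+):\s*$")
FIELD = re.compile(r"^\s*(?P<key>[^:]+?)[\s.]*:\s*(?P<val>.*)$")

# Trimmed copy of the output posted above (two of its three adapters).
SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection 3:
    Description . . . . . . . . . . . : Efficient Networks Enternet P.P.P.o.E Adapter
    IP Address. . . . . . . . . . . . : 208.191.126.249
    DNS Servers . . . . . . . . . . . : 151.164.17.201
                                        151.164.11.201

Ethernet adapter Local Area Connection 2:
    Autoconfiguration IP Address. . . : 169.254.189.166
"""

def parse_ipconfig(text):
    """Return [{'name', 'fields': {key: [values]}}]; entry 0 is the host block."""
    sections = [{"name": "(host)", "fields": {}}]
    last = None
    for line in text.splitlines():
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            sections.append({"name": header["name"], "fields": {}})
            last = None
        elif field:
            last = sections[-1]["fields"].setdefault(field["key"], [])
            if field["val"].strip():
                last.append(field["val"].strip())
        elif last is not None and line.strip():   # continuation: second DNS server
            last.append(line.strip())
    return sections

def classify(addr):
    ip = ipaddress.ip_address(addr)   # 169.254.0.0/16 means DHCP got no answer
    return "apipa" if ip.is_link_local else "private" if ip.is_private else "public"

def exposure(sections):
    """Adapter name -> (address, class) for each adapter that has an address."""
    keys = ("IP Address", "Autoconfiguration IP Address")
    found = ((s["name"], a) for s in sections[1:] for k in keys for a in s["fields"].get(k, []))
    return {name: (a, classify(a)) for name, a in found}

if __name__ == "__main__":
    print(exposure(parse_ipconfig(SAMPLE)))
```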
     
  18. 2003/06/19
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    You need to fix this or know it is a false positive.

    D/L, install and run this. I agree with TonyT, this is the best.

    The Cleaner (specialized trojan worm finder killer)

    http://www.moosoft.com/

    When it is clean proceed with the Router. But do not connect the other cables to the new router switch yet, until we are sure it is clean. If you do you could backstep all you have done.

    Mike
     
  19. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Alrighty then... I'll be back!
     
  20. 2003/06/19
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    The Cleaner scan completed and found no trojans. I'm going to proceed with the router install, with the setup wizard disk. I'll be back soon.
     
  21. 2003/06/19
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    You da man Shannon. I gotta give you credit you are determined. And you can take instructions.

    I know it is late, I know you are tired but if you shortcut it now you will have wasted your time.

    Can you not stop for the night and finish tomorrow?

    I myself will need to go to bed in the next 30-45 minutes.

    I will let you know when I do.

    Mike
     