Re: Virus cleanup - fix compromised windows firewall settings



On Aug 23, 10:45 am, "Kurt Sarens [MSFT]"
<ksar...@xxxxxxxxxxxxxxxxxxxx> wrote:
Hi Cloud9Flyer,

First of all, get your AV vendor involved!
If your box gets reinfected, it means that it is not properly cleaned or
that there is still other malware involved controlling your box.
Inform your AV vendor about the reinfection and provide them with the binary
of the virus (if possible).

You can run below online scanners to verify if your box is clean, as said by
Leythos, there is never a guarantee that your system is clean after a
compromise.

OneCare: http://safety.live.com
Kaspersky: http://www.kaspersky.com/virusscanner
eTrust Antivirus Web Scanner: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Trend Micro HouseCall: http://housecall.trendmicro.com/
Panda ActiveScan: http://www.pandasoftware.com/activescan/com/activescan_principal.htm
McAfee FreeScan: http://us.mcafee.com/root/mfs/default.asp?cid=9914
F-Secure Online Virus Scanner: http://support.f-secure.com/enu/home/ols.shtml

Also, raise a case with Microsoft: http://www.microsoft.com/protect/support/default.mspx

Thanks,
Kurt Sarens [MSFT]
Security Resources online: http://support.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.

"Cloud9Flyer" <sean.bl...@xxxxxxxxxx> wrote in message

news:1187751401.123992.58790@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Aug 21, 8:10 pm, Leythos <v...@xxxxxxxxxxx> wrote:
In article <1187719486.791080.45...@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
sean.bl...@xxxxxxxxxx says...

I totally agree, normally. But regretfully we're dealing with a
horrible ISP that will take weeks to wipe the box. We also have no
clean area to do a reinstall in because it's remote. Also, it's
supposed to be behind a firewall, but I just don't think the ISP has
very strict rules on the firewall.

Why are you using ISP's hardware if they have shown they can't protect
the OS/apps?

Either get your own servers and firewall or find another ISP to host
your applications.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999f...@xxxxxxxxxx (remove 999 for proper email

It's political. The client's CEO and the owner of the ISP are old
drinking buddies. I've tried to get the servers moved, but the boss
won't let it happen.

At any rate, my hands being tied how they are, we're way off-topic. I
would LOVE to move the server to a better ISP, and I would LOVE to
have the machine rebuilt, but I cannot make that happen in any
reasonable amount of time. So, I have to work with the cards I'm
dealt. I don't like it more than anybody else.

Does anybody have any ideas on how to clean this up? I need to get
this port out of the firewall, but I can't figure out where it's
hiding. I deleted a registry entry for Windows Firewall, and it now
shows the policy = none when I do the show state, so that's good.
But, that open port is still open and grayed out so I can't modify
it. Does anybody have any idea where this might be hiding?

I did manage to get the port exception removed using netsh commands.
The exception "name" was null, so I think that was causing the
problem.

I'll run those online scans as well.
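
An added example, not part of the thread or any poster's code: a Python audit of legacy Windows Firewall port exceptions that flags entries with a blank name and entries stored in the policy hive. The registry key locations, the `port:protocol:scope:mode:name` value layout, and the idea that policy-hive entries are the ones the UI shows as not editable are assumptions about the XP SP2 / Server 2003 firewall; the sample entries are constructed.

```python
# Added example: audit legacy Windows Firewall port exceptions from registry data.
# Assumed value-data layout: port:protocol:scope:mode:name (scope without colons).
LOCAL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"
SUFFIX = r"\StandardProfile\GloballyOpenPorts\List"

# Constructed sample: (registry key, value data) pairs as read from a registry export.
SAMPLE = [
    (LOCAL + SUFFIX, "3389:TCP:*:Enabled:@xpsp2res.dll,-22009"),
    (LOCAL + SUFFIX, "8080:TCP:*:Enabled:Intranet web app"),
    (LOCAL + SUFFIX, "50001:TCP:*:Enabled:"),
    (POLICY + SUFFIX, "50002:TCP:*:Enabled:   "),
    (LOCAL + SUFFIX, "50003:TCP:LocalSubNet:Disabled:"),
    (LOCAL + SUFFIX, "not-a-port-entry"),
]

def parse_entry(data):
    """Split one exception value into its fields; return None if malformed."""
    parts = data.split(":", 4)  # the name is last and may itself contain colons
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    port, proto, scope, mode, name = parts
    return {"port": int(port), "proto": proto.upper(), "scope": scope,
            "enabled": mode.lower() == "enabled", "name": name.strip()}

def audit(entries):
    """Return (target, reasons) for every exception that deserves a closer look."""
    findings = []
    for key, data in entries:
        entry = parse_entry(data)
        if entry is None:
            findings.append((data, ["malformed"]))
            continue
        reasons = []
        if not entry["name"]:
            reasons.append("blank name")
        if key.upper().startswith(POLICY.upper()):
            reasons.append("policy hive (read-only in UI)")
        if reasons and entry["enabled"] and entry["scope"] == "*":
            reasons.append("open to any source")
        if reasons:
            findings.append(("%d/%s" % (entry["port"], entry["proto"]), reasons))
    return findings

if __name__ == "__main__":
    for target, reasons in audit(SAMPLE):
        print(target, "->", ", ".join(reasons))
```
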
