Re: slowly-spreading, but very annoying problem

From: Ken (kmelrose_at_kc.rr.com)
Date: 03/21/04


Date: Sun, 21 Mar 2004 10:31:45 -0600

cquirke -

I really appreciate your well articulated and very informative response. You
certainly appear to know your stuff! Great job!

Regarding the "machine-gunning multiple newsgroups", point taken, thanks for
the tip. I was told in the past that instead of posting to each list
individually, cross-post. It covers more ground, enables more people to
learn and contribute and it avoids folks from having to respond to each
list. However, I understand your point.

I will follow your guidance closely. Interestingly enough, yesterday, my
system on its own (not sure why) ran Scan Disk. It ran for about an hour
before it completed. When it was done and the system was rebooted, the
entire system began functioning (a whole lot) better and quicker. Not to
imply this has solved my problem.

I will certainly share the results of the fix, after execution of all the
great advice you and others have provided.

Thank you.

//Ken

"cquirke (MVP Win9x)" <cquirkenews@nospam.mvps.org> wrote in message
news:937r50565ucp7hvshfdtdmjp9q8f0h1nde@4ax.com...
> On Sat, 20 Mar 2004 12:09:30 -0600, "Ken" <kmelrose@kc.rr.com> wrote:
>
> >Please Help!
>
> OK, let's make a deal: I'll help you (from here in security_admin) if
> you cut down the number of ngs you send this to :-)
>
> Only kidding - I'll help you anyway - but machine-gunning multiple
> newsgroups is Bad. You'd alienate some good frontals that way.
>
> >I am seeing what appears to be a slowly-spreading, but very annoying
> >problem. Over the past three weeks, I have had three separate groups of
> >people (including myself) describe a problem they're experiencing with
> >their Windows XP systems. There are several similarities in the symptoms
> >being reported.
>
> >All affected computers -
>
> >.are running Windows XP
>
> On FATxx or NTFS? Both can get shot to pieces by malware, but NTFS
> can pose obstacles in cleaning this up.
>
> >.have plenty of processor, memory and disk capacity
> >.have High-Speed cable network connection
>
> OK; a significant risk surface, that. Now I'm waiting to see the
> words "firewall" and/or "router" :-)
>
> >.have been running efficiently until now
> >.only one user can login, others cannot
>
> Is that by design, or an effect of the problem? Sounds like something
> needed system-wide is patched in only through the user startup axis or
> similar runpoints. Smells like commercial malware; something like a
> namespace extender a la NewDotNet.
>
> >.detected large number (230-12000) of spy ware related files
>
> OK. How did you manage these, and did things go sour before or after
> you whacked 'em? Hopefully you logged what was found and done, as you
> never know when you may need to "go manual" in cleaning up the mess.
>
> That's when a GoOgleable name is a Good Thing To Have.
>
> >.have NOT detected any viruses using Norton Anti Virus
>
> <shrug> Well, it's active, ergo it got past Norton. Why does it not
> surprise me that active malware missed by Norton can maintain "air
> superiority" and keep itself hidden from Norton thereafter? If NAV
> was still working OK, a new update could help it detect the malware.
>
> But the malware's active, so Norton may no longer be working OK.
>
> >.have had their TEMP directories cleaned and are now empty
>
> Interesting, that.
>
> >.are now protected with Anti Spy and Virus, and Firewall software
>
> "now", eh? Hmm.
>
> >.are STILL running poorly and experiencing the same problems
>
> Yup.
>
> >Can anyone offer any guidance (please) on how we can regain control and
> >performance over my computers?
>
> 0) Isolate the PCs from LAN and WAN
> - pull cables
> - wireless devices; [x] Disable in this profile (DeviceManager)
>
> 1) Do a formal virus check
> - run NO code off HD in the process
> - scan all files
> - first, look don't clean; save log
> - then read up what you find (www.f-secure.com/v-descs etc.)
> - then if no caveats, clean the malware
> - if can't clean, no caveats; rename away so reversibly inactive
> - www.f-prot.com, www.nod32.com, www.sophos.com for free tools
>
> Just because NTFS may make (1) difficult or impossible, makes it no
> less the bottom line here. Users don't get to pick only the easy,
> solvable problems; the problems pick you! If an NTFS victim, read up
> bootable CDRs such as Knoppix (Linux) or Bart's PE builder (XP) and
> start hunting for av that will run from these.
>
> 2) Manually clean up any residue; startup axis etc.
>
> 3) Informally scan and manage commercial malware
> - Ad-Aware, Spybot etc.; use more than one
> - keep logs, remember which order you ran them in
> - once again, read up on what you find
> - Spybot in particular may wave things best ignored
>
> 4) Apply risk management
> - decide what you don't need; wall it out
> - any file sharing over WAN
> - full shares of startup axis, including hidden admin shares
> - autorunning scripts in email "messages"
> - support for WSH, "remote desktop" etc.
> - only you know what's on this list
> - kill 'em all, but do so reversibly
> - also; close broken-code autorun holes via patches
> - decide what some ppl need; pwd-protect it
> - goes about user permissions, good pwds etc.
> - a poor substitute for the above, where above applies
> - what may be risked, evaluate
> - build user skills to make that evaluation
> - ensure system doesn't "do it for the user" automatically
> - ensure system offers required info, e.g. show extensions
> - what is risked, screen first
> - firewall as doorman of last resort
> - antivirus as goalkeeper of last resort
>
> 5) Purge hidden malware stashes
> - System Restore (if cabbed, may be undetectable)
> - email apps that hide attachments in mailboxes
>
> 6) When all systems clean, reconnect LAN
>
> 7) When all systems patched and 'walled, reconnect WAN
>
> 8) When (if ever?) you know wireless is secure, enable wireless
>
> Sorry such a generic answer, but it's a generically common problem!
>
>
>
> >-------------------- ----- ---- --- -- - - - -
> Running Windows-based av to kill active malware is like striking
> a match to see if what you are standing in is water or petrol.
> >-------------------- ----- ---- --- -- - - - -
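As an added example, written by the editor and not part of either poster's message: a read-only PowerShell audit of the items cquirke lists under step 2 ("startup axis") and step 4 (hidden admin shares, WSH, Remote Desktop, shown extensions, firewall). PowerShell did not exist on a 2004 XP box, so this assumes a current Windows system; the registry paths are the standard Windows ones, the cmdlets are built in, and the script only reports, it changes nothing. Run it in an elevated PowerShell before deciding what to "wall out".

```powershell
# Added example (not from either poster): read-only audit of the "wall it out"
# items in cquirke's step 4, plus the step 2 "startup axis". It reports only.
# Assumes a current Windows system; registry paths are the standard ones.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (absent usually means "default")
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Add-Finding {
    param([string]$Item, [string]$Detail, [string]$Note)
    $script:findings += [pscustomobject]@{ Item = $Item; Detail = $Detail; Note = $Note }
}

$script:findings = @()

# "full shares ... including hidden admin shares": names ending in $ are hidden
Get-CimInstance -ClassName Win32_Share | ForEach-Object {
    $kind = if ($_.Name -like '*$') { 'hidden/admin share' } else { 'visible share' }
    Add-Finding $kind "$($_.Name) -> $($_.Path)" 'reachable by anyone who can reach port 445'
}
$autoShare = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareWks'
if ($autoShare -ne 0) { Add-Finding 'AutoShareWks' 'not set to 0' 'C$/ADMIN$ are recreated at every boot' }

# "support for WSH": an absent or non-zero Enabled value means .vbs/.js will run
foreach ($hive in 'HKLM', 'HKCU') {
    $wsh = Get-RegValue "${hive}:\Software\Microsoft\Windows Script Host\Settings" 'Enabled'
    if ($null -eq $wsh -or "$wsh" -ne '0') { Add-Finding 'WSH enabled' "$hive Enabled=$wsh" 'script attachments will execute' }
}

# "remote desktop": fDenyTSConnections = 0 means inbound RDP is accepted
$rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
if ($rdp -eq 0) { Add-Finding 'Remote Desktop' 'fDenyTSConnections=0' 'RDP listener enabled; wall it out or limit to LAN' }

# "ensure system offers required info, e.g. show extensions"
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ((Get-RegValue $adv 'HideFileExt') -ne 0) { Add-Finding 'Extensions hidden' 'HideFileExt<>0' 'readme.txt.exe displays as readme.txt' }
if ((Get-RegValue $adv 'ShowSuperHidden') -ne 1) { Add-Finding 'Protected OS files hidden' 'ShowSuperHidden<>1' 'files marked +s +h are invisible in Explorer' }

# "startup axis": list Run/RunOnce entries and Startup folders; read and research, don't delete
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Add-Finding 'Run entry' "$k : $($_.Name)" $_.Value }
}
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if ($dir) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'Startup folder item' $_.FullName 'runs at logon' }
    }
}

# "firewall as doorman of last resort": profile state (Get-NetFirewallProfile needs Win8+)
try {
    Get-NetFirewallProfile -ErrorAction Stop | ForEach-Object {
        if (-not $_.Enabled) { Add-Finding 'Firewall profile off' $_.Name 'enable before reconnecting WAN' }
    }
} catch { Add-Finding 'Firewall' 'Get-NetFirewallProfile unavailable' 'check the firewall by hand' }

$script:findings | Format-Table -AutoSize -Wrap
```

The output is a table to work through with the "read up on what you find" rule from step 1: each Run entry and share gets researched before anything is renamed or disabled, and since the script never writes, it can be re-run after every change to confirm the box now looks the way the checklist says it should.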


