msconfig and trojans.

  • Thread starter Thread starter Dave
  • Start date Start date
D

Dave

With respect to the problem I was having earlier in the week it seems to
be solved, thanks all.

I just wanted to confirm that if a program is unchecked in msconfig (and
does not load itself on startup so the boc becomes checked) and is also
not in the registry after I have deleted it, that presumably, it does
not load on start-up.

Thanks.
 
I just wanted to confirm that if a program is unchecked in msconfig (and
does not load itself on startup so the boc becomes checked) and is also
not in the registry after I have deleted it, that presumably, it does
not load on start-up.
Click to expand...


msconfig isn't a comprehensive list. Look at autoruns
http://www.sysinternals.com/Utilities/autoruns.html

Also, some malware uses companion processes to make it hard to close
down. If you close down one of the processes, its companion
immediately restarts it. Similarly, if you have not stopped all the
running processes and uncheck the boxes in msconfig or autoruns, you
may well find that they are immediately re-checked by the running
processes. For that reason it is advisable to run Process Explorer
http://www.sysinternals.com/Utilities/ProcessExplorer.html
to ensure all unwanted processes are terminated before unchecking any
startup boxes.


Jim.
 
James said:
msconfig isn't a comprehensive list. Look at autoruns
http://www.sysinternals.com/Utilities/autoruns.html

Also, some malware uses companion processes to make it hard to close
down. If you close down one of the processes, its companion
immediately restarts it. Similarly, if you have not stopped all the
running processes and uncheck the boxes in msconfig or autoruns, you
may well find that they are immediately re-checked by the running
processes. For that reason it is advisable to run Process Explorer
http://www.sysinternals.com/Utilities/ProcessExplorer.html
to ensure all unwanted processes are terminated before unchecking any
startup boxes.


Jim.
Click to expand...
Thank you.

The problem I had was that despite deleting the entries from msconfig
and regedit, the entires (which looked like Japanese characters) kept
returning. I dealt with it by putting msconfig in diagnostic mode then
deleting from the registry which seemed to have worked. Having looked
through the two utlities you suggested, I cannot see any start-up
processes or autoruns that would cause a concern.

However, on a possibly related point, google.com just gave the following
error message which I understand suggests a DDoS attack is occuring:

"...we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.

We'll restore your access as quickly as possible, so try again soon. In
the meantime, you might want to run a virus checker or spyware remover
to make sure that your computer is free of viruses and other spurious
software."

Now, I am actually using a proxy to connect to google. Therefore, are
other people using the same proxy to invoke a DDoS, or do I still have a
problem (ZoneAlarm Pro, Ad-Aware, Spybot, and a couple of other AV
products revealed no problems).

I have tried www.google.com several more times with no problems.
 
Dave said:
Thank you.

The problem I had was that despite deleting the entries from msconfig
and regedit, the entires (which looked like Japanese characters) kept
returning. I dealt with it by putting msconfig in diagnostic mode then
deleting from the registry which seemed to have worked. Having looked
through the two utlities you suggested, I cannot see any start-up
processes or autoruns that would cause a concern.

However, on a possibly related point, google.com just gave the following
error message which I understand suggests a DDoS attack is occuring:

"...we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.

We'll restore your access as quickly as possible, so try again soon. In
the meantime, you might want to run a virus checker or spyware remover
to make sure that your computer is free of viruses and other spurious
software."

Now, I am actually using a proxy to connect to google. Therefore, are
other people using the same proxy to invoke a DDoS, or do I still have a
problem (ZoneAlarm Pro, Ad-Aware, Spybot, and a couple of other AV
products revealed no problems).

I have tried www.google.com several more times with no problems.
Click to expand...



http://www.spy.org.uk/spyblog/2005/06/stupid_google_virusspyware_cap.html

Google seem to be intent on destroying their $78 billion dollar market
capitalisation by blocking innocent users or customers from their search
engine. Have you noticed this stupid Google captcha page recently ?
Captchas, which require you to visually decode some distorted images of
a password and type them into a form before proceeding, are a huge
annoyance to partially sighted people and they do not address the
fundamental problems of spam or malware etc.

400_virus_Google_Captcha_403.jpg - stupid Google captcha

"A computer virus or spyware application is sending us automated
requests, and it appears that your computer or network has been infected."

No our "computer or network" is not infected, and we resent this "guilt
by association".

The way that Google has implemented this captcha block is also extremely
annoying, given that on several occaisions, having typed the password in
correctly, another captcha screen is presented, and then yet another one !

Google seem to be blacklisting by the IP address of our ISP's proxy
server, and doing so inconsistently and erratically. Possibly they are
confused by the load balancing either at our ISP or on their own systems.

If we re-configure a web browser not to use the proxy server, then our
PC's IP Address does not trigger this stupid captcha block.

This is not an anonymous proxy server so it does forward our IP address
in the HTTP_VIA or HTTP_X_FORWARDED_FOR headers, which, one would have
thought Google would be checking against their blacklist, but apparently
not.
 
Dave said:
However, on a possibly related point, google.com just gave the following
error message which I understand suggests a DDoS attack is occuring:

"...we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.
Click to expand...

Google and the other internet search engines are valuable tools for
fighting the assorted con games, especially the political ones. We can
expect them to be subjected to more and stronger attacks in the future
as more groups get ticked off by having their scams exposed.

As an example of the sort of attacks I mean, consider how "Scientology"
attacks it's critics. The behavior displayed by "Pcbutts" is an example
of one type of attack possible.

I am uncertain if the random word lists Google occasionally turns up are
another spoiler, or if it's related to something else.

Well, in any case, market forces and a desire to make money off searches
are not the only reasons for search engines to eventually go to paid
subscription.
 
On Thu, 15 Dec 2005, Dave wrote:

[snip]
However, on a possibly related point, google.com just gave the following
error message which I understand suggests a DDoS attack is occuring:

"...we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.

We'll restore your access as quickly as possible, so try again soon. In
the meantime, you might want to run a virus checker or spyware remover
to make sure that your computer is free of viruses and other spurious
software."

Now, I am actually using a proxy to connect to google. Therefore, are
other people using the same proxy to invoke a DDoS, or do I still have a
problem (ZoneAlarm Pro, Ad-Aware, Spybot, and a couple of other AV
products revealed no problems).

I have tried www.google.com several more times with no problems.
Click to expand...

Were you searching for "phpbb" by any chance?

I have seen reports that a trojan is exploiting a security hole in
phpbb and using Google searches to look for other potentially vulnerable
systems. The repeated searches for that string from multiple infected
systems is apparently overloading Google's servers and they have been
forced to take defensive measures against it.
 
Norman said:
On Thu, 15 Dec 2005, Dave wrote:

[snip]
However, on a possibly related point, google.com just gave the following
error message which I understand suggests a DDoS attack is occuring:

"...we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.

We'll restore your access as quickly as possible, so try again soon. In
the meantime, you might want to run a virus checker or spyware remover
to make sure that your computer is free of viruses and other spurious
software."

Now, I am actually using a proxy to connect to google. Therefore, are
other people using the same proxy to invoke a DDoS, or do I still have a
problem (ZoneAlarm Pro, Ad-Aware, Spybot, and a couple of other AV
products revealed no problems).

I have tried www.google.com several more times with no problems.
Click to expand...


Were you searching for "phpbb" by any chance?

I have seen reports that a trojan is exploiting a security hole in
phpbb and using Google searches to look for other potentially vulnerable
systems. The repeated searches for that string from multiple infected
systems is apparently overloading Google's servers and they have been
forced to take defensive measures against it.
Click to expand...
No my search term was "Murder Auction" (without quotation) marks actually!
 
Back
Top