Plethora of nasties

[Dave Baker]

The intergoogles and Facetubes seem to be infested with nasties finding
their way onto my pc at the moment. It started with the printer churning out
blank pages all by itself which turned out to be a large spool file which
you couldn't delete created by something icky. Shifted that in Recovery
Console plus what appeared to be a randomly named dll file in the windows
directory and it all went quiet for a while until everything came back. The
spool file filled all available space on the C drive and a new one popped up
as soon as you deleted the last one.

Ran MBAM which found Vundo, Downadup, Sysvxd.exe and several registry
entries. Got rid of the lot but bugger me it's all back plus even more this
morning. Anyway just spotted the bloody thing had turned the firewall off so
it had a nice little backdoor every time I went online.

Note to self and others. Check the firewall settings haven't been tampered
with BEFORE you run anti malware progs or it'll be a waste of time. Anyway
fingers crossed for now. Hijack This seems to indicate nothing unusual
running anyway.

 

[Duh_OZ]

The intergoogles and Facetubes seem to be infested with nasties finding
their way onto my pc at the moment. It started with the printer churning out
blank pages all by itself which turned out to be a large spool file which
you couldn't delete created by something icky. Shifted that in Recovery
Console plus what appeared to be a randomly named dll file in the windows
directory and it all went quiet for a while until everything came back. The
spool file filled all available space on the C drive and a new one poppedup
as soon as you deleted the last one.

<stuff snipped>.

===================
Just wondering, what OS, firewall and AV program are you using?

 

[Char Jackson]

The intergoogles and Facetubes seem to be infested with nasties finding
their way onto my pc at the moment. It started with the printer churning out
blank pages all by itself which turned out to be a large spool file which
you couldn't delete created by something icky. Shifted that in Recovery
Console plus what appeared to be a randomly named dll file in the windows
directory and it all went quiet for a while until everything came back. The
spool file filled all available space on the C drive and a new one popped up
as soon as you deleted the last one.

Ran MBAM which found Vundo, Downadup, Sysvxd.exe and several registry
entries. Got rid of the lot but bugger me it's all back plus even more this
morning. Anyway just spotted the bloody thing had turned the firewall off so
it had a nice little backdoor every time I went online.

Note to self and others. Check the firewall settings haven't been tampered
with BEFORE you run anti malware progs or it'll be a waste of time. Anyway
fingers crossed for now. Hijack This seems to indicate nothing unusual
running anyway.

If your system is repeatedly getting infected, it might indicate user
behavior that is less than safe. No firewall can save you from
yourself.

 

[Dave Baker]

If your system is repeatedly getting infected, it might indicate user
behavior that is less than safe. No firewall can save you from
yourself.

I get the occasional thing every now and then but nothing too drastic. This
looks like a single infection which turned off the firewall and let the rest
in. To answer someone else's question I run XP, all the service packs and
updates and just the XP firewall. I find constantly resident antivirus
software too intrusive on a pc as old and slow as this one so I just fix
whatever gets through as and when. It's rarely much of an issue to kill it
all off either in the Recovery Console or with MBAM. Anyway it's all clean
again since I turned the firewall back on. I was really just making the
point to check that every time you spot a nasty before deleting it.

 

[FromTheRafters]

[...]

Note to self and others. Check the firewall settings haven't been
tampered with BEFORE you run anti malware progs or it'll be a waste of
time.

If your computer is compromised by malware, and your firewall settings
look okay, what conclusions can you draw from this?

 

[Dave Baker]

In XP SP3 there is a Windows Security Center that alerts you whenever the
firewall is down. Did the malware turn off the security center alert?

Yes it had switched that off too and I turned it back on. MBAM also picks
that up as a registry warning.

 

[Dave Baker]

[...]

Note to self and others. Check the firewall settings haven't been
tampered with BEFORE you run anti malware progs or it'll be a waste of
time.

If your computer is compromised by malware, and your firewall settings
look okay, what conclusions can you draw from this?

Factoring in the speed of the malware attack, the switched off firewall and
switched off firewall alert notice, the letters used in the randomly named
dll file and the number of pages of paper my printer wasted before I managed
to get rid of everything the conclusion I draw is that it will probably snow
again today.

 

[Leythos]

[...]

Note to self and others. Check the firewall settings haven't been
tampered with BEFORE you run anti malware progs or it'll be a waste of
time.

If your computer is compromised by malware, and your firewall settings
look okay, what conclusions can you draw from this?

What does a firewall have to do with compromised computers?

If the firewall doesn't block ALL inbound and ALL outbound connections
then the firewall is not the cause of the problem.

 

[RayLopez99]

I get the occasional thing every now and then but nothing too drastic. This
looks like a single infection which turned off the firewall and let the rest
in. To answer someone else's question I run XP, all the service packs and
updates and just the XP firewall. I find constantly resident antivirus
software too intrusive on a pc as old and slow as this one so I just fix
whatever gets through as and when. It's rarely much of an issue to kill it
all off either in the Recovery Console or with MBAM. Anyway it's all clean
again since I turned the firewall back on. I was really just making the
point to check that every time you spot a nasty before deleting it.
--

I think you brought this problem on yourself, for the reasons you cite
above--no AV s/w.

But I'm just a rookie in this area.

RL

 

[Char Jackson]

[...]

Note to self and others. Check the firewall settings haven't been
tampered with BEFORE you run anti malware progs or it'll be a waste of
time.

If your computer is compromised by malware, and your firewall settings
look okay, what conclusions can you draw from this?

What does a firewall have to do with compromised computers?

If the firewall doesn't block ALL inbound and ALL outbound connections
then the firewall is not the cause of the problem.

It seems like a firewall that blocks "ALL inbound and ALL outbound
connections" is functionally equivalent to a disconnected network
cable.

 

[FromTheRafters]

[...]

Note to self and others. Check the firewall settings haven't been
tampered with BEFORE you run anti malware progs or it'll be a waste
of
time.

If your computer is compromised by malware, and your firewall
settings
look okay, what conclusions can you draw from this?

What does a firewall have to do with compromised computers?

....that's another way of saying it. )

Answer: Nothing, but malware running on the machine can make your tools
appear to lie to you. Affecting changes to a firewall by using tools in
a compromised environment may not be actual changes, only lies. I'm just
saying Dave's suggestion is only the half of it - it is futile either
way. The thing to do is to remove the active malware so that you can
trust the tools, then check your settings.

 

[Leythos]

[...]

Note to self and others. Check the firewall settings haven't been
tampered with BEFORE you run anti malware progs or it'll be a waste
of
time.

If your computer is compromised by malware, and your firewall
settings
look okay, what conclusions can you draw from this?

What does a firewall have to do with compromised computers?

...that's another way of saying it. )

Answer: Nothing, but malware running on the machine can make your tools
appear to lie to you. Affecting changes to a firewall by using tools in
a compromised environment may not be actual changes, only lies. I'm just
saying Dave's suggestion is only the half of it - it is futile either
way. The thing to do is to remove the active malware so that you can
trust the tools, then check your settings.

Isn't that why you don't trust a firewall on the computer you actually
use?

The general security rule is that a firewall, to be effective, is
installed on a stand-alone machine that is not used by anyone and has no
shared account authentication with your users.

While many firewall products, real that as Appliances, can filter
content (files) out of HTTP and FTP and SMTP sessions, you really have
to understand how to do that in order to protect your network and
systems.

 

[FromTheRafters]

[...]

Note to self and others. Check the firewall settings haven't
been
tampered with BEFORE you run anti malware progs or it'll be a
waste
of
time.

If your computer is compromised by malware, and your firewall
settings
look okay, what conclusions can you draw from this?

What does a firewall have to do with compromised computers?

...that's another way of saying it. )

Answer: Nothing, but malware running on the machine can make your
tools
appear to lie to you. Affecting changes to a firewall by using tools
in
a compromised environment may not be actual changes, only lies. I'm
just
saying Dave's suggestion is only the half of it - it is futile either
way. The thing to do is to remove the active malware so that you can
trust the tools, then check your settings.

Isn't that why you don't trust a firewall on the computer you actually
use?

Indeed! The simplest of firewall appliances is better than an 'all bells
and whistles' personal firewall application running on the machine it
hopes to protect. I mispoke when I didn't qualify that the discussion
was likely about personal firewall applications and not actual
firewalls. I used to be a real stickler about there being an important
distinction there.

 

[FromTheRafters]

[...]

Note to self and others. Check the firewall settings haven't
been
tampered with BEFORE you run anti malware progs or it'll be a
waste
of
time.

If your computer is compromised by malware, and your firewall
settings
look okay, what conclusions can you draw from this?

What does a firewall have to do with compromised computers?

...that's another way of saying it. )

Answer: Nothing, but malware running on the machine can make your
tools
appear to lie to you. Affecting changes to a firewall by using tools
in
a compromised environment may not be actual changes, only lies. I'm
just
saying Dave's suggestion is only the half of it - it is futile either
way. The thing to do is to remove the active malware so that you can
trust the tools, then check your settings.

Isn't that why you don't trust a firewall on the computer you actually
use?

Indeed! The simplest of firewall appliances is better than an 'all bells
and whistles' personal firewall application running on the machine it
hopes to protect. I misspoke when I didn't qualify that the discussion
was likely about personal firewall applications and not actual
firewalls. I used to be a real stickler about there being an important
distinction there.

[...]

Note to self and others. Check the firewall settings haven't
been
tampered with BEFORE you run anti malware progs or it'll be a
waste
of
time.

If your computer is compromised by malware, and your firewall
settings
look okay, what conclusions can you draw from this?

What does a firewall have to do with compromised computers?

...that's another way of saying it. )

Answer: Nothing, but malware running on the machine can make your
tools
appear to lie to you. Affecting changes to a firewall by using tools
in
a compromised environment may not be actual changes, only lies. I'm
just
saying Dave's suggestion is only the half of it - it is futile either
way. The thing to do is to remove the active malware so that you can
trust the tools, then check your settings.

Isn't that why you don't trust a firewall on the computer you actually
use?

The general security rule is that a firewall, to be effective, is
installed on a stand-alone machine that is not used by anyone and has
no
shared account authentication with your users.

While many firewall products, real that as Appliances, can filter
content (files) out of HTTP and FTP and SMTP sessions, you really have
to understand how to do that in order to protect your network and
systems.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to
that.
Trust yourself.
(e-mail address removed) (remove 999 for proper email address)

 

[RayLopez99]

Indeed! The simplest of firewall appliances is better than an 'all bells
and whistles' personal firewall application running on the machine it
hopes to protect. I mispoke when I didn't qualify that the discussion
was likely about personal firewall applications and not actual
firewalls. I used to be a real stickler about there being an important
distinction there.

So your position is that only somebody as steeped in knowledge as an
IT professional (like you?) can effectively use a firewall. Those
'rules' (and my firewall Look 'n' Stop has about 20 of them) are of
little or no importance? Or perhaps they only take care of the 'easy'
cases--say 50% or less of the total?

Interesting if that's your position--and certainly that's not what the
marketers of firewalls tell casual users like myself...

RL

 

[FromTheRafters]

Indeed! The simplest of firewall appliances is better than an 'all
bells
and whistles' personal firewall application running on the machine it
hopes to protect. I mispoke when I didn't qualify that the discussion
was likely about personal firewall applications and not actual
firewalls. I used to be a real stickler about there being an important
distinction there.

So your position is that only somebody as steeped in knowledge as an
IT professional (like you?) can effectively use a firewall.

***
I'm a hobbiest, not an IT professional. When an IT professional tells me
that a personal firewall application is a *real* firewall and a NAT
router with basic firewalling capabilities (SPI) is *not*, I know enough
to *know* he is wrong.
***

Those 'rules' (and my firewall Look 'n' Stop has about 20 of them) are
of little or no importance?

***
No, they can be helpful (or entertaining).
***

Or perhaps they only take care of the 'easy' cases--say 50% or less of
the total?

***
Don't know, but if you are talking about outbound filtering or
application control, then we are no longer talking about a firewall in
the sense that a router as described above is a firewall. Disallowing a
trojan from accessing the internet can be a good thing, but you are
correct in assuming that this would be an "easy" case.
***

Interesting if that's your position--and certainly that's not what the
marketers of firewalls tell casual users like myself...

***
Toothpaste companies always show *lots* of toothpaste on the brush - do
you think that much is *really* needed? Why would they want to teach the
users to be conservative, after all, they *are* in business to make
money.
***