Suspected Attack


Alan UK

I am running W2k Pro with Norton SystemWorks AV (with
LiveUpdate) and a Sygate Personal Firewall (freeware
version) and have an ADSL connection, although not left on
24/7.
After the MSBlast virus I scheduled a weekly Windows
Update and have all the latest bits and pieces.
I recently noticed a lot of attempts (through the
firewall log) for sites trying to access the internet
using existing software, i.e. "site.com is trying to access
the internet through Norton Speed Disk" sort of thing.
Although I blocked all I could, later the PC went a bit
barmy and kept showing Explorer.exe errors.
After a reboot and every scan (AV, spyware etc.) I could
muster I noticed that the Sygate firewall had gone AWOL.
The .exe file and Readme.txt were in the folder, but all
the rest had gone, and I discovered them all in the
Recycle Bin.
I restored them, but is this a virus/trojan attack to
disable the firewall, or could this have happened during
the Explorer.exe errors? (I realise that could have been
part of any attack too.)
Any information would be greatly appreciated, and
particularly any information about further (cost-effective)
methods of protecting the PC short of shutting
it off or disabling so much as to make the internet a
waste of time... I know it's a compromise.
:-(
 
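The pattern in the post, a program with no network role turning up in the firewall's outbound log, is worth triaging systematically rather than answering prompt by prompt. The script below is an added example, not from the original poster and not Sygate's own tooling: it parses a constructed, simplified log layout (not Sygate's real log format), compares each outbound connection's program against a hypothetical allowlist of programs that are expected to use the network, and summarises everything else by program and remote host. The program paths, host names and allowlist entries are all made up for the example.

```python
"""Triage application-firewall log entries: which local programs are
connecting out, and which of them have no business doing so.
Added example; the log layout below is constructed for illustration
and is not Sygate's actual log format."""
import re
from collections import defaultdict

# Constructed line layout:
#   <date> <time> <ALLOW|BLOCK> <IN|OUT> <program path> <remote host>:<port>
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|BLOCK) (?P<direction>IN|OUT) "
    r"(?P<program>.+?\.exe) (?P<host>[^:\s]+):(?P<port>\d+)$",
    re.IGNORECASE,
)

# Hypothetical allowlist: programs on this box that legitimately talk
# outbound (browser, mail client, AV updater, Windows Update client).
EXPECTED_OUTBOUND = frozenset({
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files\outlook express\msimn.exe",
    r"c:\program files\symantec\liveupdate\luall.exe",
    r"c:\winnt\system32\wuauclt.exe",
})

# Constructed sample log: normal browser/updater traffic, plus several
# sites "using" a disk defragmenter (made-up path) and Explorer to get out.
SAMPLE_LOG = r"""
2003-10-12 21:14:03 ALLOW OUT C:\Program Files\Internet Explorer\iexplore.exe site.com:80
2003-10-12 21:14:09 BLOCK OUT C:\Program Files\Norton SystemWorks\Norton Utilities\SPEEDDSK.EXE site.com:80
2003-10-12 21:14:10 BLOCK OUT C:\Program Files\Norton SystemWorks\Norton Utilities\SPEEDDSK.EXE ads.example.net:80
2003-10-12 21:14:12 ALLOW OUT C:\Program Files\Norton SystemWorks\Norton Utilities\SPEEDDSK.EXE site.com:443
2003-10-12 21:15:00 ALLOW OUT C:\WINNT\system32\wuauclt.exe windowsupdate.microsoft.com:80
2003-10-12 21:15:30 BLOCK IN C:\WINNT\explorer.exe 203.0.113.7:135
2003-10-12 21:16:01 BLOCK OUT C:\WINNT\explorer.exe 198.51.100.9:6667
"""


def parse(log_text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(log_text, expected=EXPECTED_OUTBOUND):
    """Summarise outbound connections by programs that are NOT on the allowlist.

    Returns {program_path_lowercase: {"attempts", "allowed", "hosts"}}.
    Inbound entries are ignored: the question here is which local code
    is reaching out, not who is knocking."""
    findings = defaultdict(lambda: {"attempts": 0, "allowed": 0, "hosts": set()})
    for rec in parse(log_text):
        if rec["direction"].upper() != "OUT":
            continue
        program = rec["program"].lower()
        if program in expected:
            continue
        entry = findings[program]
        entry["attempts"] += 1
        if rec["action"].upper() == "ALLOW":
            entry["allowed"] += 1
        entry["hosts"].add(rec["host"])
    return dict(findings)


def report(findings):
    """Human-readable lines, most active program first; anything that was
    actually ALLOWED out is the priority."""
    lines = []
    for program, f in sorted(findings.items(), key=lambda kv: -kv[1]["attempts"]):
        verdict = "ALLOWED out - investigate now" if f["allowed"] else "blocked - still suspicious"
        lines.append(f"{program}: {f['attempts']} outbound attempt(s) to "
                     f"{len(f['hosts'])} host(s), {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

A disk utility connecting out is consistent with another process injecting into it or with something impersonating its path, and a blocked attempt is still a sign that the code making the request is on the machine; the program list and the hosts it reached for are what to keep for the AV vendor or a malware forum, rather than the individual pop-ups.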
Hey Nonny

Sounds like you have already picked the two obvious options.
I would be tempted to change all my account passwords, and
edit the local security policy (Control Panel->
Administrative Tools->Local Security Policy) to remove
any possibility of a remote login. Of particular interest
should be Local Policies->Security Options and Local
Policies->User Rights Assignment. Have a read through the
descriptions and change anything you don't like the look
of. I would recommend changing "additional restrictions
for anonymous logon" to "no access without explicit
permissions" and removing everything from "access this
computer from the network" if you are not part of a LAN
environment, or have no wish to share things with other
LAN users anyway. Also check which services (right click
My Computer->Manage->Services and Applications->Services)
are running on your machine and disable any you do not
need (make sure IIS is uninstalled if you are not hosting
a website, disable Terminal Services, etc.).

For firewalls, you tend to get what you pay for. Although
Sygate and Zone Alarm are free, you'll get more
configurability and functionality if you opt to pay for
it. Zone Alarm Pro is reasonable ($30 or so), Checkpoint
have a great reputation although they are expensive ($300
for a hardware firewall aimed at home broadband users).
Look around, and buy what you can afford. I am sure other
people here can give you info on which firewalls they
prefer.
 
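As an added example (not the reply author's own, and not a Microsoft tool), the settings recommended above can be checked from a text export of the local policy instead of by clicking through the console. On Windows 2000, `secedit /export /cfg current.inf` writes the current Local Security Policy as an INF security template, and `secedit /configure /db harden.sdb /cfg harden.inf` applies such a template. The script below parses that INF layout and audits it for the items the reply names: RestrictAnonymous set to 2, nobody holding "Access this computer from the network" (the SeNetworkLogonRight privilege), and the services the reply says to switch off (here Terminal Services, TermService) set to Disabled. Both templates embedded in it are constructed for the example, the weak one approximating a default workstation policy and the hardened one matching the reply's advice; the `Name,StartType,SDDL` layout of the service section and the SDDL string in it are assumptions, and the service list is a tuple so other services can be added.

```python
"""Audit a Windows 2000 Local Security Policy export (secedit INF template)
against the hardening items recommended in the reply.
Added example; both templates below are constructed, not real exports."""

# Constructed template approximating a weak, default-ish workstation policy.
WEAK_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Service General Setting]
TermService,3,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

# The same template with the reply's changes applied: RestrictAnonymous=2,
# network logon right granted to nobody, Terminal Services disabled.
HARDENED_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Privilege Rights]
SeNetworkLogonRight =
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Service General Setting]
TermService,4,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

SERVICE_SECTION = "Service General Setting"
RESTRICT_ANON = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"
# Services the reply says to switch off (assumed service names); extend as needed.
SERVICES_TO_DISABLE = ("TermService",)
SERVICE_DISABLED = "4"   # template start types: 2 automatic, 3 manual, 4 disabled


def parse_inf(text):
    """Parse a secedit-style INF into {section: {key: value}}.
    'key=value' lines are split at the first '='; the service section uses
    'Name,StartType,SDDL' lines and is keyed by Name with the rest as value."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
            continue
        if section is None:                           # junk before first section
            continue
        sep = "," if section == SERVICE_SECTION else "="
        key, _, value = line.partition(sep)
        cfg[section][key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return [(check, passed, detail)]. passed is True/False, or None when the
    template is silent and the item has to be confirmed in the console."""
    results = []
    ra = cfg.get("Registry Values", {}).get(RESTRICT_ANON)
    results.append(("RestrictAnonymous = 2 (no access without explicit anonymous permissions)",
                    ra == "4,2", f"template value {ra!r}"))
    right = cfg.get("Privilege Rights", {}).get("SeNetworkLogonRight")
    check = "Nobody holds 'Access this computer from the network'"
    if right is None:
        results.append((check, None, "right not present in template"))
    else:
        holders = [h.strip() for h in right.split(",") if h.strip()]
        results.append((check, not holders, f"holders {holders}"))
    services = cfg.get(SERVICE_SECTION, {})
    for svc in SERVICES_TO_DISABLE:
        entry = services.get(svc)
        if entry is None:
            results.append((f"{svc} disabled", None, "service not in template; check Services console"))
        else:
            start = entry.split(",", 1)[0].strip()
            results.append((f"{svc} disabled", start == SERVICE_DISABLED, f"start type {start}"))
    return results


def failures(cfg):
    """Names of checks that definitely fail (unverifiable None results excluded)."""
    return [check for check, passed, _ in audit(cfg) if passed is False]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"== {label} template ==")
        for check, passed, detail in audit(parse_inf(text)):
            mark = {True: "OK  ", False: "FAIL", None: "?   "}[passed]
            print(f"{mark} {check} ({detail})")
```

One caveat before applying the hardened template: RestrictAnonymous=2 also stops the machine enumerating other machines' shares and accounts, so it can break browsing on a LAN; on a standalone home PC, which is the case the reply conditions its advice on, that is the intended effect.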
Thanks for your advice "Hey Nonny"(!)
I did as you suggested, and will ponder the firewall
question further; didn't get along with the freeware
version of Zone Alarm when I had it before, its main
purpose was to entice the upgrade, it seemed.
Regarding IIS, how do I uninstall that? Just delete all the
files with IIS?
Also I looked around and adjusted a few settings, changed
passwords, tidied up the accounts/profiles, but I am still
offered a log in via internet on the log in screen. Am I
to assume that I have missed this setting somehow? If so I
am not sure what it is called or where it resides.
Or, how to jump from a moderately informed home PC user to
a security expert in one easy step! lol
Thanks for your help again
 