
1 - 20 of 33 Posts

Registered, 2,466 Posts
Discussion Starter #1
Hi folks... I'm a little pissed off and can use your help. My work laptop caught a virus and I need some tools that I can't get to. The virus is not detected by Norton or the latest version of McAfee's Stinger.exe - however, it has blocked all of my access to Microsoft.com (for updates) and SpyBot. I think it is also smart enough to monitor URLs - it won't let me download SpyBot directly from download.com either.

Sooo.... if someone could please download and post the latest version of spybot here, that would be great; it might be a good thing to change the file name to spibot or something too.

Ok... now for my rant! :rant: I'm very careful with my systems, particularly careful with my work laptop. I'm running a LAN firewall, a personal firewall, Norton antivirus and scheduled runs of McAfee stinger as well as frequent checks with SpyBot... the little fucker STILL managed to get on my system!!! As a good techie, I never run .exe's, I never run strange little programs on the net, I don't even use IE (except for checking hotmail from Messenger - anti-trust bastards have that locked down.). What has a guy gotta do to get some security around here?!?!? :rant: :rant: :rant: :rant: :rant:

I'll be back late tonight so no rush but I do appreciate the help.
 

Registered, 2,466 Posts
Discussion Starter #3
Thanks. I wasn't able to download anything from download.com so I pulled them from your site. Adaware is chugging away but spybot still can't connect to get the detection rule updates. *grrrrrr*

Ok... I'll mess with this when I get home later.
 

Registered, 2,466 Posts
Discussion Starter #6
Arg. I'm still stuck with crap on the system.

The symptoms... it's hard to explain. My laptop is relatively new, and by that I mean I just got it from work so I haven't had time to install much junk on it. It's a 1.7GHz w/ 1.5GB of RAM and (up until a day or so ago) was tooting along just fine. Now... it takes a long time (30 seconds?) to get to the login screen after ctrl-alt-del. My Windows tool bar also lost the preferences I had set (such as viewing the quick launch bar). It has blocked certain web sites... however, I have sniffed the outgoing packets and they are reaching the intended sites and a response is also made; my side of the connection never returns however. Hmmm... what else can I tell you? I suspect something is checking all new processes that are starting because opening applications is taking much longer than expected (than previously witnessed).

Anyway... I still haven't had luck. Ad-aware found "Alexa", Spybot (without any updates) found a DOS attack; I hear that's a bug in Spybot though. Both Norton Antivirus and McAfee's Stinger (july 19) were clean.... I'm stumped.

Someone throw me a bone here...

MrX954, yes, SpyBot and AdAware are both good products to have on hand; that's assuming you can get them to run. Most viruses now target the common virus protection apps first before proceeding.
 

Registered, 3,599 Posts
If it's that new, and you have so little tied up in it, why not just restore it from CD? :idunno:
 

Administrator, 8,596 Posts
Sounds kind of like the virus I had recently (do a search here). My problem was it wouldn't let me run AV programs or visit AV sites without shutting everything down. I ended up having to reformat... not a pleasant solution. Good luck... let us know how it turns out.
 

Registered, 2,761 Posts
nomad said:
MrX954, yes, SpyBot and AdAware are both good products to have on hand; that's assuming you can get them to run. Most viruses now target the common virus protection apps first before proceeding.
Thanks, I'll d/l one or both today and see how I like them.
 

Registered, 2,466 Posts
Discussion Starter #11
Ok... I've gone through HiJackThis and see nothing out of the ordinary. The CWShredder app comes up clean as well. Hmmmmmm.... I'm so stumped.

To have the tech guys re-image my machine will require several weeks worth of rebuilding. I don't have time for that... I really need to fix this sucker. Blah. Ok... off to find some other sources.

Thx all. I'll keep watching here if anyone has more advice.
 

Registered, 2,466 Posts
Discussion Starter #12 (Edited)
A clue? I seeeem to have found this going through my firewall...
http://64.233.161.99/

It appears to be a google web page but I don't believe it is legitimate. Up here, we are redirected to google.ca... slightly different page. Also, the IP can't be located in the DNS.... Can someone verify if this page is real or if it is a mock site?

Edit: This may be a connection from my firefox browser with a google bar... however, why doesn't the ip resolve?
 

Registered, 2,466 Posts
Discussion Starter #14
216.239 is google ok... hmph... then I'm still stumped.
 

Registered, 3,586 Posts
Try running a scan with the AV software below; in the past I've had it go under a virus/worm/spybot's radar and remove it.
http://www.pandasoftware.com/home/default.asp

Also check out what's in your msconfig startup list (or get into the registry yourself) or use this ( http://www.windowsstartup.com/ ) to see if there is anything you can get rid of during a restart. Try checking the list of services to see if there is anything weird in that too.

Also see if you can install and run teatimer (Spybot resident) with Spybot to see if there are any programs adding entries to your registry on you after you remove them with the above.

Other than that, go through your installed programs in Add/Remove and be ruthless. But you've probably already done that.

The other thing to check is the settings on both your personal firewall and LAN firewall to see if they are blocking those sites. Has there been a transparent proxy installed that is filtering the websites?

Are there any other symptoms?

Another thought: do a Norton AV scan by booting from the CD with the latest signatures on a floppy; the Norton on your HD might be owned by the virus.

The IP address seems to be a Google allocated block.

07/21/04 20:40:47 IP block 64.233.161.99
Trying 64.233.161.99 at ARIN
Trying 64.233.161 at ARIN

OrgName: Google Inc.
OrgID: GOGL
Address: 2400 E. Bayshore Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

NetRange: 64.233.160.0 - 64.233.191.255
CIDR: 64.233.160.0/19
NetName: GOOGLE
NetHandle: NET-64-233-160-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
Comment:
RegDate: 2003-08-18
Updated: 2004-03-05

TechHandle: ZG39-ARIN
TechName: Google Inc.
TechPhone: +1-650-318-0200
TechEmail: [email protected]

OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: +1-650-318-0200
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2004-07-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
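One check the list above does not mention is the local hosts file, which is the simplest way for malware to make exactly the sites the thread describes (Microsoft, download.com, SpyBot's update server) unreachable from one machine while every other box on the LAN can still reach them. The script below is an added example, not code from this thread or from any of the tools it names; the hosts text it parses is constructed sample data, and the list of watched vendor domains is an assumption you would extend for your own environment.

```python
"""Flag hosts-file entries that override security-vendor or update
hostnames. Added example; SAMPLE_HOSTS is constructed sample data and
WATCHED_SUFFIXES is an assumed list, not taken from the thread."""
import ipaddress

# Hostnames a hijacked hosts file typically sinkholes (assumed list).
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "download.com",
    "safer-networking.org",   # Spybot S&D update server
    "symantec.com",
    "mcafee.com",
    "lavasoft.com",
)

# Constructed sample: the first two lines are normal, the rest are the
# kind of entries a tampered hosts file contains. 64.233.161.99 is the
# Google address quoted in the thread, used here only as a non-reserved
# external address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
127.0.0.1       windowsupdate.microsoft.com   # update site sinkholed
0.0.0.0         download.com www.download.com
10.1.2.3        www.safer-networking.org
64.233.161.99   liveupdate.symantec.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no); comments, blanks and junk are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed first field; not an override we can act on
        for name in parts[1:]:
            yield addr, name.lower(), line_no


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def classify(addr):
    """Describe where the override sends traffic."""
    if addr.is_loopback or addr.is_unspecified:
        return "sinkholed"
    if addr.is_private or addr.is_link_local:
        return "redirected to private address"
    return "redirected to external address"


def find_hijacks(text):
    """Return [(line_no, hostname, ip, reason)] for every watched hostname
    the hosts file overrides. 'localhost' -> loopback is legitimate."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue
        if is_watched(name):
            findings.append((line_no, name, str(addr), classify(addr)))
    return findings


if __name__ == "__main__":
    # On a real machine read C:\WINDOWS\system32\drivers\etc\hosts instead.
    for line_no, name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

Run it against the real file on the affected machine and against the same file on a machine that can still reach the sites; any entry for a watched domain is suspect regardless of the target address, because nothing legitimate needs to pin those names in the hosts file. An empty result does not clear the box (a Winsock LSP or a poisoned resolver does the same job without touching the file), but it takes the cheapest explanation off the table in seconds.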
 

Registered, 2,466 Posts
Discussion Starter #16
Hi All...

I think I thwarted, but maybe not fixed the problem. I completely isolated the affected machines allowing ONLY traffic to be routed into my firewall so I could watch all connections. In doing so, I had to use a fixed IP address. After the change, I was able to access all sites and perform the correct updates... I don't really know what this tells me - could the problem be held in the DHCP system??

After successfully updating SpyBot it found 5 "DOS Exploits" which to my knowledge is a bug in the SpyBot code. At any rate... I have found nothing and fixed nothing, yet with a switch to a fixed IP address I am running again.

THANK YOU, you (*@&#%@#% SQUIDS of the TECHNOLOGY WORLD!!! :rant: Waste my frigging time for hours. That's money and time and patience lost. :rant:
 

Registered, 3,586 Posts
nomad said:
I don't really know what this tells me - could the problem be held in the DHCP system??
I doubt it. I'd be looking more at any proxies or firewall rules that are preventing traffic from within the DHCP scope you were dished an IP from.
 

Registered, 2,466 Posts
Discussion Starter #18
matt232 said:
I doubt it. I'd be looking more at any proxies or firewall rules that are preventing traffic from within the DHCP scope you were dished an IP from.
:nono:

I control all firewall rules and my DHCP server. I haven't changed anything. In fact, I had been away all weekend. I also verified my firewall and DHCP config on the server; neither had been tampered with and neither was blocking those sites. In fact, I could still hit those sites from my other connected machines. At any given time I have up to 5 machines plugged in... only 2 were affected in the end. FUGGING Microsoft. :mad:

I've started the move from 20% to 60% Linux.

For what it's worth, I do have a proxy but it is only used when I'm needing to skirt external firewalls (another discussion). For my internal home LAN, I have wide-open outbound traffic because I generally trust my home LAN. :rant: I don't lock it down unless shit like this happens. :rant: As for DHCP, it's configured for a few static IPs that serve Internet-side services and the rest of the subnet is for workstations... all pick up their DNS from my DHCP server.
 

Registered, 3,586 Posts
Sorry, your post sounded like there was more than one machine having issues so I was looking for a commonality between them, hence my focus on the firewall. The personal firewall... that was clear too?

I assume it's back up and running now with a DHCP-allocated IP address; the problems haven't resurfaced?

Was there another machine temporarily introduced to your network in your absence, that might have spread the infection behind the firewall?

Other than that I'm tapped! :crap: I've been struggling with booting a Linux 2.6.6 kernel off a RAID1 root partition for a new server this week, so my brain is pretty toasted atm.
 